·

keepalived (5) Linux Manual Page

ByLinux Manual Posted on

/etc/keepalived/keepalived.conf – configuration file for keepalived

Description

keepalived.conf is the configuration file which describes all the keepalived keywords. keywords are placed in hierachies of blocks (and subblocks), each layer being delimited by ‘{‘ and ‘}’ pairs.

Comments start with ‘#’ or ‘!’ to the end of the line and can start anywhere in a line.

Top Hierachy

GLOBAL CONFIGURATION

VRRPD CONFIGURATION

LVS CONFIGURATION

Global Configuration

contains subblocks of Global definitions and Static routes

Global definitions

 global_defs           Block id
 
 notification_email    To:
  {
  admin [at] example1.com 
  
  }
 From: from address that will be in header
 notification_email_from admin [at] example.com 
 smtp_server 127.0.0.1   IP
 smtp_connect_timeout 30 integer, seconds
 router_id my_hostname   string identifying the machine,
                   (doesn’t have to be hostname).
 }

Static routes/addresses

keepalived can configure static addresses and routes with ip (ie if addresses are not already on the machine). These addresses are NOT moved by vrrpd, they stay on the machine. If you already have IPs and routes on your machines and your machines can ping each other, you don’t need this section.

The whole string is fed to ip addr add. You can truncate the string anywhere you like and let ip addr add use defaults for the rest of the string. If you just feed the string "192.168.1.1", the IP will be 192.168.1.1/32, which you probably don’t want. This is different to ifconfig which will configure the IP with the standard class, here 192.168.1.1/24. The minimum string then would be the IP/netmask, eg 192.168.1.1/24

 static_ipaddress
 {
 192.168.1.1/24 brd dev eth0 scope global
 
 }

The whole string is fed to ip route add. You can truncate the string allowing ip route add to use defaults.

 static_routes
 {
 src $SRC_IP to $DST_IP dev $SRC_DEVICE 
 
 src $SRC_IP to $DST_IP via $GW dev $SRC_DEVICE
 }

Vrrpd Configuration

contains subblocks of VRRP synchronization group(s) and VRRP instance(s)

VRRP synchronization group(s)

 #string, name of group of IPs that failover together
 vrrp_sync_group VG_1 
 group {
inside_network   name of vrrp_instance (below) 
outside_network  One for each moveable IP. 
… 
 }
 
 notify scripts and alerts are optional
 #
 filenames of scripts to run on transitions
 can be unquoted (if just filename) 
 or quoted (if has parameters)
 to MASTER transition
 notify_master /path/to_master.sh 
 to BACKUP transition
 notify_backup /path/to_backup.sh 
 FAULT transition 
 notify_fault "/path/fault.sh VG_1" 
 for ANY state transition.
 "notify" script is called AFTER the 
 notify_* script(s) and is executed 
 with 3 arguments provided by keepalived
 (ie don’t include parameters in the notify line).
 arguments
 $1 "GROUP"|"INSTANCE"
 $2 name of group or instance
 $3 target state of transition 
     ("MASTER"|"BACKUP"|"FAULT")
 notify /path/notify.sh 
 Send email notifcation during state transition, 
 using addresses in global_defs above.
 smtp_alert
 }

VRRP instance(s)

describes the moveable IP for each instance of a group in vrrp_sync_group. Here are described two IPs (on inside_network and on outside_network), on machine "my_hostname", which belong to the group VG_1 and which will transition together on any state change.

 #You will need to write another block for outside_network.
 vrrp_instance inside_network {
 Initial state, MASTER|BACKUP
 As soon as the other machine(s) come up, 
 an election will be held and the machine 
 with the highest "priority" will become MASTER.
 So the entry here doesn’t matter a whole lot.
 state MASTER
 interface for inside_network, bound by vrrp
 interface eth0
 Ignore VRRP interface faults (default unset)
 dont_track_primary
 optional, monitor these as well. 
 go to FAULT state if any of these go down.
 track_interface {
eth0 
eth1 

 }
 #default IP for binding vrrpd is the primary IP 
 #on interface. If you want to hide location of vrrpd, 
 #use this IP as src_addr for multicast vrrp packets.
 #(since it’s multicast, vrrpd will get the reply 
 #packet no matter what src_addr is used).
 #optional
 mcast_src_ip <IPADDR> 
 Binding interface for lvs syncd
 lvs_sync_daemon_interface eth1 
 delay for gratuitous ARP after transition to MASTER
 garp_master_delay 10 secs, default 5 
 arbitary unique number 0..255
 used to differentiate multiple instances of vrrpd
 running on the same NIC (and hence same socket).
 virtual_router_id 51
 for electing MASTER, highest priority wins.
 to be MASTER, make 50 more than other machines.
 priority 100
 VRRP Advert interval, secs (use default)
 advert_int 1
 authentication     Authentication block
  PASS||AH
  PASS – Simple Passwd (suggested) 
  AH – IPSEC (not recommended))
  auth_type PASS
  Password for accessing vrrpd.
  should be the same for all machines.
  auth_pass 1234
 #addresses add|del on change to MASTER, to BACKUP.
 #With the same entries on other machines,
 #the opposite transition will be occuring.
 virtual_ipaddress {
  <IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE> label <LABEL>
  192.168.200.17/24 dev eth1
  192.168.200.18/24 dev eth2 label eth2:1
 }
 #VRRP IP excluded from VRRP
 #optional.
 #For cases with large numbers (eg 200) of IPs 
 #on the same interface. To decrease the number 
 #of packets sent in adverts, you can exclude 
 #most IPs from adverts.
 #The IPs are add|del as for virtual_ipaddress.
 virtual_ipaddress_excluded 
  <IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE> 
  <IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE>
  
 }
 routes add|del when changing to MASTER, to BACKUP
 virtual_routes {
  src <IPADDR> [to] <IPADDR>/<MASK> via|gw <IPADDR> dev <STRING> scope <SCOPE> tab
  src 192.168.100.1 to 192.168.109.0/24 via 192.168.200.254 dev eth1
  192.168.110.0/24 via 192.168.200.254 dev eth1
  192.168.111.0/24 dev eth2
  192.168.112.0/24 via 192.168.100.254
 }
 VRRP will normally preempt a lower priority
 machine when a higher priority machine comes
 online.  "nopreempt" allows the lower priority
 machine to maintain the master role, even when
 a higher priority machine comes back online.
 NOTE: For this to work, the initial state of this
 entry must be BACKUP.
 nopreempt
 Seconds after startup until preemption
 (if not disabled by "nopreempt").
 Range: 0 (default) to 1,000
 NOTE: For this to work, the initial state of this
 entry must be BACKUP.
 preempt_delay 300    waits 5 minutes
 Debug level, not implemented yet.
 debug
 notify scripts, alert as above
 notify_master <STRING>|<QUOTED-STRING>
 notify_backup <STRING>|<QUOTED-STRING>
 notify_fault <STRING>|<QUOTED-STRING> 
 notify <STRING>|<QUOTED-STRING> 
 smtp_alert 
 }

Lvs Configuration

contains subblocks of Virtual server group(s) and Virtual server(s)

The subblocks contain arguments for ipvsadm(8). A knowlege of ipvsadm(8) will be helpful here.

Virtual server group(s)

 optional
 this groups allows a service on a real_server 
 to belong to multiple virtual services 
 and to be only health checked once.
 Only for very large LVSs.
 virtual_server_group <STRING> {
  #VIP port
  <IPADDR> <PORT> 
  <IPADDR> <PORT>
  
  #
  <IPADDR RANGE> has the form 
  XXX.YYY.ZZZ.WWW-VVV eg 192.168.200.1-10 
  range includes both .1 and .10 address
  <IPADDR RANGE> <PORT># VIP range VPORT
  <IPADDR RANGE> <PORT>
  
  fwmark <INT>  fwmark
  fwmark <INT>
  … }

Virtual server(s)

A virtual_server can be a declaration of one of

vip vport (IPADDR PORT pair)

fwmark <INT>

(virtual server) group <STRING>

 #setup service
 virtual_server IP port |
 virtual_server fwmark int |
 virtual_server group string
 {
 delay timer for service polling
 delay_loop <INT> 
 LVS scheduler 
 lb_algo rr|wrr|lc|wlc|lblc|sh|dh 
 LVS forwarding method
 lb_kind NAT|DR|TUN 
 LVS persistence timeout, sec
 persistence_timeout <INT> 
 LVS granularity mask (-M in ipvsadm)
 persistence_granularity <NETMASK> 
 Only TCP is implemented
 protocol TCP 
 If VS IP address is not set, 
 suspend healthchecker’s activity
 ha_suspend
 
 VirtualHost string for HTTP_GET or SSL_GET
 eg virtualhost www.firewall.loc
 virtualhost <STRING>                
 Assume silently all RSs down and healthchecks
 failed on start. This helps preventing false
 positive actions on startup. Alpha mode is
 disabled by default.
 alpha
 On daemon shutdown, consider quorum and RS
 down notifiers for execution, where appropriate.
 Omega mode is disabled by default.
 omega
 Minimum total weight of all live servers in
 the pool necessary to operate VS with no
 quality regression. Defaults to 1.
 quorum <INT>
 Tolerate this much weight units compared to the
 nominal quorum, when considering quorum gain
 or loss. A flap dampener. Defaults to 0.
 hysteresis <INT>
 Script to launch when quorum is gained.
 quorum_up <STRING>|<QUOTED-STRING>
 Script to launch when quorum is lost.
 quorum_down <STRING>|<QUOTED-STRING>
 setup realserver(s)
 RS to add when all realservers are down
 sorry_server <IPADDR> <PORT>
 
 one entry for each realserver     

 real_server <IPADDR> <PORT> 
 {
     relative weight to use, default: 1
     weight <INT> 
     Set weight to 0
     when healthchecker detects failure
     inhibit_on_failure 
          
     Script to launch when healthchecker
     considers service as up.
     notify_up <STRING>|<QUOTED-STRING> 
     Script to launch when healthchecker
     considers service as down.
     notify_down <STRING>|<QUOTED-STRING> 

     pick one healthchecker
     HTTP_GET|SSL_GET|TCP_CHECK|SMTP_CHECK|MISC_CHECK

     HTTP and SSL healthcheckers
     HTTP_GET|SSL_GET 
                  
         A url to test
         can have multiple entries here
         url {
           #eg path , or path /mrtg2/
           path <STRING> 
           healthcheck needs status_code
           or status_code and digest
           Digest computed with genhash
           eg digest 9b3a0c85a887a256d6939da88aabd8cd
           digest <STRING>
           status code returned in the HTTP header
           eg status_code 200
           status_code <INT>     
         
         #IP, tcp port for service on realserver 
         connect_port <PORT> 
         bindto <IPADDR>
         Timeout connection, sec
         connect_timeout <INT> 
         number of get retry
         nb_get_retry <INT> 
         delay before retry
         delay_before_retry <INT>
     #HTTP_GET|SSL_GET

     #TCP healthchecker (bind to IP port)
     TCP_CHECK 
     
         connect_port <PORT>
         bindto <IPADDR>
         connect_timeout <INT> 
     #TCP_CHECK
     SMTP healthchecker
     SMTP_CHECK
     {
         An optional host interface to check.
         If no host directives are present, only
         the ip address of the real server will
         be checked.
         host {
           IP address to connect to
           connect_ip <IP ADDRESS>
           Optional port to connect to if not
           the default of 25
           connect_port <PORT>
           Optional interface to use to
           originate the connection
           bindto <IP ADDRESS>
        }
        Connection and read/write timeout
        in seconds
        connect_timeout <INTEGER>
        Number of times to retry a failed check
        retry <INTEGER>
        Delay in seconds before retrying
        delay_before_retry <INTEGER>
        Optional string to use for the smtp HELO request
        helo_name <STRING>|<QUOTED-STRING>
     #SMTP_CHECK
     #MISC healthchecker, run a program
     MISC_CHECK 
     {
         External system script or program
         misc_path <STRING>|<QUOTED-STRING>
         Script execution timeout
         misc_timeout <INT>
         If set, exit code from healthchecker is used
         to dynamically adjust the weight as follows:
           exit status 0: svc check success, weight
             unchanged.
           exit status 1: svc check failed.
           exit status 2-255: svc check success, weight
             changed to 2 less than exit status.
           (for example: exit status of 255 would set
             weight to 253)
         misc_dynamic
     }
 realserver defn
 virtual service

Author

Joseph Mack.
Information derived from doc/keepalived.conf.SYNOPSIS, doc/samples/keepalived.conf.* and Changelog by Alexandre Cassen for keepalived-1.1.4, and from HOWTOs by Adam Fletcher and Vince Worthington.

See Also

ipvsadm(8), ip –help.

Leave a Reply

Your email address will not be published. Required fields are marked *