keepalived (5) - Linux Manuals

keepalived: configuration file for keepalived

NAME

/etc/keepalived/keepalived.conf - configuration file for keepalived

DESCRIPTION

keepalived.conf is the configuration file which describes all the keepalived keywords. keywords are placed in hierachies of blocks (and subblocks), each layer being delimited by '{' and '}' pairs.

Comments start with '#' or '!' to the end of the line and can start anywhere in a line.

TOP HIERACHY

GLOBAL CONFIGURATION

VRRPD CONFIGURATION

LVS CONFIGURATION

GLOBAL CONFIGURATION

contains subblocks of Global definitions and Static routes

Global definitions

 global_defs           # Block id
 { 
 notification_email    # To:
  {
  admin [at] example1.com 
  ...
  }
 # From: from address that will be in header
 notification_email_from admin [at] example.com 
 smtp_server 127.0.0.1   # IP
 smtp_connect_timeout 30 # integer, seconds
 router_id my_hostname   # string identifying the machine,
                   # (doesn't have to be hostname).
 }

Static routes/addresses

keepalived can configure static addresses and routes with ip (ie if addresses are not already on the machine). These addresses are NOT moved by vrrpd, they stay on the machine. If you already have IPs and routes on your machines and your machines can ping each other, you don't need this section.

The whole string is fed to ip addr add. You can truncate the string anywhere you like and let ip addr add use defaults for the rest of the string. If you just feed the string "192.168.1.1", the IP will be 192.168.1.1/32, which you probably don't want. This is different to ifconfig which will configure the IP with the standard class, here 192.168.1.1/24. The minimum string then would be the IP/netmask, eg 192.168.1.1/24

 static_ipaddress
 {
 192.168.1.1/24 brd + dev eth0 scope global
 ...
 }

The whole string is fed to ip route add. You can truncate the string allowing ip route add to use defaults.

 static_routes
 {
 src $SRC_IP to $DST_IP dev $SRC_DEVICE 
 ...
 src $SRC_IP to $DST_IP via $GW dev $SRC_DEVICE
 }

VRRPD CONFIGURATION

contains subblocks of VRRP synchronization group(s) and VRRP instance(s)

VRRP synchronization group(s)

 #string, name of group of IPs that failover together
 vrrp_sync_group VG_1 { 
 group {
inside_network   # name of vrrp_instance (below) 
outside_network  # One for each moveable IP. 
... 
 }
 
 # notify scripts and alerts are optional
 #
 # filenames of scripts to run on transitions
 # can be unquoted (if just filename) 
 # or quoted (if has parameters)
 # to MASTER transition
 notify_master /path/to_master.sh 
 # to BACKUP transition
 notify_backup /path/to_backup.sh 
 # FAULT transition 
 notify_fault "/path/fault.sh VG_1" 
 # for ANY state transition.
 # "notify" script is called AFTER the 
 # notify_* script(s) and is executed 
 # with 3 arguments provided by keepalived
 # (ie don't include parameters in the notify line).
 # arguments
 # $1 = "GROUP"|"INSTANCE"
 # $2 = name of group or instance
 # $3 = target state of transition 
 #     ("MASTER"|"BACKUP"|"FAULT")
 notify /path/notify.sh 
 # Send email notifcation during state transition, 
 # using addresses in global_defs above.
 smtp_alert
 }

VRRP instance(s)

describes the moveable IP for each instance of a group in vrrp_sync_group. Here are described two IPs (on inside_network and on outside_network), on machine "my_hostname", which belong to the group VG_1 and which will transition together on any state change.

 #You will need to write another block for outside_network.
 vrrp_instance inside_network {
 # Initial state, MASTER|BACKUP
 # As soon as the other machine(s) come up, 
 # an election will be held and the machine 
 # with the highest "priority" will become MASTER.
 # So the entry here doesn't matter a whole lot.
 state MASTER
 # interface for inside_network, bound by vrrp
 interface eth0
 # Ignore VRRP interface faults (default unset)
 dont_track_primary
 # optional, monitor these as well. 
 # go to FAULT state if any of these go down.
 track_interface {
eth0 
eth1 
...
 }
 #default IP for binding vrrpd is the primary IP 
 #on interface. If you want to hide location of vrrpd, 
 #use this IP as src_addr for multicast vrrp packets.
 #(since it's multicast, vrrpd will get the reply 
 #packet no matter what src_addr is used).
 #optional
 mcast_src_ip <IPADDR> 
 # Binding interface for lvs syncd
 lvs_sync_daemon_interface eth1 
 # delay for gratuitous ARP after transition to MASTER
 garp_master_delay 10 # secs, default 5 
 # arbitary unique number 0..255
 # used to differentiate multiple instances of vrrpd
 # running on the same NIC (and hence same socket).
 virtual_router_id 51
 # for electing MASTER, highest priority wins.
 # to be MASTER, make 50 more than other machines.
 priority 100
 # VRRP Advert interval, secs (use default)
 advert_int 1
 authentication {     # Authentication block
  # PASS||AH
  # PASS - Simple Passwd (suggested) 
  # AH - IPSEC (not recommended))
  auth_type PASS
  # Password for accessing vrrpd.
  # should be the same for all machines.
  auth_pass 1234
 #addresses add|del on change to MASTER, to BACKUP.
 #With the same entries on other machines,
 #the opposite transition will be occuring.
 virtual_ipaddress {
  <IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE> label <LABEL>
  192.168.200.17/24 dev eth1
  192.168.200.18/24 dev eth2 label eth2:1
 }
 #VRRP IP excluded from VRRP
 #optional.
 #For cases with large numbers (eg 200) of IPs 
 #on the same interface. To decrease the number 
 #of packets sent in adverts, you can exclude 
 #most IPs from adverts.
 #The IPs are add|del as for virtual_ipaddress.
 virtual_ipaddress_excluded { 
  <IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE> 
  <IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE>
  ...
 }
 # routes add|del when changing to MASTER, to BACKUP
 virtual_routes {
  # src <IPADDR> [to] <IPADDR>/<MASK> via|gw <IPADDR> dev <STRING> scope <SCOPE> tab
  src 192.168.100.1 to 192.168.109.0/24 via 192.168.200.254 dev eth1
  192.168.110.0/24 via 192.168.200.254 dev eth1
  192.168.111.0/24 dev eth2
  192.168.112.0/24 via 192.168.100.254
 }
 # VRRP will normally preempt a lower priority
 # machine when a higher priority machine comes
 # online.  "nopreempt" allows the lower priority
 # machine to maintain the master role, even when
 # a higher priority machine comes back online.
 # NOTE: For this to work, the initial state of this
 # entry must be BACKUP.
 nopreempt
 # Seconds after startup until preemption
 # (if not disabled by "nopreempt").
 # Range: 0 (default) to 1,000
 # NOTE: For this to work, the initial state of this
 # entry must be BACKUP.
 preempt_delay 300    # waits 5 minutes
 # Debug level, not implemented yet.
 debug
 # notify scripts, alert as above
 notify_master <STRING>|<QUOTED-STRING>
 notify_backup <STRING>|<QUOTED-STRING>
 notify_fault <STRING>|<QUOTED-STRING> 
 notify <STRING>|<QUOTED-STRING> 
 smtp_alert 
 }

LVS CONFIGURATION

contains subblocks of Virtual server group(s) and Virtual server(s)

The subblocks contain arguments for ipvsadm(8). A knowlege of ipvsadm(8) will be helpful here.

Virtual server group(s)

 # optional
 # this groups allows a service on a real_server 
 # to belong to multiple virtual services 
 # and to be only health checked once.
 # Only for very large LVSs.
 virtual_server_group <STRING> {
  #VIP port
  <IPADDR> <PORT> 
  <IPADDR> <PORT>
  ...
  #
  # <IPADDR RANGE> has the form 
  # XXX.YYY.ZZZ.WWW-VVV eg 192.168.200.1-10 
  # range includes both .1 and .10 address
  <IPADDR RANGE> <PORT># VIP range VPORT
  <IPADDR RANGE> <PORT>
  ...
  fwmark <INT>  # fwmark
  fwmark <INT>
  ... }

Virtual server(s)

A virtual_server can be a declaration of one of

vip vport (IPADDR PORT pair)

fwmark <INT>

(virtual server) group <STRING>

 #setup service
 virtual_server IP port |
 virtual_server fwmark int |
 virtual_server group string
 {
 # delay timer for service polling
 delay_loop <INT> 
 # LVS scheduler 
 lb_algo rr|wrr|lc|wlc|lblc|sh|dh 
 # LVS forwarding method
 lb_kind NAT|DR|TUN 
 # LVS persistence timeout, sec
 persistence_timeout <INT> 
 # LVS granularity mask (-M in ipvsadm)
 persistence_granularity <NETMASK> 
 # Only TCP is implemented
 protocol TCP 
 # If VS IP address is not set, 
 # suspend healthchecker's activity
 ha_suspend
 
 # VirtualHost string for HTTP_GET or SSL_GET
 # eg virtualhost www.firewall.loc
 virtualhost <STRING>                
 # Assume silently all RSs down and healthchecks
 # failed on start. This helps preventing false
 # positive actions on startup. Alpha mode is
 # disabled by default.
 alpha
 # On daemon shutdown, consider quorum and RS
 # down notifiers for execution, where appropriate.
 # Omega mode is disabled by default.
 omega
 # Minimum total weight of all live servers in
 # the pool necessary to operate VS with no
 # quality regression. Defaults to 1.
 quorum <INT>
 # Tolerate this much weight units compared to the
 # nominal quorum, when considering quorum gain
 # or loss. A flap dampener. Defaults to 0.
 hysteresis <INT>
 # Script to launch when quorum is gained.
 quorum_up <STRING>|<QUOTED-STRING>
 # Script to launch when quorum is lost.
 quorum_down <STRING>|<QUOTED-STRING>
 # setup realserver(s)
 # RS to add when all realservers are down
 sorry_server <IPADDR> <PORT>
 
 # one entry for each realserver     

 real_server <IPADDR> <PORT> 
 {
     # relative weight to use, default: 1
     weight <INT> 
     # Set weight to 0
     # when healthchecker detects failure
     inhibit_on_failure 
          
     # Script to launch when healthchecker
     # considers service as up.
     notify_up <STRING>|<QUOTED-STRING> 
     # Script to launch when healthchecker
     # considers service as down.
     notify_down <STRING>|<QUOTED-STRING> 

     # pick one healthchecker
     # HTTP_GET|SSL_GET|TCP_CHECK|SMTP_CHECK|MISC_CHECK

     # HTTP and SSL healthcheckers
     HTTP_GET|SSL_GET 
     {              
         # A url to test
         # can have multiple entries here
         url {
           #eg path / , or path /mrtg2/
           path <STRING> 
           # healthcheck needs status_code
           # or status_code and digest
           # Digest computed with genhash
           # eg digest 9b3a0c85a887a256d6939da88aabd8cd
           digest <STRING>
           # status code returned in the HTTP header
           # eg status_code 200
           status_code <INT>     
         } 
         #IP, tcp port for service on realserver 
         connect_port <PORT> 
         bindto <IPADDR>
         # Timeout connection, sec
         connect_timeout <INT> 
         # number of get retry
         nb_get_retry <INT> 
         # delay before retry
         delay_before_retry <INT>
     } #HTTP_GET|SSL_GET

     #TCP healthchecker (bind to IP port)
     TCP_CHECK 
     { 
         connect_port <PORT>
         bindto <IPADDR>
         connect_timeout <INT> 
     } #TCP_CHECK
     # SMTP healthchecker
     SMTP_CHECK
     {
         # An optional host interface to check.
         # If no host directives are present, only
         # the ip address of the real server will
         # be checked.
         host {
           # IP address to connect to
           connect_ip <IP ADDRESS>
           # Optional port to connect to if not
           # the default of 25
           connect_port <PORT>
           # Optional interface to use to
           # originate the connection
           bindto <IP ADDRESS>
        }
        # Connection and read/write timeout
        # in seconds
        connect_timeout <INTEGER>
        # Number of times to retry a failed check
        retry <INTEGER>
        # Delay in seconds before retrying
        delay_before_retry <INTEGER>
        # Optional string to use for the smtp HELO request
        helo_name <STRING>|<QUOTED-STRING>
     } #SMTP_CHECK
     #MISC healthchecker, run a program
     MISC_CHECK 
     {
         # External system script or program
         misc_path <STRING>|<QUOTED-STRING>
         # Script execution timeout
         misc_timeout <INT>
         # If set, exit code from healthchecker is used
         # to dynamically adjust the weight as follows:
         #   exit status 0: svc check success, weight
         #     unchanged.
         #   exit status 1: svc check failed.
         #   exit status 2-255: svc check success, weight
         #     changed to 2 less than exit status.
         #   (for example: exit status of 255 would set
         #     weight to 253)
         misc_dynamic
     }
 } # realserver defn
 } # virtual service

AUTHOR

Joseph Mack.
Information derived from doc/keepalived.conf.SYNOPSIS, doc/samples/keepalived.conf.* and Changelog by Alexandre Cassen for keepalived-1.1.4, and from HOWTOs by Adam Fletcher and Vince Worthington.