VRRP (Virtual Router Redundancy Protocol) can be implemented on Linux systems with keepalived.
keepalived can also be used to implement high availability (active/passive) or load balancing (active/active).
![](https://maxglaz.ca/wp-content/uploads/2023/11/image.png)
Four aspects need to be configured on a VRRP HA server: keepalived, iptables, sysctl and the service itself (rsyslog in this case).
Sysctl.
The host’s kernel needs to be configured to allow a process to bind to a non-local IP address and to enable IP routing.
```
# in /etc/sysctl.conf or similar
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1
```
Keepalived.
Sample configuration for Keepalived at server Balance1.
```
# Define the check first: keepalived looks up track_script names while it
# parses the vrrp_instance, so the vrrp_script block must come before it.
vrrp_script check_rsyslog {
    script "/usr/local/sbin/checkrsyslog.sh"
    interval 5       # 5s per check
    fall 2           # 2 fails - 10s
    rise 2           # 2 OKs - 10s
    #timeout 15      # wait up to 15 seconds for script before assuming fail
    #weight -10      # negative weight: reduce priority by 10 on fall
}

vrrp_instance VI_S1 {
    state MASTER            # (optional) initial state for this server
    interface eth1          # interface where VRRP traffic will exist
    advert_int 5            # how often we will vote (sec).
    virtual_router_id 71    # unique identifier per VRRP instance (same across all servers on the instance)
    priority 100            # server priority - higher number == higher priority
    # authentication for VRRP messages
    authentication {
        auth_type PASS      # simple authentication (plain)
        #auth_type AH       # good authentication
        auth_pass super_secure_password   # password (keepalived uses only the first 8 characters)
    }
    virtual_ipaddress {
        10.10.10.10/24 dev eth0   # Virtual IP address and interface assignment
    }
    track_script {
        check_rsyslog       # tracking script
    }
}
```
Notes:
- The VRRP instance will start as MASTER, meaning it will be the active server.
- VRRP traffic will go via the eth1 interface. We can use another interface, including the same interface the Virtual IP lives on.
- virtual_router_id and authentication must match across all nodes in the VRRP instance.
- track_script refers to the check defined under ‘vrrp_script check_rsyslog’, which points to a custom script that checks whether the HA service is live. If the script returns any value other than 0, the HA service is considered failed and the node will remove itself from the pool of eligible hosts that can be active. If it was the active server, then another node will become active.
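The page references /usr/local/sbin/checkrsyslog.sh but does not show it. One way to write such a tracking script, as an added example rather than the author's own script; it assumes rsyslog receives on UDP port 514 (overridable through the hypothetical RSYSLOG_PORT variable) and that `pidof` and `ss` are installed:

```shell
#!/bin/sh
# checkrsyslog.sh - health check run by keepalived's vrrp_script (added example).
# Exit status 0 = rsyslog healthy; any other value counts towards "fall".

PORT="${RSYSLOG_PORT:-514}"   # assumption: rsyslog receives syslog on UDP 514

# Read `ss -lun` output on stdin; succeed if any field ends in ":<port>".
# Matching on the ":<port>" suffix covers 0.0.0.0:514, [::]:514 and *:514
# without depending on the exact column layout of ss.
has_udp_listener() {
    awk -v port="$1" '
        { for (i = 1; i <= NF; i++) if ($i ~ (":" port "$")) found = 1 }
        END { exit !found }'
}

# Returns 1 if the rsyslogd process is missing, 2 if it is running but has
# no UDP listener on $PORT, and 0 if both checks pass.
check_rsyslog() {
    pidof rsyslogd >/dev/null 2>&1 || return 1
    ss -lun 2>/dev/null | has_udp_listener "$PORT" || return 2
    return 0
}

# Run the check only when invoked under the installed file name, so the
# functions above can also be loaded and exercised without side effects.
case "${0##*/}" in
    checkrsyslog.sh) check_rsyslog; exit $? ;;
esac
```

keepalived may run tracking scripts as root, so keep the file root-owned and writable only by root; `enable_script_security` in `global_defs` makes keepalived refuse root-run scripts whose path is writable by a non-root user.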
Iptables.
iptables needs to be configured so that the server accepts incoming traffic on the VRRP interface (eth1 in the sample configuration) from the other nodes of the VRRP instance, using protocol VRRP for auth_type PASS or protocol AH for auth_type AH:
```
-A <CHAIN> -s <OTHER_VRRP_INSTANCE_NODES> -p vrrp -j ACCEPT
-A <CHAIN> -s <OTHER_VRRP_INSTANCE_NODES> -p ah -j ACCEPT
```
Service.
Finally, the service needs to be set up to listen on the Virtual IP interface; in this case rsyslog was configured to bind to all interfaces.
And, of course, we need to start the keepalived service.
Sample configuration for Keepalived at server Balance2.
The configuration for the second server is almost identical to that of server Balance1, with a slight difference in the keepalived configuration: the initial state is set to BACKUP and the priority is decreased to make sure this server will be the backup server.
Here is the configuration fragment with the differences:
```
vrrp_instance VI_S1 {
    state BACKUP            # (optional) initial state for this server
    interface eth1          # interface where VRRP traffic will exist
    advert_int 5            # how often we will vote (sec).
    virtual_router_id 71    # unique identifier per VRRP instance (same across all servers on the instance)
    priority 50             # server priority - higher number == higher priority
    # (remaining settings are the same as on Balance1)
}
```