Keepalived implements VRRP (Virtual Router Redundancy Protocol) for Linux. It provides automatic failover by moving virtual IP addresses between multiple servers.
Concept
How VRRP works
             ┌─────────────┐
             │ Virtual IP  │
             │192.168.1.100│
             └──────┬──────┘
                    │
     ┌──────────────┴──────────────┐
     │                             │
┌────┴────┐                   ┌────┴────┐
│ Master  │                   │ Backup  │
│Priority │                   │Priority │
│   101   │                   │   100   │
│.1       │                   │.2       │
└─────────┘                   └─────────┘

Terms

| Term | Description |
|------|-------------|
| VIP | Virtual IP address |
| Master | Active server |
| Backup | Standby server |
| Priority | Priority (higher = master) |
| VRID | Virtual Router ID |
Installation

Debian/Ubuntu

apt install keepalived

CentOS/RHEL

dnf install keepalived

Service

systemctl enable --now keepalived

Basic configuration
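Master server

# /etc/keepalived/keepalived.conf
global_defs {
    router_id LVS_MASTER
    # Do not run scripts as root if any part of their path is writable by a non-root user
    enable_script_security
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 101
    advert_int 1
    authentication {
        auth_type PASS
        # Sent in cleartext in every advertisement; only the first 8 characters are used
        auth_pass secret123
    }
    virtual_ipaddress {
        192.168.1.100/24
    }
}

Backup server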

# /etc/keepalived/keepalived.conf
global_defs {
    router_id LVS_BACKUP
    enable_script_security
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass secret123
    }
    virtual_ipaddress {
        192.168.1.100/24
    }
}

Health checks
Script-based checks

# /etc/keepalived/keepalived.conf
vrrp_script chk_haproxy {
    script "/usr/bin/killall -0 haproxy"
    interval 2
    weight 2
    fall 2
    rise 2
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 101
    authentication {
        auth_type PASS
        auth_pass secret123
    }
    virtual_ipaddress {
        192.168.1.100/24
    }
    track_script {
        chk_haproxy
    }
}

Extended health check script

#!/bin/bash
# /etc/keepalived/check_service.sh
# HTTP check
if curl -s --connect-timeout 2 http://localhost/health | grep -q "OK"; then
    exit 0
else
    exit 1
fi

vrrp_script chk_service {
    script "/etc/keepalived/check_service.sh"
    interval 5
    weight -20
    fall 3
    rise 2
}

Interface tracking

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 101
    track_interface {
        eth0 weight -50
        eth1 weight -50
    }
    virtual_ipaddress {
        192.168.1.100/24
    }
}

Notify scripts
Scripts run on state changes

# /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 101
    virtual_ipaddress {
        192.168.1.100/24
    }
    notify_master "/etc/keepalived/notify.sh MASTER"
    notify_backup "/etc/keepalived/notify.sh BACKUP"
    notify_fault "/etc/keepalived/notify.sh FAULT"
}

Notify script

#!/bin/bash
# /etc/keepalived/notify.sh
STATE="$1"
INSTANCE="$2"
PRIORITY="$3"

case "$STATE" in
    "MASTER")
        echo "$(date): Becoming MASTER" >> /var/log/keepalived-state.log
        # Start the service
        systemctl start nginx
        ;;
    "BACKUP")
        echo "$(date): Becoming BACKUP" >> /var/log/keepalived-state.log
        # Stop the service (optional)
        ;;
    "FAULT")
        echo "$(date): FAULT state" >> /var/log/keepalived-state.log
        ;;
esac

Multiple VIPs
Multiple IPs in one instance

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 101
    virtual_ipaddress {
        192.168.1.100/24
        192.168.1.101/24
        192.168.1.102/24
    }
}

Multiple VRRP instances

vrrp_instance VI_WEB {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 101
    virtual_ipaddress {
        192.168.1.100/24
    }
}

vrrp_instance VI_DB {
    state BACKUP
    interface eth0
    virtual_router_id 52
    priority 100
    virtual_ipaddress {
        192.168.1.200/24
    }
}

Active-active setup

# Server 1
vrrp_instance VI_1 {
    state MASTER
    priority 101
    virtual_router_id 51
    virtual_ipaddress { 192.168.1.100/24 }
}
vrrp_instance VI_2 {
    state BACKUP
    priority 100
    virtual_router_id 52
    virtual_ipaddress { 192.168.1.101/24 }
}

# Server 2
vrrp_instance VI_1 {
    state BACKUP
    priority 100
    virtual_router_id 51
    virtual_ipaddress { 192.168.1.100/24 }
}
vrrp_instance VI_2 {
    state MASTER
    priority 101
    virtual_router_id 52
    virtual_ipaddress { 192.168.1.101/24 }
}

HAProxy + Keepalived
Complete setup

# /etc/keepalived/keepalived.conf (Server 1)
global_defs {
    router_id LB1
    enable_script_security
}

vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 2
    weight 2
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 101
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass haproxy_secret
    }
    virtual_ipaddress {
        192.168.1.100/24
    }
    track_script {
        chk_haproxy
    }
    notify_master "/etc/keepalived/notify.sh MASTER"
    notify_backup "/etc/keepalived/notify.sh BACKUP"
}

HAProxy configuration

# /etc/haproxy/haproxy.cfg
frontend http_front
    bind 192.168.1.100:80
    bind 192.168.1.100:443 ssl crt /etc/haproxy/certs/
    default_backend web_servers

backend web_servers
    balance roundrobin
    server web1 192.168.1.10:80 check
    server web2 192.168.1.11:80 check

Nginx + Keepalived
Health check for Nginx

vrrp_script chk_nginx {
    script "curl -s --connect-timeout 2 http://localhost/nginx_status || exit 1"
    interval 3
    weight -20
    fall 3
    rise 2
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 101
    virtual_ipaddress {
        192.168.1.100/24
    }
    track_script {
        chk_nginx
    }
}

Unicast VRRP
For networks without multicast

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 101
    # Unicast instead of multicast
    unicast_src_ip 192.168.1.1
    unicast_peer {
        192.168.1.2
    }
    virtual_ipaddress {
        192.168.1.100/24
    }
}

Sync groups
Synchronizing multiple instances

vrrp_sync_group VG1 {
    group {
        VI_WEB
        VI_DB
    }
    notify_master "/etc/keepalived/notify.sh MASTER"
    notify_backup "/etc/keepalived/notify.sh BACKUP"
}

vrrp_instance VI_WEB {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 101
    virtual_ipaddress { 192.168.1.100/24 }
}

vrrp_instance VI_DB {
    state MASTER
    interface eth0
    virtual_router_id 52
    priority 101
    virtual_ipaddress { 192.168.1.200/24 }
}

Troubleshooting
Checking status

# Check IP addresses
ip addr show eth0
# Keepalived status
systemctl status keepalived
# Logs
journalctl -u keepalived -f
tail -f /var/log/syslog | grep -i keepalived

Checking VRRP traffic

# Show VRRP packets
tcpdump -i eth0 -n vrrp
# Multicast group
tcpdump -i eth0 -n host 224.0.0.18

Common problems

# Split-brain (both nodes are master)
# → Check authentication
# → VRID must be identical
# → Check firewall rules

# VIP is not bound
# → Set net.ipv4.ip_nonlocal_bind = 1
# → Check interface name

# No failover
# → Check priority and track_script
# → Scripts must be executable

Firewall rules

# iptables
iptables -A INPUT -p vrrp -j ACCEPT
iptables -A INPUT -d 224.0.0.18 -j ACCEPT
# firewalld
firewall-cmd --add-protocol=vrrp --permanent
firewall-cmd --reload

Sysctl settings

# /etc/sysctl.d/99-keepalived.conf
# Allow services to bind to the VIP even when it is not assigned locally
net.ipv4.ip_nonlocal_bind = 1
# ARP settings
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2

sysctl -p /etc/sysctl.d/99-keepalived.conf

Summary

| Parameter | Description |
|-----------|-------------|
| state | MASTER or BACKUP |
| interface | Network interface |
| virtual_router_id | VRID (1-255) |
| priority | Priority (1-254) |
| advert_int | Advertisement interval |
| virtual_ipaddress | VIP(s) |

| Script parameter | Description |
|------------------|-------------|
| interval | Check interval |
| weight | Priority adjustment |
| fall | Failures until down |
| rise | Successes until up |

| Notify | Event |
|--------|-------|
| notify_master | Becomes master |
| notify_backup | Becomes backup |
| notify_fault | Fault state |
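
The split-brain causes named in the troubleshooting section (authentication, VRID) can be checked before deployment by comparing both nodes' configs. The following is an added example, not part of the original page or of Keepalived: `parse_instances` and `lint_pair` are hypothetical helpers, and the sample configs are constructed from the master/backup pair shown earlier.

```python
import re

# Constructed sample: this page's master instance, trimmed; BACKUP is derived from it.
MASTER = """
vrrp_instance VI_1 {
    virtual_router_id 51
    priority 101
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass secret123
    }
    virtual_ipaddress { 192.168.1.100/24 }
}
"""
BACKUP = MASTER.replace("priority 101", "priority 100")

def parse_instances(text):  # hypothetical helper: instance name -> settings + VIP set
    text = re.sub(r"[#!].*", "", text)                      # strip comments
    text = text.replace("{", " {\n").replace("}", "\n}\n")  # one brace per line
    instances, stack, cur = {}, [], None
    for words in filter(None, map(str.split, text.splitlines())):
        if words[-1] == "{":
            stack.append(words[0])
            if words[0] == "vrrp_instance":
                cur = instances.setdefault(words[1], {"vips": set()})
        elif words[0] == "}":
            cur = None if stack and stack.pop() == "vrrp_instance" else cur
        elif cur is not None and stack[-1] == "virtual_ipaddress":
            cur["vips"].add(words[0])
        elif cur is not None and len(words) > 1 and stack[-1] != "track_interface":
            cur[words[0]] = words[1]
    return instances

def lint_pair(conf_a, conf_b):  # hypothetical helper: findings never echo secrets
    a, b, findings = parse_instances(conf_a), parse_instances(conf_b), []
    for name in sorted(a.keys() & b.keys()):
        x, y = a[name], b[name]
        if any(len(i.get("auth_pass", "")) > 8 for i in (x, y)):
            findings.append(f"{name}: auth_pass is cut to its first 8 characters")
        for key in ("virtual_router_id", "advert_int", "auth_type", "auth_pass", "vips"):
            vx, vy = x.get(key), y.get(key)
            if key == "auth_pass":  # compare what keepalived actually uses
                vx, vy = (vx or "")[:8], (vy or "")[:8]
            if vx != vy:
                findings.append(f"{name}: {key} differs between nodes")
        if x.get("priority") == y.get("priority"):
            findings.append(f"{name}: both nodes have the same priority")
    return findings
```
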
Conclusion
Keepalived is the standard for IP-based failover on Linux. Combined with HAProxy or Nginx, it enables highly available load balancer setups. Health checks ensure that only working services hold the VIP. For critical infrastructure, Keepalived is indispensable.