Symptom:

Hostname        director-A         director-B
IP              192.168.14.128     192.168.14.131
Default role    MASTER             BACKUP
Priority        90                 80

VIP: 192.168.14.201

keepalived was started on the master node first and on the backup node afterwards. Both nodes then ended up holding the VIP.

keepalived_1.png

keepalived_2.png

Analysis and resolution:

Expected behaviour: once keepalived starts on the master it sends VRRP advertisements (multicast to 224.0.0.18 by default); when keepalived then starts on the backup, which sits in the same broadcast domain, it receives them, stays in BACKUP state and keeps listening for the MASTER's advertisements.

The first check was the backup node's /var/log/messages. keepalived entered BACKUP state first (the expected behaviour given keepalived.conf), but about 4 s later the VRRP instance transitioned to MASTER, which must not happen while the real master is alive. The 4 s figure is itself telling: assuming the default advert_int of 1 s (keepalived.conf is not shown), a BACKUP with priority 80 declares the master dead after 3 × 1 s + (256 − 80)/256 s ≈ 3.7 s without an advertisement, so the backup never saw a single one.

keepalived_3.png

A BACKUP instance promotes itself to MASTER when that interval passes without an advertisement from the MASTER. Yet a tcpdump on the backup node's physical NIC shows the advertisements from 192.168.14.128 arriving. tcpdump captures at the link layer, before the netfilter INPUT hook, so the packets are entering the kernel; what the capture cannot show is whether they are ever delivered to keepalived's socket. Packets that are visible to tcpdump but never reach the process point to something on the host discarding them between the NIC and the socket, and on Linux that means the packet filter or a mandatory access control policy.

keepalived_4.png
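The following added example (not code from the original post or from keepalived) decodes the kind of advertisement tcpdump is capturing here, checks its checksum the way a receiver would, and computes the master-down timer that explains the roughly 4 s delay seen in the log. The VRID (51) and the packet bytes are constructed; the VIP, the two priorities and the 1 s advertisement interval (keepalived's default, since keepalived.conf is not shown) are the values the post works with.

```python
"""Decode a VRRPv2 advertisement (RFC 3768) and derive the BACKUP takeover timer.

Added example, not code from the original post. The packet bytes and the VRID
(51) are constructed here; the VIP 192.168.14.201, priorities 90/80 and the
default 1 s advertisement interval are the values the post works with.
"""
import ipaddress
import struct

VRRP_PROTO = 112            # IPv4 protocol number of every VRRP packet
VRRP_MCAST = "224.0.0.18"   # destination of every advertisement (link-local multicast)
VRRP_TTL = 255              # receivers must discard adverts that arrive with any other TTL

def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; 0 over a full packet means it verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_advert(vrid, priority, vips, adver_int=1):
    """VRRPv2 ADVERTISEMENT: ver/type, vrid, prio, count, auth type 0, adver int, csum, IPs, 8 auth bytes."""
    body = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips), 0, adver_int, 0)
    body += b"".join(ipaddress.IPv4Address(v).packed for v in vips) + b"\x00" * 8
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]

def parse_advert(pkt):
    """Validate and decode an advert; raises ValueError where a receiver would drop it."""
    if len(pkt) < 16:
        raise ValueError("shorter than a minimal VRRPv2 advert")
    vt, vrid, prio, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if vt != ((2 << 4) | 1):
        raise ValueError("not a VRRPv2 ADVERTISEMENT (ver/type 0x%02x)" % vt)
    if len(pkt) != 8 + 4 * count + 8:
        raise ValueError("length %d inconsistent with count_ip_addrs=%d" % (len(pkt), count))
    if inet_checksum(pkt) != 0:
        raise ValueError("checksum mismatch")
    vips = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "adver_int": adver_int,
            "auth_type": auth_type, "vips": vips}

def master_down_interval(backup_priority, adver_int=1):
    """Seconds a BACKUP waits with no advert before becoming MASTER (RFC 3768 section 6.1):
    3 * Advertisement_Interval + Skew_Time, with Skew_Time = (256 - Priority) / 256."""
    return 3 * adver_int + (256 - backup_priority) / 256

if __name__ == "__main__":
    adv = parse_advert(build_advert(51, 90, ["192.168.14.201"]))
    print("MASTER advert:", adv)
    print("BACKUP (prio 80) takes over after %.3f s of silence" % master_down_interval(80))
```

master_down_interval(80) is 3.6875 s, which matches the roughly 4 s gap between the BACKUP and MASTER transitions in the log; a single advertisement getting through would have reset that timer. The checksum check on a modified packet is the same test a receiver applies before acting on an advertisement, which is why a filter has to drop these packets outright rather than alter them to cause the symptom described.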

So the next things to check are SELinux and the iptables rules.

```
[root@director-B keepalived]# getenforce
Enforcing
# SELinux is enforcing. Its policy is strict and a misconfiguration easily disrupts a service, which is why it is so often disabled outright.
# SELinux has three modes: enforcing (policy applied), permissive (violations only logged) and disabled.
[root@director-B keepalived]# vim /etc/selinux/config
SELINUX=disabled    # set this to disabled, save, and reboot
```

Nothing seen so far actually implicates SELinux, and disabling it is a permanent, host-wide change. Switching it to permissive for the duration of the test (setenforce 0) and looking for AVC denials against keepalived in the audit log would confirm or rule it out first; if there are none, it can stay enforcing.

Tracing the iptables rules showed that the default rule set only lets SSH (TCP 22) and ICMP through:

```
[root@director-A ~]# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  471 44874 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  192 14016 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   19  1456 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   19  1456 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   19  1456 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
   18  1404 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited   ## default: reject everything else and tell the sender the host is prohibited
[root@director-B ~]# iptables -vnL INPUT_direct
Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
[root@director-B ~]# iptables -vnL INPUT_ZONES_SOURCE
Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination
[root@director-B ~]# iptables -vnL INPUT_ZONES
Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
   55  4210 IN_public  all  --  ens33  *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]
[root@director-B ~]# iptables -vnL IN_public
Chain IN_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
   28  2158 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   28  2158 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   28  2158 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ## allows ICMP
[root@director-B ~]# iptables -vnL IN_public_log
Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination
[root@director-B ~]# iptables -vnL IN_public_deny
Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination
[root@director-B ~]# iptables -vnL IN_public_allow
Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW   ## allows SSH
```

From another client, 192.168.14.129, an attempt to connect to port 80 on the backup node shows the same mechanism at work: a capture on the client sees the ICMP host-prohibited notification that the final REJECT rule sends back.

keepalived_5.png
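To confirm that this REJECT rule is what both the client's port-80 attempt and the VRRP advertisements run into, the following added example (not code from the original post or from iptables) walks packets through the chain structure dumped above, following jumps and [goto] the way netfilter does. It also shows the single targeted ACCEPT rule that would let the advertisements through, as a least-privilege alternative to flushing the whole table. The rule dump is the page's own output with prompts, header rows and comments stripped; the packet descriptions (VRRP is IP protocol 112 to 224.0.0.18, the client and interface names from the post) are constructed.

```python
"""Trace a packet through the iptables chains dumped above (added example, not
code from the original post). SAMPLE_DUMP is that `iptables -vnL` output with
prompts, header rows and comments stripped; the packet fields are constructed
(VRRP is IP protocol 112 to 224.0.0.18, RFC 3768)."""
import ipaddress

SAMPLE_DUMP = """
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
  471 44874 ACCEPT     all  --  *      *  0.0.0.0/0  0.0.0.0/0  ctstate RELATED,ESTABLISHED
  192 14016 ACCEPT     all  --  lo     *  0.0.0.0/0  0.0.0.0/0
   19  1456 INPUT_direct        all  --  *  *  0.0.0.0/0  0.0.0.0/0
   19  1456 INPUT_ZONES_SOURCE  all  --  *  *  0.0.0.0/0  0.0.0.0/0
   19  1456 INPUT_ZONES         all  --  *  *  0.0.0.0/0  0.0.0.0/0
    0     0 DROP       all  --  *      *  0.0.0.0/0  0.0.0.0/0  ctstate INVALID
   18  1404 REJECT     all  --  *      *  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited
Chain INPUT_direct (1 references)
Chain INPUT_ZONES_SOURCE (1 references)
Chain INPUT_ZONES (1 references)
   55  4210 IN_public  all  --  ens33  *  0.0.0.0/0  0.0.0.0/0  [goto]
    0     0 IN_public  all  --  +      *  0.0.0.0/0  0.0.0.0/0  [goto]
Chain IN_public (2 references)
   28  2158 IN_public_log    all  --  *  *  0.0.0.0/0  0.0.0.0/0
   28  2158 IN_public_deny   all  --  *  *  0.0.0.0/0  0.0.0.0/0
   28  2158 IN_public_allow  all  --  *  *  0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *  0.0.0.0/0  0.0.0.0/0
Chain IN_public_log (1 references)
Chain IN_public_deny (1 references)
Chain IN_public_allow (1 references)
    1    52 ACCEPT     tcp  --  *      *  0.0.0.0/0  0.0.0.0/0  tcp dpt:22 ctstate NEW
"""

def parse_rule(line):  # -vnL row: pkts bytes target prot opt in out source destination [matches]
    t = line.split()
    rule = {"target": t[2], "prot": t[3], "in": t[5], "src": t[7], "dst": t[8],
            "ctstate": None, "dport": None, "goto": False}
    extra, i = t[9:], 0
    while i < len(extra):
        if extra[i] == "ctstate":
            rule["ctstate"], i = set(extra[i + 1].split(",")), i + 2
        elif extra[i] in ("tcp", "udp") and extra[i + 1].startswith("dpt:"):
            rule["dport"], i = int(extra[i + 1][4:]), i + 2
        elif extra[i] == "reject-with":   # a target option, not a match
            i += 2
        elif extra[i] == "[goto]":
            rule["goto"], i = True, i + 1
        else:                             # never guess at a match we do not model
            raise ValueError("unsupported match in: " + line)
    return rule

def parse_dump(text):
    """Return {chain: (policy, rules)}; policy is None for user-defined chains."""
    chains, cur = {}, None
    rows = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.strip().startswith("pkts")]
    for line in rows:
        if line.startswith("Chain "):     # "Chain INPUT (policy ACCEPT ...)" / "Chain X (1 references)"
            t = line.split()
            cur = t[1]
            chains[cur] = (t[3] if t[2] == "(policy" else None, [])
        else:
            chains[cur][1].append(parse_rule(line))
    return chains

def matches(rule, pkt):
    """Columns we model; '*' and '+' both mean any interface."""
    return ((rule["prot"] == "all" or rule["prot"] in pkt["proto"])
            and (rule["in"] in ("*", "+") or rule["in"] == pkt["in"])
            and all(ipaddress.ip_address(pkt[k]) in ipaddress.ip_network(rule[k], strict=False)
                    for k in ("src", "dst"))
            and (rule["ctstate"] is None or pkt["ctstate"] in rule["ctstate"])
            and (rule["dport"] is None or pkt.get("dport") == rule["dport"]))

def trace(chains, pkt, name="INPUT", trail=None):
    """Netfilter traversal (jump = call, [goto] = tail call); returns (verdict, matched steps)."""
    trail = [] if trail is None else trail
    policy, rules = chains[name]
    for rule in rules:
        if not matches(rule, pkt):
            continue
        trail.append("%s -> %s" % (name, rule["target"]))
        if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"], trail
        if rule["target"] == "RETURN":
            return None, trail
        verdict = trace(chains, pkt, rule["target"], trail)[0]
        if verdict is not None or rule["goto"]:   # goto: a fall-through skips the rest of THIS chain
            return (policy if verdict is None else verdict), trail
    return policy, trail                          # None (implicit RETURN) for user chains

def vrrp_advert(iface="ens33"):
    """A VRRPv2 advert as INPUT sees it on the BACKUP. Adverts are one-way multicast, so conntrack
    never sees a reply: every advert is ctstate NEW and the RELATED,ESTABLISHED rule never helps."""
    return {"proto": {"vrrp", "112"}, "in": iface, "src": "192.168.14.128",
            "dst": "224.0.0.18", "ctstate": "NEW"}

def allow_vrrp(chains):
    """Targeted fix, the equivalent of `iptables -I IN_public_allow -p vrrp -d 224.0.0.18 -j ACCEPT`."""
    chains["IN_public_allow"][1].insert(0, parse_rule("0 0 ACCEPT vrrp -- * * 0.0.0.0/0 224.0.0.18"))
```

trace(parse_dump(SAMPLE_DUMP), vrrp_advert()) returns 'REJECT' with INPUT -> REJECT as the final step, after the advert has fallen through IN_public and its three sub-chains without matching anything: the same REJECT that answers the client's port-80 attempt with icmp-host-prohibited, while a ping or an SSH connection from that client is accepted. After allow_vrrp the verdict becomes ACCEPT from IN_public_allow and nothing else in the filter changes. The parser refuses rows with match extensions it does not model instead of guessing, so extend matches() before trusting it on a richer rule set.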

This chain layout is the system default: INPUT_direct, INPUT_ZONES and the IN_public_* chains are the ones firewalld builds for its zones. It is far more elaborate than this two-node setup needs, and most of the chains are empty, so the approach taken here was to flush all the rules, delete the extra chains and let everything through. Note that the dump itself already shows the minimal alternative: the advertisements are IP protocol 112 (VRRP) sent to 224.0.0.18, and a single ACCEPT rule for that traffic in IN_public_allow would let keepalived work while leaving the rest of the filter intact.

 

```
[root@director-B ~]# iptables -F    # flush every rule in the filter table
[root@director-B ~]# iptables -X    # delete every user-defined chain in the filter table (the built-in chains stay)
```
 

With that the problem is gone: only the MASTER node holds the VIP, and VIP failover between the two nodes works.

The VIP problem is solved, but the iptables question is not: none of the rules above appear in /etc/sysconfig/iptables, yet they are recreated on every reboot, and edits to /etc/sysconfig/iptables-config are reverted after a reboot as well. Some component in the boot sequence is regenerating them and still has to be tracked down. The chain names point at the culprit: they are the ones firewalld creates, and firewalld manages its own rule set without reading /etc/sysconfig/iptables, which is only consulted by the iptables-services unit, so checking whether the firewalld service is enabled (systemctl status firewalld) is the place to start.