Linux
當 Firewalld 執行時,Keepalived 腦裂
我正在使用 keepalived 在兩個 Alma 8 Nginx 伺服器之間提供可用性(如果有任何相關性,則託管在 VMWare 上)。啟用 firewalld 後,儘管為 VRRP 設置了豐富的規則,但當我啟動 firewalld 時,兩台主機都開始響應虛擬 IP:
root@dca-nfs01:~# arping 172.31.5.233 60 bytes from 00:50:56:84:ac:d0 (172.31.5.233): index=39 time=1.960 usec 60 bytes from 00:50:56:84:ac:d0 (172.31.5.233): index=40 time=20.660 usec 60 bytes from 00:50:56:84:52:ed (172.31.5.233): index=41 time=24.930 usec 60 bytes from 00:50:56:84:ac:d0 (172.31.5.233): index=42 time=534.616 msec 60 bytes from 00:50:56:84:52:ed (172.31.5.233): index=43 time=534.646 msec
我的 keepalived 配置取自標準教程模板,如下所示:
[root@dca-ngx01-al ~]# cat /etc/keepalived/keepalived.conf global_defs { # Keepalived process identifier router_id nginx } # Script to check whether Nginx is running or not vrrp_script check_nginx { script "/sbin/pidof nginx" interval 2 weight 50 } # Virtual interface - The priority specifies the order in which the assigned interface to take over in a failover vrrp_instance VI_01 { state MASTER interface ens192 virtual_router_id 151 priority 110 # The virtual ip address shared between the two NGINX Web Server which will float virtual_ipaddress { 172.31.5.233 } track_script { check_nginx } authentication { auth_type AH auth_pass secret } }
兩個盒子都有一個簡單的單區防火牆,我添加了一個豐富的規則來允許兩台主機之間的 VRRP 通信:
[root@dca-ngx01-al ~]# firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: ens192 sources: services: dhcpv6-client http https ssh ports: 10050/tcp protocols: forward: no masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: rule protocol value="vrrp" accept
我也
net.ipv4.ip_forward = 1
入了/etc/sysctl.conf
。當firewalld在兩個盒子上都停止時,keepalived行為正確,但是當啟用時,雙方似乎失去了聯繫,只是重複發送免費的ARP數據包:
● keepalived.service - LVS and VRRP High Availability Monitor Loaded: loaded (/usr/lib/systemd/system/keepalived.service; enabled; vendor preset: disabled) Active: active (running) since Fri 2022-03-25 12:48:25 GMT; 2h 35min ago Process: 7140 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS) Process: 12966 ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS (code=exited, status=0/SUCCESS) Main PID: 12967 (keepalived) Tasks: 2 (limit: 11406) Memory: 1.8M CGroup: /system.slice/keepalived.service ├─12967 /usr/sbin/keepalived -D └─12968 /usr/sbin/keepalived -D Mar 25 15:08:15 dca-ngx01-al.REDACTED.local Keepalived_vrrp[12968]: Sending gratuitous ARP on ens192 for 172.31.5.233 Mar 25 15:08:15 dca-ngx01-al.REDACTED.local Keepalived_vrrp[12968]: Sending gratuitous ARP on ens192 for 172.31.5.233 Mar 25 15:08:15 dca-ngx01-al.REDACTED.local Keepalived_vrrp[12968]: Sending gratuitous ARP on ens192 for 172.31.5.233 Mar 25 15:08:15 dca-ngx01-al.REDACTED.local Keepalived_vrrp[12968]: Sending gratuitous ARP on ens192 for 172.31.5.233 Mar 25 15:08:18 dca-ngx01-al.REDACTED.local Keepalived_vrrp[12968]: (VI_01) Sending/queueing gratuitous ARPs on ens192 for 1> Mar 25 15:08:18 dca-ngx01-al.REDACTED.local Keepalived_vrrp[12968]: Sending gratuitous ARP on ens192 for 172.31.5.233 Mar 25 15:08:18 dca-ngx01-al.REDACTED.local Keepalived_vrrp[12968]: Sending gratuitous ARP on ens192 for 172.31.5.233 Mar 25 15:08:18 dca-ngx01-al.REDACTED.local Keepalived_vrrp[12968]: Sending gratuitous ARP on ens192 for 172.31.5.233 Mar 25 15:08:18 dca-ngx01-al.REDACTED.local Keepalived_vrrp[12968]: Sending gratuitous ARP on ens192 for 172.31.5.233 Mar 25 15:08:18 dca-ngx01-al.REDACTED.local Keepalived_vrrp[12968]: Sending gratuitous ARP on ens192 for 172.31.5.233
然而,我可以通過使用 TCPDump 看到,當 firewalld 處於活動狀態時,來自其他主機的正常 VRRP 數據包至少會到達網路介面:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes 15:25:21.532300 IP dca-ngx02-al.REDACTED.local > vrrp.mcast.net: AH(spi=0xac1f05e5,seq=0x3160): VRRPv2, Advertisement, vrid 151, prio 150, authtype ah, intvl 1s, length 20 15:25:22.532419 IP dca-ngx02-al.REDACTED.local > vrrp.mcast.net: AH(spi=0xac1f05e5,seq=0x3161): VRRPv2, Advertisement, vrid 151, prio 150, authtype ah, intvl 1s, length 20 15:25:23.532476 IP dca-ngx02-al.REDACTED.local > vrrp.mcast.net: AH(spi=0xac1f05e5,seq=0x3162): VRRPv2, Advertisement, vrid 151, prio 150, authtype ah, intvl 1s, length 20 15:25:24.532544 IP dca-ngx02-al.REDACTED.local > vrrp.mcast.net: AH(spi=0xac1f05e5,seq=0x3163): VRRPv2, Advertisement, vrid 151, prio 150, authtype ah, intvl 1s, length 20
有人對我如何進一步解決此問題有任何想法嗎?
提前致謝。
今天早上我已經弄清楚了問題的原因是什麼,以防將來對某人有所幫助。我啟用
LogDenied=all
了/etc/firewalld/firewalld.conf
,然後能夠使用交換機辨識防火牆仍在丟棄哪些數據包--get-log-denied
:[root@dca-ngx02-al keepalived]# firewall-cmd --get-log-denied Mar 28 08:40:04 dca-ngx01-al.REDACTED.local kernel: FINAL_REJECT: IN=ens192 OUT= MAC=01:00:5e:00:00:12:00:50:56:84:ac:d0:08:00 SRC=172.31.5.229 DST=224.0.0.18 LEN=64 TOS=0x00 PREC=0xC0 TTL=255 ID=79 PROTO=AH SPI=0xac1f05e5 Mar 28 08:40:05 dca-ngx01-al.REDACTED.local kernel: FINAL_REJECT: IN=ens192 OUT= MAC=01:00:5e:00:00:12:00:50:56:84:ac:d0:08:00 SRC=172.31.5.229 DST=224.0.0.18 LEN=64 TOS=0x00 PREC=0xC0 TTL=255 ID=80 PROTO=AH SPI=0xac1f05e5
我通過為 AH 多播數據包添加後續防火牆規則解決了這個問題。
firewall-cmd --add-rich-rule='rule protocol value="ah" accept' --permanent