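12.6.2 Keepalived + HAProxy Load-Balancing High Availability

A Keepalived + HAProxy high-availability pair carries ingress traffic and removes the single point of failure: HAProxy handles layer 4/7 forwarding and backend health checks, while Keepalived floats a VIP over VRRP to switch between master and backup. A typical topology is two HAProxy nodes in a master/backup pair, a front-end VIP that serves clients, and several application instances as backends.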

Installation and basic configuration example

Assumed environment:
- HAProxy-1: 10.0.0.21 (MASTER)
- HAProxy-2: 10.0.0.22 (BACKUP)
- VIP: 10.0.0.100/24
- NIC: eth0

1) Install the packages

# Run on both HAProxy nodes
sudo yum install -y keepalived haproxy

# Or on Ubuntu/Debian
# sudo apt-get update && sudo apt-get install -y keepalived haproxy

2) HAProxy configuration (/etc/haproxy/haproxy.cfg)

global
  log /dev/log local0
  maxconn 4096

defaults
  log global
  mode http
  timeout connect 5s
  timeout client  30s
  timeout server  30s

frontend fe_http
  bind 0.0.0.0:80
  default_backend be_web

backend be_web
  option httpchk GET /health
  http-check expect status 200
  balance roundrobin
  server web1 10.0.0.11:80 check inter 2000 rise 2 fall 3
  server web2 10.0.0.12:80 check inter 2000 rise 2 fall 3

Start and verify:

sudo systemctl enable --now haproxy
sudo ss -lntp | grep ':80 '
# Expected: haproxy listening on 0.0.0.0:80

3) Keepalived configuration (/etc/keepalived/keepalived.conf)

MASTER node (10.0.0.21)

global_defs {
  router_id LVS_MASTER
}

vrrp_script chk_haproxy {
  script "/etc/keepalived/check_haproxy.sh"
  interval 2
  weight -30
  fall 2
  rise 2
}

vrrp_instance VI_1 {
  state MASTER
  interface eth0
  virtual_router_id 51
  priority 120
  advert_int 1
  preempt_delay 5
  authentication {
    auth_type PASS
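    # Sample value: set your own secret, identical on both nodes.
    # PASS authentication travels in cleartext inside VRRP advertisements.
    auth_pass 123456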
  }
  virtual_ipaddress {
    10.0.0.100/24
  }
  track_script {
    chk_haproxy
  }
}

BACKUP node (10.0.0.22)

global_defs {
  router_id LVS_BACKUP
}

vrrp_script chk_haproxy {
  script "/etc/keepalived/check_haproxy.sh"
  interval 2
  weight -30
  fall 2
  rise 2
}

vrrp_instance VI_1 {
  state BACKUP
  interface eth0
  virtual_router_id 51
  priority 100
  advert_int 1
  preempt_delay 5
  authentication {
    auth_type PASS
    # Sample value: must match the auth_pass on the MASTER node.
    auth_pass 123456
  }
  virtual_ipaddress {
    10.0.0.100/24
  }
  track_script {
    chk_haproxy
  }
}

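4) Keepalived health check script

#!/bin/bash
# /etc/keepalived/check_haproxy.sh
# Purpose: check the HAProxy process and the local port; on failure Keepalived lowers this node's priority
# -x matches the process name exactly, so this script (check_haproxy.sh) does not match itself
if ! pgrep -x haproxy >/dev/null; then
  exit 1
fi
# Match port 80 exactly; a bare ":80" would also match ":8080"
if ! ss -lnt | grep -qE ':80[[:space:]]'; then
  exit 1
fi
exit 0

Make the script executable and start Keepalived:

sudo chmod +x /etc/keepalived/check_haproxy.sh
sudo systemctl enable --now keepalived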

Verify VIP failover:

# Check on the MASTER
ip a | grep 10.0.0.100
# Expected: the MASTER holds the VIP

# Stop keepalived on the MASTER to test the switchover
sudo systemctl stop keepalived

# Check on the BACKUP
ip a | grep 10.0.0.100
# Expected: the BACKUP holds the VIP

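Key directives explained

  • virtual_router_id: identifier of the VRRP instance group; it must be identical on master and backup.
  • priority: the higher the value, the more preferred the node is as MASTER.
  • preempt_delay: delays preemption after the MASTER recovers, to avoid frequent switchovers.
  • track_script: when the script returns non-zero, the node's priority is lowered by the configured weight, which triggers failover.
  • option httpchk: HAProxy runs HTTP health checks against the backends.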
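
How the check script and the track_script weight combine into a failover decision can be modelled offline. The following is an added example, not part of the original page: it uses the page's priorities (120/100) and weight (-30), constructed `ss -lnt` output and hypothetical function names, and it covers negative weights only.

```bash
#!/bin/bash
# Added example: offline model of the failover decision for the two nodes above.
# Function names are hypothetical; only negative track_script weights are modelled.

# port_listening PORT: reads `ss -lnt` output on stdin and succeeds only if a
# listening socket's local address ends in exactly :PORT (":8080" is not ":80").
port_listening() {
  awk -v p="$1" '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
                 END { exit !found }'
}

# effective_priority BASE WEIGHT CHECK_OK: priority the node advertises.
# While the check fails keepalived adds the negative weight; the floor is 1.
effective_priority() {
  local p=$1
  [ "$3" -eq 1 ] || p=$(( $1 + $2 ))
  [ "$p" -ge 1 ] || p=1
  echo "$p"
}

# vip_holder MASTER_PRIO BACKUP_PRIO WEIGHT MASTER_OK BACKUP_OK
# The backup takes over only when its priority is strictly higher than the
# priority the current master advertises, so a tie leaves the VIP in place.
vip_holder() {
  local m b
  m=$(effective_priority "$1" "$3" "$4")
  b=$(effective_priority "$2" "$3" "$5")
  if [ "$b" -gt "$m" ]; then echo BACKUP; else echo MASTER; fi
}

# Constructed sample: HAProxy is down on the master, another service is on 8080.
SS_MASTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

master_ok=0
if printf '%s\n' "$SS_MASTER" | port_listening 80; then master_ok=1; fi

echo "master check ok:         $master_ok"
echo "weight -30 (page value): $(vip_holder 120 100 -30 "$master_ok" 1)"
echo "weight -20 (tie at 100): $(vip_holder 120 100 -20 "$master_ok" 1)"
```

With the page's values the failed master drops to 90 and the backup at 100 takes over; a weight of -20 only ties at 100, so the VIP would stay on a node whose HAProxy is down.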

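Troubleshooting and common problems

1) VIP does not fail over

# Check whether VRRP multicast/unicast traffic is being blocked
tcpdump -ni eth0 vrrp
# Expected: VRRP packets are visible (proto 112)

2) Keepalived in an abnormal state

journalctl -u keepalived -f
# Watch for "Entering MASTER/BACKUP" and the script return codes

3) HAProxy health check false positives

# Verify the backend health URL
curl -I http://10.0.0.11/health
# If the status is not 200, adjust the httpchk path or the application's health endpoint

4) Split-brain risk
- Make sure master and backup can reach each other over the network and that VRRP packets get through.
- If the switch has multicast disabled, switch to unicast mode (keepalived supports unicast configuration).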

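Drills and exercises

1) Failover drill
- Stop the haproxy process on the MASTER: sudo systemctl stop haproxy
- Check whether the BACKUP takes over the VIP, then access http://10.0.0.100

2) Health check tuning
- Change httpchk to /status and provide that endpoint on the backends.
- Watch the HAProxy stats or logs to confirm the state change.

3) Load-balancing strategy comparison
- Change balance roundrobin to leastconn and compare how requests are distributed under high concurrency.

4) Failure recovery
- After restoring the MASTER's services, check whether the VIP switches back, and adjust preempt_delay to verify its effect.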