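  • Keepalived on OpenStack: the VIP cannot be pinged between the two servers (ALLOWED-ADDRESS-PAIRS)

    I spent a really long time on this, and only after asking someone did I learn that it really was a Neutron problem.

    The precondition, of course, is that unicast is configured rather than the default setting.

    Posting this first; I'll add pictures later.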

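    [root@haproxy1 ~]# cat /etc/keepalived/keepalived.conf
    vrrp_instance VI_1 {
        state MASTER
        interface eth0
        virtual_router_id 51
        priority 200
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass 1111
        }
        # unicast VRRP: advertisements go only to the listed peer
        unicast_src_ip 10.0.0.121
        unicast_peer {
            10.0.0.122
        }
        # same VIP block as on haproxy2
        virtual_ipaddress {
            10.0.0.200/24 brd 10.0.0.255 dev eth0 label eth0:vip
        }
    }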

    ==== haproxy2

    [root@haproxy2 ~]# cat /etc/keepalived/keepalived.conf
    vrrp_instance VI_1 {
        # keepalived accepts MASTER or BACKUP here; SLAVE is not a valid state
        state BACKUP
        interface eth0
        virtual_router_id 51
        priority 100
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass 1111
        }
        unicast_src_ip 10.0.0.122
        unicast_peer {
            10.0.0.121
        }
        virtual_ipaddress {
            10.0.0.200/24 brd 10.0.0.255 dev eth0 label eth0:vip
        }
    }
    [root@haproxy2 ~]#

    Testing ARP

    # tcpdump -i eth0 vrrp -n
    The VIP shows up, but the VIP 10.0.0.200 still cannot be pinged.

    The problem lies in OpenStack's

    ALLOWED-ADDRESS-PAIRS

    https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/networking_guide/sec-allowed-address-pairs

    Allowed-address-pairs allow you to specify mac_address/ip_address (CIDR) pairs that pass through a port regardless of subnet. This enables the use of protocols such as VRRP, which floats an IP address between two instances to enable fast data plane failover.
    

      

    haproxy1
    | 59f73969-0126-4e87-b829-9ece9d905541 | | fa:16:3e:d8:70:a2 | {"subnet_id": "36350ca0-2734-44ca-9167-7713ff9925e2", "ip_address": "10.0.0.121"}
    
    haproxy2
    | 7b49f386-e908-42ac-89ef-dc9d977b37e5 | | fa:16:3e:4e:55:8b | {"subnet_id": "36350ca0-2734-44ca-9167-7713ff9925e2", "ip_address": "10.0.0.122"}
    set vip = 200
    
    ubuntu@p01-neutron-a1-e1c7g7:~$ neutron port-update 7b49f386-e908-42ac-89ef-dc9d977b37e5 --allowed-address-pairs type=dict list=true ip_address=10.0.0.200
    Updated port: 7b49f386-e908-42ac-89ef-dc9d977b37e5
    ubuntu@p01-neutron-a1-e1c7g7:~$

    And then it worked... really leaves me speechless.
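Allowed address pairs are an exception to the Neutron port's anti-spoofing filter, so each keepalived port should allow the VIP and nothing wider. The following added example (not from the original post) extracts the VIPs from a keepalived.conf and checks them against each port's pairs; the port names and records are constructed, and the `allowed_address_pairs` shape is assumed to match Neutron's port JSON.

```python
import ipaddress
import re

# Constructed sample: the virtual_ipaddress block from this page's keepalived.conf.
CONF = """
vrrp_instance VI_1 {
    unicast_src_ip 10.0.0.121
    virtual_ipaddress {
        10.0.0.200/24 brd 10.0.0.255 dev eth0 label eth0:vip
    }
}
"""

# Constructed port records (hypothetical names); allowed_address_pairs is assumed
# to be a list of {"ip_address": ...} dicts, as in Neutron's port JSON.
PORTS = [
    {"name": "haproxy1-port", "allowed_address_pairs": []},
    {"name": "haproxy2-port", "allowed_address_pairs": [{"ip_address": "10.0.0.200"}]},
    {"name": "wide-port", "allowed_address_pairs": [{"ip_address": "10.0.0.0/24"}]},
]

def keepalived_vips(conf_text):
    """Return the addresses listed in every virtual_ipaddress { } block."""
    vips = []
    for block in re.findall(r"virtual_ipaddress\s*\{([^}]*)\}", conf_text):
        for line in block.splitlines():
            line = line.split("#", 1)[0].strip()  # drop keepalived comments
            if line:
                # First token is addr/prefix; brd, dev and label are ignored.
                vips.append(ipaddress.ip_interface(line.split()[0]).ip)
    return vips

def audit_port(port, vips, max_addresses=1):
    """List VIPs the port does not allow and pairs wider than max_addresses."""
    nets = [ipaddress.ip_network(p["ip_address"], strict=False)
            for p in port.get("allowed_address_pairs", [])]
    findings = [f"missing VIP {v}" for v in vips if not any(v in n for n in nets)]
    findings += [f"overly broad pair {n}" for n in nets if n.num_addresses > max_addresses]
    return findings

def audit(conf_text, ports):
    """Map each port name to its findings for the VIPs in conf_text."""
    vips = keepalived_vips(conf_text)
    return {p["name"]: audit_port(p, vips) for p in ports}

if __name__ == "__main__":
    for name, findings in audit(CONF, PORTS).items():
        print(name, findings or "ok")
```

A port reported as missing the VIP will drop traffic for it once that node becomes master; a pair reported as overly broad lets the instance source traffic from addresses it has no reason to hold.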

    === Update: the constant failover problem

    [root@haproxy1 ~]# cat /etc/keepalived/keepalived.conf
    vrrp_instance VI_1 {
        state BACKUP   # set every node to BACKUP and let priority decide who is master, so the VIP does not jump back to the original master after it comes back up
        interface eth0
        virtual_router_id 51
        priority 50  # has issue so always make it secondary
        advert_int 1
        nopreempt    # prevents the VIP from failing back after this node has become master
        authentication {
            auth_type PASS
            auth_pass 1111
        }
        unicast_src_ip 10.0.0.121
        unicast_peer {
            10.0.0.122
        }
        virtual_ipaddress {
            10.0.0.200/24 brd 10.0.0.255  dev eth0 label eth0:vip
        }
    }
    

      

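    Reference

    https://blog.51cto.com/13590999/2096701

    nopreempt        # set to non-preemptive. Note: this option can only be set on the backup host, and that host's priority must be higher than the other one's

    But!!!! The master cannot be set to nopreempt.

    So the solution is: do not configure a master, and set every node to backup. With everyone a backup, nopreempt can be added on all of them, and even after the LB that originally became master breaks and is repaired, it will not preempt the master role.

    Normally, when the master service dies, the backup becomes master; but when the master service recovers, the master takes the VIP back. That causes two switchovers, which is bad for a busy site. So we add nopreempt (non-preemptive) to the configuration file, but this parameter can only be used when state is backup. For that reason, when setting up HA it is best to set the state of both master and backup to backup and let them compete through priority.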

  • Original article: https://www.cnblogs.com/gray13/p/11690590.html