KEEPALIVED.CONF(5)            File Formats Manual           KEEPALIVED.CONF(5)

NAME

       /etc/keepalived/keepalived.conf - configuration file for keepalived

DESCRIPTION

       keepalived.conf is the configuration file which describes all the
       keepalived keywords. Keywords are placed in hierarchies of blocks (and
       subblocks), each layer being delimited by '{' and '}' pairs.

       Comments start with '#' or '!' and run to the end of the line; they
       can start anywhere in a line.

TOP HIERARCHY

       GLOBAL CONFIGURATION

       VRRPD CONFIGURATION

       LVS CONFIGURATION

GLOBAL CONFIGURATION

       contains subblocks of Global definitions and Static routes

Global definitions

        global_defs           # Block id
        {
        notification_email    # To:
               {
               admin@example1.com
               ...
               }
        # From: from address that will be in header
        notification_email_from admin@example.com
        smtp_server 127.0.0.1        # IP
        smtp_connect_timeout 30      # integer, seconds
        router_id my_hostname        # string identifying the machine,
                                     # (doesn't have to be hostname).
        vrrp_mcast_group4 224.0.0.18 # optional, default 224.0.0.18
        vrrp_mcast_group6 ff02::12   # optional, default ff02::12
        enable_traps                 # enable SNMP traps
        }

Static routes/addresses

       keepalived can configure static addresses and routes. These addresses
       are NOT moved by vrrpd, they stay on the machine. If you already have
       IPs and routes on your machines and your machines can ping each other,
       you don't need this section.

       The syntax is the same as for virtual addresses and virtual routes.

        static_ipaddress
        {
        192.168.1.1/24 dev eth0 scope global
        ...
        }

        static_routes
        {
        192.168.2.0/24 via 192.168.1.100 dev eth0
        ...
        }

VRRPD CONFIGURATION

       contains subblocks of VRRP synchronization group(s) and VRRP
       instance(s)

VRRP synchronization group(s)

        #string, name of group of IPs that failover together
        vrrp_sync_group VG_1 {
           group {
             inside_network   # name of vrrp_instance (below)
             outside_network  # One for each moveable IP.
             ...
           }

           # notify scripts and alerts are optional
           #
           # filenames of scripts to run on transitions
           # can be unquoted (if just filename)
           # or quoted (if has parameters)
           # to MASTER transition
           notify_master /path/to_master.sh
           # to BACKUP transition
           notify_backup /path/to_backup.sh
           # FAULT transition
           notify_fault "/path/fault.sh VG_1"

           # for ANY state transition.
           # "notify" script is called AFTER the
           # notify_* script(s) and is executed
           # with 3 arguments provided by keepalived
           # (ie don't include parameters in the notify line).
           # arguments
           # $1 = "GROUP"|"INSTANCE"
           # $2 = name of group or instance
           # $3 = target state of transition
           #     ("MASTER"|"BACKUP"|"FAULT")
           notify /path/notify.sh

           # Send email notification during state transition,
           # using addresses in global_defs above.
           smtp_alert
        }

VRRP instance(s)

       describes the moveable IP for each instance of a group in
       vrrp_sync_group. Here are described two IPs (on inside_network and on
       outside_network), on machine "my_hostname", which belong to the group
       VG_1 and which will transition together on any state change.

        #You will need to write another block for outside_network.
        vrrp_instance inside_network {
           # Initial state, MASTER|BACKUP
           # As soon as the other machine(s) come up,
           # an election will be held and the machine
           # with the highest "priority" will become MASTER.
           # So the entry here doesn't matter a whole lot.
           state MASTER

           # interface for inside_network, bound by vrrp
           interface eth0

           # Use VRRP Virtual MAC.
           use_vmac <VMAC_INTERFACE>

           # Send/Recv VRRP messages from base interface instead of
           # VMAC interface
           vmac_xmit_base

           # Ignore VRRP interface faults (default unset)
           dont_track_primary

           # optional, monitor these as well.
           # go to FAULT state if any of these go down.
           track_interface {
             eth0
             eth1
             ...
           }

           # default IP for binding vrrpd is the primary IP
           # on interface. If you want to hide location of vrrpd,
           # use this IP as src_addr for multicast or unicast vrrp
           # packets. (since it's multicast, vrrpd will get the reply
           # packet no matter what src_addr is used).
           # optional
           mcast_src_ip <IPADDR>
           unicast_src_ip <IPADDR>

           # Do not send VRRP adverts over VRRP multicast group.
           # Instead it sends adverts to the following list of
           # ip addresses using unicast design fashion. It can
           # be cool to use VRRP FSM and features in a networking
           # environment where multicast is not supported !
           # IP Addresses specified can be IPv4 as well as IPv6
           unicast_peer {
             <IPADDR>
             ...
           }

           # Binding interface for lvs syncd
           lvs_sync_daemon_interface eth1

           # delay for gratuitous ARP after transition to MASTER
           garp_master_delay 10 # secs, default 5

           # arbitrary unique number 0..255
           # used to differentiate multiple instances of vrrpd
           # running on the same NIC (and hence same socket).
           virtual_router_id 51

           # for electing MASTER, highest priority wins.
           # to be MASTER, make 50 more than other machines.
           priority 100

           # VRRP Advert interval, secs (use default)
           advert_int 1
           authentication {     # Authentication block
               # PASS|AH
               # PASS - Simple Passwd (suggested)
               # AH - IPSEC (not recommended)
               auth_type PASS
               # Password for accessing vrrpd.
               # should be the same for all machines.
               # Only the first eight (8) characters are used.
               auth_pass 1234
           }

           #addresses add|del on change to MASTER, to BACKUP.
           #With the same entries on other machines,
           #the opposite transition will be occurring.
           virtual_ipaddress {
               <IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE> label <LABEL>
               192.168.200.17/24 dev eth1
               192.168.200.18/24 dev eth2 label eth2:1
           }

           #VRRP IP excluded from VRRP
           #optional.
           #For cases with large numbers (eg 200) of IPs
           #on the same interface. To decrease the number
           #of packets sent in adverts, you can exclude
           #most IPs from adverts.
           #The IPs are add|del as for virtual_ipaddress.
           virtual_ipaddress_excluded {
            <IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE>
            <IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE>
               ...
           }
           # routes add|del when changing to MASTER, to BACKUP
           virtual_routes {
               # src <IPADDR> [to] <IPADDR>/<MASK> via|gw <IPADDR> [or <IPADDR>] dev <STRING> scope <SCOPE> tab
               src 192.168.100.1 to 192.168.109.0/24 via 192.168.200.254 dev eth1
               192.168.110.0/24 via 192.168.200.254 dev eth1
               192.168.111.0/24 dev eth2
               192.168.112.0/24 via 192.168.100.254
               192.168.113.0/24 via 192.168.200.254 or 192.168.100.254 dev eth1
               blackhole 192.168.114.0/24
           }

           # VRRP will normally preempt a lower priority
           # machine when a higher priority machine comes
           # online.  "nopreempt" allows the lower priority
           # machine to maintain the master role, even when
           # a higher priority machine comes back online.
           # NOTE: For this to work, the initial state of this
           # entry must be BACKUP.
           nopreempt

           # Seconds after startup until preemption
           # (if not disabled by "nopreempt").
           # Range: 0 (default) to 1,000
           # NOTE: For this to work, the initial state of this
           # entry must be BACKUP.
           preempt_delay 300    # waits 5 minutes

           # Debug level, not implemented yet.
           debug

           # notify scripts, alert as above
           notify_master <STRING>|<QUOTED-STRING>
           notify_backup <STRING>|<QUOTED-STRING>
           notify_fault <STRING>|<QUOTED-STRING>
           notify <STRING>|<QUOTED-STRING>
           smtp_alert
        }
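       Several vrrp_instance notes above can be checked mechanically: only
       the first eight characters of auth_pass are used, virtual_router_id
       is a unique number 0..255 per NIC, and nopreempt / preempt_delay need
       the initial state BACKUP. The following is an added example, not part
       of the original man page or of keepalived itself: a small Python
       parser for the '{' / '}' block and '#' / '!' comment syntax described
       here. The function names, rule labels and sample config are
       assumptions made for this example.

```python
import re

def tokenize(text):
    """Words, braces and line ends. '#' or '!' starts a comment anywhere in a
    line (simplification: also inside a quoted string)."""
    tokens = []
    for line in text.splitlines():
        code = re.split(r"[#!]", line, maxsplit=1)[0]
        tokens += re.findall(r'"[^"]*"|[{}]|[^\s{}"]+', code) + ["\n"]
    return tokens

def parse(tokens, pos=0):
    """Tree of [words, children]; children is None for a plain keyword line."""
    items, words = [], []
    while pos < len(tokens):
        tok, pos = tokens[pos], pos + 1
        if tok not in ("{", "}", "\n"):
            words.append(tok)
            continue
        if words:
            items.append([words, None])
            words = []
        if tok == "{":
            children, pos = parse(tokens, pos)
            if not items or items[-1][1] is not None:
                items.append([[], None])       # brace without a keyword
            items[-1][1] = children            # attach to the keyword before '{'
        elif tok == "}":
            break
    return items, pos

def leaves(items):
    """Map each plain keyword line to its first argument ('' if none)."""
    return {w[0]: (w[1:] or [""])[0] for w, c in items if w and c is None}

def audit(text):
    """Return (instance, rule) pairs for the vrrp_instance notes in the man page."""
    findings, seen = [], {}
    for words, children in parse(tokenize(text))[0]:
        if words[:1] != ["vrrp_instance"] or children is None:
            continue
        name, leaf = " ".join(words[1:]), leaves(children)
        auth = leaves(next((c for w, c in children if w == ["authentication"] and c), []))
        if len(auth.get("auth_pass", "").strip('"')) > 8:   # only 8 characters are used
            findings.append((name, "auth-pass-truncated"))
        vrid = leaf.get("virtual_router_id", "")
        if not vrid.isdecimal() or int(vrid) > 255:         # must be 0..255
            findings.append((name, "bad-vrid"))
        elif seen.setdefault((leaf.get("interface"), vrid), name) != name:
            findings.append((name, "duplicate-vrid"))       # id reused on the same NIC
        if {"nopreempt", "preempt_delay"} & leaf.keys() and leaf.get("state") != "BACKUP":
            findings.append((name, "preempt-needs-backup"))
    return findings

# Constructed sample input for this example (not taken from the man page).
SAMPLE = """
vrrp_instance inside_network {
    state MASTER
    interface eth0
    virtual_router_id 51
    nopreempt                          # needs initial state BACKUP
    authentication {
        auth_pass CorrectHorseBattery  # 19 characters, 8 are used
    }
}
vrrp_instance outside_network          ! '{' may sit on the next line
{
    state BACKUP
    interface eth0
    virtual_router_id 51               # same id as inside_network on eth0
    preempt_delay 300
}
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```
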

LVS CONFIGURATION

       contains subblocks of Virtual server group(s) and Virtual server(s)

       The subblocks contain arguments for ipvsadm(8). A knowledge of
       ipvsadm(8) will be helpful here.

Virtual server group(s)

        # optional
        # this group allows a service on a real_server
        # to belong to multiple virtual services
        # and to be only health checked once.
        # Only for very large LVSs.
        virtual_server_group <STRING> {
               #VIP port
               <IPADDR> <PORT>
               <IPADDR> <PORT>
               ...
               #
               # <IPADDR RANGE> has the form
               # XXX.YYY.ZZZ.WWW-VVV eg 192.168.200.1-10
               # range includes both .1 and .10 address
               <IPADDR RANGE> <PORT> # VIP range VPORT
               <IPADDR RANGE> <PORT>
               ...
               fwmark <INT>  # fwmark
               fwmark <INT>
               ...
        }

Virtual server(s)

       A virtual_server can be a declaration of one of

       vip vport (IPADDR PORT pair)

       fwmark <INT>

       (virtual server) group <STRING>

                  #setup service
                  virtual_server IP port |
                  virtual_server fwmark int |
                  virtual_server group string
                  {
                  # delay timer for service polling
                  delay_loop <INT>

                  # LVS scheduler
                  lb_algo rr|wrr|lc|wlc|lblc|sh|dh
                  # Enable One-Packet-Scheduling for UDP (-O in ipvsadm)
                  ops
                  # LVS forwarding method
                  lb_kind NAT|DR|TUN
                  # LVS persistence timeout, sec
                  persistence_timeout <INT>
                  # LVS granularity mask (-M in ipvsadm)
                  persistence_granularity <NETMASK>
                  # Only TCP is implemented
                  protocol TCP
                  # If VS IP address is not set,
                  # suspend healthchecker's activity
                  ha_suspend

                  # VirtualHost string for HTTP_GET or SSL_GET
                  # eg virtualhost www.firewall.loc
                  virtualhost <STRING>

                  # Assume silently all RSs down and healthchecks
                  # failed on start. This helps prevent false
                  # positive actions on startup. Alpha mode is
                  # disabled by default.
                  alpha

                  # On daemon shutdown, consider quorum and RS
                  # down notifiers for execution, where appropriate.
                  # Omega mode is disabled by default.
                  omega

                  # Minimum total weight of all live servers in
                  # the pool necessary to operate VS with no
                  # quality regression. Defaults to 1.
                  quorum <INT>

                  # Tolerate this many weight units compared to the
                  # nominal quorum, when considering quorum gain
                  # or loss. A flap dampener. Defaults to 0.
                  hysteresis <INT>

                  # Script to launch when quorum is gained.
                  quorum_up <STRING>|<QUOTED-STRING>

                  # Script to launch when quorum is lost.
                  quorum_down <STRING>|<QUOTED-STRING>


                  # setup realserver(s)

                  # RS to add when all realservers are down
                  sorry_server <IPADDR> <PORT>
                  # applies inhibit_on_failure behaviour to the
                  # preceding sorry_server directive
                  sorry_server_inhibit

                  # one entry for each realserver
                  real_server <IPADDR> <PORT>
                     {
                         # relative weight to use, default: 1
                         weight <INT>
                         # Set weight to 0
                         # when healthchecker detects failure
                         inhibit_on_failure

                         # Script to launch when healthchecker
                         # considers service as up.
                         notify_up <STRING>|<QUOTED-STRING>
                         # Script to launch when healthchecker
                         # considers service as down.
                         notify_down <STRING>|<QUOTED-STRING>

                         # pick one healthchecker
                         # HTTP_GET|SSL_GET|TCP_CHECK|SMTP_CHECK|MISC_CHECK

                         # HTTP and SSL healthcheckers
                         HTTP_GET|SSL_GET
                         {
                             # A url to test
                             # can have multiple entries here
                             url {
                               #eg path / , or path /mrtg2/
                               path <STRING>
                               # healthcheck needs status_code
                               # or status_code and digest
                               # Digest computed with genhash
                               # eg digest 9b3a0c85a887a256d6939da88aabd8cd
                               digest <STRING>
                               # status code returned in the HTTP header
                               # eg status_code 200
                               status_code <INT>
                             }
                             # number of GET retries
                             nb_get_retry <INT>
                             # delay before retry
                             delay_before_retry <INT>

                             # ======== generic connection options
                             # Optional IP address to connect to.
                             # The default is real server's IP
                             connect_ip <IP ADDRESS>
                             # Optional port to connect to.
                             # The default is real server's port
                             connect_port <PORT>
                             # Optional interface to use to
                             # originate the connection
                             bindto <IP ADDRESS>
                             # Optional source port to
                             # originate the connection from
                             bind_port <PORT>
                             # Optional connection timeout in seconds.
                             # The default is 5 seconds
                             connect_timeout <INTEGER>
                             # Optional fwmark to mark all outgoing
                             # checker packets with
                             fwmark <INTEGER>

                             # Optional random delay to begin initial check for
                             # maximum N seconds.
                             # Useful to scatter multiple simultaneous
                             # checks to the same RS. Enabled by default, with
                             # the maximum at delay_loop. Specify 0 to disable
                             warmup <INT>
                         } #HTTP_GET|SSL_GET

                         #TCP healthchecker (bind to IP port)
                         TCP_CHECK
                         {
                             # ======== generic connection options
                             # Optional IP address to connect to.
                             # The default is real server's IP
                             connect_ip <IP ADDRESS>
                             # Optional port to connect to.
                             # The default is real server's port
                             connect_port <PORT>
                             # Optional interface to use to
                             # originate the connection
                             bindto <IP ADDRESS>
                             # Optional source port to
                             # originate the connection from
                             bind_port <PORT>
                             # Optional connection timeout in seconds.
                             # The default is 5 seconds
                             connect_timeout <INTEGER>
                             # Optional fwmark to mark all outgoing
                             # checker packets with
                             fwmark <INTEGER>

                             # Optional random delay to begin initial check for
                             # maximum N seconds.
                             # Useful to scatter multiple simultaneous
                             # checks to the same RS. Enabled by default, with
                             # the maximum at delay_loop. Specify 0 to disable
                             warmup <INT>
                         } #TCP_CHECK

                         # SMTP healthchecker
                         SMTP_CHECK
                         {
                             # An optional host interface to check.
                             # If no host directives are present, only
                             # the ip address of the real server will
                             # be checked.
                             host {
                               # ======== generic connection options
                               # Optional IP address to connect to.
                               # The default is real server's IP
                               connect_ip <IP ADDRESS>
                               # Optional port to connect to if not
                               # the default of 25
                               connect_port <PORT>
                               # Optional interface to use to
                               # originate the connection
                               bindto <IP ADDRESS>
                               # Optional source port to
                               # originate the connection from
                               bind_port <PORT>
                               # Optional per-host connection timeout.
                               # Default is outer-scope connect_timeout
                               connect_timeout <INTEGER>
                               # Optional fwmark to mark all outgoing
                               # checker packets with
                               fwmark <INTEGER>
                            }
                            # Connection and read/write timeout
                            # in seconds. The default is 5 seconds
                            connect_timeout <INTEGER>
                            # Number of times to retry a failed check
                            retry <INTEGER>
                            # Delay in seconds before retrying
                            delay_before_retry <INTEGER>
                            # Optional string to use for the smtp HELO request
                            helo_name <STRING>|<QUOTED-STRING>

                            # Optional random delay to begin initial check for
                            # maximum N seconds.
                            # Useful to scatter multiple simultaneous
                            # checks to the same RS. Enabled by default, with
                            # the maximum at delay_loop. Specify 0 to disable
                            warmup <INT>
                         } #SMTP_CHECK

                         #MISC healthchecker, run a program
                         MISC_CHECK
                         {
                             # External system script or program
                             misc_path <STRING>|<QUOTED-STRING>
                             # Script execution timeout
                             misc_timeout <INT>

                             # Optional random delay to begin initial check for
                             # maximum N seconds.
                             # Useful to scatter multiple simultaneous
                             # checks to the same RS. Enabled by default, with
                             # the maximum at delay_loop. Specify 0 to disable
                             warmup <INT>

                             # If set, exit code from healthchecker is used
                             # to dynamically adjust the weight as follows:
                             #   exit status 0: svc check success, weight
                             #     unchanged.
                             #   exit status 1: svc check failed.
                             #   exit status 2-255: svc check success, weight
                             #     changed to 2 less than exit status.
                             #   (for example: exit status of 255 would set
                             #     weight to 253)
                             misc_dynamic
                         }
                     } # realserver defn
                  } # virtual service

AUTHOR

       Joseph Mack.
       Information derived from doc/keepalived.conf.SYNOPSIS,
       doc/samples/keepalived.conf.* and Changelog by Alexandre Cassen for
       keepalived-1.1.4, and from HOWTOs by Adam Fletcher and Vince
       Worthington.

SEE ALSO

       ipvsadm(8), ip --help.

4th Berkeley Distribution          Jan 2004                 KEEPALIVED.CONF(5)