KEEPALIVED.CONF(5)            File Formats Manual            KEEPALIVED.CONF(5)


NAME
    keepalived.conf - configuration file for Keepalived

DESCRIPTION
    keepalived.conf is the configuration file which describes all the
    Keepalived keywords. Keywords are placed in hierarchies of blocks and
    subblocks, each layer being delimited by '{' and '}' pairs.

    Comments start with '#' or '!' and run to the end of the line; they can
    start anywhere in a line.

    The keyword 'include' allows inclusion of other configuration files
    from within the main configuration file.

    <BOOL> is one of on|off|true|false|yes|no

    Any configuration line that starts with '@' is a conditional
    configuration line. The word immediately following the '@' character
    (with no intervening space) is compared against the string specified
    with the -i command line option; if they do not match, the
    configuration line is ignored.

    The purpose of this is to allow a single configuration file to be used
    for multiple systems, where the only differences are likely to be the
    router_id, vrrp instance priorities, and possibly interface names.

    For example:

        global_defs
        {
            @main router_id main_router
            @backup router_id backup_router
        }

    If keepalived is invoked with -i main, then the router_id will be set
    to main_router; if invoked with -i backup, then backup_router; if not
    invoked with -i, or with -i anything else, then the router_id will not
    be set.
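    The following shell script is an added example, not part of keepalived
    or of this manual page: it applies the '@' rule described above to a
    configuration read from standard input, so the lines keepalived would
    keep for a given -i value can be previewed before the daemon is
    started. It assumes (the manual does not say) that whitespace before
    the '@' is skipped and that the '@word' tag itself is removed from a
    line that is kept.

```sh
#!/bin/sh
# Added example, not part of keepalived: emulate the '@' conditional-line
# rule so the effect of "keepalived -i <id>" on a config can be previewed.
# Assumptions (not stated in the manual): leading whitespace before '@' is
# skipped, and the '@word' tag is removed from the lines that are kept.
# Usage: filter_conf <id> < keepalived.conf      (an empty id means "no -i")
filter_conf() {
    awk -v id="$1" '
        /^[ \t]*@/ {
            line = $0
            sub(/^[ \t]*@/, "", line)            # strip indent and the "@"
            tag = line
            sub(/[ \t].*$/, "", tag)             # tag = word directly after "@"
            if (tag != id) next                  # tag does not match -i: drop line
            sub(/^[^ \t]+[ \t]*/, "", line)      # keep the rest of the line
            print line
            next
        }
        { print }                                # unconditional line: pass through
    '
}

# Constructed sample, mirroring the router_id example in the manual.
SAMPLE_CONF='global_defs
{
@main router_id main_router
@backup router_id backup_router
}'

# filter_sample <id>: apply the filter to the sample configuration.
filter_sample() {
    printf '%s\n' "$SAMPLE_CONF" | filter_conf "$1"
}
```

    Running `filter_sample main` leaves only `router_id main_router` inside
    the block; `filter_sample ""` (no -i) drops both tagged lines, which is
    why router_id is then not set at all.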

TOP HIERARCHY
    GLOBAL CONFIGURATION

    VRRPD CONFIGURATION

    LVS CONFIGURATION

GLOBAL CONFIGURATION
    contains subblocks of Global definitions, Static routes, and Static
    rules

  Global definitions
    global_defs                         # Block id
    {
        notification_email              # To:
        {
            admin@example1.com
            ...
        }
        # From: from address that will be in the header
        # (default keepalived@<local host name>)
        notification_email_from admin@example.com
        smtp_server 127.0.0.1 [<PORT>]  # IP address or domain name
                                        # with optional port number (default 25)
        smtp_helo_name <HOST_NAME>      # name to use in HELO messages
                                        # defaults to local host name
        smtp_connect_timeout 30         # integer, seconds
        router_id my_hostname           # string identifying the machine
                                        # (doesn't have to be the hostname).
                                        # default: local host name
        vrrp_mcast_group4 224.0.0.18    # optional, default 224.0.0.18
        vrrp_mcast_group6 ff02::12      # optional, default ff02::12
        default_interface p33p1.3       # sets the default interface for static
                                        # addresses, default eth0

        lvs_sync_daemon <INTERFACE> <VRRP_INSTANCE> [id <SYNC_ID>] [maxlen <LEN>] [port <PORT>] [ttl <TTL>] [group <IP ADDR>]
                                        # Binding interface, vrrp instance and
                                        # optional syncid for lvs syncd
                                        # syncid (0 to 255) for lvs syncd
                                        # maxlen (1..65507) maximum packet length
                                        # port (1..65535) UDP port number to use
                                        # ttl (1..255)
                                        # group - multicast group address (IPv4 or IPv6)
                                        # NOTE: maxlen, port, ttl and group are
                                        # only available on Linux 4.3 or later.
        lvs_flush                       # flush any existing LVS configuration at startup

        # delay for second set of gratuitous ARPs after transition to MASTER
        vrrp_garp_master_delay 10       # seconds, default 5, 0 for no second set

        # number of gratuitous ARP messages to send at a time after transition
        # to MASTER
        vrrp_garp_master_repeat 1       # default 5

        # delay for second set of gratuitous ARPs after lower priority advert
        # received when MASTER
        vrrp_garp_lower_prio_delay 10

        # number of gratuitous ARP messages to send at a time after lower
        # priority advert received when MASTER
        vrrp_garp_lower_prio_repeat 1

        # minimum time interval for refreshing gratuitous ARPs while MASTER
        vrrp_garp_master_refresh 60     # secs, default 0 (no refreshing)

        # number of gratuitous ARP messages to send at a time while MASTER
        vrrp_garp_master_refresh_repeat 2   # default 1

        # Delay between gratuitous ARP messages sent on an interface
        vrrp_garp_interval 0.001        # decimal, seconds (resolution usecs). Default 0.

        # Delay between unsolicited NA messages sent on an interface
        vrrp_gna_interval 0.000001      # decimal, seconds (resolution usecs). Default 0.

        # If a lower priority advert is received, don't send another advert.
        # This causes adherence to the RFCs. Defaults to false, unless
        # strict_mode is set.
        vrrp_lower_prio_no_advert [<BOOL>]

        # If we are master and receive a higher priority advert, send an
        # advert (which will be lower priority than the other master) before
        # we transition to backup. This means that if the other master has
        # garp_lower_prio_repeat set, it will resend garp messages. This is
        # to get around the problem of there having been two simultaneous
        # masters, where the last GARP messages seen were from us.
        vrrp_higher_prio_send_advert [<BOOL>]

        # Set the default VRRP version to use
        vrrp_version <2 or 3>           # default version 2

        # Specify the iptables chain for ensuring a version 3 instance
        # doesn't respond on addresses that it doesn't own.
        # Note: it is necessary for the specified chain to exist in
        # the iptables and/or ip6tables configuration, and for the chain
        # to be called from an appropriate point in the iptables
        # configuration.
        # It will probably be necessary to have this filtering after
        # accepting any ESTABLISHED,RELATED packets, because IPv4 might
        # select the VIP as the source address for outgoing connections.
        vrrp_iptables keepalived        # default INPUT

        # or for outbound filtering as well
        # Note, outbound filtering won't work with IPv4, since the VIP can be
        # selected as the source address for an outgoing connection. With
        # IPv6 this is unlikely, since keepalived adds the IPv6 VIPs as
        # deprecated addresses, which the kernel does not choose as a source
        # address.
        vrrp_iptables keepalived_in keepalived_out

        # or to not add any iptables rules:
        vrrp_iptables

        # Keepalived may have the option to use ipsets in conjunction with
        # iptables. If so, then the ipset names can be specified, defaults as
        # below. If no names are specified, ipsets will not be used,
        # otherwise any omitted names will be constructed by adding "_if"
        # and/or "6" to previously specified names.
        vrrp_ipsets [keepalived [keepalived6 [keepalived_if6]]]

        # The following enables checking that when in unicast mode, the
        # source address of a VRRP packet is one of our unicast peers.
        # Without it, an advert from any source address that reaches the
        # socket is processed.
        vrrp_check_unicast_src

        # Checking all the addresses in a received VRRP advert can be time
        # consuming. Setting this flag means the check won't be carried out
        # if the advert is from the same master router as the previous
        # advert received.
        vrrp_skip_check_adv_addr        # Default - don't skip

        # Enforce strict VRRP protocol compliance. This will prohibit:
        #   0 VIPs
        #   unicast peers
        #   IPv6 addresses in VRRP version 2
        vrrp_strict

        # The following 4 options can be used if vrrp or checker processes
        # are timing out. This can be seen by a backup vrrp instance
        # becoming master even when the master is still running, because
        # the master or backup system is too busy to process vrrp packets.
        vrrp_priority <-20 to 19>       # Set the vrrp child process priority
                                        # Negative values increase priority.
        checker_priority <-20 to 19>    # Set the checker child process priority
        vrrp_no_swap                    # Set the vrrp child process non swappable
        checker_no_swap                 # Set the checker child process non swappable

        # If Keepalived has been built with SNMP support, the following
        # keywords are available
        # Note: Keepalived, checker and RFC support can be individually
        # enabled/disabled
        snmp_socket udp:1.2.3.4:705     # specify socket to use for connecting to
                                        # SNMP master agent (default
                                        # unix:/var/agentx/master) unless using a
                                        # network namespace, when the default is
                                        # udp:localhost:705
        enable_snmp_keepalived          # enable SNMP handling of vrrp element of
                                        # KEEPALIVED MIB
        enable_snmp_checker             # enable SNMP handling of checker element
                                        # of KEEPALIVED MIB
        enable_snmp_rfc                 # enable SNMP handling of RFC2787 and
                                        # RFC6527 VRRP MIBs
        enable_snmp_rfcv2               # enable SNMP handling of RFC2787 VRRP MIB
        enable_snmp_rfcv3               # enable SNMP handling of RFC6527 VRRP MIB
        enable_traps                    # enable SNMP traps

        # If Keepalived has been built with DBus support, the following
        # keyword is available
        enable_dbus                     # enable the DBus interface

        # Specify the default username/groupname to run scripts under.
        # If this option is not specified, scripts run as the user
        # keepalived_script if that user exists, otherwise as root.
        script_user username [groupname]    # If groupname is not specified, it
                                            # defaults to the user's group
        enable_script_security          # Don't run scripts configured to be run
                                        # as root if any part of the path is
                                        # writable by a non-root user. Without
                                        # this check, a user who can write to
                                        # any directory on the path can replace
                                        # a script that keepalived then runs
                                        # as root.
    }

    # For running keepalived in a separate network namespace
    net_namespace NAME                  # Set the network namespace to run in
                                        # The directory /var/run/keepalived will
                                        # be created as an unshared mount point,
                                        # for example for pid files.
                                        # syslog entries will have _NAME appended
                                        # to the ident.
                                        # Note: the namespace cannot be changed
                                        # on a configuration reload
    namespace_with_ipsets               # ipsets were not network namespace aware
                                        # until Linux 3.13, and so if running with
                                        # an earlier version of the kernel, by
                                        # default use of ipsets is disabled if
                                        # using a namespace and vrrp_ipsets has
                                        # not been specified. This option
                                        # overrides the default and allows ipsets
                                        # to be used with a namespace on kernels
                                        # prior to 3.13.

    instance NAME                       # If multiple instances of keepalived are
                                        # run in the same namespace, this will
                                        # create pid files with NAME as part of
                                        # the file names, in /var/run/keepalived.
                                        # Note: the instance name cannot be
                                        # changed on a configuration reload

    use_pid_dir                         # Create pid files in /var/run/keepalived

    linkbeat_use_polling                # Poll to detect media link failure,
                                        # otherwise attempt to use the ETHTOOL
                                        # or MII interface

  Static routes/addresses
    Keepalived can configure static addresses, routes, and rules. These
    addresses are NOT moved by vrrpd, they stay on the machine. If you
    already have IPs and routes on your machines and your machines can ping
    each other, you don't need this section. The syntax for rules and
    routes is the same as for ip rule add/ip route add.

    The syntax is the same for virtual addresses and virtual routes. If no
    dev element is specified, it defaults to default_interface (default
    eth0).

    static_ipaddress
    {
        192.168.1.1/24 dev eth0 scope global
        ...
    }

    static_routes
    {
        192.168.2.0/24 via 192.168.1.100 dev eth0
        192.168.100.0/24 table 6909 nexthop via 192.168.101.1 dev wlan0 onlink weight 1 nexthop via 192.168.101.2 dev wlan0 onlink weight 2
        192.168.200.0/24 dev p33p1.2 table 6909 tos 0x04 protocol bird scope link priority 12 mtu 1000 hoplimit 100 advmss 101 rtt 102 rttvar 103 reordering 104 window 105 cwnd 106 ssthresh lock 107 realms PQA/0x14 rto_min 108 initcwnd 109 initrwnd 110 features ecn
        2001:470:69e9:1:2::4 dev p33p1.2 table 6909 tos 0x04 protocol bird scope link priority 12 mtu 1000 hoplimit 100 advmss 101 rtt 102 rttvar 103 reordering 104 window 105 cwnd 106 ssthresh lock 107 rto_min 108 initcwnd 109 initrwnd 110 features ecn
        ...
    }

    static_rules
    {
        from 192.168.2.0/24 table 1
        to 192.168.2.0/24 table 1
        from 192.168.28.0/24 to 192.168.29.0/26 table small iif p33p1 oif wlan0 tos 22 fwmark 24/12 preference 39 realms 30/20 goto 40
        to 1:2:3:4:5:6:7:0/112 from 7:6:5:4:3:2::/96 table 6908 uidrange 10000-19999
        ...
    }

VRRPD CONFIGURATION
    contains subblocks of VRRP script(s), VRRP synchronization group(s),
    VRRP gratuitous ARP and unsolicited neighbour advert delay group(s) and
    VRRP instance(s)

  VRRP script(s)
    # Adds a script to be executed periodically. Its exit code will be
    # recorded for all VRRP instances which are monitoring it.
    vrrp_script <SCRIPT_NAME> {
        script <STRING>|<QUOTED-STRING>     # path of the script to execute
        interval <INTEGER>                  # seconds between script invocations,
                                            # default 1 second
        timeout <INTEGER>                   # seconds after which script is
                                            # considered to have failed
        weight <INTEGER:-254..254>          # adjust priority by this weight,
                                            # default 0
        rise <INTEGER>                      # required number of successes for
                                            # OK transition
        fall <INTEGER>                      # required number of failures for
                                            # KO transition
        user USERNAME [GROUPNAME]           # user/group names to run script under
                                            # group defaults to group of user
        init_fail                           # assume script is initially in
                                            # failed state
    }

  VRRP synchronization group(s)
    # string, name of group of IPs that failover together
    vrrp_sync_group VG_1 {
        group {
            inside_network      # name of the vrrp_instance (see below)
            outside_network     # One for each movable IP
            ...
        }

        # notify scripts and alerts are optional
        #
        # filenames of scripts to run on transitions
        # can be unquoted (if just filename)
        # or quoted (if it has parameters)
        # The username and groupname specify the user and group
        # under which the scripts should be run. If username is
        # specified, the group defaults to the group of the user.
        # If username is not specified, they default to the
        # global script_user and script_group
        # to MASTER transition
        notify_master /path/to_master.sh [username [groupname]]
        # to BACKUP transition
        notify_backup /path/to_backup.sh [username [groupname]]
        # FAULT transition
        notify_fault "/path/fault.sh VG_1" [username [groupname]]

        # for ANY state transition.
        # "notify" script is called AFTER the
        # notify_* script(s) and is executed
        # with 4 arguments provided by Keepalived
        # (so don't include parameters in the notify line).
        # arguments
        #   $1 = "GROUP"|"INSTANCE"
        #   $2 = name of the group or instance
        #   $3 = target state of transition
        #        ("MASTER"|"BACKUP"|"FAULT")
        #   $4 = priority value
        notify /path/notify.sh [username [groupname]]

        # Send email notification during state transition,
        # using addresses in global_defs above.
        smtp_alert

        global_tracking         # All VRRP share the same tracking config
    }
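    An added example of a notify script written for the 4-argument interface
    described above (it is not part of keepalived or of this manual page).
    The argument checks follow the manual exactly; the per-state actions and
    the state-file directory under /var/run/keepalived are illustrative
    assumptions. Rejecting anything keepalived did not promise to pass, and
    refusing an instance name that contains a path separator, keeps a
    root-run hook from being steered by unexpected input.

```sh
#!/bin/sh
# Added example, not keepalived's own code: a "notify" script for the
# 4-argument interface documented above. Keepalived invokes it as
#   notify.sh GROUP|INSTANCE <name> MASTER|BACKUP|FAULT <priority>
# The per-state actions are placeholders for a deployment's own logic; the
# state-file directory is an assumption (override with NOTIFY_STATE_DIR).
NOTIFY_STATE_DIR=${NOTIFY_STATE_DIR:-/var/run/keepalived}

# handle_transition KIND NAME STATE PRIORITY
# Validates the arguments strictly (anything keepalived did not promise is
# rejected with status 2), records the new state in a file that other tools
# can read, prints one parseable log line, and echoes the action chosen.
handle_transition() {
    kind=$1 name=$2 state=$3 prio=$4
    case $kind  in GROUP|INSTANCE) ;;      *) echo "bad kind: $kind" >&2;   return 2 ;; esac
    case $state in MASTER|BACKUP|FAULT) ;; *) echo "bad state: $state" >&2; return 2 ;; esac
    case $prio  in ''|*[!0-9]*)            echo "bad priority: $prio" >&2; return 2 ;; esac
    [ "$prio" -le 255 ] || { echo "priority out of range: $prio" >&2; return 2; }
    case $name  in ''|*/*)                 echo "bad name: $name" >&2;     return 2 ;; esac

    echo "keepalived-notify kind=$kind name=$name state=$state priority=$prio"

    # Persist the state so a later check (or a human) can see what we believe.
    mkdir -p "$NOTIFY_STATE_DIR"
    printf '%s\n' "$state" > "$NOTIFY_STATE_DIR/$kind.$name.state"

    case $state in
        MASTER) action=start-vip-services ;;   # only the master may run these
        BACKUP) action=stop-vip-services ;;    # release them on handover
        FAULT)  action=raise-alert ;;          # tracked interface/script failed
    esac
    echo "action=$action"
}

# Run as a script (not sourced): act on keepalived's arguments.
case ${0##*/} in notify.sh) handle_transition "$@" ;; esac
```

    Because keepalived only appends its own four arguments, the notify line
    in the configuration must name the script without parameters, as the
    comment above says; anything extra would shift $1..$4.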


  VRRP gratuitous ARP and unsolicited neighbour advert delay group(s)
    specifies the setting of delays between sending gratuitous ARPs and
    unsolicited neighbour advertisements. This is intended for when an
    upstream switch is unable to handle being flooded with ARPs/NAs.

    Use interface when the limits apply on the single physical interface.
    Use interfaces when a group of interfaces are linked to the same switch
    and the limits apply to the switch as a whole.

    If the global vrrp_garp_interval and/or vrrp_gna_interval are set, any
    interfaces that aren't specified in a garp_group will inherit the
    global settings.

    garp_group {
        # Sets the interval between Gratuitous ARPs (in seconds, resolution
        # microseconds)
        garp_interval <DECIMAL>
        # Sets the default interval between unsolicited NAs (in seconds,
        # resolution microseconds)
        gna_interval <DECIMAL>
        # The physical interface to which the intervals apply
        interface <STRING>
        # A list of interfaces across which the delays are aggregated.
        interfaces {
            <STRING>
            <STRING>
            ...
        }
    }

  VRRP instance(s)
    describes the movable IP for each instance of a group in
    vrrp_sync_group. Here are described two IPs (on inside_network and on
    outside_network), on machine "my_hostname", which belong to the group
    VG_1 and which will transition together on any state change.

    # You will need to write another block for outside_network.
    vrrp_instance inside_network {
        # Initial state, MASTER|BACKUP
        # As soon as the other machine(s) come up,
        # an election will be held and the machine
        # with the highest priority will become MASTER.
        # So the entry here doesn't matter a whole lot.
        state MASTER

        # interface for inside_network, bound by vrrp
        interface eth0

        # Use VRRP Virtual MAC.
        use_vmac [<VMAC_INTERFACE>]

        # Send/Recv VRRP messages from base interface instead of
        # VMAC interface
        vmac_xmit_base

        native_ipv6             # force instance to use IPv6 (when mixed IPv4
                                # and IPv6 config).

        # Ignore VRRP interface faults (default unset)
        dont_track_primary

        # optional, monitor these as well.
        # go to FAULT state if any of these go down.
        track_interface {
            eth0
            eth1
            eth2 weight <-254..254>
            ...
        }

        # add a tracking script to the interface (<SCRIPT_NAME> is the name
        # of the vrrp_script entry)
        track_script {
            <SCRIPT_NAME>
            <SCRIPT_NAME> weight <-254..254>
        }

        # default IP for binding vrrpd is the primary IP
        # on interface. If you want to hide the location of vrrpd,
        # use this IP as src_addr for multicast or unicast vrrp
        # packets. (since it's multicast, vrrpd will get the reply
        # packet no matter what src_addr is used).
        # optional
        mcast_src_ip <IPADDR>
        unicast_src_ip <IPADDR>

        version <2 or 3>        # VRRP version to run on interface
                                # default is global parameter vrrp_version.

        # Do not send VRRP adverts over a VRRP multicast group.
        # Instead it sends adverts to the following list of
        # ip addresses using unicast. This allows the VRRP FSM
        # and features to be used in a networking environment
        # where multicast is not supported.
        # IP addresses specified can be IPv4 as well as IPv6.
        unicast_peer {
            <IPADDR>
            ...
        }

        # interface specific settings, same as global parameters; default
        # to global parameters
        garp_master_delay 10
        garp_master_repeat 1
        garp_lower_prio_delay 10
        garp_lower_prio_repeat 1
        garp_master_refresh 60
        garp_master_refresh_repeat 2
        garp_interval 100
        gna_interval 100

        lower_prio_no_advert [<BOOL>]
        higher_prio_send_advert [<BOOL>]

        # arbitrary unique number from 1 to 255
        # used to differentiate multiple instances of vrrpd
        # running on the same NIC (and hence same socket).
        virtual_router_id 51

        # for electing MASTER, highest priority wins.
        # to be MASTER, make this 50 more than on other machines.
        priority 100

        # VRRP Advert interval in seconds (e.g. 0.92) (use default)
        advert_int 1

        # Note: authentication was removed from the VRRPv2 specification by
        # RFC3768 in 2004.
        # Use of this option is non-compliant and can cause problems;
        # avoid using if possible, except when using unicast, where it can
        # be helpful.
        authentication {        # Authentication block
            # PASS||AH
            # PASS - Simple password (suggested)
            # AH - IPSEC (not recommended)
            auth_type PASS
            # Password for accessing vrrpd.
            # should be the same on all machines.
            # Only the first eight (8) characters are used.
            # With PASS the password is carried in clear text in every
            # advert, so it only guards against misconfiguration, not
            # against anyone who can observe or inject traffic on the
            # segment.
            auth_pass 1234
        }

        # addresses add|del on change to MASTER, to BACKUP.
        # With the same entries on other machines,
        # the opposite transition will be occurring.
        virtual_ipaddress {
            <IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE> label <LABEL>
            192.168.200.17/24 dev eth1
            192.168.200.18/24 dev eth2 label eth2:1
        }

        # VRRP IP excluded from VRRP
        # optional.
        # For cases with large numbers (eg 200) of IPs
        # on the same interface. To decrease the number
        # of packets sent in adverts, you can exclude
        # most IPs from adverts.
        # The IPs are add|del as for virtual_ipaddress.
        # Can also be used if you want to be able to add
        # a mixture of IPv4 and IPv6 addresses, since all
        # addresses in virtual_ipaddress must be of the
        # same family.
        virtual_ipaddress_excluded {
            <IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE>
            <IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE>
            ...
        }

        # Set the promote_secondaries flag on the interface to stop other
        # addresses in the same CIDR being removed when 1 of them is
        # removed. For example if 10.1.1.2/24 and 10.1.1.3/24 are both
        # configured on an interface, and one is removed, unless
        # promote_secondaries is set on the interface the other address
        # will also be removed.
        promote_secondaries

        # routes add|del when changing to MASTER, to BACKUP.
        # See static_routes for more details
        virtual_routes {
            # src <IPADDR> [to] <IPADDR>/<MASK> via|gw <IPADDR> [or <IPADDR>] dev <STRING> scope <SCOPE> table <TABLE>
            src 192.168.100.1 to 192.168.109.0/24 via 192.168.200.254 dev eth1
            192.168.110.0/24 via 192.168.200.254 dev eth1
            192.168.111.0/24 dev eth2
            192.168.112.0/24 via 192.168.100.254
            192.168.113.0/24 via 192.168.200.254 or 192.168.100.254 dev eth1
            blackhole 192.168.114.0/24
            0.0.0.0/0 gw 192.168.0.1 table 100   # To set a default gateway
                                                 # into table 100.
        }

        # rules add|del when changing to MASTER, to BACKUP
        # See static_rules for more details
        virtual_rules {
            from 192.168.2.0/24 table 1
            to 192.168.2.0/24 table 1
        }

        # VRRPv3 has an Accept Mode to allow the virtual router, when not
        # the address owner, to receive packets addressed to a VIP. This is
        # the default setting unless strict mode is set.
        # As an extension, this also works for VRRPv2 (RFC 3768 doesn't
        # define an accept mode).
        accept                  # Accept packets to non address-owner
        no_accept               # Drop packets to non address-owner.

        # VRRP will normally preempt a lower priority
        # machine when a higher priority machine comes
        # online. "nopreempt" allows the lower priority
        # machine to maintain the master role, even when
        # a higher priority machine comes back online.
        # NOTE: For this to work, the initial state of this
        # entry must be BACKUP.
        nopreempt
        preempt                 # for backwards compatibility

        # See description of global vrrp_skip_check_adv_addr, which
        # sets the default value. Defaults to vrrp_skip_check_adv_addr
        skip_check_adv_addr [on|off|true|false|yes|no]   # Default on if no
                                                         # word specified

        # See description of global vrrp_strict
        # If strict_mode is not specified, it takes the value of vrrp_strict
        # If strict_mode without a parameter is specified, it defaults to on
        strict_mode [on|off|true|false|yes|no]

        # Seconds after startup or seeing a lower priority master until
        # preemption (if not disabled by "nopreempt").
        # Range: 0 (default) to 1000
        # NOTE: For this to work, the initial state of this
        # entry must be BACKUP.
        preempt_delay 300       # waits 5 minutes

        # Debug level, not implemented yet.
        debug <LEVEL>           # LEVEL is a number in the range 0 to 4

        # notify scripts, alert as above
        notify_master <STRING>|<QUOTED-STRING> [username [groupname]]
        notify_backup <STRING>|<QUOTED-STRING> [username [groupname]]
        notify_fault <STRING>|<QUOTED-STRING> [username [groupname]]
        notify_stop <STRING>|<QUOTED-STRING> [username [groupname]]   # executed
                                                                      # when stopping vrrp
        notify <STRING>|<QUOTED-STRING> [username [groupname]]
        smtp_alert
    }

    # Parameters used for SSL_GET check.
    # If none of the parameters are specified, the SSL context will be
    # auto generated.
    SSL {
        password <STRING>       # password
        ca <STRING>             # ca file
        certificate <STRING>    # certificate file
        key <STRING>            # key file
    }


LVS CONFIGURATION
    contains subblocks of Virtual server group(s) and Virtual server(s)

    The subblocks contain arguments for ipvsadm(8). Knowledge of
    ipvsadm(8) will be helpful here.

  Virtual server group(s)
    # optional
    # this group allows a service on a real_server
    # to belong to multiple virtual services
    # and to only be health checked once.
    # Only for very large LVSs.
    virtual_server_group <STRING> {
        # VIP port
        <IPADDR> <PORT>
        <IPADDR> <PORT>
        ...
        #
        # <IPADDR RANGE> has the form
        # XXX.YYY.ZZZ.WWW-VVV eg 192.168.200.1-10
        # range includes both .1 and .10 address
        <IPADDR RANGE> <PORT>   # VIP range VPORT
        <IPADDR RANGE> <PORT>
        ...
        fwmark <INT>            # fwmark
        fwmark <INT>
        ...
    }

  Virtual server(s)
    A virtual_server can be a declaration of one of

        vip vport (IPADDR PORT pair)

        fwmark <INT>

        (virtual server) group <STRING>

    # setup service
    virtual_server IP port |
    virtual_server fwmark int |
    virtual_server group string
    {
        # delay timer for service polling
        delay_loop <INT>

        # LVS scheduler
        lb_algo rr|wrr|lc|wlc|lblc|sh|dh

        # Enable hashed entry
        hashed
        # Enable flag-1 for scheduler (-b flag-1 in ipvsadm)
        flag-1
        # Enable flag-2 for scheduler (-b flag-2 in ipvsadm)
        flag-2
        # Enable flag-3 for scheduler (-b flag-3 in ipvsadm)
        flag-3
        # Enable sh-port for sh scheduler (-b sh-port in ipvsadm)
        sh-port
        # Enable sh-fallback for sh scheduler (-b sh-fallback in ipvsadm)
        sh-fallback
        # Enable One-Packet-Scheduling for UDP (-O in ipvsadm)
        ops
        # LVS forwarding method
        lb_kind NAT|DR|TUN
        # LVS persistence engine name
        persistence_engine <STRING>
        # LVS persistence timeout in seconds, default 6 minutes
        persistence_timeout [<INT>]
        # LVS granularity mask (-M in ipvsadm)
        persistence_granularity <NETMASK>
        # L4 protocol
        protocol TCP|UDP|SCTP
        # If VS IP address is not set,
        # suspend healthchecker's activity
        ha_suspend

        lvs_sched               # synonym for lb_algo
        lvs_method              # synonym for lb_kind

        # VirtualHost string for HTTP_GET or SSL_GET
        # eg virtualhost www.firewall.loc
        virtualhost <STRING>

        # On daemon startup assume that all RSs are down
        # and healthchecks failed. This helps to prevent
        # false positives on startup. Alpha mode is
        # disabled by default.
        alpha

        # On daemon shutdown consider quorum and RS
        # down notifiers for execution, where appropriate.
        # Omega mode is disabled by default.
        omega

        # Minimum total weight of all live servers in
        # the pool necessary to operate VS with no
        # quality regression. Defaults to 1.
        quorum <INT>

        # Tolerate this much weight units compared to the
        # nominal quorum, when considering quorum gain
        # or loss. A flap dampener. Defaults to 0.
        hysteresis <INT>

        # Script to execute when quorum is gained.
        quorum_up <STRING>|<QUOTED-STRING>

        # Script to execute when quorum is lost.
        quorum_down <STRING>|<QUOTED-STRING>

        # IP family for a fwmark service (optional)
        ip_family inet|inet6


        # setup realserver(s)

        # RS to add when all realservers are down
        sorry_server <IPADDR> <PORT>
        # applies inhibit_on_failure behaviour to the
        # preceding sorry_server directive
        sorry_server_inhibit

        # one entry for each realserver
        real_server <IPADDR> <PORT>
        {
            # relative weight to use, default: 1
            weight <INT>
            # Set weight to 0 when healthchecker detects failure
            inhibit_on_failure

            # Script to execute when healthchecker
            # considers service as up.
            notify_up <STRING>|<QUOTED-STRING> [username [groupname]]
            # Script to execute when healthchecker
            # considers service as down.
            notify_down <STRING>|<QUOTED-STRING> [username [groupname]]

            uthreshold <INTEGER>    # maximum number of connections to server
            lthreshold <INTEGER>    # minimum number of connections to server

            # pick one healthchecker
            #
            HTTP_GET|SSL_GET|TCP_CHECK|SMTP_CHECK|DNS_CHECK|MISC_CHECK

            # HTTP and SSL healthcheckers
            HTTP_GET|SSL_GET
            {
                # A URL to test
                # can have multiple entries here
                url {
                    # eg path / , or path /mrtg2/
                    path <STRING>
                    # healthcheck needs status_code
                    # or status_code and digest
                    # Digest computed with genhash
                    # eg digest 9b3a0c85a887a256d6939da88aabd8cd
                    digest <STRING>
                    # status code returned in the HTTP header
                    # eg status_code 200. Default is any 2xx value
                    status_code <INT>
                }
                # number of get retries
                nb_get_retry <INT>
                # delay before retry
                delay_before_retry <INT>

                # ======== generic connection options
                # Optional IP address to connect to.
                # The default is the realserver IP
                connect_ip <IP ADDRESS>
                # Optional port to connect to
                # The default is the realserver port
                connect_port <PORT>
                # Optional interface to use to
                # originate the connection
                bindto <IP ADDRESS>
                # Optional source port to
                # originate the connection from
                bind_port <PORT>
                # Optional connection timeout in seconds.
                # The default is 5 seconds
                connect_timeout <INTEGER>
                # Optional fwmark to mark all outgoing
                # checker packets with
                fwmark <INTEGER>

                # Optional random delay to start the initial check
                # for maximum N seconds.
                # Useful to scatter multiple simultaneous
                # checks to the same RS. Enabled by default, with
                # the maximum at delay_loop. Specify 0 to disable
                warmup <INT>
            } # HTTP_GET|SSL_GET

            # TCP healthchecker
            TCP_CHECK
            {
                # ======== generic connection options
                # Optional IP address to connect to.
                # The default is the realserver IP
                connect_ip <IP ADDRESS>
                # Optional port to connect to
                # The default is the realserver port
                connect_port <PORT>
                # Optional interface to use to
                # originate the connection
                bindto <IP ADDRESS>
                # Optional source port to
                # originate the connection from
                bind_port <PORT>
                # Optional connection timeout in seconds.
                # The default is 5 seconds
                connect_timeout <INTEGER>
                # Optional fwmark to mark all outgoing
                # checker packets with
                fwmark <INTEGER>

                # Optional random delay to start the initial check
                # for maximum N seconds.
                # Useful to scatter multiple simultaneous
                # checks to the same RS. Enabled by default, with
                # the maximum at delay_loop. Specify 0 to disable
                warmup <INT>
                # Retry count to make additional checks if check
                # of an alive server fails. Default: 1
                retry <INT>
                # Delay in seconds before retrying. Default: 1
                delay_before_retry <INT>
            } # TCP_CHECK

            # SMTP healthchecker
            SMTP_CHECK
            {
                # ======== generic connection options
                # Optional IP address to connect to.
                # The default is the realserver IP
                connect_ip <IP ADDRESS>
                # Optional port to connect to
                # the default is port 25
                connect_port <PORT>
                # Optional interface to use to
                # originate the connection
                bindto <IP ADDRESS>
                # Optional source port to
                # originate the connection from
                bind_port <PORT>
                # Optional per-host connection timeout.
                # Default is outer-scope connect_timeout
                connect_timeout <INTEGER>
                # Optional fwmark to mark all outgoing
                # checker packets with
                fwmark <INTEGER>

                # An optional host interface to check.
                # If no host directives are present, only
                # the IP address of the realserver will
                # be checked.
                host {
                    # ======== generic connection options
                    # Optional IP address to connect to.
                    # The default is the realserver IP
                    connect_ip <IP ADDRESS>
                    # Optional port to connect to
                    # the default is port 25
                    connect_port <PORT>
                    # Optional interface to use to
                    # originate the connection
                    bindto <IP ADDRESS>
                    # Optional source port to
                    # originate the connection from
                    bind_port <PORT>
                    # Optional per-host connection timeout.
                    # Default is outer-scope connect_timeout
                    connect_timeout <INTEGER>
                    # Optional fwmark to mark all outgoing
                    # checker packets with
                    fwmark <INTEGER>
                }

                # Number of times to retry a failed check
                retry <INTEGER>
                # Delay in seconds before retrying
                delay_before_retry <INTEGER>
                # Optional string to use for the SMTP HELO request
                helo_name <STRING>|<QUOTED-STRING>

                # Optional random delay to start the initial check
                # for maximum N seconds.
                # Useful to scatter multiple simultaneous
                # checks to the same RS. Enabled by default, with
                # the maximum at delay_loop. Specify 0 to disable
                warmup <INT>
            } # SMTP_CHECK

            # DNS healthchecker
            DNS_CHECK
            {
                # ======== generic connection options
                # Optional IP address to connect to.
                # The default is the realserver IP
                connect_ip <IP ADDRESS>
                # Optional port to connect to
                # The default is the realserver port
                connect_port <PORT>
                # Optional interface to use to
                # originate the connection
                bindto <IP ADDRESS>
                # Optional source port to
                # originate the connection from
                bind_port <PORT>
                # Optional connection timeout in seconds.
                # The default is 5 seconds
                connect_timeout <INTEGER>
                # Optional fwmark to mark all outgoing
                # checker packets with
                fwmark <INTEGER>

                # Number of times to retry a failed check
                # The default is 3 times.
                retry <INTEGER>
                # DNS query type
                # A|NS|CNAME|SOA|MX|TXT|AAAA
                # The default is SOA
                type <STRING>
                # Domain name to use for the DNS query
                # The default is . (dot)
                name <STRING>
            }

            # MISC healthchecker, run a program
            MISC_CHECK
            {
                # External script or program
                misc_path <STRING>|<QUOTED-STRING>
                # Script execution timeout
                misc_timeout <INT>

                # Optional random delay to start the initial check
                # for maximum N seconds.
                # Useful to scatter multiple simultaneous
                # checks to the same RS. Enabled by default, with
                # the maximum at delay_loop. Specify 0 to disable
                warmup <INT>

                # If set, the exit code from healthchecker is used
                # to dynamically adjust the weight as follows:
                #   exit status 0: svc check success, weight
                #                  unchanged.
                #   exit status 1: svc check failed.
                #   exit status 2-255: svc check success, weight
                #                  changed to 2 less than exit status.
                #                  (for example: exit status of 255 would
                #                  set weight to 253)
                misc_dynamic

                # Specify the username/groupname that the script
                # should be run under.
                # If GROUPNAME is not specified, the group of the
                # user is used
                user USERNAME [GROUPNAME]
            }
        } # realserver defn
    } # virtual service
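    An added example of a MISC_CHECK script using misc_dynamic (it is not
    part of keepalived or of this manual page). It turns a "percent busy"
    figure into the exit status that the contract above maps to a weight,
    and carries the inverse mapping so the weight keepalived will derive
    from a given exit status can be checked. The percent-busy input and the
    linear scaling are assumptions for illustration; the exit-code
    boundaries follow the manual.

```sh
#!/bin/sh
# Added example, not keepalived's own code: a MISC_CHECK script that uses the
# misc_dynamic exit-code contract documented above to steer a real server's
# weight from a local load figure instead of a flat up/down verdict.
# Contract (from the manual): exit 0 = up, weight unchanged; exit 1 = down;
# exit 2..255 = up, weight set to (exit status - 2), i.e. 0..253.
# The "percent busy" input and its linear scaling are assumptions.

# weight_exit_code WEIGHT: map a desired weight (0..253) to the exit status
# keepalived expects. Prints the code; fails for out-of-range weights.
weight_exit_code() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 253 ] || return 1
    echo $(( $1 + 2 ))
}

# exit_code_weight CODE: the inverse, as the checker will interpret it.
# Prints the resulting weight, "down" for 1 and "unchanged" for 0.
exit_code_weight() {
    case $1 in
        0) echo unchanged ;;
        1) echo down ;;
        *) [ "$1" -ge 2 ] && [ "$1" -le 255 ] || return 1; echo $(( $1 - 2 )) ;;
    esac
}

# weight_from_busy PCT: derive a weight from a "percent busy" figure (0..100).
# Assumption: linear, 100% busy -> weight 0 (the RS stays in the IPVS table
# but receives no new connections), 0% busy -> weight 253 (the maximum that
# misc_dynamic can express). Anything over 100% is treated as a failed check.
weight_from_busy() {
    pct=$1
    case $pct in ''|*[!0-9]*) return 1 ;; esac
    [ "$pct" -le 100 ] || return 1
    echo $(( (100 - pct) * 253 / 100 ))
}

# misc_check BUSY_PCT: the body keepalived would run; its return status is
# what the checker sees. Keep the real script fast: misc_timeout kills slow ones.
misc_check() {
    w=$(weight_from_busy "$1") || return 1      # unparseable/overloaded -> down
    code=$(weight_exit_code "$w") || return 1
    return "$code"
}
```

    A production version would replace the constructed percentage with a
    measured one and run as the `user` named in the MISC_CHECK block, so
    that a compromised or buggy check cannot do more than misreport its own
    server's weight.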


AUTHOR
    Joseph Mack.
    Information derived from doc/keepalived.conf.SYNOPSIS,
    doc/samples/keepalived.conf.* and Changelog by Alexandre Cassen for
    keepalived-1.1.4, and from HOWTOs by Adam Fletcher and Vince
    Worthington.

SEE ALSO
    ipvsadm(8), ip --help.



4th Berkeley Distribution            Apr 2016              KEEPALIVED.CONF(5)