keepalived.conf(5)     Keepalived Configuration's Manual    keepalived.conf(5)

NAME

       keepalived.conf - configuration file for Keepalived


DESCRIPTION

       keepalived.conf is the configuration file which describes all the
       Keepalived keywords. Keywords are placed in hierarchies of blocks and
       subblocks, each layer being delimited by '{' and '}' pairs.

       Comments start with '#' or '!' to the end of the line and can start
       anywhere in a line.

       The keyword 'include' allows inclusion of other configuration files
       from within the main configuration file, or from subsequently included
       files.

       The format of the include directive is:

       include FILENAME

       FILENAME can be a fully qualified or relative pathname, and can include
       wildcards, including csh style brace expressions such as
       "{foo/{,cat,dog},bar}" if glob() supports them.

       After opening an included file, the current directory is set to the
       directory of the file itself, so any relative paths included from a
       file are relative to the directory of the including file itself.

       Note: This documentation MUST be considered as THE exhaustive source of
       information in order to configure Keepalived. This documentation is
       supported and maintained by the Keepalived Core-Team.


PARAMETER SYNTAX

       <BOOL> is one of on|off|true|false|yes|no
       <TIMER> is a time value in seconds, including fractional seconds, e.g.
       2.71828 or 3; resolution of timer is micro-seconds.


SCRIPTS

       There are three classes of scripts that can be configured to be executed.

       (a) Notify scripts that are run when a vrrp instance or vrrp group
       changes state, or a virtual server quorum changes between up and down.

       (b) vrrp tracking scripts that will cause vrrp instances to go down if
       they exit with a non-zero exit status, or if a weight is specified will
       add or subtract the weight to/from the priority of that vrrp instance.

       (c) LVS checker misc scripts that will cause a real server to be
       configured down if they exit with a non-zero status.

       By default the scripts will be executed by user keepalived_script if
       that user exists, or if not by root, but for each script the user/group
       under which it is to be executed can be specified.

       There are significant security implications if scripts are executed
       with root privileges, especially if the scripts themselves are
       modifiable or replaceable by a non root user. Consequently, security
       checks are made at startup to ensure that if a script is executed by
       root, then it cannot be modified or replaced by a non root user.

       All scripts should be written so that they will terminate on receipt of
       a SIGTERM signal. Scripts will be sent SIGTERM if their parent
       terminates, or if keepalived is awaiting the script's exit status and
       it has run for too long.

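       The startup check described above can be reproduced outside keepalived
       to audit script paths before a configuration is deployed. The following
       is an added Python example, not keepalived's own check code: it walks
       every component of a script's path and reports any that a non-root user
       could alter (a component not owned by uid 0, or one that is group- or
       world-writable). The check is deliberately conservative and flags
       group/world write even where the sticky bit is set. The stat function is
       injectable so the rule can be exercised against a constructed ownership
       table; DEMO_FS and demo_check are constructed for illustration and are
       not real filesystem data.

```python
"""Audit a script path the way the SCRIPTS section describes: nothing from /
down to the file may be modifiable or replaceable by a non-root user.

Added example, not keepalived's own implementation."""
import os
import stat
from typing import Callable, Dict, List, NamedTuple


class Ownership(NamedTuple):
    uid: int
    mode: int   # permission bits only, as returned by stat.S_IMODE(st_mode)


def path_components(path: str) -> List[str]:
    """'/etc/keepalived/notify.sh' -> ['/', '/etc', '/etc/keepalived', '/etc/keepalived/notify.sh']."""
    path = os.path.normpath(path)
    comps = [path]
    while True:
        parent = os.path.dirname(path)
        if parent == path:          # reached the root
            break
        comps.append(parent)
        path = parent
    return comps[::-1]


def component_writable_by_non_root(info: Ownership) -> bool:
    """True if a non-root user could alter this path component."""
    if info.uid != 0:
        return True                 # the owner can chmod, rename or rewrite it at will
    # Group or world write on a root-owned component also lets others alter it.
    # Conservative assumption: sticky-bit directories are still flagged here.
    return bool(info.mode & (stat.S_IWGRP | stat.S_IWOTH))


def insecure_components(path: str,
                        stat_fn: Callable[[str], Ownership]) -> List[str]:
    """Return the components failing the check; an empty list means the path is OK."""
    return [c for c in path_components(path)
            if component_writable_by_non_root(stat_fn(c))]


def stat_ownership(path: str) -> Ownership:
    """Real-filesystem adapter for insecure_components()."""
    st = os.stat(path)
    return Ownership(st.st_uid, stat.S_IMODE(st.st_mode))


def check_real_path(path: str) -> List[str]:
    """Resolve symlinks first so the components actually executed are the ones judged."""
    return insecure_components(os.path.realpath(path), stat_ownership)


# Constructed sample ownership table (not real stat data) to show the rule in action.
DEMO_FS: Dict[str, Ownership] = {
    "/": Ownership(0, 0o755),
    "/etc": Ownership(0, 0o755),
    "/etc/keepalived": Ownership(0, 0o755),
    "/etc/keepalived/notify.sh": Ownership(0, 0o755),
    "/opt": Ownership(0, 0o755),
    "/opt/scripts": Ownership(0, 0o775),          # group-writable directory
    "/opt/scripts/check.sh": Ownership(0, 0o755),
    "/home": Ownership(0, 0o755),
    "/home/ops": Ownership(1000, 0o700),          # owned by a non-root user
    "/home/ops/track.sh": Ownership(1000, 0o700),
}


def demo_check(path: str) -> List[str]:
    """Run the check against the constructed DEMO_FS table."""
    return insecure_components(path, DEMO_FS.__getitem__)


if __name__ == "__main__":
    for p in ("/etc/keepalived/notify.sh", "/opt/scripts/check.sh", "/home/ops/track.sh"):
        bad = demo_check(p)
        print(p, "OK" if not bad else "insecure: " + ", ".join(bad))
```

       check_real_path() is the form to run on a live host; it resolves the
       path first so that a symlink is judged by the target it actually
       executes, then stats each component of the resolved path.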

Quoted strings

       Quoted strings are specified between " characters; more specifically a
       string will only end after a quoted string if there is whitespace
       afterwards. For example:
              "abcd" efg h jkl "mnop"
       will be the single string "abcd efg h jkl mnop", i.e. the embedded "
       characters are removed.

       Quoted strings can also have escaped characters, like the shell. \a,
       \b, \E, \f, \n, \r, \t, \v, \nnn and \xXX (where nnn is up to 3 octal
       digits, and XX is any sequence of hex digits) and \cC (which produces
       the control version of character C) are all supported. \C for any other
       character C is just treated as an escaped version of character C, so \\
       is a \ character and \" will be a " character, but it won't start or
       terminate a quoted string.

       For specifying scripts with parameters, unquoted spaces will separate
       the parameters. If it is required for a parameter to contain a space,
       it should be enclosed in single quotes (').


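       The escape rules above, as an added Python example that is not
       keepalived's parser code (keepalived's parser is written in C):
       decode_escapes() applies the documented list to the body of a quoted
       string. Two points the page leaves open are filled in as assumptions:
       \cC is computed as toupper(C) XOR 0x40, the usual caret-notation rule,
       and a \xXX sequence longer than one byte keeps only its low 8 bits, as
       storing it into a C char would. Splitting a line into separate strings
       is not attempted here; only the escape decoding is shown.

```python
r"""Decode the backslash escapes keepalived.conf accepts inside quoted strings.

Added example following the list in the Quoted strings section:
\a \b \E \f \n \r \t \v, \nnn (up to 3 octal digits), \xXX (hex digits),
\cC (control version of C) and \C for any other character C.
Assumptions: \cC is toupper(C) ^ 0x40; multi-byte \x values keep the low 8 bits.
"""

SIMPLE_ESCAPES = {
    "a": "\a", "b": "\b", "E": "\x1b", "f": "\f",
    "n": "\n", "r": "\r", "t": "\t", "v": "\v",
}
OCTAL_DIGITS = "01234567"
HEX_DIGITS = "0123456789abcdefABCDEF"


def decode_escapes(text: str) -> str:
    """Return TEXT with its backslash escapes replaced by the characters they denote."""
    out = []
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= n:
            out.append("\\")        # a trailing lone backslash escapes nothing; keep it
            break
        esc = text[i + 1]
        i += 2
        if esc in SIMPLE_ESCAPES:
            out.append(SIMPLE_ESCAPES[esc])
        elif esc in OCTAL_DIGITS:
            # \nnn: the first digit is esc itself, then at most two more.
            digits = esc
            while i < n and len(digits) < 3 and text[i] in OCTAL_DIGITS:
                digits += text[i]
                i += 1
            out.append(chr(int(digits, 8) & 0xFF))
        elif esc == "x":
            # \xXX: consume every following hex digit, as the man page says.
            start = i
            while i < n and text[i] in HEX_DIGITS:
                i += 1
            if start == i:
                out.append("x")     # "\x" with no digits falls back to the \C rule
            else:
                out.append(chr(int(text[start:i], 16) & 0xFF))
        elif esc == "c":
            if i < n:
                # \cC: control version of C (assumed toupper(C) XOR 0x40, so \cA -> 0x01)
                out.append(chr(ord(text[i].upper()) ^ 0x40))
                i += 1
            else:
                out.append("c")     # "\c" at end of text has no character to control
        else:
            # \C for any other C is just C: \\ -> \ and \" -> " (the quote is consumed
            # here, so it neither opens nor closes a quoted string).
            out.append(esc)
    return "".join(out)


if __name__ == "__main__":
    for sample in (r"tab\tsep", r"\x41\101\cA", r"\\ and \"", r"\E[0m"):
        print(repr(sample), "->", repr(decode_escapes(sample)))
```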

CONFIGURATION PARSER

       Traditionally the configuration file parser has not been one of the
       strengths of keepalived. A lot of effort has been put into correcting
       this, even though it is not the primary goal of the project.


TOP HIERARCHY

       The Keepalived configuration file is articulated around a set of
       configuration blocks. Each block focuses on and targets a specific
       daemon family feature. These features are:

       GLOBAL CONFIGURATION

       BFD CONFIGURATION

       VRRPD CONFIGURATION

       LVS CONFIGURATION


GLOBAL CONFIGURATION

       contains subblocks of Global definitions, Linkbeat interfaces, Static
       track groups, Static addresses, Static routes, and Static rules


Global definitions

       # Following are global daemon facilities for running
       # keepalived in a separate network namespace:
       # --
       # Set the network namespace to run in.
       # The directory /var/run/keepalived will be created as an
       # unshared mount point, for example for pid files.
       # syslog entries will have _NAME appended to the ident.
       # Note: the namespace cannot be changed on a configuration reload.
       net_namespace NAME

       # ipsets weren't network namespace aware until Linux 3.13, and so
       # if running with an earlier version of the kernel, by default
       # use of ipsets is disabled if using a namespace and vrrp_ipsets
       # has not been specified. This option overrides the default and
       # allows ipsets to be used with a namespace on kernels prior to 3.13.
       namespace_with_ipsets

       # If multiple instances of keepalived are run in the same namespace,
       # this will create pid files with NAME as part of the file names,
       # in /var/run/keepalived.
       # Note: the instance name cannot be changed on a configuration reload
       instance NAME

       # Create pid files in /var/run/keepalived
       use_pid_dir

       # Poll to detect media link failure using ETHTOOL, MII or ioctl interface
       # otherwise uses netlink interface.
       linkbeat_use_polling

       # Time for main process to allow for child processes to exit on termination
       # in seconds. This can be needed for very large configurations.
       # (default: 5)
       child_wait_time SECS

       # Global definitions configuration block
       global_defs {
           # Set the process names of the keepalived processes to the default values:
           #   keepalived, keepalived_vrrp, keepalived_ipvs, keepalived_bfd
           process_names

           # Specify the individual process names
           process_name NAME
           vrrp_process_name NAME
           ipvs_process_name NAME
           bfd_process_name NAME

           # Set of email To: notify
           notification_email {
               admin@example1.com
               ...
           }

           # email from address that will be in the header
           # (default: keepalived@<local host name>)
           notification_email_from admin@example.com

           # Remote SMTP server used to send notification email.
           # IP address or domain name with optional port number.
           # (default port number: 25)
           smtp_server 127.0.0.1 [<PORT>]

           # Name to use in HELO messages.
           # (default: local host name)
           smtp_helo_name <STRING>

           # SMTP server connection timeout in seconds.
           smtp_connect_timeout 30

           # Sets default state for all smtp_alerts
           smtp_alert <BOOL>

           # Sets default state for vrrp smtp_alerts
           smtp_alert_vrrp <BOOL>

           # Sets default state for checker smtp_alerts
           smtp_alert_checker <BOOL>

           # Log all checker failures while the checker is up
           checker_log_all_failures <BOOL>

           # Don't send smtp alerts for fault conditions
           no_email_faults

           # String identifying the machine (doesn't have to be hostname).
           # (default: local host name)
           router_id <STRING>

           # Multicast Group to use for IPv4 VRRP adverts
           # (default: 224.0.0.18)
           vrrp_mcast_group4 224.0.0.18

           # Multicast Group to use for IPv6 VRRP adverts
           # (default: ff02::12)
           vrrp_mcast_group6 ff02::12

           # sets the default interface for static addresses.
           # (default: eth0)
           default_interface p33p1.3

           # The sync daemon as provided by the IPVS kernel code only supports
           # a single daemon instance at a time to synchronize the connection table.
           # Binding interface, vrrp instance and optional
           #  syncid for lvs syncd
           #  syncid (0 to 255) for lvs syncd
           #  maxlen (1..65507) maximum packet length
           #  port (1..65535) UDP port number to use
           #  ttl (1..255)
           #  group - multicast group address (IPv4 or IPv6)
           # NOTE: maxlen, port, ttl and group are only available on Linux 4.3 or later.
           lvs_sync_daemon <INTERFACE> <VRRP_INSTANCE> [id <SYNC_ID>] [maxlen <LEN>] \
                           [port <PORT>] [ttl <TTL>] [group <IP ADDR>]

           # flush any existing LVS configuration at startup
           lvs_flush

           # flush remaining LVS configuration at shutdown
           # If VS is specified, remove each keepalived managed virtual
           # server without explicitly removing the real servers (the kernel will
           # remove them).
           lvs_flush_onstop [VS]

           # delay for second set of gratuitous ARPs after transition to MASTER.
           # in seconds, 0 for no second set.
           # (default: 5)
           vrrp_garp_master_delay 10

           # number of gratuitous ARP messages to send at a time after
           # transition to MASTER.
           # (default: 5)
           vrrp_garp_master_repeat 1

           # delay for second set of gratuitous ARPs after lower priority
           # advert received when MASTER.
           vrrp_garp_lower_prio_delay 10

           # number of gratuitous ARP messages to send at a time after
           # lower priority advert received when MASTER.
           vrrp_garp_lower_prio_repeat 1

           # minimum time interval for refreshing gratuitous ARPs while MASTER.
           # in seconds.
           # (default: 0 (no refreshing))
           vrrp_garp_master_refresh 60

           # number of gratuitous ARP messages to send at a time while MASTER
           # (default: 1)
           vrrp_garp_master_refresh_repeat 2

           # Delay in ms between gratuitous ARP messages sent on an interface
           # decimal, seconds (resolution usecs).
           # (default: 0)
           vrrp_garp_interval 0.001

           # Delay in ms between unsolicited NA messages sent on an interface
           # decimal, seconds (resolution usecs).
           # (default: 0)
           vrrp_gna_interval 0.000001

           # By default keepalived sends 5 gratuitous ARP/NA messages at a
           # time, and after transitioning to MASTER sends a second block of
           # 5 messages 5 seconds later.
           # With modern switches this is unnecessary, so setting vrrp_min_garp
           # causes only one ARP/NA message to be sent, with no repeat 5 seconds
           # later.
           vrrp_min_garp [<BOOL>]

           # If a lower priority advert is received, don't send another advert.
           # This causes adherence to the RFCs. Defaults to false, unless
           # strict_mode is set.
           vrrp_lower_prio_no_advert [<BOOL>]

           # If we are master and receive a higher priority advert, send an advert
           # (which will be lower priority than the other master), before we
           # transition to backup. This means that if the other master has
           # garp_lower_priority_repeat set, it will resend garp messages.
           # This is to get around the problem of there having been two simultaneous
           # masters, and the last GARP messages seen were from us.
           vrrp_higher_prio_send_advert [<BOOL>]

           # Set the default VRRP version to use
           # (default: 2, but IPv6 instances will use version 3)
           vrrp_version <2 or 3>

           # Specify the iptables chain for ensuring a version 3 instance
           # doesn't respond on addresses that it doesn't own.
           # Note: it is necessary for the specified chain to exist in
           # the iptables and/or ip6tables configuration, and for the chain
           # to be called from an appropriate point in the iptables configuration.
           # It will probably be necessary to have this filtering after accepting
           # any ESTABLISHED,RELATED packets, because IPv4 might select the VIP as
           # the source address for outgoing connections.
           # (default: INPUT)
           vrrp_iptables keepalived

           # or for outbound filtering as well
           # Note, outbound filtering won't work with IPv4, since the VIP can be
           # selected as the source address for an outgoing connection. With IPv6
           # this is unlikely since the addresses are deprecated.
           vrrp_iptables keepalived_in keepalived_out

           # or to not add any iptables rules:
           vrrp_iptables

           # Keepalived may have the option to use ipsets in conjunction with
           # iptables. If so, then the ipset names can be specified, defaults
           # as below. If no names are specified, ipsets will not be used,
           # otherwise any omitted names will be constructed by adding "_if"
           # and/or "6" and _igmp/_mld to previously specified names.
           vrrp_ipsets [keepalived [keepalived6 [keepalived_if6 [keepalived_igmp [keepalived_mld]]]]]

           # Use nftables to implement no_accept mode and only send IGMP/MLD
           #   messages on the parent interface of a VMAC.
           #   TABLENAME must not exist, and must be different for each
           #   instance of keepalived running in the same network namespace.
           #   Default tablename is keepalived, and priority is -1.
           #   keepalived will create base chains in the table.
           #   counters means counters are added to the rules (primarily for
           #   debugging purposes).
           #   ifindex means create IPv6 link local sets using ifindex rather
           #   than ifnames. This is the default unless the vrrp_instance has
           #   set dont_track_primary. The alternative is to use interface names
           #   as part of the set key, but the nft utility prior to v0.8.3 will
           #   then not output interface names properly.
           nftables [TABLENAME]
           nftables_priority PRIORITY
           nftables_counters
           nftables_ifindex

           # The following enables checking that when in unicast mode, the
           # source address of a VRRP packet is one of our unicast peers.
           vrrp_check_unicast_src

           # Checking all the addresses in a received VRRP advert can be time
           # consuming. Setting this flag means the check won't be carried out
           # if the advert is from the same master router as the previous advert
           # received.
           # (default: don't skip)
           vrrp_skip_check_adv_addr

           # Enforce strict VRRP protocol compliance. This will prohibit:
           #   0 VIPs
           #   unicast peers
           #   IPv6 addresses in VRRP version 2
           vrrp_strict

           # Send vrrp instance priority notifications on notify FIFOs.
           vrrp_notify_priority_changes <BOOL>

           # The following options can be used if vrrp, checker or bfd processes
           # are timing out. This can be seen by a backup vrrp instance becoming
           # master even when the master is still running because the master or
           # backup system is too busy to process vrrp packets.
           # --
           # Set the vrrp child process priority (Negative values increase priority)
           vrrp_priority <-20 to 19>

           # Set the checker child process priority
           checker_priority <-20 to 19>

           # Set the BFD child process priority
           bfd_priority <-20 to 19>

           # Set the vrrp child process non swappable
           vrrp_no_swap

           # Set the checker child process non swappable
           checker_no_swap

           # Set the BFD child process non swappable
           bfd_no_swap

           # The following options can be used to force vrrp, checker and bfd
           # processes to run on a restricted CPU set.
           # You can either bind processes to a single CPU or define a set of
           # CPUs. In the latter case the Linux kernel will be restricted to that
           # CPU set during scheduling. Forcing process binding to a single CPU can
           # increase performance on a heavily loaded box.
           # The INTEGERs following the configuration keyword represent cpu_ids
           # as shown in /proc/cpuinfo on the "processor:" lines.
           # --
           # Set CPU Affinity for the vrrp child process
           vrrp_cpu_affinity <INTEGER> [<INTEGER>]...[<INTEGER>]

           # Set CPU Affinity for the checker child process
           checker_cpu_affinity <INTEGER> [<INTEGER>]...[<INTEGER>]

           # Set CPU Affinity for the bfd child process
           bfd_cpu_affinity <INTEGER> [<INTEGER>]...[<INTEGER>]

           # Set the vrrp child process to use real-time scheduling
           # at the specified priority
           vrrp_rt_priority <1..99>

           # Set the checker child process to use real-time scheduling
           # at the specified priority
           checker_rt_priority <1..99>

           # Set the BFD child process to use real-time scheduling
           # at the specified priority
           bfd_rt_priority <1..99>

           # Set the limit on CPU time between blocking system calls,
           # in microseconds
           # (default: 1000)
           vrrp_rlimit_rtime >=1
           checker_rlimit_rtime >=1
           bfd_rlimit_rtime >=1

           # If Keepalived has been built with SNMP support, the following
           # keywords are available.
           # Note: Keepalived, checker and RFC support can be individually
           # enabled/disabled
           # --
           # Specify socket to use for connecting to SNMP master agent
           # (see source module keepalived/vrrp/vrrp_snmp.c for more details)
           # (default: unix:/var/agentx/master)
           snmp_socket udp:1.2.3.4:705

           # enable SNMP handling of vrrp element of KEEPALIVED MIB
           enable_snmp_vrrp

           # enable SNMP handling of checker element of KEEPALIVED MIB
           enable_snmp_checker

           # enable SNMP handling of RFC2787 and RFC6527 VRRP MIBs
           enable_snmp_rfc

           # enable SNMP handling of RFC2787 VRRP MIB
           enable_snmp_rfcv2

           # enable SNMP handling of RFC6527 VRRP MIB
           enable_snmp_rfcv3

           # enable SNMP traps
           enable_traps

           # If Keepalived has been built with DBus support, the following
           # keywords are available.
           # --
           # Enable the DBus interface
           enable_dbus

           # Name of DBus service
           # Useful if you want to run multiple keepalived processes with DBus enabled
           # (default: org.keepalived.Vrrp1)
           dbus_service_name SERVICE_NAME

           # Specify the default username/groupname to run scripts under.
           # If this option is not specified, the user defaults to keepalived_script
           # if that user exists, otherwise root.
           # If groupname is not specified, it defaults to the user's group.
           script_user username [groupname]

           # Don't run scripts configured to be run as root if any part of the path
           # is writable by a non-root user.
           enable_script_security

           # Rather than using notify scripts, specifying a fifo allows more
           # efficient processing of notify events, and guarantees that they
           # will be delivered in the correct sequence.
           # NOTE: the FIFO names must all be different
           # --
           # FIFO to write notify events to
           # See vrrp_notify_fifo and lvs_notify_fifo for format of output
           # For further details, see the description under vrrp_sync_group.
           # see doc/samples/sample_notify_fifo.sh for sample usage.
           notify_fifo FIFO_NAME [username [groupname]]

           # script to be run by keepalived to process notify events
           # The FIFO name will be passed to the script as the last parameter
           notify_fifo_script STRING|QUOTED_STRING [username [groupname]]

           # FIFO to write vrrp notify events to.
           # The string written will be a line of the form: INSTANCE "VI_1" MASTER 100
           # and will be terminated with a new line character.
           # For further details of the output, see the description under vrrp_sync_group
           # and doc/samples/sample_notify_fifo.sh for sample usage.
           vrrp_notify_fifo FIFO_NAME [username [groupname]]

           # script to be run by keepalived to process vrrp notify events
           # The FIFO name will be passed to the script as the last parameter
           vrrp_notify_fifo_script STRING|QUOTED_STRING [username [groupname]]

           # FIFO to write notify healthchecker events to
           # The string written will be a line of the form:
           # VS [192.168.201.15]:tcp:80 {UP|DOWN}
           # RS [1.2.3.4]:tcp:80 [192.168.201.15]:tcp:80 {UP|DOWN}
           # and will be terminated with a new line character.
           lvs_notify_fifo FIFO_NAME [username [groupname]]

           # script to be run by keepalived to process healthchecker notify events
           # The FIFO name will be passed to the script as the last parameter
           lvs_notify_fifo_script STRING|QUOTED_STRING [username [groupname]]

           # Allow configuration to include interfaces that don't exist at startup.
           # This allows keepalived to work with interfaces that may be deleted and restored
           #   and also allows virtual and static routes and rules on VMAC interfaces.
           #   allow_if_changes allows an interface to be deleted and recreated with a
           #   different type or underlying interface, eg changing from vlan to macvlan
           #   or changing a macvlan from eth1 to eth2. This is predominantly used for
           #   reporting duplicate VRID errors at startup if allow_if_changes is not set.
           dynamic_interfaces [allow_if_changes]

           # The following options are only needed for large configurations, where either
           # keepalived creates a large number of interfaces, or the system has a large
           # number of interfaces. These options only need using if
           # "Netlink: Receive buffer overrun" messages are seen in the system logs.
           # If the buffer size needed exceeds the value in /proc/sys/net/core/rmem_max
           #  the corresponding force option will need to be set.
           # --
           # Set netlink receive buffer size. This is useful for
           # very large configurations where a large number of interfaces exist, and
           # the initial read of the interfaces on the system causes a netlink buffer
           # overrun.
           vrrp_netlink_cmd_rcv_bufs BYTES
           vrrp_netlink_cmd_rcv_bufs_force <BOOL>
           vrrp_netlink_monitor_rcv_bufs BYTES
           vrrp_netlink_monitor_rcv_bufs_force <BOOL>

           # The vrrp netlink command and monitor socket, the checker command
           # and monitor socket and process monitor buffer sizes can be independently set.
           # The force flag means to use SO_RCVBUFFORCE, so that the buffer size
           # can exceed /proc/sys/net/core/rmem_max.
           lvs_netlink_cmd_rcv_bufs BYTES
           lvs_netlink_cmd_rcv_bufs_force <BOOL>
           lvs_netlink_monitor_rcv_bufs BYTES
           lvs_netlink_monitor_rcv_bufs_force <BOOL>

           # As a guide for process_monitor_rcv_bufs for 1400 processes terminating
           # simultaneously, 212992 (the default on some systems) is insufficient, whereas
           # 500000 is sufficient.
           process_monitor_rcv_bufs BYTES
           process_monitor_rcv_bufs_force <BOOL>

           # When a socket is opened, the kernel configures the max rx buffer size for
           # the socket to /proc/sys/net/core/rmem_default. On some systems this can be
           # very large, and even generally this can be much larger than necessary.
           # This isn't a problem so long as keepalived is reading all queued data from
           # its sockets, but if rmem_default was set sufficiently large, and if for
           # some reason keepalived stopped reading, it could consume all system memory.
           # The vrrp_rx_bufs_policy allows configuring of the rx bufs size when the
           # sockets are opened. If the policy is MTU, the rx buf size is configured
           # to the total of interface's MTU * vrrp_rx_bufs_multiplier for each vrrp
           # instance using the socket. Likewise, if the policy is ADVERT, then it is
           # the total of each vrrp instance's advert packet size * multiplier.
           # (default: use system default)
           vrrp_rx_bufs_policy [MTU|ADVERT|NUMBER]

           # (default: 3)
           vrrp_rx_bufs_multiplier NUMBER

           # Send notifies at startup for real servers that are starting up
           rs_init_notifies

           # Don't send an email every time a real server checker changes state;
           # only send email when a real server is added or removed
           no_checker_emails

           # The umask to use for creating files. The number can be specified in hex, octal
           #   or decimal. BITS are I{R|W|X}{USR|GRP|OTH}, e.g. IRGRP, separated by '|'s.
           #   The default umask is IWGRP | IWOTH. This option cannot override the
           #   command-line option.
           umask [NUMBER|BITS]

           # On some systems when bond interfaces are created, they can start passing traffic
           # and then have a several second gap when they stop passing traffic inbound. This
           # can mean that if keepalived is started at boot time, i.e. at the same time as
           # bond interfaces are being created, keepalived doesn't receive adverts and hence
           # can become master despite an instance with higher priority sending adverts.
           # This option specifies a delay in seconds before vrrp instances start up after
           # keepalived starts.
           vrrp_startup_delay 5.5

           # The following will cause logging of receipt of VRRP adverts for VRIDs not configured
           # on the interface on which they are received.
           log_unknown_vrids

           # Specify random seed for ${_RANDOM}, to make configurations repeatable (default
           # is to use a seed based on the time, so that each time a different configuration
           # will be generated).
           random_seed UNSIGNED_INT
       }

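       The notify-FIFO line formats quoted above (INSTANCE "VI_1" MASTER 100,
       VS ... {UP|DOWN}, RS ... {UP|DOWN}) are what a monitoring consumer
       reads from the FIFO. As an added Python example, not keepalived's
       doc/samples/sample_notify_fifo.sh, the following parses those lines
       and flags the transitions that usually warrant attention: an instance
       entering MASTER or FAULT, a virtual or real server going DOWN, an
       instance that changes state repeatedly, and any line that does not
       parse (kept verbatim rather than dropped). SAMPLE_LINES are
       constructed to match the documented formats, not captured from a
       running keepalived; the flap threshold of 3 changes is an arbitrary
       choice for the example.

```python
"""Parse keepalived notify-FIFO lines and pick out the transitions worth alerting on.

Added example following the line formats given under vrrp_notify_fifo and
lvs_notify_fifo; not keepalived's own sample script."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    kind: str                 # "INSTANCE", "VS", "RS" or "UNKNOWN"
    name: str                 # instance name, or the server(s) the event concerns
    state: str                # MASTER/BACKUP/FAULT..., UP/DOWN, or "" when unknown
    priority: Optional[int]   # trailing priority on INSTANCE lines, if present
    raw: str


# INSTANCE "VI_1" MASTER 100   (the trailing priority is accepted but optional)
INSTANCE_RE = re.compile(r'^INSTANCE\s+"([^"]+)"\s+(\S+)(?:\s+(\d+))?\s*$')
# VS [192.168.201.15]:tcp:80 UP
VS_RE = re.compile(r'^VS\s+(\[[^\]]+\]:\w+:\d+)\s+(UP|DOWN)\s*$')
# RS [1.2.3.4]:tcp:80 [192.168.201.15]:tcp:80 DOWN   (real server, then its virtual server)
RS_RE = re.compile(r'^RS\s+(\[[^\]]+\]:\w+:\d+)\s+(\[[^\]]+\]:\w+:\d+)\s+(UP|DOWN)\s*$')


def parse_line(line: str) -> Event:
    """Classify one FIFO line; unknown shapes are preserved rather than dropped."""
    line = line.rstrip("\n")
    m = INSTANCE_RE.match(line)
    if m:
        prio = int(m.group(3)) if m.group(3) is not None else None
        return Event("INSTANCE", m.group(1), m.group(2), prio, line)
    m = VS_RE.match(line)
    if m:
        return Event("VS", m.group(1), m.group(2), None, line)
    m = RS_RE.match(line)
    if m:
        return Event("RS", f"{m.group(1)} in {m.group(2)}", m.group(3), None, line)
    return Event("UNKNOWN", "", "", None, line)


def summarize(lines: List[str], flap_threshold: int = 3) -> Tuple[List[str], List[str]]:
    """Return (alerts, flapping_instances) for a sequence of FIFO lines."""
    alerts: List[str] = []
    changes: Dict[str, int] = {}
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.kind == "INSTANCE":
            changes[ev.name] = changes.get(ev.name, 0) + 1
            if ev.state in ("MASTER", "FAULT"):
                alerts.append(f"{ev.name} -> {ev.state}")
        elif ev.kind in ("VS", "RS") and ev.state == "DOWN":
            alerts.append(f"{ev.kind} {ev.name} DOWN")
        elif ev.kind == "UNKNOWN":
            alerts.append(f"unparsed: {ev.raw}")
    flapping = sorted(n for n, c in changes.items() if c >= flap_threshold)
    return alerts, flapping


# Constructed sample following the formats quoted in the man page (not captured output).
SAMPLE_LINES = [
    'INSTANCE "VI_1" BACKUP 100',
    'INSTANCE "VI_1" MASTER 100',
    'VS [192.168.201.15]:tcp:80 UP',
    'RS [192.168.201.21]:tcp:80 [192.168.201.15]:tcp:80 DOWN',
    'INSTANCE "VI_1" BACKUP 100',
    'INSTANCE "VI_2" FAULT 90',
]

if __name__ == "__main__":
    found, flaps = summarize(SAMPLE_LINES)
    for a in found:
        print("ALERT", a)
    for name in flaps:
        print("FLAPPING", name)
```

       Against a live system the same functions are fed from the FIFO itself:
       open the path given to vrrp_notify_fifo or lvs_notify_fifo for reading
       and pass each line to parse_line(); when a notify_fifo_script is used
       instead, the FIFO name arrives as the script's last argument.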

Linkbeat interfaces

       The linkbeat_interfaces block allows specifying which interfaces should
       use polling via MII, Ethtool or ioctl status rather than rely on
       netlink status updates. This allows more granular control of the global
       definition linkbeat_use_polling.

       This option is preferred over the deprecated use of
       linkbeat_use_polling in a vrrp_instance block, since the latter only
       allows using linkbeat on the interface of the vrrp_instance itself,
       whereas track_interface and virtual_ipaddresses and virtual_iproutes
       may require monitoring other interfaces, which may need to use linkbeat
       polling.

       The default polling type to use is MII, unless that isn't supported in
       which case ETHTOOL is used, and if that isn't supported then ioctl
       polling. The preferred type of polling to use can be specified with MII
       or ETHTOOL or IOCTL after the interface name, but if that type isn't
       supported, a supported type will be used.

       The syntax for linkbeat_interfaces is:
           linkbeat_interfaces {
               eth2
               enp2s0 ETHTOOL
           }


Static track groups

       Static track groups are used to allow vrrp instances to track static
       addresses, routes and rules. If a static address/route/rule specifies a
       track group, then if the address/route/rule is deleted and cannot be
       restored, the vrrp instance will transition to fault state.

       The syntax for a track group is:
           track_group GROUP1 {
               group {
                   VI_1
                   VI_2
               }
           }


Static routes/addresses/rules

       Keepalived can configure static addresses, routes, and rules. These
       addresses are NOT moved by vrrpd, they stay on the machine. If you
       already have IPs and routes on your machines and your machines can ping
       each other, you don't need this section. The syntax for rules and
       routes is the same as for ip rule add/ip route add (except shortened
       option names aren't supported due to ambiguities). The track_group
       specification refers to a named track_group which lists the vrrp
       instances which will track the address, i.e. if the address is deleted
       the vrrp instances will transition to backup.

       NOTE: since rules without preferences can be added in different orders
       due to vrrp instances transitioning from master to backup etc, rules
       need to have a preference. If a preference is not specified, keepalived
       will assign one, but it will probably not be what you want.

       The syntax is the same for virtual addresses and virtual routes. If no
       dev element is specified, it defaults to default_interface (default
       eth0). Note: the broadcast address may be specified as '-' or '+' to
       clear or set the host bits of the address.

       If a route or rule could apply to either IPv4 or IPv6 it will default
       to IPv4. To force a route/rule to be IPv6, add the keyword "inet6".

           static_ipaddress {
               <IPADDR>[/<MASK>] [brd <IPADDR>] [dev <STRING>] [scope <SCOPE>]
                                 [label <LABEL>] [peer <IPADDR>] [home]
                                 [-nodad] [mngtmpaddr] [noprefixroute]
                                 [autojoin] [track_group GROUP]
               192.168.1.1/24 dev eth0 scope global
               ...
           }

           static_routes {
               192.168.2.0/24 via 192.168.1.100 dev eth0 track_group GROUP1

               192.168.100.0/24 table 6909 nexthop via 192.168.101.1 dev wlan0
                                onlink weight 1 nexthop via 192.168.101.2
                                dev wlan0 onlink weight 2

               192.168.200.0/24 dev p33p1.2 table 6909 tos 0x04 protocol bird
                                scope link priority 12 mtu 1000 hoplimit 100
                                advmss 101 rtt 102 rttvar 103 reordering 104
                                window 105 cwnd 106 ssthresh lock 107 realms
                                PQA/0x14 rto_min 108 initcwnd 109 initrwnd 110
                                features ecn

               2001:470:69e9:1:2::4 dev p33p1.2 table 6909 tos 0x04 protocol
                                    bird scope link priority 12 mtu 1000
                                    hoplimit 100 advmss 101 rtt 102 rttvar 103
686                                    reordering 104 window 105 cwnd 106 ssthresh
687                                    lock 107 rto_min 108 initcwnd 109
688                                    initrwnd 110 features ecn fastopen_no_cookie 1
689               ...
690           }
691
692           static_rules {
693               from 192.168.2.0/24 table 1 track_group GROUP1
694
695               to 192.168.2.0/24 table 1
696
697               from 192.168.28.0/24 to 192.168.29.0/26 table small iif p33p1
698                                    oif wlan0 tos 22 fwmark 24/12
699                                    preference 39 realms 30/20 goto 40
700
701               to 1:2:3:4:5:6:7:0/112 from 7:6:5:4:3:2::/96 table 6908
702                                      uidrange 10000-19999
703
704               to 1:2:3:4:6:6:7:0/112 from 8:6:5:4:3:2::/96 l3mdev protocol 12
705                                      ip_proto UDP sport 10-20 dport 20-30
706               ...
707           }
708

VRRP track processes

710       The configuration block looks like:
711
712           vrrp_track_process <STRING> {
713               # process to monitor (with optional parameters)
714               # A quoted string is treated as a single element, so if the first item
715               # after the process keyword is quoted, that will be the command name.
716               # For example:
717               #  process "/tmp/a b" param1 "param 2"
718               # would mean a process named '/tmp/a b' (quotes removed) with 2 parameters
719               #  'param1' and 'param 2'.
720               process <STRING>|<QUOTED_STRING> [<STRING>|<QUOTED_STRING> ...]
721
               # If matching parameters, this specifies a partial match (i.e. the first
               #   n parameters match exactly), or an initial match, i.e. the last
               #   parameter may be longer than the parameter configured.
725               # To specify that a command must have no parameters, don't specify
726               #   any parameters, but specify param_match.
727               param_match {initial|partial}
728
729               # default weight (default is 1). For description of reverse, see track_process.
730               # 'weight 0 reverse' will cause the vrrp instance to be down when the
731               # quorum is up, and vice versa.
732               weight <-254..254> [reverse]
733
734               # minimum number of processes for success
735               quorum NUM
736
737               # maximum number of processes for success. For example, setting
738               #   this to 1 would cause a failure if two instances of the process
739               #   were running (but beware forks - see fork_delay below).
740               #   Setting this to 0 would mean failure if the matching process were
741               #   running at all.
742               quorum_max NUM
743
               # time to delay after process quorum gained after fork before
               #   considering the process up (in fractions of a second)
               #   This is to avoid up/down bounce for fork/exec
               fork_delay SECS

               # time to delay after process quorum lost before
               #   considering the process down (in fractions of a second)
               #   This is to avoid down/up bounce after terminate/parent refork.
752               terminate_delay SECS
753
754               # this sets fork_delay and terminate_delay
755               delay SECS
756
757               # Normally process string is matched against the process name,
758               #   as shown on the Name: line in /proc/PID/status, unless
759               #   parameters are specified.
760               #   This option forces matching the full command line
761               full_command
           }
763
       To avoid having to frequently run a track_script to monitor the
       existence of processes (often haproxy or nginx), vrrp_track_process can
       monitor whether other processes are running.
767
       One difference from pgrep is that track_process doesn't do a regular
       expression match of the command string, but does an exact match.
       'pgrep ssh' will match an sshd process, this track_process will not (it
       is equivalent to pgrep "^ssh$").
772
773       If  full_command is used (equivalent to pgrep -f), /proc/PID/cmdline is
774       used, but any updates to  cmdline  will  not  be  detected  (a  process
775       shouldn't  normally change it, although it is possible with great care,
776       for example systemd).
777
       Prior to Linux v3.2, track_process does not support detection of
       changes to a process name, since the kernel did not notify changes of
       process name before 3.2.  Most processes do not change their process
       name, but, for example, firefox forks processes that change their
       process name to "Web Content".  The process name referred to here is
       the contents of /proc/PID/comm.
784
       Quorum is the number of matching processes that must be running for an
       OK status.
787
       Delay might be useful if it is anticipated that a process may be
       reloaded (stopped and restarted), and it isn't desired to down and up a
       vrrp instance.
791
       A positive weight means that an OK status will add <weight> to the
       priority of all VRRP instances which monitor it.  Conversely, a
       negative weight will be subtracted from the initial priority in case of
       insufficient processes.
796
797       If  the  vrrp  instance  or sync group is not the address owner and the
798       result is between -253 and 253, the result will be added to the initial
799       priority  of the VRRP instance (a negative value will reduce the prior‐
800       ity), although the effective priority will  be  limited  to  the  range
801       [1,254].
802
       If a vrrp instance using a track_process is a member of a sync group,
       weight 0 must be set unless sync_group_tracking_weight is set on the
       group.  Likewise, if the vrrp instance is the address owner, weight 0
       must also be set.
807
       Rationale for not using pgrep/pidof/killall and the like:
809
       Every time pgrep or its equivalent is run, it iterates through the
       /proc/[1-9][0-9]* directories, and opens the status and cmdline pseudo
       files in each directory.  The cmdline pseudo file is mapped to the
       process's address space, and so if that part of the process is swapped
       out, it will have to be fetched from the swap space.  pgrep etc. also
       include zombie processes whereas keepalived does not, since they aren't
       running.
817
       This implementation only iterates through /proc/[1-9][0-9]*/ directories
819       at  start  up,  and  it  won't  even  read  the cmdline pseudo files if
820       'full_command' is not  specified  for  any  of  the  vrrp_track_process
821       entries. After startup, it uses the process_events kernel <-> userspace
822       connector to receive notification of process changes.  If  full_command
823       is  specified  for  any track_process instance, the cmdline pseudo file
824       will have to be read upon notification  of  the  creation  of  the  new
825       process, but at that time it is very unlikely that it will have already
826       been swapped out.
827
828       On a busy system with a high number of process  creations/terminations,
829       using  a  track_script  with pgrep/pidof/killall may be more efficient,
830       although those processes are inefficient compared to the  minimum  that
831       keepalived needs.
832
833       Using  pgrep  etc  on  a system that is swapping can have a significant
834       detrimental impact on the performance of the system, due to  having  to
835       fetch  swapped  memory  from the swap space, thereby causing additional
836       swapping.
837

BFD CONFIGURATION

       This is an implementation of RFC5880 (Bidirectional forwarding
       detection), and this can be configured to work between 2 keepalived
       instances, but using unweighted track_bfds between a master/backup pair
       of VRRP instances means that the VRRP instance will only be able to
       come up if both VRRP instances are running, which somewhat defeats the
       purpose of VRRP.
845
846       This  implementation  has  been  tested  with  OpenBFDD  (available  at
847       https://github.com/dyninc/OpenBFDD).
848
       The syntax for a bfd instance is:
850
851       bfd_instance <STRING> {
852           # BFD Neighbor IP (synonym neighbour_ip)
853           neighbor_ip <IP ADDRESS>
854
855           # Source IP to use (optional, except in order to ensure that the
856           # local port is valid, it is required)
857           source_ip <IP ADDRESS>
858
859           # Required min RX interval, in ms
860           # (default is 10 ms)
861           min_rx <INTEGER>
862
863           # Desired min TX interval, in ms
864           # (default is 10 ms)
865           min_tx <INTEGER>
866
867           # Desired idle TX interval, in ms
868           # (default is 1000 ms)
869           idle_tx <INTEGER>
870
871           # Number of missed packets after
872           # which the session is declared down
873           # (default is 5)
874           multiplier <INTEGER>
875
876           # Operate in passive mode (default is active)
877           passive
878
879           # outgoing IPv4 ttl to use (default 255)
880           ttl <INTEGER>
881
882           # outgoing IPv6 hoplimit to use (default 64)
883           hoplimit <INTEGER>
884
885           # maximum reduction of ttl/hoplimit
886           #  in received packet (default 0)
887           #  (255 disables hop count checking)
888           max_hops <INTEGER>
889
890           # Default tracking weight
891           # Normally, positive weights are added to the vrrp instance priority when
892           # the bfd instance is up, negative weights reduce the priority when it is down.
893           # However, if reverse is specified, the priority is decreased when up and
894           # increased when down. 'weight 0 reverse' will cause the vrrp instance to be down
895           # when the bfd instance is up, and vice versa.
896           weight <-253:253> [reverse]
897
898           # Normally bfd event notifications are sent to both the VRRP and checker processes.
899           # Specifying vrrp or checker will cause event notifications for this bfd_instance
900           # only to be sent to the specified process
901           vrrp
902           checker
903       }
904

VRRPD CONFIGURATION

       This section contains subblocks of VRRP script(s), VRRP synchronization
       group(s), VRRP gratuitous ARP and unsolicited neighbour advert delay
       group(s) and VRRP instance(s).
909

VRRP script(s)

911       The script will be executed periodically, every <interval> seconds. Its
912       exit  code  will  be  recorded for all VRRP instances which monitor it.
913       Note that the script will  only  be  executed  if  at  least  one  VRRP
914       instance monitors it.
915
916       The  default  weight equals 0, which means that any VRRP instance moni‐
917       toring the script will transition to the fault state after <fall>  con‐
918       secutive  failures  of  the script. After that, <rise> consecutive suc‐
919       cesses will cause VRRP instances to leave the fault state, unless  they
920       are  also  in  the  fault state due to other scripts or interfaces that
921       they are tracking.
922
       A positive weight means that <rise> successes will add <weight> to the
       priority of all VRRP instances which monitor it.  Conversely, a
       negative weight will be subtracted from the initial priority in case of
       <fall> failures.
927
928       The syntax for the vrrp script is:
929
930       # Adds a script to be executed periodically. Its exit code will be
931       # recorded for all VRRP instances and sync groups which are monitoring it.
932       vrrp_script <SCRIPT_NAME> {
933           # path of the script to execute
934           script <STRING>|<QUOTED-STRING>
935
936           # seconds between script invocations, (default: 1 second)
937           interval <INTEGER>
938
939           # seconds after which script is considered to have failed
940           timeout <INTEGER>
941
942           # adjust priority by this weight, (default: 0)
943           # For description of reverse, see track_script.
944           # 'weight 0 reverse' will cause the vrrp instance to be down when the
945           # script is up, and vice versa.
946           weight <INTEGER:-253..253> [reverse]
947
948           # required number of successes for OK transition
949           rise <INTEGER>
950
           # required number of failures for KO transition
952           fall <INTEGER>
953
954           # user/group names to run script under.
955           #  group default to group of user
956           user USERNAME [GROUPNAME]
957
958           # assume script initially is in failed state
959           init_fail
960       }
961

VRRP track files

       Adds a file to be monitored.  The file will be read whenever it is
       modified.  The value in the file will be recorded for all VRRP instances
       and sync groups which monitor it.  Note that the file will only be read
       if at least one VRRP instance or sync group monitors it.
967
       A value will be read as a number in text from the file.  If the weight
       configured against the track_file is 0, a non-zero value in the file
       will be treated as a failure status, and a zero value will be treated
       as an OK status; otherwise the value will be multiplied by the weight
       configured in the track_file statement.  If the result is less than -253
       any VRRP instance or sync group monitoring the file will transition
       to the fault state (the weight can be 254 to allow for a negative value
       being read from the file).
976
977       If  the  vrrp  instance  or sync group is not the address owner and the
978       result is between -253 and 253, the result will be added to the initial
979       priority  of the VRRP instance (a negative value will reduce the prior‐
980       ity), although the effective priority will  be  limited  to  the  range
981       [1,254].
982
       If a vrrp instance using a track_file is a member of a sync group,
       weight 0 must be set unless sync_group_tracking_weight is set on the
       group.  Likewise, if the vrrp instance is the address owner, weight 0
       must also be set.
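       The priority arithmetic described above for track_file (and, in the
       same terms, for track_process earlier) can be worked through in code.
       The following is an added illustration written for this page, not
       keepalived code; the function names and sample values are constructed.

```python
# Model of how a vrrp_track_file value becomes a VRRP priority adjustment,
# following the rules in the manual text above.  Illustration only, not
# keepalived code; names and sample values are constructed.

FAULT = "FAULT"


def read_track_file_value(file_text):
    """The tracked file holds a number in text; return it as an int."""
    return int(file_text.strip())


def track_file_adjustment(file_value, weight):
    """Adjustment a tracked file contributes, or FAULT.

    weight 0:   a non-zero file value is a failure (FAULT), zero is OK.
    otherwise:  value * weight; a result below -253 forces FAULT.
    """
    if weight == 0:
        return FAULT if file_value != 0 else 0
    result = file_value * weight
    if result < -253:
        return FAULT
    # Results above +253 are not specified by the manual; this example lets
    # the [1,254] clamp in effective_priority bound them (assumption).
    return result


def effective_priority(initial_priority, adjustments):
    """Combine an instance's initial priority with its tracking adjustments.

    Any FAULT adjustment puts the instance into the FAULT state.  An address
    owner (priority 255) is never adjusted (the manual requires weight 0 for
    it).  Otherwise adjustments are added and the result is limited to [1,254].
    """
    if FAULT in adjustments:
        return FAULT
    if initial_priority == 255:
        return 255
    total = initial_priority + sum(adjustments)
    return max(1, min(254, total))


def validate_track_file_weight(weight, *, address_owner, in_sync_group,
                               sync_group_tracking_weight=False):
    """Return the configuration problems the manual warns about (empty if none)."""
    problems = []
    if address_owner and weight != 0:
        problems.append("address owner: weight 0 must be set")
    if in_sync_group and not sync_group_tracking_weight and weight != 0:
        problems.append("sync group member without "
                        "sync_group_tracking_weight: weight 0 must be set")
    return problems


def demo():
    """Constructed scenarios: (file contents, weight, initial priority)."""
    scenarios = {
        "healthy_plus_50": ("5\n", 10, 100),    # 5*10 = +50 -> 150
        "weight0_nonzero": ("1\n", 0, 100),     # weight 0, value != 0 -> FAULT
        "force_fault":     ("-1\n", 254, 100),  # -1*254 = -254 < -253 -> FAULT
        "floor_clamp":     ("2\n", -50, 100),   # 100 - 100 = 0 -> clamped to 1
        "owner_ignored":   ("0\n", 0, 255),     # address owner stays at 255
    }
    results = {}
    for name, (text, weight, prio) in scenarios.items():
        adj = track_file_adjustment(read_track_file_value(text), weight)
        results[name] = effective_priority(prio, [adj])
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} -> {result}")
```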
987
       The syntax for a vrrp track file is:
989
990       vrrp_track_file <STRING> {
991           # file to track (weight defaults to 1)
992           file <QUOTED_STRING>
993
994           # optional default weight
995           weight <-254..254> [reverse]
996
997           # create the file and/or initialise the value
998           # This causes VALUE (default 0) to be written to
999           # the specified file at startup if the file doesn't
1000           # exist, unless overwrite is specified in which case
1001           # any existing file contents will be overwritten with
1002           # the specified value.
1003           init_file [VALUE] [overwrite]
1004       }
1005

VRRP synchronization group(s)

       VRRP Sync Group is an extension to the VRRP protocol.  The main goal is
       to define a bundle of VRRP instances to be synchronized together so
       that a transition of one instance will be reflected to the other group
       members.
1010
1011       In addition there is an enhanced notify feature for fine state  transi‐
1012       tion catching.
1013
       You can also define multiple track policies in order to force state
       transitions according to third party events such as interfaces,
       scripts, files or BFD.
1017
       Important: for a SYNC group to run reliably, it is vital that all
       instances in the group are MASTER or that they are all either BACKUP or
       FAULT.  A situation with half the instances having a higher priority on
       machine A and the other half having a higher priority on machine B will
       lead to constant re-elections.  For this reason, when instances are
       grouped, any track scripts/files configured against member VRRP
       instances will have their tracking weights automatically set to zero,
       in order to avoid inconsistent priorities across instances.
1026
       The syntax for vrrp_sync_group is:
1028
1029       vrrp_sync_group <STRING> {
1030           group {
1031               # name of the vrrp_instance (see below)
1032               # Set of VRRP_Instance string
1033               <STRING>
1034               <STRING>
1035               ...
1036           }
1037
1038           # Synchronization group tracking interface, script, file & bfd will
1039           # update the status/priority of all VRRP instances which are members
1040           # of the sync group.
1041           # 'weight 0 reverse' will cause the vrrp instance to be down when the
1042           # interface is up, and vice versa.
1043           track_interface {
1044               eth0
1045               eth1
1046               eth2 weight <-253..253> [reverse]
1047               ...
1048           }
1049
1050           # add a tracking script to the sync group (<SCRIPT_NAME> is the name
1051           # of the vrrp_script entry) go to FAULT state if any of these go down
1052           # if unweighted.
1053           # reverse causes the direction of the adjustment of the priority to be reversed.
1054           track_script {
1055               <SCRIPT_NAME>
1056               <SCRIPT_NAME> weight <-253..253> [reverse|no_reverse]
1057           }
1058
1059           # Files whose state we monitor, value is added to effective priority.
1060           # <STRING> is the name of a vrrp_track_file
1061           # weight defaults to weight configured in vrrp_track_file
1062           track_file {
1063               <STRING>
1064               <STRING> weight <-254..254> [reverse|noreverse]
1065               ...
1066           }
1067
1068           # Process to monitor, weight is added to effective priority.
1069           # <STRING> is the name of a vrrp_track_process
1070           # weight defaults to weight configured in vrrp_track_process.
1071           # See vrrp_instance track_process for description of weight.
1072           track_process {
1073               <STRING>
1074               <STRING> weight <-254..254> [reverse|noreverse]
1075               ...
1076           }
1077
1078           # BFD instances we monitor, value is added to effective priority.
1079           # <STRING> is the name of a BFD instance
1080           track_bfd {
1081               <STRING>
1082               <STRING>
1083               <STRING> weight <INTEGER: -253..253> [reverse|noreverse]
1084               ...
1085           }
1086
1087           # notify scripts and alerts are optional
1088           #
1089           # filenames of scripts to run on transitions can be unquoted (if
1090           # just filename) or quoted (if it has parameters)
1091           # The username and groupname specify the user and group
1092           # under which the scripts should be run. If username is
1093           # specified, the group defaults to the group of the user.
1094           # If username is not specified, they default to the
1095           # global script_user and script_group
1096
1097           # to MASTER transition
1098           notify_master /path/to_master.sh [username [groupname]]
1099
1100           # to BACKUP transition
1101           notify_backup /path/to_backup.sh [username [groupname]]
1102
1103           # FAULT transition
1104           notify_fault "/path/fault.sh VG_1" [username [groupname]]
1105
1106           # executed when stopping vrrp
1107           notify_stop <STRING>|<QUOTED-STRING> [username [groupname]]
1108
1109           # for ANY state transition.
1110           # "notify" script is called AFTER the notify_* script(s) and
1111           # is executed with 4 additional arguments after the configured
1112           # arguments provided by Keepalived:
1113           #   $(n-3) = "GROUP"|"INSTANCE"
1114           #   $(n-2) = name of the group or instance
1115           #   $(n-1) = target state of transition (stop only applies to instances)
1116           #            ("MASTER"|"BACKUP"|"FAULT"|"STOP")
1117           #   $(n)   = priority value
1118           #   $(n-3) and $(n-1) are ALWAYS sent in uppercase, and the possible
1119           # strings sent are the same ones listed above
1120           #   ("GROUP"/"INSTANCE", "MASTER"/"BACKUP"/"FAULT"/"STOP")
1121           # (note: STOP is only applicable to instances)
1122           notify <STRING>|<QUOTED-STRING> [username [groupname]]
1123
1124           # The notify fifo output is the same as the last 4 parameters for the "notify"
1125           # script, with the addition of "MASTER_RX_LOWER_PRI" instead of state for an
1126           # instance, and also "MASTER_PRIORITY" and "BACKUP_PRIORITY" if the priority
1127           # changes and notify_priority_changes is configured.
1128           # MASTER_RX_LOWER_PRI is used if a master needs to set some external state, such
1129           # as setting a secondary IP address when using Amazon AWS; if another keepalived
1130           # has transitioned to master due to a communications break, the lower priority
1131           # instance will have taken over the secondary IP address, and the proper master
1132           # needs to be able to restore it.
1133
1134           # Send FIFO notifies for vrrp priority changes
1135           notify_priority_changes <BOOL>
1136
1137           # Send email notification during state transition,
1138           # using addresses in global_defs above (default no,
1139           # unless global smtp_alert/smtp_alert_vrrp set)
1140           smtp_alert <BOOL>
1141
1142           # DEPRECATED. Use track_interface, track_script and
1143           # track_file on vrrp_sync_groups instead.
1144           global_tracking
1145
1146           # allow sync groups to use differing weights.
1147           # This probably WON'T WORK, but is a replacement for
1148           # global_tracking in case different weights were used
1149           # across different vrrp instances in the same sync group.
1150           sync_group_tracking_weight
1151       }
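       The notify argument convention described in the block above (four
       trailing arguments appended after any configured ones, and the matching
       FIFO output) is exercised by the following handler.  It is an added
       example for this page, not keepalived code or a script shipped with it;
       the function and class names are constructed, and the FIFO parser
       assumes whitespace-separated fields with the name optionally quoted.

```python
# Added example: a keepalived notify handler that extracts and validates the
# four trailing arguments ($(n-3)..$(n)) and parses notify FIFO lines.
# Not keepalived code; names are constructed for this illustration.
import shlex
import sys
from typing import NamedTuple, Optional, Tuple

KINDS = {"GROUP", "INSTANCE"}
SCRIPT_STATES = {"MASTER", "BACKUP", "FAULT", "STOP"}
# The FIFO carries the same four fields plus three extra state tokens.
FIFO_STATES = SCRIPT_STATES | {"MASTER_RX_LOWER_PRI",
                               "MASTER_PRIORITY", "BACKUP_PRIORITY"}


class Transition(NamedTuple):
    kind: str                        # "GROUP" or "INSTANCE"
    name: str                        # group or instance name
    state: str                       # target state (uppercase)
    priority: int                    # priority value
    configured_args: Tuple[str, ...]  # arguments configured on the notify line


def _check(kind, name, state, priority_text, allowed_states):
    """Validate the four keepalived-supplied fields; raise ValueError if bad."""
    if kind not in KINDS:
        raise ValueError(f"unexpected kind {kind!r}")
    if state not in allowed_states:
        raise ValueError(f"unexpected state {state!r}")
    if kind == "GROUP" and state == "STOP":
        raise ValueError("STOP only applies to instances")
    priority = int(priority_text)
    if not 0 <= priority <= 255:
        raise ValueError(f"priority {priority} out of range")
    return kind, name, state, priority


def parse_notify_args(argv):
    """argv: sys.argv[1:] as received by a notify script.

    keepalived appends kind, name, state and priority after the configured
    arguments, so the last four positions are always its own.
    """
    if len(argv) < 4:
        raise ValueError("expected at least the 4 keepalived arguments")
    *configured, kind, name, state, prio = argv
    kind, name, state, priority = _check(kind, name, state, prio, SCRIPT_STATES)
    return Transition(kind, name, state, priority, tuple(configured))


def parse_fifo_line(line):
    """Parse one notify FIFO line (same four fields, extended state set)."""
    fields = shlex.split(line)  # assumption: the name may be quoted
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}")
    kind, name, state, priority = _check(*fields, FIFO_STATES)
    return Transition(kind, name, state, priority, ())


def notify_error(argv) -> Optional[str]:
    """Return the validation error for argv, or None when it is acceptable."""
    try:
        parse_notify_args(argv)
    except ValueError as exc:
        return str(exc)
    return None


def describe(t):
    """One log line per transition.  MASTER_RX_LOWER_PRI is the FIFO cue the
    manual gives for a master that must re-assert external state taken over
    by a lower-priority instance during a communications break."""
    if t.state == "MASTER_RX_LOWER_PRI":
        return (f"{t.kind} {t.name}: still master (prio {t.priority}); "
                "re-assert external state")
    if t.state in ("MASTER_PRIORITY", "BACKUP_PRIORITY"):
        return f"{t.kind} {t.name}: priority now {t.priority} ({t.state})"
    return f"{t.kind} {t.name}: -> {t.state} (prio {t.priority})"


if __name__ == "__main__":
    # Configured as e.g.:  notify "/usr/local/bin/notify.py VG_1" root
    print(describe(parse_notify_args(sys.argv[1:])))
```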
1152

VRRP gratuitous ARP and unsolicited neighbour advert delay group(s)

       This block specifies the delays between sending gratuitous ARPs and
       unsolicited neighbour advertisements.  This is intended for when an
       upstream switch is unable to handle being flooded with ARPs/NAs.
1157
1158       Use interface when the limits apply on the single  physical  interface.
1159       Use interfaces when a group of interfaces are linked to the same switch
1160       and the limits apply to the switch as a whole.
1161
1162       Note: Only one of interface or interfaces should be used per block.
1163
1164       If the global vrrp_garp_interval and/or vrrp_gna_interval are set,  any
1165       interfaces  that  aren't  specified  in  a  garp_group will inherit the
1166       global settings.
1167
       The syntax for garp_group is:
1169
1170       garp_group {
1171           # Sets the interval between Gratuitous ARP (in seconds, resolution microseconds)
1172           garp_interval <DECIMAL>
1173
1174           # Sets the default interval between unsolicited NA (in seconds, resolution microseconds)
1175           gna_interval <DECIMAL>
1176
1177           # The physical interface to which the intervals apply
1178           interface <STRING>
1179
           # A list of interfaces across which the delays are aggregated.
1181           interfaces {
1182               <STRING>
1183               <STRING>
1184               ...
1185           }
1186       }
1187

VRRP instance(s)

       A VRRP Instance is the VRRP protocol key feature.  It defines and
       configures VRRP behaviour to run on a specific interface.  Each VRRP
       instance is bound to a unique interface.
1192
       The syntax for vrrp_instance is:
1194
1195       vrrp_instance <STRING> {
1196           # Initial state, MASTER|BACKUP
1197           # As soon as the other machine(s) come up,
1198           # an election will be held and the machine
1199           # with the highest priority will become MASTER.
1200           # So the entry here doesn't matter a whole lot.
1201           state MASTER
1202
1203           # interface for inside_network, bound by vrrp
1204           interface eth0
1205
1206           # Use VRRP Virtual MAC.
1207           # NOTE: If sysctl net.ipv4.conf.all.rp_filter is set,
1208           # and this vrrp_instance is an IPv4 instance, using
1209           # this option will cause the individual interfaces to be
1210           # updated to the greater of their current setting, and
1211           # all.rp_filter, as will default.rp_filter, and all.rp_filter
1212           # will be set to 0.
1213           # The original settings are restored on termination.
1214           use_vmac [<VMAC_INTERFACE>]
1215
1216           # Send/Recv VRRP messages from base interface instead of
1217           # VMAC interface
1218           vmac_xmit_base
1219
1220           # Use IPVLAN interface. keepalived will create a mode L2
1221           # ipvlan interface on top of the specified interface.
1222           # For IPv4 instances, an IP address is required, for IPv6
1223           # the address is optional, in which case the link local
1224           # address will be used.
1225           # The mode flags default to bridge. NOTE: the mode flags must be the
1226           # same for all ipvlans on the same underlying interface.
1227           # It is safer to configure an interface name, in case keepalived crashes
1228           # and restarts, in which case it can more reliably find a previously
1229           # created interface.
1230           use_ipvlan [<INTERFACE_NAME>] [IP_ADDRESS] [bridge|private|vepa]
1231
1232           # force instance to use IPv6 (this option is deprecated since
1233           # the virtual ip addresses determine whether IPv4 or IPv6 is used).
1234           native_ipv6
1235
1236           # Ignore VRRP interface faults (default unset)
1237           dont_track_primary
1238
1239           # optional, monitor these as well.
1240           # go to FAULT state if any of these go down if unweighted.
1241           # When a weight is specified in track_interface, instead of setting the vrrp
1242           # instance to the FAULT state in case of failure, its priority will be
1243           # increased by the weight when the interface is up (for positive weights),
1244           # or decreased by the weight's absolute value when the interface is down
1245           # (for negative weights), unless reverse is specified, in which case the
1246           # direction of adjustment of the priority is reversed.
1247           # The weight must be comprised between -253 and +253 inclusive.
1248           # 0 is the default behaviour which means that a failure implies a
1249           # FAULT state. The common practice is to use positive weights to count a
1250           # limited number of good services so that the server with the highest count
1251           # becomes master. Negative weights are better to count unexpected failures
1252           # among a high number of interfaces, as it will not saturate even with high
           # number of interfaces. Use reverse to increase priority if an interface is down
1254           track_interface {
1255               eth0
1256               eth1
1257               eth2 weight <-253..253> [reverse]
1258                ...
1259           }
1260
1261           # add a tracking script to the interface
1262           # (<SCRIPT_NAME> is the name of the vrrp_track_script entry)
1263           # The same principle as track_interface can be applied to track_script entries,
1264           # except that an unspecified weight means that the default weight declared in
1265           # the script will be used (which itself defaults to 0).
1266           # reverse causes the direction of the adjustment of the priority to be reversed.
1267           track_script {
1268               <SCRIPT_NAME>
1269               <SCRIPT_NAME> weight <-253..253> [reverse|no_reverse]
1270           }
1271
1272           # Files whose state we monitor, value is added to effective priority.
1273           # <STRING> is the name of a vrrp_track_file
1274           track_file {
1275               <STRING>
1276               <STRING>
1277               <STRING> weight <-254..254> [reverse|noreverse]
1278               ...
1279           }
1280
           # Positive weights are added/subtracted when the process is running,
           # negative weights are subtracted/added when it is not running.
1283           # If reverse is specified, the addition/subtraction is reversed.
1284           # <STRING> is the name of a vrrp_track_process
1285           # weight defaults to weight configured in vrrp_track_process
1286           track_process {
1287               <STRING>
1288               <STRING> weight <-254..254> [reverse|noreverse]
1289               ...
1290           }
1291
1292           # BFD instances we monitor, value is added to effective priority,
1293           # unless reverse is specified, when the value is subtracted.
1294           # Positive weights are added to the priority while the bfd instance is up,
1295           # negative weights are subtracted from it while the bfd instance is down.
1296           # <STRING> is the name of a BFD instance
1297           track_bfd {
1298               <STRING>
1299               <STRING>
1300               <STRING> weight <INTEGER: -253..253> [reverse|noreverse]
1301               ...
1302           }
1303
1304           # The default IP for binding vrrpd is the primary IP on the
1305           # interface. If you want to hide the location of vrrpd, use
1306           # this IP as the src_addr for multicast or unicast vrrp
1307           # packets. (Since it is multicast, vrrpd will get the reply
1308           # packet no matter what src_addr is used.)
1309           # optional
1310           mcast_src_ip <IPADDR>
1311           unicast_src_ip <IPADDR>
1312
1313           # if the configured src_ip doesn't exist or is removed put the
1314           # instance into fault state
1315           track_src_ip
1316
1317           # VRRP version to run on interface
1318           #  default is global parameter vrrp_version, but IPv6 instances will
1319           #  always use version 3.
1320           version <2 or 3>
1321
1322           # Do not send VRRP adverts over a VRRP multicast group.
1323           # Instead, send adverts to the following list of IP
1324           # addresses using unicast. This allows the VRRP FSM and
1325           # features to be used in a networking environment where
1326           # multicast is not supported.
1327           # IP addresses specified can be IPv4 as well as IPv6.
1328           unicast_peer {
1329               <IPADDR>
1330               ...
1331           }
1332
1333           # The checksum calculation when using VRRPv3 changed after v1.3.6.
1334           #  Setting this flag forces the old checksum algorithm to be used
1335           #  to maintain backward compatibility, although keepalived will
1336           #  attempt to maintain compatibility anyway if it sees an old
1337           #  version checksum. Specifying never will turn off auto detection
1338           #  of old checksums. [This option may not be enabled - check output
1339           #  of `keepalived -v` for OLD_CHKSUM_COMPAT.]
1340           old_unicast_checksum [never]
1341
1342           # interface specific settings, same as global parameters.
1343           # default to global parameters
1344           garp_master_delay 10
1345           garp_master_repeat 1
1346           garp_lower_prio_delay 10
1347           garp_lower_prio_repeat 1
1348           garp_master_refresh 60
1349           garp_master_refresh_repeat 2
1350           garp_interval 100
1351           gna_interval 100
1352
1353           # If a lower priority advert is received, don't send another advert.
1354           # This causes adherence to the RFCs (defaults to global
1355           # vrrp_lower_priority_dont_send_advert).
1356           lower_prio_no_advert [<BOOL>]
1357
1358           # If we are master and receive a higher priority advert, send an advert
1359           # (which will be lower priority than the other master), before we transition
1360           # to backup. This means that if the other master has garp_lower_prio_repeat
1361           # set, it will resend garp messages. This is to get around the problem of
1362           # there having been two simultaneous masters, and the last GARP
1363           # messages seen were from us.
1364           higher_prio_send_advert [<BOOL>]
1365
1366           # arbitrary unique number from 1 to 255
1367           # used to differentiate multiple instances of vrrpd
1368           # running on the same NIC (and hence same socket).
1369           virtual_router_id 51
1370
1371           # for electing MASTER, highest priority wins.
1372           # to be MASTER, make this 50 more than on other machines.
1373           priority 100
1374
1375           # VRRP Advert interval in seconds (e.g. 0.92) (use default)
1376           advert_int 1
1377
1378           # Note: authentication was removed from the VRRPv2 specification by
1379           # RFC3768 in 2004.
1380           #   Use of this option is non-compliant and can cause problems; avoid
1381           #   using if possible, except when using unicast, where it can be helpful.
1382           authentication {
1383               # PASS|AH
1384               # PASS - Simple password (suggested)
1385               # AH - IPSEC (not recommended)
1386               auth_type PASS
1387
1388               # Password for accessing vrrpd.
1389               # should be the same on all machines. It is sent in clear text
1390               # in every advert, and only the first eight (8) characters are used.
1391               auth_pass 1234
1392           }
1393
1394           # addresses add|del on change to MASTER, to BACKUP.
1395           # With the same entries on other machines,
1396           # the opposite transition will be occurring.
1397           # For virtual_ipaddress, virtual_ipaddress_excluded,
1398           #   virtual_routes and virtual_rules most of the options
1399           #   match the options of the command ip address/route/rule add.
1400           #   The track_group option only applies to static addresses/routes/rules.
1401           #   no_track is specific to keepalived and means that the
1402           #   vrrp_instance will not transition out of master state
1403           #   if the address/route/rule is deleted and the address/route/rule
1404           #   will not be reinstated until the vrrp instance next transitions
1405           #   to master.
1406           # <LABEL>: is optional and creates a name for the alias.
1407           #          For compatibility with "ifconfig", it should
1408           #          be of the form <realdev>:<anytext>, for example
1409           #          eth0:1 for an alias on eth0.
1410           # <SCOPE>: ("site"|"link"|"host"|"nowhere"|"global")
1411           virtual_ipaddress {
1412               <IPADDR>[/<MASK>] [brd <IPADDR>] [dev <STRING>] [scope <SCOPE>]
1413                                 [label <LABEL>] [peer <IPADDR>] [home]
1414                                 [-nodad] [mngtmpaddr] [noprefixroute]
1415                                 [autojoin] [no_track]
1416               192.168.200.17/24 dev eth1
1417               192.168.200.18/24 dev eth2 label eth2:1
1418           }
1419
1420           # VRRP IP excluded from VRRP optional.
1421           # For cases with large numbers (eg 200) of IPs
1422           # on the same interface. To decrease the number
1423           # of addresses sent in adverts, you can exclude
1424           # most IPs from adverts.
1425           # The IPs are add|del as for virtual_ipaddress.
1426           # Can also be used if you want to be able to add
1427           # a mixture of IPv4 and IPv6 addresses, since all
1428           # addresses in virtual_ipaddress must be of the
1429           # same family.
1430           virtual_ipaddress_excluded {
1431               <IPADDR>[/<MASK>] [brd <IPADDR>] [dev <STRING>] [scope <SCOPE>]
1432                                 [label <LABEL>] [peer <IPADDR>] [home]
1433                                 [-nodad] [mngtmpaddr] [noprefixroute]
1434                                 [autojoin] [no_track]
1435               <IPADDR>[/<MASK>] ...
1436               ...
1437           }
1438
1439           # Set the promote_secondaries flag on the interface to stop other
1440           # addresses in the same CIDR being removed when 1 of them is removed
1441           # For example if 10.1.1.2/24 and 10.1.1.3/24 are both configured on an
1442           # interface, and one is removed, unless promote_secondaries is set on
1443           # the interface the other address will also be removed.
1444           promote_secondaries
1445
1446           # routes add|del when changing to MASTER, to BACKUP.
1447           # See static_routes for more details
1448           virtual_routes {
1449               # src <IPADDR> [to] <IPADDR>/<MASK> via|gw <IPADDR>
1450               #   [or <IPADDR>] dev <STRING> scope <SCOPE> table <TABLE>
1451               src 192.168.100.1 to 192.168.109.0/24 via 192.168.200.254 dev eth1
1452               192.168.110.0/24 via 192.168.200.254 dev eth1
1453               192.168.111.0/24 dev eth2 no_track
1454               192.168.112.0/24 via 192.168.100.254
1455               192.168.113.0/24 via 192.168.200.254 or 192.168.100.254 dev eth1
1456               blackhole 192.168.114.0/24
1457               0.0.0.0/0 gw 192.168.0.1 table 100  # To set a default gateway into table 100.
1458           }
1459
1460           # rules add|del when changing to MASTER, to BACKUP
1461           # See static_rules for more details
1462           virtual_rules {
1463               from 192.168.2.0/24 table 1
1464               to 192.168.2.0/24 table 1 no_track
1465           }
1466
1467           # VRRPv3 has an Accept Mode to allow the virtual router when not the
1468           # address owner to receive packets addressed to a VIP. This is the default
1469           # setting unless strict mode is set. As an extension, this also works for
1470           # VRRPv2 (RFC 3768 doesn't define an accept mode).
1471           # --
1472           # Accept packets to non address-owner
1473           accept
1474
1475           # Drop packets to non address-owner.
1476           no_accept
1477
1478           # VRRP will normally preempt a lower priority machine when a higher priority
1479           # machine comes online.  "nopreempt" allows the lower priority machine to
1480           # maintain the master role, even when a higher priority machine comes back
1481           # online.
1482           # NOTE: For this to work, the initial state of this
1483           # entry must be BACKUP.
1484           # --
1485           nopreempt
1486
1487           # for backwards compatibility
1488           preempt
1489
1490           # See description of global vrrp_skip_check_adv_addr, which
1491           # sets the default value. Defaults to vrrp_skip_check_adv_addr
1492           skip_check_adv_addr [on|off|true|false|yes|no]
1493
1494           # See description of global vrrp_strict
1495           # If strict_mode is not specified, it takes the value of vrrp_strict
1496           # If strict_mode without a parameter is specified, it defaults to on
1497           strict_mode [on|off|true|false|yes|no]
1498
1499           # Seconds after startup or seeing a lower priority master until preemption
1500           # (if not disabled by "nopreempt").
1501           # Range: 0 (default) to 1000 (e.g. 4.12)
1502           # NOTE: For this to work, the initial state of this
1503           # entry must be BACKUP.
1504           preempt_delay 300    # waits 5 minutes
1505
1506           # Debug level, not implemented yet.
1507           # LEVEL is a number in the range 0 to 4
1508           debug <LEVEL>
1509
1510           # notify scripts, alert as above
1511           notify_master <STRING>|<QUOTED-STRING> [username [groupname]]
1512           notify_backup <STRING>|<QUOTED-STRING> [username [groupname]]
1513           notify_fault <STRING>|<QUOTED-STRING> [username [groupname]]
1514           # executed when stopping vrrp
1515           notify_stop <STRING>|<QUOTED-STRING> [username [groupname]]
1516           notify <STRING>|<QUOTED-STRING> [username [groupname]]
1517
1518           # The notify_master_rx_lower_pri script is executed if a master
1519           #  receives an advert with priority lower than the master's advert.
1520           notify_master_rx_lower_pri <STRING>|<QUOTED-STRING> [username [groupname]]
1521
1522           # Send vrrp instance priority notifications on notify FIFOs.
1523           notify_priority_changes <BOOL>
1524
1525           # Send SMTP alerts
1526           smtp_alert <BOOL>
1527
1528           # Set socket receive buffer size (see global_defs
1529           # vrrp_rx_bufs_policy for explanation)
1530           kernel_rx_buf_size
1531
1532           # Set use of linkbeat for the interface of this VRRP instance. This option is
1533           # deprecated - use linkbeat_interfaces block instead.
1534           linkbeat_use_polling
1535       }
1536
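The add/subtract wording of the track_* comments above is easy to misread, so here is a small shell model of the rules as an added example; it is not keepalived code. The interface names, states and weights in it are assumptions, and the weight-0 FAULT rule and the 1..254 clamp are keepalived behaviour described earlier in this manual rather than in the stanza comments themselves.

```shell
#!/bin/sh
# Added example, not keepalived code: a model of how a vrrp_instance's effective
# priority follows from its base "priority" and the weights of the objects it
# tracks. Interface names, states and weights below are assumptions. It mirrors
# a stanza such as
#
#   vrrp_instance VI_1 {
#       priority 100
#       track_interface {
#           eth0                      # weight 0: eth0 down => FAULT state
#           eth1 weight 10            # +10 while eth1 is up
#           eth2 weight -20           # -20 while eth2 is down
#           eth3 weight 10 reverse    # +10 while eth3 is down
#       }
#   }
#
# Rules modelled (the weight-0 FAULT rule and the 1..254 clamp are keepalived
# behaviour described earlier in this manual, not in the stanza comments):
#   weight > 0 : added while the object is up, no effect while it is down
#   weight < 0 : subtracted (absolute value) while down, no effect while up
#   reverse    : swaps the sense of up and down for that object
#   weight 0   : an object that is down puts the instance into FAULT state
#   result     : clamped to 1..254 (255 is reserved for the address owner)
#
# Usage: effective_priority BASE [NAME:up|down:WEIGHT[:reverse] ...]
# Prints the effective priority, or FAULT with exit status 1.

effective_priority() {
    prio=$1
    shift
    for spec in "$@"; do
        rest=${spec#*:}                      # strip NAME
        state=${rest%%:*}
        rest=${rest#*:}
        weight=${rest%%:*}
        reverse=0
        case $rest in *:reverse) reverse=1 ;; esac

        # With reverse, a down object is treated as up and vice versa.
        if [ "$reverse" -eq 1 ]; then
            if [ "$state" = up ]; then state=down; else state=up; fi
        fi

        if [ "$weight" -eq 0 ]; then
            if [ "$state" = down ]; then
                echo FAULT
                return 1
            fi
        elif [ "$weight" -gt 0 ]; then
            if [ "$state" = up ]; then
                prio=$((prio + weight))
            fi
        else
            if [ "$state" = down ]; then
                prio=$((prio + weight))      # weight is negative: subtracts
            fi
        fi
    done
    if [ "$prio" -lt 1 ]; then prio=1; fi
    if [ "$prio" -gt 254 ]; then prio=254; fi
    echo "$prio"
}

# The stanza above on a node where eth2 has just gone down (eth0, eth1, eth3 up):
#   effective_priority 100 eth0:up:0 eth1:up:10 eth2:down:-20 eth3:up:10:reverse
# prints 90: 100 + 10 - 20, and nothing from eth3 because reverse only pays
# while eth3 is down.
```

The clamp matters when sizing weights: a base priority of 250 with a +10 interface bonus still advertises 254, so two nodes that both saturate the range can no longer be told apart by their tracked state. Negative weights, as the comment on track_interface says, degrade gracefully instead.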

LVS CONFIGURATION

1538       This section contains subblocks of Virtual server group(s) and Virtual server(s).
1539
1540       The subblocks contain arguments for configuring the Linux IPVS (LVS)
1541       feature. Knowledge of ipvsadm(8) will be helpful here. Configuring LVS
1542       is achieved by defining virtual server groups, virtual servers and
1543       optionally SSL configuration. Every virtual server defines a set of real
1544       servers, and you can attach healthcheckers to each real server.
1545       Keepalived will then drive LVS operation by dynamically maintaining the topology.
1546
1547       For  details  of  what  configuration  combinations  are valid, see the
1548       ipvsadm(8) man page.
1549
1550       Note: Where an option can be configured  for  a  virtual  server,  real
1551       server, and possibly checker, the virtual server setting is the default
1552       for real servers, and the real server setting is the default for check‐
1553       ers.
1554
1555       Note:  Tunnelled  real/sorry servers can differ from the address family
1556       of the virtual server and non tunnelled real/sorry servers,  which  all
1557       have  to  be  the  same. If a virtual server uses a fwmark, and all the
1558       real/sorry servers are tunnelled, the address  family  of  the  virtual
1559       server will be the same as the address family of the real/sorry servers
1560       if they are all the same,  otherwise  it  will  default  to  IPv4  (use
1561       ip_family inet6 to override this).
1562
1563       Note:  The  port for the virtual server can only be omitted if the vir‐
1564       tual service is persistent.
1565

Virtual server group(s)

1567       This feature offers a way to simplify your configuration by factorizing
1568       virtual server definitions. If you need to define a number of virtual
1569       servers with exactly the same real server topology, this feature makes
1570       your configuration much more readable and optimizes healthchecking: a
1571       group spawns a single healthchecker per real server, whereas separate
1572       virtual server declarations each spawn a dedicated healthchecker for
1573       every real server, which wastes system resources.
1574
1575       Any combination of IP addresses, IP address ranges and  firewall  marks
1576       can be used. Use of this option is intended for very large LVSs.
1577
1578       The syntax for virtual_server_group is :
1579
1580       virtual_server_group <STRING> {
1581           # Virtual IP Address and Port
1582           <IPADDR> [<PORT>]
1583           <IPADDR> [<PORT>]
1584           ...
1585           # <IPADDR RANGE> has the form
1586           # XXX.YYY.ZZZ.WWW-VVV eg 192.168.200.1-10
1587           # range includes both .1 and .10 address
1588           <IPADDR RANGE> [<PORT>] # VIP range [VPORT]
1589           <IPADDR RANGE> [<PORT>]
1590           ...
1591           # Firewall Mark (fwmark)
1592           fwmark <INTEGER>
1593           fwmark <INTEGER>
1594           ...
1595       }
1596

Virtual server(s)

1598       A  virtual_server  can  be  a declaration of one of <IPADDR> [<PORT>] ,
1599       fwmark <INTEGER> or group <STRING>
1600
1601       The syntax for virtual_server is :
1602
1603       virtual_server <IPADDR> [<PORT>]  |
1604       virtual_server fwmark <INTEGER> |
1605       virtual_server group <STRING> {
1606           # LVS scheduler
1607           lvs_sched rr|wrr|lc|wlc|lblc|sh|mh|dh|fo|ovf|lblcr|sed|nq
1608
1609           # Enable hashed entry
1610           hashed
1611           # Enable flag-1 for scheduler (-b flag-1 in ipvsadm)
1612           flag-1
1613           # Enable flag-2 for scheduler (-b flag-2 in ipvsadm)
1614           flag-2
1615           # Enable flag-3 for scheduler (-b flag-3 in ipvsadm)
1616           flag-3
1617           # Enable sh-port for sh scheduler (-b sh-port in ipvsadm)
1618           sh-port
1619           # Enable sh-fallback for sh scheduler  (-b sh-fallback in ipvsadm)
1620           sh-fallback
1621           # Enable mh-port for mh scheduler (-b mh-port in ipvsadm)
1622           mh-port
1623           # Enable mh-fallback for mh scheduler  (-b mh-fallback in ipvsadm)
1624           mh-fallback
1625           # Enable One-Packet-Scheduling for UDP (-O in ipvsadm)
1626           ops
1627
1628           # Default LVS forwarding method.
1629           # Default tunnel type is ipip. Since Linux 5.2 the GUE tunnel type can
1630           # be specified. If using GUE, a port number is required. Since Linux 5.3
1631           # if the tunnel type is GUE, the checksum option can also be specified.
1632           # Since Linux 5.3, GRE tunnel type is also supported, but without the
1633           # remcsum option.
1634           lvs_method NAT|DR
1635           or
1636           lvs_method TUN [type {ipip|gue port NUM|gre} [nocsum|csum|remcsum]]
1637           # LVS persistence engine name (currently only sip supported)
1638           persistence_engine <STRING>
1639           # LVS persistence timeout in seconds, default 6 minutes
1640           persistence_timeout [<INTEGER>]
1641           # LVS granularity mask (-M in ipvsadm)
1642           persistence_granularity <NETMASK>
1643           # L4 protocol
1644           protocol TCP|UDP|SCTP
1645           # If VS IP address is not set,
1646           # suspend healthchecker's activity
1647           ha_suspend
1648
1649           # Send email notification during quorum up/down transition,
1650           # using addresses in global_defs above (default no,
1651           # unless global smtp_alert/smtp_alert_checker set)
1652           smtp_alert <BOOL>
1653
1654           # Default VirtualHost string for HTTP_GET or SSL_GET
1655           # eg virtualhost www.firewall.loc
1656           # Overridden by virtualhost config of real server or checker
1657           virtualhost <STRING>
1658
1659           # On daemon startup assume that all RSs are down
1660           # and healthchecks failed. This helps to prevent
1661           # false positives on startup. Alpha mode is
1662           # disabled by default.
1663           alpha
1664
1665           # On daemon shutdown consider quorum and RS
1666           # down notifiers for execution, where appropriate.
1667           # Omega mode is disabled by default.
1668           omega
1669
1670           # Minimum total weight of all live servers in
1671           # the pool necessary to operate VS with no
1672           # quality regression. Defaults to 1.
1673           quorum <INTEGER>
1674
1675           # Tolerate this much weight units compared to the
1676           # nominal quorum, when considering quorum gain
1677           # or loss. A flap dampener. Defaults to 0.
1678           hysteresis <INTEGER>
1679
1680           # Script to execute when quorum is gained.
1681           quorum_up <STRING>|<QUOTED-STRING> [username [groupname]]
1682
1683           # Script to execute when quorum is lost.
1684           quorum_down <STRING>|<QUOTED-STRING> [username [groupname]]
1685
1686           # IP family for a fwmark service (optional)
1687           ip_family inet|inet6
1688
1689           # setup realserver(s)
1690
1691           # RS to add to LVS topology when the quorum isn't achieved.
1692           #  If a sorry server is configured, all real servers will
1693           #  be brought down when the quorum is not achieved.
1694           sorry_server <IPADDR> [<PORT>]
1695           # applies inhibit_on_failure behaviour to the sorry_server
1696           sorry_server_inhibit
1697           # Sorry server LVS forwarding method
1698           # For details of tunnel type, see virtual_server details.
1699           sorry_server_lvs_method NAT|DR
1700           or
1701           sorry_server_lvs_method TUN [type {ipip|gue port NUM|gre} [nocsum|csum|remcsum]]
1702
1703           # Optional connection timeout in seconds.
1704           # The default is 5 seconds
1705           connect_timeout <TIMER>
1706
1707           # Retry count to make additional checks if check
1708           # of an alive server fails. Default: 1 unless specified below
1709           retry <INTEGER>
1710
1711           # delay before retry after failure
1712           delay_before_retry <TIMER>
1713
1714           # Optional random delay to start the initial check
1715           # for maximum N seconds.
1716           # Useful to scatter multiple simultaneous
1717           # checks to the same RS. Enabled by default, with
1718           # the maximum at delay_loop. Specify 0 to disable
1719           warmup <TIMER>
1720
1721           # delay timer for checker polling
1722           delay_loop <TIMER>
1723
1724           # Set weight to 0 when healthchecker detects failure
1725           inhibit_on_failure
1726
1727           # one entry for each realserver
1728           real_server <IPADDR> [<PORT>] {
1729               # relative weight to use, default: 1
1730               weight <INTEGER>
1731               # LVS forwarding method
1732               # For details of tunnel type, see virtual_server details.
1733               lvs_method NAT|DR
1734               or
1735               lvs_method TUN [type {ipip|gue port NUM|gre} [nocsum|csum|remcsum]]
1736
1737               # Script to execute when healthchecker
1738               # considers service as up.
1739               notify_up <STRING>|<QUOTED-STRING> [username [groupname]]
1740               # Script to execute when healthchecker
1741               # considers service as down.
1742               notify_down <STRING>|<QUOTED-STRING> [username [groupname]]
1743
1744               # maximum number of connections to server
1745               uthreshold <INTEGER>
1746               # minimum number of connections to server
1747               lthreshold <INTEGER>
1748
1749               # Send email notification during state transition,
1750               # using addresses in global_defs above (default yes,
1751               # unless global smtp_alert/smtp_alert_checker set)
1752               smtp_alert <BOOL>
1753
1754               # Default VirtualHost string for HTTP_GET or SSL_GET
1755               # eg virtualhost www.firewall.loc
1756               # Overridden by virtualhost config of a checker
1757               virtualhost <STRING>
1758
1759               alpha <BOOL>                    # see above
1760               connect_timeout <TIMER>         # see above
1761               retry <INTEGER>                 # see above
1762               delay_before_retry <TIMER>      # see above
1763               warmup <TIMER>                  # see above
1764               delay_loop <TIMER>              # see above
1765               inhibit_on_failure <BOOL>       # see above
1766               log_all_failures <BOOL>         # log all failures when checker up
1767
1768               # healthcheckers. Can be multiple of each type
1769               # HTTP_GET|SSL_GET|TCP_CHECK|SMTP_CHECK|DNS_CHECK|MISC_CHECK|BFD_CHECK
1770
1771               # All checkers have the following options, except MISC_CHECK
1772               # which only has options alpha onwards, and BFD_CHECK which has none
1773               # of the standard options:
1774               CHECKER_TYPE {
1775                   # ======== generic connection options
1776                   # Optional IP address to connect to.
1777                   # The default is the realserver IP
1778                   connect_ip <IPADDR>
1779
1780                   # Optional port to connect to
1781                   # The default is the realserver port
1782                   connect_port <PORT>
1783
1784                   # Optional address to use to
1785                   # originate the connection
1786                   bindto <IPADDR>
1787
1788                   # Optional interface to use; needed if
1789                   # the bindto address is IPv6 link local
1790                   bind_if <IFNAME>
1791
1792                   # Optional source port to
1793                   # originate the connection from
1794                   bind_port <PORT>
1795
1796                   # Optional fwmark to mark all outgoing
1797                   # checker packets with
1798                   fwmark <INTEGER>
1799
1800                   alpha <BOOL>                    # see above
1801                   connect_timeout <TIMER>         # see above
1802                   retry <INTEGER>                 # see above
1803                   delay_before_retry <TIMER>      # see above
1804                   warmup <TIMER>                  # see above
1805                   delay_loop <TIMER>              # see above
1806               }
1807
1808               # The following options are additional checker specific
1809
1810               # HTTP and SSL healthcheckers
1811               HTTP_GET|SSL_GET {
1812                   # HTTP protocol version, one of 1.0, 1.0C, 1.1
1813                   # Protocol version 1.0C means version 1.0 with the addition
1814                   # of a "Connection: close" line, which is included in
1815                   # version 1.1 by default.
1816                   http_protocol <PROTOCOL>
1817                   # When alpha mode is set, or when recovering from a failure,
1818                   # each URL is checked, with a delay of <delay_loop> between
1819                   # each check. If there were 20 URLs and the <delay_loop> were
1820                   # 3 seconds, it would take 1 minute before the RS would come up
1821                   # following startup, or recovery from a failure. Setting
1822                   # fast_recovery removes the delay, both at start up and after
1823                   # recovery from a failure, meaning that the RS will come up
1824                   # once all the URLs have been checked, with no delay between
1825                   # checking each URL.
1826                   fast_recovery [<BOOL>]
1827                   # A URL to test
1828                   # can have multiple entries here
1829                   url {
1830                     #eg path / , or path /mrtg2/
1831                     path <STRING>
1832                     # healthcheck needs digest
1833                     # or status_code and digest
1834                     # Digest computed with genhash
1835                     # eg digest 9b3a0c85a887a256d6939da88aabd8cd
1836                     digest <STRING>
1837                     # status code returned in the HTTP header
1838                     # eg status_code 200 or status_code 200-299 400-499 503 505
1839                     # Default is 200-299
1840                     status_code <INTEGER|RANGE> [<INTEGER|RANGE>] ...
1841                     # VirtualHost string. eg virtualhost www.firewall.loc
1842                     # If not set, uses virtualhost from real or virtual server
1843                     virtualhost <STRING>
1844                     # Regular expression to search returned data against.
1845                     # A failure to match causes the check to fail.
1846                     regex <STRING>
1847                     # Reverse the sense of the match, so a match of the
1848                     # returned text causes the check to fail.
1849                     regex_no_match
1850                     # Space separated list of options for regex.
1851                     #  See man pcre2api for a description of the options.
1852                     #  The following options are supported:
1853                     #   allow_empty_class alt_bsux auto_callout caseless
1854                     #   dollar_endonly dotall dupnames extended firstline
1855                     #   match_unset_backref multiline never_ucp never_utf
1856                     #   no_auto_capture no_auto_possess no_dotstar_anchor
1857                     #   no_start_optimize ucp ungreedy utf never_backslash_c
1858                     #   alt_circumflex alt_verbnames use_offset_limit
1859                     regex_options <OPTIONS>
1860                     # For complicated regular expressions a larger stack
1861                     #   may be needed, and this allows the start and maximum
1862                     #   sizes in bytes to be specified. For more details see
1863                     #   the documentation for pcre2_jit_stack_create()
1864                     regex_stack <START> <MAX>
1865                     # The minimum offset into the returned data to start
1866                     #   checking for the regex pattern match. This can save
1867                     #   processing time if the returned data is large.
1868                     regex_min_offset <OFFSET>
1869                     # The maximum offset into the returned data for the
1870                     #   start of the subject match.
1871                     regex_max_offset <OFFSET>
1872                   }
1873               }
1874
1875               SSL_GET {
1876                   # when set, send the Server Name Indication (SNI) extension during the SSL handshake
1877                   enable_sni
1878               }
1879
1880               # TCP healthchecker
1881               TCP_CHECK {
1882                   # No additional options
1883               }
1884
1885               # SMTP healthchecker
1886               SMTP_CHECK {
1887                   # Optional string to use for the SMTP HELO request
1888                   helo_name <STRING>|<QUOTED-STRING>
1889               }
1890
1891               # DNS healthchecker
1892               DNS_CHECK {
1893                   # The retry default is 3.
1894
1895                   # DNS query type
1896                   #   A|NS|CNAME|SOA|MX|TXT|AAAA
1897                   # The default is SOA
1898                   type <STRING>
1899
1900                   # Domain name to use for the DNS query
1901                   # The default is . (dot)
1902                   name <STRING>
1903               }
1904
1905               # MISC healthchecker, run a program
1906               MISC_CHECK {
1907                   # The retry default is 0.
1908
1909                   # External script or program
1910                   misc_path <STRING>|<QUOTED-STRING>
1911                   # Script execution timeout
1912                   misc_timeout <INTEGER>
1913
1914                   # If set, the exit code from healthchecker is used
1915                   # to dynamically adjust the weight as follows:
1916                   #   exit status 0: svc check success, weight
1917                   #     unchanged.
1918                   #   exit status 1: svc check failed.
1919                   #   exit status 2-255: svc check success, weight
1920                   #     changed to 2 less than exit status.
1921                   #   (for example: exit status of 255 would set
1922                   #     weight to 253)
1923                   # NOTE: do not have more than one dynamic MISC_CHECK per real_server.
1924                   misc_dynamic
1925
1926                   # Specify the username/groupname that the script should
1927                   #   be run under.
1928                   # If GROUPNAME is not specified, the group of the user
1929                   #   is used
1930                   user USERNAME [GROUPNAME]
1931               }
1932
1933               # BFD instance name to check
1934               BFD_CHECK {
1935                   name <STRING>
1936               }
1937           }
1938       }
1939
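As an added example of the misc_dynamic exit-status contract described under MISC_CHECK, the following checker script derives a real server's weight from a busy percentage. It is not part of keepalived or of this manual: the /busy endpoint, the script path, the user name and the addresses in the stanza are assumptions, while the exit-status mapping is the one documented above.

```shell
#!/bin/sh
# Added example, not part of keepalived: a MISC_CHECK script that uses the
# misc_dynamic exit-status convention to set a real server's weight.
#
# Stanza it is written for (addresses, paths, user and the /busy endpoint
# are assumptions):
#
#   real_server 192.0.2.10 80 {
#       weight 10
#       MISC_CHECK {
#           misc_path "/usr/local/libexec/keepalived/rs_dynamic_weight.sh 192.0.2.10 80 10"
#           misc_timeout 5
#           misc_dynamic
#           user keepalived_script
#       }
#   }
#
# Exit status contract with misc_dynamic:
#   0      check passed, weight unchanged
#   1      check failed
#   2-255  check passed, weight set to (status - 2), i.e. 0..253

MAX_DYNAMIC_WEIGHT=253   # largest weight expressible as an exit status (255 - 2)

# Map a busy percentage (0 = idle, 100 = saturated) to a weight 0..max_weight.
# A reachable but saturated server gets weight 0: it keeps its existing
# connections but receives no new ones, instead of being marked down.
weight_from_busy() {
    busy=$1
    max_weight=$2
    echo $(( max_weight * (100 - busy) / 100 ))
}

# Translate a weight into the exit status keepalived expects, clamping to 0..253.
exit_status_for_weight() {
    weight=$1
    if [ "$weight" -gt "$MAX_DYNAMIC_WEIGHT" ]; then
        weight=$MAX_DYNAMIC_WEIGHT
    elif [ "$weight" -lt 0 ]; then
        weight=0
    fi
    echo $(( weight + 2 ))
}

# Decide the exit status from the raw reply of the real server. Anything that
# is not exactly an integer 0..100 is treated as a failed check (status 1), so
# a broken or tampered status page can only take the server out, never raise
# its weight.
decide() {
    reply=$1
    max_weight=$2
    case $reply in
        0|[1-9]|[1-9][0-9]|100) ;;       # integer 0..100, no leading zeros
        *) echo 1; return ;;
    esac
    exit_status_for_weight "$(weight_from_busy "$reply" "$max_weight")"
}

main() {
    rs_ip=$1
    rs_port=$2
    max_weight=${3:-10}
    # Assumed: the real server exposes its load as a bare integer at /busy.
    # --max-time keeps the probe inside misc_timeout; any curl failure yields
    # an empty reply and therefore exit status 1 (server down).
    reply=$(curl -fsS --max-time 3 "http://$rs_ip:$rs_port/busy" 2>/dev/null)
    exit "$(decide "$reply" "$max_weight")"
}

# Run the probe only when invoked as the checker (with the server address
# and port); sourcing the file just defines the functions.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Keep the clamp: keepalived cannot express a weight above 253 through this interface, and an exit status of 254 or 255 silently means "weight 252" or "weight 253", not "failure". With inhibit_on_failure set on the real server, the status 1 path sets the weight to 0 instead of removing the entry, which is the same draining behaviour the busy = 100 case produces here.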
1940       # Parameters used for SSL_GET check.
1941       # If none of the parameters are specified, the SSL context
1942       # will be auto generated.
1943       SSL {
1944           # Password
1945           password <STRING>
1946           # CA file
1947           ca <STRING>
1948           # Certificate file
1949           certificate <STRING>
1950           # Key file
1951           key <STRING>
1952       }
1953

ADVANCED CONFIGURATION

       The configuration parser has been extended to support advanced features
       such as conditional configuration and parameter substitution. These
       features are very useful in any scripted environment where
       configuration templates are generated (datacenters).


Conditional configuration and configuration id

       The config-id defaults to the first part of the node name as returned
       by uname, and can be overridden with the -i or --config-id command line
       option.

       Any configuration line starting with '@' is a conditional configuration
       line. The word immediately following the '@' character (i.e. without
       any space) is compared against the config-id, and if they don't match,
       the configuration line is ignored.

       Alternatively, '@^' is a negative comparison, so if the word
       immediately following does NOT match the config-id, the configuration
       line IS included.

       The purpose of this is to allow a single configuration file to be used
       for multiple systems, where the only differences are likely to be the
       router_id, vrrp instance priorities, and possibly interface names and
       unicast addresses.

       For example:

           global_defs {
               @main   router_id main_router
               @backup router_id backup_router
           }
           ...
           vrrp_instance VRRP {
               ...
               @main    unicast_src_ip 1.2.3.4
               @backup  unicast_src_ip 1.2.3.5
               @backup2 unicast_src_ip 1.2.3.6
               unicast_peer {
                   @^main    1.2.3.4
                   @^backup  1.2.3.5
                   @^backup2 1.2.3.6
               }
               ...
           }

       If keepalived is invoked with -i main, the router_id will be set to
       main_router; if invoked with -i backup, to backup_router; if -i is not
       given, or is given with any other value, the router_id will not be set.
       The unicast peers for main will be 1.2.3.5 and 1.2.3.6.


Parameter substitution

       Substitutable parameters can be specified. The format for defining a
       parameter is:

       $PARAMETER=VALUE

       where there must be no space before the '=' and only whitespace may
       precede the '$'. Empty values are allowed.

       Parameter names can be made up of any combination of A-Za-z0-9 and _,
       but cannot start with a digit. Parameter names starting with an
       underscore should be considered reserved names that keepalived will
       define for various pre-defined options.

       After a parameter is defined, any occurrence of $PARAMETER followed by
       whitespace, or any occurrence of ${PARAMETER} (which need not be
       followed by whitespace) will be replaced by VALUE.

       Replacement is recursive, so that if a parameter value itself includes
       a replaceable parameter, then after the first substitution, the
       parameter in the value will then be replaced; the substitution is done
       at replacement time and not at definition time, so for example:

           $ADDRESS_BASE=10.2.${ADDRESS_BASE_SUB}
           $ADDRESS_BASE_SUB=0
           ${ADDRESS_BASE}.100/32
           $ADDRESS_BASE_SUB=10
           ${ADDRESS_BASE}.100/32

           will produce:
               10.2.0.100/32
               10.2.10.100/32

       Note in the above example the use of both ADDRESS_BASE and
       ADDRESS_BASE_SUB required braces ({}) since the parameters were not
       followed by whitespace (after the first substitution, which produced
       10.2.${ADDRESS_BASE_SUB}.100/32, the parameter is still not followed by
       whitespace).

       If a parameter is not defined, it will not be replaced at all, so for
       example ${UNDEF_PARAMETER} will remain in the configuration if it is
       undefined; this means that existing configuration that contains a '$'
       character (for example in a script definition) will not be changed so
       long as no new parameter definitions are added to the configuration.

       Parameter substitution works in conjunction with conditional
       configuration. For example:

           @main $PRIORITY=240
           @backup $PRIORITY=200
           ...
           vrrp_instance VI_0 {
               priority $PRIORITY
           }

           will produce:
               ...
               vrrp_instance VI_0 {
                   priority 240
               }
               if the config_id is main.

           $IF_MAIN=@main
           $IF_MAIN priority 240

           will produce:
               priority 240
               if the config_id is main and nothing if the config_id is not main,
               although why anyone would want to use this rather than simply the
               following is not known (but still possible):
                   @main priority 240

       Multiline definitions are also supported, but when used there must be
       nothing on the line after the parameter name. A multiline definition is
       specified by ending each line except the last with a '\' character.

       Example:
           $INSTANCE= \
           vrrp_instance VI_${NUM} { \
               interface eth0.${NUM} \
               use_vmac vrrp${NUM}.1 \
               virtual_router_id 1 \
               @high priority 130 \
               @low priority 120 \
               advert_int 1 \
               virtual_ipaddress { \
                   10.0.${NUM}.254/24 \
               } \
               track_script { \
                   offset_instance_${NUM} \
               } \
           }

           $NUM=0
           $INSTANCE

           $NUM=1
           $INSTANCE

       The use of multiline definitions can be nested.

       Example:
           $RS= \
           real_server 192.168.${VS_NUM}.${RS_NUM} 80 { \
               weight 1 \
               inhibit_on_failure \
               smtp_alert \
               MISC_CHECK { \
                   misc_path "${_PWD}/scripts/vs.sh RS_misc.${INST}.${VS_NUM}.${RS_NUM}.0 10.0.${VS_NUM}.4:80->192.168.${VS_NUM}.${RS_NUM}:80" \
               } \

               MISC_CHECK { \
                   misc_path "${_PWD}/scripts/vs.sh RS_misc.${INST}.${VS_NUM}.${RS_NUM}.1 10.0.${VS_NUM}.4:80->192.168.${VS_NUM}.${RS_NUM}:80" \
               } \

               notify_up "${_PWD}/scripts/notify.sh RS_notify.${INST}.${VS_NUM}.${RS_NUM} UP 10.0.${VS_NUM}.4:80->192.168.${VS_NUM}.${RS_NUM}:80" \

               notify_down "${_PWD}/scripts/notify.sh RS_notify.${INST}.${VS_NUM}.${RS_NUM} DOWN 10.0.${VS_NUM}.4:80->192.168.${VS_NUM}.${RS_NUM}:80" \

           }

           $VS= \
           virtual_server 10.0.${VS_NUM}.4 80 { \
               quorum 2 \
               quorum_up "${_PWD}/scripts/notify.sh VS_notify.${INST} UP 10.0.${VS_NUM}.4:80" \
               quorum_down "${_PWD}/scripts/notify.sh VS_notify.${INST} DOWN 10.0.${VS_NUM}.4:80" \
               $RS_NUM=1 \
               $RS \
               $RS_NUM=2 \
               $RS \
               $RS_NUM=3 \
               $RS \
           }

           $VS_NUM=0
           $ALPHA=alpha
           $VS

           $VS_NUM=1
           $ALPHA=
           $VS

       The above will create 2 virtual servers, each with 3 real servers.


Pre-defined definitions

       The following pre-defined definitions are defined:

       ${_PWD} : The directory of the current configuration file (this can be
       changed if using the include directive).
       ${_INSTANCE} : The instance name (as defined by the -i option, defaults
       to hostname).
       ${_RANDOM [MIN [MAX]]} : This is replaced by a random integer in the
       range [MIN, MAX], where MIN and MAX are optional non-negative integers.
       Defaults are MIN=0 and MAX=32767.

       Additional pre-defined definitions will be added as their need is
       identified. It will normally be quite straightforward to add additional
       pre-defined definitions, so if you need one, or have a good idea for
       one, then raise an issue at
       https://github.com/acassen/keepalived/issues requesting it.


Sequence blocks

       A line starting ~SEQ(var, start, step, end) will cause the remainder of
       the line to be processed multiple times, with the variable $var set
       initially to start, and then $var will be incremented by step
       repeatedly, terminating when it is greater than end. step may be
       omitted, in which case it defaults to 1 or -1, depending on whether end
       is greater or less than start. start may also be omitted, in which case
       it defaults to 1 if end > 0 or -1 if end < 0. So, for example:

           ~SEQ(SUBNET, 0, 3) ip_address 10.0.$SUBNET.1

           would produce:
               ip_address 10.0.0.1
               ip_address 10.0.1.1
               ip_address 10.0.2.1
               ip_address 10.0.3.1

       There can be multiple ~SEQ elements on a line, so for example:

           $VI4= \
           vrrp_track_file offset_instance_4.${IF}.${NUM}.${ID} { \
               file "${_PWD}/679/track_files/4.${IF}.${NUM}.${ID}" \
               weight -100 \
           } \
           vrrp_instance vrrp4.${IF}.${NUM}.${ID} { \
               interface bond${IF}.${NUM} \
               use_vmac vrrp4.${IF}.${NUM}.${ID} \
               virtual_router_id ${ID} \
               priority 130 \
               virtual_ipaddress { \
                   10.${IF}.${NUM}.${ID}/24 \
               } \
               track_file { \
                   offset_instance_4.${IF}.${NUM}.${ID} \
               } \
           }

           ~SEQ(IF,0,7) ~SEQ(NUM,0,31) ~SEQ(ID,1,254) $VI4

           will produce 65024 vrrp instances with names from vrrp4.0.0.1
           through to vrrp4.7.31.254.

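       The conditional-line, parameter-substitution, multiline-definition and
       ~SEQ rules described in this and the preceding sections, as a small
       Python model of the preprocessing that can be run over the examples
       above. This is an added example, not keepalived's own (C) parser; it
       assumes one looser rule, flagged in the comments, that a bare $NAME
       ends at the first character that cannot be part of a name (which the
       ~SEQ example 10.0.$SUBNET.1 relies on), and it caps the number of
       expansion steps so that a self-referential definition fails instead
       of looping forever.

```python
import re
from collections import deque

_COND = re.compile(r'^(\s*)@(\^?)(\S+)\s*(.*)$')            # @id / @^id lines
_DEF = re.compile(r'^\s*\$([A-Za-z_]\w*)=(.*)$')             # $NAME=VALUE
_SEQ = re.compile(r'^(\s*)~SEQ\(\s*([A-Za-z_]\w*)\s*,([^)]*)\)\s*')
# ${NAME} anywhere, or bare $NAME ending at the first non-name character;
# the page says bare $NAME needs trailing whitespace, but its ~SEQ example
# (10.0.$SUBNET.1) needs this looser rule, which the model assumes.
_REF = re.compile(r'\$\{([A-Za-z_]\w*)\}|\$([A-Za-z_]\w*)')

def preprocess(text, config_id, max_steps=200000):
    """Expand conditionals, parameters, multiline definitions and ~SEQ loops
    in keepalived.conf text for one config-id; returns the resulting lines.
    max_steps (an assumption of this model) bounds self-referential loops."""
    params, out, queue = {}, [], deque(text.splitlines())
    while queue:
        if (max_steps := max_steps - 1) < 0:
            raise ValueError('expansion did not terminate')
        line = queue.popleft()
        c = _COND.match(line)
        if c:                           # drop the line if its condition is false
            if (c.group(3) == config_id) == bool(c.group(2)):
                continue
            line = c.group(1) + c.group(4)
        d = _DEF.match(line)
        if d:                           # definition; a trailing '\' continues it
            parts = [d.group(2)]
            while parts[-1].rstrip().endswith('\\') and queue:
                parts[-1] = parts[-1].rstrip()[:-1].rstrip()
                parts.append(queue.popleft())
            params[d.group(1)] = '\n'.join(p for p in parts if p.strip())
            continue
        s = _SEQ.match(line)
        if s:                           # ~SEQ(var[, start[, step]], end)
            args = [int(a) for a in s.group(3).split(',')]
            end = args[-1]
            start = args[0] if len(args) > 1 else (1 if end > 0 else -1)
            step = args[1] if len(args) > 2 else (1 if end >= start else -1)
            rest = s.group(1) + line[s.end():]
            gen = [x for n in range(start, end + (1 if step > 0 else -1), step)
                   for x in ('$%s=%d' % (s.group(2), n), rest)]
            queue.extendleft(reversed(gen))
            continue
        new = _REF.sub(lambda m: params.get(m.group(1) or m.group(2), m.group(0)), line)
        if new != line:                 # recursive: re-scan the substituted text
            queue.extendleft(reversed(new.split('\n')))
        else:
            out.append(line)
    return out
```

       Substituted text is pushed back onto the queue rather than expanded
       in place, so a definition such as $RS_NUM=1 inside an expanded $VS
       takes effect before the following $RS line is read, as in the nested
       example above.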

AUTHORS

       Initial by Joseph Mack. Extensive updates by Alexandre Cassen & Quentin
       Armitage.


SEE ALSO

       ipvsadm(8), ip --help.



Keepalived                        2019-03-24                keepalived.conf(5)