keepalived.conf(5) Keepalived Configuration's Manual keepalived.conf(5)


NAME
keepalived.conf - configuration file for Keepalived

DESCRIPTION
keepalived.conf is the configuration file which describes all the
Keepalived keywords. Keywords are placed in hierarchies of blocks and
subblocks, each layer being delimited by '{' and '}' pairs.

Comments start with '#' or '!' and run to the end of the line; they can
start anywhere in a line.

The keyword 'include' allows inclusion of other configuration files
from within the main configuration file, or from subsequently included
files.

The format of the include directive is:

include FILENAME

FILENAME can be a fully qualified or relative pathname, and can include
wildcards, including csh style brace expressions such as
"{foo/{,cat,dog},bar}" if glob() supports them.

After opening an included file, the current directory is set to the
directory of the file itself, so any relative paths included from a
file are relative to the directory of the including file itself.

Note: This documentation MUST be considered as THE exhaustive source of
information in order to configure Keepalived. This documentation is
supported and maintained by the Keepalived Core-Team.

PARAMETER SYNTAX
<BOOL> is one of on|off|true|false|yes|no
<TIMER> is a time value in seconds, including fractional seconds, e.g.
2.71828 or 3; the resolution of the timer is microseconds.

SCRIPTS
There are three classes of scripts that can be configured to be executed.

(a) Notify scripts that are run when a vrrp instance or vrrp group
changes state, or a virtual server quorum changes between up and down.

(b) vrrp tracking scripts that will cause vrrp instances to go down if
they exit with a non-zero exit status, or, if a weight is specified, will
add or subtract the weight to/from the priority of that vrrp instance.

(c) LVS checker misc scripts that will cause a real server to be
configured down if they exit with a non-zero status.

By default the scripts will be executed by user keepalived_script if
that user exists, or if not by root, but for each script the user/group
under which it is to be executed can be specified.

There are significant security implications if scripts are executed
with root privileges, especially if the scripts themselves are
modifiable or replaceable by a non root user. Consequently, security
checks are made at startup to ensure that if a script is executed by
root, then it cannot be modified or replaced by a non root user.

All scripts should be written so that they will terminate on receipt of
a SIGTERM signal. Scripts will be sent SIGTERM if their parent
terminates, or if it is a script whose exit status keepalived is
awaiting and it has run for too long.

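The startup check described above (a script run as root must not be modifiable or replaceable by a non-root user; enforced for the whole path when enable_script_security is set in global_defs) can be illustrated by inspecting every component of the script's path. This is an added Python example, not keepalived's own code; the ownership/mode rule it applies is an approximation of the real check, and the filesystem metadata it walks is constructed.

```python
"""Startup check for scripts that keepalived would run as root (added example,
not keepalived's own code): every component of the script's path is
inspected, and the script is refused if a non-root user could modify or
replace any of them.  The ownership/mode rule below is an approximation."""
import os
import stat
from typing import Callable, List, NamedTuple


class FakeStat(NamedTuple):
    """Just the stat fields the check needs; lets a constructed tree be used."""
    st_uid: int
    st_gid: int
    st_mode: int


def path_components(path: str) -> List[str]:
    """'/usr/local/bin/x' -> ['/', '/usr', '/usr/local', '/usr/local/bin', '/usr/local/bin/x']."""
    if not os.path.isabs(path):
        raise ValueError("script path must be absolute")
    comps = ["/"]
    for part in os.path.normpath(path).split("/")[1:]:
        comps.append(os.path.join(comps[-1], part))
    return comps


def insecure_components(path: str, stat_fn: Callable = os.stat) -> List[str]:
    """Describe each path component a non-root user could modify or replace.

    Flagged: not owned by root; writable by 'other'; writable by a group
    other than root (gid 0).  stat_fn defaults to os.stat for real paths.
    """
    findings = []
    for comp in path_components(path):
        st = stat_fn(comp)
        if st.st_uid != 0:
            findings.append(f"{comp}: owned by uid {st.st_uid}, not root")
        elif st.st_mode & stat.S_IWOTH:
            findings.append(f"{comp}: world-writable")
        elif st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            findings.append(f"{comp}: writable by gid {st.st_gid}")
    return findings


def may_run_as_root(path: str, stat_fn: Callable = os.stat) -> bool:
    """True when the path passes the check, i.e. the script may run as root."""
    return not insecure_components(path, stat_fn)


# Constructed filesystem metadata for the demonstration (not a real system).
D, F = stat.S_IFDIR, stat.S_IFREG
_SAMPLE_FS = {
    "/": FakeStat(0, 0, D | 0o755),
    "/usr": FakeStat(0, 0, D | 0o755),
    "/usr/local": FakeStat(0, 0, D | 0o755),
    "/usr/local/bin": FakeStat(0, 0, D | 0o755),
    "/usr/local/bin/check_haproxy.sh": FakeStat(0, 0, F | 0o755),
    "/home": FakeStat(0, 0, D | 0o755),
    "/home/ops": FakeStat(1000, 1000, D | 0o755),       # user-owned directory
    "/home/ops/notify.sh": FakeStat(1000, 1000, F | 0o755),
    "/opt": FakeStat(0, 0, D | 0o755),
    "/opt/scripts": FakeStat(0, 0, D | 0o777),           # world-writable dir
    "/opt/scripts/track.sh": FakeStat(0, 0, F | 0o744),
}


def sample_stat(path: str) -> FakeStat:
    """Stand-in for os.stat over the constructed tree above."""
    return _SAMPLE_FS[path]


if __name__ == "__main__":
    for p in ("/usr/local/bin/check_haproxy.sh", "/home/ops/notify.sh",
              "/opt/scripts/track.sh"):
        print(p, "->", "OK" if may_run_as_root(p, sample_stat)
              else insecure_components(p, sample_stat))
```

Pass a real absolute path without the stat_fn argument to inspect the live filesystem.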
QUOTED STRINGS
Quoted strings are specified between " characters; more specifically, a
string will only end after a quoted string if there is whitespace
afterwards. For example:
    "abcd" efg h jkl "mnop"
will be the single string "abcd efg h jkl mnop", i.e. the embedded "
characters are removed.

Quoted strings can also have escaped characters, like the shell. \a,
\b, \E, \f, \n, \r, \t, \v, \nnn and \xXX (where nnn is up to 3 octal
digits, and XX is any sequence of hex digits) and \cC (which produces
the control version of character C) are all supported. \C for any other
character C is just treated as an escaped version of character C, so \\
is a \ character and \" will be a " character, but it won't start or
terminate a quoted string.

For specifying scripts with parameters, unquoted spaces will separate
the parameters. If it is required for a parameter to contain a space,
it should be enclosed in single quotes (').

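The escape sequences above, as an added Python example (not keepalived's parser) that expands them inside the body of a quoted string. Assumptions: \E produces ESC (0x1b), \nnn and \xXX values above 0xFF keep only the low byte, and the whitespace rule for where a quoted string ends is not handled here.

```python
"""Expand keepalived.conf quoted-string escapes (added example; not the
keepalived parser itself)."""

# Single-character escapes listed on the page. Assumption: \E is ESC.
_SIMPLE = {"a": "\a", "b": "\b", "E": "\x1b", "f": "\f",
           "n": "\n", "r": "\r", "t": "\t", "v": "\v"}
_OCTAL = "01234567"
_HEX = "0123456789abcdefABCDEF"


def unescape_quoted(body: str) -> str:
    """Return `body` (the text between the quotes) with escapes expanded."""
    out = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch != "\\" or i + 1 == len(body):
            out.append(ch)              # ordinary char, or a lone trailing '\'
            i += 1
            continue
        nxt = body[i + 1]
        i += 2                          # i now points just past '\C'
        if nxt in _SIMPLE:
            out.append(_SIMPLE[nxt])
        elif nxt in _OCTAL:
            # \nnn: up to three octal digits (the first one is nxt)
            j = i
            while j < len(body) and j < i + 2 and body[j] in _OCTAL:
                j += 1
            out.append(chr(int(body[i - 1:j], 8) & 0xFF))   # low byte (assumption)
            i = j
        elif nxt == "x":
            # \xXX: any run of hex digits; "\x" with no digits is a plain x
            j = i
            while j < len(body) and body[j] in _HEX:
                j += 1
            out.append("x" if j == i else chr(int(body[i:j], 16) & 0xFF))
            i = j
        elif nxt == "c" and i < len(body):
            # \cC: the control version of C (e.g. \cA -> 0x01, \c[ -> ESC)
            out.append(chr(ord(body[i].upper()) ^ 0x40))
            i += 1
        else:
            # \C for any other C is just C: this covers \\ and \"
            out.append(nxt)
    return "".join(out)


if __name__ == "__main__":
    for s in (r"tab\tsep", r"\101\x42", r"\cA\c[", r"say \"hi\" \\ done"):
        print(repr(s), "->", repr(unescape_quoted(s)))
```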
CONFIGURATION PARSER
Traditionally the configuration file parser has not been one of the
strengths of keepalived. Much effort has been put into correcting this,
even though it is not the primary goal of the project.

TOP HIERARCHY
The Keepalived configuration file is articulated around a set of
configuration blocks. Each block focuses on and targets a specific
daemon family feature. These features are:

GLOBAL CONFIGURATION

BFD CONFIGURATION

VRRPD CONFIGURATION

LVS CONFIGURATION

GLOBAL CONFIGURATION
contains subblocks of Global definitions, Linkbeat interfaces, Static
track groups, Static addresses, Static routes, and Static rules

Global definitions
# Following are global daemon facilities for running
# keepalived in a separate network namespace:
# --
# Set the network namespace to run in.
# The directory /var/run/keepalived will be created as an
# unshared mount point, for example for pid files.
# syslog entries will have _NAME appended to the ident.
# Note: the namespace cannot be changed on a configuration reload.
net_namespace NAME

# Add the IPVS configuration in the specified net namespace. This makes it
# easy to keep the VIP traffic in a given namespace and the healthcheck
# traffic in another namespace. If NAME is not specified, then the default
# namespace will be used.
net_namespace_ipvs NAME

# ipsets weren't network namespace aware until Linux 3.13, and so
# if running with an earlier version of the kernel, by default
# use of ipsets is disabled if using a namespace and vrrp_ipsets
# has not been specified. This option overrides the default and
# allows ipsets to be used with a namespace on kernels prior to 3.13.
namespace_with_ipsets

# If multiple instances of keepalived are run in the same namespace,
# this will create pid files with NAME as part of the file names,
# in /var/run/keepalived.
# Note: the instance name cannot be changed on a configuration reload
instance NAME

# Create pid files in /var/run/keepalived
use_pid_dir

# Poll to detect media link failure using the ETHTOOL, MII or ioctl interface;
# otherwise the netlink interface is used.
linkbeat_use_polling

# Time for the main process to allow for child processes to exit on termination,
# in seconds. This can be needed for very large configurations.
# (default: 5)
child_wait_time SECS

# Global definitions configuration block
global_defs {
# Set the process names of the keepalived processes to the default values:
# keepalived, keepalived_vrrp, keepalived_ipvs, keepalived_bfd
process_names

# Specify the individual process names
process_name NAME
vrrp_process_name NAME
ipvs_process_name NAME
bfd_process_name NAME

# The startup and shutdown scripts are run once, when keepalived starts
# before any child processes are run, and when keepalived stops after
# all child processes have terminated, respectively.
# The original motivation for adding this feature was that although
# keepalived can setup IPVS configuration using firewall marks, there
# was no mechanism for adding configuration to set the firewall marks
# (or for removing it afterwards).
# This feature can also be used to setup the iptables framework required
# if using iptables (see vrrp_iptables option below), modify interface
# settings, or anything else that can be done from a script or program.
# Only one startup script and one shutdown script can be specified.
# The timeouts (in seconds, default 10 seconds) are the time allowed for
# scripts to run; if the timeout expires the scripts will be killed (this
# is to stop keepalived hanging waiting for the scripts to terminate).
startup_script SCRIPT_NAME [username [groupname]]
startup_script_timeout SECONDS # range [1,1000]
shutdown_script SCRIPT_NAME [username [groupname]]
shutdown_script_timeout SECONDS # range [1,1000]

# Set of email To: notify
notification_email {
admin@example1.com
...
}

# email from address that will be in the header
# (default: keepalived@<local host name>)
notification_email_from admin@example.com

# Remote SMTP server used to send notification email.
# IP address or domain name with optional port number.
# (default port number: 25)
smtp_server 127.0.0.1 [<PORT>]

# Name to use in HELO messages.
# (default: local host name)
smtp_helo_name <STRING>

# SMTP server connection timeout in seconds.
smtp_connect_timeout 30

# Sets default state for all smtp_alerts
smtp_alert <BOOL>

# Sets default state for vrrp smtp_alerts
smtp_alert_vrrp <BOOL>

# Sets default state for checker smtp_alerts
smtp_alert_checker <BOOL>

# Logs every failed real server check in syslog
# (nevertheless, SMTP alert is only sent when all retry checks failed
# and real server transitions to DOWN state)
checker_log_all_failures <BOOL>

# Don't send smtp alerts for fault conditions
no_email_faults

# String identifying the machine (doesn't have to be hostname).
# (default: local host name)
router_id <STRING>

# Multicast Group to use for IPv4 VRRP adverts
# Defaults to the RFC5798 IANA assigned VRRP multicast address 224.0.0.18
# which you typically do not want to change.
vrrp_mcast_group4 224.0.0.18

# Multicast Group to use for IPv6 VRRP adverts
# (default: ff02::12)
vrrp_mcast_group6 ff02::12

# sets the default interface for static addresses.
# (default: eth0)
default_interface p33p1.3

# The sync daemon as provided by the IPVS kernel code only supports
# one master and one backup daemon instance at a time to synchronize
# the IPVS connection table.
# See ipvsadm(8) man page for more details of the sync daemon.
# Parameters are binding interface, and optional:
# inst VRRP_INSTANCE (inst can be omitted for backward compatibility)
# syncid (0 to 255) for lvs syncd, default is the VRID of vrrp instance,
# or 0 if no vrrp instance
# maxlen (1..65507) maximum packet length (limit is mtu - 20 - 8)
# port (1..65535) UDP port number to use, default 8848
# ttl (1..255)
# group - multicast group address(IPv4 or IPv6), default 224.0.0.81
# If VRRP_INSTANCE is not specified, both the master and backup sync daemons
# will be run as long as keepalived is running, otherwise the sync daemon
# master/backup state tracks the state of the specified vrrp instance: if
# the vrrp instance is in master state, only the master sync daemon will run,
# if the vrrp instance is not master, only the backup sync daemon will run.
# NOTE: maxlen, port, ttl and group are only available on Linux 4.3 or later.
# See kernel source doc/Documentation/networking/ipvs-sysctl.txt for details of
# parameters controlling IPVS and the sync daemon.
# /proc/net/ip_vs* provide some details about the state of IPVS.
lvs_sync_daemon <INTERFACE> [[inst] <VRRP_INSTANCE>] [id <SYNC_ID>] \
[maxlen <LEN>] [port <PORT>] [ttl <TTL>] [group <IP ADDR>]

# lvs_timeouts specifies the tcp, tcp_fin and udp connection tracking timeouts
# in seconds. At least one value must be specified; not setting a value leaves
# it unchanged from when keepalived started.
lvs_timeouts [tcp SECS] [tcpfin SECS] [udp SECS]

# flush any existing LVS configuration at startup
lvs_flush

# flush remaining LVS configuration at shutdown
# If VS is specified, remove each keepalived managed virtual
# server without explicitly removing the real servers (the kernel will
# remove them).
lvs_flush_onstop [VS]

# delay for second set of gratuitous ARPs after transition to MASTER.
# in seconds, 0 for no second set.
# (default: 5)
vrrp_garp_master_delay 10

# number of gratuitous ARP messages to send at a time after
# transition to MASTER.
# (default: 5)
vrrp_garp_master_repeat 1

# delay for second set of gratuitous ARPs after lower priority
# advert received when MASTER.
vrrp_garp_lower_prio_delay 10

# number of gratuitous ARP messages to send at a time after
# lower priority advert received when MASTER.
vrrp_garp_lower_prio_repeat 1

# minimum time interval for refreshing gratuitous ARPs while MASTER.
# in seconds.
# (default: 0 (no refreshing))
vrrp_garp_master_refresh 60

# number of gratuitous ARP messages to send at a time while MASTER
# (default: 1)
vrrp_garp_master_refresh_repeat 2

# Delay in ms between gratuitous ARP messages sent on an interface
# decimal, seconds (resolution usecs).
# (default: 0)
vrrp_garp_interval 0.001

# Delay in ms between unsolicited NA messages sent on an interface
# decimal, seconds (resolution usecs).
# (default: 0)
vrrp_gna_interval 0.000001

# By default keepalived sends 5 gratuitous ARP/NA messages at a
# time, and after transitioning to MASTER sends a second block of
# 5 messages 5 seconds later.
# With modern switches this is unnecessary, so setting vrrp_min_garp
# causes only one ARP/NA message to be sent, with no repeat 5 seconds
# later.
vrrp_min_garp [<BOOL>]

# If a lower priority advert is received, don't send another advert.
# This causes adherence to the RFCs. Defaults to false, unless
# strict_mode is set.
vrrp_lower_prio_no_advert [<BOOL>]

# If we are master and receive a higher priority advert, send an advert
# (which will be lower priority than the other master), before we
# transition to backup. This means that if the other master has
# vrrp_garp_lower_prio_repeat set, it will resend garp messages.
# This is to get around the problem of there having been two simultaneous
# masters, and the last GARP messages seen were from us.
vrrp_higher_prio_send_advert [<BOOL>]

# Set the default VRRP version to use
# (default: 2, but IPv6 instances will use version 3)
vrrp_version <2 or 3>

# keepalived uses a firewall (either nftables or iptables) for two purposes:
# i) To implement no_accept mode
# ii) To stop IGMP/MLD packets being sent on VMAC interfaces, and to move
# them onto the underlying interface.
# If both vrrp_iptables and vrrp_nftables are specified, keepalived will use
# nftables and not iptables. Similarly, if the iptables command is generating
# nftables configuration, or there is no iptables command installed,
# keepalived will use nftables rather than iptables.
# If neither vrrp_nftables nor vrrp_iptables is specified but VMACs are in use
# or no_accept is specified, keepalived will use nftables if it is available.

# Use nftables as the firewall.
# TABLENAME must not exist, and must be different for each
# instance of keepalived running in the same network namespace.
# Default tablename is keepalived, and priority is -1.
# keepalived will create base chains in the table.
# counters means counters are added to the rules (primarily for
# debugging purposes).
# ifindex means create IPv6 link local sets using ifindex rather
# than ifnames. This is the default unless the vrrp_instance has
# set dont_track_primary. The alternative is to use interface names
# as part of the set key, but the nft utility prior to v0.8.3 will
# then not output interface names properly.
nftables [TABLENAME]
nftables_priority PRIORITY
nftables_counters
nftables_ifindex

# Use iptables as the firewall.
# Note: it is necessary for the specified chain to exist in
# the iptables and/or ip6tables configuration, and for the chain
# to be called from an appropriate point in the iptables configuration.
# It will probably be necessary to have this filtering after accepting
# any ESTABLISHED,RELATED packets, because IPv4 might select the VIP as
# the source address for outgoing connections.
# (default: INPUT)
vrrp_iptables keepalived

# or for outbound filtering as well
# Note, outbound filtering won't work with IPv4, since the VIP can be
# selected as the source address for an outgoing connection. With IPv6
# this is unlikely since the addresses are deprecated.
vrrp_iptables keepalived_in keepalived_out

# or to use default chains (INPUT and OUTPUT)
vrrp_iptables

# Keepalived may have the option to use ipsets in conjunction with
# iptables. If so, then the ipset names can be specified, defaults
# as below. If no names are specified, ipsets will not be used,
# otherwise any omitted names will be constructed by adding "_if"
# and/or "6" and _igmp/_mld to previously specified names.
vrrp_ipsets [keepalived [keepalived6 [keepalived_if6 [keepalived_igmp [keepalived_mld]]]]]

# The following enables checking that when in unicast mode, the
# source address of a VRRP packet is one of our unicast peers.
vrrp_check_unicast_src

# Checking all the addresses in a received VRRP advert can be time
# consuming. Setting this flag means the check won't be carried out
# if the advert is from the same master router as the previous advert
# received.
# (default: don't skip)
vrrp_skip_check_adv_addr

# Enforce strict VRRP protocol compliance. This will prohibit:
# 0 VIPs
# unicast peers
# IPv6 addresses in VRRP version 2
vrrp_strict

# Send vrrp instance priority notifications on notify FIFOs.
vrrp_notify_priority_changes <BOOL>

# The following options can be used if vrrp, checker or bfd processes
# are timing out. This can be seen by a backup vrrp instance becoming
# master even when the master is still running, because the master or
# backup system is too busy to process vrrp packets.
# --
# keepalived can, if it detects that it is not running sufficiently
# soon after a timer should expire, increase its priority, first
# of all switching to realtime scheduling, and if that is not
# sufficient, it will then increase its realtime priority by one each
# time it detects a further delay in running. In the event that realtime
# scheduling is enabled, RLIMIT_RTTIME will be set, using the values for
# {bfd,checker,vrrp}_rlimit_rttime (see below). These values may need
# to be increased for slower processors.
# --
# To limit the maximum increased automatic priority, specify the following
# (0 doesn't use automatic priority increases, and is the default. -1 disables
# the warning message at startup). Omitting the priority sets the maximum value.
max_auto_priority [<-1 to 99>] # 99 is really sched_get_priority_max(SCHED_RR)

# Minimum delay in microseconds after a timer expires before keepalived is
# scheduled, after which the process priority will be auto incremented
# (default is 1000000 usecs (1 second), maximum is 10000000 (10 seconds))
min_auto_priority_delay <delay in usecs>

# Set the vrrp child process priority (Negative values increase priority)
vrrp_priority <-20 to 19>

# Set the checker child process priority
checker_priority <-20 to 19>

# Set the BFD child process priority
bfd_priority <-20 to 19>

# Set the vrrp child process non swappable
vrrp_no_swap

# Set the checker child process non swappable
checker_no_swap

# Set the BFD child process non swappable
bfd_no_swap

# The following options can be used to force vrrp, checker and bfd
# processes to run on a restricted CPU set.
# You can either bind processes to a single CPU or define a set of
# CPUs. In the latter case the Linux kernel will be restricted to that cpu
# set during scheduling. Forcing process binding to a single CPU can
# increase performance on a heavily loaded box.
# The INTEGER values following the configuration keyword represent the cpu_id
# as shown in /proc/cpuinfo on the "processor:" line.
# --
# Set CPU Affinity for the vrrp child process
vrrp_cpu_affinity <INTEGER> [<INTEGER>]...[<INTEGER>]

# Set CPU Affinity for the checker child process
checker_cpu_affinity <INTEGER> [<INTEGER>]...[<INTEGER>]

# Set CPU Affinity for the bfd child process
bfd_cpu_affinity <INTEGER> [<INTEGER>]...[<INTEGER>]

# Set the vrrp child process to use real-time scheduling
# at the specified priority
vrrp_rt_priority <1..99>

# Set the checker child process to use real-time scheduling
# at the specified priority
checker_rt_priority <1..99>

# Set the BFD child process to use real-time scheduling
# at the specified priority
bfd_rt_priority <1..99>

# Set the limit on CPU time between blocking system calls,
# in microseconds
# (default: 10000)
vrrp_rlimit_rttime >=2
checker_rlimit_rttime >=2
bfd_rlimit_rttime >=2

# If Keepalived has been built with SNMP support, the following
# keywords are available.
# Note: Keepalived, checker and RFC support can be individually
# enabled/disabled
# --
# Specify socket to use for connecting to SNMP master agent
# (see source module keepalived/vrrp/vrrp_snmp.c for more details)
# (default: unix:/var/agentx/master)
snmp_socket udp:1.2.3.4:705

# enable SNMP handling of vrrp element of KEEPALIVED MIB
enable_snmp_vrrp

# enable SNMP handling of checker element of KEEPALIVED MIB
enable_snmp_checker

# enable SNMP handling of RFC2787 and RFC6527 VRRP MIBs
enable_snmp_rfc

# enable SNMP handling of RFC2787 VRRP MIB
enable_snmp_rfcv2

# enable SNMP handling of RFC6527 VRRP MIB
enable_snmp_rfcv3

# enable SNMP traps
enable_traps

# If Keepalived has been built with DBus support, the following
# keywords are available.
# --
# Enable the DBus interface
enable_dbus

# Name of DBus service
# Useful if you want to run multiple keepalived processes with DBus enabled
# (default: org.keepalived.Vrrp1)
dbus_service_name SERVICE_NAME

# Specify the default username/groupname to run scripts under.
# If this option is not specified, the user defaults to keepalived_script
# if that user exists, otherwise root.
# If groupname is not specified, it defaults to the user's group.
script_user username [groupname]

# Don't run scripts configured to be run as root if any part of the path
# is writable by a non-root user.
enable_script_security

# Rather than using notify scripts, specifying a fifo allows more
# efficient processing of notify events, and guarantees that they
# will be delivered in the correct sequence.
# NOTE: the FIFO names must all be different
# --
# FIFO to write notify events to
# See vrrp_notify_fifo and lvs_notify_fifo for format of output
# For further details, see the description under vrrp_sync_group.
# see doc/samples/sample_notify_fifo.sh for sample usage.
notify_fifo FIFO_NAME [username [groupname]]

# script to be run by keepalived to process notify events
# The FIFO name will be passed to the script as the last parameter
notify_fifo_script STRING|QUOTED_STRING [username [groupname]]

# FIFO to write vrrp notify events to.
# The string written will be a line of the form: INSTANCE "VI_1" MASTER 100
# and will be terminated with a new line character.
# For further details of the output, see the description under vrrp_sync_group
# and doc/samples/sample_notify_fifo.sh for sample usage.
vrrp_notify_fifo FIFO_NAME [username [groupname]]

# script to be run by keepalived to process vrrp notify events
# The FIFO name will be passed to the script as the last parameter
vrrp_notify_fifo_script STRING|QUOTED_STRING [username [groupname]]

# FIFO to write notify healthchecker events to
# The string written will be a line of the form:
# VS [192.168.201.15]:tcp:80 {UP|DOWN}
# RS [1.2.3.4]:tcp:80 [192.168.201.15]:tcp:80 {UP|DOWN}
# and will be terminated with a new line character.
lvs_notify_fifo FIFO_NAME [username [groupname]]

# script to be run by keepalived to process healthchecker notify events
# The FIFO name will be passed to the script as the last parameter
lvs_notify_fifo_script STRING|QUOTED_STRING [username [groupname]]

# Allow configuration to include interfaces that don't exist at startup.
# This allows keepalived to work with interfaces that may be deleted and restored
# and also allows virtual and static routes and rules on VMAC interfaces.
# allow_if_changes allows an interface to be deleted and recreated with a
# different type or underlying interface, eg changing from vlan to macvlan
# or changing a macvlan from eth1 to eth2. This is predominantly used for
# reporting duplicate VRID errors at startup if allow_if_changes is not set.
dynamic_interfaces [allow_if_changes]

# The following options are only needed for large configurations, where either
# keepalived creates a large number of interfaces, or the system has a large
# number of interfaces. These options only need using if
# "Netlink: Receive buffer overrun" messages are seen in the system logs.
# If the buffer size needed exceeds the value in /proc/sys/net/core/rmem_max
# the corresponding force option will need to be set.
# --
# Set netlink receive buffer size. This is useful for
# very large configurations where a large number of interfaces exist, and
# the initial read of the interfaces on the system causes a netlink buffer
# overrun.
vrrp_netlink_cmd_rcv_bufs BYTES
vrrp_netlink_cmd_rcv_bufs_force <BOOL>
vrrp_netlink_monitor_rcv_bufs BYTES
vrrp_netlink_monitor_rcv_bufs_force <BOOL>

# The vrrp netlink command and monitor sockets, the checker command and
# monitor sockets, and the process monitor buffer sizes can be set independently.
# The force flag means to use SO_RCVBUFFORCE, so that the buffer size
# can exceed /proc/sys/net/core/rmem_max.
lvs_netlink_cmd_rcv_bufs BYTES
lvs_netlink_cmd_rcv_bufs_force <BOOL>
lvs_netlink_monitor_rcv_bufs BYTES
lvs_netlink_monitor_rcv_bufs_force <BOOL>

# As a guide for process_monitor_rcv_bufs, for 1400 processes terminating
# simultaneously, 212992 (the default on some systems) is insufficient, whereas
# 500000 is sufficient.
process_monitor_rcv_bufs BYTES
process_monitor_rcv_bufs_force <BOOL>

# When a socket is opened, the kernel configures the max rx buffer size for
# the socket to /proc/sys/net/core/rmem_default. On some systems this can be
# very large, and even generally this can be much larger than necessary.
# This isn't a problem so long as keepalived is reading all queued data from
# its sockets, but if rmem_default was set sufficiently large, and if for
# some reason keepalived stopped reading, it could consume all system memory.
# The vrrp_rx_bufs_policy allows configuring of the rx bufs size when the
# sockets are opened. If the policy is MTU, the rx buf size is configured
# to the total of interface's MTU * vrrp_rx_bufs_multiplier for each vrrp
# instance using the socket. Likewise, if the policy is ADVERT, then it is
# the total of each vrrp instance's advert packet size * multiplier.
# (default: use system default)
vrrp_rx_bufs_policy [MTU|ADVERT|NUMBER]

# (default: 3)
vrrp_rx_bufs_multiplier NUMBER

# Send notifies at startup for real servers that are starting up
rs_init_notifies

# Don't send an email every time a real server checker changes state;
# only send email when a real server is added or removed
no_checker_emails

# The umask to use for creating files. The number can be specified in hex, octal
# or decimal. BITS are I{R|W|X}{USR|GRP|OTH}, e.g. IRGRP, separated by '|'s.
# The default umask is IWGRP | IWOTH. This option cannot override the
# command-line option.
umask [NUMBER|BITS]

# On some systems when bond interfaces are created, they can start passing traffic
# and then have a several second gap when they stop passing traffic inbound. This
# can mean that if keepalived is started at boot time, i.e. at the same time as
# bond interfaces are being created, keepalived doesn't receive adverts and hence
# can become master despite an instance with higher priority sending adverts.
# This option specifies a delay in seconds before vrrp instances start up after
# keepalived starts.
vrrp_startup_delay 5.5

# The following will cause logging of receipt of VRRP adverts for VRIDs not configured
# on the interface on which they are received.
log_unknown_vrids

# Specify random seed for ${_RANDOM}, to make configurations repeatable (default
# is to use a seed based on the time, so that each time a different configuration
# will be generated).
random_seed UNSIGNED_INT

# reload_time_file allows a reload of keepalived to be scheduled in the future. This is
# particularly useful if there is a master keepalived and one or more backup keepalived
# instances and the new configuration is incompatible with the previous configuration,
# e.g. adding or removing VIPs which would cause adverts to be rejected.
# All the instances can be scheduled to reload at the same time, thereby ensuring that
# no mismatching adverts are received by the backup instances.
# The configuration specifies a file which keepalived will monitor. The first line of
# the file must contain a valid time or date/time exactly in the formats specified below.
# When keepalived starts up, it reads the file if it exists, and schedules a reload at
# the specified time. If the file does not exist, then when it is subsequently created
# a reload will be scheduled. If the file is updated, the reload time will be modified
# accordingly. If the file is deleted, the reload is cancelled.
# Normally when the reload occurs the specified file is deleted, since the reload has
# been done; if the file included a date then the reload will be in the past and so
# ignored. However, if there is no date, then if the file were reread following the
# reload, a reload would be scheduled for 24 hours' time. In order to stop this, the
# file is deleted (unlinked) by default. If reload_repeat is specified, then the
# file is not deleted, and if the file contains a time only with no date, then
# keepalived will keep reloading at that time every day until the file is removed or
# modified.
# If the directory containing the file does not exist at startup/reload, or if the
# directory is removed or renamed, then no future scheduled reloads will occur until
# a manual (SIGHUP) reload is done or keepalived restarts.
# The permitted formats of the entry in the timer file are precisely:
# HH:MM:SS
# YY-MM-DD HH:MM:SS
# YYYY-MM-DD HH:MM:SS
# each with an optional 'Z' at the end.
# There must be no leading or trailing whitespace, and only one space between the date
# and the time.
# If there is a 'Z' at the end of the time, the time is parsed as UTC, otherwise the
# time is the local time for the environment in which keepalived is running. If the
# systems which are being reloaded are in different timezones, it is probably safer to
# use UTC.
# If using local time with daylight savings, beware that some times don't exist and
# some times are duplicated and hence ambiguous.
reload_time_file ABSOLUTE-PATHNAME-OF-FILE
reload_repeat
}
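As an added example (not keepalived's code), the following Python parser applies the reload_time_file rules above: the three exact layouts, the optional 'Z' for UTC, rejection of stray whitespace or a double space, dated entries in the past being ignored, and a time-only entry rolling over to the next day. The reference time SAMPLE_NOW is constructed, and its zone stands in for the daemon's local time.

```python
"""Parser for the first line of a keepalived reload_time_file (added example,
not keepalived's own code)."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Exactly the layouts the page permits: HH:MM:SS, YY-MM-DD HH:MM:SS or
# YYYY-MM-DD HH:MM:SS, one single space, optional trailing 'Z', nothing else.
_ENTRY = re.compile(
    r"^(?:(?P<date>\d{2}(?:\d{2})?-\d{2}-\d{2}) )?"
    r"(?P<time>\d{2}:\d{2}:\d{2})(?P<utc>Z)?$"
)


def parse_reload_entry(line: str, now: datetime) -> Optional[datetime]:
    """Return the scheduled reload time for `line`, or None if the entry is
    malformed or (when it carries a date) already in the past.

    `now` must be timezone-aware; entries without 'Z' are read in now's
    timezone, which stands in for the daemon's local time (assumption).
    """
    m = _ENTRY.match(line.rstrip("\n"))
    if m is None:
        return None                          # blanks, bad layout, lowercase z
    tz = timezone.utc if m.group("utc") else now.tzinfo
    try:
        t = datetime.strptime(m.group("time"), "%H:%M:%S").time()
        d = None
        if m.group("date"):
            year_digits = len(m.group("date").split("-")[0])
            fmt = "%Y-%m-%d" if year_digits == 4 else "%y-%m-%d"
            d = datetime.strptime(m.group("date"), fmt).date()
    except ValueError:
        return None                          # e.g. 25:00:00 or month 13
    if d is not None:
        when = datetime.combine(d, t, tzinfo=tz)
        return when if when > now else None  # dated entries in the past are ignored
    # Time only: today at that time, or tomorrow if it has already passed.
    when = datetime.combine(now.astimezone(tz).date(), t, tzinfo=tz)
    if when <= now:
        when += timedelta(days=1)
    return when


def read_reload_time_file(path: str, now: datetime) -> Optional[datetime]:
    """Read only the first line, as keepalived does; a missing file means no reload."""
    try:
        with open(path, "r", encoding="ascii") as fh:
            return parse_reload_entry(fh.readline(), now)
    except OSError:
        return None


# Constructed reference time for the demonstration: 12:00 local in UTC+2.
SAMPLE_NOW = datetime(2024, 3, 10, 12, 0, 0, tzinfo=timezone(timedelta(hours=2)))


def demo(entry: str) -> Optional[str]:
    """Scheduled time for `entry` relative to SAMPLE_NOW, as an ISO 8601 string."""
    when = parse_reload_entry(entry, SAMPLE_NOW)
    return None if when is None else when.isoformat()


if __name__ == "__main__":
    for e in ("13:30:00", "11:00:00", "11:00:00Z", "24-03-12 08:00:00",
              "2024-03-09 23:59:59", " 13:30:00", "25:00:00"):
        print(repr(e), "->", demo(e))
```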
707
709 The linkbeat_interfaces block allows specifying which interfaces should
710 use polling via MII, Ethtool or ioctl status rather than rely on
711 netlink status updates. This allows more granular control than the
712 global linkbeat_use_polling definition.
713
714 This option is preferred over the deprecated use of
715 linkbeat_use_polling in a vrrp_instance block, since the latter only
716 allows using linkbeat on the interface of the vrrp_instance itself,
717 whereas track_interface and virtual_ipaddresses and virtual_iproutes
718 may require monitoring other interfaces, which may need to use linkbeat
719 polling.
720
721 The default polling type to use is MII, unless that isn't supported in
722 which case ETHTOOL is used, and if that isn't supported then ioctl
723 polling. The preferred type of polling to use can be specified with MII
724 or ETHTOOL or IOCTL after the interface name, but if that type isn't
725 supported, a supported type will be used.
726
727 The syntax for linkbeat_interfaces is:
728 linkbeat_interfaces {
729 eth2
730 enp2s0 ETHTOOL
731 }
732
734 Static track groups are used to allow vrrp instances to track static
735 addresses, routes and rules. If a static address/route/rule specifies a
736 track group, then if the address/route/rule is deleted and cannot be
737 restored, the vrrp instance will transition to fault state.
738
739 The syntax for a track group is:
740 track_group GROUP1 {
741 group {
742 VI_1
743 VI_2
744 }
745 }
746
748 Keepalived can configure static addresses, routes, and rules. These
749 addresses are NOT moved by vrrpd, they stay on the machine. If you
750 already have IPs and routes on your machines and your machines can ping
751 each other, you don't need this section. The syntax for rules and
752 routes is the same as for ip rule add/ip route add (except shortened
753 option names are not supported due to ambiguities). The track_group
754 specification refers to a named track_group which lists the vrrp
755 instances which will track the address, i.e. if the address is deleted
756 and cannot be restored the vrrp instances will transition to fault state.
757
758 NOTE: since rules without preferences can be added in different orders
759 due to vrrp instances transitioning from master to backup etc, rules
760 need to have a preference. If a preference is not specified, keepalived
761 will assign one, but it will probably not be what you want.
762
763 The syntax is the same for virtual addresses and virtual routes. If no
764 dev element is specified, it defaults to default_interface (default
765 eth0). Note: the broadcast address may be specified as '-' or '+' to
766 clear or set the host bits of the address.
767
768 If a route or rule could apply to either IPv4 or IPv6 it will default
769 to IPv4. To force a route/rule to be IPv6, add the keyword "inet6".
770
771 static_ipaddress {
772 <IPADDR>[/<MASK>] [brd <IPADDR>] [dev <STRING>] [scope <SCOPE>]
773 [label <LABEL>] [peer <IPADDR>] [home]
774 [-nodad] [mngtmpaddr] [noprefixroute]
775 [autojoin] [track_group GROUP] [preferred_lft nn|forever]
776 192.168.1.1/24 dev eth0 scope global
777 ...
778 }
779
780 static_routes {
781 192.168.2.0/24 via 192.168.1.100 dev eth0 track_group GROUP1
782
783 192.168.100.0/24 table 6909 nexthop via 192.168.101.1 dev wlan0
784 onlink weight 1 nexthop via 192.168.101.2
785 dev wlan0 onlink weight 2
786
787 192.168.200.0/24 dev p33p1.2 table 6909 tos 0x04 protocol bird
788 scope link priority 12 mtu 1000 hoplimit 100
789 advmss 101 rtt 102 rttvar 103 reordering 104
790 window 105 cwnd 106 ssthresh lock 107 realms
791 PQA/0x14 rto_min 108 initcwnd 109 initrwnd 110
792 features ecn
793
794 2001:470:69e9:1:2::4 dev p33p1.2 table 6909 tos 0x04 protocol
795 bird scope link priority 12 mtu 1000
796 hoplimit 100 advmss 101 rtt 102 rttvar 103
797 reordering 104 window 105 cwnd 106 ssthresh
798 lock 107 rto_min 108 initcwnd 109
799 initrwnd 110 features ecn fastopen_no_cookie 1
800 ...
801 }
802
803 static_rules {
804 from 192.168.2.0/24 table 1 track_group GROUP1
805
806 to 192.168.2.0/24 table 1
807
808 from 192.168.28.0/24 to 192.168.29.0/26 table small iif p33p1
809 oif wlan0 tos 22 fwmark 24/12
810 preference 39 realms 30/20 goto 40
811
812 to 1:2:3:4:5:6:7:0/112 from 7:6:5:4:3:2::/96 table 6908
813 uidrange 10000-19999
814
815 to 1:2:3:4:6:6:7:0/112 from 8:6:5:4:3:2::/96 l3mdev protocol 12
816 ip_proto UDP sport 10-20 dport 20-30
817 ...
818 }
819
821 Adds a file to be monitored. The file will be read whenever it is modi‐
822 fied. The value in the file will be recorded for all VRRP instances,
823 sync groups and real servers which monitor it. Note that the file will
824 only be read if at least one VRRP instance, sync group or real server
825 monitors it.
826
827 The value is read from the file as a number in text form. If the weight
828 configured against the track_file is 0, a non-zero value in the file
829 will be treated as a failure status, and a zero value will be treated
830 as an OK status, otherwise the value will be multiplied by the weight
831 configured in the track_file statement.
832
833 For VRRP instances, if the result is less than -253 anything monitoring
834 the file will transition to the fault state (the weight can be 254 to
835 allow for a negative value being read from the file).
836
837 If the vrrp instance or sync group is not the address owner and the
838 result is between -253 and 253, the result will be added to the initial
839 priority of the VRRP instance (a negative value will reduce the prior‐
840 ity), although the effective priority will be limited to the range
841 [1,254]. Likewise for real servers.
842
843 If a vrrp instance using a track_file is a member of a sync group,
844 unless sync_group_tracking_weight is set on the group weight 0 must be
845 set. Likewise, if the vrrp instance is the address owner, weight 0
846 must also be set.
847
848 For real servers monitoring the file, the limits of values read from
849 the track file are 2147483646 to -2147483647. The value, once multi‐
850 plied by the weight, will be added to the real server's IPVS weight.
851 NOTE: weights for track_file for real servers are not fully implemented
852 yet. In particular allowing weight 0, handling negative calculated val‐
853 ues and reloading.
854
855 The syntax for track file is:
856
857 track_file <STRING> { # vrrp_track_file is a deprecated synonym
858 # file to track (weight defaults to 1)
859 file <QUOTED_STRING>
860
861 # optional default weight
862 weight <-2147483647..2147483647> [reverse]
863
864 # create the file and/or initialise the value
865 # This causes VALUE (default 0) to be written to
866 # the specified file at startup if the file doesn't
867 # exist, unless overwrite is specified in which case
868 # any existing file contents will be overwritten with
869 # the specified value.
870 init_file [VALUE] [overwrite]
871 }
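A track_file is only as trustworthy as the process that writes it, and keepalived reads it whenever it changes. The following added Python example (not keepalived's code) shows the writer side and the arithmetic above: it publishes a value with write-to-temporary-then-rename so a reader never sees a half-written number, and it models how the value combines with the configured weight for a VRRP instance (weight 0 as a pure up/down flag, the -253 fault threshold, the [1,254] clamp). Two details are this example's assumptions because the manual does not spell them out: a result above +253 is simply clamped to 254, and reverse is not modelled.

```python
import os
import tempfile
from typing import Optional, Tuple


def write_track_value(path: str, value: int) -> None:
    """Publish ``value`` to a keepalived track_file atomically.

    The temporary file is created in the same directory so os.replace() is a
    rename on one filesystem: a concurrent reader sees the old or the new
    content, never a truncated number.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".track-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(f"{int(value)}\n")
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o644)  # mkstemp creates 0600; the reader may not be the writing user
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def read_track_value(path: str) -> int:
    """Read the value the way the manual describes it: a number in text form."""
    with open(path) as fh:
        return int(fh.read().strip())


def vrrp_effect(base_priority: int, value: int, weight: int) -> Tuple[str, Optional[int]]:
    """Model the effect of a track_file value on a non-address-owner VRRP instance.

    Returns ("FAULT", None) or ("OK", effective_priority).
    """
    if weight == 0:
        # Pure status flag: any non-zero value in the file is a failure.
        return ("OK", base_priority) if value == 0 else ("FAULT", None)
    result = value * weight
    if result < -253:
        return ("FAULT", None)
    # Assumption: results above +253 are simply clamped by the priority range.
    return ("OK", max(1, min(254, base_priority + result)))


def demo() -> Tuple[int, list]:
    """Write a value, read it back, and show the priority it yields under several weights."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "haproxy_state")  # constructed path for the demo
        write_track_value(path, -1)
        read_back = read_track_value(path)
    effects = [
        vrrp_effect(100, read_back, 0),    # weight 0: -1 is non-zero -> FAULT
        vrrp_effect(100, read_back, 50),   # 100 - 50 = 50
        vrrp_effect(100, read_back, 254),  # -254 < -253 -> FAULT (the manual's "weight 254" case)
        vrrp_effect(100, 0, 254),          # 0 * 254 = 0 -> priority unchanged
    ]
    return read_back, effects


if __name__ == "__main__":
    value, effects = demo()
    print(f"file holds {value}; effects: {effects}")
```

The weight 254 case shows the trick the manual hints at: with a script writing 0 for healthy and -1 for broken, weight 254 turns the -1 into a fault rather than a mere priority reduction, while 0 leaves the priority alone.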
872
874 The configuration block looks like:
875
876 vrrp_track_process <STRING> {
877 # process to monitor (with optional parameters)
878 # A quoted string is treated as a single element, so if the first item
879 # after the process keyword is quoted, that will be the command name.
880 # For example:
881 # process "/tmp/a b" param1 "param 2"
882 # would mean a process named '/tmp/a b' (quotes removed) with 2 parameters
883 # 'param1' and 'param 2'.
884 process <STRING>|<QUOTED_STRING> [<STRING>|<QUOTED_STRING> ...]
885
886 # If matching parameters, this specifies a partial match (i.e. the first
887 # n parameters match exactly), or an initial match, i.e. the last
888 # parameter may be longer than the parameter configured.
889 # To specify that a command must have no parameters, don't specify
890 # any parameters, but specify param_match.
891 param_match {initial|partial}
892
893 # default weight (default is 1). For description of reverse, see track_process.
894 # 'weight 0 reverse' will cause the vrrp instance to be down when the
895 # quorum is up, and vice versa.
896 weight <-254..254> [reverse]
897
898 # minimum number of processes for success
899 quorum NUM
900
901 # maximum number of processes for success. For example, setting
902 # this to 1 would cause a failure if two instances of the process
903 # were running (but beware forks - see fork_delay below).
904 # Setting this to 0 would mean failure if the matching process were
905 # running at all.
906 quorum_max NUM
907
908 # time to delay after process quorum gained after fork before
909 # consider process up (in fractions of second)
910 # This is to avoid up/down bounce for fork/exec
911 fork_delay SECS
912
913 # time to delay after process quorum lost before
914 # consider process down (in fractions of second)
915 # This is to avoid down/up bounce after terminate/parent refork.
916 terminate_delay SECS
917
918 # this sets fork_delay and terminate_delay
919 delay SECS
920
921 # Normally process string is matched against the process name,
922 # as shown on the Name: line in /proc/PID/status, unless
923 # parameters are specified.
924 # This option forces matching the full command line
925 full_command
926 }
927
928 To avoid having to frequently run a track_script to monitor the
929 existence of processes (often haproxy or nginx), vrrp_track_process can
930 monitor whether other processes are running.
931
932 One difference from pgrep is track_process doesn't do a regular expres‐
933 sion match of the command string, but does an exact match. 'pgrep ssh'
934 will match an sshd process, this track_process will not (it is equiva‐
935 lent to pgrep "^ssh$").
936
937 If full_command is used (equivalent to pgrep -f), /proc/PID/cmdline is
938 used, but any updates to cmdline will not be detected (a process
939 shouldn't normally change it, although it is possible with great care,
940 for example systemd).
941
942 Prior to Linux v3.2 track_process will not support detection of changes
943 to a process name, since the kernel did not notify changes of process
944 name prior to 3.2. Most processes do not change their process name,
945 but, for example, firefox forks processes that change their process
946 name to "Web Content". The process name referred to here is the con‐
947 tents of /proc/PID/comm.
948
949 Quorum is the number of matching processes that must be running for an
950 OK status.
951
952 Delay might be useful if it is anticipated that a process may be reloaded
953 (stopped and restarted), and it isn't desired to down and up a vrrp
954 instance.
955
956 A positive weight means that an OK status will add <weight> to the pri‐
957 ority of all VRRP instances which monitor it. Conversely, a negative
958 weight will be subtracted from the initial priority in case of
959 insufficient processes.
960
961 If the vrrp instance or sync group is not the address owner and the
962 result is between -253 and 253, the result will be added to the initial
963 priority of the VRRP instance (a negative value will reduce the prior‐
964 ity), although the effective priority will be limited to the range
965 [1,254].
966
967 If a vrrp instance using a track_process is a member of a sync group,
968 unless sync_group_tracking_weight is set on the group weight 0 must be
969 set. Likewise, if the vrrp instance is the address owner, weight 0
970 must also be set.
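The matching rules above differ from pgrep in ways that decide whether a quorum is met, and the manual's own warning about quorum_max and forked workers is easy to trip over. The following added Python example (not keepalived's code) models the rules against a constructed process table: exact matching on the comm name when no parameters are given, matching against the command line when parameters or full_command are used, the partial and initial parameter modes, quorum/quorum_max evaluation, and the exclusion of zombies. Where the manual is silent the model assumes that argv[0] must equal the configured process string verbatim and that an initial match allows no extra trailing parameters.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample of /proc data: comm is the kernel task name (at most 15 characters,
# as in /proc/PID/comm), cmdline the argv vector, state the letter from /proc/PID/status.
PROCS: List[Dict] = [
    {"pid": 101, "comm": "sshd",    "state": "S", "cmdline": ["/usr/sbin/sshd", "-D"]},
    # nginx rewrites its command line to a process title but its comm stays "nginx".
    {"pid": 202, "comm": "nginx",   "state": "S", "cmdline": ["nginx: master process /usr/sbin/nginx"]},
    {"pid": 203, "comm": "nginx",   "state": "S", "cmdline": ["nginx: worker process"]},
    {"pid": 300, "comm": "haproxy", "state": "S", "cmdline": ["/usr/sbin/haproxy", "-f", "/etc/haproxy/haproxy.cfg", "-Ws"]},
    {"pid": 301, "comm": "haproxy", "state": "Z", "cmdline": []},  # defunct child: pgrep counts it, keepalived does not
]


@dataclass(frozen=True)
class TrackProcess:
    """One vrrp_track_process block."""
    process: str
    params: Tuple[str, ...] = ()
    param_match: Optional[str] = None  # None (exact), "partial" or "initial"
    full_command: bool = False
    quorum: int = 1
    quorum_max: Optional[int] = None


def _params_match(got: Sequence[str], want: Sequence[str], mode: Optional[str]) -> bool:
    if not want:
        # param_match without parameters means "must have no parameters"; without
        # param_match the default is an exact (empty) parameter list, the same thing.
        return len(got) == 0
    if mode is None:
        return list(got) == list(want)
    if len(got) < len(want) or list(got[:len(want) - 1]) != list(want[:-1]):
        return False
    if mode == "partial":
        return got[len(want) - 1] == want[-1]  # extra trailing parameters are allowed
    if mode == "initial":
        # Assumption: last configured parameter is a prefix and no extra parameters follow.
        return len(got) == len(want) and got[-1].startswith(want[-1])
    raise ValueError(f"unknown param_match {mode!r}")


def matches(cfg: TrackProcess, proc: Dict) -> bool:
    """Apply the manual's matching rules to one process."""
    if proc["state"] == "Z":
        return False  # zombies are not running
    if not cfg.params and cfg.param_match is None and not cfg.full_command:
        return proc["comm"] == cfg.process  # exact name match, the equivalent of pgrep "^name$"
    argv = proc["cmdline"]
    # Assumption: with parameters or full_command, argv[0] must equal the configured string verbatim.
    if not argv or argv[0] != cfg.process:
        return False
    return _params_match(argv[1:], cfg.params, cfg.param_match)


def evaluate(cfg: TrackProcess, procs: Sequence[Dict] = PROCS) -> Tuple[int, bool]:
    """Return (number of matching processes, whether quorum and quorum_max are satisfied)."""
    count = sum(1 for p in procs if matches(cfg, p))
    ok = count >= cfg.quorum and (cfg.quorum_max is None or count <= cfg.quorum_max)
    return count, ok


if __name__ == "__main__":
    for cfg in (
        TrackProcess("ssh"),                  # pgrep ssh would match sshd; this does not
        TrackProcess("sshd"),
        TrackProcess("nginx", quorum_max=1),  # master + worker = 2 -> fails quorum_max
        TrackProcess("haproxy"),              # zombie excluded -> 1
        TrackProcess("/usr/sbin/haproxy", ("-f",), param_match="partial"),
    ):
        print(cfg, "->", evaluate(cfg))
```

The nginx rows are the practical lesson: a bare process name counts every worker as well as the master, so quorum_max 1 fails for a healthy nginx, and a health check that wants exactly one master needs parameters or full_command to tell them apart.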
971
972 Rationale for not using pgrep/pidof/killall and the like:
973
974 Every time pgrep or its equivalent is run, it iterates through the
975 /proc/[1-9][0-9]* directories, and opens the status and cmdline pseudo
976 files in each directory. The cmdline pseudo file is mapped to the
977 process's address space, and so if that part of the process is swapped
978 out, it will have to be fetched from the swap space. pgrep etc also
979 include zombie processes whereas keepalived does not, since they aren't
980 running.
981
982 This implementation only iterates through /proc/[1-9][0-9]*/ directories
983 at start up, and it won't even read the cmdline pseudo files if
984 'full_command' is not specified for any of the vrrp_track_process
985 entries. After startup, it uses the process_events kernel <-> userspace
986 connector to receive notification of process changes. If full_command
987 is specified for any track_process instance, the cmdline pseudo file
988 will have to be read upon notification of the creation of the new
989 process, but at that time it is very unlikely that it will have already
990 been swapped out.
991
992 On a busy system with a high number of process creations/terminations,
993 using a track_script with pgrep/pidof/killall may be more efficient,
994 although those processes are inefficient compared to the minimum that
995 keepalived needs.
996
997 Using pgrep etc on a system that is swapping can have a significant
998 detrimental impact on the performance of the system, due to having to
999 fetch swapped memory from the swap space, thereby causing additional
1000 swapping.
1001
1003 This is an implementation of RFC5880 (Bidirectional forwarding detec‐
1004 tion), and this can be configured to work between 2 keepalived
1005 instances, but using unweighted track_bfds between a master/backup pair
1006 of VRRP instances means that the VRRP instance will only be able to
1007 come up if both VRRP instances are running, which somewhat defeats the
1008 purpose of VRRP.
1009
1010 This implementation has been tested with OpenBFDD (available at
1011 https://github.com/dyninc/OpenBFDD).
1012
1013 The syntax for bfd instance is :
1014
1015 bfd_instance <STRING> {
1016 # BFD Neighbor IP (synonym neighbour_ip)
1017 neighbor_ip <IP ADDRESS>
1018
1019 # Source IP to use (nominally optional, but in practice required so
1020 # that the local port can be validated)
1021 source_ip <IP ADDRESS>
1022
1023 # Required min RX interval, in ms
1024 # (default is 10 ms)
1025 min_rx <INTEGER>
1026
1027 # Desired min TX interval, in ms
1028 # (default is 10 ms)
1029 min_tx <INTEGER>
1030
1031 # Desired idle TX interval, in ms
1032 # (default is 1000 ms)
1033 idle_tx <INTEGER>
1034
1035 # Number of missed packets after
1036 # which the session is declared down
1037 # (default is 5)
1038 multiplier <INTEGER>
1039
1040 # Operate in passive mode (default is active)
1041 passive
1042
1043 # outgoing IPv4 ttl to use (default 255)
1044 ttl <INTEGER>
1045
1046 # outgoing IPv6 hoplimit to use (default 64)
1047 hoplimit <INTEGER>
1048
1049 # maximum reduction of ttl/hoplimit
1050 # in received packet (default 0)
1051 # (255 disables hop count checking)
1052 max_hops <INTEGER>
1053
1054 # Default tracking weight
1055 # Normally, positive weights are added to the vrrp instance priority when
1056 # the bfd instance is up, negative weights reduce the priority when it is down.
1057 # However, if reverse is specified, the priority is decreased when up and
1058 # increased when down. 'weight 0 reverse' will cause the vrrp instance to be down
1059 # when the bfd instance is up, and vice versa.
1060 weight <-253:253> [reverse]
1061
1062 # Normally bfd event notifications are sent to both the VRRP and checker processes.
1063 # Specifying vrrp or checker will cause event notifications for this bfd_instance
1064 # only to be sent to the specified process
1065 vrrp
1066 checker
1067 }
1068
1070 contains subblocks of VRRP script(s), VRRP synchronization group(s),
1071 VRRP gratuitous ARP and unsolicited neighbour advert delay group(s) and
1072 VRRP instance(s)
1073
1075 The script will be executed periodically, every <interval> seconds. Its
1076 exit code will be recorded for all VRRP instances which monitor it.
1077 Note that the script will only be executed if at least one VRRP
1078 instance monitors it.
1079
1080 The default weight equals 0, which means that any VRRP instance moni‐
1081 toring the script will transition to the fault state after <fall> con‐
1082 secutive failures of the script. After that, <rise> consecutive suc‐
1083 cesses will cause VRRP instances to leave the fault state, unless they
1084 are also in the fault state due to other scripts or interfaces that
1085 they are tracking.
1086
1087 A positive weight means that <rise> successes will add <weight> to the
1088 priority of all VRRP instances which monitor it. Conversely, a
1089 negative weight will be subtracted from the initial priority in case of
1090 <fall> failures.
1091
1092 The syntax for the vrrp script is:
1093
1094 # Adds a script to be executed periodically. Its exit code will be
1095 # recorded for all VRRP instances and sync groups which are monitoring it.
1096 vrrp_script <SCRIPT_NAME> {
1097 # path of the script to execute
1098 script <STRING>|<QUOTED-STRING>
1099
1100 # seconds between script invocations, (default: 1 second)
1101 interval <INTEGER>
1102
1103 # seconds after which script is considered to have failed
1104 timeout <INTEGER>
1105
1106 # adjust priority by this weight, (default: 0)
1107 # For description of reverse, see track_script.
1108 # 'weight 0 reverse' will cause the vrrp instance to be down when the
1109 # script is up, and vice versa.
1110 weight <INTEGER:-253..253> [reverse]
1111
1112 # required number of successes for OK transition
1113 rise <INTEGER>
1114
1115 # required number of failures for KO transition
1116 fall <INTEGER>
1117
1118 # user/group names to run script under.
1119 # group defaults to the group of the user
1120 user USERNAME [GROUPNAME]
1121
1122 # assume script initially is in failed state
1123 init_fail
1124 }
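Rise, fall, weight and reverse interact in ways that are easy to get backwards when sizing priorities across a pair of nodes. The following added Python example (not keepalived's code) models a vrrp_script's state machine from a sequence of exit codes and the priority a monitoring instance ends up with: <fall> consecutive failures take the script down, <rise> consecutive successes bring it back, a timed-out run counts as a failure, weight 0 turns failure into FAULT, positive weights are added while up, negative weights subtracted while down, reverse swaps the two, and the effective priority is clamped to [1,254]. The defaults of rise 1 and fall 1 are this model's choice; the manual does not state them here.

```python
from typing import Iterable, Optional, Tuple


class ScriptState:
    """Hysteresis of a vrrp_script: <fall> consecutive failures -> down, <rise> consecutive successes -> up."""

    def __init__(self, rise: int = 1, fall: int = 1, init_fail: bool = False):
        self.rise, self.fall = rise, fall
        self.up = not init_fail
        self._streak = 0  # consecutive results contradicting the current state

    def record(self, exit_code: Optional[int]) -> bool:
        """Feed one result (None = timed out, treated as a failure) and return the new up/down state."""
        success = exit_code == 0
        if success == self.up:
            self._streak = 0  # a result agreeing with the current state resets the count
            return self.up
        self._streak += 1
        if self._streak >= (self.rise if success else self.fall):
            self.up, self._streak = success, 0
        return self.up


def instance_priority(base: int, weight: int, script_up: bool, reverse: bool = False) -> Tuple[str, Optional[int]]:
    """Priority of a non-address-owner instance tracking the script.

    Returns ("FAULT", None) or ("OK", effective_priority).
    """
    up = (not script_up) if reverse else script_up  # reverse swaps the sense of up/down
    if weight == 0:
        return ("OK", base) if up else ("FAULT", None)
    if weight > 0:
        adj = weight if up else 0  # added on success, nothing happens on failure
    else:
        adj = 0 if up else weight  # subtracted on failure, nothing happens on success
    return ("OK", max(1, min(254, base + adj)))


def run_sequence(exit_codes: Iterable[Optional[int]], *, rise: int, fall: int, base: int, weight: int,
                 reverse: bool = False, init_fail: bool = False) -> list:
    """Replay exit codes and return (up, status, priority) after each one."""
    st = ScriptState(rise, fall, init_fail)
    out = []
    for code in exit_codes:
        up = st.record(code)
        out.append((up, *instance_priority(base, weight, up, reverse)))
    return out


if __name__ == "__main__":
    # Two failures are not enough with fall 3; the third takes the script down and the
    # instance loses 20 points; it then needs two successes (rise 2) to recover.
    for step in run_sequence([0, 1, 1, 0, 1, 1, 1, 0, 0], rise=2, fall=3, base=100, weight=-20):
        print(step)
```

Note the asymmetry the manual describes: with a positive weight a failing script leaves the priority at its configured value, so a node whose scripts all fail still competes on its base priority; a negative weight is what actually demotes it.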
1125
1127 VRRP Sync Group is an extension to the VRRP protocol. The main goal is
1128 to bundle VRRP instances so that they are synchronized together: a
1129 transition of one instance is reflected to the other group members.
1130
1131 In addition there is an enhanced notify feature for fine state transi‐
1132 tion catching.
1133
1134 You can also define multiple track policies in order to force state
1135 transitions according to a third party event such as an interface,
1136 script, file or BFD session.
1137
1138 Important: for a SYNC group to run reliably, it is vital that all
1139 instances in the group are MASTER or that they are all either BACKUP or
1140 FAULT. A situation where half the instances have a higher priority on
1141 machine A and the other half a higher priority on machine B will lead to
1142 constant re-elections. For this reason, when instances are grouped, any
1143 track scripts/files configured against member VRRP instances will have
1144 their tracking weights automatically set to zero, in order to avoid
1145 inconsistent priorities across instances.
1146
1147 The syntax for vrrp_sync_group is :
1148
1149 vrrp_sync_group <STRING> {
1150 group {
1151 # name of the vrrp_instance (see below)
1152 # Set of VRRP_Instance string
1153 <STRING>
1154 <STRING>
1155 ...
1156 }
1157
1158 # Synchronization group tracking interface, script, file & bfd will
1159 # update the status/priority of all VRRP instances which are members
1160 # of the sync group.
1161 # 'weight 0 reverse' will cause the vrrp instance to be down when the
1162 # interface is up, and vice versa.
1163 track_interface {
1164 eth0
1165 eth1
1166 eth2 weight <-253..253> [reverse]
1167 ...
1168 }
1169
1170 # add a tracking script to the sync group (<SCRIPT_NAME> is the name
1171 # of the vrrp_script entry) go to FAULT state if any of these go down
1172 # if unweighted.
1173 # reverse causes the direction of the adjustment of the priority to be reversed.
1174 track_script {
1175 <SCRIPT_NAME>
1176 <SCRIPT_NAME> weight <-253..253> [reverse|no_reverse]
1177 }
1178
1179 # Files whose state we monitor, value is added to effective priority.
1180 # <STRING> is the name of a track_file
1181 # weight defaults to weight configured in track_file
1182 track_file {
1183 <STRING>
1184 <STRING> weight <-254..254> [reverse|noreverse]
1185 ...
1186 }
1187
1188 # Process to monitor, weight is added to effective priority.
1189 # <STRING> is the name of a vrrp_track_process
1190 # weight defaults to weight configured in vrrp_track_process.
1191 # See vrrp_instance track_process for description of weight.
1192 track_process {
1193 <STRING>
1194 <STRING> weight <-254..254> [reverse|noreverse]
1195 ...
1196 }
1197
1198 # BFD instances we monitor, value is added to effective priority.
1199 # <STRING> is the name of a BFD instance
1200 track_bfd {
1201 <STRING>
1202 <STRING>
1203 <STRING> weight <INTEGER: -253..253> [reverse|noreverse]
1204 ...
1205 }
1206
1207 # notify scripts and alerts are optional
1208 #
1209 # filenames of scripts to run on transitions can be unquoted (if
1210 # just filename) or quoted (if it has parameters)
1211 # The username and groupname specify the user and group
1212 # under which the scripts should be run. If username is
1213 # specified, the group defaults to the group of the user.
1214 # If username is not specified, they default to the
1215 # global script_user and script_group
1216
1217 # to MASTER transition
1218 notify_master /path/to_master.sh [username [groupname]]
1219
1220 # to BACKUP transition
1221 notify_backup /path/to_backup.sh [username [groupname]]
1222
1223 # FAULT transition
1224 notify_fault "/path/fault.sh VG_1" [username [groupname]]
1225
1226 # executed when stopping vrrp
1227 notify_stop <STRING>|<QUOTED-STRING> [username [groupname]]
1228
1229 # notify_deleted causes DELETED to be sent to notifies rather
1230 # than the default FAULT after a vrrp instance is deleted during a
1231 # reload. If a script is specified, that script will be executed
1232 # as well.
1233 notify_deleted [<STRING>|<QUOTED-STRING> [username [groupname]]]
1234
1235 # for ANY state transition.
1236 # "notify" script is called AFTER the notify_* script(s) and
1237 # is executed with 4 additional arguments after the configured
1238 # arguments provided by Keepalived:
1239 # $(n-3) = "GROUP"|"INSTANCE"
1240 # $(n-2) = name of the group or instance
1241 # $(n-1) = target state of transition (stop only applies to instances)
1242 # ("MASTER"|"BACKUP"|"FAULT"|"STOP"|"DELETED")
1243 # $(n) = priority value
1244 # $(n-3) and $(n-1) are ALWAYS sent in uppercase, and the possible
1245 # strings sent are the same ones listed above
1246 # ("GROUP"/"INSTANCE", "MASTER"/"BACKUP"/"FAULT"/"STOP"/"DELETED")
1247 # (note: STOP and DELETED are only applicable to instances)
1248 notify <STRING>|<QUOTED-STRING> [username [groupname]]
1249
1250 # The notify fifo output is the same as the last 4 parameters for the "notify"
1251 # script, with the addition of "MASTER_RX_LOWER_PRI" instead of state for an
1252 # instance, and also "MASTER_PRIORITY" and "BACKUP_PRIORITY" if the priority
1253 # changes and notify_priority_changes is configured.
1254 # MASTER_RX_LOWER_PRI is used if a master needs to set some external state, such
1255 # as setting a secondary IP address when using Amazon AWS; if another keepalived
1256 # has transitioned to master due to a communications break, the lower priority
1257 # instance will have taken over the secondary IP address, and the proper master
1258 # needs to be able to restore it.
1259
1260 # Send FIFO notifies for vrrp priority changes
1261 notify_priority_changes <BOOL>
1262
1263 # Send email notification during state transition,
1264 # using addresses in global_defs above (default no,
1265 # unless global smtp_alert/smtp_alert_vrrp set)
1266 smtp_alert <BOOL>
1267
1268 # DEPRECATED. Use track_interface, track_script and
1269 # track_file on vrrp_sync_groups instead.
1270 global_tracking
1271
1272 # allow sync groups to use differing weights.
1273 # This probably WON'T WORK, but is a replacement for
1274 # global_tracking in case different weights were used
1275 # across different vrrp instances in the same sync group.
1276 sync_group_tracking_weight
1277 }
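Notify scripts receive the transition as their last four arguments, and the notify FIFO carries the same fields one line at a time, so one parser can serve both. The following is an added Python example, not keepalived's own notify script: it extracts TYPE, NAME, STATE and PRIORITY from the tail of argv regardless of how many configured arguments precede them, validates them against the sets listed above (plus the FIFO-only MASTER_RX_LOWER_PRI, MASTER_PRIORITY and BACKUP_PRIORITY), rejects STOP and DELETED for groups, and dispatches on the target state. Accepting the name either bare or double-quoted in FIFO lines is an assumption about the exact FIFO quoting. The handler here only returns a log line; the actions are placeholders for whatever the transition must do.

```python
import shlex
import sys
from dataclasses import dataclass

STATES = {"MASTER", "BACKUP", "FAULT", "STOP", "DELETED"}
FIFO_ONLY_STATES = {"MASTER_RX_LOWER_PRI", "MASTER_PRIORITY", "BACKUP_PRIORITY"}
TYPES = {"GROUP", "INSTANCE"}


@dataclass(frozen=True)
class Transition:
    kind: str      # "GROUP" or "INSTANCE"
    name: str      # sync group or instance name
    state: str
    priority: int


def parse_fields(kind: str, name: str, state: str, priority: str, *, fifo: bool) -> Transition:
    """Validate the four keepalived-supplied fields; refuse anything outside the documented sets."""
    allowed = STATES | FIFO_ONLY_STATES if fifo else STATES
    if kind not in TYPES:
        raise ValueError(f"unexpected type {kind!r}")
    if state not in allowed:
        raise ValueError(f"unexpected state {state!r}")
    if kind == "GROUP" and state in {"STOP", "DELETED"}:
        raise ValueError(f"{state} only applies to instances")
    prio = int(priority)
    if not 0 <= prio <= 255:
        raise ValueError(f"priority out of range: {prio}")
    return Transition(kind, name, state, prio)


def parse_notify_argv(argv: list) -> Transition:
    """notify scripts get TYPE NAME STATE PRIORITY appended after any configured arguments."""
    if len(argv) < 5:  # argv[0] plus the four appended fields
        raise ValueError("notify script needs the four arguments appended by keepalived")
    return parse_fields(*argv[-4:], fifo=False)


def parse_fifo_line(line: str) -> Transition:
    """One line read from notify_fifo: TYPE NAME STATE PRIORITY, name possibly double-quoted."""
    fields = shlex.split(line)
    if len(fields) != 4:
        raise ValueError(f"malformed fifo line: {line!r}")
    return parse_fields(*fields, fifo=True)


def handle(t: Transition) -> str:
    """Dispatch on the target state; returns the action taken (here, a log line)."""
    actions = {  # placeholder actions for illustration
        "MASTER": "enable service / announce routes",
        "BACKUP": "disable service / withdraw routes",
        "FAULT": "disable service, alert operator",
        "STOP": "clean up on shutdown",
        "DELETED": "clean up removed instance",
        "MASTER_RX_LOWER_PRI": "reassert external state (e.g. a cloud secondary IP)",
        "MASTER_PRIORITY": "priority changed while master",
        "BACKUP_PRIORITY": "priority changed while backup",
    }
    return f"{t.kind} {t.name} -> {t.state} (prio {t.priority}): {actions[t.state]}"


if __name__ == "__main__":
    # Configured as: notify "/path/notify.py my-arg" -> argv ends with the four appended fields.
    print(handle(parse_notify_argv(sys.argv)))
```

Because notify scripts run with whatever user keepalived is configured to use (root unless script_user or a per-script username says otherwise), treating the four fields as untrusted input and refusing anything outside the documented vocabulary is cheap insurance against acting on a garbled invocation.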
1278
1280 specifies the setting of delays between sending gratuitous ARPs and
1281 unsolicited neighbour advertisements. This is intended for when an
1282 upstream switch is unable to handle being flooded with ARPs/NAs.
1283
1284 Use interface when the limits apply on the single physical interface.
1285 Use interfaces when a group of interfaces are linked to the same switch
1286 and the limits apply to the switch as a whole.
1287
1288 Note: Only one of interface or interfaces should be used per block.
1289
1290 If the global vrrp_garp_interval and/or vrrp_gna_interval are set, any
1291 interfaces that aren't specified in a garp_group will inherit the
1292 global settings.
1293
1294 The syntax for garp_group is :
1295
1296 garp_group {
1297 # Sets the interval between Gratuitous ARP (in seconds, resolution microseconds)
1298 garp_interval <DECIMAL>
1299
1300 # Sets the default interval between unsolicited NA (in seconds, resolution microseconds)
1301 gna_interval <DECIMAL>
1302
1303 # The physical interface to which the intervals apply
1304 interface <STRING>
1305
1306 # A list of interfaces across which the delays are aggregated.
1307 interfaces {
1308 <STRING>
1309 <STRING>
1310 ...
1311 }
1312 }
1313
1315 A VRRP Instance is the key feature of the VRRP protocol. It defines and
1316 configures the VRRP behaviour to run on a specific interface. Each VRRP
1317 instance is bound to a unique interface.
1318
1319 The syntax for vrrp_instance is :
1320
1321 vrrp_instance <STRING> {
1322 # Initial state, MASTER|BACKUP
1323 # As soon as the other machine(s) come up,
1324 # an election will be held and the machine
1325 # with the highest priority will become MASTER.
1326 # So the entry here doesn't matter a whole lot.
1327 state MASTER
1328
1329 # interface for inside_network, bound by vrrp.
1330 # Note: if using unicasting, the interface can be omitted as long
1331 # as the unicast addresses are not IPv6 link local addresses (this is
1332 # necessary, for example, if using asymmetric routing).
1333 # If the interface is omitted, then all VIPs and eVIPs should specify
1334 # the interface they are to be configured on, otherwise they will be
1335 # added to the default interface.
1336 interface eth0
1337
1338 # Use VRRP Virtual MAC.
1339 # NOTE: If sysctl net.ipv4.conf.all.rp_filter is set,
1340 # and this vrrp_instance is an IPv4 instance, using
1341 # this option will cause the individual interfaces to be
1342 # updated to the greater of their current setting, and
1343 # all.rp_filter, as will default.rp_filter, and all.rp_filter
1344 # will be set to 0.
1345 # The original settings are restored on termination.
1346 use_vmac [<VMAC_INTERFACE>]
1347
1348 # Send/Recv VRRP messages from base interface instead of
1349 # VMAC interface
1350 vmac_xmit_base
1351
1352 # Use IPVLAN interface. keepalived will create a mode L2
1353 # ipvlan interface on top of the specified interface.
1354 # For IPv4 instances, an IP address is required, for IPv6
1355 # the address is optional, in which case the link local
1356 # address will be used.
1357 # The mode flags default to bridge. NOTE: the mode flags must be the
1358 # same for all ipvlans on the same underlying interface.
1359 # It is safer to configure an interface name, in case keepalived crashes
1360 # and restarts, in which case it can more reliably find a previously
1361 # created interface.
1362 use_ipvlan [<INTERFACE_NAME>] [IP_ADDRESS] [bridge|private|vepa]
1363
1364 # force instance to use IPv6 (this option is deprecated since
1365 # the virtual ip addresses determine whether IPv4 or IPv6 is used).
1366 native_ipv6
1367
1368 # Ignore VRRP interface faults (default unset)
1369 dont_track_primary
1370
1371 # optional, monitor these as well.
1372 # go to FAULT state if any of these go down if unweighted.
1373 # When a weight is specified in track_interface, instead of setting the vrrp
1374 # instance to the FAULT state in case of failure, its priority will be
1375 # increased by the weight when the interface is up (for positive weights),
1376 # or decreased by the weight's absolute value when the interface is down
1377 # (for negative weights), unless reverse is specified, in which case the
1378 # direction of adjustment of the priority is reversed.
1379 # The weight must be comprised between -253 and +253 inclusive.
1380 # 0 is the default behaviour which means that a failure implies a
1381 # FAULT state. The common practice is to use positive weights to count a
1382 # limited number of good services so that the server with the highest count
1383 # becomes master. Negative weights are better to count unexpected failures
1384 # among a high number of interfaces, as it will not saturate even with high
1385 number of interfaces. Use reverse to increase priority if an interface is down.
1386 track_interface {
1387 eth0
1388 eth1
1389 eth2 weight <-253..253> [reverse]
1390 ...
1391 }
1392
1393 # add a tracking script to the instance
1394 # (<SCRIPT_NAME> is the name of the vrrp_script entry)
1395 # The same principle as track_interface can be applied to track_script entries,
1396 # except that an unspecified weight means that the default weight declared in
1397 # the script will be used (which itself defaults to 0).
1398 # reverse causes the direction of the adjustment of the priority to be reversed.
1399 track_script {
1400 <SCRIPT_NAME>
1401 <SCRIPT_NAME> weight <-253..253> [reverse|no_reverse]
1402 }
1403
1404 # Files whose state we monitor, value is added to effective priority.
1405 # <STRING> is the name of a track_file
1406 track_file {
1407 <STRING>
1408 <STRING>
1409 <STRING> weight <-254..254> [reverse|noreverse]
1410 ...
1411 }
1412
1413 # Positive weights are added/subtracted when the process is running,
1414 # negative weights are subtracted/added when the process is not running.
1415 # If reverse is specified, the addition/subtraction is reversed.
1416 # <STRING> is the name of a vrrp_track_process
1417 # weight defaults to weight configured in vrrp_track_process
1418 track_process {
1419 <STRING>
1420 <STRING> weight <-254..254> [reverse|noreverse]
1421 ...
1422 }
1423
1424 # BFD instances we monitor, value is added to effective priority,
1425 # unless reverse is specified, when the value is subtracted.
1426 # Positive weights are add/subtracted when the bfd instance is up,
1427 # negative weights are subtracted/added when the bfd instance is down.
1428 # <STRING> is the name of a BFD instance
1429 track_bfd {
1430 <STRING>
1431 <STRING>
1432 <STRING> weight <INTEGER: -253..253> [reverse|noreverse]
1433 ...
1434 }
1435
1436 # default IP for binding vrrpd is the primary IP
1437 # on interface. If you want to hide the location of vrrpd,
1438 # use this IP as src_addr for multicast or unicast vrrp
1439 # packets. (since it's multicast, vrrpd will get the reply
1440 # packet no matter what src_addr is used).
1441 # optional
1442 mcast_src_ip <IPADDR>
1443 unicast_src_ip <IPADDR>
1444
1445 # if the configured src_ip doesn't exist or is removed put the
1446 # instance into fault state
1447 track_src_ip
1448
1449 # VRRP version to run on interface
1450 # default is global parameter vrrp_version, but IPv6 instances will
1451 # always use version 3.
1452 version <2 or 3>
1453
1454 # The following enables checking that, in unicast mode, the source address
1455 # of a VRRP packet is one of our unicast peers; other adverts are discarded.
1456 check_unicast_src
1457
1458 # Do not send VRRP adverts over a VRRP multicast group.
1459 # Instead it sends adverts to the following list of
1460 # ip addresses using unicast. It can be cool to use
1461 # the VRRP FSM and features in a networking
1462 # environment where multicast is not supported!
1463 # IP addresses specified can be IPv4 as well as IPv6.
1464 # If min_ttl and/or max_ttl are specified, the TTL/hop limit
1465 # of any received packet is checked against the specified
1466 # TTL range, and is discarded if it is outside the range.
1467 # Specifying min_ttl or max_ttl turns on check_unicast_src.
1468 unicast_peer {
1469 <IPADDR> [min_ttl {0..255}] [max_ttl {0..255}]
1470 ...
1471 }
1472
1473 # Specify the unicast TTL/HLIM for sending unicast adverts
1474 unicast_ttl {0..255}
1475
1476 # The checksum calculation when using VRRPv3 changed after v1.3.6.
1477 # Setting this flag forces the old checksum algorithm to be used
1478 # to maintain backward compatibility, although keepalived will
1479 # attempt to maintain compatibility anyway if it sees an old
1480 # version checksum. Specifying never will turn off auto detection
1481 # of old checksums. [This option may not be enabled - check output
1482 # of `keepalived -v` for OLD_CHKSUM_COMPAT.]
1483 old_unicast_checksum [never]
1484
1485 # interface specific settings, same as global parameters.
1486 # default to global parameters
1487 garp_master_delay 10
1488 garp_master_repeat 1
1489 garp_lower_prio_delay 10
1490 garp_lower_prio_repeat 1
1491 garp_master_refresh 60
1492 garp_master_refresh_repeat 2
1493
1494 # If a lower priority advert is received, don't send another advert.
1495 # This causes adherence to the RFCs (defaults to global
1496 # vrrp_lower_priority_dont_send_advert).
1497 lower_prio_no_advert [<BOOL>]
1498
1499 # If we are master and receive a higher priority advert, send an advert
1500 # (which will be lower priority than the other master), before we transition
1501 # to backup. This means that if the other master has garp_lower_prio_repeat
1502 # set, it will resend garp messages. This is to get around the problem of
1503 # there having been two simultaneous masters, and the last GARP
1504 # messages seen were from us.
1505 higher_prio_send_advert [<BOOL>]
1506
1507 # arbitrary unique number from 1 to 255
1508 # used to differentiate multiple instances of vrrpd
1509 # running on the same NIC (and hence same socket).
1510 virtual_router_id 51
1511
1512 # for electing MASTER, highest priority wins.
1513 # to be MASTER, make this 50 more than on other machines.
1514 priority 100
1515
1516 # VRRP Advert interval in seconds (e.g. 0.92) (use default)
1517 advert_int 1
1518
1519 # Note: authentication was removed from the VRRPv2 specification by
1520 # RFC3768 in 2004.
1521 # Use of this option is non-compliant and can cause problems; avoid
1522 # using if possible, except when using unicast, where it can be helpful.
1523 authentication {
1524 # PASS|AH
1525 # PASS - Simple password (suggested)
1526 # AH - IPSEC (not recommended)
1527 auth_type PASS
1528
1529 # Password for accessing vrrpd.
1530 # Should be the same on all machines.
1531 # Only the first eight (8) characters are used.
1532 auth_pass 1234
1533 }
1534
1535 # addresses add|del on change to MASTER, to BACKUP.
1536 # With the same entries on other machines,
1537 # the opposite transition will be occurring.
1538 # For virtual_ipaddress, virtual_ipaddress_excluded,
1539 # virtual_routes and virtual_rules most of the options
1540 # match the options of the command ip address/route/rule add.
1541 # The track_group option only applies to static addresses/routes/rules.
1542 # no_track is specific to keepalived and means that the
1543 # vrrp_instance will not transition out of master state
1544 # if the address/route/rule is deleted and the address/route/rule
1545 # will not be reinstated until the vrrp instance next transitions
1546 # to master.
1547 # <LABEL>: is optional and creates a name for the alias.
1548 # For compatibility with "ifconfig", it should
1549 # be of the form <realdev>:<anytext>, for example
1550 # eth0:1 for an alias on eth0.
1551 # <SCOPE>: ("site"|"link"|"host"|"nowhere"|"global")
1552 # preferred_lft is set to 0 to deprecate IPv6 addresses (this is the
1553 # default if the address mask is /128). Use "preferred_lft forever"
1554 # to specify that a /128 address should not be deprecated.
1555 virtual_ipaddress {
1556 <IPADDR>[/<MASK>] [brd <IPADDR>] [dev <STRING>] [scope <SCOPE>]
1557 [label <LABEL>] [peer <IPADDR>] [home]
1558 [-nodad] [mngtmpaddr] [noprefixroute]
1559 [autojoin] [no_track] [preferred_lft nn|forever]
1560 192.168.200.17/24 dev eth1
1561 192.168.200.18/24 dev eth2 label eth2:1
1562 }
1563
1564 # VRRP IPs excluded from VRRP adverts (optional).
1565 # For cases with large numbers (eg 200) of IPs
1566 # on the same interface. To decrease the number
1567 # of addresses sent in adverts, you can exclude
1568 # most IPs from adverts.
1569 # The IPs are add|del as for virtual_ipaddress.
1570 # Can also be used if you want to be able to add
1571 # a mixture of IPv4 and IPv6 addresses, since all
1572 # addresses in virtual_ipaddress must be of the
1573 # same family.
1574 virtual_ipaddress_excluded {
1575 <IPADDR>[/<MASK>] [brd <IPADDR>] [dev <STRING>] [scope <SCOPE>]
1576 [label <LABEL>] [peer <IPADDR>] [home]
1577 [-nodad] [mngtmpaddr] [noprefixroute]
1578 [autojoin] [no_track]
1579 <IPADDR>[/<MASK>] ...
1580 ...
1581 }
1582
1583 # Set the promote_secondaries flag on the interface to stop other
1584 # addresses in the same CIDR being removed when 1 of them is removed
1585 # For example if 10.1.1.2/24 and 10.1.1.3/24 are both configured on an
1586 # interface, and one is removed, unless promote_secondaries is set on
1587 # the interface the other address will also be removed.
1588 promote_secondaries
1589
1590 # routes add|del when changing to MASTER, to BACKUP.
1591 # See static_routes for more details
1592 virtual_routes {
1593 # src <IPADDR> [to] <IPADDR>/<MASK> via|gw <IPADDR>
1594 # [or <IPADDR>] dev <STRING> scope <SCOPE> table <TABLE>
1595 src 192.168.100.1 to 192.168.109.0/24 via 192.168.200.254 dev eth1
1596 192.168.110.0/24 via 192.168.200.254 dev eth1
1597 192.168.111.0/24 dev eth2 no_track
1598 192.168.112.0/24 via 192.168.100.254
1599 192.168.113.0/24 via 192.168.200.254 or 192.168.100.254 dev eth1
1600 blackhole 192.168.114.0/24
1601 0.0.0.0/0 gw 192.168.0.1 table 100 # To set a default gateway into table 100.
1602 }
1603
1604 # rules add|del when changing to MASTER, to BACKUP
1605 # See static_rules for more details
1606 virtual_rules {
1607 from 192.168.2.0/24 table 1
1608 to 192.168.2.0/24 table 1 no_track
1609 }
1610
1611 # VRRPv3 has an Accept Mode to allow the virtual router when not the
1612 # address owner to receive packets addressed to a VIP. This is the default
1613 # setting unless strict mode is set. As an extension, this also works for
1614 # VRRPv2 (RFC 3768 doesn't define an accept mode).
1615 # --
1616 # Accept packets to non address-owner
1617 accept
1618
1619 # Drop packets to non address-owner.
1620 no_accept
1621
1622 # A higher priority VRRP instance will normally preempt a lower priority instance
1623 # when it comes online. "nopreempt" stops the higher priority machine taking
1624 # over the master role, and allows the lower priority machine to remain as
1625 # master.
1626 # NOTE: For this to work, the initial state must not be MASTER.
1627 # --
1628 nopreempt
1629
1630 # for backwards compatibility
1631 preempt
1632
1633 # Seconds after startup or seeing a lower priority master until preemption
1634 # (if not disabled by "nopreempt").
1635 # Range: 0 (default) to 1000 (e.g. 4.12)
1636 # NOTE: For this to work, the initial state must not be MASTER.
1637 preempt_delay 300 # waits 5 minutes
1638
1639 # See description of global vrrp_skip_check_adv_addr, which
1640 # sets the default value. Defaults to vrrp_skip_check_adv_addr
1641 skip_check_adv_addr [on|off|true|false|yes|no]
1642
1643 # See description of global vrrp_strict
1644 # If strict_mode is not specified, it takes the value of vrrp_strict.
1645 # If strict_mode without a parameter is specified, it defaults to on.
1646 strict_mode [on|off|true|false|yes|no]
1647
1648 # Debug level, not implemented yet.
1649 # LEVEL is a number in the range 0 to 4
1650 debug <LEVEL>
1651
1652 # notify scripts, alert as above
1653 notify_master <STRING>|<QUOTED-STRING> [username [groupname]]
1654 notify_backup <STRING>|<QUOTED-STRING> [username [groupname]]
1655 notify_fault <STRING>|<QUOTED-STRING> [username [groupname]]
1656 # executed when stopping vrrp
1657 notify_stop <STRING>|<QUOTED-STRING> [username [groupname]]
1658 notify <STRING>|<QUOTED-STRING> [username [groupname]]
1659
1660 # The notify_master_rx_lower_pri script is executed if a master
1661 # receives an advert with priority lower than the master's priority.
1662 notify_master_rx_lower_pri <STRING>|<QUOTED-STRING> [username [groupname]]
1663
1664 # Send vrrp instance priority notifications on notify FIFOs.
1665 notify_priority_changes <BOOL>
1666
1667 # Send SMTP alerts
1668 smtp_alert <BOOL>
1669
1670 # Set socket receive buffer size (see global_defs
1671 # vrrp_rx_bufs_policy for explanation)
1672 kernel_rx_buf_size
1673
1674 # Set use of linkbeat for the interface of this VRRP instance. This option is
1675 # deprecated - use linkbeat_interfaces block instead.
1676 linkbeat_use_polling
1677 }
1678
1680 contains subblocks of Virtual server group(s) and Virtual server(s)
1681
1682 The subblocks contain arguments for configuring the Linux IPVS (LVS)
1683 feature. Knowledge of ipvsadm(8) will be helpful here. Configuring LVS is
1684 achieved by defining virtual server groups, virtual servers and
1685 optionally SSL configuration. Every virtual server defines a set of real
1686 servers, and healthcheckers can be attached to each real server. Keepalived
1687 will then lead LVS operation by dynamically maintaining the topology.
1688
1689 For details of what configuration combinations are valid, see the
1690 ipvsadm(8) man page.
1691
1692 Note: Where an option can be configured for a virtual server, real
1693 server, and possibly checker, the virtual server setting is the default
1694 for real servers, and the real server setting is the default for
1695 checkers.
1696
1697 Note: Tunnelled real/sorry servers may have an address family different
1698 from that of the virtual server and of the non-tunnelled real/sorry
1699 servers, which all have to be the same. If a virtual server uses a fwmark,
1700 and all the real/sorry servers are tunnelled, the address family of the
1701 virtual server will be the same as the address family of the real/sorry
1702 servers if they are all the same; otherwise it will default to IPv4 (use
1703 ip_family inet6 to override this).
1704
1705 Note: The port for the virtual server can only be omitted if the
1706 virtual service is persistent.
1707
1709 This feature offers a way to simplify your configuration by factoring out
1710 virtual server definitions. If you need to define a number of virtual
1711 servers with exactly the same real server topology, this feature will
1712 make your configuration much more readable and will optimize the
1713 healthchecking task: only one healthchecker is spawned per real server,
1714 whereas multiple virtual server declarations would each spawn a dedicated
1715 healthchecker for every real server, wasting system resources.
1716
1717 Any combination of IP addresses, IP address ranges and firewall marks
1718 can be used, provided that the family of the IP addresses of the virtual
1719 server group matches the IP address family of all the real servers
1720 of any virtual server using the virtual server group. The one exception
1721 to this is that the virtual server group can be configured with both
1722 IPv4 and IPv6 addresses and fwmarks provided that all the real servers
1723 (and sorry servers) of all virtual servers using the virtual server
1724 group use tunnel forwarding; if fwmarks are specified in this case, the
1725 address family must be specified. Use of this option is intended for
1726 very large LVSs.
1727
1728 The syntax for virtual_server_group is:
1729
1730 virtual_server_group <STRING> {
1731 # Virtual IP Address and Port
1732 <IPADDR> [<PORT>]
1733 <IPADDR> [<PORT>]
1734 ...
1735 # <IPADDR RANGE> has the form
1736 # XXX.YYY.ZZZ.WWW-VVV eg 192.168.200.1-10
1737 # range includes both .1 and .10 address
1738 <IPADDR RANGE> [<PORT>] # VIP range [VPORT]
1739 <IPADDR RANGE> [<PORT>]
1740 ...
1741 # Firewall Mark (fwmark)
1742 # inet/inet6 should only be specified for virtual server groups
1743 # where all real servers of the virtual servers are tunnelled.
1744 fwmark <INTEGER>
1745 fwmark <INTEGER> [inet|inet6]
1746 ...
1747 }
1748
1750 A virtual_server can be a declaration of one of <IPADDR> [<PORT>],
1751 fwmark <INTEGER> or group <STRING>.
1752
1753 The syntax for virtual_server is:
1754
1755 virtual_server <IPADDR> [<PORT>] |
1756 virtual_server fwmark <INTEGER> |
1757 virtual_server group <STRING> {
1758 # LVS scheduler
1759 lvs_sched rr|wrr|lc|wlc|lblc|sh|mh|dh|fo|ovf|lblcr|sed|nq
1760
1761 # Enable flag-1 for scheduler (-b flag-1 in ipvsadm)
1762 flag-1
1763 # Enable flag-2 for scheduler (-b flag-2 in ipvsadm)
1764 flag-2
1765 # Enable flag-3 for scheduler (-b flag-3 in ipvsadm)
1766 flag-3
1767 # Enable sh-port for sh scheduler (-b sh-port in ipvsadm)
1768 sh-port
1769 # Enable sh-fallback for sh scheduler (-b sh-fallback in ipvsadm)
1770 sh-fallback
1771 # Enable mh-port for mh scheduler (-b mh-port in ipvsadm)
1772 mh-port
1773 # Enable mh-fallback for mh scheduler (-b mh-fallback in ipvsadm)
1774 mh-fallback
1775 # Enable One-Packet-Scheduling for UDP (-O in ipvsadm)
1776 ops
1777
1778 # Override default LVS forwarding method (default is NAT).
1779 # Default tunnel type is ipip. Since Linux 5.2 the GUE tunnel type can
1780 # be specified. If using GUE, a port number is required. Since Linux 5.3
1781 # if the tunnel type is GUE, the checksum option can also be specified.
1782 # Since Linux 5.3, GRE tunnel type is also supported, but without the
1783 # remcsum option.
1784 lvs_method NAT|DR
1785 or
1786 lvs_method TUN [type {ipip|gue port NUM|gre} [nocsum|csum|remcsum]]
1787 # LVS persistence engine name (currently only sip supported)
1788 persistence_engine <STRING>
1789 # LVS persistence timeout in seconds, default 6 minutes
1790 persistence_timeout [<INTEGER>]
1791 # LVS granularity mask (-M in ipvsadm)
1792 persistence_granularity <NETMASK>
1793 # L4 protocol
1794 protocol TCP|UDP|SCTP
1795 # If VS IP address is not set,
1796 # suspend healthchecker's activity
1797 ha_suspend
1798
1799 # Send email notification during quorum up/down transition,
1800 # using addresses in global_defs above (default no,
1801 # unless global smtp_alert/smtp_alert_checker set)
1802 smtp_alert <BOOL>
1803
1804 # Default VirtualHost string for HTTP_GET or SSL_GET
1805 # eg virtualhost www.firewall.loc
1806 # Overridden by virtualhost config of real server or checker
1807 virtualhost <STRING>
1808
1809 # On daemon startup assume that all RSs are down
1810 # and healthchecks failed. This helps to prevent
1811 # false positives on startup. Alpha mode is
1812 # disabled by default.
1813 alpha
1814
1815 # On daemon shutdown consider quorum and RS
1816 # down notifiers for execution, where appropriate.
1817 # Omega mode is disabled by default.
1818 omega
1819
1820 # Minimum total weight of all live servers in
1821 # the pool necessary to operate VS with no
1822 # quality regression. Defaults to 1.
1823 quorum <INTEGER>
1824
1825 # Tolerate this much weight units compared to the
1826 # nominal quorum, when considering quorum gain
1827 # or loss. A flap dampener. Defaults to 0.
1828 hysteresis <INTEGER>
1829
1830 # Script to execute when quorum is gained.
1831 quorum_up <STRING>|<QUOTED-STRING> [username [groupname]]
1832
1833 # Script to execute when quorum is lost.
1834 quorum_down <STRING>|<QUOTED-STRING> [username [groupname]]
1835
1836 # IP family for a fwmark service (only needed if all real servers are tunnelled
1837 # and persistence_granularity is not specified). Defaults to inet if not specified.
1838 ip_family inet|inet6
1839
1840 # setup realserver(s)
1841
1842 # RS to add to LVS topology when the quorum isn't achieved.
1843 # If a sorry server is configured, all real servers will
1844 # be brought down when the quorum is not achieved and be
1845 # replaced with the sorry server.
1846 sorry_server <IPADDR> [<PORT>]
1847 # applies inhibit_on_failure behaviour to the sorry_server
1848 sorry_server_inhibit
1849 # Sorry server LVS forwarding method. Default is the virtual
1850 # server's default.
1851 # For details of tunnel type, see virtual_server details.
1852 sorry_server_lvs_method NAT|DR
1853 or
1854 sorry_server_lvs_method TUN [type {ipip|gue port NUM|gre} [nocsum|csum|remcsum]]
1855
1856 # Optional connection timeout in seconds.
1857 # The default is 5 seconds
1858 connect_timeout <TIMER>
1859
1860 # Retry count to make additional checks if check
1861 # of an alive server fails. Default: 1 unless specified below
1862 retry <INTEGER>
1863
1864 # delay before retry after failure. Defaults to delay_loop for DNS_CHECK,
1865 # 3 seconds for HTTP_CHECK and SSL_CHECK, and 1 second otherwise.
1866 delay_before_retry <TIMER>
1867
1868 # Optional random delay to start the initial check
1869 # for maximum N seconds.
1870 # Useful to scatter multiple simultaneous
1871 # checks to the same RS. Enabled by default, with
1872 # the maximum at delay_loop. Specify 0 to disable
1873 warmup <TIMER>
1874
1875 # delay timer for checker polling (60 seconds if not specified)
1876 delay_loop <TIMER>
1877
1878 # Set weight to 0 when healthchecker detects failure
1879 inhibit_on_failure
1880
1881 # one entry for each realserver
1882 real_server <IPADDR> [<PORT>] {
1883 # relative weight to use, default: 1
1884 weight <INTEGER>
1885 # LVS forwarding method
1886 # For details of tunnel type, see virtual_server details. The default
1887 # setting is taken from the virtual_server's setting.
1888 lvs_method NAT|DR
1889 or
1890 lvs_method TUN [type {ipip|gue port NUM|gre} [nocsum|csum|remcsum]]
1891
1892 # Script to execute when healthchecker
1893 # considers service as up.
1894 notify_up <STRING>|<QUOTED-STRING> [username [groupname]]
1895 # Script to execute when healthchecker
1896 # considers service as down.
1897 notify_down <STRING>|<QUOTED-STRING> [username [groupname]]
1898
1899 # maximum number of connections to server
1900 uthreshold <INTEGER>
1901 # minimum number of connections to server
1902 lthreshold <INTEGER>
1903
1904 # Send email notification during state transition,
1905 # using addresses in global_defs above (default yes,
1906 # unless global smtp_alert/smtp_alert_checker set)
1907 smtp_alert <BOOL>
1908
1909 # Default VirtualHost string for HTTP_GET or SSL_GET
1910 # eg virtualhost www.firewall.loc
1911 # Overridden by virtualhost config of a checker
1912 virtualhost <STRING>
1913
1914 alpha <BOOL> # see above
1915 connect_timeout <TIMER> # see above
1916 retry <INTEGER> # see above
1917 delay_before_retry <TIMER> # see above
1918 warmup <TIMER> # see above
1919 delay_loop <TIMER> # see above
1920 inhibit_on_failure <BOOL> # see above
1921
1922 # healthcheckers. Can be multiple of each type
1923 # HTTP_GET|SSL_GET|TCP_CHECK|SMTP_CHECK|DNS_CHECK|MISC_CHECK|BFD_CHECK|UDP_CHECK|PING_CHECK|FILE_CHECK
1924
1925 # All checkers have the following options, except MISC_CHECK which only
1926 # has options alpha onwards, and BFD_CHECK and FILE_CHECK which have none
1927 # of the standard options:
1928 CHECKER_TYPE {
1929 # ======== generic connection options
1930 # Optional IP address to connect to.
1931 # The default is the realserver IP
1932 connect_ip <IPADDR>
1933
1934 # Optional port to connect to
1935 # The default is the realserver port
1936 connect_port <PORT>
1937
1938 # Optional address to use to
1939 # originate the connection
1940 bindto <IPADDR>
1941
1942 # Optional interface to use; needed if
1943 # the bindto address is IPv6 link local
1944 bind_if <IFNAME>
1945
1946 # Optional source port to
1947 # originate the connection from
1948 bind_port <PORT>
1949
1950 # Optional fwmark to mark all outgoing
1951 # checker packets with
1952 fwmark <INTEGER>
1953
1954 alpha <BOOL> # see above
1955 connect_timeout <TIMER> # see above
1956 retry <INTEGER> # see above
1957 delay_before_retry <TIMER> # see above
1958 warmup <TIMER> # see above
1959 delay_loop <TIMER> # see above
1960 log_all_failures <BOOL> # log all failures when checker up
1961 }
1962
1963 # The following options are additional checker specific
1964
1965 # HTTP and SSL healthcheckers
1966 HTTP_GET|SSL_GET {
1967 # HTTP protocol version, one of 1.0, 1.0C, 1.1
1968 # Protocol version 1.0C means version 1.0 with the addition
1969 # of a "Connection: close" line, which is included in
1970 # version 1.1 by default.
1971 http_protocol <PROTOCOL>
1972 # When alpha mode is set, or when recovering from a failure,
1973 # each URL is checked, with a delay of <delay_loop> between
1974 # each check. If there were 20 URLs, and the <delay_loop> were
1975 # 3 seconds, it would take 1 minute before the RS would come up
1976 # following startup, or recovery from a failure. Setting
1977 # fast_recovery removes the delay, both at start up and after
1978 # recovery from a failure, meaning that the RS will come up
1979 # once all the URLs have been checked, with no delay between
1980 # checking each URL.
1981 fast_recovery [<BOOL>]
1982 # A URL to test
1983 # can have multiple entries here
1984 url {
1985 #eg path / , or path /mrtg2/
1986 path <STRING>
1987 # healthcheck needs digest
1988 # or status_code and digest
1989 # Digest computed with genhash
1990 # eg digest 9b3a0c85a887a256d6939da88aabd8cd
1991 digest <STRING>
1992 # status code returned in the HTTP header
1993 # eg status_code 200 or status_code 200-299 400-499 503 505
1994 # Default is 200-299
1995 status_code <INTEGER|RANGE> [<INTEGER|RANGE>] ...
1996 # VirtualHost string. eg virtualhost www.firewall.loc
1997 # If not set, uses virtualhost from real or virtual server
1998 virtualhost <STRING>
1999 # Regular expression to search returned data against.
2000 # A failure to match causes the check to fail.
2001 regex <STRING>
2002 # Reverse the sense of the match, so a match of the
2003 # returned text causes the check to fail.
2004 regex_no_match
2005 # Space separated list of options for regex.
2006 # See man pcre2api for a description of the options.
2007 # The following options are supported:
2008 # allow_empty_class alt_bsux auto_callout caseless
2009 # dollar_endonly dotall dupnames extended firstline
2010 # match_unset_backref multiline never_ucp never_utf
2011 # no_auto_capture no_auto_possess no_dotstar_anchor
2012 # no_start_optimize ucp ungreedy utf never_backslash_c
2013 # alt_circumflex alt_verbnames use_offset_limit
2014 regex_options <OPTIONS>
2015 # For complicated regular expressions a larger stack
2016 # may be needed, and this allows the start and maximum
2017 # sizes in bytes to be specified. For more details see
2018 # the documentation for pcre2_jit_stack_create()
2019 regex_stack <START> <MAX>
2020 # The minimum offset into the returned data to start
2021 # checking for the regex pattern match. This can save
2022 # processing time if the returned data is large.
2023 regex_min_offset <OFFSET>
2024 # The maximum offset into the returned data for the
2025 # start of the subject match.
2026 regex_max_offset <OFFSET>
2027 }
2028 }
2029
2030 SSL_GET {
2031 # when provided, send Server Name Indicator during SSL handshake
2032 enable_sni
2033 }
2034
2035 # TCP healthchecker
2036 TCP_CHECK {
2037 # No additional options
2038 }
2039
2040 # SMTP healthchecker
2041 SMTP_CHECK {
2042 # Optional string to use for the SMTP HELO request
2043 helo_name <STRING>|<QUOTED-STRING>
2044 }
2045
2046 # DNS healthchecker. Uses UDP protocol.
2047 DNS_CHECK {
2048 # The retry default is 3.
2049
2050 # DNS query type
2051 # A|NS|CNAME|SOA|MX|TXT|AAAA
2052 # The default is SOA
2053 type <STRING>
2054
2055 # Domain name to use for the DNS query
2056 # The default is . (dot)
2057 name <STRING>
2058 }
2059
2060 # MISC healthchecker, run a program
2061 MISC_CHECK {
2062 # The retry default is 0.
2063
2064 # External script or program
2065 misc_path <STRING>|<QUOTED-STRING>
2066 # Script execution timeout
2067 misc_timeout <INTEGER>
2068
2069 # If set, the exit code from healthchecker is used
2070 # to dynamically adjust the weight as follows:
2071 # exit status 0: svc check success, weight
2072 # unchanged.
2073 # exit status 1: svc check failed.
2074 # exit status 2-255: svc check success, weight
2075 # changed to 2 less than exit status.
2076 # (for example: exit status of 255 would set
2077 # weight to 253)
2078 # NOTE: do not have more than one dynamic MISC_CHECK per real_server.
2079 misc_dynamic
2080
2081 # Specify the username/groupname that the script should
2082 # be run under.
2083 # If GROUPNAME is not specified, the group of the user
2084 # is used
2085 user USERNAME [GROUPNAME]
2086 }
2087
2088 # BFD instance name to check
2089 BFD_CHECK {
2090 name <STRING>
2091 }
2092
2093 # PING healthchecker
2094 # Note: using this checker may cause /proc/sys/net/ipv4/ping_group_range to be
2095 # updated to allow root to use an IPPROTO_ICMP socket.
2096 PING_CHECK {
2097 # No additional options
2098 }
2099
2100 # UDP healthchecker
2101 # Note: for this checker to work properly, it relies on ICMP error messages such as
2102 # HOST_UNREACH, NET_UNREACH, PORT_UNREACH. HOST_UNREACH relies on ARP requests
2103 # timing out, and so connect_timeout should be long enough to allow for this (e.g.
2104 # at least 4 seconds).
2105 # It may be that you will want to use PING_CHECK to the same server as well.
2106 UDP_CHECK {
2107 require_reply # Require a reply packet for check to be successful
2108 }
2109
2110 # File checker
2111 # This reads and monitors the contents of a file, where STRING is the name specified
2112 # in the track_file configuration block (see above).
2113 # NOTE: weights for track_file for real servers are not fully implemented yet. In
2114 # particular allowing weight 0, handling negative calculated values and reloading.
2115 FILE_CHECK {
2116 track_file <STRING>
2117
2118 # If dynamic is set, the value from the file is used
2119 # to dynamically adjust the weight by adding the weight
2120 # to the quorum and the LVS weight
2121 dynamic
2122
2123 # The weight multiplier to apply to the value read from the file
2124 weight <-2147483647..2147483647> [reverse]
2125 }
2126 }
2127 }
2128
2129 # Parameters used for SSL_GET check.
2130 # If none of the parameters are specified, the SSL context
2131 # will be auto generated.
2132 SSL {
2133 # Password
2134 password <STRING>
2135 # CA file
2136 ca <STRING>
2137 # Certificate file
2138 certificate <STRING>
2139 # Key file
2140 key <STRING>
2141 }
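
Added example, not keepalived's own code: a Python MISC_CHECK script built around the misc_dynamic exit-status rules above (0 means success with the weight unchanged, 1 means failure, 2 to 255 means success with the weight set to the status minus 2), together with the quorum and hysteresis rule of the virtual server, so both can be traced on constructed values. The configuration in the docstring, the script path, the latency budget and the latency-to-weight mapping are my own choices, and QuorumTracker encodes my reading of the quorum and hysteresis descriptions (up once the live weight reaches quorum + hysteresis, down only when it falls below quorum - hysteresis).

```python
"""Added example (not keepalived's own code): a misc_dynamic MISC_CHECK script
plus the quorum/hysteresis rule it feeds.  Constructed configuration it is
written for (hypothetical addresses and path):

    virtual_server 10.0.0.4 80 {
        quorum 2
        hysteresis 1
        real_server 192.168.0.10 80 {
            weight 1
            inhibit_on_failure
            MISC_CHECK {
                misc_path "/usr/local/sbin/latency_weight.py 192.168.0.10 80"
                misc_timeout 3
                misc_dynamic
            }
        }
    }
"""
import socket
import sys
import time

# misc_dynamic exit-status encoding, as documented for MISC_CHECK:
#   0      : check succeeded, weight unchanged
#   1      : check failed
#   2..255 : check succeeded, weight := status - 2   (weights 0..253)


def exit_status_for(healthy, weight=None):
    """Exit status a misc_dynamic script should return for this result."""
    if not healthy:
        return 1
    if weight is None:
        return 0
    return 2 + max(0, min(253, weight))   # clamp to the encodable range


def weight_from_exit_status(status, current_weight):
    """Keepalived's view of the status: (alive, new_weight).  Anything outside
    0..255 is treated here as a failure (assumption, e.g. a killed script)."""
    if status == 0:
        return True, current_weight
    if 2 <= status <= 255:
        return True, status - 2
    return False, current_weight


def tcp_connect_latency(host, port, timeout=1.0):
    """Seconds to complete a TCP handshake with the real server, or None."""
    t0 = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return time.monotonic() - t0
    except OSError:
        return None


def latency_to_weight(latency_s, max_weight=100, budget_s=0.5):
    """Linear map: 0 s -> max_weight, >= budget_s -> 1.  Never returns 0, so a
    slow but live server stays in the pool; weight 0 is what
    inhibit_on_failure is for."""
    frac = min(latency_s, budget_s) / budget_s
    return max(1, round(max_weight * (1.0 - frac)))


class QuorumTracker:
    """Virtual server quorum with hysteresis (my reading of the text): the VS
    goes up when the summed weight of live real servers reaches
    quorum + hysteresis and goes down only when it drops below
    quorum - hysteresis; in between, the previous state is kept."""

    def __init__(self, quorum=1, hysteresis=0):
        self.quorum, self.hysteresis, self.up = quorum, hysteresis, False

    def update(self, live_weights):
        total = sum(live_weights)
        if not self.up and total >= self.quorum + self.hysteresis:
            self.up = True
        elif self.up and total < self.quorum - self.hysteresis:
            self.up = False
        return self.up


def main(argv):
    """Usage: latency_weight.py HOST PORT  (exit status carries the result)."""
    host, port = argv[1], int(argv[2])
    latency = tcp_connect_latency(host, port, timeout=2.0)
    if latency is None:
        return exit_status_for(False)
    return exit_status_for(True, latency_to_weight(latency))


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Use it as the misc_path of a single MISC_CHECK per real_server (the text above warns against more than one dynamic MISC_CHECK on the same real_server), and keep misc_timeout above the script's connect timeout so the script reports its own result instead of being killed before it can.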
2142
2144 The configuration parser has been extended to support advanced features
2145 such as conditional configuration and parameter substitution. These
2146 features are very useful for any scripted environment where
2147 configuration templates are generated (datacenters).
2148
2150 The config-id defaults to the first part of the node name as returned
2151 by uname, and can be overridden with the -i or --config-id command line
2152 option.
2153
2154 Any configuration line starting with '@' is a conditional configuration
2155 line. The word immediately following (i.e. without any space) the '@'
2156 character is compared against the config-id, and if they don't match,
2157 the configuration line is ignored.
2158
2159 Alternatively, '@^' is a negative comparison, so if the word
2160 immediately following does NOT match the config-id, the configuration
2161 line IS included.
2162
2163 The purpose of this is to allow a single configuration file to be used
2164 for multiple systems, where the only differences are likely to be the
2165 router_id, vrrp instance priorities, and possibly interface names and
2166 unicast addresses.
2167
2168 For example:
2169
2170 global_defs {
2171 @main router_id main_router
2172 @backup router_id backup_router
2173 }
2174 ...
2175 vrrp_instance VRRP {
2176 ...
2177 @main unicast_src_ip 1.2.3.4
2178 @backup unicast_src_ip 1.2.3.5
2179 @backup2 unicast_src_ip 1.2.3.6
2180 unicast_peer {
2181 @^main 1.2.3.4
2182 @^backup 1.2.3.5
2183 @^backup2 1.2.3.6
2184 }
2185 ...
2186 }
2187
2188 If keepalived is invoked with -i main, then the router_id will be set
2189 to main_router; if invoked with -i backup, then backup_router; if not
2190 invoked with -i, or with -i anything else, then the router_id will not
2191 be set. The unicast peers for main will be 1.2.3.5 and 1.2.3.6.
2192
2194 Substitutable parameters can be specified. The format for defining a
2195 parameter is:
2196
2197 $PARAMETER=VALUE
2198
2199 where there must be no space before the '=' and only whitespace may
2200 precede the '$'. Empty values are allowed.
2201
2202 Parameter names can be made up of any combination of A-Za-z0-9 and _,
2203 but cannot start with a digit. Parameter names starting with an
2204 underscore should be considered reserved names that keepalived will
2205 define for various pre-defined options.
2206
2207 After a parameter is defined, any occurrence of $PARAMETER followed by
2208 whitespace, or any occurrence of ${PARAMETER} (which need not be
2209 followed by whitespace) will be replaced by VALUE.
2210
2211 Replacement is recursive, so that if a parameter value itself includes
2212 a replaceable parameter, then after the first substitution, the
2213 parameter in the value will then be replaced; the substitution is done
2214 at replacement time and not at definition time, so for example:
2215
2216 $ADDRESS_BASE=10.2.${ADDRESS_BASE_SUB}
2217 $ADDRESS_BASE_SUB=0
2218 ${ADDRESS_BASE}.100/32
2219 $ADDRESS_BASE_SUB=10
2220 ${ADDRESS_BASE}.100/32
2221
2222 will produce:
2223 10.2.0.100/32
2224 10.2.10.100/32
2225
2226 Note in the above examples the use of both ADDRESS_BASE and
2227 ADDRESS_BASE_SUB required braces ({}) since the parameters were not
2228 followed by whitespace (after the first substitution which produced
2229 10.2.${ADDRESS_BASE_SUB}.100/32 the parameter is still not followed by
2230 whitespace).
2231
2232 If a parameter is not defined, it will not be replaced at all, so for
2233 example ${UNDEF_PARAMETER} will remain in the configuration if it is
2234 undefined; this means that existing configuration that contains a '$'
2235 character (for example in a script definition) will not be changed so
2236 long as no new parameter definitions are added to the configuration.
2237
2238 Parameter substitution works in conjunction with conditional
2239 configuration. For example:
2240
2241 @main $PRIORITY=240
2242 @backup $PRIORITY=200
2243 ...
2244 vrrp_instance VI_0 {
2245 priority $PRIORITY
2246 }
2247
2248 will produce:
2249 ...
2250 vrrp_instance VI_0 {
2251 priority 240
2252 }
2253 if the config_id is main.
2254
2255 $IF_MAIN=@main
2256 $IF_MAIN priority 240
2257
2258 will produce:
2259 priority 240
2260 if the config_id is main and nothing if the config_id is not main,
2261 although why anyone would want to use this rather than simply the
2262 following is not known (but still possible):
2263 @main priority 240
2264
2265 Multiline definitions are also supported, but when used there must be
2266 nothing on the line after the parameter name. A multiline definition is
2267 specified by ending each line except the last with a '\' character.
2268
2269 Example:
2270 $INSTANCE= \
2271 vrrp_instance VI_${NUM} { \
2272 interface eth0.${NUM} \
2273 use_vmac vrrp${NUM}.1 \
2274 virtual_router_id 1 \
2275 @high priority 130 \
2276 @low priority 120 \
2277 advert_int 1 \
2278 virtual_ipaddress { \
2279 10.0.${NUM}.254/24 \
2280 } \
2281 track_script { \
2282 offset_instance_${NUM} \
2283 } \
2284 }
2285
2286 $NUM=0
2287 $INSTANCE
2288
2289 $NUM=1
2290 $INSTANCE
2291
2292 The use of multiline definitions can be nested.
2293
2294 Example:
2295 $RS= \
2296 real_server 192.168.${VS_NUM}.${RS_NUM} 80 { \
2297 weight 1 \
2298 inhibit_on_failure \
2299 smtp_alert \
2300 MISC_CHECK { \
2301 misc_path "${_PWD}/scripts/vs.sh RS_misc.${INST}.${VS_NUM}.${RS_NUM}.0 10.0.${VS_NUM}.4:80->192.168.${VS_NUM}.${RS_NUM}:80" \
2302 } \
2303
2304 MISC_CHECK { \
2305 misc_path "${_PWD}/scripts/vs.sh RS_misc.${INST}.${VS_NUM}.${RS_NUM}.1 10.0.${VS_NUM}.4:80->192.168.${VS_NUM}.${RS_NUM}:80" \
2306 } \
2307
2308 notify_up "${_PWD}/scripts/notify.sh RS_notify.${INST}.${VS_NUM}.${RS_NUM} UP 10.0.${VS_NUM}.4:80->192.168.${VS_NUM}.${RS_NUM}:80" \
2309
2310 notify_down "${_PWD}/scripts/notify.sh RS_notify.${INST}.${VS_NUM}.${RS_NUM} DOWN 10.0.${VS_NUM}.4:80->192.168.${VS_NUM}.${RS_NUM}:80" \
2311
2312 }
2313
2314 $VS= \
2315 virtual_server 10.0.${VS_NUM}.4 80 { \
2316 quorum 2 \
2317 quorum_up "${_PWD}/scripts/notify.sh VS_notify.${INST} UP 10.0.${VS_NUM}.4:80" \
2318 quorum_down "${_PWD}/scripts/notify.sh VS_notify.${INST} DOWN 10.0.${VS_NUM}.4:80" \
2319 $RS_NUM=1 \
2320 $RS \
2321 $RS_NUM=2 \
2322 $RS \
2323 $RS_NUM=3 \
2324 $RS \
2325 }
2326
2327 $VS_NUM=0
2328 $ALPHA=alpha
2329 $VS
2330
2331 $VS_NUM=1
2332 $ALPHA=
2333 $VS
2334
2335 The above will create 2 virtual servers, each with 3 real servers.
2336
2338 The following pre-defined definitions are defined:
2339
2340 ${_PWD} : The directory of the current configuration file (this can be
2341 changed if using the include directive).
2342 ${_INSTANCE} : The instance name (as defined by the -i option, defaults
2343 to hostname).
2344 ${_RANDOM [MIN [MAX]]} : This is replaced by a random integer in the
2345 range [MIN, MAX], where MIN and MAX are optional non-negative integers.
2346 Defaults are MIN=0 and MAX=32767.
2347 ${_HASH} : This is replaced by a '#' character, which would otherwise
2348 start a comment.
2349 ${_BANG} : This is replaced by a '!' character, which would otherwise
2350 start a comment.
2351
2352 Additional pre-defined definitions will be added as their need is identified.
2353 It will normally be quite straightforward to add additional
2354 pre-defined definitions, so if you need one, or have a good idea for
2355 one, then raise an issue at
2356 https://github.com/acassen/keepalived/issues requesting it.
2357
2359 A line starting ~SEQ(var, start, step, end) will cause the remainder of
2360 the line to be processed multiple times, with the variable $var set
2361 initially to start, and then $var will be incremented by step repeatedly,
2362 terminating once it has gone past end. step may be omitted, in
2363 which case it defaults to 1 or -1, depending on whether end is greater
2364 or less than start. start may also be omitted, in which case it
2365 defaults to 1 if end > 0 or -1 if end < 0. ~SEQx(...) is the same as
2366 ~SEQ(...), except that the variable $var will be formatted in hexadecimal,
2367 which is useful for IPv6 addresses.
2368
2369 Note: At the moment it is necessary to use different variables for the
2370 ~SEQ block from any previously defined variable, including one used as
2371 the variable in a previous ~SEQ block. This may change in the future,
2372 so do not rely on a ~SEQ block variable being defined after the end of
2373 the block.
2374
2375 Examples:
2376
2377 ~SEQ(SUBNET, 0, 3) ip_address 10.0.${SUBNET}.1
2378
2379 would produce:
2380 ip_address 10.0.0.1
2381 ip_address 10.0.1.1
2382 ip_address 10.0.2.1
2383 ip_address 10.0.3.1
2384
2385 and
2386 ~SEQx(SUBNET, 144, 16, 192) ip_address fe80::20:${SUBNET}:1
2387 or better
2388 ~SEQx(SUBNET, 0x90, 0x10, 0xc0) ip_address fe80::20:${SUBNET}:1
2389
2390 would produce:
2391 ip_address fe80::20:90:1
2392 ip_address fe80::20:a0:1
2393 ip_address fe80::20:b0:1
2394 ip_address fe80::20:c0:1
2395
2396 Another example:
2397
2398 virtual_ipaddress {
2399 ~SEQx(AD2, 0x90, 0x10, 0xc0) ~SEQx(AD1, 0x12, -1, 0x0c) fe81::10:${AD2}:${AD1}
2400 }
2401
2402 There can be multiple ~SEQ elements on a line, so for example:
2403
2404 $VI4= \
2405 track_file offset_instance_4.${IF}.${NUM}.${ID} { \
2406 file "${_PWD}/679/track_files/4.${IF}.${NUM}.${ID}" \
2407 weight -100 \
2408 } \
2409 vrrp_instance vrrp4.${IF}.${NUM}.${ID} { \
2410 interface bond${IF}.${NUM} \
2411 use_vmac vrrp4.${IF}.${NUM}.${ID} \
2412 virtual_router_id ${ID} \
2413 priority 130 \
2414 virtual_ipaddress { \
2415 10.${IF}.${NUM}.${ID}/24 \
2416 } \
2417 track_file { \
2418 offset_instance_4.${IF}.${NUM}.${ID} \
2419 } \
2420 }
2421
2422 ~SEQ(IF,0,7) ~SEQ(NUM,0,31) ~SEQ(ID,1,254) $VI4
2423
2424 will produce 65024 vrrp instances with names from vrrp4.0.0.1 through to
2425 vrrp4.7.31.254.
2426
2428 List blocks are similar to sequence blocks, except that the values to
2429 substitute into the variable are listed in the ~LST specification.
2430
2431 A line starting ~LST(var, val1, val2, val3) will cause the remainder of
2432 the line to be processed multiple times, with the variable $var set
2433 initially to val1, and then val2, and finally val3. Any number of values
2434 can be specified, as long as at least one value is (although only
2435 one value would be pointless).
2436
2437 If it is desired to substitute more than one variable at a time, the
2438 variables and values need to be enclosed in {...} blocks. For example:
2439
2440 ~LST({IP, IP1}, {10,1},{20,4},{5,6},{12,8}) 192.168.${IP}.${IP1}
2441
2442 would first set IP=10 and IP1=1, then IP=20 and IP1=4, etc., and
2443 produces:
2444
2445 192.168.10.1
2446 192.168.20.4
2447 192.168.5.6
2448 192.168.12.8
2449
2450 List blocks can be nested, so:
2451
2452 ~LST(IP, 1, 2, 3, 4) ~LST(IP1, 5,6,7) 192.169.${IP}.${IP1}
2453
2454 produces:
2455 192.169.1.5
2456 192.169.1.6
2457 192.169.1.7
2458 192.169.2.5
2459 192.169.2.6
2460 192.169.2.7
2461 192.169.3.5
2462 192.169.3.6
2463 192.169.3.7
2464 192.169.4.5
2465 192.169.4.6
2466 192.169.4.7
2467
2468 Finally, list blocks and sequence blocks can be combined, so:
2469
2470 ~LST({IP, IP1}, {10,1},{20,4},{5,6},{12,8}) ~SEQ(IP2,168,2,172)
2471 192.${IP2}.${IP}.${IP1}
2472
2473 produces:
2474
2475 192.168.10.1
2476 192.170.10.1
2477 192.172.10.1
2478 192.168.20.4
2479 192.170.20.4
2480 192.172.20.4
2481 192.168.5.6
2482 192.170.5.6
2483 192.172.5.6
2484 192.168.12.8
2485 192.170.12.8
2486 192.172.12.8
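As an added example (not part of the keepalived manual or its code), the following Python expander implements the ~SEQ, ~SEQx and ~LST rules from the sequence block and list block descriptions above: optional start and step, hexadecimal output for ~SEQx, {...}-grouped list variables, and leftmost-prefix-outermost nesting. Names such as expand_line are this example's own; it reproduces the 65024-instance count and the nested and combined expansions shown in the manual.

```python
import re
from itertools import product

# Added example, not keepalived's own code: a minimal expander for the ~SEQ,
# ~SEQx and ~LST line prefixes described on this page. It substitutes ${VAR}
# in the rest of the line, with the leftmost prefix as the outermost loop,
# which matches the orderings shown in the manual's examples.

PREFIX = re.compile(r'^\s*~(SEQx?|LST)\((.*?)\)\s*')

def _seq(spec, hexfmt):
    # ~SEQ(var[, start][, step], end); int(x, 0) also accepts 0x.. literals
    var, *nums = (s.strip() for s in spec.split(','))
    nums = [int(n, 0) for n in nums]
    if len(nums) == 1:                       # only end given
        end, step = nums[0], None
        start = 1 if end > 0 else -1
    elif len(nums) == 2:                     # start and end, step implied
        (start, end), step = nums, None
    else:
        start, step, end = nums
    if step is None:
        step = 1 if end >= start else -1
    vals, v = [], start
    while (v <= end) if step > 0 else (v >= end):
        vals.append(format(v, 'x') if hexfmt else str(v))
        v += step
    return (var,), [(x,) for x in vals]

def _lst(spec):
    # ~LST(var, v1, v2, ...) or ~LST({var1, var2}, {a, b}, {c, d}, ...)
    groups = re.findall(r'\{([^}]*)\}', spec)
    items = ([tuple(x.strip() for x in g.split(',')) for g in groups] if groups
             else [(x.strip(),) for x in spec.split(',')])
    return items[0], items[1:]

def expand_line(line):
    """Return the list of lines one ~SEQ/~LST-prefixed line expands to."""
    loops = []                               # [(var names, [value tuples]), ...]
    while (m := PREFIX.match(line)):
        kind, spec = m.groups()
        loops.append(_lst(spec) if kind == 'LST' else _seq(spec, kind == 'SEQx'))
        line = line[m.end():]
    out = []                                 # no prefixes: product() yields one ()
    for combo in product(*(vals for _, vals in loops)):
        env = {}
        for (names, _), values in zip(loops, combo):
            env.update(zip(names, values))
        out.append(re.sub(r'\$\{(\w+)\}', lambda r: env.get(r.group(1), r.group(0)), line))
    return out
```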
2487
2489 It has been identified that if proxy_arp and proxy_arp_pvlan are
2490 enabled on an interface that has VIPs or eVIPs configured on it, it can
2491 cause incorrect replies to ARP requests due to the proxy replying to
2492 the ARP request as well as the keepalived host. Both must be set to
2493 0 for keepalived to function properly.
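An added check for the issue above (not part of the keepalived manual or its code): it reads the two per-interface sysctls for the interfaces that carry VIPs and emits the sysctl.conf lines that turn any enabled one off. SYSCTL_ROOT is the kernel's procfs path for these settings; the function names and the SAMPLE values are this example's own.

```python
import os

# Added example, not keepalived's own code: list interfaces whose proxy_arp or
# proxy_arp_pvlan sysctl is enabled, since either one on an interface that
# carries VIPs/eVIPs produces the duplicate ARP replies described above.

SYSCTL_ROOT = '/proc/sys/net/ipv4/conf'   # kernel per-interface ARP settings
KEYS = ('proxy_arp', 'proxy_arp_pvlan')

def read_sysctl(iface, key, root=SYSCTL_ROOT):
    """Read net.ipv4.conf.<iface>.<key> from the procfs tree (default reader)."""
    with open(os.path.join(root, iface, key)) as f:
        return f.read().strip()

def proxy_arp_problems(ifaces, read=read_sysctl):
    """Return {iface: [offending keys]} for interfaces where either key != 0.
    `read` is injectable so the check can run against captured values."""
    problems = {}
    for iface in ifaces:
        bad = [key for key in KEYS if read(iface, key) != '0']
        if bad:
            problems[iface] = bad
    return problems

def sysctl_fix_lines(problems):
    """sysctl.conf lines that turn every offending setting off."""
    return [f'net.ipv4.conf.{iface}.{key} = 0'
            for iface, keys in sorted(problems.items()) for key in keys]

# Constructed sample of captured values, used when run stand-alone.
SAMPLE = {('eth0', 'proxy_arp'): '0', ('eth0', 'proxy_arp_pvlan'): '0',
          ('eth1', 'proxy_arp'): '1', ('eth1', 'proxy_arp_pvlan'): '0'}

if __name__ == '__main__':
    found = proxy_arp_problems(['eth0', 'eth1'], read=lambda i, k: SAMPLE[(i, k)])
    print('\n'.join(sysctl_fix_lines(found)))   # net.ipv4.conf.eth1.proxy_arp = 0
```

On a live host, call proxy_arp_problems with the VIP-bearing interface names and the default reader; the resulting lines can go into a sysctl.d drop-in.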
2494
2496 Initial by Joseph Mack. Extensive updates by Alexandre Cassen & Quentin
2497 Armitage.
2498
2500 ipvsadm(8), ip --help.
2501
2502
2503
2504Keepalived 2020-05-31 keepalived.conf(5)