KEEPALIVED.CONF(5) File Formats Manual KEEPALIVED.CONF(5)

/etc/keepalived/keepalived.conf - configuration file for keepalived

keepalived.conf is the configuration file which describes all the
keepalived keywords. Keywords are placed in hierarchies of blocks (and
subblocks), each layer being delimited by '{' and '}' pairs.

Comments start with '#' or '!' to the end of the line and can start
anywhere in a line.

GLOBAL CONFIGURATION

VRRPD CONFIGURATION

LVS CONFIGURATION

GLOBAL CONFIGURATION

contains subblocks of Global definitions and Static routes

global_defs                     # Block id
{
    notification_email          # To:
    {
        admin@example1.com
        ...
    }
    # From: from address that will be in header
    notification_email_from admin@example.com
    smtp_server 127.0.0.1       # IP
    smtp_connect_timeout 30     # integer, seconds
    router_id my_hostname       # string identifying the machine,
                                # (doesn't have to be hostname).
}

keepalived can configure static addresses and routes with ip (i.e. if
addresses are not already on the machine). These addresses are NOT
moved by vrrpd, they stay on the machine. If you already have IPs and
routes on your machines and your machines can ping each other, you
don't need this section.

The whole string is fed to ip addr add. You can truncate the string
anywhere you like and let ip addr add use defaults for the rest of the
string. If you just feed the string "192.168.1.1", the IP will be
192.168.1.1/32, which you probably don't want. This is different to
ifconfig, which will configure the IP with the standard class, here
192.168.1.1/24. The minimum string then would be the IP/netmask, e.g.
192.168.1.1/24

static_ipaddress
{
    192.168.1.1/24 brd + dev eth0 scope global
    ...
}

The whole string is fed to ip route add. You can truncate the string
allowing ip route add to use defaults.

static_routes
{
    src $SRC_IP to $DST_IP dev $SRC_DEVICE
    ...
    src $SRC_IP to $DST_IP via $GW dev $SRC_DEVICE
}

VRRPD CONFIGURATION

contains subblocks of VRRP synchronization group(s) and VRRP
instance(s)

# string, name of group of IPs that failover together
vrrp_sync_group VG_1 {
    group {
        inside_network   # name of vrrp_instance (below)
        outside_network  # One for each moveable IP.
        ...
    }

    # notify scripts and alerts are optional
    #
    # filenames of scripts to run on transitions
    # can be unquoted (if just filename)
    # or quoted (if has parameters)
    # to MASTER transition
    notify_master /path/to_master.sh
    # to BACKUP transition
    notify_backup /path/to_backup.sh
    # FAULT transition
    notify_fault "/path/fault.sh VG_1"

    # for ANY state transition.
    # "notify" script is called AFTER the
    # notify_* script(s) and is executed
    # with 3 arguments provided by keepalived
    # (ie don't include parameters in the notify line).
    # arguments
    # $1 = "GROUP"|"INSTANCE"
    # $2 = name of group or instance
    # $3 = target state of transition
    #      ("MASTER"|"BACKUP"|"FAULT")
    notify /path/notify.sh

    # Send email notification during state transition,
    # using addresses in global_defs above.
    smtp_alert
}
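
A handler for the generic "notify" hook described above, as an added example
(not part of the original man page or the keepalived sources). It accepts only
the three documented arguments; STATE_DIR, the state-file layout and the
function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: handler for the "notify" hook. keepalived supplies
#   $1 = "GROUP"|"INSTANCE"   $2 = group or instance name   $3 = target state
# STATE_DIR and the file layout are assumptions made for this example.
STATE_DIR=${STATE_DIR:-/var/run/keepalived-state}

# valid_name NAME: accept only characters that are safe in a file name, so a
# name such as "../x" can never resolve outside STATE_DIR.
valid_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
}

# handle_transition TYPE NAME STATE: record the new state atomically.
# Returns 0 on success, 1 on an I/O error, 2 when the arguments fall
# outside the documented contract.
handle_transition() {
    [ "$#" -eq 3 ] || return 2
    case "$1" in GROUP|INSTANCE) ;; *) return 2 ;; esac
    case "$3" in MASTER|BACKUP|FAULT) ;; *) return 2 ;; esac
    valid_name "$2" || return 2

    umask 077                                  # state files private to the owner
    mkdir -p "$STATE_DIR" || return 1
    tmp=$(mktemp "$STATE_DIR/.tmp.XXXXXX") || return 1
    printf '%s %s %s\n' "$1" "$2" "$3" > "$tmp" || return 1
    mv -f "$tmp" "$STATE_DIR/$1.$2"            # rename within one directory
}

# Run only when installed under the name used in the config above
# (notify /path/notify.sh); sourcing the file just defines the functions.
case "$0" in */notify.sh) handle_transition "$@" ;; esac
```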

describes the moveable IP for each instance of a group in
vrrp_sync_group. Here are described two IPs (on inside_network and on
outside_network), on machine "my_hostname", which belong to the group
VG_1 and which will transition together on any state change.
# You will need to write another block for outside_network.
vrrp_instance inside_network {
    # Initial state, MASTER|BACKUP
    # As soon as the other machine(s) come up,
    # an election will be held and the machine
    # with the highest "priority" will become MASTER.
    # So the entry here doesn't matter a whole lot.
    state MASTER

    # interface for inside_network, bound by vrrp
    interface eth0

    # Ignore VRRP interface faults (default unset)
    dont_track_primary

    # optional, monitor these as well.
    # go to FAULT state if any of these go down.
    track_interface {
        eth0
        eth1
        ...
    }

    # default IP for binding vrrpd is the primary IP
    # on interface. If you want to hide location of vrrpd,
    # use this IP as src_addr for multicast vrrp packets.
    # (since it's multicast, vrrpd will get the reply
    # packet no matter what src_addr is used).
    # optional
    mcast_src_ip <IPADDR>

    # Binding interface for lvs syncd
    lvs_sync_daemon_interface eth1

    # delay for gratuitous ARP after transition to MASTER
    garp_master_delay 10    # secs, default 5

    # arbitrary unique number 0..255
    # used to differentiate multiple instances of vrrpd
    # running on the same NIC (and hence same socket).
    virtual_router_id 51

    # for electing MASTER, highest priority wins.
    # to be MASTER, make 50 more than other machines.
    priority 100

    # VRRP Advert interval, secs (use default)
    advert_int 1
    authentication {        # Authentication block
        # PASS|AH
        # PASS - Simple Passwd (suggested)
        # AH - IPSEC (not recommended)
        auth_type PASS
        # Password for accessing vrrpd.
        # should be the same for all machines.
        auth_pass 1234
    }

    # addresses add|del on change to MASTER, to BACKUP.
    # With the same entries on other machines,
    # the opposite transition will be occurring.
    virtual_ipaddress {
        <IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE> label <LABEL>
        192.168.200.17/24 dev eth1
        192.168.200.18/24 dev eth2 label eth2:1
    }

    # VRRP IP excluded from VRRP
    # optional.
    # For cases with large numbers (eg 200) of IPs
    # on the same interface. To decrease the number
    # of packets sent in adverts, you can exclude
    # most IPs from adverts.
    # The IPs are add|del as for virtual_ipaddress.
    virtual_ipaddress_excluded {
        <IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE>
        <IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE>
        ...
    }
    # routes add|del when changing to MASTER, to BACKUP
    virtual_routes {
        # src <IPADDR> [to] <IPADDR>/<MASK> via|gw <IPADDR> dev <STRING> scope <SCOPE> tab
        src 192.168.100.1 to 192.168.109.0/24 via 192.168.200.254 dev eth1
        192.168.110.0/24 via 192.168.200.254 dev eth1
        192.168.111.0/24 dev eth2
        192.168.112.0/24 via 192.168.100.254
    }

    # VRRP will normally preempt a lower priority
    # machine when a higher priority machine comes
    # online. "nopreempt" allows the lower priority
    # machine to maintain the master role, even when
    # a higher priority machine comes back online.
    # NOTE: For this to work, the initial state of this
    # entry must be BACKUP.
    nopreempt

    # Seconds after startup until preemption
    # (if not disabled by "nopreempt").
    # Range: 0 (default) to 1,000
    # NOTE: For this to work, the initial state of this
    # entry must be BACKUP.
    preempt_delay 300    # waits 5 minutes

    # Debug level, not implemented yet.
    debug

    # notify scripts, alert as above
    notify_master <STRING>|<QUOTED-STRING>
    notify_backup <STRING>|<QUOTED-STRING>
    notify_fault <STRING>|<QUOTED-STRING>
    notify <STRING>|<QUOTED-STRING>
    smtp_alert
}

LVS CONFIGURATION

contains subblocks of Virtual server group(s) and Virtual server(s)

The subblocks contain arguments for ipvsadm(8). A knowledge of
ipvsadm(8) will be helpful here.

# optional
# this group allows a service on a real_server
# to belong to multiple virtual services
# and to be only health checked once.
# Only for very large LVSs.
virtual_server_group <STRING> {
    # VIP port
    <IPADDR> <PORT>
    <IPADDR> <PORT>
    ...
    #
    # <IPADDR RANGE> has the form
    # XXX.YYY.ZZZ.WWW-VVV eg 192.168.200.1-10
    # range includes both .1 and .10 address
    <IPADDR RANGE> <PORT>    # VIP range VPORT
    <IPADDR RANGE> <PORT>
    ...
    fwmark <INT>             # fwmark
    fwmark <INT>
    ...
}

A virtual_server can be a declaration of one of

vip vport (IPADDR PORT pair)

fwmark <INT>

(virtual server) group <STRING>

# setup service
virtual_server IP port |
virtual_server fwmark int |
virtual_server group string
{
    # delay timer for service polling
    delay_loop <INT>

    # LVS scheduler
    lb_algo rr|wrr|lc|wlc|lblc|sh|dh
    # LVS forwarding method
    lb_kind NAT|DR|TUN
    # LVS persistence timeout, sec
    persistence_timeout <INT>
    # LVS granularity mask (-M in ipvsadm)
    persistence_granularity <NETMASK>
    # Only TCP is implemented
    protocol TCP
    # If VS IP address is not set,
    # suspend healthchecker's activity
    ha_suspend

    # VirtualHost string for HTTP_GET or SSL_GET
    # eg virtualhost www.firewall.loc
    virtualhost <STRING>

    # setup realserver(s)

    # RS to add when all realservers are down
    sorry_server <IPADDR> <PORT>

    # one entry for each realserver
    real_server <IPADDR> <PORT>
    {
        # relative weight to use, default: 1
        weight <INT>
        # Set weight to 0
        # when healthchecker detects failure
        inhibit_on_failure

        # Script to launch when healthchecker
        # considers service as up.
        notify_up <STRING>|<QUOTED-STRING>
        # Script to launch when healthchecker
        # considers service as down.
        notify_down <STRING>|<QUOTED-STRING>

        # pick one healthchecker
        # HTTP_GET|SSL_GET|TCP_CHECK|SMTP_CHECK|MISC_CHECK

        # HTTP and SSL healthcheckers
        HTTP_GET|SSL_GET
        {
            # A url to test
            # can have multiple entries here
            url {
                # eg path / , or path /mrtg2/
                path <STRING>
                # healthcheck needs status_code
                # or status_code and digest
                # Digest computed with genhash
                # eg digest 9b3a0c85a887a256d6939da88aabd8cd
                digest <STRING>
                # status code returned in the HTTP header
                # eg status_code 200
                status_code <INT>
            }
            # IP, tcp port for service on realserver
            connect_port <PORT>
            bindto <IPADDR>
            # Timeout connection, sec
            connect_timeout <INT>
            # number of get retry
            nb_get_retry <INT>
            # delay before retry
            delay_before_retry <INT>
        } # HTTP_GET|SSL_GET
356
357 #TCP healthchecker (bind to IP port)
358 TCP_CHECK
359 {
360 connect_port <PORT>
361 bindto <IPADDR>
362 connect_timeout <INT>
363 } #TCP_CHECK
364
365 # SMTP healthchecker
366 SMTP_CHECK
367 {
368 # An optional host interface to check.
369 # If no host directives are present, only
370 # the ip address of the real server will
371 # be checked.
372 host {
373 # IP address to connect to
374 connect_ip <IP ADDRESS>
375 # Optional port to connect to if not
376 # the default of 25
377 connect_port <PORT>
378 # Optional interface to use to
379 # originate the connection
380 bindto <IP ADDRESS>
381 }
382 # Connection and read/write timeout
383 # in seconds
384 connect_timeout <INTEGER>
385 # Number of times to retry a failed check
386 retry <INTEGER>
387 # Delay in seconds before retrying
388 delay_before_retry <INTEGER>
389 # Optional string to use for the smtp HELO request
390 helo_name <STRING>|<QUOTED-STRING>
391 } #SMTP_CHECK
392
393 #MISC healthchecker, run a program
394 MISC_CHECK
395 {
396 # External system script or program
397 misc_path <STRING>|<QUOTED-STRING>
398 # Script execution timeout
399 misc_timeout <INT>
400
401 # If set, exit code from healthchecker is used
402 # to dynamically adjust the weight as follows:
403 # exit status 0: svc check success, weight
404 # unchanged.
405 # exit status 1: svc check failed.
406 # exit status 2-255: svc check success, weight
407 # changed to 2 less than exit status.
408 # (for example: exit status of 255 would set
409 # weight to 253)
410 misc_dynamic
411 }
412 } # realserver defn
413 } # virtual service
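
A misc_path script that follows the misc_dynamic exit-status convention
documented in the MISC_CHECK block above, as an added example (not part of the
original man page or the keepalived sources). The function names, the file name
check_weight.sh, the connection-count metric file and the load-to-weight policy
are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: misc_path script for a MISC_CHECK that sets misc_dynamic.
# Exit-status contract, from the man page:
#   0       check succeeded, weight unchanged
#   1       check failed
#   2..255  check succeeded, weight becomes (status - 2)

# is_uint VALUE: true for a plain decimal integer of at most 9 digits with no
# leading zero, so later shell arithmetic cannot overflow or be read as octal.
is_uint() {
    case "$1" in ''|*[!0-9]*|0?*|??????????*) return 1 ;; esac
}

# weight_to_status WEIGHT: print the exit status that requests WEIGHT.
# Malformed input is reported as a failed check (1) so a broken metric never
# keeps a server in rotation; weights above 253 are clamped, because 255 is
# the largest exit status a process can return.
weight_to_status() {
    is_uint "$1" || { echo 1; return; }
    if [ "$1" -gt 253 ]; then echo 255; else echo $(($1 + 2)); fi
}

# load_to_weight ACTIVE MAX: print a weight 0..100 that shrinks as ACTIVE
# approaches MAX (assumed policy for this example, not keepalived's own).
# Prints nothing on malformed input, which weight_to_status maps to 1.
load_to_weight() {
    is_uint "$1" && is_uint "$2" && [ "$2" -gt 0 ] || return 0
    if [ "$1" -ge "$2" ]; then echo 0; else echo $(( ($2 - $1) * 100 / $2 )); fi
}

# main METRIC_FILE MAX: METRIC_FILE holds the current connection count
# (constructed input; a real check would query the service itself).
main() {
    active=$(cat "$1" 2>/dev/null) || exit 1
    exit "$(weight_to_status "$(load_to_weight "$active" "$2")")"
}

# Run only when installed under this (hypothetical) name, e.g.
#   misc_path "/path/check_weight.sh /path/active_conns 200"
case "$0" in */check_weight.sh) main "$@" ;; esac
```

A saturated server exits with status 2, which sets its weight to 0 while the check still counts as a success; only status 1 marks the check as failed.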

Joseph Mack.
Information derived from doc/keepalived.conf.SYNOPSIS,
doc/samples/keepalived.conf.* and Changelog by Alexandre Cassen for
keepalived-1.1.4, and from HOWTOs by Adam Fletcher and Vince Worthington.

ipvsadm(8), ip --help.

4th Berkeley Distribution Jan 2004 KEEPALIVED.CONF(5)