Setting Up Highly Available Web Servers with Keepalived
28 Oct 2017 at 7:21 PM
Keepalived is very mature, highly performant and is relatively easy to set up.
It allows you to create resilience to individual server failure by creating a "virtual interface" available at a "virtual IP address" that is served by an arrangement of master/slave(s) servers.
28 Oct 2017 at 7:21 PM
In the simplest case a domain name points to one or more IP addresses and each IP address targets a specific server. If that server goes down the website(s) at that IP address are no longer available.
Using keepalived it is possible to have the domain name point to one or more "virtual IP addresses" which are served by a master/slave configuration of servers. If a slave senses that the master is no longer alive then it can take over the task of serving requests received through the "virtual interface".
28 Oct 2017 at 7:27 PM
Strange fact - keepalived uses a "ARP" protocol called vrrp which is a "multicast" protocol. The fact I found strange is that IANA have created a dedicated IP address which is ALWAYS the destination of any VRRP packets sent to a vrrp "port".
That IP address is: 220.127.116.11
IANA RFC for vrrp says:
"The IPv4 multicast address as assigned by the IANA for VRRP is:
This is a link-local scope multicast address. Routers MUST NOT
forward a datagram with this destination address, regardless of its
If you have set up keepalived on a master and slave server and you are having issues then you need to check that the firewall has been configured to allow these VRRP requests to be received. You can configure your firewall using:
# iptables -I INPUT -i eth0 -d 18.104.22.168/8 -j ACCEPT
# iptables -A INPUT -p 112 -i eth0 -j ACCEPT
# iptables -A OUTPUT -p 112 -o eth0 -j ACCEPT
# service iptables save
This assumes your virtual interface is eth0
28 Oct 2017 at 7:39 PM
Logging of keepalived activity is sent to /var/log/messages and all Keepalived messages contain the tag "Keepalived" so you can easily monitor any keep alive messages via:
tail -f /var/log/messages | grep Keepalived
28 Oct 2017 at 9:49 PM
This link is very useful for CentOS/RedHat/Oracle linux users:
5 Nov 2017 at 9:55 PM
For CentOS 7 opening up the firewall for VRRP goes like this, assuming the interface that you are using for the virtual IP is 'eth0';
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --in-interface enp0s8 --destination 22.214.171.124 --protocol vrrp -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 --out-interface enp0s8 --destination 126.96.36.199 --protocol vrrp -j ACCEPT