Keepalived Secure Configuration with Unicast IP and Script Check (Secure keepalived cluster configuration with a script check)

Eldar Karimov
Apr 12, 2023

After installation we can move on to the configuration steps.

As you know, some network infrastructures disable "IGMP Multicast". Because of this it is worth using keepalived's unicast mode, so that is the mode we will use here.

Our configuration will also run a script that we define: if the script's exit code is 0 (success), this instance increases its priority and becomes the "Master"; if not, the server takes the "Backup" role.

Let’s say we have two servers:

* host1 - 192.168.1.73, interface ens192 (wan)
* host2 - 192.168.1.74, interface ens192 (wan)
* Virtual floating IP - 192.168.1.75, interface ens192 (wan)

The configuration for each host is as follows:

  • keepalived.conf on host1 👇
global_defs {
router_id Your-HA-Name
}

# Define the script to see if the local node is the primary
vrrp_script my_check_script {
script "/opt/scripts/your_script.sh" # your script which will be checked
interval 15 # run script every 15 seconds
weight 5 # if the script exits 0, add +5 to this server's priority
}

vrrp_instance VI_2 {
state BACKUP
interface ens192 # our interface name
virtual_router_id 177 # must be unique within your infrastructure to avoid conflicts
priority 201
advert_int 3
authentication {
auth_type PASS
auth_pass YoUrStongPaSS
}
unicast_src_ip 192.168.1.73 # this host's IP; unicast-specific option: the IP of the interface keepalived listens on
unicast_peer { # IP addresses of the second and any further hosts (the peer instances)
192.168.1.74
}
virtual_ipaddress {
192.168.1.75
}

track_script {
my_check_script # the name of the vrrp_script block defined above
}
}
  • keepalived.conf on host2 👇
global_defs {
router_id Your-HA-Name
}

# Define the script to see if the local node is the primary
vrrp_script my_check_script {
script "/opt/scripts/your_script.sh" # your script which will be checked
interval 15 # run script every 15 seconds
weight 5 # if the script exits 0, add +5 to this server's priority
}

vrrp_instance VI_2 {
state BACKUP
interface ens192 # our interface name
virtual_router_id 177 # must be unique within your infrastructure to avoid conflicts
priority 201
advert_int 3
authentication {
auth_type PASS
auth_pass YoUrStongPaSS
}
unicast_src_ip 192.168.1.74 # this host's IP; unicast-specific option: the IP of the interface keepalived listens on
unicast_peer { # IP addresses of the second and any further hosts (the peer instances)
192.168.1.73
}
virtual_ipaddress {
192.168.1.75
}

track_script {
my_check_script # the name of the vrrp_script block defined above
}
}
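
The configs above reference /opt/scripts/your_script.sh but never show it. The following is an added example of such a check script (not the author's script): it exits 0, earning the +5 weight, only when the real service is listening on the given TCP port and the WAN interface carrying the VIP is up. The port, the interface and the use of ss for the listener table are assumptions; the script is kept root-owned and not world-writable, which is also what keepalived's enable_script_security option enforces.

```shell
#!/bin/sh
# Example health check for the vrrp_script above (added illustration, not the author's script).
# Exit 0 => keepalived adds the configured weight (+5) to this node's priority; any other
# exit code => no bonus, so the node stays BACKUP while a healthy peer holds the VIP.
# Usage from keepalived.conf:  script "/opt/scripts/your_script.sh 443 ens192"

service_listening() {
    # $1 = TCP port, $2 = listener table (output of `ss -Hltn`), passed in as an
    # argument so the function can be exercised offline with constructed data
    printf '%s\n' "$2" | awk -v p="$1" '
        { n = split($4, a, ":"); if (a[n] == p) found = 1 }   # $4 = Local Address:Port
        END { exit(found ? 0 : 1) }'
}

iface_up() {
    # $1 = contents of /sys/class/net/<iface>/operstate
    [ "$1" = "up" ]
}

health_check() {
    # $1 = port the real service must listen on, $2 = WAN interface carrying the VIP
    table=$(ss -Hltn 2>/dev/null) || return 1
    state=$(cat "/sys/class/net/$2/operstate" 2>/dev/null) || return 1
    service_listening "$1" "$table" && iface_up "$state"
}

# Run the live check only when keepalived passes both arguments; without arguments
# the file just defines the functions (handy for sourcing and testing offline).
if [ $# -ge 2 ]; then
    health_check "$1" "$2"
    exit $?
fi
```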

For troubleshooting you can run journalctl -u keepalived -f on every host to follow the keepalived logs live.

Secure keepalived configuration to protect against attacks on "VRRP"

To protect the server from "VRRP" attacks, a dedicated VRRP-only interface can be used so that the keepalived "VRRP" service packets travel over a separate LAN interface that is not reachable from the "WAN". Accordingly, each host will have two network interfaces, ens192 and ens224: the "VRRP" traffic will run on ens224, and the floating "VIP" 192.168.1.75 will live on ens192.

Add an additional interface to each host:
* host1 - 192.168.10.73, interface ens224 (lan)
* host2 - 192.168.10.74, interface ens224 (lan)

The virtual IP address does not change and stays as before.

The configuration on each host then changes as follows:

  • keepalived.conf on host1 👇
global_defs {
router_id Your-HA-Name
}

# Define the script to see if the local node is the primary
vrrp_script my_check_script {
script "/opt/scripts/your_script.sh" # your script which will be checked
interval 15 # run script every 15 seconds
weight 5 # if the script exits 0, add +5 to this server's priority
}

vrrp_instance VI_2 {
state BACKUP
interface ens224 # our LAN interface, used only for VRRP
virtual_router_id 177 # must be unique within your infrastructure to avoid conflicts
priority 201
advert_int 3
authentication {
auth_type PASS
auth_pass YoUrStongPaSS
}
unicast_src_ip 192.168.10.73 # this host's LAN IP; unicast-specific option: the IP of the interface keepalived listens on
unicast_peer { # LAN IP addresses of the second and any further hosts (the peer instances)
192.168.10.74
}
virtual_ipaddress {
192.168.1.75 dev ens192
}

track_script {
my_check_script # the name of the vrrp_script block defined above
}
}
  • keepalived.conf on host2 👇
global_defs {
router_id Your-HA-Name
}

# Define the script to see if the local node is the primary
vrrp_script my_check_script {
script "/opt/scripts/your_script.sh" # your script which will be checked
interval 15 # run script every 15 seconds
weight 5 # if the script exits 0, add +5 to this server's priority
}

vrrp_instance VI_2 {
state BACKUP
interface ens224 # our LAN interface, used only for VRRP
virtual_router_id 177 # must be unique within your infrastructure to avoid conflicts
priority 201
advert_int 3
authentication {
auth_type PASS
auth_pass YoUrStongPaSS
}
unicast_src_ip 192.168.10.74 # this host's LAN IP; unicast-specific option: the IP of the interface keepalived listens on
unicast_peer { # LAN IP addresses of the second and any further hosts (the peer instances)
192.168.10.73
}
virtual_ipaddress {
192.168.1.75 dev ens192
}

track_script {
my_check_script # the name of the vrrp_script block defined above
}
}

Firewall configuration (CentOS, RHEL, Rocky, others…)

  • Run these 👇 commands on every host to allow "VRRP" packets to be exchanged between the hosts
firewall-cmd --permanent --zone=public --remove-interface=ens224 # remove the interface from the public zone
firewall-cmd --permanent --zone=internal --add-interface=ens224 # add the interface to the internal zone
firewall-cmd --list-all-zones # check all zones and the interfaces in each zone
firewall-cmd --remove-rich-rule='rule protocol value="vrrp" accept' --permanent # delete from the default zone the old rule we added during the initial keepalived installation
firewall-cmd --remove-rich-rule='rule protocol value="vrrp" accept' --zone=internal --permanent # the same for the internal zone, in case it was added there
firewall-cmd --add-rich-rule='rule protocol value="vrrp" accept' --zone=internal --permanent # allow VRRP with a rich rule on our internal zone only
systemctl restart firewalld
#or
firewall-cmd --reload
# Optional: remove unnecessary services from the zones 👇
firewall-cmd --permanent --zone=internal --remove-service=samba-client
firewall-cmd --permanent --zone=internal --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=internal --remove-service=mdns
firewall-cmd --permanent --zone=internal --remove-service=cockpit
firewall-cmd --permanent --zone=public --remove-service=samba-client
firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=public --remove-service=mdns
firewall-cmd --permanent --zone=public --remove-service=cockpit
systemctl restart firewalld
#or
firewall-cmd --reload
systemctl restart keepalived
#END
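
After the steps above it is worth verifying that VRRP really is confined to the LAN zone. The following is an added audit helper (not part of the original post): it parses the output of firewall-cmd --list-all-zones and passes only when the LAN interface sits in the expected zone and no other zone accepts the vrrp protocol. The interface and zone names are the ones used in this post; the sample listing in the usage comment is constructed.

```shell
#!/bin/sh
# Audit helper (added example): confirm that the "vrrp" rich rule exists only in the
# zone holding the LAN interface (ens224), never in the WAN-facing public zone.
# Every function takes the zone listing as an argument so it can be checked offline.

zone_of_interface() {
    # $1 = interface, $2 = output of `firewall-cmd --list-all-zones`; prints the zone name
    printf '%s\n' "$2" | awk -v want="$1" '
        !/^[[:space:]]/ && NF { zone = $1 }      # an unindented line starts a zone block
        $1 == "interfaces:" { for (i = 2; i <= NF; i++) if ($i == want) print zone }'
}

vrrp_rule_zones() {
    # $1 = listing; prints every zone that carries a rich rule accepting protocol "vrrp"
    printf '%s\n' "$1" | awk '
        !/^[[:space:]]/ && NF { zone = $1 }
        /protocol value="vrrp"/ && /accept/ { print zone }'
}

audit_vrrp_zones() {
    # $1 = LAN interface, $2 = expected zone, $3 = listing
    # returns 0 only when the interface is in that zone and it is the sole zone accepting VRRP
    [ "$(zone_of_interface "$1" "$3")" = "$2" ] || return 1
    [ "$(vrrp_rule_zones "$3")" = "$2" ] || return 1
}

# Live use on a host (the functions above are also usable with a constructed listing):
#   audit_vrrp_zones ens224 internal "$(firewall-cmd --list-all-zones)" && echo "VRRP confined to internal"
```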
