No IP bound after RabbitMQ starts: error "SECURITY VIOLATION - scripts are being executed but script_security not enabled"

Problem summary


RabbitMQ high-availability architecture diagram:
https://www.processon.com/view/link/61289f8763768957962ee433
After starting Keepalived, the VIP was not bound to the network interface, and the log reported:

Keepalived_vrrp[12186]: WARNING - default user 'keepalived_script' for script execution does not exist - please create.
Keepalived_vrrp[12186]: Truncating auth_pass to 8 characters
Keepalived_vrrp[12186]: SECURITY VIOLATION - scripts are being executed but script_security not enabled.

Full error output


Aug 27 15:48:06 BJOIS-AS systemd: Starting LVS and VRRP High Availability Monitor...
Aug 27 15:48:06 BJOIS-AS Keepalived[12183]: Starting Keepalived v1.3.5 (03/19,2017), git commit v1.3.5-6-g6fa32f2
Aug 27 15:48:06 BJOIS-AS Keepalived[12183]: Opening file '/etc/keepalived/keepalived.conf'.
Aug 27 15:48:06 BJOIS-AS systemd: Started LVS and VRRP High Availability Monitor.
Aug 27 15:48:06 BJOIS-AS Keepalived[12184]: Starting Healthcheck child process, pid=12185
Aug 27 15:48:06 BJOIS-AS Keepalived_healthcheckers[12185]: Opening file '/etc/keepalived/keepalived.conf'.
Aug 27 15:48:06 BJOIS-AS Keepalived[12184]: Starting VRRP child process, pid=12186
Aug 27 15:48:06 BJOIS-AS Keepalived_vrrp[12186]: Registering Kernel netlink reflector
Aug 27 15:48:06 BJOIS-AS Keepalived_vrrp[12186]: Registering Kernel netlink command channel
Aug 27 15:48:06 BJOIS-AS Keepalived_vrrp[12186]: Registering gratuitous ARP shared channel
Aug 27 15:48:06 BJOIS-AS Keepalived_vrrp[12186]: Opening file '/etc/keepalived/keepalived.conf'.
Aug 27 15:48:06 BJOIS-AS Keepalived_vrrp[12186]: WARNING - default user 'keepalived_script' for script execution does not exist - please create.
Aug 27 15:48:06 BJOIS-AS Keepalived_vrrp[12186]: Truncating auth_pass to 8 characters
Aug 27 15:48:06 BJOIS-AS Keepalived_vrrp[12186]: SECURITY VIOLATION - scripts are being executed but script_security not enabled.
Aug 27 15:48:06 BJOIS-AS Keepalived_vrrp[12186]: VRRP_Instance(VI_1) removing protocol VIPs.
Aug 27 15:48:06 BJOIS-AS Keepalived_vrrp[12186]: Using LinkWatch kernel netlink reflector...
Aug 27 15:48:06 BJOIS-AS Keepalived_vrrp[12186]: VRRP_Instance(VI_1) Entering BACKUP STATE
Aug 27 15:48:06 BJOIS-AS Keepalived_vrrp[12186]: VRRP sockpool: [ifindex(2), proto(112), unicast(0), fd(10,11)]
Aug 27 15:48:06 BJOIS-AS Keepalived[12184]: Stopping
Aug 27 15:48:06 BJOIS-AS systemd: Stopping LVS and VRRP High Availability Monitor...
Aug 27 15:48:06 BJOIS-AS Keepalived_healthcheckers[12185]: Stopped
Aug 27 15:48:07 BJOIS-AS Keepalived_vrrp[12186]: Stopped
Aug 27 15:48:07 BJOIS-AS Keepalived[12184]: Stopped Keepalived v1.3.5 (03/19,2017), git commit v1.3.5-6-g6fa32f2
Aug 27 15:48:07 BJOIS-AS systemd: Stopped LVS and VRRP High Availability Monitor.

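First problem: WARNING - default user 'keepalived_script' for script execution does not exist - please create.


WARNING - default user 'keepalived_script' for script execution does not exist - please create.

The cause of this error is a mistake in the configuration file; adding the following two lines to global_defs fixes it.

# User name and group used to run scripts. The group defaults to the user's default group. If not specified, the keepalived_script user is used; if that user does not exist, root is used.
script_user root

Restart the service

systemctl restart keepalived.service

Check the log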

Aug 27 16:29:34 BJOIS-AS systemd: Starting LVS and VRRP High Availability Monitor...
Aug 27 16:29:34 BJOIS-AS Keepalived[23064]: Starting Keepalived v1.3.5 (03/19,2017), git commit v1.3.5-6-g6fa32f2
Aug 27 16:29:34 BJOIS-AS Keepalived[23064]: Opening file '/etc/keepalived/keepalived.conf'.
Aug 27 16:29:34 BJOIS-AS Keepalived[23065]: Starting Healthcheck child process, pid=23066
Aug 27 16:29:34 BJOIS-AS systemd: Started LVS and VRRP High Availability Monitor.
Aug 27 16:29:34 BJOIS-AS Keepalived[23065]: Starting VRRP child process, pid=23067
Aug 27 16:29:34 BJOIS-AS Keepalived_healthcheckers[23066]: Opening file '/etc/keepalived/keepalived.conf'.
Aug 27 16:29:34 BJOIS-AS Keepalived_vrrp[23067]: Registering Kernel netlink reflector
Aug 27 16:29:34 BJOIS-AS Keepalived_vrrp[23067]: Registering Kernel netlink command channel
Aug 27 16:29:34 BJOIS-AS Keepalived_vrrp[23067]: Registering gratuitous ARP shared channel
Aug 27 16:29:34 BJOIS-AS Keepalived_vrrp[23067]: Opening file '/etc/keepalived/keepalived.conf'.
Aug 27 16:29:34 BJOIS-AS Keepalived_vrrp[23067]: Truncating auth_pass to 8 characters
Aug 27 16:29:34 BJOIS-AS Keepalived_vrrp[23067]: SECURITY VIOLATION - scripts are being executed but script_security not enabled.
Aug 27 16:29:34 BJOIS-AS Keepalived_vrrp[23067]: VRRP_Instance(VI_1) removing protocol VIPs.
Aug 27 16:29:34 BJOIS-AS Keepalived_vrrp[23067]: Using LinkWatch kernel netlink reflector...
Aug 27 16:29:34 BJOIS-AS Keepalived_vrrp[23067]: VRRP_Instance(VI_1) Entering BACKUP STATE
Aug 27 16:29:34 BJOIS-AS Keepalived_vrrp[23067]: VRRP sockpool: [ifindex(2), proto(112), unicast(0), fd(10,11)]
Aug 27 16:29:34 BJOIS-AS Keepalived[23065]: Stopping
Aug 27 16:29:34 BJOIS-AS systemd: Stopping LVS and VRRP High Availability Monitor...
Aug 27 16:29:34 BJOIS-AS Keepalived_healthcheckers[23066]: Stopped
Aug 27 16:29:35 BJOIS-AS Keepalived_vrrp[23067]: Stopped
Aug 27 16:29:35 BJOIS-AS Keepalived[23065]: Stopped Keepalived v1.3.5 (03/19,2017), git commit v1.3.5-6-g6fa32f2
Aug 27 16:29:35 BJOIS-AS systemd: Stopped LVS and VRRP High Availability Monitor.

The IP is still not bound.

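Second problem: SECURITY VIOLATION - scripts are being executed but script_security not enabled.


SECURITY VIOLATION - scripts are being executed but script_security not enabled.

The cause of this error is a mistake in the configuration file; adding the following two lines to global_defs fixes it.

# Do not run scripts configured to run as root if any part of their path is writable by a non-root user.
enable_script_security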
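
With script_user root and enable_script_security both set, the check script and every directory above it must not be modifiable by a non-root user. The following check is an added example, not part of the original post and not keepalived's own implementation: it approximates the rule in the comment above for a path such as /etc/keepalived/haproxy_check2.sh. The function name unsafe_path_components and the TRUSTED_UID variable are hypothetical, and GNU stat, readlink and dirname (Linux) are assumed.

```shell
#!/bin/sh
# Added example: list every component of a script's path that someone other
# than root could modify. Approximation of the rule, not keepalived's code.
# Assumes GNU coreutils (stat -c, readlink -f, dirname).

# uid allowed to own path components; 0 (root) for a real check (hypothetical knob)
TRUSTED_UID=${TRUSTED_UID:-0}

# Print "<reason> <path>" for each unsafe component of the canonical path of $1.
unsafe_path_components() {
	# Resolve symlinks first so that only real files and directories are walked
	p=$(readlink -f -- "$1") || return 2
	[ -e "$p" ] || { echo "missing $p"; return 0; }
	while :; do
		owner=$(stat -c '%u' -- "$p")
		mode=$(stat -c '%a' -- "$p")
		[ "$owner" = "$TRUSTED_UID" ] || echo "bad-owner(uid=$owner) $p"
		# Octal mode: a 2, 3, 6 or 7 in the group or other digit means writable
		case "$mode" in
			*[2367]?|*[2367]) echo "group-or-other-writable(mode=$mode) $p" ;;
		esac
		[ "$p" = "/" ] && break
		p=$(dirname -- "$p")
	done
	return 0
}

# Command-line use: print findings and exit 1 if there are any
if [ "$#" -gt 0 ]; then
	findings=$(unsafe_path_components "$1")
	[ -z "$findings" ] && exit 0
	printf '%s\n' "$findings"
	exit 1
fi
```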

Restart the service

systemctl restart keepalived.service

Check the log

Aug 27 16:34:04 BJOIS-AS systemd: Starting LVS and VRRP High Availability Monitor...
Aug 27 16:34:04 BJOIS-AS Keepalived[23137]: Starting Keepalived v1.3.5 (03/19,2017), git commit v1.3.5-6-g6fa32f2
Aug 27 16:34:04 BJOIS-AS Keepalived[23137]: Opening file '/etc/keepalived/keepalived.conf'.
Aug 27 16:34:04 BJOIS-AS Keepalived[23138]: Starting Healthcheck child process, pid=23139
Aug 27 16:34:04 BJOIS-AS systemd: Started LVS and VRRP High Availability Monitor.
Aug 27 16:34:04 BJOIS-AS Keepalived[23138]: Starting VRRP child process, pid=23140
Aug 27 16:34:04 BJOIS-AS keepalived_healthcheckers[23139]: Opening file '/etc/keepalived/keepalived.conf'.
Aug 27 16:34:04 BJOIS-AS Keepalived_vrrp[23140]: Registering Kernel netlink reflector
Aug 27 16:34:04 BJOIS-AS Keepalived_vrrp[23140]: Registering Kernel netlink command channel
Aug 27 16:34:04 BJOIS-AS Keepalived_vrrp[23140]: Registering gratuitous ARP shared channel
Aug 27 16:34:04 BJOIS-AS Keepalived_vrrp[23140]: Opening file '/etc/keepalived/keepalived.conf'.
Aug 27 16:34:04 BJOIS-AS Keepalived_vrrp[23140]: Truncating auth_pass to 8 characters
Aug 27 16:34:04 BJOIS-AS Keepalived_vrrp[23140]: VRRP_Instance(VI_1) removing protocol VIPs.
Aug 27 16:34:04 BJOIS-AS Keepalived_vrrp[23140]: Using LinkWatch kernel netlink reflector...
Aug 27 16:34:04 BJOIS-AS Keepalived_vrrp[23140]: VRRP_Instance(VI_1) Entering BACKUP STATE
Aug 27 16:34:04 BJOIS-AS Keepalived_vrrp[23140]: VRRP sockpool: [ifindex(2), proto(112), unicast(0), fd(10,11)]
Aug 27 16:34:05 BJOIS-AS systemd: Stopping LVS and VRRP High Availability Monitor...
Aug 27 16:34:05 BJOIS-AS Keepalived[23138]: Stopping
Aug 27 16:34:05 BJOIS-AS Keepalived_healthcheckers[23139]: Stopped
Aug 27 16:34:06 BJOIS-AS Keepalived_vrrp[23140]: Stopped
Aug 27 16:34:06 BJOIS-AS Keepalived[23138]: Stopped Keepalived v1.3.5 (03/19,2017), git commit v1.3.5-6-g6fa32f2
Aug 27 16:34:06 BJOIS-AS systemd: Stopped LVS and VRRP High Availability Monitor.

The log now shows no problems, but the VIP is still not bound to the server.
What now?

Modify the check script


haproxy_check2.sh

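#!/bin/bash
# Number of processes whose command name is exactly "haproxy"
COUNT=$(ps -C haproxy --no-header | wc -l)
T=$(date '+%Y-%m-%d %H:%M:%S')
LOGF='/var/log/keepalived_healthcheckers.log'
echo "$T haproxy Number of processes :$COUNT" >> "$LOGF"
# Diagnostic listing only: this grep also matches itself and this script, whose name contains "haproxy"
echo "$T haproxy processes :" $(ps -ef | grep haproxy) >> "$LOGF"
if [ "$COUNT" -eq 0 ]; then
	# haproxy is not running: stop keepalived on this node
	echo "$T Stopping keepalived:" >> "$LOGF"
	systemctl stop keepalived
	echo "$T Stopped keepalived :" >> "$LOGF"
fi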

I have the check script write its log to /var/log/keepalived_healthcheckers.log

Look at the keepalived_healthcheckers check log


2021-08-27 16:47:59 haproxy Number of processes :0
2021-08-27 16:47:59 haproxy processes : 
root 23463 23462 0 16:47 ? 00:00:00 /bin/bash /etc/keepalived/haproxy_check2.sh 
root 23468 23463 0 16:47 ? 00:00:00 /bin/bash /etc/keepalived/haproxy_check2.sh 
root 23470 23468 0 16:47 ? 00:00:00 grep haproxy
2021-08-27 16:47:59 Stopping keepalived:

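It turns out HAProxy was not running. Problem found.

Summary


In a keepalived + haproxy architecture, haproxy must be started first; alternatively, the check script can bring haproxy up itself.

Enabling both services at boot does not guarantee that haproxy starts before keepalived, so the boot sequence also needs customizing, by writing it into rc.local.

The boot script is attached below. The rough logic: try to start haproxy first; if that succeeds, start keepalived; if it does not, exit the script.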

#!/bin/bash
LOGF='/var/log/autoup_haproxy_keepalived.log'
num=10
#------------
# start haproxy
#------------
while true
do
	# Refresh the timestamp on every attempt
	T=$(date '+%Y-%m-%d %H:%M:%S')
	haproxy_service=$(systemctl status haproxy | grep running)
	if [ -z "$haproxy_service" ];then
		if [ "$num" -eq 60 ];then
			# Five attempts used up: exit without starting keepalived
			echo "$T haproxy service start failed" >> "$LOGF"
			exit
		fi
		echo "$T haproxy service start $((num / 10))" >> "$LOGF"
		systemctl start haproxy
	else
		echo "$T haproxy service start success" >> "$LOGF"
		break
	fi
	sleep 10
	# Advance the attempt counter (the original used the undefined variable $a here)
	num=$((num + 10))
done
#-----------
# start keepalived
#-----------
num=10
while true
do
	T=$(date '+%Y-%m-%d %H:%M:%S')
	keepalived_service=$(systemctl status keepalived | grep running)
	if [ -z "$keepalived_service" ];then
		if [ "$num" -eq 60 ];then
			echo "$T keepalived service start failed" >> "$LOGF"
			break
		fi
		echo "$T keepalived service start $((num / 10))" >> "$LOGF"
		systemctl start keepalived
	else
		echo "$T keepalived service start success" >> "$LOGF"
		break
	fi
	sleep 10
	num=$((num + 10))
done

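Copyright notice: this is an original article by the author, licensed under CC 4.0 BY-SA. When reposting, include a link to the original source and this notice.

Original article by 老C. If reposting, please credit the source: https://www.code404.icu/1133.html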
