Keepalived is a Linux implementation of VRRP (Virtual Router Redundancy Protocol) that makes IPs highly available, a so-called VIP (Virtual IP). The daemon is furthermore able to provide load balancing mechanisms using the “Linux Virtual Server” (IPVS). In this blog post I’ll write about an almost undocumented feature: check scripts and notify scripts. These scripts can be used to regularly check anything you want, to ensure the VRRP master is on the correct node, and to take action if there is a state change.
How VRRP works
Usually the VRRP protocol ensures that one of the participating nodes is master. The backup node(s) listen for multicast packets from a node with a higher priority. If the backup node fails to receive VRRP advertisements for a period longer than three times the advertisement timer, the backup node takes the master state and assigns the configured IP(s) to itself. If there is more than one backup node with the same priority, the one with the highest IP wins the election.
There is no fencing mechanism available. If, e.g., two participating nodes don’t see each other, both will have the master state and both will carry the same IP(s). When I was looking for a way to detect which one should stay the master or give up its master state, I discovered the “Check Script” mechanism.
A check script is a script written in the language of your choice which is executed regularly. This script needs to have a return value: 0 for “everything is fine”, 1 (or other than 0) for “something went wrong”. This value is used by Keepalived to take action. Scripts are defined like this:
As you can see in the example it’s possible to specify the interval in seconds and also how many times the script needs to succeed or fail until any action is taken.
The script can check anything you want. Here are some ideas:
- Is the daemon X running?
- Is the interface X on the remote switch Y up?
- Is the IP 220.127.116.11 pingable?
- Is there enough disk space available to run my application?
This script definition can now be used in a
As soon as the track_script returns another code than 0 two times, the VRRP instance will change the state to FAULT, remove the IP from eth0 and stop sending multicast VRRP packets.
A notify script can be used to take other actions, not only removing or adding an IP to an interface. It can, e.g., start or stop a daemon, depending on the VRRP state. And this is how it’s defined in the Keepalived configuration:
The script is called after any state change with the following parameters:
- $1 = “GROUP” or “INSTANCE”
- $2 = name of group or instance
- $3 = target state of transition (“MASTER”, “BACKUP”, “FAULT”)
Here is a sample script:
One example of using these notify scripts is to have a highly available IPsec gateway (start and stop the IPsec process). We are using it successfully at nine.ch for customer IPsec endpoints.
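The notify-script pattern described above (act on the target state passed in $3, e.g. to start or stop a daemon), as an added example that is not the original post's sample script. `SERVICE_CMD`, `decide_action` and `handle_notify` are hypothetical names; by default the script only prints the action it would take.

```shell
#!/bin/sh
# Added example: keepalived notify handler. Keepalived calls it as
#   <script> $1=GROUP|INSTANCE  $2=name of group/instance  $3=MASTER|BACKUP|FAULT
# SERVICE_CMD is a hypothetical stand-in for the command that manages your
# daemon (for instance the IPsec service). The default only prints the action.
SERVICE_CMD="${SERVICE_CMD:-echo would-run:}"

# Map the target state to a service action. Prints "start" or "stop";
# returns 2 for any argument outside the documented set.
decide_action() {
    kind="$1"; name="$2"; state="$3"
    case "$kind" in
        GROUP|INSTANCE) ;;
        *) return 2 ;;
    esac
    # The name is only logged; still restrict it to a safe character set.
    case "$name" in
        ""|*[!A-Za-z0-9_.-]*) return 2 ;;
    esac
    case "$state" in
        MASTER)       echo start ;;   # this node now carries the VIP
        BACKUP|FAULT) echo stop ;;    # this node must not serve the VIP
        *)            return 2 ;;
    esac
}

# Validate the arguments, log the transition to stderr, run the action.
handle_notify() {
    action=$(decide_action "$@") || {
        echo "notify: rejected arguments" >&2
        return 2
    }
    echo "notify: $1 $2 -> $3, action=$action" >&2
    $SERVICE_CMD "$action"
}

# Run only when called with arguments (as keepalived does), not when sourced.
if [ "$#" -gt 0 ]; then
    handle_notify "$@"
fi
```

Because Keepalived executes this script on every state change, keep it owned and writable only by root and reference it by absolute path in the configuration.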