惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Securelist
C
Cybersecurity and Infrastructure Security Agency CISA
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
S
Security Affairs
Hacker News: Ask HN
Hacker News: Ask HN
L
Lohrmann on Cybersecurity
PCI Perspectives
PCI Perspectives
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
Cyber Attacks, Cyber Crime and Cyber Security
Recent Commits to openclaw:main
Recent Commits to openclaw:main
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
MyScale Blog
MyScale Blog
月光博客
月光博客
W
WeLiveSecurity
T
Threat Research - Cisco Blogs
Martin Fowler
Martin Fowler
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Recorded Future
Recorded Future
The GitHub Blog
The GitHub Blog
Webroot Blog
Webroot Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
TaoSecurity Blog
TaoSecurity Blog
P
Proofpoint News Feed
Google DeepMind News
Google DeepMind News
F
Full Disclosure
U
Unit 42
Jina AI
Jina AI
博客园 - 司徒正美
阮一峰的网络日志
阮一峰的网络日志
L
LINUX DO - 最新话题
宝玉的分享
宝玉的分享
大猫的无限游戏
大猫的无限游戏
The Hacker News
The Hacker News
The Last Watchdog
The Last Watchdog
T
Troy Hunt's Blog
腾讯CDC
T
Threatpost
H
Hacker News: Front Page
P
Palo Alto Networks Blog
博客园 - 聂微东
Last Week in AI
Last Week in AI
有赞技术团队
有赞技术团队
Help Net Security
Help Net Security
L
LINUX DO - 热门话题
N
News and Events Feed by Topic
人人都是产品经理
人人都是产品经理
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Spread Privacy
Spread Privacy

博客园 - 深海蓝精灵

Linux 系统架构:aarch64,docker、Docker-compose,包下载安装配置 Linux 部署nacos3.1.2,修改Console默认8080端口,修改为8081的解决方案 CloudBeaver Community,web界面,查询表字段长度、及存储过程信息 Linux 服务器 mac 地址查询命令 Linux-LVM 方式挂载大于3T磁盘,详细操作过程 BCLinux,镜像安装GitLab社区版 v18.5.1 Bcliux-docker-nacos2.2.0升级至2.2.3版本 Linux-查询全部密码过期用户 Oracle删除表数据恢复方法 BcLinux-Redis-集群(cluster)安装配置 Bclinux离线安装PostgreSQL10.23+PostGIS2.5编译安装配置 Oracle-失效链接清理 Linux-shell脚本链接Oracle执行查询 Linux系统中,修改密码永不过期 Oracle中replace函数使用简介 ORA-01652: 无法通过 128 (在表空间 TEMP 中) 扩展 temp 段 BcLinux-Redis-集群(cluster)模式安装配置 Oracle-修改字段类型方法总结 Bclinux系统安装MongoDB Linux-下docker和主机之间的文件拷贝 解决:tcpdump -w xxxxx.cap 提示 Permission denied
Linux aarch64 架构离线 Docker-compose 搭建 Nginx+Keepalived 双机热备(高可用集群)
深海蓝精灵 · 2026-05-26 · via 博客园 - 深海蓝精灵

Linux aarch64 架构离线 Docker-compose 搭建 Nginx+Keepalived 双机热备(高可用集群)
一、前置说明
    架构:两台 aarch64 服务器,主备模式,Keepalived 管理 VIP 漂移,Docker 容器化 Nginx+Keepalived
    离线要求:提前下载 aarch64 架构的 Docker 镜像、Docker-compose 二进制包,无外网依赖
    核心信息
        主节点:192.168.158.120 | 备节点:192.168.158.121
        VIP:192.168.158.123 | 网卡:enp3s0
        Nginx 端口:6001、6002 | HTTPS 协议
        安装目录:/home/test/nginx、/home/test/keepalived
        镜像版本:nginx:1.29.7、keepalived:2.3.4(aarch64)
二、离线资源包下载(aarch64/arm64 专用)
1. Docker 镜像离线包(直接下载,拷贝到两台服务器)
# Nginx 1.29.7 aarch64 离线镜像
https://download.docker.com/linux/ubuntu/dists/jammy/pool/stable/arm64/nginx_1.29.7_arm64.tar
# Keepalived 2.3.4 aarch64 离线镜像
https://download.docker.com/linux/ubuntu/dists/jammy/pool/stable/arm64/keepalived_2.3.4_arm64.tar
# 备用官方镜像拉取导出(有外网机器执行,导出后拷贝到离线服务器)
docker pull --platform arm64 nginx:1.29.7
docker save -o nginx-images-1.29.7-arm64-20260525.tar nginx:1.29.7
docker pull --platform arm64 keepalived:2.3.4
docker save -o keepalived-images-2.3.4-arm64-20250525.tar keepalived:2.3.4
2. Docker-compose aarch64 离线二进制包
https://github.com/docker/compose/releases/download/v2.29.1/docker-compose-linux-aarch64
3. 两台服务器统一目录结构(必须创建)
# 两台服务器都执行
mkdir -p /home/test/nginx/{conf,html,certs,logs}
mkdir -p /home/test/keepalived/conf
mkdir -p /home/test/setup                      # 存放离线镜像、docker-compose
三、基础环境配置(两台服务器都执行)
1. 上传离线包
将以下文件上传到两台服务器 /home/test/setup 目录:
    docker-compose-linux-aarch64
    nginx-images-1.29.7-arm64-20260525.tar
    keepalived-images-2.3.4-arm64-20250525.tar
2. 安装并授权 Docker-compose
# 移动到系统命令目录
mv /home/test/setup/docker-compose-linux-aarch64 /usr/local/bin/docker-compose
# 授权可执行
chmod +x /usr/local/bin/docker-compose
# 验证版本
docker-compose -v
3. 离线加载 Docker 镜像
# 加载Nginx镜像
docker load -i /home/test/setup/nginx-images-1.29.7-arm64-20260525.tar
# 加载Keepalived镜像
docker load -i /home/test/setup/keepalived-images-2.3.4-arm64-20250525.tar
# 查看镜像(确认加载成功)
docker images
4. 系统内核参数(允许 VIP 绑定,两台都执行)
# 临时生效
echo "net.ipv4.ip_nonlocal_bind=1" >> /etc/sysctl.conf
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
# 永久生效
sysctl -p
5. 防火墙放行端口(两台都执行)
# 放行Nginx端口、VRRP协议(Keepalived使用)
firewall-cmd --add-port=6001/tcp --permanent
firewall-cmd --add-port=6002/tcp --permanent
firewall-cmd --add-protocol=vrrp --permanent
firewall-cmd --reload
# 关闭防火墙(测试环境可直接关闭)
systemctl stop firewalld
systemctl disable firewalld
整体目录结构:
/home/test/ha-nginx
├── nginx-keepalived-docker-compose.yml
├── keepalived/
│   ├── keepalived.conf
│   ├── keepalived.conf
│   └── docker-healthcheck.sh
└── nginx/
    └── html/
        └── index.html
四、主节点(192.168.158.120)配置
1. Nginx HTTPS 配置文件
创建 /home/test/nginx/conf/nginx.conf
[test@zkm01 ~/nginx/conf]$ cat nginx.conf 
#load_module modules/ngx_http_vhost_traffic_status_module.so;
user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

#    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
#                      '$status $body_bytes_sent "$http_referer" '
#                      '"$http_user_agent" "$http_x_forwarded_for"';

    log_format  main  '"$upstream_addr" - [$time_local] - "$request"'
                      ' - "$status" - '
                      '"$http_user_agent" - "$proxy_add_x_forwarded_for" - "$remote_addr" - "$http_x_forwarded_for" ';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}
[test@zkm01 ~/nginx/conf]$ 
2. 上传 HTTPS 证书
将你的 server.crt 和 server.key 上传到:/home/test/nginx/certs/
3. Keepalived 主节点配置
创建 /home/test/keepalived/conf/keepalived.conf
[test@zkm01 ~/ha-nginx]$ cat /home/test/keepalived/conf/keepalived.conf
global_defs {                    #1.全局配置标题
    router_id NGINX_MASTER        #2.(重点参数)局域网keepalived主机身份标识信息 每一个keepalived主机身份标识信息唯一
    vrrp_strict false              #3.关闭严格模式
    script_user root               #4.建议脚本执行用户改为 root,避免权限问题
    enable_script_security        
}

# 检查nginx状态的脚本,健康监测脚本
vrrp_script chk_nginx {
    script "/docker-healthcheck.sh nginx"    #5.脚本路径
    interval 2                                #6.脚本执行间隔时间
    weight -20
    user root
}

vrrp_instance VI_1 {        #7.vrrp协议相关配置(vip地址设置)
    state MASTER            #8.keepalived角色描述(状态)信息,可以配置参数(MASTER BACKUP)
    interface enp3s0          #9.修正为宿主机真实网卡
    virtual_router_id 51    #10.表示keepalived家族标识信息
    priority 150            #11.keepalived服务竞选主备服务器优先级设置(越大越优先)
    advert_int 1            #12.主服务组播包发送间隔时间
    authentication {        #13.主备主机之间通讯认证机制,
        auth_type PASS        #14.指定认证方式。PASS简单密码认证(推荐),AH:IPSEC认证(不推荐)
        auth_pass 1111        #15.指定认证所使用的密码。最多8位
    }
    virtual_ipaddress {        #16.设置虚拟IP地址信息
        192.168.158.123/24    #17.这里设置VIP
    }
    track_script {
        chk_nginx
    }

4. 主节点 nginx-keepalived-docker-compose.yml
[test@zkm01 ~/ha-nginx]$ cat /home/test/ha-nginx/nginx-keepalived-docker-compose.yml 
version: '3'
services:
  # Nginx服务
  nginx:
    image: nginx:1.29.7
    container_name: nginx-ha
    restart: always
    network_mode: host
    cap_add:
      - NET_ADMIN
    volumes:
      - /home/test/nginx/conf/nginx.conf:/etc/nginx/nginx.conf
      - /home/test/nginx/html:/usr/share/nginx/html
      - /home/test/nginx/certs:/usr/share/nginx/certs
      - /home/test/nginx/logs:/var/log/nginx
      - /home/test/nginx/conf/conf.d:/etc/nginx/conf.d
    #开启network_mode: host,端口配置可以忽略配置
    ports:
      - 6001:6001
      - 6002:6002
  # Keepalived服务
  keepalived:
    image: keepalived:2.3.4
    container_name: keepalived-ha
    restart: always
    network_mode: host            # 必须 host 模式,否则 VIP 绑定失败
    privileged: true              # 必须开启特权,才能操作网卡
    cap_add:
      - NET_ADMIN
      - NET_BROADCAST
      - NET_RAW
    volumes:
      - /home/test/keepalived/conf/keepalived.conf:/etc/keepalived/keepalived.conf        # keepalived 配置文件挂载路径
      - /home/test/keepalived/conf/docker-healthcheck.sh:/docker-healthcheck.sh            # 挂载健康检查脚本
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      #- KEEPALIVED_AUTOCONF=false
      - KEEPALIVED_INTERFACE=enp3s0    # 根据实际网卡名调整
    depends_on:
      - nginx
五、备节点(192.168.158.121)配置
1. Nginx 配置
与主节点完全一致:
    拷贝 /home/test/nginx/ 所有文件到备节点
    证书、配置、目录结构保持相同
2. Keepalived 备节点配置
创建 /home/test/keepalived/conf/keepalived.conf
[test@zkm02 ~]$  cat /home/test/keepalived/conf/keepalived.conf
global_defs {
    router_id NGINX_BACKUP        # 1.备节点标识
    vrrp_strict false              # 2.关闭严格模式
    script_user root               # 3.建议脚本执行用户改为 root,避免权限问题
    enable_script_security
}

vrrp_script chk_nginx {
    script "/docker-healthcheck.sh nginx"
    interval 2
    weight -20
    user root
}

vrrp_instance VI_1 {
    state BACKUP
    interface enp3s0              # 4. 修正为宿主机真实网卡
    virtual_router_id 51
    priority 100                # 5.低于主节点
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.158.123/24
    }
    track_script {
        chk_nginx
    }
}

[test@zkm02 ~/ha-nginx]$ 
3. 备节点 nginx-keepalived-docker-compose.yml
与主节点完全一致,直接拷贝即可。
[test@zkm02 ~]$  cat /home/test/ha-nginx/nginx-keepalived-docker-compose.yml 
version: '3'
services:
  # Nginx服务
  nginx:
    image: nginx:1.29.7
    container_name: nginx-ha
    restart: always
    network_mode: host
    cap_add:
      - NET_ADMIN
    volumes:
      - /home/test/nginx/conf/nginx.conf:/etc/nginx/nginx.conf
      - /home/test/nginx/html:/usr/share/nginx/html
      - /home/test/nginx/certs:/usr/share/nginx/certs
      - /home/test/nginx/logs:/var/log/nginx
      - /home/test/nginx/conf/conf.d:/etc/nginx/conf.d
    ports:
      - 6001:6001
      - 6002:6002
  # Keepalived服务
  keepalived:
    image: keepalived:2.3.4
    container_name: keepalived-ha
    restart: always
    network_mode: host
    privileged: true  # 关键修复
    cap_add:
      - NET_ADMIN
      - NET_BROADCAST
      - NET_RAW
    volumes:
      - /home/test/keepalived/conf/keepalived.conf:/etc/keepalived/keepalived.conf
      - /home/test/keepalived/conf/docker-healthcheck.sh:/docker-healthcheck.sh
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
     #- KEEPALIVED_AUTOCONF=false
      - KEEPALIVED_INTERFACE=enp3s0  # 根据实际网卡名调整
    depends_on:
      - nginx
六、启动服务(两台服务器分别执行)
# 进入目录
cd /home/test/ha-nginx
# 后台启动容器
sudo docker-compose -f /home/test/ha-nginx/nginx-keepalived-docker-compose.yml up -d
sudo docker-compose -f /home/test/ha-nginx/nginx-keepalived-docker-compose.yml down
# 查看容器状态
sudo docker ps
# 查看日志
sudo docker ps -a
sudo docker logs -f -t -n=5 nginx-ha
sudo docker logs -f -t -n=5 keepalived-ha
七、创建 Nginx 目录(两台都执行)
echo "MASTER Nginx" > /home/test/nginx/html/index.html   # 主节点
echo "BACKUP Nginx" > /home/test/nginx/html/index.html   # 备节点
--权限
chmod -R 755 /home/test/nginx/html/
chmod -R 755 /home/test/nginx/certs/
/home/test/keepalived
cat > docker-healthcheck.sh << 'EOF'
#!/bin/bash
# 检查 Nginx 是否存活
if ps aux | grep nginx | grep -v grep > /dev/null; then
    exit 0
else
    exit 1
fi
EOF
# 赋予执行权限
chmod +x docker-healthcheck.sh
八、高可用验证
1. 查看 VIP 绑定
ip addr | grep 192.168.158.123
# 主节点执行,VIP应在主节点
ip addr show enp3s0
2. 访问测试
# 浏览器/命令访问VIP(HTTPS)
curl -k https://192.168.158.123:6001/index.html
curl -k https://192.168.158.123:6002/index.html
3. 故障模拟(主节点宕机)
# 主节点停止Nginx
docker stop nginx-ha
# 查看VIP是否漂移到备节点
ip addr show enp3s0
# 访问VIP,服务正常则高可用生效
4. 恢复主节点
# 主节点启动Nginx
docker start nginx-ha
# VIP自动切回主节点
九、常用运维命令
# 重启服务
docker-compose restart
# 停止服务
docker-compose down
# 查看VIP
ip addr | grep 192.168.158.123
# 查看容器日志
docker-compose logs -f
总结
    全套离线 aarch64 架构部署,无外网依赖
    Nginx 双端口 HTTPS 服务,自定义目录 + 证书挂载
    Keepalived 自动检测 Nginx 存活,VIP 自动漂移,实现秒级切换
    主备配置仅需修改 Keepalived 的state和priority,操作极简
    Docker-compose 统一管理,运维便捷,可直接用于生产环境