From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] keepalived: Update to version 2.2.7
Date: Tue, 12 Apr 2022 12:34:28 +0200
Message-ID: <20220412103428.59367-1-adolf.belka@ipfire.org>

- Update from 2.2.4 to 2.2.7
- Update of rootfile
- Changelog

Release 2.2.7 brings lots of improvements and fixes some minor issues reported. It adds some new VRRP features as well. Stability has been even more extended.

New
ipvs: Add support to twos scheduler.
vrrp: Add vrf option for unicast without specifying an interface.
vrrp: Add option unicast_fault_no_peer. Previously if unicast_src_ip (or any other unicast option) was specified, but no unicast peers were configured, then the VRRP instance would operate in multicast mode. A user has identified that, due to automatic configuration generation, they could have a configuration that should operate in unicast mode, but that no unicast peers were configured. In this case, they did not want the VRRP instance to revert to multicast mode. In order to maintain backward compatibility, keepalived can't simply change to not allowing no unicast peers. Instead, this commit adds the configuration option "unicast_fault_no_peer", which if specified causes the VRRP instance to go to fault state if no unicast peers are configured.
vrrp: Allow specification of multicast address to be used.
vrrp: Add vrf option to static and vrrp routes.
vrrp: Add option to resend vrrp states on fifos after reload. Since keepalived restarts FIFO scripts it is managing when a reload occurs, it can be helpful to send the VRRP instance and group states after a reload. This commit adds option fifo_write_vrrp_states_on_reload to do that, and it means that what is written to the FIFOs with default configuration does not change.
vrrp: Allow duplication of VRIDs on an interface with unicast peers. If two VRRP instances are using unicast peers and there is no overlap of unicast peers between the vrrp instances, then the vrrp instances can use the same VRIDs.
global: Don't assume running as user root.
systemd: Add keepalived-non-root.service systemd service file. keepalived-non-root.service allows keepalived to be run as a non-root user, but with specific added capabilities to allow all the functionality that keepalived needs.

Improvements
vrrp: Stop receiving any data on garp and ndisc sockets. This is a send-only channel.
vrrp: Open gratuitous ARP socket as an ARP socket rather than RARP. Now that the receiving of packets on the garp socket has been stopped, we can open the socket with the correct type of binding, and we won't have a queue of received messages build up.
vrrp: Extend cBPF filtering code to support standard definition.
vrrp: Optimise nftables configuration to limit some rules to macvlans. If we are moving messages that have been generated on a macvlan, the nftables rules can be optimised to restrict them to macvlan interfaces.
vrrp: Drop ICMPV6 Router Solicitation messages from vmac interfaces. When we create a vmac interface, a short time afterwards the kernel sends a router solicitation message with the source MAC address of the vmac interface. The problem is that this will upset snooping switches if the VRRP instance is in backup state. Furthermore, we can't simply move the packet onto the underlying interface since the ICMPV6 payload also contains the MAC address of the vmac interface. We can't just change the MAC address in the ICMPV6 message, since there is also a checksum which would need to be recalculated. The only solution at the moment is to drop the packet. This shouldn't be a problem since the underlying interface should have sent a Router Solicitation message when it came up.
vrrp: Add option to specify MAC address for VMACs.
vrrp: Don't lose some configuration faults. The following errors were being detected in vrrp_complete_instance() and the VRRP instance was then supposed to be put into fault state since it couldn't operate. However, the need to go to fault state was subsequently being lost. The configuration errors that were being lost were: (a) Configuring use of a VMAC on a non-Ethernet interface (b) Attempting to use multicast on an interface that doesn't support it (c) Using an ipvlan without a source IP address (d) ipvlan address family not matching VRRP instance's (e) VRID conflicts on an interface which could be deleted and recreated on a different interface (f) An interface specified for a VIP is the same as the VRRP instance's VMAC or another VRRP instance's VMAC. This improvement ensures that the VRRP instance will be put into, and remain in, fault state, since it cannot successfully operate. As can be seen from the list of circumstances above, they were very unlikely to occur, but were possible.
vrrp: Bind IPv6 socket to multicast address. Previously IPv6 sockets were being bound to the ::1 address, since trying to bind to the multicast address was failing. The reason for failing has now been discovered to be that the scope_id needed to be set (i.e. the interface index), since the multicast addresses that we use are link-local multicast addresses. This improvement now sets the scope_id, so the socket can successfully be bound to the multicast address.
vrrp: Set IPV6_MULTICAST_ALL on IPv6 sockets if available.
vrrp: Some SNMP extensions and improvements:
  - Correct FastOpenNoCookie and L3Mdev variable types
  - Don't write multicast address to SNMP when using unicast.
  - Don't write unconfigured LVS sync daemon address to SNMP.
  - Define and use SNMP_TruthValue.
  - Define and use SNMP_InetAddressType.
  - Correct reporting accept mode for VRRPv3 SNMP.
vrrp: Misc DBus improvements (Opening, logging, data_dir, policy, ...)
vrrp: Handle VMAC's interface changing on reload properly.
vrrp: If accept traffic for VIPs changes on reload, update firewall.
vrrp: Stop going to backup if reload IPv6 and change vmac_xmit_base.
vrrp: Add add/prepend/append options to static and virtual routes. The kernel by default prepends routes, whereas the ip (iproute2) utility by default adds routes (adding a route does not allow duplicates whereas appending or prepending does). keepalived previously has not set the flags relating to this, and so has always prepended routes. This means that duplicate routes could be created.
lib: Update Red Black tree code to Linux 5.15-rc4.
script: Extend sample_notify_fifo.sh.
doc: Misc documentation updates.
docker: Update docker file.
init: Init handling extensions. Make parent process exit with meaningful status on error. Ensure systemd is not notified of successful start if failed. Fix building without systemd notify support.
bfd: Handle unexpected closure of pipe to checker and vrrp processes. If the parent process abnormally terminates and then the BFD process terminates due to PDEATHSIG before the vrrp or checker processes terminate, the vrrp and checker processes can get a read error on the pipes used to communicate with the BFD process.
bfd: Make BFD work when IPv6 disabled on system.

Fixes
lib: Fix calculating CLOCK_REALTIME and CLOCK_MONOTONIC offsets.
lib: scheduler: Handle cancelling timer thread on ready queue. The timer thread on the ready queue, if cancelled, was corrupting the read list_head, since it assumed it was on a red black tree.
snap: Fix building snaps.
ipvs: Fix building with glibc prior to v2.19 (released 2014).
bfd: Handle interface down/address missing when keepalived starts. This resolves a segfault, and also makes bfd retry once per minute to create send socket if it cannot do so due to no address to bind to on an interface.
vrrp: Fix unicast with interface in a VRF domain.
vrrp: Fix moving excess VIPs to eVIPs, by properly handling vip_cnt.
vrrp: Fix configured IPv6 multicast addresses with VMACs. Using different multicast addresses with IPv6 on the same interface without using VMACs is only supported if the kernel supports IPV6_MULTICAST_ALL (from Linux v4.20).
vrrp: Fix checking for unicast with VMAC/ipvlan and no peers.
vrrp: Fix checking if have unicast peers if unicast_ttl specified.
vrrp: Don't segfault if duplicate VMAC name, but ignore second name.
vrrp: Don't delete and recreate VMAC on reload if only VRID has changed. There seems to be an issue deleting and then immediately recreating a VMAC on the same interface. This commit therefore simply changes the MAC address if the only change is the VRID.
vrrp: Fix nftables config if VMAC interface changed on reload.
vrrp: Don't segfault if don't have permission for ARP/NDISC socket.
vrrp: Fix IPv6 with vmac_xmit_base.
vrrp: Fix disabling vmac-xmit-base with VRRPv3 IPv6 use_vmac.
vrrp: Fix specifying user/group for vrrp_scripts.

Signed-off-by: Adolf Belka
---
 config/rootfiles/packages/keepalived | 5 +----
 lfs/keepalived                       | 6 +++---
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/config/rootfiles/packages/keepalived b/config/rootfiles/packages/keepalived
index 4865db0b0..b0fbe7363 100644
--- a/config/rootfiles/packages/keepalived
+++ b/config/rootfiles/packages/keepalived
@@ -1,8 +1,6 @@ #etc/keepalived -etc/keepalived/keepalived.conf +etc/keepalived/keepalived.conf.sample etc/keepalived/samples -#etc/keepalived/samples/client.pem -#etc/keepalived/samples/dh1024.pem #etc/keepalived/samples/keepalived.conf.HTTP_GET.port #etc/keepalived/samples/keepalived.conf.IPv6 #etc/keepalived/samples/keepalived.conf.PING_CHECK @@ -28,7 +26,6 @@ etc/keepalived/samples #etc/keepalived/samples/keepalived.conf.vrrp.scripts #etc/keepalived/samples/keepalived.conf.vrrp.static_ipaddress #etc/keepalived/samples/keepalived.conf.vrrp.sync -#etc/keepalived/samples/root.pem #etc/keepalived/samples/sample.misccheck.smbcheck.sh #etc/keepalived/samples/sample_notify_fifo.sh etc/rc.d/init.d/keepalived diff --git a/lfs/keepalived b/lfs/keepalived index 0b45f24d9..d6c913f7a 100644 --- a/lfs/keepalived +++ b/lfs/keepalived @@ -26,7 +26,7 @@ include Config =20 SUMMARY =3D A keepalive facility for Linux =20 -VER =3D 2.2.4 +VER =3D 2.2.7 =20 THISAPP =3D keepalived-$(VER) DL_FILE =3D $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM =3D $(URL_IPFIRE) DIR_APP =3D $(DIR_SRC)/$(THISAPP) TARGET =3D $(DIR_INFO)/$(THISAPP) PROG =3D keepalived -PAK_VER =3D 10 +PAK_VER =3D 11 =20 DEPS =3D =20 @@ -48,7 +48,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_BLAKE2 =3D 835198fb23312e87894e7740427411d974c00f71029b273d8da3e7= 87ef92848127d896b456fb40db8d802b6c7555e6524872f136f868e19c62387a9471e44b0f +$(DL_FILE)_BLAKE2 =3D 62c4534eb1eebeac596b628a1fa5fb4069498d532fdeff0dc51afb= c71e90125bff7fcffb897da3fd34765c64f43d7b04dcf184169b1bc2cf33413e109f9f5cdc =20 install : $(TARGET) =20 --=20 2.35.1 --===============1933135407970111341==--
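Review bot: the switch from etc/keepalived/keepalived.conf to etc/keepalived/keepalived.conf.sample in the first hunk of config/rootfiles/packages/keepalived is not explained by the commit message, which only says "Update of rootfile". Since the rootfile lists what the package installs, this reads as a deliberate change so that a package update no longer overwrites an administrator's live keepalived.conf, which is worth a sentence; it also means a fresh install of the add-on ships no keepalived.conf at all, so the init script and any install or update handling should be checked for the case where only the .sample file exists.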
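Review bot: the deleted #etc/keepalived/samples/root.pem line in the second rootfile hunk, like the #etc/keepalived/samples/client.pem and #etc/keepalived/samples/dh1024.pem lines removed in the first hunk, was already commented out, so nothing in the shipped package changes; a short note in the commit message that these entries go because the 2.2.7 tarball no longer carries these sample certificates (presumably the reason) would spare the next reviewer a look into the archive.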
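Review bot: the new $(DL_FILE)_BLAKE2 value in the last hunk of lfs/keepalived is the only integrity check applied to the tarball, and DL_FROM is $(URL_IPFIRE) (visible in the context of the preceding hunk), i.e. the IPFire mirror rather than the upstream release page. The commit message should state how the checksum was obtained, ideally by verifying the downloaded archive against upstream's published release checksum or signature before computing the BLAKE2 hash, so that a substituted archive on the mirror is not simply blessed by this patch.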
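The unicast_fault_no_peer change described in the changelog above, as an added configuration example (not from this patch nor one of keepalived's own sample files): a generated unicast VRRP instance whose peer list can come out empty. Interface, addresses, router name and VRID are placeholders, and the option is assumed to be valid inside a vrrp_instance block, as the changelog's wording suggests.

```conf
# Added example, not part of the patch or of keepalived's shipped samples.
# All names and addresses below are constructed for illustration.
global_defs {
    router_id fw-a
}

vrrp_instance VI_FW {
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1

    # Generated unicast setup: the generator always emits unicast_src_ip
    # and one line per peer from its inventory. When the inventory is
    # empty it emits no unicast_peer block at all, which is exactly the
    # case the changelog describes:
    unicast_src_ip 192.0.2.10
    # unicast_peer {
    #     192.0.2.11
    # }

    # Before 2.2.7 a missing peer list silently turned this instance into
    # a multicast VRRP speaker on eth0, advertising where it should not.
    # With this option the instance goes to FAULT instead, which shows up
    # in the log and in notify scripts rather than on the wire.
    unicast_fault_no_peer

    virtual_ipaddress {
        192.0.2.1/24 dev eth0
    }
}
```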