change keepalived default config to
/var/ipfire/keepalived/keepalived.conf so keepalived WebUI
could read/write the configuration file. also add
/var/ipfire/keepalived directory
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
keepalived: create /var/ipfire/keepalived
- Update from version 2.2.7 to 2.2.8
- Update of rootfile not required
- Changelog
2.2.8 31th May 2023
This release brings improvements and fix some minor issues reported. It add some
new VRRP and BFD features as well.
New
vrrp: Add support for Infiniband over IPv6. Github issue #2100 reported that
attempting to use IPv6 over Infinband was causing keepalived to segfault
It turned out that vrrp_ndisc.c had a comment that it still needed to be
implemented, which we have now been able to do with someone in a position
to test it. With many thanks for Itel Levy of NVIDIA, Israel for
reporting the issue and and testing the patch to confirm that it works.
vrrp: Add no_virtual_ipaddress keyword. This keyword suppresses warnings for
no virtual ipaddresses configured and allows none to be configured when
using VRRPv3.
vrrp: Add –enable-nm configure option. –enable-nm adds support for Keepalived
telling NetworkManager not to manage VMAC interfaces the keepalived
creates. Early versions of NM (i.e. at least up to v1.12, but resolved
at the latest by v1.18) would set the VMAC inerfaces as managed by
NetworkManager, and then if the underlying interface went down, NM
would down the VMAC interface and the VRRP instance would never recover
from fault state.
vrrp: add v3_checksum_as_v2 configuration option. RFC 5798 (the VRRPv3 RFC)
states regarging the checksum:
5.2.8. Checksum
The checksum field is used to detect data corruption in the VRRP
message. The checksum is the 16-bit one’s complement of the one’s
complement sum of the entire VRRP message starting with the
version field and a “pseudo-header” as defined in Section 8.1 of
[RFC2460]. The next header field in the “pseudo-header” should be
set to 112 (decimal) for VRRP. For computing the checksum, the
checksum field is set to zero. See RFC1071 for more detail
Some manufacturers (e.g. Cisco) interpret this to mean that the
pseudo- header is not included in the checksum calculation, since
RFC2460 only defines a pseudo-header for IPv6. RFC3768 (the last
VRRPv2 RFC) did not include a pseudo-header in the checksum.
However, keepalived has always included a pseudo-header in the
VRRPv3 IPv4 checksum, which is also consistent with the default
setting in Wireshark. In order to allow interoperation with
Cisco routers, and possibly other manufacturers, the
“v3_checksum_as_v2” keyword, when configured in global_defs to
set the default for all vrrp_instances, or in individual
vrrp_instances, causes those vrrp_instances to exclude the
pseudo- header from the checksum. The default action of including
the pseudo- header in the checksum remains unchanged.
vrrp: Add option to revert to backup if thread timer expires. If the VRRP
process is not scheduled for sufficiently long, another VRRP instance
may have taken over as master. For some users, minimising the number of
master switches is desired, and so if nopreempt is configured (if it is
not configured the highest priority instance will take over as master
again), and if it is too long after a thread timer expires before
keepalived is scheduled to run so that another instance will probably
have taken over as master, we will just revert to backup state rather
than sending further adverts. The keyword that configures this is
thread_timer_expired.
vrrp: Add optional new JSON format including track_process details. The
original JSON format did not allow for adding additional object types
other than the original vrrp instances. This commit adds a json_version
2, which puts the vrrp instances in a named array and adds an array of
the track_processes.
core: add option to check for malloc’s etc returning NULL. Configure option
–enable-malloc-check will cause the returned value of
malloc/realloc/strdup/strndup to be checked to ensure that they do not
return NULL. If any such call does return NULL a message will be logged
and the process will terminate. Unless sysctl vm.overcommit_memory == 2
(default is usually 0), or the malloc would cause the process virtual
address space to exceed the limit, malloc etc will not return NULL. It
is only once there is a write into the memory block that the memory is
actually allocated, and if there is insufficient memory (including swap
space), then the OOM killer will step in to either kill keepalived, or
kill another process. Consequently checking for NULL being returned is
generally a waste of time and program size.
ipvs: Add option to check OpenSSL mallocs/frees for validity.
ipvs: Add option to let SSL_GET shutdown comply with TLS spec.
bfd: Add multihop option to conform with RFC5883. RFCs 5881 and 5883 state
that port 3784 is used for single hop BFD and port 4784 is used for
multihop. The commit adds configuration option “multihop” to use port
4784 rather than port 3784.
Improvements
vrrp: Don’t adjust vrrp receive timeout during delayed start. The timeout for
a vrrp instance to become master should not be changed if an advert is
received during the delayed start - the timeout is set to include the
delayed start and the (3 to 4) * advert int delay to take over as master.
vrrp: Remove redundant checks of snmp_option.
vrrp: deley freeing vrrp instances until all references are freed. Trackers
etc have lists for vrrp instances that are tracking them. Therefore the
trackers, and their references, must be freed before the vrrp instances
are freed.
vrrp: restore the vmac ipv6 link-local after flapping. The user is not
supposed to shutdown a vmac interface created by keepalived. However,
it can mistakenly happen. When the link is re-established, the
link-local has disappear (the kernel removes all IPv6 addresses on link
down except if keep_addr_on_down sysctl is on) and sending VRRP packet
is no nore possible. Restore the IPv6 Link-Local after a VMAC interface
flapping. A Link-Local is not set when the VRRP packets are sent from
the base interface (vmac-xmit-base). Note that the IPv6 Virtual
Addresses are also removed on link down which is the desired behavior.
Enabling keep_addr_on_down sysctl would keep the link-local without
this patch but would break this behavior.
doc: Man pages and documentation updates. Add explanation of why unicast
VRRPv3 checksum changed.
configure: Add systemd auto option. fix default config file with ${prefix}
use. use back-ticks rather than $(…) for commmands. Improve
checking for ${prefix}.
ipvs: Don’t report HTTP_CHECK when it is an SSL_CHECK.
ipvs: Work around OpenSSL memory leak in versions 3.0.0 to 3.0.4. The memory
leak was observed with OpenSSL 3.0.1, and it is resolved by version
3.0.5. Also the leak is not observed in v1.1.1n.
ipvs: Simplify SSL_GET handling code.
Fixes
rpm: Fix RPM spec file to use kmod-lib and kmod-devel rather than libkmod.
vrrp: Fix NFT support to properly handle build with L4PROTO support.
vrrp: Resolve segfault when enable_snmp_vrrp is added at a reload.
vrrp: workaround GCC LTO bug causing incorrect VRRPv3 checksum. The problem
was observed with GCC versions 11.2, 11.3.1 and 12.1.1, on Ubuntu 22.04,
Fedora 34, Fedora 36 and Fedora 37 (Rawhide). The problem did not occur
when not using LTO, nor when using clang, even with LTO.
vrrp: fix ipv6 vrrp in fault state because no ipv4 address. Setting an IPv6
VRRP virtual address on an interface that has no IPv4 address results
in a persistent FAULT state.
core: Fix segfault when receive netlink message for static default route added.
build: Fix order of -lssl -lcrypto. This needs to be correct in order to be
able to use static library linking on Alpine Linux.
build: Fix build with libressl. SSL_set0_rbio is provided by libressl since
version 3.4.0 and libressl/openbsd@c99939f but SSL_set0_wbio is not
provided resulting in build failure.
build: Fix out of tree builds. Fix build error with –disable-track-process.
build: Fix building with –disable-vmac.
build: Fix compiler warning when building without VRRP authentication.
parser: Fix segfault caused by extra ‘}’ and other parser fixes. If there was
a configuration error in a block, e.g. a vrrp_instance, keepalived
would apply the configuration in the rest of the block to the
previous object of that type, e.g. the previous vrrp instance. If
there had been no previous instance, keepalived would probably
segfault. This commit changes the way the parser works. A new
instance of an object, e.g. a VRRP instance or a virtual server, is
only added to the list of those objects once the configuration of
that object is complete. In particular it no longer applies the
configuration to the last entry on the list of the relevant object
type, but keeps a point to the object currently being configured.
parser: Optimise fixing recalculating updated line length.
ipvs: Fix memory leaks when configuration is repeated. Use last entry if
duplicate definition.
lib: Fix malloc check code for CPUs without unaligned memory access.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Since we have extended services.cgi that it reads the Services field
from the Pakfire metadata, we will need to make sure that that metadata
is going to be on those systems.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 2.2.4 to 2.2.7
- Update of rootfile
- Changelog
Release 2.2.7 brings lots of improvements and fix some minor issues reported. It add
some new VRRP features as well. Stability has been even more extended.
New
ipvs: Add support to twos scheduler.
vrrp: Add vrf option for unicast without specifying an interface.
vrrp: Add option unicast_fault_no_peer. Previously if unicast_src_ip (or any
other unicast option) was specified, but no unicast peers were
configured, then the VRRP instance would operate in multicast mode. A
user has identified that, due to automatic configuration generation,
they could have a configuration that should operate in unicast mode,
but that no unicast peers were configured. In this case, they did not
want the VRRP instance to revert to multicast mode. In order to
maintain backward compatibility, keepalived can’t simply change to not
allowing no unicast peers. Instead, this commit adds the configuration
option “unicast_fault_no_peer”, which if specified causes the VRRP
instance to go to fault state if no unicast peers are configured.
vrrp: Allow specification of multicast address to be used.
vrrp: Add vrf option to static and vrrp routes.
vrrp: Add option to resend vrrp states on fifos after reload. Since
keepalived restarts FIFOs scripts it is managing when a reload occurs,
it can be helpful to send the VRRP instance and group states after a
reload. This commit adds option fifo_write_vrrp_states_on_reload to do
that, and it means that what is written to the FIFOs with default
configuration does not change.
vrrp: Allow duplication of VRIDs on an interface with unicast peers. If two
VRRP instances are using unicast peers and there is no overlap of
unicast peers between the vrrp instances, then the vrrp instances can
use the same VRIDs.
global: Don’t assume running as user root.
systemd: Add keepalived-non-root.service systemd service file.
keepalived-non-root.service allows keepalived to be run as a non
root user, but with specific added capabilities to allow all the
functionality that keepalived needs.
Improvements
vrrp: Stop receiving any data on garp and ndisc sockets. This is a send-only
channel.
vrrp: Open gratuitous ARP socket as an ARP socket rather than RARP. Now that
the receiving of packets on the garp socket has been stopped, we can
open the socket with the correct type of binding, and we won’t have a
queue of received messages build up.
vrrp: Extend cBPF filtering code to support standard definition.
vrrp: Optimise nftables configuration to limit some rules to macvlans. If we
are moving messages that have been generated on a macvlan, we nftables
rules can be optimised to restrict them to macvlan interfaces.
vrrp: Drop ICMPV6 Router Solicitation messages from vmac interfaces. When we
create a vmac interface, a short time afterwards the kernel sends a
router solicition message with the source MAC address of the vmac
interface. The problem is that this will upset snooping switches if
the VRRP instance is in backup state. Furthermore, we can’t simply
move the packet onto the underlying interface since the ICMPV6 payload
also contains the MAC address of the vmac interface. We can’t just
change the MAC address in the ICMPV6 message, since there is also a
checksum which would need to be recalculated. The only solution at the
moment is to drop the packet. This shouldn’t be a problem since the
underlying interface should have sent a Router solicitation message
when it came up.
vrrp: Add option to specify MAC address for VMACs.
vrrp: Don’t lose some configuration faults. The following errors were being
detected in vrrp_complete_instance() and the VRRP instance was then
supposed to be put into fault state since it couldn’t operate.
However, the need to go to fault state was subsequently being lost.
The configuration errors that were being lost were: (a) Configuring
use of a VMAC on a non Ethernet interface (b) Attempting to use
multicast on an interface that doesn’t support it (c) Using an ipvlan
without a source IP address (d) ipvlan address family not matching
VRRP isntance’s (e) VRID conflicts on an interface which could be
deleted an recreated on a different interface (f) An interface
specified for a VIP is the same as the VRRP instance’s VMAC or another
VRRP instance’s VMAC. This improvement ensures that the VRRP instance
will be put into, and remain in, fault state, since it cannot
successfully operate. As can be seen from the list of circumstances
above, they were very unlikely to occur, but were possible.
vrrp: Bind IPv6 socket to multicast address. Previously IPv6 sockets were
being bound to the ::1 address, since trying to bind to the multicast
address was failing. The reason for failing has now been discovered to
be that the scope_id needed to be set (i.e. the interface index),
since the multicast addresses that we use are link-local multicast
addresses. This improvement now sets the scope_id, so the socket can
successfully be bound to the multicast address.
vrrp: Set IPV6_MULTICAST_ALL on IPv6 sockets if available.
vrrp: Some SNMP extension and improvements: - Correct FastOpenNoCookie and
L3Mdev variable types - Don’t write multicast address to SNMP when
using unicast. - Don’t write unconfigured LVS sync daemon address to
SNMP. - Define and use SNMP_TruthValue. - Define and use
SNMP_InetAddressType. - Correct reporting accept mode for VRRPv3 SNMP.
vrrp: Misc DBus improvements (Opening, logging, data_dir, policy, …)
vrrp: Handle VMAC’s interface changing on reload properly.
vrrp: If accept traffic for VIPs changes on reload, update firewall.
vrrp: Stop going to backup if reload IPv6 and change vmac_xmit_base.
vrrp: Add add/prepend/append options to static and virtual routes. The
kernel by default prepends routes, whereas the ip (iproute2) utility
be default adds routes (adding a route does not allow duplicates
whereas appending or prepending does). keepalived previously has not
set the flags relating to this, and so has always prepended routes.
This means that duplicate routes could be created.
lib: Update Red Black tree code to Linux 5.15-rc4.
script: Extend sample_notify_fifo.sh.
doc: Misc documentation updates.
docker: Upate docker file.
init: Init handling extensions. Make parent process exit with meaningful
status on error. Ensure systemd is not notified of successful start if
failed. fix building without systemd notify suport.
bfd: handle unexpected closure of pipe to checker and vrrp processes. If the
parent process abnormally terminates and then the BFD process
terminates due to PDEATHSIG before the vrrp or checker processes
terminate, the vrrp and checker processes can get a read error on the
pipes used to communicate with the BFD process.
bfd: make BFD work when IPv6 disabled on system.
Fixes
lib: Fix calculating CLOCK_REALTIME and CLOCK_MONOTONIC offsets.
lib: scheduler: Handle cancelling timer thread on ready queue. The timer
thread on the ready queue, if cancelled, was corrupting the read
list_head, since it assumed it was on a red black tree.
snap: Fix building snaps.
ipvs: Fix building with glibc prior to v2.19 (released 2014).
bfd: Handle interface down/address missing when keepalived starts. This
resolves a segfault, and also makes bfd retry once per minute to create
send socket if it cannot do so due to no address to bind to on an
interface.
vrrp: Fix unicast with interface in a VRF domain.
vrrp: Fix moving excess VIPs to eVIPs, by properly handling vip_cnt.
vrrp: Fix configured IPv6 multicast addresses with VMACs. Using different
multicast addresses with IPv6 on the same interface without using
VMACs is only supported if the kernel supports IPV6_MULTICAST_ALL
(from Linux v4.20).
vrrp: Fix checking for unicast with VMAC/ipvlan and no peers.
vrrp: Fix checking if have unicast ppers if unicast_ttl specified.
vrrp: Don’t segfault if duplicate VMAC name, but ignore second name.
vrrp: Don’t delete and recreate VMAC on reload if only VRID has changed.
There seems to be an issue deleting and then immediately recreating a
VMAC on the same interface. This commit therefore simply changes the
MAC address if the only change is the VRID.
vrrp: Fix nftables config if VMAC interface changed on reload.
vrrp: Don’t segfault if don’t have permission for ARP/NDISC socket.
vrrp: Fix IPv6 with vmac_xmit_base.
vrrp: fix disabling vmac-xmit-base with VRRPv3 IPv6 use_vmac.
vrrp: Fix specifying user/group for vrrp_scripts.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.
While the sources are nowadays downloaded via HTTPS, it make sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.
Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.
In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremeripfire.org>
* Add a Summary and Services field to all pak lfs files
* Replace occurances of INSTALL_INITSCRIPT with new INSTALL_INITSCRIPTS
macro in all pak lfs files.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
This patch re-enables this package for build and it builds against next
with Linux 5.15.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Not sure why this has ever been there. This simply makes it
nicer to read and edit because we can have line-breaks now.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Since this update is a mayor version update, it brings a lot of changes.
The changelog can be found in here --> http://www.keepalived.com/changelog.html .
Added /etc/sysconfig/keepalived in ROOTFILE and in backup/includes.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The setting cannot be set on the default system because the ip_vs
module is not loaded by default and there is no reason to load it
just because we would be able to set the setting.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This path to keepalived was just incorrect and therefore
the daemon could not easily be reloaded.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Most of these files still used old dates and/or domain names for contact
mail addresses. This is now replaced by an up-to-date copyright line.
Just some housekeeping... :-)
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
