[lvs-users] [ANNOUNCE] Keepalived 1.3.0

Alexandre Cassen acassen at gmail.com
Sun Nov 20 17:48:28 GMT 2016


This is a quick email to announce a new major keepalived release. We are planning with Quentin to push a new release soon as the 2.0.0 release. This one fixes and extends previous parts. It also comes with a security fix for those making extensive use of scripts.

ChangeLog looks like:
2016-11-20 Alexandre Cassen  <acassen at linux-vs.org>
	* keepalived-1.3.0 released.
	* Add DBus functionality to VRRP.
	  Add new pthread off VRRP to expose DBus service org.keepalived.Vrrp1
	  through a GMainLoop.
	  Create a general /org/keepalived/Vrrp1/Vrrp DBus
	  object and a /org/keepalived/Vrrp1/Instance/#interface#/#group# object for
	  each VRRP instance.
	  Interface org.keepalived.Vrrp1.Vrrp implements methods PrintData,
	  PrintStats and signal VrrpStopped.
	  Interface com.keepalived.Vrrp1.Instance implements method SendGarp
	  (sends a single Gratuitous ARP from the given Instance),
	  signal VrrpStatusChange, and properties Name and State (retrievable
	  through calls to org.freedesktop.DBus.Properties.Get)
	  Interface files are located at location /usr/share/dbus-1/interfaces/
	  A policy file, which determines who has access to the service, is
	  located at /etc/dbus-1/system.d/
	* Resolve DBus working after a reload
	  thread_destroy_list() was closing file descriptors of read and write
	  threads, but we wanted the DBus pipes to remain open. It transpires that
	  closing the fds in thread_destroy_list() is unnecessary, since they are
	  closed elsewhere anyway, so stop closing the fds in thread_destroy_list().
	* Add stronger compiler warnings (-Wextra).
	  The following bugs were discovered:
	    comparison of unsigned value < 0
	    comparison of unsigned == -1 and not checking
	      return status of find_rttables_scope() correctly
	    accessing element buf[18446744073709551615]
	      ie. buf[2^64-1], which is the same as buf[-1].
	  The following improvements to the code were made:
	    Many unused function parameters
	      either removed or marked unused
	    Many signed vs. unsigned comparisons
	      In most cases variables change to be unsigned
	    Lengths being stored in signed variables
	* Rationalise checking of libnl-3.
	* Bring generation of rpmbuild keepalived.spec file up to date
	  The keepalived.spec file is now created to match the options passed
	  to configure. It also detects if the system init process is systemd,
	  upstart or the traditional SYSV init system.
	* Add more BuildRequires to keepalived.spec.in.
	* Further improvements to keepalived.spec.in for systemd systems
	* Change some configure.ac variable names due to using PKG_PROG_PKG_CONFIG
	* Fix configure.ac to make RedHat hardened rpm builds work
	  CFLAGS, CPPFLAGS and LIBS variables were not being preserved by
	  configure.ac, and this caused needed CFLAGS to be lost when
	  configure was run, resulting in a build failure.
	  This commit ensures the flags are all preserved.
	* Allow for automake macro AM_PROG_AR not existing.
	* Add support for UDP socket to layer4 library.
	* Add DNS checker.
	* Update documentation for DNS health checker.
	* Fix compile check for PE selection support.
	* Add file missing from add-dns-checker commit.
	* Update commits for correctly checking for IPVS_SVC_ATTR_PE_NAME.
	  The updated configure and lib/config.h.in weren't included in the commits,
	  and to be consistent the comment on what Linux version introduced the feature
	  is in configure.ac if the test exists in configure.ac
	* Fix conditional compilation test for FRA_OIFNAME.
	* Fix compilation test for IFLA_INET6_ADDR_GEN_MODE.
	* Fix compilation test for IPVS_DEST_ATTR_ADDR_FAMILY.
	* Fix compilation test for IPVS_DEST_ATTR_STATS64 and IPVS_SVC_ATTR_STATS64.
	* Fix compilation test for RTA_VIA.
	* Fix compilation test for CLONE_NEWNET for DBus.
	* Fix issue of overwriting the original disposition of signals.
	* Improve forced termination of script execution process and its offspring.
	* Improve propagate important signal for the script process groups.
	* Use argument instead of static variable.
	* Fix bug around the process group.
	* Use SIGTERM instead of SIGHUP.
	* Stop linking with -lipset.
	  libipset (if used) is dynamically linked at runtime, and so keepalived
	  shouldn't be linked with -lipset.
	  Linking with -lipset was erroneously added when converting the build
	  system to use automake.
	* Report diagnostic message if dlopen() fails.
	* Fix loading of ipset library when development library not installed.
	* Don't use ipsets with namespaces on Linux < 3.13 by default.
	  On Linux prior to version 3.13, ipsets were not network namespace
	  aware, so by default the use of ipsets is disabled if keepalived
	  is running in a network namespace. Configuration keyword
	  'namespace_with_ipsets' enables ipset use with a network namespace
	  on these older kernels.
	* Fix reporting of script exit status.
	* Update documentation and fix compiler warning re ipset with Linux < 3.13
	* Make report_child_status() check for vrrp and checker child processes
	  report_child_status() checks for exit status KEEPALIVED_EXIT_FATAL
	  and KEEPALIVED_EXIT_CONFIG, but these are only relevant for the vrrp
	  and checker child processes, and not for track scripts etc. This commit
	  adds a check that the terminating process is the vrrp or checker process
	  before checking those exit statuses.
	* Add no_accept mode for VRRPv2 and standardise VRRPv3 with it
	  RFC3768, for VRRPv2, specifies that packets addressed to the VIPs
	  should not be accepted, unless the router is the address owner.
	  This commit implements not accepting the packets when running VRRPv2,
	  but only if no_accept is specified, or running in strict mode. The reason
	  for not making no_accept the default (which would conform to the RFCs) is
	  that if running IPVS, or any other service on top of the VIPs, we need to
	  be able to accept the packets, and requiring everyone to specify accept
	  in that case would not be reasonable.
	  Prior to this commit, VRRPv3 was blocking packets sent to VIPs (and eVIPS),
	  unless the vrrp instance was the address owner, or accept mode was set. This
	  commit changes the default behaviour for VRRPv3 to make it consistent with
	  VRRPv2 (i.e. either strict mode or no_accept needs to be specified to be
	  conformant with RFC5978).
	* Tidy up logged messages if ipset initialisation fails.
	* Streamline MII polling.
	  We only need to read 2 MII registers, and not 32 as was previously being
	  This commit also uses the <linux/mii.h> header file for field and
	  register definitions.
	* Simplify bitops.h code.
	* Resolve warnings generated with compiler option -Dconversion.
	  Most of the warnings were resolved by changing the data types of some
	  variables. Others required casting, particularly where kernel interfaces
	  are involved.
	  There were a few instances discovered that were errors, for example comparing
	  an unsigned int against -1, and assigning a 16 bit value to a uint8_t.
	  This commit also adds configure options --enable-conversion-checks and
	  --enable-force-conversion-checks, the former adds compiler option -Dconversion
	  unless the compiler is an old version that throws up false warnings. Option
	  --enable-force-conversion-checks adds -Dconversion even if the compiler throws
	  up known false warnings.
	* Fix some minor errors/typos in doc/keepalived.conf.SYNOPSIS.
	* Fix keyword error in sample configuration.
	* Fix typo in genhash error message.
	* Fix address ranges for virtual server groups
	  The handling of address ranges was only written for IPv4 addresses, and
	  only worked on little endian systems.
	  This commit enables IPv6 address ranges to work, and also should now
	  work on big endian systems (but I don't have access to a big endian system
	  to test it). Validation is added to ensure that the end of the range is after
	  the start of the range, and that the value of the range end does not exceed
	  255 (for IPv4) or ffff (for IPv6).
	  There is also some optimisation of the code, so that netmask is not set (since
	  it isn't used by the kernel), and the port is set once only, before the loop
	  through the addresses.
	* Add --enable-Werror configure option.
	* Add promote_secondaries keyword for vrrp_instance block.
	  If two IPv4 VIP addresses are in the same CIDR, and the primary
	  address is removed, then by default any other address in the same CIDR is
	  also removed. To stop this happening, the promote_secondaries flag
	  needs to be set on the interface.
	  Commit e5526cf added setting the promote_secondaries option on
	  VMAC interfaces, and stated that adding the option for non-VMAC
	  interfaces would be added later. This commit now adds a
	  promote_secondaries configuration option in order to set the flag
	  on the interface.
	* Add reporting of promote_secondaries configuration setting.
	* Add conditional configuration feature
	  It is usually the case that the configurations for keepalived for
	  systems operating together are virtually identical, and only differ
	  in vrrp instance priorities, router id, and unicast addresses if
	  those are being used.
	  It is a nuisance to have to edit one file for each server to make
	  identical changes, so this commit adds the facility for conditional
	  configuration entries.
	  Any line starting with the '@' character is a conditional line.
	  Immediately following the '@' character is a config id. The line is
	  only included in the configuration if the config id matches the
	  argument passed to keepalived with the -i option on the command line.
	  For example, consider the following configuration snippet:
	    @main       router_id main_router
	    @backup router_id backup_router
	  If keepalived is started with -i main, then the router id will be
	  main_router, if started with -i backup, then backup_router. If
	  keepalived is started without the -i option, or -i anything else,
	  then the above snippet will not configure any router id.
	* Fix building with --disable-vrrp.
	* Stop segfaulting when configuration keyword is missing its parameter
	  There are many places where during configuration parsing the code
	  assumes that if a keyword is specified that requires a parameter, then
	  the parameter exists. If the parameter doesn't exist, then the code
	  indexes past the end of the vector, and at best segfaults, and at worst
	  may carry on, parsing random data.
	  This commit adds strvec_slot() which checks for the presence of the
	  parameter, and if configured will call a function that can handle the
	  error. Currently this logs that the parameter is missing, with as much
	  helpful information as it can provide, and then terminates.
	* Use FMT_STR_VSLOT where appropriate.
	* Use TIMER_HZ where appropriate.
	* Fix comment and error message re http write timeout.
	* More verbose logging on (effective) priorities pt. 2.
	* Change configure option --enable-snmp-keepalived to --enable-snmp-vrrp
	  The option was enabling snmp for vrrp, not all of keepalived (the
	  --enable-snmp option does that), so this commit renames it to reflect
	  what it is actually doing.
	  The --enable-snmp-keepalived option is retained but marked as obsolete.
	* Use AS_HELP_STRING autoconf macro.
	* Fix process increase
	* Add forcing termination of children of scripts if script times out
	  Commits fe9638b..cebfbf5 resolved problems around forced termination
	  of scripts if they didn't terminate within the prescribed time. During
	  the development of the patches, it was identified that after a script
	  had been terminated by SIGTERM, any child processes created by the
	  script also need to be killed.
	  This commit adds the forced termination of any such children.
	* Correctly handle existing VMACs on reload.
	  Anthony Dempsey in issue #449 identified that
	  keepalived attempts to recreate existing VMAC interfaces on a reload,
	  and that the subsequent failure causes keepalived not to use the VMAC.
	  This then identified further issues such as the check for an existing
	  VMAC in netlink_link_add_vmac() didn't also check the interface a
	  VMAC was on, and that the checks for conflicts of VMAC interface names
	  with existing interfaces weren't sufficient.
	  This patch builds on the patch provided by Anthony Dempsey to also
	  resolve the additional issues identified.
	* Fix check of matching VRRP instances on reload.
	  On a reload, clear_diff_vrrp() removes vrrp instances that are no
	  longer in the configuration. The check, however, was based on vrrp
	  instance name, which might have changed. The check is now based on
	  VRID, address family and interface, since it is this triplet that
	  uniquely defines a vrrp instance.
	* Fix clearing addresses no longer used after a reload.
	  The address comparison was including ifa_index, but that wasn't being
	  set up until after clear_diff_vrrp() was called.
	* Don't zero the mem_allocated count during reload.
	  We want to know if there is a leak during reload, so don't zero the
	* Ensure iptables/sets entries and ip routes/rules not lost on reload.
	  There were several places in the code that were causing existing
	  iptables/ipsets entries to be lost on reload, and also new entries
	  for additional ip addresses were deleted after being added. In
	  addition, ip rules/routes for existing entries were being removed.
	* Ensure GARPs/GNAs are sent after reload if VIP/eVIP addresses added.
	  Although there have been versions of keepalived when GARPs/GNAs were
	  sent after a reload, this was due to a bug in determining if the VRRP
	  instance had existed before. Resolving that bug (commit aaea8a4),
	  caused keepalived to stop sending GARPs after a reload. This commit
	  now specifically adds code to send GARPs on a VRRP instance for all
	  addresses on that instance. It would be better if GARPs were sent only
	  for the added addresses, and that may be resolved in a future commit.
	* Use correct interface for iptables/ipset entries when not accept mode
	  If an interface was specified for a VIP/eVIP, the iptables/ipset block
	  if not in accept mode for link local IPV6 addresses was specifying the
	  interface the vrrp instance was on rather than the interface the address
	  was added to.
	  This commit now makes the iptables/ipset entry specify the interface that
	  the address has been added to.
	* Resolve "Netlink: error: message truncated" messages.
	  On systems with a page size larger than 4096 keepalived may report:
	  "Netlink: error: message truncated" messages
	  This error was reported on a ppc64le in an OpenStack/Neutron environment.
	  Ppc64le is using a 64k page size. I found that keepalived's netlink recvmsg
	  buffer was too small causing messages to be truncated. The size of the read
	  buffer for the netlink socket should be based on page size however, it should
	  not exceed 8192. See the comment in the patch.
	  I tested the fix by creating 100 veth interfaces and verifying the errors
	  did not return.
	* Use ipsets with namespaces on Linux < 3.13 if ipset names configured.
	  The problem with using ipsets with namespaces on Linux < 3.13 is that
	  ipsets were not namespace aware, and so all ipset entries added are
	  global to the system, including all network namespaces. This causes
	  problems if the default ipset names are used, but if set names have
	  been specified, it is reasonable that they have been set to be
	  different for each namespace, and hence there will be no clashes.
	  The documentation is also updated for vrrp_ipsets keyword.
	* Don't write MEM_CHECK data to log when forked script child terminates.
	  The mem check log file was being filled with extraneous termination
	  information every time a forked child terminated. When a child is forked
	  it now sets a flag to stop the termination dump.
	* Fix illegal syntax in configure script
	  Indirect expansion (`${!foo}`) is a bashism, it's not POSIX-sh
	  compatible and is not supported by common shells except Bash and ZSH!
	  Configure script should be portable, hence strictly POSIX compliant.
	  Moreover it has shebang /bin/sh.
	* Make running scripts more secure
	  Previously, keepalived ran all scripts as root. This is potentially
	  dangerous if a non-root user can modify the script, or has write
	  access to any part of the path to the script.
	  This commit does the following:
	  1) Adds configuration options to specify the user/group under which to
	     run each script
	  2) Adds an option to set the default script user/group. If this is not
	     set it will default to user keepalived_script if that user exists,
	     otherwise it will default to root, as before.
	  3) If a script is to be executed with root privilege, report if it is
	     writeable in any way by a non-root user.
	  4) Add an option enable_script_security so that any scripts failing
	     3) above won't be executed.
	  5) Report if any scripts are not executable by the relevant user.
	* Fix some lead tab/space issues.
	* Fix segfault when terminating with no notify script configured.
	* Fix compiler warning generated with --enable-conversion-checks.
	* Don't segfault if modules ip_tables or ip6_tables not loaded
	  If either of the modules is not loaded, then don't use ip(6)tables for
	  that address family. We could load the module, but there would be no
	  entries pointing to the chains that we use, and so there is no point
	  adding entries to chains that won't be traversed.
	* Resolve some type mismatch warnings on 32 bit systems.
	* Fix checking security of misc_check scripts.
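
The "Make running scripts more secure" entry above warns about scripts run as root that a non-root user can modify, including through write access to any part of the path. The following audit is an added example, not keepalived's own code: the function names are hypothetical and the policy (non-root owner, group-writable with a non-root group, or world-writable) is an assumption modelled on item 3 of that entry.

```python
import os
import stat
import sys

def weak_points(st):
    """Reasons a non-root user could modify the object described by stat result `st`."""
    reasons = []
    if st.st_uid != 0:
        reasons.append(f"owned by uid {st.st_uid}")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append(f"group-writable by gid {st.st_gid}")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def audit_script_path(path, _seen=None):
    """Map every component of `path` that a non-root user could alter to its reasons.

    Walks from / down to the script. A symlink is not judged by its own mode
    bits (they are meaningless); the path it points to is audited instead.
    """
    seen = set() if _seen is None else _seen
    findings = {}
    full = os.path.join(os.getcwd(), path)  # no lexical ".." collapsing
    current = os.sep
    for comp in [None] + [p for p in full.split(os.sep) if p and p != "."]:
        if comp is not None:
            current = os.path.join(current, comp)
        if current in seen:  # already audited, also stops symlink loops
            continue
        seen.add(current)
        st = os.lstat(current)
        if stat.S_ISLNK(st.st_mode):
            target = os.path.join(os.path.dirname(current), os.readlink(current))
            findings.update(audit_script_path(target, seen))
            continue
        reasons = weak_points(st)
        if reasons:
            findings[current] = reasons
    return findings

if __name__ == "__main__":
    # Usage: pass the script paths referenced from keepalived.conf as arguments.
    for script in sys.argv[1:]:
        for component, reasons in audit_script_path(script).items():
            print(f"{script}: {component}: {', '.join(reasons)}")
```

Run it as root so every component can be examined; any output line names a directory or file that should be fixed before a root-run script is trusted.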

