From 981b2e27ac1140934dca30f05c48f46cf2bfee8f Mon Sep 17 00:00:00 2001
From: Quentin Armitage
Date: Tue, 25 Jul 2023 16:08:43 +0100
Subject: [PATCH 1/5] systemd: Change NotifyAccess to be main rather than all for non-root

Signed-off-by: Quentin Armitage
---
 keepalived/keepalived-non-root.service.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/keepalived/keepalived-non-root.service.in b/keepalived/keepalived-non-root.service.in
index c756d2c221..b61b0e3dfa 100644
--- a/keepalived/keepalived-non-root.service.in
+++ b/keepalived/keepalived-non-root.service.in
@@ -15,7 +15,7 @@ StartLimitIntervalSec=10
 [Service]
 Type=@SYSTEMD_SERVICE_TYPE@
-NotifyAccess=all
+NotifyAccess=main
 PIDFile=@RUN_DIR@/run/%N/%N.pid
 # CAP_CHOWN needed if using FIFOs and specify the owner/group
 AmbientCapabilities=CAP_CHOWN

From 09fa1181b209e0cdec75a8a4a3089c1f67bda201 Mon Sep 17 00:00:00 2001
From: Quentin Armitage
Date: Tue, 25 Jul 2023 16:12:04 +0100
Subject: [PATCH 2/5] systemd Add KEEPALIVED_OPTION for non-root service file

The default /etc/sysconfig/keepalived sets $KEEPALIVED_OPTIONS so this needs to be specified as a parameter to keepalived in ExecStart.

Signed-off-by: Quentin Armitage
---
 keepalived/keepalived-non-root.service.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/keepalived/keepalived-non-root.service.in b/keepalived/keepalived-non-root.service.in
index b61b0e3dfa..0133186d80 100644
--- a/keepalived/keepalived-non-root.service.in
+++ b/keepalived/keepalived-non-root.service.in
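Review bot: Neither the commit message nor the unit file records why `NotifyAccess=main` is sufficient for keepalived, which runs separate vrrp, checker and bfd child processes (the `--vrrp_pid`, `--checkers_pid` and `--bfd_pid` options elsewhere in this same file); if any of those children ever send sd_notify() messages such as READY= or WATCHDOG=1, systemd now discards them silently instead of accepting them. From the hunk alone it cannot be verified that only the parent notifies, so that assumption deserves a comment above the directive, e.g. `# Only the parent keepalived process sends sd_notify() messages, so do not accept them from child processes or scripts`. Tightening from `all` is the right direction, since with `all` any process in the unit's cgroup, including scripts keepalived spawns, could signal readiness or feed the watchdog. The directive only has an effect when `Type=@SYSTEMD_SERVICE_TYPE@` expands to notify, which this hunk does not show.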
@@ -62,7 +62,7 @@ DynamicUser=yes
 # Edit the following line if needed - for Ubuntu it should be -@sysconfdir/default/%N
 EnvironmentFile=-@sysconfdir@/sysconfig/%N
 ExecReload=/bin/kill -HUP $MAINPID
-ExecStart=@sbindir@/keepalived --dont-fork $DAEMON_ARGS --pid=@RUN_DIR@/run/%N/%N.pid --vrrp_pid=@RUN_DIR@/run/%N/vrrp.pid --checkers_pid=@RUN_DIR@/run/%N/%N_checkers.pid --bfd_pid=@RUN_DIR@/run/%N/%N_bfd.pid
+ExecStart=@sbindir@/keepalived --dont-fork $DAEMON_ARGS $KEEPALIVED_OPTIONS --pid=@RUN_DIR@/run/%N/%N.pid --vrrp_pid=@RUN_DIR@/run/%N/vrrp.pid --checkers_pid=@RUN_DIR@/run/%N/%N_checkers.pid --bfd_pid=@RUN_DIR@/run/%N/%N_bfd.pid
 IOSchedulingClass=realtime
 KillMode=process
 KillSignal=SIGTERM

From c2fa031f45c1c72e636490af711fb9ac8cb00c7d Mon Sep 17 00:00:00 2001
From: Quentin Armitage
Date: Tue, 25 Jul 2023 16:13:26 +0100
Subject: [PATCH 3/5] systemd: Fix typo in non-root service file

Signed-off-by: Quentin Armitage
---
 keepalived/keepalived-non-root.service.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/keepalived/keepalived-non-root.service.in b/keepalived/keepalived-non-root.service.in
index 0133186d80..2a51f929de 100644
--- a/keepalived/keepalived-non-root.service.in
+++ b/keepalived/keepalived-non-root.service.in
@@ -32,7 +32,7 @@ AmbientCapabilities=CAP_SETUID
 AmbientCapabilities=CAP_SETGID
 # CAP_NET_MODULE needed to load ip_vs module (IPVS) and xt_set (VRRP with iptables)
 # Alternatively add a file in /usr/lib/modules-load.d with ip_vs and xt_set and
-# don't enable CAP_NET_MODULE, at set ProtectKernelModules=yes
+# don't enable CAP_NET_MODULE, and set ProtectKernelModules=yes
 AmbientCapabilities=CAP_SYS_MODULE
 # CAP_SYS_NICE needed for keepalived to set its nice priority. If in use, also remove LimitNICE=0
 AmbientCapabilities=CAP_SYS_NICE

From 9eb47044ecc45a5922d990c5e2dec289d00034a6 Mon Sep 17 00:00:00 2001
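Review bot: The new ExecStart line now expands two environment variables, `$DAEMON_ARGS` and `$KEEPALIVED_OPTIONS`, but the comment above it only says which path the environment file has on Ubuntu, so an administrator gets no hint which variable the file is expected to set or that setting both simply concatenates the options. Both are in the `$VAR` form, which systemd splits on whitespace into separate arguments, which is what an options string needs; that is worth stating so nobody "fixes" them to `${VAR}`. A comment such as `# The environment file may set DAEMON_ARGS and/or KEEPALIVED_OPTIONS (the default sysconfig file uses the latter); both are word-split and appended to the command line` above ExecStart would cover it. The commit title says KEEPALIVED_OPTION while the variable is KEEPALIVED_OPTIONS, which will make the change harder to find in history.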
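Review bot: The rewritten comment in the `@@ -32,7 +32,7 @@` hunk still says `CAP_NET_MODULE`, which is not a Linux capability; the directive it describes two lines below grants `CAP_SYS_MODULE`, so the line should read `# don't enable CAP_SYS_MODULE, and set ProtectKernelModules=yes`. The context line above it (`# CAP_NET_MODULE needed to load ip_vs module ...`) carries the same wrong name and could be corrected in the same typo commit. In a hardening file this matters: someone deciding whether to drop the capability and enable ProtectKernelModules= will search for the name in the comment and not find it in capabilities(7).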
From: Quentin Armitage
Date: Tue, 25 Jul 2023 16:14:17 +0100
Subject: [PATCH 4/5] systemd: Add comment in non-root service file for old systemds

Signed-off-by: Quentin Armitage
---
 keepalived/keepalived-non-root.service.in | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/keepalived/keepalived-non-root.service.in b/keepalived/keepalived-non-root.service.in
index 2a51f929de..ad1dbd768b 100644
--- a/keepalived/keepalived-non-root.service.in
+++ b/keepalived/keepalived-non-root.service.in
@@ -1,6 +1,11 @@
 # This systemd service file allows keepalived to be run as a non-root user.
 # To use this, edit the permissions according to your needs, and install the
 # file in /usr/lib/systemd/system as keepalived.service
+#
+# If your version of systemd is v228 or older, edit this file to change
+# "AmbientCapabilities=" to "Capabilities=". If that still doesn't work,
+# use setcap(8) to set the capabilities listed below on the keepalived
+# executable file.
 [Unit]
 Description=LVS and VRRP High Availability Monitor
 After=network-online.target syslog.target # @SNMP_SERVICE@

From e99a72509f5aebad35d3adcd8ccb226d7a2a2d29 Mon Sep 17 00:00:00 2001
From: Quentin Armitage
Date: Tue, 25 Jul 2023 17:36:56 +0100
Subject: [PATCH 5/5] systemd: Fix snmp option in non-root service file

Signed-off-by: Quentin Armitage
---
 keepalived/Makefile.am | 3 ++-
 keepalived/keepalived-non-root.service.in | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/keepalived/Makefile.am b/keepalived/Makefile.am
index 0254e1beb4..db22985557 100644
--- a/keepalived/Makefile.am
+++ b/keepalived/Makefile.am
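Review bot: The added comment recommends setcap(8) as a fallback without saying that file capabilities attach to the executable rather than to this unit: every user able to execute that keepalived binary then obtains CAP_SYS_MODULE, CAP_SETUID and the other capabilities listed below, not only the account this service runs under. A sentence after "executable file." would keep the advice safe, e.g. `# Note that file capabilities set with setcap(8) are granted to every user who can execute the binary, not just the service user, so restrict execute permission on the file accordingly.` Separately, on the systemd versions the comment targets `Capabilities=` took a cap_from_text(3) string rather than the `CAP_CHOWN`-style names used by the AmbientCapabilities= lines below, as far as I recall, so a plain rename of the directive may not parse; that is worth verifying before the comment ships, or the comment should point readers to the systemd.exec(5) of their version.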
@@ -18,7 +18,8 @@ edit = echo " EDIT $@"; \
  -e 's|@RUN_DIR[@]|$(RUN_DIR)|g' \
  -e 's|@SNMP_SERVICE[@]|$(SNMP_SERVICE)|g' \
  -e 's|@SYSTEMD_SERVICE_TYPE[@]|$(SYSTEMD_SERVICE_TYPE)|g' \
- -e 's|@SYSTEMD_EXEC_START_OPTIONS[@]|$(SYSTEMD_EXEC_START_OPTIONS)|g'
+ -e 's|@SYSTEMD_EXEC_START_OPTIONS[@]|$(SYSTEMD_EXEC_START_OPTIONS)|g' \
+ -e '/^Wants= *$$/d'
 sbin_PROGRAMS = keepalived
 keepalived_SOURCES = main.c

diff --git a/keepalived/keepalived-non-root.service.in b/keepalived/keepalived-non-root.service.in
index ad1dbd768b..160eea47d2 100644
--- a/keepalived/keepalived-non-root.service.in
+++ b/keepalived/keepalived-non-root.service.in
@@ -8,9 +8,9 @@
 # executable file.
 [Unit]
 Description=LVS and VRRP High Availability Monitor
-After=network-online.target syslog.target # @SNMP_SERVICE@
+After=network-online.target syslog.target @SNMP_SERVICE@
 Requires=network-online.target
-# Wants=@SNMP_SERVICE@
+Wants=@SNMP_SERVICE@
 Documentation=man:keepalived(8)
 Documentation=man:keepalived.conf(5)
 Documentation=man:genhash(1)
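Review bot: The new sed expression `-e '/^Wants= *$$/d'` only produces a valid unit because it runs after the `@SNMP_SERVICE[@]` substitution three lines above it, and nothing in the Makefile says so; the service-file hunk in the same commit (`Wants=@SNMP_SERVICE@`) relies on this deletion without a cross-reference either. A one-line comment above the expression would make the coupling visible: `# drop the Wants= line entirely when SNMP_SERVICE is empty; must follow the @SNMP_SERVICE@ substitution`. The `After=` line in the service hunk gets the same empty substitution and is left with a trailing space, which systemd tolerates, so only `Wants=` needs the cleanup. The `edit` rule starts before the hunk, so whether other templates go through the same sed pipeline is not visible here; if they do, the deletion also removes any empty `Wants=` line in those files.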