
Merge pull request #825 from pqarmitage/beta

Merge fixes branch
pqarmitage committed Mar 30, 2018
2 parents 8b18495 + 9c2d63f commit 8ecbb591994a567375d78239d075ed032d9f9b07
@@ -6978,6 +6978,65 @@ if test $NEED_SSL = yes; then
KA_LIBS="$KA_LIBS $LIBS"
fi
GENHASH_LIBS="$GENHASH_LIBS $LIBS"

# Introduced in OpenSSL ver 0.9.9
LIBS=$OPENSSL_LIBS
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking SSL_set_tlsext_host_name() - may be a definition" >&5
$as_echo_n "checking SSL_set_tlsext_host_name() - may be a definition... " >&6; }
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <openssl/ssl.h>
int main(void)
{
request_t req;
SSL_set_tlsext_host_name(req.ssl, "SSL");
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :

{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }

else

{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }

$as_echo "#define _HAVE_SSL_SET_TLSEXT_HOST_NAME_ 1 " >>confdefs.h


fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext

# SSL_CTX_set_verify_depth() introduced OpenSSL v0.9.5a
for ac_func in SSL_CTX_set_verify_depth
do :
ac_fn_c_check_func "$LINENO" "SSL_CTX_set_verify_depth" "ac_cv_func_SSL_CTX_set_verify_depth"
if test "x$ac_cv_func_SSL_CTX_set_verify_depth" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_SSL_CTX_SET_VERIFY_DEPTH 1
_ACEOF

fi
done


# SSL_set0_rbio(), SSL_set0_wbio() and OPENSSL_init_crypto() introduced OpenSSL v1.1.0
for ac_func in SSL_set0_rbio OPENSSL_init_crypto
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
cat >>confdefs.h <<_ACEOF
#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
_ACEOF

fi
done


unset LIBS

if test $BUILD_GENHASH = No; then
@@ -566,6 +566,30 @@ if test $NEED_SSL = yes; then
add_to_var([KA_LIBS], [$LIBS])
fi
add_to_var([GENHASH_LIBS], [$LIBS])

# Introduced in OpenSSL ver 0.9.9
LIBS=$OPENSSL_LIBS
AC_MSG_CHECKING([SSL_set_tlsext_host_name() - may be a definition])
AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
#include <openssl/ssl.h>
int main(void)
{
request_t req;
SSL_set_tlsext_host_name(req.ssl, "SSL");
}
]])], [
AC_MSG_RESULT([no])
], [
AC_MSG_RESULT([yes])
AC_DEFINE([_HAVE_SSL_SET_TLSEXT_HOST_NAME_], [ 1 ], [Define to 1 if have SSL_set_tlsext_host_name()])
])

# SSL_CTX_set_verify_depth() introduced OpenSSL v0.9.5a
AC_CHECK_FUNCS([SSL_CTX_set_verify_depth])

# SSL_set0_rbio(), SSL_set0_wbio() and OPENSSL_init_crypto() introduced OpenSSL v1.1.0
AC_CHECK_FUNCS([SSL_set0_rbio OPENSSL_init_crypto])

unset LIBS

if test $BUILD_GENHASH = No; then
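Review bot: The compile test declares `request_t req;`, a type that nothing in the test source defines (only openssl/ssl.h is included), so the program appears to fail to compile whether or not SSL_set_tlsext_host_name() exists, and the failure branch then unconditionally defines _HAVE_SSL_SET_TLSEXT_HOST_NAME_; the generated configure hunk earlier in this commit reproduces the same test. The branch wiring also reads inverted relative to the message: a successful compile reports "no" and leaves the macro undefined, while a failed compile reports "yes". Since SSL_set_tlsext_host_name() is typically a macro around SSL_ctrl() rather than an exported symbol, AC_CHECK_FUNCS cannot detect it, but a compile test against a plain `SSL *` that defines the macro on success would, and a build against an OpenSSL lacking it would then be caught at configure time instead of when the SNI code is compiled. A leading underscore followed by an uppercase letter makes the macro name a reserved identifier in C; `HAVE_SSL_SET_TLSEXT_HOST_NAME` would be conventional, though every `#ifdef` user (including the genhash header hunk at the end of this commit) would need the same rename, so the sketch below keeps the existing name.
```m4
AC_MSG_CHECKING([for SSL_set_tlsext_host_name() - may be a definition])
AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
#include <openssl/ssl.h>
int main(void)
{
	SSL *ssl = NULL;
	SSL_set_tlsext_host_name(ssl, "SSL");
	return 0;
}
]])], [
	AC_MSG_RESULT([yes])
	AC_DEFINE([_HAVE_SSL_SET_TLSEXT_HOST_NAME_], [1], [Define to 1 if have SSL_set_tlsext_host_name()])
], [
	AC_MSG_RESULT([no])
])
dnl … unchanged: SSL_CTX_set_verify_depth and SSL_set0_rbio/OPENSSL_init_crypto checks …
```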
@@ -105,15 +105,16 @@ After opening an included file, the current directory is set to the directory of
the file itself, so any relative paths included from a file are relative to the
directory of the including file itself.

0.4 Parameter substitution
0.5 Parameter substitution

Substitutable parameters can be specified. The format for defining a parameter is:
$PARAMETER=VALUE
where there must be no space before the '=' and only whitespace may preceed to '$'.
Empty values are allowed.

Parameter names can be made up of any combination of A-Za-z0-9 and _, but cannot start
with a digit.
with a digit. Parameter names starting with an underscore should be considered
reserved names that keepalived will define for various pre-defined options.

After a parameter is defined, any occurrence of $PARAMETER followed by
whitespace, or any occurrence of ${PARAMETER} (which need not be followed by
@@ -199,6 +200,17 @@ $INSTANCE
$NUM=1
$INSTANCE

0.5.1 Pre-defined definitions

The following pre-defined definitions are defined:
${_PWD} The directory of the current configuration file
(this can be changed if using the include directive).

Additional pre-defiend definitions will be added as their need is identified.
It will normally be quite straightforward to add additional pre-defiend
definitions, so if you need one, or have a good idea for one, then raise
an issue at https://github.com/acasson/keepalived/issues requesting it.

0.6 Configuration file syntax parser

Traditionally the configuration file parser has not been one of the strengths of
@@ -324,7 +336,7 @@ global_defs { # Block identification
# Note: keepalived, checker and rfc support can be
# individually enabled/disabled
snmp_socket <PROTOCOL>:<ADDRESS>[:<PORT>] # specify socket to use for connecting to SNMP master agent (default unix:/var/agentx/master)
# unless using a network namespace, when the default is udp:localhost:705
# (see source module keepalived/vrrp/vrrp_snmp.c for more details)
enable_snmp_vrrp # enable SNMP handling of vrrp element of KEEPALIVED MIB
enable_snmp_checker # enable SNMP handling of checker element of KEEPALIVED MIB
enable_snmp_rfc # enable SNMP handling of RFC2787 and RFC6527 VRRP MIBs
@@ -1038,6 +1050,10 @@ virtual_server group <STRING> { # VS group declaration
# virtual_server.
}

SSL_GET {
enable_sni # send Server Name Indication during SSL handshake
}

TCP_CHECK { # TCP healthchecker
# No additional options
}
@@ -79,7 +79,8 @@ where there must be no space before the '=' and only whitespace may preceed to '
Empty values are allowed.

Parameter names can be made up of any combination of A-Za-z0-9 and _, but cannot start
with a digit.
with a digit. Parameter names starting with an underscore should be considered
reserved names that keepalived will define for various pre-defined options.

After a parameter is defined, any occurrence of $PARAMETER followed by
whitespace, or any occurrence of ${PARAMETER} (which need not be followed by
@@ -170,6 +171,16 @@ vrrp_instance VI_${NUM} { \e
.PP
$NUM=1
$INSTANCE
.SH Pre-defined definitions
The following pre-defined definitions are defined:
.PP
${_PWD} The directory of the current configuration file
(this can be changed if using the include directive).

Additional pre-defined definitions will be added as their need is identified.
It will normally be quite straightforward to add additional pre-defined
definitions, so if you need one, or have a good idea for one, then raise
an issue at https://github.com/acasson/keepalived/issues requesting it.
.SH SCRIPTS
There are three classes of scripts can be configured to be executed.

@@ -357,7 +368,7 @@ and
# If Keepalived has been build with SNMP support, the following keywords are available
# Note: Keepalived, checker and RFC support can be individually enabled/disabled
snmp_socket udp:1.2.3.4:705 # specify socket to use for connecting to SNMP master agent (default unix:/var/agentx/master)
# unless using a network namespace, when the default is udp:localhost:705
# (see source module keepalived/vrrp/vrrp_snmp.c for more details)
enable_snmp_vrrp # enable SNMP handling of vrrp element of KEEPALIVED MIB
enable_snmp_checker # enable SNMP handling of checker element of KEEPALIVED MIB
enable_snmp_rfc # enable SNMP handling of RFC2787 and RFC6527 VRRP MIBs
@@ -1206,6 +1217,11 @@ A virtual_server can be a declaration of one of
}
}

SSL_GET {
# when provided, send Server Name Indicator during SSL handshake
enable_sni
}

# TCP healthchecker
TCP_CHECK
{
@@ -3,10 +3,10 @@ Software Design
###############


Keepalived is written is pure ANSI/ISO C. The software is articulated around a
Keepalived is written in pure ANSI/ISO C. The software is articulated around a
central I/O multiplexer that provides realtime networking design. The main
design focus is to provide a homogenous modularity between all elements. This
why a core library was created to remove code duplication. The goal is to
is why a core library was created to remove code duplication. The goal is to
produce a safe and secure code, ensuring production robustness and stability.

To ensure robustness and stability, daemon is split into 3 distinct processes:
@@ -16,15 +16,15 @@ To ensure robustness and stability, daemon is split into 3 distinct processes:

Each children process has its own scheduling I/O multiplexer, that way VRRP
scheduling jitter is optimized since VRRP scheduling is more sensible/critical
than healthcheckers. This split design minimalize for healthchecking the usage
of foreign libraries and minimalize its own action down to and idle mainloop in
order to avoid malfunctions caused by itself.
than healthcheckers. This split design minimalizes for healthchecking the usage
of foreign libraries and minimalizes its own action down to and idle mainloop in
order to avoid malfunctions caused by itself.

The parent process monitoring framework is called watchdog, the design is each
children process open an accept unix domain socket, then while daemon
children process opens an accept unix domain socket, then while daemon
bootstrap, parent process connect to those unix domain socket and send periodic
(5s) hello packets to children. If parent cannot send hello packet to remote
connected unix domain socket it simply restart children process.
connected unix domain socket it simply restarts children process.

This watchdog design offers 2 benefits, first of all hello packets sent from
parent process to remote connected children is done throught I/O multiplexer
@@ -58,88 +58,88 @@ Atomic Elements
Control Plane
=============

Keepalived configuration is done throught the file keepalived.conf. A compiler
Keepalived configuration is done through the file keepalived.conf. A compiler
design is used for parsing. Parser work with a keyword tree hierarchy for
mapping each configuration keyword with specifics handler. A central
multi-level recursive function read the configuration file and traverse the
multi-level recursive function reads the configuration file and traverses the
keyword tree. During parsing, configuration file is translated into an internal
memory representation.

Scheduler - I/O Multiplexer
===========================

All the event are scheduled into the same process. Keepalived is a single
All the events are scheduled into the same process. Keepalived is a single
process. Keepalived is a network routing software, it is so closed to I/O. The
design used here is a central select(...) that is in charge of scheduling all
internal task. POSIX thread libs are NOT used. This framework provide its own
internal task. POSIX thread libs are NOT used. This framework provides its own
thread abstraction optimized for networking purpose.

Memory Management
=================

This framework provides acces to some generic memory managements functions like
This framework provides access to some generic memory managements functions like
allocation, reallocation, release,... This framework can be used in two mode :
normal_mode & debug_mode. When using debug_mode it provide a strong way to
eradicate and track memory leaks. This low level env provide buffer under-run
protection by tracking allocation memory and released. All the buffer used are
eradicate and track memory leaks. This low level env provides buffer under-run
protection by tracking allocation and release of memory. All the buffer used are
length fixed to prevent against eventual buffer-overflow.

Core Components
===============

This framework define some common and global libraries that are used in all the
This framework defines some common and global libraries that are used in all the
code. Those libraries are : html parsing, link-list, timer, vector, string
formating, buffer dump, networking utils, daemon management, pid handling, low
level TCP layer4. The goal here is to factorize code to the max to limite as
level TCP layer4. The goal here is to factorize code to the max to limit as
possible code duplication to increase modularity.

WatchDog
========

This framework provide children processes monitoring (VRRP & Healthchecking).
Each child accept connection to its own watchdog unix domain socket. Parent
This framework provides children processes monitoring (VRRP & Healthchecking).
Each child accepts connection to its own watchdog unix domain socket. Parent
process send "hello" messages to this child unix domain socket. Hello messages
are sent using I/O multiplexer on the parent side and accepted/processed using
I/O multiplexer on children side. If parent detect broken pipe it test using
sysV signal if child is still alive and restart it.
I/O multiplexer on children side. If parent detects broken pipe it tests using
sysV signal if child is still alive and restarts it.

Checkers
========

This is one of the main Keepalived functionality. Checkers are in charge of
realserver healthchecking. A checker test if realserver is alive, this test end
realserver healthchecking. A checker tests if realserver is alive, this test ends
on a binary decision : remove or add realserver from/into the LVS topology. The
internal checker design is realtime networking software, it use a fully
multi-threaded FSM design (Finite State Machine). This checker stack provide
LVS topology manipulation accoring to layer4 to layer5/7 test results. Its run
internal checker design is realtime networking software, it uses a fully
multi-threaded FSM design (Finite State Machine). This checker stack provides
LVS topology manipulation accoring to layer4 to layer5/7 test results. It's run
in an independent process monitored by parent process.

VRRP Stack
==========

The other most important Keepalived functionality. VRRP (Virtual Router
Redundancy Protocol : RFC2338) is focused on director takeover, it provide
Redundancy Protocol : RFC2338) is focused on director takeover, it provides
low-level design for router backup. It implements full IETF RFC2338 standard
with some provisions and extensions for LVS and Firewall design. It implements
the vrrp_sync_group extension that guarantee persistence routing path after
the vrrp_sync_group extension that guarantees persistence routing path after
protocol takeover. It implements IPSEC-AH using MD5-96bit crypto provision for
securing protocol adverts exchange. For more informations on VRRP please read
the RFC. Important things : VRRP code can be used without the LVS support, it
has been designed for independant use.Its run in an independent process
has been designed for independent use. It's run in an independent process
monitored by parent process.

System Call
===========

This framework offer the ability to launch extra system script. It is mainly
This framework offers the ability to launch extra system script. It is mainly
used in the MISC checker. In VRRP framework it provides the ability to launch
extra script during protocol state transition. The system call is done into a
forked process to not pertube the global scheduling timer.

Netlink Reflector
=================

Same as IPVS wrapper. Keepalived work with its own network interface
Same as IPVS wrapper. Keepalived works with its own network interface
representation. IP address and interface flags are set and monitored through
kernel Netlink channel. The Netlink messaging sub-system is used for setting
VRRP VIPs. On the other hand, the Netlink kernel messaging broadcast capability
@@ -199,7 +199,7 @@ health check worker threads implement the following types of health checks:
Working at layer4. To ensure this check, we use a TCP Vanilla check using nonblocking/timed-out TCP connections. If the remote server does not reply to this request (timed-out), then the test is wrong and the server is removed from the server pool.

HTTP_GET
Working at layer5. Performs a HTTP GET to a specified URL. The HTTP GET result is then summed using the MD5 algorithm. If this sum does not match with the expected value, the test is wrong and the server is removed from the server pool. This module implements a multi-URL get check on the same service. This functionality is useful if you are using a server hosting more than one application server. This functionality gives you the ability to check if an application server is working properly. The MD5 digests are generated using the genhash utility (included in the keepalived package).
Working at layer5. Performs a HTTP GET to a specified URL. The HTTP GET result is then summed using the MD5 algorithm. If this sum does not match with the expected value, the test is wrong and the server is removed from the server pool. This module implements a multi-URL get check on the same service. This functionality is useful if you are using a server hosting more than one application servers. This functionality gives you the ability to check if an application server is working properly. The MD5 digests are generated using the genhash utility (included in the keepalived package).

SSL_GET
Same as HTTP_GET but uses a SSL connection to the remote webservers.
@@ -70,6 +70,9 @@ typedef struct {
char *vhost;
int verbose;
int ssl;
#ifdef _HAVE_SSL_SET_TLSEXT_HOST_NAME_
int sni;
#endif
SSL_CTX *ctx;
const SSL_METHOD *meth;
enum feat_hashes hash;
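Review bot: The new `sni` field carries no comment saying what a non-zero value means, and because it exists only under `#ifdef _HAVE_SSL_SET_TLSEXT_HOST_NAME_` the offsets of the fields after it (`ctx`, `meth`, `hash`) depend on a configure-time define, so every object that uses this struct must be built against the same config.h. A comment such as `int sni; /* non-zero: send Server Name Indication during the SSL handshake */` would document it; I take the meaning from the SSL_GET documentation added elsewhere in this commit, so confirm it against the code that sets the extension. Declaring the field unconditionally and guarding only the code that uses it would keep the struct layout independent of the feature test. The enclosing typedef begins before this hunk.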
