From cf13a369762cd3e414c9b468da36cbd8bd81969b Mon Sep 17 00:00:00 2001 From: Alexandre Cassen Date: Mon, 14 Aug 2017 17:48:23 +0200 Subject: [PATCH] keepalived-1.3.6 --- ChangeLog | 277 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 277 insertions(+) diff --git a/ChangeLog b/ChangeLog index 9006cda525..bcbd201966 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,280 @@ +2017-09-15 Alexandre Cassen + * keepalived-1.3.6 released. + * Ensure locations of pid files is consistent + Issue #563 identified that the generated keepalived.service has the + wrong location for the pid file. On investigating this it was discovered + that keepalived isn't following the GNU coding standards for location of + pid files; however, we can't now move the default location of pid files. + This commit ensures that the keepalived.service file's location for pid + files is consistent with where keepalived is placing them, but also adds + a configure option --enable-gnu-std-paths, which means that keepalived + will use ${localstatedir} for the location of pid files, while the default + remains /var/run + * Stop logging that preferred_lft has been set to 0. + Some users are interpreting the message as a warning, and hence are + unnecessarily avoiding using a /128 netmask for IPv6 addresses. The + message doesn't really tell us anything useful, so remove it. + * Handle not being able to load ip_tables or ip6_tables modules. + When running in a docker container it isn't possible to load kernel + modules, so we need to cleanly handle a failure to load the modules. + * Don't segfault if unable to load ip_vs module. + In a docker container it isn't possible to load a kernel module. The + check code was detecting that it couldn't load the module, but the + checker process, when cleaning up prior to exiting, was assuming that + certain pointers had been initialised which hadn't been when an error + was detected so early in the initialisation. + This commit adds testing for uninitialised pointers during the exit + sequence. + * Fix releasing malloc'd memory for saved core pattern. + * Fix memory leak when adding iptables entries. + * Handle missing virtual server configuration. + keepalived was segfaulting if a virtual server had no real servers + configured. 
There were also issues of checkers running even if there + was missing essential configuration from a virtual server which meant + it could be set up. The problems were a virtual server group specified + but it didn't exist, a virtual server group with no configuration, and + a virtual server address family not match the address family of a virtual + server group. + * Don't attempt to remove ipsets if ipset handling not initialised. + * Delay initialising IPVS until affter processing configuration. + If IPVS isn't configured, there is not point in loading the ip_vs + module. + * Fix conditional compilation tests for _HAVE_LIBNL3_ + * Make dynamic flag bool. + * Don't report exit status of misc_check scripts. + The result of a change in status from a misc_check script is reported + by the code anyway, so to log any non-zero exit code is superfluous and + annoying. + * Work around conflict between kernel and libipset header files. + ipset copies linux/netfilter/ipset/ip_set.h (and other) header + files, producing local copies that are installed as + libipset/linux_ip_set.h etc as part of the libipset development + package. Unfortunately although the kernel changes the include + guards when processing its source code, ipset does not, and so + the duplicated header files have different include guards. + This patch detects if the include guards don't match, and if so + if linux/netfilter/ipset/ip_set.h is included, it defines the + include guard used by libipset/linux_ip_set.h before the latter is + indirectly included. + * add Dockerfile. + * Fix detecting default script uid/gid. + * Stop segfault when keepalived can't load ip_vs module. + * Add some additional docker support files and add make target docker. + The configuration file installed by make install isn't ideal to run + keepalived with, so add a simple keepalived.conf that will be + installed into the container. + Add make target docker, to build the docker image. 
+ Add docker/README to give some information about building and using + containers (this is mainly so that I don't forget how to the details). + * Remove a line of debugging code. + * Don't complain about keepalived_script user if not needed. + keepalived logged a warning every time if the keepalived_script user + didn't exist. We only need that warning if there is a script that uses + the default user, and an alternative defult user isn't specified. + * Fix relative script path names with embedded spaces. + The space wasn't being restored after resolving the path name. + * Fix memory leak if notify scripts specified multiple times. + * Remove some residual debugging messages. + * Fix memory leak if quorum up/down scripts specified multiple times. + * Use realpath() to canonicalize script names. + * Fix missing PARAMETER_UNSET, which caused the global value of + vrrp_higher_prio_send_advert not to be used for each VRRP instance. + * Remove unused variable introduced in commit 1c5bfa29. + * Fix using virtual server groups following commit 5ca36cb. + * Set address port to be sequence number for virtual server group. + The format_vs() function uses the virtual server address port as + the sequence number of the virtual server instance using the virtual + server group, so we need to set it up. + * Warn if real server has no checkers when alpha mode. + If a virtual server is configured with alpha mode, and a real server + has no checkers, the real server will never be able to be activated, + so generate an appropriate warning. + * Only delete virtual server once if using a virtual server group. + If multiple virtual servers are using a virtual server group, the + virtual servers are defined by the virtual server group, and so they + should only be deleted for the first virtual server using the group. + There is still an issue that the configuration of all virtual servers + using the virtual server group needs to be consistent. 
+ * Add further checks for LVS configuration. + * Document additional scheduling algorithms for IPVS. + * Change virtual_server_t loadbalancing_kind to forwarding_method. + The variable name loadbalancing_kind didn't represent the meaning of + the parameter, so change it to forwarding_method. + * Add fo and ovf scheduling types to SNMP. + * Only check one packet scheduling if supported. + * Add lvs_method per real server. + The lvs_method should be settable for each real server within a + virtual server. This commit maintains existing default behaviour + by using the lvs_method set against the virtual server as the default + for the real servers, but adds the option to configure the lvs_method + individually for each real server. + * Fix type in printing config of scripts. + * Convert some spaces to tabs. + * logger: output timestamps to console logs. + * Optimise handling of config_id in parser. + * Fix some typos. + * prog_type variable doesn't make sense when building a DEBUG version. + The DEBUG version runs everything in a single process, and to the + prog_type variable is meaningless in this case. This commit excludes + the prog_type variable by conditional compilation when building a + DEBUG version. + * Add home, -nodad, mngtmpaddr, noprefixroute, and autojoin address flags. + * Update documentation for commit cc67476. + * Add notify FIFO. + pull requests #568 and #587 and issue #584 have all identified that if + notify scripts are run in close succession, then order if processing of + those scripts is indeterminate, and this is causing systems that are + monitoring the state of vrrp instances to have the wrong state. + There have been various suggestions about how this should be resolved, + principally along the lines that the notify scripts should be run + synchronously, i.e. a notify script should not be run until the previous + notify script completed. 
While this would work, it adds some overhead to + keepalived, which currently does not monitor the exit status of notify + scripts. + There is a further issue with notify scripts that if a large number of + events occur in rapid succession (e.g. due to an interface flapping), this + can cause a large number of child processes to be created very rapidly. + This commit adds an alternative method for external processes receiving + notification of events. Instead of forking a script for each event, keepalived + will write to a named pipe. An external process can then read the pipe to + receive notification of events, and process them appropriately. This is + guaranteed to deliver events in the correct order. It also has the benefit + that there isn't the overhead of forking a child process for each event. + * If can't get local host name, set default router_id to "[unknown]". + Issue #588 reported that keepalived was segfaulting when generating + an SNMP trap in strlen(global_data->router_id), which presumable is + due to global_data->router_id being NULL. As a precaution set + router_id to "[unknown]" if get_local_name() fails". + * Implement SNMP reporting smtpServerPort. + Commit 128cd24 added functionality for specifying smtp server port + and commit bcb09b8a added smtpServerPort to the keepalived MIB, but + no code was added to report the port. This commit adds that functionality. + * Don't use PATH when executing FIFO script. + The path has already been resolved as part of checking the script + security, so there is no need to search the path. + * Log error if unable to execute FIFO notify script. + * Pass FIFO name to notify_fifo_script as parameter. + * Add FIFO notify for LVS notifies. + To match the FIFO notifies for VRRP, this commit adds FIFO notifies + for LVS. There are now three FIFOs available, a global one that + will send output for VRRP and LVS, one for VRRP only and one for + LVS only. 
+ * Fix conditional compilation for --enable-debug + Commit 7947247 attempted to sort out making keepalived work with + --enable-debug, but unfortunately it used the wrong conditional + compilation variable (DEBUG instead of _DEBUG_). This commit + corrects the conditional compilation tests. + * Include protocol in virtual and real server output. + * Stop segfaulting if no script given for a vrrp_script. + * Fix a _DEBUG_ conditional compilation test. + * Fix incorrect expression in clear_services(). + * Fix use htons() instead of ntohs(). + * Fix bad file descriptor error at reload with no virtual servers. + * Delete disabled inhibit servers at reload. + * Add logging to remove sorry server at reload. + * Fix bad file descriptor error at reload with no virtual servers. + * Delete disabled inhibit servers at reload. + * Fix thread_cancel() for timed out threads. + * build: add basic .travis.yml file + * README.md: rename from README. + * build: add build status tag in readme file + All that's needed now, is for user `acassen` to + go to `https://travis-ci.org/` login with the Github + account, import repos from Github, and enable build + for keepalived [a checkbox/button]. + * Set sorry_server's fowarding_method. + * Further fix for thread_cancel() for child timeout threads. + Commit ade3d699 fixed removing read and write timeout threads + from the ready queue when they are cancelled. This commits adds + removing child timeout threads from the ready queue too. + * Fix warnings from ignoring seteuid/setegid return results. + * Fix dynamic linking with early versions of libnl3 without nla_get_s32. + * Updated autoconf files due to autoconf upgrade. + * Fix compiling with namespace collisions in net/if.h and linux.if.h. + * Update travis configuration. + This commit includes the installation of development library + packages, updated kernel header files, using trusty for the builds, + and adding more build options. + * Reinstate distributing (renamed) README.md file. 
+ * More updates for updated automake/autoconf. + * Fix new warnings produced by gcc 7. + * Migrate failed checkers at reload (provisional implementation). + * Implement comparison of checkers. + genhash: libraries to link with should be put in LDADD, not LDFLAGS. + * configure.ac: fixed build on older systems, namely CentOS 6. + Provide AS_VAR_COPY if missing and downgrade autoconf dep to 2.63. + * Fix worng migrate of checker-id. + * Set active if new failed_checkers is empty. + * Fix typo in interface details printing. + * Enable vmacs to work when sysctl net.ipv4.conf.all.rp_filter > 0. + A number of distros now set net.ipv4.conf.all.rp_filter = 1 by default. + This means that when a vrrp instance is in the master state, it cannot + receive adverts sent by a higher priority master, and hence we end up + with 2 masters. + I tried an alternative of receiving on the base interface, but no packets + that have the same source MAC address as an interface on the system + (i.e. the vmac interface) get delivered to the socket. + For distros such as Fedora, RHEL, CentOS, ArchLinux, all.rp_filter = 1 + due to systemd commit + https://github.com/systemd/systemd/commit/1836bf9e1d70240c8079e4db4312309f4f1f91fd + The reason given for the commit is to work around a boot-time race condition + where interfaces created before default.rp_filter is set do not get the + updated default.rp_filter setting, and so the all.rp_filter setting is used + to override the individual interface settings. This doesn't seem the right + solution to the problem, since it prevents any interface running with + rp_filter = 0, and that is what we need for vmacs. I have filed an issue + report for systemd at https://github.com/systemd/systemd/issues/6282, but + in the mean time we need to work around the issue. Ubuntu sets all.rp_filter=1 + in /etc/sysctl.d/10-network-security.conf provided by the procps package. + Debian doesn't set all.rp_filter. 
+ The only solution I have found, and I am not entirely happy with this since + it has effects beyond keepalived and affects the system as a whole, is to set + all.rp_filter = 0. In order to seek not to change the operation of the system, + if default.rp_filter < all.rp_filter, default.rp_filter is set to all.rp_filter, + thereby ensuring that any new interfaces created will take the original value + of all.rp_filter. It then iterates through all existing interfaces, and + {interface}.rp_filter is set to the value of all.rp_filter if + {interface}.rp_filter < all.rp_filter. all.rp_filter is then set to 0. + This means that all interfaces should behave in the same way as before, since + the behaviour of rp_filter is defined by the maximum of + {interface,all}.rp_filter, but we are not able to operate the vmac interfaces + with rp_filter = 0. When keepalived exists, it restores the original settings + of rp_filter if they are the same as what we set them to. + * Only restore rp_filter on interfaces if same as we set them to. + If rp_filter has been altered since we set it, then do not restore + it to the original value. + * Update files for build fix commits. + Commits 2cccc97 and a932cf2 provided fixes for building on CentOS6. + This commit updates genhash/Makefile.in in line with + genhash/Makefile.am and adds a comment to autoconf.ac regarding + when autoconf introduced support of AS_VAR_COPY. + * Fix build error at when _HAVE_IPV4_DEVCONF_ was undefined. + * Remove unnecessary parameter compare. + * Resolve compiler warning introduced by commit 8361b11. + * Remove debugging log messages added in commits 99fe626 and 6ec26e0. + * Fix compiler warning and remove unwanted log messages. + * Make a couple of checker variables non global. + * Correct comparison for checker compare in migrate_failed_checkers. + Commit 2ff6b3f changed the sense of the comparisons of checkers, + but didn't make the corresponding change to checking the result. 
+ * Fix keepalived.doc(5) man page. + * Add virtualhost config for real servers. + Different real servers may want different virtualhost config + settings. The real server virtualhost setting overrides the + virtual server virtualhost setting. + * Allow virtualhost to be specified per checker and per url. + * Fix compiling with SNMP enabled. + * Fix compiler warnings when use configure --enable-conversion-checks. + * Fix an unintentional case fall-through. + gcc 7 identified two case statement fall-throughs. One was intentional, + but the other was a bug. The latter is now fixed, a comment is added + for the former so the warning isn't generated. + * Fix commit cc67476 to allow flags for static and virtual ip addresses. + * Fix handling of more recent ip address flags. + Recent ip address flags have exceeded 8 bits, and so the IFA_FLAGS + attribute needs to be used, rather than the ifa_flags field. + * Fix typo in help. + 2017-03-19 Alexandre Cassen * keepalived-1.3.5 released. * Ensure nopreempt is not set if address owner.
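Review bot: In the "Enable vmacs to work when sysctl net.ipv4.conf.all.rp_filter > 0" entry, the sentence "but we are not able to operate the vmac interfaces with rp_filter = 0" contradicts the rest of the entry, which describes the change as what makes vmacs work, and "When keepalived exists, it restores the original settings" looks like it should read "exits". This entry documents keepalived setting all.rp_filter to 0 for the whole system, so the wording needs to be unambiguous. Suggest correcting both sentences and folding the follow-up entry "Only restore rp_filter on interfaces if same as we set them to" into this one, so an operator reading it sees in one place which sysctls are changed and when they are put back. Smaller points in the same hunk: the release entry is dated 2017-09-15 while the patch header Date is 14 Aug 2017; "Fix bad file descriptor error at reload with no virtual servers." and "Delete disabled inhibit servers at reload." each appear twice; the "genhash: libraries to link with should be put in LDADD, not LDFLAGS." line has no leading "*"; the router_id entry ends with a stray quote after "fails"; and there are typos ("affter", "defult", "worng", "fowarding_method", "linux.if.h").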