#!/usr/bin/env python3 # # Copyright (C) 2018-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import os import time from sys import exit from ipaddress import ip_interface from ipaddress import IPv4Interface from ipaddress import IPv6Interface from vyos.base import Warning from vyos.config import Config from vyos.configdict import leaf_node_changed from vyos.ifconfig.vrrp import VRRP from vyos.template import render from vyos.template import is_ipv4 from vyos.template import is_ipv6 from vyos.utils.network import is_ipv6_tentative from vyos.utils.process import call from vyos import ConfigError from vyos import airbag airbag.enable() systemd_override = r'/run/systemd/system/keepalived.service.d/10-override.conf' def get_config(config=None): if config: conf = config else: conf = Config() base = ['high-availability'] if not conf.exists(base): return None ha = conf.get_config_dict(base, key_mangling=('-', '_'), no_tag_node_value_mangle=True, get_first_key=True, with_defaults=True) ## Get the sync group used for conntrack-sync conntrack_path = ['service', 'conntrack-sync', 'failover-mechanism', 'vrrp', 'sync-group'] if conf.exists(conntrack_path): ha['conntrack_sync_group'] = conf.return_value(conntrack_path) if leaf_node_changed(conf, base + ['vrrp', 'snmp']): ha.update({'restart_required': {}}) return ha def verify(ha): if not ha or 'disable' in ha: return None used_vrid_if = [] if 'vrrp' in ha and 'group' in ha['vrrp']: for group, group_config in ha['vrrp']['group'].items(): # Check required fields if 'vrid' not in group_config: raise ConfigError(f'VRID is required but not set in VRRP group "{group}"') if 'interface' not in group_config: raise ConfigError(f'Interface is required but not set in VRRP group "{group}"') if 'address' not in group_config: raise ConfigError(f'Virtual IP address is required but not set in VRRP group "{group}"') if 'authentication' in group_config: if not {'password', 'type'} <= set(group_config['authentication']): raise ConfigError(f'Authentication requires both type and passwortd to be set in VRRP group "{group}"') if 'health_check' in group_config: health_check_types = ["script", "ping"] from vyos.utils.dict import check_mutually_exclusive_options try: check_mutually_exclusive_options(group_config["health_check"], health_check_types, required=True) except ValueError: Warning(f'Health check configuration for VRRP group "{group}" will remain unused ' \ f'until it has one of the following options: {health_check_types}') # XXX: health check has default options so we need to remove it # to avoid generating useless config statements in keepalived.conf del group_config["health_check"] # Keepalived doesn't allow mixing IPv4 and IPv6 in one group, so we mirror that restriction # We also need to make sure VRID is not used twice on the same interface with the # same address family. interface = group_config['interface'] vrid = group_config['vrid'] # XXX: filter on map object is destructive, so we force it to list. # Additionally, filter objects always evaluate to True, empty or not, # so we force them to lists as well. vaddrs = list(map(lambda i: ip_interface(i), group_config['address'])) vaddrs4 = list(filter(lambda x: isinstance(x, IPv4Interface), vaddrs)) vaddrs6 = list(filter(lambda x: isinstance(x, IPv6Interface), vaddrs)) if vaddrs4 and vaddrs6: raise ConfigError(f'VRRP group "{group}" mixes IPv4 and IPv6 virtual addresses, this is not allowed.\n' \ 'Create individual groups for IPv4 and IPv6!') if vaddrs4: tmp = {'interface': interface, 'vrid': vrid, 'ipver': 'IPv4'} if tmp in used_vrid_if: raise ConfigError(f'VRID "{vrid}" can only be used once on interface "{interface} with address family IPv4"!') used_vrid_if.append(tmp) if 'hello_source_address' in group_config: if is_ipv6(group_config['hello_source_address']): raise ConfigError(f'VRRP group "{group}" uses IPv4 but hello-source-address is IPv6!') if 'peer_address' in group_config: if is_ipv6(group_config['peer_address']): raise ConfigError(f'VRRP group "{group}" uses IPv4 but peer-address is IPv6!') if vaddrs6: tmp = {'interface': interface, 'vrid': vrid, 'ipver': 'IPv6'} if tmp in used_vrid_if: raise ConfigError(f'VRID "{vrid}" can only be used once on interface "{interface} with address family IPv6"!') used_vrid_if.append(tmp) if 'hello_source_address' in group_config: if is_ipv4(group_config['hello_source_address']): raise ConfigError(f'VRRP group "{group}" uses IPv6 but hello-source-address is IPv4!') if 'peer_address' in group_config: if is_ipv4(group_config['peer_address']): raise ConfigError(f'VRRP group "{group}" uses IPv6 but peer-address is IPv4!') # Check sync groups if 'vrrp' in ha and 'sync_group' in ha['vrrp']: for sync_group, sync_config in ha['vrrp']['sync_group'].items(): if 'member' in sync_config: for member in sync_config['member']: if member not in ha['vrrp']['group']: raise ConfigError(f'VRRP sync-group "{sync_group}" refers to VRRP group "{member}", '\ 'but it does not exist!') # Virtual-server if 'virtual_server' in ha: for vs, vs_config in ha['virtual_server'].items(): if 'address' not in vs_config and 'fwmark' not in vs_config: raise ConfigError('Either address or fwmark is required ' f'but not set for virtual-server "{vs}"') if 'port' not in vs_config and 'fwmark' not in vs_config: raise ConfigError(f'Port or fwmark is required but not set for virtual-server "{vs}"') if 'port' in vs_config and 'fwmark' in vs_config: raise ConfigError(f'Cannot set both port and fwmark for virtual-server "{vs}"') if 'real_server' not in vs_config: raise ConfigError(f'Real-server ip is required but not set for virtual-server "{vs}"') # Real-server for rs, rs_config in vs_config['real_server'].items(): if 'port' not in rs_config: raise ConfigError(f'Port is required but not set for virtual-server "{vs}" real-server "{rs}"') def generate(ha): if not ha or 'disable' in ha: if os.path.isfile(systemd_override): os.unlink(systemd_override) return None render(VRRP.location['config'], 'high-availability/keepalived.conf.j2', ha) render(systemd_override, 'high-availability/10-override.conf.j2', ha) return None def apply(ha): service_name = 'keepalived.service' call('systemctl daemon-reload') if not ha or 'disable' in ha: call(f'systemctl stop {service_name}') return None # Check if IPv6 address is tentative T5533 for group, group_config in ha.get('vrrp', {}).get('group', {}).items(): if 'hello_source_address' in group_config: if is_ipv6(group_config['hello_source_address']): ipv6_address = group_config['hello_source_address'] interface = group_config['interface'] checks = 20 interval = 0.1 for _ in range(checks): if is_ipv6_tentative(interface, ipv6_address): time.sleep(interval) systemd_action = 'reload-or-restart' if 'restart_required' in ha: systemd_action = 'restart' call(f'systemctl {systemd_action} {service_name}') return None if __name__ == '__main__': try: c = get_config() verify(c) generate(c) apply(c) except ConfigError as e: print(e) exit(1)