author | Mohit Mehta <mohit.mehta@vyatta.com> | 2010-05-28 16:29:44 -0700 |
---|---|---|
committer | Mohit Mehta <mohit.mehta@vyatta.com> | 2010-05-28 16:29:44 -0700 |
commit | 2a15f2562595b692f7a6fb547db78be6d26e78ce (patch) | |
tree | 2e624a3b9384fc16b5f9e8ec376207d2e9d4b990 | |
parent | b4ee47b5e9ef779a7d59bb642fbd01da410f4ee5 (diff) | |
download | vyatta-cluster-2a15f2562595b692f7a6fb547db78be6d26e78ce.tar.gz vyatta-cluster-2a15f2562595b692f7a6fb547db78be6d26e78ce.zip |
make clustering work with conntrack-sync
-rw-r--r-- | Makefile.am | 2 | ||||
-rw-r--r-- | etc/init.d/primary-secondary | 121 | ||||
-rw-r--r-- | lib/Vyatta/Cluster/Config.pm | 43 | ||||
-rwxr-xr-x | scripts/vyatta-update-cluster.pl | 26 | ||||
-rw-r--r-- | templates-cfg/cluster/monitor-dead-interval/node.def | 3 |
5 files changed, 182 insertions, 13 deletions
diff --git a/Makefile.am b/Makefile.am index bec9339..8a8c1ea 100644 --- a/Makefile.am +++ b/Makefile.am @@ -3,12 +3,14 @@ opdir = $(datadir)/vyatta-op/templates share_perl5dir = $(datadir)/perl5/Vyatta/Cluster curverdir = $(sysconfdir)/config-migrate/current +etc_initdir = /etc/init.d/ etc_ha_resourcedir = /etc/ha.d/resource.d lib_ocf_resourcedir = /usr/lib/ocf/resource.d/heartbeat sbin_SCRIPTS = scripts/vyatta-update-cluster.pl sbin_SCRIPTS += scripts/vyatta-show-cluster.pl +etc_init_SCRIPTS = etc/init.d/primary-secondary share_perl5_DATA = lib/Vyatta/Cluster/Config.pm curver_DATA = cfg-version/cluster@1 diff --git a/etc/init.d/primary-secondary b/etc/init.d/primary-secondary new file mode 100644 index 0000000..151fb82 --- /dev/null +++ b/etc/init.d/primary-secondary 
@@ -0,0 +1,121 @@
+#!/bin/sh
+#
+# (C) 2008 by Pablo Neira Ayuso <pablo@netfilter.org>
+#
+# This software may be used and distributed according to the terms
+# of the GNU General Public License, incorporated herein by reference.
+#
+# Description:
+#
+# This is the script for primary-backup setups for keepalived
+# (http://www.keepalived.org). You may adapt it to make it work with other
+# high-availability managers.
+#
+# Modified by : Mohit Mehta <mohit@vyatta.com>
+# Slight modifications were made to this script for running with heartbeat
+# The original script came from 0.9.14 debian conntrack-tools package
+#
+
+CONNTRACKD_BIN=/usr/sbin/conntrackd
+CONNTRACKD_LOCK=/var/lock/conntrack.lock
+CONNTRACKD_CONFIG=/etc/conntrackd/conntrackd.conf
+FACILITY=daemon
+LEVEL=notice
+TAG=conntrack-tools
+LOGCMD="logger -t $TAG -p $FACILITY.$LEVEL"
+
+$LOGCMD "primary-secondary invoked at `date`"
+
+case "$1" in
+ start)
+ $LOGCMD "`uname -n` transitioning to PRIMARY"
+ #
+ # commit the external cache into the kernel table
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c
+ if [ $? -eq 1 ]
+ then
+ $LOGCMD "ERROR: failed to invoke conntrackd -c"
+ fi
+
+ #
+ # flush the internal and the external caches
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -f
+ if [ $? -eq 1 ]
+ then
+ $LOGCMD "ERROR: failed to invoke conntrackd -f"
+ fi
+
+ #
+ # resynchronize my internal cache to the kernel table
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -R
+ if [ $? -eq 1 ]
+ then
+ $LOGCMD "ERROR: failed to invoke conntrackd -R"
+ fi
+
+ #
+ # send a bulk update to secondaries
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -B
+ if [ $? -eq 1 ]
+ then
+ $LOGCMD "ERROR: failed to invoke conntrackd -B"
+ fi
+ ;;
+ stop)
+ $LOGCMD "`uname -n` transitioning to SECONDARY"
+ #
+ # is conntrackd running? request some statistics to check it
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -s
+ if [ $? -eq 1 ]
+ then
+ #
+ # something's wrong, do we have a lock file?
+ #
+ if [ -f $CONNTRACKD_LOCK ]
+ then
+ $LOGCMD "WARNING: conntrackd was not cleanly stopped."
+ $LOGCMD "If you suspect that it has crashed:"
+ $LOGCMD "1) Enable coredumps"
+ $LOGCMD "2) Try to reproduce the problem"
+ $LOGCMD "3) Post the coredump to netfilter-devel@vger.kernel.org"
+ rm -f $CONNTRACKD_LOCK
+ fi
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -d
+ if [ $? -eq 1 ]
+ then
+ $LOGCMD "ERROR: cannot launch conntrackd"
+ exit 1
+ fi
+ fi
+ #
+ # shorten kernel conntrack timers to remove the zombie entries.
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
+ if [ $? -eq 1 ]
+ then
+ $LOGCMD "ERROR: failed to invoke conntrackd -t"
+ fi
+
+ #
+ # request resynchronization with master firewall replica (if any)
+ # Note: this does nothing in the alarm approach.
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -n
+ if [ $? -eq 1 ]
+ then
+ $LOGCMD "ERROR: failed to invoke conntrackd -n"
+ fi
+ ;;
+ *)
+ $LOGCMD "ERROR: `uname -n` unknown state transition"
+ echo "Usage: primary-secondary {start|stop}"
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/lib/Vyatta/Cluster/Config.pm b/lib/Vyatta/Cluster/Config.pm
index 57032a8..851f416 100644
--- a/lib/Vyatta/Cluster/Config.pm
+++ b/lib/Vyatta/Cluster/Config.pm
@@ -5,7 +5,6 @@ use lib "/opt/vyatta/share/perl5"; use Vyatta::Config; my $DEFAULT_INITDEAD = 30000; -my $DEFAULT_DEADPING = 30000; my $MIN_DEAD = 300; my $MIN_KEEP = 100; my $DEFAULT_LOG_FACILITY = 'daemon';
@@ -20,13 +19,14 @@ my $DEFAULT_TTL = '1'; my $HA_WATCHLINK_ID = 'ha'; my %fields = ( - _interface => undef, - _mcast_grp => undef, - _pre_shared => undef, - _keepalive_itvl => undef, - _dead_itvl => undef, - _groups => {}, - _is_empty => 1, + _interface => undef, + _mcast_grp => undef, + _pre_shared => undef, + _keepalive_itvl => undef, + _dead_itvl => undef, + _monitor_dead_itvl => undef, + _groups => {}, + _is_empty => 1, ); sub new {
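Review bot: Each `if [ $? -eq 1 ]` test in the start and stop branches of primary-secondary treats only exit status 1 as a failure, so any other non-zero status from conntrackd (127 when the binary is missing, or a signal exit) is neither logged nor acted on. During a transition to PRIMARY this means a failed `-c` commit can leave the kernel table without the synchronised flows while the script still reaches `exit 0` with nothing in the log. Testing the command directly, `if ! $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c; then`, or comparing with `[ $? -ne 0 ]`, covers every failure status; the same applies to the `-f`, `-R`, `-B`, `-s`, `-d`, `-t` and `-n` calls.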
@@ -59,6 +59,7 @@ sub setup { $self->{_pre_shared} = $config->returnValue("pre-shared-secret"); $self->{_keepalive_itvl} = $config->returnValue("keepalive-interval"); $self->{_dead_itvl} = $config->returnValue("dead-interval"); + $self->{_monitor_dead_itvl} = $config->returnValue("monitor-dead-interval"); $config->setLevel("$level group"); my @groups = $config->listNodes(); @@ -99,6 +100,7 @@ sub setupOrig { $self->{_pre_shared} = $config->returnOrigValue("pre-shared-secret"); $self->{_keepalive_itvl} = $config->returnOrigValue("keepalive-interval"); $self->{_dead_itvl} = $config->returnOrigValue("dead-interval"); + $self->{_monitor_dead_itvl} = $config->returnOrigValue("monitor-dead-interval"); $config->setLevel("$level group"); my @groups = $config->listOrigNodes(); @@ -206,6 +208,7 @@ sub ha_cf { my $kitvl = $self->{_keepalive_itvl}; my $ditvl = $self->{_dead_itvl}; + my $mditvl = $self->{_monitor_dead_itvl}; my $hashref = $self->{_groups}->{$groups[0]}; my $primary = $hashref->{_primary}; @@ -219,6 +222,7 @@ sub ha_cf { return (undef, "heartbeat interface(s) not defined") if ($interfaces eq ""); return (undef, "keepalive interval not defined") if (!defined($kitvl)); return (undef, "dead interval not defined") if (!defined($ditvl)); + return (undef, "monitor dead interval not defined") if (!defined($mditvl)); return (undef, "cluster primary system not defined") if (!defined($primary)); return (undef, "cluster secondary node(s) not defined") 
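Review bot: The added `return (undef, "monitor dead interval not defined") if (!defined($mditvl));` in ha_cf makes the new node mandatory, while the first hunk of this file removes the `$DEFAULT_DEADPING` fallback. Whether `returnValue("monitor-dead-interval")` yields the template default for a configuration saved before this commit is not visible here; if it returns undef, an upgraded system could no longer generate ha.cf. A fallback before the check, such as `$mditvl = 20000 if (!defined($mditvl));` (the default given in node.def) or a retained constant, would keep such configurations working. ha_cf starts and ends outside these hunks.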
@@ -229,15 +233,24 @@ sub ha_cf { "dead interval must be at least $MIN_DEAD milliseconds") if ($ditvl < $MIN_DEAD); return (undef, + "monitor dead interval must be at least $MIN_DEAD milliseconds") + if ($mditvl < $MIN_DEAD); + return (undef, "keepalive interval must be at least $MIN_KEEP milliseconds") if ($kitvl < $MIN_KEEP); return (undef, "dead interval must be more than twice the keepalive interval") if ($ditvl <= (2 * $kitvl)); return (undef, + "monitor dead interval must be more than twice the keepalive interval") + if ($mditvl <= (2 * $kitvl)); + return (undef, "dead interval must be smaller than $DEFAULT_INITDEAD milliseconds") if ($ditvl >= $DEFAULT_INITDEAD); return (undef, + "monitor dead interval must be smaller than $DEFAULT_INITDEAD milliseconds") + if ($mditvl >= $DEFAULT_INITDEAD); + return (undef, "the current node '$my_name' is not defined in the configuration") if (($my_name ne $primary) && ($my_name ne $secondaries[0])); @@ -260,7 +273,7 @@ keepalive ${kitvl}ms deadtime ${ditvl} warntime ${wtime}ms initdead ${DEFAULT_INITDEAD}ms -deadping ${DEFAULT_DEADPING}ms +deadping ${mditvl}ms logfacility $DEFAULT_LOG_FACILITY ${interfaces}auto_failback $auto_failback node $primary $secondaries[0]$monitor_str @@ -318,7 +331,7 @@ sub isValidService { } sub haresources { - my ($self) = @_; + my ($self, $conntrackd_service) = @_; my @groups = keys %{$self->{_groups}}; return (undef, "no resource group defined") if ($#groups < 0); return (undef, "using multiple resource groups is not supported yet") 
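Review bot: The new check `if ($mditvl >= $DEFAULT_INITDEAD)` rejects 30000 ms, which is the value `deadping` was hard-coded to before this commit through `$DEFAULT_DEADPING`, so the previous behaviour can no longer be configured. If that is intended, a comment above the check such as `# deadping must stay below initdead` would record why; otherwise `>` would keep the old value valid. The three added checks also repeat the dead-interval checks line for line, so a small private helper taking the label and the value would keep the two sets from drifting apart.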
@@ -358,6 +371,15 @@ sub haresources { return (undef, "cluster primary system not defined") if (!defined($primary)); return (undef, "cluster service(s) not defined") if ($services eq ""); + + # check if conntrack-sync is configured to use clustering + my $config = new Vyatta::Config; + $config->setLevel('service conntrack-sync failover-mechanism'); + my @nodes = $config->listOrigPlusComNodes(); + if (grep(/^cluster$/, @nodes)) { + $conntrackd_service = "primary-secondary"; + } + $services = join " ", ($services, "$conntrackd_service") if defined $conntrackd_service; my $str =<<EOS; $primary $services EOS @@ -372,6 +394,7 @@ sub print_str { $str .= "\n pre-shared-secret $self->{_pre_shared}"; $str .= "\n keepalive-interval $self->{_keepalive_itvl}"; $str .= "\n dead-interval $self->{_dead_itvl}"; + $str .= "\n monitor-dead-interval $self->{_monitor_dead_itvl}"; my $group; foreach $group (keys %{$self->{_groups}}) { $str .= "\n group $group"; diff --git a/scripts/vyatta-update-cluster.pl b/scripts/vyatta-update-cluster.pl index ddce2f2..b8c22bf 100755 --- a/scripts/vyatta-update-cluster.pl +++ b/scripts/vyatta-update-cluster.pl @@ -1,5 +1,6 @@ #!/usr/bin/perl +use Getopt::Long; use strict; use lib "/opt/vyatta/share/perl5"; use Vyatta::Cluster::Config; 
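Review bot: `$conntrackd_service` reaches the haresources line in `$services = join " ", ($services, "$conntrackd_service")` without any check, although it originates from the `--conntrackd_service` command-line option of scripts/vyatta-update-cluster.pl (changed later in this commit). Heartbeat runs the entries of that line as resource scripts, so a value containing whitespace or a newline would add extra resources or lines; the configured services appear to go through isValidService, which is not visible in this hunk. A guard before the join, such as `return (undef, "invalid conntrackd service") if defined($conntrackd_service) && $conntrackd_service !~ /\A[\w-]+\z/;`, would keep the generated file well-formed. The silent overwrite of the argument with `"primary-secondary"` when conntrack-sync uses clustering also deserves a one-line comment saying which source wins.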
@@ -8,13 +9,28 @@ my $HA_DIR = "/etc/ha.d"; my $HA_INIT = "/etc/init.d/heartbeat"; my $SERVICE_DIR = "/etc/init.d"; +my $conntrackd_service = undef; +GetOptions("conntrackd_service=s" => \$conntrackd_service, +); + my $config = new Vyatta::Cluster::Config; $config->setup("cluster"); if ($config->isEmpty()) { + + # check if conntrack-sync is using clustering as failover-mechanism + my $vconfig = new Vyatta::Config; + $vconfig->setLevel('service conntrack-sync failover-mechanism'); + my @nodes = $vconfig->listNodes(); + if (grep(/^cluster$/, @nodes)) { + print STDERR "cluster is being used as failover-mechanism in conntrack-sync\n"; + exit 1; + } + # config is empty => deleted. # shutdown clustering. - system("$HA_INIT stop"); - + print "Stopping clustering..."; + system("$HA_INIT stop >&/dev/null"); + print " Done\n"; exit 0; } @@ -22,7 +38,11 @@ my ($authkeys, $haresources, $ha_cf, $err, @init_services); while (1) { ($authkeys, $err) = $config->authkeys(); last if (!defined($authkeys)); - ($haresources, $err, @init_services) = $config->haresources(); + if (defined $conntrackd_service) { + ($haresources, $err, @init_services) = $config->haresources("$conntrackd_service") if defined $conntrackd_service; + } else { + ($haresources, $err, @init_services) = $config->haresources(); + } last if (!defined($haresources)); ($ha_cf, $err) = $config->ha_cf(); last; diff --git a/templates-cfg/cluster/monitor-dead-interval/node.def b/templates-cfg/cluster/monitor-dead-interval/node.def new file mode 100644 index 0000000..c898021 --- /dev/null +++ b/templates-cfg/cluster/monitor-dead-interval/node.def @@ -0,0 +1,3 @@ +type: u32 +help: Set how long until a monitor node is considered dead (milliseconds) +default: 20000 |
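Review bot: `system("$HA_INIT stop >&/dev/null");` relies on the bash-style `>&file` redirection and ignores the exit status, so where /bin/sh is a strict POSIX shell the stop command may not run at all while the script still prints " Done" and exits 0. The portable form with a status check is `system("$HA_INIT stop >/dev/null 2>&1") == 0 or print STDERR "failed to stop clustering\n";`. The return value of `GetOptions(...)` is likewise unchecked, so an unrecognised option does not stop the script; `GetOptions(...) or exit 1;` would.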
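Review bot: In the `while (1)` loop the `if (defined $conntrackd_service)` branch repeats its own condition as a statement modifier and quotes the variable needlessly. As far as the haresources hunks show, an undefined second argument already means "no extra service", so the whole if/else can be the single call `($haresources, $err, @init_services) = $config->haresources($conntrackd_service);`. That removes two code paths that have to be kept in step.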