summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2021-05-15 11:55:03 +0200
committerChristian Poessinger <christian@poessinger.com>2021-05-15 11:55:03 +0200
commitd7f0cbdc102a1186cec80d0ebf29b8f4ef415435 (patch)
tree41f9a169952b0e47f5a99fcfa7412feeccb55422
parent7792b5319695098418de562dad87bbc0fef6d19c (diff)
downloadvyos-1x-d7f0cbdc102a1186cec80d0ebf29b8f4ef415435.tar.gz
vyos-1x-d7f0cbdc102a1186cec80d0ebf29b8f4ef415435.zip
conntrack: T3535: add keepalived notifications for node transitions
-rw-r--r--data/templates/conntrackd/conntrackd.conf.tmpl2
-rw-r--r--data/templates/vrrp/keepalived.conf.tmpl7
-rw-r--r--debian/vyos-1x.install1
-rwxr-xr-xsrc/conf_mode/conntrack_sync.py19
-rwxr-xr-xsrc/helpers/vyos-vrrp-conntracksync.sh154
5 files changed, 179 insertions, 4 deletions
diff --git a/data/templates/conntrackd/conntrackd.conf.tmpl b/data/templates/conntrackd/conntrackd.conf.tmpl
index fdaac7275..1a7b83cc7 100644
--- a/data/templates/conntrackd/conntrackd.conf.tmpl
+++ b/data/templates/conntrackd/conntrackd.conf.tmpl
@@ -74,7 +74,7 @@ General {
Syslog on
LockFile /var/lock/conntrack.lock
UNIX {
- Path /run/conntrackd/conntrackd.ctl
+ Path /var/run/conntrackd.ctl
}
NetlinkBufferSize {{ 2 *1024 *1024 }}
NetlinkBufferSizeMaxGrowth {{ event_listen_queue_size | int *1024 *1024 }}
diff --git a/data/templates/vrrp/keepalived.conf.tmpl b/data/templates/vrrp/keepalived.conf.tmpl
index d51522e45..c01101d85 100644
--- a/data/templates/vrrp/keepalived.conf.tmpl
+++ b/data/templates/vrrp/keepalived.conf.tmpl
@@ -96,9 +96,10 @@ vrrp_sync_group {{ sync_group.name }} {
}
{% if sync_group.conntrack_sync %}
- notify_master "/opt/vyatta/sbin/vyatta-vrrp-conntracksync.sh master {{ sync_group.name }}"
- notify_backup "/opt/vyatta/sbin/vyatta-vrrp-conntracksync.sh backup {{ sync_group.name }}"
- notify_fault "/opt/vyatta/sbin/vyatta-vrrp-conntracksync.sh fault {{ sync_group.name }}"
+ {% set vyos_helper = "/usr/libexec/vyos/vyos-vrrp-conntracksync.sh" %}
+ notify_master "{{ vyos_helper }} master {{ sync_group.name }}"
+ notify_backup "{{ vyos_helper }} backup {{ sync_group.name }}"
+ notify_fault "{{ vyos_helper }} fault {{ sync_group.name }}"
{% endif %}
}
diff --git a/debian/vyos-1x.install b/debian/vyos-1x.install
index bfc30f7e6..51a1bb38a 100644
--- a/debian/vyos-1x.install
+++ b/debian/vyos-1x.install
@@ -22,4 +22,5 @@ usr/libexec/vyos/services
usr/libexec/vyos/system
usr/libexec/vyos/validators
usr/libexec/vyos/*.py
+usr/libexec/vyos/*.sh
usr/share
diff --git a/src/conf_mode/conntrack_sync.py b/src/conf_mode/conntrack_sync.py
index e0a414745..7f22fa2dd 100755
--- a/src/conf_mode/conntrack_sync.py
+++ b/src/conf_mode/conntrack_sync.py
@@ -22,7 +22,9 @@ from vyos.configdict import dict_merge
from vyos.configverify import verify_interface_exists
from vyos.util import call
from vyos.util import dict_search
+from vyos.util import process_named_running
from vyos.util import read_file
+from vyos.util import run
from vyos.template import render
from vyos.template import get_ipv4
from vyos.validate import is_addr_assigned
@@ -33,6 +35,11 @@ airbag.enable()
config_file = '/run/conntrackd/conntrackd.conf'
+def resync_vrrp():
+ tmp = run('/usr/libexec/vyos/conf_mode/vrrp.py')
+ if tmp > 0:
+ print('ERROR: error restarting VRRP daemon!')
+
def get_config(config=None):
if config:
conf = config
@@ -99,9 +106,21 @@ def generate(conntrack):
def apply(conntrack):
if not conntrack:
+ # Failover mechanism daemon should be indicated that it no longer needs
+ # to execute conntrackd actions on transition. This is only required
+ # once when conntrackd is stopped and taken out of service!
+ if process_named_running('conntrackd'):
+ resync_vrrp()
+
call('systemctl stop conntrackd.service')
return None
+ # Failover mechanism daemon should be indicated that it needs to execute
+ # conntrackd actions on transition. This is only required once when conntrackd
+ # is started the first time!
+ if not process_named_running('conntrackd'):
+ resync_vrrp()
+
call('systemctl restart conntrackd.service')
return None
diff --git a/src/helpers/vyos-vrrp-conntracksync.sh b/src/helpers/vyos-vrrp-conntracksync.sh
new file mode 100755
index 000000000..4501aa63e
--- /dev/null
+++ b/src/helpers/vyos-vrrp-conntracksync.sh
@@ -0,0 +1,154 @@
+#!/bin/sh
+#
+# (C) 2008 by Pablo Neira Ayuso <pablo@netfilter.org>
+#
+# This software may be used and distributed according to the terms
+# of the GNU General Public License, incorporated herein by reference.
+#
+# Description:
+#
+# This is the script for primary-backup setups for keepalived
+# (http://www.keepalived.org). You may adapt it to make it work with other
+# high-availability managers.
+#
+# Modified by : Mohit Mehta <mohit@vyatta.com>
+# Slight modifications were made to this script for running with Vyatta
+# The original script came from 0.9.14 debian conntrack-tools package
+#
+#
+
+CONNTRACKD_BIN=/usr/sbin/conntrackd
+CONNTRACKD_LOCK=/var/lock/conntrack.lock
+CONNTRACKD_CONFIG=/etc/conntrackd/conntrackd.conf
+FACILITY=daemon
+LEVEL=notice
+TAG=conntrack-tools
+LOGCMD="logger -t $TAG -p $FACILITY.$LEVEL"
+VRRP_GRP="VRRP sync-group [$2]"
+FAILOVER_STATE="/var/run/vyatta-conntrackd-failover-state"
+
+$LOGCMD "vyatta-vrrp-conntracksync invoked at `date`"
+
+
+if [ ! -e $FAILOVER_STATE ]; then
+ mkdir -p /var/run
+ touch $FAILOVER_STATE
+fi
+
+case "$1" in
+ master)
+ echo MASTER at `date` > $FAILOVER_STATE
+ $LOGCMD "`uname -n` transitioning to MASTER state for $VRRP_GRP"
+ #
+ # commit the external cache into the kernel table
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c
+ if [ $? -eq 1 ]
+ then
+ $LOGCMD "ERROR: failed to invoke conntrackd -c"
+ fi
+
+ #
+ # commit the expect entries to the kernel
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c exp
+ if [ $? -eq 1 ]
+ then
+ $LOGCMD "ERROR: failed to invoke conntrackd -ce exp"
+ fi
+
+ #
+ # flush the internal and the external caches
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -f
+ if [ $? -eq 1 ]
+ then
+ $LOGCMD "ERROR: failed to invoke conntrackd -f"
+ fi
+
+ #
+ # resynchronize my internal cache to the kernel table
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -R
+ if [ $? -eq 1 ]
+ then
+ $LOGCMD "ERROR: failed to invoke conntrackd -R"
+ fi
+
+ #
+ # send a bulk update to backups
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -B
+ if [ $? -eq 1 ]
+ then
+ $LOGCMD "ERROR: failed to invoke conntrackd -B"
+ fi
+ ;;
+ backup)
+ echo BACKUP at `date` > $FAILOVER_STATE
+ $LOGCMD "`uname -n` transitioning to BACKUP state for $VRRP_GRP"
+ #
+ # is conntrackd running? request some statistics to check it
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -s
+ if [ $? -eq 1 ]
+ then
+ #
+ # something's wrong, do we have a lock file?
+ #
+ if [ -f $CONNTRACKD_LOCK ]
+ then
+ $LOGCMD "WARNING: conntrackd was not cleanly stopped."
+ $LOGCMD "If you suspect that it has crashed:"
+ $LOGCMD "1) Enable coredumps"
+ $LOGCMD "2) Try to reproduce the problem"
+ $LOGCMD "3) Post the coredump to netfilter-devel@vger.kernel.org"
+ rm -f $CONNTRACKD_LOCK
+ fi
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -d
+ if [ $? -eq 1 ]
+ then
+ $LOGCMD "ERROR: cannot launch conntrackd"
+ exit 1
+ fi
+ fi
+ #
+ # shorten kernel conntrack timers to remove the zombie entries.
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
+ if [ $? -eq 1 ]
+ then
+ $LOGCMD "ERROR: failed to invoke conntrackd -t"
+ fi
+
+ #
+ # request resynchronization with master firewall replica (if any)
+ # Note: this does nothing in the alarm approach.
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -n
+ if [ $? -eq 1 ]
+ then
+ $LOGCMD "ERROR: failed to invoke conntrackd -n"
+ fi
+ ;;
+ fault)
+ echo FAULT at `date` > $FAILOVER_STATE
+ $LOGCMD "`uname -n` transitioning to FAULT state for $VRRP_GRP"
+ #
+ # shorten kernel conntrack timers to remove the zombie entries.
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
+ if [ $? -eq 1 ]
+ then
+ $LOGCMD "ERROR: failed to invoke conntrackd -t"
+ fi
+ ;;
+ *)
+ echo UNKNOWN at `date` > $FAILOVER_STATE
+ $LOGCMD "ERROR: `uname -n` unknown state transition for $VRRP_GRP"
+ echo "Usage: vyatta-vrrp-conntracksync.sh {master|backup|fault}"
+ exit 1
+ ;;
+esac
+
+exit 0