diff options
author | Christian Poessinger <christian@poessinger.com> | 2021-05-15 11:55:03 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2021-05-15 11:55:03 +0200 |
commit | d7f0cbdc102a1186cec80d0ebf29b8f4ef415435 (patch) | |
tree | 41f9a169952b0e47f5a99fcfa7412feeccb55422 | |
parent | 7792b5319695098418de562dad87bbc0fef6d19c (diff) | |
download | vyos-1x-d7f0cbdc102a1186cec80d0ebf29b8f4ef415435.tar.gz vyos-1x-d7f0cbdc102a1186cec80d0ebf29b8f4ef415435.zip |
conntrack: T3535: add keepalived notifications for node transitions
-rw-r--r-- | data/templates/conntrackd/conntrackd.conf.tmpl | 2 | ||||
-rw-r--r-- | data/templates/vrrp/keepalived.conf.tmpl | 7 | ||||
-rw-r--r-- | debian/vyos-1x.install | 1 | ||||
-rwxr-xr-x | src/conf_mode/conntrack_sync.py | 19 | ||||
-rwxr-xr-x | src/helpers/vyos-vrrp-conntracksync.sh | 154 |
5 files changed, 179 insertions, 4 deletions
diff --git a/data/templates/conntrackd/conntrackd.conf.tmpl b/data/templates/conntrackd/conntrackd.conf.tmpl index fdaac7275..1a7b83cc7 100644 --- a/data/templates/conntrackd/conntrackd.conf.tmpl +++ b/data/templates/conntrackd/conntrackd.conf.tmpl @@ -74,7 +74,7 @@ General { Syslog on LockFile /var/lock/conntrack.lock UNIX { - Path /run/conntrackd/conntrackd.ctl + Path /var/run/conntrackd.ctl } NetlinkBufferSize {{ 2 *1024 *1024 }} NetlinkBufferSizeMaxGrowth {{ event_listen_queue_size | int *1024 *1024 }} diff --git a/data/templates/vrrp/keepalived.conf.tmpl b/data/templates/vrrp/keepalived.conf.tmpl index d51522e45..c01101d85 100644 --- a/data/templates/vrrp/keepalived.conf.tmpl +++ b/data/templates/vrrp/keepalived.conf.tmpl @@ -96,9 +96,10 @@ vrrp_sync_group {{ sync_group.name }} { } {% if sync_group.conntrack_sync %} - notify_master "/opt/vyatta/sbin/vyatta-vrrp-conntracksync.sh master {{ sync_group.name }}" - notify_backup "/opt/vyatta/sbin/vyatta-vrrp-conntracksync.sh backup {{ sync_group.name }}" - notify_fault "/opt/vyatta/sbin/vyatta-vrrp-conntracksync.sh fault {{ sync_group.name }}" + {% set vyos_helper = "/usr/libexec/vyos/vyos-vrrp-conntracksync.sh" %} + notify_master "{{ vyos_helper }} master {{ sync_group.name }}" + notify_backup "{{ vyos_helper }} backup {{ sync_group.name }}" + notify_fault "{{ vyos_helper }} fault {{ sync_group.name }}" {% endif %} } diff --git a/debian/vyos-1x.install b/debian/vyos-1x.install index bfc30f7e6..51a1bb38a 100644 --- a/debian/vyos-1x.install +++ b/debian/vyos-1x.install @@ -22,4 +22,5 @@ usr/libexec/vyos/services usr/libexec/vyos/system usr/libexec/vyos/validators usr/libexec/vyos/*.py +usr/libexec/vyos/*.sh usr/share diff --git a/src/conf_mode/conntrack_sync.py b/src/conf_mode/conntrack_sync.py index e0a414745..7f22fa2dd 100755 --- a/src/conf_mode/conntrack_sync.py +++ b/src/conf_mode/conntrack_sync.py @@ -22,7 +22,9 @@ from vyos.configdict import dict_merge from vyos.configverify import verify_interface_exists from vyos.util import call from vyos.util import dict_search +from vyos.util import process_named_running from vyos.util import read_file +from vyos.util import run from vyos.template import render from vyos.template import get_ipv4 from vyos.validate import is_addr_assigned @@ -33,6 +35,11 @@ airbag.enable() config_file = '/run/conntrackd/conntrackd.conf' +def resync_vrrp(): + tmp = run('/usr/libexec/vyos/conf_mode/vrrp.py') + if tmp > 0: + print('ERROR: error restarting VRRP daemon!') + def get_config(config=None): if config: conf = config @@ -99,9 +106,21 @@ def generate(conntrack): def apply(conntrack): if not conntrack: + # Failover mechanism daemon should be indicated that it no longer needs + # to execute conntrackd actions on transition. This is only required + # once when conntrackd is stopped and taken out of service! + if process_named_running('conntrackd'): + resync_vrrp() + call('systemctl stop conntrackd.service') return None + # Failover mechanism daemon should be indicated that it needs to execute + # conntrackd actions on transition. This is only required once when conntrackd + # is started the first time! + if not process_named_running('conntrackd'): + resync_vrrp() + call('systemctl restart conntrackd.service') return None diff --git a/src/helpers/vyos-vrrp-conntracksync.sh b/src/helpers/vyos-vrrp-conntracksync.sh new file mode 100755 index 000000000..4501aa63e --- /dev/null +++ b/src/helpers/vyos-vrrp-conntracksync.sh @@ -0,0 +1,154 @@ +#!/bin/sh +# +# (C) 2008 by Pablo Neira Ayuso <pablo@netfilter.org> +# +# This software may be used and distributed according to the terms +# of the GNU General Public License, incorporated herein by reference. +# +# Description: +# +# This is the script for primary-backup setups for keepalived +# (http://www.keepalived.org). You may adapt it to make it work with other +# high-availability managers. +# +# Modified by : Mohit Mehta <mohit@vyatta.com> +# Slight modifications were made to this script for running with Vyatta +# The original script came from 0.9.14 debian conntrack-tools package +# +# + +CONNTRACKD_BIN=/usr/sbin/conntrackd +CONNTRACKD_LOCK=/var/lock/conntrack.lock +CONNTRACKD_CONFIG=/etc/conntrackd/conntrackd.conf +FACILITY=daemon +LEVEL=notice +TAG=conntrack-tools +LOGCMD="logger -t $TAG -p $FACILITY.$LEVEL" +VRRP_GRP="VRRP sync-group [$2]" +FAILOVER_STATE="/var/run/vyatta-conntrackd-failover-state" + +$LOGCMD "vyatta-vrrp-conntracksync invoked at `date`" + + +if [ ! -e $FAILOVER_STATE ]; then + mkdir -p /var/run + touch $FAILOVER_STATE +fi + +case "$1" in + master) + echo MASTER at `date` > $FAILOVER_STATE + $LOGCMD "`uname -n` transitioning to MASTER state for $VRRP_GRP" + # + # commit the external cache into the kernel table + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c + if [ $? -eq 1 ] + then + $LOGCMD "ERROR: failed to invoke conntrackd -c" + fi + + # + # commit the expect entries to the kernel + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c exp + if [ $? -eq 1 ] + then + $LOGCMD "ERROR: failed to invoke conntrackd -ce exp" + fi + + # + # flush the internal and the external caches + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -f + if [ $? -eq 1 ] + then + $LOGCMD "ERROR: failed to invoke conntrackd -f" + fi + + # + # resynchronize my internal cache to the kernel table + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -R + if [ $? -eq 1 ] + then + $LOGCMD "ERROR: failed to invoke conntrackd -R" + fi + + # + # send a bulk update to backups + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -B + if [ $? -eq 1 ] + then + $LOGCMD "ERROR: failed to invoke conntrackd -B" + fi + ;; + backup) + echo BACKUP at `date` > $FAILOVER_STATE + $LOGCMD "`uname -n` transitioning to BACKUP state for $VRRP_GRP" + # + # is conntrackd running? request some statistics to check it + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -s + if [ $? -eq 1 ] + then + # + # something's wrong, do we have a lock file? + # + if [ -f $CONNTRACKD_LOCK ] + then + $LOGCMD "WARNING: conntrackd was not cleanly stopped." + $LOGCMD "If you suspect that it has crashed:" + $LOGCMD "1) Enable coredumps" + $LOGCMD "2) Try to reproduce the problem" + $LOGCMD "3) Post the coredump to netfilter-devel@vger.kernel.org" + rm -f $CONNTRACKD_LOCK + fi + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -d + if [ $? -eq 1 ] + then + $LOGCMD "ERROR: cannot launch conntrackd" + exit 1 + fi + fi + # + # shorten kernel conntrack timers to remove the zombie entries. + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t + if [ $? -eq 1 ] + then + $LOGCMD "ERROR: failed to invoke conntrackd -t" + fi + + # + # request resynchronization with master firewall replica (if any) + # Note: this does nothing in the alarm approach. + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -n + if [ $? -eq 1 ] + then + $LOGCMD "ERROR: failed to invoke conntrackd -n" + fi + ;; + fault) + echo FAULT at `date` > $FAILOVER_STATE + $LOGCMD "`uname -n` transitioning to FAULT state for $VRRP_GRP" + # + # shorten kernel conntrack timers to remove the zombie entries. + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t + if [ $? -eq 1 ] + then + $LOGCMD "ERROR: failed to invoke conntrackd -t" + fi + ;; + *) + echo UNKNOWN at `date` > $FAILOVER_STATE + $LOGCMD "ERROR: `uname -n` unknown state transition for $VRRP_GRP" + echo "Usage: vyatta-vrrp-conntracksync.sh {master|backup|fault}" + exit 1 + ;; +esac + +exit 0 |