Package: keepalived
Version: 1:2.1.5-0.2
Severity: important
Tags: upstream
X-Debbugs-Cc: sebastian.phil...@adfinis.com

Dear Maintainer,

upstream keepalived 2.1 contains a bug which causes unweighted
track_scripts assigned directly to a vrrp_instance to be removed and
unintuitively logged as "script is not used".

The bug is tracked upstream as
https://github.com/acassen/keepalived/issues/1813 and
is fixed in the 2.2 release line.  A patch is available; it is linked
in the upstream issue ticket.  According to an upstream maintainer, this
patch should apply cleanly to 2.1.5.

## Example keepalived configuration

```
global_defs {
        router_id ha01
        enable_script_security
}

vrrp_script check_haproxy {
        script "/usr/bin/killall -0 haproxy"
        interval 1
        weight 0
        user root
}

vrrp_instance vi_haproxy {
        interface enp1s0
        state MASTER
        priority 255
        advert_int 1
        virtual_router_id 42

        virtual_ipaddress {
                fe80::42/64
                2001:db8::42/64
        }

        track_script {
                check_haproxy
        }

}
```

(Yes, I'm aware of vrrp_track_process; this is just an example for
reproducing the issue.)

The example in the upstream bug report uses a configuration with
multiple instances grouped together in a vrrp_sync_group, but the issue
appears with a single vrrp_instance as well.

## Expected behavior

The check script should be applied, regularly executed and vi_haproxy
set to MASTER or FAULT depending on the script outcome.

## Actual behavior

keepalived mistakenly empties out the track_script list; the vi_haproxy
instance then does not have any health checks assigned and will always
be in MASTER state.

On startup, keepalived logs that the script is not used:

```
Oct 26 16:23:04 ha01 Keepalived_vrrp[132483]: Opening file '/etc/keepalived/keepalived.conf'.
Oct 26 16:23:04 ha01 Keepalived_vrrp[132483]: Warning - script check_haproxy is not used
Oct 26 16:23:04 ha01 Keepalived_vrrp[132483]: Registering gratuitous NDISC shared channel
Oct 26 16:23:04 ha01 Keepalived_vrrp[132483]: (vi_haproxy) Entering MASTER STATE
Oct 26 16:23:04 ha01 Keepalived_vrrp[132483]: (vi_haproxy) using locally configured advertisement interval (1000 milli-sec)
```

## Workaround

The upstream maintainer proposes a workaround:  Apply the track_script
to a vrrp_sync_group instead of the vrrp_instance.  In the config
example in the upstream bug report, this is easily done, as sync groups
are already used; however, in this simple case this introduces quite some
overhead, as keepalived doesn't allow sync groups with only one member,
so a second dummy instance is required to use the workaround.

-- System Information:
Debian Release: 11.1
  APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-9-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages keepalived depends on:
ii  init-system-helpers  1.60
ii  iproute2             5.10.0-4
ii  libc6                2.31-13+deb11u2
ii  libglib2.0-0         2.66.8-1
ii  libmnl0              1.0.4-3
ii  libnftnl11           1.1.9-1
ii  libnl-3-200          3.4.0-1+b1
ii  libnl-genl-3-200     3.4.0-1+b1
ii  libpcre2-8-0         10.36-2
ii  libsnmp40            5.9+dfsg-3+b1
ii  libssl1.1            1.1.1k-1+deb11u1

Versions of packages keepalived recommends:
ii  ipvsadm  1:1.31-1+b1

keepalived suggests no packages.

-- no debconf information
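
A check for the failure described under "Actual behavior", added here as an example and not part of the original report or of keepalived: it cross-references the "script ... is not used" warning against the track_script entries in the configuration, so a dropped health check is told apart from a script that really is unreferenced. The function names, the simplified line-based parser and the check_spare script are assumptions; the sample configuration and log are constructed in the report's format.

```python
import re

# Constructed sample config, reduced from the report's example; check_spare is
# an added, genuinely unreferenced script for contrast.
SAMPLE_CONF = """\
vrrp_script check_haproxy {
        script "/usr/bin/killall -0 haproxy"
        weight 0
}
vrrp_script check_spare {
        script "/bin/true"
}
vrrp_instance vi_haproxy {
        track_script {
                check_haproxy
        }
}
"""
# Constructed log: the first line follows the report, the second is invented.
SAMPLE_LOG = """\
Oct 26 16:23:04 ha01 Keepalived_vrrp[132483]: Warning - script check_haproxy is not used
Oct 26 16:23:04 ha01 Keepalived_vrrp[132483]: Warning - script check_spare is not used
"""

UNUSED = re.compile(r"Warning - script (\S+) is not used")

def tracked_scripts(conf_text):
    """Map each script listed in a track_script block to the blocks that list it."""
    stack, refs = [], {}
    for raw in conf_text.splitlines():
        line = re.split(r"[#!]", raw, maxsplit=1)[0].strip()  # drop comments
        if line.endswith("{"):
            stack.append(line[:-1].strip())          # enter a block
        elif line == "}" and stack:
            stack.pop()                              # leave a block
        elif line and len(stack) > 1 and stack[-1] == "track_script":
            refs.setdefault(line.split()[0], []).append(stack[-2])
    return refs

def dropped_checks(conf_text, log_text):
    """Return (script, referencing blocks) for tracked scripts logged as unused."""
    refs = tracked_scripts(conf_text)
    return [(m.group(1), refs[m.group(1)])
            for m in UNUSED.finditer(log_text) if m.group(1) in refs]

if __name__ == "__main__":
    for name, owners in dropped_checks(SAMPLE_CONF, SAMPLE_LOG):
        print(f"health check {name} dropped although tracked by: {', '.join(owners)}")
```
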
