Thanks for the fix Benoît.

The upstream fix is attached; it's a one-line YAML fix to
openstack-ansible's keepalived configuration. The fix looks straightforward
enough, though this bug will need a test case described to reproduce the
fault, esp. if this needs to be SRU'd to bionic or other stable releases.

** Changed in: keepalived (Ubuntu)
   Importance: Undecided => High

** Changed in: keepalived (Ubuntu)
   Status: New => Triaged

** Patch added: "0001-Set-Keepalived-script_user-to-root.patch"
   https://bugs.launchpad.net/ubuntu/+source/keepalived/+bug/1806004/+attachment/5308273/+files/0001-Set-Keepalived-script_user-to-root.patch

--
You received this bug notification because you are a member of Ubuntu
High Availability Team, which is subscribed to keepalived in Ubuntu.
https://bugs.launchpad.net/bugs/1806004

Title:
  Keepalived scripts are not getting executed

Status in openstack-ansible:
  Fix Released
Status in keepalived package in Ubuntu:
  Triaged

Bug description:

After deploying OpenStack Ansible 18.1.0 on Ubuntu 18.04, I noticed
the following Keepalived logs:

    root@controller-dc1r02n01:~# journalctl -eu keepalived.service
    Nov 28 11:11:39 controller-dc1r02n01 systemd[1]: Starting Keepalive Daemon (LVS and VRRP)...
    Nov 28 11:11:39 controller-dc1r02n01 Keepalived[24979]: Starting Keepalived v1.3.9 (10/21,2017)
    Nov 28 11:11:39 controller-dc1r02n01 Keepalived[24979]: Opening file '/etc/keepalived/keepalived.conf'.
    Nov 28 11:11:39 controller-dc1r02n01 systemd[1]: Started Keepalive Daemon (LVS and VRRP).
    Nov 28 11:11:39 controller-dc1r02n01 Keepalived[24980]: Starting Healthcheck child process, pid=24981
    Nov 28 11:11:39 controller-dc1r02n01 Keepalived_healthcheckers[24981]: Opening file '/etc/keepalived/keepalived.conf'.
    Nov 28 11:11:39 controller-dc1r02n01 Keepalived[24980]: Starting VRRP child process, pid=24982
    Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: Registering Kernel netlink reflector
    Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: Registering Kernel netlink command channel
    Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: Registering gratuitous ARP shared channel
    Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: Opening file '/etc/keepalived/keepalived.conf'.
    Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: WARNING - default user 'keepalived_script' for script execution does not exist - please create.
    Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: Failed to set default user for notify script /etc/keepalived/haproxy_notify.sh - ignoring
    Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: Unable to set default user for vrrp script haproxy_check_script - removing
    Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: Unable to set default user for vrrp script pingable_check_script - removing
    Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: Truncating auth_pass to 8 characters
    Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: (internal): track script haproxy_check_script not found, ignoring...
    Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: (internal): track script pingable_check_script not found, ignoring...
    Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: Truncating auth_pass to 8 characters
    Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: (external): track script haproxy_check_script not found, ignoring...
    Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: (external): track script pingable_check_script not found, ignoring...

None of the check scripts are getting executed because the
keepalived_script user doesn't exist on the system, and in any case,
the haproxy_check_script (which is "/bin/kill -0 `cat
/var/run/haproxy.pid`") needs to run as root.

The keepalived.conf man page says that "If [script_user] is not
specified, the user defaults to keepalived_script if that user exists,
otherwise root", but it doesn't seem to fall back to root in this case
(maybe because of enable_script_security, but it's only supposed to
prevent scripts from running as root if part of the path is writable
by non-root, which isn't the case here).

Anyway, setting

    keepalived_global_defs:
      - enable_script_security
      - script_user root

in user_variables.yml fixes the issue:

    root@controller-dc1r02n01:~# journalctl -eu keepalived.service
    Nov 30 09:07:13 controller-dc1r02n01 systemd[1]: Starting Keepalive Daemon (LVS and VRRP)...
    Nov 30 09:07:14 controller-dc1r02n01 Keepalived[17543]: Starting Keepalived v1.3.9 (10/21,2017)
    Nov 30 09:07:14 controller-dc1r02n01 Keepalived[17543]: Opening file '/etc/keepalived/keepalived.conf'.
    Nov 30 09:07:14 controller-dc1r02n01 Keepalived[17544]: Starting Healthcheck child process, pid=17546
    Nov 30 09:07:14 controller-dc1r02n01 Keepalived_healthcheckers[17546]: Opening file '/etc/keepalived/keepalived.conf'.
    Nov 30 09:07:14 controller-dc1r02n01 systemd[1]: Started Keepalive Daemon (LVS and VRRP).
    Nov 30 09:07:14 controller-dc1r02n01 Keepalived[17544]: Starting VRRP child process, pid=17549
    Nov 30 09:07:14 controller-dc1r02n01 Keepalived_vrrp[17549]: Registering Kernel netlink reflector
    Nov 30 09:07:14 controller-dc1r02n01 Keepalived_vrrp[17549]: Registering Kernel netlink command channel
    Nov 30 09:07:14 controller-dc1r02n01 Keepalived_vrrp[17549]: Registering gratuitous ARP shared channel
    Nov 30 09:07:14 controller-dc1r02n01 Keepalived_vrrp[17549]: Opening file '/etc/keepalived/keepalived.conf'.
    Nov 30 09:07:14 controller-dc1r02n01 Keepalived_vrrp[17549]: Truncating auth_pass to 8 characters
    Nov 30 09:07:14 controller-dc1r02n01 Keepalived_vrrp[17549]: Truncating auth_pass to 8 characters
    Nov 30 09:07:14 controller-dc1r02n01 Keepalived_vrrp[17549]: Using LinkWatch kernel netlink reflector...
    Nov 30 09:07:14 controller-dc1r02n01 Keepalived_vrrp[17549]: VRRP_Script(pingable_check_script) succeeded
    Nov 30 09:07:14 controller-dc1r02n01 Keepalived_vrrp[17549]: VRRP_Script(haproxy_check_script) succeeded
    Nov 30 09:07:14 controller-dc1r02n01 Keepalived_vrrp[17549]: VRRP_Instance(internal) Transition to MASTER STATE
    Nov 30 09:07:15 controller-dc1r02n01 Keepalived_vrrp[17549]: VRRP_Instance(external) Transition to MASTER STATE
    Nov 30 09:07:15 controller-dc1r02n01 Keepalived_vrrp[17549]: VRRP_Instance(internal) Entering MASTER STATE
    Nov 30 09:07:15 controller-dc1r02n01 Keepalived_vrrp[17549]: VRRP_Group(haproxy) Syncing instances to MASTER state
    Nov 30 09:07:15 controller-dc1r02n01 Keepalived_vrrp[17549]: Opening script file /etc/keepalived/haproxy_notify.sh
    Nov 30 09:07:16 controller-dc1r02n01 Keepalived_vrrp[17549]: VRRP_Instance(external) Entering MASTER STATE

I'll submit a patch to set "script_user root" by default.
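
With "script_user root" and enable_script_security both set, the check and notify scripts run as root, so every component of each script's path must be unmodifiable by non-root users. The Python audit below is an added example, not part of the bug report or the attached patch; the ownership and mode criteria are this example's reading of "writable by non-root", and the permission table is constructed.

```python
import os
import stat
from types import SimpleNamespace

def unsafe_reason(st, root_uid=0, root_gid=0):
    """Why a non-root user could modify this component, or None (example's criteria)."""
    if st.st_uid != root_uid:
        return "owner uid %d is not root" % st.st_uid
    if st.st_mode & stat.S_IWGRP and st.st_gid != root_gid:
        return "group-writable by gid %d" % st.st_gid
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    return None

def path_components(path):
    """'/bin/kill' -> ['/', '/bin', '/bin/kill']"""
    if not os.path.isabs(path):
        raise ValueError("script path must be absolute: %r" % path)
    out = [os.sep]
    for part in os.path.normpath(path).split(os.sep):
        if part:
            out.append(os.path.join(out[-1], part))
    return out

def audit_script_path(path, stat_fn=os.stat):
    """Return [(component, reason)] for every unsafe or missing component."""
    findings = []
    for comp in path_components(path):
        try:
            reason = unsafe_reason(stat_fn(comp))
        except FileNotFoundError:
            reason = "does not exist"
        if reason:
            findings.append((comp, reason))
    return findings

# Constructed (uid, gid, mode) table for illustration; not from the bug report.
SAMPLE = {
    "/": (0, 0, 0o755),
    "/etc": (0, 0, 0o755),
    "/etc/keepalived": (0, 1001, 0o775),  # writable by a non-root group
    "/etc/keepalived/haproxy_notify.sh": (0, 0, 0o755),
}

def sample_stat(path):
    if path not in SAMPLE:
        raise FileNotFoundError(path)
    uid, gid, mode = SAMPLE[path]
    return SimpleNamespace(st_uid=uid, st_gid=gid, st_mode=mode)
```

On a real host, call audit_script_path() with the default os.stat for each script path named in keepalived.conf; an empty list means no component was flagged.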