Thanks for the fix Benoît.

The upstream fix is attached; it's a one-line YAML fix to
openstack-ansible's keepalived configuration.  The fix looks straightforward
enough, though this bug will need a test case described to reproduce the
fault, esp. if this needs to be SRU'd to bionic or other stable releases.

** Changed in: keepalived (Ubuntu)
   Importance: Undecided => High

** Changed in: keepalived (Ubuntu)
       Status: New => Triaged

** Patch added: "0001-Set-Keepalived-script_user-to-root.patch"
   https://bugs.launchpad.net/ubuntu/+source/keepalived/+bug/1806004/+attachment/5308273/+files/0001-Set-Keepalived-script_user-to-root.patch

-- 
You received this bug notification because you are a member of Ubuntu
High Availability Team, which is subscribed to keepalived in Ubuntu.
https://bugs.launchpad.net/bugs/1806004

Title:
  Keepalived scripts are not getting executed

Status in openstack-ansible:
  Fix Released
Status in keepalived package in Ubuntu:
  Triaged

Bug description:
  After deploying OpenStack Ansible 18.1.0 on Ubuntu 18.04, I noticed
  the following Keepalived logs:

  root@controller-dc1r02n01:~# journalctl -eu keepalived.service
  Nov 28 11:11:39 controller-dc1r02n01 systemd[1]: Starting Keepalive Daemon (LVS and VRRP)...
  Nov 28 11:11:39 controller-dc1r02n01 Keepalived[24979]: Starting Keepalived v1.3.9 (10/21,2017)
  Nov 28 11:11:39 controller-dc1r02n01 Keepalived[24979]: Opening file '/etc/keepalived/keepalived.conf'.
  Nov 28 11:11:39 controller-dc1r02n01 systemd[1]: Started Keepalive Daemon (LVS and VRRP).
  Nov 28 11:11:39 controller-dc1r02n01 Keepalived[24980]: Starting Healthcheck child process, pid=24981
  Nov 28 11:11:39 controller-dc1r02n01 Keepalived_healthcheckers[24981]: Opening file '/etc/keepalived/keepalived.conf'.
  Nov 28 11:11:39 controller-dc1r02n01 Keepalived[24980]: Starting VRRP child process, pid=24982
  Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: Registering Kernel netlink reflector
  Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: Registering Kernel netlink command channel
  Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: Registering gratuitous ARP shared channel
  Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: Opening file '/etc/keepalived/keepalived.conf'.
  Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: WARNING - default user 'keepalived_script' for script execution does not exist - please create.
  Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: Failed to set default user for notify script /etc/keepalived/haproxy_notify.sh - ignoring
  Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: Unable to set default user for vrrp script haproxy_check_script - removing
  Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: Unable to set default user for vrrp script pingable_check_script - removing
  Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: Truncating auth_pass to 8 characters
  Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: (internal): track script haproxy_check_script not found, ignoring...
  Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: (internal): track script pingable_check_script not found, ignoring...
  Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: Truncating auth_pass to 8 characters
  Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: (external): track script haproxy_check_script not found, ignoring...
  Nov 28 11:11:39 controller-dc1r02n01 Keepalived_vrrp[24982]: (external): track script pingable_check_script not found, ignoring...

  None of the check scripts are getting executed because the
  keepalived_script user doesn't exist on the system, and in any case,
  the haproxy_check_script (which is "/bin/kill -0 `cat
  /var/run/haproxy.pid`") needs to run as root.

  The keepalived.conf man page says that "If [script_user] is not
  specified, the user defaults to keepalived_script if that user exists,
  otherwise root", but it doesn't seem to fall back to root in this case
  (maybe because of enable_script_security, but it's only supposed to
  prevent scripts from running as root if part of the path is writable
  by non-root, which isn't the case here).

  Anyway, setting

  keepalived_global_defs:
    - enable_script_security
    - script_user root

  in user_variables.yml fixes the issue:

  root@controller-dc1r02n01:~# journalctl -eu keepalived.service
  Nov 30 09:07:13 controller-dc1r02n01 systemd[1]: Starting Keepalive Daemon (LVS and VRRP)...
  Nov 30 09:07:14 controller-dc1r02n01 Keepalived[17543]: Starting Keepalived v1.3.9 (10/21,2017)
  Nov 30 09:07:14 controller-dc1r02n01 Keepalived[17543]: Opening file '/etc/keepalived/keepalived.conf'.
  Nov 30 09:07:14 controller-dc1r02n01 Keepalived[17544]: Starting Healthcheck child process, pid=17546
  Nov 30 09:07:14 controller-dc1r02n01 Keepalived_healthcheckers[17546]: Opening file '/etc/keepalived/keepalived.conf'.
  Nov 30 09:07:14 controller-dc1r02n01 systemd[1]: Started Keepalive Daemon (LVS and VRRP).
  Nov 30 09:07:14 controller-dc1r02n01 Keepalived[17544]: Starting VRRP child process, pid=17549
  Nov 30 09:07:14 controller-dc1r02n01 Keepalived_vrrp[17549]: Registering Kernel netlink reflector
  Nov 30 09:07:14 controller-dc1r02n01 Keepalived_vrrp[17549]: Registering Kernel netlink command channel
  Nov 30 09:07:14 controller-dc1r02n01 Keepalived_vrrp[17549]: Registering gratuitous ARP shared channel
  Nov 30 09:07:14 controller-dc1r02n01 Keepalived_vrrp[17549]: Opening file '/etc/keepalived/keepalived.conf'.
  Nov 30 09:07:14 controller-dc1r02n01 Keepalived_vrrp[17549]: Truncating auth_pass to 8 characters
  Nov 30 09:07:14 controller-dc1r02n01 Keepalived_vrrp[17549]: Truncating auth_pass to 8 characters
  Nov 30 09:07:14 controller-dc1r02n01 Keepalived_vrrp[17549]: Using LinkWatch kernel netlink reflector...
  Nov 30 09:07:14 controller-dc1r02n01 Keepalived_vrrp[17549]: VRRP_Script(pingable_check_script) succeeded
  Nov 30 09:07:14 controller-dc1r02n01 Keepalived_vrrp[17549]: VRRP_Script(haproxy_check_script) succeeded
  Nov 30 09:07:14 controller-dc1r02n01 Keepalived_vrrp[17549]: VRRP_Instance(internal) Transition to MASTER STATE
  Nov 30 09:07:15 controller-dc1r02n01 Keepalived_vrrp[17549]: VRRP_Instance(external) Transition to MASTER STATE
  Nov 30 09:07:15 controller-dc1r02n01 Keepalived_vrrp[17549]: VRRP_Instance(internal) Entering MASTER STATE
  Nov 30 09:07:15 controller-dc1r02n01 Keepalived_vrrp[17549]: VRRP_Group(haproxy) Syncing instances to MASTER state
  Nov 30 09:07:15 controller-dc1r02n01 Keepalived_vrrp[17549]: Opening script file /etc/keepalived/haproxy_notify.sh
  Nov 30 09:07:16 controller-dc1r02n01 Keepalived_vrrp[17549]: VRRP_Instance(external) Entering MASTER STATE

  I'll submit a patch to set "script_user root" by default.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-ansible/+bug/1806004/+subscriptions
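
A check for the failure described in this report, as an added example that is not part of the bug thread, openstack-ansible or keepalived: it scans keepalived journal text for scripts that were dropped at startup and reads script_user from a keepalived.conf. The function names, the host name node1 and the sample journal are constructed here; it assumes one log message per line, as journalctl prints them.

```shell
#!/bin/sh
# Added example: detect VRRP scripts that keepalived silently dropped
# because it could not resolve a user to run them as.

# Print "track <name>" / "notify <path>" for every dropped script.
# Input: keepalived journal lines on stdin, one message per line.
dropped_scripts() {
    sed -n \
        -e 's/.*Unable to set default user for vrrp script \([^ ]*\) - removing.*/track \1/p' \
        -e 's/.*Failed to set default user for notify script \([^ ]*\) - ignoring.*/notify \1/p' |
        sort -u
}

# Print the user named by the first script_user line in a keepalived.conf
# (empty output when the keyword is absent).
configured_script_user() {
    awk '$1 == "script_user" { print $2; exit }' "$1"
}

# Report on one node: $1 = saved journal text, $2 = keepalived.conf.
# Returns 1 when any health-check or notify script was dropped.
audit_keepalived() {
    dropped=$(dropped_scripts < "$1")
    user=$(configured_script_user "$2")
    echo "script_user: ${user:-<unset, default keepalived_script>}"
    [ -z "$dropped" ] && return 0
    echo "$dropped" | sed 's/^/DROPPED /'
    return 1
}

# Constructed sample, reusing the message texts from the report above.
sample_journal() {
    cat <<'EOF'
Nov 28 11:11:39 node1 Keepalived_vrrp[24982]: WARNING - default user 'keepalived_script' for script execution does not exist - please create.
Nov 28 11:11:39 node1 Keepalived_vrrp[24982]: Failed to set default user for notify script /etc/keepalived/haproxy_notify.sh - ignoring
Nov 28 11:11:39 node1 Keepalived_vrrp[24982]: Unable to set default user for vrrp script haproxy_check_script - removing
Nov 28 11:11:39 node1 Keepalived_vrrp[24982]: Unable to set default user for vrrp script pingable_check_script - removing
Nov 28 11:11:39 node1 Keepalived_vrrp[24982]: (internal): track script haproxy_check_script not found, ignoring...
EOF
}

# Stand-alone run: list what the sample node dropped.
sample_journal | dropped_scripts
```

On a live node, `journalctl -u keepalived.service -b > journal.txt` followed by `audit_keepalived journal.txt /etc/keepalived/keepalived.conf` gives a non-zero exit status that a deployment test can fail on.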
