-------------------------------------------------------------------
Wed May 31 21:32:46 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>

- Update to 2.2.8
  https://www.keepalived.org/release-notes/Release-2.2.8.html

-------------------------------------------------------------------
Tue Apr 12 14:50:58 UTC 2022 - Marcus Rueckert <mrueckert@suse.de>

- Own /etc/keepalived/keepalived.conf as %ghost entry
  otherwise upgrading the package will always move the
  /etc/keepalived/keepalived.conf to
  /etc/keepalived/keepalived.conf.rpmsave
- make permissions of config files more secure

-------------------------------------------------------------------
Thu Feb 24 18:36:08 UTC 2022 - Ferdinand Thiessen <rpm@fthiessen.de>

- Update to 2.2.7
  * Fix CVE-2021-44225: The D-Bus policy does not sufficiently
    restrict the message destination, allowing any user to inspect
    and manipulate any property.
  * New features:
  * global: Don’t assume running as user root.
  * ipvs: Add support to twos scheduler.
  * vrrp: New features:
  * Add vrf option for unicast without specifying an interface.
  * Add option unicast_fault_no_peer.
  * Allow specification of multicast address to be used.
  * Add vrf option to static and vrrp routes.
  * Add option to resend vrrp states on fifos after reload.
  * Allow duplication of VRIDs on an interface with unicast peers.
  * systemd: Add keepalived-non-root.service systemd service file.
  * make BFD work when IPv6 disabled on system.
  * Fix calculating CLOCK_REALTIME and CLOCK_MONOTONIC offsets.
  * bfd: Handle interface down/address missing when keepalived starts.
    This resolves a segfault, and also makes bfd retry once per minute
    to create send socket if it cannot do so due to no address to bind
    to on an interface.
  * vrrp:
  * Fix configured IPv6 multicast addresses with VMACs.
  * Don’t segfault if duplicate VMAC name, but ignore second name.
  * Don’t delete and recreate VMAC on reload if only VRID has changed.
  * Don’t segfault if don’t have permission for ARP/NDISC socket.
  * Fix IPv6 with vmac_xmit_base.
  * Fix disabling vmac-xmit-base with VRRPv3 IPv6 use_vmac.
  * Fix specifying user/group for vrrp_scripts.
  * Various other fixes and improvements

-------------------------------------------------------------------
Thu Dec 9 18:58:23 UTC 2021 - Ferdinand Thiessen <rpm@fthiessen.de>

- Update to 2.2.4
  * Bug fixes
- Update to 2.2.3
  * Added some new features and minor bug fixes
  * genhash utility is now part of the mainline daemon
  * https://www.keepalived.org/release-notes/Release-2.2.3.html
- Drop 1915.patch, merged upstream
- Drop outdated suse_version check

-------------------------------------------------------------------
Mon Sep 27 07:39:33 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
  * harden_keepalived.service.patch

-------------------------------------------------------------------
Wed Jul 21 12:03:14 UTC 2021 - Dirk Müller <dmueller@suse.com>

- add 1915.patch to fix build on tumbleweed

-------------------------------------------------------------------
Mon Mar 8 17:44:29 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>

- drop linux-4.15.patch: No longer needed as it was a backport from
  upstream
- Cleanup configure options after consultation with upstream:
  - --enable-regex-timers is for debugging purposes
  - --enable-snmp-checker and --enable-snmp-vrrp are enabled by
    --enable-snmp
  - --enable-snmp-rfcv2 and --enable-snmp-rfcv3 are enabled by
    --enable-snmp-rfc
  - --enable-stacktrace is definitely a debugging option
- on systems where we have nftables support we will only ship with
  nftables support (>= 15.0) and use iptables support only on older
  distributions.

-------------------------------------------------------------------
Sun Mar 7 00:34:36 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>

- Update to 2.2.2
  https://www.keepalived.org/release-notes/Release-2.2.2.html
- change how we install documentation to avoid duplicated files
- Link all the files for ipset, iptables, libnl instead of dlopen.
  Drop the previous workaround for generating requires for the
  dlopen-ed libraries.
- remove unsupported configure option: --enable-libiptc

-------------------------------------------------------------------
Thu Feb 18 16:17:02 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>

- Make sure we pull in the libraries we need for dlopen, by
  following the symlinks from the .so symlinks with the
  requires_file macro.

-------------------------------------------------------------------
Tue Jan 26 14:58:01 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>

- Update to 2.2.1
  https://www.keepalived.org/release-notes/Release-2.2.1.html
  https://www.keepalived.org/release-notes/Release-2.2.0.html
  https://www.keepalived.org/release-notes/Release-2.1.5.html
  https://www.keepalived.org/release-notes/Release-2.1.4.html
  https://www.keepalived.org/release-notes/Release-2.1.3.html
  https://www.keepalived.org/release-notes/Release-2.1.2.html
  https://www.keepalived.org/release-notes/Release-2.1.1.html
  https://www.keepalived.org/release-notes/Release-2.1.0.html
- enable systemd integration via libsystemd (new BR: libsystemd)
- switch to systemd_ordering instead of systemd_requires
- sync configure options with the configure script

-------------------------------------------------------------------
Fri Mar 13 15:25:31 UTC 2020 - Diego Akechi <dakechi@suse.com>

- Inclusion into SLE as ACC supported packages
  (bsc#1158280, ECO#223)

-------------------------------------------------------------------
Thu Nov 7 02:20:31 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>

- new BR pkgconfig(libnftnl) to fix nftables support

-------------------------------------------------------------------
Thu Nov 7 02:03:15 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>

- update to 2.0.19
  Fix minor IPVS features support. Extend BFD to support more than
  one BFD instance with a neighbour. Extend nftable support. Script
  timeout extension. Properly filter IGMP/MLD packets on VMAC
  interface. Refer to ChangeLog for more infos.

  https://keepalived.org/changelog.html
- changes from 2.0.18
  Add support to IPVS new GUE tunnel type. New feature 'weight
  reverse' available in all trackers. Resolve all outstanding
  coverity issues. Some fixes and performance extensions. Refer to
  ChangeLog for more infos.

  https://keepalived.org/changelog.html

-------------------------------------------------------------------
Tue Jul 23 17:30:04 UTC 2019 - chris@computersalat.de

- Update to 2.0.17 (2019-06-25)
  * https://www.keepalived.org/changelog.html
- remove obsolete patch
  * systemd-after-snmp.patch
- rebase patch
  * linux-4.15.patch

-------------------------------------------------------------------
Tue Apr 16 19:04:13 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>

- added systemd-after-snmp.patch:
  If you want to use the snmp support the masterx socket needs to be
  available otherwise the snmp support is broken
  strictly speaking we would need to use BindsTo= here but that
  would require that we add a Requires for net-snmp to the keepalived
  package. to be discussed.

-------------------------------------------------------------------
Tue Apr 16 19:01:38 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>

- update to 2.0.15
  - Fix uninitialised variable.
  - Fix rpmbuild on CentOS7, and rely on auto-requires.
  - Add option to flush lvs on shutdown. Currently all known
    virtual servers and their real servers are removed one at a
    time at shutdown. With large configurations on a busy system,
    this can take some time. Add an option just like the existing
    'lvs_flush' which operates on shutdown. Typical environments
    with a single keepalived instance can take advantage of this
    option to achieve a faster shutdown or restart cycle.
  - Make alpha mode checkers on new real servers start down on
    reload. Patch #1180 identified that new real servers with
    alpha mode checkers were being added online immediately, and if
    the checker then failed were being removed. This commit makes
    real servers that didn't exist before the reload start in down
    state if they have alpha mode checkers.
  - Remove duplicate config dump entry.
  - Make new real servers at reload start down if have alpha mode
    checkers.
  - Close checker and smtp_alert sockets on reload. Issue #1177
    identified that sockets were being left open (lost) after a
    reload. It transpired that these were sockets opened by
    TCP_CHECK, HTTP_GET, SSL_GET, DNS_CHECK and SMTP_CHECK
    checkers, and by smtp_alerts in the process of being sent.
    This commit adds an extra parameter to thread_add_read() and
    thread_add_write() to allow indicating that the scheduler
    should close the socket when destroying threads.
  - Send vrrp group backup notifies at startup.
  - Make inhibit_on_failure be inherited by real server from
    virtual server.
  - Allow real and sorry servers to be configured with port 0 This
    is to maintain backwards compatibility with keepalived prior to
    commit d87f07c - "Ensure always check return from
    inet_stosockaddr when parsing config". The proper way to
    configure this is to omit the port, which requires the next
    commit.
  - Don't setup IPVS config with real and virtual servers ports
    different. If the real server is using DR or TUN, the port of
    the real server must be the same as the port of the virtual
    server. This commit uses the virtual server port for the real
    server when configuring IPVS.
  - Log warnings if real server and virtual server ports don't
    match This commit adds logging warnings if virtual and real
    server ports, when using TUN or DR, don't match. It also sets
    the real server ports to be the same as the virtual server
    ports. Although listing the IPVS configuration with ipvsadm
    will look different, the kernel ignored the port of a real
    server when using DR or TUN, so the behaviour isn't changed,
    but when looking at the configuration it now shows what is
    actually happening.
  - Fix warning when protocol specified for virtual server with
    fwmark.
  - Add log message that nb_get_retry is deprecated.
  - Fix whitespace in configure.ac.
  - Fix configure error when systemd not installed configure was
    trying to execute pkg-config --variable=systemdsystemunitdir
    systemd even if systemd was not available. This commit makes
    configure only execute the above if it has determined that
    systemd is the correct init package to use.
  - Correct references to RFC6527 (VRRPv3 SNMP RFC).
  - Ensure checker->has_run is always set once a checker has run.
  - Fix some indentation in configure.ac.
  - Update fopen_safe() to open temporary file in destination
    directory rename() in fopen_safe() was failing if the file
    being created was not on the same filesystem as /tmp.
  - Add ${_RANDOM} configuration keyword. It might seem strange to
    introduce random elements to configuration files, but it can be
    useful for testing.
  - Fix using ~SEQ() in multiline configuration definitions.
  - Make blank lines terminate a multiline definition.
  - Minor updates for lvs_flush_on_stop.
  - Add option to skip deleting real servers on shutdown or reload
    If a virtual server is removed, the kernel will remove its real
    servers, so keepalived doesn't explicitly need to do so. The
    lvs_flush_onstop option removes all LVS configuration, whereas
    this new option will only remove the virtual servers managed by
    keepalived.
  - Correct error message re checker_log_all_failures.
  - Fix syntax error in configure.ac.
  - Fix track_process initialisation for processes with PIDs
    starting 9.
  - Remove debugging log message.
  - Remove inappropriate function const attributes They were
    causing iptables/ipsets not to be initialised.
  - Stop warning: function might be candidate for attribute
    "const" Depending on what configure options are selected,
    gcc can output the above warning for
    initialise_debug_options(). This commit ensures that the
    warning is not produced.
  - Enable strict-config-checks option in keepalived.spec RPM file.
  - vrrp: relax attribute 'const' warning at iptables helpers.
  - Propagate libm to KA_LIBS.
  - Fix building on Alpine Linux. Alpine (musl) doesn't have a
    definition of __GNU_PREREQ, so create a dummy definition.

-------------------------------------------------------------------
Wed Apr 3 13:52:51 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>

- add buildrequires for file-devel
  - used in the checker to verify scripts

-------------------------------------------------------------------
Wed Apr 3 13:46:22 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>

- update to 2.0.14
  - Add compiler warning -Wfloat-conversion and fix new warnings.
    It was discovered that passing 0.000001 as a parameter
    specified as uint32_t to a function did not generate any
    warning of type mismatch, or loss of precision. This commit
    adds -Wfloat-conversion and fixes 3 instances of new warnings
    that were generated.
  - For non systemd environment, it occurs syntax error 'fi'. To
    avoid syntax error, modify keepalived.spec.in.
  - When uninstall keepalived with init upstart, stop keepalived
    process.
  - Fix type re LOG_INGO should be LOG_INFO - 6git stash --cached.
    The code was actually in a #ifdef INCLUDE_UNUSED_CODE block, and
    so isn't currently compiled.
  - Register missing thread function for thread debugging.
  - Fix return value of notify_script_compare misusing issue.
  - Fix typo in keepalived.conf man page re BFD min_rx.
  - Fix segfault when bfd process reloads config. Issue #1145
    reported the bfd process was segfaulting when reloading. The
    bfd process was freeing and allocating a new thread_master_t
    when reloading, which doesn't work. This commit changes the bfd
    process to clean and reinitialise the thread_master_t.
  - Fix segfault in handle_proc_ev(). On Linux 3.10 the ack bit
    can be set in a connector message, and the CPU number is set to
    UINT32_MAX. This commit skips acks, and also checks that CPU
    number is within range of the number of CPUs on the system.
  - Fix OpenSSL init failure with OpenSSL v1.1.1. OpenSSL v1.1.1,
    but not v1.1.0h or v1.1.1b failed in SSL_CTX_new() if
    OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) had previously
    been called. This commit doesn't call OPENSSL_init_crypto() if
    doing so causes SSL_CTX_new() to fail.
  - Remove all references to libnfnetlink. Commit 2899da6 (Stop
    using libnl for mcast group membership and setting rx buf
    sizes) stopped using libnfnetlink, but INSTALL and
    keepalived.spec.in were not updated accordingly.
  - Fix genhash re OPENSSL_init_crypto bug and improve
    configure.ac. Commit fe6d6ac (Fix OpenSSL init failure with
    OpenSSL v1.1.1) didn't update the identical code in
    genhash/ssl.c. Also, an improvement for the test in
    configure.ac was suggested.
  - Fix log output when real server removed. FMT_VS() and FMT_RS()
    both call inet_sockaddrtotrio which uses a static buffer to
    return the formatted string, but since FMT_VS(), which simply
    calls format_vs() copies the returned string to its own static
    buffer, if FMT_VS() was called before FMT_RS() then the
    returned strings from both could be used. The problem occurs
    when both FMT_VS() and FMT_RS() are used as parameters to
    log_message() (or printf etc). It appeared to work fine on
    x86_64, but was writing the same IP address for both the real
    server and virtual server on ARM architectures. This is due to
    the compiler evaluating parameters to the log_message()
    function call in a different order on the different
    architectures. This commit adds inet_sockaddrtotrio_r() which
    allows the output to be in a buffer specified by the caller,
    and so FMT_VS() and FMT_RS() can now be called in either order
    without one overwriting a buffer used by the other.
  - Streamline some string formatting with FMT_RS() and FMT_VS().
    Following commit 9fe353d (Fix log output when real server
    removed) some code can be streamlined now that the order of
    calling FMT_VS() and FMT_RS() does not matter.
  - Replace FMT_HTTP_RS(), FMT_TCP_RS() and FMT_DNS_RS() with
    FMT_CHK(). They were all simply defined to be FMT_CHK() so
    just replace them with that. This made it much simpler to find
    all uses of FMT_CHK().
  - Fix building with gcc 4.4.7 (Centos 6.5). gcc v4.4.7 doesn't
    support -Wfloat-conversion, so check for it at configure time.
  - Add dumping checker config/status when receive SIGUSR1.
  - Don't put alpha mode checkers into failed state at reload If a
    new checker is added at a reload, unless the real server already
    has failed checkers, then ignore the alpha mode of the checker.
    This means that the real server, if up, won't be taken down and
    then brought back up again almost straight away. If the real
    server already has failed checkers, then setting an alpha mode
    checker down initially won't take down the real server, so we
    can allow the alpha mode setting to apply.
  - Handle alpha mode checkers initial failure at startup better.
  - Fix compile failure discovered by Travis-CI.
  - Fix calling syslog when not using signalfd(). Pull request
    #1149 identified that syslog is AS-Unsafe (see signal-safety
    man page), and that therefore signals should be blocked when
    calling it. This commit blocks signals when calling
    syslog()/vsyslog() when signalfd() is not being used.
  - Rationalise function attributes.
  - Fix enable-optimise configure option.
  - Use AS_HELP_STRING for all options in configure.ac.
  - Streamline genhash -h option.
  - Make genhash -v version match keepalived.
  - Fix config check of virtual server quorum against weights of
    real servers.
  - Fix some configure tested checks for OPENSSL_init_crypto.
  - Add infrastructure for adding additional compiler warnings.
  - Add standard and extra compiler warnings.
  - Add and resolve missing-declarations and missing-prototypes
    warnings Approximately 16 additional functions are now declared
    static.
  - Add and resolve old-style-definitions warnings
  - Add and resolve redundant-decls warnings
  - Add and resolve jump-misses-init warnings
  - Add and resolve shadow warnings
  - Add and resolve unsuffixed-float-constants warnings
  - Add and resolve suggest-attribute=const warnings
  - Add and resolve suggest-attribute=format warnings
  - Add and resolve suggest-attribute=malloc warnings
  - Add and resolve suggest-attribute=noreturn warnings
  - Add and resolve suggest-attribute=pure warnings
  - Add and resolve unused-macros warnings
  - Add and resolve null-dereference warnings
  - Add and resolve float-equal warnings
  - Add and resolve stack-protector warnings
  - Add and resolve strict-overflow=4 warnings
  - Add and resolve pointer-arith warnings This particularly
    includes adding a number of bytes to a void *.
  - Add and resolve cast-qual warnings
  - Resolve additional warnings identified on Centos 6.5/gcc 4.4.7
  - Remove static from zalloc()
  - Fix some compiler warnings on Ubuntu Xenial, and add comments
    re others.
  - Rename LIST parameters to lst in list_head.h to avoid upper
    case.
  - Fix real server checkers moving from failed to OK on reload.
  - add rs judgement in migrate_checkers.
  - Detect connection failure in genhash and exit rather than loop.
  - Add another function pure attribute.
  - Fix sending notifies for vrrp instances at startup when in sync
    group Issue #1155 identified that notify scripts for vrrp
    instance transition to backup state when keepalived started up
    were not being sent if the vrrp instance was in a sync group.
    It was also the case that SNMP traps, SMTP alerts and FIFO
    notifies were not being sent either. This commit makes
    keepalived send the initial notifies when the vrrp instance is
    in a sync group.
  - Fix building keepalived RPM on Fedora 26. For some reason
    -fPIC is needed when testing for the presence of setns().
  - Add vrrp_startup_delay configuration option. Some systems that
    start keepalived at boot time need to delay the startup of the
    vrrp instances, due to network interfaces taking time to
    properly come up. This commit adds a global configuration
    option vrrp_startup_delay that delays the vrrp instances
    starting up, for the specified number of seconds.
  - Handle checkers properly when reload immediately after startup.
  - Streamline some of the SMTP checker code.
  - Create separate checker for each host in SMTP_CHECK block
    Having multiple host entries in an SMTP_CHECK block is
    deprecated. This commit streamlines the SMTP_CHECK code by
    creating a separate SMTP checker for each host declared in the
    SMTP_CHECK block, so that apart from parsing the configuration,
    the code no longer handles multiple hosts per checker. The
    support for parsing configuration with multiple hosts is only
    enabled if WITH_HOST_ENTRIES is defined in check_smtp.c. It is
    currently enabled, but when support for multiple hosts in the
    SMTP_CHECK block is finally removed, it will simply be a matter
    of deleting all code in the WITH_HOST_ENTRIES conditional
    blocks.
  - Make checker fail if ENETUNREACH returned by connect(). The
    connect() call can return some immediate errors such as
    ENETUNREACH. These were not being treated as a failure of the
    checker, since the code used to assume that any non success
    return by connect() meant that the connection was in progress.
    keepalived will now treat ENETUNREACH, EHOSTUNREACH,
    ECONNREFUSED, EHOSTDOWN, ENETDOWN, ECONNRESET, ECONNABORTED,
    ETIMEDOUT, when returned by connect(), as meaning that the
    checker has failed.
  - Don't set SO_LINGER with a timeout of 0 SO_LINGER with a
    timeout of 0 causes a TCP connection to be reset rather than
    cleanly closed. Instead of specifying a timeout of 0, use 5
    seconds, so that there is an orderly shutdown of the TCP
    connection, but the closed socket doesn't remain in TIMED_WAIT
    state for more than a short time.
  - nftables: fix build with kernel lower than 4.1.
  - Remove dead code and cosmetics. Remove code marked as UNUSED
    where things simply go nowhere even if define is set. We keep
    for the moment UNUSED code related to debug helpers used during
    coding process.

-------------------------------------------------------------------
Wed Mar 20 23:31:55 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>

- update to 2.0.13
  - Add BFD build option to keepalived.spec rpm file
    Issue #1114 identified that the keepalived.spec file was not being
    generated to build BFD support even if keepalived had been configured
    to support it.
  - Copy tarball to rpmbuild/SOURCES when building in place
    It seems that even when building in place, rpmbuild expects the
    tarball to be in the rpmbuild/SOURCES directory.
  - Fix configure check for __always_inline
  - Handle interface MAC addresses changing
    When an interface is added to a bond interface, if it is the first
    interface added, the MAC address of the bond interface is changed
    to the MAC address of the added interface. When subsequent interfaces
    are added, their MAC addresses are changed to that of the bond
    interface.
    Issue #1112 identified that if a bond interface is deleted and
    recreated, the gratuitous ARPs were sent with the wrong source MAC
    address.
    This commit now updates interface MAC addresses from the netlink
    RTM_NEWLINK messages, so that the correct MAC address is always
    used.
  - Minor tidying up of opening gratuitous ARP socket.
  - Streamline setting SOCK_NONBLOCK on vrrp sockets.
  - Use netlink reported hardware address length for unsolicited NAs
    ETH_ALEN is correct for Ethernet type interfaces, but is not right
    for Infiniband interfaces.
  - Minor tidying up of opening gratuitous NA socket.
  - Make gratuitous ARP/NA sockets non blocking
    keepalived shouldn't block when sending gratuitous ARP/NA messages.
    It is better to lose the messages than for keepalived to block, so
    set the sockets non blocking.
  - Use netlink provided broadcast address for gratuitous ARP
    If an interface has a non-standard broadcast address, we should
    honour it.
  - Fix building on pre 3.10 kernels re track_process
    Issue #1119 reported that keepalived wouldn't build on CentOS 6.
    Various PROC_EVENT_* declarations were assumed to exist, some of which
    were not introduced until Linux v3.10. Most of them are not needed, but
    PROC_EVENT_COMM is used by the track_process code.
    This commit now checks for the existence of the PROC_EVENT_* declarations,
    but since keepalived uses PROC_EVENT_COMM, track_process is not supported
    prior to Linux v3.2.
  - Make track_process work prior to Linux 3.2, but with limitations
    Prior to Linux 3.2 the PROC_EVENT_COMM event did not exist, which
    means that keepalived is unable to detect changes to process name
    (/proc/PID/comm) prior to Linux 3.2. Most processes do not change
    their process name, and so using track_process prior to Linux 3.2
    is safe so long as the monitored processes are known not to change
    their process name.
  - Stop configure failing when nftables is not supported.
  - Streamline socket use with linkbeat.
    Previously the socket used for ioctls was opened and closed twice per
    poll if using MII or ETHTOOL polling, and once per poll if using ioctl
    polling. This commit opens the socket once at startup, uses that socket
    for all linkbeat polls, and closes it on termination.
  - Enable linkbeat polling to work with dynamic interfaces.
  - Add linkbeat_interfaces configuration block
    It was not possible to indicate that an interface that wasn't used
    as the interface of a vrrp instance, but was used either as a track
    interface, or for virtual/static ip addresses or routes should use
    linkbeat. This commit adds that capability.
  - Add ability to specify linkbeat type in linkbeat_interfaces block.
  - Add --disable-linkbeat configure option
    Does anyone use linkbeat anymore? This commit enables keepalived to
    be built without the linkbeat code.
  - Don't remove link local IPv6 address from VMAC that isn't keepalived's
    If IFLA_INET6_ADDR_GEN_MODE isn't supported and a macvlan interface
    already had a (non-default) link local address and the link local
    address that matched the interface's MAC address was added, keepalived
    was removing it as soon as it was added. This commit stops keepalived
    removing the address when we shouldn't.
  - Set configure init type correctly in keepalived.spec file.
  - Fix handling of VMACs with multiple reloads
    If a configuration is loaded that has a VRRP instance using a VMAC,
    then the configuration is updated to remove that VRRP instance and
    keepalived reloads its configuration, then the configuration is
    updated again to reinstate the VRRP instance and the configuration
    is again reloaded, keepalived thought the VMAC interface still
    existed, whereas it was deleted following the first reload.
    This commit ensures that keepalived properly detects whether an
    interface exists following a reload.
  - Remember more than one interface local address per interface
    Keepalived needs a local address for each interface it sends adverts
    on. If the address keepalived is using is deleted and another address
    is configured on the interface, then keepalived should start using
    that address. To do this, a list of configured addresses on each
    interface needs to be maintained.
  - Don't consider VIPs as local addresses when restart after crash
    Keepalived maintains a list of addresses per interface that can be
    used as source addresses for adverts. To build the list, keepalived
    reads the addresses configured on interfaces when it starts. However,
    if keepalived crashed it will have left VIPs configured on interfaces,
    and we don't want to use them as advert source addresses.
    This commit makes keepalived compare the addresses on interfaces
    to VIPs, and ignores any addresses that are VIPs.
  - Fix removing left over VIPs at startup.
  - Use read_timer() when parsing config where appropriate.
- Allow fractional warmup, delay_loop and delay_before_retry for checkers
|
|||
|
To shorten the real server monitoring interval, make it possible to specify
|
|||
|
decimal value for following items:
|
|||
|
warmup
|
|||
|
delay_loop
|
|||
|
delay_before_retry
|
|||
|
- Update connect_timeout configuration options
|
|||
|
Based on the patch submitted by tamu.0.0.tamu@gmail.com this patch
|
|||
|
allows setting the connect_timeout to a resolution of micro-seconds.
|
|||
|
The patch also adds the ability to set a default value at the virtual
|
|||
|
server and real server levels.
|
|||
|
- Fix unused variable warning when building only with RFC compliant
|
|||
|
SNMP.
|
|||
|
- It enable to set zero value as mintime for delay_loop and connect_timeout.
|
|||
|
- Add option not to check for EINTR if using signalfd()
|
|||
|
If keepalived is using signalfd(), there are no asynchronous signal
|
|||
|
handlers, and therefore EINTR cannot be returned.
|
|||
|
Currently the check for EINTR is enabled by default, and configure
|
|||
|
option --disable-eintr-debug disables the check, while
|
|||
|
--enable-eintr-debug enables writing log entries if EINTR is returned.
|
|||
|
Once sufficient testing has been performed, the default will be
|
|||
|
changed not to test for EINTR if signalfd() is supported.
|
|||
|
- Make checking for EAGAIN/EWOULDBLOCK consistent
|
|||
|
The code in some places checked errno for EAGAIN and EWOULDBLOCK
|
|||
|
and in other places only checked EAGAIN. On Linux EAGAIN == EWOULDBLOCK,
|
|||
|
so the check is not necessary, but EAGAIN is not guaranteed to be the
|
|||
|
same value as EWOULDBLOCK, so define check_EAGAIN that only checks EAGAIN
|
|||
|
if they are the same value, but checks both if they are different.
|
|||
|
- Ensure default connection timeout for smtp checker hosts set.
|
|||
|
- Set default connection timeout if no smtp check host specified.
|
|||
|
- Fix min timer value, zero to 0.000001Sec.
|
|||
|
- Add fixing min time for vs_co_timeout_handler() and rs_co_timeout_handler().
|
|||
|
- Fix parameter of read_timer(), it treat Mintime and Maxtime as microseconds.
|
|||
|
- vrrp: vrrp_dispatcher_read() performance extension
  We took time with Quentin to simulate and rework this code. We introduced
  2 imbricated while loops:
  (1) First one is catching recvfrom EINTR (this code triggers
  only on kernels older than 2.6.22 where signalfd was first introduced).
  Newer kernels will immediately break the loop (hey guys: if you are running
  older than 2.6.22 it is worth considering upgrading).
  (2) Second loop will continue reading from socket until same VRID advert
  has been received during the same cycle. After simulating, it appears that
  during contention with a lot of VRRP instances (around 1500), this design
  is needed to relax socket recvq from growing. This can be viewed as a
  Poll-Mode activation during contention and fallback to regular I/O MUX
  during normal operations. This loop breaks immediately and re-submits
  operation to I/O MUX when there is no more to be read.
- Fix conversion from long for double in read_timer().
- Remove variable timer of unsigned long cast in read_timer().
  When Double type variable timer is cast to long type, its scale falls.
- changes from 2.0.12
- Documentation related.
  Remove keepalived.conf.SYNOPSIS content to make a pointer to manpage.
  Update README manifest to reflect actual Keepalived goal and features.
- Improve error message if process events connector not enabled in
  kernel.
- Add option to disable track-process functionality
  Issue #1099 reported that their kernel did not support the proc events
  connector, and it would therefore be helpful to have an option to build
  keepalived without the track-process functionality.
  This commit adds the --disable-track-process configure option.
- Fix vrrp instances going to fault state when have virtual routes
  If an interface going down caused a vrrp instance to go to fault
  state, and the vrrp instance also had virtual routes, the state
  of the vrrp instance would be set to backup when the deletion of
  the virtual route was detected. This commit ensures that the vrrp
  instance stays in fault state until the interface is brought up
  again.
- Remove Red Hat Linux 9 and RH Enterprise Linux 3 from spec file.
  Red Hat Linux 9 and Red Hat Enterprise Linux 3 are both based on
  Linux 2.4, which is no longer supported by keepalived. The options
  in the spec file for Red Hat Linux 9 have twice caused people to
  specify wrong options to configure when trying to build keepalived,
  so the options are removed to i) avoid confusion and ii) they are
  no longer relevant.
- Add global option vrrp_min_garp.
  By default keepalived sends 5 gratuitous ARP/NA messages after
  transitioning to master, and 5 more 5 seconds later. This isn't
  necessary with modern switches, and so if the vrrp_min_garp option
  is set, only one gratuitous ARP/NA message is sent after transition
  to master, and no repeat messages are sent 4 seconds later.
- Standardise definition of _INCLUDE_UNUSED_CODE_
- Remove out of date comment re VRRP over IPv6.
- Correct typo in keepalived.conf.5.
- Directly use structure sizes for packet header lengths.
- vrrp_state_fault_rx() is not used.
  Wrap the function in conditional compilation so it is not compiled.
- Convert some list loops to use LIST_FOREACH.
- Don't recalculate vrrp packet header address.
  vrrp_get_header() calculates the address of the vrrp header in a
  received packet, but it was being recalculated in vrrp_in_chk().
  This commit passes the already calculated address to vrrp_in_chk().
- Ensure a received packet has an AH header if and only if AH auth.
  Ensure that a received packet has an AH header if we expect AH
  authentication, and doesn't have an AH header if we don't expect
  AH authentication.
- Ensure all protocol headers received before return pointer to vrrp header
  vrrp_get_header() returns a pointer to the vrrp header, but it now returns
  NULL if insufficient data has been received to include all the (IP,
  possibly AH, and VRRP) headers (this does not include the VIPs in the VRRP
  packet).
  This means that when a pointer to the VRRP header is returned, all fields in
  all protocol headers can safely be accessed.
- Add check of received IPv6 hop count in multicast adverts
  The VRRP RFC requires that IPv6 hop count MUST be checked to be 255,
  just as the TTL for IPv6 must be 255. Previously that wasn't being
  checked, since IPv6 raw sockets don't provide access to the IPv6
  header.
  Using recvmsg() rather than recvfrom(), and setting socket option
  IPV6_RECVHOPLIMIT allows keepalived to receive the hop count as
  ancillary data, and that can now be checked.
- Improve reading from vrrp receive sockets.
  Previously no check was made of the return value from recvfrom()/
  recvmsg(). This meant that an error could occur (e.g. EINTR), or no
  data might be returned, and keepalived would still attempt to process
  the receive buffer as though data had been received.
- Enhance and streamline checking of validity of received VRRP packet
  This includes checking that a packet is multicast, unless unicast is
  expected in which case it is checked for unicast, ensuring that if
  AH authentication is used, the next header protocol is VRRP.
  The sequence of some checks is revised to ensure that the fields being
  checked are valid to be accessed prior to accessing them, e.g. check
  that the packet is VRRP version 2 before checking the authentication.
- Stop clearing receive buffer before receiving VRRP packets.
  This is no longer necessary now that the appropriate checks are
  made of the return status of recvmsg(), and also that the checks
  of received packet length and packet headers now do all necessary
  checks.
- Add compile time checks for IPV6_RECVHOPLIMIT/IPV6_RECVPKTINFO
  support.
- Update keepalived.spec.in build-requires.
  The kernel package required for building keepalived is kernel-headers
  not kernel-devel. Also, it is superfluous to have package kernel in
  the build-requires!
- Add missing file (build.setup) to tarball.
- Fix calculating print format to rlim_t in configure.ac.
- Fix compiler warnings on 32 bit systems re HASH_UPDATE.
  Removing all the casts stopped the warnings.
- Use PRI_rlim_t when printing rlim_t types.
- Use %zd/%zu for ssize_t/size_t to avoid warnings on 32 bit systems.
- Fix some space/tab formatting.
- Stop declaring some timer definitions unsigned to stop compiler
  warnings.
  TIMER_HZ, TIMER_CENTI_HZ, NSEC_PER_SEC were causing some compiler warnings
  on some systems due to being defined with a 'U' unsigned suffix. Removing
  the unsigned specifier stopped the compiler warnings.
- Fix compiler warning due to incorrect format specifier.
  An int64_t should use % PRIi64 and not %ld
- Stop an uninitialized variable compiler warning.
- Fix MEM_CHECK debugging on processors without unaligned memory
  access.
- Don't attempt to use unopened socket for getting ipset version.
- Tidy up an error message.
- vrrp: make vrrp_dispatcher_read() async while catching error.
  During investigations we decided to update previous patch to resubmit
  into I/O MUX on read error. It will make read procedure I/O MUX friendly
  by removing potential sync operation potentially leading to a global
  I/O MUX desync. We agreed, the situation is really and very exceptional
  but could happen.
- vrrp: vrrp_arp_thread split.
  Split the function for maintainability purpose.
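The entry "Add check of received IPv6 hop count in multicast adverts" above relies on IPV6_RECVHOPLIMIT and recvmsg() ancillary data. The C code below is an added example, not keepalived's code: all function names are hypothetical, and the control buffer in constructed_hop_limit_accepted() is constructed so the check can be exercised without a socket.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>

#define VRRP_HOP_LIMIT 255  /* value the changelog entry says adverts must carry */

/* Control buffer sized for one int-valued cmsg, aligned for struct cmsghdr. */
union hoplimit_ctrl {
    char buf[CMSG_SPACE(sizeof(int))];
    struct cmsghdr align;
};

/* Ask the kernel to attach the hop limit to every packet read from fd. */
int enable_recv_hop_limit(int fd)
{
    int on = 1;
    return setsockopt(fd, IPPROTO_IPV6, IPV6_RECVHOPLIMIT, &on, sizeof on);
}

/* Return the hop limit carried in msg's ancillary data, or -1 if absent. */
int hop_limit_from_cmsg(struct msghdr *msg)
{
    struct cmsghdr *c;

    if (msg->msg_flags & MSG_CTRUNC)        /* control data was cut short */
        return -1;
    for (c = CMSG_FIRSTHDR(msg); c != NULL; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level == IPPROTO_IPV6 && c->cmsg_type == IPV6_HOPLIMIT &&
            c->cmsg_len == CMSG_LEN(sizeof(int))) {
            int hl;
            memcpy(&hl, CMSG_DATA(c), sizeof hl);
            return hl;
        }
    }
    return -1;
}

/* Read one packet. Returns its length only if data arrived and the hop
 * limit is 255; returns -1 otherwise, so the caller never parses a buffer
 * that recvmsg() did not fill or that came from off-link. */
ssize_t recv_advert_checked(int fd, void *buf, size_t len)
{
    union hoplimit_ctrl ctrl;
    struct iovec iov;
    struct msghdr msg;
    ssize_t n;

    iov.iov_base = buf;
    iov.iov_len = len;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctrl.buf;
    msg.msg_controllen = sizeof ctrl.buf;

    n = recvmsg(fd, &msg, 0);
    if (n <= 0)                             /* error (e.g. EINTR) or no data */
        return -1;
    if (hop_limit_from_cmsg(&msg) != VRRP_HOP_LIMIT)
        return -1;
    return n;
}

/* Constructed ancillary data: build the msghdr the kernel would hand back
 * and run the same check on it. attach_cmsg == 0 models a socket on which
 * IPV6_RECVHOPLIMIT was never enabled. */
int constructed_hop_limit_accepted(int hop_limit, int attach_cmsg)
{
    union hoplimit_ctrl ctrl;
    struct msghdr msg;

    memset(&msg, 0, sizeof msg);
    memset(&ctrl, 0, sizeof ctrl);
    if (attach_cmsg) {
        struct cmsghdr *c;
        msg.msg_control = ctrl.buf;
        msg.msg_controllen = sizeof ctrl.buf;
        c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = IPPROTO_IPV6;
        c->cmsg_type = IPV6_HOPLIMIT;
        c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &hop_limit, sizeof hop_limit);
    }
    return hop_limit_from_cmsg(&msg) == VRRP_HOP_LIMIT;
}

int main(void)
{
    printf("hop limit 255: %d\n", constructed_hop_limit_accepted(255, 1));
    printf("hop limit 64:  %d\n", constructed_hop_limit_accepted(64, 1));
    printf("no cmsg:       %d\n", constructed_hop_limit_accepted(255, 0));
    return 0;
}
```

A missing hop limit is treated the same as a wrong one, so a socket set up without IPV6_RECVHOPLIMIT fails closed.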
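The entries "Ensure a received packet has an AH header if and only if AH auth", "Ensure all protocol headers received before return pointer to vrrp header" and "Enhance and streamline checking of validity of received VRRP packet" above all come down to bounds-checking each header before reading it. The C code below is an added example, not keepalived's vrrp_get_header(): the function names, the IPv4-only scope and the constructed packets are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_AH      51   /* IP protocol number of the Authentication Header */
#define PROTO_VRRP    112  /* IP protocol number of VRRP */
#define IPV4_MIN_HDR  20
#define AH_FIXED_LEN  12   /* next header, length, reserved, SPI, sequence */
#define VRRP_HDR_LEN  8
#define VRRP_AUTH_AH  2    /* VRRPv2 auth type "IP Authentication Header" */

/* Return a pointer to the VRRP header inside buf, or NULL unless every
 * header in front of it (IPv4, and AH exactly when expect_ah is set) is
 * fully contained in the len bytes that were actually received. */
const uint8_t *vrrp_header_checked(const uint8_t *buf, size_t len, int expect_ah)
{
    size_t off, ah_len;
    uint8_t proto;

    if (len < IPV4_MIN_HDR || (buf[0] >> 4) != 4)
        return NULL;
    off = (size_t)(buf[0] & 0x0f) * 4;            /* IHL in bytes */
    if (off < IPV4_MIN_HDR || off > len)
        return NULL;
    proto = buf[9];

    if (expect_ah) {
        if (proto != PROTO_AH || len - off < AH_FIXED_LEN)
            return NULL;
        /* AH length field counts 32-bit words minus 2 */
        ah_len = ((size_t)buf[off + 1] + 2) * 4;
        if (ah_len < AH_FIXED_LEN || ah_len > len - off)
            return NULL;
        proto = buf[off];                         /* AH "next header" */
        off += ah_len;
    }
    if (proto != PROTO_VRRP)                      /* also rejects an unexpected AH */
        return NULL;
    if (len - off < VRRP_HDR_LEN)
        return NULL;
    return buf + off;
}

/* The auth type byte only exists in VRRP version 2, so check the version
 * first. Returns -1 for a NULL header or any other version. */
int vrrp_auth_type(const uint8_t *hdr)
{
    if (hdr == NULL || (hdr[0] >> 4) != 2)
        return -1;
    return hdr[4];
}

/* Constructed sample advert written into a 64-byte buffer; returns its
 * length. ver_type is the first VRRP byte (0x21 = version 2, type 1). */
size_t build_advert(uint8_t *pkt, int with_ah, uint8_t ver_type)
{
    size_t off = IPV4_MIN_HDR;

    memset(pkt, 0, 64);
    pkt[0] = 0x45;                                /* IPv4, IHL = 5 words */
    pkt[9] = with_ah ? PROTO_AH : PROTO_VRRP;
    if (with_ah) {
        pkt[off] = PROTO_VRRP;                    /* AH next header */
        pkt[off + 1] = 4;                         /* (4 + 2) * 4 = 24-byte AH */
        off += 24;
    }
    pkt[off] = ver_type;
    pkt[off + 1] = 51;                            /* VRID (constructed) */
    pkt[off + 2] = 100;                           /* priority (constructed) */
    pkt[off + 4] = with_ah ? VRRP_AUTH_AH : 0;
    return off + VRRP_HDR_LEN;
}

int main(void)
{
    uint8_t pkt[64];
    size_t n = build_advert(pkt, 1, 0x21);

    printf("AH expected, AH present:  %s\n",
           vrrp_header_checked(pkt, n, 1) ? "accepted" : "rejected");
    printf("AH not expected, present: %s\n",
           vrrp_header_checked(pkt, n, 0) ? "accepted" : "rejected");
    printf("truncated by one byte:    %s\n",
           vrrp_header_checked(pkt, n - 1, 1) ? "accepted" : "rejected");
    return 0;
}
```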

-------------------------------------------------------------------
Sat Jan 19 02:22:09 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>

- fix build on 42.3/sle12 by disabling http regexp check support
- add nftables to the BR
- cleanup BR support for sle11, moved almost all BR to pkgconfig
  style
- disable dbus instance creation support as it is marked as
  dangerous

-------------------------------------------------------------------
Fri Jan 18 15:39:47 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>

- update to 2.0.11
- Fix segfault while shutting down when SNMP activity occurs.
  Issue #1061 identified that keepalived could segfault when it
  shut down. It appears that this was caused by data being
  received on the file descriptors that the snmp agent requests
  keepalived to monitor with epoll(). Since the read threads
  weren't being processed during a shutdown, the first time an
  snmp fd was ready, keepalived discarded the read thread. The
  second time that fd became ready there was no thread to handle
  the fd, and, since the assert() statement was not compiled in,
  non-existent data was queued to the thread ready queue. This
  commit changes the assert() calls to continue, so that
  non-existent data is no longer queued to the thread ready queue.
- While shutting down, continue to handle snmp agent fds. Since
  we don't shutdown the snmp connection until the very end of the
  shutdown process (we need to be able to send snmp traps), we
  should continue to handle the snmp fds on behalf of the snmp
  agent while shutting down.
- Ensure snmp agent is in correct state when initialising/closing
  Make sure the snmp agent is not already initialised before
  initialising it, and make sure it has been initialised before
  closing it.
- Disable asserts in bfd code by default and add --enable-asserts
  Asserts were enabled by default in the bfd code, which
  shouldn't be the case. Add --enable-asserts configure option
  so that the asserts tests can be enabled while debugging.
- Remove debugging log message accidentally left in.
- Update receive buffers when interface is created. The receive
  buffer size used by keepalived is based on the largest MTU of
  any interface that keepalived uses. If dynamic interfaces are
  being used and an interface is created after keepalived has
  started, the MTU of the new interface may be larger than the
  previous largest, so the receive buffer may need to be
  increased in size. Further, if vrrp_rx_bufs_policy is MTU,
  then the kernel receive buffers on the receive socket may need
  to be increased.
- Handle MTU sizes being changed. Issue #1068 identified that
  the MTU size wasn't being updated in keepalived if it changed.
  This commit now updates the MTU size and adjusts receive buffer
  sizes accordingly.
- Fix syntax error in configure.ac.
- Fix double free when global data smtp_helo_name copied from
  local_name. Issue #1071 identified a double free fault. It
  occurred when smtp_helo_name was not set, in which case it was
  set to point to the same malloc'd memory as local_name. At
  termination keepalived freed both local_name and
  smtp_helo_name. If keepalived needs to use local_name for
  smtp_helo_name it now malloc's additional memory to copy the
  string into.
- Rename TIMER_MAX to TIMER_MAXIMUM. uClibc defines TIMER_MAX, so
  to avoid naming conflict rename it. This issue was reported by
  Paul Gildea <gildeap@tcd.ie> who also provided the patch.
- Fix segfault when smtp alerts configured.
- First working version of nftables.
- Restructured code around how iptables/nftables are called. This
  commit also allows building keepalived without iptables
  support, thereby allowing only nftables support. Adding any
  other mechanism to handle no_accept mode, i.e. blocking
  receiving and sending to/from VIPs should be added to
  vrrp_firewall.c, in a similar way to how nftables/iptables are
  used.
- Update doc files re nftables.
- Make nftables handle dont_track_primary appropriately.
- Fix config reload with nftables.
- Set base chain priorities from configuration.
- Use iptables by default if neither iptables nor nftables
  configured. But if the build of keepalived does not include
  iptables, then use nftables default.
- Stop dumping keywords - left turned on after debugging.
- Make umask configuration apply to created file.
- Add libmnl and libnftnl to travis file.
- Fix compilation failure when NFTNL_EXPR_LOOKUP_FLAGS not
  defined.
- Fix compilation failure when build with nftables but without
  iptables.
- Fix order of include files in configure COLLISION test. Since
  Linux 4.4.11 (commit 1575c09) including linux/if.h after
  net/if.h works, whereas until glibc fix their headers including
  net/if.h after linux/if.h causes compiler redefinition errors.
  Unfortunately the test for the collision was done the wrong way
  round, as identified in issue #1079. The patch included in the
  issue report corrects the order of inclusion of the header
  files. What we should do is ensure that glibc header files are
  included before Linux header files, so that at least if kernel
  headers from 4.4.11 onwards are used, the conflict will not
  occur.
- Set CLOEXEC on netlink sockets.
- Correct error message for invalid route metric.
- Add track_process for vrrp to monitor if another process is
  running. Configurations frequently include a track_script to
  check that a process is running, often haproxy or nginx. Using
  any of pgrep, pkill, killall, pidof, etc, has an overhead of
  reading all /proc/[1-9]*/status and/or /proc/[1-9]*/cmdline
  files. In particular reading the cmdline files has a
  significant overhead on a system that is swapping, since the
  cmdline files provide access to part of the address space of
  each process, which may need to be fetched from the swap space.
  This commit reads the /proc/[1-9]*/stat and/or the
  /proc/[1-9]*/cmdline files only when keepalived starts, and
  after that uses the process events connector to track process
  creation and termination. keepalived will ignore zombie
  processes, whereas pgrep etc include them. A minimum number of
  instances of a process can be specified, and also a delay so
  that if a process is restarted, it won't cause monitoring vrrp
  instances to immediately transition to fault state but to wait
  the configured time and if the monitored process starts again
  it won't transition to fault state. There are potential
  difficulties with the process event connector if a large number
  of process events occur very rapidly, since there can be a
  receive buffer overrun on the netlink socket. This code will
  detect that happening, increase the receive buffer size, and
  reread the processes from /proc.
- Add missing #include to track_process.c.
- Fix number of elements of fd_set read for snmp select info.
- Remove thread_event_t when EPOLL_CTL_DEL fails. If snmpd
  closes a file descriptor, when keepalived attempts to
  unregister the fd from epoll an error is returned. However, we
  still need to remove the thread_event_t from the io_events
  rbtree.
- Fix connection to snmpd after it has to reconnect. Issue #1080
  identified that keepalived wasn't handling a connection failure
  and reconnect to snmpd properly. The problem was created when
  the change from select() to epoll() was made. This commit
  makes keepalived unregister and reregister the snmp file
  descriptors after snmpd reconnects.
- Fix retry count for SMTP_CHECK checker. The checker was doing
  one too few retries.
- Make healthchecker failure reporting consistent. Some
  healthcheckers were reporting all failures, and others only
  when the retries expired. This commit by default makes the
  checkers only report failure when the retries expire, unless
  the global keyword checker_log_all_failures or log_all_failures
  on the specific checker is configured.
- After reload, reinitialise current track processes state.
- Remove unused variable in track_process.c.
- Add configure checks re --with-kernel-dir.
- Convert remaining select() to epoll_wait(). keepalived was
  using select() for handling the termination of child processes,
  but the main scheduling loop now uses epoll_wait(), so convert
  the select() to epoll_wait() for consistency.
- Stop keepalived leaving zombie child processes. keepalived
  wasn't reaping the termination of its child processes, so this
  commit adds waitpid() calls once it knows the processes have
  terminated.
- Fix make distclean and make distcheck.
- Also skip route not configured with down interface. Otherwise,
  if keepalived has virtual_routes configured, we create a
  virtual interface and bring it up and down, current code will
  bring VRRP state to FAULT and never return.
- Stop vrrp process entering infinite loop when track script
  times out. Issue #1093 identified that the vrrp process was
  entering an infinite loop after a track script timed out. This
  was due to a child process thread having an RB tree for PIDs as
  well as for the timeout, and if a child process timed out, the
  thread wasn't being removed from the PID RB tree. This commit
  now ensures it is removed.
- Fix the abbreviation of Shortest Expected Delay.
- Don't free unallocated memory if not tracking processes.
- vrrp: Rewrote JSON code. Remove dependency to json-c extralib by
  using a simple streaming JSON writer. Refactored code to make
  it simple to maintain.
- vrrp: Fix JSON handling for v{route;rule}.
- autoconf: fix nftables selection. We need to inhibit nftable
  compilation if compiling system has kernel header file
  nf_tables.h but not libnftnl nor libmnl.

-------------------------------------------------------------------
Wed Nov 28 12:27:13 UTC 2018 - Marcus Rueckert <mrueckert@suse.de>

- update to 2.0.10
- Fix compiling on Alpine Linux.
- Stop printf compiler warning on Alpine Linux due to rlim_t.
- manpage cosmetic.
- Fix removing snmpd read threads when snmpd becomes unavailable.
- Update to support libipset version 7.
- Use ipset_printf for ipset messages so can go to log.
- When opening files for write, ensure files can only be read by
  root. Issue #1048 referred to CVE-2018-19046 regarding files
  used for debugging purposes could potentially be read by non
  root users. This commit ensures that such log files cannot be
  opened by non root users.
- Disable fopen_safe() append mode by default. If a non privileged
  user creates /tmp/keepalived.log and has it open for read (e.g.
  tail -f), then even though keepalived will change the owner to
  root and remove all read/write permissions from non owners, the
  application which already has the file open will be able to
  read the added log entries. Accordingly, opening a file in
  append mode is disabled by default, and only enabled if
  --enable-smtp-alert-debug or --enable-log-file (which are
  debugging options and unset by default) are enabled. This
  should further alleviate security concerns related to
  CVE-2018-19046.
- vrrp: add support to constant time memcmp. Just an update to
  use best practise security design pattern. While comparing
  password or hmac you need to ensure comparison function is time
  constant in order to fight against any timing attacks. We turn
  off potential compiler optimizations for this particular
  function to avoid any short circuit.
- Make sure a non privileged user cannot read keepalived file
  output. Ensure that when a file such as /tmp/keepalived.data is
  written, no non privileged user can have a previous version of that
  file already open, thereby allowing them to read the data.
  This should fully resolve CVE-2018-19046.
- drop b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch: included in
  update
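The "vrrp: add support to constant time memcmp" entry above, as an added example that is not keepalived's code: ct_memcmp() is a hypothetical helper that uses volatile reads in place of the compiler-optimisation switch the entry mentions, and the 8-byte sample values (the size of the VRRPv2 authentication data field) are constructed.

```c
#include <stddef.h>
#include <stdio.h>

#define VRRP_AUTH_LEN 8   /* size of the VRRPv2 authentication data field */

/* Constructed sample values: one guess differs in the first byte, the
 * other only in the last byte. */
const unsigned char SAMPLE_SECRET[VRRP_AUTH_LEN]     = {'s','3','c','r','e','t','p','w'};
const unsigned char GUESS_WRONG_FIRST[VRRP_AUTH_LEN] = {'x','3','c','r','e','t','p','w'};
const unsigned char GUESS_WRONG_LAST[VRRP_AUTH_LEN]  = {'s','3','c','r','e','t','p','X'};

/* Early-exit comparison, the shape memcmp()/strcmp() are free to take.
 * Returns how many bytes were examined before the answer was known, which
 * is the quantity a timing measurement reveals. */
size_t early_exit_bytes_examined(const unsigned char *a,
                                 const unsigned char *b, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++)
        if (a[i] != b[i])
            return i + 1;
    return n;
}

/* Constant-time comparison: every byte is always read and folded into
 * diff, so the work done does not depend on where the first mismatch is.
 * The volatile qualifiers stop the compiler from turning the loop back
 * into an early-exit one. Returns 0 when equal, 1 otherwise. */
int ct_memcmp(const void *a, const void *b, size_t n)
{
    const volatile unsigned char *pa = a;
    const volatile unsigned char *pb = b;
    unsigned char diff = 0;
    size_t i;

    for (i = 0; i < n; i++)
        diff |= (unsigned char)(pa[i] ^ pb[i]);
    return diff != 0;
}

int main(void)
{
    printf("early exit, wrong first byte: %zu bytes examined\n",
           early_exit_bytes_examined(SAMPLE_SECRET, GUESS_WRONG_FIRST, VRRP_AUTH_LEN));
    printf("early exit, wrong last byte:  %zu bytes examined\n",
           early_exit_bytes_examined(SAMPLE_SECRET, GUESS_WRONG_LAST, VRRP_AUTH_LEN));
    printf("ct_memcmp results: %d %d %d\n",
           ct_memcmp(SAMPLE_SECRET, GUESS_WRONG_FIRST, VRRP_AUTH_LEN),
           ct_memcmp(SAMPLE_SECRET, GUESS_WRONG_LAST, VRRP_AUTH_LEN),
           ct_memcmp(SAMPLE_SECRET, SAMPLE_SECRET, VRRP_AUTH_LEN));
    return 0;
}
```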

-------------------------------------------------------------------
Sat Nov 10 21:01:14 UTC 2018 - Marcus Rueckert <mrueckert@suse.de>

- added b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch to fix
  building with libipset >= 7

-------------------------------------------------------------------
Fri Nov 9 16:07:40 UTC 2018 - Marcus Rueckert <mrueckert@suse.de>

- update to 2.0.9
- Fix updating a timer thread's timeout. Issue #1042 identified
  that the BFD process could segfault. This was tracked down to a
  timer thread which had already expired having its timeout
  updated by timer_thread_update_timeout(). The sands timer
  should only be updated if the thread is on a waiting queue, and
  not if it has already timed out or it is unused.
- Don't requeue read thread if it is not waiting. This update
  matches commit 09a2a37 - Fix updating a timer thread's timeout
  should.
- Allow BFD instance to recover after send error. If sendto
  failed in bfd_send_packet(), the bfd instance was put into
  admin down state, but there was no means for the bfd instance
  to transition out of admin down state. This commit makes
  keepalived log the first instance of a sequence of failures to
  send a bfd packet, but does not bring the bfd instance down in
  case the error is a transient error. If the error is longer
  lasting, the remote system will timeout, transition to down
  state, and send a message saying it is down. Once the bfd
  instance can start sending again the bfd instance can now
  transition again to up state.
- Make DGB definition use log_message() rather than syslog().
- Fix building with --enable-debug configure option.
- Start list of required kernel features in INSTALL file. Issue
  #1024 asked what kernel features are needed to support
  keepalived. The simple answer was that it isn't recorded
  anywhere, so this is a start of making a list of the features
  required.
- Make list_remove() call list free function and add
  list_transfer(). If an element is being removed from a list,
  the free function should be called. list_transfer() allows a
  list element to be moved from one list to another without
  freeing and reallocating the list element control information.
- Add mem_check diagnostics re calling functions of list
  functions. When using mem_check, mallocs and frees were
  recorded against the list functions, and the originating
  functions weren't identified. This patch adds recording of the
  functions calling the list functions so that the originating
  function is identified.
- Simplify the processing of comments in configuration files.
  This commit moves the handling (and removal) of comments to a
  single function (called from read_line()) which simplifies the
  processing of config files.
- Add ~SEQ(start, step, end) config functionality. Where a
  configuration has repeated blocks of configuration where the
  only thing that changes is a numeric value (e.g. for VRIDs from
  1 to 255) this allows the block to be defined once, and a
  single line using ~SEQ can then generate all the blocks.
- Use REALLOC when building a multiline definition. The code
  used to use MALLOC, strcpy() and FREE, but REALLOC can do all
  this for us.
- Improve mem-check diagnostics. When using an allocation list
  of over 50,000 entries, it was quite slow searching through all
  the entries to find the matching memory allocation, and to find
  free entries. This commit changes to using malloc() to create
  entries, and a red-black tree to hold the entries. It also has
  a separate list of free entries. This commit also adds 4 more
  types of memory allocation error, and improves the consistency
  of the entries in the log files.
- Don't attempt to delete VMAC when underlying interface is
  deleted. If the underlying interface of one of our vmacs is
  deleted, and we know the vmac has been deleted, don't attempt
  to delete it again.
- Include master state in determining if vmacs are up or down.
  Netlink doesn't send messages for a state change of a macvlan
  when the master device changes state, so we have to track that
  for ourselves.
- Turn off parser debugging.
- Make test/mk_if create iptables chains.
- Handle interfaces not existing when keepalived terminates. If
  the underlying interface of a vmac we created has been deleted,
  the vmac will not exist so don't attempt to delete it again.
  Also, don't attempt to reset the configuration of the
  underlying interface.
- Handle the underlying interface of a macvlan interface going
  up/down. The kernel doesn't send netlink messages for macvlans
  going up or down when the underlying interface transitions (it
  doesn't even update their status to say they are up/down), but
  the interfaces don't work. We need to track the state of the
  underlying interfaces and propagate that to the macvlan
  interfaces.
- Fix duplicate value in track_t enum.
- Fix check for matching track types.
- Treat macvtap interfaces in the same way as macvlan interfaces.
- Improve handling of interfaces not existing when keepalived
  starts.
- Fix handling interface deletion and creation of vmacs on
  macvlan i/fs.
- When interface created, open sockets on it if used by VRRP
  directly. If an interface is created that has vrrp instances
  configured on it that don't use VMACs, or use vmac_xmit_base,
  then the raw sockets must be opened.
- Force seeing a transition to up state when an interface is
  created.
- Fix netlink remnant data error.
- Add command line and configuration option to set umask. Issue
  #1048 identified that files created by keepalived are created
  with mode 0666. This commit changes the default to 0644, and
  also allows the umask to be specified in the configuration or
  as a command line option.
- Fix compile warning introduced in commit c6247a9. Commit
  c6247a9 - "Add command line and configuration option to set
  umask" introduced a compile warning, although the code would
  have worked OK.
- When opening files for write, ensure they aren't symbolic
  links. Issue #1048 identified that if, for example, a non
  privileged user created a symbolic link from
  /etc/keepalived.data to /etc/passwd, writing to
  /etc/keepalived.data (which could be invoked via DBus) would
  cause /etc/passwd to be overwritten. This commit stops
  keepalived writing to pathnames where the ultimate component is
  a symbolic link, by setting O_NOFOLLOW whenever opening a file
  for writing. This might break some setups, where, for example,
  /etc/keepalived.data was a symbolic link to
  /home/fred/keepalived.data. If this was the case, instead
  create a symbolic link from /home/fred/keepalived.data to
  /tmp/keepalived.data, so that the file is still accessible
  via /home/fred/keepalived.data. There doesn't appear to be a
  way around this backward incompatibility, since even checking
  if the pathname is a symbolic link prior to opening for
  writing would create a race condition.
- Make netlink error messages more meaningful.
- Fix compiling without support for macvlans.
- fix uninitialized structure. The linkinfo and linkattr
structures were not initialized, so we should not expect that
nonexistent attributes are set to NULL. Add the missing
memset().
- fix socket allocation with dynamic interfaces. When there are
several vrrp instances binding different interfaces that don't
exist at startup, their ifindex is set to 0 in the sock. The
function already_exist_sock() that looks up an existing
socket will always return the first sock because the ifindex is
the same. Later, when an interface appears, the fd will be
created for one instance, and all instances will wrongly use
this fd to send the advertisements. Fix this by using the
interface structure pointer instead of the ifindex as the key
for sock lookup. The problem was identified by Olivier Matz
who also provided a patch fixing the problem. This patch is a
slight rework of Olivier's patch, better using the existing
data structures that keepalived already holds.
- When creating a macvlan interface, use AF_UNSPEC rather than
AF_INET.
- Stop using libnl for configuring interfaces. Since there is
code to configure the interfaces using netlink without using
libnl, there is no point in having code to do it using libnl.
- Fix building on CentOS 6.5.
- Stop including some files not needed after libnl removal for
i/fs.
- Fix some compilation issues when building without vrrp support.
- Stop using libnl for mcast group membership and setting rx buf
sizes. Since there is code to handle multicast group
membership and setting kernel netlink receive buffer sizes
without using libnl, there is no point in having code to do it
using libnl. This now means that the vrrp functionality no
longer uses libnl.
- Add some sanity checking of configure options. Certain invalid
combinations of configure options could cause compile errors,
e.g. --disable-vrrp --enable-vrrp-fd-debug. This commit ensures
that invalid combinations aren't allowed, in order to stop the
compile errors.
- Fix invalid configuration combination caught by previous
commit.
- Use netlink to set/clear rp_filter on interfaces.
- Fix configure for building without vrrp.
- Actually update the .travis.yml file to fix the problem.
- Fix conditional compilation re epoll-thread-dump debugging.
- Update INSTALL file now that libnl-route-3 is no longer used.
- Stop cast to incompatible function type warnings from gcc 8.1.
- Update snapcraft.yaml not to include libnl-route-3.
- keepalived exit with non-zero exit code if config file not
readable.
- Allow specifying default config file at configure time.
- Use keepalived define for exit code when malloc failure.
- Fix configuring fixed interface type.
- Add configuring keepalived default configuration file.
- Fix return value in get_time_rtt() error path.
- Update generation of git-commit.h.
- snapcraft.yaml: Enable all sensible build options. Preserve
build time version in the snap version. Expose genhash.
- snapcraft.yaml: Build keepalived with Linux 3.13 headers.
- snap: Add an install hook to make sure a keepalived
configuration exists.
- snap: Move the hooks to the correct location.
- snap: Make sure /etc/keepalived exists.
- Fix building with IP_MULTICAST_ALL in linux/in.h but not
netinet/in.h. Issue #1054 identified that configure was checking
the definition of IP_MULTICAST_ALL in linux/in.h but including
netinet/in.h, which also has the definition, but only from
glibc 2.17. This commit creates a local definition (in
lib/config.h) of IP_MULTICAST_ALL if it is defined in
linux/in.h but not in netinet/in.h. The reason for this is that
compiles using linux/in.h fail due to conflicting definitions.
- Fix creating iptables tables in mk_if.
- Update .travis.yml to use xenial.
- Update .travis.yml to add --enable-regex option.
- Tidy up .travis.yml file.
- snap: Build multiple keepalived binaries.
- Updated snapcraft builds to support multiple kernel versions.
- drop patches:
- 5241e4d7b177d0b6f073cfc9ed5444bf51ec89d6.patch
- c6247a9ef2c7b33244ab1d3aa5d629ec49f0a067.patch
- 04f2d32871bb3b11d7dc024039952f2fe2750306.patch
- refreshed patch: linux-4.15.patch

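The O_NOFOLLOW change and the check-before-open race noted in the entry above, as an added C example that is not keepalived's code. The helper names, the temporary directory and the file contents are constructed for the demonstration, and Linux open() behaviour (ELOOP when the final component is a symlink) is assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define VICTIM_TEXT "root:x:0:0:constructed sample\n" /* stands in for /etc/passwd */
#define DUMP_TEXT   "vrrp state dump (constructed)\n" /* stands in for the data file */

struct sandbox { char dir[64], data[96], victim[96]; };

static int write_flags(const char *path, const char *text, int extra)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | extra, 0600);
    if (fd < 0)
        return -1;                      /* errno from open() is left intact */
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Hardened: the kernel refuses a symlink as the final path component.
 * Symlinks in parent directories are still followed. */
static int write_nofollow(const char *path, const char *text)
{
    return write_flags(path, text, O_NOFOLLOW);
}

/* Behaviour without the flag: a symlink at path is followed to its target. */
static int write_following(const char *path, const char *text)
{
    return write_flags(path, text, 0);
}

/* The "check first" idea: true only at the instant lstat() runs. */
static int looks_safe(const char *path)
{
    struct stat st;
    return !(lstat(path, &st) == 0 && S_ISLNK(st.st_mode));
}

static int file_equals(const char *path, const char *expect)
{
    char buf[128] = {0};
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n >= 0 && strcmp(buf, expect) == 0;
}

static int sandbox_init(struct sandbox *s)
{
    strcpy(s->dir, "/tmp/nofollow-demo-XXXXXX");
    if (!mkdtemp(s->dir))
        return -1;
    snprintf(s->data, sizeof s->data, "%s/keepalived.data", s->dir);
    snprintf(s->victim, sizeof s->victim, "%s/victim", s->dir);
    return write_following(s->victim, VICTIM_TEXT);
}

static void sandbox_free(struct sandbox *s)
{
    unlink(s->data);    /* removes the link itself, never its target */
    unlink(s->victim);
    rmdir(s->dir);
}

/* 1 if the write through a symlink was refused with ELOOP and the target is intact. */
int demo_nofollow_refuses_symlink(void)
{
    struct sandbox s;
    if (sandbox_init(&s) != 0)
        return 0;
    int ok = symlink(s.victim, s.data) == 0
          && write_nofollow(s.data, DUMP_TEXT) == -1 && errno == ELOOP
          && file_equals(s.victim, VICTIM_TEXT);
    sandbox_free(&s);
    return ok;
}

/* 1 if a passing check followed by a plain open still overwrote the target. */
int demo_check_then_open_is_racy(void)
{
    struct sandbox s;
    if (sandbox_init(&s) != 0)
        return 0;
    int passed  = looks_safe(s.data);                /* path absent: check passes   */
    int swapped = symlink(s.victim, s.data) == 0;    /* the change inside the window */
    int wrote   = write_following(s.data, DUMP_TEXT) == 0;
    int clobbered = file_equals(s.victim, DUMP_TEXT);
    sandbox_free(&s);
    return passed && swapped && wrote && clobbered;
}

/* 1 if an ordinary file is still written normally with O_NOFOLLOW set. */
int demo_regular_file_still_written(void)
{
    struct sandbox s;
    if (sandbox_init(&s) != 0)
        return 0;
    int ok = write_nofollow(s.data, DUMP_TEXT) == 0
          && file_equals(s.data, DUMP_TEXT) && file_equals(s.victim, VICTIM_TEXT);
    sandbox_free(&s);
    return ok;
}

int main(void)
{
    printf("O_NOFOLLOW refuses symlink:   %d\n", demo_nofollow_refuses_symlink());
    printf("check-then-open overwritten:  %d\n", demo_check_then_open_is_racy());
    printf("regular file still written:   %d\n", demo_regular_file_still_written());
    return 0;
}
```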
-------------------------------------------------------------------
Thu Nov 8 12:44:47 UTC 2018 - Marcus Rueckert <mrueckert@suse.de>

- update to 2.0.8
- Improve identifying interface as macvlan when reading interface
details
- Enslave a VMAC to the VRF master of the underlying interface.
- Use addattr32 rather than addattr_l for if_index.
- Only include VRF support if kernel headers support it.
- Fix --enable-timer-debug configure option.
- Fix some configure.ac enable option tests.
- Include stdbool.h in process.c.
- Fix diagnostic message re ignoring weight of tracked interface.
- Fix track_bfds with weights.
- Correct conditional compilation definition name.
- Fix memory leak in HTTP_GET/SSL_GET.
- Fix two memory leaks in DNS_CHECK.
- Don't consider retries for BFD_CHECK. The BFD_CHECKer doesn't
support retries, and the check was causing the checker not to
transition to down state.
- Fix memory leak with BFD_CHECK.
- Restart global notify FIFO handler after reload.
- modify @WITH_REGEX@ to @WITH_REGEX_TRUE@
- Fix compiling without BFD support.
- Stop bfd process sending double the number of packets. If a
bfd process received an initial bfd packet, it scheduled a
second bfd_sender_thread thereby causing two packets to be sent
in every interval.
- Use timerfd for select timeouts rather than select timeout
parameter. This is a precursor to moving to using epoll.
- Use epoll rather than select. epoll is both more efficient
than select and also doesn't have a file descriptor limit of
1024, which limited the number of vrrp instances that could be
managed. This commit also introduces red-black trees and the
list_head list type.
- Add --enable-timer-check option for logging calls for getting
time. Calls to update the current time from the kernel are made
too frequently, and this patch logs when the calls are made,
and how long since the previous call, so unnecessary calls can
be removed.
- Add debug option for monitoring epoll queues. This is enabled
by --enable-epoll-debug and replaces --enable-timer-debug.
- Use system monotonic clock to generate a monotonic clock.
Rather than have our own code for creating a monotonic clock,
use the kernel's monotonic clock.
- Make some functions in timer.c inline. The functions had one
line of code so inlining them is more efficient.
- Fix requeueing read and write threads after read/write
timeouts.
- Fix initial allocating and final freeing of thread_master
epoll_events.
- When cleaning up threads, also clean up their thread_events.
- Add thread_close_fd() function to release thread_event_t on
close. When a file descriptor that has been monitored by epoll
is closed the thread_event_t structure used for managing epoll
for that fd has to be released. Therefore calls to close() are
replaced by calls to thread_close_fd().
- Make parent process write log entry when it is reloading.
- Move checking for thread timeouts to timerfd_handler. There is
no point in checking for thread timeouts if the timerfd isn't
readable; in other words only check for thread timeouts if the
timer has expired.
- Make bfd rescheduling timer threads more efficient.
- Streamline DNS_CHECK code.
- Fix buffer overrun with track file path names.
- Add timestamp when writing mem_check entries to file.
- Ensure thread_event_t released for ready threads at
termination.
- Increase open file limit if large number of VRRP instances.
Each VRRP instance can use up to 2 file descriptors, and so if
there are more than 500 ish VRRP instances the number of open
files can exceed the default per process limit (1024 on my
system). The commit allows 2 file descriptors per vrrp
instance plus a few more, and if the RLIMIT_NOFILE value
returned by getrlimit isn't high enough, keepalived will
increase the limit.
- Ensure that child processes run with standard
priorities/limits. When child processes such as notify
scripts, track_scripts and MISC_CHECK scripts are run, they
should not inherit any elevated priorities, system limits etc
from the parent keepalived process.
- Change multiple spaces to tabs in scheduler.h.
- Add family to sockpool listing.
- Fix a multiline definition expansion issue.
- Free allocated cache when closing/freeing netlink socket. When
running on a system with 500+ interfaces configured and adding
1000 VMAC interfaces, the heap was growing by 340Mb due to the
netlink cache not being freed after creating each VMAC
interface. With this patch the heap only grows by 3.7Mb (if
creating 1000 VMAC interfaces the heap grew by 905Mb now
reduced to 6.1Mb).
- Stop using netlink cache when adding and configuring VMAC
interfaces. When running on a system with 500+ interfaces
configured and adding 1000 VMAC interfaces, it was taking 2.3
seconds to add the interfaces. Without populating a netlink
cache each time a VMAC interface is created it now takes 0.38
seconds to add the interfaces (if creating 1000 VMAC interfaces
it was taking 6.1 seconds, now reduced to 0.89 seconds, and the
heap growth is reduced from 6.1Mb to 3.9Mb).
- Add function rtnk_link_get_kernel for dynamic linking.
- Fix compiling without JSON support.
- Add support for recording perf profiling data for vrrp process.
- Add comment re usage of MAX_ALLOC_LIST.
- Some streamlining of scheduler.c.
- Merge --enable-epoll-debug and --enable-dump-threads
functionality.
- Let thread_add_unuse() set thread type, and use
thread_add_unuse() more.
- Use break rather than return in process_threads().
- Fix segfault when reloading with HTTP_GET and no regex
configured.
- Merge the next-generation scheduler.
- Make all debug options need enabling at runtime. Previously if
configure enabled a debug option its output was always
recorded, which meant that if one didn't want the output,
configure/compile was needed. This commit adds command line
options that need to be set in order to turn the debugging on.
- Remove unwanted debug message.
- Fix parsing --debug options.
- Fix rb tree insertion with timers.
- Add missing functions for thread debugging.
- Add vrrp instance VMAC flags when dumping configuration.
- Ensure parent thread terminates if child has permanent config
error.
- Ensure don't delete VMAC interface if keepalived didn't create
it, and sundry fixes.
- If receive lower priority advert, send GARP messages for sync
group. A recent update to issue #542 identified that following
recovery from a split brain situation, GARP messages weren't
being sent. It transpired that, if a member of a sync group in
master state received a lower priority advert and
vrrp_higher_prio_send_advert is set, a further (lower priority)
advert is sent, and the instance and all the members of the
sync group transition to backup (the other members of the sync
group don't send a further advert since they haven't received a
higher priority advert). This meant that the other members of
the sync group on the keepalived instance that remained master
didn't receive a lower priority advert, and so didn't send
further GARP messages. This commit changes keepalived's
behaviour, so that if a vrrp instance is sending GARP messages
due to receiving a lower priority advert and it is a member of
a sync group, keepalived will also send GARP messages for any
other members of the sync group that have garp_lower_prio_rep
set.
- Allow 0.0.0.0 and default/default6 for rule/route to/from
addresses.
- Check return value of SSL_CTX_new().
- Check return values of SSL_new() and BIO_new_socket().
- Only allow subnet masks with routes or virtual IP addresses.
For example, if specifying a via address or preferred source
address for a route, it isn't valid to specify a subnet mask.
- Add inet/inet6 to specify ip route/rule family if ambiguous.
- Remove superfluous parameter from parse_route().
- Add "any" and "all" as synonyms for "default".
- Fix memory leak if route destination address is wrong address
family.
- Add ttl-propagate route option.
- Fix checking return status of kill().
- Fix building with --enable-debug configure option.
- Stop delay in reload when using network namespaces. If running
in a network namespace, getaddrinfo() could take over 30
seconds before timing out while trying to contact a name
server. To alleviate this, the hostname is remembered from when
keepalived started.
- Fix spelling of propagate in propagate_signal().
- Fix effective_priority after reload if tracked interface down.
- Cosmetic grammatical changes.
- Add debug option for dumping vrrp fd lists.
- Fix calculation for vrrp fd timers. Starting or reloading
keepalived when an interface that was a tracked interface had
failed was stopping other vrrp instances that were on the same
interface but not using VMACs from coming up.
- Move code for initialising tracking priorities to vrrp_track.c.
- Don't overwrite track file on reload.
- Don't attempt to write track file if path not specified.
- Fix compiling when not using --enable-vrrp-fd-debug.
- Fix compiling with configure --enable-vrrp-fd-debug.
- Add sync group track_bfds and track file status to config dump.
- Move initialisation of track_files.
- Don't alter effective_priority if track_file takes vrrp instance
down.
- Don't log vrrp instance in fault state at reload if already
fault.
- Fix calculating fd timer if all vrrp sands are set to
TIMER_DISABLED.
- Don't make all sync groups transition to backup on reload. If a
sync group was in master state, and can still be after a reload
then allow it to stay in master state.
- Don't have track_bfd list in vrrp_sgroup_t if BFD not enabled.
- Fix memory leak re vrrp_sgroup_t track lists.
- Tidy up some freeing of MALLOC'd memory. Use FREE_PTR if it is
not known if the pointer is valid, and don't clear the pointer
after FREE/FREE_PTR since FREE does it anyway.
- Add memory.c list size definition and move definition from
memory.h.
- Increase size of checksum value for MEM_CHECK.
- Don't store checksum of memory allocation block. It can be
calculated from the size, so do so.
- Make the checksum for memory allocation blocks unsigned.
- Use an enum for memory allocation block types.
- Update comment re debug bit for memory detect error.
- In memory alloc debug code report free or realloc for not
alloc'd.
- Allow for PIDs up to 2^22 (7 decimal digits).
- Add function for dumping memory allocation while running.
- Fix max memory allocation size calculations.
- Fix reporting original and new file/line/func for realloc.
- Check matching block for realloc is allocated. The same memory
block may have been previously allocated and freed, so we need
to make sure that the block we find is currently marked as
allocated.
- Use a new MEMCHECK struct for realloc overrun detected. It was
marking the allocated block as an overrun block, whereas it
needs to be an allocated block, so use a new block to mark the
overrun.
- Tidy up working of a couple of memory allocation messages.
- Use for loops rather than while blocks in memory allocation
code.
- Report number of mallocs and reallocs with MEMCHECK.
- Attempt to log first free after double free in MEMCHECK.
- Streamline use of buf/buffer in memory.c.
- Always use first free entry in alloc_list for MEMCHECK.
- Define MEMCHECK alloc_list size via configure.
- Align keepalived_free() and keepalived_realloc().
- Make char * const where possible for MEMCHECK.
- Merge MEMCHECK keepalived_free() and keepalived_realloc().
Most of the code was common between the two (or should have
been), so it makes sense for them to use common code.
- Ensure only relevant thread types run during shutdown.
- Fix building without --enable-mem-check.
- Use rbtree search for finding child thread on child
termination. It was doing a linear search of the rbtree in
timeout order. This commit adds another rbtree for child
processes (vrrp track scripts and check_misc scripts), sorted
by PID, to make the search by PID more efficient.
- Make rbtree compare function thread_timer_cmp() more efficient.
- Remove child_remover functionality - it was superfluous.
- Fix checking that there are no duplicate vrrp instances
configured. The tuple {interface, family, vrid} must be unique.
The check for this was being made completely incorrectly.
- Delay creating vrrp notify FIFO.
- Remove struct sockaddr_storage saddr from sock_t.
- Use an rbtree for finding vrrp instance for received advert.
Previously the code searched a list of pointers to vrrp instances
and looked for a matching fd and vrid. In order to optimise
this, it was implemented using an mlist whose index was a hash
of the fd and vrid. This commit changes the approach and uses
an rbtree for each sock_t. Since the sock_t that the advert
was received on is known, the rbtree search is only searching
for a match on the vrid. Not only is this more efficient, but
it is simpler, uses standard code, and reduces the code by
over 60 lines.
- Use an rbtree for finding vrrp instance for socket timeout.
Previously the code searched a list of pointers to vrrp instances
and looked for matching file descriptor and sands < time_now.
In order to optimise this, it was implemented using an mlist
whose index was a hash of the fd. This commit changes the
approach and uses a second rbtree for each sock_t. Since the
sock_t that the timeout occurred on is known, the rbtree search
is only searching for a match of the sands. Not only is this
more efficient, but it is simpler, uses standard code, and
reduces the code by over 220 lines.
- Remove superfluous checks of rbtree node != NULL in rb_move().
- Remove superfluous check of node != NULL in rb_next().
- Update rbtree code to Linux 4.18.10.
- Fix debug logging of sands timers before time_now.
- Update rb_for_each_entry etc and rb_move to use rb_entry_safe.
With the added definition of rb_entry_safe in the rbtree code
updated to Linux 4.18.10, the redefinition of rb_entry was
reverted to the kernel definition. That meant that
rb_for_each_entry, rb_for_each_entry_safe and rb_move needed to
be updated to use rb_entry_safe rather than rb_entry.
- Add support functions for rbtree rb_root_cached. This is in
preparation for the use of rb_root_cached in the next patch.
- Use cached rbtrees where the key is a timeval_t sands. When the
key of an rbtree is a timeval_t sands keepalived will
frequently need to access the first node of the tree in order
to calculate the next timeout. This applies to the read, write,
child and timer threads queues, and also the vrrp queues on a
sock_t. The use of cached rbtrees for these is ideal since it
gives direct access to the first node of the queue.
- Add thread_add_read_sands to avoid introducing timer errors.
When using thread_add_read and the timeout was held as
timeval_t, it was converted to an offset from time_now, and
then converted back to a timeval_t, but time_now was updated,
resulting in a slightly different value being used as the
timeout. Using thread_add_read_sands() avoids the double
conversion and results in the timeout being more accurate.
- Replace NETLINK_TIMER with TIMER_NEVER. It makes the code
easier to read, and since NETLINK_TIMER was defined to be
TIMER_NEVER it doesn't change the functionality.
- Handle preempt delays not expiring at same time on sync group.
If different vrrp instances in a sync group had preempt delays
that expired at different times keepalived looped with very
small to epoll_wait() until all preempt delays had expired,
causing high CPU utilisation. Keepalived now reschedules vrrp
instances with a delay of 3 * advert_int + skew time while
waiting for all vrrp instances in the sync group to expire
their preempt delays.
- Fix segfault when receive netlink message for default route
added.
- Move vrf_master_index into conditional compilation block.
- Store interface macvlan type.
- Make vrp_master_ifp point to self for VRF master interfaces.
- Log if cannot create a VMAC due to existing interface with same
name.
- Handle delete/create of macvlan i/fs which aren't keepalived's.
- Tidying up keepalived_netlink.c.
- Handle VRFs changing on macvlan i/fs which have VMACs
configured on them.
- Fix recreating our VMACs if they are deleted.
- Fix detecting address add/deletion from underlying i/f of our
vmacs.
- Don't use configured_ifp or base_ifp if not _HAVE_VRRP_VMAC_.
- Distinguish between VMAC on real i/f and no VMAC on macvlan i/f.
If keepalived is configured to have a non VMAC interface on a
macvlan interface, we want to use the macvlan interface rather
than the underlying interface, whereas if we have a VMAC
interface on a macvlan interface, we create the VMAC on the
underlying interface of the macvlan.
- Update duplicate VRID check where vrrp instance configured on
macvlan. If a VRRP instance is configured on a macvlan
interface, the duplicate VRID check needs to be done on the
underlying interface.
- Check for VRID conflicts when changeable interfaces are added.
For example, a vrrp instance could be configured on a macvlan,
and that macvlan could be deleted and recreated with another
base interface. The VRIDs in this case need to be checked for
duplicates against the base interface, and so the VRID check
needs to be done dynamically. In order to allow VRID conflicts
to produce config errors at startup, by default keepalived
assumes that there won't be interface movements as described
above, and will only handle it if the global_defs option
'dynamic_interfaces' is used along with the option
'allow_if_changes'.
- Remove some comments inserted for tracking changes to code.
- Fix building with --enable-debug configure option.
- Check that '{'s and '}'s are balanced in the configuration
file.
- Allow more flexibility re placing of { and }.
- Improve reporting additional '}'s in configuration.
- Minor improvements re thread handling and cancellation.
- Remove unused THREAD_IF_UP and THREAD_IF_DOWN.
- Replace getpagesize() with sysconf(_SC_PAGESIZE).
- Increase netlink receive buffer for dumps to 16KiB.
- Dynamically set the netlink receive buffer size.
- Sort out setting netlink receive buffer size.
- added patches for changes found during the review of the dbus
code: (boo#1015141)
CVE-2018-19044 for
https://github.com/acassen/keepalived/commit/04f2d32871bb3b11d7dc024039952f2fe2750306.patch
CVE-2018-19045 for
https://github.com/acassen/keepalived/commit/c6247a9ef2c7b33244ab1d3aa5d629ec49f0a067.patch
https://github.com/acassen/keepalived/commit/5241e4d7b177d0b6f073cfc9ed5444bf51ec89d6.patch
- enable dbus support on TW by default (boo#1015141)
- enable json stats dump support

-------------------------------------------------------------------
Thu Sep 13 07:28:25 UTC 2018 - Marcus Rueckert <mrueckert@suse.de>

- use %license

-------------------------------------------------------------------
Thu Sep 13 01:38:32 UTC 2018 - Marcus Rueckert <mrueckert@suse.de>

- update to 2.0.7
see /usr/share/doc/packages/keepalived/ChangeLog
- refreshed keepalive-init.patch:
- reduced patch to minimal changes
- made sure it actually reads our sysconfig file
- refreshed linux-4.15.patch
- enable http regexp support: new BR pcre2-devel
- update rpmlintrc to actually match the error message: glob vs
regexp

-------------------------------------------------------------------
Mon Apr 30 14:41:46 UTC 2018 - crrodriguez@opensuse.org

- Only Require insserv on distributions without systemd.
- Fix systemd related requires/buildRequires
- Do not run scriptlets that use insserv when using systemd

-------------------------------------------------------------------
Thu Feb 22 10:07:17 UTC 2018 - dmueller@suse.com

- add linux-4.15.patch

-------------------------------------------------------------------
Wed Feb 21 14:52:29 UTC 2018 - dmueller@suse.com

- update to 1.4.1:
* Improve and fix use of getopt_long().
We mustn't use a long option val of 1, since getopt_long() can return
that value.
getopt_long() also returns longindex == 0 when there is no matching
long option, and there needs to be careful checking if there is an
error to work out whether a long or short option was used, which is
needed for meaningful error messages.
* Write assert() messages to syslog.
assert()s are nasty things, but at least let's get the benefit of
them, and write the messages to syslog, rather than losing them down
stderr.
* Enable sorry server at startup if quorum down due to alpha mode
If alpha mode is configured on sufficient checkers so that a
virtual server doesn't have a quorum, we need to add the sorry
server at startup, otherwise it won't be added until a quorum has
been achieved and subsequently lost again. In the case where some
of the checkers remain in the down state at startup, this would have
meant that the sorry server never got added.
* For virtual servers, ensure quorum <= number of real servers
If the quorum were higher than the number of real servers, the
quorum for the real server to come up could never be achieved, so
if the quorum is greater than the number of real servers, reduce it
to the number of real servers.
* Fix some SNMP keepalived checker integer types and default values.
Some virtual server and real server values were being sent to SNMP
with a signed type whereas the value is unsigned, so set the type
field correctly.
Some virtual server and real server values that apply to checkers
are set to nonsense default values in order to determine if a
value has been specified. Handle these values when reporting them
to SNMP replying with 0 rather than a nonsense value.
* Fix some MALLOC/FREE issues with notify FIFOs.
* Add instance_name/config_id to alert emails' subjects if configured.
If multiple instances of keepalived are running, either different
instance_names and/or config_ids, it is useful to know which
keepalived instance the email relates to.
* Ensure that email body string isn't unterminated.
Using strncpy() needs to ensure that there is a nul termination byte,
so this commit adds always writing a nul byte to the end of the buffer.
* Remove duplicate fault notification.
* Fix problem with scripts found via PATH with a '/' in parameters.
Recent discussions on issue #101 led to discovering that if an
executable without a fully qualified name was specified as a script
and there was a '/' character in the parameters, then the path
resolution would not work.
* Send SNMP traps when go from backup to fault due to sync group.
Commit 020a9ab added executing notify_fault for vrrp instances
transitioning from backup to fault state due to another instance
in the sync group going to fault state. This commit adds sending
SNMP traps in the same circumstance.
* Revert "Add instance_name/config_id to alert emails' subjects if
configured". This should be handled by setting router_id
* Add config option to send smtp-alerts to file rather than send emails
This is useful for debugging purposes.
* Add additional entry to Travis-CI build matrix.
* Fix segfault if no sorry server configured for a virtual server.

-------------------------------------------------------------------
Mon Jan 22 13:03:55 UTC 2018 - mrueckert@suse.de

- enable json stats and config dump support
new BR: pkgconfig(json-c)
- disable dynamic loading of libipset and link it instead
- enable stacktrace support
- turn on snmp-rfcv2 and snmp-rfcv3 support
- do not reference the keepalived.socket in the rpm scriptlets

-------------------------------------------------------------------
Fri Jan 12 08:53:51 UTC 2018 - lars@linux-schulserver.de

- update to 1.4.0
* Add Linux build and runtime versions to -v output.
* Log kernel version and build kernel version to log at startup.
* Don't sleep for 1 send when exiting vrrp process if no vrrp instances.
* With large configurations the syslog can get flooded and drop output.
This commit adds options to not log to syslog, and also to log all
output to files.
* Add option to only flush log files before forking.
* Don't poll netlink for all interfaces each time add a VMAC.
We can poll for the individual interface details which significantly
reduces what we have to process.
* Print interface details in keepalived.data output.
* Add high performance child finder code.
The code to find the relevant thread to execute after a child process
(either a vrrp track script or a misc_check healthchecker) was doing
a linear search for the matching pid, which if there are a large number
of child processes running could become time consuming.
The code now will enable high performance child finding, based on using
mlists hashed by the pid, if there are 32 or more vrrp track scripts or
misc check healthcheckers. The size of the mlist is based on the number
of scripts, with a limit of 256.
* Improve high performance child termination timeout code.
|
|||
|
* Preserve filename in script path name resolution.
|
|||
|
Some executables change their behaviour depending on the name by
|
|||
|
which they are invoked (e.g. /usr/sbin/pidof when it is a link to
|
|||
|
/usr/sbin/killall5). Using realpath() changes the file name part
|
|||
|
if it is a symbolic link. This commit resolves all symbolic links
|
|||
|
to directories, but leaves the file name part unaltered. It then
|
|||
|
checks the security of both the path to the link and the path to
|
|||
|
the real file.
|
|||
|
* Handle scripts names that are symbolic links properly.
|
|||
|
* Fix some RFC SNMP issues.
|
|||
|
* Fix removing left-over addresses if keepalived aborts.
|
|||
|
* Update openssl use to stop using deprecated functions
|
|||
|
openssl from version 1.1 deprecated certain functions that keepalived
|
|||
|
was using. This commit ceases using those functions if the version
|
|||
|
of openssl is >= 1.1.
|
|||
|
* Allow sync groups with only 1 member, but issue a warning.
|
|||
|
* Add replaceable parameters in configuration files.
|
|||
|
* Add multiline configuration definitions.
|
|||
|
* Fix keepalived.conf(5) man page.
|
|||
|
* Suppress error message when removing leftover addresses at startup.
|
|||
|
=> find more changes at /usr/share/doc/packages/keepalived/
|
|||
|
- rebase keepalive-init.patch
|
|||
|
- use upstream systemd service file instead providing an own one
|
|||
|
=> removed keepalived.service
|
|||
|
- remove executable bit from samples in docdir
|
|||
|
- check that LVS support is enabled
|
|||
|
- optionally enable dump configuration and stats as JSON (via bcond)
|
|||
|
=> BuildRequire libjson-c-devel
|
|||
|
- restrict /etc/keepalived permissions to root
|
|||
|
|
|||
|
-------------------------------------------------------------------
Mon Nov 27 11:26:58 UTC 2017 - jengelh@inai.de

- Do not suppress errors from useradd.
- Ensure neutrality of description.

-------------------------------------------------------------------
Thu Nov 27 09:11:55 UTC 2017 - igarcia@suse.com

- update to 1.3.9:
  Revert using github tarball and use original source again.
  Too many fixes and features to list, refer to
  /usr/share/doc/packages/keepalived/ChangeLog for a detailed list.

-------------------------------------------------------------------
Thu Nov 23 13:38:30 UTC 2017 - rbrown@suse.com

- Replace references to /var/adm/fillup-templates with new
  %_fillupdir macro (boo#1069468)

-------------------------------------------------------------------
Thu Feb 16 12:27:53 UTC 2017 - mrueckert@suse.de

- use tarball from https://github.com/acassen/keepalived/issues/524
  the original tarball did not build. This has the necessary fix
  applied. For the 1.3.4 update see the TODO entry in the preamble.

-------------------------------------------------------------------
Wed Feb 15 11:38:16 UTC 2017 - mrueckert@suse.de

- update to 1.3.3
  Some minor fix, extensions and updates. snapcraft support. Refer
  to /usr/share/doc/packages/keepalived/ChangeLog for more infos.

-------------------------------------------------------------------
Mon Dec 12 14:05:25 UTC 2016 - mrueckert@suse.de

- fix building with libnfnetlink. The additional include path needs
  to be in CPPFLAGS instead of CFLAGS now.
- enabled a few more features:
  - enhanced snmp support (V2/V3 RFC)
  - make sure we build with ipset/libiptc and routes support
  - prepared dbus support: waiting for boo#1015141

-------------------------------------------------------------------
Mon Dec 12 12:59:54 UTC 2016 - mrueckert@suse.de

- update 1.3.2
  - Security focused on notify helpers. Some minor fix and
    extensions.
- changes from 1.3.1
  - Quick script fix for regression brought by last release.
- changes from 1.3.0
  - New MAJOR release with stabilization fixes. Support to DBus.
    Conf extensions. Parser error log. Security extensions to run
    scripts more secure.
- changes from 1.2.24
  - MAJOR release with stabilization fixes and new features like
    support to network namespace.

  Refer to /usr/share/doc/packages/keepalived/ChangeLog
  for more infos.

-------------------------------------------------------------------
Wed Jul 20 09:07:35 UTC 2016 - michael@stroeder.com

- update to 1.2.23
  Some VRRP fixes. Some Healthcheckers fixes.
  Refer to ChangeLog for more infos.

-------------------------------------------------------------------
Fri Jul 8 10:32:22 UTC 2016 - mrueckert@suse.de

- update to 1.2.22
  Some VRRP fixes. Refer to ChangeLog for more infos.
- update to 1.2.21
  Some fixes for last major release 1.2.20. Extensions on vrrp
  framework. Refer to ChangeLog for more infos.
- update to 1.2.20
  BUNCH of extensions, fixes, cleanup & production considerations.
  Distro packages maintainers are strongly encouraged to upgrade.
- new BR libnfnetlink-devel
- we no longer ship the VRRP-MIB

-------------------------------------------------------------------
Thu Feb 11 10:44:31 UTC 2016 - lars@linux-schulserver.de

- enhanced keepalive-init.patch :
  + replace tabs with spaces
  + read /etc/sysconfig/keepalived, if exists and use the settings
    there instead of the default KEEPALIVED_OPTIONS in case the
    user changed them

-------------------------------------------------------------------
Thu Jan 28 12:13:36 UTC 2016 - mrueckert@suse.de

- use package name buildrequires on sle11 to fix building

-------------------------------------------------------------------
Thu Jan 28 11:46:11 UTC 2016 - mrueckert@suse.de

- enable snmp for better monitoring
- enable sha1 support

-------------------------------------------------------------------
Wed Oct 7 11:45:41 UTC 2015 - dimstar@opensuse.org

- Update to version 1.2.19:
  + vrrp: fix checksum computation in vrrp v2 for socket family
    AF_INET.
  + Some cosmetics at Makefile stuff.
- Changes from version 1.2.18:
  + some cosmetics changes (in memory and parser).
  + remove dead/not used code.
  + revert notify script brought by last release.
  + revert VRRP preemption speed up extension.
  + vrrp: fix vrrp removes incorrect IPv4 address when VIPs are
    removed.
  + vrrp: Re-enable VRRPv2 checksum on inbound pkts.
- Changes from version 1.2.17:
  + zalloc use xalloc for consistency.
  + memory: fix wrong size calculation in zfree.
  + Fix keepalived snmp configuration.
  + Change comments to match kernel style.
  + smtp: Fix wrong algorithm in RCPT-TO building.
  + Lots of vrrp fixes.
- Changes from version 1.2.16:
  + Properly close netlink channel to avoid fd leak.
  + Use getaddrinfo instead of gethostbyname to workaround glibc
    gethostbyname function buffer overflow (boo#949238).
  + Lots of ipvs fixes.

-------------------------------------------------------------------
Wed Oct 7 10:31:50 UTC 2015 - mrueckert@suse.de

- no longer install the init script on systemd systems

-------------------------------------------------------------------
Wed Mar 11 13:21:29 UTC 2015 - dimstar@opensuse.org

- Update to version 1.2.15:
  + Bugfixes.
- Changes from version 1.2.14:
  + VRRP bugfixes and extensions. IPVS bugfixes and code
    cleanup.
- Changes from version 1.2.13:
  + VRRP fixes and extensions. Extend and unify checker
    framework.

-------------------------------------------------------------------
Mon Feb 2 01:32:37 UTC 2015 - crrodriguez@opensuse.org

- Build with -DOPENSSL_NO_SSL_INTERN, if package starts accessing
  the SSL library internals it must fail to build now, in upcoming
  openSSL versions structures are opaque.
- BuildRequire libnl3
- Do not strip binaries, fix -debuginfo packages.

-------------------------------------------------------------------
Sun Nov 09 05:21:00 UTC 2014 - Led <ledest@gmail.com>

- fix bashisms in pre script

-------------------------------------------------------------------
Thu Jul 31 14:28:08 UTC 2014 - dimstar@opensuse.org

- Rename rpmlintrc to %{name}-rpmlintrc.
  Follow the packaging guidelines.

-------------------------------------------------------------------
Tue Feb 11 08:12:55 UTC 2014 - boris@steki.net

- updated to latest upstream version 1.2.12
  + Fix reallocation issue introduced in last merge.
  + Fix some minor memory leaks.
  + Better libnl support and selection.
  + VRRP unicast TTL fix.
  + Support to newer libnl.
  + More IPv6 support.
  + Fix/extend VRRP gratuitous ARP handling.
  + Support xmit VRRP packets from base VMAC interface.
  + VRRP multicast group tweaking.
  + Fixed VRRP socket sync while leaving FAULT state.
  + Code cleanup and cosmetics.

-------------------------------------------------------------------
Tue Jan 7 10:55:42 UTC 2014 - speilicke@suse.com

- Add cyrus-sasl for old distros

-------------------------------------------------------------------
Tue Nov 19 14:01:47 UTC 2013 - speilicke@suse.com

- Update to version 1.2.9:
  + Extended VRRP code for faster sync and transition.
  + Fixed VRRP unicast code to support routed packet.
  + Fixed VRRP checksum computation.
  + Extended VRRP code tweaking IPv6 VIP install by disabling DAD algo and setting deprecated flag.
  + Fixed some issues in checker framework while processing hysteresis.
  + Extended checker framework to support use of status_code and digest at a time.
- Changes from version 1.2.8:
  + Add support for VRRP unicast.
  + Add support for VRRP IPv6 routes.
  + Add support to LVS One-Packet Scheduling.
  + Add CLI core framework.
  + Misc bugfixes, typo and cosmetics.
- Drop keepalived_man_fix.patch: merged upstream

-------------------------------------------------------------------
Tue Nov 20 16:11:59 UTC 2012 - mrueckert@suse.de

- initial package of 1.2.7