From 8b0ed32b30fb1fe385cf69eadbd2f60d8ca560511660ab6f3ff683d0e7acfa23 Mon Sep 17 00:00:00 2001 From: Lars Vogdt Date: Mon, 12 Nov 2018 10:09:35 +0000 Subject: [PATCH 1/2] Accepting request 648192 from home:darix:playground - update to 2.0.9 OBS-URL: https://build.opensuse.org/request/show/648192 OBS-URL: https://build.opensuse.org/package/show/network/keepalived?expand=0&rev=47 --- ...8f9265ffb5927c4d54c9a30726c76e65bb52.patch | 217 +++++++ keepalive-init.patch | 155 +---- keepalive-rpmlintrc | 2 +- keepalived-1.4.1.tar.gz | 3 - keepalived-2.0.9.tar.gz | 3 + keepalived.changes | 588 ++++++++++++++++++ keepalived.spec | 26 +- linux-4.15.patch | 42 +- 8 files changed, 874 insertions(+), 162 deletions(-) create mode 100644 b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch delete mode 100644 keepalived-1.4.1.tar.gz create mode 100644 keepalived-2.0.9.tar.gz diff --git a/b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch b/b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch new file mode 100644 index 0000000..b0c78e6 --- /dev/null +++ b/b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch 
@@ -0,0 +1,217 @@
+From b7a98f9265ffb5927c4d54c9a30726c76e65bb52 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage
+Date: Sat, 10 Nov 2018 19:03:47 +0000
+Subject: [PATCH] Update to support libipset version 7
+
+Issue #1058 reported that keepalived failed to build with libipset
+version 7. This commit updates keepalived to detect if the version
+of the keepalived libraries is pre v7 or not, and compiles
+appropriately.
+
+Signed-off-by: Quentin Armitage
+---
+ configure.ac | 21 ++++++++++++
+ keepalived/include/vrrp_ipset.h | 2 +-
+ keepalived/vrrp/vrrp_ipset.c | 58 ++++++++++++++++++++++++++++++---
+ keepalived/vrrp/vrrp_iptables.c | 2 +-
+ 4 files changed, 76 insertions(+), 7 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index ecec32a2..708b04fe 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1212,6 +1212,27 @@ if test .${enable_libiptc} != .no -a .$enable_vrrp != .no; then
+ [AC_DEFINE([LIBIPSET_H_ADD_IP_SET_H_GUARD], [1], [Define to add guard _IP_SET_H before including ])])
+ ])
+ fi
++
++ if test $USE_LIBIPSET = Yes; then
++ AC_MSG_CHECKING([for libipset version 7 or later])
++ AC_COMPILE_IFELSE([AC_LANG_SOURCE(
++ [[
++ #include
++
++ void test_func(void)
++ {
++ ipset_session_init(NULL, NULL);
++ }
++ ]])],
++ [
++ AC_MSG_RESULT([yes])
++ ],
++ [
++ AC_MSG_RESULT([no])
++ AC_DEFINE([LIBIPSET_PRE_V7_COMPAT], [ 1 ], [Define to 1 if libipset library version prior to v7])
++ add_system_opt[LIBIPSET_PRE_V7]
++ ])
++ fi
+ ])
+ LIBS="$SAV_LIBS"
+ fi
+diff --git a/keepalived/include/vrrp_ipset.h b/keepalived/include/vrrp_ipset.h
+index 5a1a9562..5d83b21a 100644
+--- a/keepalived/include/vrrp_ipset.h
++++ b/keepalived/include/vrrp_ipset.h
+@@ -29,7 +29,7 @@
+ bool add_ipsets(bool);
+ bool remove_ipsets(void);
+ bool has_ipset_setname(void*, const char *);
+-bool ipset_init(void);
++bool ipset_initialise(void);
+ void* ipset_session_start(void);
+ void ipset_session_end(void*);
+ void ipset_entry(void*, int cmd, const ip_address_t*);
+diff --git a/keepalived/vrrp/vrrp_ipset.c b/keepalived/vrrp/vrrp_ipset.c
+index 4b3ab7cd..dbe248eb 100644
+--- a/keepalived/vrrp/vrrp_ipset.c
++++ b/keepalived/vrrp/vrrp_ipset.c
+@@ -43,6 +43,9 @@
+ #endif
+ #include
+ #include
++#ifndef LIBIPSET_PRE_V7_COMPAT
++#include
++#endif
+ #include
+ #include /* For __beXX types in userland */
+ #include /* For nf_inet_addr */
+@@ -60,11 +63,18 @@
+ #include
+
+ /* The addresses of the functions we want */
++#ifdef LIBIPSET_PRE_V7_COMPAT
+ struct ipset_session* (*ipset_session_init_addr)(ipset_outfn outfn);
++#else
++struct ipset_session* (*ipset_session_init_addr)(ipset_print_outfn outfn, void *p);
++#endif
+ int (*ipset_session_fini_addr)(struct ipset_session *session);
+ struct ipset_data* (*ipset_session_data_addr)(const struct ipset_session *session);
+-const char* (*ipset_session_error_addr)(const struct ipset_session *session);
++#ifdef LIBIPSET_PRE_V7_COMPAT
+ int (*ipset_envopt_parse_addr)(struct ipset_session *session, int env, const char *str);
++#else
++void (*ipset_envopt_set_addr)(struct ipset_session *session, int env);
++#endif
+ const struct ipset_type* (*ipset_type_get_addr)(struct ipset_session *session, enum ipset_cmd cmd);
+ int (*ipset_data_set_addr)(struct ipset_data *data, enum ipset_opt opt, const void *value);
+ int (*ipset_cmd_addr)(struct ipset_session *session, enum ipset_cmd cmd, uint32_t lineno);
+@@ -74,8 +84,11 @@ void (*ipset_load_types_addr)(void);
+ #define ipset_session_init (*ipset_session_init_addr)
+ #define ipset_session_fini (*ipset_session_fini_addr)
+ #define ipset_session_data (*ipset_session_data_addr)
+-#define ipset_session_error (*ipset_session_error_addr)
++#ifdef LIBIPSET_PRE_V7_COMPAT
+ #define ipset_envopt_parse (*ipset_envopt_parse_addr)
++#else
++#define ipset_envopt_set (*ipset_envopt_set_addr)
++#endif
+ #define ipset_type_get (*ipset_type_get_addr)
+ #define ipset_data_set (*ipset_data_set_addr)
+ /* Unfortunately ipset_cmd conflicts with struct ipset_cmd */
+@@ -87,6 +100,22 @@ static void* libipset_handle;
+ #define ipset_cmd1 ipset_cmd
+ #endif
+
++#ifndef LIBIPSET_PRE_V7_COMPAT
++static int
++ipset_printf(__attribute ((__unused__)) struct ipset_session *session, void *p, const char *fmt, ...)
++{
++ va_list args;
++
++ log_message(LOG_INFO, "libipset message from %s", (const char *)p);
++
++ va_start(args, fmt);
++ vlog_message(LOG_INFO, fmt, args);
++ va_end(args);
++
++ return 0;
++}
++#endif
++
+ static bool
+ do_ipset_cmd(struct ipset_session* session, enum ipset_cmd cmd, const char *setname,
+ const ip_address_t *addr, uint32_t timeout, const char* iface)
+@@ -162,7 +191,11 @@ static bool create_sets(const char* addr4, const char* addr6, const char* addr_i
+ {
+ struct ipset_session *session;
+
++#ifdef LIBIPSET_PRE_V7_COMPAT
+ session = ipset_session_init(printf);
++#else
++ session = ipset_session_init(ipset_printf, "create_sets");
++#endif
+ if (!session) {
+ log_message(LOG_INFO, "Cannot initialize ipset session.");
+ return false;
+@@ -171,7 +204,11 @@ static bool create_sets(const char* addr4, const char* addr6, const char* addr_i
+ /* If we aren't reloading, don't worry if sets already exists. With the
+ * IPSET_ENV_EXIST option set, any existing entries in the set are removed. */
+ if (!reload)
++#ifdef LIBIPSET_PRE_V7_COMPAT
+ ipset_envopt_parse(session, IPSET_ENV_EXIST, NULL);
++#else
++ ipset_envopt_set(session, IPSET_ENV_EXIST);
++#endif
+
+ if (block_ipv4) {
+ if (!reload || !has_ipset_setname(session, addr4))
+@@ -220,7 +257,7 @@ bool set_match_loaded(void)
+ return found;
+ }
+
+-bool ipset_init(void)
++bool ipset_initialise(void)
+ {
+ #ifdef _LIBIPSET_DYNAMIC_
+ if (libipset_handle)
+@@ -252,8 +289,11 @@ bool ipset_init(void)
+ if (!(ipset_session_init_addr = dlsym(libipset_handle, "ipset_session_init")) ||
+ !(ipset_session_fini_addr = dlsym(libipset_handle, "ipset_session_fini")) ||
+ !(ipset_session_data_addr = dlsym(libipset_handle,"ipset_session_data")) ||
+- !(ipset_session_error_addr = dlsym(libipset_handle,"ipset_session_error")) ||
++#ifdef LIBIPSET_PRE_V7_COMPAT
+ !(ipset_envopt_parse_addr = dlsym(libipset_handle,"ipset_envopt_parse")) ||
++#else
++ !(ipset_envopt_set_addr = dlsym(libipset_handle,"ipset_envopt_set")) ||
++#endif
+ !(ipset_type_get_addr = dlsym(libipset_handle,"ipset_type_get")) ||
+ !(ipset_data_set_addr = dlsym(libipset_handle,"ipset_data_set")) ||
+ !(ipset_cmd_addr = dlsym(libipset_handle,"ipset_cmd")) ||
+@@ -285,7 +325,11 @@ bool remove_ipsets(void)
+ return true;
+ #endif
+
++#ifdef LIBIPSET_PRE_V7_COMPAT
+ session = ipset_session_init(printf);
++#else
++ session = ipset_session_init(ipset_printf, "remove_ipsets");
++#endif
+ if (!session) {
+ log_message(LOG_INFO, "Cannot initialize ipset session.");
+ return false;
+@@ -311,7 +355,11 @@ bool add_ipsets(bool reload)
+
+ void* ipset_session_start(void)
+ {
+- return ipset_session_init(NULL);
++#ifdef LIBIPSET_PRE_V7_COMPAT
++ return ipset_session_init(printf);
++#else
++ return ipset_session_init(ipset_printf, "session_start");
++#endif
+ }
+
+ void ipset_session_end(void* vsession)
+diff --git a/keepalived/vrrp/vrrp_iptables.c b/keepalived/vrrp/vrrp_iptables.c
+index 874b0d0b..9b05ca66 100644
+--- a/keepalived/vrrp/vrrp_iptables.c
++++ 
b/keepalived/vrrp/vrrp_iptables.c +@@ -468,7 +468,7 @@ iptables_init_lib(void) + #endif + + #ifdef _HAVE_LIBIPSET_ +- if (global_data->using_ipsets && !ipset_init()) ++ if (global_data->using_ipsets && !ipset_initialise()) + global_data->using_ipsets = false; + #endif + diff --git a/keepalive-init.patch b/keepalive-init.patch index 76f630e..9237e1a 100644 --- a/keepalive-init.patch +++ b/keepalive-init.patch @@ -1,8 +1,8 @@ -Index: keepalived-1.4.0/keepalived/etc/init.d/keepalived.suse.init.in +Index: keepalived-2.0.7/keepalived/etc/init.d/keepalived.suse.init.in =================================================================== ---- keepalived-1.4.0.orig/keepalived/etc/init.d/keepalived.suse.init.in -+++ keepalived-1.4.0/keepalived/etc/init.d/keepalived.suse.init.in -@@ -1,23 +1,23 @@ +--- keepalived-2.0.7.orig/keepalived/etc/init.d/keepalived.suse.init.in ++++ keepalived-2.0.7/keepalived/etc/init.d/keepalived.suse.init.in +@@ -1,23 +1,24 @@ #! /bin/sh ### BEGIN INIT INFO @@ -31,6 +31,7 @@ Index: keepalived-1.4.0/keepalived/etc/init.d/keepalived.suse.init.in +DAEMON_BIN='@sbindir@/keepalived' +DAEMON_CONF='@sysconfdir@/keepalived/keepalived.conf' +DAEMON_PIDFILE='@localstatedir@/run/keepalived.pid' ++DAEMON_SYSCONF='/etc/sysconfig/keepalived' +DAEMON_OPT='-d' #DAEMON_USER="root" -SUPPORTS_HUP="yes" @@ -38,7 +39,7 @@ Index: keepalived-1.4.0/keepalived/etc/init.d/keepalived.suse.init.in # PidFile @localstatedir@/run/keepalived.pid # DatabaseOwner root -@@ -25,6 +25,18 @@ pid_par=${DAEMON_PIDFILE:+"-p $DAEMON_PI +@@ -25,6 +26,18 @@ pid_par=${DAEMON_PIDFILE:+"-p $DAEMON_PI usr_par=${DAEMON_USER:+"-u $DAEMON_USER"} test -x $DAEMON_BIN || exit 5 
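Review bot: In the added b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch, the `ipset_session_start` hunk of keepalived/vrrp/vrrp_ipset.c changes the pre-v7 branch from `ipset_session_init(NULL)` to `ipset_session_init(printf)`, and `create_sets` and `remove_ipsets` keep `printf` on that branch as well, so a build with `LIBIPSET_PRE_V7_COMPAT` sends libipset's messages to stdout while only the v7 branch routes them through `ipset_printf` into the log. If the process runs detached from a terminal, errors raised while creating or removing the firewall sets would probably never reach the log on the older library. A pre-v7 callback with the `ipset_outfn` shape (printf-compatible, as the existing calls show) would make both builds log the same way, with the three pre-v7 call sites passing it instead of `printf`. The sketch below assumes the variadic-argument header is included on both branches; the patch adds an include only under `#ifndef LIBIPSET_PRE_V7_COMPAT`, and its name is not visible on this page. The inner hunks show only parts of these functions.

```c
#ifdef LIBIPSET_PRE_V7_COMPAT
/* Pre-v7 output callback: send libipset messages to the keepalived log
 * instead of stdout, matching what the v7 callback does. */
static int
ipset_printf(const char *fmt, ...)
{
	va_list args;

	va_start(args, fmt);
	vlog_message(LOG_INFO, fmt, args);
	va_end(args);

	return 0;
}
#endif
/* … unchanged: the v7 ipset_printf under #ifndef LIBIPSET_PRE_V7_COMPAT … */
```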
@@ -57,140 +58,14 @@ Index: keepalived-1.4.0/keepalived/etc/init.d/keepalived.suse.init.in # Shell functions sourced from /etc/rc.status: # rc_check check and set local and overall rc status -@@ -60,71 +72,70 @@ rc_reset - test -e $DAEMON_PIDFILE && ! test -s $DAEMON_PIDFILE && rm $DAEMON_PIDFILE - - case "$1" in -- start) -- echo -n "Starting $DAEMON " -- if test ! -f ${DAEMON_CONF}; then -- echo -n >&2 "Configuration file, ${DAEMON_CONF} does not exist. " -- rc_status -s -- exit 6 -- fi -- checkproc $pid_par ${DAEMON_BIN} -- case $? in -- 0) echo -n "- Warning: daemon already running. " ;; -- 1) echo -n "- Warning: ${DAEMON_PIDFILE} exists. " ;; -- esac +@@ -72,8 +85,8 @@ case "$1" in + 0) echo -n "- Warning: daemon already running. " ;; + 1) echo -n "- Warning: ${DAEMON_PIDFILE} exists. " ;; + esac -# echo "startproc $usr_par $pid_par ${DAEMON_BIN} ${DAEMON_OPT}" - startproc $usr_par $pid_par ${DAEMON_BIN} ${DAEMON_OPT} -- rc_status -v -- ;; -- stop) -- echo -n "Shutting down $DAEMON " -- checkproc $pid_par ${DAEMON_BIN} || \ -- echo -n " Warning: daemon not running. " -- killproc $pid_par -t 10 ${DAEMON_BIN} -- rc_status -v -- ;; -- try-restart|condrestart) -- if test "$1" = "condrestart"; then -- echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}" -- fi -- $0 status -- if test $? = 0; then -- $0 restart -- else -- rc_reset -- fi -- rc_status -- ;; -- restart) -- $0 stop -- $0 start -- rc_status -- ;; -- force-reload|reload) -- if test "$SUPPORTS_HUP" = "yes"; then -- echo -n "Reload service $DAEMON " -- checkproc $pid_par ${DAEMON_BIN} && \ -- touch ${DAEMON_PIDFILE} || \ -- echo -n >&2 " Warning: daemon not running. 
" -- killproc $pid_par -HUP ${DAEMON_BIN} -- rc_status -v -- else -- $0 stop && sleep 3 && $0 start -- rc_status -- fi -- ;; -- status) -- echo -n "Checking for $DAEMON " -- checkproc $pid_par ${DAEMON_BIN} -- rc_status -v -- ;; -- probe) -- test ${DAEMON_CONF} -nt ${DAEMON_PIDFILE} && echo reload -- ;; -- *) -- echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" -- exit 1 -- ;; -+ start) -+ echo -n "Starting $DAEMON " -+ if test ! -f ${DAEMON_CONF}; then -+ echo -n >&2 "Configuration file, ${DAEMON_CONF} does not exist. " -+ rc_status -s -+ exit 6 -+ fi -+ checkproc $pid_par ${DAEMON_BIN} -+ case $? in -+ 0) echo -n "- Warning: daemon already running. " ;; -+ 1) echo -n "- Warning: ${DAEMON_PIDFILE} exists. " ;; -+ esac -+# echo "startproc $usr_par $pid_par ${DAEMON_BIN} ${KEEPALIVED_OPTIONS}" -+ startproc $usr_par $pid_par ${DAEMON_BIN} ${KEEPALIVED_OPTIONS} -+ rc_status -v -+ ;; -+ stop) -+ echo -n "Shutting down $DAEMON " -+ checkproc $pid_par ${DAEMON_BIN} || \ -+ echo -n " Warning: daemon not running. " -+ killproc $pid_par -t 10 ${DAEMON_BIN} -+ rc_status -v -+ ;; -+ try-restart|condrestart) -+ if test "$1" = "condrestart"; then -+ echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}" -+ fi -+ $0 status -+ if test $? = 0; then -+ $0 restart -+ else -+ rc_reset -+ fi -+ rc_status -+ ;; -+ restart) -+ $0 stop -+ $0 start -+ rc_status -+ ;; -+ force-reload|reload) -+ if test "$SUPPORTS_HUP" = "yes"; then -+ echo -n "Reload service $DAEMON " -+ checkproc $pid_par ${DAEMON_BIN} && \ -+ touch ${DAEMON_PIDFILE} || \ -+ echo -n >&2 " Warning: daemon not running. 
" -+ killproc $pid_par -HUP ${DAEMON_BIN} -+ rc_status -v -+ else -+ $0 stop && sleep 3 && $0 start -+ rc_status -+ fi -+ ;; -+ status) -+ echo -n "Checking for $DAEMON " -+ checkproc $pid_par ${DAEMON_BIN} -+ rc_status -v -+ ;; -+ probe) -+ test ${DAEMON_CONF} -nt ${DAEMON_PIDFILE} && echo reload -+ ;; -+ *) -+ echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" -+ exit 1 -+ ;; - esac - rc_exit -- ++# echo "startproc $usr_par $pid_par ${DAEMON_BIN} ${DAEMON_OPT} ${KEEPALIVED_OPTIONS}" ++ startproc $usr_par $pid_par ${DAEMON_BIN} ${DAEMON_OPT} ${KEEPALIVED_OPTIONS} + rc_status -v + ;; + stop) diff --git a/keepalive-rpmlintrc b/keepalive-rpmlintrc index 7a793d1..d9736ab 100644 --- a/keepalive-rpmlintrc +++ b/keepalive-rpmlintrc @@ -1,2 +1,2 @@ # Those PEM files are only examples: -addFilter("pem-certificate /usr/share/doc/packages/keepalived/samples/*.pem") +addFilter("pem-certificate /usr/share/doc/packages/keepalived/samples/.*.pem") diff --git a/keepalived-1.4.1.tar.gz b/keepalived-1.4.1.tar.gz deleted file mode 100644 index 7bde96d..0000000 --- a/keepalived-1.4.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:220407517ccad822d1ffa80f7bc37582abaf97da6f7bda2326fa6904b1855bd0 -size 735190 diff --git a/keepalived-2.0.9.tar.gz b/keepalived-2.0.9.tar.gz new file mode 100644 index 0000000..b5a670e --- /dev/null +++ b/keepalived-2.0.9.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3930b2e43bc8e7109ddb17d32f88cdd58071f2a9a41efa55852ca9ee26cd52c5 +size 924455 diff --git a/keepalived.changes b/keepalived.changes index 34d9b5b..21af91f 100644 --- a/keepalived.changes +++ b/keepalived.changes 
@@ -1,3 +1,591 @@ +------------------------------------------------------------------- +Sat Nov 10 21:01:14 UTC 2018 - Marcus Rueckert + +- added b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch to fix + building with libipset >= 7 + +------------------------------------------------------------------- +Fri Nov 9 16:07:40 UTC 2018 - Marcus Rueckert + +- update to 2.0.9 + - Fix updating a timer thread's timeout. Issue #1042 identified + that the BFD process could segfault. This was tracked down to a + timer thread which had already expired having its timeout + updated by timer_thread_update_timeout(). The sands timer + should only be updated if the thread is on a waiting queue, and + not if it has already timed out or it is unused. + - Don't requeue read thread if it is not waiting. This update + matches commit 09a2a37 - Fix updating a timer thread's timeout + should. + - Allow BFD instance to recover after send error. If sendto + failed in bfd_send_packet(), the bfd instance was put into + admin down state, but there was no means for the bfd instance + to transition out of admin down state. This commit makes + keepalived log the first instance of a sequence of failures to + send a bfd packet, but does not bring the bfd instance down in + case the error is a transient error. If the error is longer + lasting, the remote system will timeout, transition to down + state, and send a message saying it is down. Once the bfd + instance can start sending again the bfd instance can now + transition again to up state. + - Make DGB definition use log_message() rather than syslog(). + - Fix building with --enable-debug configure option. + - Start list of required kernel features in INSTALL file. Issue + #1024 asked what kernel features are needed to support + keepalived. The simple answer was that it isn't recorded + anywhere, so this is a start of making a list of the features + required. + - Make list_remove() call list free function and add + list_transfer(). 
If an element is being removed from a list, + the free function should be called. list_transfer() allows a + list element to be moved from one list to another without + freeing and reallocating the list element control information. + - Add mem_check diagnostics re calling functions of list + functions. When using mem_check, mallocs and frees were + recorded against the list functions, and the originating + functions weren't identified. This patch adds recording of the + functions calling the list functions so that the originating + function is identified. + - Simplify the processing of comments in configuration files. + This commit moves the handling (and removal) of comments to a + single function (called from read_line()) which simplifies the + processing of config files. + - Add ~SEQ(start, step, end) config functionality Where a + configuration has repeated blocks of configuration where the + only thing that changes is a numeric value (e.g. for VRIDs from + 1 to 255) this allows the block to be defined once, and a + single line using ~SEQ can then generate all the blocks. + - Use REALLOC when building a multiline definition. The code + used to use MALLOC, strcpy() and FREE, but REALLOC can do all + this for us. + - Improve mem-check diagnostics. When using an allocation list + of over 50,000 entries, it was quite slow searching thtough all + the entries to find the matching memory allocation, and to find + free entries. This commit changes to using malloc() to create + entries, and a red-black tree to hold the entries. It also has + a separate list of free entries. This commit also adds 4 more + types of memory allocation error, and improves the consistency + of the entries in the log files. + - Don't attempt to delete VMAC when underlying interface is + deleted. If the underlying interface of one of our vmacs is + deleted, and we know the vmac has been deleted, don't attempt + to delete it again. 
+ - Include master state in determining if vmacs are up or down + Netlink doesn't send messages for a state change of a macvlan + when the master device changes state, so we have to track that + for ourselves. + - Turn off parser debugging. + - Make test/mk_if create iptables chains. + - Handle interfaces not existing when keepalived terminates. If + the underlying interface of a vmac we created has been deleted, + the vmac will not exist so don't attempt to delete it again. + Also, don't attempt to reset the configuration of the + underlying interface. + - Handle the underlying interface of a macvlan interface going + up/down. The kernel doesn't send netlink messages for macvlans + going up or down when the underlying interface transitions (it + doesn't even update their status to say they are up/down), but + the interfaces don't work. We need to track the state of the + underlying interfaces and propagate that to the macvlan + interfaces. + - Fix duplicate value in track_t enum. + - Fix check for matching track types. + - Treat macvtap interfaces in the same way as macvlan interfaces. + - Improve handling of interfaces not existing when keepalived + starts. + - Fix handling interface deletion and creation of vmacs on + macvlan i/fs. + - When interface created, open sockets on it if used by VRRP + directly If an interface is created that has vrrp instances + configured on it that don't use VMACs, or use vmac_xmit_base, + then the raw sockets must be opened. + - Force seeing a transition to up state when an interface is + created. + - Fix netlink remnant data error. + - Add command line and configuration option to set umask. Issue + #1048 identified that files created by keepalived are created + with mode 0666. This commit changes the default to 0644, and + also allows the umask to be specified in the configuration or + as a command line option. + - Fix compile warning introduced in commit c6247a9. 
Commit + c6247a9 - "Add command line and configuration option to set + umask" introduced a compile warning, although the code would + have worked OK. + - When opening files for write, ensure they aren't symbolic + links. Issue #1048 identified that if, for example, a non + privileged user created a symbolic link from + /etc/keepalvied.data to /etc/passwd, writing to + /etc/keepalived.data (which could be invoked via DBus) would + cause /etc/passwd to be overwritten. This commit stops + keepalived writing to pathnames where the ultimate component is + a symbolic link, by setting O_NOFOLLOW whenever opening a file + for writing. This might break some setups, where, for example, + /etc/keepalived.data was a symbolic link to + /home/fred/keepalived.data. If this was the case, instead + create a symbolic link from /home/fred/keepalived.data to + /tmp/keepalived.data, so that the file is still accessible + via /home/fred/keepalived.data. There doesn't appear to be a + way around this backward incompatibility, since even checking + if the pathname is a symbolic link prior to opening for + writing would create a race condition. + - Make netlink error messages more meaningful. + - Fix compiling without support for macvlans. + - fix uninitialized structure. The linkinfo and linkattr + structures were not initialized, so we should not expect that + unexistant attributes are set to NULL. Add the missing + memset(). + - fix socket allocation with dynamic interfaces. When there are + several vrrp instance binding different interfaces that don't + exist at startup, their ifindex is set to 0 in the sock. The + function already_exist_sock() that lookup for an existing + socket will always return the first sock because the ifindex is + the same. Later, when an interface appears, the fd will be + created for one instance, and all instances will wrongly use + this fd to send the advertisments. 
Fix this by using the + interface structure pointer instead of the ifindex as the key + for sock lookup. The problem was identified by Olivier Matz + who also provided a patch fixing the problem. This patch is a + slight rework of Olivier's patch, better using the existing + data structures that keepalived already holds. + - When creating a macvlan interface, use AF_UNSPEC rather than + AF_INET. + - Stop using libnl for configuring interfaces. Since there is + code to configure the interfaces using netlink without using + libnl, there is no point in having code to do it using libnl. + - Fix building on Centos 6.5. + - Stop including some files not needed after libnl removal for + i/fs. + - Fix some compilation issues when building without vrrp support. + - Stop using linbl for mcast group membership and setting rx buf + sizes. Since there is code to handle multicast group + membership and setting kernel netlink receive buffer sizes + without using libnl, there is no point in having code to do it + using libnl. This now means that the vrrp functionality no + longer uses libnl. + - Add some sanity checking of configure options. Certain invalid + combinations of configure options could cause compile errors, + e.g. --disable-vrrp --enable-vrrp-fd-debug. This commit ensures + that invalid combinations aren't allowed, in order to stop the + compile errors. + - Fix invalid configuration combination caught by previous + commit. + - Use netlink to set/clear rp_filter on interfaces. + - Fix configure for building without vrrp. + - Actually update the .travis.yml file to fix the problem. + - Fix conditional compilation re epoll-thread-dump debugging. + - Update INSTALL file now no longer use libnl-route-3. + - Stop cast to incompatible function type warnings from gcc 8.1. + - Update snapcraft.yaml not to include libnl-route-3. + - keepalived exit with non-zero exit code if config file not + readable. + - Allow specifying default config file at configure time. 
+ - Use keepalived define for exit code when malloc failure. + - Fix configuring fixed interface type. + - Add configuring keepalived default configuration file. + - Fix return value in get_time_rtt() error path. + - Update generation of git-commit.h. + - snapcraft.yaml: Enable all sensible build options. Preserve + build time version in the snap version. Expose genhash. + - snapcraft.yaml: Build keepalived with Linux 3.13 headers. + - snap: Add an install hook to make sure a keepalived + configuration exists. + - snap: Move the hooks to the correct location. + - snap: Make sure /etc/keepalived exists. + - Fix building with IP_MULTICAST_ALL in linux/in.h but not + netinet/in.h Issue #1054 identified that configure was checking + the definition of IP_MULTICAST_ALL in linux/in.h but including + netinet/in.h, which also has the definition, but only from + glibc 2.17. This commit creates a local definition (in + lib/config.h) of IP_MULTICAST_ALL if it is defined in + linux/in.h but not in netinet/in.h. The reason for this is that + compiles using linux/in.h fail due to conflicting definitions. + - Fix creating iptables tables in mk_if. + - Update .travis.yml to use xenial. + - Update .travis.yml to add --enable-regex option. + - Tidy up .travis.yml file. + - snap: Build multiple keepalived binaries. + - Updated snapcraft builds to support multiple kernel versions. +- drop patches: + - 5241e4d7b177d0b6f073cfc9ed5444bf51ec89d6.patch + - c6247a9ef2c7b33244ab1d3aa5d629ec49f0a067.patch + - 04f2d32871bb3b11d7dc024039952f2fe2750306.patch +- refreshed patch: linux-4.15.patch + +------------------------------------------------------------------- +Thu Nov 8 12:44:47 UTC 2018 - Marcus Rueckert + +- update to 2.0.8 + - Improve identifing interface as macvlan when reading interface + details + - Enslave a VMAC to the VRF master of the underlying interface. + - Use addattr32 rather than addattr_l for if_index. + - Only include VRF support if kernel headers support it. 
+ - Fix --enable-timer-debug configure option. + - Fix some configure.ac enable option tests. + - Include stdbool.h in process.c. + - Fix diagnostic message re ignoring weight of tracked interface. + - Fix track_bfds with weights. + - Correct conditional compilation definition name. + - Fix memory leak in HTTP_GET/SSL_GET. + - Fix two memory leaks in DNS_CHECK. + - Don't consider retries for BFD_CHECK. The BFD_CHECKer doesn't + support retries, and the check was causing the checker not to + transition to down state. + - Fix memory leak with BFD_CHECK. + - Restart global notify FIFO handler after reload. + - modify @WITH_REGEX@ to @WITH_REGEX_TRUE@ + - Fix compiling without BFD support. + - Stop bfd process sending double the number of packets. If a + bfd process received an initial bfd packet, it scheduled a + second bfd_sender_thread thereby causing two packets to be sent + in every interval. + - Use timerfd for select timeouts rather than select timeout + parameter This is a precursor to moving to using epoll. + - Use epoll rather than select. epoll is both more efficient + than select and also doesn't have a file descriptor limit of + 1024, which limited the number of vrrp instances that could be + managed. This commit also introduces read-black trees and the + list_head list type. + - Add --enable-timer-check option for logging calls for getting + time Calls to update the current time from the kernel are made + too frequently, and this patch logs when the calls are made, + and how long since the previous call, so unnecessary calls can + be removed. + - Add debug option for monitoring epoll queues. This is enabled + by --enable-epoll-debug and replaces --enable-timer-debug. + - Use system monotonic clock to generate a monotonic clock. + Rather than have our own code for creating a monotonic clock, + use the kernel's monotonic clock. + - Make some functions in timer.c inline. The functions had one + line of code so inlining them is more efficient. 
+ - Fix requeueing read and write threads after read/write + timeouts. + - Fix initial allocating and final freeing of thread_master + epoll_events. + - When cleaning up threads, also clean up their thread_events. + - Add thread_close_fd() function to release thread_event_t on + close When a file descriptor that has been monitored by epoll + is closed the thread_event_t structure used for managing epoll + for that fd has to be release. Therefore calls to close() and + replace by calls to thread_close_fd(). + - Make parent process write log entry when it is reloading. + - Move checking for thread timeouts to timerfd_handler There is + no point in checking for thread timeouts if the timerfd isn't + readable; in other words only check for thread timeouts if the + timer has expired. + - Make bfd reschuling timer threads more efficient. + - Streamline DNS_CHECK code. + - Fix buffer overrun with track file path names. + - Add timestamp when writing mem_check entries to file. + - Ensure thread_event_t released for ready threads at + termination. + - Increase open file limit if large number of VRRP instances. + Each VRRP instance can use up to 2 file descriptors, and so if + there are more than 500 ish VRRP instances the number of open + files can exceed the default per process limit (1024 on my + system). The commit allows 2 file descriptors per vrrp + instance plus a few more, and if the RLIMIT_NOFILE value + returned by getrlimit isn't high enough, keepalived will + increase the limit. + - Ensure that child processes run with standard + priorities/limits. When child processes such as notify + scripts, track_scripts and MISC_CHECK scripts are run, they + should not inherit any elevated priorities, system limits etc + from the parent keepalived process. + - Change multiple spaces to tabs in scheduler.h. + - Add family to sockpool listing. + - Fix a multiline definition expansion issue. + - Free allocated cache when closing/freeing netlink socket. 
When + running on a system with 500+ interfaces configured and adding + 1000 VMAC interfaces, the heap was growing by 340Mb due the + netlink cahce not being freed after creating each VMAC + interface. With this patch the heap only grow by 3.7Mb (if + creating 1000 VMAC interfaces the heap grep by 905Mb now + reduced to 6.1Mb). + - Stop using netlink cache when adding and configuring VMAC + interfaces. When running on a system with 500+ interfaces + configured and adding 1000 VMAC interfaces, it was taking 2.3 + seconds to add the interfaces. Without populating a netlink + cache each time a VMAC interface is created it now takes 0.38 + seconds to add the interfaces (if creating 1000 VMAC interfaces + it was taking 6.1 seconds, now reduced to 0.89 seconds, and the + heap growth is reduced from 6.1Mb to 3.9Mb). + - Add function rtnk_link_get_kernel for dynamic linking. + - Fix compiling without JSON support. + - Add support for recording perf profiling data for vrrp process. + - Add comment re usage of MAX_ALLOC_LIST. + - Some streamlining of scheduler.c. + - Merge --enable-epoll-debug and --enable-dump-threads + functionality. + - Let thread_add_unuse() set thread type, and use + thread_add_unuse() more. + - Use break rather than return in process_threads(). + - Fix segfault when reloading with HTTP_GET and no regex + configured. + - Merge the next-generation scheduler. + - Make all debug options need enabling at runtime. Previously if + configure enabled a debug option its output was always + recorded, which meant that if one didn't want the output, + configure/ compile was needed. This commit adds command line + options that need to be set in order to turn the debugging on. + - Remove unwanted debug message. + - Fix parsing --debug options. + - Fix rb tree insertion with timers. + - Add missing functions for thread debugging. + - Add vrrp instance VMAC flags when dumping configuration. + - Ensure parent thread terminates if child has permanant config + error. 
+ - Ensure don't delete VMAC interface if keepalived didn't create + it. and sundry fixes. + - If receive lower priority advert, send GARP messages for sync + group. A recent update to issue #542 identified that following + recovery from a split brain situation, GARP messages weren't + being sent. It transpired that, if a member of a sync group in + master state received a lower priority advert and + vrrp_higher_prio_send_advert is set, a further (lower priority) + advert is sent, and the instance and all the members of the + sync group transition to backup (the other members of the sync + group don't send a further advert since they haven't received a + higher priority advert). This meant that the other members of + the sync group on the keepalived instance that remained master + didn't receive a lower priority advert, and so didn't send + further GARP messages. This commit changes keepalived's + behaviour, so that if a vrrp instance is sending GARP messages + due to receiving a lower priority advert and it is a member of + a sync group, keepalived will also send GARP messages for any + other member of the sync group that have garp_lower_prio_rep + set. + - Allow 0.0.0.0 and default/default6 for rule/route to/from + addresses. + - Check return value of SSL_CTX_new(). + - Check return values of SSL_new() and BIO_new_socket(). + - Only allow subnet masks with routes or virtual IP addresses. + For example, if specifying a via address or preferred source + address for a route, it isn't valid to specify a subnet mask. + - Add inet/inet6 to specify ip route/rule family if ambiguous. + - Remove superfluous parameter from parse_route(). + - Add "any" and "all" as synonyms for "default". + - Fix memory leak if route destination address is wrong address + family. + - Add ttl-propagate route option. + - Fix checking return status of kill(). + - Fix building with --enable-debug configure option. + - Stop delay in reload when using network namespaces. 
If running + in a network namespace, getaddrinfo() could take over 30 + seconds before timing out while trying to contact a name + server. To alleviate this, the hostname is remembered from when + keepalived started. + - Fix spelling of propagate in propagate_signal(). + - Fix effective_priority after reload if tracked interface down. + - Cosmetic grammatical changes. + - Add debug option for dumping vrrp fd lists. + - Fix calculation for vrrp fd timers. Starting or reloading + keepalived when an interface that was tracked interface was + failed was stopping other vrrp instances that were on the same + interface but not using VMACs coming up. + - Move code for initialising tracking priorities to vrrp_track.c. + - Don't overwrite track file on reload. + - Don't attempt to write track file if path not specified. + - Fix compiling when not using --enable-vrrp-fd-debug. + - Fix compiling with configure --enable-vrrp-fd-debug. + - Add sync group track_bfds and track file status to config dump. + - Move initialisation of track_files. + - Don't alter effective_priority if track_file take vrrp instance + down. + - Don't log vrrp instance in fault state at reload if already + fault. + - Fix calculating fd timer if all vrrp sands are set to + TIMER_DISABLED. + - Don't make all sync groups transition to backup on reload If a + sync group was in master state, and can still be after a reload + then allow it to stay in master state. + - Don't have track_bfd list in vrrp_sgroup_t in BFD not enabled. + - Fix memory leak re vrrp_sgroup_t track lists. + - Tidy up some freeing of MALLOC'd memory. Use FREE_PTR if it is + not known if the pointer is valid, and don't clear the pointer + afterr FREE/FREE_PTR since FREE does it anyway. + - Add memory.c list size definition and move definition from + memory.h. + - Increase size of checksum value for MEM_CHECK. + - Don't store checksum of memory allocation block. It can be + calculated from the size, so do so. 
+ - Make the checksum for memory allocation blocks unsigned. + - Use an enum for memory allocation block types. + - Update comment re debug bit for memory detect error. + - In memory alloc debug code report free or realloc for not + alloc'd. + - Allow for PIDs up to 2^22 (7 decimal digits). + - Add function for dumping memory allocation while running. + - Fix max memory allocation size calculations. + - Fix reporting original and new file/line/func for realloc. + - Check matching block for realloc is allocated. The same memory + block may have been previously allocated and freed, so we need + to make sure that the block we find is currently marked as + allocated. + - Use a new MEMCHECK struct for realloc overrun detected It was + marking the allocated block as an overrun block, whereas it + needs to be an allocated block, so use a new block to mark the + overrun. + - Tidy up working of a couple of memory allocation messages. + - Use for loops rather than while blocks in memory allocation + code. + - Report number of mallocs and reallocs with MEMCHECK. + - Attempt to log first free after double free in MEMCHECK. + - Streamline use of buf/buffer in memory.c. + - Always use first free entry in alloc_list for MEMCHECK. + - Define MEMCHECK alloc_list size via configure. + - Align keepalived_free() and keepalived_realloc(). + - Make char * const where possible for MEMCHECK. + - Merge MEMCHECK keepalived_free() and keepalived_realloc(). + Most of the code was common between the two (or should have + been), so it makes sense for them to use common code. + - Ensure only relevant thread types run during shutdown. + - Fix building without --enable-mem-check. + - Use rbtree search for finding child thread on child + termination. It was doing a linear search of the rbtree in + timeout order. This commit adds another rbtree for child + processes (vrrp track scripts and check_misc scripts), sorted + by PID, to make the search by PID more efficient. 
+ - Make rbtree compare function thread_timer_cmp() more efficient. + - Remove child_remover functionality - it was superfluous. + - Fix checking that there are no duplicate vrrp instances + configured The tuple {interface, family, vrid} must be unique. + The check for this was being made completely incorrectly. + - Delay creating vrrp notify FIFO. + - Remove struct sockaddr_storage saddr from sock_t. + - Use an rbtree for finding vrrp instance for received advert. + Previously the code search a list of pointers to vrrp instances + and looked for a matching fd and vrid. In order to optimise + this, it was implemented using an mlist whose index was a hash + of the fd and vrid. This commit changes the approach and uses + an rbtree for each sock_t. Since the sock_t that the advert + was received on is known, the rbtree search is only searching + for a match on the vrid. Not only is this more efficient, but + it is simpler, uses standard code, and reduces the code by + over 60 lines. + - Use an rbtree for finding vrrp instance for socket timeout. + Previously the code search a list of pointers to vrrp instances + and looked for matching file descriptor and sands < time_now. + In order to optimise this, it was implemented using an mlist + whose index was a hash of the fd. This commit changes the + approach and uses a second rbtree for each sock_t. Since the + sock_t that the timeout occurred on is known, the rbtree search + is only searching for a match of the sands. Not only is this + more efficient, but it is simpler, uses standard code, and + reduces the code by over 220 lines. + - Remove superfluous checks of rbtree node != NULL in rb_move(). + - Remove superfluous check of node != NULL in rb_next(). + - Update rbtree code to Linux 4.18.10. + - Fix debug logging of sands timers before time_now. + - Update rb_for_each_entry etc and rb_move to use rb_entry_safe. 
+ With the added definition of rb_entry_safe in the rbtree code + updated to Linux 4.18.10, the refinition of rb_entry was + reverted to the kernel definition. That meant that + rb_for_each_entry, rb_for_eacn_entry_safe and rb_move neded to + be updated to use rb_entry_safe rather than rb_entry. + - Add support functions for rbtree rb_root_cached. This is in + preparation for the use of rb_root_cached in the next patch. + - Use cached rbtrees where the key is a timeval_t sands When the + key of an rbtree is a timeval_t sands keepalived will + frequently need to access the first node of the tree in order + to calculate the next timeout. This applies to the read, write, + child and timer threads queues, and also the vrrp queues on a + sock_t. The use of cached rbtrees for these is ideal since it + gives direct access to the first node of the queue. + - Add thread_add_read_sands to avoid introducing timer errors. + When using thread_add_read and the timeout was held as + timeval_t, it was converted to and offset from time_now, and + then converted back to a timeval_t, but time_now was updated, + resulting in a slightly different value being used as the + timeout. Using thread_add_read_sands() avoids the double + conversion and results in the timeout being more accurate. + - Replace NETLINK_TIMER with TIMER_NEVER. It makes the code + easier to read, and since NETLINK_TIMER was defined to be + TIMER_NEVER it doesn't change the functionality. + - Handle preempt delays not expiring at same time on sync group + If different vrrp instances in a sync group had preempt delays + that expired at different times keepalived looped with very + small to epoll_wait() until all preempt delays had expired, + causing high CPU utilisation. Keepalived now reschedules vrrp + instances with a delay of 3 * advert_int + skew time while + waiting for all vrrp instances in the sync group to expire + their preempt delays. + - Fix segfault when receive netlink message for default route + added. 
+ - Move vrf_master_index into conditional compilation block. + - Store interface macvlan type. + - Make vrp_master_ifp point to self for VRF master interfaces. + - Log if cannot create a VMAC due to existing interface with same + name. + - Handle delete/create of macvlan i/fs which aren't keepalived's. + - Tidying up keepalived_netlink.c. + - Handle VRFs changing on macvlan i/fs which have VMACs + configured on them. + - Fix recreating our VMACs if they are deleted. + - Fix detecting address add/deletion from underlying i/f of our + vmacs. + - Don't use configured_ifp or base_ifp if not _HAVE_VRRP_VMAC_. + - Distinguish between VMAC on real i/f and no VMAC on macvlan i/f + If keepalived is configured to have a non VMAC interface on a + macvlan interface, we want to use the macvlan interface rather + than the underlying interface, whereas if we have a VMAC + interface on a macvlan interface, we create the VMAC on the + underlying interface of the macvlan. + - Update duplicate VRID check where vrrp instance configured on + macvlan. If a VRRP instance is configured on a macvlan + interface, the duplicate VRID check needs to be done on the + underlying interface. + - Check for VRID conflicts when changeable interfaces are added + For example, a vrrp instance could be configured on a macvlan, + and that macvlan could be deleted and recreated with another + base interface. The VRIDs in this case need to be checked for + duplicates against the base interface, and so the VRID check + needs to be done dynamically. In order to allow VRID conflicts + to produce config errors at startup, by default keepalived + assumes that there won't be interface movements as described + above, and will only handle it if the global_defs option + 'dynamic_interfaces' is used along with the option + 'allow_if_changes'. + - Remove some comments inserted for tracking changes to code. + - Fix building with --enable-debug configure option. 
+ - Check that '{'s and '}'s are balanced in the configuration + file. + - Allow more flexibility re placing of { and }. + - Improve reporting additional '}'s in configuration. + - Minor improvements re thread handling and cancellation. + - Remove unused THREAD_IF_UP and THREAD_IF_DOWN. + - Replace getpagesize() with sysconf(_SC_PAGESIZE). + - Increase netlink receive buffer for dumps to 16KiB. + - Dynamically set the netlink receive buffer size. + - Sort out setting netlink receive buffer size. +- added patches for changes found during the review of the dbus + code: (boo#1015141) + CVE-2018-19044 for + https://github.com/acassen/keepalived/commit/04f2d32871bb3b11d7dc024039952f2fe2750306.patch + CVE-2018-19045 for + https://github.com/acassen/keepalived/commit/c6247a9ef2c7b33244ab1d3aa5d629ec49f0a067.patch + https://github.com/acassen/keepalived/commit/5241e4d7b177d0b6f073cfc9ed5444bf51ec89d6.patch +- enable dbus support on TW by default (boo#1015141) +- enable json stats dump support + +------------------------------------------------------------------- +Thu Sep 13 07:28:25 UTC 2018 - Marcus Rueckert + +- use %license + +------------------------------------------------------------------- +Thu Sep 13 01:38:32 UTC 2018 - Marcus Rueckert + +- update to 2.0.7 + see /usr/share/doc/packages/keepalived/ChangeLog +- refreshed keepalive-init.patch: + - reduced patch to minimal changes + - made sure it actually reads our sysconfig file +- refreshed linux-4.15.patch +- enable http regexp support: new BR pcre2-devel +- update rpmlintrc to actually match the error message: glob vs + regexp + ------------------------------------------------------------------- Mon Apr 30 14:41:46 UTC 2018 - crrodriguez@opensuse.org diff --git a/keepalived.spec b/keepalived.spec index 1f7a27a..2f3cb09 100644 --- a/keepalived.spec +++ b/keepalived.spec 
@@ -26,11 +26,15 @@ %else %bcond_with systemd %endif -%bcond_with dbus -%bcond_with json +%if 0%{?suse_version} > 1500 +%bcond_without dbus +%else +%bcond_with dbus +%endif +%bcond_without json Name: keepalived -Version: 1.4.1 +Version: 2.0.9 Release: 0 Summary: A keepalive facility for Linux License: GPL-2.0-or-later @@ -41,6 +45,7 @@ Source2: keepalive-rpmlintrc Patch1: keepalive-init.patch # PATCH-FIX-UPSTREAM: https://github.com/acassen/keepalived/commit/947248af144bcab6376ccddab8dc40f313b14281.patch Patch2: linux-4.15.patch +Patch3: b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch BuildRequires: libnfnetlink-devel %if %{with json} BuildRequires: libjson-c-devel @@ -56,6 +61,7 @@ BuildRequires: pkgconfig(json-c) BuildRequires: pkgconfig(libipset) BuildRequires: pkgconfig(libiptc) BuildRequires: pkgconfig(libnl-3.0) +BuildRequires: pkgconfig(libpcre2-8) BuildRequires: pkgconfig(xtables) %else BuildRequires: dbus-1-devel @@ -64,6 +70,7 @@ BuildRequires: ipset-devel BuildRequires: libiptc-devel BuildRequires: libnl-devel BuildRequires: libxtables-devel +BuildRequires: pcre2-devel %endif BuildRequires: libnfnetlink-devel # BuildRequires: netsnmp-devel @@ -79,6 +86,10 @@ BuildRequires: systemd-rpm-macros %else Requires(pre): %insserv_prereq %endif +# remove when you remove b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -98,18 +109,22 @@ resilient infrastructures. %setup -q %patch1 -p1 %patch2 -p1 +%patch3 -p1 chmod 644 doc/samples/* %build +autoreconf -fi export STRIP=true export CPPFLAGS="$(pkg-config --cflags libnfnetlink libiptc libipset xtables)" export CFLAGS="%optflags -DOPENSSL_NO_SSL_INTERN" %configure \ --disable-silent-rules \ + --enable-bfd \ %if %{with json} --enable-json \ %endif --enable-snmp \ + --enable-snmp-checker \ --enable-snmp-vrrp \ --enable-snmp-rfc \ --enable-snmp-rfcv2 \ 
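Review bot: The new `%if 0%{?suse_version} > 1500` / `%bcond_without dbus` block makes `--enable-dbus` and `--enable-dbus-create-instance` (visible as context in the `%configure` hunk) the default on Tumbleweed, in the same change whose changelog lists CVE-2018-19044 and CVE-2018-19045 as findings from the dbus code review (boo#1015141). The spec only adds `Patch3` for libipset, so those fixes are presumably carried by the 2.0.9 tarball itself; that should be confirmed before the default flips. The 2.0.10 entry later on this page also says the file-output issue CVE-2018-19046 is only fully resolved there, which may or may not touch the dbus path. I would keep dbus opt-in until that update, or at least record the dependency above the conditional, e.g. `# dbus default-on: relies on the CVE-2018-19044/19045 fixes shipped in the 2.0.9 tarball`.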
@@ -118,6 +133,8 @@ export CFLAGS="%optflags -DOPENSSL_NO_SSL_INTERN" --enable-dbus \ --enable-dbus-create-instance \ %endif + --enable-regex \ + --enable-regex-timers \ %if %{with systemd} --with-init=systemd \ --with-systemdsystemunitdir="%{_unitdir}" \ @@ -191,7 +208,8 @@ getent passwd %{name} >/dev/null || \ %files %defattr(-,root,root) -%doc AUTHOR ChangeLog CONTRIBUTORS COPYING README +%license COPYING +%doc AUTHOR ChangeLog CONTRIBUTORS README %doc %{_datadir}/doc/keepalived/ %doc doc/samples/ %doc doc/keepalived.conf.SYNOPSIS doc/NOTE_vrrp_vmac.txt diff --git a/linux-4.15.patch b/linux-4.15.patch index 5038c1b..7e891b7 100644 --- a/linux-4.15.patch +++ b/linux-4.15.patch @@ -28,27 +28,41 @@ Signed-off-by: Baruch Siach keepalived/vrrp/vrrp.c | 1 + 2 files changed, 2 insertions(+) -diff --git a/keepalived/include/vrrp_arp.h b/keepalived/include/vrrp_arp.h -index c2b4e6b5..9dd68f63 100644 ---- a/keepalived/include/vrrp_arp.h -+++ b/keepalived/include/vrrp_arp.h +Index: keepalived-2.0.9/keepalived/include/vrrp_arp.h +=================================================================== +--- keepalived-2.0.9.orig/keepalived/include/vrrp_arp.h ++++ keepalived-2.0.9/keepalived/include/vrrp_arp.h 
@@ -24,6 +24,7 @@ #define _VRRP_ARP_H /* system includes */ +#include - #include - #include + #include + #include -diff --git a/keepalived/vrrp/vrrp.c b/keepalived/vrrp/vrrp.c -index 56395363..eaa9c567 100644 ---- a/keepalived/vrrp/vrrp.c -+++ b/keepalived/vrrp/vrrp.c -@@ -26,6 +26,7 @@ - #include "config.h" +Index: keepalived-2.0.9/keepalived/vrrp/vrrp.c +=================================================================== +--- keepalived-2.0.9.orig/keepalived/vrrp/vrrp.c ++++ keepalived-2.0.9/keepalived/vrrp/vrrp.c +@@ -40,6 +40,7 @@ + #include /* local include */ +#define _GNU_SOURCE + #include "parser.h" + #include "vrrp_arp.h" - #include "vrrp_ndisc.h" - #include "vrrp_scheduler.h" +Index: keepalived-2.0.9/keepalived/include/vrrp_if.h +=================================================================== +--- keepalived-2.0.9.orig/keepalived/include/vrrp_if.h ++++ keepalived-2.0.9/keepalived/include/vrrp_if.h +@@ -33,9 +33,7 @@ + #include + #include + #include +-#ifdef _HAVE_NET_LINUX_IF_H_COLLISION_ + #define _LINUX_IF_H +-#endif + #include + #ifdef _HAVE_VRRP_VMAC_ + #include From f0ed59c0a77f6472d6810d607028ab503bc3c3fc8ba682136b5b64eee991809c Mon Sep 17 00:00:00 2001 
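Review bot: The refreshed linux-4.15.patch gains a third file change, to `keepalived/include/vrrp_if.h`, which drops the `#ifdef _HAVE_NET_LINUX_IF_H_COLLISION_` guard and defines `_LINUX_IF_H` unconditionally. The patch's own diffstat still reads "2 files changed, 2 insertions(+)", and keepalived.spec still tags it `PATCH-FIX-UPSTREAM` with the upstream commit URL. A local change carried inside a patch labelled as an upstream commit is hard to audit on the next refresh, so I would split it into its own described patch or retag the spec line, e.g. `# PATCH-FIX-OPENSUSE: linux-4.15.patch also forces _LINUX_IF_H in vrrp_if.h`. Separately, in the vrrp.c part `#define _GNU_SOURCE` now sits after `/* local include */`, apparently below the system `#include` lines, where a feature-test macro no longer affects those headers. It likely belongs above the first include.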
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Wed, 28 Nov 2018 12:34:36 +0000 Subject: [PATCH 2/2] Accepting request 652406 from home:darix:playground - update to 2.0.10 - Fix compiling on Alpine Linux. - Stop printf compiler warning on Alpine Linux due to rlim_t. - manpage cosmetic. - Fix removing snmpd read threads when snmpd becomes unavailable. - Update to support libipset version 7. - Use ipset_printf for ipset messages so can go to log. - When opening files for write, ensure files can only be read by root. Issue #1048 referred to CVE-2018-19046 regarding files used for debugging purposes could potentially be read by non root users. This commit ensures that such log files cannot be opened by non root users. - Disable fopen_safe() append mode by default If a non privileged user creates /tmp/keepalived.log and has it open for read (e.g. tail -f), then even though keepalived will change the owner to root and remove all read/write permissions from non owners, the application which already has the file open will be able to read the added log entries. Accordingly, opening a file in append mode is disabled by default, and only enabled if --enable-smtp-alert-debug or --enable-log-file (which are debugging options and unset by default) are enabled. This should further alleviate security concerns related to CVE-2018-19046. - vrrp: add support to constant time memcmp. Just an update to use best practise security design pattern. While comparing password or hmac you need to ensure comparison function is time constant in order to figth against any timing attacks. We turn off potential compiler optimizations for this particular function to avoid any short circuit. - Make sure a non privileged user cannot read keepalived file output Ensure that when a file such as /tmp/keepalived.data is written, no non privileged can have a previous version of that file already open, thereby allowing them to read the data. This should fully resolve CVE-2018-19046. 
- drop b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch: included in update OBS-URL: https://build.opensuse.org/request/show/652406 OBS-URL: https://build.opensuse.org/package/show/network/keepalived?expand=0&rev=48 --- ...8f9265ffb5927c4d54c9a30726c76e65bb52.patch | 217 ------------------ keepalived-2.0.10.tar.gz | 3 + keepalived-2.0.9.tar.gz | 3 - keepalived.changes | 40 ++++ keepalived.spec | 11 +- 5 files changed, 44 insertions(+), 230 deletions(-) delete mode 100644 b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch create mode 100644 keepalived-2.0.10.tar.gz delete mode 100644 keepalived-2.0.9.tar.gz diff --git a/b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch b/b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch deleted file mode 100644 index b0c78e6..0000000 --- a/b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch +++ /dev/null 
@@ -1,217 +0,0 @@ -From b7a98f9265ffb5927c4d54c9a30726c76e65bb52 Mon Sep 17 00:00:00 2001 -From: Quentin Armitage -Date: Sat, 10 Nov 2018 19:03:47 +0000 -Subject: [PATCH] Update to support libipset version 7 - -Issue #1058 reported that keepalived failed to build with libipset -version 7. This commit updates keepalived to detect if the version -of the keepalived libraries is pre v7 or not, and compiles -appropriately. - -Signed-off-by: Quentin Armitage ---- - configure.ac | 21 ++++++++++++ - keepalived/include/vrrp_ipset.h | 2 +- - keepalived/vrrp/vrrp_ipset.c | 58 ++++++++++++++++++++++++++++++--- - keepalived/vrrp/vrrp_iptables.c | 2 +- - 4 files changed, 76 insertions(+), 7 deletions(-) - -diff --git a/configure.ac b/configure.ac -index ecec32a2..708b04fe 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1212,6 +1212,27 @@ if test .${enable_libiptc} != .no -a .$enable_vrrp != .no; then - [AC_DEFINE([LIBIPSET_H_ADD_IP_SET_H_GUARD], [1], [Define to add guard _IP_SET_H before including ])]) - ]) - fi -+ -+ if test $USE_LIBIPSET = Yes; then -+ AC_MSG_CHECKING([for libipset version 7 or later]) -+ AC_COMPILE_IFELSE([AC_LANG_SOURCE( -+ [[ -+ #include -+ -+ void test_func(void) -+ { -+ ipset_session_init(NULL, NULL); -+ } -+ ]])], -+ [ -+ AC_MSG_RESULT([yes]) -+ ], -+ [ -+ AC_MSG_RESULT([no]) -+ AC_DEFINE([LIBIPSET_PRE_V7_COMPAT], [ 1 ], [Define to 1 if libipset library version prior to v7]) -+ add_system_opt[LIBIPSET_PRE_V7] -+ ]) -+ fi - ]) - LIBS="$SAV_LIBS" - fi -diff --git a/keepalived/include/vrrp_ipset.h b/keepalived/include/vrrp_ipset.h -index 5a1a9562..5d83b21a 100644 ---- a/keepalived/include/vrrp_ipset.h -+++ b/keepalived/include/vrrp_ipset.h -@@ -29,7 +29,7 @@ - bool add_ipsets(bool); - bool remove_ipsets(void); - bool has_ipset_setname(void*, const char *); --bool ipset_init(void); -+bool ipset_initialise(void); - void* ipset_session_start(void); - void ipset_session_end(void*); - void ipset_entry(void*, int cmd, const ip_address_t*); -diff --git 
a/keepalived/vrrp/vrrp_ipset.c b/keepalived/vrrp/vrrp_ipset.c -index 4b3ab7cd..dbe248eb 100644 ---- a/keepalived/vrrp/vrrp_ipset.c -+++ b/keepalived/vrrp/vrrp_ipset.c -@@ -43,6 +43,9 @@ - #endif - #include - #include -+#ifndef LIBIPSET_PRE_V7_COMPAT -+#include -+#endif - #include - #include /* For __beXX types in userland */ - #include /* For nf_inet_addr */ -@@ -60,11 +63,18 @@ - #include - - /* The addresses of the functions we want */ -+#ifdef LIBIPSET_PRE_V7_COMPAT - struct ipset_session* (*ipset_session_init_addr)(ipset_outfn outfn); -+#else -+struct ipset_session* (*ipset_session_init_addr)(ipset_print_outfn outfn, void *p); -+#endif - int (*ipset_session_fini_addr)(struct ipset_session *session); - struct ipset_data* (*ipset_session_data_addr)(const struct ipset_session *session); --const char* (*ipset_session_error_addr)(const struct ipset_session *session); -+#ifdef LIBIPSET_PRE_V7_COMPAT - int (*ipset_envopt_parse_addr)(struct ipset_session *session, int env, const char *str); -+#else -+void (*ipset_envopt_set_addr)(struct ipset_session *session, int env); -+#endif - const struct ipset_type* (*ipset_type_get_addr)(struct ipset_session *session, enum ipset_cmd cmd); - int (*ipset_data_set_addr)(struct ipset_data *data, enum ipset_opt opt, const void *value); - int (*ipset_cmd_addr)(struct ipset_session *session, enum ipset_cmd cmd, uint32_t lineno); -@@ -74,8 +84,11 @@ void (*ipset_load_types_addr)(void); - #define ipset_session_init (*ipset_session_init_addr) - #define ipset_session_fini (*ipset_session_fini_addr) - #define ipset_session_data (*ipset_session_data_addr) --#define ipset_session_error (*ipset_session_error_addr) -+#ifdef LIBIPSET_PRE_V7_COMPAT - #define ipset_envopt_parse (*ipset_envopt_parse_addr) -+#else -+#define ipset_envopt_set (*ipset_envopt_set_addr) -+#endif - #define ipset_type_get (*ipset_type_get_addr) - #define ipset_data_set (*ipset_data_set_addr) - /* Unfortunately ipset_cmd conflicts with struct ipset_cmd */ -@@ -87,6 +100,22 
@@ static void* libipset_handle; - #define ipset_cmd1 ipset_cmd - #endif - -+#ifndef LIBIPSET_PRE_V7_COMPAT -+static int -+ipset_printf(__attribute ((__unused__)) struct ipset_session *session, void *p, const char *fmt, ...) -+{ -+ va_list args; -+ -+ log_message(LOG_INFO, "libipset message from %s", (const char *)p); -+ -+ va_start(args, fmt); -+ vlog_message(LOG_INFO, fmt, args); -+ va_end(args); -+ -+ return 0; -+} -+#endif -+ - static bool - do_ipset_cmd(struct ipset_session* session, enum ipset_cmd cmd, const char *setname, - const ip_address_t *addr, uint32_t timeout, const char* iface) -@@ -162,7 +191,11 @@ static bool create_sets(const char* addr4, const char* addr6, const char* addr_i - { - struct ipset_session *session; - -+#ifdef LIBIPSET_PRE_V7_COMPAT - session = ipset_session_init(printf); -+#else -+ session = ipset_session_init(ipset_printf, "create_sets"); -+#endif - if (!session) { - log_message(LOG_INFO, "Cannot initialize ipset session."); - return false; -@@ -171,7 +204,11 @@ static bool create_sets(const char* addr4, const char* addr6, const char* addr_i - /* If we aren't reloading, don't worry if sets already exists. With the - * IPSET_ENV_EXIST option set, any existing entries in the set are removed. 
*/ - if (!reload) -+#ifdef LIBIPSET_PRE_V7_COMPAT - ipset_envopt_parse(session, IPSET_ENV_EXIST, NULL); -+#else -+ ipset_envopt_set(session, IPSET_ENV_EXIST); -+#endif - - if (block_ipv4) { - if (!reload || !has_ipset_setname(session, addr4)) -@@ -220,7 +257,7 @@ bool set_match_loaded(void) - return found; - } - --bool ipset_init(void) -+bool ipset_initialise(void) - { - #ifdef _LIBIPSET_DYNAMIC_ - if (libipset_handle) -@@ -252,8 +289,11 @@ bool ipset_init(void) - if (!(ipset_session_init_addr = dlsym(libipset_handle, "ipset_session_init")) || - !(ipset_session_fini_addr = dlsym(libipset_handle, "ipset_session_fini")) || - !(ipset_session_data_addr = dlsym(libipset_handle,"ipset_session_data")) || -- !(ipset_session_error_addr = dlsym(libipset_handle,"ipset_session_error")) || -+#ifdef LIBIPSET_PRE_V7_COMPAT - !(ipset_envopt_parse_addr = dlsym(libipset_handle,"ipset_envopt_parse")) || -+#else -+ !(ipset_envopt_set_addr = dlsym(libipset_handle,"ipset_envopt_set")) || -+#endif - !(ipset_type_get_addr = dlsym(libipset_handle,"ipset_type_get")) || - !(ipset_data_set_addr = dlsym(libipset_handle,"ipset_data_set")) || - !(ipset_cmd_addr = dlsym(libipset_handle,"ipset_cmd")) || -@@ -285,7 +325,11 @@ bool remove_ipsets(void) - return true; - #endif - -+#ifdef LIBIPSET_PRE_V7_COMPAT - session = ipset_session_init(printf); -+#else -+ session = ipset_session_init(ipset_printf, "remove_ipsets"); -+#endif - if (!session) { - log_message(LOG_INFO, "Cannot initialize ipset session."); - return false; -@@ -311,7 +355,11 @@ bool add_ipsets(bool reload) - - void* ipset_session_start(void) - { -- return ipset_session_init(NULL); -+#ifdef LIBIPSET_PRE_V7_COMPAT -+ return ipset_session_init(printf); -+#else -+ return ipset_session_init(ipset_printf, "session_start"); -+#endif - } - - void ipset_session_end(void* vsession) -diff --git a/keepalived/vrrp/vrrp_iptables.c b/keepalived/vrrp/vrrp_iptables.c -index 874b0d0b..9b05ca66 100644 ---- a/keepalived/vrrp/vrrp_iptables.c -+++ 
b/keepalived/vrrp/vrrp_iptables.c -@@ -468,7 +468,7 @@ iptables_init_lib(void) - #endif - - #ifdef _HAVE_LIBIPSET_ -- if (global_data->using_ipsets && !ipset_init()) -+ if (global_data->using_ipsets && !ipset_initialise()) - global_data->using_ipsets = false; - #endif - diff --git a/keepalived-2.0.10.tar.gz b/keepalived-2.0.10.tar.gz new file mode 100644 index 0000000..f1468c7 --- /dev/null +++ b/keepalived-2.0.10.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:40e0e55afed9ca313d621a9c5878579696fafb5504dab521aadaf20ba6e7f597 +size 927631 diff --git a/keepalived-2.0.9.tar.gz b/keepalived-2.0.9.tar.gz deleted file mode 100644 index b5a670e..0000000 --- a/keepalived-2.0.9.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:3930b2e43bc8e7109ddb17d32f88cdd58071f2a9a41efa55852ca9ee26cd52c5 -size 924455 diff --git a/keepalived.changes b/keepalived.changes index 21af91f..a18b7d6 100644 --- a/keepalived.changes +++ b/keepalived.changes 
@@ -1,3 +1,43 @@
+-------------------------------------------------------------------
+Wed Nov 28 12:27:13 UTC 2018 - Marcus Rueckert
+
+- update to 2.0.10
+ - Fix compiling on Alpine Linux.
+ - Stop printf compiler warning on Alpine Linux due to rlim_t.
+ - manpage cosmetic.
+ - Fix removing snmpd read threads when snmpd becomes unavailable.
+ - Update to support libipset version 7.
+ - Use ipset_printf for ipset messages so can go to log.
+ - When opening files for write, ensure files can only be read by
+ root. Issue #1048 referred to CVE-2018-19046 regarding files
+ used for debugging purposes could potentially be read by non
+ root users. This commit ensures that such log files cannot be
+ opened by non root users.
+ - Disable fopen_safe() append mode by default If a non privileged
+ user creates /tmp/keepalived.log and has it open for read (e.g.
+ tail -f), then even though keepalived will change the owner to
+ root and remove all read/write permissions from non owners, the
+ application which already has the file open will be able to
+ read the added log entries. Accordingly, opening a file in
+ append mode is disabled by default, and only enabled if
+ --enable-smtp-alert-debug or --enable-log-file (which are
+ debugging options and unset by default) are enabled. This
+ should further alleviate security concerns related to
+ CVE-2018-19046.
+ - vrrp: add support to constant time memcmp. Just an update to
+ use best practise security design pattern. While comparing
+ password or hmac you need to ensure comparison function is time
+ constant in order to figth against any timing attacks. We turn
+ off potential compiler optimizations for this particular
+ function to avoid any short circuit.
+ - Make sure a non privileged user cannot read keepalived file
+ output Ensure that when a file such as /tmp/keepalived.data is
+ written, no non privileged can have a previous version of that
+ file already open, thereby allowing them to read the data.
+ This should fully resolve CVE-2018-19046. +- drop b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch: included in + update + ------------------------------------------------------------------- Sat Nov 10 21:01:14 UTC 2018 - Marcus Rueckert diff --git a/keepalived.spec b/keepalived.spec index 2f3cb09..39c675d 100644 --- a/keepalived.spec +++ b/keepalived.spec @@ -34,7 +34,7 @@ %bcond_without json Name: keepalived -Version: 2.0.9 +Version: 2.0.10 Release: 0 Summary: A keepalive facility for Linux License: GPL-2.0-or-later @@ -45,7 +45,6 @@ Source2: keepalive-rpmlintrc Patch1: keepalive-init.patch # PATCH-FIX-UPSTREAM: https://github.com/acassen/keepalived/commit/947248af144bcab6376ccddab8dc40f313b14281.patch Patch2: linux-4.15.patch -Patch3: b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch BuildRequires: libnfnetlink-devel %if %{with json} BuildRequires: libjson-c-devel @@ -86,12 +85,6 @@ BuildRequires: systemd-rpm-macros %else Requires(pre): %insserv_prereq %endif -# remove when you remove b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch -BuildRequires: autoconf -BuildRequires: automake -BuildRequires: libtool - -BuildRoot: %{_tmppath}/%{name}-%{version}-build %description This project provides facilities for load balancing and high-availability to @@ -109,11 +102,9 @@ resilient infrastructures. %setup -q %patch1 -p1 %patch2 -p1 -%patch3 -p1 chmod 644 doc/samples/* %build -autoreconf -fi export STRIP=true export CPPFLAGS="$(pkg-config --cflags libnfnetlink libiptc libipset xtables)" export CFLAGS="%optflags -DOPENSSL_NO_SSL_INTERN"