Recommended update for keepalived

SUSE Recommended Update: Recommended update for keepalived
Announcement ID: SUSE-RU-2019:0407-1
Rating: moderate
References: #1109991
Affected Products:
  • SUSE OpenStack Cloud Crowbar 8
  • SUSE OpenStack Cloud 8
  • HPE Helion Openstack 8

An update that has one recommended fix can now be installed.


This update for keepalived fixes the following issues:

  • update to 1.4.5: * Update snapcraft.yaml for 1.4.x+git * Fix generation of git-commit.h with git commit number. * Set virtual server address family correctly. * Set virtual server address family correctly when using tunnelled real servers. * Fix handling of virtual servers with no real servers at config time. * Add warning if virtual and real servers are different address families. Although normally the virtual server and real servers must have the same address family, if a real server is tunnelled, the address families can be different. However, the kernel didn't support that until 3.18, so add a check that the address families are the same if different address families are not supported by the kernel. * Send correct status in Dbus VrrpStatusChange notification. When an instance transitioned from BACKUP to FAULT, the Dbus status change message reported the old status (BACKUP) rather than the new status (FAULT). This commit attempts to resolved that. * doc: ipvs schedulers update * Fix a couple of typos in * Fix namespace collision with musl if_ether.h. * Check if return value from read_value_block() is null before using. * Fix reporting real server stats via SNMP. * Make checker process handle RTM_NEWLINK messages with -a option Even though the checker process doesn't subscribe to RTNLGRP_LINK messages, it appears that older kernels (certainly 2.6.32) can send RTM_NEWLINK (but not RTM_DELLINK) messages. This occurs when the link is set to up state. Only the VRRP process is interested in link messages, and so the checker process doesn't do the necessary initialisation to be able to handle RTM_NEWLINK messages. This commit makes the checker process simply discard RTM_NEWLINK and RTM_DELLINK messages, rather than assuming that if it receives an RTM_NEWLINK message it must be the VRRP process. This problem was reported in issue #848 since the checker process was segfaulting when a new interface was added when the -a command line option was specified. * Fix handling RTM_NEWLINK when building without VRRP code. * Fix building on Fedora 28. net-snmp-config output can include compiler and linker flags that refer to spec files that were used to build net-snmp but may not exist on the system building keepalived. That would cause the build done by configure to test for net-snmp support to fail; in particular on a Fedora 28 system that doesn't have the redhat-rpm-config package installed. This commit checks that any spec files in the compiler and linker flags returned by net-snmp-config exist on the system building keepalived, and if not it removes the reference(s) to the spec file(s). * keepalived-1.4.3 released. * vrrp: setting '0' as default value for ifa_flags to make gcc happy. * Add additional libraries when testing for presence of SSL_CTX_new(). It appears that some systems need -lcrypto when linking with -lssl. * Sanitise checking of libnl3 in * Report and handle missing '}'s in config files. * Add missing '\n' in output. * Stop backup taking over as master while master reloads. If a reload was initiated just before an advert, and since it took one advert interval after a reload before an advert was sent, if the reload itself took more than one advert interval, the backup could time out and take over as master. This commit makes keepalived send adverts for all instances that are master immediately before a reload, and also sends adverts immediately after a reload, thereby trippling the time available for the reload to complete. * Add route option fastopen_no_cookie and rule option l3mdev. * Fix errors in KEEPALIVED-MIB.txt. * Simplify setting on IN6_ADDR_GEN_MODE. * Cosmetic changes to keepalived(8) man page. * Don't set ipvs sync daemon to master state before becoming master If a vrrp instance which was the one specified for the ipvs sync daemon was configured with initial state master, the sync daemon was being set to master mode before the vrrp instance transitioned to master mode. This caused an error message when the vrrp instance transitioned to master and attempted to make the sync daemon go from backup to master mode. This commit stops setting the sync daemon to master mode at initialisation time, and it is set to master mode when the vrrp instance transitions to master. * Fix freeing vector which has not had any entries allocated. * Add additional mem-check disgnostics vector_alloc, vectot_alloc_slot, vector_free and alloc_strvec all call MALLOC/FREE but the functions written in the mem_check log are vector_alloc etc, not the functions that call them. This commit adds logging of the originating calling function. * Fix memory leak in parser.c. * Improve alignment of new mem-check logging. * Disable all checkers on a virtual server when ha_suspend set. Only the first checker was being disabled; this commit now disables all of them. Also, make the decision to disable a checker when starting/reloading when scheduling the checker, so that the existance of the required address can be checked. * Stop genhash segfaulting when built with --enable-mem-check. * Fix memory allocation problems in genhash. * Properly fix memory allocation problems in genhash. * Fix persistence_granularity IPv4 netmask validation. The logic test from inet_aton() appears to be inverted. * Fix segfault when checker configuration is missing expected parameter Issue #806 mentioned as an aside that "nb_get_retry" without a parameter was sigfaulting. Commit be7ae80 - "Stop segfaulting when configuration keyword is missing its parameter" missed the "hidden" uses of vector_slot() (i.e. those used via definitions in header files). This commit now updates those uses of vector_slot() to use strvec_slot() instead. * Fix compiling on Linux 2.x kernels. There were missing checks for HAVE_DECL_CLONE_NEWNET causing references to an undeclared variable if CLONE_NEWNET wasn't defined. * Improve parsing of kernel release. The kernel EXTRAVERSION can start with any character (although starting with a digit would be daft), so relax the check for it starting with a '-'. Kernels using both '+' and '.' being the first character of EXTRAVERSION have been reported. * Improve grammer. * add support for SNI in SSL_GET check. this adds a `enable_sni` parameter to SSL_GET, making sure the check passes the virtualhost in the SNI extension during SSL handshake. * Optimise setting host name for SSL_GET requests with SNI. * Allow SNI to be used with SSL_GET with OpenSSL v1.0.0 and LibreSSL. * Use configure to check for SSL_set_tlsext_host_name() Rather than checking for a specific version of the OpenSSL library (and it would also need checking the version of the LibreSSL library) let configure check for the presence of SSL_set_tlsext_host_name(). Also omit all code related to SNI of SSL_set_tlsext_host_name() is not available. * Use configure to determine available OpenSSL functionality Rather than using version numbers of the OpenSSL library to determine what functions are available, let configure determine whether the functions are supported. The also means that the same tests work for LibreSSL. * Add support for gratuitous ARPs for IP over Infiniband. * Use system header definition instead of local definition IF_HWADDR_MAX linux/netdevice.h has definition MAX_ADDR_LEN, which is 32, whereas IF_HWADDR_MAX was locally defined to be 20. Unfortunately we end up with more system header file juggling to ensure we don't have duplicate definitions. * Fix vrrp_script and check_misc scripts of type /tcp/ * Add the first pre-defined config definition (${_PWD}) ${_PWD} in a configuration file will be replaced with the full path name of the directory that keepalived is reading the current configuration file from. * Open and run the notify fifo and script if no other fifo Due to the way the code was structured the notify_fifo for both checker and vrrp messages wasn't run if neither the vrrp or checker fifo wasn't configured. Also, if all three fifos were configured, the general fifo script was executed by both the vrrp and checker process, causing problems. * Add support for Infiniband interfaces when dumping configuration. * Tidy up layout in vrrp_arp.c. * Add configure check for support of position independant executables (PIE). * Add check for -pie support, and fix writing to * keepalived-1.4.2 released. * Make genhash exit with exit code 1 on error. Issue #766 identified that genhash always exits with exit code 1 even if an error has occurred. * Rationalise printing of http header in genhash. * Use http header Content-Length field in HTTP_CHECK/SSL_CHECK. If a Content-Length is supplied in the http header, use that as a limit to the data length (as wget does). If the length of data received does not match the Content-Length log a warning. * Optimise parameter passing to fprintf in genhash. * Don't declare mark variable if don't have MARK socket option. * Fix sync groups with only one member. Commit c88744a0 allowed sync groups with only 1 member again, but didn't stop removing the sync group if there was only 1 member. This commit now doesn't remove sync groups with only one member. * Make track scripts work with --enable-debug config option. * Add warning if --enable-debug configure option is used. * Allow more flexibility of layout of { and } in config files. keepalived was a bit fussy about where '{'s and '}'s (braces) could be placed in terms of after the keyword, or on a line on their own. It certainly was not possible to have multiple braces on one line. This commit now provides complete flexibility of where braces are, so long as they occur in the correct order. * Make alloc_value_block() report block type if there is an error. * Simplify alloc_value_block() by using libc string functions. * Add dumping of garp delay config when using -d option. * Fix fractions of seconds for garp group garp_interval. * Make read_value_block() use alloc_value_block(). This removes quite a bit of duplication of functionality, and ensures the configuration parsing will be more consistent. * Fix build with Linux kernel headers v4.15. Linux kernel version 4.15 changed the libc/kernel headers suppression logic in a way that introduces collisions. * Add missing command line options to keepalived(8) man page. * Fix --dont-release-vrrp. On github, ushuz reported that commit 62e8455 - "Don't delete vmac interfaces before dropping multicast membership" broke --dont-release-vrrp. This commit restores the correct functionality. * Define _GNU_SOURCE for all compilation units. Rather than defining _GNU_SOURCE when needed, let configure add it to the flags passed to the C compiler, so that it is defined for all compilation units. This ensures consistence. * Fix new warnings procuded by gcc 8. * Fix dumping empty lists. Add a check in dump_list() for an empty list, and don't attempt to dump it if it is empty. * Resolve conversion-check compiler warnings. * Add missing content to installing_keepalived.rst documentation. Issue #778 identified that there was text missing at the end of the document, and that is now added. * Fix systemd service to start after This fix was merged downstream by RedHat in response to RHBZ #1413320. * Update INSTALL file to describe packages needed for building documentation. * INSTALL: note linux distro package that provides 'sphinx_rtd_theme' * Clear /proc/sys/net/ipv6/conf/IF/disable_ipv6 when create VMACs. An issue was identified where keepalived was reporting permission denied when attempting to add an IPv6 address to a VMAC interface. It turned out that this was because /proc/sys/net/ipv6/conf/default/disable_ipv6 was set to 1, causing IPv6 to be disables on all interfaces that keepalived created. This commit clears disable_ipv6 on any VMAC interfaces that keepalived creates if the vrrp instance is using IPv6.
  • remove linux-4.15 patch: does not apply anymore and not needed (the distros using 4.15 have moved on to keepalived 2.x)

  • Only Require insserv on distributions without systemd.
  • Fix systemd related requires/buildRequires
  • Do not run scriptlets that use insserv when using systemd

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE OpenStack Cloud Crowbar 8:
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-407=1
  • SUSE OpenStack Cloud 8:
    zypper in -t patch SUSE-OpenStack-Cloud-8-2019-407=1
  • HPE Helion Openstack 8:
    zypper in -t patch HPE-Helion-OpenStack-8-2019-407=1

Package List:

  • SUSE OpenStack Cloud Crowbar 8 (x86_64):
    • keepalived-1.4.5-3.3.1
    • keepalived-debuginfo-1.4.5-3.3.1
    • keepalived-debugsource-1.4.5-3.3.1
  • SUSE OpenStack Cloud 8 (x86_64):
    • keepalived-1.4.5-3.3.1
    • keepalived-debuginfo-1.4.5-3.3.1
    • keepalived-debugsource-1.4.5-3.3.1
  • HPE Helion Openstack 8 (x86_64):
    • keepalived-1.4.5-3.3.1
    • keepalived-debuginfo-1.4.5-3.3.1
    • keepalived-debugsource-1.4.5-3.3.1