From fe27bc813543ea7f743bfb5e12c2c5fc8fd4eab9 Mon Sep 17 00:00:00 2001
From: Christine Caulfield
Date: Fri, 31 Jan 2025 10:00:03 +0000
Subject: [PATCH] * Fri Jan 31 2025 Christine Caulfield - 2.1.5-11 - ipvs: Allow real servers to be specified with a weight of 0 Resolves: RHEL-7699 - vrrp: Fix using VMACs with unicast peers Resolves: RHEL-7694 - lvs: if lost misc check child register checker again Resolves: RHEL-66742
---
RHEL-66742.patch | 41 +++++++++++++++++++
RHEL-7694-dep.patch | 23 +++++++++++
RHEL-7694.patch | 97 +++++++++++++++++++++++++++++++++++++++++++++
RHEL-7699.patch | 40 +++++++++++++++++++
keepalived.spec | 19 ++++++++-
5 files changed, 219 insertions(+), 1 deletion(-)
create mode 100644 RHEL-66742.patch
create mode 100644 RHEL-7694-dep.patch
create mode 100644 RHEL-7694.patch
create mode 100644 RHEL-7699.patch
diff --git a/RHEL-66742.patch b/RHEL-66742.patch
new file mode 100644
index 0000000..5f30bbf
--- /dev/null
+++ b/RHEL-66742.patch
@@ -0,0 +1,41 @@
+commit d2f5e5595a511ff62934c77cb62f82bdb2320e29
+Author: Yonglong Li
+Date: Fri Dec 29 11:03:08 2023 +0800
+
+ lvs: if lost misc check child register checker agagin
+
+ issue: misc check_child_thread timeout and remove child_pid
+ form rb_data, timeout callback of check_child_thread is not be
+ called, if at this time misc script done and exit, and child
+ termination will do nothing because child_pid was remove form
+ rb_data. in this case timeou callback will not register checker
+ again, the checker will lost.
+
+ fix: if lost misc check child register checker again
+
Signed-off-by: Yonglong Li
+
+diff --git a/keepalived/check/check_misc.c b/keepalived/check/check_misc.c
+index b2260d5f..c388e89d 100644
+--- a/keepalived/check/check_misc.c
++++ b/keepalived/check/check_misc.c
+@@ -337,9 +337,10 @@ misc_check_child_thread(thread_ref_t thread)
+ /* The process does not exist, and we should
+ * have reaped its exit status, otherwise it
+ * would exist as a zombie process. */
+- log_message(LOG_INFO, "Misc script %s child (PID %d) lost", misck_checker->script.args[0], pid);
++ log_message(LOG_INFO, "Misc script %s child (PID %d) lost, register checker again", misck_checker->script.args[0], pid);
+ misck_checker->state = SCRIPT_STATE_IDLE;
+ timeout = 0;
++ goto recheck;
+ } else {
+ log_message(LOG_INFO, "kill -%d of process %s(%d) with new state %u failed with errno %d", sig_num, misck_checker->script.args[0], pid, misck_checker->state, errno);
+ timeout = 1000;
+@@ -488,6 +489,7 @@ misc_check_child_thread(thread_ref_t thread)
+ }
+ }
+
++recheck:
+ /* Register next timer checker */
+ next_time = timer_add_long(misck_checker->last_ran, checker->retry_it ? checker->delay_before_retry : checker->delay_loop);
+ next_time = timer_sub_now(next_time);
diff --git a/RHEL-7694-dep.patch b/RHEL-7694-dep.patch
new file mode 100644
index 0000000..2f5f8fd
--- /dev/null
+++ b/RHEL-7694-dep.patch
@@ -0,0 +1,23 @@
+commit 4a56ddf74b310d75c31bb98fee6f6789b04f6891
+Author: Quentin Armitage
+Date: Mon Jul 20 07:03:54 2020 +0100
+
+ vrrp: Fix building without VMAC support
+
+
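Review bot: In misc_check_child_thread (keepalived/check/check_misc.c, carried in RHEL-66742.patch), the new `goto recheck;` in the "child lost" branch turns the preceding `timeout = 0;` into a dead store and skips everything between that branch and the `recheck:` label, none of which is visible in these two hunks. The visible lines only reset `state` to `SCRIPT_STATE_IDLE` before re-arming, so please confirm that a lost child is also reflected in the real server's health result rather than leaving the last known status in place until the script next completes. I would drop the dead assignment and document the jump, e.g. `/* Child vanished without an exit status: skip result handling and only re-arm the checker */` above `goto recheck;`. Since this path appears to be reached after a script timeout, it is also worth checking how `timer_sub_now()` behaves when `last_ran` plus the delay is already in the past. The function body starts and ends outside both hunks.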
Signed-off-by: Quentin Armitage
+
+diff --git a/keepalived/vrrp/vrrp_parser.c b/keepalived/vrrp/vrrp_parser.c
+index 1d19c684..3e05f698 100644
+--- a/keepalived/vrrp/vrrp_parser.c
++++ b/keepalived/vrrp/vrrp_parser.c
+@@ -412,9 +412,9 @@ vrrp_handler(const vector_t *strvec)
+ static void
+ vrrp_end_handler(void)
+ {
+-#ifdef _HAVE_VRRP_VMAC_
+ vrrp_t *vrrp = list_last_entry(&vrrp_data->vrrp, vrrp_t, e_list);
+
++#ifdef _HAVE_VRRP_VMAC_
+ if (!list_empty(&vrrp->unicast_peer) && vrrp->vmac_flags) {
+ report_config_error(CONFIG_GENERAL_ERROR, "(%s): Cannot use VMAC/ipvlan with unicast peers - clearing use_vmac", vrrp->iname);
+ vrrp->vmac_flags = 0;
diff --git a/RHEL-7694.patch b/RHEL-7694.patch
new file mode 100644
index 0000000..48bcf29
--- /dev/null
+++ b/RHEL-7694.patch
@@ -0,0 +1,97 @@
+commit 97429b3b7e6ec2f5b9c93a5d507b152bab30f919
+Author: Quentin Armitage
+Date: Wed Sep 16 15:35:44 2020 +0100
+
+ vrrp: Fix using VMACs with unicast peers
+
+
Signed-off-by: Quentin Armitage
+
+diff --git a/doc/man/man5/keepalived.conf.5 b/doc/man/man5/keepalived.conf.5
+index e6b230c6..83a5915f 100644
+--- a/doc/man/man5/keepalived.conf.5
++++ b/doc/man/man5/keepalived.conf.5
+@@ -1359,6 +1359,8 @@ The syntax for vrrp_instance is :
+ # all.rp_filter, as will default.rp_filter, and all.rp_filter
+ # will be set to 0.
+ # The original settings are restored on termination.
++ # \fBNOTE 2\fR: If using use_vmac with unicast peers,
++ # vmac_xmit_base must be set.
+ \fBuse_vmac \fR[]
+
+ # Send/Recv VRRP messages from base interface instead of
+diff --git a/keepalived/vrrp/vrrp_parser.c b/keepalived/vrrp/vrrp_parser.c
+index 5cf1eea1..d1e2d8ea 100644
+--- a/keepalived/vrrp/vrrp_parser.c
++++ b/keepalived/vrrp/vrrp_parser.c
+@@ -416,9 +416,14 @@ vrrp_end_handler(void)
+
+ #ifdef _HAVE_VRRP_VMAC_
+ if (!list_empty(&vrrp->unicast_peer) && vrrp->vmac_flags) {
+- report_config_error(CONFIG_GENERAL_ERROR, "(%s): Cannot use VMAC/ipvlan with unicast peers - clearing use_vmac", vrrp->iname);
+- vrrp->vmac_flags = 0;
+- vrrp->vmac_ifname[0] = '\0';
++ if (!vrrp->ifp) {
++ report_config_error(CONFIG_GENERAL_ERROR, "(%s): Cannot use VMAC/ipvlan with unicast peers and no interface - clearing use_vmac", vrrp->iname);
++ vrrp->vmac_flags = 0;
++ vrrp->vmac_ifname[0] = '\0';
++ } else if (!__test_bit(VRRP_VMAC_XMITBASE_BIT, &vrrp->vmac_flags)) {
++ report_config_error(CONFIG_GENERAL_ERROR, "(%s) unicast with use_vmac requires vmac_xmit_base - setting", vrrp->iname);
++ __set_bit(VRRP_VMAC_XMITBASE_BIT, &vrrp->vmac_flags);
++ }
+ }
+ #endif
+
+diff --git a/keepalived/vrrp/vrrp_scheduler.c b/keepalived/vrrp/vrrp_scheduler.c
+index 2fb859e1..d9271720 100644
+--- a/keepalived/vrrp/vrrp_scheduler.c
++++ b/keepalived/vrrp/vrrp_scheduler.c
+@@ -459,17 +459,17 @@ vrrp_create_sockpool(list_head_t *l)
+ struct sockaddr_storage *unicast_src;
+
+ list_for_each_entry(vrrp, &vrrp_data->vrrp, e_list) {
+- if (list_empty(&vrrp->unicast_peer)) {
+- ifp =
+-#ifdef _HAVE_VRRP_VMAC_
+- (__test_bit(VRRP_VMAC_XMITBASE_BIT, &vrrp->vmac_flags)) ? vrrp->configured_ifp :
+-#endif
+- vrrp->ifp;
++ if (list_empty(&vrrp->unicast_peer))
+ unicast_src = NULL;
+- } else {
++ else
+ unicast_src = &vrrp->saddr;
+- ifp = vrrp->ifp;
+- }
++
++ ifp =
++#ifdef _HAVE_VRRP_VMAC_
++ (__test_bit(VRRP_VMAC_XMITBASE_BIT, &vrrp->vmac_flags)) ? vrrp->configured_ifp :
++#endif
++ vrrp->ifp;
++
+ proto = IPPROTO_VRRP;
+ #if defined _WITH_VRRP_AUTH_
+ if (vrrp->auth_type == VRRP_AUTH_AH)
+@@ -607,13 +607,6 @@ vrrp_lower_prio_gratuitous_arp_thread(thread_ref_t thread)
+ vrrp_send_link_update(vrrp, vrrp->garp_lower_prio_rep);
+ }
+
+-static void
+-vrrp_master(vrrp_t * vrrp)
+-{
+- /* Send the VRRP advert */
+- vrrp_state_master_tx(vrrp);
+-}
+-
+ void
+ try_up_instance(vrrp_t *vrrp, bool leaving_init)
+ {
+@@ -802,7 +795,7 @@ vrrp_dispatcher_read_timeout(sock_t *sock)
+ vrrp_goto_master(vrrp);
+ }
+ else if (vrrp->state == VRRP_STATE_MAST)
+- vrrp_master(vrrp);
++ vrrp_state_master_tx(vrrp);
+
+ /* handle instance synchronization */
+ #ifdef _TSM_DEBUG_
diff --git a/RHEL-7699.patch b/RHEL-7699.patch
new file mode 100644
index 0000000..584fe83
--- /dev/null
+++ b/RHEL-7699.patch
@@ -0,0 +1,40 @@
+commit e2b4d108d68ada3af8ad437e2e291fcac1fd0ff7
+Author: Quentin Armitage
+Date: Tue Oct 20 11:24:48 2020 +0100
+
+ ipvs: Allow real servers to be specified with a weight of 0
+
+ This currently only really makes sense when also having a FILE_CHECK
+ with non-zero weight configured, or a MISC_CHECK with "misc_dynamic",
+ since otherwise there is no way that the weight of the real server can
+ be changed to be non-zero.
+
+
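Review bot: In vrrp_create_sockpool (keepalived/vrrp/vrrp_scheduler.c, carried in RHEL-7694.patch), instances with unicast peers now take `vrrp->configured_ifp` whenever `VRRP_VMAC_XMITBASE_BIT` is set, where the removed branch always used `vrrp->ifp` for them. The vrrp_end_handler hunk only tests `vrrp->ifp` for NULL before forcing that bit, so nothing visible shows that `configured_ifp` is always populated for a unicast instance; please confirm, because this selects the interface the VRRP socket is opened on. A comment above the assignment such as `/* vmac_xmit_base: use the configured base interface, with or without unicast peers */` would record the intent. Minor: the new message `"(%s) unicast with use_vmac requires vmac_xmit_base - setting"` drops the colon that the neighbouring messages put after `(%s)`. Both functions continue outside their hunks.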
Signed-off-by: Quentin Armitage
+
+diff --git a/keepalived/check/ipwrapper.c b/keepalived/check/ipwrapper.c
+index a4c40d6c..4b9ccb6f 100644
+--- a/keepalived/check/ipwrapper.c
++++ b/keepalived/check/ipwrapper.c
+@@ -410,8 +410,8 @@ init_service_rs(virtual_server_t *vs)
+ rs->num_failed_checkers++;
+ }
+
+- if (rs->effective_weight < 1)
+- rs->weight = 1;
++ if (rs->effective_weight < 0)
++ rs->weight = 0;
+ else if (rs->effective_weight > IPVS_WEIGHT_MAX - 1)
+ rs->weight = IPVS_WEIGHT_MAX - 1;
+ else
+@@ -667,9 +667,8 @@ update_svr_wgt(int weight, virtual_server_t * vs, real_server_t * rs
+ {
+ rs->effective_weight = weight;
+
+-/* TODO - handle weight = 0 - ? affects quorum */
+- if (weight <= 0)
+- weight = 1;
++ if (weight < 0)
++ weight = 0;
+ #if IPVS_WEIGHT_MAX != INT_MAX
+ else if (weight > IPVS_WEIGHT_MAX)
+ weight = IPVS_WEIGHT_MAX;
diff --git a/keepalived.spec b/keepalived.spec
index 42994d9..c12b8f6 100644
--- a/keepalived.spec
+++ b/keepalived.spec
@@ -10,7 +10,7 @@ Name: keepalived Summary: High Availability monitor built upon LVS, VRRP and service pollers Version: 2.1.5 -Release: 10%{?dist} +Release: 11%{?dist} License: GPLv2+ URL: http://www.keepalived.org/ Group: System Environment/Daemons
@@ -23,6 +23,10 @@ Patch2: bz1977716-use-LOG_DAEMON-facility-by-default.patch Patch3: bz2028350-fix-dbus-policy-restrictions.patch Patch4: bz2054249-fix-unweighted-track-scripts.patch Patch5: RHEL-49561-validate-ipset-names-better.patch +Patch6: RHEL-7694-dep.patch +Patch7: RHEL-7694.patch +Patch8: RHEL-7699.patch +Patch9: RHEL-66742.patch Requires(post): systemd Requires(preun): systemd
@@ -63,6 +67,10 @@ infrastructures. %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 %build %configure \
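Review bot: In update_svr_wgt (keepalived/check/ipwrapper.c, carried in RHEL-7699.patch), the `/* TODO - handle weight = 0 - ? affects quorum */` comment is removed together with the clamp to 1, but neither hunk shows any quorum handling for a real server whose weight is 0. In IPVS a weight of 0 quiesces the server, so if such a server still counts as alive, a virtual server could hold quorum while nothing is schedulable; please confirm against the quorum code, which is not in view. If that case is handled, replace the TODO with the rule instead of dropping it, e.g. `/* weight 0 is valid: the RS stays configured but quiesced - see quorum accounting */`. Separately, init_service_rs caps at `IPVS_WEIGHT_MAX - 1` while update_svr_wgt caps at `IPVS_WEIGHT_MAX`; that difference predates this change but deserves a comment. Both function bodies extend beyond the hunks.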
@@ -113,6 +121,15 @@ mkdir -p %{buildroot}%{_libexecdir}/keepalived %{_mandir}/man8/keepalived.8* %changelog + +* Fri Jan 31 2025 Christine Caulfield - 2.1.5-11 +- ipvs: Allow real servers to be specified with a weight of 0 + Resolves: RHEL-7699 +- vrrp: Fix using VMACs with unicast peers + Resolves: RHEL-7694 +- lvs: if lost misc check child register checker again + Resolves: RHEL-66742 + * Mon Dec 2 2024 Christine Caulfield - 2.1.5-10 - CVE-2024-41184 Resolves: RHEL-49561