SUSE-RU-2019:0407-1: moderate: Recommended update for keepalived

sle-updates at lists.suse.com
Thu Feb 14 10:32:40 MST 2019


   SUSE Recommended Update: Recommended update for keepalived
______________________________________________________________________________

Announcement ID:    SUSE-RU-2019:0407-1
Rating:             moderate
References:         #1109991 
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for keepalived fixes the following issues:

   - update to 1.4.5:
     * Update snapcraft.yaml for 1.4.x+git
     * Fix generation of git-commit.h with git commit number.
     * Set virtual server address family correctly.
     * Set virtual server address family correctly when using tunnelled real
       servers.
     * Fix handling of virtual servers with no real servers at config time.
     * Add warning if virtual and real servers are different address
       families. Although normally the virtual server and real servers must
       have the same address family, if a real server is tunnelled, the
       address families can be different. However, the kernel didn't support
       that until 3.18, so add a check that the address families are the same
       if different address families are not supported by the kernel.
     * Send correct status in Dbus VrrpStatusChange notification. When an
       instance transitioned from BACKUP to FAULT, the Dbus status change
       message reported the old status (BACKUP) rather than the new status
       (FAULT). This commit attempts to resolve that.
     * doc: ipvs schedulers update
     * Fix a couple of typos in configure.ac.
     * Fix namespace collision with musl if_ether.h.
     * Check if return value from read_value_block() is null before using.
     * Fix reporting real server stats via SNMP.
     * Make checker process handle RTM_NEWLINK messages with -a option. Even
       though the checker process doesn't subscribe to RTNLGRP_LINK messages,
       it appears that older kernels (certainly 2.6.32) can send RTM_NEWLINK
       (but not RTM_DELLINK) messages. This occurs when the link is set to up
       state. Only the VRRP process is interested in link messages, and so
       the checker process doesn't do the necessary initialisation to be able
       to handle RTM_NEWLINK messages. This commit makes the checker process
       simply discard RTM_NEWLINK and RTM_DELLINK messages, rather than
       assuming that if it receives an RTM_NEWLINK message it must be the
       VRRP process. This problem was reported in issue #848 since the
       checker process was segfaulting when a new interface was added when
       the -a command line option was specified.
     * Fix handling RTM_NEWLINK when building without VRRP code.
     * Fix building on Fedora 28. net-snmp-config output can include compiler
       and linker flags that refer to spec files that were used to build
       net-snmp but may not exist on the system building keepalived. That
       would cause the build done by configure to test for net-snmp support
       to fail; in particular on a Fedora 28 system that doesn't have the
       redhat-rpm-config package installed. This commit checks that any spec
       files in the compiler and linker flags returned by net-snmp-config
       exist on the system building keepalived, and if not it removes the
       reference(s) to the spec file(s).
     * keepalived-1.4.3 released.
     * vrrp: setting '0' as default value for ifa_flags to make gcc happy.
     * Add additional libraries when testing for presence of SSL_CTX_new().
       It appears that some systems need -lcrypto when linking with -lssl.
     * Sanitise checking of libnl3 in configure.ac.
     * Report and handle missing '}'s in config files.
     * Add missing '\n' in keepalived.data output.
     * Stop backup taking over as master while master reloads. If a reload
       was initiated just before an advert, and since it took one advert
       interval after a reload before an advert was sent, if the reload
       itself took more than one advert interval, the backup could time out
       and take over as master. This commit makes keepalived send adverts for
       all instances that are master immediately before a reload, and also
       sends adverts immediately after a reload, thereby tripling the time
       available for the reload to complete.
     * Add route option fastopen_no_cookie and rule option l3mdev.
     * Fix errors in KEEPALIVED-MIB.txt.
     * Simplify setting on IN6_ADDR_GEN_MODE.
     * Cosmetic changes to keepalived(8) man page.
     * Don't set ipvs sync daemon to master state before becoming master. If a
       vrrp instance which was the one specified for the ipvs sync daemon was
       configured with initial state master, the sync daemon was being set to
       master mode before the vrrp instance transitioned to master mode. This
       caused an error message when the vrrp instance transitioned to master
       and attempted to make the sync daemon go from backup to master mode.
       This commit stops setting the sync daemon to master mode at
       initialisation time, and it is set to master mode when the vrrp
       instance transitions to master.
     * Fix freeing vector which has not had any entries allocated.
     * Add additional mem-check diagnostics. vector_alloc, vector_alloc_slot,
       vector_free and alloc_strvec all call MALLOC/FREE but the functions
       written in the mem_check log are vector_alloc etc, not the functions
       that call them. This commit adds logging of the originating calling
       function.
     * Fix memory leak in parser.c.
     * Improve alignment of new mem-check logging.
     * Disable all checkers on a virtual server when ha_suspend set. Only the
       first checker was being disabled; this commit now disables all of
       them. Also, make the decision to disable a checker when
       starting/reloading when scheduling the checker, so that the existence
       of the required address can be checked.
     * Stop genhash segfaulting when built with --enable-mem-check.
     * Fix memory allocation problems in genhash.
     * Properly fix memory allocation problems in genhash.
     * Fix persistence_granularity IPv4 netmask validation. The logic test
       from inet_aton() appears to be inverted.
     * Fix segfault when checker configuration is missing expected parameter.
       Issue #806 mentioned as an aside that "nb_get_retry" without a
       parameter was segfaulting. Commit be7ae80 - "Stop segfaulting when
       configuration keyword is missing its parameter" missed the "hidden"
       uses of vector_slot() (i.e. those used via definitions in header
       files). This commit now updates those uses of vector_slot() to use
       strvec_slot() instead.
     * Fix compiling on Linux 2.x kernels. There were missing checks for
       HAVE_DECL_CLONE_NEWNET causing references to an undeclared variable if
       CLONE_NEWNET wasn't defined.
     * Improve parsing of kernel release. The kernel EXTRAVERSION can start
       with any character (although starting with a digit would be daft), so
       relax the check for it starting with a '-'. Kernels using both '+' and
       '.' being the first character of EXTRAVERSION have been reported.
     * Improve grammar.
     * Add support for SNI in SSL_GET check. This adds an `enable_sni`
       parameter to SSL_GET, making sure the check passes the virtualhost in
       the SNI extension during SSL handshake.
     * Optimise setting host name for SSL_GET requests with SNI.
     * Allow SNI to be used with SSL_GET with OpenSSL v1.0.0 and LibreSSL.
     * Use configure to check for SSL_set_tlsext_host_name(). Rather than
       checking for a specific version of the OpenSSL library (and it would
       also need checking the version of the LibreSSL library) let configure
       check for the presence of SSL_set_tlsext_host_name(). Also omit all
       code related to SNI if SSL_set_tlsext_host_name() is not available.
     * Use configure to determine available OpenSSL functionality. Rather than
       using version numbers of the OpenSSL library to determine what
       functions are available, let configure determine whether the functions
       are supported. This also means that the same tests work for LibreSSL.
     * Add support for gratuitous ARPs for IP over Infiniband.
     * Use system header definition instead of local definition IF_HWADDR_MAX.
       linux/netdevice.h has definition MAX_ADDR_LEN, which is 32, whereas
       IF_HWADDR_MAX was locally defined to be 20. Unfortunately we end up
       with more system header file juggling to ensure we don't have
       duplicate definitions.
     * Fix vrrp_script and check_misc scripts of type </dev/tcp/127.0.0.1/80.
     * Add the first pre-defined config definition (${_PWD}). ${_PWD} in a
       configuration file will be replaced with the full path name of the
       directory that keepalived is reading the current configuration file
       from.
     * Open and run the notify fifo and script if no other fifo. Due to the
       way the code was structured the notify_fifo for both checker and vrrp
       messages wasn't run if neither the vrrp nor checker fifo was
       configured. Also, if all three fifos were configured, the general fifo
       script was executed by both the vrrp and checker process, causing
       problems.
     * Add support for Infiniband interfaces when dumping configuration.
     * Tidy up layout in vrrp_arp.c.
     * Add configure check for support of position independent executables
       (PIE).
     * Add check for -pie support, and fix writing to keepalived.data.
     * keepalived-1.4.2 released.
     * Make genhash exit with exit code 1 on error. Issue #766 identified
       that genhash always exits with exit code 1 even if an error has
       occurred.
     * Rationalise printing of http header in genhash.
     * Use http header Content-Length field in HTTP_CHECK/SSL_CHECK. If a
       Content-Length is supplied in the http header, use that as a limit to
       the data length (as wget does). If the length of data received does
       not match the Content-Length log a warning.
     * Optimise parameter passing to fprintf in genhash.
     * Don't declare mark variable if don't have MARK socket option.
     * Fix sync groups with only one member. Commit c88744a0 allowed sync
       groups with only 1 member again, but didn't stop removing the sync
       group if there was only 1 member. This commit now doesn't remove sync
       groups with only one member.
     * Make track scripts work with --enable-debug config option.
     * Add warning if --enable-debug configure option is used.
     * Allow more flexibility of layout of { and } in config files.
       keepalived was a bit fussy about where '{'s and '}'s (braces) could be
       placed in terms of after the keyword, or on a line on their own. It
       certainly was not possible to have multiple braces on one line. This
       commit now provides complete flexibility of where braces are, so long
       as they occur in the correct order.
     * Make alloc_value_block() report block type if there is an error.
     * Simplify alloc_value_block() by using libc string functions.
     * Add dumping of garp delay config when using -d option.
     * Fix fractions of seconds for garp group garp_interval.
     * Make read_value_block() use alloc_value_block(). This removes quite a
       bit of duplication of functionality, and ensures the configuration
       parsing will be more consistent.
     * Fix build with Linux kernel headers v4.15. Linux kernel version 4.15
       changed the libc/kernel headers suppression logic in a way that
       introduces collisions.
     * Add missing command line options to keepalived(8) man page.
     * Fix --dont-release-vrrp. On github, ushuz reported that commit 62e8455
       - "Don't delete vmac interfaces before dropping multicast membership"
       broke --dont-release-vrrp. This commit restores the correct
       functionality.
     * Define _GNU_SOURCE for all compilation units. Rather than defining
       _GNU_SOURCE when needed, let configure add it to the flags passed to
       the C compiler, so that it is defined for all compilation units. This
       ensures consistency.
     * Fix new warnings produced by gcc 8.
     * Fix dumping empty lists. Add a check in dump_list() for an empty list,
       and don't attempt to dump it if it is empty.
     * Resolve conversion-check compiler warnings.
     * Add missing content to installing_keepalived.rst documentation. Issue
       #778 identified that there was text missing at the end of the
       document, and that is now added.
     * Fix systemd service to start after network-online.target. This fix was
       merged downstream by RedHat in response to RHBZ #1413320.
     * Update INSTALL file to describe packages needed for building
       documentation.
     * INSTALL: note linux distro package that provides 'sphinx_rtd_theme'
     * Clear /proc/sys/net/ipv6/conf/IF/disable_ipv6 when creating VMACs. An
       issue was identified where keepalived was reporting permission denied
       when attempting to add an IPv6 address to a VMAC interface. It turned
       out that this was because /proc/sys/net/ipv6/conf/default/disable_ipv6
       was set to 1, causing IPv6 to be disabled on all interfaces that
       keepalived created. This commit clears disable_ipv6 on any VMAC
       interfaces that keepalived creates if the vrrp instance is using IPv6.
   - remove linux-4.15 patch: does not apply anymore and not needed (the
     distros using 4.15 have moved on to keepalived 2.x)

   - Only Require insserv on distributions without systemd.
   - Fix systemd related requires/buildRequires
   - Do not run scriptlets that use insserv when using systemd
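
   The changelog entry "Fix persistence_granularity IPv4 netmask validation"
   refers to an inverted test on inet_aton(). The following is an added
   illustration of that bug class, not code from keepalived or from this
   advisory; the function names and sample inputs are hypothetical, and the
   contiguity check goes beyond what the entry describes.

```c
#define _DEFAULT_SOURCE          /* exposes inet_aton() under strict -std modes */
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* inet_aton() returns non-zero when the string is a VALID address and 0 when
 * it is not, the opposite of the usual "0 means success" C convention. */

/* Inverted test: a valid mask is rejected and an unparsable string is
 * accepted, leaving the zero-initialised address as the "mask". */
static bool granularity_ok_inverted(const char *s, uint32_t *mask_out)
{
    struct in_addr a = { 0 };
    if (inet_aton(s, &a))        /* wrong: non-zero means success */
        return false;
    *mask_out = ntohl(a.s_addr);
    return true;
}

/* Corrected test, plus a contiguity check so that only real netmasks
 * (a run of ones followed by a run of zeros) are accepted. */
static bool granularity_ok(const char *s, uint32_t *mask_out)
{
    struct in_addr a;
    if (!inet_aton(s, &a))       /* 0 means the string did not parse */
        return false;
    uint32_t m = ntohl(a.s_addr);
    uint32_t inv = ~m;           /* for a contiguous mask this is 2^k - 1 */
    if ((inv & (inv + 1)) != 0)
        return false;
    *mask_out = m;
    return true;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "255.255.255.0", "255.0.255.0", "not-a-mask" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t m = 0, n = 0;
        printf("%-15s inverted=%d corrected=%d\n", samples[i],
               granularity_ok_inverted(samples[i], &m),
               granularity_ok(samples[i], &n));
    }
    return 0;
}
```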


Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-407=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2019-407=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2019-407=1



Package List:

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      keepalived-1.4.5-3.3.1
      keepalived-debuginfo-1.4.5-3.3.1
      keepalived-debugsource-1.4.5-3.3.1

   - SUSE OpenStack Cloud 8 (x86_64):

      keepalived-1.4.5-3.3.1
      keepalived-debuginfo-1.4.5-3.3.1
      keepalived-debugsource-1.4.5-3.3.1

   - HPE Helion Openstack 8 (x86_64):

      keepalived-1.4.5-3.3.1
      keepalived-debuginfo-1.4.5-3.3.1
      keepalived-debugsource-1.4.5-3.3.1


References:

   https://bugzilla.suse.com/1109991


