SUSE-RU-2019:0407-1: moderate: Recommended update for keepalived
sle-updates at lists.suse.com
Thu Feb 14 10:32:40 MST 2019
SUSE Recommended Update: Recommended update for keepalived
______________________________________________________________________________
Announcement ID: SUSE-RU-2019:0407-1
Rating: moderate
References: #1109991
Affected Products:
SUSE OpenStack Cloud Crowbar 8
SUSE OpenStack Cloud 8
HPE Helion Openstack 8
______________________________________________________________________________
An update that has one recommended fix can now be installed.
Description:
This update for keepalived fixes the following issues:
- update to 1.4.5:
* Update snapcraft.yaml for 1.4.x+git
* Fix generation of git-commit.h with git commit number.
* Set virtual server address family correctly.
* Set virtual server address family correctly when using tunnelled real
servers.
* Fix handling of virtual servers with no real servers at config time.
* Add warning if virtual and real servers are different address
families. Although normally the virtual server and real servers must
have the same address family, if a real server is tunnelled, the
address families can be different. However, the kernel didn't support
that until 3.18, so add a check that the address families are the same
if different address families are not supported by the kernel.
* Send correct status in Dbus VrrpStatusChange notification. When an
instance transitioned from BACKUP to FAULT, the Dbus status change
message reported the old status (BACKUP) rather than the new status
(FAULT). This commit attempts to resolve that.
* doc: ipvs schedulers update
* Fix a couple of typos in configure.ac.
* Fix namespace collision with musl if_ether.h.
* Check if return value from read_value_block() is null before using.
* Fix reporting real server stats via SNMP.
* Make checker process handle RTM_NEWLINK messages with -a option. Even
though the checker process doesn't subscribe to RTNLGRP_LINK messages,
it appears that older kernels (certainly 2.6.32) can send RTM_NEWLINK
(but not RTM_DELLINK) messages. This occurs when the link is set to up
state. Only the VRRP process is interested in link messages, and so
the checker process doesn't do the necessary initialisation to be able
to handle RTM_NEWLINK messages. This commit makes the checker process
simply discard RTM_NEWLINK and RTM_DELLINK messages, rather than
assuming that if it receives an RTM_NEWLINK message it must be the
VRRP process. This problem was reported in issue #848 since the
checker process was segfaulting when a new interface was added when
the -a command line option was specified.
* Fix handling RTM_NEWLINK when building without VRRP code.
* Fix building on Fedora 28. net-snmp-config output can include compiler
and linker flags that refer to spec files that were used to build
net-snmp but may not exist on the system building keepalived. That
would cause the build done by configure to test for net-snmp support
to fail; in particular on a Fedora 28 system that doesn't have the
redhat-rpm-config package
installed. This commit checks that any spec files in the compiler and
linker flags returned by net-snmp-config exist on the system building
keepalived, and if not it removes the reference(s) to the spec
file(s).
* keepalived-1.4.3 released.
* vrrp: setting '0' as default value for ifa_flags to make gcc happy.
* Add additional libraries when testing for presence of SSL_CTX_new().
It appears that some systems need -lcrypto when linking with -lssl.
* Sanitise checking of libnl3 in configure.ac.
* Report and handle missing '}'s in config files.
* Add missing '\n' in keepalived.data output.
* Stop backup taking over as master while master reloads. If a reload
was initiated just before an advert, and since it took
one advert interval after a reload before an advert was sent, if the
reload itself took more than one advert interval, the backup could
time out and take over as master. This commit makes keepalived send
adverts for all instances that are master immediately before a
reload, and also sends adverts immediately after a reload, thereby
tripling the time available for the reload to complete.
* Add route option fastopen_no_cookie and rule option l3mdev.
* Fix errors in KEEPALIVED-MIB.txt.
* Simplify setting on IN6_ADDR_GEN_MODE.
* Cosmetic changes to keepalived(8) man page.
* Don't set ipvs sync daemon to master state before becoming master. If a
vrrp instance which was the one specified for the ipvs sync daemon was
configured with initial state master, the sync daemon was being set to
master mode before the vrrp instance transitioned to master mode. This
caused an error message when the vrrp instance transitioned to master
and attempted to make the sync daemon go from backup to master mode.
This commit stops setting the sync daemon to master mode at
initialisation time, and it is set to master mode when the vrrp
instance transitions to master.
* Fix freeing vector which has not had any entries allocated.
* Add additional mem-check diagnostics. vector_alloc, vector_alloc_slot,
vector_free and alloc_strvec all call MALLOC/FREE but the functions
written in the mem_check log are vector_alloc etc, not the functions
that call them. This commit adds logging of the originating calling
function.
* Fix memory leak in parser.c.
* Improve alignment of new mem-check logging.
* Disable all checkers on a virtual server when ha_suspend set. Only the
first checker was being disabled; this commit now disables all of
them. Also, make the decision to disable a checker when
starting/reloading when scheduling the checker, so that the existence
of the required address can be checked.
* Stop genhash segfaulting when built with --enable-mem-check.
* Fix memory allocation problems in genhash.
* Properly fix memory allocation problems in genhash.
* Fix persistence_granularity IPv4 netmask validation. The logic test
from inet_aton() appears to be inverted.
* Fix segfault when checker configuration is missing expected parameter.
Issue #806 mentioned as an aside that "nb_get_retry" without a
parameter was segfaulting. Commit be7ae80 - "Stop segfaulting when
configuration keyword is missing its parameter" missed the "hidden"
uses of vector_slot() (i.e. those used via definitions in header
files). This commit now updates those uses of vector_slot() to use
strvec_slot() instead.
* Fix compiling on Linux 2.x kernels. There were missing checks for
HAVE_DECL_CLONE_NEWNET causing references to an undeclared variable if
CLONE_NEWNET wasn't defined.
* Improve parsing of kernel release. The kernel EXTRAVERSION can start
with any character (although starting with a digit would be daft), so
relax the check for it starting with a '-'. Kernels using both '+' and
'.' being the first character of EXTRAVERSION have been reported.
* Improve grammar.
* Add support for SNI in SSL_GET check. This adds an `enable_sni`
parameter to SSL_GET, making sure the check passes the virtualhost in
the SNI extension during SSL handshake.
* Optimise setting host name for SSL_GET requests with SNI.
* Allow SNI to be used with SSL_GET with OpenSSL v1.0.0 and LibreSSL.
* Use configure to check for SSL_set_tlsext_host_name(). Rather than
checking for a specific version of the OpenSSL library (and it would
also need checking the version of the LibreSSL library) let configure
check for the presence of SSL_set_tlsext_host_name(). Also omit all
code related to SNI if SSL_set_tlsext_host_name() is not available.
* Use configure to determine available OpenSSL functionality. Rather than
using version numbers of the OpenSSL library to determine what
functions are available, let configure determine whether the functions
are supported. This also means that the same tests work for LibreSSL.
* Add support for gratuitous ARPs for IP over Infiniband.
* Use system header definition instead of local definition IF_HWADDR_MAX.
linux/netdevice.h has definition MAX_ADDR_LEN, which is 32, whereas
IF_HWADDR_MAX was locally defined to be 20. Unfortunately we end up
with more system header file juggling to ensure we don't have
duplicate definitions.
* Fix vrrp_script and check_misc scripts of type </dev/tcp/127.0.0.1/80.
* Add the first pre-defined config definition (${_PWD}). ${_PWD} in a
configuration file will be replaced with the full path name of the
directory that keepalived is reading the current configuration file
from.
* Open and run the notify fifo and script if no other fifo. Due to the
way the code was structured the notify_fifo for both checker and vrrp
messages wasn't run if neither the vrrp nor checker fifo was
configured. Also, if all three fifos were configured, the general fifo
script was executed by both the vrrp and checker process, causing
problems.
* Add support for Infiniband interfaces when dumping configuration.
* Tidy up layout in vrrp_arp.c.
* Add configure check for support of position independent executables
(PIE).
* Add check for -pie support, and fix writing to keepalived.data.
* keepalived-1.4.2 released.
* Make genhash exit with exit code 1 on error. Issue #766 identified
that genhash always exits with exit code 1 even if an error has
occurred.
* Rationalise printing of http header in genhash.
* Use http header Content-Length field in HTTP_CHECK/SSL_CHECK. If a
Content-Length is supplied in the http header, use that as a limit to
the data length (as wget does). If the length of data received does
not match the Content-Length log a warning.
* Optimise parameter passing to fprintf in genhash.
* Don't declare mark variable if don't have MARK socket option.
* Fix sync groups with only one member. Commit c88744a0 allowed sync
groups with only 1 member again, but didn't stop removing the sync
group if there was only 1 member. This commit now doesn't remove sync
groups with only one member.
* Make track scripts work with --enable-debug config option.
* Add warning if --enable-debug configure option is used.
* Allow more flexibility of layout of { and } in config files.
keepalived was a bit fussy about where '{'s and '}'s (braces) could be
placed in terms of after the keyword, or on a line on their own. It
certainly was not possible to have multiple braces on one line. This
commit now provides complete flexibility of where braces are, so long
as they occur in the correct order.
* Make alloc_value_block() report block type if there is an error.
* Simplify alloc_value_block() by using libc string functions.
* Add dumping of garp delay config when using -d option.
* Fix fractions of seconds for garp group garp_interval.
* Make read_value_block() use alloc_value_block(). This removes quite a
bit of duplication of functionality, and ensures the configuration
parsing will be more consistent.
* Fix build with Linux kernel headers v4.15. Linux kernel version 4.15
changed the libc/kernel headers suppression logic in a way that
introduces collisions.
* Add missing command line options to keepalived(8) man page.
* Fix --dont-release-vrrp. On github, ushuz reported that commit 62e8455
- "Don't delete vmac interfaces before dropping multicast membership"
broke --dont-release-vrrp. This commit restores the correct
functionality.
* Define _GNU_SOURCE for all compilation units. Rather than defining
_GNU_SOURCE when needed, let configure add it to the flags passed to
the C compiler, so that it is defined for all compilation units. This
ensures consistency.
* Fix new warnings produced by gcc 8.
* Fix dumping empty lists. Add a check in dump_list() for an empty list,
and don't attempt to dump it if it is empty.
* Resolve conversion-check compiler warnings.
* Add missing content to installing_keepalived.rst documentation. Issue
#778 identified that there was text missing at the end of the
document, and that is now added.
* Fix systemd service to start after network-online.target. This fix was
merged downstream by RedHat in response to RHBZ #1413320.
* Update INSTALL file to describe packages needed for building
documentation.
* INSTALL: note linux distro package that provides 'sphinx_rtd_theme'
* Clear /proc/sys/net/ipv6/conf/IF/disable_ipv6 when create VMACs. An
issue was identified where keepalived was reporting permission denied
when attempting to add an IPv6 address to a VMAC interface. It turned
out that this was because /proc/sys/net/ipv6/conf/default/disable_ipv6
was set to 1, causing IPv6 to be disabled on all interfaces that
keepalived created. This commit clears disable_ipv6 on any VMAC
interfaces that keepalived creates if the vrrp instance is using IPv6.
- remove linux-4.15 patch: does not apply anymore and not needed (the
distros using 4.15 have moved on to keepalived 2.x)
- Only Require insserv on distributions without systemd.
- Fix systemd related requires/buildRequires
- Do not run scriptlets that use insserv when using systemd
Patch Instructions:
To install this SUSE Recommended Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE OpenStack Cloud Crowbar 8:
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-407=1
- SUSE OpenStack Cloud 8:
zypper in -t patch SUSE-OpenStack-Cloud-8-2019-407=1
- HPE Helion Openstack 8:
zypper in -t patch HPE-Helion-OpenStack-8-2019-407=1
Package List:
- SUSE OpenStack Cloud Crowbar 8 (x86_64):
keepalived-1.4.5-3.3.1
keepalived-debuginfo-1.4.5-3.3.1
keepalived-debugsource-1.4.5-3.3.1
- SUSE OpenStack Cloud 8 (x86_64):
keepalived-1.4.5-3.3.1
keepalived-debuginfo-1.4.5-3.3.1
keepalived-debugsource-1.4.5-3.3.1
- HPE Helion Openstack 8 (x86_64):
keepalived-1.4.5-3.3.1
keepalived-debuginfo-1.4.5-3.3.1
keepalived-debugsource-1.4.5-3.3.1
References:
https://bugzilla.suse.com/1109991