[conntrack-tools] script: rework scripts that enable interaction with keepalived

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Sat Aug 2 18:51:40 CEST 2008


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=c403246424350bae14a30fc6a115608ca15f2aa1
commit c403246424350bae14a30fc6a115608ca15f2aa1
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sat Aug 2 18:51:34 2008 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sat Aug 2 18:51:34 2008 +0200

    script: rework scripts that enable interaction with keepalived
    
    This patch reworks the documentation section. It removes the replicated
    keepalived.conf files and merges all the scripts into one to reduce
    confusion and improve maintainability.
    
    It's likely that the documentation directory will undergo further
    restructuring in the near future.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
       via  c403246424350bae14a30fc6a115608ca15f2aa1 (commit)
      from  03f7de56efc6747eb6b4895c03aa2efaaed80efe (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c403246424350bae14a30fc6a115608ca15f2aa1
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Sat Aug 2 18:51:34 2008 +0200

    script: rework scripts that enable interaction with keepalived
    
    This patch reworks the documentation section. It removes the replicated
    keepalived.conf files and merge all the scripts into one to reduce
    confusion and improve maintainability.
    
    It's likely that the documentation directory will suffer more
    restructurations in the near future.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------

 doc/sync/alarm/script_backup.sh      |    3 -
 doc/sync/alarm/script_master.sh      |    4 --
 doc/sync/ftfw/keepalived.conf        |   39 --------------
 doc/sync/ftfw/script_backup.sh       |    3 -
 doc/sync/ftfw/script_master.sh       |    5 --
 doc/sync/{alarm => }/keepalived.conf |    9 ++-
 doc/sync/notrack/keepalived.conf     |   39 --------------
 doc/sync/notrack/script_backup.sh    |    3 -
 doc/sync/notrack/script_master.sh    |    5 --
 doc/sync/primary-backup.sh           |   94 ++++++++++++++++++++++++++++++++++
 10 files changed, 100 insertions(+), 104 deletions(-)
 delete mode 100644 doc/sync/alarm/script_backup.sh
 delete mode 100644 doc/sync/alarm/script_master.sh
 delete mode 100644 doc/sync/ftfw/keepalived.conf
 delete mode 100644 doc/sync/ftfw/script_backup.sh
 delete mode 100644 doc/sync/ftfw/script_master.sh
 rename doc/sync/{alarm => }/keepalived.conf (81%)
 delete mode 100644 doc/sync/notrack/keepalived.conf
 delete mode 100644 doc/sync/notrack/script_backup.sh
 delete mode 100644 doc/sync/notrack/script_master.sh
 create mode 100755 doc/sync/primary-backup.sh
This patch reworks the documentation section. It removes the replicated
keepalived.conf files and merge all the scripts into one to reduce
confusion and improve maintainability.

It's likely that the documentation directory will suffer more
restructurations in the near future.

Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

diff --git a/doc/sync/alarm/keepalived.conf b/doc/sync/alarm/keepalived.conf
deleted file mode 100644
index f937467..0000000
--- a/doc/sync/alarm/keepalived.conf
+++ /dev/null
@@ -1,39 +0,0 @@
-vrrp_sync_group G1 {   # must be before vrrp_instance declaration
-  group {
-    VI_1
-    VI_2
-  }
-  notify_master /etc/conntrackd/script_master.sh
-  notify_backup /etc/conntrackd/script_backup.sh
-#  notify_fault /etc/conntrackd/script_fault.sh
-}
-
-vrrp_instance VI_1 {
-    interface eth1
-    state SLAVE
-    virtual_router_id 61
-    priority 80
-    advert_int 3
-    authentication {
-      auth_type PASS
-      auth_pass papas_con_tomate
-    }
-    virtual_ipaddress {
-        192.168.0.100   # default CIDR mask is /32
-    }
-}
-
-vrrp_instance VI_2 {
-    interface eth0
-    state SLAVE
-    virtual_router_id 62
-    priority 80
-    advert_int 3
-    authentication {
-      auth_type PASS
-      auth_pass papas_con_tomate
-    }
-    virtual_ipaddress {
-        192.168.1.100
-    }
-}
diff --git a/doc/sync/alarm/script_backup.sh b/doc/sync/alarm/script_backup.sh
deleted file mode 100644
index 8ea2ad8..0000000
--- a/doc/sync/alarm/script_backup.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-/usr/sbin/conntrackd -B
diff --git a/doc/sync/alarm/script_master.sh b/doc/sync/alarm/script_master.sh
deleted file mode 100644
index 70c26c9..0000000
--- a/doc/sync/alarm/script_master.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-/usr/sbin/conntrackd -c
-/usr/sbin/conntrackd -R
diff --git a/doc/sync/ftfw/keepalived.conf b/doc/sync/ftfw/keepalived.conf
deleted file mode 100644
index f937467..0000000
--- a/doc/sync/ftfw/keepalived.conf
+++ /dev/null
@@ -1,39 +0,0 @@
-vrrp_sync_group G1 {   # must be before vrrp_instance declaration
-  group {
-    VI_1
-    VI_2
-  }
-  notify_master /etc/conntrackd/script_master.sh
-  notify_backup /etc/conntrackd/script_backup.sh
-#  notify_fault /etc/conntrackd/script_fault.sh
-}
-
-vrrp_instance VI_1 {
-    interface eth1
-    state SLAVE
-    virtual_router_id 61
-    priority 80
-    advert_int 3
-    authentication {
-      auth_type PASS
-      auth_pass papas_con_tomate
-    }
-    virtual_ipaddress {
-        192.168.0.100   # default CIDR mask is /32
-    }
-}
-
-vrrp_instance VI_2 {
-    interface eth0
-    state SLAVE
-    virtual_router_id 62
-    priority 80
-    advert_int 3
-    authentication {
-      auth_type PASS
-      auth_pass papas_con_tomate
-    }
-    virtual_ipaddress {
-        192.168.1.100
-    }
-}
diff --git a/doc/sync/ftfw/script_backup.sh b/doc/sync/ftfw/script_backup.sh
deleted file mode 100644
index 813e375..0000000
--- a/doc/sync/ftfw/script_backup.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-/usr/sbin/conntrackd -n # request a resync from other nodes via multicast
diff --git a/doc/sync/ftfw/script_master.sh b/doc/sync/ftfw/script_master.sh
deleted file mode 100644
index ff1dbc0..0000000
--- a/doc/sync/ftfw/script_master.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-
-/usr/sbin/conntrackd -c # commit the cache
-/usr/sbin/conntrackd -f # flush the caches
-/usr/sbin/conntrackd -R # resync with kernel conntrack table
diff --git a/doc/sync/keepalived.conf b/doc/sync/keepalived.conf
new file mode 100644
index 0000000..b7638a7
--- /dev/null
+++ b/doc/sync/keepalived.conf
@@ -0,0 +1,42 @@
+#
+# Simple script for primary-backup setups
+#
+
+vrrp_sync_group G1 {   # must be before vrrp_instance declaration
+  group {
+    VI_1
+    VI_2
+  }
+  notify_master /etc/conntrackd/primary-backup.sh
+  notify_backup /etc/conntrackd/primary-backup.sh
+}
+
+vrrp_instance VI_1 {
+    interface eth1
+    state SLAVE
+    virtual_router_id 61
+    priority 80
+    advert_int 3
+    authentication {
+      auth_type PASS
+      auth_pass papas_con_tomate
+    }
+    virtual_ipaddress {
+        192.168.0.100   # default CIDR mask is /32
+    }
+}
+
+vrrp_instance VI_2 {
+    interface eth0
+    state SLAVE
+    virtual_router_id 62
+    priority 80
+    advert_int 3
+    authentication {
+      auth_type PASS
+      auth_pass papas_con_tomate
+    }
+    virtual_ipaddress {
+        192.168.1.100
+    }
+}
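Review bot: Both notify lines at 223–224 invoke `/etc/conntrackd/primary-backup.sh` without an argument, while the script added in this commit dispatches on `case "$1"` with `master`/`backup` arms and exits 1 with a usage message otherwise, so unless keepalived appends the state word itself both transitions land in the usage branch. Quoting the command with its argument fixes this: `notify_master "/etc/conntrackd/primary-backup.sh master"` and `notify_backup "/etc/conntrackd/primary-backup.sh backup"`. The `auth_pass papas_con_tomate` value at 235 and 250 is a sample credential carried over from the deleted copies; a trailing comment such as `# sample value, change per site` would stop it being deployed verbatim. The deleted configs also carried a commented-out `notify_fault` hook, which the consolidated script has no arm for; the header comment at 214–216 could say so.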
diff --git a/doc/sync/notrack/keepalived.conf b/doc/sync/notrack/keepalived.conf
deleted file mode 100644
index f937467..0000000
--- a/doc/sync/notrack/keepalived.conf
+++ /dev/null
@@ -1,39 +0,0 @@
-vrrp_sync_group G1 {   # must be before vrrp_instance declaration
-  group {
-    VI_1
-    VI_2
-  }
-  notify_master /etc/conntrackd/script_master.sh
-  notify_backup /etc/conntrackd/script_backup.sh
-#  notify_fault /etc/conntrackd/script_fault.sh
-}
-
-vrrp_instance VI_1 {
-    interface eth1
-    state SLAVE
-    virtual_router_id 61
-    priority 80
-    advert_int 3
-    authentication {
-      auth_type PASS
-      auth_pass papas_con_tomate
-    }
-    virtual_ipaddress {
-        192.168.0.100   # default CIDR mask is /32
-    }
-}
-
-vrrp_instance VI_2 {
-    interface eth0
-    state SLAVE
-    virtual_router_id 62
-    priority 80
-    advert_int 3
-    authentication {
-      auth_type PASS
-      auth_pass papas_con_tomate
-    }
-    virtual_ipaddress {
-        192.168.1.100
-    }
-}
diff --git a/doc/sync/notrack/script_backup.sh b/doc/sync/notrack/script_backup.sh
deleted file mode 100644
index 813e375..0000000
--- a/doc/sync/notrack/script_backup.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-/usr/sbin/conntrackd -n # request a resync from other nodes via multicast
diff --git a/doc/sync/notrack/script_master.sh b/doc/sync/notrack/script_master.sh
deleted file mode 100644
index ff1dbc0..0000000
--- a/doc/sync/notrack/script_master.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-
-/usr/sbin/conntrackd -c # commit the cache
-/usr/sbin/conntrackd -f # flush the caches
-/usr/sbin/conntrackd -R # resync with kernel conntrack table
diff --git a/doc/sync/primary-backup.sh b/doc/sync/primary-backup.sh
new file mode 100755
index 0000000..fddff3b
--- /dev/null
+++ b/doc/sync/primary-backup.sh
@@ -0,0 +1,94 @@
+#!/bin/sh
+# 
+# (C) 2008 by Pablo Neira Ayuso <pablo at netfilter.org>
+#
+# This software may be used and distributed according to the terms
+# of the GNU General Public License, incorporated herein by reference.
+#
+# Description:
+#
+# This is the script for primary-backup setups for keepalived
+# (http://www.keepalived.org). You may adapt it to make it work with other
+# high-availability managers.
+#
+# Do not forget to include the required modifications to your keepalived.conf
+# file to invoke this script during keepalived's state transitions.
+#
+# Contributions to improve this script are welcome :).
+#
+
+CONNTRACKD_BIN=/usr/sbin/conntrackd
+CONNTRACKD_LOCK=/var/lock/conntrack.lock
+CONNTRACKD_CONFIG=/etc/conntrackd/conntrackd.conf
+
+case "$1" in
+  master)
+    #
+    # commit the external cache into the kernel table
+    #
+    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c
+    if [ $? -eq 1 ]
+        logger "ERROR: failed to invoke conntrackd -c"
+
+    #
+    # flush the internal and the external caches
+    #
+    $CONNTRACKD_BIN -C $CONNTRACK_CONFIG -f
+    if [ $? -eq 1 ]
+    	logger "ERROR: failed to invoke conntrackd -f"
+
+    #
+    # resynchronize my internal cache to the kernel table
+    #
+    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -R
+    if [ $? -eq 1 ]
+    	logger "ERROR: failed to invoke conntrackd -R"
+    ;;
+  backup)
+    #
+    # is conntrackd running? request some statistics to check it
+    #
+    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -s
+    if [ $? -eq 1 ]
+    then
+        #
+	# something's wrong, do we have a lock file?
+	#
+    	if [ -f $CONNTRACKD_LOCK ]
+	then
+	    logger "WARNING: conntrackd was not cleanly stopped."
+	    logger "If you suspect that it has crashed:"
+	    logger "1) Enable coredumps"
+	    logger "2) Try to reproduce the problem"
+	    logger "3) Post the coredump to netfilter-devel at vger.kernel.org"
+	    rm -f $CONNTRACKD_LOCK
+	fi
+	$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -d
+	if [ $? -eq 1 ]
+	then
+	    logger "ERROR: cannot launch conntrackd"
+	    exit 1
+	fi
+    fi
+    #
+    # shorten kernel conntrack timers to remove the zombie entries.
+    #
+    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
+    if [ $? -eq 1 ]
+    	logger "ERROR: failed to invoke conntrackd -t"
+
+    #
+    # request resynchronization with master firewall replica (if any)
+    # Note: this does nothing in the alarm approach.
+    #
+    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -n
+    if [ $? -eq 1 ]
+    	logger "ERROR: failed to invoke conntrackd -n"
+    ;;
+  *)
+    echo "Usage: primary-backup.sh {primary|backup}"
+    exit 1
+    ;;
+esac
+
+exit 0
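Review bot: Every `if [ $? -eq 1 ]` guard in the new script (lines 356, 363, 370, 403, 411) lacks `then`/`fi`, so `sh` rejects the file with a syntax error before any `conntrackd` call runs; the backup branch at 378 shows the intended form. Line 362 also expands `$CONNTRACK_CONFIG` (the variable defined at 348 is `CONNTRACKD_CONFIG`), so the flush would be run with `-C` followed directly by `-f` instead of the config path, and the usage text at 415 advertises `primary` while the `case` at 351 matches `master`. Testing `-eq 1` only reports one failure code; `-ne 0` covers every non-zero exit, and the same applies to the `-s`/`-d` checks at 378 and 393. The fenced excerpt shows the corrected master branch and usage arm; the guards at 403 and 411 take the same shape.
```shell
  master)
    # commit the external cache into the kernel table
    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c
    if [ $? -ne 0 ]; then
        logger "ERROR: failed to invoke conntrackd -c"
    fi

    # flush the internal and the external caches
    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -f
    if [ $? -ne 0 ]; then
        logger "ERROR: failed to invoke conntrackd -f"
    fi

    # resynchronize my internal cache to the kernel table
    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -R
    if [ $? -ne 0 ]; then
        logger "ERROR: failed to invoke conntrackd -R"
    fi
    ;;
  # … unchanged: backup branch (same then/fi and -ne 0 fix at 403 and 411) …
  *)
    echo "Usage: primary-backup.sh {master|backup}"
    exit 1
    ;;
```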


