From b2b1270b8583110d3c3cb5c9fa7eda9da2b160ee Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 7 Aug 2019 18:40:48 +0200 Subject: [PATCH] keepalived: Add support for VRRP over unicast. Run the check script using an unprivileged user. --- library/roles/keepalived/defaults/main.yml | 9 +++++ library/roles/keepalived/tasks/main.yml | 38 ++++++++++++++----- .../keepalived/templates/keepalived.conf.j2 | 38 +++++++++++++++++-- 3 files changed, 72 insertions(+), 13 deletions(-) diff --git a/library/roles/keepalived/defaults/main.yml b/library/roles/keepalived/defaults/main.yml index d960786..7a24eff 100644 --- a/library/roles/keepalived/defaults/main.yml +++ b/library/roles/keepalived/defaults/main.yml @@ -10,11 +10,20 @@ keepalived_pkg_state: latest keepalived_pkgs: - keepalived +keepalived_use_unicast: False +keepalived_unicast_src_ip: '{{ ansible_default_ipv4.address }}' +keepalived_unicast_peer_ip: + - 127.0.0.1 + - 127.0.0.2 keepalived_mcast_addr: 224.0.0.0/8 keepalived_floating_ip1: 127.0.0.1 keepalived_script1_name: chk_haproxy keepalived_inst_priority: 100 keepalived_vrouter_id: 51 +keepalived_non_local_bind: True + +keepalived_enable_script_security: True +keepalived_script_username: keepalived_script keepalived_nagios_check: False keepalived_notify_script: /usr/local/bin/keepalived_notify diff --git a/library/roles/keepalived/tasks/main.yml b/library/roles/keepalived/tasks/main.yml index d0fa892..b76a6fa 100644 --- a/library/roles/keepalived/tasks/main.yml +++ b/library/roles/keepalived/tasks/main.yml @@ -1,22 +1,43 @@ --- - block: - - name: Install the keepalived repository apt_repository: repo={{ keepalived_repo }} update_cache=yes when: ansible_distribution_major_version <= '16' - name: Install the keepalived package - apt: name={{ item }} state={{ keepalived_pkg_state }} update_cache=yes cache_valid_time=1800 - with_items: '{{ keepalived_pkgs }}' + apt: name={{ keepalived_pkgs }} state={{ keepalived_pkg_state }} cache_valid_time=1800 + + - name: Install the user that the keepalived scripts will run under + user: name={{ keepalived_script_username }} home=/var/lib/keepalived createhome=no shell=/usr/sbin/nologin system=yes - name: Install the keepalived configuration - template: src=keepalived.conf.j2 dest=/etc/keepalived/keepalived.conf + template: src=keepalived.conf.j2 dest=/etc/keepalived/keepalived.conf owner=root group=root mode=0600 notify: restart keepalived - name: Install the keepalived notify scripts - template: src=keepalived_notify.sh.j2 dest={{ item.notify }} owner=root group=root mode=0754 + template: src=keepalived_notify.sh.j2 dest={{ item.notify }} owner=root group={{ keepalived_script_username }} mode=0754 with_items: '{{ keepalived_instances }}' - + + - name: Set the kernel net.ipv4.ip_nonlocal_bind sysctl + sysctl: + reload: yes + state: present + name: net.ipv4.ip_nonlocal_bind + sysctl_set: yes + sysctl_file: /etc/sysctl.d/90-keepalived + value: 1 + when: keepalived_non_local_bind + + - name: Disable the kernel net.ipv4.ip_nonlocal_bind sysctl if not needed + sysctl: + reload: yes + state: absent + name: net.ipv4.ip_nonlocal_bind + sysctl_set: yes + sysctl_file: /etc/sysctl.d/90-keepalived + value: 1 + when: not keepalived_non_local_bind + - name: Install the keepalived NRPE nagios check copy: src=check_keepalived_state dest={{ nagios_plugins_dir }}/check_keepalived_state owner=root group=root mode=0555 with_items: '{{ keepalived_instances }}' @@ -38,12 +59,9 @@ tags: keepalived when: keepalived_install - - block: - - name: Remove the keepalived package if we do not want it - apt: name={{ item }} state=absent - with_items: '{{ keepalived_pkgs }}' + apt: name={{ keepalived_pkgs }} state=absent - name: Remove the keepalived notify scripts file: dest={{ item.notify }} state=absent diff --git a/library/roles/keepalived/templates/keepalived.conf.j2 b/library/roles/keepalived/templates/keepalived.conf.j2 index 68c3f63..e7ce9db 100644 --- a/library/roles/keepalived/templates/keepalived.conf.j2 +++ b/library/roles/keepalived/templates/keepalived.conf.j2 @@ -1,11 +1,20 @@ +global_defs { + {% if keepalived_enable_script_security %} + + enable_script_security + script_user {{ keepalived_script_username }} + + {% endif %} +} + {% for script in keepalived_scripts %} vrrp_script {{ script.name }} { script "{{ script.script }}" interval {{ script.interval | default(1) }} weight {{ script.weight | default(2) }} - fall: {{ script.fall | default(3) }} - raise: {{ script.raise | default(2) }} - timeout: {{ script.timeout | default(5) }} + fall {{ script.fall | default(3) }} + rise {{ script.raise | default(2) }} + timeout {{ script.timeout | default(5) }} } {% endfor %} @@ -13,20 +22,29 @@ vrrp_script {{ script.name }} { vrrp_instance {{ instance.name }} { interface {{ instance.interface }} {% if instance.state is defined %} + state {{ instance.state }} + {% endif %} virtual_router_id {{ instance.vrouter_id }} priority {{ instance.priority }} {% if instance.notify is defined %} + notify {{ instance.notify }} + {% endif %} {% if instance.nopreempt is defined and instance.nopreempt %} + nopreempt + {% endif %} {% if instance.authentication is defined %} + authentication { auth_type {{ instance.authentication }} auth_pass {{ instance.authpass }} + } + {% endif %} virtual_ipaddress { {% for addr in instance.v_addr %} @@ -39,11 +57,25 @@ vrrp_instance {{ instance.name }} { {% endfor %} } {% if instance.track_interface is defined %} + track_interface { {% for if in instance.track_interface %} {{ if }} {% endfor %} } + + {% endif %} + {% if keepalived_use_unicast %} + + unicast_src_ip {{ keepalived_unicast_src_ip }} + unicast_peer { + + {% for ipaddr in keepalived_unicast_peer_ip %} + {{ ipaddr }} + {% endfor %} + + } + {% endif %} } {% endfor %}