keepalived: Add support for VRRP over unicast. Run the check script using an unprivileged user.

2019-08-07 18:40:48 +02:00 · 2019-08-07 18:40:48 +02:00 · b2b1270b85
parent 60128ad596
commit b2b1270b85
3 changed files with 72 additions and 13 deletions
--- a/library/roles/keepalived/defaults/main.yml
+++ b/library/roles/keepalived/defaults/main.yml
@ -10,11 +10,20 @@ keepalived_pkg_state: latest
 keepalived_pkgs:
  - keepalived

+keepalived_use_unicast: False
+keepalived_unicast_src_ip: '{{ ansible_default_ipv4.address }}'
+keepalived_unicast_peer_ip:
+  - 127.0.0.1
+  - 127.0.0.2
 keepalived_mcast_addr: 224.0.0.0/8
 keepalived_floating_ip1: 127.0.0.1
 keepalived_script1_name: chk_haproxy
 keepalived_inst_priority: 100
 keepalived_vrouter_id: 51
+keepalived_non_local_bind: True
+
+keepalived_enable_script_security: True
+keepalived_script_username: keepalived_script

 keepalived_nagios_check: False
 keepalived_notify_script: /usr/local/bin/keepalived_notify
--- a/library/roles/keepalived/tasks/main.yml
+++ b/library/roles/keepalived/tasks/main.yml
@ -1,22 +1,43 @@
 ---
 - block:
-    
    - name: Install the keepalived repository
      apt_repository: repo={{ keepalived_repo }} update_cache=yes
      when: ansible_distribution_major_version <= '16'

    - name: Install the keepalived package
-      apt: name={{ item }} state={{ keepalived_pkg_state }}  update_cache=yes cache_valid_time=1800
-      with_items: '{{ keepalived_pkgs }}'
+      apt: name={{ keepalived_pkgs }} state={{ keepalived_pkg_state }} cache_valid_time=1800
+
+    - name: Install the user that the keepalived scripts will run under
+      user: name={{ keepalived_script_username }} home=/var/lib/keepalived createhome=no shell=/usr/sbin/nologin system=yes

    - name: Install the keepalived configuration
-      template: src=keepalived.conf.j2 dest=/etc/keepalived/keepalived.conf
+      template: src=keepalived.conf.j2 dest=/etc/keepalived/keepalived.conf owner=root group=root mode=0600
      notify: restart keepalived

    - name: Install the keepalived notify scripts
-      template: src=keepalived_notify.sh.j2 dest={{ item.notify }} owner=root group=root mode=0754
+      template: src=keepalived_notify.sh.j2 dest={{ item.notify }} owner=root group={{ keepalived_script_username }} mode=0754
      with_items: '{{ keepalived_instances }}'
-      
+
+    - name: Set the kernel net.ipv4.ip_nonlocal_bind sysctl
+      sysctl: 
+        reload: yes
+        state: present
+        name: net.ipv4.ip_nonlocal_bind
+        sysctl_set: yes
+        sysctl_file: /etc/sysctl.d/90-keepalived
+        value: 1
+      when: keepalived_non_local_bind
+
+    - name: Disable the kernel net.ipv4.ip_nonlocal_bind sysctl if not needed
+      sysctl: 
+        reload: yes
+        state: absent
+        name: net.ipv4.ip_nonlocal_bind
+        sysctl_set: yes
+        sysctl_file: /etc/sysctl.d/90-keepalived
+        value: 1
+      when: not keepalived_non_local_bind
+
    - name: Install the keepalived NRPE nagios check
      copy: src=check_keepalived_state dest={{ nagios_plugins_dir }}/check_keepalived_state  owner=root group=root mode=0555
      with_items: '{{ keepalived_instances }}'
@ -38,12 +59,9 @@
  tags: keepalived
  when: keepalived_install

-
 - block:
-    
    - name: Remove the keepalived package if we do not want it
-      apt: name={{ item }} state=absent
-      with_items: '{{ keepalived_pkgs }}'
+      apt: name={{ keepalived_pkgs }} state=absent

    - name: Remove the keepalived notify scripts
      file: dest={{ item.notify }} state=absent
--- a/library/roles/keepalived/templates/keepalived.conf.j2
+++ b/library/roles/keepalived/templates/keepalived.conf.j2
@ -1,11 +1,20 @@
+global_defs {
+    {% if keepalived_enable_script_security %}
+
+    enable_script_security
+    script_user {{ keepalived_script_username }}
+
+    {% endif %}
+}
+
 {% for script in keepalived_scripts %}
 vrrp_script {{ script.name }} {
        script "{{ script.script }}"
        interval {{ script.interval | default(1) }}
        weight {{ script.weight | default(2) }}
-        fall: {{ script.fall | default(3) }}
-        raise: {{ script.raise | default(2) }}
-        timeout: {{ script.timeout | default(5) }}
+        fall {{ script.fall | default(3) }}
+        rise {{ script.raise | default(2) }}
+        timeout {{ script.timeout | default(5) }}
 }
 {% endfor %}

@ -13,20 +22,29 @@ vrrp_script {{ script.name }} {
 vrrp_instance {{ instance.name }} {
        interface {{ instance.interface }}
        {% if instance.state is defined %}
+
        state {{ instance.state }}
+
        {% endif %}
        virtual_router_id {{ instance.vrouter_id }}
        priority {{ instance.priority }}
        {% if instance.notify is defined %}
+
        notify {{ instance.notify }}
+
        {% endif %}
        {% if instance.nopreempt is defined and instance.nopreempt %}
+
        nopreempt
+
        {% endif %}
        {% if instance.authentication is defined %}
+
        authentication {
            auth_type {{ instance.authentication }}
            auth_pass {{ instance.authpass }}
+        }
+
        {% endif %}
        virtual_ipaddress {
        {% for addr in instance.v_addr %}
@ -39,11 +57,25 @@ vrrp_instance {{ instance.name }} {
        {% endfor %}
        }
        {% if instance.track_interface is defined %}
+
        track_interface {
        {% for if in instance.track_interface %}
            {{ if }}
        {% endfor %}
        }
+
+        {% endif %}
+        {% if keepalived_use_unicast %}
+
+        unicast_src_ip {{ keepalived_unicast_src_ip }}
+        unicast_peer {
+
+            {% for ipaddr in keepalived_unicast_peer_ip %}
+            {{ ipaddr }}
+            {% endfor %}
+
+        }
+
        {% endif %}
 }
 {% endfor %}