Hi,
The VRRP health-check script is not working in VyOS 1.3.
The VyOS VRRP configuration is as follows:
Master node:
group INSIDE {
    interface eth2
    no-preempt
    priority 200
    virtual-address 10.1.4.3/24
    vrid 20
}
group OUTERSIDE {
    health-check {
        failure-count 1
        interval 30
        script /config/scripts/vrrp-check.sh
    }
    interface eth1
    no-preempt
    priority 200
    transition-script {
        backup /config/scripts/dmvpn-backup.sh
        fault /config/scripts/dmvpn-backup.sh
        master /config/scripts/dmvpn-master.sh
    }
    virtual-address 33.1.4.6/24
    vrid 10
}
sync-group MAIN {
    member INSIDE
    member OUTERSIDE
}
Backup node:
group INSIDE {
    interface eth2
    no-preempt
    priority 50
    virtual-address 10.1.4.3/24
    vrid 20
}
group OUTSIDE {
    health-check {
        failure-count 1
        interval 30
        script /config/scripts/vrrp-check.sh
    }
    interface eth1
    no-preempt
    priority 50
    transition-script {
        backup /config/scripts/dmvpn-backup.sh
        fault /config/scripts/dmvpn-backup.sh
        master /config/scripts/dmvpn-master.sh
    }
    virtual-address 33.1.4.6/24
    vrid 10
}
sync-group MAIN {
    member INSIDE
    member OUTSIDE
}
First of all, start VRRP and check the VRRP log:
vyos Keepalived_vrrp[31108]:Registering Kernel netlink reflector
vyos Keepalived_vrrp[31108]:Registering Kernel netlink command channel
vyos Keepalived_vrrp[31108]:Opening file '/etc/keepalived/keepalived.conf'
vyos Keepalived_vrrp[31108]:Starting SNMP subagent
vyos Keepalived_vrrp[31108]:NET-SNMP version 5.7.3 AgentX subagent connected
vyos Keepalived_vrrp[31108]:Unsafe permissions found for script '/config/scripts/vrrp-check.sh'
vyos Keepalived_vrrp[31108]:SECURITY VIOLATION - scripts are being executed but script_security not enabled. There are insecure scripts.
vyos Keepalived_vrrp[31108]:Registering gratuitous ARP shared channel
vyos Keepalived_vrrp[31108]:Script 'healthcheck_OUTSIDE' now returning 1
vyos Keepalived_vrrp[31108]:VRRP_Script(healthcheck_OUTSIDE)failed (exited with status 1)
vyos Keepalived_vrrp[31108]:(OUTSIDE) Entering FAULT STATE
vyos Keepalived_vrrp[31108]:VRRP_Group(MAIN) Syncing instances to FAULT state
vyos Keepalived_vrrp[31108]:(INSIDE) Entering FAULT STATE
Then I added 'enable_script_security' to the global_defs section in '/etc/keepalived/keepalived.conf':
global_defs {
    dynamic_interfaces
    script_user root
    enable_script_security
    notify_fifo /run/keepalived_notify_fifo
    notify_fifo_script /usr/libexec/vyos/system/keepalived-fifo.py
}
Restart VRRP and check the VRRP log again:
vyos Keepalived_vrrp[31591]:Registering Kernel netlink reflector
vyos Keepalived_vrrp[31591]:Registering Kernel netlink command channel
vyos Keepalived_vrrp[31591]:Opening file '/etc/keepalived/keepalived.conf'
vyos Keepalived_vrrp[31591]:Starting SNMP subagent
vyos Keepalived_vrrp[31591]:NET-SNMP version 5.7.3 AgentX subagent connected
vyos Keepalived_vrrp[31591]:Unsafe permissions found for script '/config/scripts/vrrp-check.sh' - disabling.
vyos Keepalived_vrrp[31591]:Disabling track script healthcheck_OUTSIDE due to insecure
vyos Keepalived_vrrp[31591]:Registering gratuitous ARP shared channel
vyos Keepalived_vrrp[31591]:(INSDIE) Entering BACKUP STATE (init)
vyos Keepalived_vrrp[31591]:(OUTSIDE) Entering BACKUP STATE (init)
The scripts attributes are as follows:
ls -al /config/scripts
-rwxr-xr-x 1 root vyattacfg 24 Feb 23 02:10 dmvpn-backup.sh
-rwxr-xr-x 1 root vyattacfg 131 Feb 23 06:46 dmvpn-master.sh
-rwxr-xr-x 1 root vyattacfg 254 Feb 23 08:24 vrrp-check.sh
-rwxr-xr-x 1 root vyattacfg 230 Jan 26 04:29 vyos-postconfig-bootup.script
I tried to change the script permission and group to solve this issue, but unfortunately I did not get the key point.
I would really appreciate it if you have any ideas!
Best regards,
Arvin
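
The keepalived.conf(5) man page describes enable_script_security as refusing to run root scripts "if any part of the path is writable by a non-root user", so the check covers every parent directory as well as the script file shown in the listing above. The following shell functions are an added example, not part of the original post and not keepalived's or VyOS's own code; they approximate that rule (the exact internal checks are an assumption) and report which component of a script's path would be considered unsafe. The function names are hypothetical and GNU stat/readlink are assumed.

```shell
#!/bin/sh
# Approximates the documented script_security rule: no part of the script's
# path may be writable by a non-root user. keepalived's exact internal checks
# may differ (assumption); the function names here are hypothetical.

# component_unsafe UID GID MODE [TRUSTED_UID]
# Prints a reason and returns 0 if someone other than the trusted user
# (default uid 0) can modify the component; returns 1 if it is safe.
component_unsafe() {
    c_uid=$1 c_gid=$2 c_mode=$3 c_trusted=${4:-0}
    if [ "$c_uid" -ne "$c_trusted" ]; then
        echo "owned by uid $c_uid"; return 0
    fi
    if [ $(( 0$c_mode & 0020 )) -ne 0 ] && [ "$c_gid" -ne 0 ]; then
        echo "group-writable by gid $c_gid"; return 0
    fi
    if [ $(( 0$c_mode & 0002 )) -ne 0 ]; then
        echo "world-writable"; return 0
    fi
    return 1
}

# audit_script_path SCRIPT [TRUSTED_UID]
# Walks from the script up to / and prints every unsafe component.
# Returns 0 if the whole path is clean, 1 if anything was flagged.
audit_script_path() {
    a_path=$(readlink -f -- "$1") || return 2
    a_trusted=${2:-0}
    a_bad=0
    while :; do
        # GNU stat: %u owner uid, %g group gid, %a octal mode
        a_stat=$(stat -c '%u %g %a' -- "$a_path") || return 2
        # $a_stat is left unquoted on purpose so it splits into three arguments
        if a_why=$(component_unsafe $a_stat "$a_trusted"); then
            echo "UNSAFE $a_path ($a_why)"
            a_bad=1
        fi
        [ "$a_path" = "/" ] && break
        a_path=$(dirname -- "$a_path")
    done
    return "$a_bad"
}

# Usage on the router (script path taken from the post):
#   audit_script_path /config/scripts/vrrp-check.sh
```

Any line it prints names a file or directory whose ownership or mode would need tightening before keepalived accepts the health-check script with script security enabled.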