Hi,
The vrrp health-check script is not working in vyos1.3.
The VyOS VRRP configuration is as follows:
Master node:
    group INSIDE {
        interface eth2
        no-preempt
        priority 200
        virtual-address 10.1.4.3/24
        vrid 20
    }
    group OUTERSIDE {
        health-check {
            failure-count 1
            interval 30
            script /config/scripts/vrrp-check.sh
        }
        interface eth1
        no-preempt
        priority 200
        transition-script {
            backup /config/scripts/dmvpn-backup.sh
            fault /config/scripts/dmvpn-backup.sh
            master /config/scripts/dmvpn-master.sh
        }
        virtual-address 33.1.4.6/24
        vrid 10
    }
    sync-group MAIN {
        member INSIDE
        member OUTERSIDE
    }
Backup node:
    group INSIDE {
        interface eth2
        no-preempt
        priority 50
        virtual-address 10.1.4.3/24
        vrid 20
    }
    group OUTSIDE {
        health-check {
            failure-count 1
            interval 30
            script /config/scripts/vrrp-check.sh
        }
        interface eth1
        no-preempt
        priority 50
        transition-script {
            backup /config/scripts/dmvpn-backup.sh
            fault /config/scripts/dmvpn-backup.sh
            master /config/scripts/dmvpn-master.sh
        }
        virtual-address 33.1.4.6/24
        vrid 10
    }
    sync-group MAIN {
        member INSIDE
        member OUTSIDE
    }
First of all, start vrrp and check the vrrp log
    vyos Keepalived_vrrp[31108]:Registering Kernel netlink reflector
    vyos Keepalived_vrrp[31108]:Registering Kernel netlink command channel
    vyos Keepalived_vrrp[31108]:Opening file '/etc/keepalived/keepalived.conf'
    vyos Keepalived_vrrp[31108]:Starting SNMP subagent
    vyos Keepalived_vrrp[31108]:NET-SNMP version 5.7.3 AgentX subagent connected
    vyos Keepalived_vrrp[31108]:Unsafe permissions found for script '/config/scripts/vrrp-check.sh'
    vyos Keepalived_vrrp[31108]:SECURITY VIOLATION - scripts are being executed but script_security not enabled. There are insecure scripts.
    vyos Keepalived_vrrp[31108]:Registering gratuitous ARP shared channel
    vyos Keepalived_vrrp[31108]:Script 'healthcheck_OUTSIDE' now returning 1
    vyos Keepalived_vrrp[31108]:VRRP_Script(healthcheck_OUTSIDE)failed (exited with status 1)
    vyos Keepalived_vrrp[31108]:(OUTSIDE) Entering FAULT STATE
    vyos Keepalived_vrrp[31108]:VRRP_Group(MAIN) Syncing instances to FAULT state
    vyos Keepalived_vrrp[31108]:(INSIDE) Entering FAULT STATE
Then I added 'enable_script_security' to the global_defs section in '/etc/keepalived/keepalived.conf':
    global_defs {
        dynamic_interfaces
        script_user root
        enable_script_security
        notify_fifo /run/keepalived_notify_fifo
        notify_fifo_script /usr/libexec/vyos/system/keepalived-fifo.py
    }
Restart vrrp and check the vrrp log again
    vyos Keepalived_vrrp[31591]:Registering Kernel netlink reflector
    vyos Keepalived_vrrp[31591]:Registering Kernel netlink command channel
    vyos Keepalived_vrrp[31591]:Opening file '/etc/keepalived/keepalived.conf'
    vyos Keepalived_vrrp[31591]:Starting SNMP subagent
    vyos Keepalived_vrrp[31591]:NET-SNMP version 5.7.3 AgentX subagent connected
    vyos Keepalived_vrrp[31591]:Unsafe permissions found for script '/config/scripts/vrrp-check.sh' - disabling.
    vyos Keepalived_vrrp[31591]:Disabling track script healthcheck_OUTSIDE due to insecure
    vyos Keepalived_vrrp[31591]:Registering gratuitous ARP shared channel
    vyos Keepalived_vrrp[31591]:(INSDIE) Entering BACKUP STATE (init)
    vyos Keepalived_vrrp[31591]:(OUTSIDE) Entering BACKUP STATE (init)
The scripts attributes are as follows:
    ls -al /config/scripts
    -rwxr-xr-x 1 root vyattacfg  24 Feb 23 02:10 dmvpn-backup.sh
    -rwxr-xr-x 1 root vyattacfg 131 Feb 23 06:46 dmvpn-master.sh
    -rwxr-xr-x 1 root vyattacfg 254 Feb 23 08:24 vrrp-check.sh
    -rwxr-xr-x 1 root vyattacfg 230 Jan 26 04:29 vyos-postconfig-bootup.script
I tried to change the script permission and group to solve this issue, but unfortunately I did not get the key point.
I would really appreciate it if you have any ideas!
Best regards,
Arvin
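
Added example, not part of the original post and not keepalived's own code: the keepalived.conf man page describes enable_script_security as refusing to run root scripts when any part of the path is writable by a non-root user, so the directories above a script matter as well as the file permissions shown in the listing. The sketch below walks every component of a path and reports owner, group-write and world-write problems. The function names and the exact three checks are assumptions that approximate that rule, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: approximates the "no part of the path writable by non-root"
# rule. Function names are hypothetical; this is not keepalived's code.
# Usage on the router: audit_path /config/scripts/vrrp-check.sh

# component_problems UID GID MODE -> prints comma-separated reasons, or nothing
component_problems() {
    local uid="$1" gid="$2" mode="$3" out=""
    if [ "$uid" -ne 0 ]; then
        out="owner-not-root"
    fi
    # Group write is only a problem when the group is not root's (gid 0).
    if [ "$gid" -ne 0 ] && [ $(( 0$mode & 020 )) -ne 0 ]; then
        out="${out:+$out,}group-writable"
    fi
    if [ $(( 0$mode & 002 )) -ne 0 ]; then
        out="${out:+$out,}world-writable"
    fi
    printf '%s' "$out"
}

# audit_path PATH -> one "<component>: <reasons>" line per unsafe component.
# Returns 0 if every component passes, 1 if any fails, 2 on stat errors.
audit_path() {
    local p s uid gid mode rest why bad=0
    p=$(readlink -f -- "$1") || return 2
    while :; do
        s=$(stat -c '%u %g %a' -- "$p") || return 2
        # Split "uid gid mode" without bash-only syntax.
        uid=${s%% *}; rest=${s#* }; gid=${rest%% *}; mode=${rest#* }
        why=$(component_problems "$uid" "$gid" "$mode")
        if [ -n "$why" ]; then
            printf '%s: %s\n' "$p" "$why"
            bad=1
        fi
        if [ "$p" = "/" ]; then
            break
        fi
        p=$(dirname -- "$p")
    done
    return "$bad"
}
```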