Bug 1517723
| Summary: | Warning messages about the keepalived script appear in the pod log | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Meng Bo <bmeng> |
| Component: | Networking | Assignee: | Ivan Chavero <ichavero> |
| Networking sub component: | router | QA Contact: | zhaozhanqi <zzhao> |
| Status: | CLOSED DUPLICATE | Docs Contact: | |
| Severity: | low | | |
| Priority: | medium | CC: | aglotov, aos-bugs, bbennett, bperkins, glamb, marc.popp, openshift-bugs-escalate |
| Version: | 3.7.0 | | |
| Target Milestone: | --- | | |
| Target Release: | 3.10.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-06-05 17:39:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

FYI: using the custom config by `oadm ipfailover ipf --create --virtual-ips=172.16.120.200 --check-script=/root/check.sh --notify-script=/root/notify.sh` is working, see logs:

```
VRRP_Instance(ipf_VIP_1) removing protocol VIPs.
Unsafe permissions found for script '/root/notify.sh'.
Unsafe permissions found for script '/root/check.sh'.
SECURITY VIOLATION - scripts are being executed but script_security not enabled. There are insecure scripts.
Using LinkWatch kernel netlink reflector...
VRRP sockpool: [ifindex(2), proto(112), unicast(0), fd(9,10)]
VRRP_Script(chk_ipf) succeeded
VRRP_Instance(ipf_VIP_1) Transition to MASTER STATE
VRRP_Instance(ipf_VIP_1) Entering MASTER STATE
VRRP_Instance(ipf_VIP_1) setting protocol VIPs.
Sending gratuitous ARP on eth0 for 172.16.120.200
VRRP_Instance(ipf_VIP_1) Sending/queueing gratuitous ARPs on eth0 for 172.16.120.200
Sending gratuitous ARP on eth0 for 172.16.120.200
Sending gratuitous ARP on eth0 for 172.16.120.200
Sending gratuitous ARP on eth0 for 172.16.120.200
Sending gratuitous ARP on eth0 for 172.16.120.200
Opening script file /root/notify.sh
Sending gratuitous ARP on eth0 for 172.16.120.200
```

There is a bug in keepalived that is related to this: https://github.com/acassen/keepalived/issues/653

We are chasing this over on https://bugzilla.redhat.com/show_bug.cgi?id=1576398. They are the same issue.

*** This bug has been marked as a duplicate of bug 1576398 ***

Description of problem:
After creating the keepalived ipfailover pod, some warning messages about the script issue appear in the pod log.

Version-Release number of selected component (if applicable):
openshift3/ose-keepalived-ipfailover:v3.7.9

How reproducible:
always

Steps to Reproduce:
1. Create routers on each node
2. Create ipfailover on each node which is monitoring port 80
3. Check the ipfailover pod logs after creation

   ```
   [root@ose-master ~]# oc logs ipfailover-1-794pn
   ....
   Unable to resolve default script username 'keepalived_script' - ignoring
   ....
   Unable to access script `</dev/tcp/10.66.140.199/80`
   Disabling track script chk_ipfailover since not found
   Using LinkWatch kernel netlink reflector...
   ....
   ```

4. Run the script in the pod manually and the script works well

   ```
   [root@ose-master ~]# oc rsh ipfailover-1-794pn
   sh-4.2# </dev/tcp/10.66.140.199/80
   sh-4.2# echo $?
   0
   ```

Actual results:
There are some warnings related to the script on each pod.

Expected results:
Should not have such script issues.

Additional info:
The keepalived conf on pod:

```
sh-4.2# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   notification_email {
     root@localhost
   }
   notification_email_from ipfailover
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   router_id ipfailover
}

vrrp_script chk_ipfailover {
   script "</dev/tcp/10.66.140.199/80"
   interval 2
}

vrrp_instance ipfailover_VIP_1 {
   interface eth0
   virtual_router_id 21
   priority 19
   preempt_delay 300
   authentication {
      auth_type PASS
      auth_pass ipfailover
   }
   track_script {
      chk_ipfailover
   }
   virtual_ipaddress {
      10.66.140.100 dev eth0
   }
}
```

For the username issue in the first line, there is a RHEL bug https://bugzilla.redhat.com/show_bug.cgi?id=1477563 which should have been fixed in keepalived-1.3.5-3.el7, and we are using version keepalived-1.3.5-1.el7.x86_64.
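
The two kinds of script warning in this report ("Unable to access script" and "Unsafe permissions found") can be checked for before a pod is deployed. The following audit is an added example, not code from the bug report or from keepalived; the function names are hypothetical, and the rule that "unsafe" means not owned by the trusted UID or writable by group/other is an assumption rather than keepalived's exact check.

```python
import os
import re
import stat

# The vrrp_script block copied from the keepalived.conf in this report.
SAMPLE_CONF = '''
vrrp_script chk_ipfailover {
   script "</dev/tcp/10.66.140.199/80"
   interval 2
}
'''

BLOCK_RE = re.compile(r'vrrp_script\s+(\S+)\s*\{(.*?)\}', re.S)
SCRIPT_RE = re.compile(r'^\s*script\s+(.+?)\s*$', re.M)


def script_commands(conf_text):
    """Return {vrrp_script name: command string} from keepalived.conf text."""
    found = {}
    for name, body in BLOCK_RE.findall(conf_text):
        m = SCRIPT_RE.search(body)
        if m:
            found[name] = m.group(1).strip('"\'')
    return found


def audit_command(command, trusted_uid=0):
    """Classify one script command: 'not-a-file', 'unsafe-permissions' or 'ok'."""
    parts = command.split()
    if not parts or not os.path.isfile(parts[0]):
        # e.g. the bash redirection "</dev/tcp/host/port": the log in this report
        # shows keepalived 1.3.5 answering "Unable to access script" and
        # disabling the track script, so the health check never runs.
        return "not-a-file"
    st = os.stat(parts[0])
    # Assumed rule (hypothetical, see lead-in): wrong owner or group/other-writable.
    if st.st_uid != trusted_uid or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "unsafe-permissions"
    return "ok"


def audit_conf(conf_text, trusted_uid=0):
    """Audit every vrrp_script block in the given configuration text."""
    return {name: audit_command(cmd, trusted_uid)
            for name, cmd in script_commands(conf_text).items()}


if __name__ == "__main__":
    for name, verdict in audit_conf(SAMPLE_CONF).items():
        print(f"{name}: {verdict}")
```
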