umich-arc / keepalived Goto Github PK
View Code? Open in Web Editor NEWAlpine based container for keepalived
License: MIT License
keepalived's People
Stargazers
Watchers
Forkers
whloyi kuzhuxuan raghulmz aleks-mariusz sangkyunyoon haoling qianchenglong novit-io jiazemin claudio-walser net-sec yuuichihosomi litalidev josonjiang phozzy imwower quiquecmtt marksims therevomankeepalived's Issues
error when container is not cleanly shut down: "daemon is already running"
doing some HA testing, i powered down the host running docker that has this keepalived docker container running.. when the host came back up, the keepalive daemon continually complains about it already running:
Tue Aug 7 19:09:56 2018: Starting Keepalived v1.3.9 (11/11,2017)
Tue Aug 7 19:09:56 2018: Opening file '/etc/keepalived/keepalived.conf'.
Tue Aug 7 19:09:56 2018: daemon is already running
Tue Aug 7 19:09:57 2018: Starting Keepalived v1.3.9 (11/11,2017)
Tue Aug 7 19:09:57 2018: Opening file '/etc/keepalived/keepalived.conf'.
Tue Aug 7 19:09:57 2018: daemon is already running
Tue Aug 7 19:09:57 2018: Starting Keepalived v1.3.9 (11/11,2017)
Tue Aug 7 19:09:57 2018: Opening file '/etc/keepalived/keepalived.conf'.
Tue Aug 7 19:09:57 2018: daemon is already running
Tue Aug 7 19:09:59 2018: Starting Keepalived v1.3.9 (11/11,2017)
Tue Aug 7 19:09:59 2018: Opening file '/etc/keepalived/keepalived.conf'.
Tue Aug 7 19:09:59 2018: daemon is already running
Tue Aug 7 19:10:00 2018: Starting Keepalived v1.3.9 (11/11,2017)
Tue Aug 7 19:10:00 2018: Opening file '/etc/keepalived/keepalived.conf'.
Tue Aug 7 19:10:00 2018: daemon is already running
Tue Aug 7 19:10:02 2018: Starting Keepalived v1.3.9 (11/11,2017)
Tue Aug 7 19:10:02 2018: Opening file '/etc/keepalived/keepalived.conf'.
Tue Aug 7 19:10:02 2018: daemon is already running
anyway to clear this condition? or modify the dockerfile/scripts to recover from this situation ?
Clarification for SERVICE_KEEPALIVED_CMD env variable
Please clarify the usage of SERVICE_KEEPALIVED_CMD env variable at row 130 of the init.sh script.
Thanks
understanding chk_kube_apiserver.sh functionality
one of the reasons i love this particular container image for keepalived (there are quite a few out there) is the promise of integrating detection of available apiserver daemon running.
it was not something i was prepared to play with initially (as i was still getting familiar with kubernetes itself), but once i felt ready and started to look at this functionality, i couldn't get it to work properly. i might just be misunderstanding its design, so i'm opening this issue to discuss and hopefully figure out if it is designed in a way that would fit for my use-case, or if maybe it can/should be adjusted to work for me.
so as i'm trying to lab up a k8s cluster w/ HA, i have 3 master nodes that all have the api-server running. i bring up the first master node, and use this docker image with keepalived (along with a second nginx container to proxy across the 2 other systems also running api-server). this docker container starts and takes the VIP and i use the VIP address to apiserver as the advertise address, and the primary/main IP (so non-loopback) address as the listen-address.
the idea that keepalived should only take/serve the VIP if the apiserver is running, is brililant. unfortunately because of the way i have my apiserver NOT listening on localhost, this check doesn't ever succeed with the script on my host. and i continually see this from the container log:
Tue Aug 7 19:56:16 2018: /usr/lib/keepalived/scripts/chk_kube_apiserver.sh x.x.x.131 6443 exited with status 1
Tue Aug 7 19:56:19 2018: /usr/lib/keepalived/scripts/chk_kube_apiserver.sh x.x.x.131 6443 exited with status 1
Tue Aug 7 19:56:22 2018: /usr/lib/keepalived/scripts/chk_kube_apiserver.sh x.x.x.131 6443 exited with status 1
but I notice that on the next line, the script checks to see if the $vip is available on any interface, and the value of $vip passed into the script, in my case is the actual main IP of the node hosting the container (not the VIP), and this check fails (so it never tries the second curl)
So for example, the above log entries are from a host on x.x.x.131, and here is how i am starting the container when i have this issue:
docker run -d --net=host --cap-add NET_ADMIN \
--name k8s_api_keepalived --restart always \
-e KEEPALIVED_AUTOCONF=true \
-e KEEPALIVED_STATE=MASTER \
-e KEEPALIVED_INTERFACE=$INTERFACE \
-e KEEPALIVED_VIRTUAL_ROUTER_ID=2 \
-e KEEPALIVED_UNICAST_PEER_1=x.x.x.132 \
-e KEEPALIVED_UNICAST_PEER_2=x.x.x.133 \
-e KEEPALIVED_KUBE_APISERVER_CHECK=true \
-e KUBE_APISERVER_ADDRESS=x.x.x.131 \
-e KEEPALIVED_TRACK_INTERFACE_1=$INTERFACE \
-e KEEPALIVED_VIRTUAL_IPADDRESS_1="x.x.x.130/24 dev $INTERFACE" \
arcts/keepalived
So could you please comment and help me figure out if/how the init.sh/chk_kube_apiserver.sh script can/should be modified to work in my use case, when the apiserver is NOT listening on localhost (and i can't have it simply bind to 0.0.0.0 as then it would also bind on the VIP), and the vip passed into the script is the main IP (and not detected in the container).
should i be passing in the .130 address as KUBE_APISERVER_ADDRESS? I would think that keepalived would not take this address until the script succeeds, which would never happen as the address isn't listed.
i am also confused why this check fails, since when i'm in the container and i run ip addr, it successfully sees the main IP:
/usr/lib/keepalived/scripts # ip addr | grep -c x.x.x.131
1
Health Check for chk_kube_apiserver.sh script
Hello,
thanks for sharing this awesome project. I noticed that the chk_kube_apiserver.sh script checks the / of the APIs server and having authorisation errors in the APIs server logs.
curl --silent --max-time 2 --insecure "https://$vip:$port/"
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
"reason": "Forbidden",
"details": {
},
"code": 403
}
I would suggest to use the health check instead /healthz
Here a rewite
#!/bin/sh
vip="$1"
port="$2"
errorExit() {
echo "*** $*" 1>&2
exit 1
}
curl --silent --max-time 2 --insecure "https://localhost:$port/healthz" -o /dev/null || errorExit "Error GET https://localhost:$port/healthz"
if ip addr | grep -q "$vip"; then
curl --silent --max-time 2 --insecure "https://$vip:$port/healthz" -o /dev/null || errorExit "Error GET https://$vip:$port/healthz"
fi
Thanks
Use GH actions for the scheduled image build
The current image is quite old. I propose to create a GH actions workflow for a scheduled image build.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.