|
Hi ratz,
As you can see, my code need to be cleaned :). I have just implement this
on the scratch for a quick installation.
o Your signalhandling code looks somewhat fishy in keepalived.c.
What if a signal occurs during the execution of logmessage? Why
don't you use sigaction with that installs the signalhandler back
after exec? This is the code I mean:
if (signal(SIGTERM,sig_handler) == SIG_IGN)
signal(SIGTERM,SIG_IGN);
signal(SIGINT,sig_handler);
signal(SIGHUP,sig_handler);
void sig_handler(int signum)
{
keep_going=0;
ClearLst(lstVS);
logmessage("Ending keepalived daemon\n",getpid());
signal(signum,sig_handler);
}
You are right, this one of the things that I must update. In fact I will
probably use syslog call to log daemon message.
o What happens if your tcpcheck can't connect? eg firewall,
tcpwrapper? IMHO your code will timeout for some long time.
How about implementing some kind of timer in tcpcheck.c?
Just think about if this tcpcheck blocks the further checks
until it's timeouted? Maybe I've overseen something in your
code but I can't see how you handle this problem.
In fact, the tcpcheck perform an half open connection check. Tcpcheck build
a TCP SYN packet and send it to the remote destination. Then a recvfrom
process incoming packets. If the SYN ACK is not received then the check
return false. I have tested this tcpcheck.c scanning windows, solaris,
linux, ... and it seems to work.
For me this tcpcheck fonction is quick and dirty for many reasons, like : I
only check is the SYN ACK flag for the test, i do not consider SEQ number,
nor IP/TCPPORT to be sure that this packet came from the right server
tested. So if you implement a quick progy that send to the daemon tcp
packets flagged to SYN ACK, the tcpcheck will allways consider that the
server is not corrupt (and it can be).
Tcpcheck is a mission critical fonction. I am working with the new version
that will consider all TCP/IP pacquet incoming feild to return the state of
the tcp destination port tested. The main change must be :
1. Create a timer pool check : i send 3 SYN until a SYN ACK from the remote
destination is recieved, if not the check is false
2. To prevent keepalived against abuse attack, tcpcheck.c must consider the
tcp sequence (even ethernet MAC) => as you know you can abuse this strategy
but I think it must be done at once.
o I suggest you have a look at the http_get attached in this
mail. With it you could even perform simple base64 and ssl
authentication. So SSL healthchecks would be a part of your
deamon too.
Great ! :) i have planed to integrated openssl to perform this check, but
it will help me if I can start wih an existing check.
I hope that too and I hope I haven't insulted you with my
suggestions.
Of course NOT ! I am working for learning. So if you have any other
suggestions or source codes, no problems for me !
regards,
Alexandre
|
