{"id":19015152,"url":"https://github.com/adfinis/base4kids2-keepalived-scripts","last_synced_at":"2025-06-10T11:34:09.251Z","repository":{"id":68508327,"uuid":"167151384","full_name":"adfinis/base4kids2-keepalived-scripts","owner":"adfinis","description":"Keepalived notify, alerts and check scripts for Base4Kids2","archived":false,"fork":false,"pushed_at":"2019-02-12T14:53:14.000Z","size":44,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-30T08:33:20.168Z","etag":null,"topics":["base4kids","keepalived"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/adfinis.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-01-23T09:02:44.000Z","updated_at":"2019-02-12T14:53:17.000Z","dependencies_parsed_at":"2023-03-11T03:46:03.669Z","dependency_job_id":null,"html_url":"https://github.com/adfinis/base4kids2-keepalived-scripts","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adfinis%2Fbase4kids2-keepalived-scripts","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adfinis%2Fbase4kids2-keepalived-scripts/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adfinis%2Fbase4kids2-keepalived-scripts/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adfinis%2Fbase4kids2-keepalived-scripts/manifes
ts","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/adfinis","download_url":"https://codeload.github.com/adfinis/base4kids2-keepalived-scripts/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adfinis%2Fbase4kids2-keepalived-scripts/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259067299,"owners_count":22800306,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["base4kids","keepalived"],"created_at":"2024-11-08T19:35:49.140Z","updated_at":"2025-06-10T11:34:09.186Z","avatar_url":"https://github.com/adfinis.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# base4kids2-keepalived-scripts\n[Keepalived](http://www.keepalived.org/) notify, alerts and check scripts for\n[Base4Kids](http://www.base4kids.ch).\n\nThis repository contains a collection of Keepalived VRRP scripts that can be\ndeployed in the appropriate `/usr/libexec/keepalived` directory. Further\ninstructions on configuration and usage for these scripts can be found in the\nrespective sections below.\n\n## VRRP scripts overview\nThis section outlines how the VRRP scripts work internally.\n\n### Generic process check\nThe [`keepalived-check-process.sh`](libexec/keepalived-check-process.sh) script\ncan be used to check the presence of a local process which resides behind a\ncommon virtual IP address coordinated by Keepalived and VRRP. 
It requires no\nfurther configuration on part of the services.\n\nThis VRRP script checks for the existence of the process `$processName` on the\nlocal host using the command:\n\n`killall -0 $processName`\n\nThe `-0` (SIGNULL) flag does not send a real signal to the process, but rather\nchecks if Keepalived would be allowed to send a signal to the process (i.e., a\nprobe). In case the `killall` operation fails (return code != 0), Keepalived\nwill remove a possible active VRRP virtual IP from this host.\n\nEven though the script only executes the single `killall` command, it was\ndecided to create a dedicated script in order to deploy it into the correct\nSELinux location. Otherwise, SELinux blocks the execution of `killall`.\n\n### Keepalived LDAP multi-master check\nThe [`keepalived-check-ldap.sh`](libexec/keepalived-check-ldap.sh) script is\nintended to be used together with an LDAP multi-master setup which resides\nbehind a common virtual IP address coordinated by Keepalived and VRRP.\n\nIt tries to bind to an LDAP service and modifies a certain attribute in order\nto check if the service is available. It returns 0 on success or a non-zero\nexit status on failures, so it can be easily integrated as a Keepalived\ntracking script.\n\nThe script needs to be installed on all LDAP multi-master systems and\nreferenced by the local Keepalived. It was tested on a [389\ndirectory](https://directory.fedoraproject.org/) multi-master setup.\n\nA dedicated service user will be used to bind to the directory and perform the\nperiodic LDAP modify operations. 
Every LDAP master has a dedicated LDAP leaf\nentry corresponding to its hostname, such as:\n* `cn=keepalived-ldap-01,ou=Monitoring,dc=example,dc=com`\n* `cn=keepalived-ldap-02,ou=Monitoring,dc=example,dc=com`\n\nOn the above entries the `description` attribute (by default) will be changed to\nthe following value:\n`\u003cSCRIPT-NAME\u003e: Last update from \u003cHOSTNAME\u003e on \u003cYYYY\u003e-\u003cMM\u003e-\u003cDD\u003eT\u003cHH\u003e:\u003cMM\u003e:\u003cSS\u003e+00:00`.\n\nIn case the `ldapmodify` operation fails, Keepalived will remove a possible\nactive VRRP virtual IP from this host.\n\n## Usage\n### General usage instructions\nTo use the keepalived scripts, install [Keepalived](http://www.keepalived.org/)\nfrom your distribution's package repository (or build it from source), clone\nthis repository and use the provided [Makefile](Makefile) to configure and\ninstall the files.\n```bash\n# install keepalived (example for RedHat/CentOS based systems)\nyum install keepalived\n\n# Clone the repository (either via HTTPS or SSH)\ngit clone https://github.com/adfinis-sygroup/base4kids2-keepalived-scripts.git\ngit clone git@github.com:adfinis-sygroup/base4kids2-keepalived-scripts.git\n\n# Install the provided scripts and configuration\ncd base4kids2-keepalived-scripts\nmake install prefix=/usr sysconfdir=/etc\n\n# If you don't feel comfortable to install directly into /usr, make sure to\n# install at least the scripts into the Keepalived libexec folder (this will\n# ensure, that possible SELinux contexts will be applied correctly).\ncd base4kids2-keepalived-scripts\nmake install keepalivedlibexecdir=/usr/libexec/keepalived\n```\n\n### Usage instructions for the generic process check\nFollow the [general usage instructions above](#general-usage-instructions).\n\nConfigure Keepalived to include the script on all nodes (make sure to adapt the\nprocess name, host names, interface, IP addresses and VRRP secret accordingly).\n```bash\nvi 
/etc/keepalived/keepalived.conf\n```\n\nFor instance, to probe a `haproxy` process, use this configuration:\n```\nvrrp_script check_process {\n  script \"/usr/libexec/keepalived/keepalived-check-process.sh -p haproxy\"\n  interval 15\n  fall 2\n  rise 2\n}\n\nvrrp_instance VI_1 {\n  state MASTER\n  interface ens33\n  virtual_router_id 34\n  priority 100\n  advert_int 1\n  authentication {\n    auth_type PASS\n    auth_pass MY-VRRP-SECRET\n  }\n\n  unicast_src_ip 192.168.0.11\n  unicast_peer {\n    192.168.0.12\n  }\n\n\n  virtual_ipaddress {\n    192.168.0.10/24\n  }\n  track_script {\n   check_process\n  }\n}\n```\nRestart Keepalived:\n```bash\nsystemctl restart keepalived.service\njournalctl -f -u keepalived.service\n```\n\nScript usage:\n```bash\n./libexec/keepalived-check-process.sh -h\n```\n```\nUsage: keepalived-check-process.sh [-p KEEPALIVED_CHECK_PROCESS_NAME] [-dhv]\n                                   KEEPALIVED_CHECK_PROCESS_NAME\n    -p   Process name to check\n    -d   Enable debug messages\n    -h   Display this help and exit\n    -v   Display the version and exit\n\n    Note, that the process name is also overridable via environment variables.\n```\n\n### Usage instructions for Keepalived LDAP multi-master check\nFollow the [general usage instructions above](#general-usage-instructions). For\nthis VRRP script it is assumed that you already have a working LDAP\nmulti-master setup up and running. 
Afterwards, you will have to create an LDAP\nservice user as well as the basic DIT structure required for the service check.\n\nThe following example LDIFs are provided; you need to modify them to suit your\nenvironment.\n* [`keepalived-service-user.ldif`](share/keepalived-service-user.ldif)\n* [`keepalived-check-ldap.ldif`](share/keepalived-check-ldap.ldif)\n\nThose were also installed and are available at\n`\u003cPREFIX\u003e/share/base4kids2-keepalived-scripts`.\n\nCreate the service user:\n```bash\n# Modify the service user LDIF to suit your environment (DN and userPassword)\nvi share/keepalived-service-user.ldif\n\n# Load the LDIF (adapt the bind DN and LDAP URI)\nldapadd -f share/keepalived-service-user.ldif \\\n        -x \\\n        -D \"cn=Directory Manager\" \\\n        -W \\\n        -H ldaps://ldap-01.example.com\n```\n\nCreate the base entries for the check script:\n```bash\n# Modify the keepalived check ldap LDIF to suit your environment (DN and\n# hostnames for all LDAP multi master hosts)\nvi share/keepalived-check-ldap.ldif\n\n# Load the LDIF (adapt the bind DN and LDAP URI)\nldapadd -f share/keepalived-check-ldap.ldif \\\n        -x \\\n        -D \"cn=Directory Manager\" \\\n        -W \\\n        -H ldaps://ldap-01.example.com\n```\n\nWrite the LDAP service user's password to the LDAP passwd file (make sure that\nthere is no trailing newline).\n```bash\necho -n \"changeme\" \u003e \u003cPREFIX\u003e/etc/keepalived-check-ldap.passwd\n```\n\nConfigure Keepalived to include the script on all nodes (make sure to adapt the\nhost names, interface, IP addresses and VRRP secret accordingly).\n```bash\nvi /etc/keepalived/keepalived.conf\n```\n```\nvrrp_script check_ldap {\n  script \"/usr/libexec/keepalived/keepalived-check-ldap.sh -b dc=example,dc=com -H ldaps://ldap-01.example.com\"\n  interval 15\n  fall 2\n  rise 2\n}\n\nvrrp_instance VI_1 {\n  state MASTER\n  interface ens33\n  virtual_router_id 34\n  priority 100\n  advert_int 1\n  
authentication {\n    auth_type PASS\n    auth_pass MY-VRRP-SECRET\n  }\n\n  unicast_src_ip 192.168.0.11\n  unicast_peer {\n    192.168.0.12\n  }\n\n\n  virtual_ipaddress {\n    192.168.0.10/24\n  }\n  track_script {\n   check_ldap\n  }\n}\n```\n\nRestart Keepalived:\n```bash\nsystemctl restart keepalived.service\njournalctl -f -u keepalived.service\n```\n\nScript usage:\n```bash\n./libexec/keepalived-check-ldap.sh -h\n```\n```\nUsage: keepalived-check-ldap.sh [-a ATTRIBUTE] [-b LDAPBASEDN] [-D LDAPBASEDN]\n                                [-H LDAPURI] [-p PASSWDFILE] [-k CHECKDN] [-dhv]\n\n    -a ATTRIBUTE    The LDAP attribute to read or update during the check,\n                    defaults to 'description'\n    -b LDAPBASEDN   The LDAP base DN to use as a suffix for DN buildings,\n                    defaults to 'dc=example,dc=com'\n    -D LDAPBINDDN   The LDAP bind DN to use, defaults to\n                    'uid=keepalived-service,ou=Special Users,dc=example,dc=com'\n    -H LDAPURI      The LDAP URI of the LDAP server, defaults to\n                    'ldap://localhost:389'\n    -d              Enable debug messages\n    -p PASSWDFILE   The LDAP passwd file to use, defaults to\n                    '/etc/keepalived-check-ldap.passwd'\n    -k CHECKDN      The DN of the Keepalived check related LDAP leaf entry,\n                    defaults to 'cn=keepalived-ldap-01,ou=Monitoring,dc=example,dc=com'\n    -h              Display this help and exit\n    -v              Display the version and exit\n\nNote, that all options are also overridable via environment variables.\n\nThe bind password is expected within the PASSWDFILE (-p). 
Reading the bind\npassword from a file, rather than passing it via an input option, prevents the\npassword from beeing exposed to other processes or users.\n```\n\n## License\nThis program is free software: you can redistribute it and/or modify it under\nthe terms of the GNU Affero General Public License as published by the Free\nSoftware Foundation, version 3 of the License.\n\n## Copyright\nCopyright (c) 2019 [Adfinis SyGroup AG](https://adfinis-sygroup.ch)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadfinis%2Fbase4kids2-keepalived-scripts","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fadfinis%2Fbase4kids2-keepalived-scripts","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadfinis%2Fbase4kids2-keepalived-scripts/lists"}