[ctdb.git] / config / events.d / 10.interface

#!/bin/sh

#################################
# interface event script for ctdb
# this adds/removes IPs from your 
# public interface

. $CTDB_BASE/functions
loadconfig

[ -z "$CTDB_PUBLIC_ADDRESSES" ] && {
        CTDB_PUBLIC_ADDRESSES=$CTDB_BASE/public_addresses
}

[ ! -f "$CTDB_PUBLIC_ADDRESSES" ] && {
        exit 0
}

mark_up ()
{
    up_interfaces_found=true
    ctdb setifacelink $1 up >/dev/null 2>&1
}

mark_down ()
{
    fail=true
    ctdb setifacelink $1 down >/dev/null 2>&1
}

monitor_interfaces()
{
        all_interfaces=`cat $CTDB_PUBLIC_ADDRESSES |
                sed -e "s/^[^\t ]*[\t ]*//" -e "s/,/ /g" -e "s/[\t ]*$//"`

        [ "$CTDB_PUBLIC_INTERFACE" ] && all_interfaces="$CTDB_PUBLIC_INTERFACE $all_interfaces"
        [ "$CTDB_NATGW_PUBLIC_IFACE" ] && all_interfaces="$CTDB_NATGW_PUBLIC_IFACE $all_interfaces"


        # For all but the 1st line, get the 2nd last field with commas
        # changes to spaces.
        ctdb_ifaces=`ctdb -Y ip -v | sed -e '1d' -e 's/:[^:]*:$//' -e 's/^.*://' -e 's/,/ /g'`

        all_interfaces=`for iface in $all_interfaces $ctdb_ifaces ; do echo $iface ; done | sort | uniq`

        fail=false
        up_interfaces_found=false

        for iface in $all_interfaces ; do

            ip addr show $iface 2>/dev/null >/dev/null || {
                echo Interface $iface does not exist but it is used by public addresses.
                continue
            }

            # These interfaces are sometimes bond devices
            # When we use VLANs for bond interfaces, there will only
            # be an entry in /proc for the underlying real interface
            realiface=`echo $iface |sed -e 's/\..*$//'`
            bi=$(get_proc "net/bonding/$realiface" 2>/dev/null) && {
                echo "$bi" | grep -q 'Currently Active Slave: None' && {
                        echo "ERROR: No active slaves for bond device $realiface"
                        mark_down $iface
                        continue;
                }
                echo "$bi" | grep -q '^MII Status: up' || {
                        echo "ERROR: public network interface $realiface is down"
                        mark_down $iface
                        continue;
                }
                echo "$bi" | grep -q '^Bonding Mode: IEEE 802.3ad Dynamic link aggregation' && {
                        echo "$bi" | grep 'MII Status:' | tail -n +2 | grep -q '^MII Status: up' || {
                                echo No active slaves for 802.ad bond device $realiface
                                mark_down $iface
                                continue
                        }
                }
                mark_up $iface
                continue;
            }

            case $iface in
            lo*)
                # loopback is always working
                mark_up $iface
                ;;
            ib*)
                # we dont know how to test ib links
                mark_up $iface
                ;;
            *)
                [ -z "$iface" ] || {
                    [ "$(basename $(readlink /sys/class/net/$iface/device/driver) 2>/dev/null)" = virtio_net ] ||
                    ethtool $iface | grep -q 'Link detected: yes' || {
                        # On some systems, this is not successful when a
                        # cable is plugged but the interface has not been
                        # brought up previously. Bring the interface up and
                        # try again...
                        ip link set $iface up
                        ethtool $iface | grep -q 'Link detected: yes' || {
                            echo "ERROR: No link on the public network interface $iface"
                            mark_down $iface
                            continue
                        }
                    }
                    mark_up $iface
                }
                ;;
            esac

        done

        $fail || return 0

        $up_interfaces_found && \
            [ "$CTDB_PARTIALLY_ONLINE_INTERFACES" = "yes" ] && \
            return 0

        return 1
}

case "$1" in 
     #############################
     # called when ctdbd starts up
     init)
        # make sure that we only respond to ARP messages from the NIC where
        # a particular ip address is associated.
        get_proc sys/net/ipv4/conf/all/arp_filter >/dev/null 2>&1 && {
            set_proc sys/net/ipv4/conf/all/arp_filter 1
        }
        ;;

     #############################
     # called after ctdbd has done its initial recovery
     # and we start the services to become healthy
     startup)
        # Assume all links are good initially
        INTERFACES=`for IFACE in $INTERFACES ; do echo $IFACE ; done | sort | uniq`

        for IFACE in $INTERFACES ; do
                ctdb setifacelink $IFACE down >/dev/null 2>/dev/null
        done
        
        monitor_interfaces

        ;;


     ################################################
     # called when ctdbd wants to claim an IP address
     takeip)
        if [ $# != 4 ]; then
           echo "must supply interface, IP and maskbits"
           exit 1
        fi
        iface=$2
        ip=$3
        maskbits=$4

        add_ip_to_iface $iface $ip $maskbits || {
                exit 1;
        }

        # cope with the script being killed while we have the interface blocked
        iptables -D INPUT -i $iface -d $ip -j DROP 2> /dev/null

        # flush our route cache
        set_proc sys/net/ipv4/route/flush 1
        ;;


     ##################################################
     # called when ctdbd wants to release an IP address
     releaseip)
        if [ $# != 4 ]; then
           echo "must supply interface, IP and maskbits"
           exit 1
        fi

        # releasing an IP is a bit more complex than it seems. Once the IP
        # is released, any open tcp connections to that IP on this host will end
        # up being stuck. Some of them (such as NFS connections) will be unkillable
        # so we need to use the killtcp ctdb function to kill them off. We also
        # need to make sure that no new connections get established while we are 
        # doing this! So what we do is this:
        # 1) firewall this IP, so no new external packets arrive for it
        # 2) use netstat -tn to find existing connections, and kill them 
        # 3) remove the IP from the interface
        # 4) remove the firewall rule
        iface=$2
        ip=$3
        maskbits=$4

        failed=0
        # we do an extra delete to cope with the script being killed
        iptables -D INPUT -i $iface -d $ip -j DROP 2> /dev/null
        iptables -I INPUT -i $iface -d $ip -j DROP
        kill_tcp_connections $ip

        delete_ip_from_iface $iface $ip $maskbits || {
                iptables -D INPUT -i $iface -d $ip -j DROP 2> /dev/null
                exit 1;
        }

        iptables -D INPUT -i $iface -d $ip -j DROP 2> /dev/null

        # flush our route cache
        set_proc sys/net/ipv4/route/flush 1
        ;;

     ##################################################
     # called when ctdbd wants to update an IP address
     updateip)
        if [ $# != 5 ]; then
           echo "must supply old interface, new interface, IP and maskbits"
           exit 1
        fi

        # moving an IP is a bit more complex than it seems.
        # First we drop all traffic on the old interface.
        # Then we try to add the ip to the new interface and before
        # we finally remove it from the old interface.
        #
        # 1) firewall this IP, so no new external packets arrive for it
        # 2) add the IP to the new interface
        # 3) remove the IP from the old interface
        # 4) remove the firewall rule
        # 5) use ctdb gratiousarp to propagate the new mac address
        # 6) use netstat -tn to find existing connections, and tickle them
        oiface=$2
        niface=$3
        ip=$4
        maskbits=$5

        failed=0
        # we do an extra delete to cope with the script being killed
        iptables -D INPUT -i $oiface -d $ip -j DROP 2> /dev/null
        iptables -I INPUT -i $oiface -d $ip -j DROP

        delete_ip_from_iface $oiface $ip $maskbits 2>/dev/null
        delete_ip_from_iface $niface $ip $maskbits 2>/dev/null

        add_ip_to_iface $niface $ip $maskbits || {
                iptables -D INPUT -i $oiface -d $ip -j DROP 2> /dev/null
                exit 1;
        }

        # cope with the script being killed while we have the interface blocked
        iptables -D INPUT -i $oiface -d $ip -j DROP 2> /dev/null

        # flush our route cache
        set_proc sys/net/ipv4/route/flush 1

        # propagate the new mac address
        ctdb gratiousarp $ip $niface

        # tickle all existing connections, so that dropped packets
        # are retransmited and the tcp streams work

        tickle_tcp_connections $ip

        ;;


     ###########################################
     # called when ctdbd has finished a recovery
     recovered)
        ;;

     ####################################
     # called when ctdbd is shutting down
     shutdown)
        ;;

     monitor)
        monitor_interfaces || exit 1
        ;;
    *)
        ctdb_standard_event_handler "$@"
        ;;
esac

exit 0