f-93: Fix one-failover issues on Alpine 3.20

- Always run iptables service
- Refactor one-failover logic to fix regressions after Alpine update
- Improve one-failover performance
- Add "standby" command for keepalived
- Code cleanups

Author: sk4zuzu

appliances/VRouter/DNS/main.rb

@@ -70,9 +70,8 @@ def install(initdir: '/etc/init.d')
             install -o unbound -g unbound -m u=rwx,go=rx -d /var/log/unbound/
         SCRIPT
 
-        file "#{initdir}/one-dns", <<~SERVICE, mode: 'u=rwx,g=rx,o='
+        file "#{initdir}/one-dns", <<~SERVICE, mode: 'u=rwx,go=rx'
             #!/sbin/openrc-run
-
             source /run/one-context/one_env
 
             command="/usr/bin/ruby"

appliances/VRouter/Failover/execute.rb

@@ -9,40 +9,35 @@ module Failover
     VROUTER_ID = env :VROUTER_ID, nil
 
     SERVICES = {
-        'one-router4' => { _ENABLED: 'ONEAPP_VNF_ROUTER4_ENABLED',
-                           fallback: VROUTER_ID.nil? ? 'NO' : 'YES' },
+        'one-router4' => { _ENABLED: 'ONEAPP_VNF_ROUTER4_ENABLED', fallback: VROUTER_ID.nil? ? 'NO' : 'YES' },
 
-        'one-nat4'    => { _ENABLED: 'ONEAPP_VNF_NAT4_ENABLED',
-                           fallback: 'NO' },
+        'one-nat4'    => { _ENABLED: 'ONEAPP_VNF_NAT4_ENABLED' },
 
-        'one-lvs'     => { _ENABLED: 'ONEAPP_VNF_LB_ENABLED',
-                           fallback: 'NO' },
+        'one-lvs'     => { _ENABLED: 'ONEAPP_VNF_LB_ENABLED' },
 
-        'one-haproxy' => { _ENABLED: 'ONEAPP_VNF_HAPROXY_ENABLED',
-                           fallback: 'NO' },
+        'one-haproxy' => { _ENABLED: 'ONEAPP_VNF_HAPROXY_ENABLED' },
+        'haproxy'     => { _ENABLED: 'ONEAPP_VNF_HAPROXY_ENABLED', dependency: true },
 
-        'one-sdnat4'  => { _ENABLED: 'ONEAPP_VNF_SDNAT4_ENABLED',
-                           fallback: 'NO' },
+        'one-sdnat4'  => { _ENABLED: 'ONEAPP_VNF_SDNAT4_ENABLED' },
 
-        'one-dns'     => { _ENABLED: 'ONEAPP_VNF_DNS_ENABLED',
-                           fallback: 'NO' },
+        'one-dns'     => { _ENABLED: 'ONEAPP_VNF_DNS_ENABLED' },
+        'unbound'     => { _ENABLED: 'ONEAPP_VNF_DNS_ENABLED', dependency: true },
 
-        'one-dhcp4v2'   => { _ENABLED: 'ONEAPP_VNF_DHCP4_ENABLED',
-                           fallback: 'NO' },
+        'one-dhcp4v2' => { _ENABLED: 'ONEAPP_VNF_DHCP4_ENABLED' },
+        'coredhcp'    => { _ENABLED: 'ONEAPP_VNF_DHCP4_ENABLED', dependency: true },
 
-        'one-wg'      => { _ENABLED: 'ONEAPP_VNF_WG_ENABLED',
-                           fallback: 'NO' }
+        'one-wg'      => { _ENABLED: 'ONEAPP_VNF_WG_ENABLED' }
     }
 
     FIFO_PATH  = '/run/keepalived/vrrp_notify_fifo.sock'
     STATE_PATH = '/run/one-failover.state'
 
     STATE_TO_DIRECTION = {
         'BACKUP'  => :down,
-        'DELETED' => :down,
-        'FAULT'   => :down,
+        'DELETED' => :stay,
+        'FAULT'   => :stay,
         'MASTER'  => :up,
-        'STOP'    => :down,
+        'STOP'    => :stay,
         nil       => :stay
     }
 
@@ -62,7 +57,11 @@ def to_task(event)
             direction = :stay
             ignored   = true
         else
-            if STATE_TO_DIRECTION[event[:state]] == STATE_TO_DIRECTION[state[:state]]
+            case
+            when event[:state] == 'BACKUP'
+                direction = STATE_TO_DIRECTION['BACKUP']
+                ignored   = false
+            when STATE_TO_DIRECTION[event[:state]] == STATE_TO_DIRECTION[state[:state]]
                 direction = :stay
                 ignored   = false
             else
@@ -100,13 +99,12 @@ def process_events(fifo_path = FIFO_PATH)
                     f.each do |line|
                         event = to_event line
                         task = to_task event
-                        msg :info, task
+                        msg :debug, task
                         method(task[:direction]).call
                     end
                 end
             rescue StandardError => e
                 msg :error, e.full_message
-
                 # NOTE: We always disable all services on fatal errors
                 #       to avoid any potential conflicts.
                 down
@@ -117,70 +115,88 @@ def process_events(fifo_path = FIFO_PATH)
         end
     end
 
-    def execute
-        msg :info, 'Failover::execute'
-        process_events
-    end
-
-    def stay
-        msg :debug, :STAY
-    end
-
-    def up
-        msg :debug, :UP
-
-        load_env
-
+    def wait_ready(role = :master)
         # Give one-context 30 seconds to fully start..
         6.times do
             bash 'rc-service one-context status', terminate: false
             break
-        rescue RuntimeError
+        rescue RuntimeError => e
+            msg :error, e.full_message
             sleep 5
         end.then do |result|
-            unless result.nil?
-                msg :error, 'one-context not ready!'
-                return
-            end
+            msg :error, 'one-context not ready!' unless result.nil?
         end
-
-        # Give keepalived 30 seconds to setup VIPs..
+        # Give keepalived 30 seconds to fully start..
         6.times do
-            bash 'rc-service keepalived ready', terminate: false
+            bash "rc-service keepalived #{role == :master ? 'ready' : 'standby'}", terminate: false
             break
-        rescue RuntimeError
+        rescue RuntimeError => e
+            msg :error, e.full_message
             sleep 5
         end.then do |result|
-            unless result.nil?
-                msg :error, 'keepalived not ready!'
-                return
-            end
+            msg :error, 'keepalived not ready!' unless result.nil?
         end
+    end
+
+    def execute
+        msg :info, 'Failover::execute'
+        process_events
+    end
+
+    def stay
+        msg :debug, ":STAY (pid = #{Process.pid})"
+    end
+
+    def up
+        msg :debug, ":UP (pid = #{Process.pid})"
+
+        wait_ready :master
+
+        load_env
 
         SERVICES.each do |service, settings|
-            enabled = env settings[:_ENABLED], settings[:fallback]
+            if env settings[:_ENABLED], (settings[:fallback] || 'NO')
+                next if settings[:dependency]
 
-            msg :debug, "#{service}(#{enabled ? ':enabled' : ':disabled'})"
+                msg :info, "#{service}(:enabled)"
 
-            if enabled
-                bash "rc-service #{service} restart ||:", terminate: false
+                puts bash "rc-service #{service} restart ||:", terminate: false
             else
-                bash "rc-service #{service} stop ||:" , terminate: false
-            end
+                msg :info, "#{service}(:disabled)"
 
-            sleep 1
+                puts bash "rc-service #{service} stop ||:", terminate: false
+            end
         end
+
+        puts bash 'rc-update -v -u ||:', terminate: false
     end
 
     def down
-        msg :debug, :DOWN
+        msg :debug, ":DOWN (pid = #{Process.pid})"
+
+        wait_ready :standby
+
+        12.times do |attempt|
+            services = bash 'rc-status --nocolor --format ini --servicelist', terminate: false
 
-        SERVICES.each do |service, _|
-            msg :debug, "#{service}(:disabled)"
+            stopped = services.lines.map(&:split)
+                                    .select { |_, _, s| s == 'stopped' }
+                                    .map(&:first)
 
-            bash "rc-service #{service} stop ||:", terminate: false
+            break if (running = SERVICES.keys - stopped).empty?
 
-            sleep 1
+            running.each do |service|
+                msg :info, "#{service}(:disabled)"
+
+                puts bash "rc-service #{service} stop ||:", terminate: false
+            end
+
+            puts bash 'rc-update -v -u ||:', terminate: false
+        rescue RuntimeError => e
+            msg :error, e.full_message
+            sleep 5
+        end.then do |result|
+            msg :error, 'could not stop services!' unless result.nil?
         end
     end
 end

appliances/VRouter/Failover/main.rb

@@ -13,23 +13,22 @@ def install(initdir: '/etc/init.d')
 
         puts bash 'apk --no-cache add ruby'
 
-        file "#{initdir}/one-failover", <<~SERVICE, mode: 'u=rwx,g=rx,o='
+        file "#{initdir}/one-failover", <<~SERVICE, mode: 'u=rwx,go=rx'
             #!/sbin/openrc-run
-
             source /run/one-context/one_env
 
             command="/usr/bin/ruby"
             command_args="-r /etc/one-appliance/lib/helpers.rb -r #{__FILE__} -e Service::Failover.execute"
 
-            command_background="yes"
+            command_background="YES"
             pidfile="/run/$RC_SVCNAME.pid"
 
             output_log="/var/log/one-appliance/one-failover.log"
-            error_log="/var/log/one-appliance/one-failover.log"
+            error_log="/var/log/one-appliance/one-failover.err"
 
             depend() {
                 need keepalived
-                after net
+                after net firewall
             }
         SERVICE
 

appliances/VRouter/HAProxy/main.rb

@@ -21,22 +21,21 @@ def install(initdir: '/etc/init.d')
 
         puts bash 'apk --no-cache add haproxy ruby'
 
-        file "#{initdir}/one-haproxy", <<~SERVICE, mode: 'u=rwx,g=rx,o='
+        file "#{initdir}/one-haproxy", <<~SERVICE, mode: 'u=rwx,go=rx'
             #!/sbin/openrc-run
-
             source /run/one-context/one_env
 
             command="/usr/bin/ruby"
             command_args="-r /etc/one-appliance/lib/helpers.rb -r #{__FILE__} -e Service::HAProxy.execute"
 
-            command_background="yes"
+            command_background="YES"
             pidfile="/run/$RC_SVCNAME.pid"
 
             output_log="/var/log/one-appliance/one-haproxy.log"
             error_log="/var/log/one-appliance/one-haproxy.log"
 
             depend() {
-                after net keepalived
+                after net firewall keepalived
             }
 
             start_pre() {

appliances/VRouter/Keepalived/main.rb

@@ -58,7 +58,7 @@ def install(initdir: '/etc/init.d')
 
         script = File.open("#{initdir}/keepalived").each_with_object([]) do |line, acc|
             if line =~ /^extra_started_commands="(.*)"$/
-                acc << %{extra_started_commands="#{$1} ready"\n}
+                acc << %{extra_started_commands="#{$1} ready standby"\n}
             else
                 acc << line
             end
@@ -68,9 +68,16 @@ def install(initdir: '/etc/init.d')
             #{script}
 
             ready() {
-                ebegin "Checking readiness"
+                ebegin "Checking readiness (:master)"
                 source /run/one-context/one_env
-                /usr/bin/ruby -r #{__FILE__} -e Service::Keepalived.ready
+                /usr/bin/ruby -r #{__FILE__} -e 'Service::Keepalived.ready(:master)'
+                eend $?
+            }
+
+            standby() {
+                ebegin "Checking readiness (:standby)"
+                source /run/one-context/one_env
+                /usr/bin/ruby -r #{__FILE__} -e 'Service::Keepalived.ready(:standby)'
                 eend $?
             }
         SCRIPT
@@ -193,7 +200,7 @@ def bootstrap
         msg :info, 'Keepalived::bootstrap'
     end
 
-    def ready
+    def ready(role = :master)
         detect_vips.each do |nic, vips|
             vips = vips.values.map do |vip|
                 vip.split(%[/])[0] # remove the CIDR "prefixlen" if present
@@ -203,7 +210,7 @@ def ready
                 acc << item['local'] unless item['local'].nil?
             end
 
-            if (vips & addrs) != vips
+            if role == :master ? (vips & addrs) != vips : (vips & addrs) == vips
                 msg :debug, { nic => { vips: vips, addrs: addrs, ready: false } }
                 exit 1
             end

appliances/VRouter/LVS/main.rb

@@ -22,22 +22,21 @@ def install(initdir: '/etc/init.d')
 
         puts bash 'apk --no-cache add ipvsadm ruby'
 
-        file "#{initdir}/one-lvs", <<~SERVICE, mode: 'u=rwx,g=rx,o='
+        file "#{initdir}/one-lvs", <<~SERVICE, mode: 'u=rwx,go=rx'
             #!/sbin/openrc-run
-
             source /run/one-context/one_env
 
             command="/usr/bin/ruby"
             command_args="-r /etc/one-appliance/lib/helpers.rb -r #{__FILE__} -e Service::LVS.execute"
 
-            command_background="yes"
+            command_background="YES"
             pidfile="/run/$RC_SVCNAME.pid"
 
             output_log="/var/log/one-appliance/one-lvs.log"
             error_log="/var/log/one-appliance/one-lvs.log"
 
             depend() {
-                after net keepalived
+                after net firewall keepalived
             }
 
             stop_post() {

appliances/VRouter/NAT4/execute.rb

@@ -55,7 +55,7 @@ def execute
             IPTABLES
         end
 
-        toggle [:save, :start, :reload]
+        toggle [:save, :reload]
     end
 
     def cleanup

appliances/VRouter/NAT4/main.rb

@@ -64,9 +64,8 @@ def install(initdir: '/etc/init.d')
 
         puts bash 'apk --no-cache add iptables-openrc ruby'
 
-        file "#{initdir}/one-nat4", <<~SERVICE, mode: 'u=rwx,g=rx,o='
+        file "#{initdir}/one-nat4", <<~SERVICE, mode: 'u=rwx,go=rx'
             #!/sbin/openrc-run
-
             source /run/one-context/one_env
 
             command="/usr/bin/ruby"
@@ -112,8 +111,6 @@ def toggle(operations)
                 puts bash 'rc-update del one-nat4 default ||:'
             when :update
                 puts bash 'rc-update -u'
-            when :start
-                puts bash 'rc-service iptables start'
             else
                 puts bash "rc-service one-nat4 #{op.to_s}"
             end

appliances/VRouter/Router4/main.rb

@@ -20,9 +20,8 @@ def install(initdir: '/etc/init.d')
 
         puts bash 'apk --no-cache add procps ruby'
 
-        file "#{initdir}/one-router4", <<~SERVICE, mode: 'u=rwx,g=rx,o='
+        file "#{initdir}/one-router4", <<~SERVICE, mode: 'u=rwx,go=rx'
             #!/sbin/openrc-run
-
             source /run/one-context/one_env
 
             command="/usr/bin/ruby"

appliances/VRouter/SDNAT4/execute.rb

@@ -101,7 +101,7 @@ def execute
                 iptables -t nat -C PREROUTING -j DNAT4 || iptables -t nat -I PREROUTING 1 -j DNAT4
             IPTABLES
 
-            toggle [:save, :start]
+            toggle [:save, :reload]
 
             loop do
                 unless (vnets = get_vrouter_vnets).empty?