Keepalived notify script, execute action on failover

26-10-2014 | Remy van Elst



Keepalived supports running scripts on VRRP state change. This can come in handy when you need to execute an action when a failover occurs. In my case, I have a VPN running on a Virtual IP and want to make sure the VPN only runs on the node with the Virtual IP.

If you want to set up a simple keepalived cluster, see my tutorial on that.

The VPN uses strongswan and is a simple IPsec site-to-site VPN. The two nodes are datacenter-redundant and function as NAT/firewall proxies for a backend network. The backend servers need access to some other servers that are only reachable over the VPN.

A notify script is not limited to adding or removing an IP on an interface; it can take other actions as well. It can, for example, start or stop a daemon depending on the VRRP state.

It is defined in the keepalived config like this:

vrrp_instance Example_VRRP {
    [...]
    notify /usr/local/sbin/notify-keepalived.sh
}

The script can be written in any language as long as it is executable. It receives the following parameters:

  • $1 = "INSTANCE" or "GROUP"
  • $2 = name of instance or group
  • $3 = target state of transition, "MASTER", "BACKUP" or "FAULT"

This is the bash script I use for the strongswan VPN:

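#!/bin/bash
# Arguments passed by keepalived
TYPE=$1    # "INSTANCE" or "GROUP"
NAME=$2    # name of the instance or group
STATE=$3   # target state: "MASTER", "BACKUP" or "FAULT"

# Run strongswan only on the node that holds the Virtual IP
case "$STATE" in
        "MASTER") /usr/sbin/service strongswan start
                  ;;
        "BACKUP") /usr/sbin/service strongswan stop
                  ;;
        "FAULT")  /usr/sbin/service strongswan stop
                  exit 0
                  ;;
        *)        /sbin/logger "ipsec unknown state"
                  exit 1
                  ;;
esac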
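
A stricter variant of the script above, added here as an example and not part of the original post: it checks all three arguments before touching strongswan, logs each transition, and has a dry-run mode so the state handling can be tested without a real failover. `EXPECTED_NAME`, `DRY_RUN` and the function names are assumptions made for this illustration; the instance name is taken from the config snippet above.

```bash
#!/bin/bash
# Added example, not the author's script. EXPECTED_NAME, DRY_RUN and the
# function names are assumptions made for this illustration.
EXPECTED_NAME="${EXPECTED_NAME:-Example_VRRP}"  # instance name from the config above
SERVICE=/usr/sbin/service
LOGGER=/sbin/logger

# Log via syslog, or to stderr when DRY_RUN=1 so the script can be tested safely.
log() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "notify: $*" >&2
    else
        "$LOGGER" -t keepalived-notify -- "$*"
    fi
}

# Map $1 (type), $2 (name), $3 (state) to "start" or "stop" on stdout.
# Returns non-zero and prints nothing if any argument is unexpected.
decide_action() {
    case $1 in
        INSTANCE|GROUP) ;;
        *) return 2 ;;
    esac
    [ "$2" = "$EXPECTED_NAME" ] || return 3
    case $3 in
        MASTER)       echo start ;;
        BACKUP|FAULT) echo stop ;;
        *)            return 4 ;;
    esac
}

# Act on one transition. With DRY_RUN=1 the chosen action is printed, not run.
handle_transition() {
    if action=$(decide_action "$1" "$2" "$3"); then
        log "$1 $2 entered $3: strongswan $action"
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$action"
        else
            "$SERVICE" strongswan "$action"
        fi
    else
        log "rejected notify arguments, strongswan left unchanged"
        return 1
    fi
}

# keepalived passes at least three arguments; with none (sourced) nothing runs.
if [ "$#" -ge 3 ]; then
    handle_transition "$1" "$2" "$3"
fi
```

Running it by hand as `DRY_RUN=1 ./notify-keepalived.sh INSTANCE Example_VRRP BACKUP` prints the action it would take without calling `service`.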

Tags: cluster, heartbeat, high-availability, keepalived, network, strongswan, vpn, vrrp