These are chat archives for Exa-Networks/exabgp

10th
Mar 2016
Ben Agricola
@benagricola
Mar 10 2016 11:27
hmm... so what's the correct way to run exabgp + the healthcheck that allows the healthcheck to create the loopback IP correctly?
it looks like exabgp has to be run as root to allow the healthcheck to start as root, and then drop privileges after
doesn't look like it's possible to have exabgp drop privileges after starting the healthcheck?
Thomas Mangin
@thomas-mangin
Mar 10 2016 11:28
ExaBGP does not create the loopback
it must be present beforehand
Ben Agricola
@benagricola
Mar 10 2016 11:28
the healthcheck script does though?
(as in, the one that's in application/healthcheck.py)
Thomas Mangin
@thomas-mangin
Mar 10 2016 11:28
AFAIK - no it does not
It will announce the IP but the underlying OS must have it configured
You can look at my presentation on how to best configure the IP and sysctl.conf for that
Thomas Mangin
@thomas-mangin
Mar 10 2016 11:30
Oh! You are right, it can!
Ben Agricola
@benagricola
Mar 10 2016 11:30
i mean I can always add the address manually but since the script does it already :)
there was also something else i noticed, maybe i'm missing something
but the --run healthcheck option doesn't appear to allow specifying any command line options to the healthcheck script
i ended up reverting the commit that removes /usr/bin/healthcheck manually so I could run the healthcheck command
Thomas Mangin
@thomas-mangin
Mar 10 2016 11:35
You better ask @vincentbernat who wrote that code
Ben Agricola
@benagricola
Mar 10 2016 11:39
i think it's the exabgp command line parser itself, it throws the default exabgp usage message I think because it sees unknown options after the --run healthcheck (arguments aimed for the healthcheck script) but not sure what the appropriate fix is
i'll investigate further and see if there's a simple fix :)
Thomas Mangin
@thomas-mangin
Mar 10 2016 11:40
which version of exabgp are you using ?
Ben Agricola
@benagricola
Mar 10 2016 11:41
this was testing with the master branch
Thomas Mangin
@thomas-mangin
Mar 10 2016 11:42
Ok - I will have to check if for some reason I used to fork and then drop privileges and if now it changed
You can run exabgp as root. If all you do is connect, there is no real risk to do so.
If you want to accept incoming connections, I would rather not
(well the risk is that someone MITM you and then attack the code but that risk is surely not high)
Ben Agricola
@benagricola
Mar 10 2016 11:44
yeah i'm not too worried about running exabgp as root, we'll configure the routers on the other side passive anyway, just want to confirm the correct setup for allowing the healthcheck script to add the loopback ip
Thomas Mangin
@thomas-mangin
Mar 10 2016 11:45
I have not used it myself, we have some home cooked code and always configure the IPs on the servers (and just not announce the MAC on the net)
old but still valid
Ben Agricola
@benagricola
Mar 10 2016 13:26
lol, so the healthcheck script adds the loopback ip
but doesn't remove it on exit
and then fails on next start if it already exists :D
i'll patch that to check if the IP exists and not attempt to re-add it
Ben Agricola
@benagricola
Mar 10 2016 14:33
ahh, looks like an issue trying to parse the output of ip addr show to find existing IPs :)
Thomas Mangin
@thomas-mangin
Mar 10 2016 14:36
is it something you should open an issue on github ?
Ben Agricola
@benagricola
Mar 10 2016 14:36
yep, will do
the change to the regex is simple i think
it's looking for some trailing spaces after the 'loopback IP label' which appear to not exist in the output from ip addr show on our machines :)
(\s+.), I'm not sure why it's not just . because the trailing info doesn't matter (even if it does exist) once the label is parsed out
also just having a quick look at the daemonisation order - exabgp runs daemon.daemonize() prior to process.start() so that explains why it's necessary to run exabgp as root in order to have the healthchecker also run as root!
Thomas Mangin
@thomas-mangin
Mar 10 2016 14:39
ok - I may change this - can you please open an issue raising it. It MAY not be possible for other issues … but I can not recall and should investigate
Ben Agricola
@benagricola
Mar 10 2016 14:39
yeah will do
i'll submit a PR for the regex change in healthcheck.py too
Thomas Mangin
@thomas-mangin
Mar 10 2016 14:40
Thanks
Thomas Mangin
@thomas-mangin
Mar 10 2016 15:00
@vincentbernat - it seems the code needs to not failover if the IP is already there and perhaps intercept SIGTERM to perform the IP removal?
Ben Agricola
@benagricola
Mar 10 2016 15:29
@thomas-mangin when it correctly detects the IP already exists it doesn't error which is fine
but intercepting sigterm to remove it is probably a good idea anyway
Ben Agricola
@benagricola
Mar 10 2016 16:00
heh, so I had a look at removing the IP address on sigterm as well
it's only possible if the healthcheck script runs as root
obviously if you have it drop privileges it's no longer able to remove the IP address on sigterm :D