Package: resource-agents
Version: 1:4.16.0-3
Severity: important
Hello

In our setup, we use the IPaddr2 resource in Pacemaker to configure a
gateway address for a firewall via Corosync. The interface eno2 is
configured with the IPv6 address 2001:db8:abcd:0012::3/64, and the
Pacemaker resource is defined as follows:

    primitive intern-ipv6 IPaddr2 \
        params ip="2001:db8:abcd:0012::1" nic=eno2 cidr_netmask=64 \
        meta migration-threshold=2 \
        op monitor interval=20 on-fail=restart

There is this route installed in the routing table:

    2001:db8::/32 via 2001:db8:abcd:0012::10 dev eno2 proto static metric 1024 pref medium

Under this configuration, the resource fails to start, and the following
error appears in the logs:

    $HOST pacemaker-schedulerd[273]: warning: Unexpected result (Error occurred: [findif] failed)
    $HOST IPaddr2(intern-ipv6)[774]: ERROR: More than 1 routes match 2001:db8:abcd:0012::1/64. Unable to decide which route to use.

This issue occurs because the findif.sh script
(/usr/lib/ocf/lib/heartbeat/findif.sh) in the heartbeat resource agent
does not correctly handle more specific routes or automatically added
local routes when multiple IPs in the same network exist on an
interface. As a result, the route check fails and prevents the resource
from starting. A fix has already been merged upstream [1], but it is not
yet included in the current released version. It would be very helpful
if this fix could be applied, as our firewall setup depends on this
functionality working correctly. And it will break our existing setup
once we do an upgrade.

I added the patch in the attachment.

[1] https://github.com/ClusterLabs/resource-agents/pull/2052

-- System Information:
Debian Release: 13 (trixie)

resource-agents version:
ii resource-agents 1:4.16.0-3 amd64 Cluster Resource Agents

Regards
Sakirnth

From: Sakirnth Nagarasa <[email protected]>
Date: Sat, 26 Jul 2025 10:51:28 +0200
Subject: findif: Avoid duplicate route issue
Origin: upstream, https://github.com/ClusterLabs/resource-agents/pull/2052
Bug: https://github.com/ClusterLabs/resource-agents/issues/2001
Last-Update: 2025-07-26
To handle more specific routes on the same interface and automatic
creation of local routes in the same network when having multiple
IP addresses per interface.
---
heartbeat/findif.sh | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/heartbeat/findif.sh b/heartbeat/findif.sh
index 2ae91e9..6fb4711 100644
--- a/heartbeat/findif.sh
+++ b/heartbeat/findif.sh
@@ -217,18 +217,14 @@ findif()
fi
if [ -n "$nic" ] ; then
# NIC supports more than two.
- routematch=$(ip -o -f $family route list match $match $proto $scope | grep -v "^\(unreachable\|prohibit\|blackhole\)" | grep "dev $nic " | sed -e 's,^\([0-9.]\+\) ,\1/32 ,;s,^\([0-9a-f:]\+\) ,\1/128 ,' | sort -t/ -k2,2nr)
+ routematch=$(ip -o -f $family route list match $match $proto $scope | grep "dev $nic " | sed -e 's,^\([0-9.]\+\) ,\1/32 ,;s,^\([0-9a-f:]\+\) ,\1/128 ,' | sort -t/ -k2,2nr)
else
- routematch=$(ip -o -f $family route list match $match $proto $scope | grep -v "^\(unreachable\|prohibit\|blackhole\)" | sed -e 's,^\([0-9.]\+\) ,\1/32 ,;s,^\([0-9a-f:]\+\) ,\1/128 ,' | sort -t/ -k2,2nr)
- fi
- if [ "$family" = "inet6" ]; then
- routematch=$(echo "$routematch" | grep -v "^default")
+ routematch=$(ip -o -f $family route list match $match $proto $scope | sed -e 's,^\([0-9.]\+\) ,\1/32 ,;s,^\([0-9a-f:]\+\) ,\1/128 ,' | sort -t/ -k2,2nr)
fi
- if [ $(echo "$routematch" | wc -l) -gt 1 ]; then
- ocf_exit_reason "More than 1 routes match $match. Unable to decide which route to use."
- return $OCF_ERR_GENERIC
- fi
+ # ignore matches from unrelated tables, and sort by metric to get the route with the lowest metric
+ routematch=$(echo "$routematch" | awk '!/^(default|unreachable|prohibit|blackhole)/{match($0, /metric ([^ ]+)/, arr); print arr[1], $0}' | sort -k 1n -u | cut -d" " -f 2- | head -1)
+
set -- $routematch
if [ $# = 0 ] ; then
case $OCF_RESKEY_ip in
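Review bot: The added awk filter calls match($0, /metric ([^ ]+)/, arr) with a third array argument, which is a gawk extension and not POSIX awk; under mawk it is a syntax error, so the pipeline leaves routematch empty and findif drops into the `$# = 0` branch instead of selecting a route. Extract the metric portably (for example, loop over the fields and print the one that follows "metric"), or make sure the package depends on gawk and calls it explicitly. Two smaller points on the same line: a route that is printed without a metric field has nothing in arr[1], so its place in the numeric sort does not reflect a metric, and sorting by metric before head -1 overrides the earlier sort -t/ -k2,2nr, so a less specific route with a lower metric is chosen ahead of a more specific one. Keeping prefix length as the primary key and metric as the tie-breaker would preserve longest-prefix selection. The removed "More than 1 routes match" error also means an ambiguous result is now resolved silently; a debug log of the chosen route would help when diagnosing a wrong pick.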