Keepalived not working since Core Update 177 (OpenSSL 1.1 removed)

Add-Ons
1

Removing OpenSSL 1.1.1 in Core Update 177 caused keepalived (2.2.7) not starting/working anymore. It requires the shared libraries libssl.so.1.1 and libcrypto.so.1.1.

As a workaround I copied both old/deprecated libraries into the “/usr/lib/” directory and successfully restarted keepalived.
I’m not sure, but upgrading keepalived to v2.2.8 and linking against libssl.so.3 and libcrypto.so.3 might solve the problem.

In my proxmox ha-installation I run 2 ipfire instances in active-active mode and use keepalived (vrrp) to manage the ip address failover.

2

As a workaround, you can uninstall the package and re-install it.

3

Thanks Michael for your immediate support.

De- and reinstalling keepalived does not solve the issue:
Actions taken:

  1. /etc/init.d/keepalived stop
  2. rm /usr/lib/libcrypto.so.1.1
  3. rm /usr/lib/libssl.so.1.1
  4. pakfire: deinstall keepalived-2.2.7-13
  1. pakfire: install keepalived-2.2.7-13
  2. check if scripts and config are still in /etc/keepalive/
  3. /etc/init.d/keepalived start
    => Message on the console:
    Starting keepalive daemon…
    /usr/sbin/keepalived: error while loading shared libraries: libcrypto.so.1.1: cannot open shared object file: No such file or directory [ FAIL ]

Copied again both old/deprecated libraries into the “/usr/lib/” directory and successfully restarted keepalived.

5

Great :slight_smile:
Removing the files /opt/pakfire/cache/keepalived-2.2.7-12.ipfire and /opt/pakfire/cache/keepalived-2.2.7-13.ipfire before reinstalling keepalived did the job.

Problem solved!
Thank you both so much.

3 Likes
6

I will submit a patch for an update of keepalived which will increment the PAK_VER number so in CU178 it will have the correct ssl lib linked.

2 Likes
7

I just pushed a commit into the core177 branch that bumps a couple of packages:

https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=80ff3f08c49fbf0580392a9afda43d99e50d43ba

The build will finish in a couple of hours and I will manually release those affected packages.

Please let me know if there are more that we might have missed.

8

To avoid running into those kind of issues in the future I decided to run one of my ipfire-instances in “stable” the other in “testing”.

3 Likes
9

@pvflick - Thank you for doing this! Core updates would go much smoother & better if more people would take the time to do the exact same thing as you!
:star: :star: :star: