12.8.6 Vulnerability Response and Version Upgrade Strategy
In high-availability deployments, responding to a Keepalived vulnerability has to balance business continuity against risk control. This section follows the closed loop of assess, mitigate, upgrade, and roll back, and gives executable examples, commands, and troubleshooting steps for each stage.
Establishing a version and asset baseline (with commands)
```bash
# 1) Record the version, build options and dependencies
keepalived -v
ldd /usr/sbin/keepalived | egrep 'ssl|crypto|glibc'
# 2) Save the configuration, the unit file and the binary (the rollback step restores all three)
cp -a /etc/keepalived/keepalived.conf /var/backups/keepalived.conf.$(date +%F)
systemctl cat keepalived > /var/backups/keepalived.service.$(date +%F)
cp -a /usr/sbin/keepalived /var/backups/keepalived.bin.$(date +%F)
# 3) Generate the baseline manifest
{
echo "hostname=$(hostname)"
keepalived -v 2>&1      # the version banner is written to stderr, so redirect it into the file
rpm -qa | egrep 'keepalived|openssl|glibc'
sha256sum /usr/sbin/keepalived /etc/keepalived/keepalived.conf
} > /var/backups/keepalived.baseline.$(date +%F).txt
# Expected result: the baseline file can be diffed to detect version drift and used for rollback
```
Rapid vulnerability assessment and temporary mitigation (with commands)
```bash
# 1) Check whether the installed version is affected (example: assume the flaw affects 2.2.0-2.2.7)
keepalived -v 2>&1 | awk 'NR==1{print $2}'   # prints e.g. v2.2.5 (banner goes to stderr, hence 2>&1)
# 2) Confirm whether the affected features are in use (VRRP authentication, tracking scripts)
grep -nE 'auth_type|auth_pass|vrrp_script' /etc/keepalived/keepalived.conf
# 3) Temporary mitigation: restrict permissions on the script directory
chmod 700 /etc/keepalived/scripts
chown -R root:root /etc/keepalived/scripts
# 4) Temporary mitigation: restrict VRRP sources (firewalld example).
#    firewalld evaluates accept rich rules before drop rules, so these two may be added in either order.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/24" protocol value="vrrp" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" protocol value="vrrp" drop'
firewall-cmd --reload
# Expected result: only VRRP heartbeats from the local subnet are accepted, reducing the external attack surface
```
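The version-range check and affected-feature check above, written as reusable shell functions so the verdict can be scripted across a fleet. This is an added example, not code from the page or from the Keepalived project; the affected range 2.2.0-2.2.7 is the page's hypothetical, and the version banner and configuration excerpt embedded below are constructed samples.

```bash
#!/bin/sh
# Added example (not from the original page): triage an installed Keepalived
# against an advisory's affected version range and the config features it
# depends on. The range 2.2.0-2.2.7 is the page's hypothetical; the version
# string and config excerpt below are constructed samples.

# Pull "X.Y.Z" out of the first line of `keepalived -v` output. Keepalived
# prints that banner to stderr, so live calls need 2>&1 (see bottom).
kv_parse_version() {
    printf '%s\n' "$1" | sed -n '1s/^Keepalived v\([0-9][0-9.]*\).*/\1/p'
}

# Exit 0 when version $1 lies within [$2, $3] under version-sort ordering.
kv_in_range() {
    first=$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)
    last=$(printf '%s\n%s\n' "$1" "$3" | sort -V | tail -n 1)
    [ "$first" = "$2" ] && [ "$last" = "$3" ]
}

# Space-separated, sorted list of affected-feature keywords found in config text $1.
kv_affected_features() {
    printf '%s\n' "$1" | grep -oE 'auth_type|auth_pass|vrrp_script' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Verdict: not-affected | version-affected-feature-unused | patch-now | unknown-version
kv_assess() {
    ver=$(kv_parse_version "$1")
    if [ -z "$ver" ]; then echo unknown-version; return 2; fi
    if ! kv_in_range "$ver" "$3" "$4"; then echo not-affected; return 0; fi
    if [ -n "$(kv_affected_features "$2")" ]; then echo patch-now; else echo version-affected-feature-unused; fi
}

# Constructed sample inputs, used when no local keepalived is installed.
KV_SAMPLE_VERSION='Keepalived v2.2.5 (07/31,2022)'
KV_SAMPLE_CONF='vrrp_instance VI_1 {
    authentication { auth_type PASS  auth_pass CHANGEME }
    track_script { chk_nginx }
}
vrrp_script chk_nginx { script "/etc/keepalived/scripts/chk_nginx.sh" }'

if command -v keepalived >/dev/null 2>&1; then
    kv_assess "$(keepalived -v 2>&1)" "$(cat /etc/keepalived/keepalived.conf 2>/dev/null)" 2.2.0 2.2.7
else
    kv_assess "$KV_SAMPLE_VERSION" "$KV_SAMPLE_CONF" 2.2.0 2.2.7   # prints patch-now
fi
```

A version inside the range with none of the listed keywords in the config yields version-affected-feature-unused, which still warrants scheduling the upgrade but not an emergency change.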
Staged upgrade and verification (package manager)
```bash
# 1) Upgrade the BACKUP node first
yum -y update keepalived
# 2) Validate the configuration, then restart
keepalived -t -f /etc/keepalived/keepalived.conf
systemctl restart keepalived
systemctl status keepalived --no-pager
# 3) Verify master/backup failover and VIP migration
ip addr show | grep -A2 "inet 10.0.0.100"
ip -d link show | grep -A3 vrrp     # only lists interfaces when use_vmac is configured
# Expected result: the backup node runs the new version and can take over the VIP
```
Staged upgrade and verification (building from source)
```bash
# 1) Download and verify
curl -LO https://www.keepalived.org/software/keepalived-2.2.8.tar.gz
sha256sum keepalived-2.2.8.tar.gz    # compare against the checksum published by the project before unpacking
# 2) Build and install (use the same options on every node)
tar xf keepalived-2.2.8.tar.gz
cd keepalived-2.2.8
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make -j4 && make install
# 3) Verify the version and the configuration
keepalived -v
keepalived -t -f /etc/keepalived/keepalived.conf
# Expected result: the same version on every node, configuration check passes
```
Rollback strategy and execution (with commands)
```bash
# Example trigger conditions:
# - frequent master/backup flapping, VIP fails to migrate, health checks fail, errors in the log
# 1) Stop the service
systemctl stop keepalived
# 2) Restore the binary and configuration (use the date suffix of the baseline you recorded)
cp -a /var/backups/keepalived.conf.2024-01-01 /etc/keepalived/keepalived.conf
cp -a /var/backups/keepalived.service.2024-01-01 /etc/systemd/system/keepalived.service
cp -a /var/backups/keepalived.bin.2024-01-01 /usr/sbin/keepalived
#    For a package-managed install, prefer the package manager: yum downgrade keepalived
# 3) Start and verify
systemctl daemon-reload
systemctl start keepalived
journalctl -u keepalived -n 50 --no-pager
# Expected result: back on the validated version, no error messages in the log
```
Troubleshooting essentials (examples)
```bash
# 1) Configuration syntax errors
keepalived -t -f /etc/keepalived/keepalived.conf
# 2) VRRP heartbeats not getting through
tcpdump -ni any vrrp
# 3) VIP does not migrate
ip addr show | grep -A2 "inet 10.0.0.100"
journalctl -u keepalived -n 100 --no-pager
# 4) Script execution failures
grep -n "script" /var/log/messages
journalctl -u keepalived | grep -i script    # on hosts that log only to the journal
```
Exercises
- On the backup node, upgrade Keepalived with the package manager, verify VIP migration, and record the version difference before and after the upgrade.
- Simulate the risk of overly permissive script permissions, tighten them, and confirm the script still runs.
- Use tcpdump to verify that VRRP traffic is visible only within the allowed subnet.
- Follow the rollback procedure to restore the baseline version and verify that failover is stable.