NethServer · Tbaile · Mar 3, 2026 · Mar 3, 2026 · Mar 3, 2026
diff --git a/packages/keepalived/files/lib/functions/keepalived/hotplug.sh b/packages/keepalived/files/lib/functions/keepalived/hotplug.sh
@@ -148,20 +148,20 @@ sync_and_restart() {
 
 _notify_master() {
 	if master_and_reload; then
-		log_info "reload service $SERVICE_NAME"
+		log_info "reload service $SERVICE_NAME, reason master_and_reload"
 		_reload_service
 	elif master_and_restart; then
-		log_info "restart service $SERVICE_NAME"
+		log_info "restart service $SERVICE_NAME, reason master_and_restart"
 		_restart_service
 	fi
 }
 
 _notify_backup() {
 	if backup_and_stop; then
-		log_info "stop service $SERVICE_NAME"
+		log_info "stop service $SERVICE_NAME, reason backup_and_stop"
 		_stop_service
 	elif backup_and_reload; then
-		log_info "restart service $SERVICE_NAME"
+		log_info "restart service $SERVICE_NAME, reason backup_and_reload"
 		_restart_service
 	fi
 }
@@ -172,10 +172,10 @@ _notify_fault() {
 
 _notify_sync() {
 	if sync_and_reload; then
-		log_info "reload service $SERVICE_NAME"
+		log_info "reload service $SERVICE_NAME, reason sync_and_reload"
 		_reload_service
 	elif sync_and_restart; then
-		log_info "restart service $SERVICE_NAME"
+		log_info "restart service $SERVICE_NAME, reason sync_and_restart"
 		_restart_service
 	fi
 }

diff --git a/packages/ns-ha/Makefile b/packages/ns-ha/Makefile
@@ -46,6 +46,7 @@ define Package/ns-ha/install
 	$(INSTALL_BIN) ./files/ns-ha-export $(1)/usr/libexec/
 	$(INSTALL_BIN) ./files/ns-ha-import $(1)/usr/libexec/
 	$(INSTALL_BIN) ./files/ns-ha-config $(1)/usr/sbin
+	$(INSTALL_DATA) ./files/00-lock $(1)/etc/hotplug.d/keepalived
 	$(INSTALL_DATA) ./files/10-adjust $(1)/etc/hotplug.d/keepalived
 	$(INSTALL_DATA) ./files/500-dhcp-force $(1)/etc/hotplug.d/keepalived
 	$(INSTALL_DATA) ./files/500-nathelpers $(1)/etc/hotplug.d/keepalived
@@ -71,6 +72,7 @@ define Package/ns-ha/install
 	$(INSTALL_DATA) ./files/900-ddns $(1)/etc/hotplug.d/keepalived
 	$(INSTALL_DATA) ./files/100-conntrackd $(1)/etc/hotplug.d/keepalived
 	$(INSTALL_DATA) ./files/999-stop-fault $(1)/etc/hotplug.d/keepalived
+	$(INSTALL_DATA) ./files/999-unlock $(1)/etc/hotplug.d/keepalived
 	$(INSTALL_DATA) ./files/ns.sh $(1)/lib/functions/keepalived
 	$(INSTALL_DATA) ./files/99-ns-ha.sh $(1)/etc/profile.d
 	$(INSTALL_BIN) ./files/conntrackd.sh $(1)/usr/libexec/

diff --git a/packages/ns-ha/files/00-lock b/packages/ns-ha/files/00-lock
@@ -0,0 +1,37 @@
+#!/bin/sh
+#
+# Copyright (C) 2026 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Acquire a global serialization lock for keepalived state-transition events
+# (NOTIFY_MASTER, NOTIFY_BACKUP, NOTIFY_FAULT, NOTIFY_STOP) to prevent
+# concurrent hotplug chains from racing when keepalived transitions happen in
+# quick succession.
+#
+# The lock is released by 999-unlock at the end of the hotplug chain.
+# Because hotplug-call sources each script in a subshell, a flag file is used
+# to communicate whether the lock was actually acquired to 999-unlock.
+#
+# On timeout (60 s) the event proceeds with a warning rather than being dropped,
+# to avoid leaving the system in an inconsistent state.
+
+case "$ACTION" in
+	NOTIFY_MASTER|NOTIFY_BACKUP|NOTIFY_FAULT|NOTIFY_STOP) ;;
+	*) return 0 2>/dev/null || exit 0 ;;
+esac
+
+LOCKFILE="/var/lock/keepalived-hotplug.lock"
+ACQUIRED_FLAG="/var/lock/keepalived-hotplug-acquired"
+TIMEOUT=60
+elapsed=0
+
+while [ "$elapsed" -lt "$TIMEOUT" ]; do
+	if lock -n "$LOCKFILE" > /dev/null 2>&1; then
+		touch "$ACQUIRED_FLAG"
+		return 0 2>/dev/null || exit 0
+	fi
+	sleep 1
+	elapsed=$((elapsed + 1))
+done
+
+logger -t ns-ha "WARNING: lock timeout after ${TIMEOUT}s waiting for previous $ACTION event to complete, proceeding anyway"
diff --git a/packages/ns-ha/files/999-unlock b/packages/ns-ha/files/999-unlock
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Copyright (C) 2026 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Release the global keepalived hotplug lock acquired by 00-lock.
+# Only acts when the flag file created by 00-lock is present — this avoids
+# incorrectly releasing a lock held by a concurrent event in the rare case
+# where 00-lock timed out and proceeded without acquiring the lock.
+
+case "$ACTION" in
+	NOTIFY_MASTER|NOTIFY_BACKUP|NOTIFY_FAULT|NOTIFY_STOP) ;;
+	*) return 0 2>/dev/null || exit 0 ;;
+esac
+
+LOCKFILE="/var/lock/keepalived-hotplug.lock"
+ACQUIRED_FLAG="/var/lock/keepalived-hotplug-acquired"
+
+if [ -f "$ACQUIRED_FLAG" ]; then
+	rm -f "$ACQUIRED_FLAG"
+	lock -u "$LOCKFILE"
+fi