From 8f51bc9ff5c4640172d81433ef6df6508fee899e Mon Sep 17 00:00:00 2001
From: Rob Cameron <rcameron@roblox.com>
Date: Fri, 20 Dec 2019 14:55:21 -0800
Subject: [PATCH] Enable GLB Healthcheck to announce VIP/Bind status into BGP

This pull request adds a new feature to GLB healthcheck. It allows it to locally announce the status of a VIP/bind into BGP using a local instance of GoBGP. It integrates with a locally deployed GoBGP daemon to announce the VIP/Bind into BGP when at least one backend is marked healthy. This allows you to prevent a statically announced route via BIRD to black hole traffic for a GLB instance that is unable to talk to its backends. In the event that all backends are marked either inactive or marked as unhealthy GLB healthcheck will withdraw the route. The feature is configurable (see included documentation) and defaults to off. We have been running this in production for a while and it simplified our integration with BGP.
Merge Golang fixes
---
 Makefile                                      |   3 +-
 Vagrantfile                                   |  64 +-
 docs/README.md                                |   1 +
 docs/setup/forwarding-table-config.md         |  37 +-
 docs/setup/gobgp-integration.md               | 146 ++++
 script/Dockerfile.latest                      |  10 +
 script/Dockerfile.stretch                     |  15 +-
 script/cibuild-create-packages                |  26 +-
 script/cibuild-prepare                        |   1 +
 src/glb-director/script/cibuild               |   7 +-
 src/glb-healthcheck/HealthCheckerAnnouce.go   | 734 ++++++++++++++++++
 .../HealthCheckerAppContext.go                |   1 +
 src/glb-healthcheck/Makefile                  |   2 +-
 src/glb-healthcheck/glide.lock                |  78 +-
 src/glb-healthcheck/glide.yaml                |   4 +
 src/glb-healthcheck/main.go                   |  21 +
 src/glb-healthcheck/packaging/version.sh      |   2 +-
 src/glb-redirect/Makefile                     |  10 +-
 18 files changed, 1113 insertions(+), 49 deletions(-)
 create mode 100644 docs/setup/gobgp-integration.md
 create mode 100644 script/Dockerfile.latest
 create mode 100644 src/glb-healthcheck/HealthCheckerAnnouce.go

diff --git a/Makefile b/Makefile
index f3c3ef5..1427070 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,8 @@ mkdeb:
 	cd src/glb-director && script/cibuild
 
 clean:
-	make -C src/glb-redirect clean
+	make -C src/glb-redirect clean && rm -rf ${BUILDDIR}/glb-director_*.deb
 	make -C src/glb-healthcheck clean
 	make -C src/glb-director clean
 	make -C src/glb-director/cli clean
+	make -C src/glb-director/ftctl clean
\ No newline at end of file
diff --git a/Vagrantfile b/Vagrantfile
index 94a62be..7f5bca1 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -6,9 +6,10 @@ Vagrant.configure("2") do |config|
 
   config.vm.synced_folder "src/glb-wireshark-dissector/", "/home/vagrant/.config/wireshark/plugins/glb-wireshark-dissector", type: 'rsync'
 
-  config.vm.provision "shell", inline: <<-SHELL
+  config.vm.provision "shell", name: "Base Host Tool Installation", inline: <<-SHELL
     apt-get update
-    DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump net-tools tshark build-essential libxtables-dev linux-headers-$(uname -r) python-pip jq bird curl
+    DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump net-tools tshark build-essential libxtables-dev python-pip jq bird curl
+    DEBIAN_FRONTEND=noninteractive apt-get install -y linux-headers-$(uname -r)
     groupadd wireshark || true
     usermod -a -G wireshark vagrant || true
     chgrp wireshark /usr/bin/dumpcap
@@ -21,7 +22,7 @@ Vagrant.configure("2") do |config|
     v.vm.network "private_network", ip: "192.168.50.2", virtualbox__intnet: "glb_datacenter_network", :mac=> "001122334455"
     v.vm.hostname = "router"
 
-    v.vm.provision "shell", inline: <<-SHELL
+    v.vm.provision "shell", name: "Enable IPv4 forwarding", inline: <<-SHELL
       if ! grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf; then
         echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
         sysctl -w net.ipv4.ip_forward=1
@@ -35,7 +36,7 @@ Vagrant.configure("2") do |config|
     v.vm.network "private_network", ip: "192.168.40.2", virtualbox__intnet: "glb_user_network"
     v.vm.hostname = "user"
 
-    v.vm.provision "shell", inline: <<-SHELL
+    v.vm.provision "shell", name: "Configure routes", inline: <<-SHELL
       /vagrant/script/helpers/configure-vagrant-user.sh
 
       ip addr add 192.168.40.50/24 dev eth1 || true
@@ -66,7 +67,7 @@ Vagrant.configure("2") do |config|
         vb.customize ["setextradata", :id, "VBoxInternal/CPUM/SSE4.2", "1"]
       end
 
-      v.vm.provision "shell", inline: <<-SHELL
+      v.vm.provision "shell", name: "Huge pages configuration", inline: <<-SHELL
         mkdir -p /mnt/huge
         if ! grep -q 'hugetlbfs' /etc/fstab; then
           echo 'hugetlbfs /mnt/huge hugetlbfs mode=1770 0 0' >>/etc/fstab
@@ -78,40 +79,57 @@ Vagrant.configure("2") do |config|
         fi
       SHELL
 
+      v.vm.provision "shell", name: "Update Kernel", inline: <<-SHELL
+        apt-get update
+        DEBIAN_FRONTEND=noninteractive apt-get install -y linux-image-amd64
+        DEBIAN_FRONTEND=noninteractive apt-get install -y apt-transport-https curl
+      SHELL
+
+      # reload VM to pick up the new kernel so the correct header files can be installed
+      v.vm.provision :reload
+      v.vm.synced_folder ".", "/vagrant", type: "rsync"
+
       # install DPDK et al.
-      v.vm.provision "shell", inline: <<-SHELL
-        apt-get install -y apt-transport-https curl
+      v.vm.provision "shell", run: "always", name: "Install DPDK and enable DPDK modules", inline: <<-SHELL
         echo 'deb http://ftp.debian.org/debian stretch-backports main' >/etc/apt/sources.list.d/backports.list
         apt-get update
         curl -s https://packagecloud.io/install/repositories/github/unofficial-dpdk-stable/script.deb.sh | sudo bash
-        apt-get install -y linux-headers-`(uname -r)` # dpdk requires this for the current kernel, but won't block if not installed
-        apt-get install -y python-pip dpdk-dev=17.11.1-6 dpdk=17.11.1-6 dpdk-rte-kni-dkms dpdk-igb-uio-dkms libjansson-dev
-        apt-get install -y valgrind vim tcpdump clang golang
-
+        DEBIAN_FRONTEND=noninteractive apt-get install -y linux-headers-`(uname -r)` # dpdk requires this for the current kernel, but won't block if not installed
+        DEBIAN_FRONTEND=noninteractive apt-get install -y python-pip dpdk-dev=17.11.1-6 dpdk=17.11.1-6 dpdk-rte-kni-dkms dpdk-igb-uio-dkms libjansson-dev
+        DEBIAN_FRONTEND=noninteractive apt-get install -y valgrind vim tcpdump clang
+
+        #Install an updated version of Golang that matches Debian Latest
+        curl -s https://dl.google.com/go/go1.11.6.linux-amd64.tar.gz -o /tmp/go1.11.6.linux-amd64.tar.gz
+        tar -C /usr/local -xzf /tmp/go1.11.6.linux-amd64.tar.gz
+        ln -s /usr/local/go/bin/go /usr/bin/
+        ln -s /usr/local/go/bin/godoc /usr/bin/
+        ln -s /usr/local/go/bin/gofmt /usr/bin/
+
+        echo "Setting modules to load"
         echo 'rte_kni' >/etc/modules-load.d/dpdk
         echo 'igb_uio' >>/etc/modules-load.d/dpdk
       SHELL
 
-      v.vm.provision "shell", run: "always", inline: <<-SHELL
+      v.vm.provision "shell", run: "always", name: "Modprobe DPDK modules", inline: <<-SHELL
         modprobe rte_kni
         modprobe igb_uio
       SHELL
 
       if install_example_setup
         # example setup
-        v.vm.provision "shell", run: "always", inline: <<-SHELL
+        v.vm.provision "shell", run: "always", name: "Install and configure GLB director", inline: <<-SHELL
           ifdown eth1
           dpdk-devbind --bind=igb_uio eth1
           dpdk-devbind --status
 
-          apt install /vagrant/tmp/build/glb-director_*.deb
-          apt install /vagrant/tmp/build/glb-healthcheck_*.deb
+          DEBIAN_FRONTEND=noninteractive apt install /vagrant/tmp/build/glb-director_*.deb
+          DEBIAN_FRONTEND=noninteractive apt install /vagrant/tmp/build/glb-healthcheck_*.deb
 
           /vagrant/script/helpers/configure-vagrant-director.sh "#{ipv4_addr}"
         SHELL
       else
         # test setup
-        v.vm.provision "shell", run: "always", inline: <<-SHELL
+        v.vm.provision "shell", run: "always", name: "Configure IPv6", inline: <<-SHELL
           ip addr add #{ipv6_addr} dev eth1 || true
         SHELL
       end
@@ -124,12 +142,22 @@ Vagrant.configure("2") do |config|
 
       v.vm.network "private_network", ip: ipv4_addr, virtualbox__intnet: "glb_datacenter_network"
 
-      v.vm.provision "shell", inline: <<-SHELL
+      v.vm.provision "shell", name: "Update Kernel", inline: <<-SHELL
+        apt-get update
+        DEBIAN_FRONTEND=noninteractive apt-get install -y linux-image-amd64
+        DEBIAN_FRONTEND=noninteractive apt-get install -y apt-transport-https curl
+      SHELL
+
+      # reload VM to pick up the new kernel so the correct header files can be installed
+      v.vm.provision :reload
+      v.vm.synced_folder ".", "/vagrant", type: "rsync"
+
+      v.vm.provision "shell", name: "Install hello world HTML", inline: <<-SHELL
         DEBIAN_FRONTEND=noninteractive apt-get install -y nginx
         echo "hello world from #{name} via GLB" >/var/www/html/index.html
       SHELL
 
-      v.vm.provision "shell", run: "always", inline: <<-SHELL
+      v.vm.provision "shell", run: "always", name: "Configure Tunnel Interfaces", inline: <<-SHELL
         modprobe fou
         modprobe sit
         ip link set up dev tunl0 || true
diff --git a/docs/README.md b/docs/README.md
index 1e2e61f..67ae995 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -8,6 +8,7 @@
  * [glb-director component configuration options](./setup/glb-director-configuration.md) - configuration options for the GLB Director and discussion of NIC/Port and CPU Core configuration.
  * [Forwarding table configuration & healthchecks](./setup/forwarding-table-config.md) - Configuring the GLB forwarding table, and the director->proxy healthcheck process.
  * [Backend proxy server setup](./setup/backend-proxy-setup.md) - Configuring the backend TCP/proxy tier servers.
+ * [Integrating with GoBGP](./setup/gobgp-integration.md) - Optional feature for announcing VIPs/Binds via GoBGP
 
 Some notable known limitations / design decisions of the current implementation:
  * The datacenter internal MTU is expected to be large enough to encapsulate any user packet inside a GUE header. We use jumbo frames (9000+ MTU) within the datacenter with a transit/internet MTU of 1500. GLB Director will not fragment packets if they are too large.
diff --git a/docs/setup/forwarding-table-config.md b/docs/setup/forwarding-table-config.md
index c7a732e..b82bc12 100644
--- a/docs/setup/forwarding-table-config.md
+++ b/docs/setup/forwarding-table-config.md
@@ -122,8 +122,43 @@ If `glb-healthcheck` is used, a backend will be considered down if either the `g
     "src": "/etc/glb/forwarding_table.src.json",
     "dst": "/etc/glb/forwarding_table.checked.json"
   },
-  "reload_command": "glb-director-cli build-config /etc/glb/forwarding_table.checked.json /etc/glb/forwarding_table.checked.bin && systemctl reload glb-director"
+  "reload_command": "glb-director-cli build-config /etc/glb/forwarding_table.checked.json /etc/glb/forwarding_table.checked.bin && systemctl reload glb-director",
+  "gobgp_config": {
+    "address": "127.0.0.1:50051",
+    "nexthop": "192.168.50.6",
+    "nexthop_ipv6": "fdb4:98ce:52d4::1",
+    "communities": [ "65000:1234", "65000:5678" ], 
+  },
 }
 ```
+### `forwarding_table` 
+
+_required_
+
+specifies which forwarding tables are used for glb-healtcheck
+
+`src` the source forwarding table that is created by the user
+`dst` the destination forwarding table that is generated by glb-healthcheck
+
+### `reload_command` 
+
+_required_
 
 This instructs the healthchecker to load `/etc/glb/forwarding_table.src.json`, perform any checks defined inside it, and keep a `/etc/glb/forwarding_table.checked.json` up to date with valid/live health state. Any time it changes the `dst` file, it also runs the reload command (which in this case compiles the table and reloads the director to pick up those changes).
+
+### `gobgp_config`
+
+_optional_
+
+This instructs the health checker to integrate with a [GoBGP](https://github.com/osrg/gobgp) daemon. It communicates over
+gRPC to announce the status of the GLB binds or VIPs. When a bind/VIP is healthy the path will be announced with the configured
+next hop address. The setting `nexthop` is used for IPv4 bind/VIPs and `nexthop_ipv6` is used for IPv6 bind/VIPs. If the protocol
+specific next hop is not configured, then it will not be able to announce the route. If the `address` is not configured (default) this feature will not be enabled.
+
+`address` _required_ The gRPC address for the GoBGP daemon. This typically is `172.0.0.1:50051` assuming you have the BGP daemon installed locally.
+
+`nexthop` _required_ The IPv4 next hop address to use for route announcements. This is required if you have IPv4 bind/VIPs.
+
+`nexthop_ipv6` _optional_ The IPv6 next hop address to use for route announcements. This is only required if you are using IPv6 binds/VIPs.
+
+`communities` _optional_ A list of BGP communities you wish to use for tagging routes
\ No newline at end of file
diff --git a/docs/setup/gobgp-integration.md b/docs/setup/gobgp-integration.md
new file mode 100644
index 0000000..15f071d
--- /dev/null
+++ b/docs/setup/gobgp-integration.md
@@ -0,0 +1,146 @@
+# GoBGP integration
+
+When using Github Load Balancer (GLB), you need to inform the upstream network
+devices about which bind or VIPs that your services are listening on. In the provided
+example Vagrant topology the BIRD BGP daemon is used for announcing routes for the available
+bind/VIPs configured on GLB. This is an excellent solution for integrating with upstream routers
+and announcing available VIPs. The drawback is that this is a static announcement that provides
+no validation of the actual VIP is healthy.
+
+Within the glb-healthcheck service it provides all the available health checking to understand the
+state for all the backends associated with a VIP. The glb-healthcheck service can to talk to a local
+instance of [GoBGP](https://github.com/osrg/gobgp) and use that as the method for announcing the VIPs
+to the upstream routers via BGP. This allows the state of the binds to determine if a route should be
+announced or not. This prevents the GLB node from potentially black holing or dropping traffic to VIPs
+that are not ready to serve traffic.
+
+## Enabling GoBGP integration
+
+To enable the integration with GoBGP you must configure the glb-healthcheck service to use the local GoBGP
+daemon. The required configurtion must be set in the `healthcheck.conf` file, more details for the configuration
+options can be found [here](./setup/forwarding-table-config.md).
+
+## Running GoBGP
+
+You must install the GoBGP daemon locally so glb-healthcheck is able to communicate with it. You can download the
+[latest release](https://github.com/osrg/gobgp/releases) bundle. It includes gobgpd (daemon) and gobgp (tool to interact with the
+daemon) in its release file. Place the binaries on your system and set it up as a systemd service.
+
+### Systemd service definition
+
+To enable GoBGP as a systemd service this service definition can be placed in `/lib/systemd/system/gobgp.service`. Once 
+added you will need to run `systemctl daemon-reload` to pickup the new service. The service definition below requires there
+to be a local `gobgpd` user for the service to run as. This prevents it from needing to run as `root`.
+
+```
+[Unit]
+Description=GoBGP Daemon
+After=network.target network-online.target
+Wants=network.target
+
+[Service]
+Type=simple
+Restart=always
+Environment="PATH=/usr/local/bin:/usr/bin:/bin"
+ExecStart=/usr/local/sbin/gobgpd --api-hosts=127.0.0.1:50051 -f /etc/gobgp/config.toml
+ExecReload=/bin/kill -HUP $MAINPID
+KillSignal=TERM
+User=gobgpd
+WorkingDirectory=/etc/gobgp
+TimeoutStopSec=3
+
+[Install]
+WantedBy=multi-user.target
+```
+
+### Listening on low port without running as root
+
+To enable the service to listen on TCP port 179 without running as root we can enable the capacity directly on the binary.
+
+```
+# setcap cap_net_bind_service=+ep /usr/local/sbin/gobgpd
+# chown gobgpd:gobgpd /usr/local/sbin/gobgpd
+```
+
+### Base GoBGP Configuration
+
+Below is a simple base configuration that will announce any routes that are added to GoBGP to its upstream
+neighbor. There are many [configuration options](https://github.com/osrg/gobgp/blob/master/docs/sources/configuration.md)
+available for GoBGP. Currently within glb-healthcheck GoBGP is only used for IPv4 or IPv6 route announcements. In the future
+other features of GoBGP could be used such as flowspec integration.
+
+```
+[global.config]
+    as = 65000
+    router-id = "1.1.1.1"
+
+# configure each remote neighbor
+[[neighbors]]
+    [neighbors.config]
+        neighbor-address = "172.31.2.168"
+        peer-as = 65001
+    [neighbors.apply-policy.config] # only export routes, do not recieve them
+        export-policy-list = ["export-all-ipv4", "export-all-ipv6"]
+        default-export-policy = "accept-route"
+    [[neighbors.afi-safis]] # enable upstream IPv4
+        [neighbors.afi-safis.config]
+        afi-safi-name = "ipv4-unicast"
+    [[neighbors.afi-safis]] # enable upstream IPv6
+        [neighbors.afi-safis.config]
+        afi-safi-name = "ipv6-unicast"
+        
+# Prefix list to match any IPv4 address
+[[defined-sets.prefix-sets]]
+    prefix-set-name = "any-ipv4"
+    [[defined-sets.prefix-sets.prefix-list]]
+        ip-prefix = "0.0.0.0/0"
+
+# Prefix list to match any IPv6 address
+[[defined-sets.prefix-sets]]
+    prefix-set-name = "any-ipv6"
+    [[defined-sets.prefix-sets.prefix-list]]
+        ip-prefix = "::/0"
+
+# Export policy to export any IPv4 addresses
+[[policy-definitions]]
+    name = "export-all-ipv4"
+    [[policy-definitions.statements]]
+        name = "export-ipv4-all-match"
+        [policy-definitions.statements.conditions.match-prefix-set]
+        prefix-set = "any-ipv4"
+        [policy-definitions.statements.actions]
+        route-disposition = "accept-route"
+
+# Export policy to export any IPv6 addresses
+[[policy-definitions]]
+    name = "export-all-ipv6"
+    [[policy-definitions.statements]]
+        name = "export-ipv6-all-match"
+        [policy-definitions.statements.conditions.match-prefix-set]
+        prefix-set = "any-ipv6"
+        [policy-definitions.statements.actions]
+        route-disposition = "accept-route"
+```
+
+## How it works
+
+After every run of the glb-healthcheck the GoBGP integration will take the results and determine which binds to announce. It
+will only announce routes for binds with healthy backends. The route will be refreshed for every successful health check cycle.
+Once all of the backends for a specific bind have failed health checks, the route will be withdrawn automatically. 
+
+If a bind is removed from one of the forwarding tables it will automatically be removed at the end of the next run. The state
+of the routes is stored within glb-healthcheck. In the event that you want to gracefully retire a VIP you can drain each backend. Once 
+the backends are all set to `inactive` state then the routes will be automatically withdrawn. This prevents accidently dropping traffic
+by sending traffic to a bind in which all backends are set to `inactive`.
+
+## Cleaning up routes
+
+If any announced routes get out of sync you can manually remove them from the GoBGP daemon. You can restart GoBGP and this will
+remove any routes loaded. This will be disruptive as it will force your instance of GoBGP to reset all of its neighbor connections.
+Alternatively you can delete routes using the control plane CLI tool `gobgp`.
+
+```
+# gobgp global rib del <prefix> [-a <address family>]
+$ gobgp global rib del 1.1.1.1/32
+$ gobgp global rib del 2001:dead:beef::1/128 -a ipv6
+```
\ No newline at end of file
diff --git a/script/Dockerfile.latest b/script/Dockerfile.latest
new file mode 100644
index 0000000..e3d3528
--- /dev/null
+++ b/script/Dockerfile.latest
@@ -0,0 +1,10 @@
+FROM debian:latest
+
+RUN apt-get update && apt-get install -y build-essential debhelper wget pkg-config
+
+# golang
+RUN apt-get update && apt-get install -y golang golang-glide
+
+# fpm for packaging
+RUN apt-get update && apt-get install -y ruby ruby-dev rubygems build-essential
+RUN gem install --no-ri --no-rdoc rake fpm
\ No newline at end of file
diff --git a/script/Dockerfile.stretch b/script/Dockerfile.stretch
index 4f71e8e..cd31675 100644
--- a/script/Dockerfile.stretch
+++ b/script/Dockerfile.stretch
@@ -3,20 +3,15 @@ FROM debian:stretch
 RUN echo 'deb http://ftp.debian.org/debian stretch-backports main' >>/etc/apt/sources.list
 RUN apt-get update && apt-get -y install curl
 
-# DPDK 
+# DPDK
 RUN curl -s https://packagecloud.io/install/repositories/github/unofficial-dpdk-stable/script.deb.sh | bash
-RUN apt-get update && apt-get install -y build-essential dpdk dpdk-dev wget pkg-config libjansson-dev
+RUN apt-get update && apt-get install -y build-essential dpdk dpdk-dev wget pkg-config libjansson-dev ruby ruby-dev
 
 # iptables / DKMS
 RUN apt-get update && apt-get install -y iptables-dev dkms debhelper libxtables-dev
 
-# golang
-RUN apt-get update && apt-get install -y golang golang-glide
-
-# fpm for packaging
-RUN apt-get update && apt-get install -y ruby ruby-dev rubygems build-essential
-RUN gem install --no-ri --no-rdoc rake fpm
-
 # patch DKMS for source package generation https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832558
 ADD helpers/dkms.diff /root/dkms.diff
-RUN patch -d /usr/sbin </root/dkms.diff
+
+RUN patch -d /usr/sbin </root/dkms.diff;
+RUN gem install --no-ri --no-rdoc rake fpm
\ No newline at end of file
diff --git a/script/cibuild-create-packages b/script/cibuild-create-packages
index 8cf9fa3..654c25b 100755
--- a/script/cibuild-create-packages
+++ b/script/cibuild-create-packages
@@ -9,7 +9,12 @@ cd "$(dirname "$0")/.."
 
 begin_fold "Preparing Docker build environment"
 (
-  docker build -t glb-director-build-stretch -f script/Dockerfile.stretch script
+  # Container for glb-healthcheck
+  docker build -t glb-healthcheck -f script/Dockerfile.latest script
+
+  # Container for glb-director and glb-redirect
+  docker build -t glb-director-redirect -f script/Dockerfile.stretch script
+
 )
 end_fold
 
@@ -20,9 +25,18 @@ begin_fold "Building packages"
   mkdir -p tmp/build/
 
   docker run --rm \
-    --volume "$HOSTPATH":/glb-director \
-    "glb-director-build-stretch" \
-    bash -c "cd /glb-director &&
-      make BUILDDIR=/glb-director/tmp/build clean mkdeb"
+    --volume "$HOSTPATH":/glb \
+    "glb-healthcheck" \
+    bash -c "cd /glb/src/glb-healthcheck && \
+		make BUILDDIR=/glb/tmp/build clean mkdeb"
+
+  docker run --rm \
+    --volume "$HOSTPATH":/glb \
+    "glb-director-redirect" \
+    bash -c "cd /glb/tmp/build && \
+		 /glb/src/glb-director/script/cibuild /glb/tmp/build  && \
+		 cd /glb/src/glb-redirect && \
+		 make BUILDDIR=/glb/tmp/build clean mkdeb"
+
 )
-end_fold
+end_fold
\ No newline at end of file
diff --git a/script/cibuild-prepare b/script/cibuild-prepare
index 76a77f2..d388d66 100755
--- a/script/cibuild-prepare
+++ b/script/cibuild-prepare
@@ -11,6 +11,7 @@ GLB_REDIRECT_VERSION="$( source src/glb-redirect/dkms.conf; echo $PACKAGE_VERSIO
 
 begin_fold "Bringing up and syncing vagrant test environment"
 (
+  vagrant plugin install vagrant-reload
   vagrant up
 
   script/helpers/prepare-vagrant director-test
diff --git a/src/glb-director/script/cibuild b/src/glb-director/script/cibuild
index ac19699..738ec11 100755
--- a/src/glb-director/script/cibuild
+++ b/src/glb-director/script/cibuild
@@ -33,6 +33,7 @@
 set -e
 ROOTDIR=$(dirname $0)/..
 cd $ROOTDIR
+BUILDDIR=$1
 
 . packaging/version.sh
 
@@ -60,9 +61,9 @@ fpm -f -s dir -t deb \
 	packaging/forwarding_table.bin=/etc/glb/ \
 	packaging/glb-director=/etc/default/
 
-if [ -d "$BUILDDIR" ]; then
-  cp glb-director_${GLB_DIRECTOR_VERSION}_amd64.deb $BUILDDIR/
+if [ -d "${BUILDDIR}" ]; then
+  mv glb-director_${GLB_DIRECTOR_VERSION}_amd64.deb ${BUILDDIR}/
 fi
 
 make clean
-make -C cli clean
+make -C cli clean
\ No newline at end of file
diff --git a/src/glb-healthcheck/HealthCheckerAnnouce.go b/src/glb-healthcheck/HealthCheckerAnnouce.go
new file mode 100644
index 0000000..3f5a8c4
--- /dev/null
+++ b/src/glb-healthcheck/HealthCheckerAnnouce.go
@@ -0,0 +1,734 @@
+/*
+ * BSD 3-Clause License
+ *
+ * Copyright (c) 2018 GitHub.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice, this
+ *   list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright notice,
+ *   this list of conditions and the following disclaimer in the documentation
+ *   and/or other materials provided with the distribution.
+ *
+ * * Neither the name of the copyright holder nor the names of its
+ *   contributors may be used to endorse or promote products derived from
+ *   this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package main
+
+import (
+	"context"
+	"errors"
+	"expvar"
+	"fmt"
+	"github.com/golang/protobuf/ptypes"
+	"github.com/golang/protobuf/ptypes/any"
+	gobgpapi "github.com/osrg/gobgp/api"
+	"github.com/osrg/gobgp/pkg/packet/bgp"
+	"github.com/sirupsen/logrus"
+	log "github.com/sirupsen/logrus"
+	"google.golang.org/grpc"
+	"io"
+	"net"
+	"regexp"
+	"strconv"
+	"sync"
+	"time"
+)
+
+var (
+	// announceCounters counters specific to the health check announce
+	announceCounters = expvar.NewMap("HealthCheckerAnnounce")
+	// regexpCommunity
+	regexpCommunity = regexp.MustCompile(`(\d+):(\d+)`)
+)
+
+
+const (
+	// AnnounceMaxReconnectDelay maximum reconnect delay for gRPC back off, prevents long wait times to reconnect
+	AnnounceMaxReconnectDelay = time.Millisecond * 100
+)
+
+// GoBGPConfig configuration to connect to GoBGP
+type GoBGPConfig struct {
+	Address     string `json:"address"`       // Address and port for connecting to GoBGP
+	NextHop     string `json:"nexthop"`       // next hop IP address to use for routes
+	NextHopIPv6 string `json:"nexthop_ipv6"`  // next hop address for IPv6
+	Communities []string `json:"communities"` // communities used to export routes
+}
+
+// Binds map of binds with useful metadata that describes more information about the bind/vips
+type Binds map[string]*BindMeta
+
+// BindMeta bind metadata to simplify usage of binds/vip to calculated data
+type BindMeta struct {
+	BindIP    string // BindIP the IP address of the Bind/VIP
+	IPVersion int    // IP protocol version supported
+	BitMask   string // The bitmask length to announce
+	Path      string // Path path or host route to announce
+	NextHop   string // Next hop associated with the bind
+}
+
+// NewBindMeta creates an initialized bind meta
+func NewBindMeta(ipAddr string) (bm *BindMeta, err error) {
+
+	bm = &BindMeta{BindIP: ipAddr}
+
+	bm.IPVersion, err = ipVersion(ipAddr)
+	if err != nil {
+		return bm, err
+	}
+
+	// set to announce host routes for the VIP
+	// this could be configurable in the future
+	switch bm.IPVersion {
+	case 4:
+		bm.BitMask = "32"
+	case 6:
+		bm.BitMask = "128"
+	}
+
+	// calculate the path/prefix that will be announced
+	bm.Path = fmt.Sprintf("%s/%s", bm.BindIP, bm.BitMask)
+
+	return bm, nil
+}
+
+// AnnounceRuntime used to measure the run time of an announce step
+// created to be compatible with the expvar.Var interface
+type AnnounceRuntime struct {
+	value time.Duration
+}
+
+// NewAnnounceRuntime create new announce runtime
+func NewAnnounceRuntime(runTime time.Duration) *AnnounceRuntime {
+	return &AnnounceRuntime{value: runTime}
+}
+
+// String return the string value of the runtime duration
+func (ar *AnnounceRuntime) String() string {
+	return fmt.Sprintf("%s", strconv.FormatInt(ar.value.Nanoseconds(), 10))
+}
+
+// HealthCheckerAnnounce allows for announcing the status of a VIP as a BGP route
+type HealthCheckerAnnounce struct {
+	clientOpt  []grpc.DialOption  // clientOpt gRPC client options to communicate with the local GoBGP daemon
+	logContext *logrus.Entry      // Logging context for logging output
+	config     *GoBGPConfig       // Config elements required to configure interaction with GoBGP
+	activeRoutes map[string]Binds // Keeping track of actively announced binds by table, useful for revoking removed binds
+
+	sync.Mutex                    // locking used to prevent multiple instances of the route update loop from running at once
+	enabled bool                  // enabled a simple bool to determine if the announce feature is configured to run
+}
+
+// NewHealthCheckerAnnounce creates a new instance of HealthCheckerAnnounce
+func NewHealthCheckerAnnounce(config *GoBGPConfig, log *logrus.Entry) (*HealthCheckerAnnounce, error) {
+	hca := &HealthCheckerAnnounce{logContext: log,
+		config: config,
+		activeRoutes: make(map[string]Binds)}
+
+	if hca.config.Address == "" {
+		hca.logContext.Errorf("Address for BGP client is not defined, disabling feature")
+
+		hca.enabled = false
+
+		return hca, nil
+	} else {
+		hca.enabled = true
+	}
+
+	// Create base gRPC connection options
+	hca.clientOpt = []grpc.DialOption{grpc.WithBlock()}
+
+	// set max back off delay
+	hca.clientOpt = append(hca.clientOpt, grpc.WithBackoffMaxDelay(AnnounceMaxReconnectDelay))
+
+	// Connect without TLS, TLS to GoBGP is only really useful between hosts
+	hca.clientOpt = append(hca.clientOpt, grpc.WithInsecure())
+
+	// Specify TLS isn't enable to the local GoBGP daemon
+	announceCounters.Add("TLSDisabled", 1)
+	// Specify the config has been successfully loaded
+	announceCounters.Add("ConfigLoaded", 1)
+
+	return hca, nil
+}
+
+// gobgpConnect connect to the local GoBGP daemon
+func (hca *HealthCheckerAnnounce) gobgpConnect() (gobgpapi.GobgpApiClient, *grpc.ClientConn ,error) {
+
+	cc, _ := context.WithTimeout(context.Background(), time.Second)
+	conn, err := grpc.DialContext(cc, hca.config.Address, hca.clientOpt...)
+	if err != nil {
+		return nil, conn, err
+	}
+
+	// initialize client
+	client := gobgpapi.NewGobgpApiClient(conn)
+
+	return client, conn, err
+}
+
+// Announce announce healthy paths via GoBGP
+func (hca *HealthCheckerAnnounce) Announce(ft *GLBTableConfig, targetResults map[HealthCheckTarget]HealthResult) error {
+
+	// Time execution of announce loop to ensure we aren't stuck or hitting errors
+	startTime := time.Now()
+	defer func() {
+		announceCounters.Set("LastAnnounceExecTime", NewAnnounceRuntime(time.Since(startTime)))
+	}()
+
+	// Lock to limit to once announce running at a time
+	hca.Lock()
+	defer hca.Unlock()
+
+	// Track all binds across tables
+	globalBinds := make(map[string]Binds)
+
+	// process each table and check the current health check results of its binds
+	for _, table := range ft.Tables {
+
+		// track the health state for a table
+		tableNumHealthy := 0
+		tableNumUnhealthy := 0
+
+		// create a map of binds for a table
+		bindList := make(Binds)
+
+		// get all of the binds for a table and calculate their next hop that we would announce
+		// these will be announced if all the backends for a bind are healthy
+		for _, bind := range table.Binds {
+
+			// create new metadata based upon the bind
+			newBindMeta, err := NewBindMeta(bind.Ip)
+			if err != nil {
+				hca.logContext.WithFields(log.Fields{
+					"bind": bind.Ip,
+				}).Errorf("Error generating bind metadata: %s", err)
+
+				announceCounters.Add("BindIPParseError", 1)
+
+				// something is wrong with the bind address, skip announcing it
+				continue
+			}
+
+			// calculate the bind next hop
+			newBindMeta.NextHop, err = hca.getNextHop(newBindMeta.IPVersion)
+			if err != nil {
+				hca.logContext.WithFields(log.Fields{
+					"bind": bind.Ip,
+					"table": table.Name,
+				}).Errorf("Error determining bind next hop: %s", err)
+
+				announceCounters.Add("PathNextHopResolveError", 1)
+
+				// error determining next hop, skip
+				continue
+			}
+
+			// record bind we want to announce
+			bindList[bind.Ip] = newBindMeta
+
+			// record global bind so we can track if the bind gets removed and we need to reap the route
+			if _, ok := globalBinds[table.Name]; !ok {
+				globalBinds[table.Name] = make(Binds)
+			}
+			globalBinds[table.Name][bind.Ip] = newBindMeta
+
+		}
+
+		// get all of the backends and determine if the bind is healthy or not based upon the state of its backends
+		for _, backend := range table.Backends {
+
+			// if a backend state is marked as inactive lets consider it removed, in GLB director it will still process
+			// a bind where all backends are set to inactive. This allows us to withdraw a path when all backends in a
+			// table are set to inactive.
+			if backend.State == "inactive" {
+				continue
+			}
+
+			// count all the healthy backends to determine if the table is healthy or not
+			successes := 0
+			failures := 0
+			for _, target := range backend.HealthTargets() {
+				if targetResults[target].Healthy {
+					successes++
+				} else {
+					failures++
+				}
+			}
+
+			healthy := failures == 0
+
+			if healthy {
+				tableNumHealthy += 1
+			} else {
+				tableNumUnhealthy += 1
+			}
+		}
+
+		// take actions based on the state of the bind's backends
+		if tableNumHealthy == 0 {
+			// withdraw route for unhealthy binds
+			for k := range bindList {
+
+				// delete the annouced path from GoBGP daemon
+				if err := hca.DeletePath(bindList[k].Path, bindList[k].NextHop); err != nil {
+					hca.logContext.WithFields(log.Fields{
+						"bind":    k,
+						"nextHop": bindList[k].NextHop,
+						"table": table.Name,
+					}).Errorf("Error removing route: %s", err)
+
+					// error deleting bind, skip
+					continue
+				}
+
+				// remove route from active routes
+				if _, ok := hca.activeRoutes[table.Name]; !ok {
+					hca.activeRoutes[table.Name] = make(Binds)
+				} else {
+					delete(hca.activeRoutes[table.Name], k)
+				}
+
+				hca.logContext.WithFields(log.Fields{
+					"bind":    k,
+					"nextHop": bindList[k].NextHop,
+					"table": table.Name,
+					"action": "delete",
+				}).Debug("Removed path for bind")
+
+			}
+
+		} else {
+			// inject route for healthy are partially healthy binds
+			for k := range bindList {
+
+				// announce path to the GoBGP daemon
+				if _, err := hca.AddPath(bindList[k].Path, bindList[k].NextHop); err != nil {
+					hca.logContext.WithFields(log.Fields{
+						"bind":    k,
+						"nextHop": bindList[k].NextHop,
+						"table": table.Name,
+					}).Errorf("Error announcing route: %s", err)
+
+					// error announcing bind, skip
+					continue
+				}
+
+				// store active route in the event it is removed from the table
+				if _, ok := hca.activeRoutes[table.Name]; !ok {
+					hca.activeRoutes[table.Name] = make(Binds)
+				}
+				hca.activeRoutes[table.Name][bindList[k].BindIP] = bindList[k]
+
+				hca.logContext.WithFields(log.Fields{
+					"bind":    k,
+					"nextHop": bindList[k].NextHop,
+					"table": table.Name,
+					"action": "add",
+				}).Debug("Announced path for bind")
+
+			}
+		}
+	}
+
+	// delete any old routes with binds that are no longer in the config
+	// TODO: Can we query GoBGP and reap any non-configured paths? Today we allow users to configure routes independently so this is not currently configured
+	for tableName, binds := range hca.activeRoutes {
+		for k, v := range binds {
+			// bind with active route no longer part of global binds
+			if _, ok := globalBinds[tableName][k]; !ok {
+
+				// If we find that a previous bind is no longer found the path is deleted
+				if err := hca.DeletePath(v.Path, v.NextHop); err != nil {
+					hca.logContext.WithFields(log.Fields{
+						"bind":    k,
+						"nextHop": v.NextHop,
+						"table": tableName,
+					}).Errorf("Error removing route: %s", err)
+
+					// error deleting bind, skip
+					continue
+				}
+
+				// remove route from active routes
+				delete(hca.activeRoutes[tableName], k)
+
+				hca.logContext.WithFields(log.Fields{
+					"bind":    k,
+					"nextHop": v.NextHop,
+					"table": tableName,
+					"action": "delete",
+				}).Debug("Bind removed from forwarding table, deleting route")
+			}
+		}
+	}
+
+	return nil
+}
+
+// ListPaths list paths for a specific address family
+func (hca *HealthCheckerAnnounce) ListPaths(ipVersion int) ([]*gobgpapi.Destination, error) {
+
+	client, conn, err := hca.gobgpConnect()
+	if err != nil {
+		return nil, err
+	}
+	defer func () {
+		err := conn.Close()
+		if err != nil {
+			hca.logContext.WithFields(log.Fields{
+				"gobgp":    "connection error",
+			}).Debug(err)
+		}
+	}()
+
+	// determine which route announcement type we want to look up
+	var afi gobgpapi.Family_Afi
+	switch ipVersion {
+	case 4:
+		afi = gobgpapi.Family_AFI_IP
+	case 6:
+		afi = gobgpapi.Family_AFI_IP6
+	}
+
+	// only request unicast safis
+	stream, err := client.ListPath(context.Background(), &gobgpapi.ListPathRequest{
+		Family: &gobgpapi.Family{
+			Afi:  afi,
+			Safi: gobgpapi.Family_SAFI_UNICAST,
+		},
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	l := make([]*gobgpapi.Destination, 0, 1024)
+	for {
+		r, err := stream.Recv()
+		if err == io.EOF {
+			break
+		} else if err != nil {
+			return l, err
+		}
+		l = append(l, r.Destination)
+	}
+
+	return l, err
+}
+
+// AddPath add a new path to the route table
+func (hca *HealthCheckerAnnounce) AddPath(prefix, nextHop string) ([]byte, error) {
+
+	client, conn, err := hca.gobgpConnect()
+	if err != nil {
+		return nil, err
+	}
+	defer func () {
+		err := conn.Close()
+		if err != nil {
+			hca.logContext.WithFields(log.Fields{
+				"gobgp":    "connection error",
+			}).Debug(err)
+		}
+	}()
+
+	// create the path struct with all of the correct settings
+	path, err := hca.generatePath(prefix, nextHop, 1)
+	if err != nil {
+		announceCounters.Add("RouteAddError", 1)
+		return []byte{}, err
+	}
+
+	// define the path request we will send to the GoBGP daemon
+	pathRequest := &gobgpapi.AddPathRequest{
+		TableType: gobgpapi.TableType_GLOBAL, // use the default global table
+		VrfId:     "",                        // TODO: do not use a VRF, may be enabled in the future
+		Path:      path,
+	}
+
+	stream, err := client.AddPath(context.Background(), pathRequest)
+	if err != nil {
+		announceCounters.Add("RouteAddError", 1)
+		return []byte{}, err
+	}
+
+	announceCounters.Add("RouteAddSent", 1)
+	return stream.GetUuid(), err
+}
+
+// DeletePath remove a path from the route table
+func (hca *HealthCheckerAnnounce) DeletePath(prefix, nextHop string) error {
+
+	client, conn, err := hca.gobgpConnect()
+	if err != nil {
+		return err
+	}
+	defer func () {
+		err := conn.Close()
+		if err != nil {
+			hca.logContext.WithFields(log.Fields{
+				"gobgp":    "connection error",
+			}).Debug(err)
+		}
+	}()
+
+	// Generate a path for the delete path request
+	path, err := hca.generatePath(prefix, nextHop, 1)
+	if err != nil {
+		announceCounters.Add("RouteDeleteError", 1)
+		return err
+	}
+
+	pathRequest := &gobgpapi.DeletePathRequest{
+		TableType: gobgpapi.TableType_GLOBAL, // use the default global table
+		VrfId:     "",                        // TODO: do not use a VRF, may be enabled in the future
+		Path:      path,
+	}
+
+	_, err = client.DeletePath(context.Background(), pathRequest)
+	if err != nil {
+		announceCounters.Add("RouteDeleteError", 1)
+		return err
+	}
+
+	announceCounters.Add("RouteDeleteSent", 1)
+	return nil
+}
+
+// ListPeers list BGP neighbors
+func (hca *HealthCheckerAnnounce) ListPeers() ([]*gobgpapi.Peer, error) {
+
+	client, conn, err := hca.gobgpConnect()
+	if err != nil {
+		return nil, err
+	}
+	defer func () {
+		err := conn.Close()
+		if err != nil {
+			hca.logContext.WithFields(log.Fields{
+				"gobgp":    "connection error",
+			}).Debug(err)
+		}
+	}()
+
+	// Fetch all of the currently configured peers/neighbors
+	stream, err := client.ListPeer(context.Background(), &gobgpapi.ListPeerRequest{})
+	if err != nil {
+		return nil, err
+	}
+
+	l := make([]*gobgpapi.Peer, 0, 1024)
+	for {
+		r, err := stream.Recv()
+		if err == io.EOF {
+			break
+		} else if err != nil {
+			return l, err
+		}
+		l = append(l, r.Peer)
+	}
+
+	return l, nil
+}
+
+// getNextHop returns the correct next hop based upon the provided configuration file
+func (hca *HealthCheckerAnnounce) getNextHop(ipVersion int) (string, error) {
+	switch ipVersion {
+	case 4:
+		if  hca.config.NextHop != "" {
+			return hca.config.NextHop, nil
+		}
+	case 6:
+		if hca.config.NextHopIPv6 != "" {
+			return hca.config.NextHopIPv6, nil
+		}
+	}
+
+	// If the next hop isn't configured in the daemon return an error
+	return "", errors.New("unable to determine next hop IP version")
+}
+
+// generatePath generates a gobgp path
+// IPv6 paths can incorrectly allow IPv4 next hops, https://github.com/cloudnativelabs/kube-router/issues/605, this is prevented
+func (hca *HealthCheckerAnnounce) generatePath(prefix, nextHop string, identifier uint32) (*gobgpapi.Path, error) {
+
+	// Parse the prefix so we can determine more details about the IP Prefix
+	ipAddr, ipNet, err := net.ParseCIDR(prefix)
+	if err != nil {
+		return nil, err
+	}
+
+	// Parse the next hop
+	nextHopIpAddr := net.ParseIP(nextHop)
+
+	// Determine the route family we want to announce
+	var routeFamily uint16
+	if isV4(ipAddr) {
+		routeFamily = uint16(gobgpapi.Family_AFI_IP)
+	} else if isV6(ipAddr) {
+		routeFamily = uint16(gobgpapi.Family_AFI_IP6)
+	} else {
+		return nil, errors.New("unable to determine IP protocol Version")
+	}
+
+	// Create NLRI
+	var newNLRI *any.Any
+	maskLen, _ := ipNet.Mask.Size()
+	newNLRI, _ = ptypes.MarshalAny(&gobgpapi.IPAddressPrefix{
+		Prefix:    ipAddr.String(),
+		PrefixLen: uint32(maskLen),
+	})
+
+	// Create attribute slice
+	pattrs := make([]*any.Any,0)
+
+	// Create the correct NextHopAttr based on route protocol
+	var nextHopAttr *any.Any
+	// generate IPv6 NRLIs
+	if isV6(nextHopIpAddr) {
+		if routeFamily != uint16(gobgpapi.Family_AFI_IP6) {
+			return nil, errors.New("unable to set IPv6 next hop for IPv4 prefix")
+		}
+
+		// create a IPv6 multi-protocol NRLI
+		nextHopAttr, _ = ptypes.MarshalAny(&gobgpapi.MpReachNLRIAttribute{
+			Family: &gobgpapi.Family{
+				Afi:  gobgpapi.Family_Afi(routeFamily),
+				Safi: gobgpapi.Family_SAFI_UNICAST,
+			},
+			NextHops: []string{nextHopIpAddr.String()},
+			Nlris:    []*any.Any{newNLRI},
+		})
+
+		// add to attributes list
+		pattrs = append(pattrs, nextHopAttr)
+
+	// generate IPv4 NRLIs
+	} else if isV4(nextHopIpAddr) {
+		if routeFamily != uint16(gobgpapi.Family_AFI_IP) {
+			return nil, errors.New("unable to set IPv4 next hop for IPv6 prefix")
+		}
+
+		nextHopAttr, _ = ptypes.MarshalAny(&gobgpapi.NextHopAttribute{
+			NextHop: nextHopIpAddr.String(),
+		})
+
+		// add to attributes list
+		pattrs = append(pattrs, nextHopAttr)
+	} else {
+		return nil, errors.New("unable to determine IP protocol for next hop")
+	}
+
+	// Create the route origin type
+	var originAttr *any.Any
+	originAttr, _ = ptypes.MarshalAny(&gobgpapi.OriginAttribute{
+		Origin: uint32(bgp.BGP_ORIGIN_ATTR_TYPE_IGP),
+	})
+	pattrs = append(pattrs, originAttr)
+
+	// Add any required communities to the route
+	if len(hca.config.Communities) > 0 {
+		comms := make([]uint32, 0, 1)
+
+		for _, v := range hca.config.Communities {
+			c, err := hca.parseCommunity(v)
+			if err != nil {
+				// error parsing community
+				hca.logContext.WithFields(log.Fields{
+					"community":    v,
+				}).Debug(err)
+
+				continue
+			}
+			comms = append(comms, c)
+		}
+
+		commsAttr, _ := ptypes.MarshalAny(&gobgpapi.CommunitiesAttribute{
+			Communities: comms,
+		})
+
+		pattrs = append(pattrs, commsAttr)
+	}
+
+	// Return the correctly generated path
+	return &gobgpapi.Path{
+		Pattrs: pattrs,
+		Nlri:   newNLRI,
+		Family: &gobgpapi.Family{
+			Afi:  gobgpapi.Family_Afi(routeFamily),
+			Safi: gobgpapi.Family_SAFI_UNICAST,
+		},
+		Identifier: identifier,
+	}, nil
+}
+
+// parseCommunity parse a community string and return its value as the required uint32
+func (hca *HealthCheckerAnnounce) parseCommunity(arg string) (uint32, error) {
+	i, err := strconv.ParseUint(arg, 10, 32)
+	if err == nil {
+		return uint32(i), nil
+	}
+
+	elems := regexpCommunity.FindStringSubmatch(arg)
+	if len(elems) == 3 {
+		fst, _ := strconv.ParseUint(elems[1], 10, 16)
+		snd, _ := strconv.ParseUint(elems[2], 10, 16)
+		return uint32(fst<<16 | snd), nil
+	}
+	for i, v := range bgp.WellKnownCommunityNameMap {
+		if arg == v {
+			return uint32(i), nil
+		}
+	}
+	return 0, errors.New("failed to parse %s as community")
+}
+
+// helper functions
+
+// ipVersion return the IP protocol version
+func ipVersion(ip string) (int, error) {
+
+	ipAddr := net.ParseIP(ip)
+
+	if isV4(ipAddr) {
+		return 4, nil
+	} else if isV6(ipAddr) {
+		return 6, nil
+	} else {
+		return 0, errors.New("unable to determine IP protocol Version")
+	}
+}
+
+// isV4 tests if the IP is IPv4
+func isV4(ip net.IP) bool {
+	if ip.To4() != nil {
+		return true
+	}
+	return false
+}
+
+// isV6 tests if the IP is IPv6
+func isV6(ip net.IP) bool {
+	if ip.To4() == nil {
+		return true
+	}
+	return false
+}
\ No newline at end of file
diff --git a/src/glb-healthcheck/HealthCheckerAppContext.go b/src/glb-healthcheck/HealthCheckerAppContext.go
index 6aba81e..01b5e6d 100644
--- a/src/glb-healthcheck/HealthCheckerAppContext.go
+++ b/src/glb-healthcheck/HealthCheckerAppContext.go
@@ -55,6 +55,7 @@ type HealthCheckConfigFile struct {
 	} `json:"forwarding_table"`
 
 	ReloadCommand *string `json:"reload_command"`
+	BGPConfig GoBGPConfig `json:"gobgp_config"`
 }
 
 type HealthCheckerAppContext struct {
diff --git a/src/glb-healthcheck/Makefile b/src/glb-healthcheck/Makefile
index 38651ee..df0211c 100644
--- a/src/glb-healthcheck/Makefile
+++ b/src/glb-healthcheck/Makefile
@@ -32,4 +32,4 @@ mkdeb:
 	script/cibuild
 
 clean:
-	rm -rf glb-healthcheck_*.deb glb-healthcheck
+	rm -rf ${BUILDDIR}/glb-healthcheck_*.deb glb-healthcheck
\ No newline at end of file
diff --git a/src/glb-healthcheck/glide.lock b/src/glb-healthcheck/glide.lock
index af41160..32bb82c 100644
--- a/src/glb-healthcheck/glide.lock
+++ b/src/glb-healthcheck/glide.lock
@@ -1,23 +1,93 @@
-hash: 243fb52be80990666d4d5c7a9e475596305c221146d2840e7b07d8845ba960a3
-updated: 2018-05-16T09:42:23.036243129+10:00
+hash: 75c007b7dd40769ea416110d459960788b6905c0f615e90f41000a084a44bdc4
+updated: 2019-07-25T14:21:19.853185-07:00
 imports:
 - name: github.com/docopt/docopt-go
   version: 784ddc588536785e7299f7272f39101f7faccc3f
+- name: github.com/golang/protobuf
+  version: e91709a02e0e8ff8b86b7aa913fdc9ae9498e825
+  subpackages:
+  - proto
+  - ptypes
+  - ptypes/any
+  - ptypes/duration
+  - ptypes/empty
+  - ptypes/timestamp
 - name: github.com/google/gopacket
-  version: 11c65f1ca9081dfea43b4f9643f5c155583b73ba
+  version: 6d3e2615da4ed2ed2a349918fe74e7e6d03482fa
   subpackages:
   - layers
+- name: github.com/osrg/gobgp
+  version: 07f0fd48d5ac2e83378222762cd0a98e01d3bf5e
+  subpackages:
+  - api
+  - pkg/packet/bgp
 - name: github.com/rs/xid
   version: 02dd45c33376f85d1064355dc790dcc4850596b1
 - name: github.com/sirupsen/logrus
-  version: c155da19408a8799da419ed3eeb0cb5db0ad5dbc
+  version: 3e01752db0189b9157070a0e1668a620f9a85da2
 - name: golang.org/x/crypto
   version: 1a580b3eff7814fc9b40602fd35256c63b50f491
   subpackages:
   - ssh/terminal
+- name: golang.org/x/net
+  version: f4e77d36d62c17c2336347bb2670ddbd02d092b7
+  subpackages:
+  - context
+  - http/httpguts
+  - http2
+  - http2/hpack
+  - idna
+  - internal/timeseries
+  - trace
 - name: golang.org/x/sys
   version: 7c87d13f8e835d2fb3a70a2912c811ed0c1d241b
   subpackages:
   - unix
   - windows
+- name: golang.org/x/text
+  version: 342b2e1fbaa52c93f31447ad2c6abc048c63e475
+  subpackages:
+  - secure/bidirule
+  - transform
+  - unicode/bidi
+  - unicode/norm
+- name: google.golang.org/genproto
+  version: 54afdca5d873f7b529e2ce3def1a99df16feda90
+  subpackages:
+  - googleapis/rpc/status
+- name: google.golang.org/grpc
+  version: 045159ad57f3781d409358e3ade910a018c16b30
+  subpackages:
+  - balancer
+  - balancer/base
+  - balancer/roundrobin
+  - binarylog/grpc_binarylog_v1
+  - codes
+  - connectivity
+  - credentials
+  - credentials/internal
+  - encoding
+  - encoding/proto
+  - grpclog
+  - internal
+  - internal/backoff
+  - internal/balancerload
+  - internal/binarylog
+  - internal/channelz
+  - internal/envconfig
+  - internal/grpcrand
+  - internal/grpcsync
+  - internal/syscall
+  - internal/transport
+  - keepalive
+  - metadata
+  - naming
+  - peer
+  - resolver
+  - resolver/dns
+  - resolver/passthrough
+  - serviceconfig
+  - stats
+  - status
+  - tap
 testImports: []
diff --git a/src/glb-healthcheck/glide.yaml b/src/glb-healthcheck/glide.yaml
index 7e967a8..6cdba66 100644
--- a/src/glb-healthcheck/glide.yaml
+++ b/src/glb-healthcheck/glide.yaml
@@ -14,3 +14,7 @@ import:
   - ssh/terminal
 - package: github.com/rs/xid
   version: ~1.1.0
+- package: google.golang.org/grpc
+  version: ^1.20.1
+- package: github.com/osrg/gobgp
+  version: ^2.6.0
diff --git a/src/glb-healthcheck/main.go b/src/glb-healthcheck/main.go
index f6f484b..b18c2b9 100644
--- a/src/glb-healthcheck/main.go
+++ b/src/glb-healthcheck/main.go
@@ -77,6 +77,16 @@ Options:
 		return
 	}
 
+	// instantiate BGP integration
+	hca, err := NewHealthCheckerAnnounce(&ctx.config.BGPConfig, log.WithFields(log.Fields{
+		"app": "glb-healthcheck",
+		"module": "announce",
+	}))
+	if err != nil {
+		hca.logContext.Fatalf("Unable to configure health announcing checker: %s\n", err)
+		return
+	}
+
 	// the check manager will run the HC loop and manage most of the HC part of the work
 	ctx.checkManager = NewHealthCheckManager(HealthCheckTimeout, HealthCheckInterval)
 
@@ -116,6 +126,17 @@ Options:
 		for range healthRoundComplete {
 			ctx.logContext.Debug("Health check round completed")
 			ctx.SyncAndMaybeReload()
+
+			// run route updates if the announce feature is enabled
+			if hca.enabled {
+				// fetch forwarding table for bind map validation
+				ctx.Lock()
+				ft := ctx.forwardingTableConfig
+				ctx.Unlock()
+
+				// process the current health results and manage paths in GoBGP
+				go hca.Announce(ft, ctx.checkManager.GetResults())
+			}
 		}
 	}()
 
diff --git a/src/glb-healthcheck/packaging/version.sh b/src/glb-healthcheck/packaging/version.sh
index e9f0653..ec8eb60 100644
--- a/src/glb-healthcheck/packaging/version.sh
+++ b/src/glb-healthcheck/packaging/version.sh
@@ -1 +1 @@
-GLB_HEALTHCHECK_VERSION="0.1.4"
+GLB_HEALTHCHECK_VERSION="0.1.5"
diff --git a/src/glb-redirect/Makefile b/src/glb-redirect/Makefile
index b7aafd1..abc2aa8 100644
--- a/src/glb-redirect/Makefile
+++ b/src/glb-redirect/Makefile
@@ -1,6 +1,4 @@
 KDIR?=/usr/src/linux-headers-$(shell uname -r)
-BUILDDIR?=.
-
 ROOT_DIR:=$(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
 
 DKMS_MOD_VER:=$(shell grep 'PACKAGE_VERSION' dkms.conf | cut -d'=' -f2)
@@ -15,7 +13,9 @@ kmod:
 clean:
 	# we allow the following to fail since in our Docker build env we don't have a valid KDIR
 	$(BUILD_VARS) make -C $(KDIR) M=$(ROOT_DIR) clean || true
-	rm -rf libxt_GLBREDIRECT.so $(BUILDDIR)/glb-redirect-iptables-dkms_$(DKMS_MOD_VER)_*.deb
+	rm -rf libxt_GLBREDIRECT.so
+	rm -rf glb-redirect-iptables-dkms-mkdeb
+	rm -rf ${BUILDDIR}/glb-redirect-iptables-dkms_$(DKMS_MOD_VER)_*.deb
 
 .PHONY: lib
 lib: libxt_GLBREDIRECT.so
@@ -37,10 +37,12 @@ IPT_LDFLAGS=-lxtables -shared
 mkdeb:
 	rm -rf glb-redirect-iptables-dkms-mkdeb
 	cp -R /etc/dkms/template-dkms-mkdeb/ glb-redirect-iptables-dkms-mkdeb
-	chown : -R glb-redirect-iptables-dkms-mkdeb
 	# Works around this bug: https://ubuntuforums.org/showthread.php?t=2234906
 	sed -i '/chmod 644/d' glb-redirect-iptables-dkms-mkdeb/Makefile
 	sed -i '/^Depends:/ s/$$/, pkg-config, libxtables12 | libxtables10, libxtables-dev | libxtables10/' glb-redirect-iptables-dkms-mkdeb/debian/control
 	sed -i 's/^Maintainer: .*/Maintainer: GitHub <opensource+glb-director@github.com>/' glb-redirect-iptables-dkms-mkdeb/debian/control
 	dkms mkdeb --source-only
+
+ifneq "$(BUILDDIR)" ""
 	mv ../glb-redirect-iptables-dkms_$(DKMS_MOD_VER)_*.deb $(BUILDDIR)/
+endif
\ No newline at end of file