From 6e1117bfadc191a2ec4df9de34bc94fa11902525 Mon Sep 17 00:00:00 2001 From: Jan Friesse Date: Fri, 15 Nov 2024 10:53:34 +0100 Subject: [PATCH] - Resolves: RHEL-65699 --- .gitignore | 1 + ...ort-crypto-errors-back-to-cfg-reload.patch | 246 ------------------ corosync.spec | 17 +- sources | 2 +- 4 files changed, 11 insertions(+), 255 deletions(-) delete mode 100644 RHEL-24163-1-Report-crypto-errors-back-to-cfg-reload.patch diff --git a/.gitignore b/.gitignore index 29a50d9..da9b5a5 100644 --- a/.gitignore +++ b/.gitignore @@ -49,3 +49,4 @@ corosync-1.2.7.tar.gz /corosync-3.1.5.tar.gz /corosync-3.1.7.tar.gz /corosync-3.1.8.tar.gz +/corosync-3.1.9.tar.gz diff --git a/RHEL-24163-1-Report-crypto-errors-back-to-cfg-reload.patch b/RHEL-24163-1-Report-crypto-errors-back-to-cfg-reload.patch deleted file mode 100644 index 77153d9..0000000 --- a/RHEL-24163-1-Report-crypto-errors-back-to-cfg-reload.patch +++ /dev/null @@ -1,246 +0,0 @@ -From ce03c68394517ea8782a03968e2507a1096e9efe Mon Sep 17 00:00:00 2001 -From: Christine Caulfield -Date: Wed, 31 Jan 2024 10:29:05 +0000 -Subject: [PATCH 1/3] Report crypto errors back to cfg reload - -Because crypto changing happens in the 'commit' phase -of the reload and we can't get sure that knet will -allow the new parameters, the result gets ignored. -This can happen in FIPS mode if a non-FIPS cipher -is requested. - -This patch reports the errors back in a cmap key -so that the command-line can spot those errors -and report them back to the user. - -It also restores the internal values for crypto -so that subsequent attempts to change things have -predictable results. Otherwise further attempts can -do nothing but not report any errors back. - -I've also added some error reporting back for the -knet ping counters using this mechanism. - -The alternative to all of this would be to check for FIPS -in totemconfig.c and then exclude certain options, but this -would be duplicating code that could easily get out of sync. - -This system could also be a useful mechanism for reporting -back other 'impossible' errors. - -Signed-off-by: Christine Caulfield -Reviewed-by: Jan Friesse ---- - exec/cfg.c | 3 +++ - exec/totemconfig.c | 8 ++++++- - exec/totemknet.c | 48 +++++++++++++++++++++++++++++++++++----- - tools/corosync-cfgtool.c | 31 ++++++++++++++++++++++++++ - 4 files changed, 83 insertions(+), 7 deletions(-) - -diff --git a/exec/cfg.c b/exec/cfg.c -index fe5f551d..4a3834b0 100644 ---- a/exec/cfg.c -+++ b/exec/cfg.c -@@ -722,6 +722,9 @@ static void message_handler_req_exec_cfg_reload_config ( - - log_printf(LOGSYS_LEVEL_NOTICE, "Config reload requested by node " CS_PRI_NODE_ID, nodeid); - -+ // Clear this out in case it all goes well -+ icmap_delete("config.reload_error_message"); -+ - icmap_set_uint8("config.totemconfig_reload_in_progress", 1); - - /* Make sure there is no rubbish in this that might be checked, even on error */ -diff --git a/exec/totemconfig.c b/exec/totemconfig.c -index a6394a2f..505424e3 100644 ---- a/exec/totemconfig.c -+++ b/exec/totemconfig.c -@@ -2439,7 +2439,13 @@ int totemconfig_commit_new_params( - totempg_reconfigure(); - - free(new_interfaces); -- return res; /* On a reload this is ignored */ -+ -+ /* -+ * On a reload this return is ignored because it's too late to do anything about it, -+ * but errors are reported back via cmap. -+ */ -+ return res; -+ - } - - static void add_totem_config_notification(struct totem_config *totem_config) -diff --git a/exec/totemknet.c b/exec/totemknet.c -index f280a094..916f4f8b 100644 ---- a/exec/totemknet.c -+++ b/exec/totemknet.c -@@ -93,6 +93,8 @@ static int setup_nozzle(void *knet_context); - struct totemknet_instance { - struct crypto_instance *crypto_inst; - -+ struct knet_handle_crypto_cfg last_good_crypto_cfg; -+ - qb_loop_t *poll_handle; - - knet_handle_t knet_handle; -@@ -995,6 +997,7 @@ static void totemknet_refresh_config( - } - - for (i=0; iour_nodeid || !instance->totem_config->interfaces[link_no].configured) { - continue; -@@ -1006,19 +1009,25 @@ static void totemknet_refresh_config( - instance->totem_config->interfaces[link_no].knet_ping_precision); - if (err) { - KNET_LOGSYS_PERROR(errno, LOGSYS_LEVEL_ERROR, "knet_link_set_ping_timers for node " CS_PRI_NODE_ID " link %d failed", host_ids[i], link_no); -+ linkerr = err; - } - err = knet_link_set_pong_count(instance->knet_handle, host_ids[i], link_no, - instance->totem_config->interfaces[link_no].knet_pong_count); - if (err) { - KNET_LOGSYS_PERROR(errno, LOGSYS_LEVEL_ERROR, "knet_link_set_pong_count for node " CS_PRI_NODE_ID " link %d failed",host_ids[i], link_no); -+ linkerr = err; - } - err = knet_link_set_priority(instance->knet_handle, host_ids[i], link_no, - instance->totem_config->interfaces[link_no].knet_link_priority); - if (err) { - KNET_LOGSYS_PERROR(errno, LOGSYS_LEVEL_ERROR, "knet_link_set_priority for node " CS_PRI_NODE_ID " link %d failed", host_ids[i], link_no); -+ linkerr = err; - } - - } -+ if (linkerr) { -+ icmap_set_string("config.reload_error_message", "Failed to set knet ping timers(2)"); -+ } - } - - /* Log levels get reconfigured from logconfig.c as that happens last in the reload */ -@@ -1086,6 +1095,10 @@ static int totemknet_set_knet_crypto(struct totemknet_instance *instance) - - /* use_config will be called later when all nodes are synced */ - res = knet_handle_crypto_set_config(instance->knet_handle, &crypto_cfg, instance->totem_config->crypto_index); -+ if (res == 0) { -+ /* Keep a copy in case it fails in future */ -+ memcpy(&instance->last_good_crypto_cfg, &crypto_cfg, sizeof(crypto_cfg)); -+ } - if (res == -1) { - knet_log_printf(LOGSYS_LEVEL_ERROR, "knet_handle_crypto_set_config (index %d) failed: %s", instance->totem_config->crypto_index, strerror(errno)); - goto exit_error; -@@ -1112,8 +1125,24 @@ static int totemknet_set_knet_crypto(struct totemknet_instance *instance) - } - #endif - -- - exit_error: -+#ifdef HAVE_KNET_CRYPTO_RECONF -+ if (res) { -+ icmap_set_string("config.reload_error_message", "Failed to set crypto parameters"); -+ -+ /* Restore the old values in cmap & totem_config */ -+ icmap_set_string("totem.crypto_cipher", instance->last_good_crypto_cfg.crypto_cipher_type); -+ icmap_set_string("totem.crypto_hash", instance->last_good_crypto_cfg.crypto_hash_type); -+ icmap_set_string("totem.crypto_model", instance->last_good_crypto_cfg.crypto_model); -+ -+ memcpy(instance->totem_config->crypto_hash_type, instance->last_good_crypto_cfg.crypto_hash_type, -+ sizeof(instance->last_good_crypto_cfg.crypto_hash_type)); -+ memcpy(instance->totem_config->crypto_cipher_type, instance->last_good_crypto_cfg.crypto_cipher_type, -+ sizeof(instance->last_good_crypto_cfg.crypto_cipher_type)); -+ memcpy(instance->totem_config->crypto_model, instance->last_good_crypto_cfg.crypto_model, -+ sizeof(instance->last_good_crypto_cfg.crypto_model)); -+ } -+#endif - return res; - } - -@@ -1656,6 +1685,9 @@ int totemknet_member_add ( - log_flush_messages(instance); - errno = saved_errno; - KNET_LOGSYS_PERROR(errno, LOGSYS_LEVEL_ERROR, "knet_link_set_ping_timers for nodeid " CS_PRI_NODE_ID ", link %d failed", member->nodeid, link_no); -+ -+ icmap_set_string("config.reload_error_message", "Failed to set knet ping timers"); -+ - return -1; - } - err = knet_link_set_pong_count(instance->knet_handle, member->nodeid, link_no, -@@ -1666,6 +1698,7 @@ int totemknet_member_add ( - log_flush_messages(instance); - errno = saved_errno; - KNET_LOGSYS_PERROR(errno, LOGSYS_LEVEL_ERROR, "knet_link_set_pong_count for nodeid " CS_PRI_NODE_ID ", link %d failed", member->nodeid, link_no); -+ icmap_set_string("config.reload_error_message", "Failed to set knet pong count"); - return -1; - } - } -@@ -1774,11 +1807,14 @@ int totemknet_reconfigure ( - /* Flip crypto_index */ - totem_config->crypto_index = 3-totem_config->crypto_index; - res = totemknet_set_knet_crypto(instance); -- -- knet_log_printf(LOG_INFO, "kronosnet crypto reconfigured on index %d: %s/%s/%s", totem_config->crypto_index, -- totem_config->crypto_model, -- totem_config->crypto_cipher_type, -- totem_config->crypto_hash_type); -+ if (res == 0) { -+ knet_log_printf(LOG_INFO, "kronosnet crypto reconfigured on index %d: %s/%s/%s", totem_config->crypto_index, -+ totem_config->crypto_model, -+ totem_config->crypto_cipher_type, -+ totem_config->crypto_hash_type); -+ } else { -+ icmap_set_string("config.reload_error_message", "Failed to set knet crypto"); -+ } - } - return (res); - } -diff --git a/tools/corosync-cfgtool.c b/tools/corosync-cfgtool.c -index d04d5bea..d35f6d90 100644 ---- a/tools/corosync-cfgtool.c -+++ b/tools/corosync-cfgtool.c -@@ -332,6 +332,33 @@ nodestatusget_do (enum user_action action, int brief) - return rc; - } - -+ -+static int check_for_reload_errors(void) -+{ -+ cmap_handle_t cmap_handle; -+ cs_error_t result; -+ char *str; -+ int res; -+ -+ result = cmap_initialize (&cmap_handle); -+ if (result != CS_OK) { -+ fprintf (stderr, "Could not initialize corosync cmap API error %d\n", result); -+ exit (EXIT_FAILURE); -+ } -+ -+ result = cmap_get_string(cmap_handle, "config.reload_error_message", &str); -+ if (result == CS_OK) { -+ printf("ERROR from reload: %s - see syslog for more information\n", str); -+ free(str); -+ res = 1; -+ } -+ else { -+ res = 0; -+ } -+ cmap_finalize(cmap_handle); -+ return res; -+} -+ - static int reload_config_do (void) - { - cs_error_t result; -@@ -358,6 +385,10 @@ static int reload_config_do (void) - - (void)corosync_cfg_finalize (handle); - -+ if ((rc = check_for_reload_errors())) { -+ fprintf(stderr, "Errors in appying config, corosync.conf might not match the running system\n"); -+ } -+ - return (rc); - } - --- -2.39.3 - diff --git a/corosync.spec b/corosync.spec index d7d9417..c727ee0 100644 --- a/corosync.spec +++ b/corosync.spec @@ -17,14 +17,12 @@ Name: corosync Summary: The Corosync Cluster Engine and Application Programming Interfaces -Version: 3.1.8 -Release: 2%{?gitver}%{?dist} +Version: 3.1.9 +Release: 1%{?gitver}%{?dist} License: BSD URL: http://corosync.github.io/corosync/ Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?gittarver}.tar.gz -Patch0: RHEL-24163-1-Report-crypto-errors-back-to-cfg-reload.patch - # Runtime bits # The automatic dependency overridden in favor of explicit version lock Requires: corosynclib%{?_isa} = %{version}-%{release} @@ -74,8 +72,6 @@ BuildRequires: make %prep %setup -q -n %{name}-%{version}%{?gittarver} -%patch0 -p1 -b .RHEL-24163-1 - %build %if %{with runautogen} ./autogen.sh @@ -120,7 +116,7 @@ BuildRequires: make %if %{with dbus} mkdir -p -m 0700 %{buildroot}/%{_sysconfdir}/dbus-1/system.d -install -m 644 %{_builddir}/%{name}-%{version}%{?gittarver}/conf/corosync-signals.conf %{buildroot}/%{_sysconfdir}/dbus-1/system.d/corosync-signals.conf +install -m 644 %{_builddir}/%{name}-%{version}%{?gittarver}/conf/corosync-signals.conf %{buildroot}/%{_datadir}/dbus-1/system.d/corosync-signals.conf %endif ## tree fixup @@ -189,7 +185,7 @@ fi %config(noreplace) %{_sysconfdir}/sysconfig/corosync %config(noreplace) %{_sysconfdir}/logrotate.d/corosync %if %{with dbus} -%{_sysconfdir}/dbus-1/system.d/corosync-signals.conf +%{_datadir}/dbus-1/system.d/corosync-signals.conf %endif %if %{with snmp} %{_datadir}/snmp/mibs/COROSYNC-MIB.txt @@ -293,6 +289,11 @@ network splits) %endif %changelog +* Fri Nov 15 2024 Jan Friesse - 3.1.9-1 +- Resolves: RHEL-65699 + +- New upstream release (RHEL-65699) + * Tue May 21 2024 Jan Friesse - 3.1.8-2 - Resolves: RHEL-24163 diff --git a/sources b/sources index fd916ac..d3e0db1 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (corosync-3.1.8.tar.gz) = 6325ae39bada33dbc0c85eb07d137af78235a1c0f8a4d1f90a20088e011bff65263903e5688956256ddfb58daec45f6d96c04624ff320be0c00ec36aa5d568f8 +SHA512 (corosync-3.1.9.tar.gz) = d5332c65535dd40e3bee48912ebf2e71c55380b3dba93c36ff8b74090edf3ec44b69685cd11fda3732e4b0dab0b2954f08be94d772fcff6aaf9a4a846ef2e4cc