- Resolves: RHEL-65699
		
							parent
							
								
									67b12f1fb7
								
							
						
					
					
						commit
						6e1117bfad
					
				
							
								
								
									
										1
									
								
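--- a/.gitignore
+++ b/.gitignore
@@ -49,3 +49,4 @@ corosync-1.2.7.tar.gz
 /corosync-3.1.5.tar.gz
 /corosync-3.1.7.tar.gz
 /corosync-3.1.8.tar.gz
+/corosync-3.1.9.tar.gz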
| @ -1,246 +0,0 @@ | |||||||
| From ce03c68394517ea8782a03968e2507a1096e9efe Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Christine Caulfield <ccaulfie@redhat.com> |  | ||||||
| Date: Wed, 31 Jan 2024 10:29:05 +0000 |  | ||||||
| Subject: [PATCH 1/3] Report crypto errors back to cfg reload |  | ||||||
| 
 |  | ||||||
| Because crypto changing happens in the 'commit' phase |  | ||||||
| of the reload and we can't get sure that knet will |  | ||||||
| allow the new parameters, the result gets ignored. |  | ||||||
| This can happen in FIPS mode if a non-FIPS cipher |  | ||||||
| is requested. |  | ||||||
| 
 |  | ||||||
| This patch reports the errors back in a cmap key |  | ||||||
| so that the command-line can spot those errors |  | ||||||
| and report them back to the user. |  | ||||||
| 
 |  | ||||||
| It also restores the internal values for crypto |  | ||||||
| so that subsequent attempts to change things have |  | ||||||
| predictable results. Otherwise further attempts can |  | ||||||
| do nothing but not report any errors back. |  | ||||||
| 
 |  | ||||||
| I've also added some error reporting back for the |  | ||||||
| knet ping counters using this mechanism. |  | ||||||
| 
 |  | ||||||
| The alternative to all of this would be to check for FIPS |  | ||||||
| in totemconfig.c and then exclude certain options, but this |  | ||||||
| would be duplicating code that could easily get out of sync. |  | ||||||
| 
 |  | ||||||
| This system could also be a useful mechanism for reporting |  | ||||||
| back other 'impossible' errors. |  | ||||||
| 
 |  | ||||||
| Signed-off-by: Christine Caulfield <ccaulfie@redhat.com> |  | ||||||
| Reviewed-by: Jan Friesse <jfriesse@redhat.com> |  | ||||||
| ---
 |  | ||||||
|  exec/cfg.c               |  3 +++ |  | ||||||
|  exec/totemconfig.c       |  8 ++++++- |  | ||||||
|  exec/totemknet.c         | 48 +++++++++++++++++++++++++++++++++++----- |  | ||||||
|  tools/corosync-cfgtool.c | 31 ++++++++++++++++++++++++++ |  | ||||||
|  4 files changed, 83 insertions(+), 7 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/exec/cfg.c b/exec/cfg.c
 |  | ||||||
| index fe5f551d..4a3834b0 100644
 |  | ||||||
| --- a/exec/cfg.c
 |  | ||||||
| +++ b/exec/cfg.c
 |  | ||||||
| @@ -722,6 +722,9 @@ static void message_handler_req_exec_cfg_reload_config (
 |  | ||||||
|   |  | ||||||
|  	log_printf(LOGSYS_LEVEL_NOTICE, "Config reload requested by node " CS_PRI_NODE_ID, nodeid); |  | ||||||
|   |  | ||||||
| +	// Clear this out in case it all goes well
 |  | ||||||
| +	icmap_delete("config.reload_error_message");
 |  | ||||||
| +
 |  | ||||||
|  	icmap_set_uint8("config.totemconfig_reload_in_progress", 1); |  | ||||||
|   |  | ||||||
|  	/* Make sure there is no rubbish in this that might be checked, even on error */ |  | ||||||
| diff --git a/exec/totemconfig.c b/exec/totemconfig.c
 |  | ||||||
| index a6394a2f..505424e3 100644
 |  | ||||||
| --- a/exec/totemconfig.c
 |  | ||||||
| +++ b/exec/totemconfig.c
 |  | ||||||
| @@ -2439,7 +2439,13 @@ int totemconfig_commit_new_params(
 |  | ||||||
|  	totempg_reconfigure(); |  | ||||||
|   |  | ||||||
|  	free(new_interfaces); |  | ||||||
| -	return res; /* On a reload this is ignored */
 |  | ||||||
| +
 |  | ||||||
| +	/*
 |  | ||||||
| +	 * On a reload this return is ignored because it's too late to do anything about it,
 |  | ||||||
| +	 * but errors are reported back via cmap.
 |  | ||||||
| +	 */
 |  | ||||||
| +	return res;
 |  | ||||||
| +
 |  | ||||||
|  } |  | ||||||
|   |  | ||||||
|  static void add_totem_config_notification(struct totem_config *totem_config) |  | ||||||
| diff --git a/exec/totemknet.c b/exec/totemknet.c
 |  | ||||||
| index f280a094..916f4f8b 100644
 |  | ||||||
| --- a/exec/totemknet.c
 |  | ||||||
| +++ b/exec/totemknet.c
 |  | ||||||
| @@ -93,6 +93,8 @@ static int setup_nozzle(void *knet_context);
 |  | ||||||
|  struct totemknet_instance { |  | ||||||
|  	struct crypto_instance *crypto_inst; |  | ||||||
|   |  | ||||||
| +	struct knet_handle_crypto_cfg last_good_crypto_cfg;
 |  | ||||||
| +
 |  | ||||||
|  	qb_loop_t *poll_handle; |  | ||||||
|   |  | ||||||
|          knet_handle_t knet_handle; |  | ||||||
| @@ -995,6 +997,7 @@ static void totemknet_refresh_config(
 |  | ||||||
|  	} |  | ||||||
|   |  | ||||||
|  	for (i=0; i<num_nodes; i++) { |  | ||||||
| +		int linkerr = 0;
 |  | ||||||
|  		for (link_no = 0; link_no < INTERFACE_MAX; link_no++) { |  | ||||||
|  			if (host_ids[i] == instance->our_nodeid || !instance->totem_config->interfaces[link_no].configured) { |  | ||||||
|  				continue; |  | ||||||
| @@ -1006,19 +1009,25 @@ static void totemknet_refresh_config(
 |  | ||||||
|  							instance->totem_config->interfaces[link_no].knet_ping_precision); |  | ||||||
|  			if (err) { |  | ||||||
|  				KNET_LOGSYS_PERROR(errno, LOGSYS_LEVEL_ERROR, "knet_link_set_ping_timers for node " CS_PRI_NODE_ID " link %d failed", host_ids[i], link_no); |  | ||||||
| +				linkerr = err;
 |  | ||||||
|  			} |  | ||||||
|  			err = knet_link_set_pong_count(instance->knet_handle, host_ids[i], link_no, |  | ||||||
|  						       instance->totem_config->interfaces[link_no].knet_pong_count); |  | ||||||
|  			if (err) { |  | ||||||
|  				KNET_LOGSYS_PERROR(errno, LOGSYS_LEVEL_ERROR, "knet_link_set_pong_count for node " CS_PRI_NODE_ID " link %d failed",host_ids[i], link_no); |  | ||||||
| +				linkerr = err;
 |  | ||||||
|  			} |  | ||||||
|  			err = knet_link_set_priority(instance->knet_handle, host_ids[i], link_no, |  | ||||||
|  						     instance->totem_config->interfaces[link_no].knet_link_priority); |  | ||||||
|  			if (err) { |  | ||||||
|  				KNET_LOGSYS_PERROR(errno, LOGSYS_LEVEL_ERROR, "knet_link_set_priority for node " CS_PRI_NODE_ID " link %d failed", host_ids[i], link_no); |  | ||||||
| +				linkerr = err;
 |  | ||||||
|  			} |  | ||||||
|   |  | ||||||
|  		} |  | ||||||
| +		if (linkerr) {
 |  | ||||||
| +			icmap_set_string("config.reload_error_message", "Failed to set knet ping timers(2)");
 |  | ||||||
| +		}
 |  | ||||||
|  	} |  | ||||||
|   |  | ||||||
|  	/* Log levels get reconfigured from logconfig.c as that happens last in the reload */ |  | ||||||
| @@ -1086,6 +1095,10 @@ static int totemknet_set_knet_crypto(struct totemknet_instance *instance)
 |  | ||||||
|   |  | ||||||
|  	/* use_config will be called later when all nodes are synced */ |  | ||||||
|  	res = knet_handle_crypto_set_config(instance->knet_handle, &crypto_cfg, instance->totem_config->crypto_index); |  | ||||||
| +	if (res == 0) {
 |  | ||||||
| +		/* Keep a copy in case it fails in future */
 |  | ||||||
| +		memcpy(&instance->last_good_crypto_cfg, &crypto_cfg, sizeof(crypto_cfg));
 |  | ||||||
| +	}
 |  | ||||||
|  	if (res == -1) { |  | ||||||
|  		knet_log_printf(LOGSYS_LEVEL_ERROR, "knet_handle_crypto_set_config (index %d) failed: %s", instance->totem_config->crypto_index, strerror(errno)); |  | ||||||
|  		goto exit_error; |  | ||||||
| @@ -1112,8 +1125,24 @@ static int totemknet_set_knet_crypto(struct totemknet_instance *instance)
 |  | ||||||
|  	} |  | ||||||
|  #endif |  | ||||||
|   |  | ||||||
| -
 |  | ||||||
|  exit_error: |  | ||||||
| +#ifdef HAVE_KNET_CRYPTO_RECONF
 |  | ||||||
| +	if (res) {
 |  | ||||||
| +		icmap_set_string("config.reload_error_message", "Failed to set crypto parameters");
 |  | ||||||
| +
 |  | ||||||
| +		/* Restore the old values in cmap & totem_config */
 |  | ||||||
| +		icmap_set_string("totem.crypto_cipher", instance->last_good_crypto_cfg.crypto_cipher_type);
 |  | ||||||
| +		icmap_set_string("totem.crypto_hash",  instance->last_good_crypto_cfg.crypto_hash_type);
 |  | ||||||
| +		icmap_set_string("totem.crypto_model",  instance->last_good_crypto_cfg.crypto_model);
 |  | ||||||
| +
 |  | ||||||
| +		memcpy(instance->totem_config->crypto_hash_type, instance->last_good_crypto_cfg.crypto_hash_type,
 |  | ||||||
| +		       sizeof(instance->last_good_crypto_cfg.crypto_hash_type));
 |  | ||||||
| +		memcpy(instance->totem_config->crypto_cipher_type, instance->last_good_crypto_cfg.crypto_cipher_type,
 |  | ||||||
| +		       sizeof(instance->last_good_crypto_cfg.crypto_cipher_type));
 |  | ||||||
| +		memcpy(instance->totem_config->crypto_model, instance->last_good_crypto_cfg.crypto_model,
 |  | ||||||
| +		       sizeof(instance->last_good_crypto_cfg.crypto_model));
 |  | ||||||
| +	}
 |  | ||||||
| +#endif
 |  | ||||||
|  	return res; |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| @@ -1656,6 +1685,9 @@ int totemknet_member_add (
 |  | ||||||
|  			log_flush_messages(instance); |  | ||||||
|  			errno = saved_errno; |  | ||||||
|  			KNET_LOGSYS_PERROR(errno, LOGSYS_LEVEL_ERROR, "knet_link_set_ping_timers for nodeid " CS_PRI_NODE_ID ", link %d failed", member->nodeid, link_no); |  | ||||||
| +
 |  | ||||||
| +			icmap_set_string("config.reload_error_message", "Failed to set knet ping timers");
 |  | ||||||
| +
 |  | ||||||
|  			return -1; |  | ||||||
|  		} |  | ||||||
|  		err = knet_link_set_pong_count(instance->knet_handle, member->nodeid, link_no, |  | ||||||
| @@ -1666,6 +1698,7 @@ int totemknet_member_add (
 |  | ||||||
|  			log_flush_messages(instance); |  | ||||||
|  			errno = saved_errno; |  | ||||||
|  			KNET_LOGSYS_PERROR(errno, LOGSYS_LEVEL_ERROR, "knet_link_set_pong_count for nodeid " CS_PRI_NODE_ID ", link %d failed", member->nodeid, link_no); |  | ||||||
| +			icmap_set_string("config.reload_error_message", "Failed to set knet pong count");
 |  | ||||||
|  			return -1; |  | ||||||
|  		} |  | ||||||
|  	} |  | ||||||
| @@ -1774,11 +1807,14 @@ int totemknet_reconfigure (
 |  | ||||||
|  		/* Flip crypto_index */ |  | ||||||
|  		totem_config->crypto_index = 3-totem_config->crypto_index; |  | ||||||
|  		res = totemknet_set_knet_crypto(instance); |  | ||||||
| -
 |  | ||||||
| -		knet_log_printf(LOG_INFO, "kronosnet crypto reconfigured on index %d: %s/%s/%s", totem_config->crypto_index,
 |  | ||||||
| -				totem_config->crypto_model,
 |  | ||||||
| -				totem_config->crypto_cipher_type,
 |  | ||||||
| -				totem_config->crypto_hash_type);
 |  | ||||||
| +		if (res == 0) {
 |  | ||||||
| +			knet_log_printf(LOG_INFO, "kronosnet crypto reconfigured on index %d: %s/%s/%s", totem_config->crypto_index,
 |  | ||||||
| +					totem_config->crypto_model,
 |  | ||||||
| +					totem_config->crypto_cipher_type,
 |  | ||||||
| +					totem_config->crypto_hash_type);
 |  | ||||||
| +		} else {
 |  | ||||||
| +			icmap_set_string("config.reload_error_message", "Failed to set knet crypto");
 |  | ||||||
| +		}
 |  | ||||||
|  	} |  | ||||||
|  	return (res); |  | ||||||
|  } |  | ||||||
| diff --git a/tools/corosync-cfgtool.c b/tools/corosync-cfgtool.c
 |  | ||||||
| index d04d5bea..d35f6d90 100644
 |  | ||||||
| --- a/tools/corosync-cfgtool.c
 |  | ||||||
| +++ b/tools/corosync-cfgtool.c
 |  | ||||||
| @@ -332,6 +332,33 @@ nodestatusget_do (enum user_action action, int brief)
 |  | ||||||
|  	return rc; |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| +
 |  | ||||||
| +static int check_for_reload_errors(void)
 |  | ||||||
| +{
 |  | ||||||
| +	cmap_handle_t cmap_handle;
 |  | ||||||
| +	cs_error_t result;
 |  | ||||||
| +	char *str;
 |  | ||||||
| +	int res;
 |  | ||||||
| +
 |  | ||||||
| +	result = cmap_initialize (&cmap_handle);
 |  | ||||||
| +	if (result != CS_OK) {
 |  | ||||||
| +		fprintf (stderr, "Could not initialize corosync cmap API error %d\n", result);
 |  | ||||||
| +		exit (EXIT_FAILURE);
 |  | ||||||
| +	}
 |  | ||||||
| +
 |  | ||||||
| +	result = cmap_get_string(cmap_handle, "config.reload_error_message", &str);
 |  | ||||||
| +	if (result == CS_OK) {
 |  | ||||||
| +		printf("ERROR from reload: %s - see syslog for more information\n", str);
 |  | ||||||
| +		free(str);
 |  | ||||||
| +		res = 1;
 |  | ||||||
| +	}
 |  | ||||||
| +	else {
 |  | ||||||
| +		res = 0;
 |  | ||||||
| +	}
 |  | ||||||
| +	cmap_finalize(cmap_handle);
 |  | ||||||
| +	return res;
 |  | ||||||
| +}
 |  | ||||||
| +
 |  | ||||||
|  static int reload_config_do (void) |  | ||||||
|  { |  | ||||||
|  	cs_error_t result; |  | ||||||
| @@ -358,6 +385,10 @@ static int reload_config_do (void)
 |  | ||||||
|   |  | ||||||
|  	(void)corosync_cfg_finalize (handle); |  | ||||||
|   |  | ||||||
| +	if ((rc = check_for_reload_errors())) {
 |  | ||||||
| +		fprintf(stderr, "Errors in appying config, corosync.conf might not match the running system\n");
 |  | ||||||
| +	}
 |  | ||||||
| +
 |  | ||||||
|  	return (rc); |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| -- 
 |  | ||||||
| 2.39.3 |  | ||||||
| 
 |  | ||||||
| @ -17,14 +17,12 @@ | |||||||
| 
 | 
 | ||||||
| Name: corosync | Name: corosync | ||||||
| Summary: The Corosync Cluster Engine and Application Programming Interfaces | Summary: The Corosync Cluster Engine and Application Programming Interfaces | ||||||
| Version: 3.1.8 | Version: 3.1.9 | ||||||
| Release: 2%{?gitver}%{?dist} | Release: 1%{?gitver}%{?dist} | ||||||
| License: BSD | License: BSD | ||||||
| URL: http://corosync.github.io/corosync/ | URL: http://corosync.github.io/corosync/ | ||||||
| Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?gittarver}.tar.gz | Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?gittarver}.tar.gz | ||||||
| 
 | 
 | ||||||
| Patch0: RHEL-24163-1-Report-crypto-errors-back-to-cfg-reload.patch |  | ||||||
| 
 |  | ||||||
| # Runtime bits | # Runtime bits | ||||||
| # The automatic dependency overridden in favor of explicit version lock | # The automatic dependency overridden in favor of explicit version lock | ||||||
| Requires: corosynclib%{?_isa} = %{version}-%{release} | Requires: corosynclib%{?_isa} = %{version}-%{release} | ||||||
| @ -74,8 +72,6 @@ BuildRequires: make | |||||||
| %prep | %prep | ||||||
| %setup -q -n %{name}-%{version}%{?gittarver} | %setup -q -n %{name}-%{version}%{?gittarver} | ||||||
| 
 | 
 | ||||||
| %patch0 -p1 -b .RHEL-24163-1 |  | ||||||
| 
 |  | ||||||
| %build | %build | ||||||
| %if %{with runautogen} | %if %{with runautogen} | ||||||
| ./autogen.sh | ./autogen.sh | ||||||
| @ -120,7 +116,7 @@ BuildRequires: make | |||||||
| 
 | 
 | ||||||
| %if %{with dbus} | %if %{with dbus} | ||||||
| mkdir -p -m 0700 %{buildroot}/%{_sysconfdir}/dbus-1/system.d | mkdir -p -m 0700 %{buildroot}/%{_sysconfdir}/dbus-1/system.d | ||||||
| install -m 644 %{_builddir}/%{name}-%{version}%{?gittarver}/conf/corosync-signals.conf %{buildroot}/%{_sysconfdir}/dbus-1/system.d/corosync-signals.conf | install -m 644 %{_builddir}/%{name}-%{version}%{?gittarver}/conf/corosync-signals.conf %{buildroot}/%{_datadir}/dbus-1/system.d/corosync-signals.conf | ||||||
| %endif | %endif | ||||||
| 
 | 
 | ||||||
| ## tree fixup | ## tree fixup | ||||||
| @ -189,7 +185,7 @@ fi | |||||||
| %config(noreplace) %{_sysconfdir}/sysconfig/corosync | %config(noreplace) %{_sysconfdir}/sysconfig/corosync | ||||||
| %config(noreplace) %{_sysconfdir}/logrotate.d/corosync | %config(noreplace) %{_sysconfdir}/logrotate.d/corosync | ||||||
| %if %{with dbus} | %if %{with dbus} | ||||||
| %{_sysconfdir}/dbus-1/system.d/corosync-signals.conf | %{_datadir}/dbus-1/system.d/corosync-signals.conf | ||||||
| %endif | %endif | ||||||
| %if %{with snmp} | %if %{with snmp} | ||||||
| %{_datadir}/snmp/mibs/COROSYNC-MIB.txt | %{_datadir}/snmp/mibs/COROSYNC-MIB.txt | ||||||
| @ -293,6 +289,11 @@ network splits) | |||||||
| %endif | %endif | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
|  | * Fri Nov 15 2024 Jan Friesse <jfriesse@redhat.com> - 3.1.9-1 | ||||||
|  | - Resolves: RHEL-65699 | ||||||
|  | 
 | ||||||
|  | - New upstream release (RHEL-65699) | ||||||
|  | 
 | ||||||
| * Tue May 21 2024 Jan Friesse <jfriesse@redhat.com> - 3.1.8-2 | * Tue May 21 2024 Jan Friesse <jfriesse@redhat.com> - 3.1.8-2 | ||||||
| - Resolves: RHEL-24163 | - Resolves: RHEL-24163 | ||||||
| 
 | 
 | ||||||
|  | |||||||
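Review bot: In the `%if %{with dbus}` block of `%install`, the unchanged `mkdir -p -m 0700 %{buildroot}/%{_sysconfdir}/dbus-1/system.d` still creates the old /etc path, while the new `install -m 644` line and the `%files` entry now use `%{_datadir}/dbus-1/system.d`. Unless `make install` from the 3.1.9 tarball already creates that directory (not visible on this page), the install step has no target directory and the build fails with dbus enabled; the leftover mkdir also leaves an empty directory in the buildroot that nothing packages. I would change the mkdir to `mkdir -p %{buildroot}/%{_datadir}/dbus-1/system.d` so the two lines agree. The changelog entry only says "New upstream release"; it should also mention that the D-Bus policy file moved from /etc to /usr/share, so anyone auditing or locally overriding the corosync signal policy knows where the packaged copy now lives.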
							
								
								
									
										2
									
								
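--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (corosync-3.1.8.tar.gz) = 6325ae39bada33dbc0c85eb07d137af78235a1c0f8a4d1f90a20088e011bff65263903e5688956256ddfb58daec45f6d96c04624ff320be0c00ec36aa5d568f8
+SHA512 (corosync-3.1.9.tar.gz) = d5332c65535dd40e3bee48912ebf2e71c55380b3dba93c36ff8b74090edf3ec44b69685cd11fda3732e4b0dab0b2954f08be94d772fcff6aaf9a4a846ef2e4cc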