import CS fence-agents-4.2.1-123.el8

.fence-agents.metadata

@@ -6,7 +6,7 @@ c2a98b9a1562d223a76514f05028488ca000c395 SOURCES/aliyun-python-sdk-ecs-4.9.3.tar
 f14647a4d37a9a254c4e711b95a7654fc418e41e SOURCES/aliyun-python-sdk-vpc-3.0.2.tar.gz
 2512ff4ef016cad0b916006f6acf2a309f908c4d SOURCES/botocore-1.23.46.tar.gz
 0d12f48faa727f0979e9ad5c4c80dfa32b73caff SOURCES/cachetools-4.2.4.tar.gz
-b13e22d55867e2ca5f92e5289cfdc21ba6e343aa SOURCES/certifi-2021.10.8.tar.gz
+ec7e8dd8ef95edfdb83a1ea040b8b88507b47615 SOURCES/certifi-2023.7.22.tar.gz
 2384f6cfba4685d901262e073a4455d4cf76d102 SOURCES/chardet-4.0.0.tar.gz
 865df92e66e5dc7b940144cbad8115c07dc8784f SOURCES/charset-normalizer-2.0.7.tar.gz
 e2561df8e7ff9113dab118a651371dd88dab0142 SOURCES/fence-agents-4.2.1.tar.gz

.gitignore

@@ -6,7 +6,7 @@ SOURCES/aliyun-python-sdk-ecs-4.9.3.tar.gz
 SOURCES/aliyun-python-sdk-vpc-3.0.2.tar.gz
 SOURCES/botocore-1.23.46.tar.gz
 SOURCES/cachetools-4.2.4.tar.gz
-SOURCES/certifi-2021.10.8.tar.gz
+SOURCES/certifi-2023.7.22.tar.gz
 SOURCES/chardet-4.0.0.tar.gz
 SOURCES/charset-normalizer-2.0.7.tar.gz
 SOURCES/fence-agents-4.2.1.tar.gz

SOURCES/RHEL-11988-1-kubevirt-fix-bundled-urllib3-CVE-2023-43804.patch

@@ -0,0 +1,26 @@
+From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Mon, 2 Oct 2023 19:46:16 +0400
+Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
+
+---
+ CHANGES.rst                               |  5 ++++
+ docs/user-guide.rst                       |  3 +++
+ src/urllib3/util/retry.py                 |  2 +-
+ test/test_retry.py                        |  4 +--
+ test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
+ 5 files changed, 35 insertions(+), 9 deletions(-)
+
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index ea48afe3ca..7572bfd26a 100644
+--- a/kubevirt/urllib3/util/retry.py
++++ b/kubevirt/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+     #: Maximum backoff time.
+     BACKOFF_MAX = 120

SOURCES/RHEL-11988-2-aws-fix-bundled-urllib3-CVE-2023-43804.patch

@@ -0,0 +1,26 @@
+From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Mon, 2 Oct 2023 19:46:16 +0400
+Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
+
+---
+ CHANGES.rst                               |  5 ++++
+ docs/user-guide.rst                       |  3 +++
+ src/urllib3/util/retry.py                 |  2 +-
+ test/test_retry.py                        |  4 +--
+ test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
+ 5 files changed, 35 insertions(+), 9 deletions(-)
+
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index ea48afe3ca..7572bfd26a 100644
+--- a/aws/urllib3/util/retry.py
++++ b/aws/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+     #: Maximum backoff time.
+     BACKOFF_MAX = 120

SOURCES/bz2155453-fence_ibm_powervs-performance-improvements.patch

@@ -0,0 +1,150 @@
+From 22935608247816be0ccec85fc590f19b509f3614 Mon Sep 17 00:00:00 2001
+From: Andreas Schauberer <74912604+andscha@users.noreply.github.com>
+Date: Thu, 15 Jun 2023 16:34:13 +0200
+Subject: [PATCH 1/3] fence_ibm_powervs: improved performance
+
+fence_ibm_powervs: improved performance
+- improved performance using less power-iaas.cloud.ibm.com API calls
+- add support for reboot_cycle, method to fence (onoff|cycle) (Default: onoff)
+
+Addressed comments by oalbrigt in ClusterLabs #PR542
+- you can use if options["--verbose-level"] > 1: to only print it when -vv or more or verbose_level is set to 2 or higher.
+- Removed all_opt["method"] defaults
+---
+ agents/ibm_powervs/fence_ibm_powervs.py | 70 ++++++++++++++++++-------
+ 1 file changed, 51 insertions(+), 19 deletions(-)
+
+diff --git a/agents/ibm_powervs/fence_ibm_powervs.py b/agents/ibm_powervs/fence_ibm_powervs.py
+index 183893616..e65462cb9 100755
+--- a/agents/ibm_powervs/fence_ibm_powervs.py
++++ b/agents/ibm_powervs/fence_ibm_powervs.py
+@@ -12,6 +12,8 @@
+ state = {
+ 	 "ACTIVE": "on",
+ 	 "SHUTOFF": "off",
++	 "HARD_REBOOT": "on",
++	 "SOFT_REBOOT": "on",
+ 	 "ERROR": "unknown"
+ }
+ 
+@@ -37,21 +39,30 @@ def get_list(conn, options):
+ 		return outlets
+ 
+ 	for r in res["pvmInstances"]:
+-		if "--verbose" in options:
++		if options["--verbose-level"] > 1:
+ 			logging.debug(json.dumps(r, indent=2))
+ 		outlets[r["pvmInstanceID"]] = (r["serverName"], state[r["status"]])
+ 
+ 	return outlets
+ 
+ def get_power_status(conn, options):
++	outlets = {}
++	logging.debug("Info: getting power status for LPAR " + options["--plug"] + " instance " + options["--instance"])
+ 	try:
+ 		command = "cloud-instances/{}/pvm-instances/{}".format(
+ 				options["--instance"], options["--plug"])
+ 		res = send_command(conn, command)
+-		result = get_list(conn, options)[options["--plug"]][1]
++		outlets[res["pvmInstanceID"]] = (res["serverName"], state[res["status"]])
++		if options["--verbose-level"] > 1:
++			logging.debug(json.dumps(res, indent=2))
++		result = outlets[options["--plug"]][1]
++		logging.debug("Info: Status: {}".format(result))
+ 	except KeyError as e:
+-		logging.debug("Failed: Unable to get status for {}".format(e))
+-		fail(EC_STATUS)
++		try:
++			result = get_list(conn, options)[options["--plug"]][1]
++		except KeyError as ex:
++			logging.debug("Failed: Unable to get status for {}".format(ex))
++			fail(EC_STATUS)
+ 
+ 	return result
+ 
+@@ -61,6 +72,7 @@ def set_power_status(conn, options):
+ 		"off" : '{"action" : "immediate-shutdown"}',
+ 	}[options["--action"]]
+ 
++	logging.debug("Info: set power status to " + options["--action"] + " for LPAR " + options["--plug"] + " instance " + options["--instance"])
+ 	try:
+ 		send_command(conn, "cloud-instances/{}/pvm-instances/{}/action".format(
+ 				options["--instance"], options["--plug"]), "POST", action)
+@@ -68,6 +80,25 @@ def set_power_status(conn, options):
+ 		logging.debug("Failed: Unable to set power to {} for {}".format(options["--action"], e))
+ 		fail(EC_STATUS)
+ 
++def reboot_cycle(conn, options):
++	action = {
++		"reboot" :  '{"action" : "hard-reboot"}',
++	}[options["--action"]]
++
++	logging.debug("Info: start reboot cycle with action " + options["--action"] + " for LPAR " + options["--plug"] + " instance " + options["--instance"])
++	try:
++		send_command(conn, "cloud-instances/{}/pvm-instances/{}/action".format(
++				options["--instance"], options["--plug"]), "POST", action)
++	except Exception as e:
++		result = get_power_status(conn, options)
++		logging.debug("Info: Status {}".format(result))
++		if result == "off":
++			return True
++		else:
++			logging.debug("Failed: Unable to cycle with {} for {}".format(options["--action"], e))
++			fail(EC_STATUS)
++	return True 
++
+ def connect(opt, token):
+ 	conn = pycurl.Curl()
+ 
+@@ -200,21 +231,21 @@ def define_new_opts():
+ 		"order" : 0
+ 	}
+ 	all_opt["api-type"] = {
+-                "getopt" : ":",
+-                "longopt" : "api-type",
+-                "help" : "--api-type=[public|private]          API-type: 'public' (default) or 'private'",
+-                "required" : "0",
+-                "shortdesc" : "API-type (public|private)",
+-                "order" : 0
+-        }
++		"getopt" : ":",
++		"longopt" : "api-type",
++		"help" : "--api-type=[public|private]          API-type: 'public' (default) or 'private'",
++		"required" : "0",
++		"shortdesc" : "API-type (public|private)",
++		"order" : 0
++	}
+ 	all_opt["proxy"] = {
+-                "getopt" : ":",
+-                "longopt" : "proxy",
+-                "help" : "--proxy=[http://<URL>:<PORT>]          Proxy: 'http://<URL>:<PORT>'",
+-                "required" : "0",
+-                "shortdesc" : "Network proxy",
+-                "order" : 0
+-        }
++		"getopt" : ":",
++		"longopt" : "proxy",
++		"help" : "--proxy=[http://<URL>:<PORT>]          Proxy: 'http://<URL>:<PORT>'",
++		"required" : "0",
++		"shortdesc" : "Network proxy",
++		"order" : 0
++	}
+ 
+ 
+ def main():
+@@ -227,6 +258,7 @@ def main():
+ 		"proxy",
+ 		"port",
+ 		"no_password",
++		"method",
+ 	]
+ 
+ 	atexit.register(atexit_handler)
+@@ -259,7 +291,7 @@ def main():
+ 	conn = connect(options, token)
+ 	atexit.register(disconnect, conn)
+ 
+-	result = fence_action(conn, options, set_power_status, get_power_status, get_list)
++	result = fence_action(conn, options, set_power_status, get_power_status, get_list, reboot_cycle)
+ 
+ 	sys.exit(result)

SOURCES/bz2183158-fence_aws-1-add-skip-race-check-parameter.patch

@@ -0,0 +1,165 @@
+From 73fdae1b9da5aa1ba1d371dcc47fe31a4d22bb31 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Thu, 30 Mar 2023 12:20:05 +0200
+Subject: [PATCH] fence_aws: fixes to allow running outside of AWS network
+
+- add --skip-race-check parameter to allow running outside of AWS
+  network e.g. for openshift
+- fixed and improved logging logic
+- use --debug-file parameter for file logging
+---
+ agents/aws/fence_aws.py           | 50 ++++++++++++++++++++-----------
+ tests/data/metadata/fence_aws.xml |  5 ++++
+ 2 files changed, 37 insertions(+), 18 deletions(-)
+
+diff --git a/agents/aws/fence_aws.py b/agents/aws/fence_aws.py
+index c947bf29c..5d1677144 100644
+--- a/agents/aws/fence_aws.py
++++ b/agents/aws/fence_aws.py
+@@ -16,13 +16,13 @@
+ except ImportError:
+ 	pass
+ 
+-logger = logging.getLogger("fence_aws")
++logger = logging.getLogger()
+ logger.propagate = False
+ logger.setLevel(logging.INFO)
+ logger.addHandler(SyslogLibHandler())
+ logging.getLogger('botocore.vendored').propagate = False
+ 
+-def get_instance_id():
++def get_instance_id(options):
+ 	try:
+ 		token = requests.put('http://169.254.169.254/latest/api/token', headers={"X-aws-ec2-metadata-token-ttl-seconds" : "21600"}).content.decode("UTF-8")
+ 		r = requests.get('http://169.254.169.254/latest/meta-data/instance-id', headers={"X-aws-ec2-metadata-token" : token}).content.decode("UTF-8")
+@@ -30,12 +30,15 @@ def get_instance_id():
+ 	except HTTPError as http_err:
+ 		logger.error('HTTP error occurred while trying to access EC2 metadata server: %s', http_err)
+ 	except Exception as err:
+-		logger.error('A fatal error occurred while trying to access EC2 metadata server: %s', err)
++		if "--skip-race-check" not in options:
++			logger.error('A fatal error occurred while trying to access EC2 metadata server: %s', err)
++		else:
++			logger.debug('A fatal error occurred while trying to access EC2 metadata server: %s', err)
+ 	return None
+-	
++
+ 
+ def get_nodes_list(conn, options):
+-	logger.info("Starting monitor operation")
++	logger.debug("Starting monitor operation")
+ 	result = {}
+ 	try:
+ 		if "--filter" in options:
+@@ -63,7 +66,7 @@ def get_power_status(conn, options):
+ 	try:
+ 		instance = conn.instances.filter(Filters=[{"Name": "instance-id", "Values": [options["--plug"]]}])
+ 		state = list(instance)[0].state["Name"]
+-		logger.info("Status operation for EC2 instance %s returned state: %s",options["--plug"],state.upper())
++		logger.debug("Status operation for EC2 instance %s returned state: %s",options["--plug"],state.upper())
+ 		if state == "running":
+ 			return "on"
+ 		elif state == "stopped":
+@@ -78,7 +81,7 @@ def get_power_status(conn, options):
+ 	except IndexError:
+ 		fail(EC_STATUS)
+ 	except Exception as e:
+-		logging.error("Failed to get power status: %s", e)
++		logger.error("Failed to get power status: %s", e)
+ 		fail(EC_STATUS)
+ 
+ def get_self_power_status(conn, instance_id):
+@@ -86,10 +89,10 @@ def get_self_power_status(conn, instance_id):
+ 		instance = conn.instances.filter(Filters=[{"Name": "instance-id", "Values": [instance_id]}])
+ 		state = list(instance)[0].state["Name"]
+ 		if state == "running":
+-			logging.debug("Captured my (%s) state and it %s - returning OK - Proceeding with fencing",instance_id,state.upper())
++			logger.debug("Captured my (%s) state and it %s - returning OK - Proceeding with fencing",instance_id,state.upper())
+ 			return "ok"
+ 		else:
+-			logging.debug("Captured my (%s) state it is %s - returning Alert - Unable to fence other nodes",instance_id,state.upper())
++			logger.debug("Captured my (%s) state it is %s - returning Alert - Unable to fence other nodes",instance_id,state.upper())
+ 			return "alert"
+ 	
+ 	except ClientError:
+@@ -100,18 +103,18 @@ def get_self_power_status(conn, instance_id):
+ 		return "fail"
+ 
+ def set_power_status(conn, options):
+-	my_instance = get_instance_id()
++	my_instance = get_instance_id(options)
+ 	try:
+ 		if (options["--action"]=="off"):
+-			if (get_self_power_status(conn,my_instance) == "ok"):
++			if "--skip-race-check" in options or get_self_power_status(conn,my_instance) == "ok":
+ 				conn.instances.filter(InstanceIds=[options["--plug"]]).stop(Force=True)
+-				logger.info("Called StopInstance API call for %s", options["--plug"])
++				logger.debug("Called StopInstance API call for %s", options["--plug"])
+ 			else:
+-				logger.info("Skipping fencing as instance is not in running status")
++				logger.debug("Skipping fencing as instance is not in running status")
+ 		elif (options["--action"]=="on"):
+ 			conn.instances.filter(InstanceIds=[options["--plug"]]).start()
+ 	except Exception as e:
+-		logger.error("Failed to power %s %s: %s", \
++		logger.debug("Failed to power %s %s: %s", \
+ 				options["--action"], options["--plug"], e)
+ 
+ def define_new_opts():
+@@ -156,12 +159,20 @@ def define_new_opts():
+ 		"default": "False",
+ 		"order": 6
+ 	}
++	all_opt["skip_race_check"] = {
++		"getopt" : "",
++		"longopt" : "skip-race-check",
++		"help" : "--skip-race-check              Skip race condition check",
++		"shortdesc": "Skip race condition check",
++		"required": "0",
++		"order": 7
++	}
+ 
+ # Main agent method
+ def main():
+ 	conn = None
+ 
+-	device_opt = ["port", "no_password", "region", "access_key", "secret_key", "filter", "boto3_debug"]
++	device_opt = ["port", "no_password", "region", "access_key", "secret_key", "filter", "boto3_debug", "skip_race_check"]
+ 
+ 	atexit.register(atexit_handler)
+ 
+@@ -183,12 +194,15 @@ def main():
+ 
+ 	run_delay(options)
+ 
+-	if options.get("--verbose") is not None:
+-		lh = logging.FileHandler('/var/log/fence_aws_debug.log')
++	if "--debug-file" in options:
++		for handler in logger.handlers:
++			if isinstance(handler, logging.FileHandler):
++				logger.removeHandler(handler)
++		lh = logging.FileHandler(options["--debug-file"])
+ 		logger.addHandler(lh)
+ 		lhf = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+ 		lh.setFormatter(lhf)
+-		logger.setLevel(logging.DEBUG)
++		lh.setLevel(logging.DEBUG)
+ 	
+ 	if options["--boto3_debug"].lower() not in ["1", "yes", "on", "true"]:
+ 		boto3.set_stream_logger('boto3',logging.INFO)
+diff --git a/tests/data/metadata/fence_aws.xml b/tests/data/metadata/fence_aws.xml
+index 76995ecf2..32de4418a 100644
+--- a/tests/data/metadata/fence_aws.xml
++++ b/tests/data/metadata/fence_aws.xml
+@@ -46,6 +46,11 @@ For instructions see: https://boto3.readthedocs.io/en/latest/guide/quickstart.ht
+ 		<content type="string" default="False"  />
+ 		<shortdesc lang="en">Boto Lib debug</shortdesc>
+ 	</parameter>
++	<parameter name="skip_race_check" unique="0" required="0">
++		<getopt mixed="--skip-race-check" />
++		<content type="boolean"  />
++		<shortdesc lang="en">Skip race condition check</shortdesc>
++	</parameter>
+ 	<parameter name="quiet" unique="0" required="0">
+ 		<getopt mixed="-q, --quiet" />
+ 		<content type="boolean"  />

SOURCES/bz2183158-fence_aws-2-fail-when-power-action-request-fails.patch

@@ -0,0 +1,21 @@
+From a2e2432cfec0af9a8a90f9d7fed18759da6f9b0c Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Thu, 13 Apr 2023 10:14:31 +0200
+Subject: [PATCH] fence_aws: fail when power action request fails
+
+---
+ agents/aws/fence_aws.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/agents/aws/fence_aws.py b/agents/aws/fence_aws.py
+index 5d1677144..0a375bbec 100644
+--- a/agents/aws/fence_aws.py
++++ b/agents/aws/fence_aws.py
+@@ -116,6 +116,7 @@ def set_power_status(conn, options):
+ 	except Exception as e:
+ 		logger.debug("Failed to power %s %s: %s", \
+ 				options["--action"], options["--plug"], e)
++		fail(EC_STATUS)
+ 
+ def define_new_opts():
+ 	all_opt["region"] = {

SOURCES/bz2187329-fence_scsi-1-detect-devices-in-shared-vgs.patch

@@ -0,0 +1,58 @@
+From 4661b6f625c57a728ec58023da89ba378d4d1c27 Mon Sep 17 00:00:00 2001
+From: Arslan Ahmad <arslan.ahmad97@googlemail.com>
+Date: Mon, 17 Apr 2023 15:59:49 +0530
+Subject: [PATCH] fence_scsi: Automatically detect devices for shared VGs
+
+Currently, if no devices option is given, fence_scsi automatically
+builds a device list containing all LVM PVs that back VGs with the
+clustered ('c') bit set. With this commit, fence_scsi will also consider
+VGs with the shared ('s') bit set.
+
+Additionally, the existing check is too broad. We should consider a
+volume group to be clustered or shared only if the 6th bit is set to 'c'
+or 's'. This way, we can avoid false positives.
+
+Closes RHBZ#2187327
+Closes RHBZ#2187329
+---
+ agents/scsi/fence_scsi.py | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/agents/scsi/fence_scsi.py b/agents/scsi/fence_scsi.py
+index 85e4f29e6..3de4ba0b2 100644
+--- a/agents/scsi/fence_scsi.py
++++ b/agents/scsi/fence_scsi.py
+@@ -314,7 +314,7 @@ def dev_read(fail=True, opt=None):
+ 	return devs
+ 
+ 
+-def get_clvm_devices(options):
++def get_shared_devices(options):
+ 	devs = []
+ 	cmd = options["--vgs-path"] + " " +\
+ 	"--noheadings " +\
+@@ -324,10 +324,11 @@ def get_clvm_devices(options):
+ 	"--config 'global { locking_type = 0 } devices { preferred_names = [ \"^/dev/dm\" ] }'"
+ 	out = run_cmd(options, cmd)
+	if out["err"]:
+-		fail_usage("Failed: Cannot get clvm devices")
+-	for line in out["out"].split("\n"):
+-		if 'c' in line.split(":")[0]:
+-			devs.append(line.split(":")[1])
++		fail_usage("Failed: Cannot get shared devices")
++	for line in out["out"].splitlines():
++		vg_attr, pv_name = line.strip().split(":")
++		if vg_attr[5] in "cs":
++			devs.append(pv_name)
+ 	return devs
+ 
+ 
+@@ -612,7 +613,7 @@ def main():
+ 	options["--key"] = options["--key"].lstrip('0')
+ 
+ 	if not ("--devices" in options and options["--devices"].split(",")):
+-		options["devices"] = get_clvm_devices(options)
++		options["devices"] = get_shared_devices(options)
+ 	else:
+ 		options["devices"] = options["--devices"].split(",")
+ 

SOURCES/bz2187329-fence_scsi-2-support-space-separated-devices.patch

@@ -0,0 +1,92 @@
+From e363e55169a7be1cbeac5568fe2a32692867d4c6 Mon Sep 17 00:00:00 2001
+From: Arslan Ahmad <arslan.ahmad97@googlemail.com>
+Date: Thu, 4 May 2023 12:55:41 +0530
+Subject: [PATCH] fence_scsi: Add support for space-separated devices and
+ update in meta-data
+
+Currently the devices associated with fence_scsi should be
+comma-separated. With this commit, fence_scsi will also work if the
+'devices' are space-separated.
+
+Additionally, this commit includes meta-data update:
+1. For fence_scsi:
+ - The 'devices' parameter is optional if the cluster is configured with
+clvm/lvmlock.
+ - The 'devices' parameter can be comma or space-separated.
+
+2. For fence_mpath:
+ - The 'devices' parameter can be comma or space-separated.
+---
+ agents/mpath/fence_mpath.py         | 2 +-
+ agents/scsi/fence_scsi.py           | 8 ++++----
+ tests/data/metadata/fence_mpath.xml | 2 +-
+ tests/data/metadata/fence_scsi.xml  | 2 +-
+ 4 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/agents/mpath/fence_mpath.py b/agents/mpath/fence_mpath.py
+index ee81eab3a..6976fee90 100644
+--- a/agents/mpath/fence_mpath.py
++++ b/agents/mpath/fence_mpath.py
+@@ -226,7 +226,7 @@ def define_new_opts():
+ 		"help" : "-d, --devices=[devices]        List of devices to use for current operation",
+ 		"required" : "0",
+ 		"shortdesc" : "List of devices to use for current operation. Devices can \
+-be comma-separated list of device-mapper multipath devices (eg. /dev/mapper/3600508b400105df70000e00000ac0000 or /dev/mapper/mpath1). \
++be comma or space separated list of device-mapper multipath devices (eg. /dev/mapper/3600508b400105df70000e00000ac0000 or /dev/mapper/mpath1). \
+ Each device must support SCSI-3 persistent reservations.",
+ 		"order": 1
+ 	}
+diff --git a/agents/scsi/fence_scsi.py b/agents/scsi/fence_scsi.py
+index 3de4ba0b2..42530ceb5 100644
+--- a/agents/scsi/fence_scsi.py
++++ b/agents/scsi/fence_scsi.py
+@@ -350,8 +350,8 @@ def define_new_opts():
+ 		"help" : "-d, --devices=[devices]        List of devices to use for current operation",
+ 		"required" : "0",
+ 		"shortdesc" : "List of devices to use for current operation. Devices can \
+-be comma-separated list of raw devices (eg. /dev/sdc). Each device must support SCSI-3 \
+-persistent reservations.",
++be comma or space separated list of raw devices (eg. /dev/sdc). Each device must support SCSI-3 \
++persistent reservations. Optional if cluster is configured with clvm or lvmlockd.",
+ 		"order": 1
+ 	}
+ 	all_opt["nodename"] = {
+@@ -612,10 +612,10 @@ def main():
+ 
+ 	options["--key"] = options["--key"].lstrip('0')
+ 
+-	if not ("--devices" in options and options["--devices"].split(",")):
++	if not ("--devices" in options and [d for d in re.split("\s*,\s*|\s+", options["--devices"].strip()) if d]):
+ 		options["devices"] = get_shared_devices(options)
+ 	else:
+-		options["devices"] = options["--devices"].split(",")
++		options["devices"] = [d for d in re.split("\s*,\s*|\s+", options["--devices"].strip()) if d]
+ 
+ 	if not options["devices"]:
+ 		fail_usage("Failed: No devices found")
+diff --git a/tests/data/metadata/fence_mpath.xml b/tests/data/metadata/fence_mpath.xml
+index e22d3a1f9..262956dca 100644
+--- a/tests/data/metadata/fence_mpath.xml
++++ b/tests/data/metadata/fence_mpath.xml
+@@ -14,7 +14,7 @@ When used as a watchdog device you can define e.g. retry=1, retry-sleep=2 and ve
+ 	<parameter name="devices" unique="0" required="0">
+ 		<getopt mixed="-d, --devices=[devices]" />
+ 		<content type="string"  />
+-		<shortdesc lang="en">List of devices to use for current operation. Devices can be comma-separated list of device-mapper multipath devices (eg. /dev/mapper/3600508b400105df70000e00000ac0000 or /dev/mapper/mpath1). Each device must support SCSI-3 persistent reservations.</shortdesc>
++		<shortdesc lang="en">List of devices to use for current operation. Devices can be comma or space separated list of device-mapper multipath devices (eg. /dev/mapper/3600508b400105df70000e00000ac0000 or /dev/mapper/mpath1). Each device must support SCSI-3 persistent reservations.</shortdesc>
+ 	</parameter>
+ 	<parameter name="key" unique="0" required="0">
+ 		<getopt mixed="-k, --key=[key]" />
+diff --git a/tests/data/metadata/fence_scsi.xml b/tests/data/metadata/fence_scsi.xml
+index 4fa86189c..facb2f52e 100644
+--- a/tests/data/metadata/fence_scsi.xml
++++ b/tests/data/metadata/fence_scsi.xml
+@@ -19,7 +19,7 @@ When used as a watchdog device you can define e.g. retry=1, retry-sleep=2 and ve
+ 	<parameter name="devices" unique="0" required="0">
+ 		<getopt mixed="-d, --devices=[devices]" />
+ 		<content type="string"  />
+-		<shortdesc lang="en">List of devices to use for current operation. Devices can be comma-separated list of raw devices (eg. /dev/sdc). Each device must support SCSI-3 persistent reservations.</shortdesc>
++		<shortdesc lang="en">List of devices to use for current operation. Devices can be comma or space separated list of raw devices (eg. /dev/sdc). Each device must support SCSI-3 persistent reservations. Optional if cluster is configured with clvm or lvmlockd.</shortdesc>
+ 	</parameter>
+ 	<parameter name="key" unique="0" required="0">
+ 		<getopt mixed="-k, --key=[key]" />

SOURCES/bz2211460-fence_azure-arm-1-stack-hub-support.patch

@@ -0,0 +1,113 @@
+From 6e0228536d30ca1bd95bfd1628c0247f094ecaa8 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Wed, 2 Mar 2022 13:49:16 +0100
+Subject: [PATCH 1/2] fence_azure_arm: add stack cloud support
+
+---
+ agents/azure_arm/fence_azure_arm.py     | 18 ++++++++++++++----
+ lib/azure_fence.py.py                   | 10 ++++++++++
+ tests/data/metadata/fence_azure_arm.xml | 10 ++++++++++
+ 3 files changed, 34 insertions(+), 4 deletions(-)
+
+diff --git a/agents/azure_arm/fence_azure_arm.py b/agents/azure_arm/fence_azure_arm.py
+index 6908169c8..e3b7c85c7 100755
+--- a/agents/azure_arm/fence_azure_arm.py
++++ b/agents/azure_arm/fence_azure_arm.py
+@@ -183,20 +183,30 @@ def define_new_opts():
+         "getopt" : ":",
+         "longopt" : "cloud",
+         "help" : "--cloud=[name]                 Name of the cloud you want to use. Supported\n\
+-                                  values are china, germany or usgov. Do not use\n\
+-                                  this parameter if you want to use public\n\
+-                                  Azure.",
++                                  values are china, germany, usgov, or stack. Do\n\
++                                  not use this parameter if you want to use\n\
++                                  public Azure.",
+         "shortdesc" : "Name of the cloud you want to use.",
+         "required" : "0",
+         "order" : 7
+     }
++    all_opt["metadata-endpoint"] = {
++        "getopt" : ":",
++        "longopt" : "metadata-endpoint",
++        "help" : "--metadata-endpoint=[URL]      URL to metadata endpoint (used when cloud=stack).",
++        "shortdesc" : "URL to metadata endpoint (used when cloud=stack).",
++        "required" : "0",
++        "order" : 8
++    }
+ 
+ # Main agent method
+ def main():
+     compute_client = None
+     network_client = None
+ 
+-    device_opt = ["login", "no_login", "no_password", "passwd", "port", "resourceGroup", "tenantId", "subscriptionId", "network-fencing", "msi", "cloud"]
++    device_opt = ["login", "no_login", "no_password", "passwd", "port",
++		  "resourceGroup", "tenantId", "subscriptionId",
++		  "network-fencing", "msi", "cloud", "metadata-endpoint"]
+ 
+     atexit.register(atexit_handler)
+ 
+diff --git a/lib/azure_fence.py.py b/lib/azure_fence.py.py
+index 5ca71eb42..6f1eee5b9 100644
+--- a/lib/azure_fence.py.py
++++ b/lib/azure_fence.py.py
+@@ -251,6 +251,7 @@ def get_azure_config(options):
+     config.VMName = options.get("--plug")
+     config.SubscriptionId = options.get("--subscriptionId")
+     config.Cloud = options.get("--cloud")
++    config.MetadataEndpoint = options.get("--metadata-endpoint")
+     config.UseMSI = "--msi" in options
+     config.Tenantid = options.get("--tenantId")
+     config.ApplicationId = options.get("--username")
+@@ -279,6 +280,9 @@ def get_azure_cloud_environment(config):
+         elif (config.Cloud.lower() == "usgov"):
+             from msrestazure.azure_cloud import AZURE_US_GOV_CLOUD
+             cloud_environment = AZURE_US_GOV_CLOUD
++        elif (config.Cloud.lower() == "stack"):
++            from msrestazure.azure_cloud import get_cloud_from_metadata_endpoint
++            cloud_environment = get_cloud_from_metadata_endpoint(config.MetadataEndpoint)
+ 
+     return cloud_environment
+ 
+@@ -345,6 +349,9 @@ def get_azure_compute_client(config):
+     credentials = get_azure_credentials(config)
+ 
+     if cloud_environment:
++        if (config.Cloud.lower() == "stack") and not config.MetadataEndpoint:
++                fail_usage("metadata-endpoint not specified")
++
+         compute_client = ComputeManagementClient(
+             credentials,
+             config.SubscriptionId,
+@@ -372,6 +379,9 @@ def get_azure_network_client(config):
+     credentials = get_azure_credentials(config)
+ 
+     if cloud_environment:
++        if (config.Cloud.lower() == "stack") and not config.MetadataEndpoint:
++                fail_usage("metadata-endpoint not specified")
++
+         network_client = NetworkManagementClient(
+             credentials,
+             config.SubscriptionId,
+diff --git a/tests/data/metadata/fence_azure_arm.xml b/tests/data/metadata/fence_azure_arm.xml
+index c6e1f203b..8b7450762 100644
+--- a/tests/data/metadata/fence_azure_arm.xml
++++ b/tests/data/metadata/fence_azure_arm.xml
+@@ -98,6 +98,16 @@ When using network fencing the reboot-action will cause a quick-return once the
+ 		<content type="string"  />
+ 		<shortdesc lang="en">Name of the cloud you want to use.</shortdesc>
+ 	</parameter>
++	<parameter name="metadata-endpoint" unique="0" required="0" deprecated="1">
++		<getopt mixed="--metadata-endpoint=[URL]" />
++		<content type="string"  />
++		<shortdesc lang="en">URL to metadata endpoint (used when cloud=stack).</shortdesc>
++	</parameter>
++	<parameter name="metadata_endpoint" unique="0" required="0" obsoletes="metadata-endpoint">
++		<getopt mixed="--metadata-endpoint=[URL]" />
++		<content type="string"  />
++		<shortdesc lang="en">URL to metadata endpoint (used when cloud=stack).</shortdesc>
++	</parameter>
+ 	<parameter name="quiet" unique="0" required="0">
+ 		<getopt mixed="-q, --quiet" />
+ 		<content type="boolean"  />

SOURCES/bz2211460-fence_azure-arm-2-metadata-endpoint-error-message.patch

@@ -0,0 +1,32 @@
+--- a/lib/azure_fence.py.py	2023-07-03 11:40:44.083882319 +0200
++++ b/lib/azure_fence.py.py	2023-07-03 11:40:38.178784811 +0200
+@@ -317,12 +317,11 @@
+     from azure.mgmt.compute import ComputeManagementClient
+ 
+     cloud_environment = get_azure_cloud_environment(config)
++    if cloud_environment and config.Cloud.lower() == "stack" and not config.MetadataEndpoint:
++            fail_usage("metadata-endpoint not specified")
+     credentials = get_azure_credentials(config)
+ 
+     if cloud_environment:
+-        if (config.Cloud.lower() == "stack") and not config.MetadataEndpoint:
+-                fail_usage("metadata-endpoint not specified")
+-
+         compute_client = ComputeManagementClient(
+             credentials,
+             config.SubscriptionId,
+@@ -339,12 +338,11 @@
+     from azure.mgmt.network import NetworkManagementClient
+ 
+     cloud_environment = get_azure_cloud_environment(config)
++    if cloud_environment and config.Cloud.lower() == "stack" and not config.MetadataEndpoint:
++            fail_usage("metadata-endpoint not specified")
+     credentials = get_azure_credentials(config)
+ 
+     if cloud_environment:
+-        if (config.Cloud.lower() == "stack") and not config.MetadataEndpoint:
+-                fail_usage("metadata-endpoint not specified")
+-
+         network_client = NetworkManagementClient(
+             credentials,
+             config.SubscriptionId,

SOURCES/bz2218234-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch

@@ -0,0 +1,17 @@
+--- a/kubevirt/dateutil/zoneinfo/rebuild.py	2023-01-26 16:29:30.000000000 +0100
++++ b/kubevirt/dateutil/zoneinfo/rebuild.py	2023-07-19 10:12:42.277559948 +0200
+@@ -21,7 +21,12 @@
+     try:
+         with TarFile.open(filename) as tf:
+             for name in zonegroups:
+-                tf.extract(name, tmpdir)
++                if hasattr(tarfile, 'data_filter'):
++                    # Python with CVE-2007-4559 mitigation (PEP 706)
++                    tf.extract(name, tmpdir, filter='data')
++                else:
++                    # Fallback to a possibly dangerous extraction (before PEP 706)
++                    tf.extract(name, tmpdir)
+             filepaths = [os.path.join(tmpdir, n) for n in zonegroups]
+ 
+             _run_zic(zonedir, filepaths)
+

SOURCES/bz2218234-2-aws-fix-bundled-dateutil-CVE-2007-4559.patch

@@ -0,0 +1,16 @@
+--- a/aws/dateutil/zoneinfo/rebuild.py	2023-01-26 16:29:30.000000000 +0100
++++ b/aws/dateutil/zoneinfo/rebuild.py	2023-07-19 10:12:42.277559948 +0200
+@@ -21,7 +21,12 @@
+     try:
+         with TarFile.open(filename) as tf:
+             for name in zonegroups:
+-                tf.extract(name, tmpdir)
++                if hasattr(tarfile, 'data_filter'):
++                    # Python with CVE-2007-4559 mitigation (PEP 706)
++                    tf.extract(name, tmpdir, filter='data')
++                else:
++                    # Fallback to a possibly dangerous extraction (before PEP 706)
++                    tf.extract(name, tmpdir)
+             filepaths = [os.path.join(tmpdir, n) for n in zonegroups]
+ 
+             _run_zic(zonedir, filepaths)

SPECS/fence-agents.spec

@@ -44,7 +44,7 @@
 %global kubernetes		kubernetes
 %global kubernetes_version	12.0.1
 %global certifi			certifi
-%global certifi_version		2021.10.8
+%global certifi_version		2023.7.22
 %global googleauth		google-auth
 %global googleauth_version	2.3.0
 %global cachetools		cachetools
@@ -87,7 +87,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.2.1
-Release: 112%{?alphatag:.%{alphatag}}%{?dist}
+Release: 123%{?alphatag:.%{alphatag}}%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Base
 URL: https://github.com/ClusterLabs/fence-agents
@@ -267,6 +267,21 @@ Patch124: bz2136076-fence_ibm_powervs-improve-defaults.patch
 Patch125: bz2160478-fence_scsi-fix-validate-all.patch
 Patch126: bz2152105-fencing-1-add-plug_separator.patch
 Patch127: bz2152105-fencing-2-update-DEPENDENCY_OPT.patch
+Patch128: bz2183158-fence_aws-1-add-skip-race-check-parameter.patch
+Patch129: bz2183158-fence_aws-2-fail-when-power-action-request-fails.patch
+Patch130: bz2187329-fence_scsi-1-detect-devices-in-shared-vgs.patch
+Patch131: bz2187329-fence_scsi-2-support-space-separated-devices.patch
+Patch132: bz2211460-fence_azure-arm-1-stack-hub-support.patch
+Patch133: bz2211460-fence_azure-arm-2-metadata-endpoint-error-message.patch
+Patch134: bz2155453-fence_ibm_powervs-performance-improvements.patch
+
+### HA support libs/utils ###
+# all archs
+Patch1000: bz2218234-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+Patch1001: RHEL-11988-1-kubevirt-fix-bundled-urllib3-CVE-2023-43804.patch
+# cloud (x86_64 only)
+Patch2000: bz2218234-2-aws-fix-bundled-dateutil-CVE-2007-4559.patch
+Patch2001: RHEL-11988-2-aws-fix-bundled-urllib3-CVE-2023-43804.patch
 
 %if 0%{?fedora} || 0%{?rhel} > 7
 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hds_cb hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
@@ -472,6 +487,13 @@ BuildRequires: python3-google-api-client python3-pip python3-wheel python3-jinja
 %patch125 -p1
 %patch126 -p1
 %patch127 -p1
+%patch128 -p1 -F2
+%patch129 -p1
+%patch130 -p1
+%patch131 -p1
+%patch132 -p1
+%patch133 -p1
+%patch134 -p1
 
 # prevent compilation of something that won't get used anyway
 sed -i.orig 's|FENCE_ZVM=1|FENCE_ZVM=0|' configure.ac
@@ -582,6 +604,17 @@ popd
 %{__python3} -m pip install --target %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}/kubevirt --no-index --find-links %{_sourcedir} openshift
 rm -rf %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}/kubevirt/rsa*
 
+# regular patch doesnt work in build-section
+pushd %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1000}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1001}
+
+%ifarch x86_64
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2000}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2001}
+%endif
+popd
+
 ## tree fix up
 # fix libfence permissions
 chmod 0755 %{buildroot}%{_datadir}/fence/*.py
@@ -1469,6 +1502,35 @@ Fence agent for IBM z/VM over IP.
 %endif
 
 %changelog
+* Thu Oct 12 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-123
+- bundled urllib3: fix CVE-2023-43804
+  Resolves: RHEL-11988
+
+* Tue Sep 26 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-122
+- bundled certifi: fix CVE-2023-37920
+  Resolves: RHEL-6972
+
+* Thu Aug  3 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-121
+- bundled dateutil: fix tarfile CVE-2007-4559
+  Resolves: rhbz#2218234
+
+* Tue Jul 11 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-119
+- fence_ibm_powervs: performance improvements
+  Resolves: rhbz#2155453
+
+* Mon Jul  3 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-118
+- fence_azure_arm: add Stack Hub support
+  Resolves: rhbz#2211460
+
+* Thu May  4 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-115
+- fence_scsi: detect devices in shared VGs
+  Resolves: rhbz#2187329
+
+* Wed May  3 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-114
+- fence_aws: add --skip-race-check parameter to allow running outside
+  of AWS network
+  Resolves: rhbz#2183158
+
 * Thu Jan 26 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-112
 - fence_vmware_soap: set login_timeout lower than default
   pcmk_monitor_timeout (20s) to remove tmp dirs