rpms/fence-agents
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Merge branch 'c9' into a9

Browse Source
This commit is contained in:
eabdullin 2024-07-10 10:46:29 +03:00
commit 9fc05f6a46
15 changed files with 2992 additions and 269 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
.fence-agents.metadata
View File

@ -1,4 +1,4 @@
3297473a9d57e93ff378eab173990c1b64673c01 SOURCES/Jinja2-3.0.2.tar.gz a9db54d91b53f76f546afa1414dd015c0574ebeb SOURCES/Jinja2-3.1.3.tar.gz
e1b766b2b1601fde67b3b19ed2f13b9746bb1cca SOURCES/MarkupSafe-2.0.1.tar.gz e1b766b2b1601fde67b3b19ed2f13b9746bb1cca SOURCES/MarkupSafe-2.0.1.tar.gz
e1fb5dc6f95a85e7d1f93c6701b331201e8b5479 SOURCES/PyJWT-2.1.0-py3-none-any.whl e1fb5dc6f95a85e7d1f93c6701b331201e8b5479 SOURCES/PyJWT-2.1.0-py3-none-any.whl
53fc16036940089ceadd4127381e40fd6106a7ed SOURCES/PyYAML-5.1.tar.gz 53fc16036940089ceadd4127381e40fd6106a7ed SOURCES/PyYAML-5.1.tar.gz
@ -19,7 +19,7 @@ e20df6c9635f1db9a3c891b9239b4319d88b1747 SOURCES/azure_mgmt_core-1.2.2-py2.py3-n
6ef53a76455b377b02b4774c32a04e241cdb24eb SOURCES/botocore-2.0.0dev123.zip 6ef53a76455b377b02b4774c32a04e241cdb24eb SOURCES/botocore-2.0.0dev123.zip
c953dcd6e69587e5b182d77255ed836172fea70a SOURCES/cachetools-4.2.2-py3-none-any.whl c953dcd6e69587e5b182d77255ed836172fea70a SOURCES/cachetools-4.2.2-py3-none-any.whl
0d12f48faa727f0979e9ad5c4c80dfa32b73caff SOURCES/cachetools-4.2.4.tar.gz 0d12f48faa727f0979e9ad5c4c80dfa32b73caff SOURCES/cachetools-4.2.4.tar.gz
e8217d20c809f93bf1df6c57f38c9c56f406e1bb SOURCES/certifi-2023.7.22.tar.gz ec7e8dd8ef95edfdb83a1ea040b8b88507b47615 SOURCES/certifi-2023.7.22.tar.gz
17953cc85717e0f4501dbc7b5fb8e75d67dcdcd3 SOURCES/cffi-1.14.5-cp39-cp39-manylinux1_x86_64.whl 17953cc85717e0f4501dbc7b5fb8e75d67dcdcd3 SOURCES/cffi-1.14.5-cp39-cp39-manylinux1_x86_64.whl
96faab7de7e9a71b37f22adb64daf2898e967e3e SOURCES/chardet-3.0.4-py2.py3-none-any.whl 96faab7de7e9a71b37f22adb64daf2898e967e3e SOURCES/chardet-3.0.4-py2.py3-none-any.whl
e9eb83c71c09b3c8249bd7d6d2619b65fff03874 SOURCES/chardet-4.0.0-py2.py3-none-any.whl e9eb83c71c09b3c8249bd7d6d2619b65fff03874 SOURCES/chardet-4.0.0-py2.py3-none-any.whl
@ -61,17 +61,17 @@ e0fa19f8fda46a1fa2253477499b116b33f67175 SOURCES/pyasn1-0.4.8.tar.gz
43b89feb6864fe359aae89120627165219de313b SOURCES/pyasn1-modules-0.2.8.tar.gz 43b89feb6864fe359aae89120627165219de313b SOURCES/pyasn1-modules-0.2.8.tar.gz
d77aa46abbcaccc4054a0777a191e427c785c65a SOURCES/pyasn1_modules-0.2.8-py2.py3-none-any.whl d77aa46abbcaccc4054a0777a191e427c785c65a SOURCES/pyasn1_modules-0.2.8-py2.py3-none-any.whl
a0df3ebc552b551f8e99a05cf0a29ce30bef62ee SOURCES/pycparser-2.20-py2.py3-none-any.whl a0df3ebc552b551f8e99a05cf0a29ce30bef62ee SOURCES/pycparser-2.20-py2.py3-none-any.whl
df33feb2a14904c0461b5dcc3ca31f910206e7bd SOURCES/pycryptodome-3.10.1-cp35-abi3-manylinux2010_x86_64.whl c55d177e9484d974c95078d4ae945f89ba2c7251 SOURCES/pycryptodome-3.20.0.tar.gz
c8307f47e3b75a2d02af72982a2dfefa3f56e407 SOURCES/pyparsing-2.4.7-py2.py3-none-any.whl c8307f47e3b75a2d02af72982a2dfefa3f56e407 SOURCES/pyparsing-2.4.7-py2.py3-none-any.whl
6082312a090f5be5e796e0854294da0738ec0379 SOURCES/pyparsing-3.0.1.tar.gz 6082312a090f5be5e796e0854294da0738ec0379 SOURCES/pyparsing-3.0.1.tar.gz
24213006f983ada342ed86ea516028fdbb1ac66f SOURCES/pyroute2-0.6.4.tar.gz 770968018322c2b3fde684aebe964663c6f5d8c5 SOURCES/pyroute2-0.7.12.tar.gz
a052fefd7a93e1e4b2ca87c6a6c242ae70f97489 SOURCES/pyroute2.core-0.6.4.tar.gz 086fd01f5d989a69eeda46b8a41a53ced5bb402b SOURCES/pyroute2.core-0.6.13.tar.gz
e58f6fa56f1baf766ba147dbc9fbfc67fa92e234 SOURCES/pyroute2.ethtool-0.6.4.tar.gz 9575a9b38119670705b0a6c2648455d97b22ddc6 SOURCES/pyroute2.ethtool-0.6.13.tar.gz
9de1b2825454872697339a63f4d6d06a5167fb73 SOURCES/pyroute2.ipdb-0.6.4.tar.gz 751cb7dc70e3c1780a670c26ca5721de7caef5e7 SOURCES/pyroute2.ipdb-0.6.13.tar.gz
4ce5ab32674f3d2652e2f102b2502af4d499ba6a SOURCES/pyroute2.ipset-0.6.4.tar.gz c204fa61b905fe7b65e250e9204a642bbf3bb84c SOURCES/pyroute2.ipset-0.6.13.tar.gz
7dc3c981c9c991990647b74e670115395675fe04 SOURCES/pyroute2.ndb-0.6.4.tar.gz d5cba2a4501ffcaf7dcf3df9e9072c4fe343fc02 SOURCES/pyroute2.ndb-0.6.13.tar.gz
281fe514b28e096f9deb1121ee8340976f47e8c0 SOURCES/pyroute2.nftables-0.6.4.tar.gz 4939a1807c414682446d836307543928146bda25 SOURCES/pyroute2.nftables-0.6.13.tar.gz
7ecab830b1978fbd07d565872731268169847bc4 SOURCES/pyroute2.nslink-0.6.4.tar.gz 9ea5167f48860ac18a969b8830925852830297cc SOURCES/pyroute2.nslink-0.6.13.tar.gz
c2ba10c775b7a52a4b57cac4d4110a0c0f812a82 SOURCES/python-dateutil-2.8.2.tar.gz c2ba10c775b7a52a4b57cac4d4110a0c0f812a82 SOURCES/python-dateutil-2.8.2.tar.gz
1dc2fa004aa6517f1620e55d8a7b8e68a9cf2a47 SOURCES/python-string-utils-1.0.0.tar.gz 1dc2fa004aa6517f1620e55d8a7b8e68a9cf2a47 SOURCES/python-string-utils-1.0.0.tar.gz
3005ff67df93ee276fb8631e17c677df852254ad SOURCES/python_dateutil-2.8.1-py2.py3-none-any.whl 3005ff67df93ee276fb8631e17c677df852254ad SOURCES/python_dateutil-2.8.1-py2.py3-none-any.whl
@ -94,8 +94,7 @@ a4f02fddae697614e356cadfddb6241cc7737f38 SOURCES/setuptools_scm-6.3.2.tar.gz
47a980b20875d1a1714e921552b5bb0eda190f37 SOURCES/suds_community-0.8.5-py3-none-any.whl 47a980b20875d1a1714e921552b5bb0eda190f37 SOURCES/suds_community-0.8.5-py3-none-any.whl
b42b7960047441db7dc021cc20e14279bd836f8d SOURCES/tomli-1.0.1.tar.gz b42b7960047441db7dc021cc20e14279bd836f8d SOURCES/tomli-1.0.1.tar.gz
83be56610e5f824bb05ff7a5618d6d4df9b6cc08 SOURCES/uritemplate-3.0.1-py2.py3-none-any.whl 83be56610e5f824bb05ff7a5618d6d4df9b6cc08 SOURCES/uritemplate-3.0.1-py2.py3-none-any.whl
206b17697417cbf5fc55f1e39c7ceb2197fe3e63 SOURCES/urllib3-1.26.6-py2.py3-none-any.whl 84e2852d8da1655373f7ce5e7d5d3e256b62b4e4 SOURCES/urllib3-1.26.18.tar.gz
eb35c3fd8b0867ae988a15917d6b80e8bdf60222 SOURCES/urllib3-1.26.7.tar.gz
7126323614cada181bc8b06436e80ef372ff8656 SOURCES/wcwidth-0.1.9-py2.py3-none-any.whl 7126323614cada181bc8b06436e80ef372ff8656 SOURCES/wcwidth-0.1.9-py2.py3-none-any.whl
540f083782c584989c1a0f69ffd69ba7aae07db6 SOURCES/websocket-client-1.2.1.tar.gz 540f083782c584989c1a0f69ffd69ba7aae07db6 SOURCES/websocket-client-1.2.1.tar.gz
b6c48d8714e043524be7a869d1db0adcd8441cd4 SOURCES/wheel-0.37.0-py2.py3-none-any.whl b6c48d8714e043524be7a869d1db0adcd8441cd4 SOURCES/wheel-0.37.0-py2.py3-none-any.whl

23
.gitignore vendored
View File

@ -1,4 +1,4 @@
SOURCES/Jinja2-3.0.2.tar.gz SOURCES/Jinja2-3.1.3.tar.gz
SOURCES/MarkupSafe-2.0.1.tar.gz SOURCES/MarkupSafe-2.0.1.tar.gz
SOURCES/PyJWT-2.1.0-py3-none-any.whl SOURCES/PyJWT-2.1.0-py3-none-any.whl
SOURCES/PyYAML-5.1.tar.gz SOURCES/PyYAML-5.1.tar.gz
@ -61,17 +61,17 @@ SOURCES/pyasn1-0.4.8.tar.gz
SOURCES/pyasn1-modules-0.2.8.tar.gz SOURCES/pyasn1-modules-0.2.8.tar.gz
SOURCES/pyasn1_modules-0.2.8-py2.py3-none-any.whl SOURCES/pyasn1_modules-0.2.8-py2.py3-none-any.whl
SOURCES/pycparser-2.20-py2.py3-none-any.whl SOURCES/pycparser-2.20-py2.py3-none-any.whl
SOURCES/pycryptodome-3.10.1-cp35-abi3-manylinux2010_x86_64.whl SOURCES/pycryptodome-3.20.0.tar.gz
SOURCES/pyparsing-2.4.7-py2.py3-none-any.whl SOURCES/pyparsing-2.4.7-py2.py3-none-any.whl
SOURCES/pyparsing-3.0.1.tar.gz SOURCES/pyparsing-3.0.1.tar.gz
SOURCES/pyroute2-0.6.4.tar.gz SOURCES/pyroute2-0.7.12.tar.gz
SOURCES/pyroute2.core-0.6.4.tar.gz SOURCES/pyroute2.core-0.6.13.tar.gz
SOURCES/pyroute2.ethtool-0.6.4.tar.gz SOURCES/pyroute2.ethtool-0.6.13.tar.gz
SOURCES/pyroute2.ipdb-0.6.4.tar.gz SOURCES/pyroute2.ipdb-0.6.13.tar.gz
SOURCES/pyroute2.ipset-0.6.4.tar.gz SOURCES/pyroute2.ipset-0.6.13.tar.gz
SOURCES/pyroute2.ndb-0.6.4.tar.gz SOURCES/pyroute2.ndb-0.6.13.tar.gz
SOURCES/pyroute2.nftables-0.6.4.tar.gz SOURCES/pyroute2.nftables-0.6.13.tar.gz
SOURCES/pyroute2.nslink-0.6.4.tar.gz SOURCES/pyroute2.nslink-0.6.13.tar.gz
SOURCES/python-dateutil-2.8.2.tar.gz SOURCES/python-dateutil-2.8.2.tar.gz
SOURCES/python-string-utils-1.0.0.tar.gz SOURCES/python-string-utils-1.0.0.tar.gz
SOURCES/python_dateutil-2.8.1-py2.py3-none-any.whl SOURCES/python_dateutil-2.8.1-py2.py3-none-any.whl
@ -94,8 +94,7 @@ SOURCES/six-1.16.0.tar.gz
SOURCES/suds_community-0.8.5-py3-none-any.whl SOURCES/suds_community-0.8.5-py3-none-any.whl
SOURCES/tomli-1.0.1.tar.gz SOURCES/tomli-1.0.1.tar.gz
SOURCES/uritemplate-3.0.1-py2.py3-none-any.whl SOURCES/uritemplate-3.0.1-py2.py3-none-any.whl
SOURCES/urllib3-1.26.6-py2.py3-none-any.whl SOURCES/urllib3-1.26.18.tar.gz
SOURCES/urllib3-1.26.7.tar.gz
SOURCES/wcwidth-0.1.9-py2.py3-none-any.whl SOURCES/wcwidth-0.1.9-py2.py3-none-any.whl
SOURCES/websocket-client-1.2.1.tar.gz SOURCES/websocket-client-1.2.1.tar.gz
SOURCES/wheel-0.37.0-py2.py3-none-any.whl SOURCES/wheel-0.37.0-py2.py3-none-any.whl

59
SOURCES/CVE-2023-43804-aws.patch
View File

@ -1,59 +0,0 @@
From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001
From: Quentin Pradet <quentin.pradet@gmail.com>
Date: Mon, 2 Oct 2023 19:46:16 +0400
Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
---
CHANGES.rst | 5 ++++
docs/user-guide.rst | 3 +++
src/urllib3/util/retry.py | 2 +-
test/test_retry.py | 4 +--
test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
5 files changed, 35 insertions(+), 9 deletions(-)
diff --git a/aws/urllib3/util/retry.py b/aws/urllib3/util/retry.py
index ea48afe3ca..7572bfd26a 100644
--- a/aws/urllib3/util/retry.py
+++ b/aws/urllib3/util/retry.py
@@ -187,7 +187,7 @@ class Retry:
RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
#: Default headers to be used for ``remove_headers_on_redirect``
- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
+ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
#: Default maximum backoff time.
DEFAULT_BACKOFF_MAX = 120
--- a/awscli/urllib3/util/retry.py
+++ b/awscli/urllib3/util/retry.py
@@ -187,7 +187,7 @@ class Retry:
RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
#: Default headers to be used for ``remove_headers_on_redirect``
- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
+ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
#: Default maximum backoff time.
DEFAULT_BACKOFF_MAX = 120
--- a/azure/urllib3/util/retry.py
+++ b/azure/urllib3/util/retry.py
@@ -187,7 +187,7 @@ class Retry:
RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
#: Default headers to be used for ``remove_headers_on_redirect``
- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
+ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
#: Default maximum backoff time.
DEFAULT_BACKOFF_MAX = 120
--- a/google/urllib3/util/retry.py
+++ b/google/urllib3/util/retry.py
@@ -187,7 +187,7 @@ class Retry:
RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
#: Default headers to be used for ``remove_headers_on_redirect``
- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
+ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
#: Default maximum backoff time.
DEFAULT_BACKOFF_MAX = 120

26
SOURCES/CVE-2023-43804-kubevirt.patch
View File

@ -1,26 +0,0 @@
From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001
From: Quentin Pradet <quentin.pradet@gmail.com>
Date: Mon, 2 Oct 2023 19:46:16 +0400
Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
---
CHANGES.rst | 5 ++++
docs/user-guide.rst | 3 +++
src/urllib3/util/retry.py | 2 +-
test/test_retry.py | 4 +--
test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
5 files changed, 35 insertions(+), 9 deletions(-)
diff --git a/kubevirt/urllib3/util/retry.py b/kubevirt/urllib3/util/retry.py
index ea48afe3ca..7572bfd26a 100644
--- a/kubevirt/urllib3/util/retry.py
+++ b/kubevirt/urllib3/util/retry.py
@@ -187,7 +187,7 @@ class Retry:
RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
#: Default headers to be used for ``remove_headers_on_redirect``
- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
+ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
#: Default maximum backoff time.
DEFAULT_BACKOFF_MAX = 120

1916
SOURCES/RHEL-14030-1-all-agents-metadata-update-IO-Power-Network.patch Normal file
View File

File diff suppressed because it is too large Load Diff

35
SOURCES/RHEL-14030-2-fence_cisco_mds-undo-metadata-change.patch Normal file
View File

@ -0,0 +1,35 @@
From 639732ddca765b2f147ef0c0a896968e3304ca49 Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen <oalbrigt@redhat.com>
Date: Mon, 23 Oct 2023 09:28:55 +0200
Subject: [PATCH] fence_cisco_mds: undo metadata change, as it is an I/O agent
---
agents/cisco_mds/fence_cisco_mds.py | 2 +-
tests/data/metadata/fence_cisco_mds.xml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/agents/cisco_mds/fence_cisco_mds.py b/agents/cisco_mds/fence_cisco_mds.py
index 04cd1f842..fbb876a94 100644
--- a/agents/cisco_mds/fence_cisco_mds.py
+++ b/agents/cisco_mds/fence_cisco_mds.py
@@ -77,7 +77,7 @@ def main():
docs = {}
docs["shortdesc"] = "Fence agent for Cisco MDS"
- docs["longdesc"] = "fence_cisco_mds is a Power Fencing agent \
+ docs["longdesc"] = "fence_cisco_mds is an I/O Fencing agent \
which can be used with any Cisco MDS 9000 series with SNMP enabled device."
docs["vendorurl"] = "http://www.cisco.com"
show_docs(options, docs)
diff --git a/tests/data/metadata/fence_cisco_mds.xml b/tests/data/metadata/fence_cisco_mds.xml
index 2105ecccc..829c9dcbe 100644
--- a/tests/data/metadata/fence_cisco_mds.xml
+++ b/tests/data/metadata/fence_cisco_mds.xml
@@ -1,6 +1,6 @@
<?xml version="1.0" ?>
<resource-agent name="fence_cisco_mds" shortdesc="Fence agent for Cisco MDS" >
-<longdesc>fence_cisco_mds is a Power Fencing agent which can be used with any Cisco MDS 9000 series with SNMP enabled device.</longdesc>
+<longdesc>fence_cisco_mds is an I/O Fencing agent which can be used with any Cisco MDS 9000 series with SNMP enabled device.</longdesc>
<vendor-url>http://www.cisco.com</vendor-url>
<parameters>
<parameter name="action" unique="0" required="1">

159
SOURCES/RHEL-14344-fence_zvmip-1-document-user-permissions.patch Normal file
View File

@ -0,0 +1,159 @@
From dcb8ddd13c3dfad02e00c07f283251e0c2a60c46 Mon Sep 17 00:00:00 2001
From: Reid Wahl <nrwahl@protonmail.com>
Date: Mon, 16 Aug 2021 17:44:13 -0700
Subject: [PATCH] fence_zvmip: Update longdesc to document all required
functions
In RHBZ#1935641, IBM explained that the requesting user needs
authorization for more functions than what is currently documented.
They said:
"""
What we found is that you need rights from three different NICKS:
SERVER_MANAGEMENT, IMAGE_CHARACTERISTICS and IMAGE_OPERATIONS.
You won't be able to give a user all three NICKS.
Therefore, you have to create a new NICK with all capabilities from all
three NICKS together and then assign the new NICK to the USER
"ZCLUSTER".
Even better is to just use the needed Subset with a new NICK.
We found five commands which are used in the fencing code and on the
z/VM Log which should be enough for fencing to work.
We suggest creating following files:
File VSMWORK1 NAMELIST:
```
:nick.ZVM_FENCE
:list.
IMAGE_ACTIVATE
IMAGE_DEACTIVATE
IMAGE_STATUS_QUERY
CHECK_AUTHENTICATION
IMAGE_NAME_QUERY_DM
```
File VSMWORK1 AUTHLIST:
```
ZCLUSTER ALL ZVM_FENCE
```
For details, we suggest adding a link to the current z/VM docu:
- NAMELIST: https://www.ibm.com/support/knowledgecenter/de/SSB27U_7.2.0/com.ibm.zvm.v720.dmse6/namelst.htm
- AUTHLIST: https://www.ibm.com/support/knowledgecenter/de/SSB27U_7.2.0/com.ibm.zvm.v720.dmse6/auf.htm
"""
Resolves: RHBZ1935641
Signed-off-by: Reid Wahl <nrwahl@protonmail.com>
---
agents/zvm/fence_zvmip.py | 37 ++++++++++++++++++++++-------
tests/data/metadata/fence_zvmip.xml | 37 ++++++++++++++++++++++-------
2 files changed, 56 insertions(+), 18 deletions(-)
diff --git a/agents/zvm/fence_zvmip.py b/agents/zvm/fence_zvmip.py
index 4f538e10d..c37950a20 100644
--- a/agents/zvm/fence_zvmip.py
+++ b/agents/zvm/fence_zvmip.py
@@ -199,21 +199,40 @@ def main():
docs = {}
docs["shortdesc"] = "Fence agent for use with z/VM Virtual Machines"
- docs["longdesc"] = """The fence_zvm agent is intended to be used with with z/VM SMAPI service via TCP/IP
+ docs["longdesc"] = """The fence_zvmip agent is intended to be used with the
+z/VM SMAPI service via TCP/IP.
-To use this agent the z/VM SMAPI service needs to be configured to allow the virtual machine running this agent to connect to it and issue
-the image_recycle operation. This involves updating the VSMWORK1 AUTHLIST VMSYS:VSMWORK1. file. The entry should look something similar to
-this:
+The z/VM SMAPI service must be configured so that the virtual machine running
+the agent can connect to the service, access the system's directory manager,
+and shortly thereafter run image_deactivate and image_activate. This involves
+updating the VSMWORK1 NAMELIST and VSMWORK1 AUTHLIST VMSYS:VSMWORK1 files.
+
+The NAMELIST entry assigns all the required functions to one nick and should
+look similar to this:
+
+:nick.ZVM_FENCE
+:list.
+IMAGE_ACTIVATE
+IMAGE_DEACTIVATE
+IMAGE_STATUS_QUERY
+CHECK_AUTHENTICATION
+IMAGE_NAME_QUERY_DM
+
+
+The AUTHLIST entry authorizes the user to perform all the functions associated
+with the nick, and should look similar to this:
Column 1 Column 66 Column 131
- | | |
- V V V
+| | |
+V V V
+
+XXXXXXXX ALL ZVM_FENCE
-XXXXXXXX ALL IMAGE_CHARACTERISTICS
+where XXXXXXXX is the name of the user in the authuser field of the request.
-Where XXXXXXX is the name of the virtual machine used in the authuser field of the request. This virtual machine also has to be authorized
-to access the system's directory manager.
+Refer to the official z/VM documentation for complete instructions and
+reference materials.
"""
docs["vendorurl"] = "http://www.ibm.com"
show_docs(options, docs)
diff --git a/tests/data/metadata/fence_zvmip.xml b/tests/data/metadata/fence_zvmip.xml
index 6996ab736..96393bdfa 100644
--- a/tests/data/metadata/fence_zvmip.xml
+++ b/tests/data/metadata/fence_zvmip.xml
@@ -1,20 +1,39 @@
<?xml version="1.0" ?>
<resource-agent name="fence_zvmip" shortdesc="Fence agent for use with z/VM Virtual Machines" >
-<longdesc>The fence_zvm agent is intended to be used with with z/VM SMAPI service via TCP/IP
+<longdesc>The fence_zvmip agent is intended to be used with the
+z/VM SMAPI service via TCP/IP.
-To use this agent the z/VM SMAPI service needs to be configured to allow the virtual machine running this agent to connect to it and issue
-the image_recycle operation. This involves updating the VSMWORK1 AUTHLIST VMSYS:VSMWORK1. file. The entry should look something similar to
-this:
+The z/VM SMAPI service must be configured so that the virtual machine running
+the agent can connect to the service, access the system's directory manager,
+and shortly thereafter run image_deactivate and image_activate. This involves
+updating the VSMWORK1 NAMELIST and VSMWORK1 AUTHLIST VMSYS:VSMWORK1 files.
+
+The NAMELIST entry assigns all the required functions to one nick and should
+look similar to this:
+
+:nick.ZVM_FENCE
+:list.
+IMAGE_ACTIVATE
+IMAGE_DEACTIVATE
+IMAGE_STATUS_QUERY
+CHECK_AUTHENTICATION
+IMAGE_NAME_QUERY_DM
+
+
+The AUTHLIST entry authorizes the user to perform all the functions associated
+with the nick, and should look similar to this:
Column 1 Column 66 Column 131
- | | |
- V V V
+| | |
+V V V
+
+XXXXXXXX ALL ZVM_FENCE
-XXXXXXXX ALL IMAGE_CHARACTERISTICS
+where XXXXXXXX is the name of the user in the authuser field of the request.
-Where XXXXXXX is the name of the virtual machine used in the authuser field of the request. This virtual machine also has to be authorized
-to access the system's directory manager.
+Refer to the official z/VM documentation for complete instructions and
+reference materials.
</longdesc>
<vendor-url>http://www.ibm.com</vendor-url>
<parameters>

41
SOURCES/RHEL-14344-fence_zvmip-2-fix-manpage-formatting.patch Normal file
View File

@ -0,0 +1,41 @@
From adac1d81c5758235b6df46d0a91f1e948655848a Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen <oalbrigt@redhat.com>
Date: Wed, 3 Jan 2024 10:17:50 +0100
Subject: [PATCH] fence_zvmip: fix manpage formatting
---
agents/zvm/fence_zvmip.py | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/agents/zvm/fence_zvmip.py b/agents/zvm/fence_zvmip.py
index f1cea2652..bd8273c49 100644
--- a/agents/zvm/fence_zvmip.py
+++ b/agents/zvm/fence_zvmip.py
@@ -210,12 +210,12 @@ def main():
The NAMELIST entry assigns all the required functions to one nick and should
look similar to this:
-:nick.ZVM_FENCE
-:list.
-IMAGE_ACTIVATE
-IMAGE_DEACTIVATE
-IMAGE_STATUS_QUERY
-CHECK_AUTHENTICATION
+:nick.ZVM_FENCE\n.br\n\
+:list.\n.br\n\
+IMAGE_ACTIVATE\n.br\n\
+IMAGE_DEACTIVATE\n.br\n\
+IMAGE_STATUS_QUERY\n.br\n\
+CHECK_AUTHENTICATION\n.br\n\
IMAGE_NAME_QUERY_DM
@@ -224,7 +224,7 @@ def main():
Column 1 Column 66 Column 131
-| | |
+| | |\n.br\n\
V V V
XXXXXXXX ALL ZVM_FENCE

380
SOURCES/RHEL-35273-fence_eps-add-fence_epsr2-for-ePowerSwitch-R2-and-newer.patch Normal file
View File

@ -0,0 +1,380 @@
From 55451b6fd007e6f9a6d6860e95304b7c5c27cc1b Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen <oalbrigt@redhat.com>
Date: Thu, 2 May 2024 15:10:16 +0200
Subject: [PATCH 1/2] fencing: add support for docs["agent_name"] to use the
main agent name when generating manpages
---
lib/fencing.py.py | 12 +++++++++---
tests/data/metadata/fence_eps.xml | 9 ++++++---
2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/lib/fencing.py.py b/lib/fencing.py.py
index 511eb2689..66e2ff156 100644
--- a/lib/fencing.py.py
+++ b/lib/fencing.py.py
@@ -603,7 +603,7 @@ def usage(avail_opt):
if len(value["help"]) != 0:
print(" " + _join_wrap([value["help"]], first_indent=3))
-def metadata(options, avail_opt, docs):
+def metadata(options, avail_opt, docs, agent_name=os.path.basename(sys.argv[0])):
# avail_opt has to be unique, if there are duplicities then they should be removed
sorted_list = [(key, all_opt[key]) for key in list(set(avail_opt)) if "longopt" in all_opt[key]]
# Find keys that are going to replace inconsistent names
@@ -617,7 +617,7 @@ def metadata(options, avail_opt, docs):
docs["longdesc"] = re.sub(r"\\f[BPIR]|\.P|\.TP|\.br\n", r"", docs["longdesc"])
print("<?xml version=\"1.0\" ?>")
- print("<resource-agent name=\"" + os.path.basename(sys.argv[0]) + \
+ print("<resource-agent name=\"" + agent_name + \
"\" shortdesc=\"" + docs["shortdesc"] + "\" >")
for (symlink, desc) in docs.get("symlink", []):
print("<symlink name=\"" + symlink + "\" shortdesc=\"" + desc + "\"/>")
@@ -928,9 +928,15 @@ def show_docs(options, docs=None):
sys.exit(0)
if options.get("--action", "") in ["metadata", "manpage"]:
+ if options["--action"] == "metadata" or "agent_name" not in docs:
+ agent_name=os.path.basename(sys.argv[0])
+ else:
+ agent_name=docs["agent_name"]
+
+
if "port_as_ip" in device_opt:
device_opt.remove("separator")
- metadata(options, device_opt, docs)
+ metadata(options, device_opt, docs, agent_name)
sys.exit(0)
if "--version" in options:
diff --git a/tests/data/metadata/fence_eps.xml b/tests/data/metadata/fence_eps.xml
index 3f9ebdc22..a3aeb1aea 100644
--- a/tests/data/metadata/fence_eps.xml
+++ b/tests/data/metadata/fence_eps.xml
@@ -1,9 +1,12 @@
<?xml version="1.0" ?>
<resource-agent name="fence_eps" shortdesc="Fence agent for ePowerSwitch" >
-<longdesc>fence_eps is a Power Fencing agent which can be used with the ePowerSwitch 8M+ power switch to fence connected machines. Fence agent works ONLY on 8M+ device, because this is only one, which has support for hidden page feature.
+<symlink name="fence_epsr2" shortdesc="Fence agent for ePowerSwitch R2 and newer"/>
+<longdesc>fence_eps is a Power Fencing agent which can be used with the ePowerSwitch 8M+ power switch to fence connected machines. It ONLY works on 8M+ devices, as they support the hidden page feature.
-Agent basically works by connecting to hidden page and pass appropriate arguments to GET request. This means, that hidden page feature must be enabled and properly configured.</longdesc>
-<vendor-url>http://www.epowerswitch.com</vendor-url>
+The agent works by connecting to the hidden page and pass the appropriate arguments to GET request. This means, that the hidden page feature must be enabled and properly configured.
+
+NOTE: In most cases you want to use fence_epsr2, as fence_eps only works with older hardware.</longdesc>
+<vendor-url>https://www.neol.com</vendor-url>
<parameters>
<parameter name="action" unique="0" required="1">
<getopt mixed="-o, --action=[action]" />
From 639f5293e0b2c0153ea01bf37534b74f436dd630 Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen <oalbrigt@redhat.com>
Date: Tue, 13 Feb 2024 11:11:25 +0100
Subject: [PATCH 2/2] fence_eps: add fence_epsr2 for ePowerSwitch R2 and newer
---
agents/eps/fence_eps.py | 46 ++++---
fence-agents.spec.in | 4 +-
tests/data/metadata/fence_epsr2.xml | 178 ++++++++++++++++++++++++++++
3 files changed, 211 insertions(+), 17 deletions(-)
create mode 100644 tests/data/metadata/fence_epsr2.xml
diff --git a/agents/eps/fence_eps.py b/agents/eps/fence_eps.py
index 81e439533..1e6bda099 100644
--- a/agents/eps/fence_eps.py
+++ b/agents/eps/fence_eps.py
@@ -3,8 +3,8 @@
# The Following Agent Has Been Tested On:
# ePowerSwitch 8M+ version 1.0.0.4
-import sys, re
-import base64, string, socket
+import sys, os, re
+import base64, socket
import logging
import atexit
sys.path.append("@FENCEAGENTSLIBDIR@")
@@ -37,7 +37,7 @@ def eps_run_command(options, params):
options["--password"] = "" # Default is empty password
# String for Authorization header
- auth_str = 'Basic ' + string.strip(base64.encodestring(options["--username"]+':'+options["--password"]))
+ auth_str = 'Basic ' + str(base64.encodebytes(bytes(options["--username"]+':'+options["--password"], "utf-8")).decode("utf-8").strip())
logging.debug("Authorization: %s\n", auth_str)
conn.putheader('Authorization', auth_str)
@@ -60,16 +60,22 @@ def eps_run_command(options, params):
logging.error("Failed: {}".format(str(e)))
fail(EC_LOGIN_DENIED)
- return result
+ return result.decode("utf-8", "ignore")
def get_power_status(conn, options):
del conn
ret_val = eps_run_command(options, "")
result = {}
- status = re.findall(r"p(\d{2})=(0|1)\s*\<br\>", ret_val.lower())
+ if os.path.basename(sys.argv[0]) == "fence_eps":
+ status = re.findall(r"p(\d{2})=(0|1)\s*\<br\>", ret_val.lower())
+ elif os.path.basename(sys.argv[0]) == "fence_epsr2":
+ status = re.findall(r"m0:o(\d)=(on|off)\s*", ret_val.lower())
for out_num, out_stat in status:
- result[out_num] = ("", (out_stat == "1" and "on" or "off"))
+ if os.path.basename(sys.argv[0]) == "fence_eps":
+ result[out_num] = ("", (out_stat == "1" and "on" or "off"))
+ elif os.path.basename(sys.argv[0]) == "fence_epsr2":
+ result[out_num] = ("", out_stat)
if not options["--action"] in ['monitor', 'list']:
if not options["--plug"] in result:
@@ -81,7 +87,12 @@ def get_power_status(conn, options):
def set_power_status(conn, options):
del conn
- eps_run_command(options, "P%s=%s"%(options["--plug"], (options["--action"] == "on" and "1" or "0")))
+ if os.path.basename(sys.argv[0]) == "fence_eps":
+ eps_run_command(options, "P%s=%s"%(options["--plug"], (options["--action"] == "on" and "1" or "0")))
+ elif os.path.basename(sys.argv[0]) == "fence_epsr2":
+ if options["--action"] == "reboot":
+ options["--action"] = "off"
+ eps_run_command(options, "M0:O%s=%s"%(options["--plug"], options["--action"]))
# Define new option
def eps_define_new_opts():
@@ -107,20 +118,25 @@ def main():
options = check_input(device_opt, process_input(device_opt))
docs = {}
+ docs["agent_name"] = "fence_eps"
docs["shortdesc"] = "Fence agent for ePowerSwitch"
- docs["longdesc"] = "fence_eps is a Power Fencing agent \
+ docs["longdesc"] = os.path.basename(sys.argv[0]) + " is a Power Fencing agent \
which can be used with the ePowerSwitch 8M+ power switch to fence \
-connected machines. Fence agent works ONLY on 8M+ device, because \
-this is only one, which has support for hidden page feature. \
+connected machines. It ONLY works on 8M+ devices, as \
+they support the hidden page feature. \
\n.TP\n\
-Agent basically works by connecting to hidden page and pass \
-appropriate arguments to GET request. This means, that hidden \
-page feature must be enabled and properly configured."
- docs["vendorurl"] = "http://www.epowerswitch.com"
+The agent works by connecting to the hidden page and pass \
+the appropriate arguments to GET request. This means, that the hidden \
+page feature must be enabled and properly configured. \
+\n.TP\n\
+NOTE: In most cases you want to use fence_epsr2, as fence_eps \
+only works with older hardware."
+ docs["vendorurl"] = "https://www.neol.com"
+ docs["symlink"] = [("fence_epsr2", "Fence agent for ePowerSwitch R2 and newer")]
show_docs(options, docs)
run_delay(options)
- #Run fence action. Conn is None, beacause we always need open new http connection
+ #Run fence action. Conn is None, because we always need open new http connection
result = fence_action(None, options, set_power_status, get_power_status, get_power_status)
sys.exit(result)
diff --git a/fence-agents.spec.in b/fence-agents.spec.in
index e139e6da5..5b8066122 100644
--- a/fence-agents.spec.in
+++ b/fence-agents.spec.in
@@ -597,8 +597,8 @@ BuildArch: noarch
Fence agent for ePowerSwitch 8M+ power switches that are accessed
via the HTTP(s) protocol.
%files eps
-%{_sbindir}/fence_eps
-%{_mandir}/man8/fence_eps.8*
+%{_sbindir}/fence_eps*
+%{_mandir}/man8/fence_eps*.8*
%package gce
License: GPL-2.0-or-later AND LGPL-2.0-or-later
diff --git a/tests/data/metadata/fence_epsr2.xml b/tests/data/metadata/fence_epsr2.xml
new file mode 100644
index 000000000..37074e052
--- /dev/null
+++ b/tests/data/metadata/fence_epsr2.xml
@@ -0,0 +1,178 @@
+<?xml version="1.0" ?>
+<resource-agent name="fence_epsr2" shortdesc="Fence agent for ePowerSwitch" >
+<symlink name="fence_epsr2" shortdesc="Fence agent for ePowerSwitch R2 and newer"/>
+<longdesc>fence_epsr2 is a Power Fencing agent which can be used with the ePowerSwitch 8M+ power switch to fence connected machines. It ONLY works on 8M+ devices, as they support the hidden page feature.
+
+The agent works by connecting to the hidden page and pass the appropriate arguments to GET request. This means, that the hidden page feature must be enabled and properly configured.
+
+NOTE: In most cases you want to use fence_epsr2, as fence_eps only works with older hardware.</longdesc>
+<vendor-url>https://www.neol.com</vendor-url>
+<parameters>
+ <parameter name="action" unique="0" required="1">
+ <getopt mixed="-o, --action=[action]" />
+ <content type="string" default="reboot" />
+ <shortdesc lang="en">Fencing action</shortdesc>
+ </parameter>
+ <parameter name="hidden_page" unique="0" required="0" deprecated="1">
+ <getopt mixed="-c, --page=[page]" />
+ <content type="string" default="hidden.htm" />
+ <shortdesc lang="en">Name of hidden page</shortdesc>
+ </parameter>
+ <parameter name="ip" unique="0" required="1" obsoletes="ipaddr">
+ <getopt mixed="-a, --ip=[ip]" />
+ <content type="string" />
+ <shortdesc lang="en">IP address or hostname of fencing device</shortdesc>
+ </parameter>
+ <parameter name="ipaddr" unique="0" required="1" deprecated="1">
+ <getopt mixed="-a, --ip=[ip]" />
+ <content type="string" />
+ <shortdesc lang="en">IP address or hostname of fencing device</shortdesc>
+ </parameter>
+ <parameter name="ipport" unique="0" required="0">
+ <getopt mixed="-u, --ipport=[port]" />
+ <content type="integer" default="80" />
+ <shortdesc lang="en">TCP/UDP port to use for connection with device</shortdesc>
+ </parameter>
+ <parameter name="login" unique="0" required="0" deprecated="1">
+ <getopt mixed="-l, --username=[name]" />
+ <content type="string" />
+ <shortdesc lang="en">Login name</shortdesc>
+ </parameter>
+ <parameter name="page" unique="0" required="0" obsoletes="hidden_page">
+ <getopt mixed="-c, --page=[page]" />
+ <content type="string" default="hidden.htm" />
+ <shortdesc lang="en">Name of hidden page</shortdesc>
+ </parameter>
+ <parameter name="passwd" unique="0" required="0" deprecated="1">
+ <getopt mixed="-p, --password=[password]" />
+ <content type="string" />
+ <shortdesc lang="en">Login password or passphrase</shortdesc>
+ </parameter>
+ <parameter name="passwd_script" unique="0" required="0" deprecated="1">
+ <getopt mixed="-S, --password-script=[script]" />
+ <content type="string" />
+ <shortdesc lang="en">Script to run to retrieve password</shortdesc>
+ </parameter>
+ <parameter name="password" unique="0" required="0" obsoletes="passwd">
+ <getopt mixed="-p, --password=[password]" />
+ <content type="string" />
+ <shortdesc lang="en">Login password or passphrase</shortdesc>
+ </parameter>
+ <parameter name="password_script" unique="0" required="0" obsoletes="passwd_script">
+ <getopt mixed="-S, --password-script=[script]" />
+ <content type="string" />
+ <shortdesc lang="en">Script to run to retrieve password</shortdesc>
+ </parameter>
+ <parameter name="plug" unique="0" required="1" obsoletes="port">
+ <getopt mixed="-n, --plug=[id]" />
+ <content type="string" />
+ <shortdesc lang="en">Physical plug number on device, UUID or identification of machine</shortdesc>
+ </parameter>
+ <parameter name="port" unique="0" required="1" deprecated="1">
+ <getopt mixed="-n, --plug=[id]" />
+ <content type="string" />
+ <shortdesc lang="en">Physical plug number on device, UUID or identification of machine</shortdesc>
+ </parameter>
+ <parameter name="username" unique="0" required="0" obsoletes="login">
+ <getopt mixed="-l, --username=[name]" />
+ <content type="string" />
+ <shortdesc lang="en">Login name</shortdesc>
+ </parameter>
+ <parameter name="quiet" unique="0" required="0">
+ <getopt mixed="-q, --quiet" />
+ <content type="boolean" />
+ <shortdesc lang="en">Disable logging to stderr. Does not affect --verbose or --debug-file or logging to syslog.</shortdesc>
+ </parameter>
+ <parameter name="verbose" unique="0" required="0">
+ <getopt mixed="-v, --verbose" />
+ <content type="boolean" />
+ <shortdesc lang="en">Verbose mode. Multiple -v flags can be stacked on the command line (e.g., -vvv) to increase verbosity.</shortdesc>
+ </parameter>
+ <parameter name="verbose_level" unique="0" required="0">
+ <getopt mixed="--verbose-level" />
+ <content type="integer" />
+ <shortdesc lang="en">Level of debugging detail in output. Defaults to the number of --verbose flags specified on the command line, or to 1 if verbose=1 in a stonith device configuration (i.e., on stdin).</shortdesc>
+ </parameter>
+ <parameter name="debug" unique="0" required="0" deprecated="1">
+ <getopt mixed="-D, --debug-file=[debugfile]" />
+ <content type="string" />
+ <shortdesc lang="en">Write debug information to given file</shortdesc>
+ </parameter>
+ <parameter name="debug_file" unique="0" required="0" obsoletes="debug">
+ <getopt mixed="-D, --debug-file=[debugfile]" />
+ <shortdesc lang="en">Write debug information to given file</shortdesc>
+ </parameter>
+ <parameter name="version" unique="0" required="0">
+ <getopt mixed="-V, --version" />
+ <content type="boolean" />
+ <shortdesc lang="en">Display version information and exit</shortdesc>
+ </parameter>
+ <parameter name="help" unique="0" required="0">
+ <getopt mixed="-h, --help" />
+ <content type="boolean" />
+ <shortdesc lang="en">Display help and exit</shortdesc>
+ </parameter>
+ <parameter name="plug_separator" unique="0" required="0">
+ <getopt mixed="--plug-separator=[char]" />
+ <content type="string" default="," />
+ <shortdesc lang="en">Separator for plug parameter when specifying more than 1 plug</shortdesc>
+ </parameter>
+ <parameter name="separator" unique="0" required="0">
+ <getopt mixed="-C, --separator=[char]" />
+ <content type="string" default="," />
+ <shortdesc lang="en">Separator for CSV created by 'list' operation</shortdesc>
+ </parameter>
+ <parameter name="delay" unique="0" required="0">
+ <getopt mixed="--delay=[seconds]" />
+ <content type="second" default="0" />
+ <shortdesc lang="en">Wait X seconds before fencing is started</shortdesc>
+ </parameter>
+ <parameter name="disable_timeout" unique="0" required="0">
+ <getopt mixed="--disable-timeout=[true/false]" />
+ <content type="string" />
+ <shortdesc lang="en">Disable timeout (true/false) (default: true when run from Pacemaker 2.0+)</shortdesc>
+ </parameter>
+ <parameter name="login_timeout" unique="0" required="0">
+ <getopt mixed="--login-timeout=[seconds]" />
+ <content type="second" default="5" />
+ <shortdesc lang="en">Wait X seconds for cmd prompt after login</shortdesc>
+ </parameter>
+ <parameter name="power_timeout" unique="0" required="0">
+ <getopt mixed="--power-timeout=[seconds]" />
+ <content type="second" default="20" />
+ <shortdesc lang="en">Test X seconds for status change after ON/OFF</shortdesc>
+ </parameter>
+ <parameter name="power_wait" unique="0" required="0">
+ <getopt mixed="--power-wait=[seconds]" />
+ <content type="second" default="0" />
+ <shortdesc lang="en">Wait X seconds after issuing ON/OFF</shortdesc>
+ </parameter>
+ <parameter name="shell_timeout" unique="0" required="0">
+ <getopt mixed="--shell-timeout=[seconds]" />
+ <content type="second" default="3" />
+ <shortdesc lang="en">Wait X seconds for cmd prompt after issuing command</shortdesc>
+ </parameter>
+ <parameter name="stonith_status_sleep" unique="0" required="0">
+ <getopt mixed="--stonith-status-sleep=[seconds]" />
+ <content type="second" default="1" />
+ <shortdesc lang="en">Sleep X seconds between status calls during a STONITH action</shortdesc>
+ </parameter>
+ <parameter name="retry_on" unique="0" required="0">
+ <getopt mixed="--retry-on=[attempts]" />
+ <content type="integer" default="1" />
+ <shortdesc lang="en">Count of attempts to retry power on</shortdesc>
+ </parameter>
+</parameters>
+<actions>
+ <action name="on" automatic="0"/>
+ <action name="off" />
+ <action name="reboot" />
+ <action name="status" />
+ <action name="list" />
+ <action name="list-status" />
+ <action name="monitor" />
+ <action name="metadata" />
+ <action name="manpage" />
+ <action name="validate-all" />
+</actions>
+</resource-agent>

65
SOURCES/RHEL-36482-kubevirt-fix-bundled-jinja2-CVE-2024-34064.patch Normal file
View File

@ -0,0 +1,65 @@
From d655030770081e2dfe46f90e27620472a502289d Mon Sep 17 00:00:00 2001
From: David Lord <davidism@gmail.com>
Date: Thu, 2 May 2024 09:14:00 -0700
Subject: [PATCH] disallow invalid characters in keys to xmlattr filter
---
CHANGES.rst | 6 ++++++
src/jinja2/filters.py | 22 +++++++++++++++++-----
tests/test_filters.py | 11 ++++++-----
3 files changed, 29 insertions(+), 10 deletions(-)
diff --git a/kubevirt/jinja2/filters.py b/kubevirt/jinja2/filters.py
index 4cf3c11fb..acd11976e 100644
--- a/kubevirt/jinja2/filters.py
+++ b/kubevirt/jinja2/filters.py
@@ -250,7 +250,9 @@ def do_items(value: t.Union[t.Mapping[K, V], Undefined]) -> t.Iterator[t.Tuple[K
yield from value.items()
-_space_re = re.compile(r"\s", flags=re.ASCII)
+# Check for characters that would move the parser state from key to value.
+# https://html.spec.whatwg.org/#attribute-name-state
+_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII)
@pass_eval_context
@@ -259,8 +261,14 @@ def do_xmlattr(
) -> str:
"""Create an SGML/XML attribute string based on the items in a dict.
- If any key contains a space, this fails with a ``ValueError``. Values that
- are neither ``none`` nor ``undefined`` are automatically escaped.
+ **Values** that are neither ``none`` nor ``undefined`` are automatically
+ escaped, safely allowing untrusted user input.
+
+ User input should not be used as **keys** to this filter. If any key
+ contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals
+ sign, this fails with a ``ValueError``. Regardless of this, user input
+ should never be used as keys to this filter, or must be separately validated
+ first.
.. sourcecode:: html+jinja
@@ -280,6 +288,10 @@ def do_xmlattr(
As you can see it automatically prepends a space in front of the item
if the filter returned something unless the second parameter is false.
+ .. versionchanged:: 3.1.4
+ Keys with ``/`` solidus, ``>`` greater-than sign, or ``=`` equals sign
+ are not allowed.
+
.. versionchanged:: 3.1.3
Keys with spaces are not allowed.
"""
@@ -289,8 +301,8 @@ def do_xmlattr(
if value is None or isinstance(value, Undefined):
continue
- if _space_re.search(key) is not None:
- raise ValueError(f"Spaces are not allowed in attributes: '{key}'")
+ if _attr_key_re.search(key) is not None:
+ raise ValueError(f"Invalid character in attribute name: {key!r}")
items.append(f'{escape(key)}="{escape(value)}"')

68
SOURCES/RHEL-5396-fence_scsi-1-fix-ISID-reg-handling.patch Normal file
View File

@ -0,0 +1,68 @@
From 9d0d0d013c7edae43a4ebc5f46bf2e7a4f127654 Mon Sep 17 00:00:00 2001
From: "sreejit.mohanan" <sreejit.mohanan@nutanix.com>
Date: Fri, 17 Feb 2023 18:04:03 -0800
Subject: [PATCH] fence_scsi: fix registration handling if ISID conflicts ISID
(Initiator Session ID) belonging to I_T Nexus changes for RHEL based on the
session ID. This means that the connection to the device can be set up with
different ISID on reconnects.
fence_scsi treats same key as a tip to ignore issuing registration
to the device but if the device was registered using a different
ISID, the key would be the same but the I_T Nexus (new ISID) would
not have access to the device.
Fixing this by preempting the old key and replacing with the current
one.
---
agents/scsi/fence_scsi.py | 35 ++++++++++++++++++++++++++++++++---
1 file changed, 32 insertions(+), 3 deletions(-)
diff --git a/agents/scsi/fence_scsi.py b/agents/scsi/fence_scsi.py
index f9e6823b2..85e4f29e6 100644
--- a/agents/scsi/fence_scsi.py
+++ b/agents/scsi/fence_scsi.py
@@ -137,12 +137,41 @@ def register_dev(options, dev):
for slave in get_mpath_slaves(dev):
register_dev(options, slave)
return True
- if get_reservation_key(options, dev, False) == options["--key"]:
- return True
+
+ # Check if any registration exists for the key already. We track this in
+ # order to decide whether the existing registration needs to be cleared.
+ # This is needed since the previous registration could be for a
+ # different I_T nexus (different ISID).
+ registration_key_exists = False
+ if options["--key"] in get_registration_keys(options, dev):
+ registration_key_exists = True
+ if not register_helper(options, options["--key"], dev):
+ return False
+
+ if registration_key_exists:
+ # If key matches, make sure it matches with the connection that
+ # exists right now. To do this, we can issue a preempt with same key
+ # which should replace the old invalid entries from the target.
+ if not preempt(options, options["--key"], dev):
+ return False
+
+ # If there was no reservation, we need to issue another registration
+ # since the previous preempt would clear registration made above.
+ if get_reservation_key(options, dev, False) != options["--key"]:
+ return register_helper(options, options["--key"], dev)
+ return True
+
+# cancel registration without aborting tasks
+def preempt(options, host, dev):
+ reset_dev(options,dev)
+ cmd = options["--sg_persist-path"] + " -n -o -P -T 5 -K " + host + " -S " + options["--key"] + " -d " + dev
+ return not bool(run_cmd(options, cmd)["rc"])
+
+# helper function to send the register command
+def register_helper(options, host, dev):
reset_dev(options, dev)
cmd = options["--sg_persist-path"] + " -n -o -I -S " + options["--key"] + " -d " + dev
cmd += " -Z" if "--aptpl" in options else ""
- #cmd return code != 0 but registration can be successful
return not bool(run_cmd(options, cmd)["rc"])

103
SOURCES/RHEL-5396-fence_scsi-2-fix-ISID-reg-handling-off.patch Normal file
View File

@ -0,0 +1,103 @@
From 34baef58db442148b8e067509d2cdd37b7a91ef4 Mon Sep 17 00:00:00 2001
From: "sreejit.mohanan" <sreejit.mohanan@nutanix.com>
Date: Thu, 7 Sep 2023 15:57:51 -0700
Subject: [PATCH] fence_scsi: fix registration handling in device 'off'
workflows
ISID (Initiator Session ID) belonging to I_T Nexus changes for
RHEL based on the session ID. This means that the connection to
the device can be set up with different ISID on reconnects.
When a device is powered off, fence_scsi assumes that the client
has a registration to the device and sends a preempt-and-abort
request which ends up failing due to reservation conflict.
Fixing this by registering the host key with the device and preempting
the old registration (if it exists). This should make sure that the
host is able to preempt the other key successfully.
---
agents/scsi/fence_scsi.py | 29 +++++++++++++++--------------
1 file changed, 15 insertions(+), 14 deletions(-)
diff --git a/agents/scsi/fence_scsi.py b/agents/scsi/fence_scsi.py
index 42530ceb5..519319bf5 100644
--- a/agents/scsi/fence_scsi.py
+++ b/agents/scsi/fence_scsi.py
@@ -41,7 +41,7 @@ def set_status(conn, options):
for dev in options["devices"]:
is_block_device(dev)
- register_dev(options, dev)
+ register_dev(options, dev, options["--key"])
if options["--key"] not in get_registration_keys(options, dev):
count += 1
logging.debug("Failed to register key "\
@@ -62,7 +62,7 @@ def set_status(conn, options):
fail_usage("Failed: keys cannot be same. You can not fence yourself.")
for dev in options["devices"]:
is_block_device(dev)
-
+ register_dev(options, dev, host_key)
if options["--key"] in get_registration_keys(options, dev):
preempt_abort(options, host_key, dev)
@@ -131,11 +131,11 @@ def reset_dev(options, dev):
return run_cmd(options, options["--sg_turs-path"] + " " + dev)["rc"]
-def register_dev(options, dev):
+def register_dev(options, dev, key):
dev = os.path.realpath(dev)
if re.search(r"^dm", dev[5:]):
for slave in get_mpath_slaves(dev):
- register_dev(options, slave)
+ register_dev(options, slave, key)
return True
# Check if any registration exists for the key already. We track this in
@@ -143,34 +143,35 @@ def register_dev(options, dev):
# This is needed since the previous registration could be for a
# different I_T nexus (different ISID).
registration_key_exists = False
- if options["--key"] in get_registration_keys(options, dev):
+ if key in get_registration_keys(options, dev):
+ logging.debug("Registration key exists for device " + dev)
registration_key_exists = True
- if not register_helper(options, options["--key"], dev):
+ if not register_helper(options, dev, key):
return False
if registration_key_exists:
# If key matches, make sure it matches with the connection that
# exists right now. To do this, we can issue a preempt with same key
# which should replace the old invalid entries from the target.
- if not preempt(options, options["--key"], dev):
+ if not preempt(options, key, dev, key):
return False
# If there was no reservation, we need to issue another registration
# since the previous preempt would clear registration made above.
- if get_reservation_key(options, dev, False) != options["--key"]:
- return register_helper(options, options["--key"], dev)
+ if get_reservation_key(options, dev, False) != key:
+ return register_helper(options, dev, key)
return True
-# cancel registration without aborting tasks
-def preempt(options, host, dev):
+# helper function to preempt host with 'key' using 'host_key' without aborting tasks
+def preempt(options, host_key, dev, key):
reset_dev(options,dev)
- cmd = options["--sg_persist-path"] + " -n -o -P -T 5 -K " + host + " -S " + options["--key"] + " -d " + dev
+ cmd = options["--sg_persist-path"] + " -n -o -P -T 5 -K " + host_key + " -S " + key + " -d " + dev
return not bool(run_cmd(options, cmd)["rc"])
# helper function to send the register command
-def register_helper(options, host, dev):
+def register_helper(options, dev, key):
reset_dev(options, dev)
- cmd = options["--sg_persist-path"] + " -n -o -I -S " + options["--key"] + " -d " + dev
+ cmd = options["--sg_persist-path"] + " -n -o -I -S " + key + " -d " + dev
cmd += " -Z" if "--aptpl" in options else ""
return not bool(run_cmd(options, cmd)["rc"])

0
SOURCES/bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch → SOURCES/bz2217902-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
View File

0
SOURCES/bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch → SOURCES/bz2217902-2-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
View File

351
SPECS/fence-agents.spec
View File

@ -34,11 +34,11 @@
%global six six %global six six
%global six_version 1.16.0 %global six_version 1.16.0
%global urllib3 urllib3 %global urllib3 urllib3
%global urllib3_version 1.26.7 %global urllib3_version 1.26.18
%global websocketclient websocket-client %global websocketclient websocket-client
%global websocketclient_version 1.2.1 %global websocketclient_version 1.2.1
%global jinja2 Jinja2 %global jinja2 Jinja2
%global jinja2_version 3.0.2 %global jinja2_version 3.1.3
%global markupsafe MarkupSafe %global markupsafe MarkupSafe
%global markupsafe_version 2.0.1 %global markupsafe_version 2.0.1
%global stringutils string-utils %global stringutils string-utils
@ -59,7 +59,7 @@
Name: fence-agents Name: fence-agents
Summary: Set of unified programs capable of host isolation ("fencing") Summary: Set of unified programs capable of host isolation ("fencing")
Version: 4.10.0 Version: 4.10.0
Release: 55%{?alphatag:.%{alphatag}}%{?dist}.2.alma.1 Release: 62%{?alphatag:.%{alphatag}}%{?dist}.3
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
URL: https://github.com/ClusterLabs/fence-agents URL: https://github.com/ClusterLabs/fence-agents
Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@ -83,7 +83,7 @@ Source1002: aliyuncli-2.1.10-py2.py3-none-any.whl
Source1003: cffi-1.14.5-cp39-cp39-manylinux1_x86_64.whl Source1003: cffi-1.14.5-cp39-cp39-manylinux1_x86_64.whl
Source1004: colorama-0.3.3.tar.gz Source1004: colorama-0.3.3.tar.gz
Source1005: jmespath-0.7.1-py2.py3-none-any.whl Source1005: jmespath-0.7.1-py2.py3-none-any.whl
Source1006: pycryptodome-3.10.1-cp35-abi3-manylinux2010_x86_64.whl Source1006: pycryptodome-3.20.0.tar.gz
Source1007: pycparser-2.20-py2.py3-none-any.whl Source1007: pycparser-2.20-py2.py3-none-any.whl
# awscli # awscli
Source1008: awscrt-0.11.13-cp39-cp39-manylinux2014_x86_64.whl Source1008: awscrt-0.11.13-cp39-cp39-manylinux2014_x86_64.whl
@ -100,7 +100,7 @@ Source1017: boto3-1.17.102-py2.py3-none-any.whl
Source1018: botocore-1.20.102-py2.py3-none-any.whl Source1018: botocore-1.20.102-py2.py3-none-any.whl
Source1019: python_dateutil-2.8.1-py2.py3-none-any.whl Source1019: python_dateutil-2.8.1-py2.py3-none-any.whl
Source1020: s3transfer-0.4.2-py2.py3-none-any.whl Source1020: s3transfer-0.4.2-py2.py3-none-any.whl
Source1021: urllib3-1.26.6-py2.py3-none-any.whl Source1021: urllib3-1.26.18.tar.gz
# azure # azure
Source1022: adal-1.2.7-py2.py3-none-any.whl Source1022: adal-1.2.7-py2.py3-none-any.whl
Source1023: azure_common-1.1.27-py2.py3-none-any.whl Source1023: azure_common-1.1.27-py2.py3-none-any.whl
@ -109,84 +109,83 @@ Source1025: azure_mgmt_compute-21.0.0-py2.py3-none-any.whl
Source1026: azure_mgmt_core-1.2.2-py2.py3-none-any.whl Source1026: azure_mgmt_core-1.2.2-py2.py3-none-any.whl
Source1027: azure_mgmt_network-19.0.0-py2.py3-none-any.whl Source1027: azure_mgmt_network-19.0.0-py2.py3-none-any.whl
Source1028: azure-identity-1.10.0.zip Source1028: azure-identity-1.10.0.zip
Source1030: chardet-4.0.0-py2.py3-none-any.whl Source1029: chardet-4.0.0-py2.py3-none-any.whl
Source1031: idna-2.10-py2.py3-none-any.whl Source1030: idna-2.10-py2.py3-none-any.whl
Source1032: isodate-0.6.0-py2.py3-none-any.whl Source1031: isodate-0.6.0-py2.py3-none-any.whl
Source1033: msrest-0.6.21-py2.py3-none-any.whl Source1032: msrest-0.6.21-py2.py3-none-any.whl
Source1034: msrestazure-0.6.4-py2.py3-none-any.whl Source1033: msrestazure-0.6.4-py2.py3-none-any.whl
Source1035: %{oauthlib}-%{oauthlib_version}.tar.gz Source1034: %{oauthlib}-%{oauthlib_version}.tar.gz
Source1036: PyJWT-2.1.0-py3-none-any.whl Source1035: PyJWT-2.1.0-py3-none-any.whl
Source1037: requests-2.25.1-py2.py3-none-any.whl Source1036: requests-2.25.1-py2.py3-none-any.whl
Source1038: requests_oauthlib-1.3.0-py2.py3-none-any.whl Source1037: requests_oauthlib-1.3.0-py2.py3-none-any.whl
Source1139: msal-1.18.0.tar.gz Source1038: msal-1.18.0.tar.gz
Source1140: msal-extensions-1.0.0.tar.gz Source1039: msal-extensions-1.0.0.tar.gz
Source1141: portalocker-2.5.1.tar.gz Source1040: portalocker-2.5.1.tar.gz
# google # google
Source1042: cachetools-4.2.2-py3-none-any.whl Source1041: cachetools-4.2.2-py3-none-any.whl
Source1043: chardet-3.0.4-py2.py3-none-any.whl Source1042: chardet-3.0.4-py2.py3-none-any.whl
Source1044: google_api_core-1.30.0-py2.py3-none-any.whl Source1043: google_api_core-1.30.0-py2.py3-none-any.whl
Source1045: google_api_python_client-1.12.8-py2.py3-none-any.whl Source1044: google_api_python_client-1.12.8-py2.py3-none-any.whl
Source1046: googleapis_common_protos-1.53.0-py2.py3-none-any.whl Source1045: googleapis_common_protos-1.53.0-py2.py3-none-any.whl
Source1047: google_auth-1.32.0-py2.py3-none-any.whl Source1046: google_auth-1.32.0-py2.py3-none-any.whl
Source1048: google_auth_httplib2-0.1.0-py2.py3-none-any.whl Source1047: google_auth_httplib2-0.1.0-py2.py3-none-any.whl
Source1049: httplib2-0.19.1-py3-none-any.whl Source1048: httplib2-0.19.1-py3-none-any.whl
Source1050: packaging-20.9-py2.py3-none-any.whl Source1049: packaging-20.9-py2.py3-none-any.whl
Source1051: protobuf-3.17.3-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl Source1050: protobuf-3.17.3-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl
Source1052: pyasn1-0.4.8-py2.py3-none-any.whl Source1051: pyasn1-0.4.8-py2.py3-none-any.whl
Source1053: pyasn1_modules-0.2.8-py2.py3-none-any.whl Source1052: pyasn1_modules-0.2.8-py2.py3-none-any.whl
Source1054: pyparsing-2.4.7-py2.py3-none-any.whl Source1053: pyparsing-2.4.7-py2.py3-none-any.whl
Source1055: pyroute2-0.6.4.tar.gz Source1054: pyroute2-0.7.12.tar.gz
Source1056: pyroute2.core-0.6.4.tar.gz Source1055: pyroute2.core-0.6.13.tar.gz
Source1057: pyroute2.ethtool-0.6.4.tar.gz Source1056: pyroute2.ethtool-0.6.13.tar.gz
Source1058: pyroute2.ipdb-0.6.4.tar.gz Source1057: pyroute2.ipdb-0.6.13.tar.gz
Source1059: pyroute2.ipset-0.6.4.tar.gz Source1058: pyroute2.ipset-0.6.13.tar.gz
Source1060: pyroute2.ndb-0.6.4.tar.gz Source1059: pyroute2.ndb-0.6.13.tar.gz
Source1061: pyroute2.nftables-0.6.4.tar.gz Source1060: pyroute2.nftables-0.6.13.tar.gz
Source1062: pyroute2.nslink-0.6.4.tar.gz Source1061: pyroute2.nslink-0.6.13.tar.gz
Source1063: pytz-2021.1-py2.py3-none-any.whl Source1062: pytz-2021.1-py2.py3-none-any.whl
Source1064: rsa-4.7.2-py3-none-any.whl Source1063: rsa-4.7.2-py3-none-any.whl
Source1065: setuptools-57.0.0-py3-none-any.whl Source1064: setuptools-57.0.0-py3-none-any.whl
Source1066: uritemplate-3.0.1-py2.py3-none-any.whl Source1065: uritemplate-3.0.1-py2.py3-none-any.whl
# common (pexpect / suds) # common (pexpect / suds)
Source1067: pexpect-4.8.0-py2.py3-none-any.whl Source1066: pexpect-4.8.0-py2.py3-none-any.whl
Source1068: ptyprocess-0.7.0-py2.py3-none-any.whl Source1067: ptyprocess-0.7.0-py2.py3-none-any.whl
Source1069: suds_community-0.8.5-py3-none-any.whl Source1068: suds_community-0.8.5-py3-none-any.whl
### END ### ### END ###
# kubevirt # kubevirt
## pip download --no-binary :all: openshift "ruamel.yaml.clib>=0.1.2" ## pip download --no-binary :all: openshift "ruamel.yaml.clib>=0.1.2"
### BEGIN ### BEGIN
Source1070: %{openshift}-%{openshift_version}.tar.gz Source1069: %{openshift}-%{openshift_version}.tar.gz
Source1071: %{ruamelyamlclib}-%{ruamelyamlclib_version}.tar.gz Source1070: %{ruamelyamlclib}-%{ruamelyamlclib_version}.tar.gz
Source1072: %{kubernetes}-%{kubernetes_version}.tar.gz Source1071: %{kubernetes}-%{kubernetes_version}.tar.gz
Source1073: %{certifi}-%{certifi_version}.tar.gz Source1072: %{certifi}-%{certifi_version}.tar.gz
Source1074: %{googleauth}-%{googleauth_version}.tar.gz Source1073: %{googleauth}-%{googleauth_version}.tar.gz
Source1075: %{cachetools}-%{cachetools_version}.tar.gz Source1074: %{cachetools}-%{cachetools_version}.tar.gz
Source1076: %{pyasn1modules}-%{pyasn1modules_version}.tar.gz Source1075: %{pyasn1modules}-%{pyasn1modules_version}.tar.gz
Source1077: %{pyasn1}-%{pyasn1_version}.tar.gz Source1076: %{pyasn1}-%{pyasn1_version}.tar.gz
Source1078: python-%{dateutil}-%{dateutil_version}.tar.gz Source1077: python-%{dateutil}-%{dateutil_version}.tar.gz
Source1079: %{pyyaml}-%{pyyaml_version}.tar.gz Source1078: %{pyyaml}-%{pyyaml_version}.tar.gz
## rsa is dependency for "pip install", ## rsa is dependency for "pip install",
## but gets removed to use cryptography lib instead ## but gets removed to use cryptography lib instead
Source1080: rsa-4.7.2.tar.gz Source1079: rsa-4.7.2.tar.gz
Source1081: %{six}-%{six_version}.tar.gz Source1080: %{six}-%{six_version}.tar.gz
Source1082: %{urllib3}-%{urllib3_version}.tar.gz Source1081: %{websocketclient}-%{websocketclient_version}.tar.gz
Source1083: %{websocketclient}-%{websocketclient_version}.tar.gz Source1082: %{jinja2}-%{jinja2_version}.tar.gz
Source1084: %{jinja2}-%{jinja2_version}.tar.gz Source1083: %{markupsafe}-%{markupsafe_version}.tar.gz
Source1085: %{markupsafe}-%{markupsafe_version}.tar.gz Source1084: python-%{stringutils}-%{stringutils_version}.tar.gz
Source1086: python-%{stringutils}-%{stringutils_version}.tar.gz Source1085: %{requests}-%{requests_version}.tar.gz
Source1087: %{requests}-%{requests_version}.tar.gz Source1086: %{chrstnormalizer}-%{chrstnormalizer_version}.tar.gz
Source1088: %{chrstnormalizer}-%{chrstnormalizer_version}.tar.gz Source1087: %{idna}-%{idna_version}.tar.gz
Source1089: %{idna}-%{idna_version}.tar.gz Source1088: %{reqstsoauthlib}-%{reqstsoauthlib_version}.tar.gz
Source1090: %{reqstsoauthlib}-%{reqstsoauthlib_version}.tar.gz Source1089: %{ruamelyaml}-%{ruamelyaml_version}.tar.gz
Source1091: %{ruamelyaml}-%{ruamelyaml_version}.tar.gz Source1090: %{setuptools}-%{setuptools_version}.tar.gz
Source1092: %{setuptools}-%{setuptools_version}.tar.gz
## required for installation ## required for installation
Source1093: setuptools_scm-6.3.2.tar.gz Source1091: setuptools_scm-6.3.2.tar.gz
Source1094: packaging-21.2-py3-none-any.whl Source1092: packaging-21.2-py3-none-any.whl
Source1095: poetry-core-1.0.7.tar.gz Source1093: poetry-core-1.0.7.tar.gz
Source1096: pyparsing-3.0.1.tar.gz Source1094: pyparsing-3.0.1.tar.gz
Source1097: tomli-1.0.1.tar.gz Source1095: tomli-1.0.1.tar.gz
Source1098: wheel-0.37.0-py2.py3-none-any.whl Source1096: wheel-0.37.0-py2.py3-none-any.whl
### END ### END
Patch0: ha-cloud-support-aliyun.patch Patch0: ha-cloud-support-aliyun.patch
@ -236,15 +235,20 @@ Patch43: bz2187327-fence_scsi-2-support-space-separated-devices.patch
Patch44: bz2211930-fence_azure-arm-stack-hub-support.patch Patch44: bz2211930-fence_azure-arm-stack-hub-support.patch
Patch45: bz2221643-fence_ibm_powervs-performance-improvements.patch Patch45: bz2221643-fence_ibm_powervs-performance-improvements.patch
Patch46: bz2224267-fence_ipmilan-fix-typos-in-metadata.patch Patch46: bz2224267-fence_ipmilan-fix-typos-in-metadata.patch
Patch47: RHEL-5396-fence_scsi-1-fix-ISID-reg-handling.patch
Patch48: RHEL-5396-fence_scsi-2-fix-ISID-reg-handling-off.patch
Patch49: RHEL-14344-fence_zvmip-1-document-user-permissions.patch
Patch50: RHEL-14030-1-all-agents-metadata-update-IO-Power-Network.patch
Patch51: RHEL-14030-2-fence_cisco_mds-undo-metadata-change.patch
Patch52: RHEL-14344-fence_zvmip-2-fix-manpage-formatting.patch
Patch53: RHEL-35273-fence_eps-add-fence_epsr2-for-ePowerSwitch-R2-and-newer.patch
### HA support libs/utils ### ### HA support libs/utils ###
Patch1000: bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch # all archs
Patch1001: bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch Patch1000: bz2217902-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
Patch1001: RHEL-36482-kubevirt-fix-bundled-jinja2-CVE-2024-34064.patch
# Patches were taken from: # cloud (x86_64 only)
# https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d Patch2000: bz2217902-2-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
Patch1002: CVE-2023-43804-kubevirt.patch
Patch1003: CVE-2023-43804-aws.patch
%global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
%ifarch x86_64 %ifarch x86_64
@ -355,53 +359,60 @@ BuildRequires: %{systemd_units}
%prep %prep
%setup -q -n %{name}-%{version}%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:-%{alphatag}}%{?dirty:-%{dirty}} %setup -q -n %{name}-%{version}%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:-%{alphatag}}%{?dirty:-%{dirty}}
%patch0 -p1 %patch -p1 -P 0
%patch1 -p1 %patch -p1 -P 1
%patch2 -p1 %patch -p1 -P 2
%patch3 -p1 %patch -p1 -P 3
%patch4 -p1 %patch -p1 -P 4
%patch5 -p1 %patch -p1 -P 5
%patch6 -p1 %patch -p1 -P 6
%patch7 -p1 %patch -p1 -P 7
%patch8 -p1 %patch -p1 -P 8
%patch9 -p1 %patch -p1 -P 9
%patch10 -p1 %patch -p1 -P 10
%patch11 -p1 %patch -p1 -P 11
%patch12 -p1 %patch -p1 -P 12
%patch13 -p1 %patch -p1 -P 13
%patch14 -p1 -F2 %patch -p1 -P 14 -F2
%patch15 -p1 -F1 %patch -p1 -P 15 -F1
%patch16 -p1 %patch -p1 -P 16
%patch17 -p1 %patch -p1 -P 17
%patch18 -p1 %patch -p1 -P 18
%patch19 -p1 %patch -p1 -P 19
%patch20 -p1 %patch -p1 -P 20
%patch21 -p1 %patch -p1 -P 21
%patch22 -p1 %patch -p1 -P 22
%patch23 -p1 %patch -p1 -P 23
%patch24 -p1 %patch -p1 -P 24
%patch25 -p1 %patch -p1 -P 25
%patch26 -p1 %patch -p1 -P 26
%patch27 -p1 %patch -p1 -P 27
%patch28 -p1 %patch -p1 -P 28
%patch29 -p1 %patch -p1 -P 29
%patch30 -p1 %patch -p1 -P 30
%patch31 -p1 %patch -p1 -P 31
%patch32 -p1 %patch -p1 -P 32
%patch33 -p1 %patch -p1 -P 33
%patch34 -p1 %patch -p1 -P 34
%patch35 -p1 %patch -p1 -P 35
%patch36 -p1 %patch -p1 -P 36
%patch37 -p1 %patch -p1 -P 37
%patch38 -p1 %patch -p1 -P 38
%patch39 -p1 %patch -p1 -P 39
%patch40 -p1 %patch -p1 -P 40
%patch41 -p1 %patch -p1 -P 41
%patch42 -p1 %patch -p1 -P 42
%patch43 -p1 %patch -p1 -P 43
%patch44 -p1 %patch -p1 -P 44
%patch45 -p1 %patch -p1 -P 45
%patch46 -p1 %patch -p1 -P 46
%patch -p1 -P 47
%patch -p1 -P 48
%patch -p1 -P 49
%patch -p1 -P 50
%patch -p1 -P 51
%patch -p1 -P 52
%patch -p1 -P 53 -F2
# prevent compilation of something that won't get used anyway # prevent compilation of something that won't get used anyway
sed -i.orig 's|FENCE_ZVM=1|FENCE_ZVM=0|' configure.ac sed -i.orig 's|FENCE_ZVM=1|FENCE_ZVM=0|' configure.ac
@ -432,23 +443,19 @@ sed -i -e "/^#\!\/Users/c#\!%{__python3}" support/aws/bin/jp support/aliyun/bin/
sed -i -e "/^import awscli.clidriver/isys.path.insert(0, '/usr/lib/%{name}/support/awscli')" support/awscli/bin/aws sed -i -e "/^import awscli.clidriver/isys.path.insert(0, '/usr/lib/%{name}/support/awscli')" support/awscli/bin/aws
%endif %endif
# regular patch doesnt work in build-section
# Patch1000
%ifarch x86_64
pushd support
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1003}
popd
%endif
# kubevirt # kubevirt
%{__python3} -m pip install --user --no-index --find-links %{_sourcedir} setuptools-scm %{__python3} -m pip install --user --no-index --find-links %{_sourcedir} setuptools-scm
%{__python3} -m pip install --target support/kubevirt --no-index --find-links %{_sourcedir} openshift %{__python3} -m pip install --target support/kubevirt --no-index --find-links %{_sourcedir} openshift
rm -rf kubevirt/rsa* rm -rf kubevirt/rsa*
# regular patch doesnt work in build-section
pushd support pushd support
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1000}
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1002} /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1001}
%ifarch x86_64
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2000}
%endif
popd popd
./autogen.sh ./autogen.sh
@ -580,7 +587,7 @@ Provides: bundled(aliyuncli) = 2.1.10
Provides: bundled(python-cffi) = 1.14.5 Provides: bundled(python-cffi) = 1.14.5
Provides: bundled(python-colorama) = 0.3.3 Provides: bundled(python-colorama) = 0.3.3
Provides: bundled(python-jmespath) = 0.7.1 Provides: bundled(python-jmespath) = 0.7.1
Provides: bundled(python-pycryptodome) = 3.10.1 Provides: bundled(python-pycryptodome) = 3.20.0
Provides: bundled(python-pycparser) = 2.20 Provides: bundled(python-pycparser) = 2.20
# awscli # awscli
Provides: bundled(awscli) = 2.2.15 Provides: bundled(awscli) = 2.2.15
@ -598,7 +605,7 @@ Provides: bundled(python-boto3) = 1.17.102
Provides: bundled(python-botocore) = 1.20.102 Provides: bundled(python-botocore) = 1.20.102
Provides: bundled(python-dateutil) = 2.8.1 Provides: bundled(python-dateutil) = 2.8.1
Provides: bundled(python-s3transfer) = 0.4.2 Provides: bundled(python-s3transfer) = 0.4.2
Provides: bundled(python-urllib3) = 1.26.6 Provides: bundled(python-urllib3) = 1.26.18
# azure # azure
Provides: bundled(python-adal) = 1.2.7 Provides: bundled(python-adal) = 1.2.7
Provides: bundled(python-azure-common) = 1.1.27 Provides: bundled(python-azure-common) = 1.1.27
@ -630,14 +637,14 @@ Provides: bundled(python-protobuf) = 3.17.3
Provides: bundled(python-pyasn1) = 0.4.8 Provides: bundled(python-pyasn1) = 0.4.8
Provides: bundled(python-pyasn1-modules) = 0.2.8 Provides: bundled(python-pyasn1-modules) = 0.2.8
Provides: bundled(python-pyparsing) = 2.4.7 Provides: bundled(python-pyparsing) = 2.4.7
Provides: bundled(python-pyroute2) = 0.6.4 Provides: bundled(python-pyroute2) = 0.7.12
Provides: bundled(python-pyroute2-core) = 0.6.4 Provides: bundled(python-pyroute2-core) = 0.6.13
Provides: bundled(python-pyroute2-ethtool) = 0.6.4 Provides: bundled(python-pyroute2-ethtool) = 0.6.13
Provides: bundled(python-pyroute2-ipdb) = 0.6.4 Provides: bundled(python-pyroute2-ipdb) = 0.6.13
Provides: bundled(python-pyroute2-ipset) = 0.6.4 Provides: bundled(python-pyroute2-ipset) = 0.6.13
Provides: bundled(python-pyroute2-ndb) = 0.6.4 Provides: bundled(python-pyroute2-ndb) = 0.6.13
Provides: bundled(python-pyroute2-nftables) = 0.6.4 Provides: bundled(python-pyroute2-nftables) = 0.6.13
Provides: bundled(python-pyroute2-nslink) = 0.6.4 Provides: bundled(python-pyroute2-nslink) = 0.6.13
Provides: bundled(python-pytz) = 2021.1 Provides: bundled(python-pytz) = 2021.1
Provides: bundled(python-rsa) = 4.7.2 Provides: bundled(python-rsa) = 4.7.2
Provides: bundled(python-setuptools) = 57.0.0 Provides: bundled(python-setuptools) = 57.0.0
@ -917,8 +924,8 @@ BuildArch: noarch
Fence agent for ePowerSwitch 8M+ power switches that are accessed Fence agent for ePowerSwitch 8M+ power switches that are accessed
via the HTTP(s) protocol. via the HTTP(s) protocol.
%files eps %files eps
%{_sbindir}/fence_eps %{_sbindir}/fence_eps*
%{_mandir}/man8/fence_eps.8* %{_mandir}/man8/fence_eps*.8*
%ifarch x86_64 %ifarch x86_64
%package gce %package gce
@ -1483,9 +1490,45 @@ are located on corosync cluster nodes.
%endif %endif
%changelog %changelog
* Thu Dec 14 2023 Eduard Abdullin <eabdullin@almalinux.org> - 4.10.0-55.2.alma.1 * Thu May 16 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-62.3
- Fix CVE-2023-43804.patch - bundled jinja2: fix CVE-2024-34064
- Update certifi to 2023.07.22 Resolves: RHEL-36482
* Fri May 3 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-62.2
- fence_eps: add fence_epsr2 for ePowerSwitch R2 and newer
Resolves: RHEL-35273
* Thu Mar 21 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-62.1
- ha-cloud-support: upgrade bundled pyroute2 libs to fix issue in
gcp-vpc-move-route's stop-action
Resolves: RHEL-29668
* Thu Jan 18 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-62
- bundled urllib3: fix CVE-2023-45803
Resolves: RHEL-18139
- bundled pycryptodome: fix CVE-2023-52323
Resolves: RHEL-20917
- bundled jinja2: fix CVE-2024-22195
Resolves: RHEL-21345
* Wed Jan 3 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-61
- fence_zvmip: document required user permissions in metadata/manpage
Resolves: RHEL-14344
* Mon Oct 23 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-60
- all agents: update metadata in non-I/O agents to Power or Network
fencing
Resolves: RHEL-14030
* Wed Oct 11 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-57
- bundled urllib3: fix CVE-2023-43804
Resolves: RHEL-11999
* Wed Sep 27 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-56
- fence_scsi: fix registration handling if ISID conflicts
Resolves: RHEL-5396
- bundled certifi: fix CVE-2023-37920
Resolves: RHEL-9446
* Thu Aug 3 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-55 * Thu Aug 3 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-55
- bundled dateutil: fix tarfile CVE-2007-4559 - bundled dateutil: fix tarfile CVE-2007-4559