From a54cc9d046df0e42989c9ce3736d22610b9dd1cb Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen
Date: Tue, 11 Jan 2022 09:34:15 +0100
Subject: [PATCH] - fence_openstack: add --ssl-insecure Resolves: rhbz#2029791
---
 ...1-1-fence_openstack-add-ssl-insecure.patch | 72 +++++++++++++++++++
 ...791-2-fence_openstack-cacert-default.patch | 59 +++++++++++++++
 fence-agents.spec | 10 ++-
 3 files changed, 139 insertions(+), 2 deletions(-)
 create mode 100644 bz2029791-1-fence_openstack-add-ssl-insecure.patch
 create mode 100644 bz2029791-2-fence_openstack-cacert-default.patch
diff --git a/bz2029791-1-fence_openstack-add-ssl-insecure.patch b/bz2029791-1-fence_openstack-add-ssl-insecure.patch
new file mode 100644
index 0000000..e616cc8
--- /dev/null
+++ b/bz2029791-1-fence_openstack-add-ssl-insecure.patch
@@ -0,0 +1,72 @@
+From f79436d3a5e4cf279be0974e9633ad8994a017f7 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen
+Date: Mon, 6 Dec 2021 12:59:31 +0100
+Subject: [PATCH] fence_openstack: add --ssl-insecure
+
+---
+ agents/openstack/fence_openstack.py | 7 +++++--
+ tests/data/metadata/fence_openstack.xml | 5 +++++
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/agents/openstack/fence_openstack.py b/agents/openstack/fence_openstack.py
+index c480596c1..c2d9df160 100755
+--- a/agents/openstack/fence_openstack.py
++++ b/agents/openstack/fence_openstack.py
+@@ -89,7 +89,7 @@ def set_power_status(conn, options):
+
+
+ def nova_login(username, password, projectname, auth_url, user_domain_name,
+- project_domain_name, cacert, apitimeout):
++ project_domain_name, ssl_insecure, cacert, apitimeout):
+ legacy_import = False
+
+ try:
+@@ -127,7 +127,7 @@ def nova_login(username, password, projectname, auth_url, user_domain_name,
+ cacert=cacert,
+ )
+
+- session = ksc_session.Session(auth=auth, verify=cacert, timeout=apitimeout)
++ session = ksc_session.Session(auth=auth, verify=False if ssl_insecure else cacert, timeout=apitimeout)
+ nova = client.Client("2", session=session, timeout=apitimeout)
+ apiversion = None
+ try:
+@@ -220,6 +220,7 @@ def main():
+ "port",
+ "no_port",
+ "uuid",
++ "ssl_insecure",
+ "cacert",
+ "apitimeout",
+ ]
+@@ -268,6 +269,7 @@ def main():
+ fail_usage("Failed: You have to set the Keystone service endpoint for authorization")
+ user_domain_name = options["--user-domain-name"]
+ project_domain_name = options["--project-domain-name"]
++ ssl_insecure = "--ssl-insecure" in options
+ cacert = options["--cacert"]
+ apitimeout = options["--apitimeout"]
+ try:
+@@ -278,6 +280,7 @@ def main():
+ auth_url,
+ user_domain_name,
+ project_domain_name,
++ ssl_insecure,
+ cacert,
+ apitimeout,
+ )
+diff --git a/tests/data/metadata/fence_openstack.xml b/tests/data/metadata/fence_openstack.xml
+index 84503bbe0..926d18c3d 100644
+--- a/tests/data/metadata/fence_openstack.xml
++++ b/tests/data/metadata/fence_openstack.xml
+@@ -43,6 +43,11 @@
+
+ UUID of the node to be fenced.
+
++
++
++
++ Use SSL connection without verifying certificate
++
+
+
+
diff --git a/bz2029791-2-fence_openstack-cacert-default.patch b/bz2029791-2-fence_openstack-cacert-default.patch
new file mode 100644
index 0000000..419ce33
--- /dev/null
+++ b/bz2029791-2-fence_openstack-cacert-default.patch
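Review bot: In the `-127,7` hunk of fence_openstack.py, `verify=False if ssl_insecure else cacert` switches certificate checking off for the session that carries the Keystone username and password, and nothing visible in the patch records that at run time. An agent configured with `--ssl-insecure` then accepts any endpoint certificate for both authentication and the power on/off calls, so the option should at least leave a trace: a warning logged once in `nova_login`, for example `logging.warning("TLS certificate verification disabled by --ssl-insecure for %s", auth_url)` (assuming the agent already imports `logging`, which the hunk does not show), and a metadata description that states the consequence rather than only naming the behaviour. The new `ssl_insecure` parameter is also inserted in the middle of `nova_login`'s positional signature; only the call in `main()` is visible and updated, so any other positional caller would silently shift `cacert` and `apitimeout`. `nova_login` and `main` both begin and end outside these hunks.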
@@ -0,0 +1,59 @@
+From b7032d16a07997ecab3b2c11a6436b3fa21f9043 Mon Sep 17 00:00:00 2001
+From: "Fabio M. Di Nitto"
+Date: Thu, 6 Jan 2022 12:53:28 +0100
+Subject: [PATCH] fence_openstack: relax ssl cacert default
+
+allow the agent to use Base OS defaults vs forcing a specific file
+to increase portability.
+
+Signed-off-by: Fabio M. Di Nitto
+---
+ agents/openstack/fence_openstack.py | 12 +++++++++---
+ tests/data/metadata/fence_openstack.xml | 2 +-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/agents/openstack/fence_openstack.py b/agents/openstack/fence_openstack.py
+index c2d9df160..36b353b52 100755
+--- a/agents/openstack/fence_openstack.py
++++ b/agents/openstack/fence_openstack.py
+@@ -127,7 +127,13 @@ def nova_login(username, password, projectname, auth_url, user_domain_name,
+ cacert=cacert,
+ )
+
+- session = ksc_session.Session(auth=auth, verify=False if ssl_insecure else cacert, timeout=apitimeout)
++ caverify=True
++ if ssl_insecure:
++ caverify=False
++ elif cacert:
++ caverify=cacert
++
++ session = ksc_session.Session(auth=auth, verify=caverify, timeout=apitimeout)
+ nova = client.Client("2", session=session, timeout=apitimeout)
+ apiversion = None
+ try:
+@@ -189,10 +195,10 @@ def define_new_opts():
+ all_opt["cacert"] = {
+ "getopt": ":",
+ "longopt": "cacert",
+- "help": "--cacert=[cacert] Path to the PEM file with trusted authority certificates",
++ "help": "--cacert=[cacert] Path to the PEM file with trusted authority certificates (override global CA trust)",
+ "required": "0",
+ "shortdesc": "SSL X.509 certificates file",
+- "default": "/etc/pki/tls/certs/ca-bundle.crt",
++ "default": "",
+ "order": 7,
+ }
+ all_opt["apitimeout"] = {
+diff --git a/tests/data/metadata/fence_openstack.xml b/tests/data/metadata/fence_openstack.xml
+index 926d18c3d..c8dc2e60f 100644
+--- a/tests/data/metadata/fence_openstack.xml
++++ b/tests/data/metadata/fence_openstack.xml
+@@ -100,7 +100,7 @@
+
+
+
+-
++
+ SSL X.509 certificates file
+
+
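Review bot: With the `--cacert` default now `""`, the new `if ssl_insecure: ... elif cacert:` chain in `nova_login` lets `--ssl-insecure` silently override an explicitly supplied CA file, which is the one combination where the operator's intent is contradictory. Since an explicit `--cacert` is now distinguishable from the default, `main()` could reject the pair, e.g. `if ssl_insecure and cacert: fail_usage("Failed: --ssl-insecure and --cacert are mutually exclusive")`, or the chain could log which setting took effect. The call ending in `cacert=cacert, )` directly above the changed lines still receives the raw option value, now an empty string by default; its callee is outside the hunk, so confirm it treats `""` as unset. Minor style: `caverify=True` and the two assignments below it lack spaces around `=`. `nova_login` and `define_new_opts` both extend beyond the hunks shown.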
diff --git a/fence-agents.spec b/fence-agents.spec index e488765..a353967 100644 --- a/fence-agents.spec +++ b/fence-agents.spec @@ -59,7 +59,7 @@ Name: fence-agents Summary: Set of unified programs capable of host isolation ("fencing") Version: 4.10.0 -Release: 13%{?alphatag:.%{alphatag}}%{?dist} +Release: 14%{?alphatag:.%{alphatag}}%{?dist} License: GPLv2+ and LGPLv2+ URL: https://github.com/ClusterLabs/fence-agents Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz @@ -226,6 +226,8 @@ Patch9: bz2010709-2-fence_amt_ws-boot-option.patch Patch10: bz2000954-1-configure-fix-virt.patch Patch11: bz2000954-2-fence_kubevirt.patch Patch12: bz2022334-fence_zvmip-add-ssl-tls-support.patch +Patch13: bz2029791-1-fence_openstack-add-ssl-insecure.patch +Patch14: bz2029791-2-fence_openstack-cacert-default.patch %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hpblade ibmblade ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti %ifarch x86_64 @@ -596,7 +598,7 @@ Support libraries for Fence Agents. %endif %package all -License: GPLv2+, LGPLv2+ and ASL 2.0 +License: GPLv2+ and LGPLv2+ and ASL 2.0 Summary: Set of unified programs capable of host isolation ("fencing") Requires: %{allfenceagents} %ifarch ppc64le @@ -1404,6 +1406,10 @@ are located on corosync cluster nodes. %endif %changelog +* Tue Jan 11 2022 Oyvind Albrigtsen - 4.10.0-14 +- fence_openstack: add --ssl-insecure + Resolves: rhbz#2029791 + * Thu Dec 2 2021 Oyvind Albrigtsen - 4.10.0-13 - fence_amt_ws: fix "or" causing dead code Resolves: rhbz#2010709