From 1aad6d792022758de055fa027ba864e5647b2f6f Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 14 May 2025 14:59:57 +0000
Subject: [PATCH] import UBI keepalived-2.2.8-9.el10
---
 .gitignore | 2 +-
 .keepalived.metadata | 1 -
 SOURCES/RHEL-66742.patch | 41 ---
 SOURCES/RHEL-7694-dep.patch | 23 --
 SOURCES/RHEL-7694.patch | 97 -------
 SOURCES/RHEL-7699.patch | 40 ---
 ...evert-explicit-set-LOG_USER-facility.patch | 55 ----
 ...6-use-LOG_DAEMON-facility-by-default.patch | 165 ------------
 ...2028350-fix-dbus-policy-restrictions.patch | 41 ---
 ...2054249-fix-unweighted-track-scripts.patch | 41 ---
 .../keepalived.service => keepalived.service | 7 +-
 SPECS/keepalived.spec => keepalived.spec | 254 ++++++++++++------
 sources | 1 +
 ...patch => validate-ipset-names-better.patch | 31 ++-
 14 files changed, 201 insertions(+), 598 deletions(-)
 delete mode 100644 .keepalived.metadata
 delete mode 100644 SOURCES/RHEL-66742.patch
 delete mode 100644 SOURCES/RHEL-7694-dep.patch
 delete mode 100644 SOURCES/RHEL-7694.patch
 delete mode 100644 SOURCES/RHEL-7699.patch
 delete mode 100644 SOURCES/bz1977716-revert-explicit-set-LOG_USER-facility.patch
 delete mode 100644 SOURCES/bz1977716-use-LOG_DAEMON-facility-by-default.patch
 delete mode 100644 SOURCES/bz2028350-fix-dbus-policy-restrictions.patch
 delete mode 100644 SOURCES/bz2054249-fix-unweighted-track-scripts.patch
 rename SOURCES/keepalived.service => keepalived.service (69%)
 rename SPECS/keepalived.spec => keepalived.spec (70%)
 create mode 100644 sources
 rename SOURCES/RHEL-49561-validate-ipset-names-better.patch => validate-ipset-names-better.patch (78%)
diff --git a/.gitignore b/.gitignore
index 0928bfa..40d24bc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/keepalived-2.1.5.tar.gz
+keepalived-2.2.8.tar.gz
diff --git a/.keepalived.metadata b/.keepalived.metadata
deleted file mode 100644
index 4e3f4fb..0000000
--- a/.keepalived.metadata
+++ /dev/null
@@ -1 +0,0 @@ -54128bc7b4f8b920028af4691be9013f25393a99 SOURCES/keepalived-2.1.5.tar.gz diff --git a/SOURCES/RHEL-66742.patch b/SOURCES/RHEL-66742.patch deleted file mode 100644 index 5f30bbf..0000000 --- a/SOURCES/RHEL-66742.patch +++ /dev/null @@ -1,41 +0,0 @@ -commit d2f5e5595a511ff62934c77cb62f82bdb2320e29 -Author: Yonglong Li -Date: Fri Dec 29 11:03:08 2023 +0800 - - lvs: if lost misc check child register checker agagin - - issue: misc check_child_thread timeout and remove child_pid - form rb_data, timeout callback of check_child_thread is not be - called, if at this time misc script done and exit, and child - termination will do nothing because child_pid was remove form - rb_data. in this case timeou callback will not register checker - again, the checker will lost. - - fix: if lost misc check child register checker again - - 
Signed-off-by: Yonglong Li - -diff --git a/keepalived/check/check_misc.c b/keepalived/check/check_misc.c -index b2260d5f..c388e89d 100644 ---- a/keepalived/check/check_misc.c -+++ b/keepalived/check/check_misc.c -@@ -337,9 +337,10 @@ misc_check_child_thread(thread_ref_t thread) - /* The process does not exist, and we should - * have reaped its exit status, otherwise it - * would exist as a zombie process. */ -- log_message(LOG_INFO, "Misc script %s child (PID %d) lost", misck_checker->script.args[0], pid); -+ log_message(LOG_INFO, "Misc script %s child (PID %d) lost, register checker again", misck_checker->script.args[0], pid); - misck_checker->state = SCRIPT_STATE_IDLE; - timeout = 0; -+ goto recheck; - } else { - log_message(LOG_INFO, "kill -%d of process %s(%d) with new state %u failed with errno %d", sig_num, misck_checker->script.args[0], pid, misck_checker->state, errno); - timeout = 1000; -@@ -488,6 +489,7 @@ misc_check_child_thread(thread_ref_t thread) - } - } - -+recheck: - /* Register next timer checker */ - next_time = timer_add_long(misck_checker->last_ran, checker->retry_it ? checker->delay_before_retry : checker->delay_loop); - next_time = timer_sub_now(next_time); diff --git a/SOURCES/RHEL-7694-dep.patch b/SOURCES/RHEL-7694-dep.patch deleted file mode 100644 index 2f5f8fd..0000000 --- a/SOURCES/RHEL-7694-dep.patch +++ /dev/null @@ -1,23 +0,0 @@ -commit 4a56ddf74b310d75c31bb98fee6f6789b04f6891 -Author: Quentin Armitage -Date: Mon Jul 20 07:03:54 2020 +0100 - - vrrp: Fix building without VMAC support - - 
Signed-off-by: Quentin Armitage - -diff --git a/keepalived/vrrp/vrrp_parser.c b/keepalived/vrrp/vrrp_parser.c -index 1d19c684..3e05f698 100644 ---- a/keepalived/vrrp/vrrp_parser.c -+++ b/keepalived/vrrp/vrrp_parser.c -@@ -412,9 +412,9 @@ vrrp_handler(const vector_t *strvec) - static void - vrrp_end_handler(void) - { --#ifdef _HAVE_VRRP_VMAC_ - vrrp_t *vrrp = list_last_entry(&vrrp_data->vrrp, vrrp_t, e_list); - -+#ifdef _HAVE_VRRP_VMAC_ - if (!list_empty(&vrrp->unicast_peer) && vrrp->vmac_flags) { - report_config_error(CONFIG_GENERAL_ERROR, "(%s): Cannot use VMAC/ipvlan with unicast peers - clearing use_vmac", vrrp->iname); - vrrp->vmac_flags = 0; diff --git a/SOURCES/RHEL-7694.patch b/SOURCES/RHEL-7694.patch deleted file mode 100644 index 48bcf29..0000000 --- a/SOURCES/RHEL-7694.patch +++ /dev/null @@ -1,97 +0,0 @@ -commit 97429b3b7e6ec2f5b9c93a5d507b152bab30f919 -Author: Quentin Armitage -Date: Wed Sep 16 15:35:44 2020 +0100 - - vrrp: Fix using VMACs with unicast peers - - 
Signed-off-by: Quentin Armitage - -diff --git a/doc/man/man5/keepalived.conf.5 b/doc/man/man5/keepalived.conf.5 -index e6b230c6..83a5915f 100644 ---- a/doc/man/man5/keepalived.conf.5 -+++ b/doc/man/man5/keepalived.conf.5 -@@ -1359,6 +1359,8 @@ The syntax for vrrp_instance is : - # all.rp_filter, as will default.rp_filter, and all.rp_filter - # will be set to 0. - # The original settings are restored on termination. -+ # \fBNOTE 2\fR: If using use_vmac with unicast peers, -+ # vmac_xmit_base must be set. - \fBuse_vmac \fR[] - - # Send/Recv VRRP messages from base interface instead of -diff --git a/keepalived/vrrp/vrrp_parser.c b/keepalived/vrrp/vrrp_parser.c -index 5cf1eea1..d1e2d8ea 100644 ---- a/keepalived/vrrp/vrrp_parser.c -+++ b/keepalived/vrrp/vrrp_parser.c -@@ -416,9 +416,14 @@ vrrp_end_handler(void) - - #ifdef _HAVE_VRRP_VMAC_ - if (!list_empty(&vrrp->unicast_peer) && vrrp->vmac_flags) { -- report_config_error(CONFIG_GENERAL_ERROR, "(%s): Cannot use VMAC/ipvlan with unicast peers - clearing use_vmac", vrrp->iname); -- vrrp->vmac_flags = 0; -- vrrp->vmac_ifname[0] = '\0'; -+ if (!vrrp->ifp) { -+ report_config_error(CONFIG_GENERAL_ERROR, "(%s): Cannot use VMAC/ipvlan with unicast peers and no interface - clearing use_vmac", vrrp->iname); -+ vrrp->vmac_flags = 0; -+ vrrp->vmac_ifname[0] = '\0'; -+ } else if (!__test_bit(VRRP_VMAC_XMITBASE_BIT, &vrrp->vmac_flags)) { -+ report_config_error(CONFIG_GENERAL_ERROR, "(%s) unicast with use_vmac requires vmac_xmit_base - setting", vrrp->iname); -+ __set_bit(VRRP_VMAC_XMITBASE_BIT, &vrrp->vmac_flags); -+ } - } - #endif - -diff --git a/keepalived/vrrp/vrrp_scheduler.c b/keepalived/vrrp/vrrp_scheduler.c -index 2fb859e1..d9271720 100644 ---- a/keepalived/vrrp/vrrp_scheduler.c -+++ b/keepalived/vrrp/vrrp_scheduler.c -@@ -459,17 +459,17 @@ vrrp_create_sockpool(list_head_t *l) - struct sockaddr_storage *unicast_src; - - list_for_each_entry(vrrp, &vrrp_data->vrrp, e_list) { -- if (list_empty(&vrrp->unicast_peer)) { -- ifp = 
--#ifdef _HAVE_VRRP_VMAC_ -- (__test_bit(VRRP_VMAC_XMITBASE_BIT, &vrrp->vmac_flags)) ? vrrp->configured_ifp : --#endif -- vrrp->ifp; -+ if (list_empty(&vrrp->unicast_peer)) - unicast_src = NULL; -- } else { -+ else - unicast_src = &vrrp->saddr; -- ifp = vrrp->ifp; -- } -+ -+ ifp = -+#ifdef _HAVE_VRRP_VMAC_ -+ (__test_bit(VRRP_VMAC_XMITBASE_BIT, &vrrp->vmac_flags)) ? vrrp->configured_ifp : -+#endif -+ vrrp->ifp; -+ - proto = IPPROTO_VRRP; - #if defined _WITH_VRRP_AUTH_ - if (vrrp->auth_type == VRRP_AUTH_AH) -@@ -607,13 +607,6 @@ vrrp_lower_prio_gratuitous_arp_thread(thread_ref_t thread) - vrrp_send_link_update(vrrp, vrrp->garp_lower_prio_rep); - } - --static void --vrrp_master(vrrp_t * vrrp) --{ -- /* Send the VRRP advert */ -- vrrp_state_master_tx(vrrp); --} -- - void - try_up_instance(vrrp_t *vrrp, bool leaving_init) - { -@@ -802,7 +795,7 @@ vrrp_dispatcher_read_timeout(sock_t *sock) - vrrp_goto_master(vrrp); - } - else if (vrrp->state == VRRP_STATE_MAST) -- vrrp_master(vrrp); -+ vrrp_state_master_tx(vrrp); - - /* handle instance synchronization */ - #ifdef _TSM_DEBUG_ diff --git a/SOURCES/RHEL-7699.patch b/SOURCES/RHEL-7699.patch deleted file mode 100644 index 584fe83..0000000 --- a/SOURCES/RHEL-7699.patch +++ /dev/null @@ -1,40 +0,0 @@ -commit e2b4d108d68ada3af8ad437e2e291fcac1fd0ff7 -Author: Quentin Armitage -Date: Tue Oct 20 11:24:48 2020 +0100 - - ipvs: Allow real servers to be specified with a weight of 0 - - This currently only really makes sense when also having a FILE_CHECK - with non-zero weight configured, or a MISC_CHECK with "misc_dynamic", - since otherwise there is no way that the weight of the real server can - be changed to be non-zero. - - 
Signed-off-by: Quentin Armitage - -diff --git a/keepalived/check/ipwrapper.c b/keepalived/check/ipwrapper.c -index a4c40d6c..4b9ccb6f 100644 ---- a/keepalived/check/ipwrapper.c -+++ b/keepalived/check/ipwrapper.c -@@ -410,8 +410,8 @@ init_service_rs(virtual_server_t *vs) - rs->num_failed_checkers++; - } - -- if (rs->effective_weight < 1) -- rs->weight = 1; -+ if (rs->effective_weight < 0) -+ rs->weight = 0; - else if (rs->effective_weight > IPVS_WEIGHT_MAX - 1) - rs->weight = IPVS_WEIGHT_MAX - 1; - else -@@ -667,9 +667,8 @@ update_svr_wgt(int weight, virtual_server_t * vs, real_server_t * rs - { - rs->effective_weight = weight; - --/* TODO - handle weight = 0 - ? affects quorum */ -- if (weight <= 0) -- weight = 1; -+ if (weight < 0) -+ weight = 0; - #if IPVS_WEIGHT_MAX != INT_MAX - else if (weight > IPVS_WEIGHT_MAX) - weight = IPVS_WEIGHT_MAX; diff --git a/SOURCES/bz1977716-revert-explicit-set-LOG_USER-facility.patch b/SOURCES/bz1977716-revert-explicit-set-LOG_USER-facility.patch deleted file mode 100644 index 2808dfb..0000000 --- a/SOURCES/bz1977716-revert-explicit-set-LOG_USER-facility.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From ff476e860e91c1a814ac038ee16790a2a5b950af Mon Sep 17 00:00:00 2001 -From: Quentin Armitage -Date: Mon, 18 Jan 2021 14:38:15 +0000 -Subject: [PATCH 1/2] Revert "Explicitly set LOG_USER log facility when - syslogging" - -This reverts commit db3bcf7b891881e8e70954424f0fe88ec7d37ce0. - -This commit was just plain wrong. The facility should default to -LOG_DAEMON (see keepalived(8) man page), but if --log-facility is -specified, that is the facility to which log entries should be logged. ---- - lib/logger.c | 5 +---- - lib/logger.h | 2 +- - 2 files changed, 2 insertions(+), 5 deletions(-) - -diff --git a/lib/logger.c b/lib/logger.c -index a0cc2048..34c83f32 100644 ---- a/lib/logger.c -+++ b/lib/logger.c -@@ -133,7 +133,7 @@ block_signals(sigset_t *cur_set) - #endif - - void --vlog_message(int facility, const char* format, va_list args) -+vlog_message(const int facility, const char* format, va_list args) - { - #ifndef HAVE_SIGNALFD - sigset_t cur_set; -@@ -213,9 +213,6 @@ vlog_message(int facility, const char* format, va_list args) - restore_signals = true; - #endif - -- if (!(facility & LOG_FACMASK)) -- facility |= LOG_USER; -- - #if HAVE_VSYSLOG - vsyslog(facility, format, args); - #else -diff --git a/lib/logger.h b/lib/logger.h -index 7536536a..20b2a7e4 100644 ---- a/lib/logger.h -+++ b/lib/logger.h -@@ -44,7 +44,7 @@ extern void open_log_file(const char *, const char *, const char *, const char * - extern void flush_log_file(void); - extern void update_log_file_perms(mode_t); - #endif --extern void vlog_message(int facility, const char* format, va_list args) -+extern void vlog_message(const int facility, const char* format, va_list args) - __attribute__ ((format (printf, 2, 0))); - extern void log_message(int priority, const char* format, ...) - __attribute__ ((format (printf, 2, 3))); --- -2.31.1 - 
diff --git a/SOURCES/bz1977716-use-LOG_DAEMON-facility-by-default.patch b/SOURCES/bz1977716-use-LOG_DAEMON-facility-by-default.patch
deleted file mode 100644
index 80b9e02..0000000
--- a/SOURCES/bz1977716-use-LOG_DAEMON-facility-by-default.patch
+++ /dev/null
@@ -1,165 +0,0 @@ -From 75ea1d31c17f4bb3a73590167658310bc9f67149 Mon Sep 17 00:00:00 2001 -From: Quentin Armitage -Date: Mon, 18 Jan 2021 14:57:30 +0000 -Subject: [PATCH 2/2] all: log to LOG_DAEMON facility by default - -keepalived(8) man page states that the default log facility is LOG_DAEMON. -Commit db3bcf7 - "Explicitly set LOG_USER log facility when syslogging" -incorrectly set the facility to LOG_USER, and that has now been reverted. -However, with that reverted, by default the VRRP process logs to LOG_LOCAL1 -and the checker and BFD processes log to LOG_LOCAL2, contrary to the -documentation. - -Since no-one has commented that logs were not going to LOG_LOCAL1/2 since -commit db3bcf7 (April 28 2020), it is safe to assume that no-one was relying -on that. This commit therefore reverts to the documentation and by default -logs everything to the LOG_DAEMON facility. - -Signed-off-by: Quentin Armitage ---- - keepalived/bfd/bfd_daemon.c | 3 +-- - keepalived/check/check_daemon.c | 3 +-- - keepalived/core/main.c | 7 +++---- - keepalived/include/main.h | 1 - - keepalived/vrrp/vrrp_daemon.c | 3 +-- - lib/logger.c | 2 ++ - lib/logger.h | 10 ++++++++++ - 7 files changed, 18 insertions(+), 11 deletions(-) - -diff --git a/keepalived/bfd/bfd_daemon.c b/keepalived/bfd/bfd_daemon.c -index cf74eee3..47d87892 100644 ---- a/keepalived/bfd/bfd_daemon.c -+++ b/keepalived/bfd/bfd_daemon.c -@@ -396,8 +396,7 @@ start_bfd_child(void) - - /* Opening local BFD syslog channel */ - if (!__test_bit(NO_SYSLOG_BIT, &debug)) -- openlog(syslog_ident, LOG_PID | ((__test_bit(LOG_CONSOLE_BIT, &debug)) ? LOG_CONS : 0) -- , (log_facility==LOG_DAEMON) ? 
LOG_LOCAL2 : log_facility); -+ open_syslog(syslog_ident); - - #ifdef ENABLE_LOG_TO_FILE - if (log_file_name) -diff --git a/keepalived/check/check_daemon.c b/keepalived/check/check_daemon.c -index 5e03cc4c..63bdf07b 100644 ---- a/keepalived/check/check_daemon.c -+++ b/keepalived/check/check_daemon.c -@@ -689,8 +689,7 @@ start_check_child(void) - - /* Opening local CHECK syslog channel */ - if (!__test_bit(NO_SYSLOG_BIT, &debug)) -- openlog(syslog_ident, LOG_PID | ((__test_bit(LOG_CONSOLE_BIT, &debug)) ? LOG_CONS : 0) -- , (log_facility==LOG_DAEMON) ? LOG_LOCAL2 : log_facility); -+ open_syslog(syslog_ident); - - #ifdef ENABLE_LOG_TO_FILE - if (log_file_name) -diff --git a/keepalived/core/main.c b/keepalived/core/main.c -index be4488ea..756b2f12 100644 ---- a/keepalived/core/main.c -+++ b/keepalived/core/main.c -@@ -149,7 +149,6 @@ static const struct child_term children_term[] = { - /* global var */ - const char *version_string = VERSION_STRING; /* keepalived version */ - const char *conf_file = KEEPALIVED_CONFIG_FILE; /* Configuration file */ --int log_facility = LOG_DAEMON; /* Optional logging facilities */ - bool reload; /* Set during a reload */ - const char *main_pidfile; /* overrule default pidfile */ - static bool free_main_pidfile; -@@ -2087,7 +2086,7 @@ keepalived_main(int argc, char **argv) - umask(umask_val); - - /* Open log with default settings so we can log initially */ -- openlog(PACKAGE_NAME, LOG_PID, log_facility); -+ open_syslog(PACKAGE_NAME); - - #ifdef _MEM_CHECK_ - mem_log_init(PACKAGE_NAME, "Parent process"); -@@ -2128,7 +2127,7 @@ keepalived_main(int argc, char **argv) - if (parse_cmdline(argc, argv)) { - closelog(); - if (!__test_bit(NO_SYSLOG_BIT, &debug)) -- openlog(PACKAGE_NAME, LOG_PID | ((__test_bit(LOG_CONSOLE_BIT, &debug)) ? 
LOG_CONS : 0) , log_facility); -+ open_syslog(PACKAGE_NAME); - } - - if (__test_bit(LOG_CONSOLE_BIT, &debug)) -@@ -2212,7 +2211,7 @@ keepalived_main(int argc, char **argv) - if ((syslog_ident = make_syslog_ident(PACKAGE_NAME))) { - log_message(LOG_INFO, "Changing syslog ident to %s", syslog_ident); - closelog(); -- openlog(syslog_ident, LOG_PID | ((__test_bit(LOG_CONSOLE_BIT, &debug)) ? LOG_CONS : 0), log_facility); -+ open_syslog(syslog_ident); - } - else - log_message(LOG_INFO, "Unable to change syslog ident"); -diff --git a/keepalived/include/main.h b/keepalived/include/main.h -index 3e013bb6..6a34797b 100644 ---- a/keepalived/include/main.h -+++ b/keepalived/include/main.h -@@ -51,7 +51,6 @@ enum daemon_bits { - extern const char *version_string; /* keepalived version */ - extern unsigned long daemon_mode; /* Which child processes are run */ - extern const char *conf_file; /* Configuration file */ --extern int log_facility; /* Optional logging facilities */ - #ifdef _WITH_VRRP_ - extern pid_t vrrp_child; /* VRRP child process ID */ - extern const char *vrrp_pidfile; /* overrule default pidfile */ -diff --git a/keepalived/vrrp/vrrp_daemon.c b/keepalived/vrrp/vrrp_daemon.c -index baa5f5f2..e22f8a81 100644 ---- a/keepalived/vrrp/vrrp_daemon.c -+++ b/keepalived/vrrp/vrrp_daemon.c -@@ -974,8 +974,7 @@ start_vrrp_child(void) - syslog_ident = PROG_VRRP; - - if (!__test_bit(NO_SYSLOG_BIT, &debug)) -- openlog(syslog_ident, LOG_PID | ((__test_bit(LOG_CONSOLE_BIT, &debug)) ? LOG_CONS : 0) -- , (log_facility==LOG_DAEMON) ? 
LOG_LOCAL1 : log_facility); -+ open_syslog(syslog_ident); - - #ifdef ENABLE_LOG_TO_FILE - if (log_file_name) -diff --git a/lib/logger.c b/lib/logger.c -index 34c83f32..7fad8ac6 100644 ---- a/lib/logger.c -+++ b/lib/logger.c -@@ -40,6 +40,8 @@ - /* Boolean flag - send messages to console as well as syslog */ - static bool log_console = false; - -+int log_facility = LOG_DAEMON; /* Optional logging facilities */ -+ - #ifdef ENABLE_LOG_TO_FILE - /* File to write log messages to */ - const char *log_file_name; -diff --git a/lib/logger.h b/lib/logger.h -index 20b2a7e4..c6f29138 100644 ---- a/lib/logger.h -+++ b/lib/logger.h -@@ -30,8 +30,13 @@ - #include - #endif - -+#include "bitops.h" -+#include "utils.h" -+ - #define MAX_LOG_MSG 255 - -+extern int log_facility; /* Optional logging facilities */ -+ - #ifdef ENABLE_LOG_TO_FILE - extern const char *log_file_name; - #endif -@@ -51,4 +56,9 @@ extern void log_message(int priority, const char* format, ...) - extern void conf_write(FILE *fp, const char *format, ...) - __attribute__ ((format (printf, 2, 3))); - -+static inline void -+open_syslog(const char *ident) -+{ -+ openlog(ident, LOG_PID | ((__test_bit(LOG_CONSOLE_BIT, &debug)) ? LOG_CONS : 0), log_facility); -+} - #endif --- -2.31.1 - diff --git a/SOURCES/bz2028350-fix-dbus-policy-restrictions.patch b/SOURCES/bz2028350-fix-dbus-policy-restrictions.patch deleted file mode 100644 index 7df76e0..0000000 --- a/SOURCES/bz2028350-fix-dbus-policy-restrictions.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 763eaa49343acdda5ff359012e8cc49c9ffc8e81 Mon Sep 17 00:00:00 2001 -From: Vincent Bernat -Date: Tue, 23 Nov 2021 06:50:59 +0100 -Subject: [PATCH] dbus: fix policy to not be overly broad - -The DBus policy did not restrict the message destination, allowing any -user to inspect and manipulate any property. - -Signed-off-by: Vincent Bernat ---- - keepalived/dbus/org.keepalived.Vrrp1.conf | 13 ++++++++----- - 1 file changed, 8 insertions(+), 5 deletions(-) - -diff --git a/keepalived/dbus/org.keepalived.Vrrp1.conf b/keepalived/dbus/org.keepalived.Vrrp1.conf -index 2b78a575..b5ced608 100644 ---- a/keepalived/dbus/org.keepalived.Vrrp1.conf -+++ b/keepalived/dbus/org.keepalived.Vrrp1.conf -@@ -3,12 +3,15 @@ - "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> - - -- -- -+ -+ - - -- -- -- -+ -+ -+ - - --- -2.33.1 - diff --git a/SOURCES/bz2054249-fix-unweighted-track-scripts.patch b/SOURCES/bz2054249-fix-unweighted-track-scripts.patch deleted file mode 100644 index 2b85867..0000000 --- a/SOURCES/bz2054249-fix-unweighted-track-scripts.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From d93b2051641ebfc4c5dcdc405ed0f26b9bcaa65a Mon Sep 17 00:00:00 2001 -From: Quentin Armitage -Date: Sat, 25 Jul 2020 10:13:32 +0100 -Subject: [PATCH] vrrp: Don't remove unweighted track scripts from sync group - members - -Commit 3390697 - "vrrp: rewrote framework using list_head_t design" -cleared the track_script list for any vrrp instance that was in a -sync group. This was due to the old list structure allocating memory -which had to be freed if the list was empty, but that is no longer -the case with list_head. - -Signed-off-by: Quentin Armitage ---- - keepalived/vrrp/vrrp.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/keepalived/vrrp/vrrp.c b/keepalived/vrrp/vrrp.c -index c8967eef..c7ded6b4 100644 ---- a/keepalived/vrrp/vrrp.c -+++ b/keepalived/vrrp/vrrp.c -@@ -3406,7 +3406,7 @@ vrrp_complete_instance(vrrp_t * vrrp) - free_track_if_list(&vrrp->track_ifp); - - /* Ignore any weighted script */ -- list_for_each_entry_safe(sc, sc_tmp, &vrrp->track_script,e_list) { -+ list_for_each_entry_safe(sc, sc_tmp, &vrrp->track_script, e_list) { - if (sc->weight) { - report_config_error(CONFIG_GENERAL_ERROR, "(%s) ignoring " - "tracked script %s with weights due to %s" -@@ -3417,7 +3417,6 @@ vrrp_complete_instance(vrrp_t * vrrp) - free_track_script(sc); - } - } -- free_track_script_list(&vrrp->track_script); - - /* Set tracking files to unweighted if weight not explicitly set, otherwise ignore */ - list_for_each_entry_safe(tfl, tfl_tmp, &vrrp->track_file, e_list) { --- -2.33.1 - diff --git a/SOURCES/keepalived.service b/keepalived.service similarity index 69% rename from SOURCES/keepalived.service rename to keepalived.service index 64c5d3f..b4a521d 100644 --- a/SOURCES/keepalived.service +++ b/keepalived.service 
@@ -4,11 +4,12 @@ After=network-online.target syslog.target Wants=network-online.target [Service] -Type=forking -PIDFile=/var/run/keepalived.pid +Type=notify +NotifyAccess=all +PIDFile=/run/keepalived.pid KillMode=process EnvironmentFile=-/etc/sysconfig/keepalived -ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS +ExecStart=/usr/sbin/keepalived --dont-fork $KEEPALIVED_OPTIONS ExecReload=/bin/kill -HUP $MAINPID [Install] diff --git a/SPECS/keepalived.spec b/keepalived.spec similarity index 70% rename from SPECS/keepalived.spec rename to keepalived.spec index c12b8f6..80e59d4 100644 --- a/SPECS/keepalived.spec +++ b/keepalived.spec @@ -1,7 +1,8 @@ %bcond_without snmp %bcond_without vrrp %bcond_without sha1 -%bcond_with iptables +%bcond_without json +%bcond_without nftables %bcond_with profile %bcond_with debug @@ -9,24 +10,15 @@ Name: keepalived Summary: High Availability monitor built upon LVS, VRRP and service pollers -Version: 2.1.5 -Release: 11%{?dist} -License: GPLv2+ +Version: 2.2.8 +Release: 9%{?dist} +License: GPL-2.0-or-later URL: http://www.keepalived.org/ -Group: System Environment/Daemons Source0: http://www.keepalived.org/software/keepalived-%{version}.tar.gz Source1: keepalived.service - -Patch1: bz1977716-revert-explicit-set-LOG_USER-facility.patch -Patch2: bz1977716-use-LOG_DAEMON-facility-by-default.patch -Patch3: bz2028350-fix-dbus-policy-restrictions.patch -Patch4: bz2054249-fix-unweighted-track-scripts.patch -Patch5: RHEL-49561-validate-ipset-names-better.patch -Patch6: RHEL-7694-dep.patch -Patch7: RHEL-7694.patch -Patch8: RHEL-7699.patch -Patch9: RHEL-66742.patch +#Patch0: keepalived-configure-c99.patch +Patch1: validate-ipset-names-better.patch Requires(post): systemd Requires(preun): systemd 
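Review bot: `NotifyAccess=all` in the new [Service] block of keepalived.service accepts sd_notify messages from every process in the unit's control group, which for keepalived would include any notify, track or MISC_CHECK scripts it runs, so a script could report `READY=1` or a different `MAINPID=` to systemd. With `--dont-fork` the parent stays the main PID, so unless the readiness message is sent from a child process (not visible in this diff) `NotifyAccess=main` is the narrower setting. `PIDFile=/run/keepalived.pid` is presumably redundant under `Type=notify`; if it is kept on purpose, a comment such as `# kept so ExecReload and external tooling can still find the PID file` would say why.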
@@ -35,16 +27,21 @@ Requires(postun): systemd %if %{with snmp} BuildRequires: net-snmp-devel %endif -%if %{with iptables} +%if %{with nftables} +BuildRequires: libmnl-devel +BuildRequires: libnftnl-devel +%else BuildRequires: ipset-devel BuildRequires: iptables-devel %endif BuildRequires: gcc -BuildRequires: automake BuildRequires: systemd-units +BuildRequires: systemd-devel BuildRequires: openssl-devel BuildRequires: libnl3-devel BuildRequires: libnfnetlink-devel +BuildRequires: file-devel +BuildRequires: make %description Keepalived provides simple and robust facilities for load balancing @@ -61,24 +58,19 @@ can be used independently or all together to provide resilient infrastructures. %prep -%setup -q -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 +%autosetup -p1 + +# Prevent re-running autotools. +touch aclocal.m4 Makefile.in lib/config.h.in configure %build %configure \ %{?with_debug:--enable-debug} \ %{?with_profile:--enable-profile} \ %{!?with_vrrp:--disable-vrrp} \ - %{!?with_iptables:--disable-libiptc --disable-ipset} \ %{?with_snmp:--enable-snmp --enable-snmp-rfc} \ + %{?with_nftables:--enable-nftables --disable-iptables} \ + %{?with_json:--enable-json} \ %{?with_sha1:--enable-sha1} \ --with-init=systemd %{__make} %{?_smp_mflags} STRIP=/bin/true @@ -88,6 +80,8 @@ rm -rf %{buildroot} make install DESTDIR=%{buildroot} rm -rf %{buildroot}%{_initrddir}/ rm -rf %{buildroot}%{_sysconfdir}/keepalived/samples/ +mv %{buildroot}%{_sysconfdir}/keepalived/keepalived.conf.sample \ + %{buildroot}%{_sysconfdir}/keepalived/keepalived.conf %{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/keepalived.service mkdir -p %{buildroot}%{_libexecdir}/keepalived 
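Review bot: The `touch aclocal.m4 Makefile.in lib/config.h.in configure` line added to %prep (hunk `@@ -61,24 +58,19 @@`) marks the generated autotools files as newer than their inputs, and this commit also drops `BuildRequires: automake`, so a later patch that edits only `configure.ac` or a `Makefile.am` would apply cleanly and then have no effect on the build. The existing comment says what the line does but not that constraint. I would extend it to `# Prevent re-running autotools; patches must change the generated files (configure, Makefile.in) directly.`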
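Review bot: The `mv` added in the %install hunk (`@@ -88,6 +80,8 @@`) ships the upstream `keepalived.conf.sample` as the live `%{_sysconfdir}/keepalived/keepalived.conf`, so a host that enables the unit without editing the file runs whatever the sample defines. If the sample still carries example VRRP instances, virtual addresses or a placeholder `auth_pass` (its content is not visible in this diff), those would go live on the network; installing a minimal or fully commented file, or keeping the `.sample` suffix, avoids that. The %files entry shown as context in the next hunk leaves this file at `%attr(0644,root,root)`; because keepalived.conf can hold `auth_pass` values, `%attr(0640,root,root)` would be the safer default.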
@@ -101,7 +95,6 @@ mkdir -p %{buildroot}%{_libexecdir}/keepalived %systemd_postun_with_restart keepalived.service %files -%defattr(-,root,root,-) %attr(0755,root,root) %{_sbindir}/keepalived %config(noreplace) %attr(0644,root,root) %{_sysconfdir}/sysconfig/keepalived %config(noreplace) %attr(0644,root,root) %{_sysconfdir}/keepalived/keepalived.conf 
@@ -121,77 +114,178 @@ mkdir -p %{buildroot}%{_libexecdir}/keepalived %{_mandir}/man8/keepalived.8* %changelog +* Mon Dec 2 2024 Christine Caulfield - 2.2.8-9 + Add gating.yaml from c9s + Related: RHEL-49565 -* Fri Jan 31 2025 Christine Caulfield - 2.1.5-11 -- ipvs: Allow real servers to be specified with a weight of 0 - Resolves: RHEL-7699 -- vrrp: Fix using VMACs with unicast peers - Resolves: RHEL-7694 -- lvs: if lost misc check child register checker again - Resolves: RHEL-66742 +* Fri Nov 29 2024 Christine Caulfield - 2.2.8-8 +- Fix name parsing for CVE-2024-41184 + Resolves: RHEL-49565 -* Mon Dec 2 2024 Christine Caulfield - 2.1.5-10 -- CVE-2024-41184 - Resolves: RHEL-49561 +* Tue Oct 29 2024 Troy Dawson - 2.2.8-7 +- Bump release for October 2024 mass rebuild: + Resolves: RHEL-64018 -* Thu Jul 21 2022 Ryan O'Hara - 2.1.5-9 -- Fix removal of unweighted track scripts from sync group (#2054249) +* Mon Jun 24 2024 Troy Dawson - 2.2.8-6 +- Bump release for June 2024 mass rebuild -* Tue Jan 18 2022 Ryan O'Hara - 2.1.5-8 -- Fix DBus policy restrictions (#2028350, CVE-2021-44225) +* Wed Jan 24 2024 Fedora Release Engineering - 2.2.8-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild -* Fri Oct 29 2021 Ryan O'Hara - 2.1.5-7 -- Fix log-facility option (#197716) +* Sun Jan 21 2024 Fedora Release Engineering - 2.2.8-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild -* Tue Dec 15 2020 Ryan O'Hara - 2.1.5-6 -- Fix changelog +* Fri Aug 04 2023 Ryan O'Hara - 2.2.8-3 +- Migrate to SPDX license -* Tue Oct 20 2020 Ryan O'Hara - 2.1.5-5 -- Update to 2.1.5 (#1889440) -- Fix intermittent child lost messages (#1868077) - -* Tue Jun 16 2020 Ryan O'Hara - 2.0.10-11 -- Fix vrrp_script execution (#1683438) +* Thu Jul 20 2023 Fedora Release Engineering - 2.2.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild -* Mon Feb 24 2020 Ryan O'Hara - 2.0.10-10 -- Disable libiptc/ipset (#1806642) +* Thu Jun 08 2023 Ryan O'Hara - 
2.2.8-1 +- Update to 2.2.8 (#2211385) -* Thu Jan 30 2020 Ryan O'Hara - 2.0.10-9 -- Fix FAULT state when interface is renamed (#1792160) +* Thu Jan 19 2023 Fedora Release Engineering - 2.2.7-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild -* Mon Jul 08 2019 Ryan O'Hara - 2.0.10-7 -- Add gating tests (#1682114) +* Tue Dec 20 2022 Ryan O'Hara - 2.2.7-5 +- Enable JSON support -* Wed May 01 2019 Ryan O'Hara - 2.0.10-6 -- Fix segfault when smtp alerts configured (#1693706) -- Fix double free when smtp_helo_name copied from local_name (#1693706) +* Wed Dec 7 2022 Florian Weimer - 2.2.7-4 +- Fix spurious implicit function declaration in broken configure check -* Wed Mar 27 2019 Ryan O'Hara - 2.0.10-5 -- Bump release nummber (#1688892) +* Thu Jul 21 2022 Fedora Release Engineering - 2.2.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild -* Mon Mar 18 2019 Ryan O'Hara - 2.0.10-3 -- Rework fix for OpenSSL initialization segfault (#1688892) +* Thu Jul 07 2022 Ryan O'Hara - 2.2.7-2 +- Move keepalived.conf.sample to keepalived.conf -* Fri Mar 15 2019 Ryan O'Hara - 2.0.10-2 -- Fix OpenSSL initialization segfault (#1688892) +* Mon Feb 14 2022 Ryan O'Hara - 2.2.7-1 +- Update to 2.2.7 (#2041231) + +* Thu Jan 20 2022 Fedora Release Engineering - 2.2.4-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Tue Dec 14 2021 Ryan O'Hara - 2.2.4-4 +- Fix dbus policy (#2027158, CVE-2021-44225) + +* Sat Nov 27 2021 Kevin Fenzi - 2.2.4-3 +- Rebuild for new libnftnl + +* Tue Sep 14 2021 Sahana Prasad - 2.2.4-2 +- Rebuilt with OpenSSL 3.0.0 + +* Mon Aug 23 2021 Ryan O'Hara - 2.2.4-1 +- Update to 2.2.4 (#1996274) + +* Sat Aug 14 2021 Ryan O'Hara - 2.2.3-1 +- Update to 2.2.3 (#1993601) + +* Tue Aug 03 2021 Ryan O'Hara - 2.2.2-5 +- Add systemd notify support + +* Tue Aug 03 2021 Ryan O'Hara - 2.2.2-4 +- Fix build errors (#1987620) + +* Thu Jul 22 2021 Fedora Release Engineering - 2.2.2-3 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Mon Apr 12 2021 Ryan O'Hara - 2.2.2-2 +- Add BuildRequires for file-devel + +* Wed Apr 07 2021 Ryan O'Hara - 2.2.2-1 +- Update to 2.2.2 (#1935590) + +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 2.2.1-3 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. + +* Tue Jan 26 2021 Fedora Release Engineering - 2.2.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Jan 18 2021 Ryan O'Hara - 2.2.1-1 +- Update to 2.2.1 (#1917152) + +* Thu Jan 14 2021 Ryan O'Hara - 2.2.0-1 +- Update to 2.2.0 (#1914512) + +* Thu Aug 27 2020 Josef Řídký - 2.1.5-3 +- Rebuilt for new net-snmp release + +* Tue Jul 28 2020 Fedora Release Engineering - 2.1.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Jul 15 2020 Ryan O'Hara - 2.1.5-1 +- Update to 2.1.5 (#1794135) + +* Tue Feb 18 2020 Ryan O'Hara - 2.0.20-3 +- Build with nftables support instead of iptables + +* Thu Feb 13 2020 Ryan O'Hara - 2.0.20-2 +- Remove unused patches + +* Wed Feb 12 2020 Ryan O'Hara - 2.0.20-1 +- Update to 2.0.20 (#1794135) + +* Wed Jan 29 2020 Fedora Release Engineering - 2.0.19-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Tue Nov 12 2019 Ryan O'Hara - 2.0.19-4 +- Fix file descriptor errors on reload + +* Tue Nov 12 2019 Ryan O'Hara - 2.0.19-3 +- Fix track_process with PIDs over 32767 (#1770766) + +* Wed Nov 06 2019 Ryan O'Hara - 2.0.19-2 +- Enable nftables support (#1769278) + +* Wed Nov 06 2019 Ryan O'Hara - 2.0.19-1 +- Update to 2.0.19 (#1763424) + +* Tue Jul 30 2019 Ryan O'Hara - 2.0.18-2 +- Change pidfile directory (#1712730) + +* Tue Jul 30 2019 Ryan O'Hara - 2.0.18-1 +- Update to 2.0.18 (#1678397) + +* Thu Jul 25 2019 Fedora Release Engineering - 2.0.12-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Tue Jun 25 2019 Björn Esser - 2.0.12-2 +- Rebuilt (iptables) + +* Mon Feb 04 2019 Ryan O'Hara - 
2.0.12-1 +- Update to 2.0.12 (#1576138) + +* Fri Feb 01 2019 Fedora Release Engineering - 2.0.11-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Wed Jan 09 2019 Ryan O'Hara - 2.0.11-1 +- Update to 2.0.11 * Mon Nov 26 2018 Ryan O'Hara - 2.0.10-1 -- Update to 2.0.10 (#1631816) - -* Mon Oct 08 2018 Ryan O'Hara - 2.0.7-2 -- Remove BuildRequires for ipset-devel - -* Tue Oct 02 2018 Ryan O'Hara - 2.0.7-1 -- Update to 2.0.7 (#1631816) - -* Thu Aug 09 2018 Josef Ridky - 2.0.6-2 -- Rebuild for Net-SNMP +- Update to 2.0.10 +- Fix improper pathname validation (#1651864, CVE-2018-19044) +- Fix insecure permissions when creating temporary files (#1651868, CVE-2018-19045) +- Fix insecure use of temporary files (#1651870, CVE-2018-19046) +- Fix buffer overflow when parsing HTTP status codes (#1651873, CVE-2018-19047) * Wed Jul 25 2018 Ryan O'Hara - 2.0.6-1 -- Update to 2.0.6 +- Update to 2.0.6 (#1576138) + +* Tue Jul 24 2018 Adam Williamson - 2.0.5-3 +- Rebuild for new net-snmp + +* Fri Jul 13 2018 Fedora Release Engineering - 2.0.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild * Tue Jul 03 2018 Ryan O'Hara - 2.0.5-1 -- Update to 2.0.5 +- Update to 2.0.5 (#1576138) + +* Mon Jul 02 2018 Ryan O'Hara - 1.4.5-1 +- Update to 1.4.5 + +* Thu May 10 2018 Ryan O'Hara - 1.4.4-1 +- Update to 1.4.4 (#1576138) * Thu Apr 19 2018 Ryan O'Hara - 1.4.3-1 - Update to 1.4.3 (#1565388) diff --git a/sources b/sources new file mode 100644 index 0000000..68261a4 --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (keepalived-2.2.8.tar.gz) = dc0ab5b0ef8911a7859422eccc2771a40e942236c855a628158ed748eb5f7dc4b6f4850e9c3057e81fd9d2daa640ab51fb1d7af12748a613280a217b333eb06b diff --git a/SOURCES/RHEL-49561-validate-ipset-names-better.patch b/validate-ipset-names-better.patch similarity index 78% rename from SOURCES/RHEL-49561-validate-ipset-names-better.patch rename to validate-ipset-names-better.patch index 40ede33..d38dcfc 100644 
--- a/SOURCES/RHEL-49561-validate-ipset-names-better.patch +++ b/validate-ipset-names-better.patch @@ -1,7 +1,19 @@ -diff -ur keepalived-2.1.5/keepalived/core/global_parser.c keepalived-2.1.5.patched/keepalived/core/global_parser.c ---- keepalived-2.1.5/keepalived/core/global_parser.c 2020-07-10 17:41:46.000000000 +0100 -+++ keepalived-2.1.5.patched/keepalived/core/global_parser.c 2024-12-02 14:06:44.469215491 +0000 -@@ -955,6 +955,22 @@ +Version of this patch from upstream + +--- keepalived-2.2.8/keepalived/core/commit e78513fe0ce5d83c226ea2c0bd222f375c2438e7 +Author: Quentin Armitage +Date: Fri Jul 12 15:16:47 2024 +0100 + + vrrp: Handle empty ipset names with vrrp_ipsets keyword + + We now handle empty ipset names and return a config error. + + Signed-off-by: Quentin Armitage + + +global_parser.c 2023-04-01 18:39:25.000000000 +0100 ++++ keepalived-2.2.8.patched/keepalived/core/global_parser.c 2024-11-28 08:56:17.445615602 +0000 +@@ -1086,6 +1086,22 @@ } } #ifdef _HAVE_LIBIPSET_ @@ -24,7 +36,7 @@ diff -ur keepalived-2.1.5/keepalived/core/global_parser.c keepalived-2.1.5.patch static void vrrp_ipsets_handler(const vector_t *strvec) { -@@ -974,17 +990,13 @@ +@@ -1103,17 +1119,13 @@ return; } @@ -44,7 +56,7 @@ diff -ur keepalived-2.1.5/keepalived/core/global_parser.c keepalived-2.1.5.patch global_data->vrrp_ipset_address6 = STRDUP(strvec_slot(strvec,2)); } else { -@@ -995,10 +1007,8 @@ +@@ -1124,10 +1136,8 @@ global_data->vrrp_ipset_address6 = STRDUP(set_name); } if (vector_size(strvec) >= 4) { @@ -56,9 +68,9 @@ diff -ur keepalived-2.1.5/keepalived/core/global_parser.c keepalived-2.1.5.patch global_data->vrrp_ipset_address_iface6 = STRDUP(strvec_slot(strvec,3)); } else { -@@ -1014,10 +1024,8 @@ +@@ -1142,10 +1152,8 @@ + } - #ifdef HAVE_IPSET_ATTR_IFACE if (vector_size(strvec) >= 5) { - if (strlen(strvec_slot(strvec,4)) >= IPSET_MAXNAMELEN - 1) { - report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IGMP name too long - ignored"); 
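Review bot: The new header of validate-ipset-names-better.patch looks damaged: the added line `--- keepalived-2.2.8/keepalived/core/commit e78513fe0ce5d83c226ea2c0bd222f375c2438e7` runs the old-file path straight into the pasted upstream commit message, and the rest of that path (`global_parser.c 2023-04-01 …`) only appears after the message. As far as this collapsed page shows, patch(1) would have to take the target file name from the `+++` line alone, which may work with `%autosetup -p1` but is easy to break on the next refresh. Moving the commit message above an intact `--- keepalived-2.2.8/keepalived/core/global_parser.c` line would fix it. The validator function itself is unchanged between the two versions of the patch and is not shown in these hunks, so it is not reviewed here.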
@@ -68,7 +80,7 @@ diff -ur keepalived-2.1.5/keepalived/core/global_parser.c keepalived-2.1.5.patch global_data->vrrp_ipset_igmp = STRDUP(strvec_slot(strvec,4)); } else { -@@ -1028,10 +1036,8 @@ +@@ -1156,10 +1164,8 @@ global_data->vrrp_ipset_igmp = STRDUP(set_name); } if (vector_size(strvec) >= 6) { @@ -80,4 +92,3 @@ diff -ur keepalived-2.1.5/keepalived/core/global_parser.c keepalived-2.1.5.patch global_data->vrrp_ipset_mld = STRDUP(strvec_slot(strvec,5)); } else { -Only in keepalived-2.1.5.patched/keepalived/core: global_parser.c.orig