import keepalived-2.1.5-6.el8

CentOS Sources 2021-05-18 03:00:18 -04:00 committed by Andrew Lukoshko
parent c9fb72a1a1
commit 3b4d62c8f5
12 changed files with 10 additions and 875 deletions

2
.gitignore vendored

@ -1 +1 @@
SOURCES/keepalived-2.0.10.tar.gz
SOURCES/keepalived-2.1.5.tar.gz


@ -1 +1 @@
c0b62f6d20a4a322e4bd67b4ae447bb842c28c4c SOURCES/keepalived-2.0.10.tar.gz
54128bc7b4f8b920028af4691be9013f25393a99 SOURCES/keepalived-2.1.5.tar.gz


@ -1,51 +0,0 @@
From 4e60fead497c9e99953dd6106c6a5869182533cc Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Thu, 9 May 2019 19:23:46 +0100
Subject: [PATCH] Don't enclose /dev/tcp/127.0.0.1/22 in ' chars when running
as script
RedHat identified a problem with scripts like:
vrrp_script {
script "</dev/tcp/127.0.0.1/22"
}
where returning an exit code of 127 (script not found).
This was identified to be due to the "script" being enclosed in '
characters, so the resulting system call was
system("'</dev/tcp/127.0.0.1/22'"), which failed. Not adding the leading
and trailing ' characters when the first character of the script is '<'
or '>' resolves the problem.
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
---
lib/notify.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/lib/notify.c b/lib/notify.c
index 2f60e24c..1984bde3 100644
--- a/lib/notify.c
+++ b/lib/notify.c
@@ -130,10 +130,18 @@ cmd_str_r(const notify_script_t *script, char *buf, size_t len)
if (i)
*str_p++ = ' ';
- *str_p++ = '\'';
+
+ /* Allow special case of bash script which is redirection only to
+ * test for file existence. */
+ if (i || (script->args[i][0] != '<' && script->args[i][0] != '>'))
+ *str_p++ = '\'';
+
strcpy(str_p, script->args[i]);
str_p += str_len;
- *str_p++ = '\'';
+
+ /* Close opening ' if we added one */
+ if (i || (script->args[i][0] != '<' && script->args[i][0] != '>'))
+ *str_p++ = '\'';
}
*str_p = '\0';
--
2.24.1


@ -1,76 +0,0 @@
From 1f2b558da9f631a635e9b099b455696b1903bee4 Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Fri, 15 Mar 2019 00:12:19 +0000
Subject: [PATCH 3/3] Fix some configure tested checks for OPENSSL_init_crypto
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
---
genhash/ssl.c | 6 +++---
keepalived/check/check_ssl.c | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/genhash/ssl.c b/genhash/ssl.c
index 96f51201..0574675a 100644
--- a/genhash/ssl.c
+++ b/genhash/ssl.c
@@ -44,7 +44,7 @@ void
init_ssl(void)
{
/* Library initialization */
-#if HAVE_OPENSSL_INIT_CRYPTO
+#ifdef HAVE_OPENSSL_INIT_CRYPTO
#ifndef HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG
/* In OpenSSL v1.1.1 if the following is called, SSL_CTX_new() below fails.
* It works in v1.1.0h and v1.1.1b.
@@ -59,7 +59,7 @@ init_ssl(void)
#endif
/* Initialize SSL context */
-#if HAVE_TLS_METHOD
+#ifdef HAVE_TLS_METHOD
req->meth = TLS_method();
#else
req->meth = SSLv23_method();
@@ -123,7 +123,7 @@ ssl_connect(thread_t * thread)
}
BIO_set_nbio(sock_obj->bio, 1); /* Set the Non-Blocking flag */
-#if HAVE_SSL_SET0_RBIO
+#ifdef HAVE_SSL_SET0_RBIO
BIO_up_ref(sock_obj->bio);
SSL_set0_rbio(sock_obj->ssl, sock_obj->bio);
SSL_set0_wbio(sock_obj->ssl, sock_obj->bio);
diff --git a/keepalived/check/check_ssl.c b/keepalived/check/check_ssl.c
index 2743ea87..58061b91 100644
--- a/keepalived/check/check_ssl.c
+++ b/keepalived/check/check_ssl.c
@@ -68,7 +68,7 @@ build_ssl_ctx(void)
ssl_data_t *ssl;
/* Library initialization */
-#if HAVE_OPENSSL_INIT_CRYPTO
+#ifdef HAVE_OPENSSL_INIT_CRYPTO
#ifndef HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG
/* In OpenSSL v1.1.1 if the following is called, SSL_CTX_new() below fails.
* It works in v1.1.0h and v1.1.1b.
@@ -88,7 +88,7 @@ build_ssl_ctx(void)
ssl = check_data->ssl;
/* Initialize SSL context */
-#if HAVE_TLS_METHOD
+#ifdef HAVE_TLS_METHOD
ssl->meth = TLS_method();
#else
ssl->meth = SSLv23_method();
@@ -226,7 +226,7 @@ ssl_connect(thread_t * thread, int new_req)
BIO_get_fd(req->bio, &bio_fd);
fcntl(bio_fd, F_SETFD, fcntl(bio_fd, F_GETFD) | FD_CLOEXEC);
-#if HAVE_SSL_SET0_RBIO
+#ifdef HAVE_SSL_SET0_RBIO
BIO_up_ref(req->bio);
SSL_set0_rbio(req->ssl, req->bio);
SSL_set0_wbio(req->ssl, req->bio);
--
2.20.1


@ -1,409 +0,0 @@
--- a/configure 2018-11-12 13:40:33.000000000 -0600
+++ b/configure 2019-03-18 11:29:03.305427768 -0500
@@ -730,7 +730,6 @@
AMDEPBACKSLASH
AMDEP_FALSE
AMDEP_TRUE
-am__quote
am__include
DEPDIR
OBJEXT
@@ -790,7 +789,6 @@
docdir
oldincludedir
includedir
-runstatedir
localstatedir
sharedstatedir
sysconfdir
@@ -809,7 +807,8 @@
PACKAGE_TARNAME
PACKAGE_NAME
PATH_SEPARATOR
-SHELL'
+SHELL
+am__quote'
ac_subst_files=''
ac_user_opts='
enable_option_checking
@@ -925,7 +924,6 @@
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
-runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1178,15 +1176,6 @@
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
- -runstatedir | --runstatedir | --runstatedi | --runstated \
- | --runstate | --runstat | --runsta | --runst | --runs \
- | --run | --ru | --r)
- ac_prev=runstatedir ;;
- -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
- | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
- | --run=* | --ru=* | --r=*)
- runstatedir=$ac_optarg ;;
-
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1324,7 +1313,7 @@
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
- libdir localedir mandir runstatedir
+ libdir localedir mandir
do
eval ac_val=\$$ac_var
# Remove trailing slashes.
@@ -1477,7 +1466,6 @@
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
- --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
@@ -2689,7 +2677,7 @@
ac_compiler_gnu=$ac_cv_c_compiler_gnu
-am__api_version='1.15'
+am__api_version='1.16'
ac_aux_dir=
for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
@@ -3234,8 +3222,8 @@
# For better backward compatibility. To be removed once Automake 1.9.x
# dies out for good. For more background, see:
-# <http://lists.gnu.org/archive/html/automake/2012-07/msg00001.html>
-# <http://lists.gnu.org/archive/html/automake/2012-07/msg00014.html>
+# <https://lists.gnu.org/archive/html/automake/2012-07/msg00001.html>
+# <https://lists.gnu.org/archive/html/automake/2012-07/msg00014.html>
mkdir_p='$(MKDIR_P)'
# We need awk for the "check" target (and possibly the TAP driver). The
@@ -3286,7 +3274,7 @@
Aborting the configuration process, to ensure you take notice of the issue.
You can download and install GNU coreutils to get an 'rm' implementation
-that behaves properly: <http://www.gnu.org/software/coreutils/>.
+that behaves properly: <https://www.gnu.org/software/coreutils/>.
If you want to complete the configuration process using your problematic
'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM
@@ -4650,45 +4638,45 @@
ac_config_commands="$ac_config_commands depfiles"
-
-am_make=${MAKE-make}
-cat > confinc << 'END'
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} supports the include directive" >&5
+$as_echo_n "checking whether ${MAKE-make} supports the include directive... " >&6; }
+cat > confinc.mk << 'END'
am__doit:
- @echo this is the am__doit target
+ @echo this is the am__doit target >confinc.out
.PHONY: am__doit
END
-# If we don't find an include directive, just comment out the code.
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for style of include used by $am_make" >&5
-$as_echo_n "checking for style of include used by $am_make... " >&6; }
am__include="#"
am__quote=
-_am_result=none
-# First try GNU make style include.
-echo "include confinc" > confmf
-# Ignore all kinds of additional output from 'make'.
-case `$am_make -s -f confmf 2> /dev/null` in #(
-*the\ am__doit\ target*)
- am__include=include
- am__quote=
- _am_result=GNU
- ;;
-esac
-# Now try BSD make style include.
-if test "$am__include" = "#"; then
- echo '.include "confinc"' > confmf
- case `$am_make -s -f confmf 2> /dev/null` in #(
- *the\ am__doit\ target*)
- am__include=.include
- am__quote="\""
- _am_result=BSD
+# BSD make does it like this.
+echo '.include "confinc.mk" # ignored' > confmf.BSD
+# Other make implementations (GNU, Solaris 10, AIX) do it like this.
+echo 'include confinc.mk # ignored' > confmf.GNU
+_am_result=no
+for s in GNU BSD; do
+ { echo "$as_me:$LINENO: ${MAKE-make} -f confmf.$s && cat confinc.out" >&5
+ (${MAKE-make} -f confmf.$s && cat confinc.out) >&5 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+ case $?:`cat confinc.out 2>/dev/null` in #(
+ '0:this is the am__doit target') :
+ case $s in #(
+ BSD) :
+ am__include='.include' am__quote='"' ;; #(
+ *) :
+ am__include='include' am__quote='' ;;
+esac ;; #(
+ *) :
;;
- esac
-fi
-
-
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $_am_result" >&5
-$as_echo "$_am_result" >&6; }
-rm -f confinc confmf
+esac
+ if test "$am__include" != "#"; then
+ _am_result="yes ($s style)"
+ break
+ fi
+done
+rm -f confinc.* confmf.*
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: ${_am_result}" >&5
+$as_echo "${_am_result}" >&6; }
# Check whether --enable-dependency-tracking was given.
if test "${enable_dependency_tracking+set}" = set; then :
@@ -7506,8 +7494,8 @@
done
-# SSL_set0_rbio(), SSL_set0_wbio() and OPENSSL_init_crypto() introduced OpenSSL v1.1.0
-for ac_func in SSL_set0_rbio OPENSSL_init_crypto
+# SSL_set0_rbio(), SSL_set0_wbio() OPENSSL_init_crypto() and TLS_method() introduced OpenSSL v1.1.0
+for ac_func in SSL_set0_rbio OPENSSL_init_crypto TLS_method
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -7520,19 +7508,62 @@
done
-# TLS_method() introduced OpenSSL v1.1.0
-for ac_func in TLS_method
-do :
- ac_fn_c_check_func "$LINENO" "TLS_method" "ac_cv_func_TLS_method"
-if test "x$ac_cv_func_TLS_method" = xyes; then :
- cat >>confdefs.h <<_ACEOF
-#define HAVE_TLS_METHOD 1
-_ACEOF
+# In OpenSSL v1.1.1 the call to SSL_CTX_new() fails if OPENSSL_init_crypto() has been called with
+# OPENSSL_INIT_NO_LOAD_CONFIG. It does not fail in v1.1.0h and v1.1.1b.
+if test .$ac_cv_func_OPENSSL_init_crypto = .yes; then :
+ if test .$ac_cv_func_TLS_method = .yes; then :
+ method_func=TLS_method
+else
+ method_func=SSLv23_method
fi
-done
+ if test "$cross_compiling" = yes; then :
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot determine if need to OPENSSL_init_crypto() problem. Assuming yes for safety." >&5
+$as_echo "$as_me: WARNING: Cannot determine if need to OPENSSL_init_crypto() problem. Assuming yes for safety." >&2;}
+ openssl_init_no_load_bug=1
+
+
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <openssl/ssl.h>
+int
+main ()
+{
+
+ const SSL_METHOD *meth;
+ SSL_CTX *ctx;
+
+ if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL))
+ return 1;
+ /* Initialize SSL context */
+ meth = $method_func();
+ if (!(ctx = SSL_CTX_new(meth)))
+ return 1;
+ return 0;
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+ openssl_init_no_load_bug=0
+else
+ openssl_init_no_load_bug=1
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+ if test $openssl_init_no_load_bug -eq 1; then :
+
+$as_echo "#define HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG 1 " >>confdefs.h
+
+fi
+
+fi
unset LIBS
if test $BUILD_GENHASH = No; then
@@ -12695,7 +12726,7 @@
#
# INIT-COMMANDS
#
-AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"
+AMDEP_TRUE="$AMDEP_TRUE" MAKE="${MAKE-make}"
_ACEOF
@@ -13322,29 +13353,35 @@
# Older Autoconf quotes --file arguments for eval, but not when files
# are listed without --file. Let's play safe and only enable the eval
# if we detect the quoting.
- case $CONFIG_FILES in
- *\'*) eval set x "$CONFIG_FILES" ;;
- *) set x $CONFIG_FILES ;;
- esac
+ # TODO: see whether this extra hack can be removed once we start
+ # requiring Autoconf 2.70 or later.
+ case $CONFIG_FILES in #(
+ *\'*) :
+ eval set x "$CONFIG_FILES" ;; #(
+ *) :
+ set x $CONFIG_FILES ;; #(
+ *) :
+ ;;
+esac
shift
- for mf
+ # Used to flag and report bootstrapping failures.
+ am_rc=0
+ for am_mf
do
# Strip MF so we end up with the name of the file.
- mf=`echo "$mf" | sed -e 's/:.*$//'`
- # Check whether this is an Automake generated Makefile or not.
- # We used to match only the files named 'Makefile.in', but
- # some people rename them; so instead we look at the file content.
- # Grep'ing the first line is not enough: some people post-process
- # each Makefile.in and add a new line on top of each file to say so.
- # Grep'ing the whole file is not good either: AIX grep has a line
+ am_mf=`$as_echo "$am_mf" | sed -e 's/:.*$//'`
+ # Check whether this is an Automake generated Makefile which includes
+ # dependency-tracking related rules and includes.
+ # Grep'ing the whole file directly is not great: AIX grep has a line
# limit of 2048, but all sed's we know have understand at least 4000.
- if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then
- dirpart=`$as_dirname -- "$mf" ||
-$as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
- X"$mf" : 'X\(//\)[^/]' \| \
- X"$mf" : 'X\(//\)$' \| \
- X"$mf" : 'X\(/\)' \| . 2>/dev/null ||
-$as_echo X"$mf" |
+ sed -n 's,^am--depfiles:.*,X,p' "$am_mf" | grep X >/dev/null 2>&1 \
+ || continue
+ am_dirpart=`$as_dirname -- "$am_mf" ||
+$as_expr X"$am_mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$am_mf" : 'X\(//\)[^/]' \| \
+ X"$am_mf" : 'X\(//\)$' \| \
+ X"$am_mf" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X"$am_mf" |
sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
s//\1/
q
@@ -13362,53 +13399,48 @@
q
}
s/.*/./; q'`
- else
- continue
- fi
- # Extract the definition of DEPDIR, am__include, and am__quote
- # from the Makefile without running 'make'.
- DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"`
- test -z "$DEPDIR" && continue
- am__include=`sed -n 's/^am__include = //p' < "$mf"`
- test -z "$am__include" && continue
- am__quote=`sed -n 's/^am__quote = //p' < "$mf"`
- # Find all dependency output files, they are included files with
- # $(DEPDIR) in their names. We invoke sed twice because it is the
- # simplest approach to changing $(DEPDIR) to its actual value in the
- # expansion.
- for file in `sed -n "
- s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \
- sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g'`; do
- # Make sure the directory exists.
- test -f "$dirpart/$file" && continue
- fdir=`$as_dirname -- "$file" ||
-$as_expr X"$file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
- X"$file" : 'X\(//\)[^/]' \| \
- X"$file" : 'X\(//\)$' \| \
- X"$file" : 'X\(/\)' \| . 2>/dev/null ||
-$as_echo X"$file" |
- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
- s//\1/
- q
- }
- /^X\(\/\/\)[^/].*/{
+ am_filepart=`$as_basename -- "$am_mf" ||
+$as_expr X/"$am_mf" : '.*/\([^/][^/]*\)/*$' \| \
+ X"$am_mf" : 'X\(//\)$' \| \
+ X"$am_mf" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X/"$am_mf" |
+ sed '/^.*\/\([^/][^/]*\)\/*$/{
s//\1/
q
}
- /^X\(\/\/\)$/{
+ /^X\/\(\/\/\)$/{
s//\1/
q
}
- /^X\(\/\).*/{
+ /^X\/\(\/\).*/{
s//\1/
q
}
s/.*/./; q'`
- as_dir=$dirpart/$fdir; as_fn_mkdir_p
- # echo "creating $dirpart/$file"
- echo '# dummy' > "$dirpart/$file"
- done
+ { echo "$as_me:$LINENO: cd "$am_dirpart" \
+ && sed -e '/# am--include-marker/d' "$am_filepart" \
+ | $MAKE -f - am--depfiles" >&5
+ (cd "$am_dirpart" \
+ && sed -e '/# am--include-marker/d' "$am_filepart" \
+ | $MAKE -f - am--depfiles) >&5 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } || am_rc=$?
done
+ if test $am_rc -ne 0; then
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "Something went wrong bootstrapping makefile fragments
+ for automatic dependency tracking. Try re-running configure with the
+ '--disable-dependency-tracking' option to at least be able to build
+ the package (albeit without support for automatic dependency tracking).
+See \`config.log' for more details" "$LINENO" 5; }
+ fi
+ { am_dirpart=; unset am_dirpart;}
+ { am_filepart=; unset am_filepart;}
+ { am_mf=; unset am_mf;}
+ { am_rc=; unset am_rc;}
+ rm -f conftest-deps.mk
}
;;


@ -1,81 +0,0 @@
From aeec0e2cda5c440fdd3c5bea20ed7567bea540e1 Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Tue, 12 Mar 2019 14:58:38 +0000
Subject: [PATCH 1/3] Fix OpenSSL init failure with OpenSSL v1.1.1
OpenSSL v1.1.1, but not v1.1.0h or v1.1.1b failed in SSL_CTX_new()
if OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) had previously
been called.
This commit doesn't call OPENSSL_init_crypto() if doing so causes
SSL_CTX_new() to fail.
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
---
configure.ac | 30 ++++++++++++++++++++++++++++++
keepalived/check/check_ssl.c | 6 ++++++
2 files changed, 36 insertions(+)
diff --git a/configure.ac b/configure.ac
index 89399ca3..504b9b92 100644
--- a/configure.ac
+++ b/configure.ac
@@ -819,6 +819,36 @@ AC_CHECK_FUNCS([SSL_set0_rbio OPENSSL_init_crypto])
# TLS_method() introduced OpenSSL v1.1.0
AC_CHECK_FUNCS([TLS_method])
+# In OpenSSL v1.1.1 the call to SSL_CTX_new() fails if OPENSSL_init_crypto() has been called with
+# OPENSSL_INIT_NO_LOAD_CONFIG. It does not fail in v1.1.0h and v1.1.1b.
+AS_IF([test .$ac_cv_func_OPENSSL_init_crypto = .yes -a .$ac_cv_func_TLS_method = .yes],
+ [
+ AC_RUN_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#include <openssl/ssl.h>]],
+ [[
+ const SSL_METHOD *meth;
+ SSL_CTX *ctx;
+
+ if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL))
+ return 1;
+
+ /* Initialize SSL context */
+ meth = TLS_method();
+ if (!(ctx = SSL_CTX_new(meth)))
+ return 1;
+ return 0;
+ ]])],
+ [openssl_init_no_load_bug=0],
+ [openssl_init_no_load_bug=1],
+ [
+ AC_MSG_WARN([Cannot determine if need to OPENSSL_init_crypto() problem. Assuming yes for safety.])
+ openssl_init_no_load_bug=1
+ ]
+ )
+ AS_IF([test $openssl_init_no_load_bug -eq 1],
+ [AC_DEFINE([HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG], [ 1 ], [Define to 1 if OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) bug)])])
+ ])
unset LIBS
if test $BUILD_GENHASH = No; then
diff --git a/keepalived/check/check_ssl.c b/keepalived/check/check_ssl.c
index 6bf6a005..2743ea87 100644
--- a/keepalived/check/check_ssl.c
+++ b/keepalived/check/check_ssl.c
@@ -69,8 +69,14 @@ build_ssl_ctx(void)
/* Library initialization */
#if HAVE_OPENSSL_INIT_CRYPTO
+#ifndef HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG
+ /* In OpenSSL v1.1.1 if the following is called, SSL_CTX_new() below fails.
+ * It works in v1.1.0h and v1.1.1b.
+ * It transpires that it works without setting NO_LOAD_CONFIG, but it is
+ * presumably more efficient not to load it. */
if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL))
log_message(LOG_INFO, "OPENSSL_init_crypto failed");
+#endif
#else
SSL_library_init();
SSL_load_error_strings();
--
2.20.1


@ -1,72 +0,0 @@
From 5e1a2130340ea4fabc4095b412c8b3836d112828 Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Wed, 13 Mar 2019 09:46:27 +0000
Subject: [PATCH 2/3] Fix genhash re OPENSSL_init_crypto bug and improve
configure.ac
Commit fe6d6ac (Fix OpenSSL init failure with OpenSSL v1.1.1) didn't
update the identical code in genhash/ssl.c. Also, an improvement for
the test in configure.ac was suggested.
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
---
configure.ac | 12 +++++-------
genhash/ssl.c | 6 ++++++
2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/configure.ac b/configure.ac
index 504b9b92..c964a11e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -813,16 +813,14 @@ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
# SSL_CTX_set_verify_depth() introduced OpenSSL v0.9.5a
AC_CHECK_FUNCS([SSL_CTX_set_verify_depth])
-# SSL_set0_rbio(), SSL_set0_wbio() and OPENSSL_init_crypto() introduced OpenSSL v1.1.0
-AC_CHECK_FUNCS([SSL_set0_rbio OPENSSL_init_crypto])
-
-# TLS_method() introduced OpenSSL v1.1.0
-AC_CHECK_FUNCS([TLS_method])
+# SSL_set0_rbio(), SSL_set0_wbio() OPENSSL_init_crypto() and TLS_method() introduced OpenSSL v1.1.0
+AC_CHECK_FUNCS([SSL_set0_rbio OPENSSL_init_crypto TLS_method])
# In OpenSSL v1.1.1 the call to SSL_CTX_new() fails if OPENSSL_init_crypto() has been called with
# OPENSSL_INIT_NO_LOAD_CONFIG. It does not fail in v1.1.0h and v1.1.1b.
-AS_IF([test .$ac_cv_func_OPENSSL_init_crypto = .yes -a .$ac_cv_func_TLS_method = .yes],
+AS_IF([test .$ac_cv_func_OPENSSL_init_crypto = .yes],
[
+ AS_IF([test .$ac_cv_func_TLS_method = .yes], [method_func=TLS_method], [method_func=SSLv23_method])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM(
[[#include <openssl/ssl.h>]],
@@ -834,7 +832,7 @@ AS_IF([test .$ac_cv_func_OPENSSL_init_crypto = .yes -a .$ac_cv_func_TLS_method =
return 1;
/* Initialize SSL context */
- meth = TLS_method();
+ meth = $method_func();
if (!(ctx = SSL_CTX_new(meth)))
return 1;
return 0;
diff --git a/genhash/ssl.c b/genhash/ssl.c
index 8e9162c8..96f51201 100644
--- a/genhash/ssl.c
+++ b/genhash/ssl.c
@@ -45,8 +45,14 @@ init_ssl(void)
{
/* Library initialization */
#if HAVE_OPENSSL_INIT_CRYPTO
+#ifndef HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG
+ /* In OpenSSL v1.1.1 if the following is called, SSL_CTX_new() below fails.
+ * It works in v1.1.0h and v1.1.1b.
+ * It transpires that it works without setting NO_LOAD_CONFIG, but it is
+ * presumably more efficient not to load it. */
if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL))
fprintf(stderr, "OPENSSL_init_crypto failed\n");
+#endif
#else
SSL_library_init();
SSL_load_error_strings();
--
2.20.1


@ -1,26 +0,0 @@
From fdb1739356f723a4e9e4f8b52c37d193a3a5c6e3 Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Tue, 27 Nov 2018 10:57:37 +0000
Subject: [PATCH] Fix segfault when smtp alerts configured
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
---
keepalived/core/global_data.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/keepalived/core/global_data.c b/keepalived/core/global_data.c
index 6e872dcf..cd381d9b 100644
--- a/keepalived/core/global_data.c
+++ b/keepalived/core/global_data.c
@@ -253,7 +253,7 @@ init_global_data(data_t * data, data_t *old_global_data)
if (!data->smtp_connection_to)
set_default_smtp_connection_timeout(data);
- if (strcmp(data->local_name, unknown_name)) {
+ if (data->local_name && strcmp(data->local_name, unknown_name)) {
if (!data->email_from)
set_default_email_from(data, data->local_name);
--
2.20.1


@ -1,39 +0,0 @@
From e91583fb20b584621dd48031bef68279945f7aa6 Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Tue, 20 Nov 2018 13:03:55 +0000
Subject: [PATCH] Fix double free when global data smtp_helo_name copied from
local_name
Issue #1071 identified a double free fault. It occurred when smtp_helo_name
was not set, in which case it was set to point to the same malloc'd memory
as local_name. At termination keepalived freed both local_name and
smtp_helo_name.
If keepalived needs to use local_name for smtp_helo_name it now malloc's
aadditional memory to copy the string into.
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
---
keepalived/core/global_data.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/keepalived/core/global_data.c b/keepalived/core/global_data.c
index cd381d9b..be9fecbd 100644
--- a/keepalived/core/global_data.c
+++ b/keepalived/core/global_data.c
@@ -257,8 +257,10 @@ init_global_data(data_t * data, data_t *old_global_data)
if (!data->email_from)
set_default_email_from(data, data->local_name);
- if (!data->smtp_helo_name)
- data->smtp_helo_name = data->local_name;
+ if (!data->smtp_helo_name) {
+ data->smtp_helo_name = MALLOC(strlen(data->local_name) + 1);
+ strcpy(data->smtp_helo_name, data->local_name);
+ }
}
}
--
2.20.1


@ -1,34 +0,0 @@
From 30eeb48b1a0737dc7443fd421fd6613e0d55fd17 Mon Sep 17 00:00:00 2001
From: "Z. Liu" <liuzx@knownsec.com>
Date: Tue, 18 Dec 2018 16:38:24 +0800
Subject: [PATCH] Also skip route not configured with down interface
Otherwise, if keepalived has virtual_routes configured, we create
a virtual interface and bring it up and down, current code will bring
VRRP state to FAULT and never return.
# ip tun add test mode ipip remote 10.0.0.1 local 10.0.0.2
# ip link set test up
# ip link set test down
---
keepalived/vrrp/vrrp_if.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/keepalived/vrrp/vrrp_if.c b/keepalived/vrrp/vrrp_if.c
index a2087ceb..6ae2666a 100644
--- a/keepalived/vrrp/vrrp_if.c
+++ b/keepalived/vrrp/vrrp_if.c
@@ -1051,7 +1051,9 @@ interface_down(interface_t *ifp)
/* Any route that has an oif will be tracking the interface,
* so we only need to check for routes that dont specify an
* oif */
- if (!route->oif && route->configured_ifindex != ifp->ifindex)
+ /* Don't track route if it's not configured with this down
+ * interface. */
+ if (!route->oif || route->configured_ifindex != ifp->ifindex)
continue;
route->set = false;
--
2.24.1


@ -1,62 +0,0 @@
From 21482202567979b8a17cc750b095272b3270ee76 Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Wed, 13 Nov 2019 10:37:38 +0000
Subject: [PATCH] Fix intermittent "child lost" messages
Issue #1364 identified that occassionaly a "child lost" message could
be logged. Although keepalived continued working as expected, the
"child lost" message indicated that something wasn't working properly.
If a vrrp track script had a timeout in the script that was the
same as the script timeout configured in keepalived, when the system
was heavily loaded it was possible for the timeout to occur, followed
by the termination before the timeout thread was run, in which case
the termination would be lost because the child thread was no longer
on the child_pid queue, but on the ready queue.
This commit leaves threads on the child_pid queue after a timeout, and
only removes it when the timeout thread is run. That means that if the
termination is received before the timeout thread is run, the thread
(now on the ready queue) can be updated to be a termination rather than
a timeout.
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
---
lib/scheduler.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/lib/scheduler.c b/lib/scheduler.c
index 0a1c334c..f6d9bad1 100644
--- a/lib/scheduler.c
+++ b/lib/scheduler.c
@@ -1708,6 +1708,14 @@ process_threads(thread_master_t *m)
* We only want timer and signal fd, and don't want inotify, vrrp socket,
* snmp_read, bfd_receiver, bfd pipe in vrrp/check, dbus pipe or netlink fds. */
thread = thread_trim_head(thread_list);
+
+ if (thread && thread->type == THREAD_CHILD_TIMEOUT) {
+ /* We remove the thread from the child_pid queue here so that
+ * if the termination arrives before we processed the timeout
+ * we can still handle the termination. */
+ rb_erase(&thread->rb_data, &master->child_pid);
+ }
+
if (!shutting_down ||
(thread->type == THREAD_READY_FD &&
(thread->u.fd == m->timer_fd || thread->u.fd == m->signal_fd)) ||
@@ -1773,6 +1781,12 @@ process_child_termination(pid_t pid, int status)
thread_add_terminate_event(m);
}
+ else if (thread->type == THREAD_CHILD_TIMEOUT) {
+ /* The child had been timed out, but we have not processed the timeout
+ * and it is still on the thread->ready queue. Since we have now got
+ * the termination, just handle the termination instead. */
+ thread->type = THREAD_CHILD_TERMINATED;
+ }
else
thread_move_ready(m, &m->child, thread, THREAD_CHILD_TERMINATED);
}
--
2.26.2


@ -9,8 +9,8 @@
Name: keepalived
Summary: High Availability monitor built upon LVS, VRRP and service pollers
Version: 2.0.10
Release: 11%{?dist}.1
Version: 2.1.5
Release: 6%{?dist}
License: GPLv2+
URL: http://www.keepalived.org/
Group: System Environment/Daemons
@ -18,16 +18,6 @@ Group: System Environment/Daemons
Source0: http://www.keepalived.org/software/keepalived-%{version}.tar.gz
Source1: keepalived.service
Patch1: bz1688892-fix-openssl-init-failure.patch
Patch2: bz1688892-fix-openssl-init-genhash.patch
Patch3: bz1688892-fix-openssl-init-config-check.patch
Patch4: bz1688892-fix-openssl-init-configure.patch
Patch5: bz1693706-fix-smtp-alerts-segfault.patch
Patch6: bz1693706-fix-smtp_helo_name-double-free.patch
Patch7: bz1792160-fix-fault-rename-interface.patch
Patch8: bz1683438-fix-vrrp_script-execution.patch
Patch9: bz1868077-fix-intermittent-child-lost-messages.patch
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
@ -62,15 +52,6 @@ infrastructures.
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%build
%configure \
@ -121,9 +102,13 @@ mkdir -p %{buildroot}%{_libexecdir}/keepalived
%{_mandir}/man8/keepalived.8*
%changelog
* Fri Oct 23 2020 Ryan O'Hara <rohara@redhat.com> - 2.0.10-11.1
- Fix intermittent child lost messages (#1890625)
* Tue Dec 15 2020 Ryan O'Hara <rohara@redhat.com> - 2.1.5-6
- Fix changelog
* Tue Oct 20 2020 Ryan O'Hara <rohara@redhat.com> - 2.1.5-5
- Update to 2.1.5 (#1889440)
- Fix intermittent child lost messages (#1868077)
* Tue Jun 16 2020 Ryan O'Hara <rohara@redhat.com> - 2.0.10-11
- Fix vrrp_script execution (#1683438)
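Review bot: The spec drops `Patch1` through `Patch9` and all nine `%patch` lines without recording anywhere that the 2.1.5 tarball already carries those fixes. The 2.1.5-5 changelog entry still lists "Fix intermittent child lost messages (#1868077)" although no patch applies it any more. Two of the removed patches are memory-safety fixes in `init_global_data` (the `local_name` NULL check and the `smtp_helo_name` double free), so an auditor has to diff against upstream to confirm nothing regressed. Once that is confirmed, I would add a changelog line such as `- Drop bz1688892, bz1693706, bz1792160, bz1683438 and bz1868077 patches (included in upstream 2.1.5)`. The patch dates shown here (2018–2019) suggest they predate 2.1.5, but the page itself does not establish it.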