diff --git a/001-rollup.patch b/001-rollup.patch new file mode 100644 index 0000000..33fc178 --- /dev/null +++ b/001-rollup.patch 
@@ -0,0 +1,877 @@ +From 8c2e95ab41ae11697ed08992c7687e68abd1d88d Mon Sep 17 00:00:00 2001 +From: Kazunori INOUE +Date: Wed, 12 May 2021 18:18:11 +0900 +Subject: [PATCH 01/11] Log: pcmk__pid_active: Lower the log level when + readlink() is EACCES + +--- + lib/common/pid.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/lib/common/pid.c b/lib/common/pid.c +index 90a24a6..2705228 100644 +--- a/lib/common/pid.c ++++ b/lib/common/pid.c +@@ -73,8 +73,13 @@ pcmk__pid_active(pid_t pid, const char *daemon) + rc = readlink(proc_path, exe_path, sizeof(exe_path) - 1); + if (rc < 0) { + if (last_asked_pid != pid) { +- crm_err("Could not read from %s: %s " CRM_XS " errno=%d", +- proc_path, strerror(errno), errno); ++ if (errno == EACCES) { ++ crm_info("Could not read from %s: %s " CRM_XS " errno=%d", ++ proc_path, strerror(errno), errno); ++ } else { ++ crm_err("Could not read from %s: %s " CRM_XS " errno=%d", ++ proc_path, strerror(errno), errno); ++ } + last_asked_pid = pid; + } + if ((errno == EACCES) && checked_through_kill) { +-- +1.8.3.1 + + +From 29e9e68498189f7b5fb2e6e42eec306962376c8c Mon Sep 17 00:00:00 2001 +From: Chris Lumens +Date: Thu, 20 May 2021 11:32:57 -0400 +Subject: [PATCH 02/11] Low: tools: Fix handling certain error codes in + crm_resource. + +It is possible, at the bottom of crm_resource, to end up in a situation +where rc is pcmk_rc_ok, but exit_code contains some error value. This +results in an error message like "Error performing operation: OK", which +is obviously terrible. + +The idea behind this fix is that when we get to the done label, we won't +use rc again. Any value contained in rc will have been converted to a +crm_exit_t beforehand, and so we only need to worry about exit_code when +doing the final error reporting. + +The way to accomplish this is that anywhere in the code that there's a +"goto done", we need to use pcmk_rc2exitc to make sure exit_code is set +correctly and just forget about rc. 
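Review bot: In the pcmk__pid_active hunk of lib/common/pid.c, `errno` is read again at `if ((errno == EACCES) && checked_through_kill)` after `strerror()` and the `crm_info()`/`crm_err()` call have run, and the new `if (errno == EACCES)` level check adds one more read. Whether the logging macros preserve `errno` is not visible here, so the value that selects the fallback path may no longer be the one `readlink()` set. I would capture it once with `int rl_errno = errno;` as the first statement inside `if (rc < 0) {`, then use `rl_errno` for the level check, the log arguments and the later `EACCES` test. The function body continues outside the hunk.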
And then throughout the big command +switch block, we use rc for just about everything and do the error code +conversion just before hitting the done label. + +There's one extra wrinkle here - ban_or_move needs to be checked for +whether it returned EINVAL or not. If so, that needs to be converted to +CRM_EX_USAGE prior to running pcmk_rc2exitc. That function will map +EINVAL to CRM_EX_SOFTWARE, which is not right. +--- + cts/cli/regression.acls.exp | 12 ++--- + cts/cli/regression.tools.exp | 7 ++- + tools/crm_resource.c | 125 +++++++++++++++++++++++-------------------- + 3 files changed, 77 insertions(+), 67 deletions(-) + +diff --git a/cts/cli/regression.acls.exp b/cts/cli/regression.acls.exp +index fa5ffee..b5630a1 100644 +--- a/cts/cli/regression.acls.exp ++++ b/cts/cli/regression.acls.exp +@@ -742,15 +742,15 @@ Call failed: Permission denied + =#=#=#= End test: root: Create a resource - OK (0) =#=#=#= + * Passed: cibadmin - root: Create a resource + =#=#=#= Begin test: l33t-haxor: Create a resource meta attribute =#=#=#= +-crm_resource: Error performing operation: Permission denied ++crm_resource: Error performing operation: Insufficient privileges + =#=#=#= End test: l33t-haxor: Create a resource meta attribute - Insufficient privileges (4) =#=#=#= + * Passed: crm_resource - l33t-haxor: Create a resource meta attribute + =#=#=#= Begin test: l33t-haxor: Query a resource meta attribute =#=#=#= +-crm_resource: Error performing operation: Permission denied ++crm_resource: Error performing operation: Insufficient privileges + =#=#=#= End test: l33t-haxor: Query a resource meta attribute - Insufficient privileges (4) =#=#=#= + * Passed: crm_resource - l33t-haxor: Query a resource meta attribute + =#=#=#= Begin test: l33t-haxor: Remove a resource meta attribute =#=#=#= +-crm_resource: Error performing operation: Permission denied ++crm_resource: Error performing operation: Insufficient privileges + =#=#=#= End test: l33t-haxor: Remove a resource meta attribute - 
Insufficient privileges (4) =#=#=#= + * Passed: crm_resource - l33t-haxor: Remove a resource meta attribute + =#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#= +@@ -2769,15 +2769,15 @@ Call failed: Permission denied + =#=#=#= End test: root: Create a resource - OK (0) =#=#=#= + * Passed: cibadmin - root: Create a resource + =#=#=#= Begin test: l33t-haxor: Create a resource meta attribute =#=#=#= +-crm_resource: Error performing operation: Permission denied ++crm_resource: Error performing operation: Insufficient privileges + =#=#=#= End test: l33t-haxor: Create a resource meta attribute - Insufficient privileges (4) =#=#=#= + * Passed: crm_resource - l33t-haxor: Create a resource meta attribute + =#=#=#= Begin test: l33t-haxor: Query a resource meta attribute =#=#=#= +-crm_resource: Error performing operation: Permission denied ++crm_resource: Error performing operation: Insufficient privileges + =#=#=#= End test: l33t-haxor: Query a resource meta attribute - Insufficient privileges (4) =#=#=#= + * Passed: crm_resource - l33t-haxor: Query a resource meta attribute + =#=#=#= Begin test: l33t-haxor: Remove a resource meta attribute =#=#=#= +-crm_resource: Error performing operation: Permission denied ++crm_resource: Error performing operation: Insufficient privileges + =#=#=#= End test: l33t-haxor: Remove a resource meta attribute - Insufficient privileges (4) =#=#=#= + * Passed: crm_resource - l33t-haxor: Remove a resource meta attribute + =#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#= +diff --git a/cts/cli/regression.tools.exp b/cts/cli/regression.tools.exp +index 3a3d8a9..5ce90e5 100644 +--- a/cts/cli/regression.tools.exp ++++ b/cts/cli/regression.tools.exp +@@ -979,7 +979,6 @@ Resource XML: + =#=#=#= Begin test: Require a destination when migrating a resource that is stopped =#=#=#= + crm_resource: Resource 'dummy' not moved: active in 0 locations. + To prevent 'dummy' from running on a specific location, specify a node. 
+-Error performing operation: Invalid argument + =#=#=#= Current cib after: Require a destination when migrating a resource that is stopped =#=#=#= + + +@@ -1019,7 +1018,7 @@ Error performing operation: Invalid argument + =#=#=#= End test: Require a destination when migrating a resource that is stopped - Incorrect usage (64) =#=#=#= + * Passed: crm_resource - Require a destination when migrating a resource that is stopped + =#=#=#= Begin test: Don't support migration to non-existent locations =#=#=#= +-crm_resource: Error performing operation: Node not found ++crm_resource: Error performing operation: No such object + =#=#=#= Current cib after: Don't support migration to non-existent locations =#=#=#= + + +@@ -1174,7 +1173,7 @@ Revised Cluster Status: + =#=#=#= End test: Bring resources online - OK (0) =#=#=#= + * Passed: crm_simulate - Bring resources online + =#=#=#= Begin test: Try to move a resource to its existing location =#=#=#= +-crm_resource: Error performing operation: Already in requested state ++crm_resource: Error performing operation: Requested item already exists + =#=#=#= Current cib after: Try to move a resource to its existing location =#=#=#= + + +@@ -1755,7 +1754,7 @@ true + =#=#=#= End test: Delete ticket standby state - OK (0) =#=#=#= + * Passed: crm_ticket - Delete ticket standby state + =#=#=#= Begin test: Ban a resource on unknown node =#=#=#= +-crm_resource: Error performing operation: Node not found ++crm_resource: Error performing operation: No such object + =#=#=#= Current cib after: Ban a resource on unknown node =#=#=#= + + +diff --git a/tools/crm_resource.c b/tools/crm_resource.c +index 3b58978..cc230d5 100644 +--- a/tools/crm_resource.c ++++ b/tools/crm_resource.c +@@ -952,8 +952,7 @@ why_cb(const gchar *option_name, const gchar *optarg, gpointer data, GError **er + } + + static int +-ban_or_move(pcmk__output_t *out, pe_resource_t *rsc, const char *move_lifetime, +- crm_exit_t *exit_code) ++ban_or_move(pcmk__output_t *out, 
pe_resource_t *rsc, const char *move_lifetime) + { + int rc = pcmk_rc_ok; + pe_node_t *current = NULL; +@@ -988,8 +987,7 @@ ban_or_move(pcmk__output_t *out, pe_resource_t *rsc, const char *move_lifetime, + + } else { + rc = EINVAL; +- *exit_code = CRM_EX_USAGE; +- g_set_error(&error, PCMK__EXITC_ERROR, *exit_code, ++ g_set_error(&error, PCMK__EXITC_ERROR, CRM_EX_USAGE, + "Resource '%s' not moved: active in %d locations (promoted in %d).\n" + "To prevent '%s' from running on a specific location, " + "specify a node." +@@ -1000,8 +998,7 @@ ban_or_move(pcmk__output_t *out, pe_resource_t *rsc, const char *move_lifetime, + + } else { + rc = EINVAL; +- *exit_code = CRM_EX_USAGE; +- g_set_error(&error, PCMK__EXITC_ERROR, *exit_code, ++ g_set_error(&error, PCMK__EXITC_ERROR, CRM_EX_USAGE, + "Resource '%s' not moved: active in %d locations.\n" + "To prevent '%s' from running on a specific location, " + "specify a node.", +@@ -1124,7 +1121,7 @@ delete(void) + } + + static int +-list_agents(pcmk__output_t *out, const char *agent_spec, crm_exit_t *exit_code) ++list_agents(pcmk__output_t *out, const char *agent_spec) + { + int rc = pcmk_rc_ok; + char *provider = strchr(agent_spec, ':'); +@@ -1144,12 +1141,11 @@ list_agents(pcmk__output_t *out, const char *agent_spec, crm_exit_t *exit_code) + } + + if (rc != pcmk_rc_ok) { +- *exit_code = CRM_EX_NOSUCH; + if (provider == NULL) { +- g_set_error(&error, PCMK__EXITC_ERROR, *exit_code, ++ g_set_error(&error, PCMK__RC_ERROR, rc, + "No agents found for standard '%s'", agent_spec); + } else { +- g_set_error(&error, PCMK__EXITC_ERROR, *exit_code, ++ g_set_error(&error, PCMK__RC_ERROR, rc, + "No agents found for standard '%s' and provider '%s'", + agent_spec, provider); + } +@@ -1160,7 +1156,7 @@ list_agents(pcmk__output_t *out, const char *agent_spec, crm_exit_t *exit_code) + } + + static int +-list_providers(pcmk__output_t *out, const char *agent_spec, crm_exit_t *exit_code) ++list_providers(pcmk__output_t *out, const char *agent_spec) 
+ { + int rc; + const char *text = NULL; +@@ -1202,23 +1198,20 @@ list_providers(pcmk__output_t *out, const char *agent_spec, crm_exit_t *exit_cod + text = "OCF providers"; + break; + default: +- *exit_code = CRM_EX_SOFTWARE; +- g_set_error(&error, PCMK__EXITC_ERROR, *exit_code, "Bug"); ++ g_set_error(&error, PCMK__RC_ERROR, pcmk_rc_error, "Bug"); + lrmd_api_delete(lrmd_conn); + return pcmk_rc_error; + } + + if (rc != pcmk_rc_ok) { + if (agent_spec != NULL) { +- *exit_code = CRM_EX_NOSUCH; +- rc = pcmk_rc_error; +- g_set_error(&error, PCMK__EXITC_ERROR, *exit_code, ++ rc = ENXIO; ++ g_set_error(&error, PCMK__RC_ERROR, rc, + "No %s found for %s", text, agent_spec); + + } else { +- *exit_code = CRM_EX_NOSUCH; +- rc = pcmk_rc_error; +- g_set_error(&error, PCMK__EXITC_ERROR, *exit_code, ++ rc = ENXIO; ++ g_set_error(&error, PCMK__RC_ERROR, rc, + "No %s found", text); + } + } +@@ -1343,7 +1336,7 @@ set_property(void) + } else if (pcmk__str_empty(options.prop_value)) { + g_set_error(&error, PCMK__EXITC_ERROR, CRM_EX_USAGE, + "Must supply -v with new value"); +- rc = EINVAL; ++ rc = ENXIO; + return rc; + } + +@@ -1362,7 +1355,7 @@ set_property(void) + } + + static int +-show_metadata(pcmk__output_t *out, const char *agent_spec, crm_exit_t *exit_code) ++show_metadata(pcmk__output_t *out, const char *agent_spec) + { + int rc = pcmk_rc_ok; + char *standard = NULL; +@@ -1383,8 +1376,7 @@ show_metadata(pcmk__output_t *out, const char *agent_spec, crm_exit_t *exit_code + if (metadata) { + out->output_xml(out, "metadata", metadata); + } else { +- *exit_code = crm_errno2exit(rc); +- g_set_error(&error, PCMK__EXITC_ERROR, *exit_code, ++ g_set_error(&error, PCMK__RC_ERROR, rc, + "Metadata query for %s failed: %s", + agent_spec, pcmk_rc_str(rc)); + } +@@ -1706,15 +1698,16 @@ main(int argc, char **argv) + if (options.require_cib) { + cib_conn = cib_new(); + if ((cib_conn == NULL) || (cib_conn->cmds == NULL)) { +- rc = pcmk_rc_error; +- g_set_error(&error, PCMK__EXITC_ERROR, 
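Review bot: In the set_property hunk of tools/crm_resource.c, the missing `-v` branch records the GError as `CRM_EX_USAGE` but now returns `ENXIO`. Patch 07's description says ENXIO maps to CRM_EX_NOSUCH, so the `pcmk_rc2exitc(rc)` conversion added at the end of main() would report a missing object, and the final "Error performing operation" text would be appended to what is a usage error. The `cmd_set_property` case is outside the visible hunks, so this is inferred; if it has no special handling, I would keep `rc = EINVAL;` here and give that case the same `if (rc == EINVAL) { exit_code = CRM_EX_USAGE; goto done; }` check that this patch adds for `cmd_move` and `cmd_ban`.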
CRM_EX_DISCONNECT, ++ exit_code = CRM_EX_DISCONNECT; ++ g_set_error(&error, PCMK__EXITC_ERROR, exit_code, + "Could not create CIB connection"); + goto done; + } + rc = cib_conn->cmds->signon(cib_conn, crm_system_name, cib_command); + rc = pcmk_legacy2rc(rc); + if (rc != pcmk_rc_ok) { +- g_set_error(&error, PCMK__RC_ERROR, rc, ++ exit_code = pcmk_rc2exitc(rc); ++ g_set_error(&error, PCMK__EXITC_ERROR, exit_code, + "Could not connect to the CIB: %s", pcmk_rc_str(rc)); + goto done; + } +@@ -1724,6 +1717,7 @@ main(int argc, char **argv) + if (options.require_dataset) { + rc = populate_working_set(&cib_xml_copy); + if (rc != pcmk_rc_ok) { ++ exit_code = pcmk_rc2exitc(rc); + goto done; + } + } +@@ -1733,8 +1727,8 @@ main(int argc, char **argv) + rsc = pe_find_resource_with_flags(data_set->resources, options.rsc_id, + options.find_flags); + if (rsc == NULL) { +- rc = ENXIO; +- g_set_error(&error, PCMK__RC_ERROR, rc, ++ exit_code = CRM_EX_NOSUCH; ++ g_set_error(&error, PCMK__EXITC_ERROR, exit_code, + "Resource '%s' not found", options.rsc_id); + goto done; + } +@@ -1749,7 +1743,8 @@ main(int argc, char **argv) + if (options.require_crmd) { + rc = pcmk_new_ipc_api(&controld_api, pcmk_ipc_controld); + if (rc != pcmk_rc_ok) { +- g_set_error(&error, PCMK__RC_ERROR, rc, ++ exit_code = pcmk_rc2exitc(rc); ++ g_set_error(&error, PCMK__EXITC_ERROR, exit_code, + "Error connecting to the controller: %s", pcmk_rc_str(rc)); + goto done; + } +@@ -1757,7 +1752,8 @@ main(int argc, char **argv) + NULL); + rc = pcmk_connect_ipc(controld_api, pcmk_ipc_dispatch_main); + if (rc != pcmk_rc_ok) { +- g_set_error(&error, PCMK__RC_ERROR, rc, ++ exit_code = pcmk_rc2exitc(rc); ++ g_set_error(&error, PCMK__EXITC_ERROR, exit_code, + "Error connecting to the controller: %s", pcmk_rc_str(rc)); + goto done; + } +@@ -1794,15 +1790,15 @@ main(int argc, char **argv) + case cmd_list_standards: + case cmd_list_providers: + case cmd_list_alternatives: +- rc = list_providers(out, options.agent_spec, &exit_code); 
++ rc = list_providers(out, options.agent_spec); + break; + + case cmd_list_agents: +- rc = list_agents(out, options.agent_spec, &exit_code); ++ rc = list_agents(out, options.agent_spec); + break; + + case cmd_metadata: +- rc = show_metadata(out, options.agent_spec, &exit_code); ++ rc = show_metadata(out, options.agent_spec); + break; + + case cmd_restart: +@@ -1835,7 +1831,7 @@ main(int argc, char **argv) + options.timeout_ms, cib_conn, data_set, + args->verbosity, options.force); + } +- break; ++ goto done; + + case cmd_digests: + node = pe_find_node(data_set->nodes, options.host_uname); +@@ -1918,7 +1914,7 @@ main(int argc, char **argv) + + case cmd_move: + if (options.host_uname == NULL) { +- rc = ban_or_move(out, rsc, options.move_lifetime, &exit_code); ++ rc = ban_or_move(out, rsc, options.move_lifetime); + } else { + rc = cli_resource_move(rsc, options.rsc_id, options.host_uname, + options.move_lifetime, cib_conn, +@@ -1926,11 +1922,17 @@ main(int argc, char **argv) + options.promoted_role_only, + options.force); + } ++ ++ if (rc == EINVAL) { ++ exit_code = CRM_EX_USAGE; ++ goto done; ++ } ++ + break; + + case cmd_ban: + if (options.host_uname == NULL) { +- rc = ban_or_move(out, rsc, options.move_lifetime, &exit_code); ++ rc = ban_or_move(out, rsc, options.move_lifetime); + } else if (node == NULL) { + rc = pcmk_rc_node_unknown; + } else { +@@ -1939,6 +1941,12 @@ main(int argc, char **argv) + options.cib_options, + options.promoted_role_only); + } ++ ++ if (rc == EINVAL) { ++ exit_code = CRM_EX_USAGE; ++ goto done; ++ } ++ + break; + + case cmd_get_property: +@@ -1990,9 +1998,9 @@ main(int argc, char **argv) + + case cmd_set_param: + if (pcmk__str_empty(options.prop_value)) { +- g_set_error(&error, PCMK__EXITC_ERROR, CRM_EX_USAGE, ++ exit_code = CRM_EX_USAGE; ++ g_set_error(&error, PCMK__EXITC_ERROR, exit_code, + "You need to supply a value with the -v option"); +- rc = EINVAL; + goto done; + } + +@@ -2045,10 +2053,19 @@ main(int argc, char **argv) + break; 
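Review bot: In the `cmd_move` hunk of main() (and the identical `cmd_ban` hunk after it), the new `if (rc == EINVAL)` check also catches EINVAL returned by `cli_resource_move()` / `cli_resource_ban()`, not only by `ban_or_move()`. The rewritten `done:` block adds no message when `exit_code == CRM_EX_USAGE`, so if either of those functions can return EINVAL without setting `error` (their bodies are not shown), the tool would exit with a usage status and print no explanation. Scoping the check to the `options.host_uname == NULL` branch, or adding a comment such as `/* every EINVAL path here must have set error */`, would make the assumption explicit.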
+ + default: +- exit_code = CRM_EX_SOFTWARE; ++ exit_code = CRM_EX_USAGE; + g_set_error(&error, PCMK__EXITC_ERROR, exit_code, + "Unimplemented command: %d", (int) options.rsc_cmd); +- break; ++ goto done; ++ } ++ ++ /* Convert rc into an exit code. */ ++ if (rc != pcmk_rc_ok && rc != pcmk_rc_no_output) { ++ if (rc == pcmk_rc_no_quorum) { ++ g_prefix_error(&error, "To ignore quorum, use the force option.\n"); ++ } ++ ++ exit_code = pcmk_rc2exitc(rc); + } + + /* +@@ -2056,32 +2073,26 @@ main(int argc, char **argv) + */ + + done: +- /* Don't do any of this for pcmk_rc_no_output (doesn't make sense to show an +- * error message for no output) or for CRM_EX_USAGE (we don't want to show +- * an "error: OK" message from pcmk_rc_str). ++ /* When we get here, exit_code has been set one of two ways - either at one of ++ * the spots where there's a "goto done" (which itself could have happened either ++ * directly or by calling pcmk_rc2exitc), or just up above after any of the break ++ * statements. ++ * ++ * Thus, we can use just exit_code here to decide what to do. 
+ */ +- if ((rc != pcmk_rc_ok && rc != pcmk_rc_no_output) || +- (exit_code != CRM_EX_OK && exit_code != CRM_EX_USAGE)) { +- if (rc == pcmk_rc_no_quorum) { +- g_prefix_error(&error, "To ignore quorum, use the force option.\n"); +- } +- ++ if (exit_code != CRM_EX_OK && exit_code != CRM_EX_USAGE) { + if (error != NULL) { + char *msg = crm_strdup_printf("%s\nError performing operation: %s", +- error->message, pcmk_rc_str(rc)); ++ error->message, crm_exit_str(exit_code)); + g_clear_error(&error); +- g_set_error(&error, PCMK__RC_ERROR, rc, "%s", msg); ++ g_set_error(&error, PCMK__EXITC_ERROR, exit_code, "%s", msg); + free(msg); + } else { +- g_set_error(&error, PCMK__RC_ERROR, rc, +- "Error performing operation: %s", pcmk_rc_str(rc)); ++ g_set_error(&error, PCMK__EXITC_ERROR, exit_code, ++ "Error performing operation: %s", crm_exit_str(exit_code)); + } + } + +- if (exit_code == CRM_EX_OK) { +- exit_code = pcmk_rc2exitc(rc); +- } +- + g_free(options.host_uname); + g_free(options.interval_spec); + g_free(options.move_lifetime); +-- +1.8.3.1 + + +From 83a194d5927f42386adf236542ce2b24d3cce18c Mon Sep 17 00:00:00 2001 +From: Ken Gaillot +Date: Thu, 20 May 2021 14:50:24 -0500 +Subject: [PATCH 03/11] Log: executor: log OCF resource agent search path at + start-up + +--- + daemons/execd/pacemaker-execd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/daemons/execd/pacemaker-execd.c b/daemons/execd/pacemaker-execd.c +index 718afe5..ad838b6 100644 +--- a/daemons/execd/pacemaker-execd.c ++++ b/daemons/execd/pacemaker-execd.c +@@ -525,6 +525,7 @@ main(int argc, char **argv, char **envp) + mainloop_add_signal(SIGTERM, lrmd_shutdown); + mainloop = g_main_loop_new(NULL, FALSE); + crm_notice("Pacemaker " EXECD_TYPE " executor successfully started and accepting connections"); ++ crm_notice("OCF resource agent search path is %s", OCF_RA_PATH); + g_main_loop_run(mainloop); + + /* should never get here */ +-- +1.8.3.1 + + +From fd44a0c5536f54fb2fa432e053d711a561b574a2 Mon Sep 17 
00:00:00 2001 +From: Ken Gaillot +Date: Thu, 20 May 2021 14:55:14 -0500 +Subject: [PATCH 05/11] Build: rpm: enable CIB secrets by default except on + certain distro versions + +--- + rpm/pacemaker.spec.in | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/rpm/pacemaker.spec.in b/rpm/pacemaker.spec.in +index f7bdc20..78f6807 100644 +--- a/rpm/pacemaker.spec.in ++++ b/rpm/pacemaker.spec.in +@@ -42,8 +42,12 @@ + ## Add option to enable support for stonith/external fencing agents + %bcond_with stonithd + +-## Add option to enable support for storing sensitive information outside CIB ++## Add option for whether to support storing sensitive information outside CIB ++%if (0%{?fedora} && 0%{?fedora} <= 33) || (0%{?rhel} && 0%{?rhel} <= 8) + %bcond_with cibsecrets ++%else ++%bcond_without cibsecrets ++%endif + + ## Add option to create binaries suitable for use with profiling tools + %bcond_with profiling +-- +1.8.3.1 + + +From 918c71c34b7220a3c82f90b7520ea58428da8d7b Mon Sep 17 00:00:00 2001 +From: Chris Lumens +Date: Tue, 25 May 2021 15:11:04 -0400 +Subject: [PATCH 06/11] Low: tools: Return ENOTUNIQ in find_resource_attr. + +We were returning EINVAL in the case where multiple attributes were +found with a given name, but there's a more fitting error code that can +be used. This also starts to take care of a bunch of other functions +that could be returning EINVAL due to calling find_resource_attr. 
+--- + tools/crm_resource_runtime.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/crm_resource_runtime.c b/tools/crm_resource_runtime.c +index fe0ec98..cf67203 100644 +--- a/tools/crm_resource_runtime.c ++++ b/tools/crm_resource_runtime.c +@@ -157,7 +157,7 @@ find_resource_attr(pcmk__output_t *out, cib_t * the_cib, const char *attr, + if (xml_has_children(xml_search)) { + xmlNode *child = NULL; + +- rc = EINVAL; ++ rc = ENOTUNIQ; + out->info(out, "Multiple attributes match name=%s", attr_name); + + for (child = pcmk__xml_first_child(xml_search); child != NULL; +-- +1.8.3.1 + + +From ba9c7a89c597779a2c6f175e39b4b8f21fe784de Mon Sep 17 00:00:00 2001 +From: Chris Lumens +Date: Tue, 25 May 2021 15:31:37 -0400 +Subject: [PATCH 07/11] Low: tools: Return ENXIO from show_metadata. + +We could be given a validly formatted but nonexistent resource spec, in +which case ENXIO seems like the most fitting error code. This maps to +CRM_EX_NOSUCH. Returning EINVAL will result in the user seeing an +internal software error message. +--- + tools/crm_resource.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/tools/crm_resource.c b/tools/crm_resource.c +index cc230d5..83389b5 100644 +--- a/tools/crm_resource.c ++++ b/tools/crm_resource.c +@@ -1376,6 +1376,12 @@ show_metadata(pcmk__output_t *out, const char *agent_spec) + if (metadata) { + out->output_xml(out, "metadata", metadata); + } else { ++ /* We were given a validly formatted spec, but it doesn't necessarily ++ * match up with anything that exists. Use ENXIO as the return code ++ * here because that maps to an exit code of CRM_EX_NOSUCH, which ++ * probably is the most common reason to get here. 
++ */ ++ rc = ENXIO; + g_set_error(&error, PCMK__RC_ERROR, rc, + "Metadata query for %s failed: %s", + agent_spec, pcmk_rc_str(rc)); +-- +1.8.3.1 + + +From dea4562594cb21900bbda66be87e6686d5b4418b Mon Sep 17 00:00:00 2001 +From: Ken Gaillot +Date: Wed, 26 May 2021 11:43:05 -0500 +Subject: [PATCH 08/11] Build: configure: make stack protection message more + readable + +... and structure the code so it's easier to add more hardening options +--- + configure.ac | 29 ++++++++++++++++++++--------- + 1 file changed, 20 insertions(+), 9 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 5743087..610393e 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1808,6 +1808,7 @@ AS_CASE([$enable_hardening], + relro=0 + pie=0 + bindnow=0 ++ stackprot="none" + # daemons incl. libs: partial RELRO + flag="-Wl,-z,relro" + CC_CHECK_LDFLAGS(["${flag}"], +@@ -1855,20 +1856,30 @@ AS_CASE([$enable_hardening], + # universal: prefer strong > all > default stack protector if possible + flag= + AS_IF([cc_supports_flag -fstack-protector-strong], +- [flag="-fstack-protector-strong"], ++ [ ++ flag="-fstack-protector-strong" ++ stackprot="strong" ++ ], + [cc_supports_flag -fstack-protector-all], +- [flag="-fstack-protector-all"], ++ [ ++ flag="-fstack-protector-all" ++ stackprot="all" ++ ], + [cc_supports_flag -fstack-protector], +- [flag="-fstack-protector"] +- ) +- AS_IF([test -n "${flag}"], + [ +- CC_EXTRAS="${CC_EXTRAS} ${flag}" +- stackprot=1 ++ flag="-fstack-protector" ++ stackprot="default" + ] + ) +- AS_IF([test "${relro}" = 1 || test "${pie}" = 1 || test "${stackprot}" = 1], +- [AC_MSG_NOTICE([Hardening: relro=${relro} pie=${pie} bindnow=${bindnow} stackprot=${flag}])], ++ AS_IF([test -n "${flag}"], [CC_EXTRAS="${CC_EXTRAS} ${flag}"]) ++ # Log a summary ++ AS_IF([test "${relro}" = 1 || test "${pie}" = 1 || test "${stackprot}" != "none"], ++ [AC_MSG_NOTICE(m4_normalize([Hardening: ++ relro=${relro} ++ pie=${pie} ++ bindnow=${bindnow} ++ stackprot=${stackprot}])) ++ ], + 
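Review bot: In the show_metadata hunk of patch 07, `rc = ENXIO;` is assigned before `g_set_error()` formats `pcmk_rc_str(rc)`, so the message always carries the ENXIO text and the code returned by the metadata query is lost. The added comment itself says a nonexistent agent is only "probably" the most common reason to get here, so a connection or timeout failure would be reported to the operator as a missing object. I would keep the original value for the message and override only the returned code: `g_set_error(&error, PCMK__RC_ERROR, ENXIO, "Metadata query for %s failed: %s", agent_spec, pcmk_rc_str(rc));` followed by `rc = ENXIO;`. The function body continues outside the hunk.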
[AC_MSG_WARN([Hardening: no suitable features in the toolchain detected])] + ) + ], +-- +1.8.3.1 + + +From 884dc490c5261990cd3251e4ffcb4639384b753b Mon Sep 17 00:00:00 2001 +From: Ken Gaillot +Date: Wed, 26 May 2021 11:56:24 -0500 +Subject: [PATCH 09/11] Build: configure: add stack clash protection to + hardening flags + +... by default, if supported by the compiler +--- + configure.ac | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/configure.ac b/configure.ac +index 610393e..54fd913 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1872,6 +1872,16 @@ AS_CASE([$enable_hardening], + ] + ) + AS_IF([test -n "${flag}"], [CC_EXTRAS="${CC_EXTRAS} ${flag}"]) ++ # universal: enable stack clash protection if possible ++ AS_IF([cc_supports_flag -fstack-clash-protection], ++ [ ++ CC_EXTRAS="${CC_EXTRAS} -fstack-clash-protection" ++ AS_IF([test "${stackprot}" = "none"], ++ [stackprot="clash-only"], ++ [stackprot="${stackprot}+clash"] ++ ) ++ ] ++ ) + # Log a summary + AS_IF([test "${relro}" = 1 || test "${pie}" = 1 || test "${stackprot}" != "none"], + [AC_MSG_NOTICE(m4_normalize([Hardening: +-- +1.8.3.1 + + +From 59e7363ea845887521076e38b04276d694985af9 Mon Sep 17 00:00:00 2001 +From: Ken Gaillot +Date: Wed, 26 May 2021 12:16:25 -0500 +Subject: [PATCH 10/11] Build: rpm: respect prefix when installing resource + agents + +This defines a new user-overridable global ocf_root that defaults to +%{_prefix}/lib/ocf, used where /usr/lib/ocf was hardcoded previously, +and passed to the configure script's --with-ocfdir option. 
+--- + rpm/pacemaker.spec.in | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/rpm/pacemaker.spec.in b/rpm/pacemaker.spec.in +index 78f6807..dbe1b58 100644 +--- a/rpm/pacemaker.spec.in ++++ b/rpm/pacemaker.spec.in +@@ -22,6 +22,9 @@ + ## Where bug reports should be submitted + ## Leave bug_url undefined to use ClusterLabs default, others define it here + ++## What to use as the OCF resource agent root directory ++%global ocf_root %{_prefix}/lib/ocf ++ + ## Upstream pacemaker version, and its package version (specversion + ## can be incremented to build packages reliably considered "newer" + ## than previously built packages with the same pcmkversion) +@@ -498,6 +501,7 @@ export LDFLAGS_HARDENED_LIB="%{?_hardening_ldflags}" + %{?with_sbd_sync: --with-sbd-sync-default="true"} \ + %{?gnutls_priorities: --with-gnutls-priorities="%{gnutls_priorities}"} \ + %{?bug_url: --with-bug-url=%{bug_url}} \ ++ %{?ocf_root: --with-ocfdir=%{ocf_root}} \ + %{?concurrent_fencing} \ + %{?resource_stickiness} \ + %{?compat20} \ +@@ -731,9 +735,9 @@ exit 0 + + %dir %attr (750, %{uname}, %{gname}) %{_var}/lib/pacemaker/cib + %dir %attr (750, %{uname}, %{gname}) %{_var}/lib/pacemaker/pengine +-/usr/lib/ocf/resource.d/pacemaker/controld +-/usr/lib/ocf/resource.d/pacemaker/o2cb +-/usr/lib/ocf/resource.d/pacemaker/remote ++%{ocf_root}/resource.d/pacemaker/controld ++%{ocf_root}/resource.d/pacemaker/o2cb ++%{ocf_root}/resource.d/pacemaker/remote + + %if %{with upstart_job} + %config(noreplace) %{_sysconfdir}/init/pacemaker.conf +@@ -780,13 +784,13 @@ exit 0 + # XXX "dirname" is not owned by any prerequisite + %{_datadir}/snmp/mibs/PCMK-MIB.txt + +-%exclude /usr/lib/ocf/resource.d/pacemaker/controld +-%exclude /usr/lib/ocf/resource.d/pacemaker/o2cb +-%exclude /usr/lib/ocf/resource.d/pacemaker/remote ++%exclude %{ocf_root}/resource.d/pacemaker/controld ++%exclude %{ocf_root}/resource.d/pacemaker/o2cb ++%exclude %{ocf_root}/resource.d/pacemaker/remote 
+ +-%dir /usr/lib/ocf +-%dir /usr/lib/ocf/resource.d +-/usr/lib/ocf/resource.d/pacemaker ++%dir %{ocf_root} ++%dir %{ocf_root}/resource.d ++%{ocf_root}/resource.d/pacemaker + + %doc %{_mandir}/man7/* + %exclude %{_mandir}/man7/pacemaker-controld.* +-- +1.8.3.1 + + +From 83da5ba61728064ecf24560cca27efc14ad67eff Mon Sep 17 00:00:00 2001 +From: Ken Gaillot +Date: Wed, 26 May 2021 12:34:49 -0500 +Subject: [PATCH 11/11] Doc: Pacemaker Development,README: update outdated URLs + +Also, reference the new ClusterLabs wiki page created for IRC channel details +instead of IRC directly, so references to the channel don't have to be updated +anytime something changes. +--- + README.markdown | 12 ++++++------ + doc/crm_fencing.txt | 4 ++-- + doc/sphinx/Pacemaker_Development/faq.rst | 4 ++-- + doc/sphinx/conf.py.in | 2 +- + extra/cluster-init | 2 +- + 5 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/README.markdown b/README.markdown +index 2ae7ae6..480b098 100644 +--- a/README.markdown ++++ b/README.markdown +@@ -13,7 +13,7 @@ resource health. + + ## Who is Pacemaker? + +-Pacemaker is distributed by [ClusterLabs](http://www.clusterlabs.org). ++Pacemaker is distributed by [ClusterLabs](https://www.clusterlabs.org/). + + Pacemaker was initially created by main architect and lead developer + Andrew Beekhof , with the aid of +@@ -69,8 +69,8 @@ See [CONTRIBUTING.md](https://github.com/ClusterLabs/pacemaker/blob/master/CONTR + + ## Where can I find more information about Pacemaker? 
+ +-* [ClusterLabs website](http://www.clusterlabs.org/) +-* [Documentation](http://www.clusterlabs.org/doc/) +-* [Issues/Bugs](http://bugs.clusterlabs.org/) +-* Mailing lists for [users](http://oss.clusterlabs.org/mailman/listinfo/users) and [developers](http://oss.clusterlabs.org/mailman/listinfo/developers) +-* #clusterlabs IRC channel on [freenode](http://freenode.net/) ++* [ClusterLabs website](https://www.clusterlabs.org/) ++* [Documentation](https://www.clusterlabs.org/pacemaker/doc/) ++* [Issues/Bugs](https://bugs.clusterlabs.org/) ++* [Mailing lists](https://wiki.clusterlabs.org/wiki/Mailing_lists) for users and developers ++* [ClusterLabs IRC channel](https://wiki.clusterlabs.org/wiki/ClusterLabs_IRC_channel) +diff --git a/doc/crm_fencing.txt b/doc/crm_fencing.txt +index 22be35e..eb706c4 100644 +--- a/doc/crm_fencing.txt ++++ b/doc/crm_fencing.txt +@@ -432,8 +432,8 @@ the CIB. + + http://www.linux-ha.org/wiki/STONITH + +-http://www.clusterlabs.org/doc/crm_fencing.html ++https://www.clusterlabs.org/doc/crm_fencing.html + +-http://www.clusterlabs.org/doc/en-US/Pacemaker/1.0/html/Pacemaker_Explained ++https://www.clusterlabs.org/pacemaker/doc/en-US/Pacemaker/2.0/html/Pacemaker_Explained/ + + http://techthoughts.typepad.com/managing_computers/2007/10/split-brain-quo.html +diff --git a/doc/sphinx/Pacemaker_Development/faq.rst b/doc/sphinx/Pacemaker_Development/faq.rst +index 749c2e0..729c244 100644 +--- a/doc/sphinx/Pacemaker_Development/faq.rst ++++ b/doc/sphinx/Pacemaker_Development/faq.rst +@@ -159,5 +159,5 @@ Frequently Asked Questions + mailing list for development-related questions, or on the + `users@ClusterLabs.org `_ + mailing list for general questions about using Pacemaker. +- Developers often also hang out on `freenode's `_ +- #clusterlabs IRC channel. ++ Developers often also hang out on the ++ [ClusterLabs IRC channel](https://wiki.clusterlabs.org/wiki/ClusterLabs_IRC_channel). 
+diff --git a/doc/sphinx/conf.py.in b/doc/sphinx/conf.py.in +index d181147..9da32d5 100644 +--- a/doc/sphinx/conf.py.in ++++ b/doc/sphinx/conf.py.in +@@ -282,7 +282,7 @@ epub_scheme = 'URL' + + # The unique identifier of the text. This can be a ISBN number + # or the project homepage. +-epub_identifier = 'http://www.clusterlabs.org/pacemaker/doc/2.0/%BOOK_ID%/epub/%BOOK_ID%.epub' ++epub_identifier = 'https://www.clusterlabs.org/pacemaker/doc/2.0/%BOOK_ID%/epub/%BOOK_ID%.epub' + + # A unique identification for the text. + epub_uid = 'ClusterLabs.org-Pacemaker-%BOOK_ID%' +diff --git a/extra/cluster-init b/extra/cluster-init +index 52949f6..aca7489 100755 +--- a/extra/cluster-init ++++ b/extra/cluster-init +@@ -378,7 +378,7 @@ case $INSTALL in + info Configuring Clusterlabs repo: $REPO + yum install -y wget + rm -f /etc/yum.repos.d/clusterlabs.repo +- wget -O /etc/yum.repos.d/clusterlabs.repo http://www.clusterlabs.org/$REPO/clusterlabs.repo &>/dev/null ++ wget -O /etc/yum.repos.d/clusterlabs.repo https://www.clusterlabs.org/$REPO/clusterlabs.repo &>/dev/null + yum clean all + fi + +-- +1.8.3.1 + diff --git a/001-ping-agent.patch b/002-ping-agent.patch similarity index 100% rename from 001-ping-agent.patch rename to 002-ping-agent.patch diff --git a/002-pacemakerd-options.patch b/003-pacemakerd-options.patch similarity index 100% rename from 002-pacemakerd-options.patch rename to 003-pacemakerd-options.patch diff --git a/003-pacemakerd-output.patch b/004-pacemakerd-output.patch similarity index 100% rename from 003-pacemakerd-output.patch rename to 004-pacemakerd-output.patch diff --git a/004-check-level.patch b/005-check-level.patch similarity index 99% rename from 004-check-level.patch rename to 005-check-level.patch index 369c15c..f2abb5f 100644 --- a/004-check-level.patch +++ b/005-check-level.patch @@ -100,7 +100,7 @@ index 45db2b2..6ca96f8 100644 - args->verbosity, options.force); + args->verbosity, options.force, options.check_level); } - break; + goto done; 
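Review bot: In the extra/cluster-init hunk, the `wget` that fetches clusterlabs.repo still sends all output to /dev/null via `&>/dev/null` and its exit status is never checked. Now that the URL is https, a certificate or TLS failure (or a 404) leaves an empty or partial `/etc/yum.repos.d/clusterlabs.repo`, and the script goes straight on to `yum clean all`. Since that file defines a package source for the host, I would fail loudly instead, for example by appending `|| { info "Could not download clusterlabs.repo"; exit 1; }`, and quote the URL as `"https://www.clusterlabs.org/$REPO/clusterlabs.repo"`. The enclosing `case` block starts and ends outside the hunk.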
diff --git a/tools/crm_resource.h b/tools/crm_resource.h index 3560377..5ab10d6 100644 diff --git a/pacemaker.spec b/pacemaker.spec index a45809f..3e567a8 100644 --- a/pacemaker.spec +++ b/pacemaker.spec @@ -25,11 +25,14 @@ %endif %endif +## What to use as the OCF resource agent root directory +%global ocf_root %{_prefix}/lib/ocf + ## Upstream pacemaker version, and its package version (specversion ## can be incremented to build packages reliably considered "newer" ## than previously built packages with the same pcmkversion) %global pcmkversion 2.1.0 -%global specversion 1 +%global specversion 2 ## Upstream commit (full commit ID, abbreviated commit ID, or tag) to build %global commit 4edf50cc97b29f0bb6a62bd449027327fbe9c882 @@ -73,7 +76,7 @@ ## to synchronization improves safety, without requiring higher-level tools ## to be aware of the setting or requiring users to modify configurations ## after upgrading to versions that support synchronization. -%if 0%{?rhel} +%if 0%{?rhel} && 0%{?rhel} > 8 %bcond_without sbd_sync %else %bcond_with sbd_sync @@ -232,10 +235,11 @@ Source0: https://codeload.github.com/%{github_owner}/%{name}/tar.gz/%{arch Source1: https://codeload.github.com/%{github_owner}/%{nagios_name}/tar.gz/%{nagios_archive_github_url} # upstream commits -Patch1: 001-ping-agent.patch -Patch2: 002-pacemakerd-options.patch -Patch3: 003-pacemakerd-output.patch -Patch4: 004-check-level.patch +Patch1: 001-rollup.patch +Patch2: 002-ping-agent.patch +Patch3: 003-pacemakerd-options.patch +Patch4: 004-pacemakerd-output.patch +Patch5: 005-check-level.patch Requires: resource-agents Requires: %{pkgname_pcmk_libs}%{?_isa} = %{version}-%{release} @@ -288,9 +292,6 @@ BuildRequires: %{pkgname_glue_libs}-devel BuildRequires: asciidoc inkscape %{python_name}-sphinx %endif -# RH patches are created by git, so we need git to apply them -BuildRequires: git - Provides: pcmk-cluster-manager = %{version}-%{release} Provides: pcmk-cluster-manager%{?_isa} = %{version}-%{release} 
@@ -671,8 +672,8 @@ exit 0 %dir %attr (750, %{uname}, %{gname}) %{_var}/lib/pacemaker/cib %dir %attr (750, %{uname}, %{gname}) %{_var}/lib/pacemaker/pengine -/usr/lib/ocf/resource.d/pacemaker/controld -/usr/lib/ocf/resource.d/pacemaker/remote +%{ocf_root}/resource.d/pacemaker/controld +%{ocf_root}/resource.d/pacemaker/remote %files cli %dir %attr (750, root, %{gname}) %{_sysconfdir}/pacemaker @@ -708,13 +709,13 @@ exit 0 # XXX "dirname" is not owned by any prerequisite %{_datadir}/snmp/mibs/PCMK-MIB.txt -%exclude /usr/lib/ocf/resource.d/pacemaker/controld -%exclude /usr/lib/ocf/resource.d/pacemaker/o2cb -%exclude /usr/lib/ocf/resource.d/pacemaker/remote +%exclude %{ocf_root}/resource.d/pacemaker/controld +%exclude %{ocf_root}/resource.d/pacemaker/o2cb +%exclude %{ocf_root}/resource.d/pacemaker/remote -%dir /usr/lib/ocf -%dir /usr/lib/ocf/resource.d -/usr/lib/ocf/resource.d/pacemaker +%dir %{ocf_root} +%dir %{ocf_root}/resource.d +%{ocf_root}/resource.d/pacemaker %doc %{_mandir}/man7/* %exclude %{_mandir}/man7/pacemaker-controld.* @@ -768,9 +769,7 @@ exit 0 %{_unitdir}/pacemaker_remote.service %{_sbindir}/pacemaker-remoted -%if %{with legacy_links} %{_sbindir}/pacemaker_remoted -%endif %{_mandir}/man8/pacemaker-remoted.* %license licenses/GPLv2 %doc COPYING @@ -817,9 +816,13 @@ exit 0 %license %{nagios_name}-%{nagios_hash}/COPYING %changelog +* Wed May 26 2021 Ken Gaillot - 2.1.0-2 +- Include recent post-rc2 fixes with rebase +- Resolves: rhbz1936023 + * Wed May 12 2021 Ken Gaillot - 2.1.0-1 - Default resource-stickiness to 1 in newly created clusters -- Rebase on upstream 2.1.0 release +- Rebase on upstream 2.1.0-rc2 release - Resolves: rhbz1850145 - Resolves: rhbz1936023
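Review bot: In the pacemaker.spec hunk at `@@ -768,9 +769,7 @@`, `%{_sbindir}/pacemaker_remoted` is now listed unconditionally because the `%if %{with legacy_links}` guard around it was removed. If the `legacy_links` build conditional still exists elsewhere in the spec and controls whether that link is installed (not visible in these hunks), a build with it disabled would fail in `%files` on a missing file. Either drop the conditional everywhere in the same change or keep the guard; a `%changelog` line noting that the legacy name is always shipped would also help.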