From 2f533e1db342a28cdaba2c555f538fb6e085db41 Mon Sep 17 00:00:00 2001 From: Oyvind Albrigtsen Date: Tue, 22 Apr 2025 15:52:23 +0200 Subject: [PATCH] - Filesystem: add support for aznfs - crypt: new resource agent Resolves: RHEL-88042, RHEL-13089 --- ...d-tang-clevis-support-and-fix-issues.patch | 317 ++++++++++++++++++ resource-agents.spec | 10 +- 2 files changed, 326 insertions(+), 1 deletion(-) create mode 100644 RHEL-13089-crypt-add-tang-clevis-support-and-fix-issues.patch diff --git a/RHEL-13089-crypt-add-tang-clevis-support-and-fix-issues.patch b/RHEL-13089-crypt-add-tang-clevis-support-and-fix-issues.patch new file mode 100644 index 0000000..d3f8e70 --- /dev/null +++ b/RHEL-13089-crypt-add-tang-clevis-support-and-fix-issues.patch 
@@ -0,0 +1,317 @@ +From ba5737a659be55a5e88f2cadcec867b00b8a53be Mon Sep 17 00:00:00 2001 +From: Lloyd Brown +Date: Fri, 4 Jun 2021 08:58:25 -0600 +Subject: [PATCH 1/3] initial pass on supporting clevis-unlocked volumes + +--- + heartbeat/crypt | 26 ++++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +diff --git a/heartbeat/crypt b/heartbeat/crypt +index 56db379666..ab9d686b04 100755 +--- a/heartbeat/crypt ++++ b/heartbeat/crypt +@@ -37,12 +37,14 @@ OCF_RESKEY_crypt_dev_default="" + OCF_RESKEY_key_file_default="" + OCF_RESKEY_crypt_type_default="" + OCF_RESKEY_force_stop_default="false" ++OCF_RESKEY_use_clevis_default="false" + + : ${OCF_RESKEY_encrypted_dev=${OCF_RESKEY_encrypted_dev_default}} + : ${OCF_RESKEY_crypt_dev=${OCF_RESKEY_crypt_dev_default}} + : ${OCF_RESKEY_key_file=${OCF_RESKEY_key_file_default}} + : ${OCF_RESKEY_crypt_type=${OCF_RESKEY_crypt_type_default}} + : ${OCF_RESKEY_force_stop=${OCF_RESKEY_force_stop_default}} ++: ${OCF_RESKEY_use_clevis=${OCF_RESKEY_use_clevis_default}} + + ####################################################################### + +@@ -122,6 +124,16 @@ will fail and the node will be fenced. + + + ++ ++ ++If LUKS volume is set up to unlock automatically using Tang/Clevis, ++then set this parameter to "true". This has the side-effect of ignoring ++the "key_file", "disable_locks" and "crypt_type" parameters. ++ ++use clevis tools to unlock volume ++ ++ ++ + + + +@@ -153,12 +165,17 @@ crypt_dev_path="/dev/mapper/$crypt_dev" + key_file="${OCF_RESKEY_key_file}" + crypt_type="${OCF_RESKEY_crypt_type}" + force_stop="${OCF_RESKEY_force_stop}" ++use_clevis="${OCF_RESKEY_use_clevis}" + + crypt_validate_all() { + if ! have_binary cryptsetup; then + ocf_exit_reason "Please install cryptsetup(8)" + return $OCF_ERR_INSTALLED + fi ++ if ocf_is_true "$use_clevis" && ! 
have_binary clevis ; then ++ ocf_exit_reason "Please install clevis tools" ++ return $OCF_ERR_INSTALLED ++ fi + if [ -z "$encrypted_dev" ]; then + ocf_exit_reason "Undefined OCF_RESKEY_encrypted_dev" + return $OCF_ERR_CONFIGURED +@@ -250,8 +267,13 @@ crypt_stop_one() { + crypt_start() { + local rc + +- cryptsetup open $encrypted_dev $crypt_dev --type $crypt_type $disable_locks --key-file=$key_file +- rc=$? ++ if ocf_is_true "$use_clevis"; then ++ clevis luks unlock -d $encrypted_dev -n $crypt_dev ++ rc=$? ++ else ++ cryptsetup open $encrypted_dev $crypt_dev --type $crypt_type $disable_locks --key-file=$key_file ++ rc=$? ++ fi + if [ $rc -eq 0 ];then + crypt_monitor + rc=$? + +From 7419b629429edacd16493a3baaca2c5481467bc5 Mon Sep 17 00:00:00 2001 +From: Lloyd Brown +Date: Mon, 7 Jun 2021 08:40:41 -0600 +Subject: [PATCH 2/3] Attempting to detect clevis automatically + +--- + heartbeat/crypt | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/heartbeat/crypt b/heartbeat/crypt +index ab9d686b04..0b184305e8 100755 +--- a/heartbeat/crypt ++++ b/heartbeat/crypt +@@ -227,6 +227,19 @@ crypt_validate_all() { + return $OCF_SUCCESS + } + ++ ++detect_clevis() { ++ if ! have_binary clevis; then ++ use_clevis="false" #We can't use clevis, if we don't have it installed ++ elif ! ocf_is_true "$use_clevis"; then #if not already specified by user to use clevis ++ #Try to detect whether clevis is available ++ if clevis luks list -d $encrypted_dev | grep -q '^[[:digit:]]\+:'; then ++ use_clevis="true" #if grep finds output that matches, we have clevis, therefore use it ++ fi ++ fi ++} ++ ++ + get_users_pids() { + ocf_log debug "running lsof to list \"$crypt_dev\" users..." + ocf_run -warn 'lsof $crypt_dev_path | tail -n +2 | awk "{print $2}" | sort -u' +@@ -266,7 +279,8 @@ crypt_stop_one() { + # + crypt_start() { + local rc +- ++ detect_clevis ++ + if ocf_is_true "$use_clevis"; then + clevis luks unlock -d $encrypted_dev -n $crypt_dev + rc=$? 
+ +From c35a3d14656a7c52f32126b7646f4a78f2b33dff Mon Sep 17 00:00:00 2001 +From: Oyvind Albrigtsen +Date: Thu, 27 Feb 2025 15:00:17 +0100 +Subject: [PATCH 3/3] crypt: fixes to validate-action and to avoid running as a + cloned resource + +--- + heartbeat/crypt | 67 ++++++++++++++++++++++++++----------------------- + 1 file changed, 36 insertions(+), 31 deletions(-) + +diff --git a/heartbeat/crypt b/heartbeat/crypt +index 0b184305e8..4d4d6142ba 100755 +--- a/heartbeat/crypt ++++ b/heartbeat/crypt +@@ -88,7 +88,7 @@ The resulting block device path is /dev/mapper/name. + + + +- ++ + + Key file path containing the encryption passphrase + (aka key; see cryptsetup(8)). For LUKS, the passphrase as of the key_file +@@ -98,7 +98,7 @@ parameter is used to decrypt a randomly selected key when the device was created + + + +- ++ + + Encryption (device) type (e.g. "luks" or "luks2"). + +@@ -128,7 +128,7 @@ will fail and the node will be fenced. + + If LUKS volume is set up to unlock automatically using Tang/Clevis, + then set this parameter to "true". This has the side-effect of ignoring +-the "key_file", "disable_locks" and "crypt_type" parameters. ++the "key_file" and "crypt_type" parameters. + + use clevis tools to unlock volume + +@@ -147,10 +147,6 @@ the "key_file", "disable_locks" and "crypt_type" parameters. + END + } + +-# Disable cryptsetup auto-recovery if cloned. +-disable_locks="" +-ocf_is_clone && disable_locks="--disable-locks" +- + crypt_usage() { + cat </dev/null + if [ $? -eq 0 ] && [ -z "$crypt_dev" ]; then + ocf_exit_reason "Crypt device \"$crypt_dev\" name has to at least 1 character long and without path" +- return $OCF_ERR_ARGS ++ return $OCF_ERR_CONFIGURED + fi +- if [ ! -r "$key_file" ]; then ++ if ! ocf_is_true "$use_clevis" && [ ! -r "$key_file" ]; then + ocf_exit_reason "Hash key file $key_file not accessible" +- return $OCF_ERR_ARGS ++ return $OCF_ERR_CONFIGURED ++ fi ++ if ! ocf_is_true "$use_clevis" && [ ! 
-r "$crypt_type" ]; then ++ ocf_exit_reason "crypt_type not set" ++ return $OCF_ERR_CONFIGURED + fi + if ocf_is_true "$force_stop" && ! have_binary lsof; then + ocf_exit_reason "Force stop requested, please install lsof(8)" +@@ -270,7 +267,7 @@ show_users() { + } + + crypt_stop_one() { +- cryptsetup close $crypt_dev $disable_locks ++ cryptsetup close $crypt_dev + } + + ####################################################################### +@@ -278,21 +275,22 @@ crypt_stop_one() { + # Action: START an encrypted resource + # + crypt_start() { +- local rc ++ local out rc + detect_clevis +- ++ + if ocf_is_true "$use_clevis"; then +- clevis luks unlock -d $encrypted_dev -n $crypt_dev ++ out=$(clevis luks unlock -d $encrypted_dev -n $crypt_dev 2>&1) + rc=$? + else +- cryptsetup open $encrypted_dev $crypt_dev --type $crypt_type $disable_locks --key-file=$key_file ++ out=$(cryptsetup open $encrypted_dev $crypt_dev --type $crypt_type --key-file=$key_file 2>&1) + rc=$? + fi + if [ $rc -eq 0 ];then + crypt_monitor + rc=$? + else +- rc=$OCF_ERR_GERNERIC ++ ocf_exit_reason "Failed to start encrypted device \"$crypt_dev\": $out" ++ return $OCF_ERR_GENERIC + fi + [ $rc -ne $OCF_SUCCESS ] && ocf_exit_reason "Failed to start encrypted device \"$crypt_dev\"" + +@@ -315,7 +313,8 @@ crypt_stop() { + if [ $rc -ne $OCF_NOT_RUNNING ] && ocf_is_true $force_stop; then + stop_crypt_users + case $? in +- 2) rc=$OCF_SUCCESS;; ++ 2) crypt_monitor ++ rc=$?;; + *) crypt_stop_one + crypt_monitor + rc=$?;; +@@ -335,7 +334,7 @@ crypt_stop() { + # Action: MONITOR an encrypted resource + # + crypt_monitor() { +- cryptsetup status $crypt_dev $disable_locks >/dev/null 2>&1 ++ cryptsetup status $crypt_dev >/dev/null 2>&1 + if [ $? -eq 0 ]; then + if [ -b "$encrypted_dev" ] || [ -L $crypt_dev_path ]; then + return $OCF_SUCCESS +@@ -347,10 +346,10 @@ crypt_monitor() { + return $OCF_NOT_RUNNING + } + +-# Check for stange argument count. ++# Check for strange argument count. 
+ if [ $# -ne 1 ]; then + usage +- exit $OCF_ERR_ARGS ++ exit $OCF_ERR_GENERIC + fi + + case "$__OCF_ACTION" in +@@ -363,7 +362,13 @@ esac + # XME: remove once pacemaker is fixed and calls this action + crypt_validate_all + rc=$? +-[ $rc -ne $OCF_SUCCESS ] && exit $rc ++if [ $rc -ne $OCF_SUCCESS ]; then ++ if ! ocf_is_probe && [ "$__OCF_ACTION" != "stop" ]; then ++ exit $rc ++ else ++ $OCF_NOT_RUNNING ++ fi ++fi + + case "$__OCF_ACTION" in + start) crypt_start; rc=$?;; diff --git a/resource-agents.spec b/resource-agents.spec index 1d1c790..0bde24d 100644 --- a/resource-agents.spec +++ b/resource-agents.spec @@ -45,7 +45,7 @@ Name: resource-agents Summary: Open Source HA Reusable Cluster Resource Scripts Version: 4.16.0 -Release: 12%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist} +Release: 13%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist} License: GPL-2.0-or-later AND LGPL-2.1-or-later URL: https://github.com/ClusterLabs/resource-agents Source0: %{upstream_prefix}-%{upstream_version}.tar.gz @@ -69,6 +69,7 @@ Patch16: RHEL-79822-1-portblock-fix-version-detection.patch Patch17: RHEL-79822-2-portblock-use-ocf_log-for-logging.patch Patch18: RHEL-85057-1-tomcat-fix-CATALINA_PID-not-set-and-parameter-defaults.patch Patch19: RHEL-85057-2-tomcat-log-validate-all-on-debug-level.patch +Patch20: RHEL-13089-crypt-add-tang-clevis-support-and-fix-issues.patch # bundled ha-cloud-support libs Patch500: ha-cloud-support-aliyun.patch @@ -247,6 +248,7 @@ exit 1 %patch -p1 -P 17 %patch -p1 -P 18 %patch -p1 -P 19 +%patch -p1 -P 20 # bundled ha-cloud-support libs %patch -p1 -P 500 
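Review bot: In the last hunk of the nested patch 3/3 (the top-level `crypt_validate_all` call that precedes `case "$__OCF_ACTION" in`), the probe/stop branch is the bare expansion `$OCF_NOT_RUNNING` with no `exit`, so the shell tries to execute a command named by that number, reports it as not found, and falls through into the action dispatch with the failed validation ignored; the line should read `exit $OCF_NOT_RUNNING`. The same patch's crypt_validate_all hunk tests `[ ! -r "$crypt_type" ]`, which checks whether a file named after the type (e.g. `luks`) is readable rather than whether the parameter is set, so a non-clevis configuration would fail with "crypt_type not set"; `[ -z "$crypt_type" ]` matches the message, though the surrounding lines of that hunk are partly garbled on this page and the function's start is not visible, so confirm against the patch file. Neither the new `clevis luks unlock -d $encrypted_dev -n $crypt_dev` line nor the rewritten `cryptsetup open` line quotes its arguments even though they come straight from resource parameters; `-d "$encrypted_dev" -n "$crypt_dev"` would avoid word-splitting surprises. The `case` statement that begins at the `start)` line continues outside the hunk.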
@@ -577,6 +579,12 @@ rm -rf %{buildroot}/usr/share/doc/resource-agents %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm %changelog +* Tue Apr 22 2025 Oyvind Albrigtsen - 4.16.0-13 +- Filesystem: add support for aznfs +- crypt: new resource agent + + Resolves: RHEL-88042, RHEL-13089 + * Wed Apr 9 2025 Oyvind Albrigtsen - 4.16.0-12 - tomcat: fix CATALINA_PID not set, and catalina_base and catalina_out parameter defaults