import CS resource-agents-4.9.0-54.el8

2024-03-27 20:26:52 +00:00 · 2024-03-27 20:26:52 +00:00 · 811f026e9f
commit 811f026e9f
parent f4289184e3
11 changed files with 964 additions and 188 deletions
--- a/.gitignore
+++ b/.gitignore
@ -6,6 +6,7 @@ SOURCES/aliyun-python-sdk-vpc-3.0.2.tar.gz
 SOURCES/colorama-0.3.3.tar.gz
 SOURCES/google-cloud-sdk-360.0.0-linux-x86_64.tar.gz
 SOURCES/httplib2-0.20.4.tar.gz
-SOURCES/pycryptodome-3.6.4.tar.gz
+SOURCES/pycryptodome-3.20.0.tar.gz
 SOURCES/pyparsing-2.4.7-py2.py3-none-any.whl
 SOURCES/pyroute2-0.4.13.tar.gz
 SOURCES/urllib3-1.26.18.tar.gz
--- a/.resource-agents.metadata
+++ b/.resource-agents.metadata
@ -6,6 +6,7 @@ f14647a4d37a9a254c4e711b95a7654fc418e41e SOURCES/aliyun-python-sdk-vpc-3.0.2.tar
 0fe5bd8bca54dd71223778a1e0bcca9af324abb1 SOURCES/colorama-0.3.3.tar.gz
 81f039cf075e9c8b70d5af99c189296a9e031de3 SOURCES/google-cloud-sdk-360.0.0-linux-x86_64.tar.gz
 7caf4412d9473bf17352316249a8133fa70b7e37 SOURCES/httplib2-0.20.4.tar.gz
-326a73f58a62ebee00c11a12cfdd838b196e0e8e SOURCES/pycryptodome-3.6.4.tar.gz
+c55d177e9484d974c95078d4ae945f89ba2c7251 SOURCES/pycryptodome-3.20.0.tar.gz
 c8307f47e3b75a2d02af72982a2dfefa3f56e407 SOURCES/pyparsing-2.4.7-py2.py3-none-any.whl
 147149db11104c06d405fd077dcd2aa1c345f109 SOURCES/pyroute2-0.4.13.tar.gz
 84e2852d8da1655373f7ce5e7d5d3e256b62b4e4 SOURCES/urllib3-1.26.18.tar.gz
--- a/SOURCES/RHEL-15302-1-exportfs-make-fsid-optional.patch
+++ b/SOURCES/RHEL-15302-1-exportfs-make-fsid-optional.patch
@ -0,0 +1,75 @@
 From b806487ca758fce838c988767556007ecf66a6e3 Mon Sep 17 00:00:00 2001
 From: Roger Zhou <zzhou@suse.com>
 Date: Mon, 10 Apr 2023 18:08:56 +0800
 Subject: [PATCH] exportfs: make the "fsid=" parameter optional
 Based on feedback [1] from the kernel developer @neilbrown regarding the
 NFS clustering use case, it has been determined that the fsid= parameter
 is now considered optional and safe to omit.
 [1] https://bugzilla.suse.com/show_bug.cgi?id=1201271#c49
 """
 Since some time in 2007 NFS has used the UUID of a filesystem as the
 primary identifier for that filesystem, rather than using the device
 number.  So from that time there should have been reduced need for the
 "fsid=" option.  Probably there are some filesystems that this didn't
 work for.  btrfs has been problematic at time, particularly when subvols
 are exported.  But for quite some years this has all "just worked" at
 least for the major filesystems (ext4 xfs btrfs). [...] I would suggest
 getting rid of the use of fsid= altogether. [...] I'm confident that it
 was no longer an issue in SLE-12 and similarly not in SLE-15.
 """
 ---
 heartbeat/exportfs | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
 diff --git a/heartbeat/exportfs b/heartbeat/exportfs
 index 2307a9e67b..435a19646b 100755
 --- a/heartbeat/exportfs
 +++ b/heartbeat/exportfs
@@ -82,7 +82,7 @@ The directory or directories to export.
 <content type="string" />
 </parameter>
 -<parameter name="fsid" unique="0" required="1">
 +<parameter name="fsid" unique="0" required="0">
 <longdesc lang="en">
 The fsid option to pass to exportfs. This can be a unique positive
 integer, a UUID (assuredly sans comma characters), or the special string
@@ -185,6 +185,8 @@ exportfs_methods() {
 reset_fsid() {
 	CURRENT_FSID=$OCF_RESKEY_fsid
 +	[ -z "$CURRENT_FSID" ] && CURRENT_FSID=`echo "$OCF_RESKEY_options" | sed -n 's/.*fsid=\([^,]*\).*/\1/p'`
 +	echo $CURRENT_FSID
 }
 bump_fsid() {
 	CURRENT_FSID=$((CURRENT_FSID+1))
@@ -322,7 +324,7 @@ export_one() {
 	if echo "$opts" | grep fsid >/dev/null; then
 		#replace fsid in options list
 		opts=`echo "$opts" | sed "s,fsid=[^,]*,fsid=$(get_fsid),g"`
 -	else
 +	elif [ -n "$OCF_RESKEY_fsid" ]; then
 		#tack the fsid option onto our options list.
 		opts="${opts}${sep}fsid=$(get_fsid)"
 	fi
@@ -448,8 +450,8 @@ exportfs_validate_all ()
 		ocf_exit_reason "$OCF_RESKEY_fsid cannot contain a comma"
 		return $OCF_ERR_CONFIGURED
 	fi
 -	if [ $NUMDIRS -gt 1 ] &&
 -			! ocf_is_decimal "$OCF_RESKEY_fsid"; then
 +	if [ $NUMDIRS -gt 1 ] && [ -n "$(reset_fsid)" ] &&
 +			! ocf_is_decimal "$(reset_fsid)"; then
 		ocf_exit_reason "use integer fsid when exporting multiple directories"
 		return $OCF_ERR_CONFIGURED
 	fi
@@ -485,6 +487,6 @@ done
 OCF_RESKEY_directory="${directories%% }"
 NUMDIRS=`echo "$OCF_RESKEY_directory" | wc -w`
 -OCF_REQUIRED_PARAMS="directory fsid clientspec"
 +OCF_REQUIRED_PARAMS="directory clientspec"
 OCF_REQUIRED_BINARIES="exportfs"
 ocf_rarun $*
--- a/SOURCES/RHEL-15302-2-ocft-exportfs-remove-fsid-required-test.patch
+++ b/SOURCES/RHEL-15302-2-ocft-exportfs-remove-fsid-required-test.patch
@ -0,0 +1,43 @@
 From 1d1481aa6d848efab4d398ad6e74d80b5b32549f Mon Sep 17 00:00:00 2001
 From: Valentin Vidic <vvidic@debian.org>
 Date: Wed, 1 Nov 2023 18:25:45 +0100
 Subject: [PATCH] exportfs: remove test for "fsid=" parameter
 fsid parameter is now considered optional.
 ---
 tools/ocft/exportfs          | 5 -----
 tools/ocft/exportfs-multidir | 5 -----
 2 files changed, 10 deletions(-)
 diff --git a/tools/ocft/exportfs b/tools/ocft/exportfs
 index 285a4b8ea0..1ec3d4c364 100644
 --- a/tools/ocft/exportfs
 +++ b/tools/ocft/exportfs
@@ -28,11 +28,6 @@ CASE "check base env"
 	Include prepare
 	AgentRun start OCF_SUCCESS
 -CASE "check base env: no 'OCF_RESKEY_fsid'"
 -	Include prepare
 -	Env OCF_RESKEY_fsid=
 -	AgentRun start OCF_ERR_CONFIGURED
 -
 CASE "check base env: invalid 'OCF_RESKEY_directory'"
 	Include prepare
 	Env OCF_RESKEY_directory=/no_such
 diff --git a/tools/ocft/exportfs-multidir b/tools/ocft/exportfs-multidir
 index 00e41f0859..ac6d5c7f6a 100644
 --- a/tools/ocft/exportfs-multidir
 +++ b/tools/ocft/exportfs-multidir
@@ -28,11 +28,6 @@ CASE "check base env"
 	Include prepare
 	AgentRun start OCF_SUCCESS
 -CASE "check base env: no 'OCF_RESKEY_fsid'"
 -	Include prepare
 -	Env OCF_RESKEY_fsid=
 -	AgentRun start OCF_ERR_CONFIGURED
 -
 CASE "check base env: invalid 'OCF_RESKEY_directory'"
 	Include prepare
 	Env OCF_RESKEY_directory=/no_such
--- a/SOURCES/RHEL-15305-1-findif.sh-fix-loopback-handling.patch
+++ b/SOURCES/RHEL-15305-1-findif.sh-fix-loopback-handling.patch
@ -0,0 +1,45 @@
 From e4f84ae185b6943d1ff461d53c7f1b5295783086 Mon Sep 17 00:00:00 2001
 From: Valentin Vidic <vvidic@valentin-vidic.from.hr>
 Date: Wed, 1 Nov 2023 19:35:21 +0100
 Subject: [PATCH] findif.sh: fix loopback handling
 tools/ocft/IPaddr2 fails the loopback test because of the missing
 table local parameter:
 $ ip -o -f inet route list match 127.0.0.3 scope host
 $ ip -o -f inet route list match 127.0.0.3 table local scope host
 local 127.0.0.0/8 dev lo proto kernel src 127.0.0.1
 Also rename the function because it is called only in for the special
 loopback address case.
 ---
 heartbeat/findif.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/heartbeat/findif.sh b/heartbeat/findif.sh
 index 5f1c19ec3..7c766e6e0 100644
 --- a/heartbeat/findif.sh
 +++ b/heartbeat/findif.sh
@@ -29,10 +29,10 @@ prefixcheck() {
   fi
   return 0
 }
 -getnetworkinfo()
 +getloopbackinfo()
 {
   local line netinfo
 -  ip -o -f inet route list match $OCF_RESKEY_ip table "${OCF_RESKEY_table:=main}" scope host | (while read line;
 +  ip -o -f inet route list match $OCF_RESKEY_ip table local scope host | (while read line;
   do
     netinfo=`echo $line | awk '{print $2}'`
     case $netinfo in
@@ -222,7 +222,7 @@ findif()
   if [ $# = 0 ] ; then
     case $OCF_RESKEY_ip in
     127.*)
 -      set -- `getnetworkinfo`
 +      set -- `getloopbackinfo`
       shift;;
     esac
   fi
--- a/SOURCES/RHEL-15305-2-findif.sh-dont-use-table-parameter.patch
+++ b/SOURCES/RHEL-15305-2-findif.sh-dont-use-table-parameter.patch
@ -0,0 +1,20 @@
 --- a/heartbeat/findif.sh	2024-02-08 11:31:53.414257686 +0100
 +++ b/heartbeat/findif.sh	2023-11-02 10:20:12.150853167 +0100
@@ -210,14 +210,14 @@
   fi
   findif_check_params $family || return $?
 -  if [ -n "$netmask" ] ; then
 +  if [ -n "$netmask" ]; then
       match=$match/$netmask
   fi
   if [ -n "$nic" ] ; then
     # NIC supports more than two.
 -    set -- $(ip -o -f $family route list match $match $scope table "${OCF_RESKEY_table:=main}" | grep "dev $nic " | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
 +    set -- $(ip -o -f $family route list match $match $scope | grep "dev $nic " | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
   else
 -    set -- $(ip -o -f $family route list match $match $scope table "${OCF_RESKEY_table:=main}" | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
 +    set -- $(ip -o -f $family route list match $match $scope | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
   fi
   if [ $# = 0 ] ; then
     case $OCF_RESKEY_ip in
--- a/SOURCES/RHEL-16248-aws-vpc-move-ip-aws-vpc-route53-awseip-awsvip-auth_type-role.patch
+++ b/SOURCES/RHEL-16248-aws-vpc-move-ip-aws-vpc-route53-awseip-awsvip-auth_type-role.patch
@ -0,0 +1,555 @@
 From f45f76600a7e02c860566db7d1350dc3b09449c2 Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Mon, 6 Nov 2023 15:49:44 +0100
 Subject: [PATCH] aws-vpc-move-ip/aws-vpc-route53/awseip/awsvip: add auth_type
 parameter and AWS Policy based authentication type
 ---
 heartbeat/aws-vpc-move-ip    | 43 +++++++++++++++++++----
 heartbeat/aws-vpc-route53.in | 47 ++++++++++++++++++++-----
 heartbeat/awseip             | 68 +++++++++++++++++++++++++++---------
 heartbeat/awsvip             | 60 ++++++++++++++++++++++++-------
 4 files changed, 173 insertions(+), 45 deletions(-)
 diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
 index dee040300f..54806f6eaa 100755
 --- a/heartbeat/aws-vpc-move-ip
 +++ b/heartbeat/aws-vpc-move-ip
@@ -36,6 +36,7 @@
 # Defaults
 OCF_RESKEY_awscli_default="/usr/bin/aws"
 +OCF_RESKEY_auth_type_default="key"
 OCF_RESKEY_profile_default="default"
 OCF_RESKEY_region_default=""
 OCF_RESKEY_ip_default=""
@@ -48,6 +49,7 @@ OCF_RESKEY_monapi_default="false"
 OCF_RESKEY_lookup_type_default="InstanceId"
 : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
 +: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
 : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
 : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
 : ${OCF_RESKEY_ip=${OCF_RESKEY_ip_default}}
@@ -58,8 +60,6 @@ OCF_RESKEY_lookup_type_default="InstanceId"
 : ${OCF_RESKEY_iflabel=${OCF_RESKEY_iflabel_default}}
 : ${OCF_RESKEY_monapi=${OCF_RESKEY_monapi_default}}
 : ${OCF_RESKEY_lookup_type=${OCF_RESKEY_lookup_type_default}}
 -
 -[ -n "$OCF_RESKEY_region" ] && region_opt="--region $OCF_RESKEY_region"
 #######################################################################
@@ -83,6 +83,10 @@ cat <<END
 <longdesc lang="en">
 Resource Agent to move IP addresses within a VPC of the Amazon Webservices EC2
 by changing an entry in an specific routing table
 +
 +Credentials needs to be setup by running "aws configure", or by using AWS Policies.
 +
 +See https://aws.amazon.com/cli/ for more information about awscli.
 </longdesc>
 <shortdesc lang="en">Move IP within a VPC of the AWS EC2</shortdesc>
@@ -95,6 +99,15 @@ Path to command line tools for AWS
 <content type="string" default="${OCF_RESKEY_awscli_default}" />
 </parameter>
 +<parameter name="auth_type">
 +<longdesc lang="en">
 +Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
 +or "role" to use AWS Policies.
 +</longdesc>
 +<shortdesc lang="en">Authentication type</shortdesc>
 +<content type="string" default="${OCF_RESKEY_auth_type_default}" />
 +</parameter>
 +
 <parameter name="profile">
 <longdesc lang="en">
 Valid AWS CLI profile name (see ~/.aws/config and 'aws configure')
@@ -198,7 +211,7 @@ END
 execute_cmd_as_role(){
 	cmd=$1
 	role=$2
 -	output="$($OCF_RESKEY_awscli sts assume-role --role-arn $role --role-session-name AWSCLI-RouteTableUpdate --profile $OCF_RESKEY_profile $region_opt --output=text)"
 +	output="$($AWSCLI_CMD sts assume-role --role-arn $role --role-session-name AWSCLI-RouteTableUpdate --output=text)"
 	export AWS_ACCESS_KEY_ID="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $5}')"
 	export AWS_SECRET_ACCESS_KEY="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $7}')"
 	export AWS_SESSION_TOKEN="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $8}')"
@@ -220,11 +233,11 @@ ec2ip_set_address_param_compat(){
 }
 ec2ip_validate() {
 -	for cmd in $OCF_RESKEY_awscli ip curl; do
 +	for cmd in "$OCF_RESKEY_awscli" ip curl; do
 		check_binary "$cmd"
 	done
 -	if [ -z "$OCF_RESKEY_profile" ]; then
 +	if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
 		ocf_exit_reason "profile parameter not set"
 		return $OCF_ERR_CONFIGURED
 	fi
@@ -262,7 +275,7 @@ ec2ip_monitor() {
 		for rtb in $(echo $OCF_RESKEY_routing_table | sed -e 's/,/ /g'); do
 			ocf_log info "monitor: check routing table (API call) - $rtb"
 			if [ -z "${OCF_RESKEY_routing_table_role}" ]; then
 -				cmd="$OCF_RESKEY_awscli --profile $OCF_RESKEY_profile $region_opt --output text ec2 describe-route-tables --route-table-ids $rtb --query RouteTables[*].Routes[?DestinationCidrBlock=='$OCF_RESKEY_ip/32'].$OCF_RESKEY_lookup_type"
 +				cmd="$AWSCLI_CMD --output text ec2 describe-route-tables --route-table-ids $rtb --query RouteTables[*].Routes[?DestinationCidrBlock=='$OCF_RESKEY_ip/32'].$OCF_RESKEY_lookup_type"
 				ocf_log debug "executing command: $cmd"
 				ROUTE_TO_INSTANCE="$($cmd)"
 			else
@@ -368,7 +381,7 @@ ec2ip_get_and_configure() {
 	EC2_NETWORK_INTERFACE_ID="$(ec2ip_get_instance_eni)"
 	for rtb in $(echo $OCF_RESKEY_routing_table | sed -e 's/,/ /g'); do
 		if [ -z "${OCF_RESKEY_routing_table_role}" ]; then
 -			cmd="$OCF_RESKEY_awscli --profile $OCF_RESKEY_profile $region_opt --output text ec2 replace-route --route-table-id $rtb --destination-cidr-block ${OCF_RESKEY_ip}/32 --network-interface-id $EC2_NETWORK_INTERFACE_ID"
 +			cmd="$AWSCLI_CMD --output text ec2 replace-route --route-table-id $rtb --destination-cidr-block ${OCF_RESKEY_ip}/32 --network-interface-id $EC2_NETWORK_INTERFACE_ID"
 			ocf_log debug "executing command: $cmd"
 			$cmd
 		else
@@ -475,6 +488,22 @@ if ! ocf_is_root; then
 	exit $OCF_ERR_PERM
 fi
 +AWSCLI_CMD="${OCF_RESKEY_awscli}"
 +if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
 +	AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
 +elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
 +	if [ -z "${OCF_RESKEY_region}" ]; then
 +		ocf_exit_reason "region needs to be set when using role-based authentication"
 +		exit $OCF_ERR_CONFIGURED
 +	fi
 +else
 +	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
 +	exit $OCF_ERR_CONFIGURED
 +fi
 +if [ -n "${OCF_RESKEY_region}" ]; then
 +	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
 +fi
 +
 ec2ip_set_address_param_compat
 ec2ip_validate
 diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
 index 22cbb35833..18ab157e8a 100644
 --- a/heartbeat/aws-vpc-route53.in
 +++ b/heartbeat/aws-vpc-route53.in
@@ -46,24 +46,22 @@
 # Defaults
 OCF_RESKEY_awscli_default="/usr/bin/aws"
 +OCF_RESKEY_auth_type_default="key"
 OCF_RESKEY_profile_default="default"
 +OCF_RESKEY_region_default=""
 OCF_RESKEY_hostedzoneid_default=""
 OCF_RESKEY_fullname_default=""
 OCF_RESKEY_ip_default="local"
 OCF_RESKEY_ttl_default=10
 : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
 +: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
 : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
 +: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
 : ${OCF_RESKEY_hostedzoneid:=${OCF_RESKEY_hostedzoneid_default}}
 : ${OCF_RESKEY_fullname:=${OCF_RESKEY_fullname_default}}
 : ${OCF_RESKEY_ip:=${OCF_RESKEY_ip_default}}
 : ${OCF_RESKEY_ttl:=${OCF_RESKEY_ttl_default}}
 -#######################################################################
 -
 -
 -AWS_PROFILE_OPT="--profile $OCF_RESKEY_profile --cli-connect-timeout 10"
 -#######################################################################
 -
 usage() {
 	cat <<-EOT
@@ -123,6 +121,15 @@ Path to command line tools for AWS
 <content type="string" default="${OCF_RESKEY_awscli_default}" />
 </parameter>
 +<parameter name="auth_type">
 +<longdesc lang="en">
 +Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
 +or "role" to use AWS Policies.
 +</longdesc>
 +<shortdesc lang="en">Authentication type</shortdesc>
 +<content type="string" default="${OCF_RESKEY_auth_type_default}" />
 +</parameter>
 +
 <parameter name="profile">
 <longdesc lang="en">
 The name of the AWS CLI profile of the root account. This
@@ -196,7 +203,7 @@ r53_validate() {
 	# Check for required binaries
 	ocf_log debug "Checking for required binaries"
 -	for command in curl dig; do
 +	for command in "${OCF_RESKEY_awscli}" curl dig; do
 		check_binary "$command"
 	done
@@ -216,7 +223,10 @@ r53_validate() {
 	esac
 	# profile
 -	[[ -z "$OCF_RESKEY_profile" ]] && ocf_log error "AWS CLI profile not set $OCF_RESKEY_profile!" && exit $OCF_ERR_CONFIGURED
 +	if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
 +		ocf_exit_reason "profile parameter not set"
 +		return $OCF_ERR_CONFIGURED
 +	fi
 	# TTL
 	[[ -z "$OCF_RESKEY_ttl" ]] && ocf_log error "TTL not set $OCF_RESKEY_ttl!" && exit $OCF_ERR_CONFIGURED
@@ -417,7 +427,6 @@ _update_record() {
 }
 ###############################################################################
 -
 case $__OCF_ACTION in
 	usage|help)
 		usage
@@ -427,6 +436,26 @@ case $__OCF_ACTION in
 		metadata
 		exit $OCF_SUCCESS
 		;;
 +esac
 +
 +AWSCLI_CMD="${OCF_RESKEY_awscli}"
 +if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
 +	AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
 +elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
 +	if [ -z "${OCF_RESKEY_region}" ]; then
 +		ocf_exit_reason "region needs to be set when using role-based authentication"
 +		exit $OCF_ERR_CONFIGURED
 +	fi
 +else
 +	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
 +	exit $OCF_ERR_CONFIGURED
 +fi
 +if [ -n "${OCF_RESKEY_region}" ]; then
 +	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
 +fi
 +AWSCLI_CMD="$AWSCLI_CMD --cli-connect-timeout 10"
 +
 +case $__OCF_ACTION in
 	start)
 		r53_validate || exit $?
 		r53_start
 diff --git a/heartbeat/awseip b/heartbeat/awseip
 index dc48460c85..49b0ca6155 100755
 --- a/heartbeat/awseip
 +++ b/heartbeat/awseip
@@ -23,7 +23,8 @@
 #
 #  Prerequisites:
 #
 -#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.)
 +#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.) or
 +#    (AWSRole) Setup up relevant AWS Policies to allow agent related functions to be executed.
 #  - a reserved secondary private IP address for EC2 instances high availability
 #  - IAM user role with the following permissions:
 #    * DescribeInstances
@@ -44,11 +45,15 @@
 # Defaults
 #
 OCF_RESKEY_awscli_default="/usr/bin/aws"
 +OCF_RESKEY_auth_type_default="key"
 OCF_RESKEY_profile_default="default"
 +OCF_RESKEY_region_default=""
 OCF_RESKEY_api_delay_default="3"
 : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
 +: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
 : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
 +: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
 : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
 meta_data() {
@@ -63,7 +68,7 @@ Resource Agent for Amazon AWS Elastic IP Addresses.
 It manages AWS Elastic IP Addresses with awscli.
 -Credentials needs to be setup by running "aws configure".
 +Credentials needs to be setup by running "aws configure", or by using AWS Policies.
 See https://aws.amazon.com/cli/ for more information about awscli.
 </longdesc>
@@ -79,6 +84,15 @@ command line tools for aws services
 <content type="string" default="${OCF_RESKEY_awscli_default}" />
 </parameter>
 +<parameter name="auth_type">
 +<longdesc lang="en">
 +Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
 +or "role" to use AWS Policies.
 +</longdesc>
 +<shortdesc lang="en">Authentication type</shortdesc>
 +<content type="string" default="${OCF_RESKEY_auth_type_default}" />
 +</parameter>
 +
 <parameter name="profile">
 <longdesc lang="en">
 Valid AWS CLI profile name (see ~/.aws/config and 'aws configure')
@@ -111,6 +125,14 @@ predefined private ip address for ec2 instance
 <content type="string" default="" />
 </parameter>
 +<parameter name="region" required="0">
 +<longdesc lang="en">
 +Region for AWS resource (required for role-based authentication)
 +</longdesc>
 +<shortdesc lang="en">Region</shortdesc>
 +<content type="string" default="${OCF_RESKEY_region_default}" />
 +</parameter>
 +
 <parameter name="api_delay" unique="0">
 <longdesc lang="en">
 a short delay between API calls, to avoid sending API too quick
@@ -157,13 +179,13 @@ awseip_start() {
                 NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
             fi
         done
 -        $AWSCLI --profile $OCF_RESKEY_profile ec2 associate-address  \
 +        $AWSCLI_CMD ec2 associate-address  \
             --network-interface-id ${NETWORK_ID} \
             --allocation-id ${ALLOCATION_ID} \
             --private-ip-address ${PRIVATE_IP_ADDRESS}
         RET=$?
     else
 -        $AWSCLI --profile $OCF_RESKEY_profile ec2 associate-address  \
 +        $AWSCLI_CMD ec2 associate-address  \
             --instance-id ${INSTANCE_ID} \
             --allocation-id ${ALLOCATION_ID}
         RET=$?
@@ -183,7 +205,7 @@ awseip_start() {
 awseip_stop() {
     awseip_monitor || return $OCF_SUCCESS
 -    ASSOCIATION_ID=$($AWSCLI --profile $OCF_RESKEY_profile --output json ec2 describe-addresses \
 +    ASSOCIATION_ID=$($AWSCLI_CMD --output json ec2 describe-addresses \
                          --allocation-id ${ALLOCATION_ID} | grep -m 1 "AssociationId" | awk -F'"' '{print$4}')
     if [ -z "${ASSOCIATION_ID}" ]; then
@@ -191,9 +213,7 @@ awseip_stop() {
         return $OCF_NOT_RUNNING
     fi
 -    $AWSCLI --profile ${OCF_RESKEY_profile} \
 -        ec2 disassociate-address \
 -        --association-id ${ASSOCIATION_ID}
 +    $AWSCLI_CMD ec2 disassociate-address --association-id ${ASSOCIATION_ID}
     RET=$?
     # delay to avoid sending request too fast
@@ -208,7 +228,7 @@ awseip_stop() {
 }
 awseip_monitor() {
 -    $AWSCLI --profile $OCF_RESKEY_profile ec2 describe-instances --instance-id "${INSTANCE_ID}" | grep -q "${ELASTIC_IP}"
 +    $AWSCLI_CMD ec2 describe-instances --instance-id "${INSTANCE_ID}" | grep -q "${ELASTIC_IP}"
     RET=$?
     if [ $RET -ne 0 ]; then
@@ -218,9 +238,9 @@ awseip_monitor() {
 }
 awseip_validate() {
 -    check_binary ${AWSCLI}
 +    check_binary "${OCF_RESKEY_awscli}"
 -    if [ -z "$OCF_RESKEY_profile" ]; then
 +    if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
         ocf_exit_reason "profile parameter not set"
         return $OCF_ERR_CONFIGURED
     fi
@@ -238,9 +258,27 @@ case $__OCF_ACTION in
         meta_data
         exit $OCF_SUCCESS
         ;;
 -esac 
 +    usage|help)
 +        awseip_usage
 +        exit $OCF_SUCCESS
 +        ;;
 +esac
 -AWSCLI="${OCF_RESKEY_awscli}"
 +AWSCLI_CMD="${OCF_RESKEY_awscli}"
 +if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
 +	AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
 +elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
 +	if [ -z "${OCF_RESKEY_region}" ]; then
 +		ocf_exit_reason "region needs to be set when using role-based authentication"
 +		exit $OCF_ERR_CONFIGURED
 +	fi
 +else
 +	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
 +	exit $OCF_ERR_CONFIGURED
 +fi
 +if [ -n "${OCF_RESKEY_region}" ]; then
 +	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
 +fi
 ELASTIC_IP="${OCF_RESKEY_elastic_ip}"
 ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
 PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
@@ -272,10 +310,6 @@ case $__OCF_ACTION in
     validate|validate-all)
         awseip_validate
         ;;
 -    usage|help)
 -        awseip_usage
 -        exit $OCF_SUCCESS
 -        ;;
     *)
         awseip_usage
         exit $OCF_ERR_UNIMPLEMENTED
 diff --git a/heartbeat/awsvip b/heartbeat/awsvip
 index 037278e296..bdb4d68dd0 100755
 --- a/heartbeat/awsvip
 +++ b/heartbeat/awsvip
@@ -23,7 +23,8 @@
 #
 #  Prerequisites:
 #
 -#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.)
 +#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.) or
 +#    (AWSRole) Setup up relevant AWS Policies to allow agent related functions to be executed.
 #  - a reserved secondary private IP address for EC2 instances high availablity
 #  - IAM user role with the following permissions:
 #    * DescribeInstances
@@ -43,11 +44,15 @@
 # Defaults
 #
 OCF_RESKEY_awscli_default="/usr/bin/aws"
 +OCF_RESKEY_auth_type_default="key"
 OCF_RESKEY_profile_default="default"
 +OCF_RESKEY_region_default=""
 OCF_RESKEY_api_delay_default="3"
 : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
 +: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
 : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
 +: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
 : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
 meta_data() {
@@ -62,7 +67,7 @@ Resource Agent for Amazon AWS Secondary Private IP Addresses.
 It manages AWS Secondary Private IP Addresses with awscli.
 -Credentials needs to be setup by running "aws configure".
 +Credentials needs to be setup by running "aws configure", or by using AWS Policies.
 See https://aws.amazon.com/cli/ for more information about awscli.
 </longdesc>
@@ -78,6 +83,15 @@ command line tools for aws services
 <content type="string" default="${OCF_RESKEY_awscli_default}" />
 </parameter>
 +<parameter name="auth_type">
 +<longdesc lang="en">
 +Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
 +or "role" to use AWS Policies.
 +</longdesc>
 +<shortdesc lang="en">Authentication type</shortdesc>
 +<content type="string" default="${OCF_RESKEY_auth_type_default}" />
 +</parameter>
 +
 <parameter name="profile">
 <longdesc lang="en">
 Valid AWS CLI profile name (see ~/.aws/config and 'aws configure')
@@ -94,6 +108,14 @@ reserved secondary private ip for ec2 instance
 <content type="string" default="" />
 </parameter>
 +<parameter name="region" required="0">
 +<longdesc lang="en">
 +Region for AWS resource (required for role-based authentication)
 +</longdesc>
 +<shortdesc lang="en">Region</shortdesc>
 +<content type="string" default="${OCF_RESKEY_region_default}" />
 +</parameter>
 +
 <parameter name="api_delay" unique="0">
 <longdesc lang="en">
 a short delay between API calls, to avoid sending API too quick
@@ -131,7 +153,7 @@ END
 awsvip_start() {
     awsvip_monitor && return $OCF_SUCCESS
 -    $AWSCLI --profile $OCF_RESKEY_profile ec2 assign-private-ip-addresses \
 +    $AWSCLI_CMD ec2 assign-private-ip-addresses \
         --network-interface-id ${NETWORK_ID} \
         --private-ip-addresses ${SECONDARY_PRIVATE_IP} \
         --allow-reassignment
@@ -151,7 +173,7 @@ awsvip_start() {
 awsvip_stop() {
     awsvip_monitor || return $OCF_SUCCESS
 -    $AWSCLI --profile $OCF_RESKEY_profile ec2 unassign-private-ip-addresses \
 +    $AWSCLI_CMD ec2 unassign-private-ip-addresses \
         --network-interface-id ${NETWORK_ID} \
         --private-ip-addresses ${SECONDARY_PRIVATE_IP}
     RET=$?
@@ -168,7 +190,7 @@ awsvip_stop() {
 }
 awsvip_monitor() {
 -    $AWSCLI --profile ${OCF_RESKEY_profile} ec2 describe-instances \
 +    $AWSCLI_CMD ec2 describe-instances \
             --instance-id "${INSTANCE_ID}" \
             --query 'Reservations[].Instances[].NetworkInterfaces[].PrivateIpAddresses[].PrivateIpAddress[]' \
             --output text | \
@@ -182,9 +204,9 @@ awsvip_monitor() {
 }
 awsvip_validate() {
 -    check_binary ${AWSCLI}
 +    check_binary "${OCF_RESKEY_awscli}"
 -    if [ -z "$OCF_RESKEY_profile" ]; then
 +    if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
         ocf_exit_reason "profile parameter not set"
         return $OCF_ERR_CONFIGURED
     fi
@@ -202,9 +224,27 @@ case $__OCF_ACTION in
         meta_data
         exit $OCF_SUCCESS
         ;;
 +    usage|help)
 +        awsvip_usage
 +        exit $OCF_SUCCESS
 +        ;;
 esac
 -AWSCLI="${OCF_RESKEY_awscli}"
 +AWSCLI_CMD="${OCF_RESKEY_awscli}"
 +if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
 +	AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
 +elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
 +	if [ -z "${OCF_RESKEY_region}" ]; then
 +		ocf_exit_reason "region needs to be set when using role-based authentication"
 +		exit $OCF_ERR_CONFIGURED
 +	fi
 +else
 +	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
 +	exit $OCF_ERR_CONFIGURED
 +fi
 +if [ -n "${OCF_RESKEY_region}" ]; then
 +	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
 +fi
 SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
 TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
 INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
@@ -236,10 +276,6 @@ case $__OCF_ACTION in
     validate|validate-all)
         awsvip_validate
         ;;
 -    usage|help)
 -        awsvip_usage
 -        exit $OCF_SUCCESS
 -        ;;
     *)
         awsvip_usage
         exit $OCF_ERR_UNIMPLEMENTED
--- a/SOURCES/RHEL-17083-findif-EOS-fix.patch
+++ b/SOURCES/RHEL-17083-findif-EOS-fix.patch
@ -0,0 +1,22 @@
 From b23ba4eaefb500199c4845751f4c5545c81f42f1 Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Mon, 20 Nov 2023 16:37:37 +0100
 Subject: [PATCH 2/2] findif: also check that netmaskbits != EOS
 ---
 tools/findif.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/tools/findif.c b/tools/findif.c
 index a25395fec..ab108a3c4 100644
 --- a/tools/findif.c
 +++ b/tools/findif.c
@@ -669,7 +669,7 @@ main(int argc, char ** argv) {
 		}
 	}
 -	if (netmaskbits) {
 +	if (netmaskbits != NULL && *netmaskbits != EOS) {
 		best_netmask = netmask;
 	}else if (best_netmask == 0L) {
 		/*
--- a/SOURCES/bz1904465-mysql-common-improve-error-message.patch
+++ b/SOURCES/bz1904465-mysql-common-improve-error-message.patch
@ -0,0 +1,68 @@
 From fcceb714085836de9db4493b527e94d85dd72626 Mon Sep 17 00:00:00 2001
 From: ut002970 <liuxingwei@uniontech.com>
 Date: Wed, 6 Sep 2023 15:27:05 +0800
 Subject: [PATCH 1/3] modify error message
 ---
 heartbeat/mysql-common.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/heartbeat/mysql-common.sh b/heartbeat/mysql-common.sh
 index 8104019b03..a93acc4c60 100755
 --- a/heartbeat/mysql-common.sh
 +++ b/heartbeat/mysql-common.sh
@@ -254,7 +254,7 @@ mysql_common_start()
     while [ $start_wait = 1 ]; do
         if ! ps $pid > /dev/null 2>&1; then
             wait $pid
 -            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), please check your installation"
 +            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), please check your installation, log message you can check $OCF_RESKEY_log"
             return $OCF_ERR_GENERIC
         fi
         mysql_common_status info
 From 8f9b344cd5b3cb96ea0f94b7ab0306da2234ac00 Mon Sep 17 00:00:00 2001
 From: ut002970 <liuxingwei@uniontech.com>
 Date: Wed, 6 Sep 2023 15:56:24 +0800
 Subject: [PATCH 2/3] modify error message
 ---
 heartbeat/mysql-common.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/heartbeat/mysql-common.sh b/heartbeat/mysql-common.sh
 index a93acc4c60..d5b2286737 100755
 --- a/heartbeat/mysql-common.sh
 +++ b/heartbeat/mysql-common.sh
@@ -254,7 +254,7 @@ mysql_common_start()
     while [ $start_wait = 1 ]; do
         if ! ps $pid > /dev/null 2>&1; then
             wait $pid
 -            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), please check your installation, log message you can check $OCF_RESKEY_log"
 +            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), Check $OCF_RESKEY_log for details"
             return $OCF_ERR_GENERIC
         fi
         mysql_common_status info
 From a292b3c552bf3f2beea5f73e0d171546c0a1273c Mon Sep 17 00:00:00 2001
 From: ut002970 <liuxingwei@uniontech.com>
 Date: Wed, 6 Sep 2023 16:10:48 +0800
 Subject: [PATCH 3/3] modify error message
 ---
 heartbeat/mysql-common.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/heartbeat/mysql-common.sh b/heartbeat/mysql-common.sh
 index d5b2286737..d6b4e3cdf4 100755
 --- a/heartbeat/mysql-common.sh
 +++ b/heartbeat/mysql-common.sh
@@ -254,7 +254,7 @@ mysql_common_start()
     while [ $start_wait = 1 ]; do
         if ! ps $pid > /dev/null 2>&1; then
             wait $pid
 -            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), Check $OCF_RESKEY_log for details"
 +            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?). Check $OCF_RESKEY_log for details"
             return $OCF_ERR_GENERIC
         fi
         mysql_common_status info
--- a/SOURCES/python3-syntax-fixes.patch
+++ b/SOURCES/python3-syntax-fixes.patch
@ -590,116 +590,3 @@ diff -uNr a/bundled/aliyun/colorama/demos/demo07.py b/bundled/aliyun/colorama/de
 if __name__ == '__main__':
 diff -uNr a/bundled/aliyun/pycryptodome/Doc/conf.py b/bundled/aliyun/pycryptodome/Doc/conf.py
 --- a/bundled/aliyun/pycryptodome/Doc/conf.py	2018-07-10 21:32:46.000000000 +0200
 +++ b/bundled/aliyun/pycryptodome/Doc/conf.py	2018-10-08 12:08:11.122188094 +0200
@@ -15,7 +15,7 @@
 # Modules to document with autodoc are in another directory
 sys.path.insert(0, os.path.abspath('../lib'))
 -print sys.path
 +print(sys.path)
 # Mock existance of native modules
 from Crypto.Util import _raw_api
 diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py b/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py
 --- a/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py	2018-07-10 21:32:46.000000000 +0200
 +++ b/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py	2018-10-08 12:08:11.123188075 +0200
@@ -302,7 +302,7 @@
     randfunc = kwargs.pop("randfunc", None)
     prime_filter = kwargs.pop("prime_filter", lambda x: True)
     if kwargs:
 -        print "Unknown parameters:", kwargs.keys()
 +        print("Unknown parameters:", kwargs.keys())
     if exact_bits is None:
         raise ValueError("Missing exact_bits parameter")
@@ -341,7 +341,7 @@
     exact_bits = kwargs.pop("exact_bits", None)
     randfunc = kwargs.pop("randfunc", None)
     if kwargs:
 -        print "Unknown parameters:", kwargs.keys()
 +        print("Unknown parameters:", kwargs.keys())
     if randfunc is None:
         randfunc = Random.new().read
 diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py b/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py
 --- a/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py	2018-07-10 21:32:46.000000000 +0200
 +++ b/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py	2018-10-08 12:08:11.124188057 +0200
@@ -912,4 +912,4 @@
     count = 30
     for x in xrange(count):
         _ = point * d
 -    print (time.time() - start) / count * 1000, "ms"
 +    print((time.time() - start) / count * 1000, "ms")
 diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py
 --- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py	2018-07-10 21:32:46.000000000 +0200
 +++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py	2018-10-08 12:08:11.124188057 +0200
@@ -1276,7 +1276,7 @@
         tests += make_block_tests(AES, "AESNI", test_data, {'use_aesni': True})
         tests += [ TestMultipleBlocks(True) ]
     else:
 -        print "Skipping AESNI tests"
 +        print("Skipping AESNI tests")
     return tests
 if __name__ == '__main__':
 diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py
 --- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py	2018-07-10 21:32:46.000000000 +0200
 +++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py	2018-10-08 12:08:11.125188038 +0200
@@ -894,7 +894,7 @@
         if config.get('slow_tests'):
             tests += list_test_cases(NISTTestVectorsGCM_no_clmul)
     else:
 -        print "Skipping test of PCLMULDQD in AES GCM"
 +        print("Skipping test of PCLMULDQD in AES GCM")
     return tests
 diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py
 --- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py	2018-07-10 21:32:46.000000000 +0200
 +++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py	2018-10-08 12:08:11.125188038 +0200
@@ -39,7 +39,7 @@
     """Convert a text string with bytes in hex form to a byte string"""
     clean = b(rws(t))
     if len(clean)%2 == 1:
 -        print clean
 +        print(clean)
         raise ValueError("Even number of characters expected")
     return a2b_hex(clean)
 diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py
 --- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py	2018-07-10 21:32:46.000000000 +0200
 +++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py	2018-10-08 12:08:11.126188020 +0200
@@ -25,11 +25,11 @@
 slow_tests = not "--skip-slow-tests" in sys.argv
 if not slow_tests:
 -    print "Skipping slow tests"
 +    print("Skipping slow tests")
 wycheproof_warnings = "--wycheproof-warnings" in sys.argv
 if wycheproof_warnings:
 -    print "Printing Wycheproof warnings"
 +    print("Printing Wycheproof warnings")
 config = {'slow_tests' : slow_tests, 'wycheproof_warnings' : wycheproof_warnings }
 SelfTest.run(stream=sys.stdout, verbosity=1, config=config)
 diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py b/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py
 --- a/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py	2018-07-10 21:32:46.000000000 +0200
 +++ b/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py	2018-10-08 12:08:11.126188020 +0200
@@ -369,13 +369,13 @@
            ]
     for key, words in data:
 -        print 'Trying key', key
 +        print('Trying key', key)
         key=binascii.a2b_hex(key)
         w2=key_to_english(key)
         if w2!=words:
 -            print 'key_to_english fails on key', repr(key), ', producing', str(w2)
 +            print('key_to_english fails on key', repr(key), ', producing', str(w2))
         k2=english_to_key(words)
         if k2!=key:
 -            print 'english_to_key fails on key', repr(key), ', producing', repr(k2)
 +            print('english_to_key fails on key', repr(key), ', producing', repr(k2))
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
@ -43,7 +43,7 @@
 %global colorama_dir		%{bundled_lib_dir}/aliyun/%{colorama}
 # python-pycryptodome bundle
 %global pycryptodome		pycryptodome
-%global pycryptodome_version	3.6.4
+%global pycryptodome_version	3.20.0
 %global pycryptodome_dir	%{bundled_lib_dir}/aliyun/%{pycryptodome}
 # python-aliyun-sdk-core bundle
 %global aliyunsdkcore		aliyun-python-sdk-core
@ -61,6 +61,10 @@
 %global aliyuncli		aliyun-cli
 %global aliyuncli_version	2.1.10
 %global aliyuncli_dir		%{bundled_lib_dir}/aliyun/%{aliyuncli}
 ## fix CVEs
 # urllib3 bundle
 %global urllib3 		urllib3
 %global urllib3_version 	1.26.18
 # determine the ras-set to process based on configure invokation
 %bcond_with rgmanager
@ -69,7 +73,7 @@
 Name:		resource-agents
 Summary:	Open Source HA Reusable Cluster Resource Scripts
 Version:	4.9.0
-Release:	47%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
+Release:	54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
 License:	GPLv2+ and LGPLv2+
 URL:		https://github.com/ClusterLabs/resource-agents
 %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@ -88,6 +92,7 @@ Source7:	%{aliyunsdkcore}-%{aliyunsdkcore_version}.tar.gz
 Source8:	%{aliyunsdkecs}-%{aliyunsdkecs_version}.tar.gz
 Source9:	%{aliyunsdkvpc}-%{aliyunsdkvpc_version}.tar.gz
 Source10:	%{aliyuncli}-%{aliyuncli_version}.tar.gz
 Source11:	%{urllib3}-%{urllib3_version}.tar.gz
 Patch0: 	nova-compute-wait-NovaEvacuate.patch
 Patch1: 	bz1872754-pgsqlms-new-ra.patch
 Patch2: 	bz1995178-storage-mon-fix-typo.patch
@ -148,6 +153,13 @@ Patch56:	bz2040110-IPaddr2-IPsrcaddr-2-fix-table-parameter.patch
 Patch57:	bz2189243-Filesystem-1-improve-stop-action.patch
 Patch58:	bz2189243-Filesystem-2-fix-incorrect-parameter-types.patch
 Patch59:	bz2189243-Filesystem-3-fix-signal_delay-default-value.patch
 Patch60:	bz1904465-mysql-common-improve-error-message.patch
 Patch61:	RHEL-15302-1-exportfs-make-fsid-optional.patch
 Patch62:	RHEL-15302-2-ocft-exportfs-remove-fsid-required-test.patch
 Patch63:	RHEL-15305-1-findif.sh-fix-loopback-handling.patch
 Patch64:	RHEL-16248-aws-vpc-move-ip-aws-vpc-route53-awseip-awsvip-auth_type-role.patch
 Patch65:	RHEL-17083-findif-EOS-fix.patch
 Patch66:	RHEL-15305-2-findif.sh-dont-use-table-parameter.patch
 # bundle patches
 Patch1000:	7-gcp-bundled.patch
@ -254,6 +266,8 @@ Provides:	bundled(python-aliyun-sdk-ecs) = %{aliyunsdkecs_version}
 Provides:	bundled(python-aliyun-sdk-vpc) = %{aliyunsdkvpc_version}
 # aliyuncli bundle
 Provides:	bundled(aliyuncli) = %{aliyuncli_version}
 # urllib3 bundle
 Provides:	bundled(python-urllib3) = %{urllib3_version}
 %description aliyun
 Alibaba Cloud (Aliyun) resource agents allows Alibaba Cloud
@ -293,7 +307,7 @@ Provides:	bundled(python-pyparsing) = 2.1.10
 Provides:	bundled(python-requests) = 2.10.0
 Provides:	bundled(python-six) = 1.11.0
 Provides:	bundled(python-uritemplate) = 3.0.0
-Provides:	bundled(python-urllib3) = 1.15.1
+Provides:	bundled(python-urllib3) = %{urllib3_version}
 Provides:	bundled(python-websocket) = 0.47.0
 Provides:	bundled(python-yaml) = 3.12
 # python-pyroute2 bundle
@ -327,66 +341,73 @@ databases to be managed in a cluster environment.
 exit 1
 %endif
 %setup -q -n %{upstream_prefix}-%{upstream_version}
-%patch0 -p1
+%patch -p1 -P 0
-%patch1 -p1
+%patch -p1 -P 1
-%patch2 -p1
+%patch -p1 -P 2
-%patch3 -p1
+%patch -p1 -P 3
-%patch4 -p1
+%patch -p1 -P 4
-%patch5 -p1
+%patch -p1 -P 5
-%patch6 -p1
+%patch -p1 -P 6
-%patch7 -p1
+%patch -p1 -P 7
-%patch8 -p1
+%patch -p1 -P 8
-%patch9 -p1
+%patch -p1 -P 9
-%patch10 -p1
+%patch -p1 -P 10
-%patch11 -p1
+%patch -p1 -P 11
-%patch12 -p1
+%patch -p1 -P 12
-%patch13 -p1
+%patch -p1 -P 13
-%patch14 -p1
+%patch -p1 -P 14
-%patch15 -p1
+%patch -p1 -P 15
-%patch16 -p1
+%patch -p1 -P 16
-%patch17 -p1
+%patch -p1 -P 17
-%patch18 -p1
+%patch -p1 -P 18
-%patch19 -p1
+%patch -p1 -P 19
-%patch20 -p1
+%patch -p1 -P 20
-%patch21 -p1
+%patch -p1 -P 21
-%patch22 -p1
+%patch -p1 -P 22
-%patch23 -p1
+%patch -p1 -P 23
-%patch24 -p1
+%patch -p1 -P 24
-%patch25 -p1
+%patch -p1 -P 25
-%patch26 -p1
+%patch -p1 -P 26
-%patch27 -p1
+%patch -p1 -P 27
-%patch28 -p1
+%patch -p1 -P 28
-%patch29 -p1
+%patch -p1 -P 29
-%patch30 -p1
+%patch -p1 -P 30
-%patch31 -p1
+%patch -p1 -P 31
-%patch32 -p1
+%patch -p1 -P 32
-%patch33 -p1
+%patch -p1 -P 33
-%patch34 -p1
+%patch -p1 -P 34
-%patch35 -p1
+%patch -p1 -P 35
-%patch36 -p1
+%patch -p1 -P 36
-%patch37 -p1
+%patch -p1 -P 37
-%patch38 -p1
+%patch -p1 -P 38
-%patch39 -p1
+%patch -p1 -P 39
-%patch40 -p1
+%patch -p1 -P 40
-%patch41 -p1
+%patch -p1 -P 41
-%patch42 -p1
+%patch -p1 -P 42
-%patch43 -p1
+%patch -p1 -P 43
-%patch44 -p1
+%patch -p1 -P 44
-%patch45 -p1
+%patch -p1 -P 45
-%patch46 -p1
+%patch -p1 -P 46
-%patch47 -p1
+%patch -p1 -P 47
-%patch48 -p1
+%patch -p1 -P 48
-%patch49 -p1
+%patch -p1 -P 49
-%patch50 -p1
+%patch -p1 -P 50
-%patch51 -p1
+%patch -p1 -P 51
-%patch52 -p1
+%patch -p1 -P 52
-%patch53 -p1
+%patch -p1 -P 53
-%patch54 -p1
+%patch -p1 -P 54
-%patch55 -p1
+%patch -p1 -P 55
-%patch56 -p1
+%patch -p1 -P 56
-%patch57 -p1
+%patch -p1 -P 57
-%patch58 -p1
+%patch -p1 -P 58
-%patch59 -p1
+%patch -p1 -P 59
 %patch -p1 -P 60
 %patch -p1 -P 61
 %patch -p1 -P 62
 %patch -p1 -P 63
 %patch -p1 -P 64
 %patch -p1 -P 65
 %patch -p1 -P 66
 chmod 755 heartbeat/nova-compute-wait
 chmod 755 heartbeat/NovaEvacuate
@ -400,15 +421,15 @@ mkdir -p %{bundled_lib_dir}/aliyun
 %ifarch x86_64
 tar -xzf %SOURCE1 -C %{bundled_lib_dir}/gcp
 # gcp*: append bundled-directory to search path, gcloud-ra
-%patch1000 -p1
+%patch -p1 -P 1000
 # replace python-rsa with python-cryptography
-%patch1001 -p1
+%patch -p1 -P 1001
 # gcloud support info
-%patch1002 -p1
+%patch -p1 -P 1002
 # configure: skip bundled gcp lib checks
-%patch1003 -p1 -F1
+%patch -p1 -P 1003 -F1
 # gcloud remove python 2 detection
-%patch1004 -p1
+%patch -p1 -P 1004
 # rename gcloud
 mv %{googlecloudsdk_dir}/bin/gcloud %{googlecloudsdk_dir}/bin/gcloud-ra
 # keep googleapiclient
@ -515,16 +536,16 @@ mv %{bundled_lib_dir}/aliyun/%{aliyuncli}-%{aliyuncli_version} %{aliyuncli_dir}
 cp %{aliyuncli_dir}/README.rst %{aliyuncli}_README.rst
 cp %{aliyuncli_dir}/LICENSE %{aliyuncli}_LICENSE
 # aliyun*: use bundled libraries
-%patch1005 -p1
+%patch -p1 -P 1005
 # aliyun Python 3 fixes
-%patch1006 -p1
+%patch -p1 -P 1006
-%patch1007 -p1
+%patch -p1 -P 1007
 # fix CVE's in python-pygments
 pushd %{googlecloudsdk_dir}/lib/third_party
-%patch1008 -p1 -F2
+%patch -p1 -P 1008 -F2
-%patch1009 -p1 -F2
+%patch -p1 -P 1009 -F2
 popd
 %endif
@ -621,6 +642,9 @@ make install DESTDIR=%{buildroot}
 # google-cloud-sdk bundle
 %ifarch x86_64
 pushd %{googlecloudsdk_dir}
 # fix urllib3 CVEs
 rm -rf lib/third_party/urllib3
 %{__python3} -m pip install --target lib/third_party --no-index --find-links %{_sourcedir} urllib3
 mkdir -p %{buildroot}/usr/lib/%{name}/%{googlecloudsdk_dir}
 cp -a bin data lib %{buildroot}/usr/lib/%{name}/%{googlecloudsdk_dir}
 mkdir %{buildroot}/%{_bindir}
@ -649,6 +673,9 @@ popd
 # python-aliyun-sdk-core bundle
 pushd %{aliyunsdkcore_dir}
 %{__python3} setup.py install -O1 --skip-build --root %{buildroot} --install-lib /usr/lib/%{name}/%{bundled_lib_dir}/aliyun
 # fix urllib3 CVEs
 rm -rf %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3
 %{__python3} -m pip install --target %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}/aliyun/aliyunsdkcore/vendored/requests/packages --no-index --find-links %{_sourcedir} urllib3
 popd
 # python-aliyun-sdk-ecs bundle
@ -962,6 +989,38 @@ ccs_update_schema > /dev/null 2>&1 ||:
 %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm
 %changelog
 * Thu Feb  8 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54
 - findif.sh: fix loopback IP handling
  Resolves: RHEL-15305
 * Wed Jan 24 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-53
 - bundled urllib3: fix CVE-2023-45803
 - bundled pycryptodome: fix CVE-2023-52323
  Resolves: RHEL-22431, RHEL-20916
 * Tue Nov 21 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-52
 - findif: also check that netmaskbits != EOS
  Resolves: RHEL-17083
 * Fri Nov 17 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-51
 - aws-vpc-move-ip/aws-vpc-route53/awseip/awsvip: add auth_type parameter
  and AWS Policy based authentication type
  Resolves: RHEL-16248
 * Thu Nov  2 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-49
 - exportfs: make "fsid" parameter optional
  Resolves: RHEL-15302
 * Wed Sep  6 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-48
 - mysql-common: improve error message
  Resolves: rhbz#1904465
 * Thu Jul 20 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-47
 - Filesystem: improve stop-action and allow setting term/kill signals
  and signal_delay for large filesystems