Import from CS git

2025-04-22 07:43:47 +00:00 · 2025-04-22 07:43:47 +00:00 · a7220e5caf
commit a7220e5caf
parent 7dc1922e8e
4 changed files with 706 additions and 1 deletions
--- a/SOURCES/RHEL-81960-1-aws-agents-reuse-imds-token-until-it-expires.patch
+++ b/SOURCES/RHEL-81960-1-aws-agents-reuse-imds-token-until-it-expires.patch
@ -0,0 +1,455 @@
+From 61cec34a754017537c61e79cd1212f2688c32429 Mon Sep 17 00:00:00 2001
+From: harshkiprofile <83770157+harshkiprofile@users.noreply.github.com>
+Date: Mon, 4 Nov 2024 12:19:10 +0530
+Subject: [PATCH 1/7] Introduce a new shell function to reuse IMDS token
+
+---
+ heartbeat/ocf-shellfuncs.in | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/heartbeat/ocf-shellfuncs.in b/heartbeat/ocf-shellfuncs.in
+index 5c4bb3264..0c4632cf9 100644
+--- a/heartbeat/ocf-shellfuncs.in
+++ b/heartbeat/ocf-shellfuncs.in
+@@ -1111,3 +1111,34 @@ ocf_is_true "$OCF_TRACE_RA" && ocf_start_trace
+ if ocf_is_true "$HA_use_logd"; then
+ 	: ${HA_LOGD:=yes}
+ fi
+
+# File to store the token and timestamp
+TOKEN_FILE="/tmp/.imds_token"
+TOKEN_LIFETIME=21600  # Token lifetime in seconds (6 hours)
+TOKEN_EXPIRY_THRESHOLD=3600  # Renew token if less than 60 minutes (1 hour) remaining
+
+# Function to fetch a new token
+fetch_new_token() {
+    TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: $TOKEN_LIFETIME")
+    echo "$TOKEN $(date +%s)" > "$TOKEN_FILE"
+    echo "$TOKEN"
+}
+
+# Function to retrieve or renew the token
+get_token() {
+    if [[ -f "$TOKEN_FILE" ]]; then
+        read -r STORED_TOKEN STORED_TIMESTAMP < "$TOKEN_FILE"
+        CURRENT_TIME=$(date +%s)
+        ELAPSED_TIME=$((CURRENT_TIME - STORED_TIMESTAMP))
+
+        if (( ELAPSED_TIME < (TOKEN_LIFETIME - TOKEN_EXPIRY_THRESHOLD) )); then
+            # Token is still valid
+            echo "$STORED_TOKEN"
+            return
+        fi
+    fi
+    # Fetch a new token if not valid
+    fetch_new_token
+}
+
+
+
+From 00629fa44cb7a8dd1045fc8cad755e1d0c808476 Mon Sep 17 00:00:00 2001
+From: harshkiprofile <83770157+harshkiprofile@users.noreply.github.com>
+Date: Mon, 4 Nov 2024 12:21:18 +0530
+Subject: [PATCH 2/7] Utilize the get_token function to reuse the token
+
+---
+ heartbeat/aws-vpc-move-ip | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
+index 6115e5ba8..fbeb2ee64 100755
+--- a/heartbeat/aws-vpc-move-ip
+++ b/heartbeat/aws-vpc-move-ip
+@@ -270,7 +270,7 @@ ec2ip_validate() {
+ 		fi
+ 	fi
+ 
+-	TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
+	TOKEN=$(get_token)
+ 	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ 	EC2_INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
+ 	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+
+From 36126cdcb90ad617ecfce03d986550907732aa4f Mon Sep 17 00:00:00 2001
+From: harshkiprofile <83770157+harshkiprofile@users.noreply.github.com>
+Date: Mon, 4 Nov 2024 12:22:16 +0530
+Subject: [PATCH 3/7] Utilize to get_token function to reuse the token
+
+---
+ heartbeat/awsvip | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/heartbeat/awsvip b/heartbeat/awsvip
+index f2b238a0f..ca19ac086 100755
+--- a/heartbeat/awsvip
+++ b/heartbeat/awsvip
+@@ -266,7 +266,7 @@ if [ -n "${OCF_RESKEY_region}" ]; then
+ 	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
+ fi
+ SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
+-TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
+TOKEN=$(get_token)
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+
+From dcd0050df5ba94905bc71d38b05cbb93f5687b61 Mon Sep 17 00:00:00 2001
+From: harshkiprofile <beer18317@gmail.com>
+Date: Mon, 4 Nov 2024 20:05:33 +0530
+Subject: [PATCH 4/7] Move token renewal function to aws.sh for reuse in AWS
+ agent scripts
+
+---
+ heartbeat/Makefile.am        |  1 +
+ heartbeat/aws-vpc-move-ip    |  1 +
+ heartbeat/aws-vpc-route53.in |  3 ++-
+ heartbeat/aws.sh             | 46 ++++++++++++++++++++++++++++++++++++
+ heartbeat/awseip             |  3 ++-
+ heartbeat/awsvip             |  1 +
+ heartbeat/ocf-shellfuncs.in  | 33 +-------------------------
+ 7 files changed, 54 insertions(+), 34 deletions(-)
+ create mode 100644 heartbeat/aws.sh
+
+diff --git a/heartbeat/Makefile.am b/heartbeat/Makefile.am
+index 409847970..655740f14 100644
+--- a/heartbeat/Makefile.am
+++ b/heartbeat/Makefile.am
+@@ -218,6 +218,7 @@ ocfcommon_DATA		= ocf-shellfuncs 	\
+ 			  ocf-rarun		\
+ 			  ocf-distro		\
+ 			  apache-conf.sh 	\
+			  aws.sh            \
+ 			  http-mon.sh		\
+ 			  sapdb-nosha.sh	\
+ 			  sapdb.sh		\
+diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
+index fbeb2ee64..f4b0492f2 100755
+--- a/heartbeat/aws-vpc-move-ip
+++ b/heartbeat/aws-vpc-move-ip
+@@ -33,6 +33,7 @@
+ 
+ : ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
+ . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
+. ${OCF_FUNCTIONS_DIR}/aws.sh
+ 
+ # Defaults
+ OCF_RESKEY_awscli_default="/usr/bin/aws"
+diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
+index eba2ed95c..f7e756782 100644
+--- a/heartbeat/aws-vpc-route53.in
+++ b/heartbeat/aws-vpc-route53.in
+@@ -43,6 +43,7 @@
+ 
+ : ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
+ . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
+. ${OCF_FUNCTIONS_DIR}/aws.sh
+ 
+ # Defaults
+ OCF_RESKEY_awscli_default="/usr/bin/aws"
+@@ -377,7 +378,7 @@ r53_monitor() {
+ _get_ip() {
+ 	case $OCF_RESKEY_ip in
+ 		local|public)
+-			TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
+			TOKEN=$(get_token)
+ 			[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ 			IPADDRESS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4")
+ 			[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+diff --git a/heartbeat/aws.sh b/heartbeat/aws.sh
+new file mode 100644
+index 000000000..fc557109c
+--- /dev/null
+++ b/heartbeat/aws.sh
+@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+#
+#   AWS Helper Scripts
+#
+#
+
+: ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
+. ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
+
+# Defaults
+OCF_RESKEY_curl_retries_default="3"
+OCF_RESKEY_curl_sleep_default="1"
+
+: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
+: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
+
+# Function to enable reusable IMDS token retrieval for efficient repeated access 
+# File to store the token and timestamp
+TOKEN_FILE="/tmp/.imds_token"
+TOKEN_LIFETIME=21600  # Token lifetime in seconds (6 hours)
+TOKEN_EXPIRY_THRESHOLD=3600  # Renew token if less than 60 minutes (1 hour) remaining
+
+# Function to fetch a new token
+fetch_new_token() {
+    TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: $TOKEN_LIFETIME'" "http://169.254.169.254/latest/api/token")
+    echo "$TOKEN $(date +%s)" > "$TOKEN_FILE"
+    echo "$TOKEN"
+}
+
+# Function to retrieve or renew the token
+get_token() {
+    if [ -f "$TOKEN_FILE" ]; then
+        read -r STORED_TOKEN STORED_TIMESTAMP < "$TOKEN_FILE"
+        CURRENT_TIME=$(date +%s)
+        ELAPSED_TIME=$((CURRENT_TIME - STORED_TIMESTAMP))
+
+        if (( ELAPSED_TIME < (TOKEN_LIFETIME - TOKEN_EXPIRY_THRESHOLD) )); then
+            # Token is still valid
+            echo "$STORED_TOKEN"
+            return
+        fi
+    fi
+    # Fetch a new token if not valid
+    fetch_new_token
+}
+\ No newline at end of file
+diff --git a/heartbeat/awseip b/heartbeat/awseip
+index ffb6223a1..049c2e566 100755
+--- a/heartbeat/awseip
+++ b/heartbeat/awseip
+@@ -38,6 +38,7 @@
+ 
+ : ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
+ . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
+. ${OCF_FUNCTIONS_DIR}/aws.sh
+ 
+ #######################################################################
+ 
+@@ -306,7 +307,7 @@ fi
+ ELASTIC_IP="${OCF_RESKEY_elastic_ip}"
+ ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
+ PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
+-TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
+TOKEN=$(get_token)
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+diff --git a/heartbeat/awsvip b/heartbeat/awsvip
+index ca19ac086..de67981d8 100755
+--- a/heartbeat/awsvip
+++ b/heartbeat/awsvip
+@@ -37,6 +37,7 @@
+ 
+ : ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
+ . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
+. ${OCF_FUNCTIONS_DIR}/aws.sh
+ 
+ #######################################################################
+ 
+diff --git a/heartbeat/ocf-shellfuncs.in b/heartbeat/ocf-shellfuncs.in
+index 0c4632cf9..922c6ea45 100644
+--- a/heartbeat/ocf-shellfuncs.in
+++ b/heartbeat/ocf-shellfuncs.in
+@@ -1110,35 +1110,4 @@ ocf_is_true "$OCF_TRACE_RA" && ocf_start_trace
+ # pacemaker sets HA_use_logd, some others use HA_LOGD :/
+ if ocf_is_true "$HA_use_logd"; then
+ 	: ${HA_LOGD:=yes}
+-fi
+-
+-# File to store the token and timestamp
+-TOKEN_FILE="/tmp/.imds_token"
+-TOKEN_LIFETIME=21600  # Token lifetime in seconds (6 hours)
+-TOKEN_EXPIRY_THRESHOLD=3600  # Renew token if less than 60 minutes (1 hour) remaining
+-
+-# Function to fetch a new token
+-fetch_new_token() {
+-    TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: $TOKEN_LIFETIME")
+-    echo "$TOKEN $(date +%s)" > "$TOKEN_FILE"
+-    echo "$TOKEN"
+-}
+-
+-# Function to retrieve or renew the token
+-get_token() {
+-    if [[ -f "$TOKEN_FILE" ]]; then
+-        read -r STORED_TOKEN STORED_TIMESTAMP < "$TOKEN_FILE"
+-        CURRENT_TIME=$(date +%s)
+-        ELAPSED_TIME=$((CURRENT_TIME - STORED_TIMESTAMP))
+-
+-        if (( ELAPSED_TIME < (TOKEN_LIFETIME - TOKEN_EXPIRY_THRESHOLD) )); then
+-            # Token is still valid
+-            echo "$STORED_TOKEN"
+-            return
+-        fi
+-    fi
+-    # Fetch a new token if not valid
+-    fetch_new_token
+-}
+-
+-
+fi
+\ No newline at end of file
+
+From 9f7be201923c8eab1b121f2067ed74a69841cf8a Mon Sep 17 00:00:00 2001
+From: harshkiprofile <beer18317@gmail.com>
+Date: Tue, 5 Nov 2024 19:12:34 +0530
+Subject: [PATCH 5/7] Refactor to use common temp path and update shell syntax
+
+---
+ heartbeat/Makefile.am | 2 +-
+ heartbeat/aws.sh      | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/heartbeat/Makefile.am b/heartbeat/Makefile.am
+index 655740f14..8352f3a3d 100644
+--- a/heartbeat/Makefile.am
+++ b/heartbeat/Makefile.am
+@@ -218,7 +218,7 @@ ocfcommon_DATA		= ocf-shellfuncs 	\
+ 			  ocf-rarun		\
+ 			  ocf-distro		\
+ 			  apache-conf.sh 	\
+-			  aws.sh            \
+			  aws.sh		\
+ 			  http-mon.sh		\
+ 			  sapdb-nosha.sh	\
+ 			  sapdb.sh		\
+diff --git a/heartbeat/aws.sh b/heartbeat/aws.sh
+index fc557109c..c77f93b91 100644
+--- a/heartbeat/aws.sh
+++ b/heartbeat/aws.sh
+@@ -17,7 +17,7 @@ OCF_RESKEY_curl_sleep_default="1"
+ 
+ # Function to enable reusable IMDS token retrieval for efficient repeated access 
+ # File to store the token and timestamp
+-TOKEN_FILE="/tmp/.imds_token"
+TOKEN_FILE="${HA_RSCTMP}/.aws_imds_token"
+ TOKEN_LIFETIME=21600  # Token lifetime in seconds (6 hours)
+ TOKEN_EXPIRY_THRESHOLD=3600  # Renew token if less than 60 minutes (1 hour) remaining
+ 
+@@ -35,7 +35,7 @@ get_token() {
+         CURRENT_TIME=$(date +%s)
+         ELAPSED_TIME=$((CURRENT_TIME - STORED_TIMESTAMP))
+ 
+-        if (( ELAPSED_TIME < (TOKEN_LIFETIME - TOKEN_EXPIRY_THRESHOLD) )); then
+        if [ "$ELAPSED_TIME" -lt "$((TOKEN_LIFETIME - TOKEN_EXPIRY_THRESHOLD))" ]; then
+             # Token is still valid
+             echo "$STORED_TOKEN"
+             return
+
+From 4f61048064d1df3bebdb5c1441cf0020f213c01b Mon Sep 17 00:00:00 2001
+From: harshkiprofile <beer18317@gmail.com>
+Date: Tue, 5 Nov 2024 19:30:15 +0530
+Subject: [PATCH 6/7] Consolidate curl_retry and curl_sleep variable to a
+ single location in aws.sh
+
+---
+ heartbeat/aws-vpc-move-ip    | 4 ----
+ heartbeat/aws-vpc-route53.in | 4 ----
+ heartbeat/awseip             | 4 ----
+ heartbeat/awsvip             | 4 ----
+ 4 files changed, 16 deletions(-)
+
+diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
+index f4b0492f2..3aa9ceb02 100755
+--- a/heartbeat/aws-vpc-move-ip
+++ b/heartbeat/aws-vpc-move-ip
+@@ -48,8 +48,6 @@ OCF_RESKEY_interface_default="eth0"
+ OCF_RESKEY_iflabel_default=""
+ OCF_RESKEY_monapi_default="false"
+ OCF_RESKEY_lookup_type_default="InstanceId"
+-OCF_RESKEY_curl_retries_default="3"
+-OCF_RESKEY_curl_sleep_default="1"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+ : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+@@ -63,8 +61,6 @@ OCF_RESKEY_curl_sleep_default="1"
+ : ${OCF_RESKEY_iflabel=${OCF_RESKEY_iflabel_default}}
+ : ${OCF_RESKEY_monapi=${OCF_RESKEY_monapi_default}}
+ : ${OCF_RESKEY_lookup_type=${OCF_RESKEY_lookup_type_default}}
+-: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
+-: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
+ #######################################################################
+ 
+ 
+diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
+index f7e756782..85c8de3c1 100644
+--- a/heartbeat/aws-vpc-route53.in
+++ b/heartbeat/aws-vpc-route53.in
+@@ -54,8 +54,6 @@ OCF_RESKEY_hostedzoneid_default=""
+ OCF_RESKEY_fullname_default=""
+ OCF_RESKEY_ip_default="local"
+ OCF_RESKEY_ttl_default=10
+-OCF_RESKEY_curl_retries_default="3"
+-OCF_RESKEY_curl_sleep_default="1"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+ : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+@@ -65,8 +63,6 @@ OCF_RESKEY_curl_sleep_default="1"
+ : ${OCF_RESKEY_fullname:=${OCF_RESKEY_fullname_default}}
+ : ${OCF_RESKEY_ip:=${OCF_RESKEY_ip_default}}
+ : ${OCF_RESKEY_ttl:=${OCF_RESKEY_ttl_default}}
+-: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
+-: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
+ 
+ usage() {
+ 	cat <<-EOT
+diff --git a/heartbeat/awseip b/heartbeat/awseip
+index 049c2e566..4b1c3bc6a 100755
+--- a/heartbeat/awseip
+++ b/heartbeat/awseip
+@@ -50,16 +50,12 @@ OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
+ OCF_RESKEY_region_default=""
+ OCF_RESKEY_api_delay_default="3"
+-OCF_RESKEY_curl_retries_default="3"
+-OCF_RESKEY_curl_sleep_default="1"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+ : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
+ : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
+-: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
+-: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
+ 
+ meta_data() {
+     cat <<END
+diff --git a/heartbeat/awsvip b/heartbeat/awsvip
+index de67981d8..8c71e7fac 100755
+--- a/heartbeat/awsvip
+++ b/heartbeat/awsvip
+@@ -49,16 +49,12 @@ OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
+ OCF_RESKEY_region_default=""
+ OCF_RESKEY_api_delay_default="3"
+-OCF_RESKEY_curl_retries_default="3"
+-OCF_RESKEY_curl_sleep_default="1"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+ : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
+ : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
+-: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
+-: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
+ 
+ meta_data() {
+     cat <<END
+
+From d451c5c595b08685f84ec85da96ae9cb4fc076fe Mon Sep 17 00:00:00 2001
+From: harshkiprofile <beer18317@gmail.com>
+Date: Tue, 5 Nov 2024 20:50:24 +0530
+Subject: [PATCH 7/7] aws.sh needs to added to be symlinkstargets in
+ doc/man/Makefile.am
+
+---
+ doc/man/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am
+index ef7639bff..447f5cba3 100644
+--- a/doc/man/Makefile.am
+++ b/doc/man/Makefile.am
+@@ -42,7 +42,7 @@ radir			= $(abs_top_builddir)/heartbeat
+ # required for out-of-tree build
+ symlinkstargets		= \
+ 			  ocf-distro ocf.py ocf-rarun ocf-returncodes \
+-			  findif.sh apache-conf.sh http-mon.sh mysql-common.sh \
+			  findif.sh apache-conf.sh aws.sh http-mon.sh mysql-common.sh \
+ 			  nfsserver-redhat.sh ora-common.sh
+ 
+ preptree:
--- a/SOURCES/RHEL-81960-2-aws-agents-reuse-imds-token-improvements.patch
+++ b/SOURCES/RHEL-81960-2-aws-agents-reuse-imds-token-improvements.patch
@ -0,0 +1,161 @@
+From cc5ffa5e599c974c426e93faa821b342e96b916d Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Mon, 11 Nov 2024 12:46:27 +0100
+Subject: [PATCH 1/2] aws.sh: chmod 600 $TOKEN_FILE, add get_instance_id() with
+ DMI support, and use get_instance_id() in AWS agents
+
+---
+ heartbeat/aws-vpc-move-ip |  2 +-
+ heartbeat/aws.sh          | 30 +++++++++++++++++++++++++++---
+ heartbeat/awseip          |  2 +-
+ heartbeat/awsvip          |  2 +-
+ 4 files changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
+index 3aa9ceb02..09ae68b57 100755
+--- a/heartbeat/aws-vpc-move-ip
+++ b/heartbeat/aws-vpc-move-ip
+@@ -269,7 +269,7 @@ ec2ip_validate() {
+ 
+ 	TOKEN=$(get_token)
+ 	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+-	EC2_INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
+	EC2_INSTANCE_ID=$(get_instance_id)
+ 	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ 
+ 	if [ -z "${EC2_INSTANCE_ID}" ]; then
+diff --git a/heartbeat/aws.sh b/heartbeat/aws.sh
+index c77f93b91..9cd343c16 100644
+--- a/heartbeat/aws.sh
+++ b/heartbeat/aws.sh
+@@ -9,8 +9,8 @@
+ . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
+ 
+ # Defaults
+-OCF_RESKEY_curl_retries_default="3"
+-OCF_RESKEY_curl_sleep_default="1"
+OCF_RESKEY_curl_retries_default="4"
+OCF_RESKEY_curl_sleep_default="3"
+ 
+ : ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
+ : ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
+@@ -20,11 +20,13 @@ OCF_RESKEY_curl_sleep_default="1"
+ TOKEN_FILE="${HA_RSCTMP}/.aws_imds_token"
+ TOKEN_LIFETIME=21600  # Token lifetime in seconds (6 hours)
+ TOKEN_EXPIRY_THRESHOLD=3600  # Renew token if less than 60 minutes (1 hour) remaining
+DMI_FILE="/sys/devices/virtual/dmi/id/board_asset_tag" # Only supported on nitro-based instances.
+ 
+ # Function to fetch a new token
+ fetch_new_token() {
+     TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: $TOKEN_LIFETIME'" "http://169.254.169.254/latest/api/token")
+     echo "$TOKEN $(date +%s)" > "$TOKEN_FILE"
+    chmod 600 "$TOKEN_FILE"
+     echo "$TOKEN"
+ }
+ 
+@@ -43,4 +45,26 @@ get_token() {
+     fi
+     # Fetch a new token if not valid
+     fetch_new_token
+-}
+\ No newline at end of file
+}
+
+get_instance_id() {
+    local INSTANCE_ID
+
+    # Try to get the EC2 instance ID from DMI first before falling back to IMDS.
+    ocf_log debug "EC2: Attempt to get EC2 Instance ID from local file."
+    if [ -r "$DMI_FILE" ] && [ -s "$DMI_FILE" ]; then
+        INSTANCE_ID="$(cat "$DMI_FILE")"
+        case "$INSTANCE_ID" in
+            i-0*) echo "$INSTANCE_ID"; return "$OCF_SUCCESS" ;;
+        esac
+    fi
+
+    INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
+    if [ $? -ne 0 ]; then
+        ocf_exit_reason "Failed to get EC2 Instance ID"
+        exit $OCF_ERR_GENERIC
+    fi
+
+    echo "$INSTANCE_ID"
+    return "$OCF_SUCCESS"
+}
+diff --git a/heartbeat/awseip b/heartbeat/awseip
+index 4b1c3bc6a..7f38376dc 100755
+--- a/heartbeat/awseip
+++ b/heartbeat/awseip
+@@ -305,7 +305,7 @@ ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
+ PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
+ TOKEN=$(get_token)
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+-INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
+INSTANCE_ID=$(get_instance_id)
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ 
+ case $__OCF_ACTION in
+diff --git a/heartbeat/awsvip b/heartbeat/awsvip
+index 8c71e7fac..0856ac5e4 100755
+--- a/heartbeat/awsvip
+++ b/heartbeat/awsvip
+@@ -265,7 +265,7 @@ fi
+ SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
+ TOKEN=$(get_token)
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+-INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
+INSTANCE_ID=$(get_instance_id)
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ MAC_ADDRESS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/mac")
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+
+From b8d3ecc6a8ce4baf4b28d02978dd573728ccf5fa Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Mon, 18 Nov 2024 11:10:42 +0100
+Subject: [PATCH 2/2] aws.sh/ocf-shellfuncs: add ability to fresh token if it's
+ invalid
+
+---
+ heartbeat/aws.sh            |  1 +
+ heartbeat/ocf-shellfuncs.in | 11 ++++++++++-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/heartbeat/aws.sh b/heartbeat/aws.sh
+index 9cd343c16..64f2e13a7 100644
+--- a/heartbeat/aws.sh
+++ b/heartbeat/aws.sh
+@@ -18,6 +18,7 @@ OCF_RESKEY_curl_sleep_default="3"
+ # Function to enable reusable IMDS token retrieval for efficient repeated access 
+ # File to store the token and timestamp
+ TOKEN_FILE="${HA_RSCTMP}/.aws_imds_token"
+TOKEN_FUNC="fetch_new_token"  # Used by curl_retry() if saved token is invalid
+ TOKEN_LIFETIME=21600  # Token lifetime in seconds (6 hours)
+ TOKEN_EXPIRY_THRESHOLD=3600  # Renew token if less than 60 minutes (1 hour) remaining
+ DMI_FILE="/sys/devices/virtual/dmi/id/board_asset_tag" # Only supported on nitro-based instances.
+diff --git a/heartbeat/ocf-shellfuncs.in b/heartbeat/ocf-shellfuncs.in
+index 922c6ea45..8e51fa3c8 100644
+--- a/heartbeat/ocf-shellfuncs.in
+++ b/heartbeat/ocf-shellfuncs.in
+@@ -697,6 +697,15 @@ curl_retry()
+ 
+ 		ocf_log debug "result: $result"
+ 		[ $rc -eq 0 ] && break
+		if [ -n "$TOKEN" ] && [ -n "$TOKEN_FILE" ] && \
+		   [ -f "$TOKEN_FILE" ] && [ -n "$TOKEN_FUNC" ] && \
+		   echo "$result" | grep -q "The requested URL returned error: 401$"; then
+			local OLD_TOKEN="$TOKEN"
+			ocf_log err "Token invalid. Getting new token."
+			TOKEN=$($TOKEN_FUNC)
+			[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+			args=$(echo "$args" | sed "s/$OLD_TOKEN/$TOKEN/")
+		fi
+ 		sleep $sleep
+ 	done
+ 
+@@ -1110,4 +1119,4 @@ ocf_is_true "$OCF_TRACE_RA" && ocf_start_trace
+ # pacemaker sets HA_use_logd, some others use HA_LOGD :/
+ if ocf_is_true "$HA_use_logd"; then
+ 	: ${HA_LOGD:=yes}
+-fi
+\ No newline at end of file
+fi
--- a/SOURCES/RHEL-85048-tomcat-fix-CATALINA_PID-not-set-and-parameter-defaults.patch
+++ b/SOURCES/RHEL-85048-tomcat-fix-CATALINA_PID-not-set-and-parameter-defaults.patch
@ -0,0 +1,72 @@
+From f6a5f38405a93ab88e887aa657ee79593d1a4485 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Wed, 26 Mar 2025 09:48:06 +0100
+Subject: [PATCH 1/2] tomcat: fix CATALINA_PID not set issue
+
+---
+ heartbeat/tomcat | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/heartbeat/tomcat b/heartbeat/tomcat
+index fa2715140b..6d47980296 100755
+--- a/heartbeat/tomcat
+++ b/heartbeat/tomcat
+@@ -695,10 +695,12 @@ CATALINA_BASE="${OCF_RESKEY_catalina_base-${OCF_RESKEY_catalina_home}}"
+ CATALINA_OUT="${OCF_RESKEY_catalina_out}"
+ 
+ CATALINA_PID=$OCF_RESKEY_catalina_pid
+-if [ -z "$CATALINA_PID" ] && [ "$__OCF_ACTION" = "start" ]; then
+-	mkdir -p "${HA_RSCTMP}/${TOMCAT_NAME}_tomcatstate/"
+-	if [ "${RESOURCE_TOMCAT_USER}" != "root" ]; then
+-		chown ${RESOURCE_TOMCAT_USER} "${HA_RSCTMP}/${TOMCAT_NAME}_tomcatstate/"
+if [ -z "$CATALINA_PID" ]; then
+	if [ "$__OCF_ACTION" = "start" ]; then
+		mkdir -p "${HA_RSCTMP}/${TOMCAT_NAME}_tomcatstate/"
+		if [ "${RESOURCE_TOMCAT_USER}" != "root" ]; then
+			chown ${RESOURCE_TOMCAT_USER} "${HA_RSCTMP}/${TOMCAT_NAME}_tomcatstate/"
+		fi
+ 	fi
+ 	CATALINA_PID="${HA_RSCTMP}/${TOMCAT_NAME}_tomcatstate/catalina.pid"
+ fi
+
+From b0da375699ebfa544e6e4a13eae554af3e7d65c9 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Fri, 28 Mar 2025 10:50:17 +0100
+Subject: [PATCH 2/2] tomcat: fix catalina_base and catalina_out parameter
+ defaults
+
+---
+ heartbeat/tomcat | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/heartbeat/tomcat b/heartbeat/tomcat
+index 6d47980296..1e8f216384 100755
+--- a/heartbeat/tomcat
+++ b/heartbeat/tomcat
+@@ -650,7 +650,6 @@ OCF_RESKEY_statusurl_default="http://127.0.0.1:8080"
+ OCF_RESKEY_max_stop_time_default=""
+ OCF_RESKEY_java_home_default=""
+ OCF_RESKEY_java_opts_default=""
+-OCF_RESKEY_catalina_out_default="${OCF_RESKEY_catalina_base-${OCF_RESKEY_catalina_home}}/logs/catalina.out"
+ OCF_RESKEY_catalina_pid_default=""
+ OCF_RESKEY_tomcat_start_script_default="${TOMCAT_START_SCRIPT}"
+ OCF_RESKEY_tomcat_start_opts_default=""
+@@ -670,7 +669,6 @@ OCF_RESKEY_logging_manager_default=""
+ : ${OCF_RESKEY_max_stop_time=${OCF_RESKEY_max_stop_time_default}}
+ : ${OCF_RESKEY_java_home=${OCF_RESKEY_java_home_default}}
+ : ${OCF_RESKEY_java_opts=${OCF_RESKEY_java_opts_default}}
+-: ${OCF_RESKEY_catalina_out=${OCF_RESKEY_catalina_out_default}}
+ : ${OCF_RESKEY_catalina_pid=${OCF_RESKEY_catalina_pid_default}}
+ : ${OCF_RESKEY_tomcat_start_script=${OCF_RESKEY_tomcat_start_script_default}}
+ : ${OCF_RESKEY_tomcat_start_opts=${OCF_RESKEY_tomcat_start_opts_default}}
+@@ -691,7 +689,9 @@ RESOURCE_STATUSURL="${OCF_RESKEY_statusurl}"
+ JAVA_HOME="${OCF_RESKEY_java_home}"
+ JAVA_OPTS="${OCF_RESKEY_java_opts}"
+ CATALINA_HOME="${OCF_RESKEY_catalina_home}"
+-CATALINA_BASE="${OCF_RESKEY_catalina_base-${OCF_RESKEY_catalina_home}}"
+CATALINA_BASE="${OCF_RESKEY_catalina_base:-${OCF_RESKEY_catalina_home}}"
+OCF_RESKEY_catalina_out_default="${OCF_RESKEY_catalina_base:-${OCF_RESKEY_catalina_home}}/logs/catalina.out"
+: ${OCF_RESKEY_catalina_out=${OCF_RESKEY_catalina_out_default}}
+ CATALINA_OUT="${OCF_RESKEY_catalina_out}"
+ 
+ CATALINA_PID=$OCF_RESKEY_catalina_pid
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
@ -73,7 +73,7 @@
 Name:		resource-agents
 Summary:	Open Source HA Reusable Cluster Resource Scripts
 Version:	4.9.0
-Release:	54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.10
+Release:	54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.12
 License:	GPLv2+ and LGPLv2+
 URL:		https://github.com/ClusterLabs/resource-agents
 %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@ -168,6 +168,9 @@ Patch71:	RHEL-69297-2-Filesystem-update-bsd-logic.patch
 Patch72:	RHEL-72956-1-openstack-cinder-volume-wait-for-volume-to-be-available.patch
 Patch73:	RHEL-72956-2-openstack-cinder-volume-fix-detach-not-working-during-start-action.patch
 Patch74:	RHEL-79823-portblock-fix-version-detection.patch
+Patch75: 	RHEL-81960-1-aws-agents-reuse-imds-token-until-it-expires.patch
+Patch76: 	RHEL-81960-2-aws-agents-reuse-imds-token-improvements.patch
+Patch77: 	RHEL-85048-tomcat-fix-CATALINA_PID-not-set-and-parameter-defaults.patch

 # bundle patches
 Patch1000:	7-gcp-bundled.patch
@ -426,6 +429,9 @@ exit 1
 %patch -p1 -P 72
 %patch -p1 -P 73
 %patch -p1 -P 74
+%patch -p1 -P 75
+%patch -p1 -P 76
+%patch -p1 -P 77

 chmod 755 heartbeat/nova-compute-wait
 chmod 755 heartbeat/NovaEvacuate
@ -1015,6 +1021,17 @@ ccs_update_schema > /dev/null 2>&1 ||:
 %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm

 %changelog
+* Fri Mar 28 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.12
+- tomcat: fix CATALINA_PID not set, and catalina_base and catalina_out
+  parameter defaults
+
+  Resolves: RHEL-85048
+
+* Tue Mar  4 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.11
+- AWS agents: reuse IMDS token until it expires
+
+  Resolves: RHEL-81960
+
 * Thu Feb 20 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.10
 - portblock: fix iptables version detection