Compare commits

..

6 Commits
a8 ... c8

20 changed files with 1677 additions and 411 deletions

3
.gitignore vendored
View File

@ -6,6 +6,7 @@ SOURCES/aliyun-python-sdk-vpc-3.0.2.tar.gz
SOURCES/colorama-0.3.3.tar.gz
SOURCES/google-cloud-sdk-360.0.0-linux-x86_64.tar.gz
SOURCES/httplib2-0.20.4.tar.gz
SOURCES/pycryptodome-3.6.4.tar.gz
SOURCES/pycryptodome-3.20.0.tar.gz
SOURCES/pyparsing-2.4.7-py2.py3-none-any.whl
SOURCES/pyroute2-0.4.13.tar.gz
SOURCES/urllib3-1.26.18.tar.gz

View File

@ -6,6 +6,7 @@ f14647a4d37a9a254c4e711b95a7654fc418e41e SOURCES/aliyun-python-sdk-vpc-3.0.2.tar
0fe5bd8bca54dd71223778a1e0bcca9af324abb1 SOURCES/colorama-0.3.3.tar.gz
81f039cf075e9c8b70d5af99c189296a9e031de3 SOURCES/google-cloud-sdk-360.0.0-linux-x86_64.tar.gz
7caf4412d9473bf17352316249a8133fa70b7e37 SOURCES/httplib2-0.20.4.tar.gz
326a73f58a62ebee00c11a12cfdd838b196e0e8e SOURCES/pycryptodome-3.6.4.tar.gz
c55d177e9484d974c95078d4ae945f89ba2c7251 SOURCES/pycryptodome-3.20.0.tar.gz
c8307f47e3b75a2d02af72982a2dfefa3f56e407 SOURCES/pyparsing-2.4.7-py2.py3-none-any.whl
147149db11104c06d405fd077dcd2aa1c345f109 SOURCES/pyroute2-0.4.13.tar.gz
84e2852d8da1655373f7ce5e7d5d3e256b62b4e4 SOURCES/urllib3-1.26.18.tar.gz

View File

@ -1,6 +1,17 @@
diff --color -uNr a/heartbeat/gcp-pd-move.in b/heartbeat/gcp-pd-move.in
--- a/heartbeat/gcp-pd-move.in 2024-07-22 10:59:42.170483160 +0200
+++ b/heartbeat/gcp-pd-move.in 2024-07-22 11:01:51.455543850 +0200
@@ -32,6 +32,7 @@
from ocf import logger
try:
+ sys.path.insert(0, '/usr/lib/resource-agents/bundled/gcp')
import googleapiclient.discovery
except ImportError:
pass
diff --color -uNr a/heartbeat/gcp-vpc-move-ip.in b/heartbeat/gcp-vpc-move-ip.in
--- a/heartbeat/gcp-vpc-move-ip.in 2022-06-16 09:45:21.419090782 +0200
+++ b/heartbeat/gcp-vpc-move-ip.in 2022-06-16 10:11:22.978648598 +0200
--- a/heartbeat/gcp-vpc-move-ip.in 2024-07-22 10:59:42.170483160 +0200
+++ b/heartbeat/gcp-vpc-move-ip.in 2024-07-22 11:01:18.010752081 +0200
@@ -36,7 +36,7 @@
. ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
@ -11,8 +22,8 @@ diff --color -uNr a/heartbeat/gcp-vpc-move-ip.in b/heartbeat/gcp-vpc-move-ip.in
OCF_RESKEY_vpc_network_default="default"
OCF_RESKEY_interface_default="eth0"
diff --color -uNr a/heartbeat/gcp-vpc-move-route.in b/heartbeat/gcp-vpc-move-route.in
--- a/heartbeat/gcp-vpc-move-route.in 2022-06-16 09:45:21.420090788 +0200
+++ b/heartbeat/gcp-vpc-move-route.in 2022-06-16 10:11:22.978648598 +0200
--- a/heartbeat/gcp-vpc-move-route.in 2024-07-22 10:59:42.170483160 +0200
+++ b/heartbeat/gcp-vpc-move-route.in 2024-07-22 11:01:18.011752105 +0200
@@ -45,6 +45,7 @@
from ocf import *
@ -22,8 +33,8 @@ diff --color -uNr a/heartbeat/gcp-vpc-move-route.in b/heartbeat/gcp-vpc-move-rou
import pyroute2
try:
diff --color -uNr a/heartbeat/gcp-vpc-move-vip.in b/heartbeat/gcp-vpc-move-vip.in
--- a/heartbeat/gcp-vpc-move-vip.in 2022-06-16 09:45:21.420090788 +0200
+++ b/heartbeat/gcp-vpc-move-vip.in 2022-06-16 10:11:22.979648603 +0200
--- a/heartbeat/gcp-vpc-move-vip.in 2024-07-22 10:59:42.170483160 +0200
+++ b/heartbeat/gcp-vpc-move-vip.in 2024-07-22 11:01:18.012752128 +0200
@@ -29,6 +29,7 @@
from ocf import *

View File

@ -0,0 +1,75 @@
From b806487ca758fce838c988767556007ecf66a6e3 Mon Sep 17 00:00:00 2001
From: Roger Zhou <zzhou@suse.com>
Date: Mon, 10 Apr 2023 18:08:56 +0800
Subject: [PATCH] exportfs: make the "fsid=" parameter optional
Based on feedback [1] from the kernel developer @neilbrown regarding the
NFS clustering use case, it has been determined that the fsid= parameter
is now considered optional and safe to omit.
[1] https://bugzilla.suse.com/show_bug.cgi?id=1201271#c49
"""
Since some time in 2007 NFS has used the UUID of a filesystem as the
primary identifier for that filesystem, rather than using the device
number. So from that time there should have been reduced need for the
"fsid=" option. Probably there are some filesystems that this didn't
work for. btrfs has been problematic at time, particularly when subvols
are exported. But for quite some years this has all "just worked" at
least for the major filesystems (ext4 xfs btrfs). [...] I would suggest
getting rid of the use of fsid= altogether. [...] I'm confident that it
was no longer an issue in SLE-12 and similarly not in SLE-15.
"""
---
heartbeat/exportfs | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/heartbeat/exportfs b/heartbeat/exportfs
index 2307a9e67b..435a19646b 100755
--- a/heartbeat/exportfs
+++ b/heartbeat/exportfs
@@ -82,7 +82,7 @@ The directory or directories to export.
<content type="string" />
</parameter>
-<parameter name="fsid" unique="0" required="1">
+<parameter name="fsid" unique="0" required="0">
<longdesc lang="en">
The fsid option to pass to exportfs. This can be a unique positive
integer, a UUID (assuredly sans comma characters), or the special string
@@ -185,6 +185,8 @@ exportfs_methods() {
reset_fsid() {
CURRENT_FSID=$OCF_RESKEY_fsid
+ [ -z "$CURRENT_FSID" ] && CURRENT_FSID=`echo "$OCF_RESKEY_options" | sed -n 's/.*fsid=\([^,]*\).*/\1/p'`
+ echo $CURRENT_FSID
}
bump_fsid() {
CURRENT_FSID=$((CURRENT_FSID+1))
@@ -322,7 +324,7 @@ export_one() {
if echo "$opts" | grep fsid >/dev/null; then
#replace fsid in options list
opts=`echo "$opts" | sed "s,fsid=[^,]*,fsid=$(get_fsid),g"`
- else
+ elif [ -n "$OCF_RESKEY_fsid" ]; then
#tack the fsid option onto our options list.
opts="${opts}${sep}fsid=$(get_fsid)"
fi
@@ -448,8 +450,8 @@ exportfs_validate_all ()
ocf_exit_reason "$OCF_RESKEY_fsid cannot contain a comma"
return $OCF_ERR_CONFIGURED
fi
- if [ $NUMDIRS -gt 1 ] &&
- ! ocf_is_decimal "$OCF_RESKEY_fsid"; then
+ if [ $NUMDIRS -gt 1 ] && [ -n "$(reset_fsid)" ] &&
+ ! ocf_is_decimal "$(reset_fsid)"; then
ocf_exit_reason "use integer fsid when exporting multiple directories"
return $OCF_ERR_CONFIGURED
fi
@@ -485,6 +487,6 @@ done
OCF_RESKEY_directory="${directories%% }"
NUMDIRS=`echo "$OCF_RESKEY_directory" | wc -w`
-OCF_REQUIRED_PARAMS="directory fsid clientspec"
+OCF_REQUIRED_PARAMS="directory clientspec"
OCF_REQUIRED_BINARIES="exportfs"
ocf_rarun $*

View File

@ -0,0 +1,43 @@
From 1d1481aa6d848efab4d398ad6e74d80b5b32549f Mon Sep 17 00:00:00 2001
From: Valentin Vidic <vvidic@debian.org>
Date: Wed, 1 Nov 2023 18:25:45 +0100
Subject: [PATCH] exportfs: remove test for "fsid=" parameter
fsid parameter is now considered optional.
---
tools/ocft/exportfs | 5 -----
tools/ocft/exportfs-multidir | 5 -----
2 files changed, 10 deletions(-)
diff --git a/tools/ocft/exportfs b/tools/ocft/exportfs
index 285a4b8ea0..1ec3d4c364 100644
--- a/tools/ocft/exportfs
+++ b/tools/ocft/exportfs
@@ -28,11 +28,6 @@ CASE "check base env"
Include prepare
AgentRun start OCF_SUCCESS
-CASE "check base env: no 'OCF_RESKEY_fsid'"
- Include prepare
- Env OCF_RESKEY_fsid=
- AgentRun start OCF_ERR_CONFIGURED
-
CASE "check base env: invalid 'OCF_RESKEY_directory'"
Include prepare
Env OCF_RESKEY_directory=/no_such
diff --git a/tools/ocft/exportfs-multidir b/tools/ocft/exportfs-multidir
index 00e41f0859..ac6d5c7f6a 100644
--- a/tools/ocft/exportfs-multidir
+++ b/tools/ocft/exportfs-multidir
@@ -28,11 +28,6 @@ CASE "check base env"
Include prepare
AgentRun start OCF_SUCCESS
-CASE "check base env: no 'OCF_RESKEY_fsid'"
- Include prepare
- Env OCF_RESKEY_fsid=
- AgentRun start OCF_ERR_CONFIGURED
-
CASE "check base env: invalid 'OCF_RESKEY_directory'"
Include prepare
Env OCF_RESKEY_directory=/no_such

View File

@ -0,0 +1,45 @@
From e4f84ae185b6943d1ff461d53c7f1b5295783086 Mon Sep 17 00:00:00 2001
From: Valentin Vidic <vvidic@valentin-vidic.from.hr>
Date: Wed, 1 Nov 2023 19:35:21 +0100
Subject: [PATCH] findif.sh: fix loopback handling
tools/ocft/IPaddr2 fails the loopback test because of the missing
table local parameter:
$ ip -o -f inet route list match 127.0.0.3 scope host
$ ip -o -f inet route list match 127.0.0.3 table local scope host
local 127.0.0.0/8 dev lo proto kernel src 127.0.0.1
Also rename the function because it is called only in for the special
loopback address case.
---
heartbeat/findif.sh | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/heartbeat/findif.sh b/heartbeat/findif.sh
index 5f1c19ec3..7c766e6e0 100644
--- a/heartbeat/findif.sh
+++ b/heartbeat/findif.sh
@@ -29,10 +29,10 @@ prefixcheck() {
fi
return 0
}
-getnetworkinfo()
+getloopbackinfo()
{
local line netinfo
- ip -o -f inet route list match $OCF_RESKEY_ip table "${OCF_RESKEY_table:=main}" scope host | (while read line;
+ ip -o -f inet route list match $OCF_RESKEY_ip table local scope host | (while read line;
do
netinfo=`echo $line | awk '{print $2}'`
case $netinfo in
@@ -222,7 +222,7 @@ findif()
if [ $# = 0 ] ; then
case $OCF_RESKEY_ip in
127.*)
- set -- `getnetworkinfo`
+ set -- `getloopbackinfo`
shift;;
esac
fi

View File

@ -0,0 +1,20 @@
--- a/heartbeat/findif.sh 2024-02-08 11:31:53.414257686 +0100
+++ b/heartbeat/findif.sh 2023-11-02 10:20:12.150853167 +0100
@@ -210,14 +210,14 @@
fi
findif_check_params $family || return $?
- if [ -n "$netmask" ] ; then
+ if [ -n "$netmask" ]; then
match=$match/$netmask
fi
if [ -n "$nic" ] ; then
# NIC supports more than two.
- set -- $(ip -o -f $family route list match $match $scope table "${OCF_RESKEY_table:=main}" | grep "dev $nic " | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
+ set -- $(ip -o -f $family route list match $match $scope | grep "dev $nic " | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
else
- set -- $(ip -o -f $family route list match $match $scope table "${OCF_RESKEY_table:=main}" | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
+ set -- $(ip -o -f $family route list match $match $scope | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
fi
if [ $# = 0 ] ; then
case $OCF_RESKEY_ip in

View File

@ -0,0 +1,555 @@
From f45f76600a7e02c860566db7d1350dc3b09449c2 Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen <oalbrigt@redhat.com>
Date: Mon, 6 Nov 2023 15:49:44 +0100
Subject: [PATCH] aws-vpc-move-ip/aws-vpc-route53/awseip/awsvip: add auth_type
parameter and AWS Policy based authentication type
---
heartbeat/aws-vpc-move-ip | 43 +++++++++++++++++++----
heartbeat/aws-vpc-route53.in | 47 ++++++++++++++++++++-----
heartbeat/awseip | 68 +++++++++++++++++++++++++++---------
heartbeat/awsvip | 60 ++++++++++++++++++++++++-------
4 files changed, 173 insertions(+), 45 deletions(-)
diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
index dee040300f..54806f6eaa 100755
--- a/heartbeat/aws-vpc-move-ip
+++ b/heartbeat/aws-vpc-move-ip
@@ -36,6 +36,7 @@
# Defaults
OCF_RESKEY_awscli_default="/usr/bin/aws"
+OCF_RESKEY_auth_type_default="key"
OCF_RESKEY_profile_default="default"
OCF_RESKEY_region_default=""
OCF_RESKEY_ip_default=""
@@ -48,6 +49,7 @@ OCF_RESKEY_monapi_default="false"
OCF_RESKEY_lookup_type_default="InstanceId"
: ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
: ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
: ${OCF_RESKEY_ip=${OCF_RESKEY_ip_default}}
@@ -58,8 +60,6 @@ OCF_RESKEY_lookup_type_default="InstanceId"
: ${OCF_RESKEY_iflabel=${OCF_RESKEY_iflabel_default}}
: ${OCF_RESKEY_monapi=${OCF_RESKEY_monapi_default}}
: ${OCF_RESKEY_lookup_type=${OCF_RESKEY_lookup_type_default}}
-
-[ -n "$OCF_RESKEY_region" ] && region_opt="--region $OCF_RESKEY_region"
#######################################################################
@@ -83,6 +83,10 @@ cat <<END
<longdesc lang="en">
Resource Agent to move IP addresses within a VPC of the Amazon Webservices EC2
by changing an entry in an specific routing table
+
+Credentials needs to be setup by running "aws configure", or by using AWS Policies.
+
+See https://aws.amazon.com/cli/ for more information about awscli.
</longdesc>
<shortdesc lang="en">Move IP within a VPC of the AWS EC2</shortdesc>
@@ -95,6 +99,15 @@ Path to command line tools for AWS
<content type="string" default="${OCF_RESKEY_awscli_default}" />
</parameter>
+<parameter name="auth_type">
+<longdesc lang="en">
+Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
+or "role" to use AWS Policies.
+</longdesc>
+<shortdesc lang="en">Authentication type</shortdesc>
+<content type="string" default="${OCF_RESKEY_auth_type_default}" />
+</parameter>
+
<parameter name="profile">
<longdesc lang="en">
Valid AWS CLI profile name (see ~/.aws/config and 'aws configure')
@@ -198,7 +211,7 @@ END
execute_cmd_as_role(){
cmd=$1
role=$2
- output="$($OCF_RESKEY_awscli sts assume-role --role-arn $role --role-session-name AWSCLI-RouteTableUpdate --profile $OCF_RESKEY_profile $region_opt --output=text)"
+ output="$($AWSCLI_CMD sts assume-role --role-arn $role --role-session-name AWSCLI-RouteTableUpdate --output=text)"
export AWS_ACCESS_KEY_ID="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $5}')"
export AWS_SECRET_ACCESS_KEY="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $7}')"
export AWS_SESSION_TOKEN="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $8}')"
@@ -220,11 +233,11 @@ ec2ip_set_address_param_compat(){
}
ec2ip_validate() {
- for cmd in $OCF_RESKEY_awscli ip curl; do
+ for cmd in "$OCF_RESKEY_awscli" ip curl; do
check_binary "$cmd"
done
- if [ -z "$OCF_RESKEY_profile" ]; then
+ if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
ocf_exit_reason "profile parameter not set"
return $OCF_ERR_CONFIGURED
fi
@@ -262,7 +275,7 @@ ec2ip_monitor() {
for rtb in $(echo $OCF_RESKEY_routing_table | sed -e 's/,/ /g'); do
ocf_log info "monitor: check routing table (API call) - $rtb"
if [ -z "${OCF_RESKEY_routing_table_role}" ]; then
- cmd="$OCF_RESKEY_awscli --profile $OCF_RESKEY_profile $region_opt --output text ec2 describe-route-tables --route-table-ids $rtb --query RouteTables[*].Routes[?DestinationCidrBlock=='$OCF_RESKEY_ip/32'].$OCF_RESKEY_lookup_type"
+ cmd="$AWSCLI_CMD --output text ec2 describe-route-tables --route-table-ids $rtb --query RouteTables[*].Routes[?DestinationCidrBlock=='$OCF_RESKEY_ip/32'].$OCF_RESKEY_lookup_type"
ocf_log debug "executing command: $cmd"
ROUTE_TO_INSTANCE="$($cmd)"
else
@@ -368,7 +381,7 @@ ec2ip_get_and_configure() {
EC2_NETWORK_INTERFACE_ID="$(ec2ip_get_instance_eni)"
for rtb in $(echo $OCF_RESKEY_routing_table | sed -e 's/,/ /g'); do
if [ -z "${OCF_RESKEY_routing_table_role}" ]; then
- cmd="$OCF_RESKEY_awscli --profile $OCF_RESKEY_profile $region_opt --output text ec2 replace-route --route-table-id $rtb --destination-cidr-block ${OCF_RESKEY_ip}/32 --network-interface-id $EC2_NETWORK_INTERFACE_ID"
+ cmd="$AWSCLI_CMD --output text ec2 replace-route --route-table-id $rtb --destination-cidr-block ${OCF_RESKEY_ip}/32 --network-interface-id $EC2_NETWORK_INTERFACE_ID"
ocf_log debug "executing command: $cmd"
$cmd
else
@@ -475,6 +488,22 @@ if ! ocf_is_root; then
exit $OCF_ERR_PERM
fi
+AWSCLI_CMD="${OCF_RESKEY_awscli}"
+if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
+ AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
+elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
+ if [ -z "${OCF_RESKEY_region}" ]; then
+ ocf_exit_reason "region needs to be set when using role-based authentication"
+ exit $OCF_ERR_CONFIGURED
+ fi
+else
+ ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
+ exit $OCF_ERR_CONFIGURED
+fi
+if [ -n "${OCF_RESKEY_region}" ]; then
+ AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
+fi
+
ec2ip_set_address_param_compat
ec2ip_validate
diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
index 22cbb35833..18ab157e8a 100644
--- a/heartbeat/aws-vpc-route53.in
+++ b/heartbeat/aws-vpc-route53.in
@@ -46,24 +46,22 @@
# Defaults
OCF_RESKEY_awscli_default="/usr/bin/aws"
+OCF_RESKEY_auth_type_default="key"
OCF_RESKEY_profile_default="default"
+OCF_RESKEY_region_default=""
OCF_RESKEY_hostedzoneid_default=""
OCF_RESKEY_fullname_default=""
OCF_RESKEY_ip_default="local"
OCF_RESKEY_ttl_default=10
: ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
: ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
+: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
: ${OCF_RESKEY_hostedzoneid:=${OCF_RESKEY_hostedzoneid_default}}
: ${OCF_RESKEY_fullname:=${OCF_RESKEY_fullname_default}}
: ${OCF_RESKEY_ip:=${OCF_RESKEY_ip_default}}
: ${OCF_RESKEY_ttl:=${OCF_RESKEY_ttl_default}}
-#######################################################################
-
-
-AWS_PROFILE_OPT="--profile $OCF_RESKEY_profile --cli-connect-timeout 10"
-#######################################################################
-
usage() {
cat <<-EOT
@@ -123,6 +121,15 @@ Path to command line tools for AWS
<content type="string" default="${OCF_RESKEY_awscli_default}" />
</parameter>
+<parameter name="auth_type">
+<longdesc lang="en">
+Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
+or "role" to use AWS Policies.
+</longdesc>
+<shortdesc lang="en">Authentication type</shortdesc>
+<content type="string" default="${OCF_RESKEY_auth_type_default}" />
+</parameter>
+
<parameter name="profile">
<longdesc lang="en">
The name of the AWS CLI profile of the root account. This
@@ -196,7 +203,7 @@ r53_validate() {
# Check for required binaries
ocf_log debug "Checking for required binaries"
- for command in curl dig; do
+ for command in "${OCF_RESKEY_awscli}" curl dig; do
check_binary "$command"
done
@@ -216,7 +223,10 @@ r53_validate() {
esac
# profile
- [[ -z "$OCF_RESKEY_profile" ]] && ocf_log error "AWS CLI profile not set $OCF_RESKEY_profile!" && exit $OCF_ERR_CONFIGURED
+ if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
+ ocf_exit_reason "profile parameter not set"
+ return $OCF_ERR_CONFIGURED
+ fi
# TTL
[[ -z "$OCF_RESKEY_ttl" ]] && ocf_log error "TTL not set $OCF_RESKEY_ttl!" && exit $OCF_ERR_CONFIGURED
@@ -417,7 +427,6 @@ _update_record() {
}
###############################################################################
-
case $__OCF_ACTION in
usage|help)
usage
@@ -427,6 +436,26 @@ case $__OCF_ACTION in
metadata
exit $OCF_SUCCESS
;;
+esac
+
+AWSCLI_CMD="${OCF_RESKEY_awscli}"
+if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
+ AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
+elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
+ if [ -z "${OCF_RESKEY_region}" ]; then
+ ocf_exit_reason "region needs to be set when using role-based authentication"
+ exit $OCF_ERR_CONFIGURED
+ fi
+else
+ ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
+ exit $OCF_ERR_CONFIGURED
+fi
+if [ -n "${OCF_RESKEY_region}" ]; then
+ AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
+fi
+AWSCLI_CMD="$AWSCLI_CMD --cli-connect-timeout 10"
+
+case $__OCF_ACTION in
start)
r53_validate || exit $?
r53_start
diff --git a/heartbeat/awseip b/heartbeat/awseip
index dc48460c85..49b0ca6155 100755
--- a/heartbeat/awseip
+++ b/heartbeat/awseip
@@ -23,7 +23,8 @@
#
# Prerequisites:
#
-# - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.)
+# - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.) or
+# (AWSRole) Setup up relevant AWS Policies to allow agent related functions to be executed.
# - a reserved secondary private IP address for EC2 instances high availability
# - IAM user role with the following permissions:
# * DescribeInstances
@@ -44,11 +45,15 @@
# Defaults
#
OCF_RESKEY_awscli_default="/usr/bin/aws"
+OCF_RESKEY_auth_type_default="key"
OCF_RESKEY_profile_default="default"
+OCF_RESKEY_region_default=""
OCF_RESKEY_api_delay_default="3"
: ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
: ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
+: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
: ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
meta_data() {
@@ -63,7 +68,7 @@ Resource Agent for Amazon AWS Elastic IP Addresses.
It manages AWS Elastic IP Addresses with awscli.
-Credentials needs to be setup by running "aws configure".
+Credentials needs to be setup by running "aws configure", or by using AWS Policies.
See https://aws.amazon.com/cli/ for more information about awscli.
</longdesc>
@@ -79,6 +84,15 @@ command line tools for aws services
<content type="string" default="${OCF_RESKEY_awscli_default}" />
</parameter>
+<parameter name="auth_type">
+<longdesc lang="en">
+Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
+or "role" to use AWS Policies.
+</longdesc>
+<shortdesc lang="en">Authentication type</shortdesc>
+<content type="string" default="${OCF_RESKEY_auth_type_default}" />
+</parameter>
+
<parameter name="profile">
<longdesc lang="en">
Valid AWS CLI profile name (see ~/.aws/config and 'aws configure')
@@ -111,6 +125,14 @@ predefined private ip address for ec2 instance
<content type="string" default="" />
</parameter>
+<parameter name="region" required="0">
+<longdesc lang="en">
+Region for AWS resource (required for role-based authentication)
+</longdesc>
+<shortdesc lang="en">Region</shortdesc>
+<content type="string" default="${OCF_RESKEY_region_default}" />
+</parameter>
+
<parameter name="api_delay" unique="0">
<longdesc lang="en">
a short delay between API calls, to avoid sending API too quick
@@ -157,13 +179,13 @@ awseip_start() {
NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
fi
done
- $AWSCLI --profile $OCF_RESKEY_profile ec2 associate-address \
+ $AWSCLI_CMD ec2 associate-address \
--network-interface-id ${NETWORK_ID} \
--allocation-id ${ALLOCATION_ID} \
--private-ip-address ${PRIVATE_IP_ADDRESS}
RET=$?
else
- $AWSCLI --profile $OCF_RESKEY_profile ec2 associate-address \
+ $AWSCLI_CMD ec2 associate-address \
--instance-id ${INSTANCE_ID} \
--allocation-id ${ALLOCATION_ID}
RET=$?
@@ -183,7 +205,7 @@ awseip_start() {
awseip_stop() {
awseip_monitor || return $OCF_SUCCESS
- ASSOCIATION_ID=$($AWSCLI --profile $OCF_RESKEY_profile --output json ec2 describe-addresses \
+ ASSOCIATION_ID=$($AWSCLI_CMD --output json ec2 describe-addresses \
--allocation-id ${ALLOCATION_ID} | grep -m 1 "AssociationId" | awk -F'"' '{print$4}')
if [ -z "${ASSOCIATION_ID}" ]; then
@@ -191,9 +213,7 @@ awseip_stop() {
return $OCF_NOT_RUNNING
fi
- $AWSCLI --profile ${OCF_RESKEY_profile} \
- ec2 disassociate-address \
- --association-id ${ASSOCIATION_ID}
+ $AWSCLI_CMD ec2 disassociate-address --association-id ${ASSOCIATION_ID}
RET=$?
# delay to avoid sending request too fast
@@ -208,7 +228,7 @@ awseip_stop() {
}
awseip_monitor() {
- $AWSCLI --profile $OCF_RESKEY_profile ec2 describe-instances --instance-id "${INSTANCE_ID}" | grep -q "${ELASTIC_IP}"
+ $AWSCLI_CMD ec2 describe-instances --instance-id "${INSTANCE_ID}" | grep -q "${ELASTIC_IP}"
RET=$?
if [ $RET -ne 0 ]; then
@@ -218,9 +238,9 @@ awseip_monitor() {
}
awseip_validate() {
- check_binary ${AWSCLI}
+ check_binary "${OCF_RESKEY_awscli}"
- if [ -z "$OCF_RESKEY_profile" ]; then
+ if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
ocf_exit_reason "profile parameter not set"
return $OCF_ERR_CONFIGURED
fi
@@ -238,9 +258,27 @@ case $__OCF_ACTION in
meta_data
exit $OCF_SUCCESS
;;
-esac
+ usage|help)
+ awseip_usage
+ exit $OCF_SUCCESS
+ ;;
+esac
-AWSCLI="${OCF_RESKEY_awscli}"
+AWSCLI_CMD="${OCF_RESKEY_awscli}"
+if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
+ AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
+elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
+ if [ -z "${OCF_RESKEY_region}" ]; then
+ ocf_exit_reason "region needs to be set when using role-based authentication"
+ exit $OCF_ERR_CONFIGURED
+ fi
+else
+ ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
+ exit $OCF_ERR_CONFIGURED
+fi
+if [ -n "${OCF_RESKEY_region}" ]; then
+ AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
+fi
ELASTIC_IP="${OCF_RESKEY_elastic_ip}"
ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
@@ -272,10 +310,6 @@ case $__OCF_ACTION in
validate|validate-all)
awseip_validate
;;
- usage|help)
- awseip_usage
- exit $OCF_SUCCESS
- ;;
*)
awseip_usage
exit $OCF_ERR_UNIMPLEMENTED
diff --git a/heartbeat/awsvip b/heartbeat/awsvip
index 037278e296..bdb4d68dd0 100755
--- a/heartbeat/awsvip
+++ b/heartbeat/awsvip
@@ -23,7 +23,8 @@
#
# Prerequisites:
#
-# - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.)
+# - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.) or
+# (AWSRole) Setup up relevant AWS Policies to allow agent related functions to be executed.
# - a reserved secondary private IP address for EC2 instances high availablity
# - IAM user role with the following permissions:
# * DescribeInstances
@@ -43,11 +44,15 @@
# Defaults
#
OCF_RESKEY_awscli_default="/usr/bin/aws"
+OCF_RESKEY_auth_type_default="key"
OCF_RESKEY_profile_default="default"
+OCF_RESKEY_region_default=""
OCF_RESKEY_api_delay_default="3"
: ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
: ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
+: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
: ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
meta_data() {
@@ -62,7 +67,7 @@ Resource Agent for Amazon AWS Secondary Private IP Addresses.
It manages AWS Secondary Private IP Addresses with awscli.
-Credentials needs to be setup by running "aws configure".
+Credentials needs to be setup by running "aws configure", or by using AWS Policies.
See https://aws.amazon.com/cli/ for more information about awscli.
</longdesc>
@@ -78,6 +83,15 @@ command line tools for aws services
<content type="string" default="${OCF_RESKEY_awscli_default}" />
</parameter>
+<parameter name="auth_type">
+<longdesc lang="en">
+Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
+or "role" to use AWS Policies.
+</longdesc>
+<shortdesc lang="en">Authentication type</shortdesc>
+<content type="string" default="${OCF_RESKEY_auth_type_default}" />
+</parameter>
+
<parameter name="profile">
<longdesc lang="en">
Valid AWS CLI profile name (see ~/.aws/config and 'aws configure')
@@ -94,6 +108,14 @@ reserved secondary private ip for ec2 instance
<content type="string" default="" />
</parameter>
+<parameter name="region" required="0">
+<longdesc lang="en">
+Region for AWS resource (required for role-based authentication)
+</longdesc>
+<shortdesc lang="en">Region</shortdesc>
+<content type="string" default="${OCF_RESKEY_region_default}" />
+</parameter>
+
<parameter name="api_delay" unique="0">
<longdesc lang="en">
a short delay between API calls, to avoid sending API too quick
@@ -131,7 +153,7 @@ END
awsvip_start() {
awsvip_monitor && return $OCF_SUCCESS
- $AWSCLI --profile $OCF_RESKEY_profile ec2 assign-private-ip-addresses \
+ $AWSCLI_CMD ec2 assign-private-ip-addresses \
--network-interface-id ${NETWORK_ID} \
--private-ip-addresses ${SECONDARY_PRIVATE_IP} \
--allow-reassignment
@@ -151,7 +173,7 @@ awsvip_start() {
awsvip_stop() {
awsvip_monitor || return $OCF_SUCCESS
- $AWSCLI --profile $OCF_RESKEY_profile ec2 unassign-private-ip-addresses \
+ $AWSCLI_CMD ec2 unassign-private-ip-addresses \
--network-interface-id ${NETWORK_ID} \
--private-ip-addresses ${SECONDARY_PRIVATE_IP}
RET=$?
@@ -168,7 +190,7 @@ awsvip_stop() {
}
awsvip_monitor() {
- $AWSCLI --profile ${OCF_RESKEY_profile} ec2 describe-instances \
+ $AWSCLI_CMD ec2 describe-instances \
--instance-id "${INSTANCE_ID}" \
--query 'Reservations[].Instances[].NetworkInterfaces[].PrivateIpAddresses[].PrivateIpAddress[]' \
--output text | \
@@ -182,9 +204,9 @@ awsvip_monitor() {
}
awsvip_validate() {
- check_binary ${AWSCLI}
+ check_binary "${OCF_RESKEY_awscli}"
- if [ -z "$OCF_RESKEY_profile" ]; then
+ if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
ocf_exit_reason "profile parameter not set"
return $OCF_ERR_CONFIGURED
fi
@@ -202,9 +224,27 @@ case $__OCF_ACTION in
meta_data
exit $OCF_SUCCESS
;;
+ usage|help)
+ awsvip_usage
+ exit $OCF_SUCCESS
+ ;;
esac
-AWSCLI="${OCF_RESKEY_awscli}"
+AWSCLI_CMD="${OCF_RESKEY_awscli}"
+if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
+ AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
+elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
+ if [ -z "${OCF_RESKEY_region}" ]; then
+ ocf_exit_reason "region needs to be set when using role-based authentication"
+ exit $OCF_ERR_CONFIGURED
+ fi
+else
+ ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
+ exit $OCF_ERR_CONFIGURED
+fi
+if [ -n "${OCF_RESKEY_region}" ]; then
+ AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
+fi
SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
@@ -236,10 +276,6 @@ case $__OCF_ACTION in
validate|validate-all)
awsvip_validate
;;
- usage|help)
- awsvip_usage
- exit $OCF_SUCCESS
- ;;
*)
awsvip_usage
exit $OCF_ERR_UNIMPLEMENTED

View File

@ -0,0 +1,22 @@
From b23ba4eaefb500199c4845751f4c5545c81f42f1 Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen <oalbrigt@redhat.com>
Date: Mon, 20 Nov 2023 16:37:37 +0100
Subject: [PATCH 2/2] findif: also check that netmaskbits != EOS
---
tools/findif.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/findif.c b/tools/findif.c
index a25395fec..ab108a3c4 100644
--- a/tools/findif.c
+++ b/tools/findif.c
@@ -669,7 +669,7 @@ main(int argc, char ** argv) {
}
}
- if (netmaskbits) {
+ if (netmaskbits != NULL && *netmaskbits != EOS) {
best_netmask = netmask;
}else if (best_netmask == 0L) {
/*

View File

@ -0,0 +1,23 @@
From a9c4aeb971e9f4963345d0e215b729def62dd27c Mon Sep 17 00:00:00 2001
From: pepadelic <162310096+pepadelic@users.noreply.github.com>
Date: Mon, 15 Apr 2024 13:52:54 +0200
Subject: [PATCH] Update db2: fix OCF_SUCESS name in db2_notify
fix OCF_SUCESS to OCF_SUCCESS in db2_notify
---
heartbeat/db2 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/heartbeat/db2 b/heartbeat/db2
index 95447ab6cb..1cd66f15af 100755
--- a/heartbeat/db2
+++ b/heartbeat/db2
@@ -848,7 +848,7 @@ db2_notify() {
# only interested in pre-start
[ $OCF_RESKEY_CRM_meta_notify_type = pre \
- -a $OCF_RESKEY_CRM_meta_notify_operation = start ] || return $OCF_SUCESS
+ -a $OCF_RESKEY_CRM_meta_notify_operation = start ] || return $OCF_SUCCESS
# gets FIRST_ACTIVE_LOG
db2_get_cfg $dblist || return $?

View File

@ -0,0 +1,343 @@
From fc0657b936f6a58f741e33f851b22f82bc68bffa Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen <oalbrigt@redhat.com>
Date: Tue, 6 Feb 2024 13:28:12 +0100
Subject: [PATCH 1/2] ocf-shellfuncs: add curl_retry()
---
heartbeat/ocf-shellfuncs.in | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/heartbeat/ocf-shellfuncs.in b/heartbeat/ocf-shellfuncs.in
index c5edb6f57..a69a9743d 100644
--- a/heartbeat/ocf-shellfuncs.in
+++ b/heartbeat/ocf-shellfuncs.in
@@ -672,6 +672,40 @@ EOF
systemctl daemon-reload
}
+# usage: curl_retry RETRIES SLEEP ARGS URL
+#
+# Use --show-error in ARGS to log HTTP error code
+#
+# returns:
+# 0 success
+# exit:
+# 1 fail
+curl_retry()
+{
+ local retries=$1 sleep=$2 opts=$3 url=$4
+ local tries=$(($retries + 1))
+ local args="--fail $opts $url"
+ local result rc
+
+ for try in $(seq $tries); do
+ ocf_log debug "curl $args try $try of $tries"
+ result=$(echo "$args" | xargs curl 2>&1)
+ rc=$?
+
+ ocf_log debug "result: $result"
+ [ $rc -eq 0 ] && break
+ sleep $sleep
+ done
+
+ if [ $rc -ne 0 ]; then
+ ocf_exit_reason "curl $args failed $tries tries"
+ exit $OCF_ERR_GENERIC
+ fi
+
+ echo "$result"
+ return $rc
+}
+
# usage: crm_mon_no_validation args...
# run crm_mon without any cib schema validation
# This is useful when an agent runs in a bundle to avoid potential
From 80d330557319bdae9e45aad1279e435fc481d4e7 Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen <oalbrigt@redhat.com>
Date: Tue, 6 Feb 2024 13:28:25 +0100
Subject: [PATCH 2/2] AWS agents: use curl_retry()
---
heartbeat/aws-vpc-move-ip | 35 ++++++++++++++++++++++++++---------
heartbeat/aws-vpc-route53.in | 27 +++++++++++++++++++++++++--
heartbeat/awseip | 36 +++++++++++++++++++++++++++++++-----
heartbeat/awsvip | 32 ++++++++++++++++++++++++++++----
4 files changed, 110 insertions(+), 20 deletions(-)
diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
index 54806f6ea..6115e5ba8 100755
--- a/heartbeat/aws-vpc-move-ip
+++ b/heartbeat/aws-vpc-move-ip
@@ -47,6 +47,8 @@ OCF_RESKEY_interface_default="eth0"
OCF_RESKEY_iflabel_default=""
OCF_RESKEY_monapi_default="false"
OCF_RESKEY_lookup_type_default="InstanceId"
+OCF_RESKEY_curl_retries_default="3"
+OCF_RESKEY_curl_sleep_default="1"
: ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
@@ -60,6 +62,8 @@ OCF_RESKEY_lookup_type_default="InstanceId"
: ${OCF_RESKEY_iflabel=${OCF_RESKEY_iflabel_default}}
: ${OCF_RESKEY_monapi=${OCF_RESKEY_monapi_default}}
: ${OCF_RESKEY_lookup_type=${OCF_RESKEY_lookup_type_default}}
+: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
+: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
#######################################################################
@@ -194,6 +198,22 @@ Name of resource type to lookup in route table.
<content type="string" default="${OCF_RESKEY_lookup_type_default}" />
</parameter>
+<parameter name="curl_retries" unique="0">
+<longdesc lang="en">
+curl retries before failing
+</longdesc>
+<shortdesc lang="en">curl retries</shortdesc>
+<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
+</parameter>
+
+<parameter name="curl_sleep" unique="0">
+<longdesc lang="en">
+curl sleep between tries
+</longdesc>
+<shortdesc lang="en">curl sleep</shortdesc>
+<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
+</parameter>
+
</parameters>
<actions>
@@ -250,8 +270,10 @@ ec2ip_validate() {
fi
fi
- TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
- EC2_INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
+ TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ EC2_INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
if [ -z "${EC2_INSTANCE_ID}" ]; then
ocf_exit_reason "Instance ID not found. Is this a EC2 instance?"
@@ -365,14 +387,9 @@ ec2ip_get_instance_eni() {
fi
ocf_log debug "MAC address associated with interface ${OCF_RESKEY_interface}: ${MAC_ADDR}"
- cmd="curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDR}/interface-id -H \"X-aws-ec2-metadata-token: $TOKEN\""
- ocf_log debug "executing command: $cmd"
+ cmd="curl_retry \"$OCF_RESKEY_curl_retries\" \"$OCF_RESKEY_curl_sleep\" \"--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'\" \"http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDR}/interface-id\""
EC2_NETWORK_INTERFACE_ID="$(eval $cmd)"
- rc=$?
- if [ $rc != 0 ]; then
- ocf_log warn "command failed, rc: $rc"
- return $OCF_ERR_GENERIC
- fi
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
ocf_log debug "network interface id associated MAC address ${MAC_ADDR}: ${EC2_NETWORK_INTERFACE_ID}"
echo $EC2_NETWORK_INTERFACE_ID
}
diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
index 18ab157e8..eba2ed95c 100644
--- a/heartbeat/aws-vpc-route53.in
+++ b/heartbeat/aws-vpc-route53.in
@@ -53,6 +53,8 @@ OCF_RESKEY_hostedzoneid_default=""
OCF_RESKEY_fullname_default=""
OCF_RESKEY_ip_default="local"
OCF_RESKEY_ttl_default=10
+OCF_RESKEY_curl_retries_default="3"
+OCF_RESKEY_curl_sleep_default="1"
: ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
@@ -62,6 +64,8 @@ OCF_RESKEY_ttl_default=10
: ${OCF_RESKEY_fullname:=${OCF_RESKEY_fullname_default}}
: ${OCF_RESKEY_ip:=${OCF_RESKEY_ip_default}}
: ${OCF_RESKEY_ttl:=${OCF_RESKEY_ttl_default}}
+: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
+: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
usage() {
cat <<-EOT
@@ -185,6 +189,22 @@ Time to live for Route53 ARECORD
<shortdesc lang="en">ARECORD TTL</shortdesc>
<content type="string" default="${OCF_RESKEY_ttl_default}" />
</parameter>
+
+<parameter name="curl_retries" unique="0">
+<longdesc lang="en">
+curl retries before failing
+</longdesc>
+<shortdesc lang="en">curl retries</shortdesc>
+<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
+</parameter>
+
+<parameter name="curl_sleep" unique="0">
+<longdesc lang="en">
+curl sleep between tries
+</longdesc>
+<shortdesc lang="en">curl sleep</shortdesc>
+<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
+</parameter>
</parameters>
<actions>
@@ -357,8 +377,11 @@ r53_monitor() {
_get_ip() {
case $OCF_RESKEY_ip in
local|public)
- TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
- IPADDRESS=$(curl -s http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4 -H "X-aws-ec2-metadata-token: $TOKEN");;
+ TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ IPADDRESS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4")
+ [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ ;;
*.*.*.*)
IPADDRESS="${OCF_RESKEY_ip}";;
esac
diff --git a/heartbeat/awseip b/heartbeat/awseip
index 49b0ca615..ffb6223a1 100755
--- a/heartbeat/awseip
+++ b/heartbeat/awseip
@@ -49,12 +49,16 @@ OCF_RESKEY_auth_type_default="key"
OCF_RESKEY_profile_default="default"
OCF_RESKEY_region_default=""
OCF_RESKEY_api_delay_default="3"
+OCF_RESKEY_curl_retries_default="3"
+OCF_RESKEY_curl_sleep_default="1"
: ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
: ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
: ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
+: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
+: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
meta_data() {
cat <<END
@@ -141,6 +145,22 @@ a short delay between API calls, to avoid sending API too quick
<content type="integer" default="${OCF_RESKEY_api_delay_default}" />
</parameter>
+<parameter name="curl_retries" unique="0">
+<longdesc lang="en">
+curl retries before failing
+</longdesc>
+<shortdesc lang="en">curl retries</shortdesc>
+<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
+</parameter>
+
+<parameter name="curl_sleep" unique="0">
+<longdesc lang="en">
+curl sleep between tries
+</longdesc>
+<shortdesc lang="en">curl sleep</shortdesc>
+<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
+</parameter>
+
</parameters>
<actions>
@@ -171,14 +191,18 @@ awseip_start() {
awseip_monitor && return $OCF_SUCCESS
if [ -n "${PRIVATE_IP_ADDRESS}" ]; then
- NETWORK_INTERFACES_MACS=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/ -H "X-aws-ec2-metadata-token: $TOKEN")
+ NETWORK_INTERFACES_MACS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "-s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/")
for MAC in ${NETWORK_INTERFACES_MACS}; do
- curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/local-ipv4s -H "X-aws-ec2-metadata-token: $TOKEN" |
+ curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "-s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC%/*}/local-ipv4s" |
grep -q "^${PRIVATE_IP_ADDRESS}$"
if [ $? -eq 0 ]; then
- NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
+ NETWORK_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "-s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC%/*}/interface-id")
fi
done
+ if [ -z "$NETWORK_ID" ]; then
+ ocf_exit_reason "Could not find network interface for private_ip_address: $PRIVATE_IP_ADDRESS"
+ exit $OCF_ERR_GENERIC
+ fi
$AWSCLI_CMD ec2 associate-address \
--network-interface-id ${NETWORK_ID} \
--allocation-id ${ALLOCATION_ID} \
@@ -282,8 +306,10 @@ fi
ELASTIC_IP="${OCF_RESKEY_elastic_ip}"
ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
-TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
-INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
+TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
case $__OCF_ACTION in
start)
diff --git a/heartbeat/awsvip b/heartbeat/awsvip
index bdb4d68dd..f2b238a0f 100755
--- a/heartbeat/awsvip
+++ b/heartbeat/awsvip
@@ -48,12 +48,16 @@ OCF_RESKEY_auth_type_default="key"
OCF_RESKEY_profile_default="default"
OCF_RESKEY_region_default=""
OCF_RESKEY_api_delay_default="3"
+OCF_RESKEY_curl_retries_default="3"
+OCF_RESKEY_curl_sleep_default="1"
: ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
: ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
: ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
+: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
+: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
meta_data() {
cat <<END
@@ -124,6 +128,22 @@ a short delay between API calls, to avoid sending API too quick
<content type="integer" default="${OCF_RESKEY_api_delay_default}" />
</parameter>
+<parameter name="curl_retries" unique="0">
+<longdesc lang="en">
+curl retries before failing
+</longdesc>
+<shortdesc lang="en">curl retries</shortdesc>
+<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
+</parameter>
+
+<parameter name="curl_sleep" unique="0">
+<longdesc lang="en">
+curl sleep between tries
+</longdesc>
+<shortdesc lang="en">curl sleep</shortdesc>
+<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
+</parameter>
+
</parameters>
<actions>
@@ -246,10 +266,14 @@ if [ -n "${OCF_RESKEY_region}" ]; then
AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
fi
SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
-TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
-INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
-MAC_ADDRESS=$(curl -s http://169.254.169.254/latest/meta-data/mac -H "X-aws-ec2-metadata-token: $TOKEN")
-NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDRESS}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
+TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+MAC_ADDRESS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/mac")
+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+NETWORK_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDRESS}/interface-id")
+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
case $__OCF_ACTION in
start)

View File

@ -0,0 +1,48 @@
From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
From: Quentin Pradet <quentin.pradet@gmail.com>
Date: Mon, 17 Jun 2024 11:09:06 +0400
Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
* Strip Proxy-Authorization header on redirects
* Fix test_retry_default_remove_headers_on_redirect
* Set release date
---
CHANGES.rst | 5 +++++
src/urllib3/util/retry.py | 4 +++-
test/test_retry.py | 6 ++++-
test/with_dummyserver/test_poolmanager.py | 27 ++++++++++++++++++++---
4 files changed, 37 insertions(+), 5 deletions(-)
diff --git a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py
index 7a76a4a6ad..0456cceba4 100644
--- a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py
+++ b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py
@@ -189,7 +189,9 @@ class Retry:
RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
#: Default headers to be used for ``remove_headers_on_redirect``
- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
+ ["Cookie", "Authorization", "Proxy-Authorization"]
+ )
#: Default maximum backoff time.
DEFAULT_BACKOFF_MAX = 120
diff --git a/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py b/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py
index 7a76a4a6ad..0456cceba4 100644
--- a/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py
+++ b/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py
@@ -189,7 +189,9 @@ class Retry:
RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
#: Default headers to be used for ``remove_headers_on_redirect``
- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
+ ["Cookie", "Authorization", "Proxy-Authorization"]
+ )
#: Default maximum backoff time.
DEFAULT_BACKOFF_MAX = 120

View File

@ -0,0 +1,201 @@
--- a/setuptools/package_index.py 1980-01-01 09:00:00.000000000 +0100
+++ b/setuptools/package_index.py 2024-07-25 10:11:40.537307665 +0200
@@ -1,5 +1,6 @@
"""PyPI and direct package downloading"""
import sys
+import subprocess
import os
import re
import shutil
@@ -563,7 +564,7 @@
scheme = URL_SCHEME(spec)
if scheme:
# It's a url, download it to tmpdir
- found = self._download_url(scheme.group(1), spec, tmpdir)
+ found = self._download_url(spec, tmpdir)
base, fragment = egg_info_for_url(spec)
if base.endswith('.py'):
found = self.gen_setup(found, fragment, tmpdir)
@@ -775,7 +776,7 @@
raise DistutilsError("Download error for %s: %s"
% (url, v))
- def _download_url(self, scheme, url, tmpdir):
+ def _download_url(self, url, tmpdir):
# Determine download filename
#
name, fragment = egg_info_for_url(url)
@@ -790,19 +791,59 @@
filename = os.path.join(tmpdir, name)
- # Download the file
- #
- if scheme == 'svn' or scheme.startswith('svn+'):
- return self._download_svn(url, filename)
- elif scheme == 'git' or scheme.startswith('git+'):
- return self._download_git(url, filename)
- elif scheme.startswith('hg+'):
- return self._download_hg(url, filename)
- elif scheme == 'file':
- return urllib.request.url2pathname(urllib.parse.urlparse(url)[2])
- else:
- self.url_ok(url, True) # raises error if not allowed
- return self._attempt_download(url, filename)
+ return self._download_vcs(url, filename) or self._download_other(url, filename)
+
+ @staticmethod
+ def _resolve_vcs(url):
+ """
+ >>> rvcs = PackageIndex._resolve_vcs
+ >>> rvcs('git+http://foo/bar')
+ 'git'
+ >>> rvcs('hg+https://foo/bar')
+ 'hg'
+ >>> rvcs('git:myhost')
+ 'git'
+ >>> rvcs('hg:myhost')
+ >>> rvcs('http://foo/bar')
+ """
+ scheme = urllib.parse.urlsplit(url).scheme
+ pre, sep, post = scheme.partition('+')
+ # svn and git have their own protocol; hg does not
+ allowed = set(['svn', 'git'] + ['hg'] * bool(sep))
+ return next(iter({pre} & allowed), None)
+
+ def _download_vcs(self, url, spec_filename):
+ vcs = self._resolve_vcs(url)
+ if not vcs:
+ return
+ if vcs == 'svn':
+ raise DistutilsError(
+ f"Invalid config, SVN download is not supported: {url}"
+ )
+
+ filename, _, _ = spec_filename.partition('#')
+ url, rev = self._vcs_split_rev_from_url(url)
+
+ self.info(f"Doing {vcs} clone from {url} to {filename}")
+ subprocess.check_call([vcs, 'clone', '--quiet', url, filename])
+
+ co_commands = dict(
+ git=[vcs, '-C', filename, 'checkout', '--quiet', rev],
+ hg=[vcs, '--cwd', filename, 'up', '-C', '-r', rev, '-q'],
+ )
+ if rev is not None:
+ self.info(f"Checking out {rev}")
+ subprocess.check_call(co_commands[vcs])
+
+ return filename
+
+ def _download_other(self, url, filename):
+ scheme = urllib.parse.urlsplit(url).scheme
+ if scheme == 'file': # pragma: no cover
+ return urllib.request.url2pathname(urllib.parse.urlparse(url).path)
+ # raise error if not allowed
+ self.url_ok(url, True)
+ return self._attempt_download(url, filename)
def scan_url(self, url):
self.process_url(url, True)
@@ -829,76 +870,37 @@
os.unlink(filename)
raise DistutilsError("Unexpected HTML page found at " + url)
- def _download_svn(self, url, filename):
- url = url.split('#', 1)[0] # remove any fragment for svn's sake
- creds = ''
- if url.lower().startswith('svn:') and '@' in url:
- scheme, netloc, path, p, q, f = urllib.parse.urlparse(url)
- if not netloc and path.startswith('//') and '/' in path[2:]:
- netloc, path = path[2:].split('/', 1)
- auth, host = splituser(netloc)
- if auth:
- if ':' in auth:
- user, pw = auth.split(':', 1)
- creds = " --username=%s --password=%s" % (user, pw)
- else:
- creds = " --username=" + auth
- netloc = host
- parts = scheme, netloc, url, p, q, f
- url = urllib.parse.urlunparse(parts)
- self.info("Doing subversion checkout from %s to %s", url, filename)
- os.system("svn checkout%s -q %s %s" % (creds, url, filename))
- return filename
-
@staticmethod
- def _vcs_split_rev_from_url(url, pop_prefix=False):
- scheme, netloc, path, query, frag = urllib.parse.urlsplit(url)
-
- scheme = scheme.split('+', 1)[-1]
-
- # Some fragment identification fails
- path = path.split('#', 1)[0]
-
- rev = None
- if '@' in path:
- path, rev = path.rsplit('@', 1)
-
- # Also, discard fragment
- url = urllib.parse.urlunsplit((scheme, netloc, path, query, ''))
-
- return url, rev
-
- def _download_git(self, url, filename):
- filename = filename.split('#', 1)[0]
- url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
-
- self.info("Doing git clone from %s to %s", url, filename)
- os.system("git clone --quiet %s %s" % (url, filename))
+ def _vcs_split_rev_from_url(url):
+ """
+ Given a possible VCS URL, return a clean URL and resolved revision if any.
- if rev is not None:
- self.info("Checking out %s", rev)
- os.system("(cd %s && git checkout --quiet %s)" % (
- filename,
- rev,
- ))
+ >>> vsrfu = PackageIndex._vcs_split_rev_from_url
+ >>> vsrfu('git+https://github.com/pypa/setuptools@v69.0.0#egg-info=setuptools')
+ ('https://github.com/pypa/setuptools', 'v69.0.0')
+ >>> vsrfu('git+https://github.com/pypa/setuptools#egg-info=setuptools')
+ ('https://github.com/pypa/setuptools', None)
+ >>> vsrfu('http://foo/bar')
+ ('http://foo/bar', None)
+ """
+ parts = urllib.parse.urlsplit(url)
- return filename
+ clean_scheme = parts.scheme.split('+', 1)[-1]
- def _download_hg(self, url, filename):
- filename = filename.split('#', 1)[0]
- url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
+ # Some fragment identification fails
+ no_fragment_path, _, _ = parts.path.partition('#')
- self.info("Doing hg clone from %s to %s", url, filename)
- os.system("hg clone --quiet %s %s" % (url, filename))
+ pre, sep, post = no_fragment_path.rpartition('@')
+ clean_path, rev = (pre, post) if sep else (post, None)
- if rev is not None:
- self.info("Updating to %s", rev)
- os.system("(cd %s && hg up -C -r %s >&-)" % (
- filename,
- rev,
- ))
+ resolved = parts._replace(
+ scheme=clean_scheme,
+ path=clean_path,
+ # discard the fragment
+ fragment='',
+ ).geturl()
- return filename
+ return resolved, rev
def debug(self, msg, *args):
log.debug(msg, *args)

View File

@ -0,0 +1,38 @@
From 38eaf00bc81af7530c56eba282918762a47a9326 Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen <oalbrigt@redhat.com>
Date: Thu, 19 Sep 2024 13:01:53 +0200
Subject: [PATCH] nfsserver: also stop rpc-statd for nfsv4_only to avoid stop
failing in some cases
E.g. nfs_no_notify=true nfsv4_only=true nfs_shared_infodir=/nfsmq/nfsinfo would cause a "Failed to unmount a bind mount" error
---
heartbeat/nfsserver | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/heartbeat/nfsserver b/heartbeat/nfsserver
index 5793d7a70..fd9268afc 100755
--- a/heartbeat/nfsserver
+++ b/heartbeat/nfsserver
@@ -947,15 +947,13 @@ nfsserver_stop ()
sleep 1
done
- if ! ocf_is_true "$OCF_RESKEY_nfsv4_only"; then
- nfs_exec stop rpc-statd > /dev/null 2>&1
- ocf_log info "Stop: rpc-statd"
- rpcinfo -t localhost 100024 > /dev/null 2>&1
- rc=$?
- if [ "$rc" -eq "0" ]; then
- ocf_exit_reason "Failed to stop rpc-statd"
- return $OCF_ERR_GENERIC
- fi
+ nfs_exec stop rpc-statd > /dev/null 2>&1
+ ocf_log info "Stop: rpc-statd"
+ rpcinfo -t localhost 100024 > /dev/null 2>&1
+ rc=$?
+ if [ "$rc" -eq "0" ]; then
+ ocf_exit_reason "Failed to stop rpc-statd"
+ return $OCF_ERR_GENERIC
fi
nfs_exec stop nfs-idmapd > /dev/null 2>&1

View File

@ -0,0 +1,68 @@
From fcceb714085836de9db4493b527e94d85dd72626 Mon Sep 17 00:00:00 2001
From: ut002970 <liuxingwei@uniontech.com>
Date: Wed, 6 Sep 2023 15:27:05 +0800
Subject: [PATCH 1/3] modify error message
---
heartbeat/mysql-common.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/heartbeat/mysql-common.sh b/heartbeat/mysql-common.sh
index 8104019b03..a93acc4c60 100755
--- a/heartbeat/mysql-common.sh
+++ b/heartbeat/mysql-common.sh
@@ -254,7 +254,7 @@ mysql_common_start()
while [ $start_wait = 1 ]; do
if ! ps $pid > /dev/null 2>&1; then
wait $pid
- ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), please check your installation"
+ ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), please check your installation, log message you can check $OCF_RESKEY_log"
return $OCF_ERR_GENERIC
fi
mysql_common_status info
From 8f9b344cd5b3cb96ea0f94b7ab0306da2234ac00 Mon Sep 17 00:00:00 2001
From: ut002970 <liuxingwei@uniontech.com>
Date: Wed, 6 Sep 2023 15:56:24 +0800
Subject: [PATCH 2/3] modify error message
---
heartbeat/mysql-common.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/heartbeat/mysql-common.sh b/heartbeat/mysql-common.sh
index a93acc4c60..d5b2286737 100755
--- a/heartbeat/mysql-common.sh
+++ b/heartbeat/mysql-common.sh
@@ -254,7 +254,7 @@ mysql_common_start()
while [ $start_wait = 1 ]; do
if ! ps $pid > /dev/null 2>&1; then
wait $pid
- ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), please check your installation, log message you can check $OCF_RESKEY_log"
+ ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), Check $OCF_RESKEY_log for details"
return $OCF_ERR_GENERIC
fi
mysql_common_status info
From a292b3c552bf3f2beea5f73e0d171546c0a1273c Mon Sep 17 00:00:00 2001
From: ut002970 <liuxingwei@uniontech.com>
Date: Wed, 6 Sep 2023 16:10:48 +0800
Subject: [PATCH 3/3] modify error message
---
heartbeat/mysql-common.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/heartbeat/mysql-common.sh b/heartbeat/mysql-common.sh
index d5b2286737..d6b4e3cdf4 100755
--- a/heartbeat/mysql-common.sh
+++ b/heartbeat/mysql-common.sh
@@ -254,7 +254,7 @@ mysql_common_start()
while [ $start_wait = 1 ]; do
if ! ps $pid > /dev/null 2>&1; then
wait $pid
- ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), Check $OCF_RESKEY_log for details"
+ ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?). Check $OCF_RESKEY_log for details"
return $OCF_ERR_GENERIC
fi
mysql_common_status info

View File

@ -1,54 +0,0 @@
From 81bb58b05d2ddabd17fe31af39f0e857e61db3c9 Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen <oalbrigt@redhat.com>
Date: Tue, 28 Mar 2023 16:53:45 +0200
Subject: [PATCH] azure-events*: fix for no "Transition Summary" for Pacemaker
2.1+
---
heartbeat/azure-events-az.in | 8 ++++----
heartbeat/azure-events.in | 6 +++---
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/heartbeat/azure-events-az.in b/heartbeat/azure-events-az.in
index 59d0953061..67c02c6422 100644
--- a/heartbeat/azure-events-az.in
+++ b/heartbeat/azure-events-az.in
@@ -311,10 +311,10 @@ class clusterHelper:
summary = clusterHelper._exec("crm_simulate", "-Ls")
if not summary:
ocf.logger.warning("transitionSummary: could not load transition summary")
- return False
+ return ""
if summary.find("Transition Summary:") < 0:
- ocf.logger.warning("transitionSummary: received unexpected transition summary: %s" % summary)
- return False
+ ocf.logger.debug("transitionSummary: no transactions: %s" % summary)
+ return ""
summary = summary.split("Transition Summary:")[1]
ret = summary.split("\n").pop(0)
@@ -768,4 +768,4 @@ def main():
agent.run()
if __name__ == '__main__':
- main()
\ No newline at end of file
+ main()
diff --git a/heartbeat/azure-events.in b/heartbeat/azure-events.in
index 66e129060a..5ad658df93 100644
--- a/heartbeat/azure-events.in
+++ b/heartbeat/azure-events.in
@@ -310,10 +310,10 @@ class clusterHelper:
summary = clusterHelper._exec("crm_simulate", "-Ls")
if not summary:
ocf.logger.warning("transitionSummary: could not load transition summary")
- return False
+ return ""
if summary.find("Transition Summary:") < 0:
- ocf.logger.warning("transitionSummary: received unexpected transition summary: %s" % summary)
- return False
+ ocf.logger.debug("transitionSummary: no transactions: %s" % summary)
+ return ""
summary = summary.split("Transition Summary:")[1]
ret = summary.split("\n").pop(0)

View File

@ -1,77 +0,0 @@
From ff53e5c8d6867e580506d132fba6fcf6aa46b804 Mon Sep 17 00:00:00 2001
From: Peter Varkoly <varkoly@suse.com>
Date: Sat, 29 Apr 2023 08:09:11 +0200
Subject: [PATCH] Use -LS instead of -Ls as parameter to get the Transition
Summary
---
heartbeat/azure-events-az.in | 9 +++++----
heartbeat/azure-events.in | 9 +++++----
2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/heartbeat/azure-events-az.in b/heartbeat/azure-events-az.in
index 67c02c642..46d4d1f3d 100644
--- a/heartbeat/azure-events-az.in
+++ b/heartbeat/azure-events-az.in
@@ -298,7 +298,7 @@ class clusterHelper:
Get the current Pacemaker transition summary (used to check if all resources are stopped when putting a node standby)
"""
# <tniek> Is a global crm_simulate "too much"? Or would it be sufficient it there are no planned transitions for a particular node?
- # # crm_simulate -Ls
+ # # crm_simulate -LS
# Transition Summary:
# * Promote rsc_SAPHana_HN1_HDB03:0 (Slave -> Master hsr3-db1)
# * Stop rsc_SAPHana_HN1_HDB03:1 (hsr3-db0)
@@ -308,15 +308,16 @@ class clusterHelper:
# Transition Summary:
ocf.logger.debug("transitionSummary: begin")
- summary = clusterHelper._exec("crm_simulate", "-Ls")
+ summary = clusterHelper._exec("crm_simulate", "-LS")
if not summary:
ocf.logger.warning("transitionSummary: could not load transition summary")
return ""
if summary.find("Transition Summary:") < 0:
ocf.logger.debug("transitionSummary: no transactions: %s" % summary)
return ""
- summary = summary.split("Transition Summary:")[1]
- ret = summary.split("\n").pop(0)
+ j=summary.find('Transition Summary:') + len('Transition Summary:')
+ l=summary.lower().find('executing cluster transition:')
+ ret = list(filter(str.strip, summary[j:l].split("\n")))
ocf.logger.debug("transitionSummary: finished; return = %s" % str(ret))
return ret
diff --git a/heartbeat/azure-events.in b/heartbeat/azure-events.in
index 5ad658df9..90acaba62 100644
--- a/heartbeat/azure-events.in
+++ b/heartbeat/azure-events.in
@@ -297,7 +297,7 @@ class clusterHelper:
Get the current Pacemaker transition summary (used to check if all resources are stopped when putting a node standby)
"""
# <tniek> Is a global crm_simulate "too much"? Or would it be sufficient it there are no planned transitions for a particular node?
- # # crm_simulate -Ls
+ # # crm_simulate -LS
# Transition Summary:
# * Promote rsc_SAPHana_HN1_HDB03:0 (Slave -> Master hsr3-db1)
# * Stop rsc_SAPHana_HN1_HDB03:1 (hsr3-db0)
@@ -307,15 +307,16 @@ class clusterHelper:
# Transition Summary:
ocf.logger.debug("transitionSummary: begin")
- summary = clusterHelper._exec("crm_simulate", "-Ls")
+ summary = clusterHelper._exec("crm_simulate", "-LS")
if not summary:
ocf.logger.warning("transitionSummary: could not load transition summary")
return ""
if summary.find("Transition Summary:") < 0:
ocf.logger.debug("transitionSummary: no transactions: %s" % summary)
return ""
- summary = summary.split("Transition Summary:")[1]
- ret = summary.split("\n").pop(0)
+ j=summary.find('Transition Summary:') + len('Transition Summary:')
+ l=summary.lower().find('executing cluster transition:')
+ ret = list(filter(str.strip, summary[j:l].split("\n")))
ocf.logger.debug("transitionSummary: finished; return = %s" % str(ret))
return ret

View File

@ -1,79 +0,0 @@
From cf2fd2a9cf06dc2e915f2fb5dbcc5e09e907a6df Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen <oalbrigt@redhat.com>
Date: Thu, 5 Oct 2023 11:53:18 +0200
Subject: [PATCH] findif.sh: dont use table parameter as it returns no netmask
(tested with main/local/custom tables)
---
heartbeat/IPaddr2 | 12 ------------
heartbeat/findif.sh | 8 ++++----
2 files changed, 4 insertions(+), 16 deletions(-)
diff --git a/heartbeat/IPaddr2 b/heartbeat/IPaddr2
index e8384c5866..97a7431a24 100755
--- a/heartbeat/IPaddr2
+++ b/heartbeat/IPaddr2
@@ -73,7 +73,6 @@ OCF_RESKEY_ip_default=""
OCF_RESKEY_cidr_netmask_default=""
OCF_RESKEY_broadcast_default=""
OCF_RESKEY_iflabel_default=""
-OCF_RESKEY_table_default=""
OCF_RESKEY_cidr_netmask_default=""
OCF_RESKEY_lvs_support_default=false
OCF_RESKEY_lvs_ipv6_addrlabel_default=false
@@ -98,7 +97,6 @@ OCF_RESKEY_network_namespace_default=""
: ${OCF_RESKEY_cidr_netmask=${OCF_RESKEY_cidr_netmask_default}}
: ${OCF_RESKEY_broadcast=${OCF_RESKEY_broadcast_default}}
: ${OCF_RESKEY_iflabel=${OCF_RESKEY_iflabel_default}}
-: ${OCF_RESKEY_table=${OCF_RESKEY_table_default}}
: ${OCF_RESKEY_lvs_support=${OCF_RESKEY_lvs_support_default}}
: ${OCF_RESKEY_lvs_ipv6_addrlabel=${OCF_RESKEY_lvs_ipv6_addrlabel_default}}
: ${OCF_RESKEY_lvs_ipv6_addrlabel_value=${OCF_RESKEY_lvs_ipv6_addrlabel_value_default}}
@@ -241,16 +239,6 @@ If a label is specified in nic name, this parameter has no effect.
<content type="string" default="${OCF_RESKEY_iflabel_default}"/>
</parameter>
-<parameter name="table">
-<longdesc lang="en">
-Table to use to lookup which interface to use for the IP.
-
-This can be used for policy based routing. See man ip-rule(8).
-</longdesc>
-<shortdesc lang="en">Table</shortdesc>
-<content type="string" default="${OCF_RESKEY_table_default}" />
-</parameter>
-
<parameter name="lvs_support">
<longdesc lang="en">
Enable support for LVS Direct Routing configurations. In case a IP
diff --git a/heartbeat/findif.sh b/heartbeat/findif.sh
index 6c04c98c19..5f1c19ec3c 100644
--- a/heartbeat/findif.sh
+++ b/heartbeat/findif.sh
@@ -32,7 +32,7 @@ prefixcheck() {
getnetworkinfo()
{
local line netinfo
- ip -o -f inet route list match $OCF_RESKEY_ip table "${OCF_RESKEY_table:=main}" scope host | (while read line;
+ ip -o -f inet route list match $OCF_RESKEY_ip scope host | (while read line;
do
netinfo=`echo $line | awk '{print $2}'`
case $netinfo in
@@ -210,14 +210,14 @@ findif()
fi
findif_check_params $family || return $?
- if [ -n "$netmask" ] ; then
+ if [ -n "$netmask" ]; then
match=$match/$netmask
fi
if [ -n "$nic" ] ; then
# NIC supports more than two.
- set -- $(ip -o -f $family route list match $match $scope table "${OCF_RESKEY_table:=main}" | grep "dev $nic " | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
+ set -- $(ip -o -f $family route list match $match $scope | grep "dev $nic " | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
else
- set -- $(ip -o -f $family route list match $match $scope table "${OCF_RESKEY_table:=main}" | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
+ set -- $(ip -o -f $family route list match $match $scope | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
fi
if [ $# = 0 ] ; then
case $OCF_RESKEY_ip in

View File

@ -590,116 +590,3 @@ diff -uNr a/bundled/aliyun/colorama/demos/demo07.py b/bundled/aliyun/colorama/de
if __name__ == '__main__':
diff -uNr a/bundled/aliyun/pycryptodome/Doc/conf.py b/bundled/aliyun/pycryptodome/Doc/conf.py
--- a/bundled/aliyun/pycryptodome/Doc/conf.py 2018-07-10 21:32:46.000000000 +0200
+++ b/bundled/aliyun/pycryptodome/Doc/conf.py 2018-10-08 12:08:11.122188094 +0200
@@ -15,7 +15,7 @@
# Modules to document with autodoc are in another directory
sys.path.insert(0, os.path.abspath('../lib'))
-print sys.path
+print(sys.path)
# Mock existance of native modules
from Crypto.Util import _raw_api
diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py b/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py
--- a/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py 2018-07-10 21:32:46.000000000 +0200
+++ b/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py 2018-10-08 12:08:11.123188075 +0200
@@ -302,7 +302,7 @@
randfunc = kwargs.pop("randfunc", None)
prime_filter = kwargs.pop("prime_filter", lambda x: True)
if kwargs:
- print "Unknown parameters:", kwargs.keys()
+ print("Unknown parameters:", kwargs.keys())
if exact_bits is None:
raise ValueError("Missing exact_bits parameter")
@@ -341,7 +341,7 @@
exact_bits = kwargs.pop("exact_bits", None)
randfunc = kwargs.pop("randfunc", None)
if kwargs:
- print "Unknown parameters:", kwargs.keys()
+ print("Unknown parameters:", kwargs.keys())
if randfunc is None:
randfunc = Random.new().read
diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py b/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py
--- a/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py 2018-07-10 21:32:46.000000000 +0200
+++ b/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py 2018-10-08 12:08:11.124188057 +0200
@@ -912,4 +912,4 @@
count = 30
for x in xrange(count):
_ = point * d
- print (time.time() - start) / count * 1000, "ms"
+ print((time.time() - start) / count * 1000, "ms")
diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py
--- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py 2018-07-10 21:32:46.000000000 +0200
+++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py 2018-10-08 12:08:11.124188057 +0200
@@ -1276,7 +1276,7 @@
tests += make_block_tests(AES, "AESNI", test_data, {'use_aesni': True})
tests += [ TestMultipleBlocks(True) ]
else:
- print "Skipping AESNI tests"
+ print("Skipping AESNI tests")
return tests
if __name__ == '__main__':
diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py
--- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py 2018-07-10 21:32:46.000000000 +0200
+++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py 2018-10-08 12:08:11.125188038 +0200
@@ -894,7 +894,7 @@
if config.get('slow_tests'):
tests += list_test_cases(NISTTestVectorsGCM_no_clmul)
else:
- print "Skipping test of PCLMULDQD in AES GCM"
+ print("Skipping test of PCLMULDQD in AES GCM")
return tests
diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py
--- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py 2018-07-10 21:32:46.000000000 +0200
+++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py 2018-10-08 12:08:11.125188038 +0200
@@ -39,7 +39,7 @@
"""Convert a text string with bytes in hex form to a byte string"""
clean = b(rws(t))
if len(clean)%2 == 1:
- print clean
+ print(clean)
raise ValueError("Even number of characters expected")
return a2b_hex(clean)
diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py
--- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py 2018-07-10 21:32:46.000000000 +0200
+++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py 2018-10-08 12:08:11.126188020 +0200
@@ -25,11 +25,11 @@
slow_tests = not "--skip-slow-tests" in sys.argv
if not slow_tests:
- print "Skipping slow tests"
+ print("Skipping slow tests")
wycheproof_warnings = "--wycheproof-warnings" in sys.argv
if wycheproof_warnings:
- print "Printing Wycheproof warnings"
+ print("Printing Wycheproof warnings")
config = {'slow_tests' : slow_tests, 'wycheproof_warnings' : wycheproof_warnings }
SelfTest.run(stream=sys.stdout, verbosity=1, config=config)
diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py b/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py
--- a/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py 2018-07-10 21:32:46.000000000 +0200
+++ b/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py 2018-10-08 12:08:11.126188020 +0200
@@ -369,13 +369,13 @@
]
for key, words in data:
- print 'Trying key', key
+ print('Trying key', key)
key=binascii.a2b_hex(key)
w2=key_to_english(key)
if w2!=words:
- print 'key_to_english fails on key', repr(key), ', producing', str(w2)
+ print('key_to_english fails on key', repr(key), ', producing', str(w2))
k2=english_to_key(words)
if k2!=key:
- print 'english_to_key fails on key', repr(key), ', producing', repr(k2)
+ print('english_to_key fails on key', repr(key), ', producing', repr(k2))

View File

@ -43,7 +43,7 @@
%global colorama_dir %{bundled_lib_dir}/aliyun/%{colorama}
# python-pycryptodome bundle
%global pycryptodome pycryptodome
%global pycryptodome_version 3.6.4
%global pycryptodome_version 3.20.0
%global pycryptodome_dir %{bundled_lib_dir}/aliyun/%{pycryptodome}
# python-aliyun-sdk-core bundle
%global aliyunsdkcore aliyun-python-sdk-core
@ -61,6 +61,10 @@
%global aliyuncli aliyun-cli
%global aliyuncli_version 2.1.10
%global aliyuncli_dir %{bundled_lib_dir}/aliyun/%{aliyuncli}
## fix CVEs
# urllib3 bundle
%global urllib3 urllib3
%global urllib3_version 1.26.18
# determine the ras-set to process based on configure invokation
%bcond_with rgmanager
@ -69,7 +73,7 @@
Name: resource-agents
Summary: Open Source HA Reusable Cluster Resource Scripts
Version: 4.9.0
Release: 48%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.alma.1
Release: 54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.5
License: GPLv2+ and LGPLv2+
URL: https://github.com/ClusterLabs/resource-agents
%if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@ -88,6 +92,7 @@ Source7: %{aliyunsdkcore}-%{aliyunsdkcore_version}.tar.gz
Source8: %{aliyunsdkecs}-%{aliyunsdkecs_version}.tar.gz
Source9: %{aliyunsdkvpc}-%{aliyunsdkvpc_version}.tar.gz
Source10: %{aliyuncli}-%{aliyuncli_version}.tar.gz
Source11: %{urllib3}-%{urllib3_version}.tar.gz
Patch0: nova-compute-wait-NovaEvacuate.patch
Patch1: bz1872754-pgsqlms-new-ra.patch
Patch2: bz1995178-storage-mon-fix-typo.patch
@ -148,10 +153,16 @@ Patch56: bz2040110-IPaddr2-IPsrcaddr-2-fix-table-parameter.patch
Patch57: bz2189243-Filesystem-1-improve-stop-action.patch
Patch58: bz2189243-Filesystem-2-fix-incorrect-parameter-types.patch
Patch59: bz2189243-Filesystem-3-fix-signal_delay-default-value.patch
# Patches were taken from:
# https://github.com/ClusterLabs/resource-agents/commit/cf2fd2a9cf06dc2e915f2fb5dbcc5e09e907a6df
Patch60: findif-dont-use-table-parameter-as-it-returns-no-netmask.patch
Patch60: bz1904465-mysql-common-improve-error-message.patch
Patch61: RHEL-15302-1-exportfs-make-fsid-optional.patch
Patch62: RHEL-15302-2-ocft-exportfs-remove-fsid-required-test.patch
Patch63: RHEL-15305-1-findif.sh-fix-loopback-handling.patch
Patch64: RHEL-16248-aws-vpc-move-ip-aws-vpc-route53-awseip-awsvip-auth_type-role.patch
Patch65: RHEL-17083-findif-EOS-fix.patch
Patch66: RHEL-15305-2-findif.sh-dont-use-table-parameter.patch
Patch67: RHEL-34137-aws-agents-use-curl_retry.patch
Patch68: RHEL-32828-db2-fix-OCF_SUCESS-typo.patch
Patch69: RHEL-61138-nfsserver-also-stop-rpc-statd-for-nfsv4_only.patch
# bundle patches
Patch1000: 7-gcp-bundled.patch
@ -164,6 +175,8 @@ Patch1006: python3-syntax-fixes.patch
Patch1007: aliyuncli-python3-fixes.patch
Patch1008: bz1935422-python-pygments-fix-CVE-2021-20270.patch
Patch1009: bz1943464-python-pygments-fix-CVE-2021-27291.patch
Patch1010: RHEL-44923-aliyun-gcp-fix-bundled-urllib3-CVE-2024-37891.patch
Patch1011: RHEL-50360-setuptools-fix-CVE-2024-6345.patch
Obsoletes: heartbeat-resources <= %{version}
Provides: heartbeat-resources = %{version}
@ -258,6 +271,8 @@ Provides: bundled(python-aliyun-sdk-ecs) = %{aliyunsdkecs_version}
Provides: bundled(python-aliyun-sdk-vpc) = %{aliyunsdkvpc_version}
# aliyuncli bundle
Provides: bundled(aliyuncli) = %{aliyuncli_version}
# urllib3 bundle
Provides: bundled(python-urllib3) = %{urllib3_version}
%description aliyun
Alibaba Cloud (Aliyun) resource agents allows Alibaba Cloud
@ -297,7 +312,7 @@ Provides: bundled(python-pyparsing) = 2.1.10
Provides: bundled(python-requests) = 2.10.0
Provides: bundled(python-six) = 1.11.0
Provides: bundled(python-uritemplate) = 3.0.0
Provides: bundled(python-urllib3) = 1.15.1
Provides: bundled(python-urllib3) = %{urllib3_version}
Provides: bundled(python-websocket) = 0.47.0
Provides: bundled(python-yaml) = 3.12
# python-pyroute2 bundle
@ -331,67 +346,76 @@ databases to be managed in a cluster environment.
exit 1
%endif
%setup -q -n %{upstream_prefix}-%{upstream_version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
%patch38 -p1
%patch39 -p1
%patch40 -p1
%patch41 -p1
%patch42 -p1
%patch43 -p1
%patch44 -p1
%patch45 -p1
%patch46 -p1
%patch47 -p1
%patch48 -p1
%patch49 -p1
%patch50 -p1
%patch51 -p1
%patch52 -p1
%patch53 -p1
%patch54 -p1
%patch55 -p1
%patch56 -p1
%patch57 -p1
%patch58 -p1
%patch59 -p1
%patch60 -p1
%patch -p1 -P 0
%patch -p1 -P 1
%patch -p1 -P 2
%patch -p1 -P 3
%patch -p1 -P 4
%patch -p1 -P 5
%patch -p1 -P 6
%patch -p1 -P 7
%patch -p1 -P 8
%patch -p1 -P 9
%patch -p1 -P 10
%patch -p1 -P 11
%patch -p1 -P 12
%patch -p1 -P 13
%patch -p1 -P 14
%patch -p1 -P 15
%patch -p1 -P 16
%patch -p1 -P 17
%patch -p1 -P 18
%patch -p1 -P 19
%patch -p1 -P 20
%patch -p1 -P 21
%patch -p1 -P 22
%patch -p1 -P 23
%patch -p1 -P 24
%patch -p1 -P 25
%patch -p1 -P 26
%patch -p1 -P 27
%patch -p1 -P 28
%patch -p1 -P 29
%patch -p1 -P 30
%patch -p1 -P 31
%patch -p1 -P 32
%patch -p1 -P 33
%patch -p1 -P 34
%patch -p1 -P 35
%patch -p1 -P 36
%patch -p1 -P 37
%patch -p1 -P 38
%patch -p1 -P 39
%patch -p1 -P 40
%patch -p1 -P 41
%patch -p1 -P 42
%patch -p1 -P 43
%patch -p1 -P 44
%patch -p1 -P 45
%patch -p1 -P 46
%patch -p1 -P 47
%patch -p1 -P 48
%patch -p1 -P 49
%patch -p1 -P 50
%patch -p1 -P 51
%patch -p1 -P 52
%patch -p1 -P 53
%patch -p1 -P 54
%patch -p1 -P 55
%patch -p1 -P 56
%patch -p1 -P 57
%patch -p1 -P 58
%patch -p1 -P 59
%patch -p1 -P 60
%patch -p1 -P 61
%patch -p1 -P 62
%patch -p1 -P 63
%patch -p1 -P 64
%patch -p1 -P 65
%patch -p1 -P 66
%patch -p1 -P 67 -F1
%patch -p1 -P 68
%patch -p1 -P 69
chmod 755 heartbeat/nova-compute-wait
chmod 755 heartbeat/NovaEvacuate
@ -405,15 +429,15 @@ mkdir -p %{bundled_lib_dir}/aliyun
%ifarch x86_64
tar -xzf %SOURCE1 -C %{bundled_lib_dir}/gcp
# gcp*: append bundled-directory to search path, gcloud-ra
%patch1000 -p1
%patch -p1 -P 1000
# replace python-rsa with python-cryptography
%patch1001 -p1
%patch -p1 -P 1001
# gcloud support info
%patch1002 -p1
%patch -p1 -P 1002
# configure: skip bundled gcp lib checks
%patch1003 -p1 -F1
%patch -p1 -P 1003 -F1
# gcloud remove python 2 detection
%patch1004 -p1
%patch -p1 -P 1004
# rename gcloud
mv %{googlecloudsdk_dir}/bin/gcloud %{googlecloudsdk_dir}/bin/gcloud-ra
# keep googleapiclient
@ -520,16 +544,16 @@ mv %{bundled_lib_dir}/aliyun/%{aliyuncli}-%{aliyuncli_version} %{aliyuncli_dir}
cp %{aliyuncli_dir}/README.rst %{aliyuncli}_README.rst
cp %{aliyuncli_dir}/LICENSE %{aliyuncli}_LICENSE
# aliyun*: use bundled libraries
%patch1005 -p1
%patch -p1 -P 1005
# aliyun Python 3 fixes
%patch1006 -p1
%patch1007 -p1
%patch -p1 -P 1006
%patch -p1 -P 1007
# fix CVE's in python-pygments
pushd %{googlecloudsdk_dir}/lib/third_party
%patch1008 -p1 -F2
%patch1009 -p1 -F2
%patch -p1 -P 1008 -F2
%patch -p1 -P 1009 -F2
popd
%endif
@ -626,6 +650,9 @@ make install DESTDIR=%{buildroot}
# google-cloud-sdk bundle
%ifarch x86_64
pushd %{googlecloudsdk_dir}
# fix urllib3 CVEs
rm -rf lib/third_party/urllib3
%{__python3} -m pip install --target lib/third_party --no-index --find-links %{_sourcedir} urllib3
mkdir -p %{buildroot}/usr/lib/%{name}/%{googlecloudsdk_dir}
cp -a bin data lib %{buildroot}/usr/lib/%{name}/%{googlecloudsdk_dir}
mkdir %{buildroot}/%{_bindir}
@ -654,6 +681,9 @@ popd
# python-aliyun-sdk-core bundle
pushd %{aliyunsdkcore_dir}
%{__python3} setup.py install -O1 --skip-build --root %{buildroot} --install-lib /usr/lib/%{name}/%{bundled_lib_dir}/aliyun
# fix urllib3 CVEs
rm -rf %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3
%{__python3} -m pip install --target %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}/aliyun/aliyunsdkcore/vendored/requests/packages --no-index --find-links %{_sourcedir} urllib3
popd
# python-aliyun-sdk-ecs bundle
@ -674,6 +704,14 @@ mv %{buildroot}/%{_bindir}/aliyuncli %{buildroot}/%{_bindir}/aliyuncli-ra
# aliyun_completer / aliyun_zsh_complete.sh
rm %{buildroot}/%{_bindir}/aliyun_*
popd
# regular patch doesnt work in build-section
pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1010}
popd
pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}/gcp/google-cloud-sdk/lib/third_party
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1011}
popd
%endif
## tree fixup
@ -967,8 +1005,65 @@ ccs_update_schema > /dev/null 2>&1 ||:
%{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm
%changelog
* Tue Nov 14 2023 Eduard Abdullin <eabdullin@almalinux.org> - 4.9.0-48.alma.1
- findif.sh: dont use table parameter as it returns no netmask
* Tue Oct 1 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.5
- nfsserver: also stop rpc-statd for nfsv4_only to avoid stop failing
in some cases
Resolves: RHEL-61138
* Thu Jul 25 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.4
- bundled setuptools: fix CVE-2024-6345
Resolves: RHEL-50360
* Tue Jul 23 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.3
- gcp-pd-move: fix TLS_VERSION_1 issue
Resolves: RHEL-50041
* Wed Jun 26 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.2
- bundled urllib3: fix CVE-2024-37891
Resolves: RHEL-44923
* Thu May 30 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.1
- AWS agents: retry failed metadata requests to avoid instantly
failing when there is a hiccup in the network or metadata service
- db2: fix OCF_SUCESS typo
Resolves: RHEL-34137, RHEL-32828
* Thu Feb 8 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54
- findif.sh: fix loopback IP handling
Resolves: RHEL-15305
* Wed Jan 24 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-53
- bundled urllib3: fix CVE-2023-45803
- bundled pycryptodome: fix CVE-2023-52323
Resolves: RHEL-22431, RHEL-20916
* Tue Nov 21 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-52
- findif: also check that netmaskbits != EOS
Resolves: RHEL-17083
* Fri Nov 17 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-51
- aws-vpc-move-ip/aws-vpc-route53/awseip/awsvip: add auth_type parameter
and AWS Policy based authentication type
Resolves: RHEL-16248
* Thu Nov 2 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-49
- exportfs: make "fsid" parameter optional
Resolves: RHEL-15302
* Wed Sep 6 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-48
- mysql-common: improve error message
Resolves: rhbz#1904465
* Thu Jul 20 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-47
- Filesystem: improve stop-action and allow setting term/kill signals