SOURCES/7-gcp-bundled.patch

@@ -1,17 +1,6 @@
-diff --color -uNr a/heartbeat/gcp-pd-move.in b/heartbeat/gcp-pd-move.in
---- a/heartbeat/gcp-pd-move.in	2024-07-22 10:59:42.170483160 +0200
-+++ b/heartbeat/gcp-pd-move.in	2024-07-22 11:01:51.455543850 +0200
-@@ -32,6 +32,7 @@
- from ocf import logger
- 
- try:
-+  sys.path.insert(0, '/usr/lib/resource-agents/bundled/gcp')
-   import googleapiclient.discovery
- except ImportError:
-   pass
 diff --color -uNr a/heartbeat/gcp-vpc-move-ip.in b/heartbeat/gcp-vpc-move-ip.in
---- a/heartbeat/gcp-vpc-move-ip.in	2024-07-22 10:59:42.170483160 +0200
-+++ b/heartbeat/gcp-vpc-move-ip.in	2024-07-22 11:01:18.010752081 +0200
+--- a/heartbeat/gcp-vpc-move-ip.in	2022-06-16 09:45:21.419090782 +0200
++++ b/heartbeat/gcp-vpc-move-ip.in	2022-06-16 10:11:22.978648598 +0200
 @@ -36,7 +36,7 @@
  . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
  
@@ -22,8 +11,8 @@ diff --color -uNr a/heartbeat/gcp-vpc-move-ip.in b/heartbeat/gcp-vpc-move-ip.in
  OCF_RESKEY_vpc_network_default="default"
  OCF_RESKEY_interface_default="eth0"
 diff --color -uNr a/heartbeat/gcp-vpc-move-route.in b/heartbeat/gcp-vpc-move-route.in
---- a/heartbeat/gcp-vpc-move-route.in	2024-07-22 10:59:42.170483160 +0200
-+++ b/heartbeat/gcp-vpc-move-route.in	2024-07-22 11:01:18.011752105 +0200
+--- a/heartbeat/gcp-vpc-move-route.in	2022-06-16 09:45:21.420090788 +0200
++++ b/heartbeat/gcp-vpc-move-route.in	2022-06-16 10:11:22.978648598 +0200
 @@ -45,6 +45,7 @@
  from ocf import *
  
@@ -33,8 +22,8 @@ diff --color -uNr a/heartbeat/gcp-vpc-move-route.in b/heartbeat/gcp-vpc-move-rou
    import pyroute2
    try:
 diff --color -uNr a/heartbeat/gcp-vpc-move-vip.in b/heartbeat/gcp-vpc-move-vip.in
---- a/heartbeat/gcp-vpc-move-vip.in	2024-07-22 10:59:42.170483160 +0200
-+++ b/heartbeat/gcp-vpc-move-vip.in	2024-07-22 11:01:18.012752128 +0200
+--- a/heartbeat/gcp-vpc-move-vip.in	2022-06-16 09:45:21.420090788 +0200
++++ b/heartbeat/gcp-vpc-move-vip.in	2022-06-16 10:11:22.979648603 +0200
 @@ -29,6 +29,7 @@
  from ocf import *
  

SOURCES/RHEL-102731-ocf-shellfuncs-remove-extra-sleep-from-curl_retry.patch

@@ -1,24 +0,0 @@
-From d5fbb84496501c7da75cad992e027700823edf65 Mon Sep 17 00:00:00 2001
-From: adamaze <adamaze@gmail.com>
-Date: Mon, 30 Jun 2025 15:55:50 -0500
-Subject: [PATCH] Update ocf-shellfuncs.in
-
----
- heartbeat/ocf-shellfuncs.in | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/heartbeat/ocf-shellfuncs.in b/heartbeat/ocf-shellfuncs.in
-index cb4d5cacc..526be42b6 100644
---- a/heartbeat/ocf-shellfuncs.in
-+++ b/heartbeat/ocf-shellfuncs.in
-@@ -708,7 +708,9 @@ curl_retry()
- 			[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
- 			args=$(echo "$args" | sed "s/$OLD_TOKEN/$TOKEN/")
- 		fi
--		sleep $sleep
-+		if [ $try -lt $tries ]; then
-+			sleep $sleep
-+   		fi
- 	done
- 
- 	if [ $rc -ne 0 ]; then

SOURCES/RHEL-102979-1-nfsserver-support-non-clustered-kerberized-mounts.patch

@@ -1,92 +0,0 @@
-From a4fd26a37b20e86e7c188b45d40e31d240f3decf Mon Sep 17 00:00:00 2001
-From: Oyvind Albrigtsen <oalbrigt@redhat.com>
-Date: Thu, 14 Aug 2025 09:33:17 +0200
-Subject: [PATCH] nfsserver: add ability to set e.g.
- "pipefs-directory=/run/nfs/rpc_pipefs" in /etc/nfs.conf to avoid issues with
- non-clustered Kerberized mounts
-
----
- heartbeat/nfsserver | 28 +++++++++++++++++-----------
- 1 file changed, 17 insertions(+), 11 deletions(-)
-
-diff --git a/heartbeat/nfsserver b/heartbeat/nfsserver
-index 5b02924a9..83f4bac51 100755
---- a/heartbeat/nfsserver
-+++ b/heartbeat/nfsserver
-@@ -264,7 +264,7 @@ set_exec_mode()
- 	##
- 	# If the user defined an init script, It must exist for us to continue
- 	##
--	if [ -n "$OCF_RESKEY_nfs_init_script" ]; then
-+	if [ $systemd_running -ne 0 ] && [ -n "$OCF_RESKEY_nfs_init_script" ]; then
- 		# check_binary will exit the process if init script does not exist
- 		check_binary ${OCF_RESKEY_nfs_init_script}
- 		EXEC_MODE=1
-@@ -274,7 +274,7 @@ set_exec_mode()
- 	##
- 	# Check to see if the default init script exists, if so we'll use that.
- 	##
--	if which $DEFAULT_INIT_SCRIPT > /dev/null 2>&1; then
-+	if [ $systemd_running -ne 0 ] && which $DEFAULT_INIT_SCRIPT > /dev/null 2>&1; then
- 		OCF_RESKEY_nfs_init_script=$DEFAULT_INIT_SCRIPT
- 		EXEC_MODE=1
- 		return 0
-@@ -780,7 +780,7 @@ nfsserver_start ()
- 	# the uts namespace is useless in that case.
- 	# If systemd is running, mangle the nfs-server.service unit,
- 	# independent of the "EXEC_MODE" we detected.
--	if $systemd_is_running ; then
-+	if [ $systemd_running -eq 0 ]; then
- 		if [ -z "$OCF_RESKEY_nfs_server_scope" ] ; then
- 			remove_unshare_uts_dropins
- 		else
-@@ -789,7 +789,9 @@ nfsserver_start ()
- 	fi
- 
- 	if ! `mount | grep -q " on $OCF_RESKEY_rpcpipefs_dir "`; then
--		mount -t rpc_pipefs sunrpc $OCF_RESKEY_rpcpipefs_dir
-+		if [ $systemd_running -ne 0 ] || { [ $systemd_running -eq 0 ] && systemctl -q is-enabled var-lib-nfs-rpc_pipefs.mount ;}; then
-+			mount -t rpc_pipefs sunrpc $OCF_RESKEY_rpcpipefs_dir
-+		fi
- 	fi
- 
- 	# remove the sm-notify pid so sm-notify will be allowed to run again without requiring a reboot.
-@@ -1003,11 +1005,15 @@ nfsserver_stop ()
- 		fi
- 	fi
- 
--	# systemd
--	case $EXEC_MODE in
--            [23]) nfs_exec stop rpc-gssd > /dev/null 2>&1
--		  ocf_log info "Stop: rpc-gssd"
--	esac
-+
-+	if mount | grep -q " on $OCF_RESKEY_rpcpipefs_dir "; then
-+		# systemd
-+		case $EXEC_MODE in
-+			[23])
-+				nfs_exec stop rpc-gssd > /dev/null 2>&1
-+				ocf_log info "Stop: rpc-gssd"
-+		esac
-+	fi
- 
- 	unbind_tree
- 	rc=$?
-@@ -1017,7 +1023,7 @@ nfsserver_stop ()
- 		ocf_log info "NFS server stopped"
- 	fi
- 
--	if $systemd_is_running; then
-+	if [ $systemd_running -eq 0 ]; then
- 		remove_unshare_uts_dropins
- 	fi
- 
-@@ -1057,7 +1063,7 @@ nfsserver_validate ()
- }
- 
- nfsserver_validate
--systemd_is_running && systemd_is_running=true || systemd_is_running=false
-+systemd_is_running; systemd_running=$?
- 
- case $__OCF_ACTION in
- 	start)      nfsserver_start

SOURCES/RHEL-102979-2-nfsserver-fix-error-message.patch

@@ -1,24 +0,0 @@
-From 72620db5b52c943358faaf77ce5a15fb41169fab Mon Sep 17 00:00:00 2001
-From: Oyvind Albrigtsen <oalbrigt@redhat.com>
-Date: Fri, 31 Oct 2025 11:22:46 +0100
-Subject: [PATCH] nfsserver: set systemd_running before nfsserver_validate() to
- avoid error message
-
----
- heartbeat/nfsserver | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/heartbeat/nfsserver b/heartbeat/nfsserver
-index 83f4bac51..71a711305 100755
---- a/heartbeat/nfsserver
-+++ b/heartbeat/nfsserver
-@@ -1062,8 +1062,8 @@ nfsserver_validate ()
- 	return $OCF_SUCCESS
- }
- 
--nfsserver_validate
- systemd_is_running; systemd_running=$?
-+nfsserver_validate
- 
- case $__OCF_ACTION in
- 	start)      nfsserver_start

SOURCES/RHEL-104761-aliyun-gcp-fix-bundled-requests-CVE-2024-47081.patch

@@ -1,47 +0,0 @@
-From 57acb7c26d809cf864ec439b8bcd6364702022d5 Mon Sep 17 00:00:00 2001
-From: Nate Prewitt <nate.prewitt@gmail.com>
-Date: Wed, 25 Sep 2024 08:03:20 -0700
-Subject: [PATCH] Only use hostname to do netrc lookup instead of netloc
-
----
- src/requests/utils.py | 8 +-------
- 1 file changed, 1 insertion(+), 7 deletions(-)
-
-diff --git a/aliyun/aliyunsdkcore/vendored/requests/utils.py b/aliyun/aliyunsdkcore/vendored/requests/utils.py
-index 699683e5d9..8a307ca8a0 100644
---- a/aliyun/aliyunsdkcore/vendored/requests/utils.py
-+++ b/aliyun/aliyunsdkcore/vendored/requests/utils.py
-@@ -182,13 +182,7 @@
-             return
- 
-         ri = urlparse(url)
--
--        # Strip port numbers from netloc. This weird `if...encode`` dance is
--        # used for Python 3.2, which doesn't support unicode literals.
--        splitstr = b':'
--        if isinstance(url, str):
--            splitstr = splitstr.decode('ascii')
--        host = ri.netloc.split(splitstr)[0]
-+        host = ri.hostname
- 
-         try:
-             _netrc = netrc(netrc_path).authenticators(host)
-diff --git a/gcp/google-cloud-sdk/lib/third_party/requests/utils.py b/gcp/google-cloud-sdk/lib/third_party/requests/utils.py
-index 699683e5d9..8a307ca8a0 100644
---- a/gcp/google-cloud-sdk/lib/third_party/requests/utils.py
-+++ b/gcp/google-cloud-sdk/lib/third_party/requests/utils.py
-@@ -236,13 +236,7 @@ def get_netrc_auth(url, raise_errors=False):
-             return
- 
-         ri = urlparse(url)
--
--        # Strip port numbers from netloc. This weird `if...encode`` dance is
--        # used for Python 3.2, which doesn't support unicode literals.
--        splitstr = b':'
--        if isinstance(url, str):
--            splitstr = splitstr.decode('ascii')
--        host = ri.netloc.split(splitstr)[0]
-+        host = ri.hostname
- 
-         try:
-             _netrc = netrc(netrc_path).authenticators(host)

SOURCES/RHEL-115783-RHEL-115781-db2-add-skip_basic_sql_health_check-and-monitor-parameters.patch

@@ -1,258 +0,0 @@
-From fc240bdff60aae7133a532c7752c6253ce8f65ca Mon Sep 17 00:00:00 2001
-From: Oyvind Albrigtsen <oalbrigt@redhat.com>
-Date: Mon, 4 Aug 2025 16:53:09 +0200
-Subject: [PATCH 1/2] db2: add "skip_basic_sql_health_check" parameter to avoid
- failing on systems with high load
-
----
- heartbeat/db2 | 63 +++++++++++++++++++++++++++++++--------------------
- 1 file changed, 38 insertions(+), 25 deletions(-)
-
-diff --git a/heartbeat/db2 b/heartbeat/db2
-index 1cd66f15a..da6c9d5f1 100755
---- a/heartbeat/db2
-+++ b/heartbeat/db2
-@@ -40,10 +40,12 @@
- # Parameter defaults
- 
- OCF_RESKEY_instance_default=""
-+OCF_RESKEY_skip_basic_sql_health_check_default="false"
- OCF_RESKEY_admin_default=""
- OCF_RESKEY_dbpartitionnum_default="0"
- 
- : ${OCF_RESKEY_instance=${OCF_RESKEY_instance_default}}
-+: ${OCF_RESKEY_skip_basic_sql_health_check=${OCF_RESKEY_skip_basic_sql_health_check_default}}
- : ${OCF_RESKEY_admin=${OCF_RESKEY_admin_default}}
- : ${OCF_RESKEY_dbpartitionnum=${OCF_RESKEY_dbpartitionnum_default}}
- 
-@@ -102,6 +104,15 @@ Defaults to all databases in the instance. Specify one db for HADR mode.
- <shortdesc lang="en">List of databases to be managed</shortdesc>
- <content type="string"/>
- </parameter>
-+<parameter name="skip_basic_sql_health_check" unique="0" required="0">
-+<longdesc lang="en">
-+Skip basic health check SQL query.
-+
-+Only set to "true" to avoid issues during high load.
-+</longdesc>
-+<shortdesc lang="en">Skip basic health check SQL query</shortdesc>
-+<content type="boolean" default="${OCF_RESKEY_skip_basic_sql_health_check_default}" />
-+</parameter>
- <parameter name="admin" unique="0" required="0">
- <longdesc lang="en">
- DEPRECATED: The admin user of the instance.
-@@ -695,31 +706,33 @@ db2_monitor() {
-         # set master preference accordingly
-         case "$hadr" in
-             PRIMARY/*|Primary/*|Standard/*)
--            # perform  a basic health check
--            CMD="if db2 connect to $db;
--            then 
--                db2 select \* from sysibm.sysversions ; rc=\$?;
--                db2 terminate;
--            else
--                rc=\$?;
--            fi;
--            exit \$rc"
--
--            if ! output=$(runasdb2 $CMD)
--            then
--                case "$output" in
--                    SQL1776N*)
--                    # can't connect/select on standby, may be spurious turing takeover
--                    ;;
--
--                    *)
--                    ocf_log err "DB2 database $instance($db2node)/$db is not working"
--                    ocf_log err "DB2 message: $output"
--
--                    # dead primary, remove master score
--                    master_score -D -l reboot
--                    return $OCF_ERR_GENERIC
--                esac
-+            if ! ocf_is_true "$OCF_RESKEY_skip_basic_sql_health_check"; then
-+                # perform  a basic health check
-+                CMD="if db2 connect to $db;
-+                then
-+                    db2 select \* from sysibm.sysversions ; rc=\$?;
-+                    db2 terminate;
-+                else
-+                    rc=\$?;
-+                fi;
-+                exit \$rc"
-+
-+                if ! output=$(runasdb2 $CMD)
-+                then
-+                    case "$output" in
-+                        SQL1776N*)
-+                        # can't connect/select on standby, may be spurious turing takeover
-+                        ;;
-+
-+                        *)
-+                        ocf_log err "DB2 database $instance($db2node)/$db is not working"
-+                        ocf_log err "DB2 message: $output"
-+
-+                        # dead primary, remove master score
-+                        master_score -D -l reboot
-+                        return $OCF_ERR_GENERIC
-+                    esac
-+                fi
-             fi
- 
-             ocf_log debug "DB2 database $instance($db2node)/$db appears to be working"
-
-From ded016f84d3fb77dc0542e3f4226774526910d97 Mon Sep 17 00:00:00 2001
-From: Oyvind Albrigtsen <oalbrigt@redhat.com>
-Date: Thu, 7 Aug 2025 13:55:11 +0200
-Subject: [PATCH 2/2] db2: add "monitor_retries", "monitor_sleep", and
- "monitor_retry_all_errors" parameters to be able to avoid failing on first
- try
-
----
- heartbeat/db2 | 80 +++++++++++++++++++++++++++++++++++++++++++++------
- 1 file changed, 72 insertions(+), 8 deletions(-)
-
-diff --git a/heartbeat/db2 b/heartbeat/db2
-index da6c9d5f1..fe1d9b892 100755
---- a/heartbeat/db2
-+++ b/heartbeat/db2
-@@ -41,11 +41,17 @@
- 
- OCF_RESKEY_instance_default=""
- OCF_RESKEY_skip_basic_sql_health_check_default="false"
-+OCF_RESKEY_monitor_retries_default="1"
-+OCF_RESKEY_monitor_sleep_default="1"
-+OCF_RESKEY_monitor_retry_all_errors_default="false"
- OCF_RESKEY_admin_default=""
- OCF_RESKEY_dbpartitionnum_default="0"
- 
- : ${OCF_RESKEY_instance=${OCF_RESKEY_instance_default}}
- : ${OCF_RESKEY_skip_basic_sql_health_check=${OCF_RESKEY_skip_basic_sql_health_check_default}}
-+: ${OCF_RESKEY_monitor_retries=${OCF_RESKEY_monitor_retries_default}}
-+: ${OCF_RESKEY_monitor_sleep=${OCF_RESKEY_monitor_sleep_default}}
-+: ${OCF_RESKEY_monitor_retry_all_errors=${OCF_RESKEY_monitor_retry_all_errors_default}}
- : ${OCF_RESKEY_admin=${OCF_RESKEY_admin_default}}
- : ${OCF_RESKEY_dbpartitionnum=${OCF_RESKEY_dbpartitionnum_default}}
- 
-@@ -108,11 +114,33 @@ Defaults to all databases in the instance. Specify one db for HADR mode.
- <longdesc lang="en">
- Skip basic health check SQL query.
- 
--Only set to "true" to avoid issues during high load.
-+Only set to "true" when the "monitor_retries" and "monitor_retry_all_errors" parameters arent
-+enough to avoid issues under high load.
- </longdesc>
- <shortdesc lang="en">Skip basic health check SQL query</shortdesc>
- <content type="boolean" default="${OCF_RESKEY_skip_basic_sql_health_check_default}" />
- </parameter>
-+<parameter name="monitor_retries" unique="0" required="0">
-+<longdesc lang="en">
-+Monitor retries before failing.
-+</longdesc>
-+<shortdesc lang="en">Monitor retries</shortdesc>
-+<content type="string" default="${OCF_RESKEY_monitor_retries_default}" />
-+</parameter>
-+<parameter name="monitor_retries_sleep" unique="0" required="0">
-+<longdesc lang="en">
-+Monitor sleep between tries.
-+</longdesc>
-+<shortdesc lang="en">Monitor sleep</shortdesc>
-+<content type="string" default="${OCF_RESKEY_monitor_sleep_default}" />
-+</parameter>
-+<parameter name="monitor_retry_all_errors" unique="0" required="0">
-+<longdesc lang="en">
-+Set to true to retry monitor-action for all errors instead of the default "db2pd" race conditions.
-+</longdesc>
-+<shortdesc lang="en">Retry monitor for all errors</shortdesc>
-+<content type="string" default="${OCF_RESKEY_monitor_retry_all_errors_default}" />
-+</parameter>
- <parameter name="admin" unique="0" required="0">
- <longdesc lang="en">
- DEPRECATED: The admin user of the instance.
-@@ -666,6 +694,7 @@ db2_hadr_status() {
-     local output
- 
-     output=$(runasdb2 db2pd -hadr -db $db)
-+    ocf_log debug "db2_hadr_status: $output"
-     if [ $? != 0 ]
-     then
-         echo "Down/Off"
-@@ -676,7 +705,34 @@ db2_hadr_status() {
-     awk '/^\s+HADR_(ROLE|STATE) =/ {printf $3"/"}
-          /^\s+HADR_CONNECT_STATUS =/ {print $3; exit; }
-          /^HADR is not active/ {print "Standard/Standalone"; exit; }
--         /^Role *State */ {getline; printf "%s/%s\n", $1, $2; exit; }'
-+         /^Role *State */ {getline; printf "%s/%s\n", $1, $2; exit; }
-+         /^Option -hadr requires -db <database> or -alldbs option and active database./ { exit 255 }
-+         /^Another possibility of this failure is the Virtual Address Space Randomization is currently enabled on this system./ { exit 255 }
-+         /^Changing data structure forced command termination./ { exit 255 }'
-+}
-+
-+db2_monitor_retry() {
-+    local tries=$(($OCF_RESKEY_monitor_retries + 1))
-+
-+    for try in $(seq $tries); do
-+        ocf_log debug "monitor try $try of $tries"
-+        db2_monitor
-+        rc=$?
-+        [ $rc -ne $OCF_SUCCESS ] && [ $rc -ne $OCF_RUNNING_MASTER ] && [ $rc -ne $OCF_NOT_RUNNING ] && ocf_log warn "Monitor failed with rc $rc."
-+        if [ $rc -eq $OCF_SUCCESS ] || [ $rc -eq $OCF_RUNNING_MASTER ] || [ $rc -eq $OCF_NOT_RUNNING ] || { [ $rc -ne 255 ] && ! ocf_is_true "$OCF_RESKEY_monitor_retry_all_errors" ;} ;then
-+            break
-+        fi
-+        [ $try -lt $tries ] && sleep $OCF_RESKEY_monitor_sleep
-+    done
-+
-+    [ $rc -eq 255 ] && rc=$OCF_ERR_GENERIC
-+
-+    if [ $rc -ne $OCF_SUCCESS ] && [ $rc -ne $OCF_RUNNING_MASTER ]; then
-+        # instance is dead remove master score
-+        master_score -D -l reboot
-+    fi
-+
-+    return $rc
- }
- 
- #
-@@ -690,9 +746,7 @@ db2_monitor() {
-     db2_instance_status
-     rc=$?
-     if [ $rc -ne $OCF_SUCCESS ]; then
--        # instance is dead remove master score
--        master_score -D -l reboot
--        exit $rc
-+        return $rc
-     fi
- 
-     [ $db2node = 0 ] || return 0
-@@ -700,8 +754,18 @@ db2_monitor() {
- 
-     for db in $dblist
-     do
--        hadr=$(db2_hadr_status $db) || return $OCF_ERR_GENERIC
-+        hadr=$(db2_hadr_status $db)
-+        rc=$?
-         ocf_log debug "Monitor: DB2 database $instance($db2node)/$db has HADR status $hadr"
-+        if [ "$rc" -eq 255 ]; then
-+            if [ "$__OCF_ACTION" = "monitor" ]; then
-+                return $rc
-+            else
-+                return $OCF_ERR_GENERIC
-+            fi
-+        elif [ "$rc" -ne 0 ]; then
-+            return $OCF_ERR_GENERIC
-+        fi
- 
-         # set master preference accordingly
-         case "$hadr" in
-@@ -915,9 +979,9 @@ case "$__OCF_ACTION" in
-     exit $?
-     ;;
- 
--    monitor)	
-+    monitor)
-     db2_validate
--    db2_monitor
-+    db2_monitor_retry
-     exit $?
-     ;;
- 

SOURCES/RHEL-116150-1-ocf-shellfuncs-add-ocf_promotion_score.patch

@@ -1,19 +0,0 @@
---- a/heartbeat/ocf-shellfuncs.in	2025-09-29 14:01:55.762931795 +0200
-+++ b/heartbeat/ocf-shellfuncs.in	2025-09-29 14:09:28.651731793 +0200
-@@ -1093,6 +1093,16 @@
- 	echo $1
- }
- 
-+ocf_promotion_score() {
-+	ocf_version_cmp "$OCF_RESKEY_crm_feature_set" "3.10.0"
-+	res=$?
-+	if [ $res -eq 2 ] || [ $res -eq 1 ] || ! have_binary "crm_master"; then
-+		${HA_SBIN_DIR}/crm_attribute -p ${OCF_RESOURCE_INSTANCE} $@
-+	else
-+		${HA_SBIN_DIR}/crm_master -l reboot $@
-+	fi
-+}
-+
- __ocf_set_defaults "$@"
- 
- : ${OCF_TRACE_RA:=$OCF_RESKEY_trace_ra}

SOURCES/RHEL-116150-2-portblock-add-promotable-support.patch

@@ -1,362 +0,0 @@
---- a/heartbeat/portblock	2025-09-30 09:52:13.967530030 +0200
-+++ b/heartbeat/portblock	2025-09-30 09:52:49.018382542 +0200
-@@ -4,6 +4,7 @@
- #
- # Author:	Sun Jiang Dong (initial version)
- #               Philipp Reisner (per-IP filtering)
-+#               Sebastian Baszczyj (nftables code)
- #
- # License:	GNU General Public License (GPL)
- #
-@@ -43,11 +44,15 @@
- #######################################################################
- CMD=`basename $0`
- TICKLETCP=$HA_BIN/tickle_tcp
-+TABLE="portblock"
-+# Promotion scores
-+SCORE_UNPROMOTED=5
-+SCORE_PROMOTED=10
- 
- usage()
- {
- 	cat <<END >&2
--	usage: $CMD {start|stop|status|monitor|meta-data|validate-all}
-+	usage: $CMD {start|stop|promote|demote|status|monitor|meta-data|validate-all}
- 
- 	$CMD is used to temporarily block ports using iptables.
- 
-@@ -86,8 +91,8 @@
- 	NOTE: iptables is Linux-specific.
- 
- 	An additional feature in the portblock RA is the tickle ACK function
--	enabled by specifying the tickle_dir parameter. The tickle ACK 
--	triggers the clients to faster reconnect their TCP connections to the 
-+	enabled by specifying the tickle_dir parameter. The tickle ACK
-+	triggers the clients to faster reconnect their TCP connections to the
- 	fail-overed server.
- 
- 	Please note that this feature is often used for the floating IP fail-
-@@ -95,7 +100,7 @@
- 	It doesn't support the cluster alias IP scenario.
- 
- 	When using the tickle ACK function, in addition to the normal usage
--	of portblock RA, the parameter tickle_dir must be specified in the 
-+	of portblock RA, the parameter tickle_dir must be specified in the
- 	action=unblock instance of the portblock resources.
- 	For example, you may stack resources like below:
- 		portblock action=block
-@@ -103,18 +108,18 @@
- 		portblock action=unblock tickle_dir=/tickle/state/dir
- 
- 	If you want to tickle all the TCP connections which connected to _one_
--	floating IP but different ports, no matter how many portblock resources 
--	you have defined, you should enable tickles for _one_ portblock 
-+	floating IP but different ports, no matter how many portblock resources
-+	you have defined, you should enable tickles for _one_ portblock
- 	resource(action=unblock) only.
--	
--	The tickle_dir is a location which stores the established TCP 
--	connections. It can be a shared directory(which is cluster-visible to 
-+
-+	The tickle_dir is a location which stores the established TCP
-+	connections. It can be a shared directory(which is cluster-visible to
- 	all nodes) or a local directory.
- 	If you use the shared directory, you needn't do any other things.
- 	If you use the local directory, you must also specify the sync_script
- 	paramater. We recommend you to use csync2 as the sync_script.
--	For example, if you use the local directory /tmp/tickle as tickle_dir, 
--	you could setup the csync2 as the csync2 documentation says and 
-+	For example, if you use the local directory /tmp/tickle as tickle_dir,
-+	you could setup the csync2 as the csync2 documentation says and
- 	configure your /etc/csync2/csync2.cfg like:
- 		group ticklegroup {
- 		  host node1;
-@@ -137,15 +142,19 @@
- <version>1.0</version>
- 
- <longdesc lang="en">
--Resource script for portblock. It is used to temporarily block ports 
-+Resource script for portblock. It is used to block ports 
- using iptables. In addition, it may allow for faster TCP reconnects
- for clients on failover. Use that if there are long lived TCP
- connections to an HA service. This feature is enabled by setting the
- tickle_dir parameter and only in concert with action set to unblock.
- Note that the tickle ACK function is new as of version 3.0.2 and
- hasn't yet seen widespread use.
-+
-+In Promotable mode, the promote action unblocks the port(s) on the Promoted node
-+and blocks the port(s) on the Unpromoted node(s) when action=unblock, and vice versa
-+when action=block.
- </longdesc>
--<shortdesc lang="en">Block and unblocks access to TCP and UDP ports</shortdesc>
-+<shortdesc lang="en">Blocks and unblocks access to TCP and UDP ports</shortdesc>
- 
- <parameters>
- <parameter name="protocol" unique="0" required="1">
-@@ -167,6 +176,10 @@
- <parameter name="action" unique="0" required="1">
- <longdesc lang="en">
- The action (block/unblock) to be done on the protocol::portno.
-+
-+In Promotable mode it is the action for the promote action,
-+and the opposite action will be used for the start and demote
-+actions.
- </longdesc>
- <shortdesc lang="en">action</shortdesc>
- <content type="string" default="${OCF_RESKEY_action_default}" />
-@@ -202,7 +215,7 @@
- 
- <parameter name="tickle_dir" unique="0" required="0">
- <longdesc lang="en">
--The shared or local directory (_must_ be absolute path) which 
-+The shared or local directory (_must_ be absolute path) which
- stores the established TCP connections.
- </longdesc>
- <shortdesc lang="en">Tickle directory</shortdesc>
-@@ -236,6 +249,8 @@
- <actions>
- <action name="start" timeout="20s" />
- <action name="stop" timeout="20s" />
-+<action name="promote" timeout="10s"/>
-+<action name="demote" timeout="10s"/>
- <action name="status" depth="0" timeout="10s" interval="10s" />
- <action name="monitor" depth="0" timeout="10s" interval="10s" />
- <action name="meta-data" timeout="5s" />
-@@ -269,9 +284,9 @@
-   # iptables 1.8.9 briefly broke the output format, returning the
-   # numeric protocol value instead of a string. Support both variants.
-   if [ "$1" = "tcp" ]; then
--    local prot="(tcp|6)"
-+    local prot="\(tcp\|6\)"
-   else
--    local prot="(udp|17)"
-+    local prot="\(udp\|17\)"
-   fi
-   echo "^DROP${w}${prot}${w}--${w}${src}${w}${dst}${w}multiport${w}${4}ports${w}${2}$"
- }
-@@ -281,7 +296,7 @@
- {
-   [ "$4" = "OUTPUT" ] && ds="s" || ds="d"
-   PAT=$(active_grep_pat "$1" "$2" "$3" "$ds")
--  $IPTABLES $wait -n -L "$4" | grep -qE "$PAT"
-+  $IPTABLES $wait -n -L "$4" | grep -q "$PAT"
- }
- 
- # netstat -tn and ss -Htn, split on whitespace and colon,
-@@ -397,6 +412,17 @@
-         rc=$OCF_NOT_RUNNING
-         ;;
-     esac
-+  elif ocf_is_ms; then
-+    case $5 in
-+      block)
-+        SayInactive $*
-+        rc=$OCF_NOT_RUNNING
-+        ;;
-+      *)
-+        SayActive $*
-+        rc=$OCF_SUCCESS
-+        ;;
-+    esac
-   else
-     case $5 in
-       block)
-@@ -493,18 +519,21 @@
- {
-   ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" start
-   case $5 in
--    block)	IptablesBLOCK "$@";;
-+    block)	IptablesBLOCK "$@"
-+		rc=$?
-+		;;
-     unblock)
- 		IptablesUNBLOCK "$@"
- 		rc=$?
- 		tickle_remote
- 		#ignore run_tickle_tcp exit code!
--		return $rc
- 		;;
--    *)		usage; return 1;
-+    *)		usage; return $OCF_ERR_CONFIGURED ;
-   esac
- 
--  return $?
-+  ocf_is_ms && ocf_promotion_score -v $SCORE_UNPROMOTED -N $nodename
-+
-+  return $rc
- }
- 
- #IptablesStop  {udp|tcp} portno,portno ip {in|out|both} {block|unblock}
-@@ -512,17 +541,73 @@
- {
-   ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" stop
-   case $5 in
--    block)	IptablesUNBLOCK "$@";;
-+    block)	IptablesUNBLOCK "$@"
-+		rc=$?
-+		;;
-     unblock)
- 		save_tcp_connections
- 		IptablesBLOCK "$@"
-+		rc=$?
- 		;;
--    *)		usage; return 1;;
-+    *)		usage; return $OCF_ERR_CONFIGURED ;;
-   esac
- 
-+  ocf_is_ms && ocf_promotion_score -D -N $nodename
-+
-+  return $rc
-+}
-+
-+IptablesPromote() {
-+  IptablesStatus "$@"
-+  rc=$?
-+  if [ $rc -eq $OCF_SUCCESS ] && [ $promotion_score -eq $SCORE_PROMOTED ]; then
-+    ocf_log info "Promote: resource already promoted."
-+    return $rc
-+  elif [ $rc -ne $OCF_SUCCESS ] && [ $rc -ne $OCF_NOT_RUNNING ]; then
-+    ocf_exit_reason "Promote: IptablesStatus failed with rc: $rc."
-+    return $rc
-+  fi
-+  case $5 in
-+    block)	IptablesBLOCK "$@"
-+		rc=$?
-+		;;
-+    unblock)
-+		IptablesUNBLOCK "$@"
-+		rc=$?
-+		tickle_remote
-+		#ignore run_tickle_tcp exit code!
-+		;;
-+    *)		usage; return $OCF_ERR_CONFIGURED ;
-+  esac
-+  ocf_promotion_score -v $SCORE_PROMOTED -N $nodename
-   return $?
- }
- 
-+IptablesDemote() {
-+  IptablesStatus "$@"
-+  rc=$?
-+  if [ $rc -eq $OCF_SUCCESS ] && [ $promotion_score -eq $SCORE_UNPROMOTED ]; then
-+    ocf_log info "Demote: resource already demoted."
-+    return $rc
-+  elif [ $rc -ne $OCF_SUCCESS ] && [ $rc -ne $OCF_NOT_RUNNING ]; then
-+    ocf_exit_reason "Demote: IptablesStatus failed with rc: $rc."
-+    return $rc
-+  fi
-+  case $5 in
-+    block)
-+		save_tcp_connections
-+		IptablesBLOCK "$@"
-+		rc=$?
-+		;;
-+    unblock)	IptablesUNBLOCK "$@"
-+		rc=$?
-+		;;
-+    *)		usage; return $OCF_ERR_CONFIGURED ;;
-+  esac
-+  ocf_promotion_score -v $SCORE_UNPROMOTED -N $nodename
-+  return $rc
-+}
-+
- #
- #	Check if the port is valid, this function code is not decent, but works
- #
-@@ -558,17 +643,17 @@
- 	fi
- 	if [ ! -d "$OCF_RESKEY_tickle_dir" ]; then
- 		ocf_log err "The tickle dir doesn't exist!"
--		exit $OCF_ERR_INSTALLED	  	
-+		exit $OCF_ERR_INSTALLED
- 	fi
-   fi
- 
-   case $action in
--    block|unblock)	
-+    block|unblock)
- 	;;
--    *)		
-+    *)
- 	ocf_log err "Invalid action $action!"
- 	exit $OCF_ERR_CONFIGURED
--	;; 
-+	;;
-   esac
- 
-   if ocf_is_true $reset_local_on_unblock_stop; then
-@@ -591,7 +676,7 @@
-   exit $OCF_ERR_ARGS
- fi
- 
--case $1 in
-+case $__OCF_ACTION in
-   meta-data)		meta_data
- 			exit $OCF_SUCCESS
- 			;;
-@@ -605,12 +690,12 @@
- if [ -z "$OCF_RESKEY_protocol" ]; then
-   ocf_log err "Please set OCF_RESKEY_protocol"
-   exit $OCF_ERR_CONFIGURED
--fi 
-+fi
- 
- if [ -z "$OCF_RESKEY_portno" ]; then
-   ocf_log err "Please set OCF_RESKEY_portno"
-   exit $OCF_ERR_CONFIGURED
--fi 
-+fi
- 
- if [ -z "$OCF_RESKEY_action" ]; then
-   ocf_log err "Please set OCF_RESKEY_action"
-@@ -632,6 +717,7 @@
- action=$OCF_RESKEY_action
- ip=$OCF_RESKEY_ip
- reset_local_on_unblock_stop=$OCF_RESKEY_reset_local_on_unblock_stop
-+nodename=$(ocf_local_nodename)
- 
- 
- # If "tickle" is enabled, we need to record the list of currently established
-@@ -647,17 +733,35 @@
- 	fi
- fi
- 
--case $1 in
--  start)	
--			IptablesStart $protocol $portno $ip $direction $action
-+if ocf_is_ms; then
-+  promotion_score=$(ocf_promotion_score -G -N $nodename -q 2> /dev/null)
-+  if { [ "$__OCF_ACTION" = "monitor" ] && [ "$promotion_score" = "$SCORE_UNPROMOTED" ]; } || [ "$__OCF_ACTION" = "demote" ] || [ "$__OCF_ACTION" = "start" ]; then
-+    case $action in
-+      block) action="unblock" ;;
-+      unblock) action="block" ;;
-+    esac
-+  fi
-+fi
-+
-+case $__OCF_ACTION in
-+  start)
-+			IptablesStart "$protocol" "$portno" "$ip" "$direction" "$action"
-+			;;
-+
-+  stop)
-+			IptablesStop "$protocol" "$portno" "$ip" "$direction" "$action"
-+			;;
-+
-+  promote)
-+			IptablesPromote "$protocol" "$portno" "$ip" "$direction" "$action"
- 			;;
- 
--  stop)		
--			IptablesStop $protocol $portno $ip $direction $action
-+  demote)
-+			IptablesDemote "$protocol" "$portno" "$ip" "$direction" "$action"
- 			;;
- 
--  status|monitor)	
--			IptablesStatus $protocol $portno $ip $direction $action
-+  status|monitor)
-+			IptablesStatus "$protocol" "$portno" "$ip" "$direction" "$action"
- 			;;
- 
-   validate-all)

SOURCES/RHEL-116150-3-portblock-fixes-add-method-and-status_check-parameters.patch

@@ -1,180 +0,0 @@
---- a/heartbeat/portblock	2025-10-21 09:27:41.753028260 +0200
-+++ b/heartbeat/portblock	2025-10-21 09:28:55.573855995 +0200
-@@ -28,6 +28,8 @@
- OCF_RESKEY_portno_default=""
- OCF_RESKEY_direction_default="in"
- OCF_RESKEY_action_default=""
-+OCF_RESKEY_method_default="drop"
-+OCF_RESKEY_status_check_default="rule"
- OCF_RESKEY_ip_default="0.0.0.0/0"
- OCF_RESKEY_reset_local_on_unblock_stop_default="false"
- OCF_RESKEY_tickle_dir_default=""
-@@ -37,6 +39,8 @@
- : ${OCF_RESKEY_portno=${OCF_RESKEY_portno_default}}
- : ${OCF_RESKEY_direction=${OCF_RESKEY_direction_default}}
- : ${OCF_RESKEY_action=${OCF_RESKEY_action_default}}
-+: ${OCF_RESKEY_method=${OCF_RESKEY_method_default}}
-+: ${OCF_RESKEY_status_check=${OCF_RESKEY_status_check_default}}
- : ${OCF_RESKEY_ip=${OCF_RESKEY_ip_default}}
- : ${OCF_RESKEY_reset_local_on_unblock_stop=${OCF_RESKEY_reset_local_on_unblock_stop_default}}
- : ${OCF_RESKEY_tickle_dir=${OCF_RESKEY_tickle_dir_default}}
-@@ -185,6 +189,26 @@
- <content type="string" default="${OCF_RESKEY_action_default}" />
- </parameter>
- 
-+<parameter name="method" unique="0" required="0">
-+<longdesc lang="en">
-+Block method:
-+drop: Use DROP rule.
-+reject: Use REJECT rule w/conntrack to clear connections when blocking.
-+</longdesc>
-+<shortdesc lang="en">Block method</shortdesc>
-+<content type="string" default="${OCF_RESKEY_method_default}" />
-+</parameter>
-+
-+<parameter name="status_check" unique="0" required="0">
-+<longdesc lang="en">
-+Status check:
-+rule: Check rule.
-+pseudo: Check pseudo status when rule is absent.
-+</longdesc>
-+<shortdesc lang="en">Status check</shortdesc>
-+<content type="string" default="${OCF_RESKEY_status_check_default}" />
-+</parameter>
-+
- <parameter name="reset_local_on_unblock_stop" unique="0" required="0">
- <longdesc lang="en">
- If for some reason the long lived server side TCP sessions won't be cleaned up
-@@ -253,6 +277,7 @@
- <action name="demote" timeout="10s"/>
- <action name="status" depth="0" timeout="10s" interval="10s" />
- <action name="monitor" depth="0" timeout="10s" interval="10s" />
-+<action name="monitor" depth="0" timeout="10s" interval="9s" role="Promoted" />
- <action name="meta-data" timeout="5s" />
- <action name="validate-all" timeout="5s" />
- </actions>
-@@ -288,7 +313,11 @@
-   else
-     local prot="\(udp\|17\)"
-   fi
--  echo "^DROP${w}${prot}${w}--${w}${src}${w}${dst}${w}multiport${w}${4}ports${w}${2}$"
-+  if [ "$method" = "DROP" ]; then
-+    echo "^DROP${w}${prot}${w}--${w}${src}${w}${dst}${w}multiport${w}${4}ports${w}${2}$"
-+  else
-+    echo "^REJECT${w}${prot}${w}--${w}${src}${w}${dst}${w}multiport${w}${4}ports${w}${2}${w}ctstate${w}NEW,RELATED,ESTABLISHED${w}reject-with${w}tcp-reset$"
-+  fi
- }
- 
- #chain_isactive  {udp|tcp} portno,portno ip chain
-@@ -374,17 +403,17 @@
- 
- SayActive()
- {
--  ocf_log debug "$CMD DROP rule [$*]  is running (OK)"
-+  ocf_log debug "$CMD $method rule [$*] is running (OK)"
- }
- 
- SayConsideredActive()
- {
--  ocf_log debug "$CMD DROP rule [$*] considered to be running (OK)"
-+  ocf_log debug "$CMD $method rule [$*] considered to be running (OK)"
- }
- 
- SayInactive()
- {
--  ocf_log debug "$CMD DROP rule [$*] is inactive"
-+  ocf_log debug "$CMD $method rule [$*] is inactive"
- }
- 
- #IptablesStatus  {udp|tcp} portno,portno ip {in|out|both} {block|unblock}
-@@ -405,14 +434,18 @@
-     case $5 in
-       block)
-         SayActive $*
--        rc=$OCF_SUCCESS
-+        if [ "$__OCF_ACTION" = "monitor" ] && [ "$promotion_score" = "$SCORE_PROMOTED" ]; then
-+          rc=$OCF_RUNNING_MASTER
-+        else
-+          rc=$OCF_SUCCESS
-+        fi
-         ;;
-       *)
-         SayInactive $*
-         rc=$OCF_NOT_RUNNING
-         ;;
-     esac
--  elif ocf_is_ms; then
-+  elif [ "$OCF_RESKEY_status_check" = "rule" ]; then
-     case $5 in
-       block)
-         SayInactive $*
-@@ -420,7 +453,11 @@
-         ;;
-       *)
-         SayActive $*
--        rc=$OCF_SUCCESS
-+        if [ "$__OCF_ACTION" = "monitor" ] && [ "$promotion_score" = "$SCORE_PROMOTED" ]; then
-+          rc=$OCF_RUNNING_MASTER
-+        else
-+          rc=$OCF_SUCCESS
-+        fi
-         ;;
-     esac
-   else
-@@ -461,7 +498,11 @@
-     : Chain already in desired state
-   else
-     [ "$chain" = "OUTPUT" ] && ds="s" || ds="d"
--    $IPTABLES $wait "$op" "$chain" -p "$proto" -${ds} "$ip" -m multiport --${ds}ports "$ports" -j DROP
-+    if [ "$method" = "DROP" ]; then
-+      $IPTABLES $wait "$op" "$chain" -p "$proto" -${ds} "$ip" -m multiport --${ds}ports "$ports" -j DROP
-+    else
-+      $IPTABLES $wait "$op" "$chain" -p "$proto" -${ds} "$ip" -m multiport --${ds}ports "$ports" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j REJECT --reject-with tcp-reset
-+    fi
-   fi
- }
- 
-@@ -486,7 +527,11 @@
-         $IPTABLES $wait -I OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset
-         tickle_local
-       fi
--      $IPTABLES $wait -I INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP
-+      if [ "$method" = "DROP" ]; then
-+        $IPTABLES $wait -I INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP
-+      else
-+        $IPTABLES $wait -I INPUT -p "$1" -d "$3" -m multiport --dports "$2" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j REJECT --reject-with tcp-reset
-+      fi
-       rc_in=$?
-       if $try_reset ; then
-         $IPTABLES $wait -D OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset
-@@ -718,6 +763,13 @@
- ip=$OCF_RESKEY_ip
- reset_local_on_unblock_stop=$OCF_RESKEY_reset_local_on_unblock_stop
- nodename=$(ocf_local_nodename)
-+case "$OCF_RESKEY_method" in
-+	drop)	method="DROP" ;;
-+	reject)	method="REJECT" ;;
-+	*)	ocf_log err "method: $OCF_RESKEY_method not supported"
-+		exit $OCF_ERR_CONFIGURED
-+		;;
-+esac
- 
- 
- # If "tickle" is enabled, we need to record the list of currently established
-@@ -743,6 +795,8 @@
-   fi
- fi
- 
-+IptablesValidateAll
-+
- case $__OCF_ACTION in
-   start)
- 			IptablesStart "$protocol" "$portno" "$ip" "$direction" "$action"
-@@ -765,7 +819,6 @@
- 			;;
- 
-   validate-all)
--			IptablesValidateAll
- 			;;
- 
-   *)			usage

SOURCES/RHEL-118625-db2-use-reintegration-flag-to-avoid-race-condition-on-cluster-reintegration.patch

@@ -1,481 +0,0 @@
-From dbc0d2647d73bed986bf7208df33f092f56e8523 Mon Sep 17 00:00:00 2001
-From: Oyvind Albrigtsen <oalbrigt@redhat.com>
-Date: Thu, 25 Sep 2025 14:23:20 +0200
-Subject: [PATCH] db2: use reintegration flag to avoid race condition on
- cluster reintegration, and removed FAL, as it's no longer needed
-
----
- heartbeat/db2 | 306 ++++++++++++++++++++++++++++++++------------------
- 1 file changed, 197 insertions(+), 109 deletions(-)
-
-diff --git a/heartbeat/db2 b/heartbeat/db2
-index fe1d9b892..83020fc70 100755
---- a/heartbeat/db2
-+++ b/heartbeat/db2
-@@ -37,6 +37,13 @@
- : ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
- . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
- 
-+# Use runuser if available for SELinux.
-+if [ -x "/sbin/runuser" ]; then
-+    SU="runuser"
-+else
-+    SU="su"
-+fi
-+
- # Parameter defaults
- 
- OCF_RESKEY_instance_default=""
-@@ -55,11 +62,12 @@ OCF_RESKEY_dbpartitionnum_default="0"
- : ${OCF_RESKEY_admin=${OCF_RESKEY_admin_default}}
- : ${OCF_RESKEY_dbpartitionnum=${OCF_RESKEY_dbpartitionnum_default}}
- 
-+POSIX_UNICODE_LOCALE="C.UTF-8"
- #######################################################################
- 
- 
- db2_usage() {
--    echo "db2 start|stop|monitor|promote|demote|notify|validate-all|meta-data"
-+    echo "db2 start|stop|monitor|promote|demote|validate-all|meta-data"
- }
- 
- db2_meta_data() {
-@@ -162,7 +170,6 @@ The number of the partition (DBPARTITIONNUM) to be managed.
- <action name="stop" timeout="120s"/>
- <action name="promote" timeout="120s"/>
- <action name="demote" timeout="120s"/>
--<action name="notify" timeout="10s"/>
- <action name="monitor" depth="0" timeout="60s" interval="20s"/>
- <action name="monitor" depth="0" timeout="60s" role="Promoted" interval="22s"/>
- <action name="validate-all" timeout="5s"/>
-@@ -273,7 +280,18 @@ master_score()
- # Run the given command as db2 instance user
- #
- runasdb2() {
--    su $instance -c ". $db2profile; $*"
-+    $SU $instance -c ". $db2profile; $*"
-+}
-+
-+#
-+# Run the given command as db2 instance user using $SU
-+# We run this function as opposed to runasdb2 whenever we have to issue commands
-+# that leave processes running on the system, such as db2start
-+# We do not want these processes to hog the resources as they were run with elevated privileges
-+#
-+runasdb2_session() {
-+   # Override db2profile with unicode locale is required to maintain compatibility with unicode CODEPAGE
-+   $SU "$instance" -c "ksh -c '. $db2profile; export LC_ALL="$POSIX_UNICODE_LOCALE"; export LANG="$POSIX_UNICODE_LOCALE"; $*'"
- }
- 
- #
-@@ -294,48 +312,6 @@ logasdb2() {
- }
- 
- 
--#
--# maintain the fal (first active log) attribute
--# db2_fal_attrib DB {set val|get}
--#
--db2_fal_attrib() {
--    local db=$1
--    local attr val rc id node member me
--
--    attr=db2hadr_${instance}_${db}_fal
--
--    case "$2" in
--        set)
--        me=$(ocf_local_nodename)
--
--        # loop over all member nodes and set attribute
--        crm_node -l |
--        while read id node member
--        do
--            [ "$member" = member -a "$node" != "$me" ] || continue
--            crm_attribute -l forever --node=$node -n $attr -v "$3"
--            rc=$?
--            ocf_log info "DB2 instance $instance($db2node/$db: setting attrib for FAL to $FIRST_ACTIVE_LOG @ $node"
--            [ $rc != 0 ] && break
--        done
--        ;;
--
--        get)
--        crm_attribute -l forever -n $attr -G --quiet 2>&1
--        rc=$?
--        if ! ocf_is_true "$OCF_RESKEY_CRM_meta_notify" && [ $rc != 0 ]
--        then
--            ocf_log warn "DB2 instance $instance($db2node/$db: can't retrieve attribute $attr, are you sure notifications are enabled ?"
--        fi
--        ;;
--
--        *)
--        exit $OCF_ERR_CONFIGURED
--    esac
--
--    return $rc
--}
--
- #
- # unfortunately a first connect after a crash may need several minutes
- # for some internal cleanup stuff in DB2.
-@@ -429,6 +405,42 @@ db2_check_config_compatibility() {
- 
- }
- 
-+#
-+# Start HADR as standby.
-+#
-+# Parameters
-+#     1 - Calling function
-+#     2 - Calling functions line number
-+#
-+# Return codes:
-+#     0 - Start as standby successful
-+#     1 - Start as standby failed
-+#
-+reintegrateAsStandby() {
-+   db=$1
-+   reint_attr="db2hadr-${inst1}_${inst2}_${db}_reint"
-+   ocf_log info "$__OCF_ACTION: $LINENO: reintegrateAsStandby called by $2 at $3. Attempting to reintegrate $db as standby."
-+   if output=$(runasdb2_session "db2 start hadr on db $db as standby"); then
-+      rc=0
-+      ocf_log info "$__OCF_ACTION: $LINENO: Db2 database $instance($db2node)/$db started/activated"
-+   else
-+      case $output in
-+      SQL1777N*)
-+         # SQL1777N: HADR is already started in given state.
-+         ocf_log info "$__OCF_ACTION: $LINENO: $output"
-+         rc=0
-+         ;;
-+
-+      *)
-+         rc=1
-+         ocf_log err "$__OCF_ACTION: $LINENO: Unable to reintegrate Db2 database $instance($db2node)/$db. Please reintegrate manually: $output, return with rc=$rc"
-+         ;;
-+      esac
-+   fi
-+   crm_attribute -n "$reint_attr" -N "$local_host" -v "0" -l forever
-+   return $rc
-+}
-+
- #
- # Start instance and DB.
- # Standard mode is through "db2 activate" in order to start in previous
-@@ -478,6 +490,8 @@ db2_start() {
- 
-     for db in $dblist
-     do
-+        reint_attr="db2hadr-${inst1}_${inst2}_${db}_reint"
-+
-         # sets HADR_ROLE HADR_TIMEOUT HADR_PEER_WINDOW FIRST_ACTIVE_LOG
-         db2_get_cfg $db || return $?
- 
-@@ -488,20 +502,13 @@ db2_start() {
- 
-         if [ $HADR_ROLE = PRIMARY ]
-         then
--            local master_fal
--
--            # communicate our FAL to other nodes the might start concurrently
--            db2_fal_attrib $db set $FIRST_ACTIVE_LOG
--
--            # ignore false positive:
--            # error: Can't use > in [ ]. Escape it or use [[..]]. [SC2073]
--            # see https://github.com/koalaman/shellcheck/issues/691
--            # shellcheck disable=SC2073
--            if master_fal=$(db2_fal_attrib $db get) && [ "$master_fal" '>' $FIRST_ACTIVE_LOG ]
--            then
-+            cib_value=$(crm_attribute -n "$reint_attr" -N "$local_host" -G | awk -v FS=' value=' '{print $2}')
-+            ocf_log info "$__OCF_ACTION: $LINENO: CIB attribute $reint_attr is set to '$cib_value'"
-+            if [ "$cib_value" = "1" ]; then
-                 ocf_log info "DB2 database $instance($db2node)/$db is Primary and outdated, starting as secondary"
-                 start_cmd="db2 start hadr on db $db as standby"
-                 HADR_ROLE=STANDBY
-+                standby_reintegration=1
-             fi
-         fi
- 
-@@ -511,27 +518,65 @@ db2_start() {
-             [ $HADR_ROLE != STANDBY ] && db2_run_connect $db &
-         else
-             case $output in
--                SQL1490W*|SQL1494W*|SQL1497W*|SQL1777N*)
--                ocf_log info "DB2 database $instance($db2node)/$db already activated: $output"
-+            SQL1490W* | SQL1494W* | SQL1497W* | SQL1777N*)
-+                # SQL1490W  Activate database is successful, however, the database has already been activated on one or more nodes.
-+                # SQL1494W  Activate database is successful, however, there is already a connection to the database.
-+                # SQL1497W  Activate/Deactivate database was successful, however, an error occurred on some nodes.
-+                # SQL1777N  HADR is already started.
-+
-+                ocf_log info "$__OCF_ACTION: $LINENO: $instance: $db2node: $db: The database is already activated: $output"
-                 ;;
- 
--                SQL1768N*"Reason code = \"7\""*)
--                ocf_log err "DB2 database $instance($db2node)/$db is a Primary and the Standby is down"
--                ocf_log err "Possible split brain ! Manual intervention required."
-+            SQL1768N*"Reason code = \"7\""*)
-+                rc="$OCF_ERR_GENERIC"
-+
-+                ocf_log err "$__OCF_ACTION: $LINENO: $instance: $db2node: $db: The database is a Primary and the Standby is down"
-+                ocf_log err "Possible split brain! Manual intervention required."
-                 ocf_log err "If this DB is outdated use \"db2 start hadr on db $db as standby\""
--                ocf_log err "If this DB is the surviving primary use \"db2 start hadr on db $db as primary by force\""
-+                ocf_log err "If this DB is the surviving primary use \"db2 start hadr on db $db as primary by force\".  db2_start() exit with rc=$rc."
- 
--                # might be the Standby is not yet there
--                # might be a timing problem because "First active log" is delayed
--                #    on the next start attempt we might succeed when FAL was advanced
--                # might be manual intervention is required
--                # ... so let pacemaker give it another try and we will succeed then
--                return $OCF_ERR_GENERIC
-+                # let pacemaker give it another try and we will succeed then
-+                return "$rc"
-                 ;;
- 
--                *)
--                ocf_log err "DB2 database $instance($db2node)/$db didn't start: $output"
--                return $OCF_ERR_GENERIC
-+            SQL1776N*"Reason code = \"6\""*)
-+                # SQL1776N  The command cannot be issued on an HADR database.
-+                # Reason code 6:
-+                #  This database is an old primary database. It cannot be started
-+                #  because the standby has become the new primary through forced
-+                #  takeover.
-+
-+                rc="$OCF_ERR_GENERIC"
-+                ocf_log err "$__OCF_ACTION: $LINENO: Db2 database $instance($db2node)/$db didn't start: $output, return with rc=$rc"
-+                ocf_log err "$__OCF_ACTION: $LINENO: This database is an old primary database. Trying start again as standby"
-+
-+                start_cmd="db2 start hadr on db $db as standby"
-+                if output=$(runasdb2_session "$start_cmd"); then
-+                    rc="$OCF_SUCCESS"
-+                    ocf_log info "$__OCF_ACTION: $LINENO: Db2 database $instance($db2node)/$db started/activated"
-+                else
-+                    case $output in
-+                    SQL1777N*)
-+                        # SQL1777N: HADR is already started.
-+                        ocf_log info "$__OCF_ACTION: $LINENO: $output"
-+                        rc="$OCF_SUCCESS"
-+                        ;;
-+
-+                    *)
-+                        rc="$OCF_ERR_GENERIC"
-+                        ocf_log err "$__OCF_ACTION: $LINENO: Unable to reintegrate Db2 database $instance($db2node)/$db. Please reintegrate manually: $output, return with rc=$rc"
-+                        ;;
-+                    esac
-+                fi
-+
-+                return "$rc"
-+                ;;
-+
-+            *)
-+                rc="$OCF_ERR_GENERIC"
-+                ocf_log err "$__OCF_ACTION: $LINENO: $instance: $db2node: $db: The database didn't start: $output, db2_start() exit with rc=$rc."
-+                return "$rc"
-+                ;;
-             esac
-         fi
-     done
-@@ -539,6 +584,15 @@ db2_start() {
-     # come here with success
-     # Even if we are a db2 Primary pacemaker requires start to end up in slave mode
-     echo SLAVE > $STATE_FILE
-+
-+    # Unset primary failover attribute as host was successfully reintegrated as standby
-+    if [ "$standby_reintegration" = "1" ]; then
-+        for db in $dblist; do
-+            reint_attr="db2hadr-${inst1}_${inst2}_${db}_reint"
-+            crm_attribute -n "$reint_attr" -N "$local_host" -v "0" -l forever
-+        done
-+    fi
-+
-     return $OCF_SUCCESS
- }
- 
-@@ -737,7 +791,7 @@ db2_monitor_retry() {
- 
- #
- # Monitor the db
--# And as side effect set crm_master / FAL attribute
-+# And as side effect set crm_master
- #
- db2_monitor() {
-     local CMD output hadr db
-@@ -754,6 +808,22 @@ db2_monitor() {
- 
-     for db in $dblist
-     do
-+        reint_attr="db2hadr-${inst1}_${inst2}_${db}_reint"
-+
-+        #Check for the reintegration file, then set the flag if it exists and delete the file
-+        if [ -e "/tmp/$reint_attr" ] && [ -n "$remote_host" ]; then
-+            #The file exist, try to set the reintegration attribute
-+            crm_attribute -n "$reint_attr" -N "$remote_host" -v "1" -l forever
-+            cib_value=$(crm_attribute -n "$reint_attr" -N "$remote_host" -G | awk -v FS=' value=' '{print $2}')
-+
-+            if [ "$cib_value" = "1" ]; then
-+                ocf_log info "$__OCF_ACTION: $LINENO: CIB attribute $reint_attr is set to '$cib_value', reintegration flag file will now be deleted."
-+                rm -f "/tmp/$reint_attr"
-+            else
-+                ocf_log err "$__OCF_ACTION: $LINENO: $instance: $db2node: $db: The reintegration flag file exists, but its attribute failed to set."
-+            fi
-+        fi
-+
-         hadr=$(db2_hadr_status $db)
-         rc=$?
-         ocf_log debug "Monitor: DB2 database $instance($db2node)/$db has HADR status $hadr"
-@@ -804,6 +874,14 @@ db2_monitor() {
-             ;;
- 
-             STANDBY/*PEER/*|Standby/*Peer)
-+            # If db is in standby peer, then it has already reintegrated.
-+            # If the reintegrate flag is still set, remove it
-+            cib_value=$(crm_attribute -n "$reint_attr" -N "$local_host" -G | awk -v FS=' value=' '{print $2}')
-+            if [ "$cib_value" = "1" ]; then
-+               ocf_log info "$__OCF_ACTION: $LINENO: Reintegrate flag detected for $db, but it has already reintegrated as standby. Removing reintegration flag."
-+               crm_attribute -n "$reint_attr" -N "$local_host" -v "0" -l forever
-+            fi
-+
-             master_score -v 8000 -l reboot
-             ;;
- 
-@@ -812,6 +890,34 @@ db2_monitor() {
-             master_score -D -l reboot
-             ;;
- 
-+            Down/Off)
-+            # If db is a deactivated primary and it has a reintegration flag, then reintegrate as standby.
-+            cib_value=$(crm_attribute -n "$reint_attr" -N "$local_host" -G | awk -v FS=' value=' '{print $2}')
-+            if [ "$cib_value" = "1" ]; then
-+                output=$(runasdb2 "db2 get db cfg for $db" | grep 'HADR database role' | awk '{print $5}')
-+                if [ "PRIMARY" = "$output" ]; then
-+                   ocf_log info "$__OCF_ACTION: $LINENO: $instance: $db2node: $db: Database is deactivated with Primary role and the reintegration flag is set. Role: $output, Reintegration flag: $reint_attr = $cib_value"
-+                   # Reintegrate as the standby database.
-+                   if reintegrateAsStandby "$db" 'db2_monitor' $LINENO; then
-+                      ocf_log info "$__OCF_ACTION: $LINENO: $instance: $db2node: $db: The database reintegration succeeded."
-+                      # Setting slave state here will cause rc to be OCF_SUCCESS below.
-+                      ocf_log info "$__OCF_ACTION: $LINENO: $instance: $db2node: $db: Echoing SLAVE into $STATE_FILE"
-+                      echo SLAVE >"$STATE_FILE"
-+                      # Update master score to reflect standby state.
-+                      master_score -v 8000 -l reboot
-+                   else
-+                      ocf_log err "$__OCF_ACTION: $LINENO: $instance: $db2node: $db: The database reintegration failed."
-+                      return "$OCF_ERR_GENERIC"
-+                   fi
-+                fi
-+            else
-+                rc="$OCF_NOT_RUNNING"
-+                ocf_log info "$__OCF_ACTION: $LINENO: $instance: $db2node: $db: The database has HADR status $hadr."
-+                ocf_log info "$__OCF_ACTION: $LINENO: $instance: $db2node: $db: db2_monitor() exit with rc=$rc."
-+                return "$rc"
-+            fi
-+            ;;
-+
-             *)
-             return $OCF_ERR_GENERIC
-         esac
-@@ -875,8 +981,6 @@ db2_promote() {
-             # update pacemaker's view
-             echo MASTER > $STATE_FILE
- 
--            # turn the log so we rapidly get a new FAL
--            logasdb2 "db2 archive log for db $db"
-             return $OCF_SUCCESS
-         fi
- 
-@@ -914,26 +1018,6 @@ db2_demote() {
-     return $?
- }
- 
--#
--# handle pre start notification
--# We record our first active log on the other nodes.
--# If two primaries come up after a crash they can safely determine who is
--# the outdated one.
--#
--db2_notify() {
--    local node
--
--    # only interested in pre-start
--    [  $OCF_RESKEY_CRM_meta_notify_type = pre \
--    -a $OCF_RESKEY_CRM_meta_notify_operation = start ] || return $OCF_SUCCESS
--
--    # gets FIRST_ACTIVE_LOG
--    db2_get_cfg $dblist || return $?
--
--    db2_fal_attrib $dblist set $FIRST_ACTIVE_LOG || return $OCF_ERR_GENERIC
--    exit $OCF_SUCCESS
--}
--
- ########
- # Main #
- ########
-@@ -947,50 +1031,54 @@ case "$__OCF_ACTION" in
-     db2_usage
-     exit $OCF_SUCCESS
-     ;;
-+esac
- 
-+local_host=$(ocf_local_nodename)
-+inst1=$(echo "$OCF_RESKEY_instance" | cut -d"," -f1)
-+inst2=$(echo "$OCF_RESKEY_instance" | cut -d"," -f2)
-+host1=$(crm_node -l | sort | awk '{print $2;}' | sed -n 1p)
-+
-+if [ "$host1" = "$local_host" ]; then
-+   remote_host=$(crm_node -l | sort | awk '{print $2;}' | sed -n 2p)
-+else
-+   remote_host="$host1"
-+fi
-+
-+db2_validate; validate_rc=$?
-+
-+case "$__OCF_ACTION" in
-     start)
--    db2_validate
-     db2_start || exit $?
-     db2_monitor
--    exit $?
-     ;;
- 
-     stop)
--    db2_validate
-     db2_stop
--    exit $?
-     ;;
- 
-     promote)
--    db2_validate
-     db2_promote
--    exit $?
-     ;;
- 
-     demote)
--    db2_validate
-     db2_demote
--    exit $?
-     ;;
- 
-     notify)
--    db2_validate
--    db2_notify
--    exit $?
-+    ocf_log debug "notify-action has been DEPRECATED, and should be removed"
-     ;;
- 
-     monitor)
--    db2_validate
-     db2_monitor_retry
--    exit $?
-     ;;
- 
-     validate-all)
--    db2_validate
--    exit $?
-+    exit $validate_rc
-     ;;
- 
-     *)
-     db2_usage
-     exit $OCF_ERR_UNIMPLEMENTED
- esac
-+
-+exit $?

SOURCES/RHEL-124815-db2-fix-variable-name.patch

@@ -1,49 +0,0 @@
-From 54714646c6e2c4ba851e366e63316adb1092af61 Mon Sep 17 00:00:00 2001
-From: Oyvind Albrigtsen <oalbrigt@redhat.com>
-Date: Tue, 28 Oct 2025 16:34:54 +0100
-Subject: [PATCH] db2: fix monitor_retries_sleep variable name
-
----
- heartbeat/db2 | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/heartbeat/db2 b/heartbeat/db2
-index 83020fc70..82f2f82c3 100755
---- a/heartbeat/db2
-+++ b/heartbeat/db2
-@@ -49,7 +49,7 @@ fi
- OCF_RESKEY_instance_default=""
- OCF_RESKEY_skip_basic_sql_health_check_default="false"
- OCF_RESKEY_monitor_retries_default="1"
--OCF_RESKEY_monitor_sleep_default="1"
-+OCF_RESKEY_monitor_retries_sleep_default="1"
- OCF_RESKEY_monitor_retry_all_errors_default="false"
- OCF_RESKEY_admin_default=""
- OCF_RESKEY_dbpartitionnum_default="0"
-@@ -57,7 +57,7 @@ OCF_RESKEY_dbpartitionnum_default="0"
- : ${OCF_RESKEY_instance=${OCF_RESKEY_instance_default}}
- : ${OCF_RESKEY_skip_basic_sql_health_check=${OCF_RESKEY_skip_basic_sql_health_check_default}}
- : ${OCF_RESKEY_monitor_retries=${OCF_RESKEY_monitor_retries_default}}
--: ${OCF_RESKEY_monitor_sleep=${OCF_RESKEY_monitor_sleep_default}}
-+: ${OCF_RESKEY_monitor_retries_sleep=${OCF_RESKEY_monitor_retries_sleep_default}}
- : ${OCF_RESKEY_monitor_retry_all_errors=${OCF_RESKEY_monitor_retry_all_errors_default}}
- : ${OCF_RESKEY_admin=${OCF_RESKEY_admin_default}}
- : ${OCF_RESKEY_dbpartitionnum=${OCF_RESKEY_dbpartitionnum_default}}
-@@ -140,7 +140,7 @@ Monitor retries before failing.
- Monitor sleep between tries.
- </longdesc>
- <shortdesc lang="en">Monitor sleep</shortdesc>
--<content type="string" default="${OCF_RESKEY_monitor_sleep_default}" />
-+<content type="string" default="${OCF_RESKEY_monitor_retries_sleep_default}" />
- </parameter>
- <parameter name="monitor_retry_all_errors" unique="0" required="0">
- <longdesc lang="en">
-@@ -776,7 +776,7 @@ db2_monitor_retry() {
-         if [ $rc -eq $OCF_SUCCESS ] || [ $rc -eq $OCF_RUNNING_MASTER ] || [ $rc -eq $OCF_NOT_RUNNING ] || { [ $rc -ne 255 ] && ! ocf_is_true "$OCF_RESKEY_monitor_retry_all_errors" ;} ;then
-             break
-         fi
--        [ $try -lt $tries ] && sleep $OCF_RESKEY_monitor_sleep
-+        [ $try -lt $tries ] && sleep $OCF_RESKEY_monitor_retries_sleep
-     done
- 
-     [ $rc -eq 255 ] && rc=$OCF_ERR_GENERIC

SOURCES/RHEL-32828-db2-fix-OCF_SUCESS-typo.patch

@@ -1,23 +0,0 @@
-From a9c4aeb971e9f4963345d0e215b729def62dd27c Mon Sep 17 00:00:00 2001
-From: pepadelic <162310096+pepadelic@users.noreply.github.com>
-Date: Mon, 15 Apr 2024 13:52:54 +0200
-Subject: [PATCH] Update db2: fix OCF_SUCESS name in db2_notify
-
-fix OCF_SUCESS to OCF_SUCCESS  in db2_notify
----
- heartbeat/db2 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/heartbeat/db2 b/heartbeat/db2
-index 95447ab6cb..1cd66f15af 100755
---- a/heartbeat/db2
-+++ b/heartbeat/db2
-@@ -848,7 +848,7 @@ db2_notify() {
- 
-     # only interested in pre-start
-     [  $OCF_RESKEY_CRM_meta_notify_type = pre \
--    -a $OCF_RESKEY_CRM_meta_notify_operation = start ] || return $OCF_SUCESS
-+    -a $OCF_RESKEY_CRM_meta_notify_operation = start ] || return $OCF_SUCCESS
- 
-     # gets FIRST_ACTIVE_LOG
-     db2_get_cfg $dblist || return $?

SOURCES/RHEL-34137-aws-agents-use-curl_retry.patch

@@ -1,343 +0,0 @@
-From fc0657b936f6a58f741e33f851b22f82bc68bffa Mon Sep 17 00:00:00 2001
-From: Oyvind Albrigtsen <oalbrigt@redhat.com>
-Date: Tue, 6 Feb 2024 13:28:12 +0100
-Subject: [PATCH 1/2] ocf-shellfuncs: add curl_retry()
-
----
- heartbeat/ocf-shellfuncs.in | 34 ++++++++++++++++++++++++++++++++++
- 1 file changed, 34 insertions(+)
-
-diff --git a/heartbeat/ocf-shellfuncs.in b/heartbeat/ocf-shellfuncs.in
-index c5edb6f57..a69a9743d 100644
---- a/heartbeat/ocf-shellfuncs.in
-+++ b/heartbeat/ocf-shellfuncs.in
-@@ -672,6 +672,40 @@ EOF
- 	systemctl daemon-reload
- }
- 
-+# usage: curl_retry RETRIES SLEEP ARGS URL
-+#
-+# Use --show-error in ARGS to log HTTP error code
-+#
-+# returns:
-+#    0  success
-+# exit:
-+#    1  fail
-+curl_retry()
-+{
-+	local retries=$1 sleep=$2 opts=$3 url=$4
-+	local tries=$(($retries + 1))
-+	local args="--fail $opts $url"
-+	local result rc
-+
-+	for try in $(seq $tries); do
-+		ocf_log debug "curl $args try $try of $tries"
-+		result=$(echo "$args" | xargs curl 2>&1)
-+		rc=$?
-+
-+		ocf_log debug "result: $result"
-+		[ $rc -eq 0 ] && break
-+		sleep $sleep
-+	done
-+
-+	if [ $rc -ne 0 ]; then
-+		ocf_exit_reason "curl $args failed $tries tries"
-+		exit $OCF_ERR_GENERIC
-+	fi
-+
-+	echo "$result"
-+	return $rc
-+}
-+
- # usage: crm_mon_no_validation args...
- # run crm_mon without any cib schema validation
- # This is useful when an agent runs in a bundle to avoid potential
-
-From 80d330557319bdae9e45aad1279e435fc481d4e7 Mon Sep 17 00:00:00 2001
-From: Oyvind Albrigtsen <oalbrigt@redhat.com>
-Date: Tue, 6 Feb 2024 13:28:25 +0100
-Subject: [PATCH 2/2] AWS agents: use curl_retry()
-
----
- heartbeat/aws-vpc-move-ip    | 35 ++++++++++++++++++++++++++---------
- heartbeat/aws-vpc-route53.in | 27 +++++++++++++++++++++++++--
- heartbeat/awseip             | 36 +++++++++++++++++++++++++++++++-----
- heartbeat/awsvip             | 32 ++++++++++++++++++++++++++++----
- 4 files changed, 110 insertions(+), 20 deletions(-)
-
-diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
-index 54806f6ea..6115e5ba8 100755
---- a/heartbeat/aws-vpc-move-ip
-+++ b/heartbeat/aws-vpc-move-ip
-@@ -47,6 +47,8 @@ OCF_RESKEY_interface_default="eth0"
- OCF_RESKEY_iflabel_default=""
- OCF_RESKEY_monapi_default="false"
- OCF_RESKEY_lookup_type_default="InstanceId"
-+OCF_RESKEY_curl_retries_default="3"
-+OCF_RESKEY_curl_sleep_default="1"
- 
- : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
- : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
-@@ -60,6 +62,8 @@ OCF_RESKEY_lookup_type_default="InstanceId"
- : ${OCF_RESKEY_iflabel=${OCF_RESKEY_iflabel_default}}
- : ${OCF_RESKEY_monapi=${OCF_RESKEY_monapi_default}}
- : ${OCF_RESKEY_lookup_type=${OCF_RESKEY_lookup_type_default}}
-+: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
-+: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
- #######################################################################
- 
- 
-@@ -194,6 +198,22 @@ Name of resource type to lookup in route table.
- <content type="string" default="${OCF_RESKEY_lookup_type_default}" />
- </parameter>
- 
-+<parameter name="curl_retries" unique="0">
-+<longdesc lang="en">
-+curl retries before failing
-+</longdesc>
-+<shortdesc lang="en">curl retries</shortdesc>
-+<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
-+</parameter>
-+
-+<parameter name="curl_sleep" unique="0">
-+<longdesc lang="en">
-+curl sleep between tries
-+</longdesc>
-+<shortdesc lang="en">curl sleep</shortdesc>
-+<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
-+</parameter>
-+
- </parameters>
- 
- <actions>
-@@ -250,8 +270,10 @@ ec2ip_validate() {
- 		fi
- 	fi
- 
--	TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
--	EC2_INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
-+	TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
-+	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
-+	EC2_INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
-+	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
- 
- 	if [ -z "${EC2_INSTANCE_ID}" ]; then
- 		ocf_exit_reason "Instance ID not found. Is this a EC2 instance?"
-@@ -365,14 +387,9 @@ ec2ip_get_instance_eni() {
- 	fi
- 	ocf_log debug "MAC address associated with interface ${OCF_RESKEY_interface}: ${MAC_ADDR}"
- 
--	cmd="curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDR}/interface-id -H \"X-aws-ec2-metadata-token: $TOKEN\""
--	ocf_log debug "executing command: $cmd"
-+	cmd="curl_retry \"$OCF_RESKEY_curl_retries\" \"$OCF_RESKEY_curl_sleep\" \"--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'\" \"http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDR}/interface-id\""
- 	EC2_NETWORK_INTERFACE_ID="$(eval $cmd)"
--	rc=$?
--	if [ $rc != 0 ]; then
--		ocf_log warn "command failed, rc: $rc"
--		return $OCF_ERR_GENERIC
--	fi
-+	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
- 	ocf_log debug "network interface id associated MAC address ${MAC_ADDR}: ${EC2_NETWORK_INTERFACE_ID}"
- 	echo $EC2_NETWORK_INTERFACE_ID
- }
-diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
-index 18ab157e8..eba2ed95c 100644
---- a/heartbeat/aws-vpc-route53.in
-+++ b/heartbeat/aws-vpc-route53.in
-@@ -53,6 +53,8 @@ OCF_RESKEY_hostedzoneid_default=""
- OCF_RESKEY_fullname_default=""
- OCF_RESKEY_ip_default="local"
- OCF_RESKEY_ttl_default=10
-+OCF_RESKEY_curl_retries_default="3"
-+OCF_RESKEY_curl_sleep_default="1"
- 
- : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
- : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
-@@ -62,6 +64,8 @@ OCF_RESKEY_ttl_default=10
- : ${OCF_RESKEY_fullname:=${OCF_RESKEY_fullname_default}}
- : ${OCF_RESKEY_ip:=${OCF_RESKEY_ip_default}}
- : ${OCF_RESKEY_ttl:=${OCF_RESKEY_ttl_default}}
-+: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
-+: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
- 
- usage() {
- 	cat <<-EOT
-@@ -185,6 +189,22 @@ Time to live for Route53 ARECORD
- <shortdesc lang="en">ARECORD TTL</shortdesc>
- <content type="string" default="${OCF_RESKEY_ttl_default}" />
- </parameter>
-+
-+<parameter name="curl_retries" unique="0">
-+<longdesc lang="en">
-+curl retries before failing
-+</longdesc>
-+<shortdesc lang="en">curl retries</shortdesc>
-+<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
-+</parameter>
-+
-+<parameter name="curl_sleep" unique="0">
-+<longdesc lang="en">
-+curl sleep between tries
-+</longdesc>
-+<shortdesc lang="en">curl sleep</shortdesc>
-+<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
-+</parameter>
- </parameters>
- 
- <actions>
-@@ -357,8 +377,11 @@ r53_monitor() {
- _get_ip() {
- 	case $OCF_RESKEY_ip in
- 		local|public)
--			TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
--			IPADDRESS=$(curl -s http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4 -H "X-aws-ec2-metadata-token: $TOKEN");;
-+			TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
-+			[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
-+			IPADDRESS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4")
-+			[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
-+			;;
- 		*.*.*.*)
- 			IPADDRESS="${OCF_RESKEY_ip}";;
- 	esac
-diff --git a/heartbeat/awseip b/heartbeat/awseip
-index 49b0ca615..ffb6223a1 100755
---- a/heartbeat/awseip
-+++ b/heartbeat/awseip
-@@ -49,12 +49,16 @@ OCF_RESKEY_auth_type_default="key"
- OCF_RESKEY_profile_default="default"
- OCF_RESKEY_region_default=""
- OCF_RESKEY_api_delay_default="3"
-+OCF_RESKEY_curl_retries_default="3"
-+OCF_RESKEY_curl_sleep_default="1"
- 
- : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
- : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
- : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
- : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
- : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
-+: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
-+: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
- 
- meta_data() {
-     cat <<END
-@@ -141,6 +145,22 @@ a short delay between API calls, to avoid sending API too quick
- <content type="integer" default="${OCF_RESKEY_api_delay_default}" />
- </parameter>
- 
-+<parameter name="curl_retries" unique="0">
-+<longdesc lang="en">
-+curl retries before failing
-+</longdesc>
-+<shortdesc lang="en">curl retries</shortdesc>
-+<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
-+</parameter>
-+
-+<parameter name="curl_sleep" unique="0">
-+<longdesc lang="en">
-+curl sleep between tries
-+</longdesc>
-+<shortdesc lang="en">curl sleep</shortdesc>
-+<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
-+</parameter>
-+
- </parameters>
- 
- <actions>
-@@ -171,14 +191,18 @@ awseip_start() {
-     awseip_monitor && return $OCF_SUCCESS
- 
-     if [ -n "${PRIVATE_IP_ADDRESS}" ]; then
--        NETWORK_INTERFACES_MACS=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/ -H "X-aws-ec2-metadata-token: $TOKEN")
-+        NETWORK_INTERFACES_MACS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "-s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/")
-         for MAC in ${NETWORK_INTERFACES_MACS}; do
--            curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/local-ipv4s -H "X-aws-ec2-metadata-token: $TOKEN" |
-+            curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "-s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC%/*}/local-ipv4s" |
-                 grep -q "^${PRIVATE_IP_ADDRESS}$"
-             if [ $? -eq 0 ]; then
--                NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
-+                NETWORK_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "-s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC%/*}/interface-id")
-             fi
-         done
-+        if [ -z "$NETWORK_ID" ]; then
-+            ocf_exit_reason "Could not find network interface for private_ip_address: $PRIVATE_IP_ADDRESS"
-+            exit $OCF_ERR_GENERIC
-+        fi
-         $AWSCLI_CMD ec2 associate-address  \
-             --network-interface-id ${NETWORK_ID} \
-             --allocation-id ${ALLOCATION_ID} \
-@@ -282,8 +306,10 @@ fi
- ELASTIC_IP="${OCF_RESKEY_elastic_ip}"
- ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
- PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
--TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
--INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
-+TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
-+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
-+INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
-+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
- 
- case $__OCF_ACTION in
-     start)
-diff --git a/heartbeat/awsvip b/heartbeat/awsvip
-index bdb4d68dd..f2b238a0f 100755
---- a/heartbeat/awsvip
-+++ b/heartbeat/awsvip
-@@ -48,12 +48,16 @@ OCF_RESKEY_auth_type_default="key"
- OCF_RESKEY_profile_default="default"
- OCF_RESKEY_region_default=""
- OCF_RESKEY_api_delay_default="3"
-+OCF_RESKEY_curl_retries_default="3"
-+OCF_RESKEY_curl_sleep_default="1"
- 
- : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
- : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
- : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
- : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
- : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
-+: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
-+: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
- 
- meta_data() {
-     cat <<END
-@@ -124,6 +128,22 @@ a short delay between API calls, to avoid sending API too quick
- <content type="integer" default="${OCF_RESKEY_api_delay_default}" />
- </parameter>
- 
-+<parameter name="curl_retries" unique="0">
-+<longdesc lang="en">
-+curl retries before failing
-+</longdesc>
-+<shortdesc lang="en">curl retries</shortdesc>
-+<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
-+</parameter>
-+
-+<parameter name="curl_sleep" unique="0">
-+<longdesc lang="en">
-+curl sleep between tries
-+</longdesc>
-+<shortdesc lang="en">curl sleep</shortdesc>
-+<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
-+</parameter>
-+
- </parameters>
- 
- <actions>
-@@ -246,10 +266,14 @@ if [ -n "${OCF_RESKEY_region}" ]; then
- 	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
- fi
- SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
--TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
--INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
--MAC_ADDRESS=$(curl -s http://169.254.169.254/latest/meta-data/mac -H "X-aws-ec2-metadata-token: $TOKEN")
--NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDRESS}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
-+TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
-+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
-+INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
-+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
-+MAC_ADDRESS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/mac")
-+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
-+NETWORK_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDRESS}/interface-id")
-+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
- 
- case $__OCF_ACTION in
-     start)

SOURCES/RHEL-44923-aliyun-gcp-fix-bundled-urllib3-CVE-2024-37891.patch

@@ -1,48 +0,0 @@
-From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
-From: Quentin Pradet <quentin.pradet@gmail.com>
-Date: Mon, 17 Jun 2024 11:09:06 +0400
-Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
-
-* Strip Proxy-Authorization header on redirects
-
-* Fix test_retry_default_remove_headers_on_redirect
-
-* Set release date
----
- CHANGES.rst                               |  5 +++++
- src/urllib3/util/retry.py                 |  4 +++-
- test/test_retry.py                        |  6 ++++-
- test/with_dummyserver/test_poolmanager.py | 27 ++++++++++++++++++++---
- 4 files changed, 37 insertions(+), 5 deletions(-)
-
-diff --git a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py
-index 7a76a4a6ad..0456cceba4 100644
---- a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py
-+++ b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py
-@@ -189,7 +189,9 @@ class Retry:
-     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
- 
-     #: Default headers to be used for ``remove_headers_on_redirect``
--    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
-+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
-+        ["Cookie", "Authorization", "Proxy-Authorization"]
-+    )
- 
-     #: Default maximum backoff time.
-     DEFAULT_BACKOFF_MAX = 120
-
-diff --git a/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py b/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py
-index 7a76a4a6ad..0456cceba4 100644
---- a/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py
-+++ b/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py
-@@ -189,7 +189,9 @@ class Retry:
-     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
- 
-     #: Default headers to be used for ``remove_headers_on_redirect``
--    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
-+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
-+        ["Cookie", "Authorization", "Proxy-Authorization"]
-+    )
- 
-     #: Default maximum backoff time.
-     DEFAULT_BACKOFF_MAX = 120

SOURCES/RHEL-50360-setuptools-fix-CVE-2024-6345.patch

@@ -1,201 +0,0 @@
---- a/setuptools/package_index.py	1980-01-01 09:00:00.000000000 +0100
-+++ b/setuptools/package_index.py	2024-07-25 10:11:40.537307665 +0200
-@@ -1,5 +1,6 @@
- """PyPI and direct package downloading"""
- import sys
-+import subprocess
- import os
- import re
- import shutil
-@@ -563,7 +564,7 @@
-             scheme = URL_SCHEME(spec)
-             if scheme:
-                 # It's a url, download it to tmpdir
--                found = self._download_url(scheme.group(1), spec, tmpdir)
-+                found = self._download_url(spec, tmpdir)
-                 base, fragment = egg_info_for_url(spec)
-                 if base.endswith('.py'):
-                     found = self.gen_setup(found, fragment, tmpdir)
-@@ -775,7 +776,7 @@
-                 raise DistutilsError("Download error for %s: %s"
-                                      % (url, v))
- 
--    def _download_url(self, scheme, url, tmpdir):
-+    def _download_url(self, url, tmpdir):
-         # Determine download filename
-         #
-         name, fragment = egg_info_for_url(url)
-@@ -790,19 +791,59 @@
- 
-         filename = os.path.join(tmpdir, name)
- 
--        # Download the file
--        #
--        if scheme == 'svn' or scheme.startswith('svn+'):
--            return self._download_svn(url, filename)
--        elif scheme == 'git' or scheme.startswith('git+'):
--            return self._download_git(url, filename)
--        elif scheme.startswith('hg+'):
--            return self._download_hg(url, filename)
--        elif scheme == 'file':
--            return urllib.request.url2pathname(urllib.parse.urlparse(url)[2])
--        else:
--            self.url_ok(url, True)  # raises error if not allowed
--            return self._attempt_download(url, filename)
-+        return self._download_vcs(url, filename) or self._download_other(url, filename)
-+
-+    @staticmethod
-+    def _resolve_vcs(url):
-+        """
-+        >>> rvcs = PackageIndex._resolve_vcs
-+        >>> rvcs('git+http://foo/bar')
-+        'git'
-+        >>> rvcs('hg+https://foo/bar')
-+        'hg'
-+        >>> rvcs('git:myhost')
-+        'git'
-+        >>> rvcs('hg:myhost')
-+        >>> rvcs('http://foo/bar')
-+        """
-+        scheme = urllib.parse.urlsplit(url).scheme
-+        pre, sep, post = scheme.partition('+')
-+        # svn and git have their own protocol; hg does not
-+        allowed = set(['svn', 'git'] + ['hg'] * bool(sep))
-+        return next(iter({pre} & allowed), None)
-+
-+    def _download_vcs(self, url, spec_filename):
-+        vcs = self._resolve_vcs(url)
-+        if not vcs:
-+            return
-+        if vcs == 'svn':
-+            raise DistutilsError(
-+                f"Invalid config, SVN download is not supported: {url}"
-+            )
-+
-+        filename, _, _ = spec_filename.partition('#')
-+        url, rev = self._vcs_split_rev_from_url(url)
-+
-+        self.info(f"Doing {vcs} clone from {url} to {filename}")
-+        subprocess.check_call([vcs, 'clone', '--quiet', url, filename])
-+
-+        co_commands = dict(
-+            git=[vcs, '-C', filename, 'checkout', '--quiet', rev],
-+            hg=[vcs, '--cwd', filename, 'up', '-C', '-r', rev, '-q'],
-+        )
-+        if rev is not None:
-+            self.info(f"Checking out {rev}")
-+            subprocess.check_call(co_commands[vcs])
-+
-+        return filename
-+
-+    def _download_other(self, url, filename):
-+        scheme = urllib.parse.urlsplit(url).scheme
-+        if scheme == 'file':  # pragma: no cover
-+            return urllib.request.url2pathname(urllib.parse.urlparse(url).path)
-+        # raise error if not allowed
-+        self.url_ok(url, True)
-+        return self._attempt_download(url, filename)
- 
-     def scan_url(self, url):
-         self.process_url(url, True)
-@@ -829,76 +870,37 @@
-         os.unlink(filename)
-         raise DistutilsError("Unexpected HTML page found at " + url)
- 
--    def _download_svn(self, url, filename):
--        url = url.split('#', 1)[0]  # remove any fragment for svn's sake
--        creds = ''
--        if url.lower().startswith('svn:') and '@' in url:
--            scheme, netloc, path, p, q, f = urllib.parse.urlparse(url)
--            if not netloc and path.startswith('//') and '/' in path[2:]:
--                netloc, path = path[2:].split('/', 1)
--                auth, host = splituser(netloc)
--                if auth:
--                    if ':' in auth:
--                        user, pw = auth.split(':', 1)
--                        creds = " --username=%s --password=%s" % (user, pw)
--                    else:
--                        creds = " --username=" + auth
--                    netloc = host
--                    parts = scheme, netloc, url, p, q, f
--                    url = urllib.parse.urlunparse(parts)
--        self.info("Doing subversion checkout from %s to %s", url, filename)
--        os.system("svn checkout%s -q %s %s" % (creds, url, filename))
--        return filename
--
-     @staticmethod
--    def _vcs_split_rev_from_url(url, pop_prefix=False):
--        scheme, netloc, path, query, frag = urllib.parse.urlsplit(url)
--
--        scheme = scheme.split('+', 1)[-1]
--
--        # Some fragment identification fails
--        path = path.split('#', 1)[0]
--
--        rev = None
--        if '@' in path:
--            path, rev = path.rsplit('@', 1)
--
--        # Also, discard fragment
--        url = urllib.parse.urlunsplit((scheme, netloc, path, query, ''))
--
--        return url, rev
--
--    def _download_git(self, url, filename):
--        filename = filename.split('#', 1)[0]
--        url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
--
--        self.info("Doing git clone from %s to %s", url, filename)
--        os.system("git clone --quiet %s %s" % (url, filename))
-+    def _vcs_split_rev_from_url(url):
-+        """
-+        Given a possible VCS URL, return a clean URL and resolved revision if any.
- 
--        if rev is not None:
--            self.info("Checking out %s", rev)
--            os.system("(cd %s && git checkout --quiet %s)" % (
--                filename,
--                rev,
--            ))
-+        >>> vsrfu = PackageIndex._vcs_split_rev_from_url
-+        >>> vsrfu('git+https://github.com/pypa/setuptools@v69.0.0#egg-info=setuptools')
-+        ('https://github.com/pypa/setuptools', 'v69.0.0')
-+        >>> vsrfu('git+https://github.com/pypa/setuptools#egg-info=setuptools')
-+        ('https://github.com/pypa/setuptools', None)
-+        >>> vsrfu('http://foo/bar')
-+        ('http://foo/bar', None)
-+        """
-+        parts = urllib.parse.urlsplit(url)
- 
--        return filename
-+        clean_scheme = parts.scheme.split('+', 1)[-1]
- 
--    def _download_hg(self, url, filename):
--        filename = filename.split('#', 1)[0]
--        url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
-+        # Some fragment identification fails
-+        no_fragment_path, _, _ = parts.path.partition('#')
- 
--        self.info("Doing hg clone from %s to %s", url, filename)
--        os.system("hg clone --quiet %s %s" % (url, filename))
-+        pre, sep, post = no_fragment_path.rpartition('@')
-+        clean_path, rev = (pre, post) if sep else (post, None)
- 
--        if rev is not None:
--            self.info("Updating to %s", rev)
--            os.system("(cd %s && hg up -C -r %s >&-)" % (
--                filename,
--                rev,
--            ))
-+        resolved = parts._replace(
-+            scheme=clean_scheme,
-+            path=clean_path,
-+            # discard the fragment
-+            fragment='',
-+        ).geturl()
- 
--        return filename
-+        return resolved, rev
- 
-     def debug(self, msg, *args):
-         log.debug(msg, *args)

SOURCES/RHEL-61138-nfsserver-also-stop-rpc-statd-for-nfsv4_only.patch

@@ -1,38 +0,0 @@
-From 38eaf00bc81af7530c56eba282918762a47a9326 Mon Sep 17 00:00:00 2001
-From: Oyvind Albrigtsen <oalbrigt@redhat.com>
-Date: Thu, 19 Sep 2024 13:01:53 +0200
-Subject: [PATCH] nfsserver: also stop rpc-statd for nfsv4_only to avoid stop
- failing in some cases
-
-E.g. nfs_no_notify=true nfsv4_only=true nfs_shared_infodir=/nfsmq/nfsinfo would cause a "Failed to unmount a bind mount" error
----
- heartbeat/nfsserver | 16 +++++++---------
- 1 file changed, 7 insertions(+), 9 deletions(-)
-
-diff --git a/heartbeat/nfsserver b/heartbeat/nfsserver
-index 5793d7a70..fd9268afc 100755
---- a/heartbeat/nfsserver
-+++ b/heartbeat/nfsserver
-@@ -947,15 +947,13 @@ nfsserver_stop ()
- 			sleep 1
- 		  done
- 
--		  if ! ocf_is_true "$OCF_RESKEY_nfsv4_only"; then
--			nfs_exec stop rpc-statd > /dev/null 2>&1
--			ocf_log info "Stop: rpc-statd"
--			rpcinfo -t localhost 100024 > /dev/null 2>&1
--			rc=$?
--			if [ "$rc" -eq "0" ]; then
--				ocf_exit_reason "Failed to stop rpc-statd"
--				return $OCF_ERR_GENERIC
--			fi
-+		  nfs_exec stop rpc-statd > /dev/null 2>&1
-+		  ocf_log info "Stop: rpc-statd"
-+		  rpcinfo -t localhost 100024 > /dev/null 2>&1
-+		  rc=$?
-+		  if [ "$rc" -eq "0" ]; then
-+		  	ocf_exit_reason "Failed to stop rpc-statd"
-+		  	return $OCF_ERR_GENERIC
- 		  fi
- 
- 		  nfs_exec stop nfs-idmapd > /dev/null 2>&1

SOURCES/RHEL-69297-1-Filesystem-dont-kill-unrelated-processes.patch

@@ -1,22 +0,0 @@
-From 4b09b3e467a7f8076bbf20f5b027efecf16303e7 Mon Sep 17 00:00:00 2001
-From: Gianluca Piccolo <gianluca.piccolo@wuerth-phoenix.com>
-Date: Thu, 6 Jun 2024 17:34:41 +0200
-Subject: [PATCH] Fix #1944
-
----
- heartbeat/Filesystem | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/heartbeat/Filesystem b/heartbeat/Filesystem
-index a445349b9..59b6c1b51 100755
---- a/heartbeat/Filesystem
-+++ b/heartbeat/Filesystem
-@@ -664,7 +664,7 @@ get_pids()
- 		if [ "X${HOSTOS}" = "XOpenBSD" ];then
- 			fstat | grep $dir | awk '{print $3}'
- 		else
--			$FUSER -m $dir 2>/dev/null
-+			$FUSER -Mm $dir 2>/dev/null
- 		fi
- 	elif [ "$FORCE_UNMOUNT" = "safe" ]; then
- 		procs=$(find /proc/[0-9]*/ -type l -lname "${dir}/*" -or -lname "${dir}" 2>/dev/null | awk -F/ '{print $3}')

SOURCES/RHEL-69297-2-Filesystem-update-bsd-logic.patch

@@ -1,26 +0,0 @@
-From c9ba6ac66ee27a70c69e1156f17aa6beac277bc5 Mon Sep 17 00:00:00 2001
-From: Oyvind Albrigtsen <oalbrigt@redhat.com>
-Date: Fri, 7 Jun 2024 14:23:28 +0200
-Subject: [PATCH] Filesystem: use fuser -c on FreeBSD, as -m and -M are used
- for other functionality
-
----
- heartbeat/Filesystem | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/heartbeat/Filesystem b/heartbeat/Filesystem
-index 59b6c1b51..88fe2e2eb 100755
---- a/heartbeat/Filesystem
-+++ b/heartbeat/Filesystem
-@@ -661,8 +661,10 @@ get_pids()
- 	fi
- 
- 	if ocf_is_true  "$FORCE_UNMOUNT"; then
--		if [ "X${HOSTOS}" = "XOpenBSD" ];then
-+		if [ "X${HOSTOS}" = "XOpenBSD" ]; then
- 			fstat | grep $dir | awk '{print $3}'
-+		elif [ "X${HOSTOS}" = "XFreeBSD" ]; then
-+			$FUSER -c $dir 2>/dev/null
- 		else
- 			$FUSER -Mm $dir 2>/dev/null
- 		fi

SOURCES/RHEL-72956-1-openstack-cinder-volume-wait-for-volume-to-be-available.patch

@@ -1,63 +0,0 @@
-From 71bc76dc4fa57726e80d0ddcc0bdcfe708af8763 Mon Sep 17 00:00:00 2001
-From: "Fabio M. Di Nitto" <fdinitto@redhat.com>
-Date: Thu, 5 Dec 2024 11:02:40 +0100
-Subject: [PATCH] openstack-cinder-volume: wait for volume to be available
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-monitor the vol till it´s attached to the host and avoid a race between
-openstack APIs receiving the request and completing the operation.
-
-Signed-off-by: Fabio M. Di Nitto <fdinitto@redhat.com>
----
- heartbeat/openstack-cinder-volume | 29 ++++++++++++++++++-----------
- 1 file changed, 18 insertions(+), 11 deletions(-)
-
-diff --git a/heartbeat/openstack-cinder-volume b/heartbeat/openstack-cinder-volume
-index 116442c41b..2b64d4d887 100755
---- a/heartbeat/openstack-cinder-volume
-+++ b/heartbeat/openstack-cinder-volume
-@@ -141,17 +141,19 @@ osvol_monitor() {
- 
- 	node_id=$(_get_node_id)
- 
--	if [ "$__OCF_ACTION" = "monitor" ] && ocf_is_true $OCF_RESKEY_volume_local_check ; then
--		#
--		# Is the volue attached?
--		# We check the local devices
--		#
--		short_volume_id=$(echo $OCF_RESKEY_volume_id | awk '{print substr($0, 0, 20)}')
--		if lsblk /dev/disk/by-id/virtio-$short_volume_id 1>/dev/null 2>&1; then
--			return $OCF_SUCCESS
--		else
--			ocf_log warn "$OCF_RESKEY_volume_id is not attached to instance $node_id"
--			return $OCF_NOT_RUNNING
-+	if ocf_is_true $OCF_RESKEY_volume_local_check ; then
-+		if [ "$__OCF_ACTION" = "monitor" ] || [ "$__OCF_ACTION" = "start" ] ; then
-+			#
-+			# Is the volue attached?
-+			# We check the local devices
-+			#
-+			short_volume_id=$(echo $OCF_RESKEY_volume_id | awk '{print substr($0, 0, 20)}')
-+			if lsblk /dev/disk/by-id/virtio-$short_volume_id 1>/dev/null 2>&1; then
-+				return $OCF_SUCCESS
-+			else
-+				ocf_log warn "$OCF_RESKEY_volume_id is not attached to instance $node_id"
-+				return $OCF_NOT_RUNNING
-+			fi
- 		fi
- 	fi
- 
-@@ -247,6 +249,11 @@ osvol_start() {
- 		return $OCF_ERR_GENERIC
- 	fi
- 
-+	while ! osvol_monitor; do
-+		ocf_log info "Waiting for cinder volume $OCF_RESKEY_volume_id to appear on $node_id"
-+		sleep 1
-+	done
-+
- 	return $OCF_SUCCESS
- }
- 

SOURCES/RHEL-72956-2-openstack-cinder-volume-fix-detach-not-working-during-start-action.patch

@@ -1,44 +0,0 @@
-From d89b3fb29033c3a60eb0896033af5981c7b9f64a Mon Sep 17 00:00:00 2001
-From: Oyvind Albrigtsen <oalbrigt@redhat.com>
-Date: Fri, 10 Jan 2025 11:39:48 +0100
-Subject: [PATCH] openstack-cinder-volume: fix detach not working during
- start-action after #2000
-
----
- heartbeat/openstack-cinder-volume | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/heartbeat/openstack-cinder-volume b/heartbeat/openstack-cinder-volume
-index 2b64d4d88..5bb1acddd 100755
---- a/heartbeat/openstack-cinder-volume
-+++ b/heartbeat/openstack-cinder-volume
-@@ -142,9 +142,9 @@ osvol_monitor() {
- 	node_id=$(_get_node_id)
- 
- 	if ocf_is_true $OCF_RESKEY_volume_local_check ; then
--		if [ "$__OCF_ACTION" = "monitor" ] || [ "$__OCF_ACTION" = "start" ] ; then
-+		if [ "$__OCF_ACTION" = "monitor" ] || [ "$1" = "quick" ]; then
- 			#
--			# Is the volue attached?
-+			# Is the volume attached?
- 			# We check the local devices
- 			#
- 			short_volume_id=$(echo $OCF_RESKEY_volume_id | awk '{print substr($0, 0, 20)}')
-@@ -158,7 +158,7 @@ osvol_monitor() {
- 	fi
- 
- 	#
--	# Is the volue attached?
-+	# Is the volume attached?
- 	# We use the API
- 	#
- 	result=$(run_openstackcli "volume show \
-@@ -249,7 +249,7 @@ osvol_start() {
- 		return $OCF_ERR_GENERIC
- 	fi
- 
--	while ! osvol_monitor; do
-+	while ! osvol_monitor quick; do
- 		ocf_log info "Waiting for cinder volume $OCF_RESKEY_volume_id to appear on $node_id"
- 		sleep 1
- 	done

SOURCES/RHEL-79823-portblock-fix-version-detection.patch

@@ -1,448 +0,0 @@
---- a/heartbeat/portblock	2025-02-20 14:54:18.047134471 +0100
-+++ b/heartbeat/portblock	2025-02-20 14:09:44.546869740 +0100
-@@ -25,6 +25,7 @@
- # Defaults
- OCF_RESKEY_protocol_default=""
- OCF_RESKEY_portno_default=""
-+OCF_RESKEY_direction_default="in"
- OCF_RESKEY_action_default=""
- OCF_RESKEY_ip_default="0.0.0.0/0"
- OCF_RESKEY_reset_local_on_unblock_stop_default="false"
-@@ -33,6 +34,7 @@
- 
- : ${OCF_RESKEY_protocol=${OCF_RESKEY_protocol_default}}
- : ${OCF_RESKEY_portno=${OCF_RESKEY_portno_default}}
-+: ${OCF_RESKEY_direction=${OCF_RESKEY_direction_default}}
- : ${OCF_RESKEY_action=${OCF_RESKEY_action_default}}
- : ${OCF_RESKEY_ip=${OCF_RESKEY_ip_default}}
- : ${OCF_RESKEY_reset_local_on_unblock_stop=${OCF_RESKEY_reset_local_on_unblock_stop_default}}
-@@ -217,6 +219,18 @@
- <shortdesc lang="en">Connection state file synchronization script</shortdesc>
- <content type="string" default="${OCF_RESKEY_sync_script_default}" />
- </parameter>
-+
-+<parameter name="direction" unique="0" required="0">
-+<longdesc lang="en">
-+Whether to block incoming or outgoing traffic. Can be either "in",
-+"out", or "both".
-+If "in" is used, the incoming ports are blocked on the INPUT chain.
-+If "out" is used, the outgoing ports are blocked on the OUTPUT chain.
-+If "both" is used, both the incoming and outgoing ports are blocked.
-+</longdesc>
-+<shortdesc lang="en">Whether to block incoming or outgoing traffic, or both</shortdesc>
-+<content type="string" default="${OCF_RESKEY_direction_default}" />
-+</parameter>
- </parameters>
- 
- <actions>
-@@ -240,36 +254,73 @@
- #	and disable us -- but we're still in some sense active...
- #
- 
--#active_grep_pat {udp|tcp} portno,portno
-+#active_grep_pat {udp|tcp} portno,portno ip {d|s}
-+# d = look for destination ports
-+# s = look for source ports
- active_grep_pat()
- {
-   w="[ 	][ 	]*"
-   any="0\\.0\\.0\\.0/0"
--  echo "^DROP${w}${1}${w}--${w}${any}${w}${3}${w}multiport${w}dports${w}${2}\>"
-+  src=$any dst=$3
-+  if [ "$4" = "s" ]; then
-+    local src=$3
-+    local dst=$any
-+  fi
-+  # iptables 1.8.9 briefly broke the output format, returning the
-+  # numeric protocol value instead of a string. Support both variants.
-+  if [ "$1" = "tcp" ]; then
-+    local prot="(tcp|6)"
-+  else
-+    local prot="(udp|17)"
-+  fi
-+  echo "^DROP${w}${prot}${w}--${w}${src}${w}${dst}${w}multiport${w}${4}ports${w}${2}$"
- }
- 
--#chain_isactive  {udp|tcp} portno,portno ip
-+#chain_isactive  {udp|tcp} portno,portno ip chain
- chain_isactive()
- {
--  PAT=`active_grep_pat "$1" "$2" "$3"`
--  $IPTABLES $wait -n -L INPUT | grep "$PAT" >/dev/null
-+  [ "$4" = "OUTPUT" ] && ds="s" || ds="d"
-+  PAT=$(active_grep_pat "$1" "$2" "$3" "$ds")
-+  $IPTABLES $wait -n -L "$4" | grep -qE "$PAT"
-+}
-+
-+# netstat -tn and ss -Htn, split on whitespace and colon,
-+# look very similar:
-+#  tcp    0  0  10.43.55.1  675  10.43.9.8  2049  ESTABLISHED
-+#  ESTAB  0  0  10.43.55.1  675  10.43.9.8  2049
-+# so we can write one awk script for both
-+get_established_tcp_connections()
-+{
-+	local columns
-+	if [ -z "$1" ] ; then
-+		columns='$4,$5, $6,$7'
-+	else
-+		# swap local and remote for "tickle_local"
-+		columns='$6,$7, $4,$5'
-+	fi
-+	$ss_or_netstat | awk -F '[:[:space:]]+' '
-+		( $8 == "ESTABLISHED" || $1 == "ESTAB" ) && $4 == "'$OCF_RESKEY_ip'" \
-+		{printf "%s:%s\t%s:%s\n", '"$columns"'}'
- }
- 
- save_tcp_connections()
- {
- 	[ -z "$OCF_RESKEY_tickle_dir" ] && return
- 	statefile=$OCF_RESKEY_tickle_dir/$OCF_RESKEY_ip
-+	# If we have _no_ sync script, we probably have a shared
-+	# (or replicated) directory, and need to fsync, or we might
-+	# end up with the just truncated file after failover, exactly
-+	# when we need it.
-+	#
-+	# If we _do_ have a sync script, it is not that important whether
-+	# the local state file is fsync'ed or not, the sync script is
-+	# responsible to "atomically" communicate the state to the peer(s).
- 	if [ -z "$OCF_RESKEY_sync_script" ]; then
--		netstat -tn |awk -F '[:[:space:]]+' '
--			$8 == "ESTABLISHED" && $4 == "'$OCF_RESKEY_ip'" \
--			{printf "%s:%s\t%s:%s\n", $4,$5, $6,$7}' |
--			dd of="$statefile".new conv=fsync status=none &&
--			mv "$statefile".new "$statefile"
-+		get_established_tcp_connections |
-+		dd of="$statefile".new conv=fsync status=none &&
-+		mv "$statefile".new "$statefile"
- 	else
--		netstat -tn |awk -F '[:[:space:]]+' '
--			$8 == "ESTABLISHED" && $4 == "'$OCF_RESKEY_ip'" \
--			{printf "%s:%s\t%s:%s\n", $4,$5, $6,$7}' \
--			> $statefile
-+		get_established_tcp_connections > $statefile
- 		$OCF_RESKEY_sync_script $statefile > /dev/null 2>&1 &
- 	fi
- }
-@@ -277,7 +328,6 @@
- tickle_remote()
- {
- 	[ -z "$OCF_RESKEY_tickle_dir" ] && return
--	echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
- 	f=$OCF_RESKEY_tickle_dir/$OCF_RESKEY_ip
- 	[ -r $f ] || return
- 	$TICKLETCP -n 3 < $f
-@@ -289,11 +339,6 @@
- 	f=$OCF_RESKEY_tickle_dir/$OCF_RESKEY_ip
- 	[ -r $f ] || return
- 
--	checkcmd="netstat -tn"
--	if ! have_binary "netstat"; then
--		checkcmd="ss -Htn"
--	fi
--
- 	# swap "local" and "remote" address,
- 	# so we tickle ourselves.
- 	# We set up a REJECT with tcp-reset before we do so, so we get rid of
-@@ -302,122 +347,152 @@
- 	# the way if we switch-over and then switch-back in quick succession.
- 	local i
- 	awk '{ print $2, $1; }' $f | $TICKLETCP
--	$checkcmd | grep -Fw $OCF_RESKEY_ip || return
-+	$ss_or_netstat | grep -Fw $OCF_RESKEY_ip || return
- 	for i in 0.1 0.5 1 2 4 ; do
- 		sleep $i
--		awk '{ print $2, $1; }' $f | $TICKLETCP
--		$checkcmd | grep -Fw $OCF_RESKEY_ip || break
-+		# now kill what is currently in the list,
-+		# not what was recorded during last monitor
-+		get_established_tcp_connections swap | $TICKLETCP
-+		$ss_or_netstat | grep -Fw $OCF_RESKEY_ip || break
- 	done
- }
- 
- SayActive()
- {
--  echo "$CMD DROP rule for INPUT chain [$*]  is running (OK)"
-+  ocf_log debug "$CMD DROP rule [$*]  is running (OK)"
- }
- 
- SayConsideredActive()
- {
--  echo "$CMD DROP rule for INPUT chain [$*] considered to be running (OK)"
-+  ocf_log debug "$CMD DROP rule [$*] considered to be running (OK)"
- }
- 
- SayInactive()
- {
--  echo "$CMD DROP rule for INPUT chain [$*] is inactive"
-+  ocf_log debug "$CMD DROP rule [$*] is inactive"
- }
- 
--#IptablesStatus  {udp|tcp} portno,portno ip {block|unblock}
-+#IptablesStatus  {udp|tcp} portno,portno ip {in|out|both} {block|unblock}
- IptablesStatus() {
--    local rc
--    rc=$OCF_ERR_GENERIC
--    activewords="$CMD $1 $2 is running (OK)"
--    if chain_isactive "$1" "$2" "$3"; then
--	case $4 in
--	    block)	
--		SayActive $*
--		rc=$OCF_SUCCESS
--		;;
--	    *)
-- 		SayInactive $*
--		rc=$OCF_NOT_RUNNING
--		;;
--	esac
--    else
--	case $4 in
--	    block)
--		if ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" status; then
--		    SayConsideredActive $*
--		    rc=$OCF_SUCCESS
--		else
--		    SayInactive $*
--		    rc=$OCF_NOT_RUNNING
--		fi
--		;;
--	    
--	    *)
--		if ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" status; then
--			SayActive $*
--			#This is only run on real monitor events.
--			save_tcp_connections
--			rc=$OCF_SUCCESS
--		else
--			SayInactive $*
--			rc=$OCF_NOT_RUNNING
--		fi
--		;;
--	esac
--    fi      
--    
--    return $rc
-+  local rc
-+  rc=$OCF_ERR_GENERIC
-+  is_active=0
-+  if [ "$4" = "in" ] || [ "$4" = "both" ]; then
-+    chain_isactive "$1" "$2" "$3" INPUT
-+    is_active=$?
-+  fi
-+  if [ "$4" = "out" ] || [ "$4" = "both" ]; then
-+    chain_isactive "$1" "$2" "$3" OUTPUT
-+    r=$?
-+    [ $r -gt $is_active ] && is_active=$r
-+  fi
-+  if [ $is_active -eq 0 ]; then
-+    case $5 in
-+      block)
-+        SayActive $*
-+        rc=$OCF_SUCCESS
-+        ;;
-+      *)
-+        SayInactive $*
-+        rc=$OCF_NOT_RUNNING
-+        ;;
-+    esac
-+  else
-+    case $5 in
-+      block)
-+        if ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" status; then
-+          SayConsideredActive $*
-+          rc=$OCF_SUCCESS
-+        else
-+          SayInactive $*
-+          rc=$OCF_NOT_RUNNING
-+        fi
-+        ;;
-+      *)
-+        if ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" status; then
-+          SayActive $*
-+          #This is only run on real monitor events.
-+          save_tcp_connections
-+          rc=$OCF_SUCCESS
-+        else
-+          SayInactive $*
-+          rc=$OCF_NOT_RUNNING
-+        fi
-+        ;;
-+    esac
-+  fi
-+  return $rc
- }
- 
--#IptablesBLOCK  {udp|tcp} portno,portno ip
--IptablesBLOCK()
-+#DoIptables  {-I|-D} {udp|tcp} portno,portno ip chain
-+DoIptables()
- {
--  local rc=0
--  local try_reset=false
--  if	[ "$1/$4/$__OCF_ACTION" = tcp/unblock/stop ] &&
--	ocf_is_true $reset_local_on_unblock_stop
--  then
--	try_reset=true
--  fi
--  if
--    chain_isactive "$1" "$2" "$3"
--  then
--    : OK -- chain already active
-+  op=$1 proto=$2 ports=$3 ip=$4 chain=$5
-+  active=0; chain_isactive "$proto" "$ports" "$ip" "$chain" && active=1
-+  want_active=0; [ "$op" = "-I" ] && want_active=1
-+  ocf_log debug "active: $active want_active: $want_active"
-+  if [ $active -eq $want_active ] ; then
-+    : Chain already in desired state
-   else
--    if $try_reset ; then
--      $IPTABLES $wait -I OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset
--      tickle_local
-+    [ "$chain" = "OUTPUT" ] && ds="s" || ds="d"
-+    $IPTABLES $wait "$op" "$chain" -p "$proto" -${ds} "$ip" -m multiport --${ds}ports "$ports" -j DROP
-+  fi
-+}
-+
-+#IptablesBLOCK  {udp|tcp} portno,portno ip {in|out|both} {block|unblock}
-+IptablesBLOCK()
-+{
-+  local rc_in=0
-+  local rc_out=0
-+  if [ "$4" = "in" ] || [ "$4" = "both" ]; then
-+    local try_reset=false
-+    if	[ "$1/$5/$__OCF_ACTION" = tcp/unblock/stop ] &&
-+    ocf_is_true $reset_local_on_unblock_stop
-+    then
-+      try_reset=true
-     fi
--    $IPTABLES $wait -I INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP
--    rc=$?
--    if $try_reset ; then
--      $IPTABLES $wait -D OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset
-+    if
-+      chain_isactive "$1" "$2" "$3" INPUT
-+    then
-+      : OK -- chain already active
-+    else
-+      if $try_reset ; then
-+        $IPTABLES $wait -I OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset
-+        tickle_local
-+      fi
-+      $IPTABLES $wait -I INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP
-+      rc_in=$?
-+      if $try_reset ; then
-+        $IPTABLES $wait -D OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset
-+      fi
-     fi
-   fi
-+  if [ "$4" = "out" ] || [ "$4" = "both" ]; then
-+    DoIptables -I "$1" "$2" "$3" OUTPUT
-+    rc_out=$?
-+  fi
- 
--  return $rc
-+  [ $rc_in -gt $rc_out ] && return $rc_in || return $rc_out
- }
- 
--#IptablesUNBLOCK  {udp|tcp} portno,portno ip
-+#IptablesUNBLOCK  {udp|tcp} portno,portno ip {in|out|both}
- IptablesUNBLOCK()
- {
--  if
--    chain_isactive "$1" "$2" "$3"
--  then
--    $IPTABLES $wait -D INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP
--  else
--    : Chain Not active
-+  if [ "$4" = "in" ] || [ "$4" = "both" ]; then
-+    DoIptables -D "$1" "$2" "$3" INPUT
-+  fi
-+  if [ "$4" = "out" ] || [ "$4" = "both" ]; then
-+    DoIptables -D "$1" "$2" "$3" OUTPUT
-   fi
- 
-   return $?
- }
- 
--#IptablesStart  {udp|tcp} portno,portno ip {block|unblock}
-+#IptablesStart  {udp|tcp} portno,portno ip {in|out|both} {block|unblock}
- IptablesStart()
- {
-   ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" start
--  case $4 in
-+  case $5 in
-     block)	IptablesBLOCK "$@";;
-     unblock)
- 		IptablesUNBLOCK "$@"
-@@ -432,11 +507,11 @@
-   return $?
- }
- 
--#IptablesStop  {udp|tcp} portno,portno ip {block|unblock}
-+#IptablesStop  {udp|tcp} portno,portno ip {in|out|both} {block|unblock}
- IptablesStop()
- {
-   ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" stop
--  case $4 in
-+  case $5 in
-     block)	IptablesUNBLOCK "$@";;
-     unblock)
- 		save_tcp_connections
-@@ -454,7 +529,7 @@
- CheckPort() {
- #	Examples of valid port: "1080", "1", "0080"
- #	Examples of invalid port: "1080bad", "0", "0000", ""
--  echo $1 |egrep -qx '[0-9]+(:[0-9]+)?(,[0-9]+(:[0-9]+)?)*'
-+  echo $1 | $EGREP -qx '[0-9]+(:[0-9]+)?(,[0-9]+(:[0-9]+)?)*'
- }
- 
- IptablesValidateAll()
-@@ -543,7 +618,7 @@
- fi 
- 
- # iptables v1.4.20+ is required to use -w (wait)
--version=$(iptables -V | awk -F ' v' '{print $NF}')
-+version=$(iptables -V | grep -oE '[0-9]+[\.0-9]+')
- ocf_version_cmp "$version" "1.4.19.1"
- if [ "$?" -eq "2" ]; then
-     wait="-w"
-@@ -553,21 +628,36 @@
- 
- protocol=$OCF_RESKEY_protocol
- portno=$OCF_RESKEY_portno
-+direction=$OCF_RESKEY_direction
- action=$OCF_RESKEY_action
- ip=$OCF_RESKEY_ip
- reset_local_on_unblock_stop=$OCF_RESKEY_reset_local_on_unblock_stop
- 
-+
-+# If "tickle" is enabled, we need to record the list of currently established
-+# connections during monitor.  Use ss where available, and netstat otherwise.
-+if [ -n "$OCF_RESKEY_tickle_dir" ] ; then
-+	if have_binary ss ; then
-+		ss_or_netstat="ss -Htn"
-+	elif have_binary netstat ; then
-+		ss_or_netstat="netstat -tn"
-+	else
-+		ocf_log err "Neither ss nor netstat found, but needed to record estblished connections."
-+		exit $OCF_ERR_INSTALLED
-+	fi
-+fi
-+
- case $1 in
-   start)	
--			IptablesStart $protocol $portno $ip $action 
-+			IptablesStart $protocol $portno $ip $direction $action
- 			;;
- 
-   stop)		
--			IptablesStop $protocol $portno $ip $action
-+			IptablesStop $protocol $portno $ip $direction $action
- 			;;
- 
-   status|monitor)	
--			IptablesStatus $protocol $portno $ip $action
-+			IptablesStatus $protocol $portno $ip $direction $action
- 			;;
- 
-   validate-all)

SOURCES/RHEL-81960-1-aws-agents-reuse-imds-token-until-it-expires.patch

@@ -1,455 +0,0 @@
-From 61cec34a754017537c61e79cd1212f2688c32429 Mon Sep 17 00:00:00 2001
-From: harshkiprofile <83770157+harshkiprofile@users.noreply.github.com>
-Date: Mon, 4 Nov 2024 12:19:10 +0530
-Subject: [PATCH 1/7] Introduce a new shell function to reuse IMDS token
-
----
- heartbeat/ocf-shellfuncs.in | 31 +++++++++++++++++++++++++++++++
- 1 file changed, 31 insertions(+)
-
-diff --git a/heartbeat/ocf-shellfuncs.in b/heartbeat/ocf-shellfuncs.in
-index 5c4bb3264..0c4632cf9 100644
---- a/heartbeat/ocf-shellfuncs.in
-+++ b/heartbeat/ocf-shellfuncs.in
-@@ -1111,3 +1111,34 @@ ocf_is_true "$OCF_TRACE_RA" && ocf_start_trace
- if ocf_is_true "$HA_use_logd"; then
- 	: ${HA_LOGD:=yes}
- fi
-+
-+# File to store the token and timestamp
-+TOKEN_FILE="/tmp/.imds_token"
-+TOKEN_LIFETIME=21600  # Token lifetime in seconds (6 hours)
-+TOKEN_EXPIRY_THRESHOLD=3600  # Renew token if less than 60 minutes (1 hour) remaining
-+
-+# Function to fetch a new token
-+fetch_new_token() {
-+    TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: $TOKEN_LIFETIME")
-+    echo "$TOKEN $(date +%s)" > "$TOKEN_FILE"
-+    echo "$TOKEN"
-+}
-+
-+# Function to retrieve or renew the token
-+get_token() {
-+    if [[ -f "$TOKEN_FILE" ]]; then
-+        read -r STORED_TOKEN STORED_TIMESTAMP < "$TOKEN_FILE"
-+        CURRENT_TIME=$(date +%s)
-+        ELAPSED_TIME=$((CURRENT_TIME - STORED_TIMESTAMP))
-+
-+        if (( ELAPSED_TIME < (TOKEN_LIFETIME - TOKEN_EXPIRY_THRESHOLD) )); then
-+            # Token is still valid
-+            echo "$STORED_TOKEN"
-+            return
-+        fi
-+    fi
-+    # Fetch a new token if not valid
-+    fetch_new_token
-+}
-+
-+
-
-From 00629fa44cb7a8dd1045fc8cad755e1d0c808476 Mon Sep 17 00:00:00 2001
-From: harshkiprofile <83770157+harshkiprofile@users.noreply.github.com>
-Date: Mon, 4 Nov 2024 12:21:18 +0530
-Subject: [PATCH 2/7] Utilize the get_token function to reuse the token
-
----
- heartbeat/aws-vpc-move-ip | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
-index 6115e5ba8..fbeb2ee64 100755
---- a/heartbeat/aws-vpc-move-ip
-+++ b/heartbeat/aws-vpc-move-ip
-@@ -270,7 +270,7 @@ ec2ip_validate() {
- 		fi
- 	fi
- 
--	TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
-+	TOKEN=$(get_token)
- 	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
- 	EC2_INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
- 	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
-
-From 36126cdcb90ad617ecfce03d986550907732aa4f Mon Sep 17 00:00:00 2001
-From: harshkiprofile <83770157+harshkiprofile@users.noreply.github.com>
-Date: Mon, 4 Nov 2024 12:22:16 +0530
-Subject: [PATCH 3/7] Utilize to get_token function to reuse the token
-
----
- heartbeat/awsvip | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/heartbeat/awsvip b/heartbeat/awsvip
-index f2b238a0f..ca19ac086 100755
---- a/heartbeat/awsvip
-+++ b/heartbeat/awsvip
-@@ -266,7 +266,7 @@ if [ -n "${OCF_RESKEY_region}" ]; then
- 	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
- fi
- SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
--TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
-+TOKEN=$(get_token)
- [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
- INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
- [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
-
-From dcd0050df5ba94905bc71d38b05cbb93f5687b61 Mon Sep 17 00:00:00 2001
-From: harshkiprofile <beer18317@gmail.com>
-Date: Mon, 4 Nov 2024 20:05:33 +0530
-Subject: [PATCH 4/7] Move token renewal function to aws.sh for reuse in AWS
- agent scripts
-
----
- heartbeat/Makefile.am        |  1 +
- heartbeat/aws-vpc-move-ip    |  1 +
- heartbeat/aws-vpc-route53.in |  3 ++-
- heartbeat/aws.sh             | 46 ++++++++++++++++++++++++++++++++++++
- heartbeat/awseip             |  3 ++-
- heartbeat/awsvip             |  1 +
- heartbeat/ocf-shellfuncs.in  | 33 +-------------------------
- 7 files changed, 54 insertions(+), 34 deletions(-)
- create mode 100644 heartbeat/aws.sh
-
-diff --git a/heartbeat/Makefile.am b/heartbeat/Makefile.am
-index 409847970..655740f14 100644
---- a/heartbeat/Makefile.am
-+++ b/heartbeat/Makefile.am
-@@ -218,6 +218,7 @@ ocfcommon_DATA		= ocf-shellfuncs 	\
- 			  ocf-rarun		\
- 			  ocf-distro		\
- 			  apache-conf.sh 	\
-+			  aws.sh            \
- 			  http-mon.sh		\
- 			  sapdb-nosha.sh	\
- 			  sapdb.sh		\
-diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
-index fbeb2ee64..f4b0492f2 100755
---- a/heartbeat/aws-vpc-move-ip
-+++ b/heartbeat/aws-vpc-move-ip
-@@ -33,6 +33,7 @@
- 
- : ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
- . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
-+. ${OCF_FUNCTIONS_DIR}/aws.sh
- 
- # Defaults
- OCF_RESKEY_awscli_default="/usr/bin/aws"
-diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
-index eba2ed95c..f7e756782 100644
---- a/heartbeat/aws-vpc-route53.in
-+++ b/heartbeat/aws-vpc-route53.in
-@@ -43,6 +43,7 @@
- 
- : ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
- . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
-+. ${OCF_FUNCTIONS_DIR}/aws.sh
- 
- # Defaults
- OCF_RESKEY_awscli_default="/usr/bin/aws"
-@@ -377,7 +378,7 @@ r53_monitor() {
- _get_ip() {
- 	case $OCF_RESKEY_ip in
- 		local|public)
--			TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
-+			TOKEN=$(get_token)
- 			[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
- 			IPADDRESS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4")
- 			[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
-diff --git a/heartbeat/aws.sh b/heartbeat/aws.sh
-new file mode 100644
-index 000000000..fc557109c
---- /dev/null
-+++ b/heartbeat/aws.sh
-@@ -0,0 +1,46 @@
-+#!/bin/sh
-+#
-+#
-+#   AWS Helper Scripts
-+#
-+#
-+
-+: ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
-+. ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
-+
-+# Defaults
-+OCF_RESKEY_curl_retries_default="3"
-+OCF_RESKEY_curl_sleep_default="1"
-+
-+: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
-+: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
-+
-+# Function to enable reusable IMDS token retrieval for efficient repeated access 
-+# File to store the token and timestamp
-+TOKEN_FILE="/tmp/.imds_token"
-+TOKEN_LIFETIME=21600  # Token lifetime in seconds (6 hours)
-+TOKEN_EXPIRY_THRESHOLD=3600  # Renew token if less than 60 minutes (1 hour) remaining
-+
-+# Function to fetch a new token
-+fetch_new_token() {
-+    TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: $TOKEN_LIFETIME'" "http://169.254.169.254/latest/api/token")
-+    echo "$TOKEN $(date +%s)" > "$TOKEN_FILE"
-+    echo "$TOKEN"
-+}
-+
-+# Function to retrieve or renew the token
-+get_token() {
-+    if [ -f "$TOKEN_FILE" ]; then
-+        read -r STORED_TOKEN STORED_TIMESTAMP < "$TOKEN_FILE"
-+        CURRENT_TIME=$(date +%s)
-+        ELAPSED_TIME=$((CURRENT_TIME - STORED_TIMESTAMP))
-+
-+        if (( ELAPSED_TIME < (TOKEN_LIFETIME - TOKEN_EXPIRY_THRESHOLD) )); then
-+            # Token is still valid
-+            echo "$STORED_TOKEN"
-+            return
-+        fi
-+    fi
-+    # Fetch a new token if not valid
-+    fetch_new_token
-+}
-\ No newline at end of file
-diff --git a/heartbeat/awseip b/heartbeat/awseip
-index ffb6223a1..049c2e566 100755
---- a/heartbeat/awseip
-+++ b/heartbeat/awseip
-@@ -38,6 +38,7 @@
- 
- : ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
- . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
-+. ${OCF_FUNCTIONS_DIR}/aws.sh
- 
- #######################################################################
- 
-@@ -306,7 +307,7 @@ fi
- ELASTIC_IP="${OCF_RESKEY_elastic_ip}"
- ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
- PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
--TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
-+TOKEN=$(get_token)
- [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
- INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
- [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
-diff --git a/heartbeat/awsvip b/heartbeat/awsvip
-index ca19ac086..de67981d8 100755
---- a/heartbeat/awsvip
-+++ b/heartbeat/awsvip
-@@ -37,6 +37,7 @@
- 
- : ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
- . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
-+. ${OCF_FUNCTIONS_DIR}/aws.sh
- 
- #######################################################################
- 
-diff --git a/heartbeat/ocf-shellfuncs.in b/heartbeat/ocf-shellfuncs.in
-index 0c4632cf9..922c6ea45 100644
---- a/heartbeat/ocf-shellfuncs.in
-+++ b/heartbeat/ocf-shellfuncs.in
-@@ -1110,35 +1110,4 @@ ocf_is_true "$OCF_TRACE_RA" && ocf_start_trace
- # pacemaker sets HA_use_logd, some others use HA_LOGD :/
- if ocf_is_true "$HA_use_logd"; then
- 	: ${HA_LOGD:=yes}
--fi
--
--# File to store the token and timestamp
--TOKEN_FILE="/tmp/.imds_token"
--TOKEN_LIFETIME=21600  # Token lifetime in seconds (6 hours)
--TOKEN_EXPIRY_THRESHOLD=3600  # Renew token if less than 60 minutes (1 hour) remaining
--
--# Function to fetch a new token
--fetch_new_token() {
--    TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: $TOKEN_LIFETIME")
--    echo "$TOKEN $(date +%s)" > "$TOKEN_FILE"
--    echo "$TOKEN"
--}
--
--# Function to retrieve or renew the token
--get_token() {
--    if [[ -f "$TOKEN_FILE" ]]; then
--        read -r STORED_TOKEN STORED_TIMESTAMP < "$TOKEN_FILE"
--        CURRENT_TIME=$(date +%s)
--        ELAPSED_TIME=$((CURRENT_TIME - STORED_TIMESTAMP))
--
--        if (( ELAPSED_TIME < (TOKEN_LIFETIME - TOKEN_EXPIRY_THRESHOLD) )); then
--            # Token is still valid
--            echo "$STORED_TOKEN"
--            return
--        fi
--    fi
--    # Fetch a new token if not valid
--    fetch_new_token
--}
--
--
-+fi
-\ No newline at end of file
-
-From 9f7be201923c8eab1b121f2067ed74a69841cf8a Mon Sep 17 00:00:00 2001
-From: harshkiprofile <beer18317@gmail.com>
-Date: Tue, 5 Nov 2024 19:12:34 +0530
-Subject: [PATCH 5/7] Refactor to use common temp path and update shell syntax
-
----
- heartbeat/Makefile.am | 2 +-
- heartbeat/aws.sh      | 4 ++--
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/heartbeat/Makefile.am b/heartbeat/Makefile.am
-index 655740f14..8352f3a3d 100644
---- a/heartbeat/Makefile.am
-+++ b/heartbeat/Makefile.am
-@@ -218,7 +218,7 @@ ocfcommon_DATA		= ocf-shellfuncs 	\
- 			  ocf-rarun		\
- 			  ocf-distro		\
- 			  apache-conf.sh 	\
--			  aws.sh            \
-+			  aws.sh		\
- 			  http-mon.sh		\
- 			  sapdb-nosha.sh	\
- 			  sapdb.sh		\
-diff --git a/heartbeat/aws.sh b/heartbeat/aws.sh
-index fc557109c..c77f93b91 100644
---- a/heartbeat/aws.sh
-+++ b/heartbeat/aws.sh
-@@ -17,7 +17,7 @@ OCF_RESKEY_curl_sleep_default="1"
- 
- # Function to enable reusable IMDS token retrieval for efficient repeated access 
- # File to store the token and timestamp
--TOKEN_FILE="/tmp/.imds_token"
-+TOKEN_FILE="${HA_RSCTMP}/.aws_imds_token"
- TOKEN_LIFETIME=21600  # Token lifetime in seconds (6 hours)
- TOKEN_EXPIRY_THRESHOLD=3600  # Renew token if less than 60 minutes (1 hour) remaining
- 
-@@ -35,7 +35,7 @@ get_token() {
-         CURRENT_TIME=$(date +%s)
-         ELAPSED_TIME=$((CURRENT_TIME - STORED_TIMESTAMP))
- 
--        if (( ELAPSED_TIME < (TOKEN_LIFETIME - TOKEN_EXPIRY_THRESHOLD) )); then
-+        if [ "$ELAPSED_TIME" -lt "$((TOKEN_LIFETIME - TOKEN_EXPIRY_THRESHOLD))" ]; then
-             # Token is still valid
-             echo "$STORED_TOKEN"
-             return
-
-From 4f61048064d1df3bebdb5c1441cf0020f213c01b Mon Sep 17 00:00:00 2001
-From: harshkiprofile <beer18317@gmail.com>
-Date: Tue, 5 Nov 2024 19:30:15 +0530
-Subject: [PATCH 6/7] Consolidate curl_retry and curl_sleep variable to a
- single location in aws.sh
-
----
- heartbeat/aws-vpc-move-ip    | 4 ----
- heartbeat/aws-vpc-route53.in | 4 ----
- heartbeat/awseip             | 4 ----
- heartbeat/awsvip             | 4 ----
- 4 files changed, 16 deletions(-)
-
-diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
-index f4b0492f2..3aa9ceb02 100755
---- a/heartbeat/aws-vpc-move-ip
-+++ b/heartbeat/aws-vpc-move-ip
-@@ -48,8 +48,6 @@ OCF_RESKEY_interface_default="eth0"
- OCF_RESKEY_iflabel_default=""
- OCF_RESKEY_monapi_default="false"
- OCF_RESKEY_lookup_type_default="InstanceId"
--OCF_RESKEY_curl_retries_default="3"
--OCF_RESKEY_curl_sleep_default="1"
- 
- : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
- : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
-@@ -63,8 +61,6 @@ OCF_RESKEY_curl_sleep_default="1"
- : ${OCF_RESKEY_iflabel=${OCF_RESKEY_iflabel_default}}
- : ${OCF_RESKEY_monapi=${OCF_RESKEY_monapi_default}}
- : ${OCF_RESKEY_lookup_type=${OCF_RESKEY_lookup_type_default}}
--: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
--: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
- #######################################################################
- 
- 
-diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
-index f7e756782..85c8de3c1 100644
---- a/heartbeat/aws-vpc-route53.in
-+++ b/heartbeat/aws-vpc-route53.in
-@@ -54,8 +54,6 @@ OCF_RESKEY_hostedzoneid_default=""
- OCF_RESKEY_fullname_default=""
- OCF_RESKEY_ip_default="local"
- OCF_RESKEY_ttl_default=10
--OCF_RESKEY_curl_retries_default="3"
--OCF_RESKEY_curl_sleep_default="1"
- 
- : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
- : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
-@@ -65,8 +63,6 @@ OCF_RESKEY_curl_sleep_default="1"
- : ${OCF_RESKEY_fullname:=${OCF_RESKEY_fullname_default}}
- : ${OCF_RESKEY_ip:=${OCF_RESKEY_ip_default}}
- : ${OCF_RESKEY_ttl:=${OCF_RESKEY_ttl_default}}
--: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
--: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
- 
- usage() {
- 	cat <<-EOT
-diff --git a/heartbeat/awseip b/heartbeat/awseip
-index 049c2e566..4b1c3bc6a 100755
---- a/heartbeat/awseip
-+++ b/heartbeat/awseip
-@@ -50,16 +50,12 @@ OCF_RESKEY_auth_type_default="key"
- OCF_RESKEY_profile_default="default"
- OCF_RESKEY_region_default=""
- OCF_RESKEY_api_delay_default="3"
--OCF_RESKEY_curl_retries_default="3"
--OCF_RESKEY_curl_sleep_default="1"
- 
- : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
- : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
- : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
- : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
- : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
--: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
--: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
- 
- meta_data() {
-     cat <<END
-diff --git a/heartbeat/awsvip b/heartbeat/awsvip
-index de67981d8..8c71e7fac 100755
---- a/heartbeat/awsvip
-+++ b/heartbeat/awsvip
-@@ -49,16 +49,12 @@ OCF_RESKEY_auth_type_default="key"
- OCF_RESKEY_profile_default="default"
- OCF_RESKEY_region_default=""
- OCF_RESKEY_api_delay_default="3"
--OCF_RESKEY_curl_retries_default="3"
--OCF_RESKEY_curl_sleep_default="1"
- 
- : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
- : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
- : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
- : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
- : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
--: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
--: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
- 
- meta_data() {
-     cat <<END
-
-From d451c5c595b08685f84ec85da96ae9cb4fc076fe Mon Sep 17 00:00:00 2001
-From: harshkiprofile <beer18317@gmail.com>
-Date: Tue, 5 Nov 2024 20:50:24 +0530
-Subject: [PATCH 7/7] aws.sh needs to added to be symlinkstargets in
- doc/man/Makefile.am
-
----
- doc/man/Makefile.am | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am
-index ef7639bff..447f5cba3 100644
---- a/doc/man/Makefile.am
-+++ b/doc/man/Makefile.am
-@@ -42,7 +42,7 @@ radir			= $(abs_top_builddir)/heartbeat
- # required for out-of-tree build
- symlinkstargets		= \
- 			  ocf-distro ocf.py ocf-rarun ocf-returncodes \
--			  findif.sh apache-conf.sh http-mon.sh mysql-common.sh \
-+			  findif.sh apache-conf.sh aws.sh http-mon.sh mysql-common.sh \
- 			  nfsserver-redhat.sh ora-common.sh
- 
- preptree:

SOURCES/RHEL-81960-2-aws-agents-reuse-imds-token-improvements.patch

@@ -1,161 +0,0 @@
-From cc5ffa5e599c974c426e93faa821b342e96b916d Mon Sep 17 00:00:00 2001
-From: Oyvind Albrigtsen <oalbrigt@redhat.com>
-Date: Mon, 11 Nov 2024 12:46:27 +0100
-Subject: [PATCH 1/2] aws.sh: chmod 600 $TOKEN_FILE, add get_instance_id() with
- DMI support, and use get_instance_id() in AWS agents
-
----
- heartbeat/aws-vpc-move-ip |  2 +-
- heartbeat/aws.sh          | 30 +++++++++++++++++++++++++++---
- heartbeat/awseip          |  2 +-
- heartbeat/awsvip          |  2 +-
- 4 files changed, 30 insertions(+), 6 deletions(-)
-
-diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
-index 3aa9ceb02..09ae68b57 100755
---- a/heartbeat/aws-vpc-move-ip
-+++ b/heartbeat/aws-vpc-move-ip
-@@ -269,7 +269,7 @@ ec2ip_validate() {
- 
- 	TOKEN=$(get_token)
- 	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
--	EC2_INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
-+	EC2_INSTANCE_ID=$(get_instance_id)
- 	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
- 
- 	if [ -z "${EC2_INSTANCE_ID}" ]; then
-diff --git a/heartbeat/aws.sh b/heartbeat/aws.sh
-index c77f93b91..9cd343c16 100644
---- a/heartbeat/aws.sh
-+++ b/heartbeat/aws.sh
-@@ -9,8 +9,8 @@
- . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
- 
- # Defaults
--OCF_RESKEY_curl_retries_default="3"
--OCF_RESKEY_curl_sleep_default="1"
-+OCF_RESKEY_curl_retries_default="4"
-+OCF_RESKEY_curl_sleep_default="3"
- 
- : ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
- : ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
-@@ -20,11 +20,13 @@ OCF_RESKEY_curl_sleep_default="1"
- TOKEN_FILE="${HA_RSCTMP}/.aws_imds_token"
- TOKEN_LIFETIME=21600  # Token lifetime in seconds (6 hours)
- TOKEN_EXPIRY_THRESHOLD=3600  # Renew token if less than 60 minutes (1 hour) remaining
-+DMI_FILE="/sys/devices/virtual/dmi/id/board_asset_tag" # Only supported on nitro-based instances.
- 
- # Function to fetch a new token
- fetch_new_token() {
-     TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: $TOKEN_LIFETIME'" "http://169.254.169.254/latest/api/token")
-     echo "$TOKEN $(date +%s)" > "$TOKEN_FILE"
-+    chmod 600 "$TOKEN_FILE"
-     echo "$TOKEN"
- }
- 
-@@ -43,4 +45,26 @@ get_token() {
-     fi
-     # Fetch a new token if not valid
-     fetch_new_token
--}
-\ No newline at end of file
-+}
-+
-+get_instance_id() {
-+    local INSTANCE_ID
-+
-+    # Try to get the EC2 instance ID from DMI first before falling back to IMDS.
-+    ocf_log debug "EC2: Attempt to get EC2 Instance ID from local file."
-+    if [ -r "$DMI_FILE" ] && [ -s "$DMI_FILE" ]; then
-+        INSTANCE_ID="$(cat "$DMI_FILE")"
-+        case "$INSTANCE_ID" in
-+            i-0*) echo "$INSTANCE_ID"; return "$OCF_SUCCESS" ;;
-+        esac
-+    fi
-+
-+    INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
-+    if [ $? -ne 0 ]; then
-+        ocf_exit_reason "Failed to get EC2 Instance ID"
-+        exit $OCF_ERR_GENERIC
-+    fi
-+
-+    echo "$INSTANCE_ID"
-+    return "$OCF_SUCCESS"
-+}
-diff --git a/heartbeat/awseip b/heartbeat/awseip
-index 4b1c3bc6a..7f38376dc 100755
---- a/heartbeat/awseip
-+++ b/heartbeat/awseip
-@@ -305,7 +305,7 @@ ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
- PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
- TOKEN=$(get_token)
- [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
--INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
-+INSTANCE_ID=$(get_instance_id)
- [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
- 
- case $__OCF_ACTION in
-diff --git a/heartbeat/awsvip b/heartbeat/awsvip
-index 8c71e7fac..0856ac5e4 100755
---- a/heartbeat/awsvip
-+++ b/heartbeat/awsvip
-@@ -265,7 +265,7 @@ fi
- SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
- TOKEN=$(get_token)
- [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
--INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
-+INSTANCE_ID=$(get_instance_id)
- [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
- MAC_ADDRESS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/mac")
- [ $? -ne 0 ] && exit $OCF_ERR_GENERIC
-
-From b8d3ecc6a8ce4baf4b28d02978dd573728ccf5fa Mon Sep 17 00:00:00 2001
-From: Oyvind Albrigtsen <oalbrigt@redhat.com>
-Date: Mon, 18 Nov 2024 11:10:42 +0100
-Subject: [PATCH 2/2] aws.sh/ocf-shellfuncs: add ability to fresh token if it's
- invalid
-
----
- heartbeat/aws.sh            |  1 +
- heartbeat/ocf-shellfuncs.in | 11 ++++++++++-
- 2 files changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/heartbeat/aws.sh b/heartbeat/aws.sh
-index 9cd343c16..64f2e13a7 100644
---- a/heartbeat/aws.sh
-+++ b/heartbeat/aws.sh
-@@ -18,6 +18,7 @@ OCF_RESKEY_curl_sleep_default="3"
- # Function to enable reusable IMDS token retrieval for efficient repeated access 
- # File to store the token and timestamp
- TOKEN_FILE="${HA_RSCTMP}/.aws_imds_token"
-+TOKEN_FUNC="fetch_new_token"  # Used by curl_retry() if saved token is invalid
- TOKEN_LIFETIME=21600  # Token lifetime in seconds (6 hours)
- TOKEN_EXPIRY_THRESHOLD=3600  # Renew token if less than 60 minutes (1 hour) remaining
- DMI_FILE="/sys/devices/virtual/dmi/id/board_asset_tag" # Only supported on nitro-based instances.
-diff --git a/heartbeat/ocf-shellfuncs.in b/heartbeat/ocf-shellfuncs.in
-index 922c6ea45..8e51fa3c8 100644
---- a/heartbeat/ocf-shellfuncs.in
-+++ b/heartbeat/ocf-shellfuncs.in
-@@ -697,6 +697,15 @@ curl_retry()
- 
- 		ocf_log debug "result: $result"
- 		[ $rc -eq 0 ] && break
-+		if [ -n "$TOKEN" ] && [ -n "$TOKEN_FILE" ] && \
-+		   [ -f "$TOKEN_FILE" ] && [ -n "$TOKEN_FUNC" ] && \
-+		   echo "$result" | grep -q "The requested URL returned error: 401$"; then
-+			local OLD_TOKEN="$TOKEN"
-+			ocf_log err "Token invalid. Getting new token."
-+			TOKEN=$($TOKEN_FUNC)
-+			[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
-+			args=$(echo "$args" | sed "s/$OLD_TOKEN/$TOKEN/")
-+		fi
- 		sleep $sleep
- 	done
- 
-@@ -1110,4 +1119,4 @@ ocf_is_true "$OCF_TRACE_RA" && ocf_start_trace
- # pacemaker sets HA_use_logd, some others use HA_LOGD :/
- if ocf_is_true "$HA_use_logd"; then
- 	: ${HA_LOGD:=yes}
--fi
-\ No newline at end of file
-+fi

SOURCES/RHEL-85048-tomcat-fix-CATALINA_PID-not-set-and-parameter-defaults.patch

@@ -1,72 +0,0 @@
-From f6a5f38405a93ab88e887aa657ee79593d1a4485 Mon Sep 17 00:00:00 2001
-From: Oyvind Albrigtsen <oalbrigt@redhat.com>
-Date: Wed, 26 Mar 2025 09:48:06 +0100
-Subject: [PATCH 1/2] tomcat: fix CATALINA_PID not set issue
-
----
- heartbeat/tomcat | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/heartbeat/tomcat b/heartbeat/tomcat
-index fa2715140b..6d47980296 100755
---- a/heartbeat/tomcat
-+++ b/heartbeat/tomcat
-@@ -695,10 +695,12 @@ CATALINA_BASE="${OCF_RESKEY_catalina_base-${OCF_RESKEY_catalina_home}}"
- CATALINA_OUT="${OCF_RESKEY_catalina_out}"
- 
- CATALINA_PID=$OCF_RESKEY_catalina_pid
--if [ -z "$CATALINA_PID" ] && [ "$__OCF_ACTION" = "start" ]; then
--	mkdir -p "${HA_RSCTMP}/${TOMCAT_NAME}_tomcatstate/"
--	if [ "${RESOURCE_TOMCAT_USER}" != "root" ]; then
--		chown ${RESOURCE_TOMCAT_USER} "${HA_RSCTMP}/${TOMCAT_NAME}_tomcatstate/"
-+if [ -z "$CATALINA_PID" ]; then
-+	if [ "$__OCF_ACTION" = "start" ]; then
-+		mkdir -p "${HA_RSCTMP}/${TOMCAT_NAME}_tomcatstate/"
-+		if [ "${RESOURCE_TOMCAT_USER}" != "root" ]; then
-+			chown ${RESOURCE_TOMCAT_USER} "${HA_RSCTMP}/${TOMCAT_NAME}_tomcatstate/"
-+		fi
- 	fi
- 	CATALINA_PID="${HA_RSCTMP}/${TOMCAT_NAME}_tomcatstate/catalina.pid"
- fi
-
-From b0da375699ebfa544e6e4a13eae554af3e7d65c9 Mon Sep 17 00:00:00 2001
-From: Oyvind Albrigtsen <oalbrigt@redhat.com>
-Date: Fri, 28 Mar 2025 10:50:17 +0100
-Subject: [PATCH 2/2] tomcat: fix catalina_base and catalina_out parameter
- defaults
-
----
- heartbeat/tomcat | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/heartbeat/tomcat b/heartbeat/tomcat
-index 6d47980296..1e8f216384 100755
---- a/heartbeat/tomcat
-+++ b/heartbeat/tomcat
-@@ -650,7 +650,6 @@ OCF_RESKEY_statusurl_default="http://127.0.0.1:8080"
- OCF_RESKEY_max_stop_time_default=""
- OCF_RESKEY_java_home_default=""
- OCF_RESKEY_java_opts_default=""
--OCF_RESKEY_catalina_out_default="${OCF_RESKEY_catalina_base-${OCF_RESKEY_catalina_home}}/logs/catalina.out"
- OCF_RESKEY_catalina_pid_default=""
- OCF_RESKEY_tomcat_start_script_default="${TOMCAT_START_SCRIPT}"
- OCF_RESKEY_tomcat_start_opts_default=""
-@@ -670,7 +669,6 @@ OCF_RESKEY_logging_manager_default=""
- : ${OCF_RESKEY_max_stop_time=${OCF_RESKEY_max_stop_time_default}}
- : ${OCF_RESKEY_java_home=${OCF_RESKEY_java_home_default}}
- : ${OCF_RESKEY_java_opts=${OCF_RESKEY_java_opts_default}}
--: ${OCF_RESKEY_catalina_out=${OCF_RESKEY_catalina_out_default}}
- : ${OCF_RESKEY_catalina_pid=${OCF_RESKEY_catalina_pid_default}}
- : ${OCF_RESKEY_tomcat_start_script=${OCF_RESKEY_tomcat_start_script_default}}
- : ${OCF_RESKEY_tomcat_start_opts=${OCF_RESKEY_tomcat_start_opts_default}}
-@@ -691,7 +689,9 @@ RESOURCE_STATUSURL="${OCF_RESKEY_statusurl}"
- JAVA_HOME="${OCF_RESKEY_java_home}"
- JAVA_OPTS="${OCF_RESKEY_java_opts}"
- CATALINA_HOME="${OCF_RESKEY_catalina_home}"
--CATALINA_BASE="${OCF_RESKEY_catalina_base-${OCF_RESKEY_catalina_home}}"
-+CATALINA_BASE="${OCF_RESKEY_catalina_base:-${OCF_RESKEY_catalina_home}}"
-+OCF_RESKEY_catalina_out_default="${OCF_RESKEY_catalina_base:-${OCF_RESKEY_catalina_home}}/logs/catalina.out"
-+: ${OCF_RESKEY_catalina_out=${OCF_RESKEY_catalina_out_default}}
- CATALINA_OUT="${OCF_RESKEY_catalina_out}"
- 
- CATALINA_PID=$OCF_RESKEY_catalina_pid

SOURCES/RHEL-91257-Filesystem-add-support-for-aznfs.patch

@@ -1,171 +0,0 @@
-From 3bffa541f7bf66e143f14e51551fc91dfebec86c Mon Sep 17 00:00:00 2001
-From: Tobias Schug <happytobi@tscoding.de>
-Date: Mon, 28 Oct 2024 09:14:41 +0100
-Subject: [PATCH] Add azure aznfs filesystem support
-
----
- heartbeat/Filesystem | 37 ++++++++++++++++++++-----------------
- 1 file changed, 20 insertions(+), 17 deletions(-)
-
-diff --git a/heartbeat/Filesystem b/heartbeat/Filesystem
-index 3405e2c26..b48bee142 100755
---- a/heartbeat/Filesystem
-+++ b/heartbeat/Filesystem
-@@ -2,7 +2,7 @@
- #
- # Support:      users@clusterlabs.org
- # License:      GNU General Public License (GPL)
--# 
-+#
- # Filesystem
- #      Description: Manages a Filesystem on a shared storage medium.
- #  Original Author: Eric Z. Ayers (eric.ayers@compgen.com)
-@@ -142,7 +142,7 @@ meta_data() {
- 
- <longdesc lang="en">
- Resource script for Filesystem. It manages a Filesystem on a
--shared storage medium. 
-+shared storage medium.
- 
- The standard monitor operation of depth 0 (also known as probe)
- checks if the filesystem is mounted. If you want deeper tests,
-@@ -260,7 +260,7 @@ currently accessing the mount directory.
- "true"  : Kill processes accessing mount point
- "safe"  : Kill processes accessing mount point using methods that
-           avoid functions that could potentially block during process
--          detection 
-+          detection
- "false" : Do not kill any processes.
- 
- The 'safe' option uses shell logic to walk the /procs/ directory
-@@ -373,7 +373,7 @@ determine_blockdevice() {
- 	# Get the current real device name, if possible.
- 	# (specified devname could be -L or -U...)
- 	case "$FSTYPE" in
--	nfs4|nfs|efs|smbfs|cifs|glusterfs|ceph|tmpfs|overlay|overlayfs|rozofs|zfs|cvfs|none|lustre)
-+	nfs4|nfs|aznfs|efs|smbfs|cifs|glusterfs|ceph|tmpfs|overlay|overlayfs|rozofs|zfs|cvfs|none|lustre)
- 		: ;;
- 	*)
- 		match_string="${TAB}${CANONICALIZED_MOUNTPOINT}${TAB}"
-@@ -455,7 +455,7 @@ is_fsck_needed() {
- 		no)    false;;
- 		""|auto)
- 		case "$FSTYPE" in
--			ext4|ext4dev|ext3|reiserfs|reiser4|nss|xfs|jfs|vfat|fat|nfs4|nfs|efs|cifs|smbfs|ocfs2|gfs2|none|lustre|glusterfs|ceph|tmpfs|overlay|overlayfs|rozofs|zfs|cvfs)
-+			ext4|ext4dev|ext3|reiserfs|reiser4|nss|xfs|jfs|vfat|fat|nfs4|nfs|aznfs|efs|cifs|smbfs|ocfs2|gfs2|none|lustre|glusterfs|ceph|tmpfs|overlay|overlayfs|rozofs|zfs|cvfs)
- 			false;;
- 			*)
- 			true;;
-@@ -478,7 +478,7 @@ fstype_supported()
- 	fi
- 
- 	if [ -z "$FSTYPE" -o "$FSTYPE" = none ]; then
--		: No FSTYPE specified, rely on the system has the right file-system support already 
-+		: No FSTYPE specified, rely on the system has the right file-system support already
- 		return $OCF_SUCCESS
- 	fi
- 
-@@ -487,6 +487,7 @@ fstype_supported()
- 	case "$FSTYPE" in
- 		fuse.*|glusterfs|rozofs) support="fuse";;
- 		efs) check_binary "mount.efs"; support="nfs4";;
-+		aznfs) check_binary "mount.aznfs"; support="nfs4";;
- 	esac
- 
- 	if [ "$support" != "$FSTYPE" ]; then
-@@ -530,7 +531,7 @@ fstype_supported()
- # node on the shared storage, and is not visible yet. Then try
- # partprobe to refresh /dev/disk/by-{label,uuid}/* up to date.
- #
--# DEVICE can be /dev/xxx, -U, -L 
-+# DEVICE can be /dev/xxx, -U, -L
- #
- trigger_udev_rules_if_needed()
- {
-@@ -545,12 +546,12 @@ trigger_udev_rules_if_needed()
- 		fi
- 	else
- 		tmp="$(echo $DEVICE|awk '{$1=""; print substr($0,2)}')"
--		case "$DEVICE" in 
--		-U*|--uuid*) 
--			tmp="/dev/disk/by-uuid/$tmp" 
-+		case "$DEVICE" in
-+		-U*|--uuid*)
-+			tmp="/dev/disk/by-uuid/$tmp"
- 			;;
- 		-L*|--label*)
--			tmp="/dev/disk/by-label/$tmp" 
-+			tmp="/dev/disk/by-label/$tmp"
- 			;;
- 		*)
- 			# bind mount?
-@@ -595,7 +596,7 @@ Filesystem_start()
- 
- 	fstype_supported || exit $OCF_ERR_INSTALLED
- 
--	# Check the filesystem & auto repair.  
-+	# Check the filesystem & auto repair.
- 	# NOTE: Some filesystem types don't need this step...  Please modify
- 	#       accordingly
- 
-@@ -697,7 +698,7 @@ signal_processes() {
- 	local sig=$2
- 	local pids pid
- 	# fuser returns a non-zero return code if none of the
--	# specified files is accessed or in case of a fatal 
-+	# specified files is accessed or in case of a fatal
- 	# error.
- 	pids=$(get_pids "$dir")
- 	if [ -z "$pids" ]; then
-@@ -745,6 +746,7 @@ fs_stop_loop() {
- 		try_umount "$force_arg" "$SUB" && return $OCF_SUCCESS
- 	done
- }
-+
- fs_stop() {
- 	local SUB="$1" timeout=$2 grace_time ret
- 	grace_time=$((timeout/2))
-@@ -797,7 +799,7 @@ Filesystem_stop()
- 
- 		# For networked filesystems, there's merit in trying -f:
- 		case "$FSTYPE" in
--		nfs4|nfs|efs|cifs|smbfs) umount_force="-f" ;;
-+		nfs4|nfs|aznfs|efs|cifs|smbfs) umount_force="-f" ;;
- 		esac
- 
- 		# Umount all sub-filesystems mounted under $MOUNTPOINT/ too.
-@@ -942,6 +944,7 @@ Filesystem_monitor_20()
- 	fi
- 	return $OCF_SUCCESS
- }
-+
- Filesystem_monitor()
- {
- 	Filesystem_status
-@@ -1016,7 +1019,7 @@ set_blockdevice_var() {
- 
- 	# these are definitely not block devices
- 	case "$FSTYPE" in
--	nfs4|nfs|efs|smbfs|cifs|none|glusterfs|ceph|tmpfs|overlay|overlayfs|rozofs|zfs|cvfs|lustre) return;;
-+	nfs4|nfs|aznfs|efs|smbfs|cifs|none|glusterfs|ceph|tmpfs|overlay|overlayfs|rozofs|zfs|cvfs|lustre) return;;
- 	esac
- 
- 	if $(is_option "loop"); then
-@@ -1098,7 +1101,7 @@ set_blockdevice_var
- if [ -z "$OCF_RESKEY_directory" ]; then
- 	if [ X$OP = "Xstart" -o $blockdevice = "no" ]; then
- 		ocf_exit_reason "Please specify the directory"
--		exit $OCF_ERR_CONFIGURED 
-+		exit $OCF_ERR_CONFIGURED
- 	fi
- else
- 	MOUNTPOINT="$(echo "$OCF_RESKEY_directory" | sed 's/\/*$//')"
-@@ -1166,7 +1169,7 @@ is_option "ro" &&
- 	CLUSTERSAFE=2
- 
- case "$FSTYPE" in
--nfs4|nfs|efs|smbfs|cifs|none|gfs2|glusterfs|ceph|ocfs2|overlay|overlayfs|tmpfs|cvfs|lustre)
-+nfs4|nfs|aznfs|efs|smbfs|cifs|none|gfs2|glusterfs|ceph|ocfs2|overlay|overlayfs|tmpfs|cvfs|lustre)
- 	CLUSTERSAFE=1 # this is kind of safe too
- 	systemd_drop_in "99-Filesystem-remote" "After" "remote-fs.target"
- 	;;

SPECS/resource-agents.spec

@@ -73,7 +73,7 @@
 Name:		resource-agents
 Summary:	Open Source HA Reusable Cluster Resource Scripts
 Version:	4.9.0
-Release:	54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.23
+Release:	54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
 License:	GPLv2+ and LGPLv2+
 URL:		https://github.com/ClusterLabs/resource-agents
 %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@@ -160,27 +160,6 @@ Patch63:	RHEL-15305-1-findif.sh-fix-loopback-handling.patch
 Patch64:	RHEL-16248-aws-vpc-move-ip-aws-vpc-route53-awseip-awsvip-auth_type-role.patch
 Patch65:	RHEL-17083-findif-EOS-fix.patch
 Patch66:	RHEL-15305-2-findif.sh-dont-use-table-parameter.patch
-Patch67:	RHEL-34137-aws-agents-use-curl_retry.patch
-Patch68:	RHEL-32828-db2-fix-OCF_SUCESS-typo.patch
-Patch69:	RHEL-61138-nfsserver-also-stop-rpc-statd-for-nfsv4_only.patch
-Patch70:	RHEL-69297-1-Filesystem-dont-kill-unrelated-processes.patch
-Patch71:	RHEL-69297-2-Filesystem-update-bsd-logic.patch
-Patch72:	RHEL-72956-1-openstack-cinder-volume-wait-for-volume-to-be-available.patch
-Patch73:	RHEL-72956-2-openstack-cinder-volume-fix-detach-not-working-during-start-action.patch
-Patch74:	RHEL-79823-portblock-fix-version-detection.patch
-Patch75: 	RHEL-81960-1-aws-agents-reuse-imds-token-until-it-expires.patch
-Patch76: 	RHEL-81960-2-aws-agents-reuse-imds-token-improvements.patch
-Patch77: 	RHEL-85048-tomcat-fix-CATALINA_PID-not-set-and-parameter-defaults.patch
-Patch78:	RHEL-91257-Filesystem-add-support-for-aznfs.patch
-Patch79:	RHEL-102731-ocf-shellfuncs-remove-extra-sleep-from-curl_retry.patch
-Patch80:	RHEL-115783-RHEL-115781-db2-add-skip_basic_sql_health_check-and-monitor-parameters.patch
-Patch81:	RHEL-118625-db2-use-reintegration-flag-to-avoid-race-condition-on-cluster-reintegration.patch
-Patch82:	RHEL-116150-1-ocf-shellfuncs-add-ocf_promotion_score.patch
-Patch83:	RHEL-116150-2-portblock-add-promotable-support.patch
-Patch84:	RHEL-116150-3-portblock-fixes-add-method-and-status_check-parameters.patch
-Patch85:	RHEL-124815-db2-fix-variable-name.patch
-Patch86:	RHEL-102979-1-nfsserver-support-non-clustered-kerberized-mounts.patch
-Patch87:	RHEL-102979-2-nfsserver-fix-error-message.patch
 
 # bundle patches
 Patch1000:	7-gcp-bundled.patch
@@ -193,9 +172,6 @@ Patch1006:	python3-syntax-fixes.patch
 Patch1007:	aliyuncli-python3-fixes.patch
 Patch1008:	bz1935422-python-pygments-fix-CVE-2021-20270.patch
 Patch1009:	bz1943464-python-pygments-fix-CVE-2021-27291.patch
-Patch1010:	RHEL-44923-aliyun-gcp-fix-bundled-urllib3-CVE-2024-37891.patch
-Patch1011:	RHEL-104761-aliyun-gcp-fix-bundled-requests-CVE-2024-47081.patch
-Patch1012:	RHEL-50360-setuptools-fix-CVE-2024-6345.patch
 
 Obsoletes:	heartbeat-resources <= %{version}
 Provides:	heartbeat-resources = %{version}
@@ -432,27 +408,6 @@ exit 1
 %patch -p1 -P 64
 %patch -p1 -P 65
 %patch -p1 -P 66
-%patch -p1 -P 67 -F1
-%patch -p1 -P 68
-%patch -p1 -P 69
-%patch -p1 -P 70
-%patch -p1 -P 71
-%patch -p1 -P 72
-%patch -p1 -P 73
-%patch -p1 -P 74
-%patch -p1 -P 75
-%patch -p1 -P 76
-%patch -p1 -P 77
-%patch -p1 -P 78 -F2
-%patch -p1 -P 79
-%patch -p1 -P 80
-%patch -p1 -P 81 -F2
-%patch -p1 -P 82
-%patch -p1 -P 83
-%patch -p1 -P 84
-%patch -p1 -P 85
-%patch -p1 -P 86
-%patch -p1 -P 87
 
 chmod 755 heartbeat/nova-compute-wait
 chmod 755 heartbeat/NovaEvacuate
@@ -741,15 +696,6 @@ mv %{buildroot}/%{_bindir}/aliyuncli %{buildroot}/%{_bindir}/aliyuncli-ra
 # aliyun_completer / aliyun_zsh_complete.sh
 rm %{buildroot}/%{_bindir}/aliyun_*
 popd
-
-# regular patch doesnt work in build-section
-pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1010}
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1011}
-popd
-pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}/gcp/google-cloud-sdk/lib/third_party
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1012}
-popd
 %endif
 
 ## tree fixup
@@ -1043,107 +989,6 @@ ccs_update_schema > /dev/null 2>&1 ||:
 %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm
 
 %changelog
-* Fri Oct 31 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.23
-- nfsserver: add ability to set e.g. "pipefs-directory=/run/nfs/rpc_pipefs"
-  in /etc/nfs.conf to avoid issues with non-clustered Kerberized mounts
-
-  Resolves: RHEL-102979
-
-* Thu Oct 30 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.21
-- db2: fix monitor_retries_sleep variable name
-
-  Resolves: RHEL-124815
-
-* Tue Oct 21 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.20
-- portblock: add promotable support, and method and status_check
-  parameters
-
-  Resolves: RHEL-116150
-
-* Mon Oct 20 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.19
-- db2: use reintegration flag to avoid race condition on cluster
-  reintegration
-
-  Resolves: RHEL-118625
-
-* Thu Sep 18 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.17
-- db2: add "skip_basic_sql_health_check" parameter to avoid failing on
-  systems with high load
-- db2: add "monitor_retries", "monitor_sleep", and "monitor_retry_all_errors"
-  parameters to be able to avoid failing on first try
-
-  Resolves: RHEL-115783, RHEL-115781
-
-* Fri Aug 15 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.16
-- bundled requests: fix CVE-2024-47081
-
-  Resolves: RHEL-104761
-
-* Tue Jul 15 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.15
-- ocf-shellfuncs/AWS agents: dont sleep after the final try in
-  curl_retry()
-
-  Resolves: RHEL-102731
-
-* Wed May 14 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.13
-- Filesystem: add support for aznfs
-
-  Resolves: RHEL-91257
-
-* Fri Mar 28 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.12
-- tomcat: fix CATALINA_PID not set, and catalina_base and catalina_out
-  parameter defaults
-
-  Resolves: RHEL-85048
-
-* Tue Mar  4 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.11
-- AWS agents: reuse IMDS token until it expires
-
-  Resolves: RHEL-81960
-
-* Thu Feb 20 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.10
-- portblock: fix iptables version detection
-
-  Resolves: RHEL-79823
-
-* Fri Jan 10 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.8
-- openstack-cinder-volume: wait for volume to be available
-
-  Resolves: RHEL-72956
-
-* Wed Nov 27 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.6
-- Filesystem: dont kill unrelated processes during stop-action
-
-  Resolves: RHEL-69297
-
-* Tue Oct  1 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.5
-- nfsserver: also stop rpc-statd for nfsv4_only to avoid stop failing
-  in some cases
-
-  Resolves: RHEL-61138
-
-* Thu Jul 25 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.4
-- bundled setuptools: fix CVE-2024-6345
-
-  Resolves: RHEL-50360
-
-* Tue Jul 23 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.3
-- gcp-pd-move: fix TLS_VERSION_1 issue
-
-  Resolves: RHEL-50041
-
-* Wed Jun 26 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.2
-- bundled urllib3: fix CVE-2024-37891
-
-  Resolves: RHEL-44923
-
-* Thu May 30 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.1
-- AWS agents: retry failed metadata requests to avoid instantly
-  failing when there is a hiccup in the network or metadata service
-- db2: fix OCF_SUCESS typo
-
-  Resolves: RHEL-34137, RHEL-32828
-
 * Thu Feb  8 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54
 - findif.sh: fix loopback IP handling