SOURCES/7-gcp-bundled.patch

@@ -1,17 +1,6 @@
-diff --color -uNr a/heartbeat/gcp-pd-move.in b/heartbeat/gcp-pd-move.in
---- a/heartbeat/gcp-pd-move.in	2024-07-22 10:59:42.170483160 +0200
-+++ b/heartbeat/gcp-pd-move.in	2024-07-22 11:01:51.455543850 +0200
-@@ -32,6 +32,7 @@
- from ocf import logger
- 
- try:
-+  sys.path.insert(0, '/usr/lib/resource-agents/bundled/gcp')
-   import googleapiclient.discovery
- except ImportError:
-   pass
 diff --color -uNr a/heartbeat/gcp-vpc-move-ip.in b/heartbeat/gcp-vpc-move-ip.in
---- a/heartbeat/gcp-vpc-move-ip.in	2024-07-22 10:59:42.170483160 +0200
+--- a/heartbeat/gcp-vpc-move-ip.in	2022-06-16 09:45:21.419090782 +0200
-+++ b/heartbeat/gcp-vpc-move-ip.in	2024-07-22 11:01:18.010752081 +0200
++++ b/heartbeat/gcp-vpc-move-ip.in	2022-06-16 10:11:22.978648598 +0200
 @@ -36,7 +36,7 @@
  . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
  
@@ -22,8 +11,8 @@ diff --color -uNr a/heartbeat/gcp-vpc-move-ip.in b/heartbeat/gcp-vpc-move-ip.in
  OCF_RESKEY_vpc_network_default="default"
  OCF_RESKEY_interface_default="eth0"
 diff --color -uNr a/heartbeat/gcp-vpc-move-route.in b/heartbeat/gcp-vpc-move-route.in
---- a/heartbeat/gcp-vpc-move-route.in	2024-07-22 10:59:42.170483160 +0200
+--- a/heartbeat/gcp-vpc-move-route.in	2022-06-16 09:45:21.420090788 +0200
-+++ b/heartbeat/gcp-vpc-move-route.in	2024-07-22 11:01:18.011752105 +0200
++++ b/heartbeat/gcp-vpc-move-route.in	2022-06-16 10:11:22.978648598 +0200
 @@ -45,6 +45,7 @@
  from ocf import *
  
@@ -33,8 +22,8 @@ diff --color -uNr a/heartbeat/gcp-vpc-move-route.in b/heartbeat/gcp-vpc-move-rou
    import pyroute2
    try:
 diff --color -uNr a/heartbeat/gcp-vpc-move-vip.in b/heartbeat/gcp-vpc-move-vip.in
---- a/heartbeat/gcp-vpc-move-vip.in	2024-07-22 10:59:42.170483160 +0200
+--- a/heartbeat/gcp-vpc-move-vip.in	2022-06-16 09:45:21.420090788 +0200
-+++ b/heartbeat/gcp-vpc-move-vip.in	2024-07-22 11:01:18.012752128 +0200
++++ b/heartbeat/gcp-vpc-move-vip.in	2022-06-16 10:11:22.979648603 +0200
 @@ -29,6 +29,7 @@
  from ocf import *
  

SOURCES/RHEL-32828-db2-fix-OCF_SUCESS-typo.patch

@@ -1,23 +0,0 @@
-From a9c4aeb971e9f4963345d0e215b729def62dd27c Mon Sep 17 00:00:00 2001
-From: pepadelic <162310096+pepadelic@users.noreply.github.com>
-Date: Mon, 15 Apr 2024 13:52:54 +0200
-Subject: [PATCH] Update db2: fix OCF_SUCESS name in db2_notify
-
-fix OCF_SUCESS to OCF_SUCCESS  in db2_notify
----
- heartbeat/db2 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/heartbeat/db2 b/heartbeat/db2
-index 95447ab6cb..1cd66f15af 100755
---- a/heartbeat/db2
-+++ b/heartbeat/db2
-@@ -848,7 +848,7 @@ db2_notify() {
- 
-     # only interested in pre-start
-     [  $OCF_RESKEY_CRM_meta_notify_type = pre \
--    -a $OCF_RESKEY_CRM_meta_notify_operation = start ] || return $OCF_SUCESS
-+    -a $OCF_RESKEY_CRM_meta_notify_operation = start ] || return $OCF_SUCCESS
- 
-     # gets FIRST_ACTIVE_LOG
-     db2_get_cfg $dblist || return $?

SOURCES/RHEL-34137-aws-agents-use-curl_retry.patch

@@ -1,343 +0,0 @@
-From fc0657b936f6a58f741e33f851b22f82bc68bffa Mon Sep 17 00:00:00 2001
-From: Oyvind Albrigtsen <oalbrigt@redhat.com>
-Date: Tue, 6 Feb 2024 13:28:12 +0100
-Subject: [PATCH 1/2] ocf-shellfuncs: add curl_retry()
-
----
- heartbeat/ocf-shellfuncs.in | 34 ++++++++++++++++++++++++++++++++++
- 1 file changed, 34 insertions(+)
-
-diff --git a/heartbeat/ocf-shellfuncs.in b/heartbeat/ocf-shellfuncs.in
-index c5edb6f57..a69a9743d 100644
---- a/heartbeat/ocf-shellfuncs.in
-+++ b/heartbeat/ocf-shellfuncs.in
-@@ -672,6 +672,40 @@ EOF
- 	systemctl daemon-reload
- }
- 
-+# usage: curl_retry RETRIES SLEEP ARGS URL
-+#
-+# Use --show-error in ARGS to log HTTP error code
-+#
-+# returns:
-+#    0  success
-+# exit:
-+#    1  fail
-+curl_retry()
-+{
-+	local retries=$1 sleep=$2 opts=$3 url=$4
-+	local tries=$(($retries + 1))
-+	local args="--fail $opts $url"
-+	local result rc
-+
-+	for try in $(seq $tries); do
-+		ocf_log debug "curl $args try $try of $tries"
-+		result=$(echo "$args" | xargs curl 2>&1)
-+		rc=$?
-+
-+		ocf_log debug "result: $result"
-+		[ $rc -eq 0 ] && break
-+		sleep $sleep
-+	done
-+
-+	if [ $rc -ne 0 ]; then
-+		ocf_exit_reason "curl $args failed $tries tries"
-+		exit $OCF_ERR_GENERIC
-+	fi
-+
-+	echo "$result"
-+	return $rc
-+}
-+
- # usage: crm_mon_no_validation args...
- # run crm_mon without any cib schema validation
- # This is useful when an agent runs in a bundle to avoid potential
-
-From 80d330557319bdae9e45aad1279e435fc481d4e7 Mon Sep 17 00:00:00 2001
-From: Oyvind Albrigtsen <oalbrigt@redhat.com>
-Date: Tue, 6 Feb 2024 13:28:25 +0100
-Subject: [PATCH 2/2] AWS agents: use curl_retry()
-
----
- heartbeat/aws-vpc-move-ip    | 35 ++++++++++++++++++++++++++---------
- heartbeat/aws-vpc-route53.in | 27 +++++++++++++++++++++++++--
- heartbeat/awseip             | 36 +++++++++++++++++++++++++++++++-----
- heartbeat/awsvip             | 32 ++++++++++++++++++++++++++++----
- 4 files changed, 110 insertions(+), 20 deletions(-)
-
-diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
-index 54806f6ea..6115e5ba8 100755
---- a/heartbeat/aws-vpc-move-ip
-+++ b/heartbeat/aws-vpc-move-ip
-@@ -47,6 +47,8 @@ OCF_RESKEY_interface_default="eth0"
- OCF_RESKEY_iflabel_default=""
- OCF_RESKEY_monapi_default="false"
- OCF_RESKEY_lookup_type_default="InstanceId"
-+OCF_RESKEY_curl_retries_default="3"
-+OCF_RESKEY_curl_sleep_default="1"
- 
- : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
- : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
-@@ -60,6 +62,8 @@ OCF_RESKEY_lookup_type_default="InstanceId"
- : ${OCF_RESKEY_iflabel=${OCF_RESKEY_iflabel_default}}
- : ${OCF_RESKEY_monapi=${OCF_RESKEY_monapi_default}}
- : ${OCF_RESKEY_lookup_type=${OCF_RESKEY_lookup_type_default}}
-+: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
-+: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
- #######################################################################
- 
- 
-@@ -194,6 +198,22 @@ Name of resource type to lookup in route table.
- <content type="string" default="${OCF_RESKEY_lookup_type_default}" />
- </parameter>
- 
-+<parameter name="curl_retries" unique="0">
-+<longdesc lang="en">
-+curl retries before failing
-+</longdesc>
-+<shortdesc lang="en">curl retries</shortdesc>
-+<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
-+</parameter>
-+
-+<parameter name="curl_sleep" unique="0">
-+<longdesc lang="en">
-+curl sleep between tries
-+</longdesc>
-+<shortdesc lang="en">curl sleep</shortdesc>
-+<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
-+</parameter>
-+
- </parameters>
- 
- <actions>
-@@ -250,8 +270,10 @@ ec2ip_validate() {
- 		fi
- 	fi
- 
--	TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
--	EC2_INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
-+	TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
-+	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
-+	EC2_INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
-+	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
- 
- 	if [ -z "${EC2_INSTANCE_ID}" ]; then
- 		ocf_exit_reason "Instance ID not found. Is this a EC2 instance?"
-@@ -365,14 +387,9 @@ ec2ip_get_instance_eni() {
- 	fi
- 	ocf_log debug "MAC address associated with interface ${OCF_RESKEY_interface}: ${MAC_ADDR}"
- 
--	cmd="curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDR}/interface-id -H \"X-aws-ec2-metadata-token: $TOKEN\""
--	ocf_log debug "executing command: $cmd"
-+	cmd="curl_retry \"$OCF_RESKEY_curl_retries\" \"$OCF_RESKEY_curl_sleep\" \"--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'\" \"http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDR}/interface-id\""
- 	EC2_NETWORK_INTERFACE_ID="$(eval $cmd)"
--	rc=$?
--	if [ $rc != 0 ]; then
--		ocf_log warn "command failed, rc: $rc"
--		return $OCF_ERR_GENERIC
--	fi
-+	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
- 	ocf_log debug "network interface id associated MAC address ${MAC_ADDR}: ${EC2_NETWORK_INTERFACE_ID}"
- 	echo $EC2_NETWORK_INTERFACE_ID
- }
-diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
-index 18ab157e8..eba2ed95c 100644
---- a/heartbeat/aws-vpc-route53.in
-+++ b/heartbeat/aws-vpc-route53.in
-@@ -53,6 +53,8 @@ OCF_RESKEY_hostedzoneid_default=""
- OCF_RESKEY_fullname_default=""
- OCF_RESKEY_ip_default="local"
- OCF_RESKEY_ttl_default=10
-+OCF_RESKEY_curl_retries_default="3"
-+OCF_RESKEY_curl_sleep_default="1"
- 
- : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
- : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
-@@ -62,6 +64,8 @@ OCF_RESKEY_ttl_default=10
- : ${OCF_RESKEY_fullname:=${OCF_RESKEY_fullname_default}}
- : ${OCF_RESKEY_ip:=${OCF_RESKEY_ip_default}}
- : ${OCF_RESKEY_ttl:=${OCF_RESKEY_ttl_default}}
-+: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
-+: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
- 
- usage() {
- 	cat <<-EOT
-@@ -185,6 +189,22 @@ Time to live for Route53 ARECORD
- <shortdesc lang="en">ARECORD TTL</shortdesc>
- <content type="string" default="${OCF_RESKEY_ttl_default}" />
- </parameter>
-+
-+<parameter name="curl_retries" unique="0">
-+<longdesc lang="en">
-+curl retries before failing
-+</longdesc>
-+<shortdesc lang="en">curl retries</shortdesc>
-+<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
-+</parameter>
-+
-+<parameter name="curl_sleep" unique="0">
-+<longdesc lang="en">
-+curl sleep between tries
-+</longdesc>
-+<shortdesc lang="en">curl sleep</shortdesc>
-+<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
-+</parameter>
- </parameters>
- 
- <actions>
-@@ -357,8 +377,11 @@ r53_monitor() {
- _get_ip() {
- 	case $OCF_RESKEY_ip in
- 		local|public)
--			TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
--			IPADDRESS=$(curl -s http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4 -H "X-aws-ec2-metadata-token: $TOKEN");;
-+			TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
-+			[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
-+			IPADDRESS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4")
-+			[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
-+			;;
- 		*.*.*.*)
- 			IPADDRESS="${OCF_RESKEY_ip}";;
- 	esac
-diff --git a/heartbeat/awseip b/heartbeat/awseip
-index 49b0ca615..ffb6223a1 100755
---- a/heartbeat/awseip
-+++ b/heartbeat/awseip
-@@ -49,12 +49,16 @@ OCF_RESKEY_auth_type_default="key"
- OCF_RESKEY_profile_default="default"
- OCF_RESKEY_region_default=""
- OCF_RESKEY_api_delay_default="3"
-+OCF_RESKEY_curl_retries_default="3"
-+OCF_RESKEY_curl_sleep_default="1"
- 
- : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
- : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
- : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
- : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
- : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
-+: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
-+: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
- 
- meta_data() {
-     cat <<END
-@@ -141,6 +145,22 @@ a short delay between API calls, to avoid sending API too quick
- <content type="integer" default="${OCF_RESKEY_api_delay_default}" />
- </parameter>
- 
-+<parameter name="curl_retries" unique="0">
-+<longdesc lang="en">
-+curl retries before failing
-+</longdesc>
-+<shortdesc lang="en">curl retries</shortdesc>
-+<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
-+</parameter>
-+
-+<parameter name="curl_sleep" unique="0">
-+<longdesc lang="en">
-+curl sleep between tries
-+</longdesc>
-+<shortdesc lang="en">curl sleep</shortdesc>
-+<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
-+</parameter>
-+
- </parameters>
- 
- <actions>
-@@ -171,14 +191,18 @@ awseip_start() {
-     awseip_monitor && return $OCF_SUCCESS
- 
-     if [ -n "${PRIVATE_IP_ADDRESS}" ]; then
--        NETWORK_INTERFACES_MACS=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/ -H "X-aws-ec2-metadata-token: $TOKEN")
-+        NETWORK_INTERFACES_MACS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "-s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/")
-         for MAC in ${NETWORK_INTERFACES_MACS}; do
--            curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/local-ipv4s -H "X-aws-ec2-metadata-token: $TOKEN" |
-+            curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "-s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC%/*}/local-ipv4s" |
-                 grep -q "^${PRIVATE_IP_ADDRESS}$"
-             if [ $? -eq 0 ]; then
--                NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
-+                NETWORK_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "-s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC%/*}/interface-id")
-             fi
-         done
-+        if [ -z "$NETWORK_ID" ]; then
-+            ocf_exit_reason "Could not find network interface for private_ip_address: $PRIVATE_IP_ADDRESS"
-+            exit $OCF_ERR_GENERIC
-+        fi
-         $AWSCLI_CMD ec2 associate-address  \
-             --network-interface-id ${NETWORK_ID} \
-             --allocation-id ${ALLOCATION_ID} \
-@@ -282,8 +306,10 @@ fi
- ELASTIC_IP="${OCF_RESKEY_elastic_ip}"
- ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
- PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
--TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
--INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
-+TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
-+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
-+INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
-+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
- 
- case $__OCF_ACTION in
-     start)
-diff --git a/heartbeat/awsvip b/heartbeat/awsvip
-index bdb4d68dd..f2b238a0f 100755
---- a/heartbeat/awsvip
-+++ b/heartbeat/awsvip
-@@ -48,12 +48,16 @@ OCF_RESKEY_auth_type_default="key"
- OCF_RESKEY_profile_default="default"
- OCF_RESKEY_region_default=""
- OCF_RESKEY_api_delay_default="3"
-+OCF_RESKEY_curl_retries_default="3"
-+OCF_RESKEY_curl_sleep_default="1"
- 
- : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
- : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
- : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
- : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
- : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
-+: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
-+: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
- 
- meta_data() {
-     cat <<END
-@@ -124,6 +128,22 @@ a short delay between API calls, to avoid sending API too quick
- <content type="integer" default="${OCF_RESKEY_api_delay_default}" />
- </parameter>
- 
-+<parameter name="curl_retries" unique="0">
-+<longdesc lang="en">
-+curl retries before failing
-+</longdesc>
-+<shortdesc lang="en">curl retries</shortdesc>
-+<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
-+</parameter>
-+
-+<parameter name="curl_sleep" unique="0">
-+<longdesc lang="en">
-+curl sleep between tries
-+</longdesc>
-+<shortdesc lang="en">curl sleep</shortdesc>
-+<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
-+</parameter>
-+
- </parameters>
- 
- <actions>
-@@ -246,10 +266,14 @@ if [ -n "${OCF_RESKEY_region}" ]; then
- 	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
- fi
- SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
--TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
--INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
--MAC_ADDRESS=$(curl -s http://169.254.169.254/latest/meta-data/mac -H "X-aws-ec2-metadata-token: $TOKEN")
--NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDRESS}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
-+TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
-+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
-+INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
-+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
-+MAC_ADDRESS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/mac")
-+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
-+NETWORK_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDRESS}/interface-id")
-+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
- 
- case $__OCF_ACTION in
-     start)

SOURCES/RHEL-44923-aliyun-gcp-fix-bundled-urllib3-CVE-2024-37891.patch

@@ -1,48 +0,0 @@
-From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
-From: Quentin Pradet <quentin.pradet@gmail.com>
-Date: Mon, 17 Jun 2024 11:09:06 +0400
-Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
-
-* Strip Proxy-Authorization header on redirects
-
-* Fix test_retry_default_remove_headers_on_redirect
-
-* Set release date
----
- CHANGES.rst                               |  5 +++++
- src/urllib3/util/retry.py                 |  4 +++-
- test/test_retry.py                        |  6 ++++-
- test/with_dummyserver/test_poolmanager.py | 27 ++++++++++++++++++++---
- 4 files changed, 37 insertions(+), 5 deletions(-)
-
-diff --git a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py
-index 7a76a4a6ad..0456cceba4 100644
---- a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py
-+++ b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py
-@@ -189,7 +189,9 @@ class Retry:
-     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
- 
-     #: Default headers to be used for ``remove_headers_on_redirect``
--    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
-+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
-+        ["Cookie", "Authorization", "Proxy-Authorization"]
-+    )
- 
-     #: Default maximum backoff time.
-     DEFAULT_BACKOFF_MAX = 120
-
-diff --git a/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py b/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py
-index 7a76a4a6ad..0456cceba4 100644
---- a/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py
-+++ b/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py
-@@ -189,7 +189,9 @@ class Retry:
-     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
- 
-     #: Default headers to be used for ``remove_headers_on_redirect``
--    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
-+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
-+        ["Cookie", "Authorization", "Proxy-Authorization"]
-+    )
- 
-     #: Default maximum backoff time.
-     DEFAULT_BACKOFF_MAX = 120

SOURCES/RHEL-50360-setuptools-fix-CVE-2024-6345.patch

@@ -1,201 +0,0 @@
---- a/setuptools/package_index.py	1980-01-01 09:00:00.000000000 +0100
-+++ b/setuptools/package_index.py	2024-07-25 10:11:40.537307665 +0200
-@@ -1,5 +1,6 @@
- """PyPI and direct package downloading"""
- import sys
-+import subprocess
- import os
- import re
- import shutil
-@@ -563,7 +564,7 @@
-             scheme = URL_SCHEME(spec)
-             if scheme:
-                 # It's a url, download it to tmpdir
--                found = self._download_url(scheme.group(1), spec, tmpdir)
-+                found = self._download_url(spec, tmpdir)
-                 base, fragment = egg_info_for_url(spec)
-                 if base.endswith('.py'):
-                     found = self.gen_setup(found, fragment, tmpdir)
-@@ -775,7 +776,7 @@
-                 raise DistutilsError("Download error for %s: %s"
-                                      % (url, v))
- 
--    def _download_url(self, scheme, url, tmpdir):
-+    def _download_url(self, url, tmpdir):
-         # Determine download filename
-         #
-         name, fragment = egg_info_for_url(url)
-@@ -790,19 +791,59 @@
- 
-         filename = os.path.join(tmpdir, name)
- 
--        # Download the file
--        #
--        if scheme == 'svn' or scheme.startswith('svn+'):
--            return self._download_svn(url, filename)
--        elif scheme == 'git' or scheme.startswith('git+'):
--            return self._download_git(url, filename)
--        elif scheme.startswith('hg+'):
--            return self._download_hg(url, filename)
--        elif scheme == 'file':
--            return urllib.request.url2pathname(urllib.parse.urlparse(url)[2])
--        else:
--            self.url_ok(url, True)  # raises error if not allowed
--            return self._attempt_download(url, filename)
-+        return self._download_vcs(url, filename) or self._download_other(url, filename)
-+
-+    @staticmethod
-+    def _resolve_vcs(url):
-+        """
-+        >>> rvcs = PackageIndex._resolve_vcs
-+        >>> rvcs('git+http://foo/bar')
-+        'git'
-+        >>> rvcs('hg+https://foo/bar')
-+        'hg'
-+        >>> rvcs('git:myhost')
-+        'git'
-+        >>> rvcs('hg:myhost')
-+        >>> rvcs('http://foo/bar')
-+        """
-+        scheme = urllib.parse.urlsplit(url).scheme
-+        pre, sep, post = scheme.partition('+')
-+        # svn and git have their own protocol; hg does not
-+        allowed = set(['svn', 'git'] + ['hg'] * bool(sep))
-+        return next(iter({pre} & allowed), None)
-+
-+    def _download_vcs(self, url, spec_filename):
-+        vcs = self._resolve_vcs(url)
-+        if not vcs:
-+            return
-+        if vcs == 'svn':
-+            raise DistutilsError(
-+                f"Invalid config, SVN download is not supported: {url}"
-+            )
-+
-+        filename, _, _ = spec_filename.partition('#')
-+        url, rev = self._vcs_split_rev_from_url(url)
-+
-+        self.info(f"Doing {vcs} clone from {url} to {filename}")
-+        subprocess.check_call([vcs, 'clone', '--quiet', url, filename])
-+
-+        co_commands = dict(
-+            git=[vcs, '-C', filename, 'checkout', '--quiet', rev],
-+            hg=[vcs, '--cwd', filename, 'up', '-C', '-r', rev, '-q'],
-+        )
-+        if rev is not None:
-+            self.info(f"Checking out {rev}")
-+            subprocess.check_call(co_commands[vcs])
-+
-+        return filename
-+
-+    def _download_other(self, url, filename):
-+        scheme = urllib.parse.urlsplit(url).scheme
-+        if scheme == 'file':  # pragma: no cover
-+            return urllib.request.url2pathname(urllib.parse.urlparse(url).path)
-+        # raise error if not allowed
-+        self.url_ok(url, True)
-+        return self._attempt_download(url, filename)
- 
-     def scan_url(self, url):
-         self.process_url(url, True)
-@@ -829,76 +870,37 @@
-         os.unlink(filename)
-         raise DistutilsError("Unexpected HTML page found at " + url)
- 
--    def _download_svn(self, url, filename):
--        url = url.split('#', 1)[0]  # remove any fragment for svn's sake
--        creds = ''
--        if url.lower().startswith('svn:') and '@' in url:
--            scheme, netloc, path, p, q, f = urllib.parse.urlparse(url)
--            if not netloc and path.startswith('//') and '/' in path[2:]:
--                netloc, path = path[2:].split('/', 1)
--                auth, host = splituser(netloc)
--                if auth:
--                    if ':' in auth:
--                        user, pw = auth.split(':', 1)
--                        creds = " --username=%s --password=%s" % (user, pw)
--                    else:
--                        creds = " --username=" + auth
--                    netloc = host
--                    parts = scheme, netloc, url, p, q, f
--                    url = urllib.parse.urlunparse(parts)
--        self.info("Doing subversion checkout from %s to %s", url, filename)
--        os.system("svn checkout%s -q %s %s" % (creds, url, filename))
--        return filename
--
-     @staticmethod
--    def _vcs_split_rev_from_url(url, pop_prefix=False):
--        scheme, netloc, path, query, frag = urllib.parse.urlsplit(url)
--
--        scheme = scheme.split('+', 1)[-1]
--
--        # Some fragment identification fails
--        path = path.split('#', 1)[0]
--
--        rev = None
--        if '@' in path:
--            path, rev = path.rsplit('@', 1)
--
--        # Also, discard fragment
--        url = urllib.parse.urlunsplit((scheme, netloc, path, query, ''))
--
--        return url, rev
--
--    def _download_git(self, url, filename):
--        filename = filename.split('#', 1)[0]
--        url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
--
--        self.info("Doing git clone from %s to %s", url, filename)
--        os.system("git clone --quiet %s %s" % (url, filename))
-+    def _vcs_split_rev_from_url(url):
-+        """
-+        Given a possible VCS URL, return a clean URL and resolved revision if any.
- 
--        if rev is not None:
--            self.info("Checking out %s", rev)
--            os.system("(cd %s && git checkout --quiet %s)" % (
--                filename,
--                rev,
--            ))
-+        >>> vsrfu = PackageIndex._vcs_split_rev_from_url
-+        >>> vsrfu('git+https://github.com/pypa/setuptools@v69.0.0#egg-info=setuptools')
-+        ('https://github.com/pypa/setuptools', 'v69.0.0')
-+        >>> vsrfu('git+https://github.com/pypa/setuptools#egg-info=setuptools')
-+        ('https://github.com/pypa/setuptools', None)
-+        >>> vsrfu('http://foo/bar')
-+        ('http://foo/bar', None)
-+        """
-+        parts = urllib.parse.urlsplit(url)
- 
--        return filename
-+        clean_scheme = parts.scheme.split('+', 1)[-1]
- 
--    def _download_hg(self, url, filename):
--        filename = filename.split('#', 1)[0]
--        url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
-+        # Some fragment identification fails
-+        no_fragment_path, _, _ = parts.path.partition('#')
- 
--        self.info("Doing hg clone from %s to %s", url, filename)
--        os.system("hg clone --quiet %s %s" % (url, filename))
-+        pre, sep, post = no_fragment_path.rpartition('@')
-+        clean_path, rev = (pre, post) if sep else (post, None)
- 
--        if rev is not None:
--            self.info("Updating to %s", rev)
--            os.system("(cd %s && hg up -C -r %s >&-)" % (
--                filename,
--                rev,
--            ))
-+        resolved = parts._replace(
-+            scheme=clean_scheme,
-+            path=clean_path,
-+            # discard the fragment
-+            fragment='',
-+        ).geturl()
- 
--        return filename
-+        return resolved, rev
- 
-     def debug(self, msg, *args):
-         log.debug(msg, *args)

SOURCES/RHEL-61138-nfsserver-also-stop-rpc-statd-for-nfsv4_only.patch

@@ -1,38 +0,0 @@
-From 38eaf00bc81af7530c56eba282918762a47a9326 Mon Sep 17 00:00:00 2001
-From: Oyvind Albrigtsen <oalbrigt@redhat.com>
-Date: Thu, 19 Sep 2024 13:01:53 +0200
-Subject: [PATCH] nfsserver: also stop rpc-statd for nfsv4_only to avoid stop
- failing in some cases
-
-E.g. nfs_no_notify=true nfsv4_only=true nfs_shared_infodir=/nfsmq/nfsinfo would cause a "Failed to unmount a bind mount" error
----
- heartbeat/nfsserver | 16 +++++++---------
- 1 file changed, 7 insertions(+), 9 deletions(-)
-
-diff --git a/heartbeat/nfsserver b/heartbeat/nfsserver
-index 5793d7a70..fd9268afc 100755
---- a/heartbeat/nfsserver
-+++ b/heartbeat/nfsserver
-@@ -947,15 +947,13 @@ nfsserver_stop ()
- 			sleep 1
- 		  done
- 
--		  if ! ocf_is_true "$OCF_RESKEY_nfsv4_only"; then
--			nfs_exec stop rpc-statd > /dev/null 2>&1
--			ocf_log info "Stop: rpc-statd"
--			rpcinfo -t localhost 100024 > /dev/null 2>&1
--			rc=$?
--			if [ "$rc" -eq "0" ]; then
--				ocf_exit_reason "Failed to stop rpc-statd"
--				return $OCF_ERR_GENERIC
--			fi
-+		  nfs_exec stop rpc-statd > /dev/null 2>&1
-+		  ocf_log info "Stop: rpc-statd"
-+		  rpcinfo -t localhost 100024 > /dev/null 2>&1
-+		  rc=$?
-+		  if [ "$rc" -eq "0" ]; then
-+		  	ocf_exit_reason "Failed to stop rpc-statd"
-+		  	return $OCF_ERR_GENERIC
- 		  fi
- 
- 		  nfs_exec stop nfs-idmapd > /dev/null 2>&1

SOURCES/RHEL-69297-1-Filesystem-dont-kill-unrelated-processes.patch

@@ -1,22 +0,0 @@
-From 4b09b3e467a7f8076bbf20f5b027efecf16303e7 Mon Sep 17 00:00:00 2001
-From: Gianluca Piccolo <gianluca.piccolo@wuerth-phoenix.com>
-Date: Thu, 6 Jun 2024 17:34:41 +0200
-Subject: [PATCH] Fix #1944
-
----
- heartbeat/Filesystem | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/heartbeat/Filesystem b/heartbeat/Filesystem
-index a445349b9..59b6c1b51 100755
---- a/heartbeat/Filesystem
-+++ b/heartbeat/Filesystem
-@@ -664,7 +664,7 @@ get_pids()
- 		if [ "X${HOSTOS}" = "XOpenBSD" ];then
- 			fstat | grep $dir | awk '{print $3}'
- 		else
--			$FUSER -m $dir 2>/dev/null
-+			$FUSER -Mm $dir 2>/dev/null
- 		fi
- 	elif [ "$FORCE_UNMOUNT" = "safe" ]; then
- 		procs=$(find /proc/[0-9]*/ -type l -lname "${dir}/*" -or -lname "${dir}" 2>/dev/null | awk -F/ '{print $3}')

SOURCES/RHEL-69297-2-Filesystem-update-bsd-logic.patch

@@ -1,26 +0,0 @@
-From c9ba6ac66ee27a70c69e1156f17aa6beac277bc5 Mon Sep 17 00:00:00 2001
-From: Oyvind Albrigtsen <oalbrigt@redhat.com>
-Date: Fri, 7 Jun 2024 14:23:28 +0200
-Subject: [PATCH] Filesystem: use fuser -c on FreeBSD, as -m and -M are used
- for other functionality
-
----
- heartbeat/Filesystem | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/heartbeat/Filesystem b/heartbeat/Filesystem
-index 59b6c1b51..88fe2e2eb 100755
---- a/heartbeat/Filesystem
-+++ b/heartbeat/Filesystem
-@@ -661,8 +661,10 @@ get_pids()
- 	fi
- 
- 	if ocf_is_true  "$FORCE_UNMOUNT"; then
--		if [ "X${HOSTOS}" = "XOpenBSD" ];then
-+		if [ "X${HOSTOS}" = "XOpenBSD" ]; then
- 			fstat | grep $dir | awk '{print $3}'
-+		elif [ "X${HOSTOS}" = "XFreeBSD" ]; then
-+			$FUSER -c $dir 2>/dev/null
- 		else
- 			$FUSER -Mm $dir 2>/dev/null
- 		fi

SOURCES/RHEL-72956-1-openstack-cinder-volume-wait-for-volume-to-be-available.patch

@@ -1,63 +0,0 @@
-From 71bc76dc4fa57726e80d0ddcc0bdcfe708af8763 Mon Sep 17 00:00:00 2001
-From: "Fabio M. Di Nitto" <fdinitto@redhat.com>
-Date: Thu, 5 Dec 2024 11:02:40 +0100
-Subject: [PATCH] openstack-cinder-volume: wait for volume to be available
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-monitor the vol till it´s attached to the host and avoid a race between
-openstack APIs receiving the request and completing the operation.
-
-Signed-off-by: Fabio M. Di Nitto <fdinitto@redhat.com>
----
- heartbeat/openstack-cinder-volume | 29 ++++++++++++++++++-----------
- 1 file changed, 18 insertions(+), 11 deletions(-)
-
-diff --git a/heartbeat/openstack-cinder-volume b/heartbeat/openstack-cinder-volume
-index 116442c41b..2b64d4d887 100755
---- a/heartbeat/openstack-cinder-volume
-+++ b/heartbeat/openstack-cinder-volume
-@@ -141,17 +141,19 @@ osvol_monitor() {
- 
- 	node_id=$(_get_node_id)
- 
--	if [ "$__OCF_ACTION" = "monitor" ] && ocf_is_true $OCF_RESKEY_volume_local_check ; then
--		#
--		# Is the volue attached?
--		# We check the local devices
--		#
--		short_volume_id=$(echo $OCF_RESKEY_volume_id | awk '{print substr($0, 0, 20)}')
--		if lsblk /dev/disk/by-id/virtio-$short_volume_id 1>/dev/null 2>&1; then
--			return $OCF_SUCCESS
--		else
--			ocf_log warn "$OCF_RESKEY_volume_id is not attached to instance $node_id"
--			return $OCF_NOT_RUNNING
-+	if ocf_is_true $OCF_RESKEY_volume_local_check ; then
-+		if [ "$__OCF_ACTION" = "monitor" ] || [ "$__OCF_ACTION" = "start" ] ; then
-+			#
-+			# Is the volue attached?
-+			# We check the local devices
-+			#
-+			short_volume_id=$(echo $OCF_RESKEY_volume_id | awk '{print substr($0, 0, 20)}')
-+			if lsblk /dev/disk/by-id/virtio-$short_volume_id 1>/dev/null 2>&1; then
-+				return $OCF_SUCCESS
-+			else
-+				ocf_log warn "$OCF_RESKEY_volume_id is not attached to instance $node_id"
-+				return $OCF_NOT_RUNNING
-+			fi
- 		fi
- 	fi
- 
-@@ -247,6 +249,11 @@ osvol_start() {
- 		return $OCF_ERR_GENERIC
- 	fi
- 
-+	while ! osvol_monitor; do
-+		ocf_log info "Waiting for cinder volume $OCF_RESKEY_volume_id to appear on $node_id"
-+		sleep 1
-+	done
-+
- 	return $OCF_SUCCESS
- }
- 

SOURCES/RHEL-72956-2-openstack-cinder-volume-fix-detach-not-working-during-start-action.patch

@@ -1,44 +0,0 @@
-From d89b3fb29033c3a60eb0896033af5981c7b9f64a Mon Sep 17 00:00:00 2001
-From: Oyvind Albrigtsen <oalbrigt@redhat.com>
-Date: Fri, 10 Jan 2025 11:39:48 +0100
-Subject: [PATCH] openstack-cinder-volume: fix detach not working during
- start-action after #2000
-
----
- heartbeat/openstack-cinder-volume | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/heartbeat/openstack-cinder-volume b/heartbeat/openstack-cinder-volume
-index 2b64d4d88..5bb1acddd 100755
---- a/heartbeat/openstack-cinder-volume
-+++ b/heartbeat/openstack-cinder-volume
-@@ -142,9 +142,9 @@ osvol_monitor() {
- 	node_id=$(_get_node_id)
- 
- 	if ocf_is_true $OCF_RESKEY_volume_local_check ; then
--		if [ "$__OCF_ACTION" = "monitor" ] || [ "$__OCF_ACTION" = "start" ] ; then
-+		if [ "$__OCF_ACTION" = "monitor" ] || [ "$1" = "quick" ]; then
- 			#
--			# Is the volue attached?
-+			# Is the volume attached?
- 			# We check the local devices
- 			#
- 			short_volume_id=$(echo $OCF_RESKEY_volume_id | awk '{print substr($0, 0, 20)}')
-@@ -158,7 +158,7 @@ osvol_monitor() {
- 	fi
- 
- 	#
--	# Is the volue attached?
-+	# Is the volume attached?
- 	# We use the API
- 	#
- 	result=$(run_openstackcli "volume show \
-@@ -249,7 +249,7 @@ osvol_start() {
- 		return $OCF_ERR_GENERIC
- 	fi
- 
--	while ! osvol_monitor; do
-+	while ! osvol_monitor quick; do
- 		ocf_log info "Waiting for cinder volume $OCF_RESKEY_volume_id to appear on $node_id"
- 		sleep 1
- 	done

SOURCES/RHEL-79823-portblock-fix-version-detection.patch

@@ -1,448 +0,0 @@
---- a/heartbeat/portblock	2025-02-20 14:54:18.047134471 +0100
-+++ b/heartbeat/portblock	2025-02-20 14:09:44.546869740 +0100
-@@ -25,6 +25,7 @@
- # Defaults
- OCF_RESKEY_protocol_default=""
- OCF_RESKEY_portno_default=""
-+OCF_RESKEY_direction_default="in"
- OCF_RESKEY_action_default=""
- OCF_RESKEY_ip_default="0.0.0.0/0"
- OCF_RESKEY_reset_local_on_unblock_stop_default="false"
-@@ -33,6 +34,7 @@
- 
- : ${OCF_RESKEY_protocol=${OCF_RESKEY_protocol_default}}
- : ${OCF_RESKEY_portno=${OCF_RESKEY_portno_default}}
-+: ${OCF_RESKEY_direction=${OCF_RESKEY_direction_default}}
- : ${OCF_RESKEY_action=${OCF_RESKEY_action_default}}
- : ${OCF_RESKEY_ip=${OCF_RESKEY_ip_default}}
- : ${OCF_RESKEY_reset_local_on_unblock_stop=${OCF_RESKEY_reset_local_on_unblock_stop_default}}
-@@ -217,6 +219,18 @@
- <shortdesc lang="en">Connection state file synchronization script</shortdesc>
- <content type="string" default="${OCF_RESKEY_sync_script_default}" />
- </parameter>
-+
-+<parameter name="direction" unique="0" required="0">
-+<longdesc lang="en">
-+Whether to block incoming or outgoing traffic. Can be either "in",
-+"out", or "both".
-+If "in" is used, the incoming ports are blocked on the INPUT chain.
-+If "out" is used, the outgoing ports are blocked on the OUTPUT chain.
-+If "both" is used, both the incoming and outgoing ports are blocked.
-+</longdesc>
-+<shortdesc lang="en">Whether to block incoming or outgoing traffic, or both</shortdesc>
-+<content type="string" default="${OCF_RESKEY_direction_default}" />
-+</parameter>
- </parameters>
- 
- <actions>
-@@ -240,36 +254,73 @@
- #	and disable us -- but we're still in some sense active...
- #
- 
--#active_grep_pat {udp|tcp} portno,portno
-+#active_grep_pat {udp|tcp} portno,portno ip {d|s}
-+# d = look for destination ports
-+# s = look for source ports
- active_grep_pat()
- {
-   w="[ 	][ 	]*"
-   any="0\\.0\\.0\\.0/0"
--  echo "^DROP${w}${1}${w}--${w}${any}${w}${3}${w}multiport${w}dports${w}${2}\>"
-+  src=$any dst=$3
-+  if [ "$4" = "s" ]; then
-+    local src=$3
-+    local dst=$any
-+  fi
-+  # iptables 1.8.9 briefly broke the output format, returning the
-+  # numeric protocol value instead of a string. Support both variants.
-+  if [ "$1" = "tcp" ]; then
-+    local prot="(tcp|6)"
-+  else
-+    local prot="(udp|17)"
-+  fi
-+  echo "^DROP${w}${prot}${w}--${w}${src}${w}${dst}${w}multiport${w}${4}ports${w}${2}$"
- }
- 
--#chain_isactive  {udp|tcp} portno,portno ip
-+#chain_isactive  {udp|tcp} portno,portno ip chain
- chain_isactive()
- {
--  PAT=`active_grep_pat "$1" "$2" "$3"`
--  $IPTABLES $wait -n -L INPUT | grep "$PAT" >/dev/null
-+  [ "$4" = "OUTPUT" ] && ds="s" || ds="d"
-+  PAT=$(active_grep_pat "$1" "$2" "$3" "$ds")
-+  $IPTABLES $wait -n -L "$4" | grep -qE "$PAT"
-+}
-+
-+# netstat -tn and ss -Htn, split on whitespace and colon,
-+# look very similar:
-+#  tcp    0  0  10.43.55.1  675  10.43.9.8  2049  ESTABLISHED
-+#  ESTAB  0  0  10.43.55.1  675  10.43.9.8  2049
-+# so we can write one awk script for both
-+get_established_tcp_connections()
-+{
-+	local columns
-+	if [ -z "$1" ] ; then
-+		columns='$4,$5, $6,$7'
-+	else
-+		# swap local and remote for "tickle_local"
-+		columns='$6,$7, $4,$5'
-+	fi
-+	$ss_or_netstat | awk -F '[:[:space:]]+' '
-+		( $8 == "ESTABLISHED" || $1 == "ESTAB" ) && $4 == "'$OCF_RESKEY_ip'" \
-+		{printf "%s:%s\t%s:%s\n", '"$columns"'}'
- }
- 
- save_tcp_connections()
- {
- 	[ -z "$OCF_RESKEY_tickle_dir" ] && return
- 	statefile=$OCF_RESKEY_tickle_dir/$OCF_RESKEY_ip
-+	# If we have _no_ sync script, we probably have a shared
-+	# (or replicated) directory, and need to fsync, or we might
-+	# end up with the just truncated file after failover, exactly
-+	# when we need it.
-+	#
-+	# If we _do_ have a sync script, it is not that important whether
-+	# the local state file is fsync'ed or not, the sync script is
-+	# responsible to "atomically" communicate the state to the peer(s).
- 	if [ -z "$OCF_RESKEY_sync_script" ]; then
--		netstat -tn |awk -F '[:[:space:]]+' '
--			$8 == "ESTABLISHED" && $4 == "'$OCF_RESKEY_ip'" \
--			{printf "%s:%s\t%s:%s\n", $4,$5, $6,$7}' |
--			dd of="$statefile".new conv=fsync status=none &&
--			mv "$statefile".new "$statefile"
-+		get_established_tcp_connections |
-+		dd of="$statefile".new conv=fsync status=none &&
-+		mv "$statefile".new "$statefile"
- 	else
--		netstat -tn |awk -F '[:[:space:]]+' '
--			$8 == "ESTABLISHED" && $4 == "'$OCF_RESKEY_ip'" \
--			{printf "%s:%s\t%s:%s\n", $4,$5, $6,$7}' \
--			> $statefile
-+		get_established_tcp_connections > $statefile
- 		$OCF_RESKEY_sync_script $statefile > /dev/null 2>&1 &
- 	fi
- }
-@@ -277,7 +328,6 @@
- tickle_remote()
- {
- 	[ -z "$OCF_RESKEY_tickle_dir" ] && return
--	echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
- 	f=$OCF_RESKEY_tickle_dir/$OCF_RESKEY_ip
- 	[ -r $f ] || return
- 	$TICKLETCP -n 3 < $f
-@@ -289,11 +339,6 @@
- 	f=$OCF_RESKEY_tickle_dir/$OCF_RESKEY_ip
- 	[ -r $f ] || return
- 
--	checkcmd="netstat -tn"
--	if ! have_binary "netstat"; then
--		checkcmd="ss -Htn"
--	fi
--
- 	# swap "local" and "remote" address,
- 	# so we tickle ourselves.
- 	# We set up a REJECT with tcp-reset before we do so, so we get rid of
-@@ -302,122 +347,152 @@
- 	# the way if we switch-over and then switch-back in quick succession.
- 	local i
- 	awk '{ print $2, $1; }' $f | $TICKLETCP
--	$checkcmd | grep -Fw $OCF_RESKEY_ip || return
-+	$ss_or_netstat | grep -Fw $OCF_RESKEY_ip || return
- 	for i in 0.1 0.5 1 2 4 ; do
- 		sleep $i
--		awk '{ print $2, $1; }' $f | $TICKLETCP
--		$checkcmd | grep -Fw $OCF_RESKEY_ip || break
-+		# now kill what is currently in the list,
-+		# not what was recorded during last monitor
-+		get_established_tcp_connections swap | $TICKLETCP
-+		$ss_or_netstat | grep -Fw $OCF_RESKEY_ip || break
- 	done
- }
- 
- SayActive()
- {
--  echo "$CMD DROP rule for INPUT chain [$*]  is running (OK)"
-+  ocf_log debug "$CMD DROP rule [$*]  is running (OK)"
- }
- 
- SayConsideredActive()
- {
--  echo "$CMD DROP rule for INPUT chain [$*] considered to be running (OK)"
-+  ocf_log debug "$CMD DROP rule [$*] considered to be running (OK)"
- }
- 
- SayInactive()
- {
--  echo "$CMD DROP rule for INPUT chain [$*] is inactive"
-+  ocf_log debug "$CMD DROP rule [$*] is inactive"
- }
- 
--#IptablesStatus  {udp|tcp} portno,portno ip {block|unblock}
-+#IptablesStatus  {udp|tcp} portno,portno ip {in|out|both} {block|unblock}
- IptablesStatus() {
--    local rc
--    rc=$OCF_ERR_GENERIC
--    activewords="$CMD $1 $2 is running (OK)"
--    if chain_isactive "$1" "$2" "$3"; then
--	case $4 in
--	    block)	
--		SayActive $*
--		rc=$OCF_SUCCESS
--		;;
--	    *)
-- 		SayInactive $*
--		rc=$OCF_NOT_RUNNING
--		;;
--	esac
--    else
--	case $4 in
--	    block)
--		if ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" status; then
--		    SayConsideredActive $*
--		    rc=$OCF_SUCCESS
--		else
--		    SayInactive $*
--		    rc=$OCF_NOT_RUNNING
--		fi
--		;;
--	    
--	    *)
--		if ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" status; then
--			SayActive $*
--			#This is only run on real monitor events.
--			save_tcp_connections
--			rc=$OCF_SUCCESS
--		else
--			SayInactive $*
--			rc=$OCF_NOT_RUNNING
--		fi
--		;;
--	esac
--    fi      
--    
--    return $rc
-+  local rc
-+  rc=$OCF_ERR_GENERIC
-+  is_active=0
-+  if [ "$4" = "in" ] || [ "$4" = "both" ]; then
-+    chain_isactive "$1" "$2" "$3" INPUT
-+    is_active=$?
-+  fi
-+  if [ "$4" = "out" ] || [ "$4" = "both" ]; then
-+    chain_isactive "$1" "$2" "$3" OUTPUT
-+    r=$?
-+    [ $r -gt $is_active ] && is_active=$r
-+  fi
-+  if [ $is_active -eq 0 ]; then
-+    case $5 in
-+      block)
-+        SayActive $*
-+        rc=$OCF_SUCCESS
-+        ;;
-+      *)
-+        SayInactive $*
-+        rc=$OCF_NOT_RUNNING
-+        ;;
-+    esac
-+  else
-+    case $5 in
-+      block)
-+        if ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" status; then
-+          SayConsideredActive $*
-+          rc=$OCF_SUCCESS
-+        else
-+          SayInactive $*
-+          rc=$OCF_NOT_RUNNING
-+        fi
-+        ;;
-+      *)
-+        if ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" status; then
-+          SayActive $*
-+          #This is only run on real monitor events.
-+          save_tcp_connections
-+          rc=$OCF_SUCCESS
-+        else
-+          SayInactive $*
-+          rc=$OCF_NOT_RUNNING
-+        fi
-+        ;;
-+    esac
-+  fi
-+  return $rc
- }
- 
--#IptablesBLOCK  {udp|tcp} portno,portno ip
--IptablesBLOCK()
-+#DoIptables  {-I|-D} {udp|tcp} portno,portno ip chain
-+DoIptables()
- {
--  local rc=0
--  local try_reset=false
--  if	[ "$1/$4/$__OCF_ACTION" = tcp/unblock/stop ] &&
--	ocf_is_true $reset_local_on_unblock_stop
--  then
--	try_reset=true
--  fi
--  if
--    chain_isactive "$1" "$2" "$3"
--  then
--    : OK -- chain already active
-+  op=$1 proto=$2 ports=$3 ip=$4 chain=$5
-+  active=0; chain_isactive "$proto" "$ports" "$ip" "$chain" && active=1
-+  want_active=0; [ "$op" = "-I" ] && want_active=1
-+  ocf_log debug "active: $active want_active: $want_active"
-+  if [ $active -eq $want_active ] ; then
-+    : Chain already in desired state
-   else
--    if $try_reset ; then
--      $IPTABLES $wait -I OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset
--      tickle_local
-+    [ "$chain" = "OUTPUT" ] && ds="s" || ds="d"
-+    $IPTABLES $wait "$op" "$chain" -p "$proto" -${ds} "$ip" -m multiport --${ds}ports "$ports" -j DROP
-+  fi
-+}
-+
-+#IptablesBLOCK  {udp|tcp} portno,portno ip {in|out|both} {block|unblock}
-+IptablesBLOCK()
-+{
-+  local rc_in=0
-+  local rc_out=0
-+  if [ "$4" = "in" ] || [ "$4" = "both" ]; then
-+    local try_reset=false
-+    if	[ "$1/$5/$__OCF_ACTION" = tcp/unblock/stop ] &&
-+    ocf_is_true $reset_local_on_unblock_stop
-+    then
-+      try_reset=true
-     fi
--    $IPTABLES $wait -I INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP
--    rc=$?
--    if $try_reset ; then
--      $IPTABLES $wait -D OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset
-+    if
-+      chain_isactive "$1" "$2" "$3" INPUT
-+    then
-+      : OK -- chain already active
-+    else
-+      if $try_reset ; then
-+        $IPTABLES $wait -I OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset
-+        tickle_local
-+      fi
-+      $IPTABLES $wait -I INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP
-+      rc_in=$?
-+      if $try_reset ; then
-+        $IPTABLES $wait -D OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset
-+      fi
-     fi
-   fi
-+  if [ "$4" = "out" ] || [ "$4" = "both" ]; then
-+    DoIptables -I "$1" "$2" "$3" OUTPUT
-+    rc_out=$?
-+  fi
- 
--  return $rc
-+  [ $rc_in -gt $rc_out ] && return $rc_in || return $rc_out
- }
- 
--#IptablesUNBLOCK  {udp|tcp} portno,portno ip
-+#IptablesUNBLOCK  {udp|tcp} portno,portno ip {in|out|both}
- IptablesUNBLOCK()
- {
--  if
--    chain_isactive "$1" "$2" "$3"
--  then
--    $IPTABLES $wait -D INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP
--  else
--    : Chain Not active
-+  if [ "$4" = "in" ] || [ "$4" = "both" ]; then
-+    DoIptables -D "$1" "$2" "$3" INPUT
-+  fi
-+  if [ "$4" = "out" ] || [ "$4" = "both" ]; then
-+    DoIptables -D "$1" "$2" "$3" OUTPUT
-   fi
- 
-   return $?
- }
- 
--#IptablesStart  {udp|tcp} portno,portno ip {block|unblock}
-+#IptablesStart  {udp|tcp} portno,portno ip {in|out|both} {block|unblock}
- IptablesStart()
- {
-   ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" start
--  case $4 in
-+  case $5 in
-     block)	IptablesBLOCK "$@";;
-     unblock)
- 		IptablesUNBLOCK "$@"
-@@ -432,11 +507,11 @@
-   return $?
- }
- 
--#IptablesStop  {udp|tcp} portno,portno ip {block|unblock}
-+#IptablesStop  {udp|tcp} portno,portno ip {in|out|both} {block|unblock}
- IptablesStop()
- {
-   ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" stop
--  case $4 in
-+  case $5 in
-     block)	IptablesUNBLOCK "$@";;
-     unblock)
- 		save_tcp_connections
-@@ -454,7 +529,7 @@
- CheckPort() {
- #	Examples of valid port: "1080", "1", "0080"
- #	Examples of invalid port: "1080bad", "0", "0000", ""
--  echo $1 |egrep -qx '[0-9]+(:[0-9]+)?(,[0-9]+(:[0-9]+)?)*'
-+  echo $1 | $EGREP -qx '[0-9]+(:[0-9]+)?(,[0-9]+(:[0-9]+)?)*'
- }
- 
- IptablesValidateAll()
-@@ -543,7 +618,7 @@
- fi 
- 
- # iptables v1.4.20+ is required to use -w (wait)
--version=$(iptables -V | awk -F ' v' '{print $NF}')
-+version=$(iptables -V | grep -oE '[0-9]+[\.0-9]+')
- ocf_version_cmp "$version" "1.4.19.1"
- if [ "$?" -eq "2" ]; then
-     wait="-w"
-@@ -553,21 +628,36 @@
- 
- protocol=$OCF_RESKEY_protocol
- portno=$OCF_RESKEY_portno
-+direction=$OCF_RESKEY_direction
- action=$OCF_RESKEY_action
- ip=$OCF_RESKEY_ip
- reset_local_on_unblock_stop=$OCF_RESKEY_reset_local_on_unblock_stop
- 
-+
-+# If "tickle" is enabled, we need to record the list of currently established
-+# connections during monitor.  Use ss where available, and netstat otherwise.
-+if [ -n "$OCF_RESKEY_tickle_dir" ] ; then
-+	if have_binary ss ; then
-+		ss_or_netstat="ss -Htn"
-+	elif have_binary netstat ; then
-+		ss_or_netstat="netstat -tn"
-+	else
-+		ocf_log err "Neither ss nor netstat found, but needed to record estblished connections."
-+		exit $OCF_ERR_INSTALLED
-+	fi
-+fi
-+
- case $1 in
-   start)	
--			IptablesStart $protocol $portno $ip $action 
-+			IptablesStart $protocol $portno $ip $direction $action
- 			;;
- 
-   stop)		
--			IptablesStop $protocol $portno $ip $action
-+			IptablesStop $protocol $portno $ip $direction $action
- 			;;
- 
-   status|monitor)	
--			IptablesStatus $protocol $portno $ip $action
-+			IptablesStatus $protocol $portno $ip $direction $action
- 			;;
- 
-   validate-all)

SPECS/resource-agents.spec

@@ -73,7 +73,7 @@
 Name:		resource-agents
 Summary:	Open Source HA Reusable Cluster Resource Scripts
 Version:	4.9.0
-Release:	54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.10
+Release:	54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
 License:	GPLv2+ and LGPLv2+
 URL:		https://github.com/ClusterLabs/resource-agents
 %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@@ -160,14 +160,6 @@ Patch63:	RHEL-15305-1-findif.sh-fix-loopback-handling.patch
 Patch64:	RHEL-16248-aws-vpc-move-ip-aws-vpc-route53-awseip-awsvip-auth_type-role.patch
 Patch65:	RHEL-17083-findif-EOS-fix.patch
 Patch66:	RHEL-15305-2-findif.sh-dont-use-table-parameter.patch
-Patch67:	RHEL-34137-aws-agents-use-curl_retry.patch
-Patch68:	RHEL-32828-db2-fix-OCF_SUCESS-typo.patch
-Patch69:	RHEL-61138-nfsserver-also-stop-rpc-statd-for-nfsv4_only.patch
-Patch70:	RHEL-69297-1-Filesystem-dont-kill-unrelated-processes.patch
-Patch71:	RHEL-69297-2-Filesystem-update-bsd-logic.patch
-Patch72:	RHEL-72956-1-openstack-cinder-volume-wait-for-volume-to-be-available.patch
-Patch73:	RHEL-72956-2-openstack-cinder-volume-fix-detach-not-working-during-start-action.patch
-Patch74:	RHEL-79823-portblock-fix-version-detection.patch
 
 # bundle patches
 Patch1000:	7-gcp-bundled.patch
@@ -180,8 +172,6 @@ Patch1006:	python3-syntax-fixes.patch
 Patch1007:	aliyuncli-python3-fixes.patch
 Patch1008:	bz1935422-python-pygments-fix-CVE-2021-20270.patch
 Patch1009:	bz1943464-python-pygments-fix-CVE-2021-27291.patch
-Patch1010:	RHEL-44923-aliyun-gcp-fix-bundled-urllib3-CVE-2024-37891.patch
-Patch1011:	RHEL-50360-setuptools-fix-CVE-2024-6345.patch
 
 Obsoletes:	heartbeat-resources <= %{version}
 Provides:	heartbeat-resources = %{version}
@@ -418,14 +408,6 @@ exit 1
 %patch -p1 -P 64
 %patch -p1 -P 65
 %patch -p1 -P 66
-%patch -p1 -P 67 -F1
-%patch -p1 -P 68
-%patch -p1 -P 69
-%patch -p1 -P 70
-%patch -p1 -P 71
-%patch -p1 -P 72
-%patch -p1 -P 73
-%patch -p1 -P 74
 
 chmod 755 heartbeat/nova-compute-wait
 chmod 755 heartbeat/NovaEvacuate
@@ -714,14 +696,6 @@ mv %{buildroot}/%{_bindir}/aliyuncli %{buildroot}/%{_bindir}/aliyuncli-ra
 # aliyun_completer / aliyun_zsh_complete.sh
 rm %{buildroot}/%{_bindir}/aliyun_*
 popd
-
-# regular patch doesnt work in build-section
-pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1010}
-popd
-pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}/gcp/google-cloud-sdk/lib/third_party
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1011}
-popd
 %endif
 
 ## tree fixup
@@ -1015,49 +989,6 @@ ccs_update_schema > /dev/null 2>&1 ||:
 %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm
 
 %changelog
-* Thu Feb 20 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.10
-- portblock: fix iptables version detection
-
-  Resolves: RHEL-79823
-
-* Fri Jan 10 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.8
-- openstack-cinder-volume: wait for volume to be available
-
-  Resolves: RHEL-72956
-
-* Wed Nov 27 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.6
-- Filesystem: dont kill unrelated processes during stop-action
-
-  Resolves: RHEL-69297
-
-* Tue Oct  1 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.5
-- nfsserver: also stop rpc-statd for nfsv4_only to avoid stop failing
-  in some cases
-
-  Resolves: RHEL-61138
-
-* Thu Jul 25 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.4
-- bundled setuptools: fix CVE-2024-6345
-
-  Resolves: RHEL-50360
-
-* Tue Jul 23 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.3
-- gcp-pd-move: fix TLS_VERSION_1 issue
-
-  Resolves: RHEL-50041
-
-* Wed Jun 26 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.2
-- bundled urllib3: fix CVE-2024-37891
-
-  Resolves: RHEL-44923
-
-* Thu May 30 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.1
-- AWS agents: retry failed metadata requests to avoid instantly
-  failing when there is a hiccup in the network or metadata service
-- db2: fix OCF_SUCESS typo
-
-  Resolves: RHEL-34137, RHEL-32828
-
 * Thu Feb  8 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54
 - findif.sh: fix loopback IP handling