.gitignore

@@ -1,12 +1,7 @@
-SOURCES/ClusterLabs-resource-agents-55a4e2c9.tar.gz
-SOURCES/aliyun-cli-2.1.10.tar.gz
-SOURCES/aliyun-python-sdk-core-2.13.1.tar.gz
-SOURCES/aliyun-python-sdk-ecs-4.9.3.tar.gz
-SOURCES/aliyun-python-sdk-vpc-3.0.2.tar.gz
-SOURCES/colorama-0.3.3.tar.gz
-SOURCES/google-cloud-sdk-360.0.0-linux-x86_64.tar.gz
-SOURCES/httplib2-0.20.4.tar.gz
-SOURCES/pycryptodome-3.20.0.tar.gz
-SOURCES/pyparsing-2.4.7-py2.py3-none-any.whl
-SOURCES/pyroute2-0.4.13.tar.gz
-SOURCES/urllib3-1.26.18.tar.gz
+/*.tar.gz
+/*.rpm
+/*.whl
+/.*
+/*/
+!/tests/
+/tests/*.retry

.resource-agents.metadata

@@ -1,12 +0,0 @@
-dfc65f4cac3f95026b2f5674019814a527333004 SOURCES/ClusterLabs-resource-agents-55a4e2c9.tar.gz
-306e131d8908ca794276bfe3a0b55ccc3bbd482f SOURCES/aliyun-cli-2.1.10.tar.gz
-0a56f6d9ed2014a363486d33b63eca094379be06 SOURCES/aliyun-python-sdk-core-2.13.1.tar.gz
-c2a98b9a1562d223a76514f05028488ca000c395 SOURCES/aliyun-python-sdk-ecs-4.9.3.tar.gz
-f14647a4d37a9a254c4e711b95a7654fc418e41e SOURCES/aliyun-python-sdk-vpc-3.0.2.tar.gz
-0fe5bd8bca54dd71223778a1e0bcca9af324abb1 SOURCES/colorama-0.3.3.tar.gz
-81f039cf075e9c8b70d5af99c189296a9e031de3 SOURCES/google-cloud-sdk-360.0.0-linux-x86_64.tar.gz
-7caf4412d9473bf17352316249a8133fa70b7e37 SOURCES/httplib2-0.20.4.tar.gz
-c55d177e9484d974c95078d4ae945f89ba2c7251 SOURCES/pycryptodome-3.20.0.tar.gz
-c8307f47e3b75a2d02af72982a2dfefa3f56e407 SOURCES/pyparsing-2.4.7-py2.py3-none-any.whl
-147149db11104c06d405fd077dcd2aa1c345f109 SOURCES/pyroute2-0.4.13.tar.gz
-84e2852d8da1655373f7ce5e7d5d3e256b62b4e4 SOURCES/urllib3-1.26.18.tar.gz

RHEL-152316-portblock-check-inverse-action.patch

@@ -0,0 +1,156 @@
+--- a/heartbeat/portblock	2026-02-27 08:43:50.813925268 +0100
++++ b/heartbeat/portblock	2026-02-27 08:44:40.481824601 +0100
+@@ -29,12 +29,17 @@
+ OCF_RESKEY_direction_default="in"
+ OCF_RESKEY_action_default=""
+ OCF_RESKEY_method_default="drop"
+-OCF_RESKEY_status_check_default="rule"
+ OCF_RESKEY_ip_default="0.0.0.0/0"
+ OCF_RESKEY_reset_local_on_unblock_stop_default="false"
+ OCF_RESKEY_tickle_dir_default=""
+ OCF_RESKEY_sync_script_default=""
+ 
++if ocf_is_ms; then
++  OCF_RESKEY_status_check_default="rule"
++else
++  OCF_RESKEY_status_check_default="pseudo"
++fi
++
+ : ${OCF_RESKEY_protocol=${OCF_RESKEY_protocol_default}}
+ : ${OCF_RESKEY_portno=${OCF_RESKEY_portno_default}}
+ : ${OCF_RESKEY_direction=${OCF_RESKEY_direction_default}}
+@@ -401,6 +406,10 @@
+ 	done
+ }
+ 
++# A long time ago, these messages needed to go to stdout,
++# "running" / "OK" being the trigger string
++# for heartbeat in haresources mode.
++# Now they are still useful for debugging.
+ SayActive()
+ {
+   ocf_log debug "$CMD $method rule [$*] is running (OK)"
+@@ -416,6 +425,11 @@
+   ocf_log debug "$CMD $method rule [$*] is inactive"
+ }
+ 
++SayConsideredInactive()
++{
++  ocf_log debug "$CMD $method rule [$*] considered to be inactive"
++}
++
+ #IptablesStatus  {udp|tcp} portno,portno ip {in|out|both} {block|unblock}
+ IptablesStatus() {
+   local rc
+@@ -441,8 +455,17 @@
+         fi
+         ;;
+       *)
+-        SayInactive $*
+-        rc=$OCF_NOT_RUNNING
++        if [ "$OCF_RESKEY_status_check" != "rule" ] \
++        && test -e "$state_file" && test "$inverse_state_file" -nt "$state_file"; then
++          # rule present, action=unblock, unblock statefile present,
++          # block state file more recent.
++          # apparently an unusual setup: unblock first, block later
++          SayConsideredActive $*
++          rc=$OCF_SUCCESS
++        else
++          SayInactive $*
++          rc=$OCF_NOT_RUNNING
++        fi
+         ;;
+     esac
+   elif [ "$OCF_RESKEY_status_check" = "rule" ]; then
+@@ -454,6 +477,7 @@
+       *)
+         SayActive $*
+         if [ "$__OCF_ACTION" = "monitor" ] && [ "$promotion_score" = "$SCORE_PROMOTED" ]; then
++          save_tcp_connections
+           rc=$OCF_RUNNING_MASTER
+         else
+           rc=$OCF_SUCCESS
+@@ -463,7 +487,10 @@
+   else
+     case $5 in
+       block)
+-        if ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" status; then
++        if test -e "$state_file" && test "$inverse_state_file" -nt "$state_file"; then
++          # rule NOT present, action=block, block state file present,
++          # unblock state file more recent.
++          # expected setup: block first, unblock later
+           SayConsideredActive $*
+           rc=$OCF_SUCCESS
+         else
+@@ -472,13 +499,15 @@
+         fi
+         ;;
+       *)
+-        if ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" status; then
++        if test -e "$state_file" ; then
++          # rule NOT present, action=unblock, unblock state file present
+           SayActive $*
+-          #This is only run on real monitor events.
++          # This is only run on real monitor events (state file present).
+           save_tcp_connections
+           rc=$OCF_SUCCESS
+         else
+-          SayInactive $*
++          # rule NOT present, action=unblock, unblock state file NOT present
++          SayConsideredInactive $*
+           rc=$OCF_NOT_RUNNING
+         fi
+         ;;
+@@ -562,7 +591,7 @@
+ #IptablesStart  {udp|tcp} portno,portno ip {in|out|both} {block|unblock}
+ IptablesStart()
+ {
+-  ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" start
++  ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" start "$state_file"
+   case $5 in
+     block)	IptablesBLOCK "$@"
+ 		rc=$?
+@@ -584,7 +613,8 @@
+ #IptablesStop  {udp|tcp} portno,portno ip {in|out|both} {block|unblock}
+ IptablesStop()
+ {
+-  ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" stop
++  ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" stop "$state_file"
++
+   case $5 in
+     block)	IptablesUNBLOCK "$@"
+ 		rc=$?
+@@ -797,6 +827,33 @@
+ 
+ IptablesValidateAll
+ 
++# State file name for ha_pseudo_resource
++#
++#  The expected usage of this agent is to pair a "block" with an "unblock",
++#  and order startup and configuration of some service between these.
++#
++#  The established idiom is to have two separate instances with inverse actions.
++#  To "reliably" report the status of "block" during a monitor action,
++#  it is not sufficient to check the existence of the blocking rule.
++#
++#  It is also insufficient to rely on the pseudo resource state file
++#  of this instance only.
++#
++#  To know our actual expectation, we need to check the state file of the
++#  "inverse" instance as well.
++#
++#  Because we don't know the OCF_RESOURCE_INSTANCE value of the other instance,
++#  we override the state file name for both instances to something derived from
++#  our parameters.
++#
++#  This should give use the same "global state" view as the "promotion score"
++#  does for the promotable clone variant of this agent.
++#
++[ "$action" = block ] && inverse_action=unblock || inverse_action=block
++state_file_base=$(echo "portblock_${protocol}_${portno}_${ip}_${direction}" | tr -c '0-9a-zA-Z._' _)
++state_file=${HA_RSCTMP}/${state_file_base}_${action}
++inverse_state_file=${HA_RSCTMP}/${state_file_base}_${inverse_action}
++
+ case $__OCF_ACTION in
+   start)
+ 			IptablesStart "$protocol" "$portno" "$ip" "$direction" "$action"