34 changed files with 177 additions and 2833 deletions
--- a/.gitignore
+++ b/.gitignore
@ -6,7 +6,6 @@ SOURCES/aliyun-python-sdk-vpc-3.0.2.tar.gz
 SOURCES/colorama-0.3.3.tar.gz
 SOURCES/google-cloud-sdk-360.0.0-linux-x86_64.tar.gz
 SOURCES/httplib2-0.20.4.tar.gz
-SOURCES/pycryptodome-3.20.0.tar.gz
+SOURCES/pycryptodome-3.6.4.tar.gz
 SOURCES/pyparsing-2.4.7-py2.py3-none-any.whl
 SOURCES/pyroute2-0.4.13.tar.gz
 SOURCES/urllib3-1.26.18.tar.gz
--- a/.resource-agents.metadata
+++ b/.resource-agents.metadata
@ -6,7 +6,6 @@ f14647a4d37a9a254c4e711b95a7654fc418e41e SOURCES/aliyun-python-sdk-vpc-3.0.2.tar
 0fe5bd8bca54dd71223778a1e0bcca9af324abb1 SOURCES/colorama-0.3.3.tar.gz
 81f039cf075e9c8b70d5af99c189296a9e031de3 SOURCES/google-cloud-sdk-360.0.0-linux-x86_64.tar.gz
 7caf4412d9473bf17352316249a8133fa70b7e37 SOURCES/httplib2-0.20.4.tar.gz
-c55d177e9484d974c95078d4ae945f89ba2c7251 SOURCES/pycryptodome-3.20.0.tar.gz
+326a73f58a62ebee00c11a12cfdd838b196e0e8e SOURCES/pycryptodome-3.6.4.tar.gz
 c8307f47e3b75a2d02af72982a2dfefa3f56e407 SOURCES/pyparsing-2.4.7-py2.py3-none-any.whl
 147149db11104c06d405fd077dcd2aa1c345f109 SOURCES/pyroute2-0.4.13.tar.gz
 84e2852d8da1655373f7ce5e7d5d3e256b62b4e4 SOURCES/urllib3-1.26.18.tar.gz
--- a/SOURCES/7-gcp-bundled.patch
+++ b/SOURCES/7-gcp-bundled.patch
@ -1,17 +1,6 @@
 diff --color -uNr a/heartbeat/gcp-pd-move.in b/heartbeat/gcp-pd-move.in
 --- a/heartbeat/gcp-pd-move.in	2024-07-22 10:59:42.170483160 +0200
 +++ b/heartbeat/gcp-pd-move.in	2024-07-22 11:01:51.455543850 +0200
@@ -32,6 +32,7 @@
 from ocf import logger
 try:
 +  sys.path.insert(0, '/usr/lib/resource-agents/bundled/gcp')
   import googleapiclient.discovery
 except ImportError:
   pass
 diff --color -uNr a/heartbeat/gcp-vpc-move-ip.in b/heartbeat/gcp-vpc-move-ip.in
--- a/heartbeat/gcp-vpc-move-ip.in	2024-07-22 10:59:42.170483160 +0200
+--- a/heartbeat/gcp-vpc-move-ip.in	2022-06-16 09:45:21.419090782 +0200
-+++ b/heartbeat/gcp-vpc-move-ip.in	2024-07-22 11:01:18.010752081 +0200
+++ b/heartbeat/gcp-vpc-move-ip.in	2022-06-16 10:11:22.978648598 +0200
@@ -36,7 +36,7 @@
 . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
@ -22,8 +11,8 @@ diff --color -uNr a/heartbeat/gcp-vpc-move-ip.in b/heartbeat/gcp-vpc-move-ip.in
 OCF_RESKEY_vpc_network_default="default"
 OCF_RESKEY_interface_default="eth0"
 diff --color -uNr a/heartbeat/gcp-vpc-move-route.in b/heartbeat/gcp-vpc-move-route.in
--- a/heartbeat/gcp-vpc-move-route.in	2024-07-22 10:59:42.170483160 +0200
+--- a/heartbeat/gcp-vpc-move-route.in	2022-06-16 09:45:21.420090788 +0200
-+++ b/heartbeat/gcp-vpc-move-route.in	2024-07-22 11:01:18.011752105 +0200
+++ b/heartbeat/gcp-vpc-move-route.in	2022-06-16 10:11:22.978648598 +0200
@@ -45,6 +45,7 @@
 from ocf import *
@ -33,8 +22,8 @@ diff --color -uNr a/heartbeat/gcp-vpc-move-route.in b/heartbeat/gcp-vpc-move-rou
   import pyroute2
   try:
 diff --color -uNr a/heartbeat/gcp-vpc-move-vip.in b/heartbeat/gcp-vpc-move-vip.in
--- a/heartbeat/gcp-vpc-move-vip.in	2024-07-22 10:59:42.170483160 +0200
+--- a/heartbeat/gcp-vpc-move-vip.in	2022-06-16 09:45:21.420090788 +0200
-+++ b/heartbeat/gcp-vpc-move-vip.in	2024-07-22 11:01:18.012752128 +0200
+++ b/heartbeat/gcp-vpc-move-vip.in	2022-06-16 10:11:22.979648603 +0200
@@ -29,6 +29,7 @@
 from ocf import *
--- a/SOURCES/RHEL-15302-1-exportfs-make-fsid-optional.patch
+++ b/SOURCES/RHEL-15302-1-exportfs-make-fsid-optional.patch
@ -1,75 +0,0 @@
 From b806487ca758fce838c988767556007ecf66a6e3 Mon Sep 17 00:00:00 2001
 From: Roger Zhou <zzhou@suse.com>
 Date: Mon, 10 Apr 2023 18:08:56 +0800
 Subject: [PATCH] exportfs: make the "fsid=" parameter optional
 Based on feedback [1] from the kernel developer @neilbrown regarding the
 NFS clustering use case, it has been determined that the fsid= parameter
 is now considered optional and safe to omit.
 [1] https://bugzilla.suse.com/show_bug.cgi?id=1201271#c49
 """
 Since some time in 2007 NFS has used the UUID of a filesystem as the
 primary identifier for that filesystem, rather than using the device
 number.  So from that time there should have been reduced need for the
 "fsid=" option.  Probably there are some filesystems that this didn't
 work for.  btrfs has been problematic at time, particularly when subvols
 are exported.  But for quite some years this has all "just worked" at
 least for the major filesystems (ext4 xfs btrfs). [...] I would suggest
 getting rid of the use of fsid= altogether. [...] I'm confident that it
 was no longer an issue in SLE-12 and similarly not in SLE-15.
 """
 ---
 heartbeat/exportfs | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
 diff --git a/heartbeat/exportfs b/heartbeat/exportfs
 index 2307a9e67b..435a19646b 100755
 --- a/heartbeat/exportfs
 +++ b/heartbeat/exportfs
@@ -82,7 +82,7 @@ The directory or directories to export.
 <content type="string" />
 </parameter>
 -<parameter name="fsid" unique="0" required="1">
 +<parameter name="fsid" unique="0" required="0">
 <longdesc lang="en">
 The fsid option to pass to exportfs. This can be a unique positive
 integer, a UUID (assuredly sans comma characters), or the special string
@@ -185,6 +185,8 @@ exportfs_methods() {
 reset_fsid() {
 	CURRENT_FSID=$OCF_RESKEY_fsid
 +	[ -z "$CURRENT_FSID" ] && CURRENT_FSID=`echo "$OCF_RESKEY_options" | sed -n 's/.*fsid=\([^,]*\).*/\1/p'`
 +	echo $CURRENT_FSID
 }
 bump_fsid() {
 	CURRENT_FSID=$((CURRENT_FSID+1))
@@ -322,7 +324,7 @@ export_one() {
 	if echo "$opts" | grep fsid >/dev/null; then
 		#replace fsid in options list
 		opts=`echo "$opts" | sed "s,fsid=[^,]*,fsid=$(get_fsid),g"`
 -	else
 +	elif [ -n "$OCF_RESKEY_fsid" ]; then
 		#tack the fsid option onto our options list.
 		opts="${opts}${sep}fsid=$(get_fsid)"
 	fi
@@ -448,8 +450,8 @@ exportfs_validate_all ()
 		ocf_exit_reason "$OCF_RESKEY_fsid cannot contain a comma"
 		return $OCF_ERR_CONFIGURED
 	fi
 -	if [ $NUMDIRS -gt 1 ] &&
 -			! ocf_is_decimal "$OCF_RESKEY_fsid"; then
 +	if [ $NUMDIRS -gt 1 ] && [ -n "$(reset_fsid)" ] &&
 +			! ocf_is_decimal "$(reset_fsid)"; then
 		ocf_exit_reason "use integer fsid when exporting multiple directories"
 		return $OCF_ERR_CONFIGURED
 	fi
@@ -485,6 +487,6 @@ done
 OCF_RESKEY_directory="${directories%% }"
 NUMDIRS=`echo "$OCF_RESKEY_directory" | wc -w`
 -OCF_REQUIRED_PARAMS="directory fsid clientspec"
 +OCF_REQUIRED_PARAMS="directory clientspec"
 OCF_REQUIRED_BINARIES="exportfs"
 ocf_rarun $*
--- a/SOURCES/RHEL-15302-2-ocft-exportfs-remove-fsid-required-test.patch
+++ b/SOURCES/RHEL-15302-2-ocft-exportfs-remove-fsid-required-test.patch
@ -1,43 +0,0 @@
 From 1d1481aa6d848efab4d398ad6e74d80b5b32549f Mon Sep 17 00:00:00 2001
 From: Valentin Vidic <vvidic@debian.org>
 Date: Wed, 1 Nov 2023 18:25:45 +0100
 Subject: [PATCH] exportfs: remove test for "fsid=" parameter
 fsid parameter is now considered optional.
 ---
 tools/ocft/exportfs          | 5 -----
 tools/ocft/exportfs-multidir | 5 -----
 2 files changed, 10 deletions(-)
 diff --git a/tools/ocft/exportfs b/tools/ocft/exportfs
 index 285a4b8ea0..1ec3d4c364 100644
 --- a/tools/ocft/exportfs
 +++ b/tools/ocft/exportfs
@@ -28,11 +28,6 @@ CASE "check base env"
 	Include prepare
 	AgentRun start OCF_SUCCESS
 -CASE "check base env: no 'OCF_RESKEY_fsid'"
 -	Include prepare
 -	Env OCF_RESKEY_fsid=
 -	AgentRun start OCF_ERR_CONFIGURED
 -
 CASE "check base env: invalid 'OCF_RESKEY_directory'"
 	Include prepare
 	Env OCF_RESKEY_directory=/no_such
 diff --git a/tools/ocft/exportfs-multidir b/tools/ocft/exportfs-multidir
 index 00e41f0859..ac6d5c7f6a 100644
 --- a/tools/ocft/exportfs-multidir
 +++ b/tools/ocft/exportfs-multidir
@@ -28,11 +28,6 @@ CASE "check base env"
 	Include prepare
 	AgentRun start OCF_SUCCESS
 -CASE "check base env: no 'OCF_RESKEY_fsid'"
 -	Include prepare
 -	Env OCF_RESKEY_fsid=
 -	AgentRun start OCF_ERR_CONFIGURED
 -
 CASE "check base env: invalid 'OCF_RESKEY_directory'"
 	Include prepare
 	Env OCF_RESKEY_directory=/no_such
--- a/SOURCES/RHEL-15305-1-findif.sh-fix-loopback-handling.patch
+++ b/SOURCES/RHEL-15305-1-findif.sh-fix-loopback-handling.patch
@ -1,45 +0,0 @@
 From e4f84ae185b6943d1ff461d53c7f1b5295783086 Mon Sep 17 00:00:00 2001
 From: Valentin Vidic <vvidic@valentin-vidic.from.hr>
 Date: Wed, 1 Nov 2023 19:35:21 +0100
 Subject: [PATCH] findif.sh: fix loopback handling
 tools/ocft/IPaddr2 fails the loopback test because of the missing
 table local parameter:
 $ ip -o -f inet route list match 127.0.0.3 scope host
 $ ip -o -f inet route list match 127.0.0.3 table local scope host
 local 127.0.0.0/8 dev lo proto kernel src 127.0.0.1
 Also rename the function because it is called only in for the special
 loopback address case.
 ---
 heartbeat/findif.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/heartbeat/findif.sh b/heartbeat/findif.sh
 index 5f1c19ec3..7c766e6e0 100644
 --- a/heartbeat/findif.sh
 +++ b/heartbeat/findif.sh
@@ -29,10 +29,10 @@ prefixcheck() {
   fi
   return 0
 }
 -getnetworkinfo()
 +getloopbackinfo()
 {
   local line netinfo
 -  ip -o -f inet route list match $OCF_RESKEY_ip table "${OCF_RESKEY_table:=main}" scope host | (while read line;
 +  ip -o -f inet route list match $OCF_RESKEY_ip table local scope host | (while read line;
   do
     netinfo=`echo $line | awk '{print $2}'`
     case $netinfo in
@@ -222,7 +222,7 @@ findif()
   if [ $# = 0 ] ; then
     case $OCF_RESKEY_ip in
     127.*)
 -      set -- `getnetworkinfo`
 +      set -- `getloopbackinfo`
       shift;;
     esac
   fi
--- a/SOURCES/RHEL-15305-2-findif.sh-dont-use-table-parameter.patch
+++ b/SOURCES/RHEL-15305-2-findif.sh-dont-use-table-parameter.patch
@ -1,20 +0,0 @@
 --- a/heartbeat/findif.sh	2024-02-08 11:31:53.414257686 +0100
 +++ b/heartbeat/findif.sh	2023-11-02 10:20:12.150853167 +0100
@@ -210,14 +210,14 @@
   fi
   findif_check_params $family || return $?
 -  if [ -n "$netmask" ] ; then
 +  if [ -n "$netmask" ]; then
       match=$match/$netmask
   fi
   if [ -n "$nic" ] ; then
     # NIC supports more than two.
 -    set -- $(ip -o -f $family route list match $match $scope table "${OCF_RESKEY_table:=main}" | grep "dev $nic " | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
 +    set -- $(ip -o -f $family route list match $match $scope | grep "dev $nic " | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
   else
 -    set -- $(ip -o -f $family route list match $match $scope table "${OCF_RESKEY_table:=main}" | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
 +    set -- $(ip -o -f $family route list match $match $scope | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
   fi
   if [ $# = 0 ] ; then
     case $OCF_RESKEY_ip in
--- a/SOURCES/RHEL-16248-aws-vpc-move-ip-aws-vpc-route53-awseip-awsvip-auth_type-role.patch
+++ b/SOURCES/RHEL-16248-aws-vpc-move-ip-aws-vpc-route53-awseip-awsvip-auth_type-role.patch
@ -1,555 +0,0 @@
 From f45f76600a7e02c860566db7d1350dc3b09449c2 Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Mon, 6 Nov 2023 15:49:44 +0100
 Subject: [PATCH] aws-vpc-move-ip/aws-vpc-route53/awseip/awsvip: add auth_type
 parameter and AWS Policy based authentication type
 ---
 heartbeat/aws-vpc-move-ip    | 43 +++++++++++++++++++----
 heartbeat/aws-vpc-route53.in | 47 ++++++++++++++++++++-----
 heartbeat/awseip             | 68 +++++++++++++++++++++++++++---------
 heartbeat/awsvip             | 60 ++++++++++++++++++++++++-------
 4 files changed, 173 insertions(+), 45 deletions(-)
 diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
 index dee040300f..54806f6eaa 100755
 --- a/heartbeat/aws-vpc-move-ip
 +++ b/heartbeat/aws-vpc-move-ip
@@ -36,6 +36,7 @@
 # Defaults
 OCF_RESKEY_awscli_default="/usr/bin/aws"
 +OCF_RESKEY_auth_type_default="key"
 OCF_RESKEY_profile_default="default"
 OCF_RESKEY_region_default=""
 OCF_RESKEY_ip_default=""
@@ -48,6 +49,7 @@ OCF_RESKEY_monapi_default="false"
 OCF_RESKEY_lookup_type_default="InstanceId"
 : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
 +: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
 : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
 : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
 : ${OCF_RESKEY_ip=${OCF_RESKEY_ip_default}}
@@ -58,8 +60,6 @@ OCF_RESKEY_lookup_type_default="InstanceId"
 : ${OCF_RESKEY_iflabel=${OCF_RESKEY_iflabel_default}}
 : ${OCF_RESKEY_monapi=${OCF_RESKEY_monapi_default}}
 : ${OCF_RESKEY_lookup_type=${OCF_RESKEY_lookup_type_default}}
 -
 -[ -n "$OCF_RESKEY_region" ] && region_opt="--region $OCF_RESKEY_region"
 #######################################################################
@@ -83,6 +83,10 @@ cat <<END
 <longdesc lang="en">
 Resource Agent to move IP addresses within a VPC of the Amazon Webservices EC2
 by changing an entry in an specific routing table
 +
 +Credentials needs to be setup by running "aws configure", or by using AWS Policies.
 +
 +See https://aws.amazon.com/cli/ for more information about awscli.
 </longdesc>
 <shortdesc lang="en">Move IP within a VPC of the AWS EC2</shortdesc>
@@ -95,6 +99,15 @@ Path to command line tools for AWS
 <content type="string" default="${OCF_RESKEY_awscli_default}" />
 </parameter>
 +<parameter name="auth_type">
 +<longdesc lang="en">
 +Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
 +or "role" to use AWS Policies.
 +</longdesc>
 +<shortdesc lang="en">Authentication type</shortdesc>
 +<content type="string" default="${OCF_RESKEY_auth_type_default}" />
 +</parameter>
 +
 <parameter name="profile">
 <longdesc lang="en">
 Valid AWS CLI profile name (see ~/.aws/config and 'aws configure')
@@ -198,7 +211,7 @@ END
 execute_cmd_as_role(){
 	cmd=$1
 	role=$2
 -	output="$($OCF_RESKEY_awscli sts assume-role --role-arn $role --role-session-name AWSCLI-RouteTableUpdate --profile $OCF_RESKEY_profile $region_opt --output=text)"
 +	output="$($AWSCLI_CMD sts assume-role --role-arn $role --role-session-name AWSCLI-RouteTableUpdate --output=text)"
 	export AWS_ACCESS_KEY_ID="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $5}')"
 	export AWS_SECRET_ACCESS_KEY="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $7}')"
 	export AWS_SESSION_TOKEN="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $8}')"
@@ -220,11 +233,11 @@ ec2ip_set_address_param_compat(){
 }
 ec2ip_validate() {
 -	for cmd in $OCF_RESKEY_awscli ip curl; do
 +	for cmd in "$OCF_RESKEY_awscli" ip curl; do
 		check_binary "$cmd"
 	done
 -	if [ -z "$OCF_RESKEY_profile" ]; then
 +	if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
 		ocf_exit_reason "profile parameter not set"
 		return $OCF_ERR_CONFIGURED
 	fi
@@ -262,7 +275,7 @@ ec2ip_monitor() {
 		for rtb in $(echo $OCF_RESKEY_routing_table | sed -e 's/,/ /g'); do
 			ocf_log info "monitor: check routing table (API call) - $rtb"
 			if [ -z "${OCF_RESKEY_routing_table_role}" ]; then
 -				cmd="$OCF_RESKEY_awscli --profile $OCF_RESKEY_profile $region_opt --output text ec2 describe-route-tables --route-table-ids $rtb --query RouteTables[*].Routes[?DestinationCidrBlock=='$OCF_RESKEY_ip/32'].$OCF_RESKEY_lookup_type"
 +				cmd="$AWSCLI_CMD --output text ec2 describe-route-tables --route-table-ids $rtb --query RouteTables[*].Routes[?DestinationCidrBlock=='$OCF_RESKEY_ip/32'].$OCF_RESKEY_lookup_type"
 				ocf_log debug "executing command: $cmd"
 				ROUTE_TO_INSTANCE="$($cmd)"
 			else
@@ -368,7 +381,7 @@ ec2ip_get_and_configure() {
 	EC2_NETWORK_INTERFACE_ID="$(ec2ip_get_instance_eni)"
 	for rtb in $(echo $OCF_RESKEY_routing_table | sed -e 's/,/ /g'); do
 		if [ -z "${OCF_RESKEY_routing_table_role}" ]; then
 -			cmd="$OCF_RESKEY_awscli --profile $OCF_RESKEY_profile $region_opt --output text ec2 replace-route --route-table-id $rtb --destination-cidr-block ${OCF_RESKEY_ip}/32 --network-interface-id $EC2_NETWORK_INTERFACE_ID"
 +			cmd="$AWSCLI_CMD --output text ec2 replace-route --route-table-id $rtb --destination-cidr-block ${OCF_RESKEY_ip}/32 --network-interface-id $EC2_NETWORK_INTERFACE_ID"
 			ocf_log debug "executing command: $cmd"
 			$cmd
 		else
@@ -475,6 +488,22 @@ if ! ocf_is_root; then
 	exit $OCF_ERR_PERM
 fi
 +AWSCLI_CMD="${OCF_RESKEY_awscli}"
 +if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
 +	AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
 +elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
 +	if [ -z "${OCF_RESKEY_region}" ]; then
 +		ocf_exit_reason "region needs to be set when using role-based authentication"
 +		exit $OCF_ERR_CONFIGURED
 +	fi
 +else
 +	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
 +	exit $OCF_ERR_CONFIGURED
 +fi
 +if [ -n "${OCF_RESKEY_region}" ]; then
 +	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
 +fi
 +
 ec2ip_set_address_param_compat
 ec2ip_validate
 diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
 index 22cbb35833..18ab157e8a 100644
 --- a/heartbeat/aws-vpc-route53.in
 +++ b/heartbeat/aws-vpc-route53.in
@@ -46,24 +46,22 @@
 # Defaults
 OCF_RESKEY_awscli_default="/usr/bin/aws"
 +OCF_RESKEY_auth_type_default="key"
 OCF_RESKEY_profile_default="default"
 +OCF_RESKEY_region_default=""
 OCF_RESKEY_hostedzoneid_default=""
 OCF_RESKEY_fullname_default=""
 OCF_RESKEY_ip_default="local"
 OCF_RESKEY_ttl_default=10
 : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
 +: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
 : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
 +: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
 : ${OCF_RESKEY_hostedzoneid:=${OCF_RESKEY_hostedzoneid_default}}
 : ${OCF_RESKEY_fullname:=${OCF_RESKEY_fullname_default}}
 : ${OCF_RESKEY_ip:=${OCF_RESKEY_ip_default}}
 : ${OCF_RESKEY_ttl:=${OCF_RESKEY_ttl_default}}
 -#######################################################################
 -
 -
 -AWS_PROFILE_OPT="--profile $OCF_RESKEY_profile --cli-connect-timeout 10"
 -#######################################################################
 -
 usage() {
 	cat <<-EOT
@@ -123,6 +121,15 @@ Path to command line tools for AWS
 <content type="string" default="${OCF_RESKEY_awscli_default}" />
 </parameter>
 +<parameter name="auth_type">
 +<longdesc lang="en">
 +Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
 +or "role" to use AWS Policies.
 +</longdesc>
 +<shortdesc lang="en">Authentication type</shortdesc>
 +<content type="string" default="${OCF_RESKEY_auth_type_default}" />
 +</parameter>
 +
 <parameter name="profile">
 <longdesc lang="en">
 The name of the AWS CLI profile of the root account. This
@@ -196,7 +203,7 @@ r53_validate() {
 	# Check for required binaries
 	ocf_log debug "Checking for required binaries"
 -	for command in curl dig; do
 +	for command in "${OCF_RESKEY_awscli}" curl dig; do
 		check_binary "$command"
 	done
@@ -216,7 +223,10 @@ r53_validate() {
 	esac
 	# profile
 -	[[ -z "$OCF_RESKEY_profile" ]] && ocf_log error "AWS CLI profile not set $OCF_RESKEY_profile!" && exit $OCF_ERR_CONFIGURED
 +	if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
 +		ocf_exit_reason "profile parameter not set"
 +		return $OCF_ERR_CONFIGURED
 +	fi
 	# TTL
 	[[ -z "$OCF_RESKEY_ttl" ]] && ocf_log error "TTL not set $OCF_RESKEY_ttl!" && exit $OCF_ERR_CONFIGURED
@@ -417,7 +427,6 @@ _update_record() {
 }
 ###############################################################################
 -
 case $__OCF_ACTION in
 	usage|help)
 		usage
@@ -427,6 +436,26 @@ case $__OCF_ACTION in
 		metadata
 		exit $OCF_SUCCESS
 		;;
 +esac
 +
 +AWSCLI_CMD="${OCF_RESKEY_awscli}"
 +if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
 +	AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
 +elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
 +	if [ -z "${OCF_RESKEY_region}" ]; then
 +		ocf_exit_reason "region needs to be set when using role-based authentication"
 +		exit $OCF_ERR_CONFIGURED
 +	fi
 +else
 +	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
 +	exit $OCF_ERR_CONFIGURED
 +fi
 +if [ -n "${OCF_RESKEY_region}" ]; then
 +	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
 +fi
 +AWSCLI_CMD="$AWSCLI_CMD --cli-connect-timeout 10"
 +
 +case $__OCF_ACTION in
 	start)
 		r53_validate || exit $?
 		r53_start
 diff --git a/heartbeat/awseip b/heartbeat/awseip
 index dc48460c85..49b0ca6155 100755
 --- a/heartbeat/awseip
 +++ b/heartbeat/awseip
@@ -23,7 +23,8 @@
 #
 #  Prerequisites:
 #
 -#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.)
 +#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.) or
 +#    (AWSRole) Setup up relevant AWS Policies to allow agent related functions to be executed.
 #  - a reserved secondary private IP address for EC2 instances high availability
 #  - IAM user role with the following permissions:
 #    * DescribeInstances
@@ -44,11 +45,15 @@
 # Defaults
 #
 OCF_RESKEY_awscli_default="/usr/bin/aws"
 +OCF_RESKEY_auth_type_default="key"
 OCF_RESKEY_profile_default="default"
 +OCF_RESKEY_region_default=""
 OCF_RESKEY_api_delay_default="3"
 : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
 +: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
 : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
 +: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
 : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
 meta_data() {
@@ -63,7 +68,7 @@ Resource Agent for Amazon AWS Elastic IP Addresses.
 It manages AWS Elastic IP Addresses with awscli.
 -Credentials needs to be setup by running "aws configure".
 +Credentials needs to be setup by running "aws configure", or by using AWS Policies.
 See https://aws.amazon.com/cli/ for more information about awscli.
 </longdesc>
@@ -79,6 +84,15 @@ command line tools for aws services
 <content type="string" default="${OCF_RESKEY_awscli_default}" />
 </parameter>
 +<parameter name="auth_type">
 +<longdesc lang="en">
 +Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
 +or "role" to use AWS Policies.
 +</longdesc>
 +<shortdesc lang="en">Authentication type</shortdesc>
 +<content type="string" default="${OCF_RESKEY_auth_type_default}" />
 +</parameter>
 +
 <parameter name="profile">
 <longdesc lang="en">
 Valid AWS CLI profile name (see ~/.aws/config and 'aws configure')
@@ -111,6 +125,14 @@ predefined private ip address for ec2 instance
 <content type="string" default="" />
 </parameter>
 +<parameter name="region" required="0">
 +<longdesc lang="en">
 +Region for AWS resource (required for role-based authentication)
 +</longdesc>
 +<shortdesc lang="en">Region</shortdesc>
 +<content type="string" default="${OCF_RESKEY_region_default}" />
 +</parameter>
 +
 <parameter name="api_delay" unique="0">
 <longdesc lang="en">
 a short delay between API calls, to avoid sending API too quick
@@ -157,13 +179,13 @@ awseip_start() {
                 NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
             fi
         done
 -        $AWSCLI --profile $OCF_RESKEY_profile ec2 associate-address  \
 +        $AWSCLI_CMD ec2 associate-address  \
             --network-interface-id ${NETWORK_ID} \
             --allocation-id ${ALLOCATION_ID} \
             --private-ip-address ${PRIVATE_IP_ADDRESS}
         RET=$?
     else
 -        $AWSCLI --profile $OCF_RESKEY_profile ec2 associate-address  \
 +        $AWSCLI_CMD ec2 associate-address  \
             --instance-id ${INSTANCE_ID} \
             --allocation-id ${ALLOCATION_ID}
         RET=$?
@@ -183,7 +205,7 @@ awseip_start() {
 awseip_stop() {
     awseip_monitor || return $OCF_SUCCESS
 -    ASSOCIATION_ID=$($AWSCLI --profile $OCF_RESKEY_profile --output json ec2 describe-addresses \
 +    ASSOCIATION_ID=$($AWSCLI_CMD --output json ec2 describe-addresses \
                          --allocation-id ${ALLOCATION_ID} | grep -m 1 "AssociationId" | awk -F'"' '{print$4}')
     if [ -z "${ASSOCIATION_ID}" ]; then
@@ -191,9 +213,7 @@ awseip_stop() {
         return $OCF_NOT_RUNNING
     fi
 -    $AWSCLI --profile ${OCF_RESKEY_profile} \
 -        ec2 disassociate-address \
 -        --association-id ${ASSOCIATION_ID}
 +    $AWSCLI_CMD ec2 disassociate-address --association-id ${ASSOCIATION_ID}
     RET=$?
     # delay to avoid sending request too fast
@@ -208,7 +228,7 @@ awseip_stop() {
 }
 awseip_monitor() {
 -    $AWSCLI --profile $OCF_RESKEY_profile ec2 describe-instances --instance-id "${INSTANCE_ID}" | grep -q "${ELASTIC_IP}"
 +    $AWSCLI_CMD ec2 describe-instances --instance-id "${INSTANCE_ID}" | grep -q "${ELASTIC_IP}"
     RET=$?
     if [ $RET -ne 0 ]; then
@@ -218,9 +238,9 @@ awseip_monitor() {
 }
 awseip_validate() {
 -    check_binary ${AWSCLI}
 +    check_binary "${OCF_RESKEY_awscli}"
 -    if [ -z "$OCF_RESKEY_profile" ]; then
 +    if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
         ocf_exit_reason "profile parameter not set"
         return $OCF_ERR_CONFIGURED
     fi
@@ -238,9 +258,27 @@ case $__OCF_ACTION in
         meta_data
         exit $OCF_SUCCESS
         ;;
 -esac 
 +    usage|help)
 +        awseip_usage
 +        exit $OCF_SUCCESS
 +        ;;
 +esac
 -AWSCLI="${OCF_RESKEY_awscli}"
 +AWSCLI_CMD="${OCF_RESKEY_awscli}"
 +if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
 +	AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
 +elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
 +	if [ -z "${OCF_RESKEY_region}" ]; then
 +		ocf_exit_reason "region needs to be set when using role-based authentication"
 +		exit $OCF_ERR_CONFIGURED
 +	fi
 +else
 +	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
 +	exit $OCF_ERR_CONFIGURED
 +fi
 +if [ -n "${OCF_RESKEY_region}" ]; then
 +	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
 +fi
 ELASTIC_IP="${OCF_RESKEY_elastic_ip}"
 ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
 PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
@@ -272,10 +310,6 @@ case $__OCF_ACTION in
     validate|validate-all)
         awseip_validate
         ;;
 -    usage|help)
 -        awseip_usage
 -        exit $OCF_SUCCESS
 -        ;;
     *)
         awseip_usage
         exit $OCF_ERR_UNIMPLEMENTED
 diff --git a/heartbeat/awsvip b/heartbeat/awsvip
 index 037278e296..bdb4d68dd0 100755
 --- a/heartbeat/awsvip
 +++ b/heartbeat/awsvip
@@ -23,7 +23,8 @@
 #
 #  Prerequisites:
 #
 -#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.)
 +#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.) or
 +#    (AWSRole) Setup up relevant AWS Policies to allow agent related functions to be executed.
 #  - a reserved secondary private IP address for EC2 instances high availablity
 #  - IAM user role with the following permissions:
 #    * DescribeInstances
@@ -43,11 +44,15 @@
 # Defaults
 #
 OCF_RESKEY_awscli_default="/usr/bin/aws"
 +OCF_RESKEY_auth_type_default="key"
 OCF_RESKEY_profile_default="default"
 +OCF_RESKEY_region_default=""
 OCF_RESKEY_api_delay_default="3"
 : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
 +: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
 : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
 +: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
 : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
 meta_data() {
@@ -62,7 +67,7 @@ Resource Agent for Amazon AWS Secondary Private IP Addresses.
 It manages AWS Secondary Private IP Addresses with awscli.
 -Credentials needs to be setup by running "aws configure".
 +Credentials needs to be setup by running "aws configure", or by using AWS Policies.
 See https://aws.amazon.com/cli/ for more information about awscli.
 </longdesc>
@@ -78,6 +83,15 @@ command line tools for aws services
 <content type="string" default="${OCF_RESKEY_awscli_default}" />
 </parameter>
 +<parameter name="auth_type">
 +<longdesc lang="en">
 +Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
 +or "role" to use AWS Policies.
 +</longdesc>
 +<shortdesc lang="en">Authentication type</shortdesc>
 +<content type="string" default="${OCF_RESKEY_auth_type_default}" />
 +</parameter>
 +
 <parameter name="profile">
 <longdesc lang="en">
 Valid AWS CLI profile name (see ~/.aws/config and 'aws configure')
@@ -94,6 +108,14 @@ reserved secondary private ip for ec2 instance
 <content type="string" default="" />
 </parameter>
 +<parameter name="region" required="0">
 +<longdesc lang="en">
 +Region for AWS resource (required for role-based authentication)
 +</longdesc>
 +<shortdesc lang="en">Region</shortdesc>
 +<content type="string" default="${OCF_RESKEY_region_default}" />
 +</parameter>
 +
 <parameter name="api_delay" unique="0">
 <longdesc lang="en">
 a short delay between API calls, to avoid sending API too quick
@@ -131,7 +153,7 @@ END
 awsvip_start() {
     awsvip_monitor && return $OCF_SUCCESS
 -    $AWSCLI --profile $OCF_RESKEY_profile ec2 assign-private-ip-addresses \
 +    $AWSCLI_CMD ec2 assign-private-ip-addresses \
         --network-interface-id ${NETWORK_ID} \
         --private-ip-addresses ${SECONDARY_PRIVATE_IP} \
         --allow-reassignment
@@ -151,7 +173,7 @@ awsvip_start() {
 awsvip_stop() {
     awsvip_monitor || return $OCF_SUCCESS
 -    $AWSCLI --profile $OCF_RESKEY_profile ec2 unassign-private-ip-addresses \
 +    $AWSCLI_CMD ec2 unassign-private-ip-addresses \
         --network-interface-id ${NETWORK_ID} \
         --private-ip-addresses ${SECONDARY_PRIVATE_IP}
     RET=$?
@@ -168,7 +190,7 @@ awsvip_stop() {
 }
 awsvip_monitor() {
 -    $AWSCLI --profile ${OCF_RESKEY_profile} ec2 describe-instances \
 +    $AWSCLI_CMD ec2 describe-instances \
             --instance-id "${INSTANCE_ID}" \
             --query 'Reservations[].Instances[].NetworkInterfaces[].PrivateIpAddresses[].PrivateIpAddress[]' \
             --output text | \
@@ -182,9 +204,9 @@ awsvip_monitor() {
 }
 awsvip_validate() {
 -    check_binary ${AWSCLI}
 +    check_binary "${OCF_RESKEY_awscli}"
 -    if [ -z "$OCF_RESKEY_profile" ]; then
 +    if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
         ocf_exit_reason "profile parameter not set"
         return $OCF_ERR_CONFIGURED
     fi
@@ -202,9 +224,27 @@ case $__OCF_ACTION in
         meta_data
         exit $OCF_SUCCESS
         ;;
 +    usage|help)
 +        awsvip_usage
 +        exit $OCF_SUCCESS
 +        ;;
 esac
 -AWSCLI="${OCF_RESKEY_awscli}"
 +AWSCLI_CMD="${OCF_RESKEY_awscli}"
 +if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
 +	AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
 +elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
 +	if [ -z "${OCF_RESKEY_region}" ]; then
 +		ocf_exit_reason "region needs to be set when using role-based authentication"
 +		exit $OCF_ERR_CONFIGURED
 +	fi
 +else
 +	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
 +	exit $OCF_ERR_CONFIGURED
 +fi
 +if [ -n "${OCF_RESKEY_region}" ]; then
 +	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
 +fi
 SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
 TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
 INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
@@ -236,10 +276,6 @@ case $__OCF_ACTION in
     validate|validate-all)
         awsvip_validate
         ;;
 -    usage|help)
 -        awsvip_usage
 -        exit $OCF_SUCCESS
 -        ;;
     *)
         awsvip_usage
         exit $OCF_ERR_UNIMPLEMENTED
--- a/SOURCES/RHEL-17083-findif-EOS-fix.patch
+++ b/SOURCES/RHEL-17083-findif-EOS-fix.patch
@ -1,22 +0,0 @@
 From b23ba4eaefb500199c4845751f4c5545c81f42f1 Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Mon, 20 Nov 2023 16:37:37 +0100
 Subject: [PATCH 2/2] findif: also check that netmaskbits != EOS
 ---
 tools/findif.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/tools/findif.c b/tools/findif.c
 index a25395fec..ab108a3c4 100644
 --- a/tools/findif.c
 +++ b/tools/findif.c
@@ -669,7 +669,7 @@ main(int argc, char ** argv) {
 		}
 	}
 -	if (netmaskbits) {
 +	if (netmaskbits != NULL && *netmaskbits != EOS) {
 		best_netmask = netmask;
 	}else if (best_netmask == 0L) {
 		/*
--- a/SOURCES/RHEL-32828-db2-fix-OCF_SUCESS-typo.patch
+++ b/SOURCES/RHEL-32828-db2-fix-OCF_SUCESS-typo.patch
@ -1,23 +0,0 @@
 From a9c4aeb971e9f4963345d0e215b729def62dd27c Mon Sep 17 00:00:00 2001
 From: pepadelic <162310096+pepadelic@users.noreply.github.com>
 Date: Mon, 15 Apr 2024 13:52:54 +0200
 Subject: [PATCH] Update db2: fix OCF_SUCESS name in db2_notify
 fix OCF_SUCESS to OCF_SUCCESS  in db2_notify
 ---
 heartbeat/db2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/heartbeat/db2 b/heartbeat/db2
 index 95447ab6cb..1cd66f15af 100755
 --- a/heartbeat/db2
 +++ b/heartbeat/db2
@@ -848,7 +848,7 @@ db2_notify() {
     # only interested in pre-start
     [  $OCF_RESKEY_CRM_meta_notify_type = pre \
 -    -a $OCF_RESKEY_CRM_meta_notify_operation = start ] || return $OCF_SUCESS
 +    -a $OCF_RESKEY_CRM_meta_notify_operation = start ] || return $OCF_SUCCESS
     # gets FIRST_ACTIVE_LOG
     db2_get_cfg $dblist || return $?
--- a/SOURCES/RHEL-34137-aws-agents-use-curl_retry.patch
+++ b/SOURCES/RHEL-34137-aws-agents-use-curl_retry.patch
@ -1,343 +0,0 @@
 From fc0657b936f6a58f741e33f851b22f82bc68bffa Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Tue, 6 Feb 2024 13:28:12 +0100
 Subject: [PATCH 1/2] ocf-shellfuncs: add curl_retry()
 ---
 heartbeat/ocf-shellfuncs.in | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 diff --git a/heartbeat/ocf-shellfuncs.in b/heartbeat/ocf-shellfuncs.in
 index c5edb6f57..a69a9743d 100644
 --- a/heartbeat/ocf-shellfuncs.in
 +++ b/heartbeat/ocf-shellfuncs.in
@@ -672,6 +672,40 @@ EOF
 	systemctl daemon-reload
 }
 +# usage: curl_retry RETRIES SLEEP ARGS URL
 +#
 +# Use --show-error in ARGS to log HTTP error code
 +#
 +# returns:
 +#    0  success
 +# exit:
 +#    1  fail
 +curl_retry()
 +{
 +	local retries=$1 sleep=$2 opts=$3 url=$4
 +	local tries=$(($retries + 1))
 +	local args="--fail $opts $url"
 +	local result rc
 +
 +	for try in $(seq $tries); do
 +		ocf_log debug "curl $args try $try of $tries"
 +		result=$(echo "$args" | xargs curl 2>&1)
 +		rc=$?
 +
 +		ocf_log debug "result: $result"
 +		[ $rc -eq 0 ] && break
 +		sleep $sleep
 +	done
 +
 +	if [ $rc -ne 0 ]; then
 +		ocf_exit_reason "curl $args failed $tries tries"
 +		exit $OCF_ERR_GENERIC
 +	fi
 +
 +	echo "$result"
 +	return $rc
 +}
 +
 # usage: crm_mon_no_validation args...
 # run crm_mon without any cib schema validation
 # This is useful when an agent runs in a bundle to avoid potential
 From 80d330557319bdae9e45aad1279e435fc481d4e7 Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Tue, 6 Feb 2024 13:28:25 +0100
 Subject: [PATCH 2/2] AWS agents: use curl_retry()
 ---
 heartbeat/aws-vpc-move-ip    | 35 ++++++++++++++++++++++++++---------
 heartbeat/aws-vpc-route53.in | 27 +++++++++++++++++++++++++--
 heartbeat/awseip             | 36 +++++++++++++++++++++++++++++++-----
 heartbeat/awsvip             | 32 ++++++++++++++++++++++++++++----
 4 files changed, 110 insertions(+), 20 deletions(-)
 diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
 index 54806f6ea..6115e5ba8 100755
 --- a/heartbeat/aws-vpc-move-ip
 +++ b/heartbeat/aws-vpc-move-ip
@@ -47,6 +47,8 @@ OCF_RESKEY_interface_default="eth0"
 OCF_RESKEY_iflabel_default=""
 OCF_RESKEY_monapi_default="false"
 OCF_RESKEY_lookup_type_default="InstanceId"
 +OCF_RESKEY_curl_retries_default="3"
 +OCF_RESKEY_curl_sleep_default="1"
 : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
 : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
@@ -60,6 +62,8 @@ OCF_RESKEY_lookup_type_default="InstanceId"
 : ${OCF_RESKEY_iflabel=${OCF_RESKEY_iflabel_default}}
 : ${OCF_RESKEY_monapi=${OCF_RESKEY_monapi_default}}
 : ${OCF_RESKEY_lookup_type=${OCF_RESKEY_lookup_type_default}}
 +: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
 +: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
 #######################################################################
@@ -194,6 +198,22 @@ Name of resource type to lookup in route table.
 <content type="string" default="${OCF_RESKEY_lookup_type_default}" />
 </parameter>
 +<parameter name="curl_retries" unique="0">
 +<longdesc lang="en">
 +curl retries before failing
 +</longdesc>
 +<shortdesc lang="en">curl retries</shortdesc>
 +<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
 +</parameter>
 +
 +<parameter name="curl_sleep" unique="0">
 +<longdesc lang="en">
 +curl sleep between tries
 +</longdesc>
 +<shortdesc lang="en">curl sleep</shortdesc>
 +<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
 +</parameter>
 +
 </parameters>
 <actions>
@@ -250,8 +270,10 @@ ec2ip_validate() {
 		fi
 	fi
 -	TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
 -	EC2_INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
 +	TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
 +	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
 +	EC2_INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
 +	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
 	if [ -z "${EC2_INSTANCE_ID}" ]; then
 		ocf_exit_reason "Instance ID not found. Is this a EC2 instance?"
@@ -365,14 +387,9 @@ ec2ip_get_instance_eni() {
 	fi
 	ocf_log debug "MAC address associated with interface ${OCF_RESKEY_interface}: ${MAC_ADDR}"
 -	cmd="curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDR}/interface-id -H \"X-aws-ec2-metadata-token: $TOKEN\""
 -	ocf_log debug "executing command: $cmd"
 +	cmd="curl_retry \"$OCF_RESKEY_curl_retries\" \"$OCF_RESKEY_curl_sleep\" \"--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'\" \"http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDR}/interface-id\""
 	EC2_NETWORK_INTERFACE_ID="$(eval $cmd)"
 -	rc=$?
 -	if [ $rc != 0 ]; then
 -		ocf_log warn "command failed, rc: $rc"
 -		return $OCF_ERR_GENERIC
 -	fi
 +	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
 	ocf_log debug "network interface id associated MAC address ${MAC_ADDR}: ${EC2_NETWORK_INTERFACE_ID}"
 	echo $EC2_NETWORK_INTERFACE_ID
 }
 diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
 index 18ab157e8..eba2ed95c 100644
 --- a/heartbeat/aws-vpc-route53.in
 +++ b/heartbeat/aws-vpc-route53.in
@@ -53,6 +53,8 @@ OCF_RESKEY_hostedzoneid_default=""
 OCF_RESKEY_fullname_default=""
 OCF_RESKEY_ip_default="local"
 OCF_RESKEY_ttl_default=10
 +OCF_RESKEY_curl_retries_default="3"
 +OCF_RESKEY_curl_sleep_default="1"
 : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
 : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
@@ -62,6 +64,8 @@ OCF_RESKEY_ttl_default=10
 : ${OCF_RESKEY_fullname:=${OCF_RESKEY_fullname_default}}
 : ${OCF_RESKEY_ip:=${OCF_RESKEY_ip_default}}
 : ${OCF_RESKEY_ttl:=${OCF_RESKEY_ttl_default}}
 +: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
 +: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
 usage() {
 	cat <<-EOT
@@ -185,6 +189,22 @@ Time to live for Route53 ARECORD
 <shortdesc lang="en">ARECORD TTL</shortdesc>
 <content type="string" default="${OCF_RESKEY_ttl_default}" />
 </parameter>
 +
 +<parameter name="curl_retries" unique="0">
 +<longdesc lang="en">
 +curl retries before failing
 +</longdesc>
 +<shortdesc lang="en">curl retries</shortdesc>
 +<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
 +</parameter>
 +
 +<parameter name="curl_sleep" unique="0">
 +<longdesc lang="en">
 +curl sleep between tries
 +</longdesc>
 +<shortdesc lang="en">curl sleep</shortdesc>
 +<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
 +</parameter>
 </parameters>
 <actions>
@@ -357,8 +377,11 @@ r53_monitor() {
 _get_ip() {
 	case $OCF_RESKEY_ip in
 		local|public)
 -			TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
 -			IPADDRESS=$(curl -s http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4 -H "X-aws-ec2-metadata-token: $TOKEN");;
 +			TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
 +			[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
 +			IPADDRESS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4")
 +			[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
 +			;;
 		*.*.*.*)
 			IPADDRESS="${OCF_RESKEY_ip}";;
 	esac
 diff --git a/heartbeat/awseip b/heartbeat/awseip
 index 49b0ca615..ffb6223a1 100755
 --- a/heartbeat/awseip
 +++ b/heartbeat/awseip
@@ -49,12 +49,16 @@ OCF_RESKEY_auth_type_default="key"
 OCF_RESKEY_profile_default="default"
 OCF_RESKEY_region_default=""
 OCF_RESKEY_api_delay_default="3"
 +OCF_RESKEY_curl_retries_default="3"
 +OCF_RESKEY_curl_sleep_default="1"
 : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
 : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
 : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
 : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
 : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
 +: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
 +: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
 meta_data() {
     cat <<END
@@ -141,6 +145,22 @@ a short delay between API calls, to avoid sending API too quick
 <content type="integer" default="${OCF_RESKEY_api_delay_default}" />
 </parameter>
 +<parameter name="curl_retries" unique="0">
 +<longdesc lang="en">
 +curl retries before failing
 +</longdesc>
 +<shortdesc lang="en">curl retries</shortdesc>
 +<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
 +</parameter>
 +
 +<parameter name="curl_sleep" unique="0">
 +<longdesc lang="en">
 +curl sleep between tries
 +</longdesc>
 +<shortdesc lang="en">curl sleep</shortdesc>
 +<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
 +</parameter>
 +
 </parameters>
 <actions>
@@ -171,14 +191,18 @@ awseip_start() {
     awseip_monitor && return $OCF_SUCCESS
     if [ -n "${PRIVATE_IP_ADDRESS}" ]; then
 -        NETWORK_INTERFACES_MACS=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/ -H "X-aws-ec2-metadata-token: $TOKEN")
 +        NETWORK_INTERFACES_MACS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "-s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/")
         for MAC in ${NETWORK_INTERFACES_MACS}; do
 -            curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/local-ipv4s -H "X-aws-ec2-metadata-token: $TOKEN" |
 +            curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "-s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC%/*}/local-ipv4s" |
                 grep -q "^${PRIVATE_IP_ADDRESS}$"
             if [ $? -eq 0 ]; then
 -                NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
 +                NETWORK_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "-s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC%/*}/interface-id")
             fi
         done
 +        if [ -z "$NETWORK_ID" ]; then
 +            ocf_exit_reason "Could not find network interface for private_ip_address: $PRIVATE_IP_ADDRESS"
 +            exit $OCF_ERR_GENERIC
 +        fi
         $AWSCLI_CMD ec2 associate-address  \
             --network-interface-id ${NETWORK_ID} \
             --allocation-id ${ALLOCATION_ID} \
@@ -282,8 +306,10 @@ fi
 ELASTIC_IP="${OCF_RESKEY_elastic_ip}"
 ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
 PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
 -TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
 -INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
 +TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
 +[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
 +INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
 +[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
 case $__OCF_ACTION in
     start)
 diff --git a/heartbeat/awsvip b/heartbeat/awsvip
 index bdb4d68dd..f2b238a0f 100755
 --- a/heartbeat/awsvip
 +++ b/heartbeat/awsvip
@@ -48,12 +48,16 @@ OCF_RESKEY_auth_type_default="key"
 OCF_RESKEY_profile_default="default"
 OCF_RESKEY_region_default=""
 OCF_RESKEY_api_delay_default="3"
 +OCF_RESKEY_curl_retries_default="3"
 +OCF_RESKEY_curl_sleep_default="1"
 : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
 : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
 : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
 : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
 : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
 +: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
 +: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
 meta_data() {
     cat <<END
@@ -124,6 +128,22 @@ a short delay between API calls, to avoid sending API too quick
 <content type="integer" default="${OCF_RESKEY_api_delay_default}" />
 </parameter>
 +<parameter name="curl_retries" unique="0">
 +<longdesc lang="en">
 +curl retries before failing
 +</longdesc>
 +<shortdesc lang="en">curl retries</shortdesc>
 +<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
 +</parameter>
 +
 +<parameter name="curl_sleep" unique="0">
 +<longdesc lang="en">
 +curl sleep between tries
 +</longdesc>
 +<shortdesc lang="en">curl sleep</shortdesc>
 +<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
 +</parameter>
 +
 </parameters>
 <actions>
@@ -246,10 +266,14 @@ if [ -n "${OCF_RESKEY_region}" ]; then
 	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
 fi
 SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
 -TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
 -INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
 -MAC_ADDRESS=$(curl -s http://169.254.169.254/latest/meta-data/mac -H "X-aws-ec2-metadata-token: $TOKEN")
 -NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDRESS}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
 +TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
 +[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
 +INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
 +[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
 +MAC_ADDRESS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/mac")
 +[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
 +NETWORK_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDRESS}/interface-id")
 +[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
 case $__OCF_ACTION in
     start)
--- a/SOURCES/RHEL-44923-aliyun-gcp-fix-bundled-urllib3-CVE-2024-37891.patch
+++ b/SOURCES/RHEL-44923-aliyun-gcp-fix-bundled-urllib3-CVE-2024-37891.patch
@ -1,48 +0,0 @@
 From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
 From: Quentin Pradet <quentin.pradet@gmail.com>
 Date: Mon, 17 Jun 2024 11:09:06 +0400
 Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
 * Strip Proxy-Authorization header on redirects
 * Fix test_retry_default_remove_headers_on_redirect
 * Set release date
 ---
 CHANGES.rst                               |  5 +++++
 src/urllib3/util/retry.py                 |  4 +++-
 test/test_retry.py                        |  6 ++++-
 test/with_dummyserver/test_poolmanager.py | 27 ++++++++++++++++++++---
 4 files changed, 37 insertions(+), 5 deletions(-)
 diff --git a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py
 index 7a76a4a6ad..0456cceba4 100644
 --- a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py
 +++ b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py
@@ -189,7 +189,9 @@ class Retry:
     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
     #: Default headers to be used for ``remove_headers_on_redirect``
 -    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
 +    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
 +        ["Cookie", "Authorization", "Proxy-Authorization"]
 +    )
     #: Default maximum backoff time.
     DEFAULT_BACKOFF_MAX = 120
 diff --git a/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py b/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py
 index 7a76a4a6ad..0456cceba4 100644
 --- a/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py
 +++ b/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py
@@ -189,7 +189,9 @@ class Retry:
     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
     #: Default headers to be used for ``remove_headers_on_redirect``
 -    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
 +    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
 +        ["Cookie", "Authorization", "Proxy-Authorization"]
 +    )
     #: Default maximum backoff time.
     DEFAULT_BACKOFF_MAX = 120
--- a/SOURCES/RHEL-50360-setuptools-fix-CVE-2024-6345.patch
+++ b/SOURCES/RHEL-50360-setuptools-fix-CVE-2024-6345.patch
@ -1,201 +0,0 @@
 --- a/setuptools/package_index.py	1980-01-01 09:00:00.000000000 +0100
 +++ b/setuptools/package_index.py	2024-07-25 10:11:40.537307665 +0200
@@ -1,5 +1,6 @@
 """PyPI and direct package downloading"""
 import sys
 +import subprocess
 import os
 import re
 import shutil
@@ -563,7 +564,7 @@
             scheme = URL_SCHEME(spec)
             if scheme:
                 # It's a url, download it to tmpdir
 -                found = self._download_url(scheme.group(1), spec, tmpdir)
 +                found = self._download_url(spec, tmpdir)
                 base, fragment = egg_info_for_url(spec)
                 if base.endswith('.py'):
                     found = self.gen_setup(found, fragment, tmpdir)
@@ -775,7 +776,7 @@
                 raise DistutilsError("Download error for %s: %s"
                                      % (url, v))
 -    def _download_url(self, scheme, url, tmpdir):
 +    def _download_url(self, url, tmpdir):
         # Determine download filename
         #
         name, fragment = egg_info_for_url(url)
@@ -790,19 +791,59 @@
         filename = os.path.join(tmpdir, name)
 -        # Download the file
 -        #
 -        if scheme == 'svn' or scheme.startswith('svn+'):
 -            return self._download_svn(url, filename)
 -        elif scheme == 'git' or scheme.startswith('git+'):
 -            return self._download_git(url, filename)
 -        elif scheme.startswith('hg+'):
 -            return self._download_hg(url, filename)
 -        elif scheme == 'file':
 -            return urllib.request.url2pathname(urllib.parse.urlparse(url)[2])
 -        else:
 -            self.url_ok(url, True)  # raises error if not allowed
 -            return self._attempt_download(url, filename)
 +        return self._download_vcs(url, filename) or self._download_other(url, filename)
 +
 +    @staticmethod
 +    def _resolve_vcs(url):
 +        """
 +        >>> rvcs = PackageIndex._resolve_vcs
 +        >>> rvcs('git+http://foo/bar')
 +        'git'
 +        >>> rvcs('hg+https://foo/bar')
 +        'hg'
 +        >>> rvcs('git:myhost')
 +        'git'
 +        >>> rvcs('hg:myhost')
 +        >>> rvcs('http://foo/bar')
 +        """
 +        scheme = urllib.parse.urlsplit(url).scheme
 +        pre, sep, post = scheme.partition('+')
 +        # svn and git have their own protocol; hg does not
 +        allowed = set(['svn', 'git'] + ['hg'] * bool(sep))
 +        return next(iter({pre} & allowed), None)
 +
 +    def _download_vcs(self, url, spec_filename):
 +        vcs = self._resolve_vcs(url)
 +        if not vcs:
 +            return
 +        if vcs == 'svn':
 +            raise DistutilsError(
 +                f"Invalid config, SVN download is not supported: {url}"
 +            )
 +
 +        filename, _, _ = spec_filename.partition('#')
 +        url, rev = self._vcs_split_rev_from_url(url)
 +
 +        self.info(f"Doing {vcs} clone from {url} to {filename}")
 +        subprocess.check_call([vcs, 'clone', '--quiet', url, filename])
 +
 +        co_commands = dict(
 +            git=[vcs, '-C', filename, 'checkout', '--quiet', rev],
 +            hg=[vcs, '--cwd', filename, 'up', '-C', '-r', rev, '-q'],
 +        )
 +        if rev is not None:
 +            self.info(f"Checking out {rev}")
 +            subprocess.check_call(co_commands[vcs])
 +
 +        return filename
 +
 +    def _download_other(self, url, filename):
 +        scheme = urllib.parse.urlsplit(url).scheme
 +        if scheme == 'file':  # pragma: no cover
 +            return urllib.request.url2pathname(urllib.parse.urlparse(url).path)
 +        # raise error if not allowed
 +        self.url_ok(url, True)
 +        return self._attempt_download(url, filename)
     def scan_url(self, url):
         self.process_url(url, True)
@@ -829,76 +870,37 @@
         os.unlink(filename)
         raise DistutilsError("Unexpected HTML page found at " + url)
 -    def _download_svn(self, url, filename):
 -        url = url.split('#', 1)[0]  # remove any fragment for svn's sake
 -        creds = ''
 -        if url.lower().startswith('svn:') and '@' in url:
 -            scheme, netloc, path, p, q, f = urllib.parse.urlparse(url)
 -            if not netloc and path.startswith('//') and '/' in path[2:]:
 -                netloc, path = path[2:].split('/', 1)
 -                auth, host = splituser(netloc)
 -                if auth:
 -                    if ':' in auth:
 -                        user, pw = auth.split(':', 1)
 -                        creds = " --username=%s --password=%s" % (user, pw)
 -                    else:
 -                        creds = " --username=" + auth
 -                    netloc = host
 -                    parts = scheme, netloc, url, p, q, f
 -                    url = urllib.parse.urlunparse(parts)
 -        self.info("Doing subversion checkout from %s to %s", url, filename)
 -        os.system("svn checkout%s -q %s %s" % (creds, url, filename))
 -        return filename
 -
     @staticmethod
 -    def _vcs_split_rev_from_url(url, pop_prefix=False):
 -        scheme, netloc, path, query, frag = urllib.parse.urlsplit(url)
 -
 -        scheme = scheme.split('+', 1)[-1]
 -
 -        # Some fragment identification fails
 -        path = path.split('#', 1)[0]
 -
 -        rev = None
 -        if '@' in path:
 -            path, rev = path.rsplit('@', 1)
 -
 -        # Also, discard fragment
 -        url = urllib.parse.urlunsplit((scheme, netloc, path, query, ''))
 -
 -        return url, rev
 -
 -    def _download_git(self, url, filename):
 -        filename = filename.split('#', 1)[0]
 -        url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
 -
 -        self.info("Doing git clone from %s to %s", url, filename)
 -        os.system("git clone --quiet %s %s" % (url, filename))
 +    def _vcs_split_rev_from_url(url):
 +        """
 +        Given a possible VCS URL, return a clean URL and resolved revision if any.
 -        if rev is not None:
 -            self.info("Checking out %s", rev)
 -            os.system("(cd %s && git checkout --quiet %s)" % (
 -                filename,
 -                rev,
 -            ))
 +        >>> vsrfu = PackageIndex._vcs_split_rev_from_url
 +        >>> vsrfu('git+https://github.com/pypa/setuptools@v69.0.0#egg-info=setuptools')
 +        ('https://github.com/pypa/setuptools', 'v69.0.0')
 +        >>> vsrfu('git+https://github.com/pypa/setuptools#egg-info=setuptools')
 +        ('https://github.com/pypa/setuptools', None)
 +        >>> vsrfu('http://foo/bar')
 +        ('http://foo/bar', None)
 +        """
 +        parts = urllib.parse.urlsplit(url)
 -        return filename
 +        clean_scheme = parts.scheme.split('+', 1)[-1]
 -    def _download_hg(self, url, filename):
 -        filename = filename.split('#', 1)[0]
 -        url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
 +        # Some fragment identification fails
 +        no_fragment_path, _, _ = parts.path.partition('#')
 -        self.info("Doing hg clone from %s to %s", url, filename)
 -        os.system("hg clone --quiet %s %s" % (url, filename))
 +        pre, sep, post = no_fragment_path.rpartition('@')
 +        clean_path, rev = (pre, post) if sep else (post, None)
 -        if rev is not None:
 -            self.info("Updating to %s", rev)
 -            os.system("(cd %s && hg up -C -r %s >&-)" % (
 -                filename,
 -                rev,
 -            ))
 +        resolved = parts._replace(
 +            scheme=clean_scheme,
 +            path=clean_path,
 +            # discard the fragment
 +            fragment='',
 +        ).geturl()
 -        return filename
 +        return resolved, rev
     def debug(self, msg, *args):
         log.debug(msg, *args)
--- a/SOURCES/RHEL-61138-nfsserver-also-stop-rpc-statd-for-nfsv4_only.patch
+++ b/SOURCES/RHEL-61138-nfsserver-also-stop-rpc-statd-for-nfsv4_only.patch
@ -1,38 +0,0 @@
 From 38eaf00bc81af7530c56eba282918762a47a9326 Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Thu, 19 Sep 2024 13:01:53 +0200
 Subject: [PATCH] nfsserver: also stop rpc-statd for nfsv4_only to avoid stop
 failing in some cases
 E.g. nfs_no_notify=true nfsv4_only=true nfs_shared_infodir=/nfsmq/nfsinfo would cause a "Failed to unmount a bind mount" error
 ---
 heartbeat/nfsserver | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
 diff --git a/heartbeat/nfsserver b/heartbeat/nfsserver
 index 5793d7a70..fd9268afc 100755
 --- a/heartbeat/nfsserver
 +++ b/heartbeat/nfsserver
@@ -947,15 +947,13 @@ nfsserver_stop ()
 			sleep 1
 		  done
 -		  if ! ocf_is_true "$OCF_RESKEY_nfsv4_only"; then
 -			nfs_exec stop rpc-statd > /dev/null 2>&1
 -			ocf_log info "Stop: rpc-statd"
 -			rpcinfo -t localhost 100024 > /dev/null 2>&1
 -			rc=$?
 -			if [ "$rc" -eq "0" ]; then
 -				ocf_exit_reason "Failed to stop rpc-statd"
 -				return $OCF_ERR_GENERIC
 -			fi
 +		  nfs_exec stop rpc-statd > /dev/null 2>&1
 +		  ocf_log info "Stop: rpc-statd"
 +		  rpcinfo -t localhost 100024 > /dev/null 2>&1
 +		  rc=$?
 +		  if [ "$rc" -eq "0" ]; then
 +		  	ocf_exit_reason "Failed to stop rpc-statd"
 +		  	return $OCF_ERR_GENERIC
 		  fi
 		  nfs_exec stop nfs-idmapd > /dev/null 2>&1
--- a/SOURCES/bz1904465-mysql-common-improve-error-message.patch
+++ b/SOURCES/bz1904465-mysql-common-improve-error-message.patch
@ -1,68 +0,0 @@
 From fcceb714085836de9db4493b527e94d85dd72626 Mon Sep 17 00:00:00 2001
 From: ut002970 <liuxingwei@uniontech.com>
 Date: Wed, 6 Sep 2023 15:27:05 +0800
 Subject: [PATCH 1/3] modify error message
 ---
 heartbeat/mysql-common.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/heartbeat/mysql-common.sh b/heartbeat/mysql-common.sh
 index 8104019b03..a93acc4c60 100755
 --- a/heartbeat/mysql-common.sh
 +++ b/heartbeat/mysql-common.sh
@@ -254,7 +254,7 @@ mysql_common_start()
     while [ $start_wait = 1 ]; do
         if ! ps $pid > /dev/null 2>&1; then
             wait $pid
 -            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), please check your installation"
 +            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), please check your installation, log message you can check $OCF_RESKEY_log"
             return $OCF_ERR_GENERIC
         fi
         mysql_common_status info
 From 8f9b344cd5b3cb96ea0f94b7ab0306da2234ac00 Mon Sep 17 00:00:00 2001
 From: ut002970 <liuxingwei@uniontech.com>
 Date: Wed, 6 Sep 2023 15:56:24 +0800
 Subject: [PATCH 2/3] modify error message
 ---
 heartbeat/mysql-common.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/heartbeat/mysql-common.sh b/heartbeat/mysql-common.sh
 index a93acc4c60..d5b2286737 100755
 --- a/heartbeat/mysql-common.sh
 +++ b/heartbeat/mysql-common.sh
@@ -254,7 +254,7 @@ mysql_common_start()
     while [ $start_wait = 1 ]; do
         if ! ps $pid > /dev/null 2>&1; then
             wait $pid
 -            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), please check your installation, log message you can check $OCF_RESKEY_log"
 +            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), Check $OCF_RESKEY_log for details"
             return $OCF_ERR_GENERIC
         fi
         mysql_common_status info
 From a292b3c552bf3f2beea5f73e0d171546c0a1273c Mon Sep 17 00:00:00 2001
 From: ut002970 <liuxingwei@uniontech.com>
 Date: Wed, 6 Sep 2023 16:10:48 +0800
 Subject: [PATCH 3/3] modify error message
 ---
 heartbeat/mysql-common.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/heartbeat/mysql-common.sh b/heartbeat/mysql-common.sh
 index d5b2286737..d6b4e3cdf4 100755
 --- a/heartbeat/mysql-common.sh
 +++ b/heartbeat/mysql-common.sh
@@ -254,7 +254,7 @@ mysql_common_start()
     while [ $start_wait = 1 ]; do
         if ! ps $pid > /dev/null 2>&1; then
             wait $pid
 -            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), Check $OCF_RESKEY_log for details"
 +            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?). Check $OCF_RESKEY_log for details"
             return $OCF_ERR_GENERIC
         fi
         mysql_common_status info
--- a/SOURCES/bz2039692-mysql-1-replication-fixes.patch
+++ b/SOURCES/bz2039692-mysql-1-replication-fixes.patch
@ -1,70 +0,0 @@
 From 706b48fd93a75a582c538013aea1418b6ed69dd0 Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Thu, 9 Mar 2023 15:57:59 +0100
 Subject: [PATCH] mysql: promotable fixes to avoid nodes getting bounced around
 by setting -v 1/-v 2, and added OCF_CHECK_LEVEL=10 for promotable resources
 to be able to distinguish between promoted and not
 ---
 heartbeat/mysql | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
 diff --git a/heartbeat/mysql b/heartbeat/mysql
 index 9ab49ab20e..29ed427319 100755
 --- a/heartbeat/mysql
 +++ b/heartbeat/mysql
@@ -757,6 +757,10 @@ mysql_monitor() {
         status_loglevel="info"
     fi
 +    if ocf_is_ms; then
 +        OCF_CHECK_LEVEL=10
 +    fi
 +
     mysql_common_status $status_loglevel
     rc=$?
@@ -777,7 +781,13 @@ mysql_monitor() {
         return $rc
     fi
 -    if [ $OCF_CHECK_LEVEL -gt 0 -a -n "$OCF_RESKEY_test_table" ]; then
 +    if [ $OCF_CHECK_LEVEL -eq 10 ]; then
 +        if [ -z "$OCF_RESKEY_test_table" ]; then
 +            ocf_exit_reason "test_table not set"
 +            return $OCF_ERR_CONFIGURED
 +
 +        fi
 +
         # Check if this instance is configured as a slave, and if so
         # check slave status
         if is_slave; then
@@ -795,18 +805,16 @@ mysql_monitor() {
             ocf_exit_reason "Failed to select from $test_table";
             return $OCF_ERR_GENERIC;
         fi
 -    else
 -        # In case no exnteded tests are enabled and we are in master/slave mode _always_ set the master score to 1 if we reached this point
 -        ocf_is_ms && $CRM_MASTER -v 1
     fi
     if ocf_is_ms && ! get_read_only; then
         ocf_log debug "MySQL monitor succeeded (master)";
         # Always set master score for the master
 -        $CRM_MASTER -v 2
 +        $CRM_MASTER -v $((${OCF_RESKEY_max_slave_lag}+1))
         return $OCF_RUNNING_MASTER
     else
         ocf_log debug "MySQL monitor succeeded";
 +        ocf_is_ms && $CRM_MASTER -v 1
         return $OCF_SUCCESS
     fi
 }
@@ -873,7 +881,6 @@ mysql_start() {
         # preference set by the administrator. We choose a low
         # greater-than-zero preference.
         $CRM_MASTER -v 1
 -
     fi
     # Initial monitor action
--- a/SOURCES/bz2039692-mysql-2-fix-demoted-score-bounce.patch
+++ b/SOURCES/bz2039692-mysql-2-fix-demoted-score-bounce.patch
@ -1,32 +0,0 @@
 From 34483f8029ea9ab25220cfee71d53adaf5aacaa0 Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Wed, 14 Jun 2023 14:37:01 +0200
 Subject: [PATCH] mysql: fix promotion_score bouncing between ~3600 and 1 on
 demoted nodes
 ---
 heartbeat/mysql | 11 -----------
 1 file changed, 11 deletions(-)
 diff --git a/heartbeat/mysql b/heartbeat/mysql
 index 29ed42731..1df2fc0f2 100755
 --- a/heartbeat/mysql
 +++ b/heartbeat/mysql
@@ -517,17 +517,6 @@ check_slave() {
                 exit $OCF_ERR_INSTALLED
             fi
 -        elif ocf_is_ms; then
 -            # Even if we're not set to evict lagging slaves, we can
 -            # still use the seconds behind master value to set our
 -            # master preference.
 -            local master_pref
 -            master_pref=$((${OCF_RESKEY_max_slave_lag}-${secs_behind}))
 -            if [ $master_pref -lt 0 ]; then
 -                # Sanitize a below-zero preference to just zero
 -                master_pref=0
 -            fi
 -            $CRM_MASTER -v $master_pref
         fi
         # is the slave ok to have a VIP on it
--- a/SOURCES/bz2040110-IPaddr2-IPsrcaddr-1-support-policy-based-routing.patch
+++ b/SOURCES/bz2040110-IPaddr2-IPsrcaddr-1-support-policy-based-routing.patch
@ -1,84 +0,0 @@
 From 4d87bcfe5df8a1e40ee945e095ac9e7cca147ec4 Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Wed, 29 Jun 2022 10:26:25 +0200
 Subject: [PATCH] IPaddr2/IPsrcaddr: add/modify table parameter to be able to
 find interface while using policy based routing
 ---
 heartbeat/IPaddr2   | 12 ++++++++++++
 heartbeat/IPsrcaddr |  5 ++++-
 heartbeat/findif.sh |  2 +-
 3 files changed, 17 insertions(+), 2 deletions(-)
 diff --git a/heartbeat/IPaddr2 b/heartbeat/IPaddr2
 index 97a7431a2..e8384c586 100755
 --- a/heartbeat/IPaddr2
 +++ b/heartbeat/IPaddr2
@@ -73,6 +73,7 @@ OCF_RESKEY_ip_default=""
 OCF_RESKEY_cidr_netmask_default=""
 OCF_RESKEY_broadcast_default=""
 OCF_RESKEY_iflabel_default=""
 +OCF_RESKEY_table_default=""
 OCF_RESKEY_cidr_netmask_default=""
 OCF_RESKEY_lvs_support_default=false
 OCF_RESKEY_lvs_ipv6_addrlabel_default=false
@@ -97,6 +98,7 @@ OCF_RESKEY_network_namespace_default=""
 : ${OCF_RESKEY_cidr_netmask=${OCF_RESKEY_cidr_netmask_default}}
 : ${OCF_RESKEY_broadcast=${OCF_RESKEY_broadcast_default}}
 : ${OCF_RESKEY_iflabel=${OCF_RESKEY_iflabel_default}}
 +: ${OCF_RESKEY_table=${OCF_RESKEY_table_default}}
 : ${OCF_RESKEY_lvs_support=${OCF_RESKEY_lvs_support_default}}
 : ${OCF_RESKEY_lvs_ipv6_addrlabel=${OCF_RESKEY_lvs_ipv6_addrlabel_default}}
 : ${OCF_RESKEY_lvs_ipv6_addrlabel_value=${OCF_RESKEY_lvs_ipv6_addrlabel_value_default}}
@@ -239,6 +241,16 @@ If a label is specified in nic name, this parameter has no effect.
 <content type="string" default="${OCF_RESKEY_iflabel_default}"/>
 </parameter>
 +<parameter name="table">
 +<longdesc lang="en">
 +Table to use to lookup which interface to use for the IP.
 +
 +This can be used for policy based routing. See man ip-rule(8).
 +</longdesc>
 +<shortdesc lang="en">Table</shortdesc>
 +<content type="string" default="${OCF_RESKEY_table_default}" />
 +</parameter>
 +
 <parameter name="lvs_support">
 <longdesc lang="en">
 Enable support for LVS Direct Routing configurations. In case a IP
 diff --git a/heartbeat/IPsrcaddr b/heartbeat/IPsrcaddr
 index 1bd41a930..cf106cc34 100755
 --- a/heartbeat/IPsrcaddr
 +++ b/heartbeat/IPsrcaddr
@@ -155,13 +155,16 @@ Metric. Only needed if incorrect metric value is used.
 <parameter name="table">
 <longdesc lang="en">
 -Table to modify. E.g. "local".
 +Table to modify and use for interface lookup. E.g. "local".
 The table has to have a route matching the "destination" parameter.
 +
 +This can be used for policy based routing. See man ip-rule(8).
 </longdesc>
 <shortdesc lang="en">Table</shortdesc>
 <content type="string" default="${OCF_RESKEY_table_default}" />
 </parameter>
 +
 </parameters>
 <actions>
 diff --git a/heartbeat/findif.sh b/heartbeat/findif.sh
 index 66bc6d56a..1a40cc9a4 100644
 --- a/heartbeat/findif.sh
 +++ b/heartbeat/findif.sh
@@ -32,7 +32,7 @@ prefixcheck() {
 getnetworkinfo()
 {
   local line netinfo
 -  ip -o -f inet route list match $OCF_RESKEY_ip table local scope host | (while read line;
 +  ip -o -f inet route list match $OCF_RESKEY_ip table "${OCF_RESKEY_table=local}" scope host | (while read line;
   do
     netinfo=`echo $line | awk '{print $2}'`
     case $netinfo in
--- a/SOURCES/bz2040110-IPaddr2-IPsrcaddr-2-fix-table-parameter.patch
+++ b/SOURCES/bz2040110-IPaddr2-IPsrcaddr-2-fix-table-parameter.patch
@ -1,35 +0,0 @@
 From da9e8e691f39494e14f8f11173b6ab6433384396 Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Tue, 20 Jun 2023 14:19:23 +0200
 Subject: [PATCH] findif.sh: fix table parameter so it uses main table by
 default
 ---
 heartbeat/findif.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/heartbeat/findif.sh b/heartbeat/findif.sh
 index 1a40cc9a4b..6c04c98c19 100644
 --- a/heartbeat/findif.sh
 +++ b/heartbeat/findif.sh
@@ -32,7 +32,7 @@ prefixcheck() {
 getnetworkinfo()
 {
   local line netinfo
 -  ip -o -f inet route list match $OCF_RESKEY_ip table "${OCF_RESKEY_table=local}" scope host | (while read line;
 +  ip -o -f inet route list match $OCF_RESKEY_ip table "${OCF_RESKEY_table:=main}" scope host | (while read line;
   do
     netinfo=`echo $line | awk '{print $2}'`
     case $netinfo in
@@ -215,9 +215,9 @@ findif()
   fi
   if [ -n "$nic" ] ; then
     # NIC supports more than two.
 -    set -- $(ip -o -f $family route list match $match $scope | grep "dev $nic " | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
 +    set -- $(ip -o -f $family route list match $match $scope table "${OCF_RESKEY_table:=main}" | grep "dev $nic " | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
   else
 -    set -- $(ip -o -f $family route list match $match $scope | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
 +    set -- $(ip -o -f $family route list match $match $scope table "${OCF_RESKEY_table:=main}" | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
   fi
   if [ $# = 0 ] ; then
     case $OCF_RESKEY_ip in
--- a/SOURCES/bz2149970-lvmlockd-add-use_lvmlockd-if-missing.patch
+++ b/SOURCES/bz2149970-lvmlockd-add-use_lvmlockd-if-missing.patch
@ -1,42 +0,0 @@
 From 2695888c983df331b0fee407a5c69c493a360313 Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Wed, 30 Nov 2022 12:07:05 +0100
 Subject: [PATCH] lvmlockd: add "use_lvmlockd = 1" if it's commented out or
 missing
 ---
 heartbeat/lvmlockd | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
 diff --git a/heartbeat/lvmlockd b/heartbeat/lvmlockd
 index dc7bd2d7e..f4b299f28 100755
 --- a/heartbeat/lvmlockd
 +++ b/heartbeat/lvmlockd
@@ -180,14 +180,23 @@ setup_lvm_config()
 	lock_type=$(echo "$out" | cut -d'=' -f2)
 	if [ -z "$use_lvmlockd" ]; then
 -		ocf_exit_reason "\"use_lvmlockd\" not set in /etc/lvm/lvm.conf ..."
 -		exit $OCF_ERR_CONFIGURED
 -	fi
 +		ocf_log info "adding \"use_lvmlockd=1\" to /etc/lvm/lvm.conf ..."
 +		cat >> /etc/lvm/lvm.conf << EOF
 +
 +global {
 +    use_lvmlockd = 1
 +}
 +EOF
 -	if [ -n "$use_lvmlockd" ] && [ "$use_lvmlockd" != 1 ] ; then
 +		if [ $? -ne 0 ]; then
 +			ocf_exit_reason "unable to add \"use_lvmlockd=1\" to /etc/lvm/lvm.conf ..."
 +			exit $OCF_ERR_CONFIGURED
 +		fi
 +	elif [ "$use_lvmlockd" != 1 ] ; then
 		ocf_log info "setting \"use_lvmlockd=1\" in /etc/lvm/lvm.conf ..."
 		sed -i 's,^[[:blank:]]*use_lvmlockd[[:blank:]]*=.*,\ \ \ \ use_lvmlockd = 1,g' /etc/lvm/lvm.conf
 	fi
 +
 	if [ -n "$lock_type" ] ; then
 		# locking_type was removed from config in v2.03
 		ocf_version_cmp "$(lvmconfig --version | awk '/LVM ver/ {sub(/\(.*/, "", $3); print $3}')" "2.03"
--- a/SOURCES/bz2154727-ethmonitor-dont-log-iface-doesnt-exist-monitor.patch
+++ b/SOURCES/bz2154727-ethmonitor-dont-log-iface-doesnt-exist-monitor.patch
@ -1,24 +0,0 @@
 From e7a748d35fe56f2be727ecae1885a2f1366f41bf Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Wed, 15 Mar 2023 13:03:07 +0100
 Subject: [PATCH] ethmonitor: dont log "Interface does not exist" for
 monitor-action
 ---
 heartbeat/ethmonitor | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/heartbeat/ethmonitor b/heartbeat/ethmonitor
 index 451738a0b5..f9c9ef4bdd 100755
 --- a/heartbeat/ethmonitor
 +++ b/heartbeat/ethmonitor
@@ -271,6 +271,9 @@ if_init() {
 			validate-all)
 				ocf_exit_reason "Interface $NIC does not exist"
 				exit $OCF_ERR_CONFIGURED;;
 +			monitor)
 +				ocf_log debug "Interface $NIC does not exist"
 +				;;
 			*)	
 				## It might be a bond interface which is temporarily not available, therefore we want to continue here
 				ocf_log warn "Interface $NIC does not exist"
--- a/SOURCES/bz2157873-1-all-ras-validate-all-OCF_CHECK_LEVEL-10.patch
+++ b/SOURCES/bz2157873-1-all-ras-validate-all-OCF_CHECK_LEVEL-10.patch
@ -1,137 +0,0 @@
 From bf89ad06d5da5c05533c80a37a37c8dbbcd123aa Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Thu, 8 Dec 2022 15:40:07 +0100
 Subject: [PATCH] galera/mpathpersist/sg_persist/IPsrcaddr: only check notify
 and promotable when OCF_CHECK_LEVEL=10
 Pacemaker has started running validate-all action before creating the
 resource. It doesnt provide notify/promotable settings while doing so,
 so this patch moves these checks to OCF_CHECK_LEVEL 10 and runs the
 validate action at OCF_CHECK_LEVEL 10 in the start-action.
 ---
 heartbeat/IPsrcaddr       | 13 ++++++++-----
 heartbeat/galera.in       |  9 ++++++---
 heartbeat/mpathpersist.in | 13 +++++++++----
 heartbeat/sg_persist.in   | 13 +++++++++----
 4 files changed, 32 insertions(+), 16 deletions(-)
 diff --git a/heartbeat/IPsrcaddr b/heartbeat/IPsrcaddr
 index 1bd41a930..66e2ad8cd 100755
 --- a/heartbeat/IPsrcaddr
 +++ b/heartbeat/IPsrcaddr
@@ -510,11 +510,13 @@ srca_validate_all() {
 	fi
 #	We should serve this IP address of course
 -	if ip_status "$ipaddress"; then
 -	  :
 -	else
 -	  ocf_exit_reason "We are not serving [$ipaddress], hence can not make it a preferred source address"
 -	  return $OCF_ERR_INSTALLED
 +	if [ "$OCF_CHECK_LEVEL" -eq 10 ]; then
 +		if ip_status "$ipaddress"; then
 +			:
 +		else
 +			ocf_exit_reason "We are not serving [$ipaddress], hence can not make it a preferred source address"
 +			return $OCF_ERR_INSTALLED
 +		fi
 	fi
 	return $OCF_SUCCESS
 }
@@ -540,6 +542,7 @@ esac
 ipaddress="$OCF_RESKEY_ipaddress"
 +[ "$__OCF_ACTION" != "validate-all" ] && OCF_CHECK_LEVEL=10
 srca_validate_all
 rc=$?
 if [ $rc -ne $OCF_SUCCESS ]; then
 diff --git a/heartbeat/galera.in b/heartbeat/galera.in
 index cd2fee7c0..6aed3e4b6 100755
 --- a/heartbeat/galera.in
 +++ b/heartbeat/galera.in
@@ -1015,9 +1015,11 @@ galera_stop()
 galera_validate()
 {
 -    if ! ocf_is_ms; then
 -        ocf_exit_reason "Galera must be configured as a multistate Master/Slave resource."
 -        return $OCF_ERR_CONFIGURED
 +    if [ "$OCF_CHECK_LEVEL" -eq 10 ]; then
 +        if ! ocf_is_ms; then
 +            ocf_exit_reason "Galera must be configured as a multistate Master/Slave resource."
 +            return $OCF_ERR_CONFIGURED
 +        fi
     fi
     if [ -z "$OCF_RESKEY_wsrep_cluster_address" ]; then
@@ -1035,6 +1037,7 @@ case "$1" in
         exit $OCF_SUCCESS;;
 esac
 +[ "$__OCF_ACTION" = "start" ] && OCF_CHECK_LEVEL=10
 galera_validate
 rc=$?
 LSB_STATUS_STOPPED=3
 diff --git a/heartbeat/mpathpersist.in b/heartbeat/mpathpersist.in
 index 0e2c2a4a0..8a46b9930 100644
 --- a/heartbeat/mpathpersist.in
 +++ b/heartbeat/mpathpersist.in
@@ -630,10 +630,11 @@ mpathpersist_action_notify() {
 }
 mpathpersist_action_validate_all () {
 -
 -    if [ "$OCF_RESKEY_CRM_meta_master_max" != "1" ] && [ "$RESERVATION_TYPE"  != "7" ] && [ "$RESERVATION_TYPE" != "8" ]; then
 -        ocf_log err "Master options misconfigured."
 -        exit $OCF_ERR_CONFIGURED
 +    if [ "$OCF_CHECK_LEVEL" -eq 10 ]; then
 +        if [ "$OCF_RESKEY_CRM_meta_master_max" != "1" ] && [ "$RESERVATION_TYPE"  != "7" ] && [ "$RESERVATION_TYPE" != "8" ]; then
 +            ocf_log err "Master options misconfigured."
 +            exit $OCF_ERR_CONFIGURED
 +        fi
     fi
     return $OCF_SUCCESS
@@ -659,6 +660,10 @@ case $ACTION in
     start|promote|monitor|stop|demote)
         ocf_log debug "$RESOURCE: starting action \"$ACTION\""
         mpathpersist_init
 +        if [ "$__OCF_ACTION" = "start" ]; then
 +            OCF_CHECK_LEVEL=10
 +            mpathpersist_action_validate_all
 +        fi
         mpathpersist_action_$ACTION
         exit $?
         ;;
 diff --git a/heartbeat/sg_persist.in b/heartbeat/sg_persist.in
 index 16048ea6f..620c02f4a 100644
 --- a/heartbeat/sg_persist.in
 +++ b/heartbeat/sg_persist.in
@@ -643,10 +643,11 @@ sg_persist_action_notify() {
 }
 sg_persist_action_validate_all () {
 -
 -    if [ "$OCF_RESKEY_CRM_meta_master_max" != "1" ] && [ "$RESERVATION_TYPE"  != "7" ] && [ "$RESERVATION_TYPE" != "8" ]; then
 -        ocf_log err "Master options misconfigured."
 -        exit $OCF_ERR_CONFIGURED
 +    if [ "$OCF_CHECK_LEVEL" -eq 10 ]; then
 +        if [ "$OCF_RESKEY_CRM_meta_master_max" != "1" ] && [ "$RESERVATION_TYPE"  != "7" ] && [ "$RESERVATION_TYPE" != "8" ]; then
 +            ocf_log err "Master options misconfigured."
 +            exit $OCF_ERR_CONFIGURED
 +        fi
     fi
     return $OCF_SUCCESS
@@ -672,6 +673,10 @@ case $ACTION in
     start|promote|monitor|stop|demote)
         ocf_log debug "$RESOURCE: starting action \"$ACTION\""
         sg_persist_init
 +        if [ "$__OCF_ACTION" = "start" ]; then
 +            OCF_CHECK_LEVEL=10
 +            sg_persist_action_validate_all
 +        fi
         sg_persist_action_$ACTION
         exit $?
         ;;
--- a/SOURCES/bz2157873-2-Filesystem-CTDB-validate-all-improvements.patch
+++ b/SOURCES/bz2157873-2-Filesystem-CTDB-validate-all-improvements.patch
@ -1,49 +0,0 @@
 From 21666c5c842b8a6028699ee78db75a1d7134fad0 Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Wed, 4 Jan 2023 10:39:16 +0100
 Subject: [PATCH 1/2] Filesystem: remove validate-all mountpoint warning as it
 is auto-created during start-action if it doesnt exist
 ---
 heartbeat/Filesystem | 4 ----
 1 file changed, 4 deletions(-)
 diff --git a/heartbeat/Filesystem b/heartbeat/Filesystem
 index 44270ad98..65088029e 100755
 --- a/heartbeat/Filesystem
 +++ b/heartbeat/Filesystem
@@ -851,10 +851,6 @@ Filesystem_monitor()
 #
 Filesystem_validate_all()
 {
 -	if [ -n "$MOUNTPOINT" ] && [ ! -d "$MOUNTPOINT" ]; then
 -		ocf_log warn "Mountpoint $MOUNTPOINT does not exist"
 -	fi
 -
 	# Check if the $FSTYPE is workable
 	# NOTE: Without inserting the $FSTYPE module, this step may be imprecise
 	# TODO: This is Linux specific crap.
 From 8a7f40b6ab93d8d39230d864ab06a57ff48d6f1f Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Thu, 5 Jan 2023 13:09:48 +0100
 Subject: [PATCH 2/2] CTDB: change public_addresses validate-all warning to
 info
 ---
 heartbeat/CTDB.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/heartbeat/CTDB.in b/heartbeat/CTDB.in
 index 46f56cfac..b4af66bc1 100755
 --- a/heartbeat/CTDB.in
 +++ b/heartbeat/CTDB.in
@@ -940,7 +940,7 @@ ctdb_validate() {
 	fi
 	if [ -f "${OCF_RESKEY_ctdb_config_dir}/public_addresses" ]; then
 -		ocf_log warn "CTDB file '${OCF_RESKEY_ctdb_config_dir}/public_addresses' exists - CTDB will try to manage IP failover!"
 +		ocf_log info "CTDB file '${OCF_RESKEY_ctdb_config_dir}/public_addresses' exists - CTDB will try to manage IP failover!"
 	fi
 	if [ ! -f "$OCF_RESKEY_ctdb_config_dir/nodes" ]; then
--- a/SOURCES/bz2157873-3-pgsqlms-validate-all-OCF_CHECK_LEVEL-10.patch
+++ b/SOURCES/bz2157873-3-pgsqlms-validate-all-OCF_CHECK_LEVEL-10.patch
@ -1,68 +0,0 @@
 --- a/heartbeat/pgsqlms	2023-01-04 14:42:36.093258702 +0100
 +++ b/heartbeat/pgsqlms	2023-01-04 14:40:52.403994545 +0100
@@ -66,6 +66,7 @@
 my $maxlag       = $ENV{'OCF_RESKEY_maxlag'} || $maxlag_default;
 my $recovery_tpl = $ENV{'OCF_RESKEY_recovery_template'}
     || "$pgdata/recovery.conf.pcmk";
 +my $ocf_check_level = $ENV{'OCF_CHECK_LEVEL'} || 0;
 # PostgreSQL commands path
@@ -1304,26 +1305,28 @@
         return $OCF_ERR_INSTALLED;
     }
 -    # check notify=true
 -    $ans = qx{ $CRM_RESOURCE --resource "$OCF_RESOURCE_INSTANCE" \\
 -                 --meta --get-parameter notify 2>/dev/null };
 -    chomp $ans;
 -    unless ( lc($ans) =~ /^true$|^on$|^yes$|^y$|^1$/ ) {
 -        ocf_exit_reason(
 -            'You must set meta parameter notify=true for your master resource'
 -        );
 -        return $OCF_ERR_INSTALLED;
 -    }
 +    if ( $ocf_check_level == 10 ) {
 +        # check notify=true
 +        $ans = qx{ $CRM_RESOURCE --resource "$OCF_RESOURCE_INSTANCE" \\
 +                     --meta --get-parameter notify 2>/dev/null };
 +        chomp $ans;
 +        unless ( lc($ans) =~ /^true$|^on$|^yes$|^y$|^1$/ ) {
 +            ocf_exit_reason(
 +                'You must set meta parameter notify=true for your "master" resource'
 +            );
 +            return $OCF_ERR_INSTALLED;
 +        }
 -    # check master-max=1
 -    unless (
 -        defined $ENV{'OCF_RESKEY_CRM_meta_master_max'}
 -            and $ENV{'OCF_RESKEY_CRM_meta_master_max'} eq '1'
 -    ) {
 -        ocf_exit_reason(
 -            'You must set meta parameter master-max=1 for your master resource'
 -        );
 -        return $OCF_ERR_INSTALLED;
 +        # check master-max=1
 +        unless (
 +            defined $ENV{'OCF_RESKEY_CRM_meta_master_max'}
 +                and $ENV{'OCF_RESKEY_CRM_meta_master_max'} eq '1'
 +        ) {
 +            ocf_exit_reason(
 +                'You must set meta parameter master-max=1 for your "master" resource'
 +            );
 +            return $OCF_ERR_INSTALLED;
 +        }
     }
     if ( $PGVERNUM >= $PGVER_12 ) {
@@ -2242,6 +2245,9 @@
 # Set current node name.
 $nodename = ocf_local_nodename();
 +if ( $__OCF_ACTION ne 'validate-all' ) {
 +    $ocf_check_level = 10;
 +}
 $exit_code = pgsql_validate_all();
 exit $exit_code if $exit_code != $OCF_SUCCESS or $__OCF_ACTION eq 'validate-all';
--- a/SOURCES/bz2157873-4-exportfs-pgsql-validate-all-fixes.patch
+++ b/SOURCES/bz2157873-4-exportfs-pgsql-validate-all-fixes.patch
@ -1,187 +0,0 @@
 From 81f9e1a04dfd2274ccb906310b4f191485e342ab Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Wed, 11 Jan 2023 13:22:24 +0100
 Subject: [PATCH 1/2] exportfs: move testdir() to start-action to avoid failing
 during resource creation (validate-all) and make it create the directory if
 it doesnt exist
 ---
 heartbeat/exportfs | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)
 diff --git a/heartbeat/exportfs b/heartbeat/exportfs
 index c10777fa9..2307a9e67 100755
 --- a/heartbeat/exportfs
 +++ b/heartbeat/exportfs
@@ -301,6 +301,16 @@ exportfs_monitor ()
 	fi
 }
 +testdir() {
 +	if [ ! -d $1 ]; then
 +		mkdir -p "$1"
 +		if [ $? -ne 0 ]; then
 +			ocf_exit_reason "Unable to create directory $1"
 +			return 1
 +		fi
 +	fi
 +	return 0
 +}
 export_one() {
 	local dir=$1
 	local opts sep
@@ -331,6 +341,10 @@ export_one() {
 }
 exportfs_start ()
 {
 +	if ! forall testdir; then
 +		return $OCF_ERR_INSTALLED
 +	fi
 +
 	if exportfs_monitor; then
 		ocf_log debug "already exported"
 		return $OCF_SUCCESS
@@ -428,14 +442,6 @@ exportfs_stop ()
 	fi
 }
 -testdir() {
 -	if [ ! -d $1 ]; then
 -		ocf_is_probe ||
 -			ocf_log err "$1 does not exist or is not a directory"
 -		return 1
 -	fi
 -	return 0
 -}
 exportfs_validate_all ()
 {
 	if echo "$OCF_RESKEY_fsid" | grep -q -F ','; then
@@ -447,9 +453,6 @@ exportfs_validate_all ()
 		ocf_exit_reason "use integer fsid when exporting multiple directories"
 		return $OCF_ERR_CONFIGURED
 	fi
 -	if ! forall testdir; then
 -		return $OCF_ERR_INSTALLED
 -	fi
 }
 for dir in $OCF_RESKEY_directory; do
@@ -466,7 +469,7 @@ for dir in $OCF_RESKEY_directory; do
 		fi
 	else
 		case "$__OCF_ACTION" in
 -			stop|monitor)
 +			stop|monitor|validate-all)
 				canonicalized_dir="$dir"
 				ocf_log debug "$dir does not exist"
 				;;
 From 8ee41af82cda35149f8e0cfede6a8ddef3e221e1 Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Wed, 11 Jan 2023 13:25:57 +0100
 Subject: [PATCH 2/2] pgsql: dont run promotable and file checks that could be
 on shared storage during validate-all action
 ---
 heartbeat/pgsql | 53 +++++++++++++++++++++++++++++--------------------
 1 file changed, 32 insertions(+), 21 deletions(-)
 diff --git a/heartbeat/pgsql b/heartbeat/pgsql
 index aa8a13a84..532063ac5 100755
 --- a/heartbeat/pgsql
 +++ b/heartbeat/pgsql
@@ -1835,7 +1835,7 @@ check_config() {
     if [ ! -f "$1" ]; then
         if ocf_is_probe; then
 -           ocf_log info "Configuration file is $1 not readable during probe."
 +           ocf_log info "Unable to read $1 during probe."
            rc=1
         else
            ocf_exit_reason "Configuration file $1 doesn't exist"
@@ -1846,8 +1846,7 @@ check_config() {
     return $rc
 }
 -# Validate most critical parameters
 -pgsql_validate_all() {
 +validate_ocf_check_level_10() {
     local version
     local check_config_rc
     local rep_mode_string
@@ -1883,12 +1882,6 @@ pgsql_validate_all() {
         fi
     fi
 -    getent passwd $OCF_RESKEY_pgdba >/dev/null 2>&1
 -    if [ ! $? -eq 0 ]; then
 -        ocf_exit_reason "User $OCF_RESKEY_pgdba doesn't exist";
 -        return $OCF_ERR_INSTALLED;
 -    fi
 -
     if ocf_is_probe; then
         ocf_log info "Don't check $OCF_RESKEY_pgdata during probe"
     else
@@ -1898,18 +1891,6 @@ pgsql_validate_all() {
         fi
     fi
 -    if [ -n "$OCF_RESKEY_monitor_user" -a ! -n "$OCF_RESKEY_monitor_password" ]
 -    then
 -        ocf_exit_reason "monitor password can't be empty"
 -        return $OCF_ERR_CONFIGURED
 -    fi
 -
 -    if [ ! -n "$OCF_RESKEY_monitor_user" -a -n "$OCF_RESKEY_monitor_password" ]
 -    then
 -        ocf_exit_reason "monitor_user has to be set if monitor_password is set"
 -        return $OCF_ERR_CONFIGURED
 -    fi
 -
     if is_replication || [ "$OCF_RESKEY_rep_mode" = "slave" ]; then
         if [ `printf "$version\n9.1" | sort -n | head -1` != "9.1" ]; then
             ocf_exit_reason "Replication mode needs PostgreSQL 9.1 or higher."
@@ -2027,6 +2008,35 @@ pgsql_validate_all() {
     return $OCF_SUCCESS
 }
 +# Validate most critical parameters
 +pgsql_validate_all() {
 +    local rc
 +
 +    getent passwd $OCF_RESKEY_pgdba >/dev/null 2>&1
 +    if [ ! $? -eq 0 ]; then
 +        ocf_exit_reason "User $OCF_RESKEY_pgdba doesn't exist";
 +        return $OCF_ERR_INSTALLED;
 +    fi
 +
 +    if [ -n "$OCF_RESKEY_monitor_user" ] && [ -z "$OCF_RESKEY_monitor_password" ]; then
 +        ocf_exit_reason "monitor password can't be empty"
 +        return $OCF_ERR_CONFIGURED
 +    fi
 +
 +    if [ -z "$OCF_RESKEY_monitor_user" ] && [ -n "$OCF_RESKEY_monitor_password" ]; then
 +        ocf_exit_reason "monitor_user has to be set if monitor_password is set"
 +        return $OCF_ERR_CONFIGURED
 +    fi
 +
 +    if [ "$OCF_CHECK_LEVEL" -eq 10 ]; then
 +        validate_ocf_check_level_10
 +	rc=$?
 +	[ $rc -ne "$OCF_SUCCESS" ] && exit $rc
 +    fi
 +
 +    return $OCF_SUCCESS
 +}
 +
 #
 # Check if we need to create a log file
@@ -2163,6 +2173,7 @@ case "$1" in
                 exit $OCF_SUCCESS;;
 esac
 +[ "$__OCF_ACTION" != "validate-all" ] && OCF_CHECK_LEVEL=10
 pgsql_validate_all
 rc=$?
--- a/SOURCES/bz2157873-5-pgsqlms-alidate-all-OCF_CHECK_LEVEL-10.patch
+++ b/SOURCES/bz2157873-5-pgsqlms-alidate-all-OCF_CHECK_LEVEL-10.patch
@ -1,23 +0,0 @@
 --- ClusterLabs-resource-agents-fd0720f7/heartbeat/pgsqlms	2023-01-16 10:54:30.897188238 +0100
 +++ pgsqlms	2023-01-10 14:21:19.281286242 +0100
@@ -1351,12 +1351,14 @@
             return $OCF_ERR_ARGS;
         }
 -        $guc = qx{ $POSTGRES -C primary_conninfo -D "$pgdata" $start_opts};
 -        unless ($guc =~ /\bapplication_name='?$nodename'?\b/) {
 -            ocf_exit_reason(
 -                q{Parameter "primary_conninfo" MUST contain 'application_name=%s'. }.
 -                q{It is currently set to '%s'}, $nodename, $guc );
 -            return $OCF_ERR_ARGS;
 +        if ( $ocf_check_level == 10 ) {
 +            $guc = qx{ $POSTGRES -C primary_conninfo -D "$pgdata" $start_opts};
 +            unless ($guc =~ /\bapplication_name='?$nodename'?\b/) {
 +                ocf_exit_reason(
 +                    q{Parameter "primary_conninfo" MUST contain 'application_name=%s'. }.
 +                    q{It is currently set to '%s'}, $nodename, $guc );
 +                return $OCF_ERR_ARGS;
 +            }
         }
     }
     else {
--- a/SOURCES/bz2181019-azure-events-1-fix-no-transition-summary.patch
+++ b/SOURCES/bz2181019-azure-events-1-fix-no-transition-summary.patch
@ -1,54 +0,0 @@
 From 81bb58b05d2ddabd17fe31af39f0e857e61db3c9 Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Tue, 28 Mar 2023 16:53:45 +0200
 Subject: [PATCH] azure-events*: fix for no "Transition Summary" for Pacemaker
 2.1+
 ---
 heartbeat/azure-events-az.in | 8 ++++----
 heartbeat/azure-events.in    | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)
 diff --git a/heartbeat/azure-events-az.in b/heartbeat/azure-events-az.in
 index 59d0953061..67c02c6422 100644
 --- a/heartbeat/azure-events-az.in
 +++ b/heartbeat/azure-events-az.in
@@ -311,10 +311,10 @@ class clusterHelper:
 		summary = clusterHelper._exec("crm_simulate", "-Ls")
 		if not summary:
 			ocf.logger.warning("transitionSummary: could not load transition summary")
 -			return False
 +			return ""
 		if summary.find("Transition Summary:") < 0:
 -			ocf.logger.warning("transitionSummary: received unexpected transition summary: %s" % summary)
 -			return False
 +			ocf.logger.debug("transitionSummary: no transactions: %s" % summary)
 +			return ""
 		summary = summary.split("Transition Summary:")[1]
 		ret = summary.split("\n").pop(0)
@@ -768,4 +768,4 @@ def main():
 	agent.run()
 if __name__ == '__main__':
 -	main()
 \ No newline at end of file
 +	main()
 diff --git a/heartbeat/azure-events.in b/heartbeat/azure-events.in
 index 66e129060a..5ad658df93 100644
 --- a/heartbeat/azure-events.in
 +++ b/heartbeat/azure-events.in
@@ -310,10 +310,10 @@ class clusterHelper:
 		summary = clusterHelper._exec("crm_simulate", "-Ls")
 		if not summary:
 			ocf.logger.warning("transitionSummary: could not load transition summary")
 -			return False
 +			return ""
 		if summary.find("Transition Summary:") < 0:
 -			ocf.logger.warning("transitionSummary: received unexpected transition summary: %s" % summary)
 -			return False
 +			ocf.logger.debug("transitionSummary: no transactions: %s" % summary)
 +			return ""
 		summary = summary.split("Transition Summary:")[1]
 		ret = summary.split("\n").pop(0)
--- a/SOURCES/bz2181019-azure-events-2-improve-logic.patch
+++ b/SOURCES/bz2181019-azure-events-2-improve-logic.patch
@ -1,77 +0,0 @@
 From ff53e5c8d6867e580506d132fba6fcf6aa46b804 Mon Sep 17 00:00:00 2001
 From: Peter Varkoly <varkoly@suse.com>
 Date: Sat, 29 Apr 2023 08:09:11 +0200
 Subject: [PATCH] Use -LS instead of -Ls as parameter to get the Transition
 Summary
 ---
 heartbeat/azure-events-az.in | 9 +++++----
 heartbeat/azure-events.in    | 9 +++++----
 2 files changed, 10 insertions(+), 8 deletions(-)
 diff --git a/heartbeat/azure-events-az.in b/heartbeat/azure-events-az.in
 index 67c02c642..46d4d1f3d 100644
 --- a/heartbeat/azure-events-az.in
 +++ b/heartbeat/azure-events-az.in
@@ -298,7 +298,7 @@ class clusterHelper:
 		Get the current Pacemaker transition summary (used to check if all resources are stopped when putting a node standby)
 		"""
 		# <tniek> Is a global crm_simulate "too much"? Or would it be sufficient it there are no planned transitions for a particular node?
 -		# # crm_simulate -Ls
 +		# # crm_simulate -LS
 		# 	Transition Summary:
 		# 	 * Promote rsc_SAPHana_HN1_HDB03:0      (Slave -> Master hsr3-db1)
 		# 	 * Stop    rsc_SAPHana_HN1_HDB03:1      (hsr3-db0)
@@ -308,15 +308,16 @@ class clusterHelper:
 		# 	Transition Summary:
 		ocf.logger.debug("transitionSummary: begin")
 -		summary = clusterHelper._exec("crm_simulate", "-Ls")
 +		summary = clusterHelper._exec("crm_simulate", "-LS")
 		if not summary:
 			ocf.logger.warning("transitionSummary: could not load transition summary")
 			return ""
 		if summary.find("Transition Summary:") < 0:
 			ocf.logger.debug("transitionSummary: no transactions: %s" % summary)
 			return ""
 -		summary = summary.split("Transition Summary:")[1]
 -		ret = summary.split("\n").pop(0)
 +		j=summary.find('Transition Summary:') + len('Transition Summary:')
 +		l=summary.lower().find('executing cluster transition:')
 +		ret = list(filter(str.strip, summary[j:l].split("\n")))
 		ocf.logger.debug("transitionSummary: finished; return = %s" % str(ret))
 		return ret
 diff --git a/heartbeat/azure-events.in b/heartbeat/azure-events.in
 index 5ad658df9..90acaba62 100644
 --- a/heartbeat/azure-events.in
 +++ b/heartbeat/azure-events.in
@@ -297,7 +297,7 @@ class clusterHelper:
 		Get the current Pacemaker transition summary (used to check if all resources are stopped when putting a node standby)
 		"""
 		# <tniek> Is a global crm_simulate "too much"? Or would it be sufficient it there are no planned transitions for a particular node?
 -		# # crm_simulate -Ls
 +		# # crm_simulate -LS
 		# 	Transition Summary:
 		# 	 * Promote rsc_SAPHana_HN1_HDB03:0      (Slave -> Master hsr3-db1)
 		# 	 * Stop    rsc_SAPHana_HN1_HDB03:1      (hsr3-db0)
@@ -307,15 +307,16 @@ class clusterHelper:
 		# 	Transition Summary:
 		ocf.logger.debug("transitionSummary: begin")
 -		summary = clusterHelper._exec("crm_simulate", "-Ls")
 +		summary = clusterHelper._exec("crm_simulate", "-LS")
 		if not summary:
 			ocf.logger.warning("transitionSummary: could not load transition summary")
 			return ""
 		if summary.find("Transition Summary:") < 0:
 			ocf.logger.debug("transitionSummary: no transactions: %s" % summary)
 			return ""
 -		summary = summary.split("Transition Summary:")[1]
 -		ret = summary.split("\n").pop(0)
 +		j=summary.find('Transition Summary:') + len('Transition Summary:')
 +		l=summary.lower().find('executing cluster transition:')
 +		ret = list(filter(str.strip, summary[j:l].split("\n")))
 		ocf.logger.debug("transitionSummary: finished; return = %s" % str(ret))
 		return ret
--- a/SOURCES/bz2183152-Filesystem-fail-efs-utils-not-installed.patch
+++ b/SOURCES/bz2183152-Filesystem-fail-efs-utils-not-installed.patch
@ -1,23 +0,0 @@
 From b02b06c437b1d8cb1dcfe8ace47c2efc4a0e476c Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Thu, 30 Mar 2023 14:44:41 +0200
 Subject: [PATCH] Filesystem: fail if AWS efs-utils not installed when
 fstype=efs
 ---
 heartbeat/Filesystem | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/heartbeat/Filesystem b/heartbeat/Filesystem
 index 65088029ec..50c68f115b 100755
 --- a/heartbeat/Filesystem
 +++ b/heartbeat/Filesystem
@@ -456,7 +456,7 @@ fstype_supported()
 	# System (EFS)
 	case "$FSTYPE" in
 		fuse.*|glusterfs|rozofs) support="fuse";;
 -		efs) support="nfs4";;
 +		efs) check_binary "mount.efs"; support="nfs4";;
 	esac
 	if [ "$support" != "$FSTYPE" ]; then
--- a/SOURCES/bz2189243-Filesystem-1-improve-stop-action.patch
+++ b/SOURCES/bz2189243-Filesystem-1-improve-stop-action.patch
@ -1,125 +0,0 @@
 From 48ed6e6d6510f42743e4463970e27f05637e4982 Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Tue, 4 Jul 2023 14:40:19 +0200
 Subject: [PATCH] Filesystem: improve stop-action and allow setting term/kill
 signals and signal_delay for large filesystems
 ---
 heartbeat/Filesystem | 80 ++++++++++++++++++++++++++++++++++++++------
 1 file changed, 70 insertions(+), 10 deletions(-)
 diff --git a/heartbeat/Filesystem b/heartbeat/Filesystem
 index 65a9dffb5..fe608ebfd 100755
 --- a/heartbeat/Filesystem
 +++ b/heartbeat/Filesystem
@@ -71,6 +71,9 @@ OCF_RESKEY_run_fsck_default="auto"
 OCF_RESKEY_fast_stop_default="no"
 OCF_RESKEY_force_clones_default="false"
 OCF_RESKEY_force_unmount_default="true"
 +OCF_RESKEY_term_signals_default="TERM"
 +OCF_RESKEY_kill_signals_default="KILL"
 +OCF_RESKEY_signal_delay_default="1"
 # RHEL specific defaults
 if is_redhat_based; then
@@ -104,6 +107,9 @@ if [ -z "${OCF_RESKEY_fast_stop}" ]; then
 fi
 : ${OCF_RESKEY_force_clones=${OCF_RESKEY_force_clones_default}}
 : ${OCF_RESKEY_force_unmount=${OCF_RESKEY_force_unmount_default}}
 +: ${OCF_RESKEY_term_signals=${OCF_RESKEY_term_signals_default}}
 +: ${OCF_RESKEY_kill_signals=${OCF_RESKEY_kill_signals_default}}
 +: ${OCF_RESKEY_signal_delay=${OCF_RESKEY_signal_delay_default}}
 # Variables used by multiple methods
 HOSTOS=$(uname)
@@ -266,6 +272,30 @@ block if unresponsive nfs mounts are in use on the system.
 <content type="boolean" default="${OCF_RESKEY_force_unmount_default}" />
 </parameter>
 +<parameter name="term_signals">
 +<longdesc lang="en">
 +Signals (names or numbers, whitespace separated) to send processes during graceful termination phase in stop-action.
 +</longdesc>
 +<shortdesc lang="en">Signals (names or numbers, whitespace separated) to send processes during graceful termination phase in stop-action</shortdesc>
 +<content type="boolean" default="${OCF_RESKEY_term_signals_default}" />
 +</parameter>
 +
 +<parameter name="kill_signals">
 +<longdesc lang="en">
 +Signals (names or numbers, whitespace separated) to send processes during forceful killing phase in stop-action.
 +</longdesc>
 +<shortdesc lang="en">Signals (names or numbers, whitespace separated) to send processes during forceful killing phase in stop-action</shortdesc>
 +<content type="boolean" default="${OCF_RESKEY_kill_signals_default}" />
 +</parameter>
 +
 +<parameter name="signal_delay">
 +<longdesc lang="en">
 +How many seconds to wait after sending term/kill signals to processes in stop-action.
 +</longdesc>
 +<shortdesc lang="en">How many seconds to wait after sending term/kill signals to processes in stop-action</shortdesc>
 +<content type="boolean" default="${OCF_RESKEY_kill_signal_delay}" />
 +</parameter>
 +
 </parameters>
 <actions>
@@ -663,19 +693,49 @@ try_umount() {
 	}
 	return $OCF_ERR_GENERIC
 }
 -fs_stop() {
 -	local SUB="$1" timeout=$2 sig cnt
 -	for sig in TERM KILL; do
 -		cnt=$((timeout/2)) # try half time with TERM
 -		while [ $cnt -gt 0 ]; do
 -			try_umount "$SUB" &&
 -				return $OCF_SUCCESS
 -			ocf_exit_reason "Couldn't unmount $SUB; trying cleanup with $sig"
 +timeout_child() {
 +	local pid="$1" timeout="$2" killer ret
 +
 +	# start job in the background that will KILL the given process after timeout expires
 +	sleep $timeout && kill -s KILL $pid &
 +	killer=$!
 +
 +	# block until the child process either exits on its own or gets killed by the above killer pipeline
 +	wait $pid
 +	ret=$?
 +
 +	# ret would be 127 + child exit code if the timeout expired
 +	[ $ret -lt 128 ] && kill -s KILL $killer
 +	return $ret
 +}
 +fs_stop_loop() {
 +	local SUB="$1" signals="$2" sig
 +	while true; do
 +		for sig in $signals; do
 			signal_processes "$SUB" $sig
 -			cnt=$((cnt-1))
 -			sleep 1
 		done
 +		sleep $OCF_RESKEY_signal_delay
 +		try_umount "$SUB" && return $OCF_SUCCESS
 	done
 +}
 +fs_stop() {
 +	local SUB="$1" timeout=$2 grace_time ret
 +	grace_time=$((timeout/2))
 +
 +	# try gracefully terminating processes for up to half of the configured timeout
 +	fs_stop_loop "$SUB" "$OCF_RESKEY_term_signals" &
 +	timeout_child $! $grace_time
 +	ret=$?
 +	[ $ret -eq $OCF_SUCCESS ] && return $ret
 +
 +	# try killing them for the rest of the timeout
 +	fs_stop_loop "$SUB" "$OCF_RESKEY_kill_signals" &
 +	timeout_child $! $grace_time
 +	ret=$?
 +	[ $ret -eq $OCF_SUCCESS ] && return $ret
 +
 +	# timeout expired
 +	ocf_exit_reason "Couldn't unmount $SUB within given timeout"
 	return $OCF_ERR_GENERIC
 }
--- a/SOURCES/bz2189243-Filesystem-2-fix-incorrect-parameter-types.patch
+++ b/SOURCES/bz2189243-Filesystem-2-fix-incorrect-parameter-types.patch
@ -1,49 +0,0 @@
 From 7056635f3f94c1bcaaa5ed5563dc3b0e9f6749e0 Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Tue, 18 Jul 2023 14:12:27 +0200
 Subject: [PATCH] Filesystem: dont use boolean type for non-boolean parameters
 ---
 heartbeat/Filesystem | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 diff --git a/heartbeat/Filesystem b/heartbeat/Filesystem
 index ee55a4843..b9aae8d50 100755
 --- a/heartbeat/Filesystem
 +++ b/heartbeat/Filesystem
@@ -269,7 +269,7 @@ fuser cli tool. fuser is known to perform operations that can potentially
 block if unresponsive nfs mounts are in use on the system.
 </longdesc>
 <shortdesc lang="en">Kill processes before unmount</shortdesc>
 -<content type="boolean" default="${OCF_RESKEY_force_unmount_default}" />
 +<content type="string" default="${OCF_RESKEY_force_unmount_default}" />
 </parameter>
 <parameter name="term_signals">
@@ -277,7 +277,7 @@ block if unresponsive nfs mounts are in use on the system.
 Signals (names or numbers, whitespace separated) to send processes during graceful termination phase in stop-action.
 </longdesc>
 <shortdesc lang="en">Signals (names or numbers, whitespace separated) to send processes during graceful termination phase in stop-action</shortdesc>
 -<content type="boolean" default="${OCF_RESKEY_term_signals_default}" />
 +<content type="string" default="${OCF_RESKEY_term_signals_default}" />
 </parameter>
 <parameter name="kill_signals">
@@ -285,7 +285,7 @@ Signals (names or numbers, whitespace separated) to send processes during gracef
 Signals (names or numbers, whitespace separated) to send processes during forceful killing phase in stop-action.
 </longdesc>
 <shortdesc lang="en">Signals (names or numbers, whitespace separated) to send processes during forceful killing phase in stop-action</shortdesc>
 -<content type="boolean" default="${OCF_RESKEY_kill_signals_default}" />
 +<content type="string" default="${OCF_RESKEY_kill_signals_default}" />
 </parameter>
 <parameter name="signal_delay">
@@ -293,7 +293,7 @@ Signals (names or numbers, whitespace separated) to send processes during forcef
 How many seconds to wait after sending term/kill signals to processes in stop-action.
 </longdesc>
 <shortdesc lang="en">How many seconds to wait after sending term/kill signals to processes in stop-action</shortdesc>
 -<content type="boolean" default="${OCF_RESKEY_kill_signal_delay}" />
 +<content type="string" default="${OCF_RESKEY_kill_signal_delay}" />
 </parameter>
 </parameters>
--- a/SOURCES/bz2189243-Filesystem-3-fix-signal_delay-default-value.patch
+++ b/SOURCES/bz2189243-Filesystem-3-fix-signal_delay-default-value.patch
@ -1,23 +0,0 @@
 From f779fad52e5f515ca81218da6098398bdecac286 Mon Sep 17 00:00:00 2001
 From: Oyvind Albrigtsen <oalbrigt@redhat.com>
 Date: Thu, 20 Jul 2023 10:18:12 +0200
 Subject: [PATCH] Filesystem: fix incorrect variable name for signal_delay
 default in metadata
 ---
 heartbeat/Filesystem | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/heartbeat/Filesystem b/heartbeat/Filesystem
 index b9aae8d50..066562891 100755
 --- a/heartbeat/Filesystem
 +++ b/heartbeat/Filesystem
@@ -293,7 +293,7 @@ Signals (names or numbers, whitespace separated) to send processes during forcef
 How many seconds to wait after sending term/kill signals to processes in stop-action.
 </longdesc>
 <shortdesc lang="en">How many seconds to wait after sending term/kill signals to processes in stop-action</shortdesc>
 -<content type="string" default="${OCF_RESKEY_kill_signal_delay}" />
 +<content type="string" default="${OCF_RESKEY_signal_delay_default}" />
 </parameter>
 </parameters>
--- a/SOURCES/python3-syntax-fixes.patch
+++ b/SOURCES/python3-syntax-fixes.patch
@ -590,3 +590,116 @@ diff -uNr a/bundled/aliyun/colorama/demos/demo07.py b/bundled/aliyun/colorama/de
 if __name__ == '__main__':
 diff -uNr a/bundled/aliyun/pycryptodome/Doc/conf.py b/bundled/aliyun/pycryptodome/Doc/conf.py
 --- a/bundled/aliyun/pycryptodome/Doc/conf.py	2018-07-10 21:32:46.000000000 +0200
 +++ b/bundled/aliyun/pycryptodome/Doc/conf.py	2018-10-08 12:08:11.122188094 +0200
@@ -15,7 +15,7 @@
 # Modules to document with autodoc are in another directory
 sys.path.insert(0, os.path.abspath('../lib'))
 -print sys.path
 +print(sys.path)
 # Mock existance of native modules
 from Crypto.Util import _raw_api
 diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py b/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py
 --- a/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py	2018-07-10 21:32:46.000000000 +0200
 +++ b/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py	2018-10-08 12:08:11.123188075 +0200
@@ -302,7 +302,7 @@
     randfunc = kwargs.pop("randfunc", None)
     prime_filter = kwargs.pop("prime_filter", lambda x: True)
     if kwargs:
 -        print "Unknown parameters:", kwargs.keys()
 +        print("Unknown parameters:", kwargs.keys())
     if exact_bits is None:
         raise ValueError("Missing exact_bits parameter")
@@ -341,7 +341,7 @@
     exact_bits = kwargs.pop("exact_bits", None)
     randfunc = kwargs.pop("randfunc", None)
     if kwargs:
 -        print "Unknown parameters:", kwargs.keys()
 +        print("Unknown parameters:", kwargs.keys())
     if randfunc is None:
         randfunc = Random.new().read
 diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py b/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py
 --- a/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py	2018-07-10 21:32:46.000000000 +0200
 +++ b/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py	2018-10-08 12:08:11.124188057 +0200
@@ -912,4 +912,4 @@
     count = 30
     for x in xrange(count):
         _ = point * d
 -    print (time.time() - start) / count * 1000, "ms"
 +    print((time.time() - start) / count * 1000, "ms")
 diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py
 --- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py	2018-07-10 21:32:46.000000000 +0200
 +++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py	2018-10-08 12:08:11.124188057 +0200
@@ -1276,7 +1276,7 @@
         tests += make_block_tests(AES, "AESNI", test_data, {'use_aesni': True})
         tests += [ TestMultipleBlocks(True) ]
     else:
 -        print "Skipping AESNI tests"
 +        print("Skipping AESNI tests")
     return tests
 if __name__ == '__main__':
 diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py
 --- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py	2018-07-10 21:32:46.000000000 +0200
 +++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py	2018-10-08 12:08:11.125188038 +0200
@@ -894,7 +894,7 @@
         if config.get('slow_tests'):
             tests += list_test_cases(NISTTestVectorsGCM_no_clmul)
     else:
 -        print "Skipping test of PCLMULDQD in AES GCM"
 +        print("Skipping test of PCLMULDQD in AES GCM")
     return tests
 diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py
 --- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py	2018-07-10 21:32:46.000000000 +0200
 +++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py	2018-10-08 12:08:11.125188038 +0200
@@ -39,7 +39,7 @@
     """Convert a text string with bytes in hex form to a byte string"""
     clean = b(rws(t))
     if len(clean)%2 == 1:
 -        print clean
 +        print(clean)
         raise ValueError("Even number of characters expected")
     return a2b_hex(clean)
 diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py
 --- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py	2018-07-10 21:32:46.000000000 +0200
 +++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py	2018-10-08 12:08:11.126188020 +0200
@@ -25,11 +25,11 @@
 slow_tests = not "--skip-slow-tests" in sys.argv
 if not slow_tests:
 -    print "Skipping slow tests"
 +    print("Skipping slow tests")
 wycheproof_warnings = "--wycheproof-warnings" in sys.argv
 if wycheproof_warnings:
 -    print "Printing Wycheproof warnings"
 +    print("Printing Wycheproof warnings")
 config = {'slow_tests' : slow_tests, 'wycheproof_warnings' : wycheproof_warnings }
 SelfTest.run(stream=sys.stdout, verbosity=1, config=config)
 diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py b/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py
 --- a/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py	2018-07-10 21:32:46.000000000 +0200
 +++ b/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py	2018-10-08 12:08:11.126188020 +0200
@@ -369,13 +369,13 @@
            ]
     for key, words in data:
 -        print 'Trying key', key
 +        print('Trying key', key)
         key=binascii.a2b_hex(key)
         w2=key_to_english(key)
         if w2!=words:
 -            print 'key_to_english fails on key', repr(key), ', producing', str(w2)
 +            print('key_to_english fails on key', repr(key), ', producing', str(w2))
         k2=english_to_key(words)
         if k2!=key:
 -            print 'english_to_key fails on key', repr(key), ', producing', repr(k2)
 +            print('english_to_key fails on key', repr(key), ', producing', repr(k2))
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
@ -43,7 +43,7 @@
 %global colorama_dir		%{bundled_lib_dir}/aliyun/%{colorama}
 # python-pycryptodome bundle
 %global pycryptodome		pycryptodome
-%global pycryptodome_version	3.20.0
+%global pycryptodome_version	3.6.4
 %global pycryptodome_dir	%{bundled_lib_dir}/aliyun/%{pycryptodome}
 # python-aliyun-sdk-core bundle
 %global aliyunsdkcore		aliyun-python-sdk-core
@ -61,10 +61,6 @@
 %global aliyuncli		aliyun-cli
 %global aliyuncli_version	2.1.10
 %global aliyuncli_dir		%{bundled_lib_dir}/aliyun/%{aliyuncli}
 ## fix CVEs
 # urllib3 bundle
 %global urllib3 		urllib3
 %global urllib3_version 	1.26.18
 # determine the ras-set to process based on configure invokation
 %bcond_with rgmanager
@ -73,7 +69,7 @@
 Name:		resource-agents
 Summary:	Open Source HA Reusable Cluster Resource Scripts
 Version:	4.9.0
-Release:	54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.5
+Release:	35%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
 License:	GPLv2+ and LGPLv2+
 URL:		https://github.com/ClusterLabs/resource-agents
 %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@ -92,7 +88,6 @@ Source7:	%{aliyunsdkcore}-%{aliyunsdkcore_version}.tar.gz
 Source8:	%{aliyunsdkecs}-%{aliyunsdkecs_version}.tar.gz
 Source9:	%{aliyunsdkvpc}-%{aliyunsdkvpc_version}.tar.gz
 Source10:	%{aliyuncli}-%{aliyuncli_version}.tar.gz
 Source11:	%{urllib3}-%{urllib3_version}.tar.gz
 Patch0: 	nova-compute-wait-NovaEvacuate.patch
 Patch1: 	bz1872754-pgsqlms-new-ra.patch
 Patch2: 	bz1995178-storage-mon-fix-typo.patch
@ -136,33 +131,6 @@ Patch39:	bz2141836-vdo-vol-dont-fail-probe-action.patch
 Patch40:	bz2049319-Filesystem-add-support-for-Amazon-EFS.patch
 Patch41:	bz2127117-nfsserver-nfsv4_only-parameter.patch
 Patch42:	bz2139131-mysql-common-return-error-if-kill-fails.patch
 Patch43:	bz2157873-1-all-ras-validate-all-OCF_CHECK_LEVEL-10.patch
 Patch44:	bz2157873-2-Filesystem-CTDB-validate-all-improvements.patch
 Patch45:	bz2157873-3-pgsqlms-validate-all-OCF_CHECK_LEVEL-10.patch
 Patch46:	bz2157873-4-exportfs-pgsql-validate-all-fixes.patch
 Patch47:	bz2157873-5-pgsqlms-alidate-all-OCF_CHECK_LEVEL-10.patch
 Patch48:	bz2040110-IPaddr2-IPsrcaddr-1-support-policy-based-routing.patch
 Patch49:	bz2149970-lvmlockd-add-use_lvmlockd-if-missing.patch
 Patch50:	bz2154727-ethmonitor-dont-log-iface-doesnt-exist-monitor.patch
 Patch51:	bz2039692-mysql-1-replication-fixes.patch
 Patch52:	bz2181019-azure-events-1-fix-no-transition-summary.patch
 Patch53:	bz2181019-azure-events-2-improve-logic.patch
 Patch54:	bz2183152-Filesystem-fail-efs-utils-not-installed.patch
 Patch55:	bz2039692-mysql-2-fix-demoted-score-bounce.patch
 Patch56:	bz2040110-IPaddr2-IPsrcaddr-2-fix-table-parameter.patch
 Patch57:	bz2189243-Filesystem-1-improve-stop-action.patch
 Patch58:	bz2189243-Filesystem-2-fix-incorrect-parameter-types.patch
 Patch59:	bz2189243-Filesystem-3-fix-signal_delay-default-value.patch
 Patch60:	bz1904465-mysql-common-improve-error-message.patch
 Patch61:	RHEL-15302-1-exportfs-make-fsid-optional.patch
 Patch62:	RHEL-15302-2-ocft-exportfs-remove-fsid-required-test.patch
 Patch63:	RHEL-15305-1-findif.sh-fix-loopback-handling.patch
 Patch64:	RHEL-16248-aws-vpc-move-ip-aws-vpc-route53-awseip-awsvip-auth_type-role.patch
 Patch65:	RHEL-17083-findif-EOS-fix.patch
 Patch66:	RHEL-15305-2-findif.sh-dont-use-table-parameter.patch
 Patch67:	RHEL-34137-aws-agents-use-curl_retry.patch
 Patch68:	RHEL-32828-db2-fix-OCF_SUCESS-typo.patch
 Patch69:	RHEL-61138-nfsserver-also-stop-rpc-statd-for-nfsv4_only.patch
 # bundle patches
 Patch1000:	7-gcp-bundled.patch
@ -175,8 +143,6 @@ Patch1006:	python3-syntax-fixes.patch
 Patch1007:	aliyuncli-python3-fixes.patch
 Patch1008:	bz1935422-python-pygments-fix-CVE-2021-20270.patch
 Patch1009:	bz1943464-python-pygments-fix-CVE-2021-27291.patch
 Patch1010:	RHEL-44923-aliyun-gcp-fix-bundled-urllib3-CVE-2024-37891.patch
 Patch1011:	RHEL-50360-setuptools-fix-CVE-2024-6345.patch
 Obsoletes:	heartbeat-resources <= %{version}
 Provides:	heartbeat-resources = %{version}
@ -271,8 +237,6 @@ Provides:	bundled(python-aliyun-sdk-ecs) = %{aliyunsdkecs_version}
 Provides:	bundled(python-aliyun-sdk-vpc) = %{aliyunsdkvpc_version}
 # aliyuncli bundle
 Provides:	bundled(aliyuncli) = %{aliyuncli_version}
 # urllib3 bundle
 Provides:	bundled(python-urllib3) = %{urllib3_version}
 %description aliyun
 Alibaba Cloud (Aliyun) resource agents allows Alibaba Cloud
@ -312,7 +276,7 @@ Provides:	bundled(python-pyparsing) = 2.1.10
 Provides:	bundled(python-requests) = 2.10.0
 Provides:	bundled(python-six) = 1.11.0
 Provides:	bundled(python-uritemplate) = 3.0.0
-Provides:	bundled(python-urllib3) = %{urllib3_version}
+Provides:	bundled(python-urllib3) = 1.15.1
 Provides:	bundled(python-websocket) = 0.47.0
 Provides:	bundled(python-yaml) = 3.12
 # python-pyroute2 bundle
@ -346,76 +310,49 @@ databases to be managed in a cluster environment.
 exit 1
 %endif
 %setup -q -n %{upstream_prefix}-%{upstream_version}
-%patch -p1 -P 0
+%patch0 -p1
-%patch -p1 -P 1
+%patch1 -p1
-%patch -p1 -P 2
+%patch2 -p1
-%patch -p1 -P 3
+%patch3 -p1
-%patch -p1 -P 4
+%patch4 -p1
-%patch -p1 -P 5
+%patch5 -p1
-%patch -p1 -P 6
+%patch6 -p1
-%patch -p1 -P 7
+%patch7 -p1
-%patch -p1 -P 8
+%patch8 -p1
-%patch -p1 -P 9
+%patch9 -p1
-%patch -p1 -P 10
+%patch10 -p1
-%patch -p1 -P 11
+%patch11 -p1
-%patch -p1 -P 12
+%patch12 -p1
-%patch -p1 -P 13
+%patch13 -p1
-%patch -p1 -P 14
+%patch14 -p1
-%patch -p1 -P 15
+%patch15 -p1
-%patch -p1 -P 16
+%patch16 -p1
-%patch -p1 -P 17
+%patch17 -p1
-%patch -p1 -P 18
+%patch18 -p1
-%patch -p1 -P 19
+%patch19 -p1
-%patch -p1 -P 20
+%patch20 -p1
-%patch -p1 -P 21
+%patch21 -p1
-%patch -p1 -P 22
+%patch22 -p1
-%patch -p1 -P 23
+%patch23 -p1
-%patch -p1 -P 24
+%patch24 -p1
-%patch -p1 -P 25
+%patch25 -p1
-%patch -p1 -P 26
+%patch26 -p1
-%patch -p1 -P 27
+%patch27 -p1
-%patch -p1 -P 28
+%patch28 -p1
-%patch -p1 -P 29
+%patch29 -p1
-%patch -p1 -P 30
+%patch30 -p1
-%patch -p1 -P 31
+%patch31 -p1
-%patch -p1 -P 32
+%patch32 -p1
-%patch -p1 -P 33
+%patch33 -p1
-%patch -p1 -P 34
+%patch34 -p1
-%patch -p1 -P 35
+%patch35 -p1
-%patch -p1 -P 36
+%patch36 -p1
-%patch -p1 -P 37
+%patch37 -p1
-%patch -p1 -P 38
+%patch38 -p1
-%patch -p1 -P 39
+%patch39 -p1
-%patch -p1 -P 40
+%patch40 -p1
-%patch -p1 -P 41
+%patch41 -p1
-%patch -p1 -P 42
+%patch42 -p1
 %patch -p1 -P 43
 %patch -p1 -P 44
 %patch -p1 -P 45
 %patch -p1 -P 46
 %patch -p1 -P 47
 %patch -p1 -P 48
 %patch -p1 -P 49
 %patch -p1 -P 50
 %patch -p1 -P 51
 %patch -p1 -P 52
 %patch -p1 -P 53
 %patch -p1 -P 54
 %patch -p1 -P 55
 %patch -p1 -P 56
 %patch -p1 -P 57
 %patch -p1 -P 58
 %patch -p1 -P 59
 %patch -p1 -P 60
 %patch -p1 -P 61
 %patch -p1 -P 62
 %patch -p1 -P 63
 %patch -p1 -P 64
 %patch -p1 -P 65
 %patch -p1 -P 66
 %patch -p1 -P 67 -F1
 %patch -p1 -P 68
 %patch -p1 -P 69
 chmod 755 heartbeat/nova-compute-wait
 chmod 755 heartbeat/NovaEvacuate
@ -429,15 +366,15 @@ mkdir -p %{bundled_lib_dir}/aliyun
 %ifarch x86_64
 tar -xzf %SOURCE1 -C %{bundled_lib_dir}/gcp
 # gcp*: append bundled-directory to search path, gcloud-ra
-%patch -p1 -P 1000
+%patch1000 -p1
 # replace python-rsa with python-cryptography
-%patch -p1 -P 1001
+%patch1001 -p1
 # gcloud support info
-%patch -p1 -P 1002
+%patch1002 -p1
 # configure: skip bundled gcp lib checks
-%patch -p1 -P 1003 -F1
+%patch1003 -p1 -F1
 # gcloud remove python 2 detection
-%patch -p1 -P 1004
+%patch1004 -p1
 # rename gcloud
 mv %{googlecloudsdk_dir}/bin/gcloud %{googlecloudsdk_dir}/bin/gcloud-ra
 # keep googleapiclient
@ -544,16 +481,16 @@ mv %{bundled_lib_dir}/aliyun/%{aliyuncli}-%{aliyuncli_version} %{aliyuncli_dir}
 cp %{aliyuncli_dir}/README.rst %{aliyuncli}_README.rst
 cp %{aliyuncli_dir}/LICENSE %{aliyuncli}_LICENSE
 # aliyun*: use bundled libraries
-%patch -p1 -P 1005
+%patch1005 -p1
 # aliyun Python 3 fixes
-%patch -p1 -P 1006
+%patch1006 -p1
-%patch -p1 -P 1007
+%patch1007 -p1
 # fix CVE's in python-pygments
 pushd %{googlecloudsdk_dir}/lib/third_party
-%patch -p1 -P 1008 -F2
+%patch1008 -p1 -F2
-%patch -p1 -P 1009 -F2
+%patch1009 -p1 -F2
 popd
 %endif
@ -650,9 +587,6 @@ make install DESTDIR=%{buildroot}
 # google-cloud-sdk bundle
 %ifarch x86_64
 pushd %{googlecloudsdk_dir}
 # fix urllib3 CVEs
 rm -rf lib/third_party/urllib3
 %{__python3} -m pip install --target lib/third_party --no-index --find-links %{_sourcedir} urllib3
 mkdir -p %{buildroot}/usr/lib/%{name}/%{googlecloudsdk_dir}
 cp -a bin data lib %{buildroot}/usr/lib/%{name}/%{googlecloudsdk_dir}
 mkdir %{buildroot}/%{_bindir}
@ -681,9 +615,6 @@ popd
 # python-aliyun-sdk-core bundle
 pushd %{aliyunsdkcore_dir}
 %{__python3} setup.py install -O1 --skip-build --root %{buildroot} --install-lib /usr/lib/%{name}/%{bundled_lib_dir}/aliyun
 # fix urllib3 CVEs
 rm -rf %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3
 %{__python3} -m pip install --target %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}/aliyun/aliyunsdkcore/vendored/requests/packages --no-index --find-links %{_sourcedir} urllib3
 popd
 # python-aliyun-sdk-ecs bundle
@ -704,14 +635,6 @@ mv %{buildroot}/%{_bindir}/aliyuncli %{buildroot}/%{_bindir}/aliyuncli-ra
 # aliyun_completer / aliyun_zsh_complete.sh
 rm %{buildroot}/%{_bindir}/aliyun_*
 popd
 # regular patch doesnt work in build-section
 pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1010}
 popd
 pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}/gcp/google-cloud-sdk/lib/third_party
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1011}
 popd
 %endif
 ## tree fixup
@ -1005,102 +928,6 @@ ccs_update_schema > /dev/null 2>&1 ||:
 %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm
 %changelog
 * Tue Oct  1 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.5
 - nfsserver: also stop rpc-statd for nfsv4_only to avoid stop failing
  in some cases
  Resolves: RHEL-61138
 * Thu Jul 25 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.4
 - bundled setuptools: fix CVE-2024-6345
  Resolves: RHEL-50360
 * Tue Jul 23 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.3
 - gcp-pd-move: fix TLS_VERSION_1 issue
  Resolves: RHEL-50041
 * Wed Jun 26 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.2
 - bundled urllib3: fix CVE-2024-37891
  Resolves: RHEL-44923
 * Thu May 30 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.1
 - AWS agents: retry failed metadata requests to avoid instantly
  failing when there is a hiccup in the network or metadata service
 - db2: fix OCF_SUCESS typo
  Resolves: RHEL-34137, RHEL-32828
 * Thu Feb  8 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54
 - findif.sh: fix loopback IP handling
  Resolves: RHEL-15305
 * Wed Jan 24 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-53
 - bundled urllib3: fix CVE-2023-45803
 - bundled pycryptodome: fix CVE-2023-52323
  Resolves: RHEL-22431, RHEL-20916
 * Tue Nov 21 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-52
 - findif: also check that netmaskbits != EOS
  Resolves: RHEL-17083
 * Fri Nov 17 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-51
 - aws-vpc-move-ip/aws-vpc-route53/awseip/awsvip: add auth_type parameter
  and AWS Policy based authentication type
  Resolves: RHEL-16248
 * Thu Nov  2 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-49
 - exportfs: make "fsid" parameter optional
  Resolves: RHEL-15302
 * Wed Sep  6 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-48
 - mysql-common: improve error message
  Resolves: rhbz#1904465
 * Thu Jul 20 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-47
 - Filesystem: improve stop-action and allow setting term/kill signals
  and signal_delay for large filesystems
  Resolves: rhbz#2189243
 * Wed Jun 21 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-44
 - IPaddr2/IPsrcaddr: support policy-based routing
  Resolves: rhbz#2040110
 * Wed Jun 14 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-43
 - mysql: fix replication issues
  Resolves: rhbz#2039692
 * Mon May  1 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-42
 - azure-events*: fix for no "Transition Summary" for Pacemaker 2.1+
 - Filesystem: fail if AWS efs-utils not installed when fstype=efs
  Resolves: rhbz#2181019
  Resolves: rhbz#2183152
 * Wed Mar 22 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-41
 - lvmlockd: add "use_lvmlockd = 1" if it's commented out or missing
 - ethmonitor: dont log "Interface does not exist" for monitor-action
  Resolves: rhbz#2149970
  Resolves: rhbz#2154727
 * Tue Jan 17 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-40
 - all agents: dont check notify/promotable settings during
  validate-action
  Resolves: rhbz#2157873
 * Thu Nov 24 2022 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-35
 - mysql-common: return error in stop-action if kill fails to stop
  the process, so the node can get fenced