- storage_mon/findif: fix handler out of scope leak, unitialized value and check that netmaskbits != EOS

and check that netmaskbits != EOS

  Resolves: RHEL-17072

.resource-agents.metadata

@@ -0,0 +1 @@
+3b517ecdbe2103df77813050e5c998e102c5de7e ClusterLabs-resource-agents-fd0720f7.tar.gz

RHEL-15301-1-exportfs-make-fsid-optional.patch

@@ -0,0 +1,75 @@
+From b806487ca758fce838c988767556007ecf66a6e3 Mon Sep 17 00:00:00 2001
+From: Roger Zhou <zzhou@suse.com>
+Date: Mon, 10 Apr 2023 18:08:56 +0800
+Subject: [PATCH] exportfs: make the "fsid=" parameter optional
+
+Based on feedback [1] from the kernel developer @neilbrown regarding the
+NFS clustering use case, it has been determined that the fsid= parameter
+is now considered optional and safe to omit.
+
+[1] https://bugzilla.suse.com/show_bug.cgi?id=1201271#c49
+"""
+Since some time in 2007 NFS has used the UUID of a filesystem as the
+primary identifier for that filesystem, rather than using the device
+number.  So from that time there should have been reduced need for the
+"fsid=" option.  Probably there are some filesystems that this didn't
+work for.  btrfs has been problematic at time, particularly when subvols
+are exported.  But for quite some years this has all "just worked" at
+least for the major filesystems (ext4 xfs btrfs). [...] I would suggest
+getting rid of the use of fsid= altogether. [...] I'm confident that it
+was no longer an issue in SLE-12 and similarly not in SLE-15.
+"""
+---
+ heartbeat/exportfs | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/heartbeat/exportfs b/heartbeat/exportfs
+index 2307a9e67b..435a19646b 100755
+--- a/heartbeat/exportfs
++++ b/heartbeat/exportfs
+@@ -82,7 +82,7 @@ The directory or directories to export.
+ <content type="string" />
+ </parameter>
+ 
+-<parameter name="fsid" unique="0" required="1">
++<parameter name="fsid" unique="0" required="0">
+ <longdesc lang="en">
+ The fsid option to pass to exportfs. This can be a unique positive
+ integer, a UUID (assuredly sans comma characters), or the special string
+@@ -185,6 +185,8 @@ exportfs_methods() {
+ 
+ reset_fsid() {
+ 	CURRENT_FSID=$OCF_RESKEY_fsid
++	[ -z "$CURRENT_FSID" ] && CURRENT_FSID=`echo "$OCF_RESKEY_options" | sed -n 's/.*fsid=\([^,]*\).*/\1/p'`
++	echo $CURRENT_FSID
+ }
+ bump_fsid() {
+ 	CURRENT_FSID=$((CURRENT_FSID+1))
+@@ -322,7 +324,7 @@ export_one() {
+ 	if echo "$opts" | grep fsid >/dev/null; then
+ 		#replace fsid in options list
+ 		opts=`echo "$opts" | sed "s,fsid=[^,]*,fsid=$(get_fsid),g"`
+-	else
++	elif [ -n "$OCF_RESKEY_fsid" ]; then
+ 		#tack the fsid option onto our options list.
+ 		opts="${opts}${sep}fsid=$(get_fsid)"
+ 	fi
+@@ -448,8 +450,8 @@ exportfs_validate_all ()
+ 		ocf_exit_reason "$OCF_RESKEY_fsid cannot contain a comma"
+ 		return $OCF_ERR_CONFIGURED
+ 	fi
+-	if [ $NUMDIRS -gt 1 ] &&
+-			! ocf_is_decimal "$OCF_RESKEY_fsid"; then
++	if [ $NUMDIRS -gt 1 ] && [ -n "$(reset_fsid)" ] &&
++			! ocf_is_decimal "$(reset_fsid)"; then
+ 		ocf_exit_reason "use integer fsid when exporting multiple directories"
+ 		return $OCF_ERR_CONFIGURED
+ 	fi
+@@ -485,6 +487,6 @@ done
+ OCF_RESKEY_directory="${directories%% }"
+ 
+ NUMDIRS=`echo "$OCF_RESKEY_directory" | wc -w`
+-OCF_REQUIRED_PARAMS="directory fsid clientspec"
++OCF_REQUIRED_PARAMS="directory clientspec"
+ OCF_REQUIRED_BINARIES="exportfs"
+ ocf_rarun $*

RHEL-15301-2-ocft-exportfs-remove-fsid-required-test.patch

@@ -0,0 +1,43 @@
+From 1d1481aa6d848efab4d398ad6e74d80b5b32549f Mon Sep 17 00:00:00 2001
+From: Valentin Vidic <vvidic@debian.org>
+Date: Wed, 1 Nov 2023 18:25:45 +0100
+Subject: [PATCH] exportfs: remove test for "fsid=" parameter
+
+fsid parameter is now considered optional.
+---
+ tools/ocft/exportfs          | 5 -----
+ tools/ocft/exportfs-multidir | 5 -----
+ 2 files changed, 10 deletions(-)
+
+diff --git a/tools/ocft/exportfs b/tools/ocft/exportfs
+index 285a4b8ea0..1ec3d4c364 100644
+--- a/tools/ocft/exportfs
++++ b/tools/ocft/exportfs
+@@ -28,11 +28,6 @@ CASE "check base env"
+ 	Include prepare
+ 	AgentRun start OCF_SUCCESS
+ 
+-CASE "check base env: no 'OCF_RESKEY_fsid'"
+-	Include prepare
+-	Env OCF_RESKEY_fsid=
+-	AgentRun start OCF_ERR_CONFIGURED
+-
+ CASE "check base env: invalid 'OCF_RESKEY_directory'"
+ 	Include prepare
+ 	Env OCF_RESKEY_directory=/no_such
+diff --git a/tools/ocft/exportfs-multidir b/tools/ocft/exportfs-multidir
+index 00e41f0859..ac6d5c7f6a 100644
+--- a/tools/ocft/exportfs-multidir
++++ b/tools/ocft/exportfs-multidir
+@@ -28,11 +28,6 @@ CASE "check base env"
+ 	Include prepare
+ 	AgentRun start OCF_SUCCESS
+ 
+-CASE "check base env: no 'OCF_RESKEY_fsid'"
+-	Include prepare
+-	Env OCF_RESKEY_fsid=
+-	AgentRun start OCF_ERR_CONFIGURED
+-
+ CASE "check base env: invalid 'OCF_RESKEY_directory'"
+ 	Include prepare
+ 	Env OCF_RESKEY_directory=/no_such

RHEL-15304-findif.sh-fix-loopback-handling.patch

@@ -0,0 +1,45 @@
+From e4f84ae185b6943d1ff461d53c7f1b5295783086 Mon Sep 17 00:00:00 2001
+From: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+Date: Wed, 1 Nov 2023 19:35:21 +0100
+Subject: [PATCH] findif.sh: fix loopback handling
+
+tools/ocft/IPaddr2 fails the loopback test because of the missing
+table local parameter:
+
+$ ip -o -f inet route list match 127.0.0.3 scope host
+
+$ ip -o -f inet route list match 127.0.0.3 table local scope host
+local 127.0.0.0/8 dev lo proto kernel src 127.0.0.1
+
+Also rename the function because it is called only in for the special
+loopback address case.
+---
+ heartbeat/findif.sh | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/heartbeat/findif.sh b/heartbeat/findif.sh
+index 5f1c19ec3..7c766e6e0 100644
+--- a/heartbeat/findif.sh
++++ b/heartbeat/findif.sh
+@@ -29,10 +29,10 @@ prefixcheck() {
+   fi
+   return 0
+ }
+-getnetworkinfo()
++getloopbackinfo()
+ {
+   local line netinfo
+-  ip -o -f inet route list match $OCF_RESKEY_ip table "${OCF_RESKEY_table:=main}" scope host | (while read line;
++  ip -o -f inet route list match $OCF_RESKEY_ip table local scope host | (while read line;
+   do
+     netinfo=`echo $line | awk '{print $2}'`
+     case $netinfo in
+@@ -222,7 +222,7 @@ findif()
+   if [ $# = 0 ] ; then
+     case $OCF_RESKEY_ip in
+     127.*)
+-      set -- `getnetworkinfo`
++      set -- `getloopbackinfo`
+       shift;;
+     esac
+   fi

RHEL-16247-aws-vpc-move-ip-aws-vpc-route53-awseip-awsvip-auth_type-role.patch

@@ -0,0 +1,555 @@
+From f45f76600a7e02c860566db7d1350dc3b09449c2 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Mon, 6 Nov 2023 15:49:44 +0100
+Subject: [PATCH] aws-vpc-move-ip/aws-vpc-route53/awseip/awsvip: add auth_type
+ parameter and AWS Policy based authentication type
+
+---
+ heartbeat/aws-vpc-move-ip    | 43 +++++++++++++++++++----
+ heartbeat/aws-vpc-route53.in | 47 ++++++++++++++++++++-----
+ heartbeat/awseip             | 68 +++++++++++++++++++++++++++---------
+ heartbeat/awsvip             | 60 ++++++++++++++++++++++++-------
+ 4 files changed, 173 insertions(+), 45 deletions(-)
+
+diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
+index dee040300f..54806f6eaa 100755
+--- a/heartbeat/aws-vpc-move-ip
++++ b/heartbeat/aws-vpc-move-ip
+@@ -36,6 +36,7 @@
+ 
+ # Defaults
+ OCF_RESKEY_awscli_default="/usr/bin/aws"
++OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
+ OCF_RESKEY_region_default=""
+ OCF_RESKEY_ip_default=""
+@@ -48,6 +49,7 @@ OCF_RESKEY_monapi_default="false"
+ OCF_RESKEY_lookup_type_default="InstanceId"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
++: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
+ : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_ip=${OCF_RESKEY_ip_default}}
+@@ -58,8 +60,6 @@ OCF_RESKEY_lookup_type_default="InstanceId"
+ : ${OCF_RESKEY_iflabel=${OCF_RESKEY_iflabel_default}}
+ : ${OCF_RESKEY_monapi=${OCF_RESKEY_monapi_default}}
+ : ${OCF_RESKEY_lookup_type=${OCF_RESKEY_lookup_type_default}}
+-
+-[ -n "$OCF_RESKEY_region" ] && region_opt="--region $OCF_RESKEY_region"
+ #######################################################################
+ 
+ 
+@@ -83,6 +83,10 @@ cat <<END
+ <longdesc lang="en">
+ Resource Agent to move IP addresses within a VPC of the Amazon Webservices EC2
+ by changing an entry in an specific routing table
++
++Credentials needs to be setup by running "aws configure", or by using AWS Policies.
++
++See https://aws.amazon.com/cli/ for more information about awscli.
+ </longdesc>
+ <shortdesc lang="en">Move IP within a VPC of the AWS EC2</shortdesc>
+ 
+@@ -95,6 +99,15 @@ Path to command line tools for AWS
+ <content type="string" default="${OCF_RESKEY_awscli_default}" />
+ </parameter>
+ 
++<parameter name="auth_type">
++<longdesc lang="en">
++Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
++or "role" to use AWS Policies.
++</longdesc>
++<shortdesc lang="en">Authentication type</shortdesc>
++<content type="string" default="${OCF_RESKEY_auth_type_default}" />
++</parameter>
++
+ <parameter name="profile">
+ <longdesc lang="en">
+ Valid AWS CLI profile name (see ~/.aws/config and 'aws configure')
+@@ -198,7 +211,7 @@ END
+ execute_cmd_as_role(){
+ 	cmd=$1
+ 	role=$2
+-	output="$($OCF_RESKEY_awscli sts assume-role --role-arn $role --role-session-name AWSCLI-RouteTableUpdate --profile $OCF_RESKEY_profile $region_opt --output=text)"
++	output="$($AWSCLI_CMD sts assume-role --role-arn $role --role-session-name AWSCLI-RouteTableUpdate --output=text)"
+ 	export AWS_ACCESS_KEY_ID="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $5}')"
+ 	export AWS_SECRET_ACCESS_KEY="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $7}')"
+ 	export AWS_SESSION_TOKEN="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $8}')"
+@@ -220,11 +233,11 @@ ec2ip_set_address_param_compat(){
+ }
+ 
+ ec2ip_validate() {
+-	for cmd in $OCF_RESKEY_awscli ip curl; do
++	for cmd in "$OCF_RESKEY_awscli" ip curl; do
+ 		check_binary "$cmd"
+ 	done
+ 
+-	if [ -z "$OCF_RESKEY_profile" ]; then
++	if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
+ 		ocf_exit_reason "profile parameter not set"
+ 		return $OCF_ERR_CONFIGURED
+ 	fi
+@@ -262,7 +275,7 @@ ec2ip_monitor() {
+ 		for rtb in $(echo $OCF_RESKEY_routing_table | sed -e 's/,/ /g'); do
+ 			ocf_log info "monitor: check routing table (API call) - $rtb"
+ 			if [ -z "${OCF_RESKEY_routing_table_role}" ]; then
+-				cmd="$OCF_RESKEY_awscli --profile $OCF_RESKEY_profile $region_opt --output text ec2 describe-route-tables --route-table-ids $rtb --query RouteTables[*].Routes[?DestinationCidrBlock=='$OCF_RESKEY_ip/32'].$OCF_RESKEY_lookup_type"
++				cmd="$AWSCLI_CMD --output text ec2 describe-route-tables --route-table-ids $rtb --query RouteTables[*].Routes[?DestinationCidrBlock=='$OCF_RESKEY_ip/32'].$OCF_RESKEY_lookup_type"
+ 				ocf_log debug "executing command: $cmd"
+ 				ROUTE_TO_INSTANCE="$($cmd)"
+ 			else
+@@ -368,7 +381,7 @@ ec2ip_get_and_configure() {
+ 	EC2_NETWORK_INTERFACE_ID="$(ec2ip_get_instance_eni)"
+ 	for rtb in $(echo $OCF_RESKEY_routing_table | sed -e 's/,/ /g'); do
+ 		if [ -z "${OCF_RESKEY_routing_table_role}" ]; then
+-			cmd="$OCF_RESKEY_awscli --profile $OCF_RESKEY_profile $region_opt --output text ec2 replace-route --route-table-id $rtb --destination-cidr-block ${OCF_RESKEY_ip}/32 --network-interface-id $EC2_NETWORK_INTERFACE_ID"
++			cmd="$AWSCLI_CMD --output text ec2 replace-route --route-table-id $rtb --destination-cidr-block ${OCF_RESKEY_ip}/32 --network-interface-id $EC2_NETWORK_INTERFACE_ID"
+ 			ocf_log debug "executing command: $cmd"
+ 			$cmd
+ 		else
+@@ -475,6 +488,22 @@ if ! ocf_is_root; then
+ 	exit $OCF_ERR_PERM
+ fi
+ 
++AWSCLI_CMD="${OCF_RESKEY_awscli}"
++if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
++	AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
++elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
++	if [ -z "${OCF_RESKEY_region}" ]; then
++		ocf_exit_reason "region needs to be set when using role-based authentication"
++		exit $OCF_ERR_CONFIGURED
++	fi
++else
++	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
++	exit $OCF_ERR_CONFIGURED
++fi
++if [ -n "${OCF_RESKEY_region}" ]; then
++	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
++fi
++
+ ec2ip_set_address_param_compat
+ 
+ ec2ip_validate
+diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
+index 22cbb35833..18ab157e8a 100644
+--- a/heartbeat/aws-vpc-route53.in
++++ b/heartbeat/aws-vpc-route53.in
+@@ -46,24 +46,22 @@
+ 
+ # Defaults
+ OCF_RESKEY_awscli_default="/usr/bin/aws"
++OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
++OCF_RESKEY_region_default=""
+ OCF_RESKEY_hostedzoneid_default=""
+ OCF_RESKEY_fullname_default=""
+ OCF_RESKEY_ip_default="local"
+ OCF_RESKEY_ttl_default=10
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
++: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
++: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_hostedzoneid:=${OCF_RESKEY_hostedzoneid_default}}
+ : ${OCF_RESKEY_fullname:=${OCF_RESKEY_fullname_default}}
+ : ${OCF_RESKEY_ip:=${OCF_RESKEY_ip_default}}
+ : ${OCF_RESKEY_ttl:=${OCF_RESKEY_ttl_default}}
+-#######################################################################
+-
+-
+-AWS_PROFILE_OPT="--profile $OCF_RESKEY_profile --cli-connect-timeout 10"
+-#######################################################################
+-
+ 
+ usage() {
+ 	cat <<-EOT
+@@ -123,6 +121,15 @@ Path to command line tools for AWS
+ <content type="string" default="${OCF_RESKEY_awscli_default}" />
+ </parameter>
+ 
++<parameter name="auth_type">
++<longdesc lang="en">
++Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
++or "role" to use AWS Policies.
++</longdesc>
++<shortdesc lang="en">Authentication type</shortdesc>
++<content type="string" default="${OCF_RESKEY_auth_type_default}" />
++</parameter>
++
+ <parameter name="profile">
+ <longdesc lang="en">
+ The name of the AWS CLI profile of the root account. This
+@@ -196,7 +203,7 @@ r53_validate() {
+ 
+ 	# Check for required binaries
+ 	ocf_log debug "Checking for required binaries"
+-	for command in curl dig; do
++	for command in "${OCF_RESKEY_awscli}" curl dig; do
+ 		check_binary "$command"
+ 	done
+ 
+@@ -216,7 +223,10 @@ r53_validate() {
+ 	esac
+ 
+ 	# profile
+-	[[ -z "$OCF_RESKEY_profile" ]] && ocf_log error "AWS CLI profile not set $OCF_RESKEY_profile!" && exit $OCF_ERR_CONFIGURED
++	if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
++		ocf_exit_reason "profile parameter not set"
++		return $OCF_ERR_CONFIGURED
++	fi
+ 
+ 	# TTL
+ 	[[ -z "$OCF_RESKEY_ttl" ]] && ocf_log error "TTL not set $OCF_RESKEY_ttl!" && exit $OCF_ERR_CONFIGURED
+@@ -417,7 +427,6 @@ _update_record() {
+ }
+ 
+ ###############################################################################
+-
+ case $__OCF_ACTION in
+ 	usage|help)
+ 		usage
+@@ -427,6 +436,26 @@ case $__OCF_ACTION in
+ 		metadata
+ 		exit $OCF_SUCCESS
+ 		;;
++esac
++
++AWSCLI_CMD="${OCF_RESKEY_awscli}"
++if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
++	AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
++elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
++	if [ -z "${OCF_RESKEY_region}" ]; then
++		ocf_exit_reason "region needs to be set when using role-based authentication"
++		exit $OCF_ERR_CONFIGURED
++	fi
++else
++	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
++	exit $OCF_ERR_CONFIGURED
++fi
++if [ -n "${OCF_RESKEY_region}" ]; then
++	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
++fi
++AWSCLI_CMD="$AWSCLI_CMD --cli-connect-timeout 10"
++
++case $__OCF_ACTION in
+ 	start)
+ 		r53_validate || exit $?
+ 		r53_start
+diff --git a/heartbeat/awseip b/heartbeat/awseip
+index dc48460c85..49b0ca6155 100755
+--- a/heartbeat/awseip
++++ b/heartbeat/awseip
+@@ -23,7 +23,8 @@
+ #
+ #  Prerequisites:
+ #
+-#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.)
++#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.) or
++#    (AWSRole) Setup up relevant AWS Policies to allow agent related functions to be executed.
+ #  - a reserved secondary private IP address for EC2 instances high availability
+ #  - IAM user role with the following permissions:
+ #    * DescribeInstances
+@@ -44,11 +45,15 @@
+ # Defaults
+ #
+ OCF_RESKEY_awscli_default="/usr/bin/aws"
++OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
++OCF_RESKEY_region_default=""
+ OCF_RESKEY_api_delay_default="3"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
++: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
++: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
+ 
+ meta_data() {
+@@ -63,7 +68,7 @@ Resource Agent for Amazon AWS Elastic IP Addresses.
+ 
+ It manages AWS Elastic IP Addresses with awscli.
+ 
+-Credentials needs to be setup by running "aws configure".
++Credentials needs to be setup by running "aws configure", or by using AWS Policies.
+ 
+ See https://aws.amazon.com/cli/ for more information about awscli.
+ </longdesc>
+@@ -79,6 +84,15 @@ command line tools for aws services
+ <content type="string" default="${OCF_RESKEY_awscli_default}" />
+ </parameter>
+ 
++<parameter name="auth_type">
++<longdesc lang="en">
++Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
++or "role" to use AWS Policies.
++</longdesc>
++<shortdesc lang="en">Authentication type</shortdesc>
++<content type="string" default="${OCF_RESKEY_auth_type_default}" />
++</parameter>
++
+ <parameter name="profile">
+ <longdesc lang="en">
+ Valid AWS CLI profile name (see ~/.aws/config and 'aws configure')
+@@ -111,6 +125,14 @@ predefined private ip address for ec2 instance
+ <content type="string" default="" />
+ </parameter>
+ 
++<parameter name="region" required="0">
++<longdesc lang="en">
++Region for AWS resource (required for role-based authentication)
++</longdesc>
++<shortdesc lang="en">Region</shortdesc>
++<content type="string" default="${OCF_RESKEY_region_default}" />
++</parameter>
++
+ <parameter name="api_delay" unique="0">
+ <longdesc lang="en">
+ a short delay between API calls, to avoid sending API too quick
+@@ -157,13 +179,13 @@ awseip_start() {
+                 NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
+             fi
+         done
+-        $AWSCLI --profile $OCF_RESKEY_profile ec2 associate-address  \
++        $AWSCLI_CMD ec2 associate-address  \
+             --network-interface-id ${NETWORK_ID} \
+             --allocation-id ${ALLOCATION_ID} \
+             --private-ip-address ${PRIVATE_IP_ADDRESS}
+         RET=$?
+     else
+-        $AWSCLI --profile $OCF_RESKEY_profile ec2 associate-address  \
++        $AWSCLI_CMD ec2 associate-address  \
+             --instance-id ${INSTANCE_ID} \
+             --allocation-id ${ALLOCATION_ID}
+         RET=$?
+@@ -183,7 +205,7 @@ awseip_start() {
+ awseip_stop() {
+     awseip_monitor || return $OCF_SUCCESS
+ 
+-    ASSOCIATION_ID=$($AWSCLI --profile $OCF_RESKEY_profile --output json ec2 describe-addresses \
++    ASSOCIATION_ID=$($AWSCLI_CMD --output json ec2 describe-addresses \
+                          --allocation-id ${ALLOCATION_ID} | grep -m 1 "AssociationId" | awk -F'"' '{print$4}')
+ 
+     if [ -z "${ASSOCIATION_ID}" ]; then
+@@ -191,9 +213,7 @@ awseip_stop() {
+         return $OCF_NOT_RUNNING
+     fi
+ 
+-    $AWSCLI --profile ${OCF_RESKEY_profile} \
+-        ec2 disassociate-address \
+-        --association-id ${ASSOCIATION_ID}
++    $AWSCLI_CMD ec2 disassociate-address --association-id ${ASSOCIATION_ID}
+     RET=$?
+ 
+     # delay to avoid sending request too fast
+@@ -208,7 +228,7 @@ awseip_stop() {
+ }
+ 
+ awseip_monitor() {
+-    $AWSCLI --profile $OCF_RESKEY_profile ec2 describe-instances --instance-id "${INSTANCE_ID}" | grep -q "${ELASTIC_IP}"
++    $AWSCLI_CMD ec2 describe-instances --instance-id "${INSTANCE_ID}" | grep -q "${ELASTIC_IP}"
+     RET=$?
+ 
+     if [ $RET -ne 0 ]; then
+@@ -218,9 +238,9 @@ awseip_monitor() {
+ }
+ 
+ awseip_validate() {
+-    check_binary ${AWSCLI}
++    check_binary "${OCF_RESKEY_awscli}"
+ 
+-    if [ -z "$OCF_RESKEY_profile" ]; then
++    if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
+         ocf_exit_reason "profile parameter not set"
+         return $OCF_ERR_CONFIGURED
+     fi
+@@ -238,9 +258,27 @@ case $__OCF_ACTION in
+         meta_data
+         exit $OCF_SUCCESS
+         ;;
+-esac 
++    usage|help)
++        awseip_usage
++        exit $OCF_SUCCESS
++        ;;
++esac
+ 
+-AWSCLI="${OCF_RESKEY_awscli}"
++AWSCLI_CMD="${OCF_RESKEY_awscli}"
++if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
++	AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
++elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
++	if [ -z "${OCF_RESKEY_region}" ]; then
++		ocf_exit_reason "region needs to be set when using role-based authentication"
++		exit $OCF_ERR_CONFIGURED
++	fi
++else
++	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
++	exit $OCF_ERR_CONFIGURED
++fi
++if [ -n "${OCF_RESKEY_region}" ]; then
++	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
++fi
+ ELASTIC_IP="${OCF_RESKEY_elastic_ip}"
+ ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
+ PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
+@@ -272,10 +310,6 @@ case $__OCF_ACTION in
+     validate|validate-all)
+         awseip_validate
+         ;;
+-    usage|help)
+-        awseip_usage
+-        exit $OCF_SUCCESS
+-        ;;
+     *)
+         awseip_usage
+         exit $OCF_ERR_UNIMPLEMENTED
+diff --git a/heartbeat/awsvip b/heartbeat/awsvip
+index 037278e296..bdb4d68dd0 100755
+--- a/heartbeat/awsvip
++++ b/heartbeat/awsvip
+@@ -23,7 +23,8 @@
+ #
+ #  Prerequisites:
+ #
+-#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.)
++#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.) or
++#    (AWSRole) Setup up relevant AWS Policies to allow agent related functions to be executed.
+ #  - a reserved secondary private IP address for EC2 instances high availablity
+ #  - IAM user role with the following permissions:
+ #    * DescribeInstances
+@@ -43,11 +44,15 @@
+ # Defaults
+ #
+ OCF_RESKEY_awscli_default="/usr/bin/aws"
++OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
++OCF_RESKEY_region_default=""
+ OCF_RESKEY_api_delay_default="3"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
++: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
++: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
+ 
+ meta_data() {
+@@ -62,7 +67,7 @@ Resource Agent for Amazon AWS Secondary Private IP Addresses.
+ 
+ It manages AWS Secondary Private IP Addresses with awscli.
+ 
+-Credentials needs to be setup by running "aws configure".
++Credentials needs to be setup by running "aws configure", or by using AWS Policies.
+ 
+ See https://aws.amazon.com/cli/ for more information about awscli.
+ </longdesc>
+@@ -78,6 +83,15 @@ command line tools for aws services
+ <content type="string" default="${OCF_RESKEY_awscli_default}" />
+ </parameter>
+ 
++<parameter name="auth_type">
++<longdesc lang="en">
++Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
++or "role" to use AWS Policies.
++</longdesc>
++<shortdesc lang="en">Authentication type</shortdesc>
++<content type="string" default="${OCF_RESKEY_auth_type_default}" />
++</parameter>
++
+ <parameter name="profile">
+ <longdesc lang="en">
+ Valid AWS CLI profile name (see ~/.aws/config and 'aws configure')
+@@ -94,6 +108,14 @@ reserved secondary private ip for ec2 instance
+ <content type="string" default="" />
+ </parameter>
+ 
++<parameter name="region" required="0">
++<longdesc lang="en">
++Region for AWS resource (required for role-based authentication)
++</longdesc>
++<shortdesc lang="en">Region</shortdesc>
++<content type="string" default="${OCF_RESKEY_region_default}" />
++</parameter>
++
+ <parameter name="api_delay" unique="0">
+ <longdesc lang="en">
+ a short delay between API calls, to avoid sending API too quick
+@@ -131,7 +153,7 @@ END
+ awsvip_start() {
+     awsvip_monitor && return $OCF_SUCCESS
+ 
+-    $AWSCLI --profile $OCF_RESKEY_profile ec2 assign-private-ip-addresses \
++    $AWSCLI_CMD ec2 assign-private-ip-addresses \
+         --network-interface-id ${NETWORK_ID} \
+         --private-ip-addresses ${SECONDARY_PRIVATE_IP} \
+         --allow-reassignment
+@@ -151,7 +173,7 @@ awsvip_start() {
+ awsvip_stop() {
+     awsvip_monitor || return $OCF_SUCCESS
+ 
+-    $AWSCLI --profile $OCF_RESKEY_profile ec2 unassign-private-ip-addresses \
++    $AWSCLI_CMD ec2 unassign-private-ip-addresses \
+         --network-interface-id ${NETWORK_ID} \
+         --private-ip-addresses ${SECONDARY_PRIVATE_IP}
+     RET=$?
+@@ -168,7 +190,7 @@ awsvip_stop() {
+ }
+ 
+ awsvip_monitor() {
+-    $AWSCLI --profile ${OCF_RESKEY_profile} ec2 describe-instances \
++    $AWSCLI_CMD ec2 describe-instances \
+             --instance-id "${INSTANCE_ID}" \
+             --query 'Reservations[].Instances[].NetworkInterfaces[].PrivateIpAddresses[].PrivateIpAddress[]' \
+             --output text | \
+@@ -182,9 +204,9 @@ awsvip_monitor() {
+ }
+ 
+ awsvip_validate() {
+-    check_binary ${AWSCLI}
++    check_binary "${OCF_RESKEY_awscli}"
+ 
+-    if [ -z "$OCF_RESKEY_profile" ]; then
++    if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
+         ocf_exit_reason "profile parameter not set"
+         return $OCF_ERR_CONFIGURED
+     fi
+@@ -202,9 +224,27 @@ case $__OCF_ACTION in
+         meta_data
+         exit $OCF_SUCCESS
+         ;;
++    usage|help)
++        awsvip_usage
++        exit $OCF_SUCCESS
++        ;;
+ esac
+ 
+-AWSCLI="${OCF_RESKEY_awscli}"
++AWSCLI_CMD="${OCF_RESKEY_awscli}"
++if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
++	AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
++elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
++	if [ -z "${OCF_RESKEY_region}" ]; then
++		ocf_exit_reason "region needs to be set when using role-based authentication"
++		exit $OCF_ERR_CONFIGURED
++	fi
++else
++	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
++	exit $OCF_ERR_CONFIGURED
++fi
++if [ -n "${OCF_RESKEY_region}" ]; then
++	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
++fi
+ SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
+ TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+ INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
+@@ -236,10 +276,6 @@ case $__OCF_ACTION in
+     validate|validate-all)
+         awsvip_validate
+         ;;
+-    usage|help)
+-        awsvip_usage
+-        exit $OCF_SUCCESS
+-        ;;
+     *)
+         awsvip_usage
+         exit $OCF_ERR_UNIMPLEMENTED

RHEL-17072-1-storage_mon-findif-leak-unitialized-values-EOS-fixes.patch

@@ -0,0 +1,71 @@
+From 54fa7a59c36697cd8df5b619fff0b50af00df76e Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Mon, 20 Nov 2023 16:35:52 +0100
+Subject: [PATCH 1/2] storage_mon: fix file handler out of scope leak and
+ uninitialized values
+
+---
+ tools/storage_mon.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/tools/storage_mon.c b/tools/storage_mon.c
+index 1aae29e58..cc415e97f 100644
+--- a/tools/storage_mon.c
++++ b/tools/storage_mon.c
+@@ -382,9 +382,11 @@ static int write_pid_file(const char *pidfile)
+ 		syslog(LOG_ERR, "Failed to write '%s' to %s: %s", pid, pidfile, strerror(errno));
+ 		goto done;
+ 	}
+-	close(fd);
+ 	rc = 0;
+ done:
++	if (fd != -1) {
++		close(fd);
++	}
+ 	if (pid != NULL) {
+ 		free(pid);
+ 	}
+@@ -663,6 +665,7 @@ storage_mon_client(void)
+ 	snprintf(request.message, SMON_MAX_MSGSIZE, "%s", SMON_GET_RESULT_COMMAND);
+ 	request.hdr.id = 0;
+ 	request.hdr.size = sizeof(struct storage_mon_check_value_req);
++	response.hdr.id = 0;
+ 	rc = qb_ipcc_send(conn, &request, request.hdr.size);
+ 	if (rc < 0) {
+ 		syslog(LOG_ERR, "qb_ipcc_send error : %d\n", rc);
+@@ -683,7 +686,11 @@ storage_mon_client(void)
+ 	/* greater than 0	: monitoring error. 		*/
+ 	/* -1			: communication system error.	*/
+ 	/* -2                   : Not all checks completed for first device in daemon mode. */ 
+-	rc = atoi(response.message);
++	if (strnlen(response.message, 1)) {
++		rc = atoi(response.message);
++	} else {
++		rc = -1;
++	}
+ 
+ 	syslog(LOG_DEBUG, "daemon response[%d]: %s \n", response.hdr.id, response.message);
+ 
+
+From b23ba4eaefb500199c4845751f4c5545c81f42f1 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Mon, 20 Nov 2023 16:37:37 +0100
+Subject: [PATCH 2/2] findif: also check that netmaskbits != EOS
+
+---
+ tools/findif.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/findif.c b/tools/findif.c
+index a25395fec..ab108a3c4 100644
+--- a/tools/findif.c
++++ b/tools/findif.c
+@@ -669,7 +669,7 @@ main(int argc, char ** argv) {
+ 		}
+ 	}
+ 
+-	if (netmaskbits) {
++	if (netmaskbits != NULL && *netmaskbits != EOS) {
+ 		best_netmask = netmask;
+ 	}else if (best_netmask == 0L) {
+ 		/*

RHEL-17072-2-storage_mon-use-memset-to-fix-covscan-error.patch

@@ -0,0 +1,23 @@
+From cb968378959b8aa334e98daf62a1b08ef6525fb4 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Wed, 22 Nov 2023 10:32:31 +0100
+Subject: [PATCH] storage_mon: use memset() to fix "uninitialized value"
+ covscan error, as qb_ipcc_recv() will always set a message (according to
+ honzaf)
+
+---
+ tools/storage_mon.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/storage_mon.c b/tools/storage_mon.c
+index cc415e97f..a9227ef90 100644
+--- a/tools/storage_mon.c
++++ b/tools/storage_mon.c
+@@ -655,6 +655,7 @@ storage_mon_client(void)
+ 	int32_t rc;
+ 
+ 
++	memset(&response, 0, sizeof(response));
+ 	snprintf(ipcs_name, SMON_MAX_IPCSNAME, "storage_mon_%s", attrname);
+ 	conn = qb_ipcc_connect(ipcs_name, 0);
+ 	if (conn == NULL) {

bz2110038-mysql-common-improve-error-message.patch

@@ -0,0 +1,68 @@
+From fcceb714085836de9db4493b527e94d85dd72626 Mon Sep 17 00:00:00 2001
+From: ut002970 <liuxingwei@uniontech.com>
+Date: Wed, 6 Sep 2023 15:27:05 +0800
+Subject: [PATCH 1/3] modify error message
+
+---
+ heartbeat/mysql-common.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/heartbeat/mysql-common.sh b/heartbeat/mysql-common.sh
+index 8104019b03..a93acc4c60 100755
+--- a/heartbeat/mysql-common.sh
++++ b/heartbeat/mysql-common.sh
+@@ -254,7 +254,7 @@ mysql_common_start()
+     while [ $start_wait = 1 ]; do
+         if ! ps $pid > /dev/null 2>&1; then
+             wait $pid
+-            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), please check your installation"
++            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), please check your installation, log message you can check $OCF_RESKEY_log"
+             return $OCF_ERR_GENERIC
+         fi
+         mysql_common_status info
+
+From 8f9b344cd5b3cb96ea0f94b7ab0306da2234ac00 Mon Sep 17 00:00:00 2001
+From: ut002970 <liuxingwei@uniontech.com>
+Date: Wed, 6 Sep 2023 15:56:24 +0800
+Subject: [PATCH 2/3] modify error message
+
+---
+ heartbeat/mysql-common.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/heartbeat/mysql-common.sh b/heartbeat/mysql-common.sh
+index a93acc4c60..d5b2286737 100755
+--- a/heartbeat/mysql-common.sh
++++ b/heartbeat/mysql-common.sh
+@@ -254,7 +254,7 @@ mysql_common_start()
+     while [ $start_wait = 1 ]; do
+         if ! ps $pid > /dev/null 2>&1; then
+             wait $pid
+-            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), please check your installation, log message you can check $OCF_RESKEY_log"
++            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), Check $OCF_RESKEY_log for details"
+             return $OCF_ERR_GENERIC
+         fi
+         mysql_common_status info
+
+From a292b3c552bf3f2beea5f73e0d171546c0a1273c Mon Sep 17 00:00:00 2001
+From: ut002970 <liuxingwei@uniontech.com>
+Date: Wed, 6 Sep 2023 16:10:48 +0800
+Subject: [PATCH 3/3] modify error message
+
+---
+ heartbeat/mysql-common.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/heartbeat/mysql-common.sh b/heartbeat/mysql-common.sh
+index d5b2286737..d6b4e3cdf4 100755
+--- a/heartbeat/mysql-common.sh
++++ b/heartbeat/mysql-common.sh
+@@ -254,7 +254,7 @@ mysql_common_start()
+     while [ $start_wait = 1 ]; do
+         if ! ps $pid > /dev/null 2>&1; then
+             wait $pid
+-            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), Check $OCF_RESKEY_log for details"
++            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?). Check $OCF_RESKEY_log for details"
+             return $OCF_ERR_GENERIC
+         fi
+         mysql_common_status info

bz2207567-Filesystem-2-fix-incorrect-parameter-types.patch

@@ -0,0 +1,49 @@
+From 7056635f3f94c1bcaaa5ed5563dc3b0e9f6749e0 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Tue, 18 Jul 2023 14:12:27 +0200
+Subject: [PATCH] Filesystem: dont use boolean type for non-boolean parameters
+
+---
+ heartbeat/Filesystem | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/heartbeat/Filesystem b/heartbeat/Filesystem
+index ee55a4843..b9aae8d50 100755
+--- a/heartbeat/Filesystem
++++ b/heartbeat/Filesystem
+@@ -269,7 +269,7 @@ fuser cli tool. fuser is known to perform operations that can potentially
+ block if unresponsive nfs mounts are in use on the system.
+ </longdesc>
+ <shortdesc lang="en">Kill processes before unmount</shortdesc>
+-<content type="boolean" default="${OCF_RESKEY_force_unmount_default}" />
++<content type="string" default="${OCF_RESKEY_force_unmount_default}" />
+ </parameter>
+ 
+ <parameter name="term_signals">
+@@ -277,7 +277,7 @@ block if unresponsive nfs mounts are in use on the system.
+ Signals (names or numbers, whitespace separated) to send processes during graceful termination phase in stop-action.
+ </longdesc>
+ <shortdesc lang="en">Signals (names or numbers, whitespace separated) to send processes during graceful termination phase in stop-action</shortdesc>
+-<content type="boolean" default="${OCF_RESKEY_term_signals_default}" />
++<content type="string" default="${OCF_RESKEY_term_signals_default}" />
+ </parameter>
+ 
+ <parameter name="kill_signals">
+@@ -285,7 +285,7 @@ Signals (names or numbers, whitespace separated) to send processes during gracef
+ Signals (names or numbers, whitespace separated) to send processes during forceful killing phase in stop-action.
+ </longdesc>
+ <shortdesc lang="en">Signals (names or numbers, whitespace separated) to send processes during forceful killing phase in stop-action</shortdesc>
+-<content type="boolean" default="${OCF_RESKEY_kill_signals_default}" />
++<content type="string" default="${OCF_RESKEY_kill_signals_default}" />
+ </parameter>
+ 
+ <parameter name="signal_delay">
+@@ -293,7 +293,7 @@ Signals (names or numbers, whitespace separated) to send processes during forcef
+ How many seconds to wait after sending term/kill signals to processes in stop-action.
+ </longdesc>
+ <shortdesc lang="en">How many seconds to wait after sending term/kill signals to processes in stop-action</shortdesc>
+-<content type="boolean" default="${OCF_RESKEY_kill_signal_delay}" />
++<content type="string" default="${OCF_RESKEY_kill_signal_delay}" />
+ </parameter>
+ 
+ </parameters>

bz2207567-Filesystem-3-fix-signal_delay-default-value.patch

@@ -0,0 +1,23 @@
+From f779fad52e5f515ca81218da6098398bdecac286 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Thu, 20 Jul 2023 10:18:12 +0200
+Subject: [PATCH] Filesystem: fix incorrect variable name for signal_delay
+ default in metadata
+
+---
+ heartbeat/Filesystem | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/heartbeat/Filesystem b/heartbeat/Filesystem
+index b9aae8d50..066562891 100755
+--- a/heartbeat/Filesystem
++++ b/heartbeat/Filesystem
+@@ -293,7 +293,7 @@ Signals (names or numbers, whitespace separated) to send processes during forcef
+ How many seconds to wait after sending term/kill signals to processes in stop-action.
+ </longdesc>
+ <shortdesc lang="en">How many seconds to wait after sending term/kill signals to processes in stop-action</shortdesc>
+-<content type="string" default="${OCF_RESKEY_kill_signal_delay}" />
++<content type="string" default="${OCF_RESKEY_signal_delay_default}" />
+ </parameter>
+ 
+ </parameters>

bz2209433-Delay-2-remove-incorrect-statement.patch

@@ -0,0 +1,30 @@
+From fe8a807dae0398b811d1ee63ebd7202280b2b678 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Tue, 18 Jul 2023 14:51:00 +0200
+Subject: [PATCH] Delay: remove statement about defaulting to "startdelay"
+ value if not specified
+
+---
+ heartbeat/Delay | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/heartbeat/Delay b/heartbeat/Delay
+index bc6c13559..5aa8f4608 100755
+--- a/heartbeat/Delay
++++ b/heartbeat/Delay
+@@ -71,7 +71,6 @@ How long in seconds to delay on start operation.
+ <parameter name="stopdelay" unique="0"  required="0">
+ <longdesc lang="en">
+ How long in seconds to delay on stop operation.
+-Defaults to "startdelay" if unspecified.
+ </longdesc>
+ <shortdesc lang="en">Stop delay</shortdesc>
+ <content type="integer" default="${OCF_RESKEY_stopdelay_default}" />
+@@ -80,7 +79,6 @@ Defaults to "startdelay" if unspecified.
+ <parameter name="mondelay" unique="0"  required="0">
+ <longdesc lang="en">
+ How long in seconds to delay on monitor operation.
+-Defaults to "startdelay" if unspecified.
+ </longdesc>
+ <shortdesc lang="en">Monitor delay</shortdesc>
+ <content type="integer" default="${OCF_RESKEY_mondelay_default}" />

ha-cloud-support-aws.patch

@@ -7,9 +7,10 @@ diff --color -uNr a/heartbeat/awseip b/heartbeat/awseip
  #
 -OCF_RESKEY_awscli_default="/usr/bin/aws"
 +OCF_RESKEY_awscli_default="/usr/lib/fence-agents/support/awscli/bin/aws"
+ OCF_RESKEY_auth_type_default="key"
  OCF_RESKEY_profile_default="default"
+ OCF_RESKEY_region_default=""
  OCF_RESKEY_api_delay_default="3"
- 
 diff --color -uNr a/heartbeat/awsvip b/heartbeat/awsvip
 --- a/heartbeat/awsvip	2020-12-03 14:31:17.000000000 +0100
 +++ b/heartbeat/awsvip	2021-02-15 16:47:48.960632484 +0100
@@ -19,9 +20,9 @@ diff --color -uNr a/heartbeat/awsvip b/heartbeat/awsvip
  #
 -OCF_RESKEY_awscli_default="/usr/bin/aws"
 +OCF_RESKEY_awscli_default="/usr/lib/fence-agents/support/awscli/bin/aws"
+ OCF_RESKEY_auth_type_default="key"
  OCF_RESKEY_profile_default="default"
- OCF_RESKEY_api_delay_default="3"
- 
+ OCF_RESKEY_region_default=""
 diff --color -uNr a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
 --- a/heartbeat/aws-vpc-move-ip	2020-12-03 14:31:17.000000000 +0100
 +++ b/heartbeat/aws-vpc-move-ip	2021-02-15 16:47:55.484644118 +0100
@@ -31,9 +32,9 @@ diff --color -uNr a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
  # Defaults
 -OCF_RESKEY_awscli_default="/usr/bin/aws"
 +OCF_RESKEY_awscli_default="/usr/lib/fence-agents/support/awscli/bin/aws"
+ OCF_RESKEY_auth_type_default="key"
  OCF_RESKEY_profile_default="default"
  OCF_RESKEY_region_default=""
- OCF_RESKEY_ip_default=""
 diff --color -uNr a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
 --- a/heartbeat/aws-vpc-route53.in	2020-12-03 14:31:17.000000000 +0100
 +++ b/heartbeat/aws-vpc-route53.in	2021-02-15 16:47:59.808651828 +0100
@@ -43,6 +44,6 @@ diff --color -uNr a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
  # Defaults
 -OCF_RESKEY_awscli_default="/usr/bin/aws"
 +OCF_RESKEY_awscli_default="/usr/lib/fence-agents/support/awscli/bin/aws"
+ OCF_RESKEY_auth_type_default="key"
  OCF_RESKEY_profile_default="default"
- OCF_RESKEY_hostedzoneid_default=""
- OCF_RESKEY_fullname_default=""
+ OCF_RESKEY_region_default=""

resource-agents.spec

@@ -45,7 +45,7 @@
 Name:		resource-agents
 Summary:	Open Source HA Reusable Cluster Resource Scripts
 Version:	4.10.0
-Release:	41%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
+Release:	51%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
 License:	GPLv2+ and LGPLv2+
 URL:		https://github.com/ClusterLabs/resource-agents
 Source0:	%{upstream_prefix}-%{upstream_version}.tar.gz
@@ -104,8 +104,20 @@ Patch51:	bz2183133-Filesystem-fail-efs-utils-not-installed.patch
 Patch52:	bz2184779-Filesystem-systemd-drop-in-net-fs.patch
 Patch53:	bz2179003-mysql-2-fix-demoted-score-bounce.patch
 Patch54:	bz2142518-IPaddr2-IPsrcaddr-2-fix-table-parameter.patch
-Patch55:	bz2207567-Filesystem-improve-stop-action.patch
-Patch56:	bz2209433-Delay-increase-default-timeouts.patch
+Patch55:	bz2207567-Filesystem-1-improve-stop-action.patch
+Patch56:	bz2207567-Filesystem-2-fix-incorrect-parameter-types.patch
+Patch57:	bz2209433-Delay-1-increase-default-timeouts.patch
+Patch58:	bz2209433-Delay-2-remove-incorrect-statement.patch
+Patch59:	bz2207567-Filesystem-3-fix-signal_delay-default-value.patch
+Patch60:	bz2110038-mysql-common-improve-error-message.patch
+Patch61:	rhel-979-storage-mon-1-daemon-mode.patch
+Patch62:	rhel-979-storage-mon-2-remove-unnecessary-code.patch
+Patch63:	RHEL-15301-1-exportfs-make-fsid-optional.patch
+Patch64:	RHEL-15301-2-ocft-exportfs-remove-fsid-required-test.patch
+Patch65:	RHEL-15304-findif.sh-fix-loopback-handling.patch
+Patch66:	RHEL-16247-aws-vpc-move-ip-aws-vpc-route53-awseip-awsvip-auth_type-role.patch
+Patch67:	RHEL-17072-1-storage_mon-findif-leak-unitialized-values-EOS-fixes.patch
+Patch68:	RHEL-17072-2-storage_mon-use-memset-to-fix-covscan-error.patch
 
 # bundled ha-cloud-support libs
 Patch500:	ha-cloud-support-aws.patch
@@ -118,7 +130,7 @@ Provides:	heartbeat-resources = %{version}
 # Build dependencies
 BuildRequires: make
 BuildRequires: automake autoconf pkgconfig gcc
-BuildRequires: libxslt glib2-devel
+BuildRequires: libxslt glib2-devel libqb-devel
 BuildRequires: systemd
 BuildRequires: which
 
@@ -229,68 +241,80 @@ databases to be managed in a cluster environment.
 exit 1
 %endif
 %setup -q -n %{upstream_prefix}-%{upstream_version}
-%patch0 -p1 -F1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
-%patch19 -p1
-%patch20 -p1
-%patch21 -p1
-%patch22 -p1
-%patch23 -p1
-%patch24 -p1
-%patch25 -p1
-%patch26 -p1
-%patch27 -p1
-%patch28 -p1
-%patch29 -p1
-%patch30 -p1
-%patch31 -p1
-%patch32 -p1
-%patch33 -p1
-%patch34 -p1
-%patch35 -p1
-%patch36 -p1
-%patch37 -p1
-%patch38 -p1
-%patch39 -p1
-%patch40 -p1
-%patch41 -p1
-%patch42 -p1
-%patch43 -p1
-%patch44 -p1
-%patch45 -p1
-%patch46 -p1
-%patch47 -p1
-%patch48 -p1
-%patch49 -p1
-%patch50 -p1
-%patch51 -p1
-%patch52 -p1
-%patch53 -p1
-%patch54 -p1
-%patch55 -p1
-%patch56 -p1
+%patch -p1 -P 0 -F1
+%patch -p1 -P 1
+%patch -p1 -P 2
+%patch -p1 -P 3
+%patch -p1 -P 4
+%patch -p1 -P 5
+%patch -p1 -P 6
+%patch -p1 -P 7
+%patch -p1 -P 8
+%patch -p1 -P 9
+%patch -p1 -P 10
+%patch -p1 -P 11
+%patch -p1 -P 12
+%patch -p1 -P 13
+%patch -p1 -P 14
+%patch -p1 -P 15
+%patch -p1 -P 16
+%patch -p1 -P 17
+%patch -p1 -P 18
+%patch -p1 -P 19
+%patch -p1 -P 20
+%patch -p1 -P 21
+%patch -p1 -P 22
+%patch -p1 -P 23
+%patch -p1 -P 24
+%patch -p1 -P 25
+%patch -p1 -P 26
+%patch -p1 -P 27
+%patch -p1 -P 28
+%patch -p1 -P 29
+%patch -p1 -P 30
+%patch -p1 -P 31
+%patch -p1 -P 32
+%patch -p1 -P 33
+%patch -p1 -P 34
+%patch -p1 -P 35
+%patch -p1 -P 36
+%patch -p1 -P 37
+%patch -p1 -P 38
+%patch -p1 -P 39
+%patch -p1 -P 40
+%patch -p1 -P 41
+%patch -p1 -P 42
+%patch -p1 -P 43
+%patch -p1 -P 44
+%patch -p1 -P 45
+%patch -p1 -P 46
+%patch -p1 -P 47
+%patch -p1 -P 48
+%patch -p1 -P 49
+%patch -p1 -P 50
+%patch -p1 -P 51
+%patch -p1 -P 52
+%patch -p1 -P 53
+%patch -p1 -P 54
+%patch -p1 -P 55
+%patch -p1 -P 56
+%patch -p1 -P 57
+%patch -p1 -P 58
+%patch -p1 -P 59
+%patch -p1 -P 60
+%patch -p1 -P 61
+%patch -p1 -P 62
+%patch -p1 -P 63
+%patch -p1 -P 64
+%patch -p1 -P 65
+%patch -p1 -P 66
+%patch -p1 -P 67
+%patch -p1 -P 68
 
 # bundled ha-cloud-support libs
-%patch500 -p1
-%patch501 -p1
-%patch502 -p1
+%patch -p1 -P 500
+%patch -p1 -P 501
+%patch -p1 -P 502
 
 chmod 755 heartbeat/nova-compute-wait
 chmod 755 heartbeat/NovaEvacuate
@@ -607,13 +631,45 @@ rm -rf %{buildroot}/usr/share/doc/resource-agents
 %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm
 
 %changelog
-* Wed Jul 12 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-41
+* Wed Nov 22 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-51
+- storage_mon/findif: fix handler out of scope leak, unitialized value
+  and check that netmaskbits != EOS
+
+  Resolves: RHEL-17072
+
+* Fri Nov 17 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-49
+- aws-vpc-move-ip/aws-vpc-route53/awseip/awsvip: add auth_type parameter
+  and AWS Policy based authentication type
+
+  Resolves: RHEL-16247
+
+* Thu Nov  2 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-47
+- exportfs: make "fsid" parameter optional
+- findif.sh: fix loopback IP handling
+
+  Resolves: RHEL-15301
+  Resolves: RHEL-15304
+
+* Mon Oct  2 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-46
+- storage-mon: add daemon-mode to deal with I/O hangs
+
+  Resolves: RHEL-979
+
+* Wed Sep  6 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-44
+- mysql-common: improve error message
+
+  Resolves: rhbz#2110038
+
+* Thu Jul 20 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-43
 - Filesystem: improve stop-action and allow setting term/kill signals
   and signal_delay for large filesystems
+
+  Resolves: rhbz#2207567
+
+* Tue Jul 18 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-42
 - Delay: increase stop, status and monitor timeouts to 40s to avoid
   failing with default values
 
-  Resolves: rhbz#2207567
   Resolves: rhbz#2209433
 
 * Wed Jun 21 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-40

rhel-979-storage-mon-2-remove-unnecessary-code.patch

@@ -0,0 +1,36 @@
+From c3c1f1a3005f6a6d3d03d6bf0f0ac7605838146f Mon Sep 17 00:00:00 2001
+From: Hideo Yamauchi <renayama19661014@ybb.ne.jp>
+Date: Tue, 26 Sep 2023 14:02:39 +0900
+Subject: [PATCH] Low: storage-mon: Remove unnecessary code and fix typos.
+
+---
+ tools/storage_mon.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/tools/storage_mon.c b/tools/storage_mon.c
+index 1231570c8..1aae29e58 100644
+--- a/tools/storage_mon.c
++++ b/tools/storage_mon.c
+@@ -318,12 +318,7 @@ static int32_t sigchld_handler(int32_t sig, void *data)
+ 								daemon_check_first_all_devices = TRUE;
+ 							}
+ 						}
+-#if 0
+-						if (shutting_down == FALSE) {
+-							finished_count++;
+-							test_forks[index] = 0;
+-						}
+-#endif
++
+ 						finished_count++;
+ 						test_forks[index] = 0;
+ 					
+@@ -521,7 +516,7 @@ static int test_device_main(gpointer data)
+ 				}
+ 			}
+ 		} else {
+-			/* Rrun the child process timeout watch timer. */
++			/* Run the child process timeout watch timer. */
+ 			qb_loop_timer_add(storage_mon_poll_handle, QB_LOOP_MED, timeout * QB_TIME_NS_IN_SEC, NULL, child_timeout_handler, &expire_handle); 
+ 		}
+ 	}