29 changed files with 2358 additions and 182 deletions
--- a/.gitignore
+++ b/.gitignore
@ -6,6 +6,7 @@ SOURCES/aliyun-python-sdk-vpc-3.0.2.tar.gz
 SOURCES/colorama-0.3.3.tar.gz
 SOURCES/google-cloud-sdk-360.0.0-linux-x86_64.tar.gz
 SOURCES/httplib2-0.20.4.tar.gz
-SOURCES/pycryptodome-3.6.4.tar.gz
+SOURCES/pycryptodome-3.20.0.tar.gz
 SOURCES/pyparsing-2.4.7-py2.py3-none-any.whl
 SOURCES/pyroute2-0.4.13.tar.gz
+SOURCES/urllib3-1.26.18.tar.gz
--- a/.resource-agents.metadata
+++ b/.resource-agents.metadata
@ -6,6 +6,7 @@ f14647a4d37a9a254c4e711b95a7654fc418e41e SOURCES/aliyun-python-sdk-vpc-3.0.2.tar
 0fe5bd8bca54dd71223778a1e0bcca9af324abb1 SOURCES/colorama-0.3.3.tar.gz
 81f039cf075e9c8b70d5af99c189296a9e031de3 SOURCES/google-cloud-sdk-360.0.0-linux-x86_64.tar.gz
 7caf4412d9473bf17352316249a8133fa70b7e37 SOURCES/httplib2-0.20.4.tar.gz
-326a73f58a62ebee00c11a12cfdd838b196e0e8e SOURCES/pycryptodome-3.6.4.tar.gz
+c55d177e9484d974c95078d4ae945f89ba2c7251 SOURCES/pycryptodome-3.20.0.tar.gz
 c8307f47e3b75a2d02af72982a2dfefa3f56e407 SOURCES/pyparsing-2.4.7-py2.py3-none-any.whl
 147149db11104c06d405fd077dcd2aa1c345f109 SOURCES/pyroute2-0.4.13.tar.gz
+84e2852d8da1655373f7ce5e7d5d3e256b62b4e4 SOURCES/urllib3-1.26.18.tar.gz
--- a/SOURCES/7-gcp-bundled.patch
+++ b/SOURCES/7-gcp-bundled.patch
@ -1,6 +1,17 @@
+diff --color -uNr a/heartbeat/gcp-pd-move.in b/heartbeat/gcp-pd-move.in
+--- a/heartbeat/gcp-pd-move.in	2024-07-22 10:59:42.170483160 +0200
+++ b/heartbeat/gcp-pd-move.in	2024-07-22 11:01:51.455543850 +0200
+@@ -32,6 +32,7 @@
+ from ocf import logger
+ 
+ try:
+  sys.path.insert(0, '/usr/lib/resource-agents/bundled/gcp')
+   import googleapiclient.discovery
+ except ImportError:
+   pass
 diff --color -uNr a/heartbeat/gcp-vpc-move-ip.in b/heartbeat/gcp-vpc-move-ip.in
--- a/heartbeat/gcp-vpc-move-ip.in	2022-06-16 09:45:21.419090782 +0200
-+++ b/heartbeat/gcp-vpc-move-ip.in	2022-06-16 10:11:22.978648598 +0200
+--- a/heartbeat/gcp-vpc-move-ip.in	2024-07-22 10:59:42.170483160 +0200
+++ b/heartbeat/gcp-vpc-move-ip.in	2024-07-22 11:01:18.010752081 +0200
@@ -36,7 +36,7 @@
 . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
 
@ -11,8 +22,8 @@ diff --color -uNr a/heartbeat/gcp-vpc-move-ip.in b/heartbeat/gcp-vpc-move-ip.in
 OCF_RESKEY_vpc_network_default="default"
 OCF_RESKEY_interface_default="eth0"
 diff --color -uNr a/heartbeat/gcp-vpc-move-route.in b/heartbeat/gcp-vpc-move-route.in
--- a/heartbeat/gcp-vpc-move-route.in	2022-06-16 09:45:21.420090788 +0200
-+++ b/heartbeat/gcp-vpc-move-route.in	2022-06-16 10:11:22.978648598 +0200
+--- a/heartbeat/gcp-vpc-move-route.in	2024-07-22 10:59:42.170483160 +0200
+++ b/heartbeat/gcp-vpc-move-route.in	2024-07-22 11:01:18.011752105 +0200
@@ -45,6 +45,7 @@
 from ocf import *
 
@ -22,8 +33,8 @@ diff --color -uNr a/heartbeat/gcp-vpc-move-route.in b/heartbeat/gcp-vpc-move-rou
   import pyroute2
   try:
 diff --color -uNr a/heartbeat/gcp-vpc-move-vip.in b/heartbeat/gcp-vpc-move-vip.in
--- a/heartbeat/gcp-vpc-move-vip.in	2022-06-16 09:45:21.420090788 +0200
-+++ b/heartbeat/gcp-vpc-move-vip.in	2022-06-16 10:11:22.979648603 +0200
+--- a/heartbeat/gcp-vpc-move-vip.in	2024-07-22 10:59:42.170483160 +0200
+++ b/heartbeat/gcp-vpc-move-vip.in	2024-07-22 11:01:18.012752128 +0200
@@ -29,6 +29,7 @@
 from ocf import *
 
--- a/SOURCES/RHEL-15302-1-exportfs-make-fsid-optional.patch
+++ b/SOURCES/RHEL-15302-1-exportfs-make-fsid-optional.patch
@ -0,0 +1,75 @@
+From b806487ca758fce838c988767556007ecf66a6e3 Mon Sep 17 00:00:00 2001
+From: Roger Zhou <zzhou@suse.com>
+Date: Mon, 10 Apr 2023 18:08:56 +0800
+Subject: [PATCH] exportfs: make the "fsid=" parameter optional
+
+Based on feedback [1] from the kernel developer @neilbrown regarding the
+NFS clustering use case, it has been determined that the fsid= parameter
+is now considered optional and safe to omit.
+
+[1] https://bugzilla.suse.com/show_bug.cgi?id=1201271#c49
+"""
+Since some time in 2007 NFS has used the UUID of a filesystem as the
+primary identifier for that filesystem, rather than using the device
+number.  So from that time there should have been reduced need for the
+"fsid=" option.  Probably there are some filesystems that this didn't
+work for.  btrfs has been problematic at time, particularly when subvols
+are exported.  But for quite some years this has all "just worked" at
+least for the major filesystems (ext4 xfs btrfs). [...] I would suggest
+getting rid of the use of fsid= altogether. [...] I'm confident that it
+was no longer an issue in SLE-12 and similarly not in SLE-15.
+"""
+---
+ heartbeat/exportfs | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/heartbeat/exportfs b/heartbeat/exportfs
+index 2307a9e67b..435a19646b 100755
+--- a/heartbeat/exportfs
+++ b/heartbeat/exportfs
+@@ -82,7 +82,7 @@ The directory or directories to export.
+ <content type="string" />
+ </parameter>
+ 
+-<parameter name="fsid" unique="0" required="1">
+<parameter name="fsid" unique="0" required="0">
+ <longdesc lang="en">
+ The fsid option to pass to exportfs. This can be a unique positive
+ integer, a UUID (assuredly sans comma characters), or the special string
+@@ -185,6 +185,8 @@ exportfs_methods() {
+ 
+ reset_fsid() {
+ 	CURRENT_FSID=$OCF_RESKEY_fsid
+	[ -z "$CURRENT_FSID" ] && CURRENT_FSID=`echo "$OCF_RESKEY_options" | sed -n 's/.*fsid=\([^,]*\).*/\1/p'`
+	echo $CURRENT_FSID
+ }
+ bump_fsid() {
+ 	CURRENT_FSID=$((CURRENT_FSID+1))
+@@ -322,7 +324,7 @@ export_one() {
+ 	if echo "$opts" | grep fsid >/dev/null; then
+ 		#replace fsid in options list
+ 		opts=`echo "$opts" | sed "s,fsid=[^,]*,fsid=$(get_fsid),g"`
+-	else
+	elif [ -n "$OCF_RESKEY_fsid" ]; then
+ 		#tack the fsid option onto our options list.
+ 		opts="${opts}${sep}fsid=$(get_fsid)"
+ 	fi
+@@ -448,8 +450,8 @@ exportfs_validate_all ()
+ 		ocf_exit_reason "$OCF_RESKEY_fsid cannot contain a comma"
+ 		return $OCF_ERR_CONFIGURED
+ 	fi
+-	if [ $NUMDIRS -gt 1 ] &&
+-			! ocf_is_decimal "$OCF_RESKEY_fsid"; then
+	if [ $NUMDIRS -gt 1 ] && [ -n "$(reset_fsid)" ] &&
+			! ocf_is_decimal "$(reset_fsid)"; then
+ 		ocf_exit_reason "use integer fsid when exporting multiple directories"
+ 		return $OCF_ERR_CONFIGURED
+ 	fi
+@@ -485,6 +487,6 @@ done
+ OCF_RESKEY_directory="${directories%% }"
+ 
+ NUMDIRS=`echo "$OCF_RESKEY_directory" | wc -w`
+-OCF_REQUIRED_PARAMS="directory fsid clientspec"
+OCF_REQUIRED_PARAMS="directory clientspec"
+ OCF_REQUIRED_BINARIES="exportfs"
+ ocf_rarun $*
--- a/SOURCES/RHEL-15302-2-ocft-exportfs-remove-fsid-required-test.patch
+++ b/SOURCES/RHEL-15302-2-ocft-exportfs-remove-fsid-required-test.patch
@ -0,0 +1,43 @@
+From 1d1481aa6d848efab4d398ad6e74d80b5b32549f Mon Sep 17 00:00:00 2001
+From: Valentin Vidic <vvidic@debian.org>
+Date: Wed, 1 Nov 2023 18:25:45 +0100
+Subject: [PATCH] exportfs: remove test for "fsid=" parameter
+
+fsid parameter is now considered optional.
+---
+ tools/ocft/exportfs          | 5 -----
+ tools/ocft/exportfs-multidir | 5 -----
+ 2 files changed, 10 deletions(-)
+
+diff --git a/tools/ocft/exportfs b/tools/ocft/exportfs
+index 285a4b8ea0..1ec3d4c364 100644
+--- a/tools/ocft/exportfs
+++ b/tools/ocft/exportfs
+@@ -28,11 +28,6 @@ CASE "check base env"
+ 	Include prepare
+ 	AgentRun start OCF_SUCCESS
+ 
+-CASE "check base env: no 'OCF_RESKEY_fsid'"
+-	Include prepare
+-	Env OCF_RESKEY_fsid=
+-	AgentRun start OCF_ERR_CONFIGURED
+-
+ CASE "check base env: invalid 'OCF_RESKEY_directory'"
+ 	Include prepare
+ 	Env OCF_RESKEY_directory=/no_such
+diff --git a/tools/ocft/exportfs-multidir b/tools/ocft/exportfs-multidir
+index 00e41f0859..ac6d5c7f6a 100644
+--- a/tools/ocft/exportfs-multidir
+++ b/tools/ocft/exportfs-multidir
+@@ -28,11 +28,6 @@ CASE "check base env"
+ 	Include prepare
+ 	AgentRun start OCF_SUCCESS
+ 
+-CASE "check base env: no 'OCF_RESKEY_fsid'"
+-	Include prepare
+-	Env OCF_RESKEY_fsid=
+-	AgentRun start OCF_ERR_CONFIGURED
+-
+ CASE "check base env: invalid 'OCF_RESKEY_directory'"
+ 	Include prepare
+ 	Env OCF_RESKEY_directory=/no_such
--- a/SOURCES/RHEL-15305-1-findif.sh-fix-loopback-handling.patch
+++ b/SOURCES/RHEL-15305-1-findif.sh-fix-loopback-handling.patch
@ -0,0 +1,45 @@
+From e4f84ae185b6943d1ff461d53c7f1b5295783086 Mon Sep 17 00:00:00 2001
+From: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+Date: Wed, 1 Nov 2023 19:35:21 +0100
+Subject: [PATCH] findif.sh: fix loopback handling
+
+tools/ocft/IPaddr2 fails the loopback test because of the missing
+table local parameter:
+
+$ ip -o -f inet route list match 127.0.0.3 scope host
+
+$ ip -o -f inet route list match 127.0.0.3 table local scope host
+local 127.0.0.0/8 dev lo proto kernel src 127.0.0.1
+
+Also rename the function because it is called only in for the special
+loopback address case.
+---
+ heartbeat/findif.sh | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/heartbeat/findif.sh b/heartbeat/findif.sh
+index 5f1c19ec3..7c766e6e0 100644
+--- a/heartbeat/findif.sh
+++ b/heartbeat/findif.sh
+@@ -29,10 +29,10 @@ prefixcheck() {
+   fi
+   return 0
+ }
+-getnetworkinfo()
+getloopbackinfo()
+ {
+   local line netinfo
+-  ip -o -f inet route list match $OCF_RESKEY_ip table "${OCF_RESKEY_table:=main}" scope host | (while read line;
+  ip -o -f inet route list match $OCF_RESKEY_ip table local scope host | (while read line;
+   do
+     netinfo=`echo $line | awk '{print $2}'`
+     case $netinfo in
+@@ -222,7 +222,7 @@ findif()
+   if [ $# = 0 ] ; then
+     case $OCF_RESKEY_ip in
+     127.*)
+-      set -- `getnetworkinfo`
+      set -- `getloopbackinfo`
+       shift;;
+     esac
+   fi
--- a/SOURCES/RHEL-15305-2-findif.sh-dont-use-table-parameter.patch
+++ b/SOURCES/RHEL-15305-2-findif.sh-dont-use-table-parameter.patch
@ -0,0 +1,20 @@
+--- a/heartbeat/findif.sh	2024-02-08 11:31:53.414257686 +0100
+++ b/heartbeat/findif.sh	2023-11-02 10:20:12.150853167 +0100
+@@ -210,14 +210,14 @@
+   fi
+   findif_check_params $family || return $?
+ 
+-  if [ -n "$netmask" ] ; then
+  if [ -n "$netmask" ]; then
+       match=$match/$netmask
+   fi
+   if [ -n "$nic" ] ; then
+     # NIC supports more than two.
+-    set -- $(ip -o -f $family route list match $match $scope table "${OCF_RESKEY_table:=main}" | grep "dev $nic " | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
+    set -- $(ip -o -f $family route list match $match $scope | grep "dev $nic " | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
+   else
+-    set -- $(ip -o -f $family route list match $match $scope table "${OCF_RESKEY_table:=main}" | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
+    set -- $(ip -o -f $family route list match $match $scope | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
+   fi
+   if [ $# = 0 ] ; then
+     case $OCF_RESKEY_ip in
--- a/SOURCES/RHEL-16248-aws-vpc-move-ip-aws-vpc-route53-awseip-awsvip-auth_type-role.patch
+++ b/SOURCES/RHEL-16248-aws-vpc-move-ip-aws-vpc-route53-awseip-awsvip-auth_type-role.patch
@ -0,0 +1,555 @@
+From f45f76600a7e02c860566db7d1350dc3b09449c2 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Mon, 6 Nov 2023 15:49:44 +0100
+Subject: [PATCH] aws-vpc-move-ip/aws-vpc-route53/awseip/awsvip: add auth_type
+ parameter and AWS Policy based authentication type
+
+---
+ heartbeat/aws-vpc-move-ip    | 43 +++++++++++++++++++----
+ heartbeat/aws-vpc-route53.in | 47 ++++++++++++++++++++-----
+ heartbeat/awseip             | 68 +++++++++++++++++++++++++++---------
+ heartbeat/awsvip             | 60 ++++++++++++++++++++++++-------
+ 4 files changed, 173 insertions(+), 45 deletions(-)
+
+diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
+index dee040300f..54806f6eaa 100755
+--- a/heartbeat/aws-vpc-move-ip
+++ b/heartbeat/aws-vpc-move-ip
+@@ -36,6 +36,7 @@
+ 
+ # Defaults
+ OCF_RESKEY_awscli_default="/usr/bin/aws"
+OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
+ OCF_RESKEY_region_default=""
+ OCF_RESKEY_ip_default=""
+@@ -48,6 +49,7 @@ OCF_RESKEY_monapi_default="false"
+ OCF_RESKEY_lookup_type_default="InstanceId"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
+ : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_ip=${OCF_RESKEY_ip_default}}
+@@ -58,8 +60,6 @@ OCF_RESKEY_lookup_type_default="InstanceId"
+ : ${OCF_RESKEY_iflabel=${OCF_RESKEY_iflabel_default}}
+ : ${OCF_RESKEY_monapi=${OCF_RESKEY_monapi_default}}
+ : ${OCF_RESKEY_lookup_type=${OCF_RESKEY_lookup_type_default}}
+-
+-[ -n "$OCF_RESKEY_region" ] && region_opt="--region $OCF_RESKEY_region"
+ #######################################################################
+ 
+ 
+@@ -83,6 +83,10 @@ cat <<END
+ <longdesc lang="en">
+ Resource Agent to move IP addresses within a VPC of the Amazon Webservices EC2
+ by changing an entry in an specific routing table
+
+Credentials needs to be setup by running "aws configure", or by using AWS Policies.
+
+See https://aws.amazon.com/cli/ for more information about awscli.
+ </longdesc>
+ <shortdesc lang="en">Move IP within a VPC of the AWS EC2</shortdesc>
+ 
+@@ -95,6 +99,15 @@ Path to command line tools for AWS
+ <content type="string" default="${OCF_RESKEY_awscli_default}" />
+ </parameter>
+ 
+<parameter name="auth_type">
+<longdesc lang="en">
+Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
+or "role" to use AWS Policies.
+</longdesc>
+<shortdesc lang="en">Authentication type</shortdesc>
+<content type="string" default="${OCF_RESKEY_auth_type_default}" />
+</parameter>
+
+ <parameter name="profile">
+ <longdesc lang="en">
+ Valid AWS CLI profile name (see ~/.aws/config and 'aws configure')
+@@ -198,7 +211,7 @@ END
+ execute_cmd_as_role(){
+ 	cmd=$1
+ 	role=$2
+-	output="$($OCF_RESKEY_awscli sts assume-role --role-arn $role --role-session-name AWSCLI-RouteTableUpdate --profile $OCF_RESKEY_profile $region_opt --output=text)"
+	output="$($AWSCLI_CMD sts assume-role --role-arn $role --role-session-name AWSCLI-RouteTableUpdate --output=text)"
+ 	export AWS_ACCESS_KEY_ID="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $5}')"
+ 	export AWS_SECRET_ACCESS_KEY="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $7}')"
+ 	export AWS_SESSION_TOKEN="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $8}')"
+@@ -220,11 +233,11 @@ ec2ip_set_address_param_compat(){
+ }
+ 
+ ec2ip_validate() {
+-	for cmd in $OCF_RESKEY_awscli ip curl; do
+	for cmd in "$OCF_RESKEY_awscli" ip curl; do
+ 		check_binary "$cmd"
+ 	done
+ 
+-	if [ -z "$OCF_RESKEY_profile" ]; then
+	if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
+ 		ocf_exit_reason "profile parameter not set"
+ 		return $OCF_ERR_CONFIGURED
+ 	fi
+@@ -262,7 +275,7 @@ ec2ip_monitor() {
+ 		for rtb in $(echo $OCF_RESKEY_routing_table | sed -e 's/,/ /g'); do
+ 			ocf_log info "monitor: check routing table (API call) - $rtb"
+ 			if [ -z "${OCF_RESKEY_routing_table_role}" ]; then
+-				cmd="$OCF_RESKEY_awscli --profile $OCF_RESKEY_profile $region_opt --output text ec2 describe-route-tables --route-table-ids $rtb --query RouteTables[*].Routes[?DestinationCidrBlock=='$OCF_RESKEY_ip/32'].$OCF_RESKEY_lookup_type"
+				cmd="$AWSCLI_CMD --output text ec2 describe-route-tables --route-table-ids $rtb --query RouteTables[*].Routes[?DestinationCidrBlock=='$OCF_RESKEY_ip/32'].$OCF_RESKEY_lookup_type"
+ 				ocf_log debug "executing command: $cmd"
+ 				ROUTE_TO_INSTANCE="$($cmd)"
+ 			else
+@@ -368,7 +381,7 @@ ec2ip_get_and_configure() {
+ 	EC2_NETWORK_INTERFACE_ID="$(ec2ip_get_instance_eni)"
+ 	for rtb in $(echo $OCF_RESKEY_routing_table | sed -e 's/,/ /g'); do
+ 		if [ -z "${OCF_RESKEY_routing_table_role}" ]; then
+-			cmd="$OCF_RESKEY_awscli --profile $OCF_RESKEY_profile $region_opt --output text ec2 replace-route --route-table-id $rtb --destination-cidr-block ${OCF_RESKEY_ip}/32 --network-interface-id $EC2_NETWORK_INTERFACE_ID"
+			cmd="$AWSCLI_CMD --output text ec2 replace-route --route-table-id $rtb --destination-cidr-block ${OCF_RESKEY_ip}/32 --network-interface-id $EC2_NETWORK_INTERFACE_ID"
+ 			ocf_log debug "executing command: $cmd"
+ 			$cmd
+ 		else
+@@ -475,6 +488,22 @@ if ! ocf_is_root; then
+ 	exit $OCF_ERR_PERM
+ fi
+ 
+AWSCLI_CMD="${OCF_RESKEY_awscli}"
+if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
+	AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
+elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
+	if [ -z "${OCF_RESKEY_region}" ]; then
+		ocf_exit_reason "region needs to be set when using role-based authentication"
+		exit $OCF_ERR_CONFIGURED
+	fi
+else
+	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
+	exit $OCF_ERR_CONFIGURED
+fi
+if [ -n "${OCF_RESKEY_region}" ]; then
+	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
+fi
+
+ ec2ip_set_address_param_compat
+ 
+ ec2ip_validate
+diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
+index 22cbb35833..18ab157e8a 100644
+--- a/heartbeat/aws-vpc-route53.in
+++ b/heartbeat/aws-vpc-route53.in
+@@ -46,24 +46,22 @@
+ 
+ # Defaults
+ OCF_RESKEY_awscli_default="/usr/bin/aws"
+OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
+OCF_RESKEY_region_default=""
+ OCF_RESKEY_hostedzoneid_default=""
+ OCF_RESKEY_fullname_default=""
+ OCF_RESKEY_ip_default="local"
+ OCF_RESKEY_ttl_default=10
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
+: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_hostedzoneid:=${OCF_RESKEY_hostedzoneid_default}}
+ : ${OCF_RESKEY_fullname:=${OCF_RESKEY_fullname_default}}
+ : ${OCF_RESKEY_ip:=${OCF_RESKEY_ip_default}}
+ : ${OCF_RESKEY_ttl:=${OCF_RESKEY_ttl_default}}
+-#######################################################################
+-
+-
+-AWS_PROFILE_OPT="--profile $OCF_RESKEY_profile --cli-connect-timeout 10"
+-#######################################################################
+-
+ 
+ usage() {
+ 	cat <<-EOT
+@@ -123,6 +121,15 @@ Path to command line tools for AWS
+ <content type="string" default="${OCF_RESKEY_awscli_default}" />
+ </parameter>
+ 
+<parameter name="auth_type">
+<longdesc lang="en">
+Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
+or "role" to use AWS Policies.
+</longdesc>
+<shortdesc lang="en">Authentication type</shortdesc>
+<content type="string" default="${OCF_RESKEY_auth_type_default}" />
+</parameter>
+
+ <parameter name="profile">
+ <longdesc lang="en">
+ The name of the AWS CLI profile of the root account. This
+@@ -196,7 +203,7 @@ r53_validate() {
+ 
+ 	# Check for required binaries
+ 	ocf_log debug "Checking for required binaries"
+-	for command in curl dig; do
+	for command in "${OCF_RESKEY_awscli}" curl dig; do
+ 		check_binary "$command"
+ 	done
+ 
+@@ -216,7 +223,10 @@ r53_validate() {
+ 	esac
+ 
+ 	# profile
+-	[[ -z "$OCF_RESKEY_profile" ]] && ocf_log error "AWS CLI profile not set $OCF_RESKEY_profile!" && exit $OCF_ERR_CONFIGURED
+	if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
+		ocf_exit_reason "profile parameter not set"
+		return $OCF_ERR_CONFIGURED
+	fi
+ 
+ 	# TTL
+ 	[[ -z "$OCF_RESKEY_ttl" ]] && ocf_log error "TTL not set $OCF_RESKEY_ttl!" && exit $OCF_ERR_CONFIGURED
+@@ -417,7 +427,6 @@ _update_record() {
+ }
+ 
+ ###############################################################################
+-
+ case $__OCF_ACTION in
+ 	usage|help)
+ 		usage
+@@ -427,6 +436,26 @@ case $__OCF_ACTION in
+ 		metadata
+ 		exit $OCF_SUCCESS
+ 		;;
+esac
+
+AWSCLI_CMD="${OCF_RESKEY_awscli}"
+if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
+	AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
+elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
+	if [ -z "${OCF_RESKEY_region}" ]; then
+		ocf_exit_reason "region needs to be set when using role-based authentication"
+		exit $OCF_ERR_CONFIGURED
+	fi
+else
+	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
+	exit $OCF_ERR_CONFIGURED
+fi
+if [ -n "${OCF_RESKEY_region}" ]; then
+	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
+fi
+AWSCLI_CMD="$AWSCLI_CMD --cli-connect-timeout 10"
+
+case $__OCF_ACTION in
+ 	start)
+ 		r53_validate || exit $?
+ 		r53_start
+diff --git a/heartbeat/awseip b/heartbeat/awseip
+index dc48460c85..49b0ca6155 100755
+--- a/heartbeat/awseip
+++ b/heartbeat/awseip
+@@ -23,7 +23,8 @@
+ #
+ #  Prerequisites:
+ #
+-#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.)
+#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.) or
+#    (AWSRole) Setup up relevant AWS Policies to allow agent related functions to be executed.
+ #  - a reserved secondary private IP address for EC2 instances high availability
+ #  - IAM user role with the following permissions:
+ #    * DescribeInstances
+@@ -44,11 +45,15 @@
+ # Defaults
+ #
+ OCF_RESKEY_awscli_default="/usr/bin/aws"
+OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
+OCF_RESKEY_region_default=""
+ OCF_RESKEY_api_delay_default="3"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
+: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
+ 
+ meta_data() {
+@@ -63,7 +68,7 @@ Resource Agent for Amazon AWS Elastic IP Addresses.
+ 
+ It manages AWS Elastic IP Addresses with awscli.
+ 
+-Credentials needs to be setup by running "aws configure".
+Credentials needs to be setup by running "aws configure", or by using AWS Policies.
+ 
+ See https://aws.amazon.com/cli/ for more information about awscli.
+ </longdesc>
+@@ -79,6 +84,15 @@ command line tools for aws services
+ <content type="string" default="${OCF_RESKEY_awscli_default}" />
+ </parameter>
+ 
+<parameter name="auth_type">
+<longdesc lang="en">
+Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
+or "role" to use AWS Policies.
+</longdesc>
+<shortdesc lang="en">Authentication type</shortdesc>
+<content type="string" default="${OCF_RESKEY_auth_type_default}" />
+</parameter>
+
+ <parameter name="profile">
+ <longdesc lang="en">
+ Valid AWS CLI profile name (see ~/.aws/config and 'aws configure')
+@@ -111,6 +125,14 @@ predefined private ip address for ec2 instance
+ <content type="string" default="" />
+ </parameter>
+ 
+<parameter name="region" required="0">
+<longdesc lang="en">
+Region for AWS resource (required for role-based authentication)
+</longdesc>
+<shortdesc lang="en">Region</shortdesc>
+<content type="string" default="${OCF_RESKEY_region_default}" />
+</parameter>
+
+ <parameter name="api_delay" unique="0">
+ <longdesc lang="en">
+ a short delay between API calls, to avoid sending API too quick
+@@ -157,13 +179,13 @@ awseip_start() {
+                 NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
+             fi
+         done
+-        $AWSCLI --profile $OCF_RESKEY_profile ec2 associate-address  \
+        $AWSCLI_CMD ec2 associate-address  \
+             --network-interface-id ${NETWORK_ID} \
+             --allocation-id ${ALLOCATION_ID} \
+             --private-ip-address ${PRIVATE_IP_ADDRESS}
+         RET=$?
+     else
+-        $AWSCLI --profile $OCF_RESKEY_profile ec2 associate-address  \
+        $AWSCLI_CMD ec2 associate-address  \
+             --instance-id ${INSTANCE_ID} \
+             --allocation-id ${ALLOCATION_ID}
+         RET=$?
+@@ -183,7 +205,7 @@ awseip_start() {
+ awseip_stop() {
+     awseip_monitor || return $OCF_SUCCESS
+ 
+-    ASSOCIATION_ID=$($AWSCLI --profile $OCF_RESKEY_profile --output json ec2 describe-addresses \
+    ASSOCIATION_ID=$($AWSCLI_CMD --output json ec2 describe-addresses \
+                          --allocation-id ${ALLOCATION_ID} | grep -m 1 "AssociationId" | awk -F'"' '{print$4}')
+ 
+     if [ -z "${ASSOCIATION_ID}" ]; then
+@@ -191,9 +213,7 @@ awseip_stop() {
+         return $OCF_NOT_RUNNING
+     fi
+ 
+-    $AWSCLI --profile ${OCF_RESKEY_profile} \
+-        ec2 disassociate-address \
+-        --association-id ${ASSOCIATION_ID}
+    $AWSCLI_CMD ec2 disassociate-address --association-id ${ASSOCIATION_ID}
+     RET=$?
+ 
+     # delay to avoid sending request too fast
+@@ -208,7 +228,7 @@ awseip_stop() {
+ }
+ 
+ awseip_monitor() {
+-    $AWSCLI --profile $OCF_RESKEY_profile ec2 describe-instances --instance-id "${INSTANCE_ID}" | grep -q "${ELASTIC_IP}"
+    $AWSCLI_CMD ec2 describe-instances --instance-id "${INSTANCE_ID}" | grep -q "${ELASTIC_IP}"
+     RET=$?
+ 
+     if [ $RET -ne 0 ]; then
+@@ -218,9 +238,9 @@ awseip_monitor() {
+ }
+ 
+ awseip_validate() {
+-    check_binary ${AWSCLI}
+    check_binary "${OCF_RESKEY_awscli}"
+ 
+-    if [ -z "$OCF_RESKEY_profile" ]; then
+    if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
+         ocf_exit_reason "profile parameter not set"
+         return $OCF_ERR_CONFIGURED
+     fi
+@@ -238,9 +258,27 @@ case $__OCF_ACTION in
+         meta_data
+         exit $OCF_SUCCESS
+         ;;
+-esac 
+    usage|help)
+        awseip_usage
+        exit $OCF_SUCCESS
+        ;;
+esac
+ 
+-AWSCLI="${OCF_RESKEY_awscli}"
+AWSCLI_CMD="${OCF_RESKEY_awscli}"
+if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
+	AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
+elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
+	if [ -z "${OCF_RESKEY_region}" ]; then
+		ocf_exit_reason "region needs to be set when using role-based authentication"
+		exit $OCF_ERR_CONFIGURED
+	fi
+else
+	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
+	exit $OCF_ERR_CONFIGURED
+fi
+if [ -n "${OCF_RESKEY_region}" ]; then
+	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
+fi
+ ELASTIC_IP="${OCF_RESKEY_elastic_ip}"
+ ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
+ PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
+@@ -272,10 +310,6 @@ case $__OCF_ACTION in
+     validate|validate-all)
+         awseip_validate
+         ;;
+-    usage|help)
+-        awseip_usage
+-        exit $OCF_SUCCESS
+-        ;;
+     *)
+         awseip_usage
+         exit $OCF_ERR_UNIMPLEMENTED
+diff --git a/heartbeat/awsvip b/heartbeat/awsvip
+index 037278e296..bdb4d68dd0 100755
+--- a/heartbeat/awsvip
+++ b/heartbeat/awsvip
+@@ -23,7 +23,8 @@
+ #
+ #  Prerequisites:
+ #
+-#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.)
+#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.) or
+#    (AWSRole) Setup up relevant AWS Policies to allow agent related functions to be executed.
+ #  - a reserved secondary private IP address for EC2 instances high availablity
+ #  - IAM user role with the following permissions:
+ #    * DescribeInstances
+@@ -43,11 +44,15 @@
+ # Defaults
+ #
+ OCF_RESKEY_awscli_default="/usr/bin/aws"
+OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
+OCF_RESKEY_region_default=""
+ OCF_RESKEY_api_delay_default="3"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
+: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
+ 
+ meta_data() {
+@@ -62,7 +67,7 @@ Resource Agent for Amazon AWS Secondary Private IP Addresses.
+ 
+ It manages AWS Secondary Private IP Addresses with awscli.
+ 
+-Credentials needs to be setup by running "aws configure".
+Credentials needs to be setup by running "aws configure", or by using AWS Policies.
+ 
+ See https://aws.amazon.com/cli/ for more information about awscli.
+ </longdesc>
+@@ -78,6 +83,15 @@ command line tools for aws services
+ <content type="string" default="${OCF_RESKEY_awscli_default}" />
+ </parameter>
+ 
+<parameter name="auth_type">
+<longdesc lang="en">
+Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
+or "role" to use AWS Policies.
+</longdesc>
+<shortdesc lang="en">Authentication type</shortdesc>
+<content type="string" default="${OCF_RESKEY_auth_type_default}" />
+</parameter>
+
+ <parameter name="profile">
+ <longdesc lang="en">
+ Valid AWS CLI profile name (see ~/.aws/config and 'aws configure')
+@@ -94,6 +108,14 @@ reserved secondary private ip for ec2 instance
+ <content type="string" default="" />
+ </parameter>
+ 
+<parameter name="region" required="0">
+<longdesc lang="en">
+Region for AWS resource (required for role-based authentication)
+</longdesc>
+<shortdesc lang="en">Region</shortdesc>
+<content type="string" default="${OCF_RESKEY_region_default}" />
+</parameter>
+
+ <parameter name="api_delay" unique="0">
+ <longdesc lang="en">
+ a short delay between API calls, to avoid sending API too quick
+@@ -131,7 +153,7 @@ END
+ awsvip_start() {
+     awsvip_monitor && return $OCF_SUCCESS
+ 
+-    $AWSCLI --profile $OCF_RESKEY_profile ec2 assign-private-ip-addresses \
+    $AWSCLI_CMD ec2 assign-private-ip-addresses \
+         --network-interface-id ${NETWORK_ID} \
+         --private-ip-addresses ${SECONDARY_PRIVATE_IP} \
+         --allow-reassignment
+@@ -151,7 +173,7 @@ awsvip_start() {
+ awsvip_stop() {
+     awsvip_monitor || return $OCF_SUCCESS
+ 
+-    $AWSCLI --profile $OCF_RESKEY_profile ec2 unassign-private-ip-addresses \
+    $AWSCLI_CMD ec2 unassign-private-ip-addresses \
+         --network-interface-id ${NETWORK_ID} \
+         --private-ip-addresses ${SECONDARY_PRIVATE_IP}
+     RET=$?
+@@ -168,7 +190,7 @@ awsvip_stop() {
+ }
+ 
+ awsvip_monitor() {
+-    $AWSCLI --profile ${OCF_RESKEY_profile} ec2 describe-instances \
+    $AWSCLI_CMD ec2 describe-instances \
+             --instance-id "${INSTANCE_ID}" \
+             --query 'Reservations[].Instances[].NetworkInterfaces[].PrivateIpAddresses[].PrivateIpAddress[]' \
+             --output text | \
+@@ -182,9 +204,9 @@ awsvip_monitor() {
+ }
+ 
+ awsvip_validate() {
+-    check_binary ${AWSCLI}
+    check_binary "${OCF_RESKEY_awscli}"
+ 
+-    if [ -z "$OCF_RESKEY_profile" ]; then
+    if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
+         ocf_exit_reason "profile parameter not set"
+         return $OCF_ERR_CONFIGURED
+     fi
+@@ -202,9 +224,27 @@ case $__OCF_ACTION in
+         meta_data
+         exit $OCF_SUCCESS
+         ;;
+    usage|help)
+        awsvip_usage
+        exit $OCF_SUCCESS
+        ;;
+ esac
+ 
+-AWSCLI="${OCF_RESKEY_awscli}"
+AWSCLI_CMD="${OCF_RESKEY_awscli}"
+if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
+	AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
+elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
+	if [ -z "${OCF_RESKEY_region}" ]; then
+		ocf_exit_reason "region needs to be set when using role-based authentication"
+		exit $OCF_ERR_CONFIGURED
+	fi
+else
+	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
+	exit $OCF_ERR_CONFIGURED
+fi
+if [ -n "${OCF_RESKEY_region}" ]; then
+	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
+fi
+ SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
+ TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+ INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
+@@ -236,10 +276,6 @@ case $__OCF_ACTION in
+     validate|validate-all)
+         awsvip_validate
+         ;;
+-    usage|help)
+-        awsvip_usage
+-        exit $OCF_SUCCESS
+-        ;;
+     *)
+         awsvip_usage
+         exit $OCF_ERR_UNIMPLEMENTED
--- a/SOURCES/RHEL-17083-findif-EOS-fix.patch
+++ b/SOURCES/RHEL-17083-findif-EOS-fix.patch
@ -0,0 +1,22 @@
+From b23ba4eaefb500199c4845751f4c5545c81f42f1 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Mon, 20 Nov 2023 16:37:37 +0100
+Subject: [PATCH 2/2] findif: also check that netmaskbits != EOS
+
+---
+ tools/findif.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/findif.c b/tools/findif.c
+index a25395fec..ab108a3c4 100644
+--- a/tools/findif.c
+++ b/tools/findif.c
+@@ -669,7 +669,7 @@ main(int argc, char ** argv) {
+ 		}
+ 	}
+ 
+-	if (netmaskbits) {
+	if (netmaskbits != NULL && *netmaskbits != EOS) {
+ 		best_netmask = netmask;
+ 	}else if (best_netmask == 0L) {
+ 		/*
--- a/SOURCES/RHEL-32828-db2-fix-OCF_SUCESS-typo.patch
+++ b/SOURCES/RHEL-32828-db2-fix-OCF_SUCESS-typo.patch
@ -0,0 +1,23 @@
+From a9c4aeb971e9f4963345d0e215b729def62dd27c Mon Sep 17 00:00:00 2001
+From: pepadelic <162310096+pepadelic@users.noreply.github.com>
+Date: Mon, 15 Apr 2024 13:52:54 +0200
+Subject: [PATCH] Update db2: fix OCF_SUCESS name in db2_notify
+
+fix OCF_SUCESS to OCF_SUCCESS  in db2_notify
+---
+ heartbeat/db2 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/heartbeat/db2 b/heartbeat/db2
+index 95447ab6cb..1cd66f15af 100755
+--- a/heartbeat/db2
+++ b/heartbeat/db2
+@@ -848,7 +848,7 @@ db2_notify() {
+ 
+     # only interested in pre-start
+     [  $OCF_RESKEY_CRM_meta_notify_type = pre \
+-    -a $OCF_RESKEY_CRM_meta_notify_operation = start ] || return $OCF_SUCESS
+    -a $OCF_RESKEY_CRM_meta_notify_operation = start ] || return $OCF_SUCCESS
+ 
+     # gets FIRST_ACTIVE_LOG
+     db2_get_cfg $dblist || return $?
--- a/SOURCES/RHEL-34137-aws-agents-use-curl_retry.patch
+++ b/SOURCES/RHEL-34137-aws-agents-use-curl_retry.patch
@ -0,0 +1,343 @@
+From fc0657b936f6a58f741e33f851b22f82bc68bffa Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Tue, 6 Feb 2024 13:28:12 +0100
+Subject: [PATCH 1/2] ocf-shellfuncs: add curl_retry()
+
+---
+ heartbeat/ocf-shellfuncs.in | 34 ++++++++++++++++++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+
+diff --git a/heartbeat/ocf-shellfuncs.in b/heartbeat/ocf-shellfuncs.in
+index c5edb6f57..a69a9743d 100644
+--- a/heartbeat/ocf-shellfuncs.in
+++ b/heartbeat/ocf-shellfuncs.in
+@@ -672,6 +672,40 @@ EOF
+ 	systemctl daemon-reload
+ }
+ 
+# usage: curl_retry RETRIES SLEEP ARGS URL
+#
+# Use --show-error in ARGS to log HTTP error code
+#
+# returns:
+#    0  success
+# exit:
+#    1  fail
+curl_retry()
+{
+	local retries=$1 sleep=$2 opts=$3 url=$4
+	local tries=$(($retries + 1))
+	local args="--fail $opts $url"
+	local result rc
+
+	for try in $(seq $tries); do
+		ocf_log debug "curl $args try $try of $tries"
+		result=$(echo "$args" | xargs curl 2>&1)
+		rc=$?
+
+		ocf_log debug "result: $result"
+		[ $rc -eq 0 ] && break
+		sleep $sleep
+	done
+
+	if [ $rc -ne 0 ]; then
+		ocf_exit_reason "curl $args failed $tries tries"
+		exit $OCF_ERR_GENERIC
+	fi
+
+	echo "$result"
+	return $rc
+}
+
+ # usage: crm_mon_no_validation args...
+ # run crm_mon without any cib schema validation
+ # This is useful when an agent runs in a bundle to avoid potential
+
+From 80d330557319bdae9e45aad1279e435fc481d4e7 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Tue, 6 Feb 2024 13:28:25 +0100
+Subject: [PATCH 2/2] AWS agents: use curl_retry()
+
+---
+ heartbeat/aws-vpc-move-ip    | 35 ++++++++++++++++++++++++++---------
+ heartbeat/aws-vpc-route53.in | 27 +++++++++++++++++++++++++--
+ heartbeat/awseip             | 36 +++++++++++++++++++++++++++++++-----
+ heartbeat/awsvip             | 32 ++++++++++++++++++++++++++++----
+ 4 files changed, 110 insertions(+), 20 deletions(-)
+
+diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
+index 54806f6ea..6115e5ba8 100755
+--- a/heartbeat/aws-vpc-move-ip
+++ b/heartbeat/aws-vpc-move-ip
+@@ -47,6 +47,8 @@ OCF_RESKEY_interface_default="eth0"
+ OCF_RESKEY_iflabel_default=""
+ OCF_RESKEY_monapi_default="false"
+ OCF_RESKEY_lookup_type_default="InstanceId"
+OCF_RESKEY_curl_retries_default="3"
+OCF_RESKEY_curl_sleep_default="1"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+ : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+@@ -60,6 +62,8 @@ OCF_RESKEY_lookup_type_default="InstanceId"
+ : ${OCF_RESKEY_iflabel=${OCF_RESKEY_iflabel_default}}
+ : ${OCF_RESKEY_monapi=${OCF_RESKEY_monapi_default}}
+ : ${OCF_RESKEY_lookup_type=${OCF_RESKEY_lookup_type_default}}
+: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
+: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
+ #######################################################################
+ 
+ 
+@@ -194,6 +198,22 @@ Name of resource type to lookup in route table.
+ <content type="string" default="${OCF_RESKEY_lookup_type_default}" />
+ </parameter>
+ 
+<parameter name="curl_retries" unique="0">
+<longdesc lang="en">
+curl retries before failing
+</longdesc>
+<shortdesc lang="en">curl retries</shortdesc>
+<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
+</parameter>
+
+<parameter name="curl_sleep" unique="0">
+<longdesc lang="en">
+curl sleep between tries
+</longdesc>
+<shortdesc lang="en">curl sleep</shortdesc>
+<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
+</parameter>
+
+ </parameters>
+ 
+ <actions>
+@@ -250,8 +270,10 @@ ec2ip_validate() {
+ 		fi
+ 	fi
+ 
+-	TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+-	EC2_INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
+	TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
+	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+	EC2_INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
+	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ 
+ 	if [ -z "${EC2_INSTANCE_ID}" ]; then
+ 		ocf_exit_reason "Instance ID not found. Is this a EC2 instance?"
+@@ -365,14 +387,9 @@ ec2ip_get_instance_eni() {
+ 	fi
+ 	ocf_log debug "MAC address associated with interface ${OCF_RESKEY_interface}: ${MAC_ADDR}"
+ 
+-	cmd="curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDR}/interface-id -H \"X-aws-ec2-metadata-token: $TOKEN\""
+-	ocf_log debug "executing command: $cmd"
+	cmd="curl_retry \"$OCF_RESKEY_curl_retries\" \"$OCF_RESKEY_curl_sleep\" \"--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'\" \"http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDR}/interface-id\""
+ 	EC2_NETWORK_INTERFACE_ID="$(eval $cmd)"
+-	rc=$?
+-	if [ $rc != 0 ]; then
+-		ocf_log warn "command failed, rc: $rc"
+-		return $OCF_ERR_GENERIC
+-	fi
+	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ 	ocf_log debug "network interface id associated MAC address ${MAC_ADDR}: ${EC2_NETWORK_INTERFACE_ID}"
+ 	echo $EC2_NETWORK_INTERFACE_ID
+ }
+diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
+index 18ab157e8..eba2ed95c 100644
+--- a/heartbeat/aws-vpc-route53.in
+++ b/heartbeat/aws-vpc-route53.in
+@@ -53,6 +53,8 @@ OCF_RESKEY_hostedzoneid_default=""
+ OCF_RESKEY_fullname_default=""
+ OCF_RESKEY_ip_default="local"
+ OCF_RESKEY_ttl_default=10
+OCF_RESKEY_curl_retries_default="3"
+OCF_RESKEY_curl_sleep_default="1"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+ : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+@@ -62,6 +64,8 @@ OCF_RESKEY_ttl_default=10
+ : ${OCF_RESKEY_fullname:=${OCF_RESKEY_fullname_default}}
+ : ${OCF_RESKEY_ip:=${OCF_RESKEY_ip_default}}
+ : ${OCF_RESKEY_ttl:=${OCF_RESKEY_ttl_default}}
+: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
+: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
+ 
+ usage() {
+ 	cat <<-EOT
+@@ -185,6 +189,22 @@ Time to live for Route53 ARECORD
+ <shortdesc lang="en">ARECORD TTL</shortdesc>
+ <content type="string" default="${OCF_RESKEY_ttl_default}" />
+ </parameter>
+
+<parameter name="curl_retries" unique="0">
+<longdesc lang="en">
+curl retries before failing
+</longdesc>
+<shortdesc lang="en">curl retries</shortdesc>
+<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
+</parameter>
+
+<parameter name="curl_sleep" unique="0">
+<longdesc lang="en">
+curl sleep between tries
+</longdesc>
+<shortdesc lang="en">curl sleep</shortdesc>
+<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
+</parameter>
+ </parameters>
+ 
+ <actions>
+@@ -357,8 +377,11 @@ r53_monitor() {
+ _get_ip() {
+ 	case $OCF_RESKEY_ip in
+ 		local|public)
+-			TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+-			IPADDRESS=$(curl -s http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4 -H "X-aws-ec2-metadata-token: $TOKEN");;
+			TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
+			[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+			IPADDRESS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4")
+			[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+			;;
+ 		*.*.*.*)
+ 			IPADDRESS="${OCF_RESKEY_ip}";;
+ 	esac
+diff --git a/heartbeat/awseip b/heartbeat/awseip
+index 49b0ca615..ffb6223a1 100755
+--- a/heartbeat/awseip
+++ b/heartbeat/awseip
+@@ -49,12 +49,16 @@ OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
+ OCF_RESKEY_region_default=""
+ OCF_RESKEY_api_delay_default="3"
+OCF_RESKEY_curl_retries_default="3"
+OCF_RESKEY_curl_sleep_default="1"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+ : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
+ : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
+: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
+: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
+ 
+ meta_data() {
+     cat <<END
+@@ -141,6 +145,22 @@ a short delay between API calls, to avoid sending API too quick
+ <content type="integer" default="${OCF_RESKEY_api_delay_default}" />
+ </parameter>
+ 
+<parameter name="curl_retries" unique="0">
+<longdesc lang="en">
+curl retries before failing
+</longdesc>
+<shortdesc lang="en">curl retries</shortdesc>
+<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
+</parameter>
+
+<parameter name="curl_sleep" unique="0">
+<longdesc lang="en">
+curl sleep between tries
+</longdesc>
+<shortdesc lang="en">curl sleep</shortdesc>
+<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
+</parameter>
+
+ </parameters>
+ 
+ <actions>
+@@ -171,14 +191,18 @@ awseip_start() {
+     awseip_monitor && return $OCF_SUCCESS
+ 
+     if [ -n "${PRIVATE_IP_ADDRESS}" ]; then
+-        NETWORK_INTERFACES_MACS=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/ -H "X-aws-ec2-metadata-token: $TOKEN")
+        NETWORK_INTERFACES_MACS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "-s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/")
+         for MAC in ${NETWORK_INTERFACES_MACS}; do
+-            curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/local-ipv4s -H "X-aws-ec2-metadata-token: $TOKEN" |
+            curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "-s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC%/*}/local-ipv4s" |
+                 grep -q "^${PRIVATE_IP_ADDRESS}$"
+             if [ $? -eq 0 ]; then
+-                NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
+                NETWORK_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "-s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC%/*}/interface-id")
+             fi
+         done
+        if [ -z "$NETWORK_ID" ]; then
+            ocf_exit_reason "Could not find network interface for private_ip_address: $PRIVATE_IP_ADDRESS"
+            exit $OCF_ERR_GENERIC
+        fi
+         $AWSCLI_CMD ec2 associate-address  \
+             --network-interface-id ${NETWORK_ID} \
+             --allocation-id ${ALLOCATION_ID} \
+@@ -282,8 +306,10 @@ fi
+ ELASTIC_IP="${OCF_RESKEY_elastic_ip}"
+ ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
+ PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
+-TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+-INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
+TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ 
+ case $__OCF_ACTION in
+     start)
+diff --git a/heartbeat/awsvip b/heartbeat/awsvip
+index bdb4d68dd..f2b238a0f 100755
+--- a/heartbeat/awsvip
+++ b/heartbeat/awsvip
+@@ -48,12 +48,16 @@ OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
+ OCF_RESKEY_region_default=""
+ OCF_RESKEY_api_delay_default="3"
+OCF_RESKEY_curl_retries_default="3"
+OCF_RESKEY_curl_sleep_default="1"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+ : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
+ : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
+: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
+: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
+ 
+ meta_data() {
+     cat <<END
+@@ -124,6 +128,22 @@ a short delay between API calls, to avoid sending API too quick
+ <content type="integer" default="${OCF_RESKEY_api_delay_default}" />
+ </parameter>
+ 
+<parameter name="curl_retries" unique="0">
+<longdesc lang="en">
+curl retries before failing
+</longdesc>
+<shortdesc lang="en">curl retries</shortdesc>
+<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
+</parameter>
+
+<parameter name="curl_sleep" unique="0">
+<longdesc lang="en">
+curl sleep between tries
+</longdesc>
+<shortdesc lang="en">curl sleep</shortdesc>
+<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
+</parameter>
+
+ </parameters>
+ 
+ <actions>
+@@ -246,10 +266,14 @@ if [ -n "${OCF_RESKEY_region}" ]; then
+ 	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
+ fi
+ SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
+-TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+-INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
+-MAC_ADDRESS=$(curl -s http://169.254.169.254/latest/meta-data/mac -H "X-aws-ec2-metadata-token: $TOKEN")
+-NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDRESS}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
+TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+MAC_ADDRESS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/mac")
+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+NETWORK_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDRESS}/interface-id")
+[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ 
+ case $__OCF_ACTION in
+     start)
--- a/SOURCES/RHEL-44923-aliyun-gcp-fix-bundled-urllib3-CVE-2024-37891.patch
+++ b/SOURCES/RHEL-44923-aliyun-gcp-fix-bundled-urllib3-CVE-2024-37891.patch
@ -0,0 +1,48 @@
+From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Mon, 17 Jun 2024 11:09:06 +0400
+Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
+
+* Strip Proxy-Authorization header on redirects
+
+* Fix test_retry_default_remove_headers_on_redirect
+
+* Set release date
+---
+ CHANGES.rst                               |  5 +++++
+ src/urllib3/util/retry.py                 |  4 +++-
+ test/test_retry.py                        |  6 ++++-
+ test/with_dummyserver/test_poolmanager.py | 27 ++++++++++++++++++++---
+ 4 files changed, 37 insertions(+), 5 deletions(-)
+
+diff --git a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py
+index 7a76a4a6ad..0456cceba4 100644
+--- a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py
+++ b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py
+@@ -189,7 +189,9 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
+        ["Cookie", "Authorization", "Proxy-Authorization"]
+    )
+ 
+     #: Default maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
+
+diff --git a/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py b/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py
+index 7a76a4a6ad..0456cceba4 100644
+--- a/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py
+++ b/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py
+@@ -189,7 +189,9 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
+        ["Cookie", "Authorization", "Proxy-Authorization"]
+    )
+ 
+     #: Default maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
--- a/SOURCES/RHEL-50360-setuptools-fix-CVE-2024-6345.patch
+++ b/SOURCES/RHEL-50360-setuptools-fix-CVE-2024-6345.patch
@ -0,0 +1,201 @@
+--- a/setuptools/package_index.py	1980-01-01 09:00:00.000000000 +0100
+++ b/setuptools/package_index.py	2024-07-25 10:11:40.537307665 +0200
+@@ -1,5 +1,6 @@
+ """PyPI and direct package downloading"""
+ import sys
+import subprocess
+ import os
+ import re
+ import shutil
+@@ -563,7 +564,7 @@
+             scheme = URL_SCHEME(spec)
+             if scheme:
+                 # It's a url, download it to tmpdir
+-                found = self._download_url(scheme.group(1), spec, tmpdir)
+                found = self._download_url(spec, tmpdir)
+                 base, fragment = egg_info_for_url(spec)
+                 if base.endswith('.py'):
+                     found = self.gen_setup(found, fragment, tmpdir)
+@@ -775,7 +776,7 @@
+                 raise DistutilsError("Download error for %s: %s"
+                                      % (url, v))
+ 
+-    def _download_url(self, scheme, url, tmpdir):
+    def _download_url(self, url, tmpdir):
+         # Determine download filename
+         #
+         name, fragment = egg_info_for_url(url)
+@@ -790,19 +791,59 @@
+ 
+         filename = os.path.join(tmpdir, name)
+ 
+-        # Download the file
+-        #
+-        if scheme == 'svn' or scheme.startswith('svn+'):
+-            return self._download_svn(url, filename)
+-        elif scheme == 'git' or scheme.startswith('git+'):
+-            return self._download_git(url, filename)
+-        elif scheme.startswith('hg+'):
+-            return self._download_hg(url, filename)
+-        elif scheme == 'file':
+-            return urllib.request.url2pathname(urllib.parse.urlparse(url)[2])
+-        else:
+-            self.url_ok(url, True)  # raises error if not allowed
+-            return self._attempt_download(url, filename)
+        return self._download_vcs(url, filename) or self._download_other(url, filename)
+
+    @staticmethod
+    def _resolve_vcs(url):
+        """
+        >>> rvcs = PackageIndex._resolve_vcs
+        >>> rvcs('git+http://foo/bar')
+        'git'
+        >>> rvcs('hg+https://foo/bar')
+        'hg'
+        >>> rvcs('git:myhost')
+        'git'
+        >>> rvcs('hg:myhost')
+        >>> rvcs('http://foo/bar')
+        """
+        scheme = urllib.parse.urlsplit(url).scheme
+        pre, sep, post = scheme.partition('+')
+        # svn and git have their own protocol; hg does not
+        allowed = set(['svn', 'git'] + ['hg'] * bool(sep))
+        return next(iter({pre} & allowed), None)
+
+    def _download_vcs(self, url, spec_filename):
+        vcs = self._resolve_vcs(url)
+        if not vcs:
+            return
+        if vcs == 'svn':
+            raise DistutilsError(
+                f"Invalid config, SVN download is not supported: {url}"
+            )
+
+        filename, _, _ = spec_filename.partition('#')
+        url, rev = self._vcs_split_rev_from_url(url)
+
+        self.info(f"Doing {vcs} clone from {url} to {filename}")
+        subprocess.check_call([vcs, 'clone', '--quiet', url, filename])
+
+        co_commands = dict(
+            git=[vcs, '-C', filename, 'checkout', '--quiet', rev],
+            hg=[vcs, '--cwd', filename, 'up', '-C', '-r', rev, '-q'],
+        )
+        if rev is not None:
+            self.info(f"Checking out {rev}")
+            subprocess.check_call(co_commands[vcs])
+
+        return filename
+
+    def _download_other(self, url, filename):
+        scheme = urllib.parse.urlsplit(url).scheme
+        if scheme == 'file':  # pragma: no cover
+            return urllib.request.url2pathname(urllib.parse.urlparse(url).path)
+        # raise error if not allowed
+        self.url_ok(url, True)
+        return self._attempt_download(url, filename)
+ 
+     def scan_url(self, url):
+         self.process_url(url, True)
+@@ -829,76 +870,37 @@
+         os.unlink(filename)
+         raise DistutilsError("Unexpected HTML page found at " + url)
+ 
+-    def _download_svn(self, url, filename):
+-        url = url.split('#', 1)[0]  # remove any fragment for svn's sake
+-        creds = ''
+-        if url.lower().startswith('svn:') and '@' in url:
+-            scheme, netloc, path, p, q, f = urllib.parse.urlparse(url)
+-            if not netloc and path.startswith('//') and '/' in path[2:]:
+-                netloc, path = path[2:].split('/', 1)
+-                auth, host = splituser(netloc)
+-                if auth:
+-                    if ':' in auth:
+-                        user, pw = auth.split(':', 1)
+-                        creds = " --username=%s --password=%s" % (user, pw)
+-                    else:
+-                        creds = " --username=" + auth
+-                    netloc = host
+-                    parts = scheme, netloc, url, p, q, f
+-                    url = urllib.parse.urlunparse(parts)
+-        self.info("Doing subversion checkout from %s to %s", url, filename)
+-        os.system("svn checkout%s -q %s %s" % (creds, url, filename))
+-        return filename
+-
+     @staticmethod
+-    def _vcs_split_rev_from_url(url, pop_prefix=False):
+-        scheme, netloc, path, query, frag = urllib.parse.urlsplit(url)
+-
+-        scheme = scheme.split('+', 1)[-1]
+-
+-        # Some fragment identification fails
+-        path = path.split('#', 1)[0]
+-
+-        rev = None
+-        if '@' in path:
+-            path, rev = path.rsplit('@', 1)
+-
+-        # Also, discard fragment
+-        url = urllib.parse.urlunsplit((scheme, netloc, path, query, ''))
+-
+-        return url, rev
+-
+-    def _download_git(self, url, filename):
+-        filename = filename.split('#', 1)[0]
+-        url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
+-
+-        self.info("Doing git clone from %s to %s", url, filename)
+-        os.system("git clone --quiet %s %s" % (url, filename))
+    def _vcs_split_rev_from_url(url):
+        """
+        Given a possible VCS URL, return a clean URL and resolved revision if any.
+ 
+-        if rev is not None:
+-            self.info("Checking out %s", rev)
+-            os.system("(cd %s && git checkout --quiet %s)" % (
+-                filename,
+-                rev,
+-            ))
+        >>> vsrfu = PackageIndex._vcs_split_rev_from_url
+        >>> vsrfu('git+https://github.com/pypa/setuptools@v69.0.0#egg-info=setuptools')
+        ('https://github.com/pypa/setuptools', 'v69.0.0')
+        >>> vsrfu('git+https://github.com/pypa/setuptools#egg-info=setuptools')
+        ('https://github.com/pypa/setuptools', None)
+        >>> vsrfu('http://foo/bar')
+        ('http://foo/bar', None)
+        """
+        parts = urllib.parse.urlsplit(url)
+ 
+-        return filename
+        clean_scheme = parts.scheme.split('+', 1)[-1]
+ 
+-    def _download_hg(self, url, filename):
+-        filename = filename.split('#', 1)[0]
+-        url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
+        # Some fragment identification fails
+        no_fragment_path, _, _ = parts.path.partition('#')
+ 
+-        self.info("Doing hg clone from %s to %s", url, filename)
+-        os.system("hg clone --quiet %s %s" % (url, filename))
+        pre, sep, post = no_fragment_path.rpartition('@')
+        clean_path, rev = (pre, post) if sep else (post, None)
+ 
+-        if rev is not None:
+-            self.info("Updating to %s", rev)
+-            os.system("(cd %s && hg up -C -r %s >&-)" % (
+-                filename,
+-                rev,
+-            ))
+        resolved = parts._replace(
+            scheme=clean_scheme,
+            path=clean_path,
+            # discard the fragment
+            fragment='',
+        ).geturl()
+ 
+-        return filename
+        return resolved, rev
+ 
+     def debug(self, msg, *args):
+         log.debug(msg, *args)
--- a/SOURCES/RHEL-61138-nfsserver-also-stop-rpc-statd-for-nfsv4_only.patch
+++ b/SOURCES/RHEL-61138-nfsserver-also-stop-rpc-statd-for-nfsv4_only.patch
@ -0,0 +1,38 @@
+From 38eaf00bc81af7530c56eba282918762a47a9326 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Thu, 19 Sep 2024 13:01:53 +0200
+Subject: [PATCH] nfsserver: also stop rpc-statd for nfsv4_only to avoid stop
+ failing in some cases
+
+E.g. nfs_no_notify=true nfsv4_only=true nfs_shared_infodir=/nfsmq/nfsinfo would cause a "Failed to unmount a bind mount" error
+---
+ heartbeat/nfsserver | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/heartbeat/nfsserver b/heartbeat/nfsserver
+index 5793d7a70..fd9268afc 100755
+--- a/heartbeat/nfsserver
+++ b/heartbeat/nfsserver
+@@ -947,15 +947,13 @@ nfsserver_stop ()
+ 			sleep 1
+ 		  done
+ 
+-		  if ! ocf_is_true "$OCF_RESKEY_nfsv4_only"; then
+-			nfs_exec stop rpc-statd > /dev/null 2>&1
+-			ocf_log info "Stop: rpc-statd"
+-			rpcinfo -t localhost 100024 > /dev/null 2>&1
+-			rc=$?
+-			if [ "$rc" -eq "0" ]; then
+-				ocf_exit_reason "Failed to stop rpc-statd"
+-				return $OCF_ERR_GENERIC
+-			fi
+		  nfs_exec stop rpc-statd > /dev/null 2>&1
+		  ocf_log info "Stop: rpc-statd"
+		  rpcinfo -t localhost 100024 > /dev/null 2>&1
+		  rc=$?
+		  if [ "$rc" -eq "0" ]; then
+		  	ocf_exit_reason "Failed to stop rpc-statd"
+		  	return $OCF_ERR_GENERIC
+ 		  fi
+ 
+ 		  nfs_exec stop nfs-idmapd > /dev/null 2>&1
--- a/SOURCES/bz1904465-mysql-common-improve-error-message.patch
+++ b/SOURCES/bz1904465-mysql-common-improve-error-message.patch
@ -0,0 +1,68 @@
+From fcceb714085836de9db4493b527e94d85dd72626 Mon Sep 17 00:00:00 2001
+From: ut002970 <liuxingwei@uniontech.com>
+Date: Wed, 6 Sep 2023 15:27:05 +0800
+Subject: [PATCH 1/3] modify error message
+
+---
+ heartbeat/mysql-common.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/heartbeat/mysql-common.sh b/heartbeat/mysql-common.sh
+index 8104019b03..a93acc4c60 100755
+--- a/heartbeat/mysql-common.sh
+++ b/heartbeat/mysql-common.sh
+@@ -254,7 +254,7 @@ mysql_common_start()
+     while [ $start_wait = 1 ]; do
+         if ! ps $pid > /dev/null 2>&1; then
+             wait $pid
+-            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), please check your installation"
+            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), please check your installation, log message you can check $OCF_RESKEY_log"
+             return $OCF_ERR_GENERIC
+         fi
+         mysql_common_status info
+
+From 8f9b344cd5b3cb96ea0f94b7ab0306da2234ac00 Mon Sep 17 00:00:00 2001
+From: ut002970 <liuxingwei@uniontech.com>
+Date: Wed, 6 Sep 2023 15:56:24 +0800
+Subject: [PATCH 2/3] modify error message
+
+---
+ heartbeat/mysql-common.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/heartbeat/mysql-common.sh b/heartbeat/mysql-common.sh
+index a93acc4c60..d5b2286737 100755
+--- a/heartbeat/mysql-common.sh
+++ b/heartbeat/mysql-common.sh
+@@ -254,7 +254,7 @@ mysql_common_start()
+     while [ $start_wait = 1 ]; do
+         if ! ps $pid > /dev/null 2>&1; then
+             wait $pid
+-            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), please check your installation, log message you can check $OCF_RESKEY_log"
+            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), Check $OCF_RESKEY_log for details"
+             return $OCF_ERR_GENERIC
+         fi
+         mysql_common_status info
+
+From a292b3c552bf3f2beea5f73e0d171546c0a1273c Mon Sep 17 00:00:00 2001
+From: ut002970 <liuxingwei@uniontech.com>
+Date: Wed, 6 Sep 2023 16:10:48 +0800
+Subject: [PATCH 3/3] modify error message
+
+---
+ heartbeat/mysql-common.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/heartbeat/mysql-common.sh b/heartbeat/mysql-common.sh
+index d5b2286737..d6b4e3cdf4 100755
+--- a/heartbeat/mysql-common.sh
+++ b/heartbeat/mysql-common.sh
+@@ -254,7 +254,7 @@ mysql_common_start()
+     while [ $start_wait = 1 ]; do
+         if ! ps $pid > /dev/null 2>&1; then
+             wait $pid
+-            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?), Check $OCF_RESKEY_log for details"
+            ocf_exit_reason "MySQL server failed to start (pid=$pid) (rc=$?). Check $OCF_RESKEY_log for details"
+             return $OCF_ERR_GENERIC
+         fi
+         mysql_common_status info
--- a/SOURCES/bz2039692-mysql-1-replication-fixes.patch
+++ b/SOURCES/bz2039692-mysql-1-replication-fixes.patch
@ -0,0 +1,70 @@
+From 706b48fd93a75a582c538013aea1418b6ed69dd0 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Thu, 9 Mar 2023 15:57:59 +0100
+Subject: [PATCH] mysql: promotable fixes to avoid nodes getting bounced around
+ by setting -v 1/-v 2, and added OCF_CHECK_LEVEL=10 for promotable resources
+ to be able to distinguish between promoted and not
+
+---
+ heartbeat/mysql | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/heartbeat/mysql b/heartbeat/mysql
+index 9ab49ab20e..29ed427319 100755
+--- a/heartbeat/mysql
+++ b/heartbeat/mysql
+@@ -757,6 +757,10 @@ mysql_monitor() {
+         status_loglevel="info"
+     fi
+ 
+    if ocf_is_ms; then
+        OCF_CHECK_LEVEL=10
+    fi
+
+     mysql_common_status $status_loglevel
+     rc=$?
+ 
+@@ -777,7 +781,13 @@ mysql_monitor() {
+         return $rc
+     fi
+ 
+-    if [ $OCF_CHECK_LEVEL -gt 0 -a -n "$OCF_RESKEY_test_table" ]; then
+    if [ $OCF_CHECK_LEVEL -eq 10 ]; then
+        if [ -z "$OCF_RESKEY_test_table" ]; then
+            ocf_exit_reason "test_table not set"
+            return $OCF_ERR_CONFIGURED
+
+        fi
+
+         # Check if this instance is configured as a slave, and if so
+         # check slave status
+         if is_slave; then
+@@ -795,18 +805,16 @@ mysql_monitor() {
+             ocf_exit_reason "Failed to select from $test_table";
+             return $OCF_ERR_GENERIC;
+         fi
+-    else
+-        # In case no exnteded tests are enabled and we are in master/slave mode _always_ set the master score to 1 if we reached this point
+-        ocf_is_ms && $CRM_MASTER -v 1
+     fi
+ 
+     if ocf_is_ms && ! get_read_only; then
+         ocf_log debug "MySQL monitor succeeded (master)";
+         # Always set master score for the master
+-        $CRM_MASTER -v 2
+        $CRM_MASTER -v $((${OCF_RESKEY_max_slave_lag}+1))
+         return $OCF_RUNNING_MASTER
+     else
+         ocf_log debug "MySQL monitor succeeded";
+        ocf_is_ms && $CRM_MASTER -v 1
+         return $OCF_SUCCESS
+     fi
+ }
+@@ -873,7 +881,6 @@ mysql_start() {
+         # preference set by the administrator. We choose a low
+         # greater-than-zero preference.
+         $CRM_MASTER -v 1
+-
+     fi
+ 
+     # Initial monitor action
--- a/SOURCES/bz2039692-mysql-2-fix-demoted-score-bounce.patch
+++ b/SOURCES/bz2039692-mysql-2-fix-demoted-score-bounce.patch
@ -0,0 +1,32 @@
+From 34483f8029ea9ab25220cfee71d53adaf5aacaa0 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Wed, 14 Jun 2023 14:37:01 +0200
+Subject: [PATCH] mysql: fix promotion_score bouncing between ~3600 and 1 on
+ demoted nodes
+
+---
+ heartbeat/mysql | 11 -----------
+ 1 file changed, 11 deletions(-)
+
+diff --git a/heartbeat/mysql b/heartbeat/mysql
+index 29ed42731..1df2fc0f2 100755
+--- a/heartbeat/mysql
+++ b/heartbeat/mysql
+@@ -517,17 +517,6 @@ check_slave() {
+ 
+                 exit $OCF_ERR_INSTALLED
+             fi
+-        elif ocf_is_ms; then
+-            # Even if we're not set to evict lagging slaves, we can
+-            # still use the seconds behind master value to set our
+-            # master preference.
+-            local master_pref
+-            master_pref=$((${OCF_RESKEY_max_slave_lag}-${secs_behind}))
+-            if [ $master_pref -lt 0 ]; then
+-                # Sanitize a below-zero preference to just zero
+-                master_pref=0
+-            fi
+-            $CRM_MASTER -v $master_pref
+         fi
+ 
+         # is the slave ok to have a VIP on it
--- a/SOURCES/bz2040110-IPaddr2-IPsrcaddr-1-support-policy-based-routing.patch
+++ b/SOURCES/bz2040110-IPaddr2-IPsrcaddr-1-support-policy-based-routing.patch
@ -0,0 +1,84 @@
+From 4d87bcfe5df8a1e40ee945e095ac9e7cca147ec4 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Wed, 29 Jun 2022 10:26:25 +0200
+Subject: [PATCH] IPaddr2/IPsrcaddr: add/modify table parameter to be able to
+ find interface while using policy based routing
+
+---
+ heartbeat/IPaddr2   | 12 ++++++++++++
+ heartbeat/IPsrcaddr |  5 ++++-
+ heartbeat/findif.sh |  2 +-
+ 3 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/heartbeat/IPaddr2 b/heartbeat/IPaddr2
+index 97a7431a2..e8384c586 100755
+--- a/heartbeat/IPaddr2
+++ b/heartbeat/IPaddr2
+@@ -73,6 +73,7 @@ OCF_RESKEY_ip_default=""
+ OCF_RESKEY_cidr_netmask_default=""
+ OCF_RESKEY_broadcast_default=""
+ OCF_RESKEY_iflabel_default=""
+OCF_RESKEY_table_default=""
+ OCF_RESKEY_cidr_netmask_default=""
+ OCF_RESKEY_lvs_support_default=false
+ OCF_RESKEY_lvs_ipv6_addrlabel_default=false
+@@ -97,6 +98,7 @@ OCF_RESKEY_network_namespace_default=""
+ : ${OCF_RESKEY_cidr_netmask=${OCF_RESKEY_cidr_netmask_default}}
+ : ${OCF_RESKEY_broadcast=${OCF_RESKEY_broadcast_default}}
+ : ${OCF_RESKEY_iflabel=${OCF_RESKEY_iflabel_default}}
+: ${OCF_RESKEY_table=${OCF_RESKEY_table_default}}
+ : ${OCF_RESKEY_lvs_support=${OCF_RESKEY_lvs_support_default}}
+ : ${OCF_RESKEY_lvs_ipv6_addrlabel=${OCF_RESKEY_lvs_ipv6_addrlabel_default}}
+ : ${OCF_RESKEY_lvs_ipv6_addrlabel_value=${OCF_RESKEY_lvs_ipv6_addrlabel_value_default}}
+@@ -239,6 +241,16 @@ If a label is specified in nic name, this parameter has no effect.
+ <content type="string" default="${OCF_RESKEY_iflabel_default}"/>
+ </parameter>
+ 
+<parameter name="table">
+<longdesc lang="en">
+Table to use to lookup which interface to use for the IP.
+
+This can be used for policy based routing. See man ip-rule(8).
+</longdesc>
+<shortdesc lang="en">Table</shortdesc>
+<content type="string" default="${OCF_RESKEY_table_default}" />
+</parameter>
+
+ <parameter name="lvs_support">
+ <longdesc lang="en">
+ Enable support for LVS Direct Routing configurations. In case a IP
+diff --git a/heartbeat/IPsrcaddr b/heartbeat/IPsrcaddr
+index 1bd41a930..cf106cc34 100755
+--- a/heartbeat/IPsrcaddr
+++ b/heartbeat/IPsrcaddr
+@@ -155,13 +155,16 @@ Metric. Only needed if incorrect metric value is used.
+ 
+ <parameter name="table">
+ <longdesc lang="en">
+-Table to modify. E.g. "local".
+Table to modify and use for interface lookup. E.g. "local".
+ 
+ The table has to have a route matching the "destination" parameter.
+
+This can be used for policy based routing. See man ip-rule(8).
+ </longdesc>
+ <shortdesc lang="en">Table</shortdesc>
+ <content type="string" default="${OCF_RESKEY_table_default}" />
+ </parameter>
+
+ </parameters>
+ 
+ <actions>
+diff --git a/heartbeat/findif.sh b/heartbeat/findif.sh
+index 66bc6d56a..1a40cc9a4 100644
+--- a/heartbeat/findif.sh
+++ b/heartbeat/findif.sh
+@@ -32,7 +32,7 @@ prefixcheck() {
+ getnetworkinfo()
+ {
+   local line netinfo
+-  ip -o -f inet route list match $OCF_RESKEY_ip table local scope host | (while read line;
+  ip -o -f inet route list match $OCF_RESKEY_ip table "${OCF_RESKEY_table=local}" scope host | (while read line;
+   do
+     netinfo=`echo $line | awk '{print $2}'`
+     case $netinfo in
--- a/SOURCES/bz2040110-IPaddr2-IPsrcaddr-2-fix-table-parameter.patch
+++ b/SOURCES/bz2040110-IPaddr2-IPsrcaddr-2-fix-table-parameter.patch
@ -0,0 +1,35 @@
+From da9e8e691f39494e14f8f11173b6ab6433384396 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Tue, 20 Jun 2023 14:19:23 +0200
+Subject: [PATCH] findif.sh: fix table parameter so it uses main table by
+ default
+
+---
+ heartbeat/findif.sh | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/heartbeat/findif.sh b/heartbeat/findif.sh
+index 1a40cc9a4b..6c04c98c19 100644
+--- a/heartbeat/findif.sh
+++ b/heartbeat/findif.sh
+@@ -32,7 +32,7 @@ prefixcheck() {
+ getnetworkinfo()
+ {
+   local line netinfo
+-  ip -o -f inet route list match $OCF_RESKEY_ip table "${OCF_RESKEY_table=local}" scope host | (while read line;
+  ip -o -f inet route list match $OCF_RESKEY_ip table "${OCF_RESKEY_table:=main}" scope host | (while read line;
+   do
+     netinfo=`echo $line | awk '{print $2}'`
+     case $netinfo in
+@@ -215,9 +215,9 @@ findif()
+   fi
+   if [ -n "$nic" ] ; then
+     # NIC supports more than two.
+-    set -- $(ip -o -f $family route list match $match $scope | grep "dev $nic " | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
+    set -- $(ip -o -f $family route list match $match $scope table "${OCF_RESKEY_table:=main}" | grep "dev $nic " | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
+   else
+-    set -- $(ip -o -f $family route list match $match $scope | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
+    set -- $(ip -o -f $family route list match $match $scope table "${OCF_RESKEY_table:=main}" | awk 'BEGIN{best=0} /\// { mask=$1; sub(".*/", "", mask); if( int(mask)>=best ) { best=int(mask); best_ln=$0; } } END{print best_ln}')
+   fi
+   if [ $# = 0 ] ; then
+     case $OCF_RESKEY_ip in
--- a/SOURCES/bz2149970-lvmlockd-add-use_lvmlockd-if-missing.patch
+++ b/SOURCES/bz2149970-lvmlockd-add-use_lvmlockd-if-missing.patch
@ -0,0 +1,42 @@
+From 2695888c983df331b0fee407a5c69c493a360313 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Wed, 30 Nov 2022 12:07:05 +0100
+Subject: [PATCH] lvmlockd: add "use_lvmlockd = 1" if it's commented out or
+ missing
+
+---
+ heartbeat/lvmlockd | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/heartbeat/lvmlockd b/heartbeat/lvmlockd
+index dc7bd2d7e..f4b299f28 100755
+--- a/heartbeat/lvmlockd
+++ b/heartbeat/lvmlockd
+@@ -180,14 +180,23 @@ setup_lvm_config()
+ 	lock_type=$(echo "$out" | cut -d'=' -f2)
+ 
+ 	if [ -z "$use_lvmlockd" ]; then
+-		ocf_exit_reason "\"use_lvmlockd\" not set in /etc/lvm/lvm.conf ..."
+-		exit $OCF_ERR_CONFIGURED
+-	fi
+		ocf_log info "adding \"use_lvmlockd=1\" to /etc/lvm/lvm.conf ..."
+		cat >> /etc/lvm/lvm.conf << EOF
+
+global {
+    use_lvmlockd = 1
+}
+EOF
+ 
+-	if [ -n "$use_lvmlockd" ] && [ "$use_lvmlockd" != 1 ] ; then
+		if [ $? -ne 0 ]; then
+			ocf_exit_reason "unable to add \"use_lvmlockd=1\" to /etc/lvm/lvm.conf ..."
+			exit $OCF_ERR_CONFIGURED
+		fi
+	elif [ "$use_lvmlockd" != 1 ] ; then
+ 		ocf_log info "setting \"use_lvmlockd=1\" in /etc/lvm/lvm.conf ..."
+ 		sed -i 's,^[[:blank:]]*use_lvmlockd[[:blank:]]*=.*,\ \ \ \ use_lvmlockd = 1,g' /etc/lvm/lvm.conf
+ 	fi
+
+ 	if [ -n "$lock_type" ] ; then
+ 		# locking_type was removed from config in v2.03
+ 		ocf_version_cmp "$(lvmconfig --version | awk '/LVM ver/ {sub(/\(.*/, "", $3); print $3}')" "2.03"
--- a/SOURCES/bz2154727-ethmonitor-dont-log-iface-doesnt-exist-monitor.patch
+++ b/SOURCES/bz2154727-ethmonitor-dont-log-iface-doesnt-exist-monitor.patch
@ -0,0 +1,24 @@
+From e7a748d35fe56f2be727ecae1885a2f1366f41bf Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Wed, 15 Mar 2023 13:03:07 +0100
+Subject: [PATCH] ethmonitor: dont log "Interface does not exist" for
+ monitor-action
+
+---
+ heartbeat/ethmonitor | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/heartbeat/ethmonitor b/heartbeat/ethmonitor
+index 451738a0b5..f9c9ef4bdd 100755
+--- a/heartbeat/ethmonitor
+++ b/heartbeat/ethmonitor
+@@ -271,6 +271,9 @@ if_init() {
+ 			validate-all)
+ 				ocf_exit_reason "Interface $NIC does not exist"
+ 				exit $OCF_ERR_CONFIGURED;;
+			monitor)
+				ocf_log debug "Interface $NIC does not exist"
+				;;
+ 			*)	
+ 				## It might be a bond interface which is temporarily not available, therefore we want to continue here
+ 				ocf_log warn "Interface $NIC does not exist"
--- a/SOURCES/bz2181019-azure-events-1-fix-no-transition-summary.patch
+++ b/SOURCES/bz2181019-azure-events-1-fix-no-transition-summary.patch
@ -0,0 +1,54 @@
+From 81bb58b05d2ddabd17fe31af39f0e857e61db3c9 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Tue, 28 Mar 2023 16:53:45 +0200
+Subject: [PATCH] azure-events*: fix for no "Transition Summary" for Pacemaker
+ 2.1+
+
+---
+ heartbeat/azure-events-az.in | 8 ++++----
+ heartbeat/azure-events.in    | 6 +++---
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/heartbeat/azure-events-az.in b/heartbeat/azure-events-az.in
+index 59d0953061..67c02c6422 100644
+--- a/heartbeat/azure-events-az.in
+++ b/heartbeat/azure-events-az.in
+@@ -311,10 +311,10 @@ class clusterHelper:
+ 		summary = clusterHelper._exec("crm_simulate", "-Ls")
+ 		if not summary:
+ 			ocf.logger.warning("transitionSummary: could not load transition summary")
+-			return False
+			return ""
+ 		if summary.find("Transition Summary:") < 0:
+-			ocf.logger.warning("transitionSummary: received unexpected transition summary: %s" % summary)
+-			return False
+			ocf.logger.debug("transitionSummary: no transactions: %s" % summary)
+			return ""
+ 		summary = summary.split("Transition Summary:")[1]
+ 		ret = summary.split("\n").pop(0)
+ 
+@@ -768,4 +768,4 @@ def main():
+ 	agent.run()
+ 
+ if __name__ == '__main__':
+-	main()
+\ No newline at end of file
+	main()
+diff --git a/heartbeat/azure-events.in b/heartbeat/azure-events.in
+index 66e129060a..5ad658df93 100644
+--- a/heartbeat/azure-events.in
+++ b/heartbeat/azure-events.in
+@@ -310,10 +310,10 @@ class clusterHelper:
+ 		summary = clusterHelper._exec("crm_simulate", "-Ls")
+ 		if not summary:
+ 			ocf.logger.warning("transitionSummary: could not load transition summary")
+-			return False
+			return ""
+ 		if summary.find("Transition Summary:") < 0:
+-			ocf.logger.warning("transitionSummary: received unexpected transition summary: %s" % summary)
+-			return False
+			ocf.logger.debug("transitionSummary: no transactions: %s" % summary)
+			return ""
+ 		summary = summary.split("Transition Summary:")[1]
+ 		ret = summary.split("\n").pop(0)
+ 
--- a/SOURCES/bz2181019-azure-events-2-improve-logic.patch
+++ b/SOURCES/bz2181019-azure-events-2-improve-logic.patch
@ -0,0 +1,77 @@
+From ff53e5c8d6867e580506d132fba6fcf6aa46b804 Mon Sep 17 00:00:00 2001
+From: Peter Varkoly <varkoly@suse.com>
+Date: Sat, 29 Apr 2023 08:09:11 +0200
+Subject: [PATCH] Use -LS instead of -Ls as parameter to get the Transition
+ Summary
+
+---
+ heartbeat/azure-events-az.in | 9 +++++----
+ heartbeat/azure-events.in    | 9 +++++----
+ 2 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/heartbeat/azure-events-az.in b/heartbeat/azure-events-az.in
+index 67c02c642..46d4d1f3d 100644
+--- a/heartbeat/azure-events-az.in
+++ b/heartbeat/azure-events-az.in
+@@ -298,7 +298,7 @@ class clusterHelper:
+ 		Get the current Pacemaker transition summary (used to check if all resources are stopped when putting a node standby)
+ 		"""
+ 		# <tniek> Is a global crm_simulate "too much"? Or would it be sufficient it there are no planned transitions for a particular node?
+-		# # crm_simulate -Ls
+		# # crm_simulate -LS
+ 		# 	Transition Summary:
+ 		# 	 * Promote rsc_SAPHana_HN1_HDB03:0      (Slave -> Master hsr3-db1)
+ 		# 	 * Stop    rsc_SAPHana_HN1_HDB03:1      (hsr3-db0)
+@@ -308,15 +308,16 @@ class clusterHelper:
+ 		# 	Transition Summary:
+ 		ocf.logger.debug("transitionSummary: begin")
+ 
+-		summary = clusterHelper._exec("crm_simulate", "-Ls")
+		summary = clusterHelper._exec("crm_simulate", "-LS")
+ 		if not summary:
+ 			ocf.logger.warning("transitionSummary: could not load transition summary")
+ 			return ""
+ 		if summary.find("Transition Summary:") < 0:
+ 			ocf.logger.debug("transitionSummary: no transactions: %s" % summary)
+ 			return ""
+-		summary = summary.split("Transition Summary:")[1]
+-		ret = summary.split("\n").pop(0)
+		j=summary.find('Transition Summary:') + len('Transition Summary:')
+		l=summary.lower().find('executing cluster transition:')
+		ret = list(filter(str.strip, summary[j:l].split("\n")))
+ 
+ 		ocf.logger.debug("transitionSummary: finished; return = %s" % str(ret))
+ 		return ret
+diff --git a/heartbeat/azure-events.in b/heartbeat/azure-events.in
+index 5ad658df9..90acaba62 100644
+--- a/heartbeat/azure-events.in
+++ b/heartbeat/azure-events.in
+@@ -297,7 +297,7 @@ class clusterHelper:
+ 		Get the current Pacemaker transition summary (used to check if all resources are stopped when putting a node standby)
+ 		"""
+ 		# <tniek> Is a global crm_simulate "too much"? Or would it be sufficient it there are no planned transitions for a particular node?
+-		# # crm_simulate -Ls
+		# # crm_simulate -LS
+ 		# 	Transition Summary:
+ 		# 	 * Promote rsc_SAPHana_HN1_HDB03:0      (Slave -> Master hsr3-db1)
+ 		# 	 * Stop    rsc_SAPHana_HN1_HDB03:1      (hsr3-db0)
+@@ -307,15 +307,16 @@ class clusterHelper:
+ 		# 	Transition Summary:
+ 		ocf.logger.debug("transitionSummary: begin")
+ 
+-		summary = clusterHelper._exec("crm_simulate", "-Ls")
+		summary = clusterHelper._exec("crm_simulate", "-LS")
+ 		if not summary:
+ 			ocf.logger.warning("transitionSummary: could not load transition summary")
+ 			return ""
+ 		if summary.find("Transition Summary:") < 0:
+ 			ocf.logger.debug("transitionSummary: no transactions: %s" % summary)
+ 			return ""
+-		summary = summary.split("Transition Summary:")[1]
+-		ret = summary.split("\n").pop(0)
+		j=summary.find('Transition Summary:') + len('Transition Summary:')
+		l=summary.lower().find('executing cluster transition:')
+		ret = list(filter(str.strip, summary[j:l].split("\n")))
+ 
+ 		ocf.logger.debug("transitionSummary: finished; return = %s" % str(ret))
+ 		return ret
--- a/SOURCES/bz2183152-Filesystem-fail-efs-utils-not-installed.patch
+++ b/SOURCES/bz2183152-Filesystem-fail-efs-utils-not-installed.patch
@ -0,0 +1,23 @@
+From b02b06c437b1d8cb1dcfe8ace47c2efc4a0e476c Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Thu, 30 Mar 2023 14:44:41 +0200
+Subject: [PATCH] Filesystem: fail if AWS efs-utils not installed when
+ fstype=efs
+
+---
+ heartbeat/Filesystem | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/heartbeat/Filesystem b/heartbeat/Filesystem
+index 65088029ec..50c68f115b 100755
+--- a/heartbeat/Filesystem
+++ b/heartbeat/Filesystem
+@@ -456,7 +456,7 @@ fstype_supported()
+ 	# System (EFS)
+ 	case "$FSTYPE" in
+ 		fuse.*|glusterfs|rozofs) support="fuse";;
+-		efs) support="nfs4";;
+		efs) check_binary "mount.efs"; support="nfs4";;
+ 	esac
+ 
+ 	if [ "$support" != "$FSTYPE" ]; then
--- a/SOURCES/bz2189243-Filesystem-1-improve-stop-action.patch
+++ b/SOURCES/bz2189243-Filesystem-1-improve-stop-action.patch
@ -0,0 +1,125 @@
+From 48ed6e6d6510f42743e4463970e27f05637e4982 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Tue, 4 Jul 2023 14:40:19 +0200
+Subject: [PATCH] Filesystem: improve stop-action and allow setting term/kill
+ signals and signal_delay for large filesystems
+
+---
+ heartbeat/Filesystem | 80 ++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 70 insertions(+), 10 deletions(-)
+
+diff --git a/heartbeat/Filesystem b/heartbeat/Filesystem
+index 65a9dffb5..fe608ebfd 100755
+--- a/heartbeat/Filesystem
+++ b/heartbeat/Filesystem
+@@ -71,6 +71,9 @@ OCF_RESKEY_run_fsck_default="auto"
+ OCF_RESKEY_fast_stop_default="no"
+ OCF_RESKEY_force_clones_default="false"
+ OCF_RESKEY_force_unmount_default="true"
+OCF_RESKEY_term_signals_default="TERM"
+OCF_RESKEY_kill_signals_default="KILL"
+OCF_RESKEY_signal_delay_default="1"
+ 
+ # RHEL specific defaults
+ if is_redhat_based; then
+@@ -104,6 +107,9 @@ if [ -z "${OCF_RESKEY_fast_stop}" ]; then
+ fi
+ : ${OCF_RESKEY_force_clones=${OCF_RESKEY_force_clones_default}}
+ : ${OCF_RESKEY_force_unmount=${OCF_RESKEY_force_unmount_default}}
+: ${OCF_RESKEY_term_signals=${OCF_RESKEY_term_signals_default}}
+: ${OCF_RESKEY_kill_signals=${OCF_RESKEY_kill_signals_default}}
+: ${OCF_RESKEY_signal_delay=${OCF_RESKEY_signal_delay_default}}
+ 
+ # Variables used by multiple methods
+ HOSTOS=$(uname)
+@@ -266,6 +272,30 @@ block if unresponsive nfs mounts are in use on the system.
+ <content type="boolean" default="${OCF_RESKEY_force_unmount_default}" />
+ </parameter>
+ 
+<parameter name="term_signals">
+<longdesc lang="en">
+Signals (names or numbers, whitespace separated) to send processes during graceful termination phase in stop-action.
+</longdesc>
+<shortdesc lang="en">Signals (names or numbers, whitespace separated) to send processes during graceful termination phase in stop-action</shortdesc>
+<content type="boolean" default="${OCF_RESKEY_term_signals_default}" />
+</parameter>
+
+<parameter name="kill_signals">
+<longdesc lang="en">
+Signals (names or numbers, whitespace separated) to send processes during forceful killing phase in stop-action.
+</longdesc>
+<shortdesc lang="en">Signals (names or numbers, whitespace separated) to send processes during forceful killing phase in stop-action</shortdesc>
+<content type="boolean" default="${OCF_RESKEY_kill_signals_default}" />
+</parameter>
+
+<parameter name="signal_delay">
+<longdesc lang="en">
+How many seconds to wait after sending term/kill signals to processes in stop-action.
+</longdesc>
+<shortdesc lang="en">How many seconds to wait after sending term/kill signals to processes in stop-action</shortdesc>
+<content type="boolean" default="${OCF_RESKEY_kill_signal_delay}" />
+</parameter>
+
+ </parameters>
+ 
+ <actions>
+@@ -663,19 +693,49 @@ try_umount() {
+ 	}
+ 	return $OCF_ERR_GENERIC
+ }
+-fs_stop() {
+-	local SUB="$1" timeout=$2 sig cnt
+-	for sig in TERM KILL; do
+-		cnt=$((timeout/2)) # try half time with TERM
+-		while [ $cnt -gt 0 ]; do
+-			try_umount "$SUB" &&
+-				return $OCF_SUCCESS
+-			ocf_exit_reason "Couldn't unmount $SUB; trying cleanup with $sig"
+timeout_child() {
+	local pid="$1" timeout="$2" killer ret
+
+	# start job in the background that will KILL the given process after timeout expires
+	sleep $timeout && kill -s KILL $pid &
+	killer=$!
+
+	# block until the child process either exits on its own or gets killed by the above killer pipeline
+	wait $pid
+	ret=$?
+
+	# ret would be 127 + child exit code if the timeout expired
+	[ $ret -lt 128 ] && kill -s KILL $killer
+	return $ret
+}
+fs_stop_loop() {
+	local SUB="$1" signals="$2" sig
+	while true; do
+		for sig in $signals; do
+ 			signal_processes "$SUB" $sig
+-			cnt=$((cnt-1))
+-			sleep 1
+ 		done
+		sleep $OCF_RESKEY_signal_delay
+		try_umount "$SUB" && return $OCF_SUCCESS
+ 	done
+}
+fs_stop() {
+	local SUB="$1" timeout=$2 grace_time ret
+	grace_time=$((timeout/2))
+
+	# try gracefully terminating processes for up to half of the configured timeout
+	fs_stop_loop "$SUB" "$OCF_RESKEY_term_signals" &
+	timeout_child $! $grace_time
+	ret=$?
+	[ $ret -eq $OCF_SUCCESS ] && return $ret
+
+	# try killing them for the rest of the timeout
+	fs_stop_loop "$SUB" "$OCF_RESKEY_kill_signals" &
+	timeout_child $! $grace_time
+	ret=$?
+	[ $ret -eq $OCF_SUCCESS ] && return $ret
+
+	# timeout expired
+	ocf_exit_reason "Couldn't unmount $SUB within given timeout"
+ 	return $OCF_ERR_GENERIC
+ }
+ 
--- a/SOURCES/bz2189243-Filesystem-2-fix-incorrect-parameter-types.patch
+++ b/SOURCES/bz2189243-Filesystem-2-fix-incorrect-parameter-types.patch
@ -0,0 +1,49 @@
+From 7056635f3f94c1bcaaa5ed5563dc3b0e9f6749e0 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Tue, 18 Jul 2023 14:12:27 +0200
+Subject: [PATCH] Filesystem: dont use boolean type for non-boolean parameters
+
+---
+ heartbeat/Filesystem | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/heartbeat/Filesystem b/heartbeat/Filesystem
+index ee55a4843..b9aae8d50 100755
+--- a/heartbeat/Filesystem
+++ b/heartbeat/Filesystem
+@@ -269,7 +269,7 @@ fuser cli tool. fuser is known to perform operations that can potentially
+ block if unresponsive nfs mounts are in use on the system.
+ </longdesc>
+ <shortdesc lang="en">Kill processes before unmount</shortdesc>
+-<content type="boolean" default="${OCF_RESKEY_force_unmount_default}" />
+<content type="string" default="${OCF_RESKEY_force_unmount_default}" />
+ </parameter>
+ 
+ <parameter name="term_signals">
+@@ -277,7 +277,7 @@ block if unresponsive nfs mounts are in use on the system.
+ Signals (names or numbers, whitespace separated) to send processes during graceful termination phase in stop-action.
+ </longdesc>
+ <shortdesc lang="en">Signals (names or numbers, whitespace separated) to send processes during graceful termination phase in stop-action</shortdesc>
+-<content type="boolean" default="${OCF_RESKEY_term_signals_default}" />
+<content type="string" default="${OCF_RESKEY_term_signals_default}" />
+ </parameter>
+ 
+ <parameter name="kill_signals">
+@@ -285,7 +285,7 @@ Signals (names or numbers, whitespace separated) to send processes during gracef
+ Signals (names or numbers, whitespace separated) to send processes during forceful killing phase in stop-action.
+ </longdesc>
+ <shortdesc lang="en">Signals (names or numbers, whitespace separated) to send processes during forceful killing phase in stop-action</shortdesc>
+-<content type="boolean" default="${OCF_RESKEY_kill_signals_default}" />
+<content type="string" default="${OCF_RESKEY_kill_signals_default}" />
+ </parameter>
+ 
+ <parameter name="signal_delay">
+@@ -293,7 +293,7 @@ Signals (names or numbers, whitespace separated) to send processes during forcef
+ How many seconds to wait after sending term/kill signals to processes in stop-action.
+ </longdesc>
+ <shortdesc lang="en">How many seconds to wait after sending term/kill signals to processes in stop-action</shortdesc>
+-<content type="boolean" default="${OCF_RESKEY_kill_signal_delay}" />
+<content type="string" default="${OCF_RESKEY_kill_signal_delay}" />
+ </parameter>
+ 
+ </parameters>
--- a/SOURCES/bz2189243-Filesystem-3-fix-signal_delay-default-value.patch
+++ b/SOURCES/bz2189243-Filesystem-3-fix-signal_delay-default-value.patch
@ -0,0 +1,23 @@
+From f779fad52e5f515ca81218da6098398bdecac286 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Thu, 20 Jul 2023 10:18:12 +0200
+Subject: [PATCH] Filesystem: fix incorrect variable name for signal_delay
+ default in metadata
+
+---
+ heartbeat/Filesystem | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/heartbeat/Filesystem b/heartbeat/Filesystem
+index b9aae8d50..066562891 100755
+--- a/heartbeat/Filesystem
+++ b/heartbeat/Filesystem
+@@ -293,7 +293,7 @@ Signals (names or numbers, whitespace separated) to send processes during forcef
+ How many seconds to wait after sending term/kill signals to processes in stop-action.
+ </longdesc>
+ <shortdesc lang="en">How many seconds to wait after sending term/kill signals to processes in stop-action</shortdesc>
+-<content type="string" default="${OCF_RESKEY_kill_signal_delay}" />
+<content type="string" default="${OCF_RESKEY_signal_delay_default}" />
+ </parameter>
+ 
+ </parameters>
--- a/SOURCES/python3-syntax-fixes.patch
+++ b/SOURCES/python3-syntax-fixes.patch
@ -590,116 +590,3 @@ diff -uNr a/bundled/aliyun/colorama/demos/demo07.py b/bundled/aliyun/colorama/de
 
 
 if __name__ == '__main__':
-diff -uNr a/bundled/aliyun/pycryptodome/Doc/conf.py b/bundled/aliyun/pycryptodome/Doc/conf.py
--- a/bundled/aliyun/pycryptodome/Doc/conf.py	2018-07-10 21:32:46.000000000 +0200
-+++ b/bundled/aliyun/pycryptodome/Doc/conf.py	2018-10-08 12:08:11.122188094 +0200
-@@ -15,7 +15,7 @@
- 
- # Modules to document with autodoc are in another directory
- sys.path.insert(0, os.path.abspath('../lib'))
-print sys.path
-+print(sys.path)
- 
- # Mock existance of native modules
- from Crypto.Util import _raw_api
-diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py b/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py
--- a/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py	2018-07-10 21:32:46.000000000 +0200
-+++ b/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py	2018-10-08 12:08:11.123188075 +0200
-@@ -302,7 +302,7 @@
-     randfunc = kwargs.pop("randfunc", None)
-     prime_filter = kwargs.pop("prime_filter", lambda x: True)
-     if kwargs:
-        print "Unknown parameters:", kwargs.keys()
-+        print("Unknown parameters:", kwargs.keys())
- 
-     if exact_bits is None:
-         raise ValueError("Missing exact_bits parameter")
-@@ -341,7 +341,7 @@
-     exact_bits = kwargs.pop("exact_bits", None)
-     randfunc = kwargs.pop("randfunc", None)
-     if kwargs:
-        print "Unknown parameters:", kwargs.keys()
-+        print("Unknown parameters:", kwargs.keys())
- 
-     if randfunc is None:
-         randfunc = Random.new().read
-diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py b/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py
--- a/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py	2018-07-10 21:32:46.000000000 +0200
-+++ b/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py	2018-10-08 12:08:11.124188057 +0200
-@@ -912,4 +912,4 @@
-     count = 30
-     for x in xrange(count):
-         _ = point * d
-    print (time.time() - start) / count * 1000, "ms"
-+    print((time.time() - start) / count * 1000, "ms")
-diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py
--- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py	2018-07-10 21:32:46.000000000 +0200
-+++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py	2018-10-08 12:08:11.124188057 +0200
-@@ -1276,7 +1276,7 @@
-         tests += make_block_tests(AES, "AESNI", test_data, {'use_aesni': True})
-         tests += [ TestMultipleBlocks(True) ]
-     else:
-        print "Skipping AESNI tests"
-+        print("Skipping AESNI tests")
-     return tests
- 
- if __name__ == '__main__':
-diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py
--- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py	2018-07-10 21:32:46.000000000 +0200
-+++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py	2018-10-08 12:08:11.125188038 +0200
-@@ -894,7 +894,7 @@
-         if config.get('slow_tests'):
-             tests += list_test_cases(NISTTestVectorsGCM_no_clmul)
-     else:
-        print "Skipping test of PCLMULDQD in AES GCM"
-+        print("Skipping test of PCLMULDQD in AES GCM")
- 
-     return tests
- 
-diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py
--- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py	2018-07-10 21:32:46.000000000 +0200
-+++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py	2018-10-08 12:08:11.125188038 +0200
-@@ -39,7 +39,7 @@
-     """Convert a text string with bytes in hex form to a byte string"""
-     clean = b(rws(t))
-     if len(clean)%2 == 1:
-        print clean
-+        print(clean)
-         raise ValueError("Even number of characters expected")
-     return a2b_hex(clean)
- 
-diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py
--- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py	2018-07-10 21:32:46.000000000 +0200
-+++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py	2018-10-08 12:08:11.126188020 +0200
-@@ -25,11 +25,11 @@
- 
- slow_tests = not "--skip-slow-tests" in sys.argv
- if not slow_tests:
-    print "Skipping slow tests"
-+    print("Skipping slow tests")
- 
- wycheproof_warnings = "--wycheproof-warnings" in sys.argv
- if wycheproof_warnings:
-    print "Printing Wycheproof warnings"
-+    print("Printing Wycheproof warnings")
- 
- config = {'slow_tests' : slow_tests, 'wycheproof_warnings' : wycheproof_warnings }
- SelfTest.run(stream=sys.stdout, verbosity=1, config=config)
-diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py b/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py
--- a/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py	2018-07-10 21:32:46.000000000 +0200
-+++ b/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py	2018-10-08 12:08:11.126188020 +0200
-@@ -369,13 +369,13 @@
-            ]
- 
-     for key, words in data:
-        print 'Trying key', key
-+        print('Trying key', key)
-         key=binascii.a2b_hex(key)
-         w2=key_to_english(key)
-         if w2!=words:
-            print 'key_to_english fails on key', repr(key), ', producing', str(w2)
-+            print('key_to_english fails on key', repr(key), ', producing', str(w2))
-         k2=english_to_key(words)
-         if k2!=key:
-            print 'english_to_key fails on key', repr(key), ', producing', repr(k2)
-+            print('english_to_key fails on key', repr(key), ', producing', repr(k2))
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
@ -43,7 +43,7 @@
 %global colorama_dir		%{bundled_lib_dir}/aliyun/%{colorama}
 # python-pycryptodome bundle
 %global pycryptodome		pycryptodome
-%global pycryptodome_version	3.6.4
+%global pycryptodome_version	3.20.0
 %global pycryptodome_dir	%{bundled_lib_dir}/aliyun/%{pycryptodome}
 # python-aliyun-sdk-core bundle
 %global aliyunsdkcore		aliyun-python-sdk-core
@ -61,6 +61,10 @@
 %global aliyuncli		aliyun-cli
 %global aliyuncli_version	2.1.10
 %global aliyuncli_dir		%{bundled_lib_dir}/aliyun/%{aliyuncli}
+## fix CVEs
+# urllib3 bundle
+%global urllib3 		urllib3
+%global urllib3_version 	1.26.18

 # determine the ras-set to process based on configure invokation
 %bcond_with rgmanager
@ -69,7 +73,7 @@
 Name:		resource-agents
 Summary:	Open Source HA Reusable Cluster Resource Scripts
 Version:	4.9.0
-Release:	40%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
+Release:	54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.5
 License:	GPLv2+ and LGPLv2+
 URL:		https://github.com/ClusterLabs/resource-agents
 %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@ -88,6 +92,7 @@ Source7:	%{aliyunsdkcore}-%{aliyunsdkcore_version}.tar.gz
 Source8:	%{aliyunsdkecs}-%{aliyunsdkecs_version}.tar.gz
 Source9:	%{aliyunsdkvpc}-%{aliyunsdkvpc_version}.tar.gz
 Source10:	%{aliyuncli}-%{aliyuncli_version}.tar.gz
+Source11:	%{urllib3}-%{urllib3_version}.tar.gz
 Patch0: 	nova-compute-wait-NovaEvacuate.patch
 Patch1: 	bz1872754-pgsqlms-new-ra.patch
 Patch2: 	bz1995178-storage-mon-fix-typo.patch
@ -136,6 +141,28 @@ Patch44:	bz2157873-2-Filesystem-CTDB-validate-all-improvements.patch
 Patch45:	bz2157873-3-pgsqlms-validate-all-OCF_CHECK_LEVEL-10.patch
 Patch46:	bz2157873-4-exportfs-pgsql-validate-all-fixes.patch
 Patch47:	bz2157873-5-pgsqlms-alidate-all-OCF_CHECK_LEVEL-10.patch
+Patch48:	bz2040110-IPaddr2-IPsrcaddr-1-support-policy-based-routing.patch
+Patch49:	bz2149970-lvmlockd-add-use_lvmlockd-if-missing.patch
+Patch50:	bz2154727-ethmonitor-dont-log-iface-doesnt-exist-monitor.patch
+Patch51:	bz2039692-mysql-1-replication-fixes.patch
+Patch52:	bz2181019-azure-events-1-fix-no-transition-summary.patch
+Patch53:	bz2181019-azure-events-2-improve-logic.patch
+Patch54:	bz2183152-Filesystem-fail-efs-utils-not-installed.patch
+Patch55:	bz2039692-mysql-2-fix-demoted-score-bounce.patch
+Patch56:	bz2040110-IPaddr2-IPsrcaddr-2-fix-table-parameter.patch
+Patch57:	bz2189243-Filesystem-1-improve-stop-action.patch
+Patch58:	bz2189243-Filesystem-2-fix-incorrect-parameter-types.patch
+Patch59:	bz2189243-Filesystem-3-fix-signal_delay-default-value.patch
+Patch60:	bz1904465-mysql-common-improve-error-message.patch
+Patch61:	RHEL-15302-1-exportfs-make-fsid-optional.patch
+Patch62:	RHEL-15302-2-ocft-exportfs-remove-fsid-required-test.patch
+Patch63:	RHEL-15305-1-findif.sh-fix-loopback-handling.patch
+Patch64:	RHEL-16248-aws-vpc-move-ip-aws-vpc-route53-awseip-awsvip-auth_type-role.patch
+Patch65:	RHEL-17083-findif-EOS-fix.patch
+Patch66:	RHEL-15305-2-findif.sh-dont-use-table-parameter.patch
+Patch67:	RHEL-34137-aws-agents-use-curl_retry.patch
+Patch68:	RHEL-32828-db2-fix-OCF_SUCESS-typo.patch
+Patch69:	RHEL-61138-nfsserver-also-stop-rpc-statd-for-nfsv4_only.patch

 # bundle patches
 Patch1000:	7-gcp-bundled.patch
@ -148,6 +175,8 @@ Patch1006:	python3-syntax-fixes.patch
 Patch1007:	aliyuncli-python3-fixes.patch
 Patch1008:	bz1935422-python-pygments-fix-CVE-2021-20270.patch
 Patch1009:	bz1943464-python-pygments-fix-CVE-2021-27291.patch
+Patch1010:	RHEL-44923-aliyun-gcp-fix-bundled-urllib3-CVE-2024-37891.patch
+Patch1011:	RHEL-50360-setuptools-fix-CVE-2024-6345.patch

 Obsoletes:	heartbeat-resources <= %{version}
 Provides:	heartbeat-resources = %{version}
@ -242,6 +271,8 @@ Provides:	bundled(python-aliyun-sdk-ecs) = %{aliyunsdkecs_version}
 Provides:	bundled(python-aliyun-sdk-vpc) = %{aliyunsdkvpc_version}
 # aliyuncli bundle
 Provides:	bundled(aliyuncli) = %{aliyuncli_version}
+# urllib3 bundle
+Provides:	bundled(python-urllib3) = %{urllib3_version}

 %description aliyun
 Alibaba Cloud (Aliyun) resource agents allows Alibaba Cloud
@ -281,7 +312,7 @@ Provides:	bundled(python-pyparsing) = 2.1.10
 Provides:	bundled(python-requests) = 2.10.0
 Provides:	bundled(python-six) = 1.11.0
 Provides:	bundled(python-uritemplate) = 3.0.0
-Provides:	bundled(python-urllib3) = 1.15.1
+Provides:	bundled(python-urllib3) = %{urllib3_version}
 Provides:	bundled(python-websocket) = 0.47.0
 Provides:	bundled(python-yaml) = 3.12
 # python-pyroute2 bundle
@ -315,54 +346,76 @@ databases to be managed in a cluster environment.
 exit 1
 %endif
 %setup -q -n %{upstream_prefix}-%{upstream_version}
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
-%patch19 -p1
-%patch20 -p1
-%patch21 -p1
-%patch22 -p1
-%patch23 -p1
-%patch24 -p1
-%patch25 -p1
-%patch26 -p1
-%patch27 -p1
-%patch28 -p1
-%patch29 -p1
-%patch30 -p1
-%patch31 -p1
-%patch32 -p1
-%patch33 -p1
-%patch34 -p1
-%patch35 -p1
-%patch36 -p1
-%patch37 -p1
-%patch38 -p1
-%patch39 -p1
-%patch40 -p1
-%patch41 -p1
-%patch42 -p1
-%patch43 -p1
-%patch44 -p1
-%patch45 -p1
-%patch46 -p1
-%patch47 -p1
+%patch -p1 -P 0
+%patch -p1 -P 1
+%patch -p1 -P 2
+%patch -p1 -P 3
+%patch -p1 -P 4
+%patch -p1 -P 5
+%patch -p1 -P 6
+%patch -p1 -P 7
+%patch -p1 -P 8
+%patch -p1 -P 9
+%patch -p1 -P 10
+%patch -p1 -P 11
+%patch -p1 -P 12
+%patch -p1 -P 13
+%patch -p1 -P 14
+%patch -p1 -P 15
+%patch -p1 -P 16
+%patch -p1 -P 17
+%patch -p1 -P 18
+%patch -p1 -P 19
+%patch -p1 -P 20
+%patch -p1 -P 21
+%patch -p1 -P 22
+%patch -p1 -P 23
+%patch -p1 -P 24
+%patch -p1 -P 25
+%patch -p1 -P 26
+%patch -p1 -P 27
+%patch -p1 -P 28
+%patch -p1 -P 29
+%patch -p1 -P 30
+%patch -p1 -P 31
+%patch -p1 -P 32
+%patch -p1 -P 33
+%patch -p1 -P 34
+%patch -p1 -P 35
+%patch -p1 -P 36
+%patch -p1 -P 37
+%patch -p1 -P 38
+%patch -p1 -P 39
+%patch -p1 -P 40
+%patch -p1 -P 41
+%patch -p1 -P 42
+%patch -p1 -P 43
+%patch -p1 -P 44
+%patch -p1 -P 45
+%patch -p1 -P 46
+%patch -p1 -P 47
+%patch -p1 -P 48
+%patch -p1 -P 49
+%patch -p1 -P 50
+%patch -p1 -P 51
+%patch -p1 -P 52
+%patch -p1 -P 53
+%patch -p1 -P 54
+%patch -p1 -P 55
+%patch -p1 -P 56
+%patch -p1 -P 57
+%patch -p1 -P 58
+%patch -p1 -P 59
+%patch -p1 -P 60
+%patch -p1 -P 61
+%patch -p1 -P 62
+%patch -p1 -P 63
+%patch -p1 -P 64
+%patch -p1 -P 65
+%patch -p1 -P 66
+%patch -p1 -P 67 -F1
+%patch -p1 -P 68
+%patch -p1 -P 69

 chmod 755 heartbeat/nova-compute-wait
 chmod 755 heartbeat/NovaEvacuate
@ -376,15 +429,15 @@ mkdir -p %{bundled_lib_dir}/aliyun
 %ifarch x86_64
 tar -xzf %SOURCE1 -C %{bundled_lib_dir}/gcp
 # gcp*: append bundled-directory to search path, gcloud-ra
-%patch1000 -p1
+%patch -p1 -P 1000
 # replace python-rsa with python-cryptography
-%patch1001 -p1
+%patch -p1 -P 1001
 # gcloud support info
-%patch1002 -p1
+%patch -p1 -P 1002
 # configure: skip bundled gcp lib checks
-%patch1003 -p1 -F1
+%patch -p1 -P 1003 -F1
 # gcloud remove python 2 detection
-%patch1004 -p1
+%patch -p1 -P 1004
 # rename gcloud
 mv %{googlecloudsdk_dir}/bin/gcloud %{googlecloudsdk_dir}/bin/gcloud-ra
 # keep googleapiclient
@ -491,16 +544,16 @@ mv %{bundled_lib_dir}/aliyun/%{aliyuncli}-%{aliyuncli_version} %{aliyuncli_dir}
 cp %{aliyuncli_dir}/README.rst %{aliyuncli}_README.rst
 cp %{aliyuncli_dir}/LICENSE %{aliyuncli}_LICENSE
 # aliyun*: use bundled libraries
-%patch1005 -p1
+%patch -p1 -P 1005

 # aliyun Python 3 fixes
-%patch1006 -p1
-%patch1007 -p1
+%patch -p1 -P 1006
+%patch -p1 -P 1007

 # fix CVE's in python-pygments
 pushd %{googlecloudsdk_dir}/lib/third_party
-%patch1008 -p1 -F2
-%patch1009 -p1 -F2
+%patch -p1 -P 1008 -F2
+%patch -p1 -P 1009 -F2
 popd
 %endif

@ -597,6 +650,9 @@ make install DESTDIR=%{buildroot}
 # google-cloud-sdk bundle
 %ifarch x86_64
 pushd %{googlecloudsdk_dir}
+# fix urllib3 CVEs
+rm -rf lib/third_party/urllib3
+%{__python3} -m pip install --target lib/third_party --no-index --find-links %{_sourcedir} urllib3
 mkdir -p %{buildroot}/usr/lib/%{name}/%{googlecloudsdk_dir}
 cp -a bin data lib %{buildroot}/usr/lib/%{name}/%{googlecloudsdk_dir}
 mkdir %{buildroot}/%{_bindir}
@ -625,6 +681,9 @@ popd
 # python-aliyun-sdk-core bundle
 pushd %{aliyunsdkcore_dir}
 %{__python3} setup.py install -O1 --skip-build --root %{buildroot} --install-lib /usr/lib/%{name}/%{bundled_lib_dir}/aliyun
+# fix urllib3 CVEs
+rm -rf %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3
+%{__python3} -m pip install --target %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}/aliyun/aliyunsdkcore/vendored/requests/packages --no-index --find-links %{_sourcedir} urllib3
 popd

 # python-aliyun-sdk-ecs bundle
@ -645,6 +704,14 @@ mv %{buildroot}/%{_bindir}/aliyuncli %{buildroot}/%{_bindir}/aliyuncli-ra
 # aliyun_completer / aliyun_zsh_complete.sh
 rm %{buildroot}/%{_bindir}/aliyun_*
 popd
+
+# regular patch doesnt work in build-section
+pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1010}
+popd
+pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}/gcp/google-cloud-sdk/lib/third_party
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1011}
+popd
 %endif

 ## tree fixup
@ -938,6 +1005,96 @@ ccs_update_schema > /dev/null 2>&1 ||:
 %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm

 %changelog
+* Tue Oct  1 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.5
+- nfsserver: also stop rpc-statd for nfsv4_only to avoid stop failing
+  in some cases
+
+  Resolves: RHEL-61138
+
+* Thu Jul 25 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.4
+- bundled setuptools: fix CVE-2024-6345
+
+  Resolves: RHEL-50360
+
+* Tue Jul 23 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.3
+- gcp-pd-move: fix TLS_VERSION_1 issue
+
+  Resolves: RHEL-50041
+
+* Wed Jun 26 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.2
+- bundled urllib3: fix CVE-2024-37891
+
+  Resolves: RHEL-44923
+
+* Thu May 30 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.1
+- AWS agents: retry failed metadata requests to avoid instantly
+  failing when there is a hiccup in the network or metadata service
+- db2: fix OCF_SUCESS typo
+
+  Resolves: RHEL-34137, RHEL-32828
+
+* Thu Feb  8 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54
+- findif.sh: fix loopback IP handling
+
+  Resolves: RHEL-15305
+
+* Wed Jan 24 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-53
+- bundled urllib3: fix CVE-2023-45803
+- bundled pycryptodome: fix CVE-2023-52323
+
+  Resolves: RHEL-22431, RHEL-20916
+
+* Tue Nov 21 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-52
+- findif: also check that netmaskbits != EOS
+
+  Resolves: RHEL-17083
+
+* Fri Nov 17 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-51
+- aws-vpc-move-ip/aws-vpc-route53/awseip/awsvip: add auth_type parameter
+  and AWS Policy based authentication type
+
+  Resolves: RHEL-16248
+
+* Thu Nov  2 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-49
+- exportfs: make "fsid" parameter optional
+
+  Resolves: RHEL-15302
+
+* Wed Sep  6 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-48
+- mysql-common: improve error message
+
+  Resolves: rhbz#1904465
+
+* Thu Jul 20 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-47
+- Filesystem: improve stop-action and allow setting term/kill signals
+  and signal_delay for large filesystems
+
+  Resolves: rhbz#2189243
+
+* Wed Jun 21 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-44
+- IPaddr2/IPsrcaddr: support policy-based routing
+
+  Resolves: rhbz#2040110
+
+* Wed Jun 14 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-43
+- mysql: fix replication issues
+
+  Resolves: rhbz#2039692
+
+* Mon May  1 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-42
+- azure-events*: fix for no "Transition Summary" for Pacemaker 2.1+
+- Filesystem: fail if AWS efs-utils not installed when fstype=efs
+
+  Resolves: rhbz#2181019
+  Resolves: rhbz#2183152
+
+* Wed Mar 22 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-41
+- lvmlockd: add "use_lvmlockd = 1" if it's commented out or missing
+- ethmonitor: dont log "Interface does not exist" for monitor-action
+
+  Resolves: rhbz#2149970
+  Resolves: rhbz#2154727
+
 * Tue Jan 17 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-40
 - all agents: dont check notify/promotable settings during
  validate-action