diff --git a/SOURCES/bz1963163-fence_zvmip-add-ssl-tls-support.patch b/SOURCES/bz1963163-fence_zvmip-add-ssl-tls-support.patch
new file mode 100644
index 0000000..1e43aa3
--- /dev/null
+++ b/SOURCES/bz1963163-fence_zvmip-add-ssl-tls-support.patch
@@ -0,0 +1,100 @@
+From 81be3c529ec1165f3135b4f14fbec2a19403cfbe Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen
+Date: Fri, 27 Aug 2021 08:53:36 +0200
+Subject: [PATCH] fence_zvmip: add ssl/tls support
+
+---
+ agents/zvm/fence_zvmip.py | 20 ++++++++++++++++----
+ tests/data/metadata/fence_zvmip.xml | 19 +++++++++++++++++++
+ 2 files changed, 35 insertions(+), 4 deletions(-)
+
+diff --git a/agents/zvm/fence_zvmip.py b/agents/zvm/fence_zvmip.py
+index 001106a44..874eb699f 100644
+--- a/agents/zvm/fence_zvmip.py
++++ b/agents/zvm/fence_zvmip.py
+@@ -26,12 +26,22 @@ def open_socket(options):
+ except socket.gaierror:
+ fail(EC_LOGIN_DENIED)
+
+- conn = socket.socket()
++ if "--ssl" in options:
++ import ssl
++ sock = socket.socket()
++ sslcx = ssl.create_default_context()
++ if "--ssl-insecure" in options:
++ sslcx.check_hostname = False
++ sslcx.verify_mode = ssl.CERT_NONE
++ conn = sslcx.wrap_socket(sock, server_hostname=options["--ip"])
++ else:
++ conn = socket.socket()
+ conn.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+ conn.settimeout(float(options["--shell-timeout"]) or None)
+ try:
+ conn.connect(addr)
+- except socket.error:
++ except socket.error as e:
++ logging.debug(e)
+ fail(EC_LOGIN_DENIED)
+
+ return conn
+@@ -122,11 +132,12 @@ def get_list_of_images(options, command, data_as_plug):
+ images = set()
+
+ if output_len > 3*INT4:
++ recvflag = socket.MSG_WAITALL if "--ssl" not in options else 0
+ array_len = struct.unpack("!i", conn.recv(INT4))[0]
+ data = ""
+
+ while True:
+- read_data = conn.recv(1024, socket.MSG_WAITALL).decode("UTF-8")
++ read_data = conn.recv(1024, recvflag).decode("UTF-8")
+ data += read_data
+ if array_len == len(data):
+ break
+@@ -146,7 +157,8 @@ def get_list_of_images(options, command, data_as_plug):
+ return (return_code, reason_code, images)
+
+ def main():
+- device_opt = ["ipaddr", "login", "passwd",
"port", "method", "missing_as_off", ++ "inet4_only", "inet6_only", "ssl"] + + atexit.register(atexit_handler) + +diff --git a/tests/data/metadata/fence_zvmip.xml b/tests/data/metadata/fence_zvmip.xml +index f84115c08..d91192946 100644 +--- a/tests/data/metadata/fence_zvmip.xml ++++ b/tests/data/metadata/fence_zvmip.xml +@@ -91,6 +91,21 @@ to access the system's directory manager. + + Physical plug number on device, UUID or identification of machine + ++ ++ ++ ++ Use SSL connection with verifying certificate ++ ++ ++ ++ ++ Use SSL connection without verifying certificate ++ ++ ++ ++ ++ Use SSL connection with verifying certificate ++ + + + +@@ -181,6 +196,10 @@ to access the system's directory manager. + + Count of attempts to retry power on + ++ ++ ++ Path to gnutls-cli binary ++ + + + diff --git a/SPECS/fence-agents.spec b/SPECS/fence-agents.spec index 4658625..7eff500 100644 --- a/SPECS/fence-agents.spec +++ b/SPECS/fence-agents.spec @@ -79,7 +79,7 @@ Name: fence-agents Summary: Set of unified programs capable of host isolation ("fencing") Version: 4.2.1 -Release: 82%{?alphatag:.%{alphatag}}%{?dist} +Release: 83%{?alphatag:.%{alphatag}}%{?dist} License: GPLv2+ and LGPLv2+ Group: System Environment/Base URL: https://github.com/ClusterLabs/fence-agents @@ -234,6 +234,7 @@ Patch102: bz1977588-1-fencing-add-EC_FETCH_VM_UUID.patch Patch103: bz1977588-2-fence_kubevirt.patch Patch104: bz1977588-3-fence_kubevirt-fix-status.patch Patch105: bz1977588-4-fence_kubevirt-power-timeout-40s.patch +Patch106: bz1963163-fence_zvmip-add-ssl-tls-support.patch %if 0%{?fedora} || 0%{?rhel} > 7 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hds_cb hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti 
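Review bot: In the `open_socket` change carried by this patch, the `--ssl-insecure` branch disables both `check_hostname` and certificate verification without leaving any log record, and a failed TLS handshake is only visible through `logging.debug(e)` before `fail(EC_LOGIN_DENIED)`. The agent takes `login` and `passwd` options that are presumably sent over this connection, so an unverified session should be visible to operators: add `logging.warning("TLS certificate verification is disabled (--ssl-insecure)")` inside that branch. Logging the connect failure with `logging.error("Failed to connect: %s", e)` would let a certificate or hostname mismatch be told apart from a rejected login without enabling debug output. Because verification uses `server_hostname=options["--ip"]`, a literal IP address only validates against a certificate carrying a matching IP subjectAltName, which is worth stating in the `ssl` option description. `open_socket` begins before the hunk shown.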
@@ -423,6 +424,7 @@ BuildRequires: python3-pip %patch103 -p1 %patch104 -p1 -F1 %patch105 -p1 +%patch106 -p1 # prevent compilation of something that won't get used anyway sed -i.orig 's|FENCE_ZVM=1|FENCE_ZVM=0|' configure.ac @@ -1368,6 +1370,10 @@ Fence agent for IBM z/VM over IP. %endif %changelog +* Thu Nov 11 2021 Oyvind Albrigtsen - 4.2.1-83 +- fence_zvmip: add SSL/TLS support + Resolves: rhbz#1963163 + * Thu Nov 4 2021 Oyvind Albrigtsen - 4.2.1-82 - fence_kubevirt: new fence agent Resolves: rhbz#1977588