From 169d424cf88594f15e7e66baa705df6b727aa807 Mon Sep 17 00:00:00 2001

From: Ken Gaillot <kgaillot@redhat.com>

Date: Tue, 4 Jun 2019 16:24:16 -0500

Subject: [PATCH 1/4] Log: pacemaker-remoted: use different default log if pid

 1

When pacemaker-remoted runs as pid 1 inside a container, there may not be a

/var/log/pacemaker directory. To get around this, use a default log of

/var/log/pcmk-init.log when running as pid 1.

This was chosen over alternatives (creating the /var/log/pacemaker directory,

or passing the log location as an environment variable when creating the

implicit container resource) because it both avoids forcing a restart of

active bundles due to configuration change (as well as preserving regression

test output) and allows users to configure an explicit log location via the

container image or the bundle's extra arguments.

---

 daemons/execd/pacemaker-execd.c | 8 ++++++++

 1 file changed, 8 insertions(+)

diff --git a/daemons/execd/pacemaker-execd.c b/daemons/execd/pacemaker-execd.c

index e2fdfca..cfa5500 100644

--- a/daemons/execd/pacemaker-execd.c

+++ b/daemons/execd/pacemaker-execd.c

@@ -429,6 +429,14 @@ static void spawn_pidone(int argc, char **argv, char **envp)

         return;

     }

+    /* Containers can be expected to have /var/log, but they may not have

+     * /var/log/pacemaker, so use a different default if no value has been

+     * explicitly configured in the container's environment.

+     */

+    if (daemon_option("logfile") == NULL) {

+        set_daemon_option("logfile", "/var/log/pcmk-init.log");

+    }

+

     sigfillset(&set);

     sigprocmask(SIG_BLOCK, &set, 0);

-- 

1.8.3.1

From 7e362387a092b5617b36a69961115f7703e4d801 Mon Sep 17 00:00:00 2001

From: Ken Gaillot <kgaillot@redhat.com>

Date: Fri, 17 May 2019 12:39:43 -0500

Subject: [PATCH 2/4] Refactor: libpe_status: add enum for bundle mount flags

More readable than 0 or 1

---

 lib/pengine/bundle.c  | 17 +++++++++--------

 lib/pengine/variant.h |  9 ++++++++-

 2 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/lib/pengine/bundle.c b/lib/pengine/bundle.c

index 3b32f04..b223f03 100644

--- a/lib/pengine/bundle.c

+++ b/lib/pengine/bundle.c

@@ -228,7 +228,7 @@ create_docker_resource(pe_resource_t *parent, pe__bundle_variant_data_t *data,

         for(GListPtr pIter = data->mounts; pIter != NULL; pIter = pIter->next) {

             pe__bundle_mount_t *mount = pIter->data;

-            if(mount->flags) {

+            if (is_set(mount->flags, pe__bundle_mount_subdir)) {

                 char *source = crm_strdup_printf(

                     "%s/%s-%d", mount->source, data->prefix, replica->offset);

@@ -396,7 +396,7 @@ create_podman_resource(pe_resource_t *parent, pe__bundle_variant_data_t *data,

         for(GListPtr pIter = data->mounts; pIter != NULL; pIter = pIter->next) {

             pe__bundle_mount_t *mount = pIter->data;

-            if(mount->flags) {

+            if (is_set(mount->flags, pe__bundle_mount_subdir)) {

                 char *source = crm_strdup_printf(

                     "%s/%s-%d", mount->source, data->prefix, replica->offset);

@@ -562,7 +562,7 @@ create_rkt_resource(pe_resource_t *parent, pe__bundle_variant_data_t *data,

         for(GListPtr pIter = data->mounts; pIter != NULL; pIter = pIter->next) {

             pe__bundle_mount_t *mount = pIter->data;

-            if(mount->flags) {

+            if (is_set(mount->flags, pe__bundle_mount_subdir)) {

                 char *source = crm_strdup_printf(

                     "%s/%s-%d", mount->source, data->prefix, replica->offset);

@@ -894,7 +894,7 @@ create_container(pe_resource_t *parent, pe__bundle_variant_data_t *data,

 static void

 mount_add(pe__bundle_variant_data_t *bundle_data, const char *source,

-          const char *target, const char *options, int flags)

+          const char *target, const char *options, uint32_t flags)

 {

     pe__bundle_mount_t *mount = calloc(1, sizeof(pe__bundle_mount_t));

@@ -1142,11 +1142,11 @@ pe__unpack_bundle(pe_resource_t *rsc, pe_working_set_t *data_set)

         const char *source = crm_element_value(xml_child, "source-dir");

         const char *target = crm_element_value(xml_child, "target-dir");

         const char *options = crm_element_value(xml_child, "options");

-        int flags = 0;

+        int flags = pe__bundle_mount_none;

         if (source == NULL) {

             source = crm_element_value(xml_child, "source-dir-root");

-            flags = 1;

+            set_bit(flags, pe__bundle_mount_subdir);

         }

         if (source && target) {

@@ -1251,9 +1251,10 @@ pe__unpack_bundle(pe_resource_t *rsc, pe_working_set_t *data_set)

          * reasonable.

          */

         mount_add(bundle_data, DEFAULT_REMOTE_KEY_LOCATION,

-                  DEFAULT_REMOTE_KEY_LOCATION, NULL, 0);

+                  DEFAULT_REMOTE_KEY_LOCATION, NULL, pe__bundle_mount_none);

-        mount_add(bundle_data, CRM_BUNDLE_DIR, "/var/log", NULL, 1);

+        mount_add(bundle_data, CRM_BUNDLE_DIR, "/var/log", NULL,

+                  pe__bundle_mount_subdir);

         port = calloc(1, sizeof(pe__bundle_port_t));

         if(bundle_data->control_port) {

diff --git a/lib/pengine/variant.h b/lib/pengine/variant.h

index f46aa11..7f77eef 100644

--- a/lib/pengine/variant.h

+++ b/lib/pengine/variant.h

@@ -51,11 +51,18 @@ typedef struct {

     pe_resource_t *remote;

 } pe__bundle_replica_t;

+enum pe__bundle_mount_flags {

+    pe__bundle_mount_none       = 0x00,

+

+    // mount instance-specific subdirectory rather than source directly

+    pe__bundle_mount_subdir     = 0x01

+};

+

 typedef struct {

     char *source;

     char *target;

     char *options;

-    int flags;

+    uint32_t flags; // bitmask of pe__bundle_mount_flags

 } pe__bundle_mount_t;

 typedef struct {

-- 

1.8.3.1

From 87eac95868930ffda4d964c2b6bd9960b6893cc9 Mon Sep 17 00:00:00 2001

From: Ken Gaillot <kgaillot@redhat.com>

Date: Fri, 17 May 2019 14:13:54 -0500

Subject: [PATCH 3/4] Fix: controller: don't check join status after remote

 node appears

Only cluster nodes have join state

---

 daemons/controld/controld_callbacks.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemons/controld/controld_callbacks.c b/daemons/controld/controld_callbacks.c

index 06ffb9d..3ce7470 100644

--- a/daemons/controld/controld_callbacks.c

+++ b/daemons/controld/controld_callbacks.c

@@ -228,7 +228,7 @@ peer_update_callback(enum crm_status_type type, crm_node_t * node, const void *d

         crm_trace("Alive=%d, appeared=%d, down=%d",

                   alive, appeared, (down? down->id : -1));

-        if (appeared && (alive > 0)) {

+        if (appeared && (alive > 0) && !is_remote) {

             register_fsa_input_before(C_FSA_INTERNAL, I_NODE_JOIN, NULL);

         }

-- 

1.8.3.1

From 5755b63850a17cd91bca28e83c39119378fe1887 Mon Sep 17 00:00:00 2001

From: Ken Gaillot <kgaillot@redhat.com>

Date: Sat, 18 May 2019 21:59:00 -0500

Subject: [PATCH 4/4] Doc: Pacemaker Explained: document effect of SELinux on

 bundle storage

---

 doc/Pacemaker_Explained/en-US/Ch-Advanced-Resources.txt | 15 ++++++++++++---

 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/doc/Pacemaker_Explained/en-US/Ch-Advanced-Resources.txt b/doc/Pacemaker_Explained/en-US/Ch-Advanced-Resources.txt

index e431626..4a181df 100644

--- a/doc/Pacemaker_Explained/en-US/Ch-Advanced-Resources.txt

+++ b/doc/Pacemaker_Explained/en-US/Ch-Advanced-Resources.txt

@@ -999,11 +999,11 @@ association with Docker, Inc. is implied.]

                        source-dir="/srv/html"

                        target-dir="/var/www/html"

-                       options="rw"/>

+                       options="rw,Z"/>

                        source-dir-root="/var/log/pacemaker/bundles"

                        target-dir="/etc/httpd/logs"

-                       options="rw"/>

+                       options="rw,Z"/>

    </storage>

    <primitive class="ocf" id="httpd" provider="heartbeat" type="apache"/>

 </bundle>

@@ -1293,7 +1293,8 @@ indexterm:[bundle,storage,storage-mapping]

 |options

 |

-|File system mount options to use when mapping the storage

+|A comma-separated list of file system mount options to use when mapping the

+ storage

  indexterm:[options,storage-mapping]

  indexterm:[storage-mapping,Property,options]

@@ -1322,6 +1323,14 @@ The +PCMK_authkey_location+ environment variable must not be set to anything

 other than the default of `/etc/pacemaker/authkey` on any node in the cluster.

 ====

+[IMPORTANT]

+====

+If SELinux is used in enforcing mode on the host, you must ensure the container

+is allowed to use any storage you mount into it. For Docker and podman bundles,

+adding "Z" to the mount options will create a container-specific label for the

+mount that allows the container access.

+====

+

 === Bundle Primitive ===

 A bundle may optionally contain one +<primitive>+ resource

-- 

1.8.3.1