From 2e7a40570d6b21534ec0215ac5ebc174796cf17c Mon Sep 17 00:00:00 2001
From: Ken Gaillot <kgaillot@redhat.com>
Date: Thu, 20 Aug 2020 10:02:20 -0500
Subject: [PATCH 1/2] Refactor: tools: rename function in cibsecret to be more
 clear

It led me to initially misdiagnose a problem.
---
 tools/cibsecret.in | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/tools/cibsecret.in b/tools/cibsecret.in
index 9b74ba3..dabbfc0 100644
--- a/tools/cibsecret.in
+++ b/tools/cibsecret.in
@@ -162,28 +162,28 @@ check_env() {
 }
 
 # This must be called (and return success) before calling $rsh or $rcp_to_from
-get_live_nodes() {
-    # Get a list of all cluster nodes
+get_live_peers() {
+    # Get a list of all other cluster nodes
     GLN_ALL_NODES="$(crm_node -l | awk '{print $2}' | grep -v "$(uname -n)")"
 
     # Make a list of those that respond to pings
     if [ "$(id -u)" = "0" ] && which fping >/dev/null 2>&1; then
-        LIVE_NODES=$(fping -a $GLN_ALL_NODES 2>/dev/null)
+        LIVE_NODES=$(fping -a $GLP_ALL_PEERS 2>/dev/null)
     else
         LIVE_NODES=""
-        for GLN_NODE in $GLN_ALL_NODES; do \
-            ping -c 2 -q "$GLN_NODE" >/dev/null 2>&1 &&
-                LIVE_NODES="$LIVE_NODES $GLN_NODE"
+        for GLP_NODE in $GLP_ALL_PEERS; do \
+            ping -c 2 -q "$GLP_NODE" >/dev/null 2>&1 &&
+                LIVE_NODES="$LIVE_NODES $GLP_NODE"
         done
     fi
 
     # Warn the user about any that didn't respond to pings
-    GLN_DOWN="$( (for GLN_NODE in $LIVE_NODES $GLN_ALL_NODES; do echo "$GLN_NODE"; done) | sort | uniq -u)"
-    if [ "$(echo "$GLN_DOWN" | wc -w)" = "1" ]; then
-        warn "node $GLN_DOWN is down"
+    GLP_DOWN="$( (for GLP_NODE in $LIVE_NODES $GLP_ALL_PEERS; do echo "$GLP_NODE"; done) | sort | uniq -u)"
+    if [ "$(echo "$GLP_DOWN" | wc -w)" = "1" ]; then
+        warn "node $GLP_DOWN is down"
         warn "you'll need to update it using \"$PROG sync\" later"
-    elif [ -n "$GLN_DOWN" ]; then
-        warn "nodes $(echo "$GLN_DOWN" | tr '\n' ' ')are down"
+    elif [ -n "$GLP_DOWN" ]; then
+        warn "nodes $(echo "$GLP_DOWN" | tr '\n' ' ')are down"
         warn "you'll need to update them using \"$PROG sync\" later"
     fi
 
@@ -235,7 +235,7 @@ scp_fun() {
 # TODO: this procedure should be replaced with csync2
 # provided that csync2 has already been configured
 sync_files() {
-    get_live_nodes || return
+    get_live_peers || return
     info "syncing $LRM_CIBSECRETS to $(echo "$LIVE_NODES" | tr '\n' ' ') ..."
     $rsh rm -rf "$LRM_CIBSECRETS" &&
         $rsh mkdir -p "$(dirname "$LRM_CIBSECRETS")" &&
@@ -244,7 +244,7 @@ sync_files() {
 
 sync_one() {
     SO_FILE="$1"
-    get_live_nodes || return
+    get_live_peers || return
     info "syncing $SO_FILE to $(echo "$LIVE_NODES" | tr '\n' ' ') ..."
     $rsh mkdir -p "$(dirname "$SO_FILE")" &&
         if [ -f "$SO_FILE" ]; then
-- 
1.8.3.1


From 9c1517e6a681f35d62b4714e854b258c17ab5e59 Mon Sep 17 00:00:00 2001
From: Ken Gaillot <kgaillot@redhat.com>
Date: Thu, 20 Aug 2020 10:03:23 -0500
Subject: [PATCH 2/2] Fix: tools: properly detect local node name

cibsecret had two serious problems when generating a list of other nodes to
sync secrets to:

* It used `uname -n` to remove the local node from the list. If the local node
  name is different from its uname, this could cause local secrets to be
  removed from the local node rather than synced to other nodes.

* It removed not just the local node name, but any node name that contained
  the local node name as a substring (e.g. "node1" and "node10"). This could
  cause secrets to not be synced to such nodes.

Now, use `crm_node -n` to determine the local node name, check crm_node for
errors to get better error messages, and remove only the node name that matches
the local node name in its entirety.
---
 tools/cibsecret.in | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/tools/cibsecret.in b/tools/cibsecret.in
index dabbfc0..568833c 100644
--- a/tools/cibsecret.in
+++ b/tools/cibsecret.in
@@ -163,8 +163,14 @@ check_env() {
 
 # This must be called (and return success) before calling $rsh or $rcp_to_from
 get_live_peers() {
+    # Get local node name
+    GLP_LOCAL_NODE="$(crm_node -n)"
+    [ $? -eq 0 ] || fatal "couldn't get local node name"
+
     # Get a list of all other cluster nodes
-    GLN_ALL_NODES="$(crm_node -l | awk '{print $2}' | grep -v "$(uname -n)")"
+    GLP_ALL_PEERS="$(crm_node -l)"
+    [ $? -eq 0 ] || fatal "couldn't determine cluster nodes"
+    GLP_ALL_PEERS="$(echo "$GLP_ALL_PEERS" | awk '{print $2}' | grep -v "^${GLP_LOCAL_NODE}$")"
 
     # Make a list of those that respond to pings
     if [ "$(id -u)" = "0" ] && which fping >/dev/null 2>&1; then
-- 
1.8.3.1