diff --git a/SOURCES/015-cibsecret.patch b/SOURCES/015-cibsecret.patch
new file mode 100644
index 0000000..d64cc65
--- /dev/null
+++ b/SOURCES/015-cibsecret.patch
@@ -0,0 +1,123 @@
+From 2e7a40570d6b21534ec0215ac5ebc174796cf17c Mon Sep 17 00:00:00 2001
+From: Ken Gaillot
+Date: Thu, 20 Aug 2020 10:02:20 -0500
+Subject: [PATCH 1/2] Refactor: tools: rename function in cibsecret to be more
+ clear
+
+It led me to initially misdiagnose a problem.
+---
+ tools/cibsecret.in | 26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/tools/cibsecret.in b/tools/cibsecret.in
+index 9b74ba3..dabbfc0 100644
+--- a/tools/cibsecret.in
++++ b/tools/cibsecret.in
+@@ -162,28 +162,28 @@ check_env() {
+ }
+
+ # This must be called (and return success) before calling $rsh or $rcp_to_from
+-get_live_nodes() {
+- # Get a list of all cluster nodes
++get_live_peers() {
++ # Get a list of all other cluster nodes
+ GLN_ALL_NODES="$(crm_node -l | awk '{print $2}' | grep -v "$(uname -n)")"
+
+ # Make a list of those that respond to pings
+ if [ "$(id -u)" = "0" ] && which fping >/dev/null 2>&1; then
+- LIVE_NODES=$(fping -a $GLN_ALL_NODES 2>/dev/null)
++ LIVE_NODES=$(fping -a $GLP_ALL_PEERS 2>/dev/null)
+ else
+ LIVE_NODES=""
+- for GLN_NODE in $GLN_ALL_NODES; do \
+- ping -c 2 -q "$GLN_NODE" >/dev/null 2>&1 &&
+- LIVE_NODES="$LIVE_NODES $GLN_NODE"
++ for GLP_NODE in $GLP_ALL_PEERS; do \
++ ping -c 2 -q "$GLP_NODE" >/dev/null 2>&1 &&
++ LIVE_NODES="$LIVE_NODES $GLP_NODE"
+ done
+ fi
+
+ # Warn the user about any that didn't respond to pings
+- GLN_DOWN="$( (for GLN_NODE in $LIVE_NODES $GLN_ALL_NODES; do echo "$GLN_NODE"; done) | sort | uniq -u)"
+- if [ "$(echo "$GLN_DOWN" | wc -w)" = "1" ]; then
+- warn "node $GLN_DOWN is down"
++ GLP_DOWN="$( (for GLP_NODE in $LIVE_NODES $GLP_ALL_PEERS; do echo "$GLP_NODE"; done) | sort | uniq -u)"
++ if [ "$(echo "$GLP_DOWN" | wc -w)" = "1" ]; then
++ warn "node $GLP_DOWN is down"
+ warn "you'll need to update it using \"$PROG sync\" later"
+- elif [ -n "$GLN_DOWN" ]; then
+- warn "nodes $(echo "$GLN_DOWN" | tr '\n' ' ')are down"
++ elif [ -n "$GLP_DOWN" ]; then
++ warn "nodes $(echo "$GLP_DOWN" | tr '\n' ' ')are down"
+ warn "you'll need to update them using \"$PROG sync\" later"
+ fi
+
+@@ -235,7 +235,7 @@ scp_fun() {
+ # TODO: this procedure should be replaced with csync2
+ # provided that csync2 has already been configured
+ sync_files() {
+- get_live_nodes || return
++ get_live_peers || return
+ info "syncing $LRM_CIBSECRETS to $(echo "$LIVE_NODES" | tr '\n' ' ') ..."
+ $rsh rm -rf "$LRM_CIBSECRETS" &&
+ $rsh mkdir -p "$(dirname "$LRM_CIBSECRETS")" &&
+@@ -244,7 +244,7 @@ sync_files() {
+
+ sync_one() {
+ SO_FILE="$1"
+- get_live_nodes || return
++ get_live_peers || return
+ info "syncing $SO_FILE to $(echo "$LIVE_NODES" | tr '\n' ' ') ..."
+ $rsh mkdir -p "$(dirname "$SO_FILE")" &&
+ if [ -f "$SO_FILE" ]; then
+-- 
+1.8.3.1
+
+
+From 9c1517e6a681f35d62b4714e854b258c17ab5e59 Mon Sep 17 00:00:00 2001
+From: Ken Gaillot
+Date: Thu, 20 Aug 2020 10:03:23 -0500
+Subject: [PATCH 2/2] Fix: tools: properly detect local node name
+
+cibsecret had two serious problems when generating a list of other nodes to
+sync secrets to:
+
+* It used `uname -n` to remove the local node from the list. If the local node
+ name is different from its uname, this could cause local secrets to be
+ removed from the local node rather than synced to other nodes.
+
+* It removed not just the local node name, but any node name that contained
+ the local node name as a substring (e.g. "node1" and "node10"). This could
+ cause secrets to not be synced to such nodes.
+
+Now, use `crm_node -n` to determine the local node name, check crm_node for
+errors to get better error messages, and remove only the node name that matches
+the local node name in its entirety.
+---
+ tools/cibsecret.in | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/cibsecret.in b/tools/cibsecret.in
+index dabbfc0..568833c 100644
+--- a/tools/cibsecret.in
++++ b/tools/cibsecret.in
+@@ -163,8 +163,14 @@ check_env() {
+
+ # This must be called (and return success) before calling $rsh or $rcp_to_from
+ get_live_peers() {
++ # Get local node name
++ GLP_LOCAL_NODE="$(crm_node -n)"
++ [ $? -eq 0 ] || fatal "couldn't get local node name"
++
+ # Get a list of all other cluster nodes
+- GLN_ALL_NODES="$(crm_node -l | awk '{print $2}' | grep -v "$(uname -n)")"
++ GLP_ALL_PEERS="$(crm_node -l)"
++ [ $? -eq 0 ] || fatal "couldn't determine cluster nodes"
++ GLP_ALL_PEERS="$(echo "$GLP_ALL_PEERS" | awk '{print $2}' | grep -v "^${GLP_LOCAL_NODE}$")"
+
+ # Make a list of those that respond to pings
+ if [ "$(id -u)" = "0" ] && which fping >/dev/null 2>&1; then
+-- 
+1.8.3.1
+
diff --git a/SPECS/pacemaker.spec b/SPECS/pacemaker.spec
index f28c094..b33bb5f 100644
--- a/SPECS/pacemaker.spec
+++ b/SPECS/pacemaker.spec
@@ -23,7 +23,7 @@
 ## can be incremented to build packages reliably considered "newer"
 ## than previously built packages with the same pcmkversion)
 %global pcmkversion 2.0.4
-%global specversion 5
+%global specversion 6
 ## Upstream commit (full commit ID, abbreviated commit ID, or tag) to build
 %global commit 2deceaa3ae1fbadd844f5c5b47fd33129fa2c227
@@ -263,6 +263,7 @@ Patch11: 011-cts.patch
 Patch12: 012-ipc_fix.patch
 Patch13: 013-pacemakerd.patch
 Patch14: 014-sbd.patch
+Patch15: 015-cibsecret.patch
 # downstream-only commits
 #Patch100: xxx.patch
@@ -960,6 +961,10 @@ exit 0
 %license %{nagios_name}-%{nagios_hash}/COPYING
 %changelog
+* Thu Aug 20 2020 Ken Gaillot - 2.0.4-6
+- Fix cibsecret bug when node name is different from hostname
+- Resolves: rhbz1870873
+
 * Fri Jul 24 2020 Ken Gaillot - 2.0.4-5
 - Synchronize start-up and shutdown with SBD
 - Resolves: rhbz1718324
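Review bot: In `get_live_peers()` as changed by PATCH 2/2 of 015-cibsecret.patch, the local node name is still interpolated into a regular expression (`grep -v "^${GLP_LOCAL_NODE}$"`), so a `.` in a fully-qualified node name matches any character and the filter is not a strict whole-name comparison. A fixed-string, whole-line match states the intent exactly: `grep -vxF -- "$GLP_LOCAL_NODE"`. Separately, if `crm_node -n` exits 0 but prints nothing, the pattern becomes `^$` and removes no node, which would presumably leave the local node in the peer list that `sync_files` uses for `$rsh rm -rf "$LRM_CIBSECRETS"` — the failure mode the commit message describes. A guard such as `[ -n "$GLP_LOCAL_NODE" ] || fatal "couldn't get local node name"` closes that case. The function body continues past the end of the inner hunk, so the remaining uses of `GLP_ALL_PEERS` are not visible here.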