diff --git a/SOURCES/bz1205848-Do-not-set-two_node-in-corosync-if-auto_tie_breaker-is-on.patch b/SOURCES/bz1205848-Do-not-set-two_node-in-corosync-if-auto_tie_breaker-is-on.patch new file mode 100644 index 0000000..c5c63d3 --- /dev/null +++ b/SOURCES/bz1205848-Do-not-set-two_node-in-corosync-if-auto_tie_breaker-is-on.patch 
@@ -0,0 +1,122 @@ +From e751df5b0e5d6849fa5a8332c7a0fed53c5b5141 Mon Sep 17 00:00:00 2001 +From: Tomas Jelinek +Date: Tue, 3 Mar 2015 15:21:29 +0100 +Subject: [PATCH] Do not set two_node in corosync if auto_tie_breaker is on + +--- + pcs/cluster.py | 23 ++++++-- + pcs/utils.py | 26 +++++++-- + 3 files changed, 170 insertions(+), 14 deletions(-) + +diff --git a/pcs/cluster.py b/pcs/cluster.py +index 8569b92..c4a9b4c 100644 +--- a/pcs/cluster.py ++++ b/pcs/cluster.py +@@ -351,6 +351,20 @@ def corosync_setup(argv,returnConfig=False): + cib_path = os.path.join(settings.cib_dir, "cib.xml") + if os.path.exists(cib_path) and not "--force" in utils.pcs_options: + utils.err("%s already exists, use --force to overwrite" % cib_path) ++ ++ for opt in ["--wait_for_all", "--auto_tie_breaker", "--last_man_standing"]: ++ if ( ++ opt in utils.pcs_options ++ and ++ utils.pcs_options[opt] not in ["0", "1"] ++ ): ++ utils.err( ++ "'%s' is not a valid value for %s, use 0 or 1" ++ % (utils.pcs_options[opt], opt) ++ ) ++ ++ auto_tie_breaker = False ++ + if "--corosync_conf" not in utils.pcs_options: + cluster_destroy([]) + +@@ -372,20 +386,21 @@ def corosync_setup(argv,returnConfig=False): + new_nodes_section += " }\n" + i = i+1 + +- two_node_section = "" +- if len(nodes) == 2: +- two_node_section = "two_node: 1" +- + quorum_options = "" + if "--wait_for_all" in utils.pcs_options: + quorum_options += "wait_for_all: " + utils.pcs_options["--wait_for_all"] + "\n" + if "--auto_tie_breaker" in utils.pcs_options: + quorum_options += "auto_tie_breaker: " + utils.pcs_options["--auto_tie_breaker"] + "\n" ++ if utils.pcs_options["--auto_tie_breaker"] == "1": ++ auto_tie_breaker = True + if "--last_man_standing" in utils.pcs_options: + quorum_options += "last_man_standing: " + utils.pcs_options["--last_man_standing"] + "\n" + if "--last_man_standing_window" in utils.pcs_options: + quorum_options += "last_man_standing_window: " + utils.pcs_options["--last_man_standing_window"] + "\n" + ++ 
two_node_section = "" ++ if len(nodes) == 2 and not auto_tie_breaker: ++ two_node_section = "two_node: 1" + + transport = "udpu" + if "--transport" in utils.pcs_options: +diff --git a/pcs/utils.py b/pcs/utils.py +index d35db1d..6911f0c 100644 +--- a/pcs/utils.py ++++ b/pcs/utils.py +@@ -527,7 +527,8 @@ def removeNodeFromCorosync(node): + node0 = node + node1 = None + +- for c_node in getNodesFromCorosyncConf(): ++ corosync_conf = getCorosyncConf() ++ for c_node in getNodesFromCorosyncConf(corosync_conf): + if c_node == node0: + node_found = True + num_nodes_in_conf = num_nodes_in_conf + 1 +@@ -539,7 +540,7 @@ def removeNodeFromCorosync(node): + in_node = False + node_match = False + node_buffer = [] +- for line in getCorosyncConf().split("\n"): ++ for line in corosync_conf.split("\n"): + if in_node: + node_buffer.append(line) + if ( +@@ -562,7 +563,8 @@ def removeNodeFromCorosync(node): + new_corosync_conf = "\n".join(new_corosync_conf_lines) + "\n" + + if removed_node: +- if num_nodes_in_conf == 3: ++ auto_tie_breaker = getQuorumOption(corosync_conf, "auto_tie_breaker") ++ if num_nodes_in_conf == 3 and auto_tie_breaker != "1": + new_corosync_conf = addQuorumOption(new_corosync_conf,("two_node","1")) + setCorosyncConf(new_corosync_conf) + reloadCorosync() +@@ -640,6 +642,24 @@ def rmQuorumOption(corosync_conf,option): + + return output.rstrip('\n') + "\n" + ++def getQuorumOption(corosync_conf, option): ++ lines = corosync_conf.split("\n") ++ value = None ++ ++ inQuorum = False ++ for line in lines: ++ line = line.strip() ++ if line.startswith("#"): ++ continue ++ if inQuorum and "}" in line: ++ inQuorum = False ++ elif inQuorum and line.split(":", 1)[0].strip() == option: ++ value = line.split(":", 1)[1].strip() ++ elif line.startswith("quorum {"): ++ inQuorum = True ++ ++ return value ++ + def getNextNodeID(corosync_conf): + currentNodes = [] + highest = 0 +-- +1.9.1 + 
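Review bot: In the pcs/utils.py part of this patch, getQuorumOption only enters the quorum section when a line starts with the exact text `quorum {`, and removeNodeFromCorosync treats the resulting None the same as auto_tie_breaker being off. A corosync.conf whose section header is spelled differently (for example with no space or a tab before the brace, assuming corosync accepts that) would still get `two_node: 1` added when the cluster shrinks from three nodes to two, which is the combination this patch is meant to prevent. Matching the header on its whitespace-stripped form, e.g. `elif "".join(line.split()).startswith("quorum{"):`, would close that gap; whether the sibling quorum helpers parse the same way is not visible here. Separately, the new 0/1 check in corosync_setup does not cover `--last_man_standing_window`, which is still concatenated into quorum_options unvalidated; an `isdigit()` check before the concatenation would match the intent of the loop.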
diff --git a/SOURCES/secure-cookie.patch b/SOURCES/secure-cookie.patch new file mode 100644 index 0000000..d7d802f --- /dev/null +++ b/SOURCES/secure-cookie.patch @@ -0,0 +1,22 @@ +--- pcs-0.9.137/pcsd/pcsd.rb.secure_fix 2015-03-30 13:48:50.209887370 -0500 ++++ pcs-0.9.137/pcsd/pcsd.rb 2015-03-30 13:50:47.321660377 -0500 +@@ -32,7 +32,9 @@ end + + use Rack::Session::Cookie, + :expire_after => 60 * 60, +- :secret => secret ++ :secret => secret, ++ :secure => true, # only send over HTTPS ++ :httponly => true # don't provide to javascript + + #use Rack::SSL + +@@ -46,8 +48,6 @@ also_reload 'pcs.rb' + also_reload 'auth.rb' + also_reload 'wizard.rb' + +-enable :sessions +- + before do + $session = session + $cookies = cookies diff --git a/SPECS/pcs.spec b/SPECS/pcs.spec index 0700e72..f0f6250 100644 --- a/SPECS/pcs.spec +++ b/SPECS/pcs.spec @@ -16,7 +16,7 @@ Name: pcs Version: 0.9.137 -Release: 13%{?dist} +Release: 13%{?dist}.2 License: GPLv2 URL: http://github.com/feist/pcs Group: System Environment/Base @@ -37,6 +37,8 @@ Patch8: bz1180390-Stop-deleted-resource-before-removing-its-constraint.patch Patch9: bz1180506-stop-cluster-nodes-in-parallel.patch Patch10: bz1180506-Warn-if-nodes-stop-will-cause-a-loss-of-the-quorum.patch Patch11: bz1180506-3-Keep-cluster-quorate-during-destruction-as-long-as-possible.patch +Patch12: bz1205848-Do-not-set-two_node-in-corosync-if-auto_tie_breaker-is-on.patch +Patch13: secure-cookie.patch # NOTE: Source20 and Patch200+ belong to python-clufter @@ -234,6 +236,14 @@ popd >/dev/null %changelog +* Wed Apr 15 2015 Tomas Jelinek - 0.9.137-13.el7_1.2 +- Fixes issues with cookie signing in pcsd +- Resolves: rhbz#1211567 + +* Thu Mar 26 2015 Tomas Jelinek - 0.9.137-13.el7_1.1 +- Do not set two_nodes=1 in corosync.conf when auto_tie_breaker=1 is set +- Resolves: rhbz#1205848 + * Tue Jan 20 2015 Tomas Jelinek - 0.9.137-13 - Keep cluster quorate during destruction as long as possible - Resolves: rhbz#1180506
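Review bot: The removal of `enable :sessions` in the second inner hunk of secure-cookie.patch carries no comment, yet it looks like the security-relevant half of the change. With that line present, Sinatra installs its own session middleware next to the explicit `use Rack::Session::Cookie`, so the `:secret`, `:secure` and `:httponly` options set in the first hunk would presumably not govern the cookie actually issued. A one-line comment above the `use` call, such as `# sessions are configured here; do not add "enable :sessions", it would install a second cookie middleware without these options`, would keep a later cleanup from reintroducing it. How `secret` is generated is outside the hunk, so its strength and persistence across restarts cannot be checked from here.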