From 019c3108feff48d8ad496cd0759349c46170dc2d Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen <oalbrigt@redhat.com>
Date: Mon, 6 Apr 2020 10:23:51 +0200
Subject: [PATCH 1/2] crypt: new resource agent
---
doc/man/Makefile.am | 1 +
heartbeat/Makefile.am | 1 +
heartbeat/crypt | 337 ++++++++++++++++++++++++++++++++++++++++++
3 files changed, 339 insertions(+)
create mode 100755 heartbeat/crypt
diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am
index 478fbe4f8..53c9975ec 100644
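--- a/doc/man/Makefile.am
+++ b/doc/man/Makefile.am
@@ -105,6 +105,7 @@ man_MANS = ocf_heartbeat_AoEtarget.7 \
 ocf_heartbeat_azure-lb.7 \
 ocf_heartbeat_clvm.7 \
 ocf_heartbeat_conntrackd.7 \
+ ocf_heartbeat_crypt.7 \
 ocf_heartbeat_db2.7 \
 ocf_heartbeat_dhcpd.7 \
 ocf_heartbeat_docker.7 \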
diff --git a/heartbeat/Makefile.am b/heartbeat/Makefile.am
index 893115810..bbc9590ac 100644
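--- a/heartbeat/Makefile.am
+++ b/heartbeat/Makefile.am
@@ -101,6 +101,7 @@ ocf_SCRIPTS = AoEtarget \
 azure-lb \
 clvm \
 conntrackd \
+ crypt \
 db2 \
 dhcpd \
 dnsupdate \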
diff --git a/heartbeat/crypt b/heartbeat/crypt
new file mode 100755
index 000000000..6bffdff89
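--- /dev/null
+++ b/heartbeat/crypt
@@ -0,0 +1,337 @@
+#!/bin/sh
+#
+# crypt/LUKS OCF RA. Manages cryptsetup devices.
+#
+# Copyright (c) 2020 Red Hat GmbH, Heinz Mauelshagen
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of version 2 of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+#
+# Further, this software is distributed without any warranty that it is
+# free of the rightful claim of any third person regarding infringement
+# or the like. Any license provided herein, whether implied or
+# otherwise, applies only to this software file. Patent licenses, if
+# any, provided herein do not apply to combinations of this program with
+# other software, or any other product whatsoever.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc., 59 Temple Place - Suite 330, Boston MA 02111-1307, USA.
+#
+
+#######################################################################
+# Initialization:
+
+: ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
+. ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
+
+# Parameter defaults
+OCF_RESKEY_encrypted_dev_default=""
+OCF_RESKEY_crypt_dev_default=""
+OCF_RESKEY_key_file_default=""
+OCF_RESKEY_crypt_type_default=""
+OCF_RESKEY_force_stop_default="false"
+
+: ${OCF_RESKEY_encrypted_dev=${OCF_RESKEY_encrypted_dev_default}}
+: ${OCF_RESKEY_crypt_dev=${OCF_RESKEY_crypt_dev_default}}
+: ${OCF_RESKEY_key_file=${OCF_RESKEY_key_file_default}}
+: ${OCF_RESKEY_crypt_type=${OCF_RESKEY_crypt_type_default}}
+: ${OCF_RESKEY_force_stop=${OCF_RESKEY_force_stop_default}}
+
+#######################################################################
+
+meta_data() {
+ cat <
+
+
+<resource-agent name="crypt">
+<version>1.0</version>
+
+<longdesc lang="en">
+This is a LUKS/crypt Resource Agent managing encrypted devices via cryptsetup(8).
+The agent imposes limitations on device types supported: luks, luks[1..N].
+</longdesc>
+<shortdesc lang="en">LUKS/crypt resource agent</shortdesc>
+
+<parameters>
+
+<parameter name="encrypted_dev" unique="1" required="1">
+<longdesc lang="en">
+Encrypted backing device, which should be defined by UUID,
+36 characters including '-'s as reported by blkid(8).
+
+Although it can be defined as a block device path (e.g. /dev/sdh),
+the UUID should be preferred over the block device path to allow for the
+unique discovery of the crypt backing device given the volatile nature of
+/dev entries (e.g. /dev/sdh on one node may be /dev/sdg on another).
+
+Only define as block device path if you know what you are doing.
+</longdesc>
+<shortdesc lang="en">Encrypted device</shortdesc>
+<content type="string" default="${OCF_RESKEY_encrypted_dev_default}" />
+</parameter>
+
+<parameter name="crypt_dev" unique="1" required="1">
+<longdesc lang="en">
+Encrypted device name, no path. I.e. the one given in "cryptsetup open name ...".
+The resulting block device path is /dev/mapper/name.
+</longdesc>
+<shortdesc lang="en">Encrypted device</shortdesc>
+<content type="string" default="${OCF_RESKEY_crypt_dev_default}" />
+</parameter>
+
+<parameter name="key_file" unique="1" required="1">
+<longdesc lang="en">
+Key file path containing the encryption passphrase
+(aka key; see cryptsetup(8)). For LUKS, the passphrase as of the key_file
+parameter is used to decrypt a randomly selected key when the device was created.
+</longdesc>
+<shortdesc lang="en">Key file</shortdesc>
+<content type="string" default="${OCF_RESKEY_key_file_default}" />
+</parameter>
+
+<parameter name="crypt_type" unique="1" required="1">
+<longdesc lang="en">
+Encryption (device) type (e.g. "luks" or "luks2").
+
+This parameter affirms the encryption format as of the crypt metadata
+thus allowing for safety measures when starting the encrypted resource.
+</longdesc>
+<shortdesc lang="en">Encryption type</shortdesc>
+<content type="string" default="${OCF_RESKEY_crypt_type_default}" />
+</parameter>
+
+<parameter name="force_stop" unique="0" required="0">
+<longdesc lang="en">
+If processes or kernel threads are using the crypt device, it cannot
+be stopped. We will try to stop processes, first by sending TERM and
+then, if that doesn't help in $PROC_CLEANUP_TIME seconds, using KILL.
+The lsof(8) program is required to get the list of array users.
+Of course, the kernel threads cannot be stopped this way.
+If the processes are critical for data integrity, then set this
+parameter to false. Note that in that case the stop operation
+will fail and the node will be fenced.
+</longdesc>
+<shortdesc lang="en">force stop processes using the crpyt device</shortdesc>
+<content type="boolean" default="${OCF_RESKEY_force_stop_default}" />
+</parameter>
+
+</parameters>
+
+<actions>
+<action name="start" timeout="20s" />
+<action name="stop" timeout="20s" />
+<action name="monitor" timeout="20s" interval="10s" depth="0" />
+<action name="meta-data" timeout="5s" />
+<action name="validate-all" timeout="10s" />
+</actions>
+</resource-agent>
+END
+}
+
+# Disable cryptsetup auto-recovery if cloned.
+disable_locks=""
+ocf_is_clone && disable_locks="--disable-locks"
+
+crypt_usage() {
+ cat <
+usage: $0 {start|stop|monitor|usage|meta-data|validate-all}
+
+Expects to have a fully populated OCF RA-compliant environment set.
+END
+}
+
+encrypted_dev="${OCF_RESKEY_encrypted_dev}"
+crypt_dev="${OCF_RESKEY_crypt_dev}"
+crypt_dev_path="/dev/mapper/$crypt_dev"
+key_file="${OCF_RESKEY_key_file}"
+crypt_type="${OCF_RESKEY_crypt_type}"
+force_stop="${OCF_RESKEY_force_stop}"
+
+crypt_validate_all() {
+ if ! have_binary cryptsetup; then
+ ocf_exit_reason "Please install cryptsetup(8)"
+ return $OCF_ERR_INSTALLED
+ fi
+ if [ -z "$encrypted_dev" ]; then
+ ocf_exit_reason "Undefined OCF_RESKEY_encrypted_dev"
+ return $OCF_ERR_CONFIGURED
+ fi
+ if [ -n "$encrypted_dev" ]; then
+ case "$encrypted_dev" in
+ *-*-*-*) if [ `echo "$encrypted_dev" | wc -c` -ne 37 ]; then
+ ocf_exit_reason "Bogus encrypted device UUID \"$encrypted_dev\""
+ return $OCF_ERR_ARGS
+ fi
+ encrypted_dev=/dev/disk/by-uuid/"$encrypted_dev";;
+ *) case "$encrypted_dev" in
+ /dev/*) ;;
+ *) ocf_exit_reason "Bogus encrypted device path"
+ return $OCF_ERR_ARGS;;
+ esac
+ esac
+ fi
+ if [ ! -b "$encrypted_dev" ]; then
+ ocf_exit_reason "Encrypted device $encrypted_dev not accessible"
+ return $OCF_ERR_ARGS
+ fi
+ echo "$crypt_dev" | grep "/" >/dev/null
+ if [ $? -eq 0 ] && [ -z "$crypt_dev" ]; then
+ ocf_exit_reason "Crypt device \"$crypt_dev\" name has to at least 1 character long and without path"
+ return $OCF_ERR_ARGS
+ fi
+ if [ ! -r "$key_file" ]; then
+ ocf_exit_reason "Hash key file $key_file not accessible"
+ return $OCF_ERR_ARGS
+ fi
+ if ! ocf_is_true "$force_stop" && "$force_stop" != "false" ]]; then
+ ocf_exit_reason "Bogus force_stop=\"$force_stop\" attribute"
+ return $OCF_ERR_CONFIGURED
+ fi
+ if "$force_stop" = "true" && ! have_binary lsof; then
+ ocf_exit_reason "Force stop requested, please install lsof(8)"
+ return $OCF_ERR_INSTALLED
+ fi
+ cryptsetup isLuks $encrypted_dev 2>/dev/null
+ if [ $? -ne 0 ]; then
+ ocf_exit_reason "$encrypted_dev is not a Luks formatted device"
+ return $OCF_ERR_CONFIGURED
+ fi
+
+ return $OCF_SUCCESS
+}
+
+get_users_pids() {
+ ocf_log debug "running lsof to list \"$crypt_dev\" users..."
+ ocf_run -warn 'lsof $crypt_dev_path | tail -n +2 | awk "{print $2}" | sort -u'
+}
+
+stop_crypt_users() {
+ local pids=`get_users_pids`
+
+ if [ -z "$pids" ]; then
+ ocf_log warn "lsof reported no users holding arrays"
+ return 2
+ fi
+
+ ocf_stop_processes TERM $PROC_CLEANUP_TIME $pids
+}
+
+show_users() {
+ local dm_dev
+
+ ocf_log info "running lsof to list \"$crypt_dev\" users..."
+ ocf_run -warn lsof $crypt_dev_path
+
+ dm_dev=$(basename $(realpath $crypt_dev_path))
+ if [ -d /sys/block/$dm_dev/holders ]; then
+ ocf_log debug "ls -l /sys/block/$dm_dev/holders"
+ ocf_run -warn ls -l /sys/block/$dm_dev/holders
+ fi
+}
+
+crypt_stop_one() {
+ cryptsetup close $crypt_dev $disable_locks
+}
+
+#######################################################################
+#
+# Action: START an encrypted resource
+#
+crypt_start() {
+ local rc
+
+ cryptsetup open $encrypted_dev $crypt_dev --type $crypt_type $disable_locks --key-file=$key_file
+ rc=$?
+ if [ $rc -eq 0 ];then
+ crypt_monitor
+ rc=$?
+ else
+ rc=$OCF_ERR_GERNERIC
+ fi
+ [ $rc -ne $OCF_SUCCESS ] ocf_exit_reason "Failed to start encrypted device \"$crypt_dev\""
+
+ return $rc
+}
+
+#
+# Action: STOP an encrypted resource
+#
+crypt_stop() {
+ local rc
+
+ crypt_monitor
+ rc=$?
+ if [ $rc -ne $OCF_NOT_RUNNING ]; then
+ crypt_stop_one
+ crypt_monitor
+ rc=$?
+ fi
+ if [ $rc -ne $OCF_NOT_RUNNING ] && ocf_is_true $FORCESTOP; then
+ stop_crypt_users
+ case $? in
+ 2) rc=$OCF_SUCCESS;;
+ *) crypt_stop_one
+ crypt_monitor
+ rc=$?;;
+ esac
+ fi
+ if [ $rc -ne $OCF_NOT_RUNNING ]; then
+ ocf_log warn "Couldn't stop crypt device \"$crypt_dev\" (rc=$rc)"
+ show_users
+ ocf_exit_reason "Failed to stop crypt device \"$crypt_dev\"!"
+ return $OCF_ERR_GENERIC
+ fi
+
+ return $OCF_SUCCESS
+}
+
+#
+# Action: MONITOR an encrypted resource
+#
+crypt_monitor() {
+ cryptsetup status $crypt_dev $disable_locks &>/dev/null
+ if [ $? -eq 0 ]; then
+ [ -L $crypt_dev_path ] && return $OCF_SUCCESS
+ return $OCF_ERR_GENERIC
+ fi
+
+ [ "$__OCF_ACTION" = "monitor" ] && ! ocf_is_probe && ocf_exit_reason "Crypt resource not running"
+ return $OCF_NOT_RUNNING
+}
+
+# Check for stange argument count.
+if [ $# -ne 1 ]; then
+ usage
+ exit $OCF_ERR_ARGS
+fi
+
+case "$__OCF_ACTION" in
+meta-data) meta_data
+ exit $OCF_SUCCESS;;
+usage|help) crypt_usage
+ exit $OCF_SUCCESS;;
+esac
+
+# XME: remove once pacemaker is fixed and calls this action
+crypt_validate_all
+rc=$?
+[ $rc -ne $OCF_SUCCESS ] && exit $rc
+
+case "$__OCF_ACTION" in
+start) crypt_start; rc=$?;;
+stop) crypt_stop; rc=$?;;
+monitor) crypt_monitor; rc=$?;;
+validate-all) rc=$OCF_SUCCESS;; # crypt_validate_all would have errored out above already.
+*) crypt_usage
+ exit $OCF_ERR_UNIMPLEMENTED;;
+esac
+
+ocf_log debug "${OCF_RESOURCE_INSTANCE} $__OCF_ACTION : $rc"
+exit $rc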
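Review bot: The crypt_dev check in crypt_validate_all cannot fire, because it requires the name to contain "/" and to be empty at the same time (`[ $? -eq 0 ] && [ -z "$crypt_dev" ]`); an empty name or one with a path component therefore passes validation and is later expanded unquoted in `cryptsetup open`, `cryptsetup close` and `/dev/mapper/$crypt_dev`. Rejecting either condition and quoting the parameters where they reach cryptsetup keeps a value containing whitespace or glob characters from being split into extra arguments. In crypt_start, `OCF_ERR_GERNERIC` is misspelled and the `[ $rc -ne $OCF_SUCCESS ] ocf_exit_reason` line has no `&&`, so as shown a failed open leaves rc empty and the exit reason is never set. crypt_monitor redirects with `&>/dev/null`, which is a bash form under `#!/bin/sh`; a POSIX shell such as dash parses it as a background job, so the following `$?` test always succeeds. The argument-count check calls `usage`, while the function defined in this file is `crypt_usage`.

```shell
# crypt_validate_all: reject an empty name or one that contains a path
case "$crypt_dev" in
""|*/*)
	ocf_exit_reason "Crypt device \"$crypt_dev\" name has to at least 1 character long and without path"
	return $OCF_ERR_ARGS;;
esac
# … unchanged: key_file, force_stop and isLuks checks …

# crypt_start
cryptsetup open "$encrypted_dev" "$crypt_dev" --type "$crypt_type" $disable_locks --key-file="$key_file"
# … unchanged: rc=$? and the crypt_monitor branch …
	rc=$OCF_ERR_GENERIC
# … unchanged: fi …
[ $rc -ne $OCF_SUCCESS ] && ocf_exit_reason "Failed to start encrypted device \"$crypt_dev\""

# crypt_monitor
cryptsetup status "$crypt_dev" $disable_locks >/dev/null 2>&1
# … unchanged: status test and return codes …

# argument-count check
	crypt_usage
```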
From 5e0d35f8db967419ea9f1234ab621b88babcf3ea Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen <oalbrigt@redhat.com>
Date: Tue, 7 Apr 2020 12:39:24 +0200
Subject: [PATCH 2/2] crypt: force_stop check fixes
---
heartbeat/crypt | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/heartbeat/crypt b/heartbeat/crypt
index 6bffdff89..8bfa1094d 100755
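--- a/heartbeat/crypt
+++ b/heartbeat/crypt
@@ -190,11 +190,7 @@ crypt_validate_all() {
 ocf_exit_reason "Hash key file $key_file not accessible"
 return $OCF_ERR_ARGS
 fi
- if ! ocf_is_true "$force_stop" && "$force_stop" != "false" ]]; then
- ocf_exit_reason "Bogus force_stop=\"$force_stop\" attribute"
- return $OCF_ERR_CONFIGURED
- fi
- if "$force_stop" = "true" && ! have_binary lsof; then
+ if ocf_is_true "$force_stop" && ! have_binary lsof; then
 ocf_exit_reason "Force stop requested, please install lsof(8)"
 return $OCF_ERR_INSTALLED
 fi
@@ -273,7 +269,7 @@ crypt_stop() {
 crypt_monitor
 rc=$?
 fi
- if [ $rc -ne $OCF_NOT_RUNNING ] && ocf_is_true $FORCESTOP; then
+ if [ $rc -ne $OCF_NOT_RUNNING ] && ocf_is_true $force_stop; then
 stop_crypt_users
 case $? in
 2) rc=$OCF_SUCCESS;;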
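Review bot: With `ocf_is_true $force_stop` the forced-stop branch of crypt_stop becomes reachable for the first time, and its `2)` arm sets `rc=$OCF_SUCCESS` even though the device was just reported as still active; the check after the hunk (visible in patch 1/2) compares rc with `$OCF_NOT_RUNNING`, so this arm still ends in "Failed to stop" but logs a misleading rc. Leaving rc untouched there, `2) ;;`, keeps the logged value equal to what crypt_monitor returned. The branch also depends on get_users_pids, which hands a whole pipeline to ocf_run as one single-quoted string; ocf_run is not shown on this page, but if it executes its arguments directly rather than through a shell, no PIDs are ever returned and only the `2)` arm can run. Quoting the variable as the first hunk does, `ocf_is_true "$force_stop"`, would keep the two call sites consistent. crypt_stop's body continues outside the hunk.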