diff --git a/SOURCES/bz1535394-NovaEvacuate-add-support-for-keystone-v3-authentication.patch b/SOURCES/bz1535394-NovaEvacuate-add-support-for-keystone-v3-authentication.patch
new file mode 100644
index 0000000..43ad9fe
--- /dev/null
+++ b/SOURCES/bz1535394-NovaEvacuate-add-support-for-keystone-v3-authentication.patch
@@ -0,0 +1,55 @@
+From 121ec00c8ea0f2e8b0c6336bd78fcb58b0bd490c Mon Sep 17 00:00:00 2001
+From: Andrew Beekhof <andrew@beekhof.net>
+Date: Mon, 27 Nov 2017 13:35:18 +1100
+Subject: [PATCH] NovaEvacuate: Additional parameters for v3 keywstone
+ authentication
+
+Change-Id: I22d2733b17e5a6098b66c4644879b2e1255dbff5
+---
+ heartbeat/NovaEvacuate | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/heartbeat/NovaEvacuate b/heartbeat/NovaEvacuate
+index b6dadce..ba19ca4 100644
+--- a/heartbeat/NovaEvacuate
++++ b/heartbeat/NovaEvacuate
+@@ -65,7 +65,23 @@ Password for connecting to keystone in admin context
+ Tenant name for connecting to keystone in admin context.
+ Note that with Keystone V3 tenant names are only unique within a domain.
+ </longdesc>
+-<shortdesc lang="en">Tenant name</shortdesc>
++<shortdesc lang="en">Keystone v2 Tenant or v3 Project Name</shortdesc>
++<content type="string" default="" />
++</parameter>
++
++<parameter name="user_domain" unique="0" required="1">
++<longdesc lang="en">
++User's domain name. Used when authenticating to Keystone.
++</longdesc>
++<shortdesc lang="en">Keystone v3 User Domain</shortdesc>
++<content type="string" default="" />
++</parameter>
++
++<parameter name="project_domain" unique="0" required="1">
++<longdesc lang="en">
++Domain name containing project. Used when authenticating to Keystone.
++</longdesc>
++<shortdesc lang="en">Keystone v3 Project Domain</shortdesc>
+ <content type="string" default="" />
+ </parameter>
+ 
+@@ -289,6 +305,14 @@ evacuate_validate() {
+ 
+     fence_options="${fence_options} -t ${OCF_RESKEY_tenant_name}"
+ 
++    if [ -n "${OCF_RESKEY_user_domain}" ]; then
++        fence_options="${fence_options} -u ${OCF_RESKEY_user_domain}"
++    fi
++
++    if [ -n "${OCF_RESKEY_project_domain}" ]; then
++        fence_options="${fence_options} -P ${OCF_RESKEY_project_domain}"
++    fi
++
+     if [ -n "${OCF_RESKEY_region_name}" ]; then
+         fence_options="${fence_options} \
+             --region-name ${OCF_RESKEY_region_name}"
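Review bot: The two new values are appended to `fence_options` unquoted in `evacuate_validate()`, so a domain name that contains whitespace or begins with a dash would be split into extra arguments wherever `fence_options` is later expanded (that expansion is outside this hunk). Because the options travel as one flat string, the practical fix is to reject such values before appending, for example `case "${OCF_RESKEY_user_domain}" in *[[:space:]]*|-*) ocf_log err "invalid user_domain"; exit $OCF_ERR_CONFIGURED ;; esac`, and the same for `project_domain`. The metadata also declares both parameters `required="1"` while the code treats them as optional behind `[ -n ... ]`; `required="0"` would match the behaviour and keep Keystone v2 configurations valid. `evacuate_validate()` starts and ends outside the hunk.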
diff --git a/SOURCES/bz1537444-sap_redhat_cluster_connector-fix-unknown-gvi-function.patch b/SOURCES/bz1537444-sap_redhat_cluster_connector-fix-unknown-gvi-function.patch
new file mode 100644
index 0000000..b661edc
--- /dev/null
+++ b/SOURCES/bz1537444-sap_redhat_cluster_connector-fix-unknown-gvi-function.patch
@@ -0,0 +1,106 @@
+diff -uNr a/sap_redhat_cluster_connector-6353d27/sap_redhat_cluster_connector b/sap_redhat_cluster_connector-6353d27/sap_redhat_cluster_connector
+--- a/sap_redhat_cluster_connector-6353d27/sap_redhat_cluster_connector	2018-01-23 10:15:48.167424070 +0100
++++ b/sap_redhat_cluster_connector-6353d27/sap_redhat_cluster_connector	2018-01-22 10:19:06.001422855 +0100
+@@ -41,6 +41,11 @@
+ my $logident = "sap_redhat_cluster_connector";
+ my $logoptions = "pid";
+ my $logfacility = "LOG_USER";
++my $protocolVersion=1;
++my $haProd="RHEL HA add-on";
++my $haProdSAP="sap_redhat_cluster_connector";
++my $haProdDoc="https://access.redhat.com/solutions/963123";
++
+ #
+ # open syslog
+ #
+@@ -54,9 +59,10 @@
+       where cmd could be:  
+       help 
+       init
+-      cpa --res RES --act ACT 
+-      lsr --out FILE --sid SID --ino INO | --dbhost HOST --dbtype TYPE
++      gvi --out FILE
++      cpa --res RES --act ACT
+       fra --res RES --act ACT  [ --nod NODE ]
++      lsr --out FILE --sid SID --ino INO | --dbhost HOST --dbtype TYPE
+       lsn --out FILE --res RES
+ ";
+ }
+@@ -110,7 +116,7 @@
+ 
+ sub fire_resource_action {
+ 	my ($rsc, $act, $nod) = ("", "", "");
+-	($rsc, $act, $nod) = @_;
++	my ($rsc, $act, $nod) = @_;
+ 	my $rc=0;
+         my $sysconfig = "/etc/sysconfig/sap_redhat_cluster_connector";
+ 	$nowstring = localtime;
+@@ -349,10 +355,6 @@
+ 	printf "%s : lsn()\n", $nowstring;
+ 	# TODO: check implemented action
+ 	###############################################################################################
+-	###############################################################################################
+-	###############################################################################################
+-	###############################################################################################
+-	###############################################################################################
+ 	#
+ 	# 1. GET HOSTNAME WHERE FUNCTION WAS CALLED
+ 	#
+@@ -452,6 +454,26 @@
+ 	return $rc;
+ }
+ 
++sub get_version_info($)
++{
++	my ($outfile, $resource) = @_;
++	my $rc=0;
++	$nowstring = localtime;
++	printf "%s : gvi()\n", $nowstring;
++	if ( $outfile ne "" ) {
++		#HASCRIPTCO-VERS
++		##HAPROD
++		##HAPROD-SAP
++		##HAPROD-DOC
++		open OUTFILE, ">$outfile";
++		syslog("LOG_INFO", "gvi result: %s\n%s\n%s\n%s\n", $protocolVersion, $haProd, $haProdSAP, $haProdDoc);
++		printf OUTFILE "%s\n%s\n%s\n%s\n", $protocolVersion, $haProd, $haProdSAP, $haProdDoc;
++		close OUTFILE;
++	} else {
++		printf "%s\n%s\n%s\n%s\n", $protocolVersion, $haProd, $haProdSAP, $haProdDoc;
++	}
++	return $rc;
++}
+ 
+ #
+ # "main"
+@@ -492,7 +514,6 @@
+ 	syslog("LOG_INFO", "lsr call (out=%s,sid=%s,ino=%s)", $out, $sid, $ino);
+ 	$return_code=list_sap_resources($out, $sid, $ino);
+ 	
+-
+  } elsif ( $cmd eq "fra" ) {
+ 	open($DEBUG, ">>$logident" . ".log");
+ 	*STDOUT=*$DEBUG;
+@@ -518,6 +539,14 @@
+ 	syslog("LOG_INFO", "lsn call (out=%s,res=%s)", $out, $res);
+ 	$return_code=list_sap_nodes($out, $res);
+ 
++ } elsif ( $cmd eq "gvi" ) {
++	open($DEBUG, ">>$logident" . ".log");
++	*STDOUT=*$DEBUG;
++	$result = GetOptions ("out=s" => \$out,
++		) &&
++	checkavail(($out)) || paramproblem();
++	syslog("LOG_INFO", "gvi call (out=%s)", $out);
++	$return_code=get_version_info($out);
+ 
+  } else  {
+ 	open($DEBUG, ">>$logident" . ".log");
+@@ -530,7 +559,6 @@
+  	paramproblem()
+  }
+ 	
+- syslog("LOG_INFO", "TEST END");
+ closelog();
+ exit $return_code;
+ #
diff --git a/SOURCES/bz1544483-redis-add-support-for-tunneling-replication-traffic.patch b/SOURCES/bz1544483-redis-add-support-for-tunneling-replication-traffic.patch
new file mode 100644
index 0000000..fa11895
--- /dev/null
+++ b/SOURCES/bz1544483-redis-add-support-for-tunneling-replication-traffic.patch
@@ -0,0 +1,160 @@
+From 273963331bd303f595e820ca6da17cd63f5514db Mon Sep 17 00:00:00 2001
+From: Damien Ciabrini <dciabrin@redhat.com>
+Date: Sat, 2 Dec 2017 11:53:56 +0100
+Subject: [PATCH] redis: add support for tunneling replication traffic
+
+Add parameters in the resource agent to assign specific redis port to
+each pacemaker node. When redis slave wants to connect to a redis
+master, it will instead connect to a tunnel host, on the port assigned
+to the targeted redis master.
+
+This makes it possible for redis replication traffic to go through
+pre-existing tunnels. This can be used to encrypt such traffic.
+---
+ heartbeat/redis | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 86 insertions(+), 3 deletions(-)
+
+diff --git a/heartbeat/redis b/heartbeat/redis
+index fcd8c234..d9e29e2c 100755
+--- a/heartbeat/redis
++++ b/heartbeat/redis
+@@ -38,6 +38,7 @@
+ : ${OCF_RESKEY_pidfile_name:=redis-server.pid}
+ : ${OCF_RESKEY_socket_name:=redis.sock}
+ : ${OCF_RESKEY_port:=6379}
++: ${OCF_RESKEY_tunnel_host:=127.0.0.1}
+ 
+ if [ -z "$OCF_RESKEY_config" ]; then
+ 	if [ -f "/etc/redis.conf" ]; then
+@@ -156,6 +157,39 @@ Port for replication client to connect to on remote server
+ <content type="string" default="${OCF_RESKEY_port}"/>
+ </parameter>
+ 
++<parameter name="tunnel_host" unique="0" required="0">
++<longdesc lang="en">
++When replication traffic is tunnelled, this is the host to target
++to forward outgoing traffic to the redis master. The resource
++agent configures the redis slave to target the master via
++tunnel_host:tunnel_port.
++
++Note that in order to enable replication traffic tunneling,
++parameter {tunnel_port_map} must be populated.
++</longdesc>
++<shortdesc lang="en">Tunnel host for replication traffic</shortdesc>
++<content type="string" default="${OCF_RESKEY_tunnel_host}"/>
++</parameter>
++
++<parameter name="tunnel_port_map" unique="0" required="0">
++<longdesc lang="en">
++A mapping of pacemaker node names to redis port number.
++
++To be used when redis servers need to tunnel replication traffic.
++On every node where the redis resource is running, the redis server
++listens to a different port. Each redis server can access its peers
++for replication traffic via a tunnel accessible at {tunnel_host}:port.
++
++The mapping the form of:
++pcmk1-name:port-for-redis1;pcmk2-name:port-for-redis2;pcmk3-name:port-for-redis3
++
++where the redis resource started on node pcmk1-name would listen on
++port port-for-redis1
++</longdesc>
++<shortdesc lang="en">Mapping of Redis server name to redis port</shortdesc>
++<content type="string" default=""/>
++</parameter>
++
+ <parameter name="wait_last_known_master" unique="0" required="0">
+ <longdesc lang="en">
+ During redis cluster bootstrap, wait for the last known master to be
+@@ -291,6 +325,8 @@ simple_status() {
+ 
+ function monitor() {
+ 	local res
++	local master_name
++	local last_known_master_port
+ 
+ 	simple_status
+ 	res=$?
+@@ -334,14 +370,48 @@ redis_monitor() {
+ 				return $OCF_ERR_GENERIC
+ 			fi
+ 			if [[ "${info[master_host]}" != "$(last_known_master)" ]]; then
+-				ocf_log err "monitor: Slave mode current master does not match running master. current=${info[master_host]}, running=$(last_known_master)"
+-				return $OCF_ERR_GENERIC
++				if [ -n "${OCF_RESKEY_tunnel_port_map}" ]; then
++					master_name=$(port_to_redis_node ${info[master_port]})
++					last_known_master_port=$(redis_node_to_port $(last_known_master))
++					if [[ "${info[master_host]}" != "${OCF_RESKEY_tunnel_host}" ]] ||
++					   [[  "${info[master_port]}" != "${last_known_master_port}" ]]; then
++						ocf_log err "monitor: Slave mode current tunnelled connection to redis server does not match running master. tunnelled='${info[master_host]}:${info[master_port]} (${master_name})', running='$(last_known_master)'"
++						return $OCF_ERR_GENERIC
++					fi
++				else
++					ocf_log err "monitor: Slave mode current master does not match running master. current=${info[master_host]}, running=$(last_known_master)"
++					return $OCF_ERR_GENERIC
++				fi
+ 			fi
+ 		fi
+ 	fi
+ 	return $OCF_SUCCESS
+ }
+ 
++redis_node_to_port()
++{
++	local node=$1
++	echo "$OCF_RESKEY_tunnel_port_map" | tr ';' '\n' | tr -d ' ' | sed 's/:/ /' | awk -F' ' '$1=="'"$node"'" {print $2;exit}'
++}
++
++port_to_redis_node()
++{
++	local port=$1
++	echo "$OCF_RESKEY_tunnel_port_map" | tr ';' '\n' | tr -d ' ' | sed 's/:/ /' | awk -F' ' '$2=="'"$port"'" {print $1;exit}'
++}
++
++get_tunnel_port_from_master()
++{
++	local master_name=$1
++	crm_attribute --node "$master_name" -l forever --name ${INSTANCE_ATTR_NAME}-tunnel-port --query -q 2>/dev/null
++}
++
++get_master_from_tunnel_port()
++{
++	local master_name=$1
++	crm_attribute --node "$master_name" -l forever --name ${INSTANCE_ATTR_NAME}-tunnel-port --query -q 2>/dev/null
++}
++
+ function check_dump_file()
+ {
+ 	if ! have_binary "$REDIS_CHECK_DUMP"; then
+@@ -479,6 +549,7 @@ redis_promote() {
+ function demote() {
+ 	local master_host
+ 	local master_port
++	local tunnel_port
+ 
+ 	# client kill is only supported in Redis 2.8.12 or greater
+ 	version=$(redis_client -v | awk '{print $NF}')
+@@ -512,7 +583,19 @@ redis_demote() {
+ 		master_host="no-such-master"
+ 	fi
+ 
+-	ocf_log info "demote: Setting master to '$master_host'"
++	if [ -n "${OCF_RESKEY_tunnel_port_map}" ]; then
++		# master_host can be the special marker "no-such-master"
++		# while a master is being selected. In this case, no
++		# tunnel port is returned, but this is not fatal.
++		tunnel_port=$(redis_node_to_port "$master_host")
++		if [ -n "$tunnel_port" ]; then
++			ocf_log info "demote: Setting master to '$master_host' via local tunnel '${OCF_RESKEY_tunnel_host}' on port '$tunnel_port'"
++			master_host="${OCF_RESKEY_tunnel_host}"
++			master_port="$tunnel_port"
++		fi
++	else
++		ocf_log info "demote: Setting master to '$master_host'"
++	fi
+ 
+ 	redis_client slaveof "$master_host" "$master_port"
+ 
+-- 
+2.14.3
+
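Review bot: `redis_node_to_port()` and `port_to_redis_node()` splice `$node` and `$port` into the awk program text, so a quote or awk metacharacter in the value (the port comes from `${info[master_port]}`, the node from `last_known_master`) is parsed as awk code instead of being compared as data. Passing the value as an awk variable keeps it data: `awk -v node="$node" '$1==node {print $2; exit}'` and `awk -v port="$port" '$2==port {print $1; exit}'`. In the demote path, when `tunnel_port_map` is set but the lookup returns nothing, execution falls through to `redis_client slaveof "$master_host" "$master_port"` without any log line, so a node missing from the map would silently replicate outside the tunnel; that branch should at least log, and arguably refuse unless `master_host` is the `no-such-master` marker. `get_tunnel_port_from_master()` and `get_master_from_tunnel_port()` have identical bodies and no caller in this patch, so one of them is either dead or not doing what its name says.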
diff --git a/SOURCES/bz1547142-galera-fix-temp-logfile-rights.patch b/SOURCES/bz1547142-galera-fix-temp-logfile-rights.patch
new file mode 100644
index 0000000..dd5090e
--- /dev/null
+++ b/SOURCES/bz1547142-galera-fix-temp-logfile-rights.patch
@@ -0,0 +1,28 @@
+From 2754db9d03995e944a53e364f304bc7b0b24d75d Mon Sep 17 00:00:00 2001
+From: Damien Ciabrini <dciabrin@redhat.com>
+Date: Thu, 2 Mar 2017 18:41:50 +0100
+Subject: [PATCH] galera: fix permission of temporary log file for mariadb
+ 10.1.21+
+
+Since MariaDB/server@8fcdd6b0ecbb966f4479856efe93a963a7a422f7,
+mysqld_safe relies on a helper subprocess to write into log files.
+This new logging mechanism expects log file to be writable by the
+user configured to run mysqld.
+
+Fix the generation of temporary log file accordingly.
+---
+ heartbeat/galera | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/heartbeat/galera b/heartbeat/galera
+index 0cab9a464..decbaa257 100755
+--- a/heartbeat/galera
++++ b/heartbeat/galera
+@@ -520,6 +520,7 @@ detect_last_commit()
+     last_commit="$(cat ${OCF_RESKEY_datadir}/grastate.dat | sed -n 's/^seqno.\s*\(.*\)\s*$/\1/p')"
+     if [ -z "$last_commit" ] || [ "$last_commit" = "-1" ]; then
+         local tmp=$(mktemp)
++        chown $OCF_RESKEY_user:$OCF_RESKEY_group $tmp
+ 
+         # if we pass here because grastate.dat doesn't exist,
+         # try not to bootstrap from this node if possible
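Review bot: The added `chown` in `detect_last_commit()` is unquoted and its result is ignored, and `local tmp=$(mktemp)` on the line before masks a failing `mktemp`. With an empty `$tmp` or an empty or whitespace-containing `OCF_RESKEY_user`/`OCF_RESKEY_group`, the command errors or acts on unintended words and the function carries on. I would write `chown "${OCF_RESKEY_user}:${OCF_RESKEY_group}" "$tmp" || ocf_log warn "could not chown $tmp"` and check `mktemp` separately from the `local` declaration. The change also hands the database user write access to a file the agent reads back later in the function (outside this hunk), presumably as root, so whatever is parsed from `$tmp` should be treated as untrusted input.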
diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec
index 11dd861..871b89d 100644
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
@@ -48,7 +48,7 @@
 Name:		resource-agents
 Summary:	Open Source HA Reusable Cluster Resource Scripts
 Version:	3.9.5
-Release:	105%{?dist}.6
+Release:	105%{?dist}.11
 License:	GPLv2+, LGPLv2+ and ASL 2.0
 URL:		https://github.com/ClusterLabs/resource-agents
 %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@@ -241,6 +241,10 @@ Patch180:	bz1497076-NovaEvacuate-Instance-HA-OSP12.patch
 Patch181:	bz1512586-galera-recover-from-empty-gvwstate.dat.patch
 Patch182:	bz1521019-db2-fix-hadr-promote-when-master-failed.patch
 Patch183:	bz1524454-ocf_attribute_target-fallback-fix.patch
+Patch184:	bz1535394-NovaEvacuate-add-support-for-keystone-v3-authentication.patch
+Patch185:	bz1537444-sap_redhat_cluster_connector-fix-unknown-gvi-function.patch
+Patch186:	bz1544483-redis-add-support-for-tunneling-replication-traffic.patch
+Patch187:	bz1547142-galera-fix-temp-logfile-rights.patch
 
 Obsoletes:	heartbeat-resources <= %{version}
 Provides:	heartbeat-resources = %{version}
@@ -539,6 +543,10 @@ exit 1
 %patch181 -p1
 %patch182 -p1
 %patch183 -p1
+%patch184 -p1
+%patch185 -p1
+#%patch186 -p1
+%patch187 -p1
 
 %build
 if [ ! -f configure ]; then
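Review bot: `#%patch186 -p1` leaves Patch186 (the redis replication-tunnelling patch) declared and shipped in SOURCES but not applied, with no comment explaining why and no changelog entry for bz1544483. The built agent will therefore not contain `tunnel_host`/`tunnel_port_map`, which matters to anyone expecting this release to let them route replication through an encrypted tunnel. Add a line such as `# Patch186 intentionally not applied: <reason>` above it. Since rpm expands macros inside comments, spelling the disabled line `#%%patch186 -p1` avoids depending on how a particular rpm version treats a commented-out `%patch`.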
@@ -802,6 +810,21 @@ ccs_update_schema > /dev/null 2>&1 ||:
 %endif
 
 %changelog
+* Tue Feb 27 2018 Oyvind Albrigtsen <oalbrigt@redhat.com> - 3.9.5-105.11
+- galera: fix temp logfile rights to support MySQL 10.1.21+
+
+  Resolves: rhbz#1547142
+
+* Tue Jan 23 2018 Oyvind Albrigtsen <oalbrigt@redhat.com> - 3.9.5-105.8
+- sap_redhat_cluster_connector: fix unknown gvi function
+
+  Resolves: rhbz#1537444
+
+* Wed Jan 17 2018 Oyvind Albrigtsen <oalbrigt@redhat.com> - 3.9.5-105.7
+- NovaEvacuate: add support for keystone v3 authentication
+
+  Resolves: rhbz#1535394
+
 * Mon Dec 11 2017 Oyvind Albrigtsen <oalbrigt@redhat.com> - 3.9.5-105.6
 - ocf_attribute_target: add fallback for Pacemaker versions without
   bundle support