diff --git a/SOURCES/bz1471182-crypt-1-new-ra.patch b/SOURCES/bz1471182-crypt-1-new-ra.patch
new file mode 100644
index 0000000..7ed08b5
--- /dev/null
+++ b/SOURCES/bz1471182-crypt-1-new-ra.patch
@@ -0,0 +1,415 @@
+From 019c3108feff48d8ad496cd0759349c46170dc2d Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Mon, 6 Apr 2020 10:23:51 +0200
+Subject: [PATCH 1/2] crypt: new resource agent
+
+---
+ doc/man/Makefile.am | 1 +
+ heartbeat/Makefile.am | 1 +
+ heartbeat/crypt | 337 ++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 339 insertions(+)
+ create mode 100755 heartbeat/crypt
+
+diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am
+index 478fbe4f8..53c9975ec 100644
+--- a/doc/man/Makefile.am
++++ b/doc/man/Makefile.am
+@@ -105,6 +105,7 @@ man_MANS = ocf_heartbeat_AoEtarget.7 \
+ ocf_heartbeat_azure-lb.7 \
+ ocf_heartbeat_clvm.7 \
+ ocf_heartbeat_conntrackd.7 \
++ ocf_heartbeat_crypt.7 \
+ ocf_heartbeat_db2.7 \
+ ocf_heartbeat_dhcpd.7 \
+ ocf_heartbeat_docker.7 \
+diff --git a/heartbeat/Makefile.am b/heartbeat/Makefile.am
+index 893115810..bbc9590ac 100644
+--- a/heartbeat/Makefile.am
++++ b/heartbeat/Makefile.am
+@@ -101,6 +101,7 @@ ocf_SCRIPTS = AoEtarget \
+ azure-lb \
+ clvm \
+ conntrackd \
++ crypt \
+ db2 \
+ dhcpd \
+ dnsupdate \
+diff --git a/heartbeat/crypt b/heartbeat/crypt
+new file mode 100755
+index 000000000..6bffdff89
+--- /dev/null
++++ b/heartbeat/crypt
+@@ -0,0 +1,337 @@
++#!/bin/sh
++#
++# crypt/LUKS OCF RA. Manages cryptsetup devices.
++#
++# Copyright (c) 2020 Red Hat GmbH, Heinz Mauelshagen
++# All Rights Reserved.
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of version 2 of the GNU General Public License as
++# published by the Free Software Foundation.
++#
++# This program is distributed in the hope that it would be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
++#
++# Further, this software is distributed without any warranty that it is
++# free of the rightful claim of any third person regarding infringement
++# or the like. Any license provided herein, whether implied or
++# otherwise, applies only to this software file. Patent licenses, if
++# any, provided herein do not apply to combinations of this program with
++# other software, or any other product whatsoever.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write the Free Software Foundation,
++# Inc., 59 Temple Place - Suite 330, Boston MA 02111-1307, USA.
++#
++
++#######################################################################
++# Initialization:
++
++: ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
++. ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
++
++# Parameter defaults
++OCF_RESKEY_encrypted_dev_default=""
++OCF_RESKEY_crypt_dev_default=""
++OCF_RESKEY_key_file_default=""
++OCF_RESKEY_crypt_type_default=""
++OCF_RESKEY_force_stop_default="false"
++
++: ${OCF_RESKEY_encrypted_dev=${OCF_RESKEY_encrypted_dev_default}}
++: ${OCF_RESKEY_crypt_dev=${OCF_RESKEY_crypt_dev_default}}
++: ${OCF_RESKEY_key_file=${OCF_RESKEY_key_file_default}}
++: ${OCF_RESKEY_crypt_type=${OCF_RESKEY_crypt_type_default}}
++: ${OCF_RESKEY_force_stop=${OCF_RESKEY_force_stop_default}}
++
++#######################################################################
++
++meta_data() {
++ cat <<END
++<?xml version="1.0"?>
++<!DOCTYPE resource-agent SYSTEM "ra-api-1.dtd">
++<resource-agent name="crypt">
++<version>1.0</version>
++
++<longdesc lang="en">
++This is a LUKS/crypt Resource Agent managing encrypted devices via cryptsetup(8).
++The agent imposes limitations on device types supported: luks, luks[1..N].
++</longdesc>
++<shortdesc lang="en">LUKS/crypt resource agent</shortdesc>
++
++<parameters>
++
++<parameter name="encrypted_dev" unique="1" required="1">
++<longdesc lang="en">
++Encrypted backing device, which should be defined by UUID,
++36 characters including '-'s as reported by blkid(8).
++
++Although it can be defined as a block device path (e.g. /dev/sdh),
++the UUID should be preferred over the block device path to allow for the
++unique discovery of the crypt backing device given the volatile nature of
++/dev entries (e.g. /dev/sdh on one node may be /dev/sdg on another).
++
++Only define as block device path if you know what you are doing.
++</longdesc>
++<shortdesc lang="en">Encrypted device</shortdesc>
++<content type="string" default="${OCF_RESKEY_encrypted_dev_default}" />
++</parameter>
++
++<parameter name="crypt_dev" unique="1" required="1">
++<longdesc lang="en">
++Encrypted device name, no path. I.e. the one given in "cryptsetup open name ...".
++The resulting block device path is /dev/mapper/name.
++</longdesc>
++<shortdesc lang="en">Encrypted device</shortdesc>
++<content type="string" default="${OCF_RESKEY_crypt_dev_default}" />
++</parameter>
++
++<parameter name="key_file" unique="1" required="1">
++<longdesc lang="en">
++Key file path containing the encryption passphrase
++(aka key; see cryptsetup(8)). For LUKS, the passphrase as of the key_file
++parameter is used to decrypt a randomly selected key when the device was created.
++</longdesc>
++<shortdesc lang="en">Key file</shortdesc>
++<content type="string" default="${OCF_RESKEY_key_file_default}" />
++</parameter>
++
++<parameter name="crypt_type" unique="1" required="1">
++<longdesc lang="en">
++Encryption (device) type (e.g. "luks" or "luks2").
++
++This parameter affirms the encryption format as of the crypt metadata
++thus allowing for safety measures when starting the encrypted resource.
++</longdesc>
++<shortdesc lang="en">Encryption type</shortdesc>
++<content type="string" default="${OCF_RESKEY_crypt_type_default}" />
++</parameter>
++
++<parameter name="force_stop" unique="0" required="0">
++<longdesc lang="en">
++If processes or kernel threads are using the crypt device, it cannot
++be stopped. We will try to stop processes, first by sending TERM and
++then, if that doesn't help in $PROC_CLEANUP_TIME seconds, using KILL.
++The lsof(8) program is required to get the list of array users.
++Of course, the kernel threads cannot be stopped this way.
++If the processes are critical for data integrity, then set this
++parameter to false. Note that in that case the stop operation
++will fail and the node will be fenced.
++</longdesc>
++<shortdesc lang="en">force stop processes using the crpyt device</shortdesc>
++<content type="boolean" default="${OCF_RESKEY_force_stop_default}" />
++</parameter>
++
++</parameters>
++
++<actions>
++<action name="start" timeout="20s" />
++<action name="stop" timeout="20s" />
++<action name="monitor" timeout="20s" interval="10s" depth="0" />
++<action name="meta-data" timeout="5s" />
++<action name="validate-all" timeout="10s" />
++</actions>
++</resource-agent>
++END
++}
++
++# Disable cryptsetup auto-recovery if cloned.
++disable_locks=""
++ocf_is_clone && disable_locks="--disable-locks"
++
++crypt_usage() {
++ cat <<END
++usage: $0 {start|stop|monitor|usage|meta-data|validate-all}
++
++Expects to have a fully populated OCF RA-compliant environment set.
++END
++}
++
++encrypted_dev="${OCF_RESKEY_encrypted_dev}"
++crypt_dev="${OCF_RESKEY_crypt_dev}"
++crypt_dev_path="/dev/mapper/$crypt_dev"
++key_file="${OCF_RESKEY_key_file}"
++crypt_type="${OCF_RESKEY_crypt_type}"
++force_stop="${OCF_RESKEY_force_stop}"
++
++crypt_validate_all() {
++ if ! have_binary cryptsetup; then
++ ocf_exit_reason "Please install cryptsetup(8)"
++ return $OCF_ERR_INSTALLED
++ fi
++ if [ -z "$encrypted_dev" ]; then
++ ocf_exit_reason "Undefined OCF_RESKEY_encrypted_dev"
++ return $OCF_ERR_CONFIGURED
++ fi
++ if [ -n "$encrypted_dev" ]; then
++ case "$encrypted_dev" in
++ *-*-*-*) if [ `echo "$encrypted_dev" | wc -c` -ne 37 ]; then
++ ocf_exit_reason "Bogus encrypted device UUID \"$encrypted_dev\""
++ return $OCF_ERR_ARGS
++ fi
++ encrypted_dev=/dev/disk/by-uuid/"$encrypted_dev";;
++ *) case "$encrypted_dev" in
++ /dev/*) ;;
++ *) ocf_exit_reason "Bogus encrypted device path"
++ return $OCF_ERR_ARGS;;
++ esac
++ esac
++ fi
++ if [ ! -b "$encrypted_dev" ]; then
++ ocf_exit_reason "Encrypted device $encrypted_dev not accessible"
++ return $OCF_ERR_ARGS
++ fi
++ echo "$crypt_dev" | grep "/" >/dev/null
++ if [ $? -eq 0 ] && [ -z "$crypt_dev" ]; then
++ ocf_exit_reason "Crypt device \"$crypt_dev\" name has to at least 1 character long and without path"
++ return $OCF_ERR_ARGS
++ fi
++ if [ ! -r "$key_file" ]; then
++ ocf_exit_reason "Hash key file $key_file not accessible"
++ return $OCF_ERR_ARGS
++ fi
++ if ! ocf_is_true "$force_stop" && "$force_stop" != "false" ]]; then
++ ocf_exit_reason "Bogus force_stop=\"$force_stop\" attribute"
++ return $OCF_ERR_CONFIGURED
++ fi
++ if "$force_stop" = "true" && ! have_binary lsof; then
++ ocf_exit_reason "Force stop requested, please install lsof(8)"
++ return $OCF_ERR_INSTALLED
++ fi
++ cryptsetup isLuks $encrypted_dev 2>/dev/null
++ if [ $? -ne 0 ]; then
++ ocf_exit_reason "$encrypted_dev is not a Luks formatted device"
++ return $OCF_ERR_CONFIGURED
++ fi
++
++ return $OCF_SUCCESS
++}
++
++get_users_pids() {
++ ocf_log debug "running lsof to list \"$crypt_dev\" users..."
++ ocf_run -warn 'lsof $crypt_dev_path | tail -n +2 | awk "{print $2}" | sort -u'
++}
++
++stop_crypt_users() {
++ local pids=`get_users_pids`
++
++ if [ -z "$pids" ]; then
++ ocf_log warn "lsof reported no users holding arrays"
++ return 2
++ fi
++
++ ocf_stop_processes TERM $PROC_CLEANUP_TIME $pids
++}
++
++show_users() {
++ local dm_dev
++
++ ocf_log info "running lsof to list \"$crypt_dev\" users..."
++ ocf_run -warn lsof $crypt_dev_path
++
++ dm_dev=$(basename $(realpath $crypt_dev_path))
++ if [ -d /sys/block/$dm_dev/holders ]; then
++ ocf_log debug "ls -l /sys/block/$dm_dev/holders"
++ ocf_run -warn ls -l /sys/block/$dm_dev/holders
++ fi
++}
++
++crypt_stop_one() {
++ cryptsetup close $crypt_dev $disable_locks
++}
++
++#######################################################################
++#
++# Action: START an encrypted resource
++#
++crypt_start() {
++ local rc
++
++ cryptsetup open $encrypted_dev $crypt_dev --type $crypt_type $disable_locks --key-file=$key_file
++ rc=$?
++ if [ $rc -eq 0 ];then
++ crypt_monitor
++ rc=$?
++ else
++ rc=$OCF_ERR_GERNERIC
++ fi
++ [ $rc -ne $OCF_SUCCESS ] ocf_exit_reason "Failed to start encrypted device \"$crypt_dev\""
++
++ return $rc
++}
++
++#
++# Action: STOP an encrypted resource
++#
++crypt_stop() {
++ local rc
++
++ crypt_monitor
++ rc=$?
++ if [ $rc -ne $OCF_NOT_RUNNING ]; then
++ crypt_stop_one
++ crypt_monitor
++ rc=$?
++ fi
++ if [ $rc -ne $OCF_NOT_RUNNING ] && ocf_is_true $FORCESTOP; then
++ stop_crypt_users
++ case $? in
++ 2) rc=$OCF_SUCCESS;;
++ *) crypt_stop_one
++ crypt_monitor
++ rc=$?;;
++ esac
++ fi
++ if [ $rc -ne $OCF_NOT_RUNNING ]; then
++ ocf_log warn "Couldn't stop crypt device \"$crypt_dev\" (rc=$rc)"
++ show_users
++ ocf_exit_reason "Failed to stop crypt device \"$crypt_dev\"!"
++ return $OCF_ERR_GENERIC
++ fi
++
++ return $OCF_SUCCESS
++}
++
++#
++# Action: MONITOR an encrypted resource
++#
++crypt_monitor() {
++ cryptsetup status $crypt_dev $disable_locks &>/dev/null
++ if [ $? -eq 0 ]; then
++ [ -L $crypt_dev_path ] && return $OCF_SUCCESS
++ return $OCF_ERR_GENERIC
++ fi
++
++ [ "$__OCF_ACTION" = "monitor" ] && ! ocf_is_probe && ocf_exit_reason "Crypt resource not running"
++ return $OCF_NOT_RUNNING
++}
++
++# Check for stange argument count.
++if [ $# -ne 1 ]; then
++ usage
++ exit $OCF_ERR_ARGS
++fi
++
++case "$__OCF_ACTION" in
++meta-data) meta_data
++ exit $OCF_SUCCESS;;
++usage|help) crypt_usage
++ exit $OCF_SUCCESS;;
++esac
++
++# XME: remove once pacemaker is fixed and calls this action
++crypt_validate_all
++rc=$?
++[ $rc -ne $OCF_SUCCESS ] && exit $rc
++
++case "$__OCF_ACTION" in
++start) crypt_start; rc=$?;;
++stop) crypt_stop; rc=$?;;
++monitor) crypt_monitor; rc=$?;;
++validate-all) rc=$OCF_SUCCESS;; # crypt_validate_all would have errored out above already.
++*) crypt_usage
++ exit $OCF_ERR_UNIMPLEMENTED;;
++esac
++
++ocf_log debug "${OCF_RESOURCE_INSTANCE} $__OCF_ACTION : $rc"
++exit $rc
+
+From 5e0d35f8db967419ea9f1234ab621b88babcf3ea Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Tue, 7 Apr 2020 12:39:24 +0200
+Subject: [PATCH 2/2] crypt: force_stop check fixes
+
+---
+ heartbeat/crypt | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/heartbeat/crypt b/heartbeat/crypt
+index 6bffdff89..8bfa1094d 100755
+--- a/heartbeat/crypt
++++ b/heartbeat/crypt
+@@ -190,11 +190,7 @@ crypt_validate_all() {
+ ocf_exit_reason "Hash key file $key_file not accessible"
+ return $OCF_ERR_ARGS
+ fi
+- if ! ocf_is_true "$force_stop" && "$force_stop" != "false" ]]; then
+- ocf_exit_reason "Bogus force_stop=\"$force_stop\" attribute"
+- return $OCF_ERR_CONFIGURED
+- fi
+- if "$force_stop" = "true" && ! have_binary lsof; then
++ if ocf_is_true "$force_stop" && ! have_binary lsof; then
+ ocf_exit_reason "Force stop requested, please install lsof(8)"
+ return $OCF_ERR_INSTALLED
+ fi
+@@ -273,7 +269,7 @@ crypt_stop() {
+ crypt_monitor
+ rc=$?
+ fi
+- if [ $rc -ne $OCF_NOT_RUNNING ] && ocf_is_true $FORCESTOP; then
++ if [ $rc -ne $OCF_NOT_RUNNING ] && ocf_is_true $force_stop; then
+ stop_crypt_users
+ case $? in
+ 2) rc=$OCF_SUCCESS;;
diff --git a/SOURCES/bz1471182-crypt-2-fix-bashism.patch b/SOURCES/bz1471182-crypt-2-fix-bashism.patch
new file mode 100644
index 0000000..dace36f
--- /dev/null
+++ b/SOURCES/bz1471182-crypt-2-fix-bashism.patch
@@ -0,0 +1,22 @@
+From 2915fa336e95b609d3d738d335799f015022c493 Mon Sep 17 00:00:00 2001
+From: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+Date: Sat, 13 Jun 2020 08:47:36 +0200
+Subject: [PATCH] crypt: fix bashism
+
+---
+ heartbeat/crypt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/heartbeat/crypt b/heartbeat/crypt
+index 8bfa1094d..2727b5b23 100755
+--- a/heartbeat/crypt
++++ b/heartbeat/crypt
+@@ -292,7 +292,7 @@ crypt_stop() {
+ # Action: MONITOR an encrypted resource
+ #
+ crypt_monitor() {
+- cryptsetup status $crypt_dev $disable_locks &>/dev/null
++ cryptsetup status $crypt_dev $disable_locks >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ [ -L $crypt_dev_path ] && return $OCF_SUCCESS
+ return $OCF_ERR_GENERIC
diff --git a/SOURCES/bz1471182-crypt-3-fix-missing-and.patch b/SOURCES/bz1471182-crypt-3-fix-missing-and.patch
new file mode 100644
index 0000000..8a0deaf
--- /dev/null
+++ b/SOURCES/bz1471182-crypt-3-fix-missing-and.patch
@@ -0,0 +1,22 @@
+From 635c344fb85ef225b8a0c094687d2838b0b0cd2c Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Mon, 26 Oct 2020 16:36:06 +0100
+Subject: [PATCH] crypt: fix missing && to set exit_reason
+
+---
+ heartbeat/crypt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/heartbeat/crypt b/heartbeat/crypt
+index 2727b5b23..0e49b6c2d 100755
+--- a/heartbeat/crypt
++++ b/heartbeat/crypt
+@@ -251,7 +251,7 @@ crypt_start() {
+ else
+ rc=$OCF_ERR_GERNERIC
+ fi
+- [ $rc -ne $OCF_SUCCESS ] ocf_exit_reason "Failed to start encrypted device \"$crypt_dev\""
++ [ $rc -ne $OCF_SUCCESS ] && ocf_exit_reason "Failed to start encrypted device \"$crypt_dev\""
+
+ return $rc
+ }
diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec
index 8025843..329e751 100644
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
@@ -70,7 +70,7 @@
Name: resource-agents
Summary: Open Source HA Reusable Cluster Resource Scripts
Version: 4.1.1
-Release: 72%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
+Release: 73%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
License: GPLv2+ and LGPLv2+
URL: https://github.com/ClusterLabs/resource-agents
%if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@@ -249,7 +249,9 @@ Patch157: bz1848025-sybaseASE-run-verify-for-start-action-only.patch
Patch158: bz1861001-sybaseASE-add-logfile-parameter.patch
Patch159: bz1891835-galera-set-bootstrap-attribute-before-promote.patch
Patch160: bz1891855-galera-recover-2-node-cluster.patch
-
+Patch161: bz1471182-crypt-1-new-ra.patch
+Patch162: bz1471182-crypt-2-fix-bashism.patch
+Patch163: bz1471182-crypt-3-fix-missing-and.patch
# bundle patches
Patch1000: 7-gcp-bundled.patch
@@ -566,6 +568,9 @@ exit 1
%patch158 -p1
%patch159 -p1
%patch160 -p1
+%patch161 -p1
+%patch162 -p1
+%patch163 -p1
chmod 755 heartbeat/nova-compute-wait
chmod 755 heartbeat/NovaEvacuate
@@ -1129,6 +1134,11 @@ ccs_update_schema > /dev/null 2>&1 ||:
%endif
%changelog
+* Mon Nov 2 2020 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.1.1-73
+- crypt: new resource agent
+
+ Resolves: rhbz#1471182
+
* Wed Oct 28 2020 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.1.1-72
- sybaseASE: Run verify_all() for start operation only
- sybaseASE: add logfile parameter