diff --git a/SOURCES/bz1471182-crypt-1-new-ra.patch b/SOURCES/bz1471182-crypt-1-new-ra.patch new file mode 100644 index 0000000..7ed08b5 --- /dev/null +++ b/SOURCES/bz1471182-crypt-1-new-ra.patch 
@@ -0,0 +1,415 @@ +From 019c3108feff48d8ad496cd0759349c46170dc2d Mon Sep 17 00:00:00 2001 +From: Oyvind Albrigtsen +Date: Mon, 6 Apr 2020 10:23:51 +0200 +Subject: [PATCH 1/2] crypt: new resource agent + +--- + doc/man/Makefile.am | 1 + + heartbeat/Makefile.am | 1 + + heartbeat/crypt | 337 ++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 339 insertions(+) + create mode 100755 heartbeat/crypt + +diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am +index 478fbe4f8..53c9975ec 100644 +--- a/doc/man/Makefile.am ++++ b/doc/man/Makefile.am +@@ -105,6 +105,7 @@ man_MANS = ocf_heartbeat_AoEtarget.7 \ + ocf_heartbeat_azure-lb.7 \ + ocf_heartbeat_clvm.7 \ + ocf_heartbeat_conntrackd.7 \ ++ ocf_heartbeat_crypt.7 \ + ocf_heartbeat_db2.7 \ + ocf_heartbeat_dhcpd.7 \ + ocf_heartbeat_docker.7 \ +diff --git a/heartbeat/Makefile.am b/heartbeat/Makefile.am +index 893115810..bbc9590ac 100644 +--- a/heartbeat/Makefile.am ++++ b/heartbeat/Makefile.am +@@ -101,6 +101,7 @@ ocf_SCRIPTS = AoEtarget \ + azure-lb \ + clvm \ + conntrackd \ ++ crypt \ + db2 \ + dhcpd \ + dnsupdate \ +diff --git a/heartbeat/crypt b/heartbeat/crypt +new file mode 100755 +index 000000000..6bffdff89 +--- /dev/null ++++ b/heartbeat/crypt +@@ -0,0 +1,337 @@ ++#!/bin/sh ++# ++# crypt/LUKS OCF RA. Manages cryptsetup devices. ++# ++# Copyright (c) 2020 Red Hat GmbH, Heinz Mauelshagen ++# All Rights Reserved. ++# ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of version 2 of the GNU General Public License as ++# published by the Free Software Foundation. ++# ++# This program is distributed in the hope that it would be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. ++# ++# Further, this software is distributed without any warranty that it is ++# free of the rightful claim of any third person regarding infringement ++# or the like. 
Any license provided herein, whether implied or ++# otherwise, applies only to this software file. Patent licenses, if ++# any, provided herein do not apply to combinations of this program with ++# other software, or any other product whatsoever. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write the Free Software Foundation, ++# Inc., 59 Temple Place - Suite 330, Boston MA 02111-1307, USA. ++# ++ ++####################################################################### ++# Initialization: ++ ++: ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat} ++. ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs ++ ++# Parameter defaults ++OCF_RESKEY_encrypted_dev_default="" ++OCF_RESKEY_crypt_dev_default="" ++OCF_RESKEY_key_file_default="" ++OCF_RESKEY_crypt_type_default="" ++OCF_RESKEY_force_stop_default="false" ++ ++: ${OCF_RESKEY_encrypted_dev=${OCF_RESKEY_encrypted_dev_default}} ++: ${OCF_RESKEY_crypt_dev=${OCF_RESKEY_crypt_dev_default}} ++: ${OCF_RESKEY_key_file=${OCF_RESKEY_key_file_default}} ++: ${OCF_RESKEY_crypt_type=${OCF_RESKEY_crypt_type_default}} ++: ${OCF_RESKEY_force_stop=${OCF_RESKEY_force_stop_default}} ++ ++####################################################################### ++ ++meta_data() { ++ cat < ++ ++ ++1.0 ++ ++ ++This is a LUKS/crypt Resource Agent managing encrypted devices via cryptsetup(8). ++The agent imposes limitations on device types supported: luks, luks[1..N]. ++ ++LUKS/crypt resource agent ++ ++ ++ ++ ++ ++Encrypted backing device, which should be defined by UUID, ++36 characters including '-'s as reported by blkid(8). ++ ++Although it can be defined as a block device path (e.g. /dev/sdh), ++the UUID should be preferred over the block device path to allow for the ++unique discovery of the crypt backing device given the volatile nature of ++/dev entries (e.g. /dev/sdh on one node may be /dev/sdg on another). ++ ++Only define as block device path if you know what you are doing. 
++ ++Encrypted device ++ ++ ++ ++ ++ ++Encrypted device name, no path. I.e. the one given in "cryptsetup open name ...". ++The resulting block device path is /dev/mapper/name. ++ ++Encrypted device ++ ++ ++ ++ ++ ++Key file path containing the encryption passphrase ++(aka key; see cryptsetup(8)). For LUKS, the passphrase as of the key_file ++parameter is used to decrypt a randomly selected key when the device was created. ++ ++Key file ++ ++ ++ ++ ++ ++Encryption (device) type (e.g. "luks" or "luks2"). ++ ++This parameter affirms the encryption format as of the crypt metadata ++thus allowing for safety measures when starting the encrypted resource. ++ ++Encryption type ++ ++ ++ ++ ++ ++If processes or kernel threads are using the crypt device, it cannot ++be stopped. We will try to stop processes, first by sending TERM and ++then, if that doesn't help in $PROC_CLEANUP_TIME seconds, using KILL. ++The lsof(8) program is required to get the list of array users. ++Of course, the kernel threads cannot be stopped this way. ++If the processes are critical for data integrity, then set this ++parameter to false. Note that in that case the stop operation ++will fail and the node will be fenced. ++ ++force stop processes using the crpyt device ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++END ++} ++ ++# Disable cryptsetup auto-recovery if cloned. ++disable_locks="" ++ocf_is_clone && disable_locks="--disable-locks" ++ ++crypt_usage() { ++ cat </dev/null ++ if [ $? -eq 0 ] && [ -z "$crypt_dev" ]; then ++ ocf_exit_reason "Crypt device \"$crypt_dev\" name has to at least 1 character long and without path" ++ return $OCF_ERR_ARGS ++ fi ++ if [ ! -r "$key_file" ]; then ++ ocf_exit_reason "Hash key file $key_file not accessible" ++ return $OCF_ERR_ARGS ++ fi ++ if ! ocf_is_true "$force_stop" && "$force_stop" != "false" ]]; then ++ ocf_exit_reason "Bogus force_stop=\"$force_stop\" attribute" ++ return $OCF_ERR_CONFIGURED ++ fi ++ if "$force_stop" = "true" && ! 
have_binary lsof; then ++ ocf_exit_reason "Force stop requested, please install lsof(8)" ++ return $OCF_ERR_INSTALLED ++ fi ++ cryptsetup isLuks $encrypted_dev 2>/dev/null ++ if [ $? -ne 0 ]; then ++ ocf_exit_reason "$encrypted_dev is not a Luks formatted device" ++ return $OCF_ERR_CONFIGURED ++ fi ++ ++ return $OCF_SUCCESS ++} ++ ++get_users_pids() { ++ ocf_log debug "running lsof to list \"$crypt_dev\" users..." ++ ocf_run -warn 'lsof $crypt_dev_path | tail -n +2 | awk "{print $2}" | sort -u' ++} ++ ++stop_crypt_users() { ++ local pids=`get_users_pids` ++ ++ if [ -z "$pids" ]; then ++ ocf_log warn "lsof reported no users holding arrays" ++ return 2 ++ fi ++ ++ ocf_stop_processes TERM $PROC_CLEANUP_TIME $pids ++} ++ ++show_users() { ++ local dm_dev ++ ++ ocf_log info "running lsof to list \"$crypt_dev\" users..." ++ ocf_run -warn lsof $crypt_dev_path ++ ++ dm_dev=$(basename $(realpath $crypt_dev_path)) ++ if [ -d /sys/block/$dm_dev/holders ]; then ++ ocf_log debug "ls -l /sys/block/$dm_dev/holders" ++ ocf_run -warn ls -l /sys/block/$dm_dev/holders ++ fi ++} ++ ++crypt_stop_one() { ++ cryptsetup close $crypt_dev $disable_locks ++} ++ ++####################################################################### ++# ++# Action: START an encrypted resource ++# ++crypt_start() { ++ local rc ++ ++ cryptsetup open $encrypted_dev $crypt_dev --type $crypt_type $disable_locks --key-file=$key_file ++ rc=$? ++ if [ $rc -eq 0 ];then ++ crypt_monitor ++ rc=$? ++ else ++ rc=$OCF_ERR_GERNERIC ++ fi ++ [ $rc -ne $OCF_SUCCESS ] ocf_exit_reason "Failed to start encrypted device \"$crypt_dev\"" ++ ++ return $rc ++} ++ ++# ++# Action: STOP an encrypted resource ++# ++crypt_stop() { ++ local rc ++ ++ crypt_monitor ++ rc=$? ++ if [ $rc -ne $OCF_NOT_RUNNING ]; then ++ crypt_stop_one ++ crypt_monitor ++ rc=$? ++ fi ++ if [ $rc -ne $OCF_NOT_RUNNING ] && ocf_is_true $FORCESTOP; then ++ stop_crypt_users ++ case $? 
in ++ 2) rc=$OCF_SUCCESS;; ++ *) crypt_stop_one ++ crypt_monitor ++ rc=$?;; ++ esac ++ fi ++ if [ $rc -ne $OCF_NOT_RUNNING ]; then ++ ocf_log warn "Couldn't stop crypt device \"$crypt_dev\" (rc=$rc)" ++ show_users ++ ocf_exit_reason "Failed to stop crypt device \"$crypt_dev\"!" ++ return $OCF_ERR_GENERIC ++ fi ++ ++ return $OCF_SUCCESS ++} ++ ++# ++# Action: MONITOR an encrypted resource ++# ++crypt_monitor() { ++ cryptsetup status $crypt_dev $disable_locks &>/dev/null ++ if [ $? -eq 0 ]; then ++ [ -L $crypt_dev_path ] && return $OCF_SUCCESS ++ return $OCF_ERR_GENERIC ++ fi ++ ++ [ "$__OCF_ACTION" = "monitor" ] && ! ocf_is_probe && ocf_exit_reason "Crypt resource not running" ++ return $OCF_NOT_RUNNING ++} ++ ++# Check for stange argument count. ++if [ $# -ne 1 ]; then ++ usage ++ exit $OCF_ERR_ARGS ++fi ++ ++case "$__OCF_ACTION" in ++meta-data) meta_data ++ exit $OCF_SUCCESS;; ++usage|help) crypt_usage ++ exit $OCF_SUCCESS;; ++esac ++ ++# XME: remove once pacemaker is fixed and calls this action ++crypt_validate_all ++rc=$? ++[ $rc -ne $OCF_SUCCESS ] && exit $rc ++ ++case "$__OCF_ACTION" in ++start) crypt_start; rc=$?;; ++stop) crypt_stop; rc=$?;; ++monitor) crypt_monitor; rc=$?;; ++validate-all) rc=$OCF_SUCCESS;; # crypt_validate_all would have errored out above already. ++*) crypt_usage ++ exit $OCF_ERR_UNIMPLEMENTED;; ++esac ++ ++ocf_log debug "${OCF_RESOURCE_INSTANCE} $__OCF_ACTION : $rc" ++exit $rc + +From 5e0d35f8db967419ea9f1234ab621b88babcf3ea Mon Sep 17 00:00:00 2001 +From: Oyvind Albrigtsen +Date: Tue, 7 Apr 2020 12:39:24 +0200 +Subject: [PATCH 2/2] crypt: force_stop check fixes + +--- + heartbeat/crypt | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/heartbeat/crypt b/heartbeat/crypt +index 6bffdff89..8bfa1094d 100755 +--- a/heartbeat/crypt ++++ b/heartbeat/crypt +@@ -190,11 +190,7 @@ crypt_validate_all() { + ocf_exit_reason "Hash key file $key_file not accessible" + return $OCF_ERR_ARGS + fi +- if ! 
ocf_is_true "$force_stop" && "$force_stop" != "false" ]]; then +- ocf_exit_reason "Bogus force_stop=\"$force_stop\" attribute" +- return $OCF_ERR_CONFIGURED +- fi +- if "$force_stop" = "true" && ! have_binary lsof; then ++ if ocf_is_true "$force_stop" && ! have_binary lsof; then + ocf_exit_reason "Force stop requested, please install lsof(8)" + return $OCF_ERR_INSTALLED + fi +@@ -273,7 +269,7 @@ crypt_stop() { + crypt_monitor + rc=$? + fi +- if [ $rc -ne $OCF_NOT_RUNNING ] && ocf_is_true $FORCESTOP; then ++ if [ $rc -ne $OCF_NOT_RUNNING ] && ocf_is_true $force_stop; then + stop_crypt_users + case $? in + 2) rc=$OCF_SUCCESS;; diff --git a/SOURCES/bz1471182-crypt-2-fix-bashism.patch b/SOURCES/bz1471182-crypt-2-fix-bashism.patch new file mode 100644 index 0000000..dace36f --- /dev/null +++ b/SOURCES/bz1471182-crypt-2-fix-bashism.patch @@ -0,0 +1,22 @@ +From 2915fa336e95b609d3d738d335799f015022c493 Mon Sep 17 00:00:00 2001 +From: Valentin Vidic +Date: Sat, 13 Jun 2020 08:47:36 +0200 +Subject: [PATCH] crypt: fix bashism + +--- + heartbeat/crypt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/heartbeat/crypt b/heartbeat/crypt +index 8bfa1094d..2727b5b23 100755 +--- a/heartbeat/crypt ++++ b/heartbeat/crypt +@@ -292,7 +292,7 @@ crypt_stop() { + # Action: MONITOR an encrypted resource + # + crypt_monitor() { +- cryptsetup status $crypt_dev $disable_locks &>/dev/null ++ cryptsetup status $crypt_dev $disable_locks >/dev/null 2>&1 + if [ $? -eq 0 ]; then + [ -L $crypt_dev_path ] && return $OCF_SUCCESS + return $OCF_ERR_GENERIC diff --git a/SOURCES/bz1471182-crypt-3-fix-missing-and.patch b/SOURCES/bz1471182-crypt-3-fix-missing-and.patch new file mode 100644 index 0000000..8a0deaf --- /dev/null +++ b/SOURCES/bz1471182-crypt-3-fix-missing-and.patch 
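Review bot: `crypt_validate_all` never checks that `crypt_type` is set, yet `crypt_start` passes it unquoted as `--type $crypt_type`; with the declared default of `""` the `--type` option is left without a value, so the following token (`--disable-locks` or `--key-file=...`) is likely consumed as the type and the key file is not passed at all, which would make `cryptsetup open` wait for a passphrase on stdin instead of failing cleanly (inferred from cryptsetup's option parsing, worth confirming). The meta-data text says crypt_type "allows for safety measures", but the only header check is `cryptsetup isLuks $encrypted_dev`, which does not compare the configured type with the on-disk format; if the installed cryptsetup accepts `isLuks --type`, using it there would make the check match the documentation. The `cryptsetup open` and `isLuks` invocations also expand `$encrypted_dev`, `$crypt_dev`, `$crypt_type` and `$key_file` unquoted, so a key_file path containing whitespace is split into several arguments. Since key_file holds the LUKS passphrase, validate_all could additionally log a warning when the file is group- or world-readable rather than only testing `-r`, which is always true for root. Part of crypt_validate_all's body between `crypt_usage` and the `crypt_dev` check is not visible on this page, so the new check below is placed after the existing key_file test.
```shell
    # … unchanged: encrypted_dev / crypt_dev / key_file checks …
    if [ -z "$crypt_type" ]; then
        ocf_exit_reason "crypt_type must be set (e.g. \"luks\" or \"luks2\")"
        return $OCF_ERR_CONFIGURED
    fi
    # … unchanged: force_stop / lsof check …
    cryptsetup isLuks "$encrypted_dev" 2>/dev/null
    # … unchanged: rest of crypt_validate_all …

    # in crypt_start (quoted; $disable_locks is intentionally unquoted, it is empty or one option)
    cryptsetup open "$encrypted_dev" "$crypt_dev" --type "$crypt_type" $disable_locks --key-file="$key_file"
```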
@@ -0,0 +1,22 @@ +From 635c344fb85ef225b8a0c094687d2838b0b0cd2c Mon Sep 17 00:00:00 2001 +From: Oyvind Albrigtsen +Date: Mon, 26 Oct 2020 16:36:06 +0100 +Subject: [PATCH] crypt: fix missing && to set exit_reason + +--- + heartbeat/crypt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/heartbeat/crypt b/heartbeat/crypt +index 2727b5b23..0e49b6c2d 100755 +--- a/heartbeat/crypt ++++ b/heartbeat/crypt +@@ -251,7 +251,7 @@ crypt_start() { + else + rc=$OCF_ERR_GERNERIC + fi +- [ $rc -ne $OCF_SUCCESS ] ocf_exit_reason "Failed to start encrypted device \"$crypt_dev\"" ++ [ $rc -ne $OCF_SUCCESS ] && ocf_exit_reason "Failed to start encrypted device \"$crypt_dev\"" + + return $rc + } diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec index 8025843..329e751 100644 --- a/SPECS/resource-agents.spec +++ b/SPECS/resource-agents.spec @@ -70,7 +70,7 @@ Name: resource-agents Summary: Open Source HA Reusable Cluster Resource Scripts Version: 4.1.1 -Release: 72%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist} +Release: 73%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist} License: GPLv2+ and LGPLv2+ URL: https://github.com/ClusterLabs/resource-agents %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel} @@ -249,7 +249,9 @@ Patch157: bz1848025-sybaseASE-run-verify-for-start-action-only.patch Patch158: bz1861001-sybaseASE-add-logfile-parameter.patch Patch159: bz1891835-galera-set-bootstrap-attribute-before-promote.patch Patch160: bz1891855-galera-recover-2-node-cluster.patch - +Patch161: bz1471182-crypt-1-new-ra.patch +Patch162: bz1471182-crypt-2-fix-bashism.patch +Patch163: bz1471182-crypt-3-fix-missing-and.patch # bundle patches Patch1000: 7-gcp-bundled.patch @@ -566,6 +568,9 @@ exit 1 %patch158 -p1 %patch159 -p1 %patch160 -p1 +%patch161 -p1 +%patch162 -p1 +%patch163 -p1 chmod 755 heartbeat/nova-compute-wait chmod 755 heartbeat/NovaEvacuate 
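Review bot: The context line directly above the repaired one, `rc=$OCF_ERR_GERNERIC`, misspells `OCF_ERR_GENERIC`, so when `cryptsetup open` fails `rc` expands to an empty string; the `[ $rc -ne $OCF_SUCCESS ]` test this commit fixes then becomes `[ -ne 0 ]`, a test syntax error, the `&&` short-circuits without setting an exit reason, and `return $rc` returns the status of that failed test rather than OCF_ERR_GENERIC. Adding the missing `&&` therefore still leaves the start-failure path unable to report the failure it is meant to report. Change the line to `rc=$OCF_ERR_GENERIC`. The rest of crypt_start lies outside this hunk.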
@@ -1129,6 +1134,11 @@ ccs_update_schema > /dev/null 2>&1 ||: %endif %changelog +* Mon Nov 2 2020 Oyvind Albrigtsen - 4.1.1-73 +- crypt: new resource agent + + Resolves: rhbz#1471182 + * Wed Oct 28 2020 Oyvind Albrigtsen - 4.1.1-72 - sybaseASE: Run verify_all() for start operation only - sybaseASE: add logfile parameter