diff --git a/SOURCES/bz1394296-redis-fix-selinux-permissions.patch b/SOURCES/bz1394296-redis-fix-selinux-permissions.patch
new file mode 100644
index 0000000..b6c7a98
--- /dev/null
+++ b/SOURCES/bz1394296-redis-fix-selinux-permissions.patch
@@ -0,0 +1,29 @@
+From 70b13e3c27944292cfe658284878de5cb3a4918c Mon Sep 17 00:00:00 2001
+From: Gabriele Cerami
+Date: Wed, 2 Nov 2016 00:44:37 +0100
+Subject: [PATCH] Redis: restore rundir security context
+
+When selinux rules packages are installed, rundir does not yet exist,
+and security context for it cannot be applied. Calling restorecon after
+dir creation ensures that the proper context is applied to the rundir.
+If the context is not applied, selinux denies write permission, the unix
+socket cannot be created, and redis does not start
+---
+ heartbeat/redis | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/heartbeat/redis b/heartbeat/redis
+index f85b2f7..1fe8906 100755
+--- a/heartbeat/redis
++++ b/heartbeat/redis
+@@ -324,6 +324,10 @@ function start() {
+
+ [[ ! -d "$REDIS_RUNDIR" ]] && mkdir -p "$REDIS_RUNDIR"
+ chown -R "$REDIS_USER" "$REDIS_RUNDIR"
++ if have_binary "restorecon"; then
++ restorecon -Rv "$REDIS_RUNDIR"
++ fi
++
+
+ # check for 0 byte database dump file. This is an unrecoverable start
+ # condition that we can avoid by deleting the 0 byte database file.
diff --git a/SOURCES/bz1400103-nova-compute-wait-nova-compute-unfence.patch b/SOURCES/bz1400103-nova-compute-wait-nova-compute-unfence.patch
new file mode 100644
index 0000000..dbc6526
--- /dev/null
+++ b/SOURCES/bz1400103-nova-compute-wait-nova-compute-unfence.patch
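Review bot: The `restorecon -Rv "$REDIS_RUNDIR"` call added to `start()` in heartbeat/redis has its exit status discarded, so a failed relabel is not reported and the later failure to create the unix socket has nothing in the log pointing back to it. Checking the result and reporting it through the agent's logger, for example `restorecon -R "$REDIS_RUNDIR" || ocf_log warn "restorecon failed on $REDIS_RUNDIR"`, would make an SELinux denial diagnosable; as written, `-v` only prints relabelled paths to stdout. The preceding `chown -R` and this `restorecon -R` both recurse through a directory taken from a variable, so it is worth confirming that `$REDIS_RUNDIR` is validated elsewhere as a dedicated directory. `start()` begins and continues outside the hunk.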
@@ -0,0 +1,250 @@
+diff -uNr a/heartbeat/nova-compute-wait b/heartbeat/nova-compute-wait
+--- a/heartbeat/nova-compute-wait 2016-11-29 12:36:05.437464639 +0100
++++ b/heartbeat/nova-compute-wait 2016-11-29 12:52:54.790724139 +0100
+@@ -1,30 +1,15 @@
+ #!/bin/sh
++# Copyright 2015 Red Hat, Inc.
+ #
++# Description: Manages compute daemons
+ #
+-# nova-compute-wait agent manages compute daemons.
++# Authors: Andrew Beekhof
+ #
+-# Copyright (c) 2015
+-#
+-# This program is free software; you can redistribute it and/or modify
+-# it under the terms of version 2 of the GNU General Public License as
+-# published by the Free Software Foundation.
+-#
+-# This program is distributed in the hope that it would be useful, but
+-# WITHOUT ANY WARRANTY; without even the implied warranty of
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+-#
+-# Further, this software is distributed without any warranty that it is
+-# free of the rightful claim of any third person regarding infringement
+-# or the like. Any license provided herein, whether implied or
+-# otherwise, applies only to this software file. Patent licenses, if
+-# any, provided herein do not apply to combinations of this program with
+-# other software, or any other product whatsoever.
+-#
+-# You should have received a copy of the GNU General Public License
+-# along with this program; if not, write the Free Software Foundation,
+-# Inc., 59 Temple Place - Suite 330, Boston MA 02111-1307, USA.
++# Support: openstack@lists.openstack.org
++# License: Apache Software License (ASL) 2.0
+ #
+
++
+ #######################################################################
+ # Initialization:
+
+@@ -137,6 +122,8 @@
+ }
+
+ nova_start() {
++ build_unfence_overlay
++
+ state=$(attrd_updater -p -n evacuate -N ${NOVA_HOST} | sed -e 's/.*value=//' | tr -d '"' )
+ if [ "x$state" = x ]; then
+ : never been fenced
+@@ -147,8 +134,8 @@
+ sleep ${OCF_RESKEY_evacuation_delay}
+
+ else
+- ocf_log info "Waiting for pending evacuations from ${NOVA_HOST}"
+ while [ "x$state" != "xno" ]; do
++ ocf_log info "Waiting for pending evacuations from ${NOVA_HOST}"
+ state=$(attrd_updater -p -n evacuate -N ${NOVA_HOST} | sed -e 's/.*value=//' | tr -d '"' )
+ sleep 5
+ done
+@@ -156,14 +143,22 @@
+ ocf_log info "Pausing to give evacuations from ${NOVA_HOST} time to complete"
+ sleep ${OCF_RESKEY_evacuation_delay}
+ fi
++
++ touch "$statefile"
++
+ return $OCF_SUCCESS
+ }
+
+ nova_stop() {
++ rm -f "$statefile"
+ return $OCF_SUCCESS
+ }
+
+ nova_monitor() {
++ if [ ! -f "$statefile" ]; then
++ return $OCF_NOT_RUNNING
++ fi
++
+ return $OCF_SUCCESS
+ }
+
+@@ -171,17 +166,113 @@
+ return $OCF_SUCCESS
+ }
+
++build_unfence_overlay() {
++ fence_options=""
++
++ if [ -z "${OCF_RESKEY_auth_url}" ]; then
++ candidates=$(/usr/sbin/stonith_admin -l ${NOVA_HOST})
++ for candidate in ${candidates}; do
++ pcs stonith show $d | grep -q fence_compute
++ if [ $? = 0 ]; then
++ ocf_log info "Unfencing nova based on: $candidate"
++ fence_auth=$(pcs stonith show $candidate | grep Attributes: | sed -e s/Attributes:// -e s/-/_/g -e 's/[^ ]\+=/OCF_RESKEY_\0/g' -e s/passwd/password/g)
++ eval "export $fence_auth"
++ break
++ fi
++ done
++ fi
++
++ # Copied from NovaEvacuate
++ if [ -z "${OCF_RESKEY_auth_url}" ]; then
++ ocf_exit_reason "auth_url not configured"
++ exit $OCF_ERR_CONFIGURED
++ fi
++
++ fence_options="${fence_options} -k ${OCF_RESKEY_auth_url}"
++
++ if [ -z "${OCF_RESKEY_username}" ]; then
++ ocf_exit_reason "username not configured"
++ exit $OCF_ERR_CONFIGURED
++ fi
++
++ fence_options="${fence_options} -l ${OCF_RESKEY_username}"
++
++ if [ -z "${OCF_RESKEY_password}" ]; then
++ ocf_exit_reason "password not configured"
++ exit $OCF_ERR_CONFIGURED
++ fi
++
++ fence_options="${fence_options} -p ${OCF_RESKEY_password}"
++
++ if [ -z "${OCF_RESKEY_tenant_name}" ]; then
++ ocf_exit_reason "tenant_name not configured"
++ exit $OCF_ERR_CONFIGURED
++ fi
++
++ fence_options="${fence_options} -t ${OCF_RESKEY_tenant_name}"
++
++ if [ -n "${OCF_RESKEY_domain}" ]; then
++ fence_options="${fence_options} -d ${OCF_RESKEY_domain}"
++ fi
++
++ if [ -n "${OCF_RESKEY_region_name}" ]; then
++ fence_options="${fence_options} \
++ --region-name ${OCF_RESKEY_region_name}"
++ fi
++
++ if [ -n "${OCF_RESKEY_insecure}" ]; then
++ if ocf_is_true "${OCF_RESKEY_insecure}"; then
++ fence_options="${fence_options} --insecure"
++ fi
++ fi
++
++ if [ -n "${OCF_RESKEY_no_shared_storage}" ]; then
++ if ocf_is_true "${OCF_RESKEY_no_shared_storage}"; then
++ fence_options="${fence_options} --no-shared-storage"
++ fi
++ fi
++
++ if [ -n "${OCF_RESKEY_endpoint_type}" ]; then
++ case ${OCF_RESKEY_endpoint_type} in
++ adminURL|publicURL|internalURL)
++ ;;
++ *)
++ ocf_exit_reason "endpoint_type ${OCF_RESKEY_endpoint_type}" \
++ "not valid. Use adminURL or publicURL or internalURL"
++ exit $OCF_ERR_CONFIGURED
++ ;;
++ esac
++ fence_options="${fence_options} -e ${OCF_RESKEY_endpoint_type}"
++ fi
++
++ mkdir -p /run/systemd/system/openstack-nova-compute.service.d
++ cat</run/systemd/system/openstack-nova-compute.service.d/unfence-20.conf
++[Service]
++ExecStartPost=/sbin/fence_compute ${fence_options} -o on -n ${NOVA_HOST}
++EOF
++}
++
+ nova_validate() {
+ rc=$OCF_SUCCESS
+
+ check_binary crudini
+ check_binary nova-compute
++ check_binary fence_compute
+
+ if [ ! -f /etc/nova/nova.conf ]; then
+ ocf_exit_reason "/etc/nova/nova.conf not found"
+ exit $OCF_ERR_CONFIGURED
+ fi
+
++ # Is the state directory writable?
++ state_dir=$(dirname $statefile)
++ touch "$state_dir/$$"
++ if [ $? != 0 ]; then
++ ocf_exit_reason "Invalid state directory: $state_dir"
++ return $OCF_ERR_ARGS
++ fi
++ rm -f "$state_dir/$$"
++
+ NOVA_HOST=$(crudini --get /etc/nova/nova.conf DEFAULT host 2>/dev/null)
+ if [ $? = 1 ]; then
+ short_host=$(uname -n | awk -F. '{print $1}')
+@@ -198,6 +289,8 @@
+ return $rc
+ }
+
++statefile="${HA_RSCTMP}/${OCF_RESOURCE_INSTANCE}.active"
++
+ : ${OCF_RESKEY_evacuation_delay=120}
+ case $__OCF_ACTION in
+ meta-data) meta_data
+@@ -221,3 +314,4 @@
+ rc=$?
+ ocf_log debug "${OCF_RESOURCE_INSTANCE} $__OCF_ACTION : $rc"
+ exit $rc
++
+diff -uNr a/heartbeat/NovaEvacuate b/heartbeat/NovaEvacuate
+--- a/heartbeat/NovaEvacuate 2016-11-29 12:36:05.425464769 +0100
++++ b/heartbeat/NovaEvacuate 2016-11-29 12:52:38.548900211 +0100
+@@ -1,30 +1,16 @@
+ #!/bin/sh
+ #
++# Copyright 2015 Red Hat, Inc.
+ #
+-# NovaCompute agent manages compute daemons.
++# Description: Manages evacuation of nodes running nova-compute
+ #
+-# Copyright (c) 2015
++# Authors: Andrew Beekhof
+ #
+-# This program is free software; you can redistribute it and/or modify
+-# it under the terms of version 2 of the GNU General Public License as
+-# published by the Free Software Foundation.
+-#
+-# This program is distributed in the hope that it would be useful, but
+-# WITHOUT ANY WARRANTY; without even the implied warranty of
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+-#
+-# Further, this software is distributed without any warranty that it is
+-# free of the rightful claim of any third person regarding infringement
+-# or the like. Any license provided herein, whether implied or
+-# otherwise, applies only to this software file. Patent licenses, if
+-# any, provided herein do not apply to combinations of this program with
+-# other software, or any other product whatsoever.
+-#
+-# You should have received a copy of the GNU General Public License
+-# along with this program; if not, write the Free Software Foundation,
+-# Inc., 59 Temple Place - Suite 330, Boston MA 02111-1307, USA.
++# Support: openstack@lists.openstack.org
++# License: Apache Software License (ASL) 2.0
+ #
+
++
+ #######################################################################
+ # Initialization:
+
diff --git a/SOURCES/bz1400103-redis-notify-clients-of-master-being-demoted.patch b/SOURCES/bz1400103-redis-notify-clients-of-master-being-demoted.patch
new file mode 100644
index 0000000..a8dee96
--- /dev/null
+++ b/SOURCES/bz1400103-redis-notify-clients-of-master-being-demoted.patch
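Review bot: The new `build_unfence_overlay` in heartbeat/nova-compute-wait puts the OpenStack password into the systemd drop-in `unfence-20.conf` as `-p ${OCF_RESKEY_password}`, so the secret lands in a file under /run created with whatever umask the agent inherits and then appears on the `fence_compute` command line each time the unit starts. At minimum the drop-in should be written under `umask 077`, and the interpolated values need quoting, because a space in any of them changes the ExecStartPost argument list. In the same function, `eval "export $fence_auth"` runs text scraped from `pcs stonith show` output as shell, so an attribute value containing shell metacharacters would be executed; splitting the key=value pairs and exporting them one by one without `eval` avoids that. The discovery loop also tests `pcs stonith show $d`, and `$d` is never assigned in the hunk, so the `fence_compute` check is not limited to the current candidate; it presumably should be `pcs stonith show "$candidate" | grep -q fence_compute`.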
@@ -0,0 +1,22 @@ +From 24d8398461592d3bff82851625f21c9531bda8a9 Mon Sep 17 00:00:00 2001 +From: Oyvind Albrigtsen +Date: Tue, 22 Nov 2016 11:17:15 +0100 +Subject: [PATCH] redis: use "CLIENT KILL type normal" to notify clients of + master being demoted + +--- + heartbeat/redis | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/heartbeat/redis b/heartbeat/redis +index 1ea0025..296f56a 100755 +--- a/heartbeat/redis ++++ b/heartbeat/redis +@@ -466,6 +466,7 @@ function demote() { + ocf_log info "demote: Setting master to '$master_host'" + + redis_client slaveof "$master_host" "$master_port" ++ redis_client CLIENT KILL type normal + + # Wait forever for the slave to connect to the master and finish the + # sync. Timeout is controlled by Pacemaker "op start timeout=XX". diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec index 08a6617..6aee971 100644 --- a/SPECS/resource-agents.spec +++ b/SPECS/resource-agents.spec @@ -32,8 +32,8 @@ Name: resource-agents Summary: Open Source HA Reusable Cluster Resource Scripts Version: 3.9.5 -Release: 82%{?dist}.1 -License: GPLv2+ and LGPLv2+ +Release: 82%{?dist}.3 +License: GPLv2+, LGPLv2+ and ASL 2.0 URL: https://github.com/ClusterLabs/resource-agents %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel} Group: System Environment/Base @@ -169,6 +169,9 @@ Patch124: bz1328386-3-oracle-monprofile-container-databases.patch Patch125: bz1303037-2-portblock.patch Patch126: bz1249430-2-tomcat-fix-selinux-enforced.patch Patch127: bz1391495-nfsserver-keep-options.patch +Patch128: bz1394296-redis-fix-selinux-permissions.patch +Patch129: bz1400103-redis-notify-clients-of-master-being-demoted.patch +Patch130: bz1400103-nova-compute-wait-nova-compute-unfence.patch Obsoletes: heartbeat-resources <= %{version} Provides: heartbeat-resources = %{version} @@ -403,6 +406,9 @@ exit 1 %patch125 -p1 %patch126 -p1 %patch127 -p1 +%patch128 -p1 +%patch129 -p1 +%patch130 -p1 %build if [ ! -f configure ]; then 
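Review bot: The `redis_client CLIENT KILL type normal` line added to `demote()` in heartbeat/redis has no comment and its result is ignored, so the code does not show that the disconnect is deliberate and a failure would go unreported. A Redis server that does not accept the `type` filter would presumably reject the command, and clients would then stay connected to the demoted node. Suggest a comment above it such as `# Drop normal client connections so clients reconnect and notice this node is no longer master`, and an `ocf_log warn` when the call fails. `demote()` starts and ends outside the hunk.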
@@ -657,6 +663,16 @@ ccs_update_schema > /dev/null 2>&1 ||: %endif %changelog +* Wed Nov 30 2016 Oyvind Albrigtsen - 3.9.5-82.3 +- redis: notify clients of master being demoted + + Resolves: rhbz#1400103 + +* Mon Nov 14 2016 Oyvind Albrigtsen - 3.9.5-82.2 +- redis: fix SELinux permissions + + Resolves: rhbz#1394296 + * Fri Nov 4 2016 Oyvind Albrigtsen - 3.9.5-82.1 - nfsserver: fix to preserve options in /etc/sysconfig/nfs