StarlingX open source release updates

Signed-off-by: Dean Troyer <dtroyer@gmail.com>
Dean Troyer 2018-05-30 16:16:32 -07:00
parent 81daa01b49
commit 9c72843aa1
257 changed files with 23461 additions and 0 deletions

202
LICENSE Normal file

@ -0,0 +1,202 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

5
README.rst Normal file

@ -0,0 +1,5 @@
=========
stx-gplv2
=========
StarlingX GPL v2 Licensed Packages

@ -0,0 +1,3 @@
COPY_LIST="files/*"
TIS_PATCH_VER=3
BUILD_IS_SLOW=3

@ -0,0 +1,25 @@
From dbe4403d95cb18d9857bc53420d293e5be1f3fd6 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:05:36 -0400
Subject: [PATCH 3/3] WRS: 0001-Further-parallelize-bash-build.patch
---
SPECS/bash.spec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SPECS/bash.spec b/SPECS/bash.spec
index 115d540..5e688c1 100644
--- a/SPECS/bash.spec
+++ b/SPECS/bash.spec
@@ -341,7 +341,7 @@ autoconf
# Recycles pids is neccessary. When bash's last fork's pid was X
# and new fork's pid is also X, bash has to wait for this same pid.
# Without Recycles pids bash will not wait.
-make "CPPFLAGS=-D_GNU_SOURCE -DRECYCLES_PIDS -DDEFAULT_PATH_VALUE='\"/usr/local/bin:/usr/bin\"' `getconf LFS_CFLAGS`"
+make -j"%(nprocs)" "CPPFLAGS=-D_GNU_SOURCE -DRECYCLES_PIDS -DDEFAULT_PATH_VALUE='\"/usr/local/bin:/usr/bin\"' `getconf LFS_CFLAGS`"
%install
rm -rf $RPM_BUILD_ROOT
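Review bot: -j"%(nprocs)" on the make line uses RPM's shell-expansion form %(...), so the job count comes from running a command called nprocs when the spec is parsed. If that command is not on the build host (coreutils ships nproc, without the s), the expansion is empty and make receives a bare -j, which puts no limit on parallel jobs. Consider %{?_smp_mflags}, which the cgcs-users spec in this same commit already uses, or document where nprocs comes from.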
--
1.9.1

@ -0,0 +1,27 @@
From e1f17182a8d105770a2805c9950b776b4437f7ff Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:05:36 -0400
Subject: [PATCH 2/3] WRS: 0001-Update-package-versioning-for-TIS-format.patch
Conflicts:
SPECS/bash.spec
---
SPECS/bash.spec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SPECS/bash.spec b/SPECS/bash.spec
index 5f14bad..115d540 100644
--- a/SPECS/bash.spec
+++ b/SPECS/bash.spec
@@ -6,7 +6,7 @@
Version: %{baseversion}%{patchleveltag}
Name: bash
Summary: The GNU Bourne Again shell
-Release: 29%{?dist}
+Release: 29.el7_4%{?_tis_dist}.%{tis_patch_ver}
Group: System Environment/Shells
License: GPLv3+
Url: http://www.gnu.org/software/bash
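Review bot: On the new Release line, %{tis_patch_ver} is expanded unconditionally while %{?_tis_dist} next to it is guarded. If the build environment does not define the macro, rpmbuild leaves the literal text %{tis_patch_ver} in the release string. Either guard it with a default or state in the spec that the macro must be supplied. The hard-coded 29.el7_4 also has to be kept in step by hand with the source RPM named in srpm_path.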
--
1.9.1

@ -0,0 +1,3 @@
spec-TiS-bash-history.patch
0001-Update-package-versioning-for-TIS-format.patch
0001-Further-parallelize-bash-build.patch

@ -0,0 +1,40 @@
From e8d5b56c303237d0a0ab00ea5f4fbdea3208caa5 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:05:36 -0400
Subject: [PATCH 1/3] WRS: spec-TiS-bash-history.patch
Conflicts:
SPECS/bash.spec
---
SPECS/bash.spec | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/SPECS/bash.spec b/SPECS/bash.spec
index 9a6d496..5f14bad 100644
--- a/SPECS/bash.spec
+++ b/SPECS/bash.spec
@@ -192,6 +192,10 @@ Patch151: bash-cve-2016-9401.patch
#1473245
Patch152: bash-4.3-pipefd-leak.patch
+# Patches from WindRiver
+Patch500: bash-history-syslog.patch
+Patch501: bash-history-exit-child-on-parent-death.patch
+
BuildRequires: texinfo bison
BuildRequires: ncurses-devel
BuildRequires: autoconf, gettext
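Review bot: Patch500 and Patch501 are introduced with only a vendor comment, whereas the entry just above carries a tracking reference (#1473245). These two patches turn on command-line logging to syslog and add a helper process to interactive shells, so a one-line description of each next to its Patch tag would help whoever rebases onto the next bash update.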
@@ -323,6 +327,10 @@ This package contains documentation files for %{name}.
%patch151 -p1 -b .cve-2016-9401
%patch152 -p1 -b .pipefd-leak
+# WindRiver patches
+%patch500 -p1 -b .history-syslog
+%patch501 -p1 -b .history-exit-child-on-parent-death
+
echo %{version} > _distribution
echo %{release} > _patchlevel
--
1.9.1

1
bash/centos/srpm_path Normal file

@ -0,0 +1 @@
mirror:Source/bash-4.2.46-29.el7_4.src.rpm

@ -0,0 +1,105 @@
From e3e273f70ea4f8b33f89478020a421bdc203666e Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Fri, 26 Aug 2016 16:04:48 -0400
Subject: [PATCH 2/2] WRS: Patch501:
bash-history-exit-child-on-parent-death.patch
---
shell.c | 16 +-
sig.c | 13 +
sig.h | 2 +
3 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/shell.c b/shell.c
index 7eca4e3..dcba61a 100644
--- a/shell.c
+++ b/shell.c
@@ -75,6 +75,7 @@
#if defined (SYSLOG_HISTORY)
# include <syslog.h>
# include <sys/socket.h>
+# include <sys/prctl.h>
# include "error.h"
#endif
@@ -338,6 +339,7 @@ static void shell_reinitialize __P((void));
static void show_shell_usage __P((FILE *, int));
#if defined (SYSLOG_HISTORY)
+int logger_terminated = 0;
static pid_t make_consumer_process __P(());
#endif
@@ -1687,6 +1689,16 @@ make_consumer_process ()
default_tty_job_signals ();
+ /* handle parent process deaths */
+ set_signal_handler(SIGTERM, sigterm_logger_sighandler);
+ prctl(PR_SET_PDEATHSIG, SIGTERM);
+
+ if (getppid() == 1)
+ {
+ /* parent has already died */
+ exit (0);
+ }
+
close(cmdline_hist_sock[0]);
ret = getsockopt(cmdline_hist_sock[1], SOL_SOCKET, SO_RCVBUF, &rcvbuf_size, &optlen);
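Review bot: The orphan check getppid() == 1 assumes a dead parent is always re-parented to PID 1. When an ancestor is registered as a child subreaper the new parent has a different PID, so the check misses a shell that died between fork and prctl. Record the shell's PID before fork and compare getppid() against that value instead. The return value of prctl(PR_SET_PDEATHSIG, SIGTERM) is also ignored; if the call fails, the child gets no death notification at all and should not continue silently.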
@@ -1718,7 +1730,9 @@ make_consumer_process ()
/*syslog this bash command line*/
syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PID=%d UID=%d %s",
getpid(), current_user.uid, buffer);
- } while (1);
+ } while (!logger_terminated);
+
+ exit(0);
}
else
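Review bot: The new condition while (!logger_terminated) is only evaluated after the blocking receive in the loop body returns, so a SIGTERM that lands between the test and the next receive sets the flag but leaves the child blocked with nothing to wake it. Calling _exit from the handler, or blocking SIGTERM and waiting with ppoll or signalfd, closes that window. The exit(0) added after the loop is a good change: without it a child that breaks out of the loop falls through to the function's return and continues in main.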
diff --git a/sig.c b/sig.c
index d38246d..5ad0c2d 100644
--- a/sig.c
+++ b/sig.c
@@ -561,6 +561,19 @@ termsig_handler (sig)
kill (getpid (), sig);
}
+sighandler
+sigterm_logger_sighandler (sig)
+ int sig;
+{
+#if defined (MUST_REINSTALL_SIGHANDLERS)
+ signal (sig, sigterm_logger_sighandler);
+#endif
+
+ logger_terminated = 1;
+
+ SIGRETURN (0);
+}
+
/* What we really do when SIGINT occurs. */
sighandler
sigint_sighandler (sig)
diff --git a/sig.h b/sig.h
index 540aa3e..8f47c56 100644
--- a/sig.h
+++ b/sig.h
@@ -115,11 +115,13 @@ extern volatile int sigwinch_received;
extern int interrupt_immediately;
extern int terminate_immediately;
+extern int logger_terminated;
/* Functions from sig.c. */
extern sighandler termsig_sighandler __P((int));
extern void termsig_handler __P((int));
extern sighandler sigint_sighandler __P((int));
+extern sighandler sigterm_logger_sighandler __P((int));
extern void initialize_signals __P((int));
extern void initialize_terminating_signals __P((void));
extern void reset_terminating_signals __P((void));
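Review bot: extern int logger_terminated; is declared without volatile, unlike sigwinch_received shown in the hunk header, yet it is written in sigterm_logger_sighandler and polled in the logger loop in shell.c. Declare it volatile sig_atomic_t here and at its definition in shell.c so the compiler cannot keep the loop test in a register.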
--
1.9.1

@ -0,0 +1,335 @@
From 33e9b03f81e871594b1f8ab1740c09cd5593c27c Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Fri, 26 Aug 2016 16:04:44 -0400
Subject: [PATCH 1/2] WRS: Patch500: bash-history-syslog.patch
---
bashhist.c | 78 +-
config-top.h | 2 +-
shell.c | 111 +++
3 files changed, 173 insertions(+), 18 deletions(-)
diff --git a/bashhist.c b/bashhist.c
index 7240a5b..5116f8d 100644
--- a/bashhist.c
+++ b/bashhist.c
@@ -38,10 +38,6 @@
#include "bashintl.h"
-#if defined (SYSLOG_HISTORY)
-# include <syslog.h>
-#endif
-
#include "shell.h"
#include "flags.h"
#include "input.h"
@@ -54,6 +50,10 @@
#include <glob/glob.h>
#include <glob/strmatch.h>
+#if defined (SYSLOG_HISTORY)
+#include <sys/socket.h>
+#endif
+
#if defined (READLINE)
# include "bashline.h"
extern int rl_done, rl_dispatching; /* should really include readline.h */
@@ -68,6 +68,12 @@ static int check_history_control __P((char *));
static void hc_erasedups __P((char *));
static void really_add_history __P((char *));
+
+#if defined (SYSLOG_HISTORY)
+static void send_cmdline_mq __P((const char *));
+int cmdline_hist_sock[2];
+#endif
+
static struct ignorevar histignore =
{
"HISTIGNORE",
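Review bot: int cmdline_hist_sock[2]; is a global with no initialiser, so both descriptors start as 0. bash_syslog_history can be reached when make_consumer_process was never called or returned -1 (socketpair or fork failure), and in that case send is issued on descriptor 0. Initialise the pair to -1 and have send_cmdline_mq return early while the socket is not set up.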
@@ -700,22 +706,11 @@ check_add_history (line, force)
}
#if defined (SYSLOG_HISTORY)
-#define SYSLOG_MAXLEN 600
-
void
bash_syslog_history (line)
const char *line;
{
- char trunc[SYSLOG_MAXLEN];
-
- if (strlen(line) < SYSLOG_MAXLEN)
- syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PID=%d UID=%d %s", getpid(), current_user.uid, line);
- else
- {
- strncpy (trunc, line, SYSLOG_MAXLEN);
- trunc[SYSLOG_MAXLEN - 1] = '\0';
- syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PID=%d UID=%d %s", getpid(), current_user.uid, trunc);
- }
+ send_cmdline_mq (line);
}
#endif
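Review bot: The removed branch tagged over-long lines as HISTORY (TRUNCATED); the replacement call send_cmdline_mq (line) returns void and gives no indication when a line was shortened or not sent at all. For an audit trail, keep an explicit marker, or write a syslog record of the drop, so a reader can tell a complete entry from a partial or missing one.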
@@ -769,6 +764,10 @@ bash_add_history (line)
sprintf (new_line, "%s%s%s", current->line, chars_to_add, line);
offset = where_history ();
old = replace_history_entry (offset, new_line, current->data);
+
+#if defined (SYSLOG_HISTORY)
+ bash_syslog_history (new_line);
+#endif
free (new_line);
if (old)
@@ -779,11 +778,13 @@ bash_add_history (line)
}
if (add_it)
+ {
really_add_history (line);
#if defined (SYSLOG_HISTORY)
- bash_syslog_history (line);
+ bash_syslog_history (line);
#endif
+ }
using_history ();
}
@@ -906,4 +907,47 @@ history_should_ignore (line)
return match;
}
+
+#if defined (SYSLOG_HISTORY)
+
+#define MQ_SEND_MAX_ATTEMPT 2
+
+static void
+send_cmdline_mq (line)
+ const char *line;
+{
+ int ret = 0;
+ int attempt = 0;
+ int fail = 0;
+ size_t len_snd;
+ int sndbuf_size;
+
+ do {
+ if (attempt >= MQ_SEND_MAX_ATTEMPT)
+ {
+ fail = 1;
+ break;
+ }
+
+ len_snd = strlen(line)+1;
+ ret = send (cmdline_hist_sock[0], line, len_snd, MSG_DONTWAIT);
+ if (ret == EMSGSIZE)
+ {
+ socklen_t optlen = sizeof(sndbuf_size);
+ ret = getsockopt(cmdline_hist_sock[0], SOL_SOCKET, SO_SNDBUF,
+ &sndbuf_size, &optlen);
+ if (ret == 0) {
+ len_snd = sndbuf_size - 1;
+ continue;
+ }
+ }
+
+ attempt ++;
+ } while (ret < 0 && (errno == EAGAIN || errno == EINTR));
+
+ return;
+}
+
+#endif /*SYSLOG_HISTORY*/
+
#endif /* HISTORY */
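Review bot: In send_cmdline_mq, the test ret == EMSGSIZE compares the return value of send with an errno constant; on failure send returns -1 and sets errno, so the oversize branch is not taken in the case it was written for. Even when it is entered, continue jumps to the loop condition with ret set to 0 by getsockopt, so nothing is resent, and len_snd would be overwritten by strlen(line)+1 on any further pass. A command line too large for the socket is therefore dropped silently, and the same happens after two EAGAIN results because of MSG_DONTWAIT; fail is set but never read. Check errno == EMSGSIZE after ret < 0, compute the length once above the loop, and record that an entry was dropped.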
diff --git a/config-top.h b/config-top.h
index 01e934e..c22c883 100644
--- a/config-top.h
+++ b/config-top.h
@@ -103,7 +103,7 @@
/* Define if you want each line saved to the history list in bashhist.c:
bash_add_history() to be sent to syslog(). */
-/* #define SYSLOG_HISTORY */
+#define SYSLOG_HISTORY
#if defined (SYSLOG_HISTORY)
# define SYSLOG_FACILITY LOG_USER
# define SYSLOG_LEVEL LOG_INFO
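Review bot: With SYSLOG_HISTORY now defined unconditionally, every history line is sent with the defaults visible in the context lines, LOG_USER at LOG_INFO. Command lines regularly contain passwords and tokens passed as arguments, so these records belong on a facility that is routed to a restricted file; LOG_AUTHPRIV is the usual choice. Change SYSLOG_FACILITY in this hunk, or state the syslog routing the platform relies on.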
diff --git a/shell.c b/shell.c
index 6f9afcd..7eca4e3 100644
--- a/shell.c
+++ b/shell.c
@@ -72,6 +72,12 @@
# include <readline/history.h>
#endif
+#if defined (SYSLOG_HISTORY)
+# include <syslog.h>
+# include <sys/socket.h>
+# include "error.h"
+#endif
+
#if defined (READLINE)
# include "bashline.h"
#endif
@@ -106,6 +112,9 @@ extern int array_needs_making;
extern int gnu_error_format;
extern char *primary_prompt, *secondary_prompt;
extern char *this_command_name;
+#if defined (SYSLOG_HISTORY)
+extern int cmdline_hist_sock[2];
+#endif
/* Non-zero means that this shell has already been run; i.e. you should
call shell_reinitialize () if you need to start afresh. */
@@ -223,6 +232,7 @@ int dump_po_strings; /* Dump strings in $"..." in po format */
int wordexp_only = 0; /* Do word expansion only */
int protected_mode = 0; /* No command substitution with --wordexp */
+
#if defined (STRICT_POSIX)
int posixly_correct = 1; /* Non-zero means posix.2 superset. */
#else
@@ -327,6 +337,10 @@ static void shell_reinitialize __P((void));
static void show_shell_usage __P((FILE *, int));
+#if defined (SYSLOG_HISTORY)
+static pid_t make_consumer_process __P(());
+#endif
+
#ifdef __CYGWIN__
static void
_cygwin32_check_tmp ()
@@ -369,6 +383,11 @@ main (argc, argv, env)
env = environ;
#endif /* __OPENNT */
+
+#if defined (SYSLOG_HISTORY)
+ pid_t con_pid;
+#endif
+
USE_VAR(argc);
USE_VAR(argv);
USE_VAR(env);
@@ -747,6 +766,11 @@ main (argc, argv, env)
/* Initialize terminal state for interactive shells after the
.bash_profile and .bashrc are interpreted. */
get_tty_state ();
+
+#if defined (SYSLOG_HISTORY)
+ /*fork a child for bash history logging consumption*/
+ con_pid = make_consumer_process ();
+#endif
}
#if !defined (ONESHOT)
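Review bot: The result of make_consumer_process () is stored in con_pid but not checked here, and the function returns -1 when socketpair or fork fails. In that case the interactive shell carries on with no logger and nothing is reported. If command logging is a requirement on this platform, emit at least one syslog record or warning on failure so the gap is visible.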
@@ -757,6 +781,13 @@ main (argc, argv, env)
/* Read commands until exit condition. */
reader_loop ();
+
+#if defined (SYSLOG_HISTORY)
+ if (interactive_shell && con_pid > 0) {
+ kill(con_pid, SIGKILL);
+ }
+#endif
+
exit_shell (last_command_exit_value);
}
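Review bot: kill(con_pid, SIGKILL) stops the logger child immediately, so command lines still queued in the socket when the shell leaves reader_loop are never passed to syslog, and the last commands of a session are the ones most likely to be lost. Prefer a catchable signal or an end-of-session datagram followed by waitpid, so the child can drain the queue before exiting. con_pid is also declared in main without an initialiser; set it to -1 so the con_pid > 0 test is safe on every path.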
@@ -1619,6 +1650,86 @@ set_shell_name (argv0)
shell_name = PROGRAM;
}
+
+#if defined (SYSLOG_HISTORY)
+#define SYSLOG_MAXLEN 1200
+
+/* Fork child process for bash history logging, handling errors.
+ Returns the pid of the newly made child in parent process context
+ and will not return in child process context. */
+static pid_t
+make_consumer_process ()
+{
+ pid_t pid;
+
+ if (socketpair(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0, cmdline_hist_sock) == -1)
+ {
+ return -1;
+ }
+
+
+ pid = fork ();
+ if (pid < 0)
+ {
+ return -1;
+ }
+
+ if (pid == 0)
+ {
+ int ret;
+ char *buffer;
+ int rcvbuf_size;
+ socklen_t optlen = sizeof(rcvbuf_size);
+
+#if defined (BUFFERED_INPUT)
+ unset_bash_input (0);
+#endif /* BUFFERED_INPUT */
+
+ default_tty_job_signals ();
+
+ close(cmdline_hist_sock[0]);
+
+ ret = getsockopt(cmdline_hist_sock[1], SOL_SOCKET, SO_RCVBUF, &rcvbuf_size, &optlen);
+ if (ret < 0)
+ {
+ rcvbuf_size = SYSLOG_MAXLEN;
+ }
+
+ buffer = (char *) malloc(rcvbuf_size);
+ if (buffer == NULL)
+ {
+ return -1;
+ }
+
+ do {
+ ret = recv(cmdline_hist_sock[1], buffer, rcvbuf_size, 0);
+
+ if (ret == -1 && errno == EINTR)
+ {
+ continue;
+ }
+ else if (ret < 0)
+ {
+ break;
+ }
+
+ buffer[ret] = '\0';
+
+ /*syslog this bash command line*/
+ syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PID=%d UID=%d %s",
+ getpid(), current_user.uid, buffer);
+ } while (1);
+
+ }
+ else
+ {
+ /* In the parent. */
+ close(cmdline_hist_sock[1]);
+ }
+ return (pid);
+}
+#endif /*SYSLOG_HISTORY*/
+
static void
init_interactive ()
{
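Review bot: In the child branch of make_consumer_process, the malloc-failure path does return -1, and a recv error does break and then reaches return (pid) with pid == 0. Both return into main inside the child, which contradicts the function comment and lets the child carry on executing as a second shell; these paths should call exit or _exit. Separately, recv is given the full rcvbuf_size and buffer[ret] = '\0' then writes one byte past the allocation when a datagram fills the buffer, so allocate rcvbuf_size + 1 or receive at most rcvbuf_size - 1.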
--
1.9.1

@ -0,0 +1,5 @@
TAR_NAME=cgcs-users
VERSION=1.0
COPY_LIST="${CGCS_BASE}/downloads/ibsh-0.3e.tar.gz \
${PKG_BASE}/${TAR_NAME}-${VERSION}/*"
TIS_PATCH_VER=2

@ -0,0 +1,86 @@
%define _bindir /bin
Summary: ibsh Iron Bar Shell
Name: cgcs-users
Version: 1.0
Release: 0%{?_tis_dist}.%{tis_patch_ver}
License: GPLv2+
Packager: Wind River <info@windriver.com>
Source0: ibsh-0.3e.tar.gz
Source1: admin.cmds
Source2: admin.xtns
Source3: operator.cmds
Source4: operator.xtns
Source5: secadmin.cmds
Source6: secadmin.xtns
Source7: LICENSE
Patch1: ibsh-0.3e.patch
Patch2: ibsh-0.3e-cgcs.patch
Patch3: ibsh-0.3e-cgcs-copyright.patch
%description
CGCS add default users types
%package -n cgcs-users-devel
Summary: ibsh Iron Bar Shell - Development files
Group: devel
%description -n cgcs-users-devel
This package contains symbolic links, header files, and related items
necessary for software development.
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%build
make %{?_smp_mflags} ibsh
%install
rm -rf ${RPM_BUILD_ROOT}
mkdir -p ${RPM_BUILD_ROOT}/%{_sysconfdir}/ibsh/cmds
mkdir -p ${RPM_BUILD_ROOT}/%{_sysconfdir}/ibsh/xtns
cp globals.cmds ${RPM_BUILD_ROOT}/%{_sysconfdir}/ibsh/
cp globals.xtns ${RPM_BUILD_ROOT}/%{_sysconfdir}/ibsh/
cp ${RPM_SOURCE_DIR}/admin.cmds ${RPM_BUILD_ROOT}/%{_sysconfdir}/ibsh/cmds/
cp ${RPM_SOURCE_DIR}/admin.xtns ${RPM_BUILD_ROOT}/%{_sysconfdir}/ibsh/xtns/
cp ${RPM_SOURCE_DIR}/operator.cmds ${RPM_BUILD_ROOT}/%{_sysconfdir}/ibsh/cmds/
cp ${RPM_SOURCE_DIR}/operator.xtns ${RPM_BUILD_ROOT}/%{_sysconfdir}/ibsh/xtns/
cp ${RPM_SOURCE_DIR}/secadmin.cmds ${RPM_BUILD_ROOT}/%{_sysconfdir}/ibsh/cmds/
cp ${RPM_SOURCE_DIR}/secadmin.xtns ${RPM_BUILD_ROOT}/%{_sysconfdir}/ibsh/xtns/
install -d 755 ${RPM_BUILD_ROOT}%{_bindir}
install -m 755 ibsh ${RPM_BUILD_ROOT}%{_bindir}/ibsh
%clean
rm -rf ${RPM_SOURCE_DIR}
%post
chown root ${RPM_BUILD_ROOT}/%{_sysconfdir}/ibsh
chgrp root ${RPM_BUILD_ROOT}/%{_sysconfdir}/ibsh
chown root:root ${RPM_BUILD_ROOT}/%{_sysconfdir}/ibsh/globals.*
chown root:root ${RPM_BUILD_ROOT}/%{_sysconfdir}/ibsh/cmds/admin.cmds
chown root:root ${RPM_BUILD_ROOT}/%{_sysconfdir}/ibsh/cmds/operator.cmds
chown root:root ${RPM_BUILD_ROOT}/%{_sysconfdir}/ibsh/cmds/secadmin.cmds
%files
%defattr(-,root,root,-)
%dir %{_sysconfdir}/ibsh
%dir %{_sysconfdir}/ibsh/cmds
%dir %{_sysconfdir}/ibsh/xtns
%{_sysconfdir}/ibsh/globals.cmds
%{_sysconfdir}/ibsh/globals.xtns
%{_sysconfdir}/ibsh/cmds/secadmin.cmds
%{_sysconfdir}/ibsh/cmds/operator.cmds
%{_sysconfdir}/ibsh/cmds/admin.cmds
%{_sysconfdir}/ibsh/xtns/operator.xtns
%{_sysconfdir}/ibsh/xtns/admin.xtns
%{_sysconfdir}/ibsh/xtns/secadmin.xtns
%{_bindir}/ibsh
%files -n cgcs-users-devel
%defattr(-,root,root,-)
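Review bot: The %post scriptlet addresses its targets through ${RPM_BUILD_ROOT}, which is a build-time variable and is not set when the scriptlet runs on the installed system; the chown and chgrp lines only work because the prefix expands to nothing. %defattr(-,root,root,-) in %files already gives root ownership, so %post can be dropped. Two more items in the same spec: %clean runs rm -rf ${RPM_SOURCE_DIR}, which deletes the source directory rather than the build root, and install -d 755 ${RPM_BUILD_ROOT}%{_bindir} lacks -m, so it creates a directory literally named 755 instead of setting a mode.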

@ -0,0 +1,346 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License;
they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims;
this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system;
it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation;
we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty;
and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions;
type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.


@ -0,0 +1,11 @@
# Add any commands the user may execute. Even shell commands.
# You have to allow logout and/or exit, so the user can logout!
# cd and pwd should also be allowed. Note: other shell builtin
# commands are not yet implemented!
nova
system
neutron
cinder
glance
ceilometer
heat
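Review bot: The header comment says logout and/or exit must be allowed, and that cd and pwd should be too, but none of them appears in the list, which contains only nova, system, neutron, cinder, glance, ceilometer and heat. If the shell handles these as builtins without consulting this file, update the comment to say so; otherwise add `logout` or `exit` so a restricted user can end the session by some means other than a timeout or a dropped connection.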


@ -0,0 +1,6 @@
# Add any extension the user may use.
.doc
.txt
.tgz
.tar


@ -0,0 +1,26 @@
diff --git a/config.c b/config.c
index c1087a5..add7c53 100644
--- a/config.c
+++ b/config.c
@@ -6,6 +6,8 @@
This file is part of IBSH (Iron Bars Shell) , a restricted Unix shell
Copyright (C) 2005 Attila Nagyidai
+ Copyright(c) 2013-2017 Wind River Systems, Inc. All rights reserved.
+
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
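Review bot: The added line `Copyright(c) 2013-2017 Wind River Systems, Inc. All rights reserved.` sits directly above a GPL version 2 grant, and "All rights reserved" reads as contradicting that grant; drop the phrase or reword it. Section 2a of the license text shipped in this same commit also asks modified files to carry a prominent notice stating that the file was changed and the date of the change, which a bare copyright line does not provide. The same applies to the identical hunk in main.c.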
diff --git a/main.c b/main.c
index cf3ae9e..6cda04e 100644
--- a/main.c
+++ b/main.c
@@ -6,6 +6,8 @@
This file is part of IBSH (Iron Bars Shell) , a restricted Unix shell
Copyright (C) 2005 Attila Nagyidai
+ Copyright(c) 2013-2017 Wind River Systems, Inc. All rights reserved.
+
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2


@ -0,0 +1,87 @@
Index: cgcs-users-1.0-r0/main.c
===================================================================
--- cgcs-users-1.0-r0.orig/main.c
+++ cgcs-users-1.0-r0/main.c
@@ -37,6 +37,7 @@
/* Header files */
#include "ibsh.h"
+#include "stdlib.h"
/* Main: */
/* Handle arguments, read config files, start command processing. */
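Review bot: `#include "stdlib.h"` uses the quoted form for a standard header, so the compiler searches the source directory first and would pick up any local file of that name; write it as `#include <stdlib.h>`.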
@@ -57,13 +58,28 @@
/* use our builtin code, otherwise use execve. After execve, check if the user didnt */
/* use the last command to create some illegal content. If yes, erase that. Give the */
/* notice only afterwards. */
+
+void ALRMhandler(int sig) {
+ OPENLOG;
+ syslog(LOG_INFO, "CLI timeout, user %s has logged out.", loggedin.uname);
+ CLOSELOG;
+ exit(0);
+}
+
int main(int argc, char **argv)
{
char temp[STRING_SIZE], *buf;
struct stat info;
uid_t ruid, euid;
gid_t rgid, egid;
+ unsigned int tout_cli = 0;
+ const char* tout = getenv("TMOUT");
+ if (tout)
+ tout_cli = atoi(tout);
+ else
+ //default to 5 mins
+ tout_cli = 300;
/* setuid protection */
ruid = getuid();
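Review bot: `tout_cli = atoi(tout)` takes whatever is in TMOUT without validation: a non-numeric or zero value yields 0, and `alarm(0)` cancels the timer instead of arming it, so the idle timeout is silently disabled, while a negative value converts to a very large unsigned timeout. Parse with strtoul, check the end pointer and errno, and fall back to the 300-second default (or clamp to a maximum) when the value is empty, zero or out of range. Separately, ALRMhandler calls syslog() and exit() from signal context, and neither is async-signal-safe; set a `volatile sig_atomic_t` flag in the handler and do the logging and exit from the main loop, or at minimum use _exit().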
@@ -107,6 +123,7 @@ int main(int argc, char **argv)
signal( SIGQUIT, SIG_IGN );
signal( SIGTERM, SIG_IGN );
signal( SIGTSTP, SIG_IGN );
+ signal( SIGALRM, ALRMhandler );
LoadConfig();
/* Command mode */
@@ -144,6 +161,7 @@ int main(int argc, char **argv)
/* will be allowed to run, unless it is mentioned in the */
/* config files. Files that are created with an extension */
/* that is listed in the other config file, must be deleted! */
+ alarm(tout_cli);
for ( ; ; ) {
/* Where is he ? */
getcwd(real_path, STRING_SIZE);
@@ -153,12 +171,14 @@ int main(int argc, char **argv)
}
/* We don't want the user to know where he actually is. */
/* This is the prompt! */
- printf("[%s]%% ", jail_path);
+ //printf("[%s]%% ", jail_path);
+ printf("[%s]%% ", loggedin.uname);
/* scanf("%s", user_command); */
myscanf(user_command, real_path);
+ alarm(tout_cli);
/* Command interpretation and execution. */
if ( (CommandOK(user_command, loggedin.udir, jail_path, filtered_command)) == 0 ) {
- printf("Sorry, can't let you do that!\n");
+ //printf("Sorry, can't let you do that!\n");
log_attempt(loggedin.uname); /* v0.2a */
continue;
}
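Review bot: `alarm(tout_cli)` is re-armed immediately after `myscanf` returns, so the timer keeps counting while the command is checked and executed and can fire while a permitted long-running command is still in progress, ending the session mid-command. If the intent is an idle timeout at the prompt, call `alarm(0)` once input has been read and arm the timer just before the prompt is printed. Also delete the replaced printf lines instead of leaving them as `//` comments, and confirm that removing "Sorry, can't let you do that!" is intended: a rejected command now returns to the prompt with no feedback, and only `log_attempt` records it.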
Index: cgcs-users-1.0-r0/config.c
===================================================================
--- cgcs-users-1.0-r0.orig/config.c
+++ cgcs-users-1.0-r0/config.c
@@ -166,7 +166,7 @@ int LoadConfig( void )
// Delete '\n'
tmp2[i][strlen(tmp2[i]) - 1] = '\0';
strncpy(extensions[i],tmp2[i],strlen(tmp2[i]));
- printf("EXTENSIONS %s\n",extensions[i]);
+ //printf("EXTENSIONS %s\n",extensions[i]);
i++;
}
}
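Review bot: The debug `printf("EXTENSIONS %s\n",extensions[i]);` should be deleted outright, not left commented out. While this block is being touched, the context line `strncpy(extensions[i],tmp2[i],strlen(tmp2[i]));` bounds the copy by the source length, which neither limits it to the size of `extensions[i]` nor writes a terminating NUL, and `tmp2[i][strlen(tmp2[i]) - 1]` indexes position -1 on an empty line; bound the copy by the destination size, terminate explicitly, and skip empty lines.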


@ -0,0 +1,860 @@
Index: cgcs-users-1.0-r0/AUTHORS.orig
===================================================================
--- /dev/null
+++ cgcs-users-1.0-r0/AUTHORS.orig
@@ -0,0 +1,15 @@
+AUTHORS OF PROJECT IBSH
+
+Attila Nagyidai <attila at ibsh.net>
+ * Original program author, project admin, developer.
+
+Shy <shy at ibsh.net>
+ * Developer, debugger, tester, and many more.
+
+Witzy <witzy at ibsh.net>
+ * Developer, debugger, tester, and many more.
+
+http://www.ibsh.net
+irc:
+irc.freenode.net #ibsh
+irc.geek-power.org #ibsh
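Review bot: AUTHORS.orig, like the BUGS.orig, ChangeLog.orig, CONTRIBUTORS.orig and COPYING.orig files that follow, is created from /dev/null with a `.orig` suffix, which is the name patch tools give to backup copies; these look like leftovers captured when the patch was regenerated, not intended content. Drop them from the patch so it carries only the functional changes, which also avoids shipping a second 340-line copy of the GPL inside a patch file.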
Index: cgcs-users-1.0-r0/BUGS.orig
===================================================================
--- /dev/null
+++ cgcs-users-1.0-r0/BUGS.orig
@@ -0,0 +1,19 @@
+** Open BUGS **
+None, so far.
+
+** Fixed BUGS **
+- Input length checking on all inputs, string copies, etc. is fixed.
+- The myscanf function will no longer accept more then 80 chars at once,
+so ibsh hopefully wont crash on a too long input.
+- Added signal.h in the header file, the lack of it caused compilation
+problems on some systems.
+- Fixed the infinite loop in DelBadFiles. This function is temporarily
+taken out of the project
+- Removed the involvment of /bin/sh from system. Added path checking.
+- In jail root, not only ../ is not allowed, but .. too.
+- Fixed a bug, that happened on bsd, when the user pressed ^D.
+- Fixed a bug with opendir
+- Fixed a format string vulnerability in logprintbadfile(). Thanks to
+Kim Streich for the report.
+
+2005.05.23
Index: cgcs-users-1.0-r0/ChangeLog.orig
===================================================================
--- /dev/null
+++ cgcs-users-1.0-r0/ChangeLog.orig
@@ -0,0 +1,34 @@
+0.3e - a buffer overflow and a string bug, both found by RazoR (Nikolay Alexandrov), fixed.
+0.3d - a format string vulnerability, found by Kim Streich, is fixed.
+0.3b-0.3c - bugfixes.
+0.3a - The admin has the opportunity, to create separate cmds file for each user.
+ This way the sysadmin has complete control over sensitive applications, which
+ should only be allowed to a selected few.
+ - The admin has the opportunity, to create separate xtns file for each user.
+ - The extensions policy has been changed. Now both globals.xtns and the user
+ extension files will list the extensions, that are _allowed_ ! In earlier versions,
+ the forbidden extensions were listed, that is allow everything, except to deny a few.
+ From this version on, it's deny everything, except allow the ones, listed in these files.
+ - While the code for the search of illegal/dangerous material stored in user space is
+ back, it will not erase any files any more. Instead, it will remove all
+ rights from that file, so it can not be executed, or read. Files, with the +x bit set,
+ will be chmodded to -x. This is another "defense line" to stop the user to execute
+ programs, stored in user space.
+ - The access to all linux binaries, and source code files, stored in user space, if any,
+ will be blocked.
+ - Absolute path for restricted users can not be longer then 255 characters. All files,
+ that are longer (with full path), will be renamed.
+ - Minor bug fixes.
+
+0.2a - Major bug fixes.
+ - User activities are logged with syslog.
+ - hhsytem revised, hardened. /bin/sh isnt involved anymore into program starting.
+ If the home directory is in the PATH, it's ignored.
+ - erasing illegal content is temporarily suspended and removed.
+
+0.1b - Major bug fixes.
+ - The config files are accidentally missing from this release!
+
+0.1a - The first version of the program.
+
+2005.05.23.
Index: cgcs-users-1.0-r0/CONTRIBUTORS.orig
===================================================================
--- /dev/null
+++ cgcs-users-1.0-r0/CONTRIBUTORS.orig
@@ -0,0 +1,7 @@
+CONTRIBUTORS TO PROJECT IBSH
+
+Kim Streich <kstreich at gmail.com>
+ * bug finder, debugger, tester.
+
+RazoR (Nikolay Alexandrov) <Nikolay@Alexandrov.ws>
+ * bug finder, debugger, tester.
Index: cgcs-users-1.0-r0/COPYING.orig
===================================================================
--- /dev/null
+++ cgcs-users-1.0-r0/COPYING.orig
@@ -0,0 +1,340 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
Index: cgcs-users-1.0-r0/COPYRIGHT.orig
===================================================================
--- /dev/null
+++ cgcs-users-1.0-r0/COPYRIGHT.orig
@@ -0,0 +1,17 @@
+This file is part of IBSH (Iron Bars Shell) , a restricted Unix shell
+Copyright (C) 2005 Attila Nagyidai
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
Index: cgcs-users-1.0-r0/INSTALL.orig
===================================================================
--- /dev/null
+++ cgcs-users-1.0-r0/INSTALL.orig
@@ -0,0 +1,23 @@
+Installing ibsh is really easy, so no need for the usual sections
+in this document. There is no configure script either, so if
+something wrong, make will fail.
+
+# make ibsh
+# make ibsh_install
+
+Optionally:
+
+# make clean
+
+
+To uninstall ibsh:
+
+# make ibsh_uninstall
+
+
+Of course you will have to enable this shell by:
+# echo /bin/ibsh >> /etc/shells
+or however you like it.
+And make sure the permissions read 0755 !
+
+2005.03.24.
Index: cgcs-users-1.0-r0/main.c.orig
===================================================================
--- /dev/null
+++ cgcs-users-1.0-r0/main.c.orig
@@ -0,0 +1,233 @@
+/*
+ Created: 03.19.05 11:34:57 by Attila Nagyidai
+
+ $Id: C\040Console.c,v 1.1.2.1 2003/08/13 00:38:46 neum Exp $
+
+ This file is part of IBSH (Iron Bars Shell) , a restricted Unix shell
+ Copyright (C) 2005 Attila Nagyidai
+
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License
+ as published by the Free Software Foundation; either version 2
+ of the License, or (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+ Author: Attila Nagyidai
+ Email: na@ent.hu
+
+ Co-Author: Shy
+ Email: shy@cpan.org
+
+ Co-Author: Witzy
+ Email: stazzz@altern.org
+
+ URL: http://ibsh.sourceforge.net
+ IRC: irc.freenode.net #ibsh
+ RSS, Statistics, etc: http://sourceforge.net/projects/ibsh/
+
+*/
+
+/* Header files */
+#include "ibsh.h"
+
+/* Main: */
+/* Handle arguments, read config files, start command processing. */
+/* IBSH doesnt use any command line arguments, but my text editor */
+/* uses this code in all new c files to create. And i didnt have the */
+/* heart to remove it. ;p */
+/* Technical Description: */
+/* Get the passwd entry for the user. The uid is easily aquired, since */
+/* it is the real user id. After that, grab the passwd file entry upon */
+/* the id, and copy the information to the loggedin struct. */
+/* Add some signal handlers too. */
+/* The infinite loop: */
+/* Get the current directory, the full path. Compute the jailpath from that, */
+/* that is the directories below the users homedir, which is the jail root. */
+/* The jail ceiling if you like. Print some prompt to the user with the jailpath, */
+/* and read stdin for incoming commands. Filter out the bad commands, typos, the */
+/* not allowed commands. It the command is ok, execute it. If it is a shell builtin, */
+/* use our builtin code, otherwise use execve. After execve, check if the user didnt */
+/* use the last command to create some illegal content. If yes, erase that. Give the */
+/* notice only afterwards. */
+int main(int argc, char **argv)
+{
+ char temp[STRING_SIZE], *buf;
+ struct stat info;
+ uid_t ruid, euid;
+ gid_t rgid, egid;
+
+
+ /* setuid protection */
+ ruid = getuid();
+ euid = geteuid();
+ rgid = getgid();
+ egid = getegid();
+ if ( (ruid!=euid) || (ruid==0) || (euid==0) || (rgid!=egid) || (rgid==0) || (egid==0) ) {
+ OPENLOG;
+ syslog(LOG_ERR, "setuid/setgid violation!");
+ CLOSELOG;
+ printf("ibsh: setuid/setgid violation!! exiting...\n");
+#ifdef DEBUG
+ printf("ruid: %d;euid: %d;rgid: %d;egid: %d\n", ruid,euid,rgid,egid);
+#endif
+ exit(0);
+ }
+
+ /* To Do: The code of your application goes here */
+ /* First part: */
+ /* Get essential information about the user who got this shell: */
+ /* first the username, then the user id. Upon this, retrieve the */
+ /* user's record in the passwd file. */
+ bzero(&loggedin, sizeof(loggedin));
+ loggedin.uid = getuid();
+ loggedin.record = getpwuid(loggedin.uid);
+ if ( loggedin.record == NULL ) {
+ loggedin.record = getpwnam(loggedin.uname);
+ if ( loggedin.record == NULL ) {
+ openlog(loggedin.uname, LOG_PID, LOG_AUTH);
+ syslog(LOG_ERR, "Can not obtain user information");
+ printf("Can not obtain user information\n");
+ closelog();
+ exit(0);
+ }
+ }
+ strncpy(loggedin.uname, loggedin.record->pw_name, PAM_SIZE);
+ strncpy(loggedin.udir, loggedin.record->pw_dir, STRING_SIZE);
+
+ /* Second part: */
+ /* Handle some signal catching. Read the configuration files. */
+ signal( SIGINT, SIG_IGN );
+ signal( SIGQUIT, SIG_IGN );
+ signal( SIGTERM, SIG_IGN );
+ signal( SIGTSTP, SIG_IGN );
+ LoadConfig();
+
+ /* Command mode */
+ if(argc == 3) {
+ if ( argv[1][1] == 'c' ) {
+ if ( CommandOK(argv[2], loggedin.udir, "/", filtered_command) == 1) {
+ exitcode = hhsystem(filtered_command);
+ OPENLOG;
+ syslog(LOG_INFO, "command %s ordered, command %s has been executed.",
+ argv[2], filtered_command);
+ printf("command %s ordered, command %s has been executed.\n",
+ argv[2], filtered_command);
+ CLOSELOG;
+ exit(exitcode);
+ }
+ printf("CommandOK failed (%s/%s)\n", loggedin.udir, filtered_command);
+ exit(0);
+ }
+ else {
+ printf("Invalid are (%s)\n", argv[1]);
+ exit(0);
+ }
+ }
+
+ OPENLOG;
+ syslog(LOG_INFO, "user %s has logged in.", loggedin.uname);
+ CLOSELOG;
+
+
+#ifdef INCLUDE_DELETE_BAD_FILES
+ DelBadFiles(loggedin.udir);
+#endif
+ if ( chdir (loggedin.udir) < 0 )
+ return -1;
+
+
+ /* Third part: */
+ /* Start reading and processing the user issued commands. */
+ /* Split the command by the spaces, filter out anything, */
+ /* that would allow the user to access files outside the */
+ /* jail. Filter out multiples and pipes as well. No program */
+ /* will be allowed to run, unless it is mentioned in the */
+ /* config files. Files that are created with an extension */
+ /* that is listed in the other config file, must be deleted! */
+ for ( ; ; ) {
+ /* Where is he ? */
+ if ( getcwd(real_path, STRING_SIZE) == NULL )
+ return -1;
+ GetPositionInJail(real_path, loggedin.udir, jail_path);
+ if ( (strlen(jail_path)) == 0 ) {
+ strncpy(jail_path, "/", 2);
+ }
+ /* We don't want the user to know where he actually is. */
+ /* This is the prompt! */
+ printf("[%s]%% ", jail_path);
+ /* scanf("%s", user_command); */
+ myscanf(user_command, real_path);
+ /* Command interpretation and execution. */
+ if ( (CommandOK(user_command, loggedin.udir, jail_path, filtered_command)) == 0 ) {
+ printf("Sorry, can't let you do that!\n");
+ log_attempt(loggedin.uname); /* v0.2a */
+ continue;
+ }
+ /* If the user issued command starts with a shell builtin. */
+ bzero(temp, strlen(temp));
+ if ( (buf = strstr(filtered_command, "cd")) != NULL ) {
+ if ( (strcmp(buf, filtered_command)) == 0 ) {
+ LTrim3(filtered_command, temp);
+ if ( (strcmp(temp, real_path)) != 0 ) {
+ if ( (strcmp(temp, "..")) == 0 ) {
+ PathMinusOne(jail_path, temp, 1,sizeof(temp));
+ }
+ if ( (strcmp(temp, "/")) == 0 ) {
+ strncpy(temp, loggedin.udir, LINE_SIZE);
+ }
+ exitcode = chdir(temp);
+ if ( exitcode == -1 ) {
+ printf("ibsh: cd: %s: No such file or directory\n", temp);
+ }
+ }
+ continue;
+ }
+ }
+ else if ( (buf = strstr(filtered_command, "pwd")) != NULL ) {
+ if ( (strcmp(buf, filtered_command)) == 0 ) {
+ printf("%s\n", jail_path);
+ continue;
+ }
+ }
+ else if ( (buf = strstr(filtered_command, "logout")) != NULL ) {
+ if ( (strcmp(buf, filtered_command)) == 0 ) {
+ OPENLOG;
+ syslog(LOG_INFO, "user %s has logged out.", loggedin.uname);
+ CLOSELOG;
+ break;
+ }
+ }
+ else if ( (buf = strstr(filtered_command, "exit")) != NULL ) {
+ if ( (strcmp(buf, filtered_command)) == 0 ) {
+ OPENLOG;
+ syslog(LOG_INFO, "user %s has logged out.", loggedin.uname);
+ printf("user %s has logged out\n", loggedin.uname);
+ CLOSELOG;
+ break;
+ }
+ }
+ else {
+ exitcode = hhsystem(filtered_command);
+ if ( exitcode < 0 ) {
+ printf("%s\n", strerror(errno));
+ }
+ }
+ if ( getcwd(real_path, STRING_SIZE) == NULL )
+ return -1;
+#ifdef INCLUDE_BAD_FILES
+ DelBadFiles(loggedin.udir);
+#endif
+ if ( chdir (real_path) < 0 )
+ return 1;
+ }
+ return 0;
+}
+
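Review bot: In the interactive loop the builtin dispatch is an if / else-if chain keyed on strstr(), so a command that merely contains "cd" somewhere after its first character (a file name argument, for instance) enters the first branch, fails the inner strcmp(), and leaves the chain without reaching the final else that calls hhsystem(): the command is silently dropped. The inner test also only proves that the command starts with the builtin name, so anything beginning with "cd", "pwd", "logout" or "exit" is handled as that builtin. Compare the first whitespace-delimited token against each builtin with an exact match and fall through to hhsystem() otherwise. Smaller points in the same hunk: bzero(temp, strlen(temp)) runs strlen() over an uninitialised stack buffer and should be bzero(temp, sizeof(temp)); the getpwnam(loggedin.uname) fallback looks up an empty name because loggedin was just zeroed; the strncpy() calls into loggedin.uname and loggedin.udir leave the destination unterminated when the source is at least as long as the limit, unless the arrays are declared larger than the limit passed; command mode tests argv[1][1] == 'c' without checking argv[1][0] or that argv[1] has two characters; the setuid/setgid violation path ends in exit(0), which reports success to the caller; and the two DelBadFiles() calls are guarded by different macros (INCLUDE_DELETE_BAD_FILES and INCLUDE_BAD_FILES), so a build that defines only one of them runs the cleanup at login or after each command but not both.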
Index: cgcs-users-1.0-r0/Makefile.orig
===================================================================
--- /dev/null
+++ cgcs-users-1.0-r0/Makefile.orig
@@ -0,0 +1,56 @@
+# This is the makefile for ibsh 0.3e
+CC = gcc -g -O3
+OBJECTS = main.o command.o jail.o execute.o config.o misc.o antixploit.o delbadfiles.o
+
+all ibsh: ${OBJECTS} ibsh.h
+ ${CC} -o ibsh ${OBJECTS}
+
+main.o: main.c ibsh.h
+ ${CC} -c main.c
+
+command.o: command.c ibsh.h
+ ${CC} -c command.c
+
+jail.o: jail.c ibsh.h
+ ${CC} -c jail.c
+
+execute.o: execute.c ibsh.h
+ ${CC} -c execute.c
+
+config.o: config.c ibsh.h
+ ${CC} -c config.c
+
+misc.o: misc.c ibsh.h
+ ${CC} -c misc.c
+
+antixploit.o: antixploit.c ibsh.h
+ ${CC} -c antixploit.c
+
+delbadfiles.o: delbadfiles.c ibsh.h
+ ${CC} -c delbadfiles.c
+
+ibsh_install:
+ cp ./ibsh /bin/
+ mkdir /etc/ibsh
+ mkdir /etc/ibsh/cmds
+ mkdir /etc/ibsh/xtns
+ cp ./globals.cmds /etc/ibsh/
+ cp ./globals.xtns /etc/ibsh/
+
+ibsh_uninstall:
+ rm -rf /etc/ibsh/globals.cmds
+ rm -rf /etc/ibsh/globals.xtns
+ rm -rf /etc/ibsh/cmds/*.*
+ rm -rf /etc/ibsh/xtns/*.*
+ rmdir /etc/ibsh/cmds
+ rmdir /etc/ibsh/xtns
+ rmdir /etc/ibsh
+ rm -rf /bin/ibsh
+
+clean:
+ rm -rf ibsh
+ rm -rf *.o
+
+
+# 13:49 2005.04.06.
+
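Review bot: The ibsh_install target uses plain cp and mkdir, so the resulting modes depend on the source files and the installer's umask, while INSTALL asks for 0755 on the binary. Use install -m 0755 for ibsh, install -d -m 0755 for /etc/ibsh, /etc/ibsh/cmds and /etc/ibsh/xtns, and install -m 0644 for globals.cmds and globals.xtns, so the allowlists a restricted user is held to cannot end up group- or world-writable. mkdir without -p also makes a repeated install fail. In ibsh_uninstall, rm -rf /etc/ibsh/cmds/*.* and /etc/ibsh/xtns/*.* only match names containing a dot, so any per-user file without one survives and the following rmdir fails. CC = gcc -g -O3 enables no warnings; for a shell that parses untrusted input, -Wall -Wextra would be worth adding, and the flags belong in CFLAGS rather than in CC.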
Index: cgcs-users-1.0-r0/README.orig
===================================================================
--- /dev/null
+++ cgcs-users-1.0-r0/README.orig
@@ -0,0 +1,29 @@
+ Iron Bars SHell - a restricted interactive shell.
+
+Overview
+
+ For long i have been in the search of a decent restricted shell, but in vain.
+ The few i found, were really easy to hack, and there were quite a few docs
+ around on the web about hacking restricted shells with a menu interface.
+ For my definitions, a restricted shell must not only prevent the user to
+ escape her jail, but also not to access any files outside the jail.
+ The system administrator must have total control over the restricted shell.
+ These are the major features incorporated and realized by ibsh.
+
+
+Features
+
+ Please read the changelog.
+
+
+Installation
+
+ Read the INSTALL file.
+
+
+Contact
+ See Authors file.
+
+
+Attila Nagyidai
+2005.05.23.
Index: cgcs-users-1.0-r0/Release.orig
===================================================================
--- /dev/null
+++ cgcs-users-1.0-r0/Release.orig
@@ -0,0 +1,17 @@
+This release introduces minor bugfixes, and important new and renewed features.
+Erasing evil files in the home directory of the user is incorporated again, with
+many improvements. First of all: no file will be erased! Only the access to them
+will be blocked. The extension policy has changed, now ibsh blocks those extensions,
+that are NOT listed. This goes in sync with the usual method of operation of ibsh.
+The execute permission of files in the user space, will be removed.
+New customizing features were added: each user now can have her own commands and
+extensions file, created and maintained by the system administrator. Some users
+(employees) may require access to special programs. User configuration files allow
+this access only those, who need it, not for everybody.
+Ibsh now scans not only the extensions of files, but the content too! Whatever the permission
+for a certain file exists, if that contains source code, or is a linux binary, access
+will be blocked.
+The absolute path for the users is now limited to 255 characters. Longer, already
+existing filenames will be renamed.
+
+06/04/2005
Index: cgcs-users-1.0-r0/TODO.orig
===================================================================
--- /dev/null
+++ cgcs-users-1.0-r0/TODO.orig
@@ -0,0 +1,10 @@
+TODO
+
+ - tab completion.
+ - shell variables.
+ - some changes to the prompt, maybe variable prompt.
+ - history
+ - to be able to use corporate, or other large/complicated programs in a safe
+ working environment, yet be able to share files/work with others.
+
+2005.05.23.


@ -0,0 +1,7 @@
# Add any commands the user may execute. Even shell commands.
# You have to allow logout and/or exit, so the user can logout!
# cd and pwd should also be allowed. Note: other shell builtin
# commands are not yet implemented!
touch
vi
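Review bot: The header comment says logout and/or exit have to be allowed and that cd and pwd should be, but the list below it contains only touch and vi. Either add those entries or reword the comment to say they are accepted as builtins without being listed, so an administrator copying this file does not leave users in a session they cannot end.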


@ -0,0 +1,4 @@
# Add any extension the user may use.
.doc
.txt


@ -0,0 +1,12 @@
# Add any commands the user may execute. Even shell commands.
# You have to allow logout and/or exit, so the user can logout!
# cd and pwd should also be allowed. Note: other shell builtin
# commands are not yet implemented!
#
touch
tar
scp
sftp
ssh
vi
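Review bot: tar, scp, sftp, ssh and vi in this allowlist can each start other programs or read and write whatever paths the user names, so allowing them hands the jail boundary to those tools' own options rather than to ibsh's command filter. If they are required, state in the header which restricted or wrapper variants are expected and what argument filtering the shell applies to them; otherwise trim the list to commands that can do neither.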


@ -0,0 +1,6 @@
# Add any extension the user may use.
.doc
.txt
.tgz
.tar


@ -0,0 +1,16 @@
Metadata-Version: 1.1
Name: resource-agents
Version: 3.9.5
Summary: Open Source HA Reusable Cluster Resource Scripts
Home-page:
Author:
Author-email:
License: GPLv2+ and LGPLv2+
Description:
A set of scripts to interface with several services to operate in a
High Availability environment for both Pacemaker and rgmanager
service managers.
Platform: UNKNOWN


@ -0,0 +1 @@
TIS_PATCH_VER=12


@ -0,0 +1,28 @@
From 2bc73669b8de70bf32d2f786b158738506e480ff Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 15:11:59 -0400
Subject: [PATCH 08/10] WRS:
0001-Update-package-versioning-for-TIS-format.patch
Conflicts:
SPECS/resource-agents.spec
---
SPECS/resource-agents.spec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec
index 6be3418..28a8129 100644
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
@@ -48,7 +48,7 @@
Name: resource-agents
Summary: Open Source HA Reusable Cluster Resource Scripts
Version: 3.9.5
-Release: 105%{?dist}
+Release: 105.el7%{?_tis_dist}.%{tis_patch_ver}
License: GPLv2+, LGPLv2+ and ASL 2.0
URL: https://github.com/ClusterLabs/resource-agents
%if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
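Review bot: The new Release line hard-codes el7 in place of %{?dist} and expands %{tis_patch_ver} without the ? guard, so a build where that macro is not defined puts the literal text %{tis_patch_ver} into the release string instead of failing or falling back. Use %{?tis_patch_ver} with a default, or fail the build explicitly when it is missing, and say in the commit message where tis_patch_ver and _tis_dist are expected to be defined. The commit message also still carries a leftover Conflicts: block.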
--
1.9.1


@ -0,0 +1,27 @@
From d48b31c66589b0c5a9831dcf4123a80fa8ccd89a Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Tue, 6 Mar 2018 12:19:53 -0600
Subject: [PATCH 1/1] Disable creation of the debug package as it causes a seg
fault in dwz
---
SPECS/resource-agents.spec | 3 +++
1 file changed, 3 insertions(+)
diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec
index 2536cb7..e5fbbeb 100644
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
@@ -35,6 +35,9 @@
} || %{?__transaction_systemd_inhibit:1}%{?!__transaction_systemd_inhibit:0}%{nil \
} || %(test -f /usr/lib/os-release; test $? -ne 0; echo $?))
+# Disable debug package, it currently triggers a segfault in dwz tool
+%define debug_package %{nil}
+
%global upstream_prefix ClusterLabs-resource-agents
%global upstream_version 5434e96
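Review bot: %define debug_package %{nil} drops debuginfo for the whole package to work around a crash in one build tool, and neither the added comment nor the commit message names the dwz version or a tracking bug, so nobody will know when the workaround can be removed. Put that reference next to the define, prefer %global over %define for a spec-wide setting, and check whether skipping only the dwz step would be enough, since shipping no debuginfo makes crash analysis of this package in the field harder.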
--
1.8.3.1


@ -0,0 +1,32 @@
From 231334d30e9ad3f32dc915f973c71ac18d9c8191 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 15:11:59 -0400
Subject: [PATCH 05/10] WRS: Fix-VG-activity-bug-in-heartbeat-LVM-script.patch
---
SPECS/resource-agents.spec | 2 ++
1 file changed, 2 insertions(+)
diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec
index 28b6e50..832d588 100644
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
@@ -247,6 +247,7 @@ Patch1111: pgsql.patch
Patch1113: create-var-run-resource-agents.patch
Patch1114: notify-rmon-of-shutdown-before-shutting-down.patch
+Patch1115: Fix-VG-activity-bug-in-heartbeat-LVM-script.patch
Obsoletes: heartbeat-resources <= %{version}
Provides: heartbeat-resources = %{version}
@@ -551,6 +552,7 @@ exit 1
%patch1113 -p1
%patch1114 -p1
+%patch1115 -p1
%build
if [ ! -f configure ]; then
--
1.9.1


@ -0,0 +1,33 @@
From c4165b39531872b7b56d497c4ebd86b5d1d79800 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Wed, 25 Oct 2017 16:18:02 -0400
Subject: [PATCH]
Modify-error-code-of-bz1454699-fix-to-prevent-inactive-controller-reboot-loop
---
SPECS/resource-agents.spec | 2 ++
1 file changed, 2 insertions(+)
diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec
index 19580ef..2536cb7 100644
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
@@ -252,6 +252,7 @@ Patch1116: ocf-shellfuncs_change_logtag.patch
Patch1117: lvm_cleanup_refs_on_stop.patch
Patch1118: ipaddr2_if_down.patch
Patch1119: ipaddr2_ignore_lo_if_state.patch
+Patch1120: Modify-error-code-of-bz1454699-fix-to-prevent-inactive-controller-reboot-loop.patch
Obsoletes: heartbeat-resources <= %{version}
Provides: heartbeat-resources = %{version}
@@ -561,6 +562,7 @@ exit 1
%patch1117 -p1
%patch1118 -p1
%patch1119 -p1
+%patch1120 -p1
%build
if [ ! -f configure ]; then
--
1.9.1


@ -0,0 +1,12 @@
spec-include-TiS-patches.patch
spec-avoid-dir-collisions.patch
spec-add-create-var-run-resource-agents.patch
spec-notify-rmon-of-shutdown-before-shutting-down.patch
Fix-VG-activity-bug-in-heartbeat-LVM-script.patch
spec-include-tis-logtag-patch.patch
spec-lvm-cleanup-refs-on-stop.patch
0001-Update-package-versioning-for-TIS-format.patch
ipaddr2-if-down.patch
spec-add-ipaddr2-ignore-lo-state.patch
Modify-error-code-of-bz1454699-fix-to-prevent-inactive-controller-reboot-loop.patch
Disable-creation-of-the-debug-package.patch


@ -0,0 +1,32 @@
From 1c5dc7640e843a553df5663305a739fc0c7aa9e1 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 15:11:59 -0400
Subject: [PATCH 09/10] WRS: ipaddr2-if-down.patch
---
SPECS/resource-agents.spec | 2 ++
1 file changed, 2 insertions(+)
diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec
index 28a8129..71d6cc4 100644
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
@@ -250,6 +250,7 @@ Patch1114: notify-rmon-of-shutdown-before-shutting-down.patch
Patch1115: Fix-VG-activity-bug-in-heartbeat-LVM-script.patch
Patch1116: ocf-shellfuncs_change_logtag.patch
Patch1117: lvm_cleanup_refs_on_stop.patch
+Patch1118: ipaddr2_if_down.patch
Obsoletes: heartbeat-resources <= %{version}
Provides: heartbeat-resources = %{version}
@@ -557,6 +558,7 @@ exit 1
%patch1115 -p1
%patch1116 -p1
%patch1117 -p1
+%patch1118 -p1
%build
if [ ! -f configure ]; then
--
1.9.1


@ -0,0 +1,32 @@
From bc7c08fdf1a415af73757a4fc86e5c35fe9ab3f8 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 15:11:59 -0400
Subject: [PATCH 03/10] WRS: spec-add-create-var-run-resource-agents.patch
---
SPECS/resource-agents.spec | 2 ++
1 file changed, 2 insertions(+)
diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec
index 52c3c93..ba7af5b 100644
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
@@ -245,6 +245,7 @@ Patch1109: umount-in-namespace.patch
Patch1110: lvm_vg_activation.patch
Patch1111: pgsql.patch
+Patch1113: create-var-run-resource-agents.patch
Obsoletes: heartbeat-resources <= %{version}
Provides: heartbeat-resources = %{version}
@@ -547,6 +548,7 @@ exit 1
%patch1110 -p1
%patch1111 -p1
+%patch1113 -p1
%build
if [ ! -f configure ]; then
--
1.9.1


@ -0,0 +1,32 @@
From 389034e186f6dfabdfa4bb75671a3f21d448bcbb Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 15:11:59 -0400
Subject: [PATCH 10/10] WRS: spec-add-ipaddr2-ignore-lo-state.patch
---
SPECS/resource-agents.spec | 2 ++
1 file changed, 2 insertions(+)
diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec
index 71d6cc4..460fc8f 100644
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
@@ -251,6 +251,7 @@ Patch1115: Fix-VG-activity-bug-in-heartbeat-LVM-script.patch
Patch1116: ocf-shellfuncs_change_logtag.patch
Patch1117: lvm_cleanup_refs_on_stop.patch
Patch1118: ipaddr2_if_down.patch
+Patch1119: ipaddr2_ignore_lo_if_state.patch
Obsoletes: heartbeat-resources <= %{version}
Provides: heartbeat-resources = %{version}
@@ -559,6 +560,7 @@ exit 1
%patch1116 -p1
%patch1117 -p1
%patch1118 -p1
+%patch1119 -p1
%build
if [ ! -f configure ]; then
--
1.9.1


@ -0,0 +1,56 @@
From 72fdb47d6d79b950fc900c88d77605911cdcb4b1 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 15:11:58 -0400
Subject: [PATCH 02/10] WRS: spec-avoid-dir-collisions.patch
---
SPECS/resource-agents.spec | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec
index 453398a..52c3c93 100644
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
@@ -642,14 +642,15 @@ rm -rf %{buildroot}
%endif
%if %{with linuxha}
-%dir /usr/lib/ocf
-%dir /usr/lib/ocf/resource.d
-%dir /usr/lib/ocf/lib
+#%dir /usr/lib/ocf
+#%dir /usr/lib/ocf/resource.d
+#%dir /usr/lib/ocf/lib
-/usr/lib/ocf/lib/heartbeat
+/usr/lib/ocf/lib/heartbeat/*
-/usr/lib/ocf/resource.d/heartbeat
-/usr/lib/ocf/resource.d/openstack
+/usr/lib/ocf/resource.d/heartbeat/*
+/usr/lib/ocf/resource.d/heartbeat/.ocf-*
+/usr/lib/ocf/resource.d/openstack/*
%if %{with rgmanager}
/usr/lib/ocf/resource.d/redhat
%endif
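Review bot: Switching the entries to globs such as /usr/lib/ocf/lib/heartbeat/* and commenting out the %dir lines leaves /usr/lib/ocf, its lib and resource.d subdirectories, and the heartbeat and openstack directories themselves listed by nothing in this hunk, so this package no longer records their owner and mode and rpm -V will not check them. If another package is meant to own them, add a Requires on it and say so in the commit message; if not, keep the %dir entries. Delete the old lines rather than leaving them as #%dir comments, and note that /usr/lib/ocf/resource.d/redhat a few lines down is still listed as a bare directory, which is inconsistent with the new style.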
@@ -669,7 +670,7 @@ rm -rf %{buildroot}
%{_includedir}/heartbeat
-%dir %attr (1755, root, root) %{_var}/run/resource-agents
+#%dir %attr (1755, root, root) %{_var}/run/resource-agents
%{_mandir}/man7/*.7*
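Review bot: Commenting out %dir %attr (1755, root, root) %{_var}/run/resource-agents means RPM no longer creates that directory or enforces its root ownership and 1755 mode; whatever creates it at run time now has to set both, and nothing in this hunk shows that. Point to the replacement in the commit message (the spec elsewhere in this series lists create-var-run-resource-agents.patch) and confirm it applies the same owner and mode, since resource agents keep their state files there.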
@@ -780,7 +781,7 @@ rm -rf %{buildroot}
%exclude %{_mandir}/man8/ldirectord.8.gz
# For compatability with pre-existing agents
-%dir %{_sysconfdir}/ha.d
+#%dir %{_sysconfdir}/ha.d
%{_sysconfdir}/ha.d/shellfuncs
%{_libexecdir}/heartbeat
--
1.9.1


@ -0,0 +1,50 @@
From 8d7740777cbbcdfa00f3e12b7e292aca2b696137 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 15:11:58 -0400
Subject: [PATCH 01/10] WRS: spec-include-TiS-patches.patch
---
SPECS/resource-agents.spec | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec
index db6b69c..453398a 100644
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
@@ -236,6 +236,16 @@ Patch175: bz1449681-2-saphana-saphanatopology-update-0.152.21.patch
Patch176: bz1342376-2-rabbitmq-cluster-backup-and-restore-users-policies.patch
Patch177: bz1342376-3-rabbitmq-cluster-backup-and-restore-users-policies.patch
+# WRS
+Patch1105: filesystem_rmon.patch
+Patch1106: new_ocf_return_codes.patch
+Patch1107: ipaddr2_check_if_state.patch
+Patch1108: copyright.patch
+Patch1109: umount-in-namespace.patch
+Patch1110: lvm_vg_activation.patch
+Patch1111: pgsql.patch
+
+
Obsoletes: heartbeat-resources <= %{version}
Provides: heartbeat-resources = %{version}
@@ -528,6 +538,16 @@ exit 1
%patch176 -p1
%patch177 -p1
+# WRS
+%patch1105 -p1
+%patch1106 -p1
+%patch1107 -p1
+%patch1108 -p1
+%patch1109 -p1
+%patch1110 -p1
+%patch1111 -p1
+
+
%build
if [ ! -f configure ]; then
./autogen.sh
--
1.9.1


@ -0,0 +1,32 @@
From 80e779cf7c6f667ccca0d91c13229520649e2920 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 15:11:59 -0400
Subject: [PATCH 06/10] WRS: spec-include-tis-logtag-patch.patch
---
SPECS/resource-agents.spec | 2 ++
1 file changed, 2 insertions(+)
diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec
index 832d588..e3a7ce1 100644
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
@@ -248,6 +248,7 @@ Patch1111: pgsql.patch
Patch1113: create-var-run-resource-agents.patch
Patch1114: notify-rmon-of-shutdown-before-shutting-down.patch
Patch1115: Fix-VG-activity-bug-in-heartbeat-LVM-script.patch
+Patch1116: ocf-shellfuncs_change_logtag.patch
Obsoletes: heartbeat-resources <= %{version}
Provides: heartbeat-resources = %{version}
@@ -553,6 +554,7 @@ exit 1
%patch1113 -p1
%patch1114 -p1
%patch1115 -p1
+%patch1116 -p1
%build
if [ ! -f configure ]; then
--
1.9.1


@ -0,0 +1,32 @@
From 273da7710af8e7fbaf39eb1d31872089b77f0b0b Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 15:11:59 -0400
Subject: [PATCH 07/10] WRS: spec-lvm-cleanup-refs-on-stop.patch
---
SPECS/resource-agents.spec | 2 ++
1 file changed, 2 insertions(+)
diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec
index e3a7ce1..6be3418 100644
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
@@ -249,6 +249,7 @@ Patch1113: create-var-run-resource-agents.patch
Patch1114: notify-rmon-of-shutdown-before-shutting-down.patch
Patch1115: Fix-VG-activity-bug-in-heartbeat-LVM-script.patch
Patch1116: ocf-shellfuncs_change_logtag.patch
+Patch1117: lvm_cleanup_refs_on_stop.patch
Obsoletes: heartbeat-resources <= %{version}
Provides: heartbeat-resources = %{version}
@@ -555,6 +556,7 @@ exit 1
%patch1114 -p1
%patch1115 -p1
%patch1116 -p1
+%patch1117 -p1
%build
if [ ! -f configure ]; then
--
1.9.1


@ -0,0 +1,33 @@
From 057decd3b529f9bea96cf4071ae206c4dddc871c Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 15:11:59 -0400
Subject: [PATCH 04/10] WRS:
spec-notify-rmon-of-shutdown-before-shutting-down.patch
---
SPECS/resource-agents.spec | 2 ++
1 file changed, 2 insertions(+)
diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec
index ba7af5b..28b6e50 100644
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
@@ -246,6 +246,7 @@ Patch1110: lvm_vg_activation.patch
Patch1111: pgsql.patch
Patch1113: create-var-run-resource-agents.patch
+Patch1114: notify-rmon-of-shutdown-before-shutting-down.patch
Obsoletes: heartbeat-resources <= %{version}
Provides: heartbeat-resources = %{version}
@@ -549,6 +550,7 @@ exit 1
%patch1111 -p1
%patch1113 -p1
+%patch1114 -p1
%build
if [ ! -f configure ]; then
--
1.9.1


@ -0,0 +1,58 @@
From 98591b479bd64c2835ab1e8884118c57dd499b9c Mon Sep 17 00:00:00 2001
From: Chris Friesen <chris.friesen@windriver.com>
Date: Tue, 21 Jun 2016 14:29:36 -0400
Subject: [PATCH] Fix VG activity bug in heartbeat/LVM script
There is currently an issue in the lvm2 package where if you create an LVM thin
pool, then create a thin volume in the pool, then the udev rule doesn't think
there should be a /dev// symlink for the thin pool, but "vgmknodes" and
"vgscan --mknodes" both think that there should be such a symlink. This is a
bug, but it's in the field in CentOS 7 at least and likely elsewhere.
The end result of this is that on such a system running either "vgscan
--mknodes" or "vgmknodes" and then running "vgchange -an " will
leave the /dev/ directory with a dangling symlink in it.
This breaks the LVM_status() function in this OCF script, since the
/dev/ directory exists and is not empty even though the volume
group is not active.
This commit changes the code to directly query lvm about the volume group
activity rather than relying on side effects.
---
heartbeat/LVM | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/heartbeat/LVM b/heartbeat/LVM
index 1c23c05..d91a3bc 100755
--- a/heartbeat/LVM
+++ b/heartbeat/LVM
@@ -350,19 +350,16 @@ LVM_status() {
ocf_exit_reason "LVM Volume $1 is not available"
return $OCF_ERR_GENERIC
fi
-
- if [ -d /dev/$1 ]; then
- test "`cd /dev/$1 && ls`" != ""
- rc=$?
- if [ $rc -ne 0 ]; then
- ocf_exit_reason "VG $1 with no logical volumes is not supported by this RA!"
- fi
- fi
- if [ $rc -ne 0 ]; then
+ # Ask lvm whether the volume group is active. This maps to
+ # the question "Are there any logical volumes that are active in
+ # the specified volume group?".
+ lvs --noheadings -o selected -S lv_active=active,vg_name=${1}|grep -q 1
+ if [ $? -ne 0 ]; then
ocf_log $loglevel "LVM Volume $1 is not available (stopped)"
rc=$OCF_NOT_RUNNING
else
+ rc=0
case $(get_vg_mode) in
1) # exclusive with tagging.
# If vg is running, make sure the correct tag is present. Otherwise we
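Review bot: the new `lvs ... | grep -q 1` test in LVM_status treats every non-match the same way, so an `lvs` invocation that fails outright is reported as "not available (stopped)" with OCF_NOT_RUNNING, exactly like a cleanly inactive volume group. Capture the `lvs` exit status separately and return an error code when the query itself fails. The removed block also produced the exit reason "VG $1 with no logical volumes is not supported by this RA!"; after this change an empty VG only gets the generic stopped message, which deserves a line in the commit text. Smaller points: `${1}` in the selection string is unquoted, and `rc=0` would read better as `rc=$OCF_SUCCESS`.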
--
1.9.1


@ -0,0 +1,27 @@
From b9fdbdf20d62655c9b529f744f8efb9fb66c5851 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Wed, 25 Oct 2017 16:13:20 -0400
Subject: [PATCH] Modify error code of
bz1454699-LVM-status-check-for-missing-VG.patch to prevent controler-1 reboot
loop
---
heartbeat/LVM | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/heartbeat/LVM b/heartbeat/LVM
index 5347765..e4cd0ea 100755
--- a/heartbeat/LVM
+++ b/heartbeat/LVM
@@ -348,7 +348,7 @@ LVM_status() {
fi
if ! echo "$output" | grep -q "Found.*\"$1\""; then
ocf_exit_reason "LVM Volume $1 is not available"
- return $OCF_ERR_GENERIC
+ return $OCF_NOT_RUNNING
fi
# Ask lvm whether the volume group is active. This maps to
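Review bot: after this change the branch still calls `ocf_exit_reason "LVM Volume $1 is not available"` but returns OCF_NOT_RUNNING, so a volume group that cannot be found at all is reported to the cluster as cleanly stopped while the exit reason describes a failure. The reboot-loop motivation appears only in the subject line; add a comment at the return explaining why a missing VG must not be an error here, and consider logging through ocf_log at warn level instead of setting an exit reason for a non-error return.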
--
1.9.1


@ -0,0 +1,51 @@
From 81bcbfb829001ccf61b515edb3d53ac8f15df334 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Fri, 26 Aug 2016 15:06:10 -0400
Subject: [PATCH 04/12] WRS: Patch108: copyright.patch
---
heartbeat/Filesystem | 2 ++
heartbeat/LVM | 1 +
heartbeat/pgsql | 1 +
3 files changed, 4 insertions(+)
diff --git a/heartbeat/Filesystem b/heartbeat/Filesystem
index 27f03d2..af821b2 100755
--- a/heartbeat/Filesystem
+++ b/heartbeat/Filesystem
@@ -2,6 +2,8 @@
#
# Support: linux-ha@lists.linux-ha.org
# License: GNU General Public License (GPL)
+#
+# Copyright (c) 2014 Wind River Systems, Inc. All rights reserved.
#
# Filesystem
# Description: Manages a Filesystem on a shared storage medium.
diff --git a/heartbeat/LVM b/heartbeat/LVM
index e435e7b..c11fed7 100755
--- a/heartbeat/LVM
+++ b/heartbeat/LVM
@@ -10,6 +10,7 @@
# Support: linux-ha@lists.linux-ha.org
# License: GNU General Public License (GPL)
# Copyright: (C) 2002 - 2005 International Business Machines, Inc.
+# Copyright (c) 2014 Wind River Systems, Inc. All rights reserved.
#
# This code significantly inspired by the LVM resource
# in FailSafe by Lars Marowsky-Bree
diff --git a/heartbeat/pgsql b/heartbeat/pgsql
index 794f85e..b176b1d 100755
--- a/heartbeat/pgsql
+++ b/heartbeat/pgsql
@@ -9,6 +9,7 @@
#
# Copyright: 2006-2012 Serge Dubrouski <sergeyfd@gmail.com>
# and other Linux-HA contributors
+# Copyright (c) 2014 Wind River Systems, Inc. All rights reserved.
# License: GNU General Public License (GPL)
#
###############################################################################
--
1.9.1


@ -0,0 +1,28 @@
From 142af55450aa91fe2d7fc3586388efebae64af97 Mon Sep 17 00:00:00 2001
From: Don Penney <don.penney@windriver.com>
Date: Tue, 3 May 2016 21:53:21 -0400
Subject: [PATCH 1/1] Create /var/run/resource-agents, if needed
---
heartbeat/ocf-shellfuncs.in | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/heartbeat/ocf-shellfuncs.in b/heartbeat/ocf-shellfuncs.in
index fd916e7..56f01e6 100644
--- a/heartbeat/ocf-shellfuncs.in
+++ b/heartbeat/ocf-shellfuncs.in
@@ -165,6 +165,11 @@ __ocf_set_defaults() {
ha_log "ERROR: Need to tell us our resource instance name."
exit $OCF_ERR_ARGS
fi
+
+ # TODO: Find a better way to ensure this dir exists
+ if [ ! -d "$HA_RSCTMP" ]; then
+ mkdir -p $HA_RSCTMP
+ fi
}
hadate() {
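Review bot: the added `mkdir -p $HA_RSCTMP` in __ocf_set_defaults leaves the variable unquoted, although the test just above it quotes it, and the result is never checked, so a failed create goes unnoticed until an agent later tries to write there. Quote the path and log a failure through ha_log as the preceding lines do. Because this runs on every agent invocation, set the directory mode explicitly rather than inheriting whatever umask the caller has. The TODO should say where the directory is expected to be created instead.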
--
1.9.1


@ -0,0 +1,204 @@
From ec5790e7d930bd3436d67319c5214a7bf64fa164 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 15:12:25 -0400
Subject: [PATCH 01/13] WRS: Patch1105: filesystem_rmon.patch
---
heartbeat/Filesystem | 59 +++++++++++++++++++++++++++++++++++++++++++++++++---
heartbeat/LVM | 58 +++++++++++++++++++++++++++++++++++++++++++++++----
2 files changed, 110 insertions(+), 7 deletions(-)
diff --git a/heartbeat/Filesystem b/heartbeat/Filesystem
index d834096..8cd9c6b 100755
--- a/heartbeat/Filesystem
+++ b/heartbeat/Filesystem
@@ -19,6 +19,7 @@
# OCF_RESKEY_run_fsck
# OCF_RESKEY_fast_stop
# OCF_RESKEY_force_clones
+# OCF_RESKEY_rmon_rsc_name
#
#OCF_RESKEY_device : name of block device for the filesystem. e.g. /dev/sda1, /dev/md0
# Or a -U or -L option for mount, or an NFS mount specification
@@ -30,6 +31,7 @@
#OCF_RESKEY_fast_stop : fast stop: yes(default)/no
#OCF_RESKEY_force_clones : allow running the resource as clone. e.g. local xfs mounts
# for each brick in a glusterfs setup
+#OCF_RESKEY_rmon_rsc_name: resource name to use when notifing RMON
#
#
# This assumes you want to manage a filesystem on a shared (SCSI) bus,
@@ -1137,20 +1139,65 @@ if [ "$OP" != "monitor" ]; then
ocf_log info "Running $OP for $DEVICE on $MOUNTPOINT"
fi
+RMON_NOTIFY="/usr/local/bin/rmon_resource_notify"
+
+rmon_notify() {
+ local RSC_STATE=$1 TIMEOUT=$2
+
+ if [ -z "OCF_RESKEY_rmon_rsc_name" ]
+ then
+ ocf_log err "No RMON resource name given for $OCF_RESKEY_directory"
+ return
+ fi
+
+ if [[ -x $RMON_NOTIFY ]]
+ then
+ $RMON_NOTIFY --resource-name $OCF_RESKEY_rmon_rsc_name \
+ --resource-state $RSC_STATE \
+ --resource-type mount \
+ --device $OCF_RESKEY_device \
+ --mount-point $OCF_RESKEY_directory \
+ --timeout $TIMEOUT \
+ >/dev/null 2>&1
+ else
+ ocf_log err "$RMON_NOTIFY not available, failed to execute: \
+$RMON_NOTIFY --resource-name $OCF_RESKEY_rmon_rsc_name \
+--resource-state $RSC_STATE --resource-type mount \
+--device $OCF_RESKEY_device --mount-point $OCF_RESKEY_directory \
+--timeout $TIMEOUT"
+ fi
+}
+
# These operations do not require the clone checking + OCFS2
# initialization.
case $OP in
status) Filesystem_status
- exit $?
+ rc=$?
+ if [ $rc -eq $OCF_SUCCESS ]
+ then
+ rmon_notify "enabled" 300
+ else
+ rmon_notify "disabled" 300
+ fi
+ exit $rc
;;
monitor) Filesystem_monitor
- exit $?
+ rc=$?
+ if [ $rc -eq $OCF_SUCCESS ]
+ then
+ rmon_notify "enabled" 300
+ else
+ rmon_notify "disabled" 300
+ fi
+ exit $rc
;;
validate-all) Filesystem_validate_all
exit $?
;;
stop) Filesystem_stop
- exit $?
+ rc=$?
+ rmon_notify "disabled" 300
+ exit $rc
;;
esac
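Review bot: in rmon_notify, `[ -z "OCF_RESKEY_rmon_rsc_name" ]` tests a literal string, which is never empty, so the "No RMON resource name given" branch is unreachable and an unset name reaches the notifier as a missing argument; the test should be `[ -z "$OCF_RESKEY_rmon_rsc_name" ]`. The values passed to $RMON_NOTIFY (resource name, device, mount point) are unquoted, so any value containing whitespace splits into extra arguments; quote each expansion. `[[ -x $RMON_NOTIFY ]]` is a bashism in a function that otherwise uses `[`.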
@@ -1199,6 +1246,12 @@ fi
case $OP in
start) Filesystem_start
+ rc=$?
+ if [ $rc -eq $OCF_SUCCESS ]
+ then
+ rmon_notify "enabled" 300
+ fi
+ exit $rc
;;
notify) Filesystem_notify
;;
diff --git a/heartbeat/LVM b/heartbeat/LVM
index eae7a91..733d113 100755
--- a/heartbeat/LVM
+++ b/heartbeat/LVM
@@ -22,6 +22,7 @@
#
# OCF parameters are as below:
# OCF_RESKEY_volgrpname
+# OCF_RESKEY_rmon_rsc_name
#
#######################################################################
# Initialization:
@@ -711,6 +712,34 @@ then
exit $OCF_ERR_CONFIGURED
fi
+RMON_NOTIFY="/usr/local/bin/rmon_resource_notify"
+
+rmon_notify() {
+ local RSC_STATE=$1 TIMEOUT=$2
+
+ if [ -z "OCF_RESKEY_rmon_rsc_name" ]
+ then
+ ocf_log err "No RMON resource name given for $OCF_RESKEY_volgrpname"
+ return
+ fi
+
+ if [[ -x $RMON_NOTIFY ]]
+ then
+ $RMON_NOTIFY --resource-name $OCF_RESKEY_rmon_rsc_name \
+ --resource-state $RSC_STATE \
+ --resource-type lvg \
+ --volume-group $OCF_RESKEY_volgrpname \
+ --timeout $TIMEOUT \
+ >/dev/null 2>&1
+ else
+ ocf_log err "$RMON_NOTIFY not available, failed to execute: \
+$RMON_NOTIFY --resource-name $OCF_RESKEY_rmon_rsc_name \
+--resource-state $RSC_STATE --resource-type lvg \
+--volume-group $OCF_RESKEY_volgrpname \
+--timeout $TIMEOUT"
+ fi
+}
+
# Get the LVM version number, for this to work we assume(thanks to panjiam):
#
# LVM1 outputs like this
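Review bot: this rmon_notify is a near copy of the one added to heartbeat/Filesystem in the same patch, including the `[ -z "OCF_RESKEY_rmon_rsc_name" ]` test that lacks its `$` and therefore never fires. Fix the test, quote `$OCF_RESKEY_volgrpname` and the other arguments, and move the function into one shared helper that takes the resource type and its extra options, so the two copies cannot drift apart.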
@@ -752,16 +781,37 @@ case "$1" in
start)
LVM_validate_all
LVM_start $VOLUME
- exit $?;;
+ rc=$?
+ if [ $rc -eq $OCF_SUCCESS ]
+ then
+ rmon_notify "enabled" 300
+ fi
+ exit $rc;;
stop) LVM_stop $VOLUME
- exit $?;;
+ rc=$?
+ rmon_notify "disabled" 300
+ exit $rc;;
status) LVM_status $VOLUME $1
- exit $?;;
+ rc=$?
+ if [ $rc -eq $OCF_SUCCESS ]
+ then
+ rmon_notify "enabled" 300
+ else
+ rmon_notify "disabled" 300
+ fi
+ exit $rc;;
monitor) LVM_status $VOLUME
- exit $?;;
+ rc=$?
+ if [ $rc -eq $OCF_SUCCESS ]
+ then
+ rmon_notify "enabled" 300
+ else
+ rmon_notify "disabled" 300
+ fi
+ exit $rc;;
validate-all) LVM_validate_all
;;
--
1.9.1


@ -0,0 +1,58 @@
From fb5a76d9050c60b601a5dbbad65ed3dbff041af1 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 15:12:36 -0400
Subject: [PATCH 03/13] WRS: Patch1107: ipaddr2_check_if_state.patch
---
heartbeat/IPaddr2 | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/heartbeat/IPaddr2 b/heartbeat/IPaddr2
index aef6dc7..67a7ca3 100755
--- a/heartbeat/IPaddr2
+++ b/heartbeat/IPaddr2
@@ -880,7 +880,12 @@ ip_start() {
local ip_status=`ip_served`
if [ "$ip_status" = "ok" ]; then
- exit $OCF_SUCCESS
+ if [ -n "`ip link show $NIC | grep \"state UP\"`" ]
+ then
+ exit $OCF_SUCCESS
+ else
+ exit $OCF_ERR_GENERIC
+ fi
fi
if [ -n "$IP_CIP" ] && [ $ip_status = "no" ] || [ $ip_status = "partial2" ]; then
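Review bot: the link check added to ip_start matches the literal text "state UP" in `ip link show` output, so any interface that reports a different operational state fails the check even when the address is served; the later ipaddr2_ignore_lo_if_state patch on this page has to special-case lo for exactly this reason. State in a comment which interface states are meant to count as usable, quote `$NIC`, and put the test in one helper function, since the same backtick pipeline is pasted into three places in this patch with different return codes (OCF_ERR_GENERIC in ip_start, OCF_NOT_RUNNING in ip_monitor).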
@@ -939,7 +944,12 @@ ip_start() {
fi
;;
esac
- exit $OCF_SUCCESS
+ if [ -n "`ip link show $NIC | grep \"state UP\"`" ]
+ then
+ exit $OCF_SUCCESS
+ else
+ exit $OCF_ERR_GENERIC
+ fi
}
ip_stop() {
@@ -1015,7 +1025,12 @@ ip_monitor() {
case $ip_status in
ok)
$ARP_SEND_FUN refresh
- return $OCF_SUCCESS
+ if [ -n "`ip link show $NIC | grep \"state UP\"`" ]
+ then
+ return $OCF_SUCCESS
+ else
+ return $OCF_NOT_RUNNING
+ fi
;;
partial|no|partial2)
exit $OCF_NOT_RUNNING
--
1.9.1


@ -0,0 +1,58 @@
From 573f0835621c5e64c6270260f607624aea29d21a Mon Sep 17 00:00:00 2001
From: Bin Qian <bin.qian@windriver.com>
Date: Sat, 21 Jan 2017 02:36:39 -0500
Subject: [PATCH 1/1] ipaddr2_if_down
---
heartbeat/IPaddr2 | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/heartbeat/IPaddr2 b/heartbeat/IPaddr2
index 67a7ca3..2cd822d 100755
--- a/heartbeat/IPaddr2
+++ b/heartbeat/IPaddr2
@@ -884,7 +884,12 @@ ip_start() {
then
exit $OCF_SUCCESS
else
- exit $OCF_ERR_GENERIC
+ if [ "$OCF_RESKEY_dc" = "yes" ]; then
+ ocf_log info "NIC $NIC is DOWN..."
+ exit $OCF_SUCCESS
+ else
+ exit $OCF_ERR_GENERIC
+ fi
fi
fi
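Review bot: `OCF_RESKEY_dc` is read here, but none of the hunks in this patch add it to the agent's parameter list or meta-data, and the commit carries no description, so nothing tells an operator what "dc" stands for or that setting it to yes makes ip_start exit OCF_SUCCESS on a NIC that is down. Document the parameter alongside the other OCF_RESKEY_ values, and make the log text identical at the three sites (this one ends in "..." and the others do not).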
@@ -948,7 +953,12 @@ ip_start() {
then
exit $OCF_SUCCESS
else
- exit $OCF_ERR_GENERIC
+ if [ "$OCF_RESKEY_dc" = "yes" ]; then
+ ocf_log info "NIC $NIC is DOWN"
+ exit $OCF_SUCCESS
+ else
+ exit $OCF_ERR_GENERIC
+ fi
fi
}
@@ -1029,7 +1039,12 @@ ip_monitor() {
then
return $OCF_SUCCESS
else
- return $OCF_NOT_RUNNING
+ if [ "$OCF_RESKEY_dc" = "yes" ]; then
+ ocf_log info "NIC $NIC is DOWN"
+ return $OCF_SUCCESS
+ else
+ return $OCF_NOT_RUNNING
+ fi
fi
;;
partial|no|partial2)
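Review bot: with dc=yes, ip_monitor now returns OCF_SUCCESS while the link is down, and the only trace is an info-level "NIC $NIC is DOWN" line written on every monitor interval. A tolerated fault should stay visible: log it at warn level, preferably only when the state changes, and add a comment saying why a down link is acceptable in this mode so the success return is not mistaken for an oversight.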
--
1.9.1


@ -0,0 +1,43 @@
From 81bb87debd2a683bad2173d6cb16327c776fe3b3 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 15:13:46 -0400
Subject: [PATCH 13/13] WRS: Patch1119: ipaddr2_ignore_lo_if_state.patch
---
heartbeat/IPaddr2 | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/heartbeat/IPaddr2 b/heartbeat/IPaddr2
index 2cd822d..59620d2 100755
--- a/heartbeat/IPaddr2
+++ b/heartbeat/IPaddr2
@@ -880,7 +880,7 @@ ip_start() {
local ip_status=`ip_served`
if [ "$ip_status" = "ok" ]; then
- if [ -n "`ip link show $NIC | grep \"state UP\"`" ]
+ if [ -n "`ip link show $NIC | grep \"state UP\"`" ] || [ "$NIC" = "lo" ]
then
exit $OCF_SUCCESS
else
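Review bot: the loopback exception is appended to the same condition in three separate places, with the interface name hard-coded as "lo" each time. Factor the link-state test into one function and evaluate `[ "$NIC" = "lo" ]` first, so that `ip link show` and grep are not spawned at all for the loopback case; a one-line comment on why lo never shows "state UP" would save the next reader the investigation.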
@@ -949,7 +949,7 @@ ip_start() {
fi
;;
esac
- if [ -n "`ip link show $NIC | grep \"state UP\"`" ]
+ if [ -n "`ip link show $NIC | grep \"state UP\"`" ] || [ "$NIC" = "lo" ]
then
exit $OCF_SUCCESS
else
@@ -1035,7 +1035,7 @@ ip_monitor() {
case $ip_status in
ok)
$ARP_SEND_FUN refresh
- if [ -n "`ip link show $NIC | grep \"state UP\"`" ]
+ if [ -n "`ip link show $NIC | grep \"state UP\"`" ] || [ "$NIC" = "lo" ]
then
return $OCF_SUCCESS
else
--
1.9.1


@ -0,0 +1,121 @@
CGTS-5173: LVM ocf cleanup refs on stop
In LVM ocf script, LVM_stop() fails if any of the created logical volume
dm block devices are being held by any process with the following error
err ERROR: Logical volume cinder-volumes/volume-96a8becd-a1c1-4508-8b25-9bcbcfeff2fa
contains a filesystem in use. Can't deactivate volume group "cinder-volumes"
with 1 open logical volume(s)
So here we want to have defensive code to scan through any process that
holds what dm block devices and causes LVM_stop() to fail. There are
2 cases:
* dm block devices are mounted and processes are accessing files located
in this mount point. We first need to kill all the processes which are
opening files and then umount the dm block devices.
* processes just hold/open dm block devices directly. We need to kill
these processes.
---
heartbeat/LVM | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 76 insertions(+)
diff --git a/heartbeat/LVM b/heartbeat/LVM
index 69f284c..e56f7d8 100755
--- a/heartbeat/LVM
+++ b/heartbeat/LVM
@@ -616,6 +616,81 @@ EOF
}
#
+# Kill provided process that holds lv
+#
+log_and_kill_process_hold_lv() {
+ p_info=$(ps -lfLp ${1} | tail -1)
+ ocf_log warn "lv ${2} is being held by this process (will be forced killed):"
+ ocf_log warn ${p_info}
+ kill -s KILL ${1}
+}
+
+#
+# Scan for processes that hold any lvs and kill them
+#
+scan_and_kill_processes_hold_lv() {
+ vg_name=${1}
+
+ # Get list of logical volumes which are busy
+ lv_paths=$(lvdisplay -c ${vg_name} | awk -F ":" '{print $1}')
+ for lv_path in ${lv_paths}; do
+ open_num=$(lvdisplay ${lv_path} | grep "# open" | awk '{print $3}')
+ if [ ${open_num} -gt 0 ]; then
+ lv_name=$(lvdisplay ${lv_path} | grep "LV Name" | awk '{print $3}')
+ lv_block=$(lvdisplay ${lv_path} | grep "Block device" | awk '{print $3}')
+
+ lv_list="${lv_list}
+${lv_name}|${lv_block}"
+ lv_block_list="${lv_block_list} ${lv_block}"
+ fi
+ done
+
+ # Exit if there is no busy logical volume
+ [ -z "${lv_list}" ] && exit 0
+
+ # Checking to see if any of these busy logical volumes are caused by mount
+ mountinfo=$(cat /proc/1/mountinfo)
+ while read -r line; do
+ mount_majorminor=$(echo ${line} | awk '{print $3}')
+ mount_point=$(echo ${line} | awk '{print $5}')
+
+ for lv in ${lv_block_list}; do
+ if [ "${lv}" == "${mount_majorminor}" ]; then
+ lv_name=$(echo "${lv_list}" | grep ${lv} | awk -F "|" '{print $1}')
+ ocf_log warn "lv ${lv_name} is busy mounted at ${mount_point} (will be forced unmounted)"
+ processes_holding_mount_point=$(fuser -m ${mount_point} 2>/dev/null)
+ if [ -n "${processes_holding_mount_point}" ]; then
+ for p in ${processes_holding_mount_point}; do
+ log_and_kill_process_hold_lv "${p}" "${lv_name}"
+ done
+ fi
+ umount ${mount_point}
+ [ $? -ne 0 ] && ocf_log warn "Cannot umount ${mount_point}"
+ fi
+ done
+ done <<< "${mountinfo}"
+
+ # Now checking to see if any process holding these logical volumes
+ all_processes=$(ps -e | awk '{print $1}')
+ for p in ${all_processes}; do
+ [ ! -d /proc/${p}/fd ] && continue
+ opened_file_list=$(ls -l /proc/${p}/fd | awk -F "->" '{print $2}')
+
+ for f in ${opened_file_list}; do
+ [ ! -b "${f}" ] && continue
+ f_majorminor=$(printf "%d:%d" $(stat -c '0x%t 0x%T' ${f}))
+
+ for lv in ${lv_block_list}; do
+ if [ "${lv}" == "${f_majorminor}" ]; then
+ lv_name=$(echo "${lv_list}" | grep ${lv} | awk -F "|" '{print $1}')
+ log_and_kill_process_hold_lv "${p}" "${lv_name}"
+ fi
+ done
+ done
+ done
+}
+
+#
# Disable the LVM volume
#
LVM_stop() {
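Review bot: `[ -z "${lv_list}" ] && exit 0` in scan_and_kill_processes_hold_lv terminates the whole agent with status 0 from inside the LVM_stop retry loop, so a stop whose deactivation has just failed is reported as successful whenever no logical volume shows a non-zero open count; this must be `return 0`. Other points in the same function: lv_list and lv_block_list are neither local nor reset, so they accumulate across retries; `[ ${open_num} -gt 0 ]` raises a test error when the lvdisplay parse yields nothing; `grep ${lv}` is a substring match, so 253:1 also matches 253:10 and the wrong LV name can be logged; and every holder is sent KILL immediately, with no TERM and grace period first. Since this kills arbitrary processes as root, the warn-level log line should be guaranteed to be written before the signal is sent, and `${p_info}` should be quoted when passed to ocf_log.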
@@ -647,6 +722,7 @@ LVM_stop() {
break
fi
+ scan_and_kill_processes_hold_lv $vg
res=$OCF_ERR_GENERIC
ocf_log warn "$vg still Active"
ocf_log info "Retry deactivating volume group $vg"
--
1.9.1


@ -0,0 +1,160 @@
From 3304fb0e1f1eeb2bfe52611541c5dd12bdc908e0 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 15:12:54 -0400
Subject: [PATCH 06/13] WRS: Patch1110: lvm_vg_activation.patch
---
heartbeat/LVM | 130 +++++++++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 116 insertions(+), 14 deletions(-)
diff --git a/heartbeat/LVM b/heartbeat/LVM
index 5de88b6..3a52e56 100755
--- a/heartbeat/LVM
+++ b/heartbeat/LVM
@@ -449,6 +449,81 @@ retry_exclusive_start()
}
#
+# Activate one volume explicitly.
+#
+activate_volume() {
+ ocf_run lvchange $1 /dev/${2}/$3
+ if [ $? -eq 0 ] ; then
+ ocf_log info "Succesfully activated $LV."
+ else
+ ocf_log err "Problem activating $LV."
+ fi
+}
+
+#
+# Kick off parallel activation of all volumes
+#
+activate_all_volumes() {
+ VG=$1
+ shift
+ lvchange_args="$*"
+
+ # Get the list of volumes, without the first line which is column headings.
+ VOLS=`lvs $VG |tail -n +2`
+
+ while read -r LINE; do
+ # Convert the line into an array.
+ LINE_ARRAY=($LINE)
+
+ # First array element is the volume/snapshot name.
+ LV=${LINE_ARRAY[0]}
+
+ # Third array element is the attributes.
+ ATTR=${LINE_ARRAY[2]}
+
+ # Fifth character in the attributes is "a" if it's active.
+ ACTIVE=${ATTR:4:1}
+ if [ "$ACTIVE" == "a" ]; then
+ ocf_log info "$LV is already active."
+ continue
+ fi
+
+ SNAPSHOT_ORIGIN=${LINE_ARRAY[4]}
+ if [ "$SNAPSHOT_ORIGIN" != "" ] ; then
+ # If this is a snapshot, don't activate it.
+ continue
+ fi
+
+ ( activate_volume "$*" $VG $LV ) &
+ done <<< "$VOLS"
+}
+
+#
+# Scan for inactive volumes and log any that are found.
+#
+log_inactive_volumes() {
+ # Get the list of volumes, without the first line which is column headings.
+ VOLS=`lvs $1 |tail -n +2`
+
+ while read -r LINE; do
+ # Convert the line into an array.
+ LINE_ARRAY=($LINE)
+
+ # First array element is the volume/snapshot name.
+ LV=${LINE_ARRAY[0]}
+
+ # Third array element is the attributes.
+ ATTR=${LINE_ARRAY[2]}
+
+ # Fifth character in the attributes is "a" if it's active.
+ ACTIVE=${ATTR:4:1}
+ if [ "$ACTIVE" != "a" ]; then
+ ocf_log err "Volume $LV is not active after expiry of timeout."
+ fi
+ done <<< "$VOLS"
+}
+
+#
# Enable LVM volume
#
LVM_start() {
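Review bot: activate_all_volumes and log_inactive_volumes parse the default `lvs` listing by word position, and `SNAPSHOT_ORIGIN=${LINE_ARRAY[4]}` only means "origin" if every column before it is non-empty, because word splitting collapses empty columns; any volume with another populated column in that position is silently skipped as a snapshot. Request the fields explicitly, in the style of the `lvs --noheadings -o ... -S ...` call used elsewhere in this package's patches. Also: `lvchange_args` is assigned and never used; `activate_volume "$*" $VG $LV` passes all options as one word and relies on the unquoted `$1` inside to split them again; activate_volume logs `$LV`, which is not one of its parameters; and the background subshells are never waited on, so their failures surface only as log lines.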
@@ -489,20 +564,47 @@ EOF
: ;;
esac
- if ! ocf_run vgchange $vgchange_options $vg; then
- if [ $clvmd -eq 0 ]; then
- return $OCF_ERR_GENERIC
- fi
-
- # Failure to exclusively activate cluster vg.:
- # This could be caused by a remotely active LV, Attempt
- # to disable volume group cluster wide and try again.
- # Allow for some settling
- sleep 5
- if ! retry_exclusive_start; then
- return $OCF_ERR_GENERIC
- fi
- fi
+ # Kick off activation of all volumes. If it doesn't complete within
+ # the timeout period, then we'll log the not-yet-activated volumes and
+ # continue on.
+ (ocf_run vgchange $vgchange_options $1) & PID=$!
+
+ # Check every second for up to TIMEOUT seconds whether the vgchange has
+ # completed.
+ TIMEOUT=300
+ TIMED_OUT=true
+ SECONDS=0;
+ PARALLEL_ACTIVATE_DELAY=10
+ PARALLEL_ACTIVATE_DONE=false
+ while [ $SECONDS -lt $TIMEOUT ] ; do
+ kill -0 $PID &> /dev/null
+ if [ $? -eq 1 ] ; then
+ # process with pid of $PID doesn't exist, vgchange command completed
+ TIMED_OUT=false
+ break
+ fi
+ if [ $SECONDS -ge $PARALLEL_ACTIVATE_DELAY ] && \
+ [ "$PARALLEL_ACTIVATE_DONE" != true ] && \
+ [ "$1" == "cinder-volumes" ] ; then
+ # This will kick off parallel activation of all LVs in the VG.
+ # The delay is to ensure the VG is activated first.
+ PARALLEL_ACTIVATE_DONE=true
+ ocf_log info Explicitly activating all volumes in $1 with: $vgchange_options
+ activate_all_volumes $1 $vgchange_options
+ fi
+ sleep 1
+ done
+
+ if [ "$TIMED_OUT" = true ] ; then
+ ocf_log err "Timed out running ocf_run vgchange $vgchange_options $1"
+ log_inactive_volumes $1
+ else
+ # Child process completed, get its status.
+ wait $PID
+ if [ $? -ne 0 ] ; then
+ return $OCF_ERR_GENERIC
+ fi
+ fi
if LVM_status $vg; then
: OK Volume $vg activated just fine!
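Review bot: this hunk removes the clvmd fallback (the sleep and retry_exclusive_start path) without mentioning it, so a failed exclusive activation of a cluster VG now returns OCF_ERR_GENERIC straight away; if that is intended, say so in the commit message and drop the now unreferenced helper. On the timeout path the background vgchange is left running while the function carries on to LVM_status, so its exit status is never collected. The new code switches from `$vg` to `$1` for the same value, hard-codes the volume group name "cinder-volumes" and the 300 second limit, and depends on bash's SECONDS variable; make the VG name and timeout parameters, and compare `kill -0` against non-zero rather than exactly 1.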
--
1.9.1


@ -0,0 +1,62 @@
From 111343419dd381d81303354dad48cca5095ab080 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Fri, 26 Aug 2016 15:06:02 -0400
Subject: [PATCH 02/12] WRS: Patch106: new_ocf_return_codes.patch
---
heartbeat/ocf-returncodes | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
diff --git a/heartbeat/ocf-returncodes b/heartbeat/ocf-returncodes
index dd5f017..9200889 100644
--- a/heartbeat/ocf-returncodes
+++ b/heartbeat/ocf-returncodes
@@ -4,6 +4,7 @@
#
# Copyright (c) 2004 SUSE LINUX AG, Andrew Beekhof
# All Rights Reserved.
+# Copyright (c) 2014 Wind River Systems, Inc. All rights reserved.
#
#
# This library is free software; you can redistribute it and/or
@@ -53,3 +54,37 @@ OCF_NOT_RUNNING=7
#
OCF_RUNNING_MASTER=8
OCF_FAILED_MASTER=9
+
+# Non-standard values particular to Wind River deployments.
+#
+# OCF does not include the concept of data sync states for master/slave
+# resources.
+#
+# OCF_DATA_INCONSISTENT:
+# The resource's data is not useable.
+#
+# OCF_DATA_OUTDATED:
+# The resource's data is consistent, but a peer with more recent data
+# has been seen.
+#
+# OCF_DATA_CONSISTENT:
+# The resource's data is consistent, but it is unsure that this is the
+# most recent data.
+#
+# OCF_SYNC:
+# The resource is syncing data.
+#
+# OCF_STANDALONE:
+# The resource is operating as standalone. No peer is available or
+# syncing is not possible (i.e. split brain fencing).
+#
+OCF_DATA_INCONSISTENT=32
+OCF_DATA_OUTDATED=33
+OCF_DATA_CONSISTENT=34
+OCF_DATA_SYNC=35
+OCF_DATA_STANDALONE=36
+OCF_RUNNING_MASTER_DATA_INCONSISTENT=37
+OCF_RUNNING_MASTER_DATA_OUTDATED=38
+OCF_RUNNING_MASTER_DATA_CONSISTENT=39
+OCF_RUNNING_MASTER_DATA_SYNC=40
+OCF_RUNNING_MASTER_DATA_STANDALONE=41
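Review bot: the comment block documents OCF_SYNC and OCF_STANDALONE, but the variables defined below are OCF_DATA_SYNC and OCF_DATA_STANDALONE, and the five OCF_RUNNING_MASTER_DATA_* values have no description at all. Rename the comment entries to match the variables, and add a sentence on how codes 37 to 41 relate to OCF_RUNNING_MASTER=8 and which component is expected to interpret these non-standard values.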
--
1.9.1


@ -0,0 +1,54 @@
From bf3f5ed67ee862cbd4fd3f4f8c2c3760ebd88900 Mon Sep 17 00:00:00 2001
From: Don Penney <don.penney@windriver.com>
Date: Fri, 17 Jun 2016 00:31:20 -0400
Subject: [PATCH 1/1] Notify rmon of shutdown before shutting down LVM and
Filesystem
---
heartbeat/Filesystem | 9 +++++----
heartbeat/LVM | 9 +++++----
2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/heartbeat/Filesystem b/heartbeat/Filesystem
index 05e4097..d5f3417 100755
--- a/heartbeat/Filesystem
+++ b/heartbeat/Filesystem
@@ -1200,10 +1200,11 @@ case $OP in
validate-all) Filesystem_validate_all
exit $?
;;
- stop) Filesystem_stop
- rc=$?
- rmon_notify "disabled" 300
- exit $rc
+ stop)
+ rmon_notify "disabled" 300
+ Filesystem_stop
+ rc=$?
+ exit $rc
;;
esac
diff --git a/heartbeat/LVM b/heartbeat/LVM
index 3a52e56..69f284c 100755
--- a/heartbeat/LVM
+++ b/heartbeat/LVM
@@ -891,10 +891,11 @@ case "$1" in
fi
exit $rc;;
- stop) LVM_stop $VOLUME
- rc=$?
- rmon_notify "disabled" 300
- exit $rc;;
+ stop)
+ rmon_notify "disabled" 300
+ LVM_stop $VOLUME
+ rc=$?
+ exit $rc;;
status) LVM_status $VOLUME $1
rc=$?
--
1.9.1


@ -0,0 +1,28 @@
From 3b5735f43d0ca1a3ca29b9fec50959340c21c995 Mon Sep 17 00:00:00 2001
From: Don Penney <don.penney@windriver.com>
Date: Thu, 25 Aug 2016 13:07:16 -0400
Subject: [PATCH 1/1] Set OCF_ prefix in logs for syslog destination sorting
---
heartbeat/ocf-shellfuncs.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/heartbeat/ocf-shellfuncs.in b/heartbeat/ocf-shellfuncs.in
index 56f01e6..cfe5b21 100644
--- a/heartbeat/ocf-shellfuncs.in
+++ b/heartbeat/ocf-shellfuncs.in
@@ -179,9 +179,9 @@ hadate() {
set_logtag() {
if [ -z "$HA_LOGTAG" ]; then
if [ -n "$OCF_RESOURCE_INSTANCE" ]; then
- HA_LOGTAG="$__SCRIPT_NAME($OCF_RESOURCE_INSTANCE)[$$]"
+ HA_LOGTAG="OCF_$__SCRIPT_NAME($OCF_RESOURCE_INSTANCE)[$$]"
else
- HA_LOGTAG="$__SCRIPT_NAME[$$]"
+ HA_LOGTAG="OCF_$__SCRIPT_NAME[$$]"
fi
fi
}
--
1.9.1


@ -0,0 +1,87 @@
From 386e3919b703c5a3d06edfc5b078ab67604139ab Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 15:12:59 -0400
Subject: [PATCH 07/13] WRS: Patch1111: pgsql.patch
---
heartbeat/pgsql | 23 ++++++++++++++++++++---
1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/heartbeat/pgsql b/heartbeat/pgsql
index 768608e..28cc046 100755
--- a/heartbeat/pgsql
+++ b/heartbeat/pgsql
@@ -38,6 +38,7 @@ get_pgsql_param() {
OCF_RESKEY_pgctl_default=/usr/bin/pg_ctl
OCF_RESKEY_psql_default=/usr/bin/psql
OCF_RESKEY_pgdata_default=/var/lib/pgsql/data
+OCF_RESKEY_pgconf_default=/etc/postgresql
OCF_RESKEY_pgdba_default=postgres
OCF_RESKEY_pghost_default=""
OCF_RESKEY_pgport_default=5432
@@ -67,10 +68,11 @@ OCF_RESKEY_stop_escalate_in_slave_default=30
: ${OCF_RESKEY_pgctl=${OCF_RESKEY_pgctl_default}}
: ${OCF_RESKEY_psql=${OCF_RESKEY_psql_default}}
: ${OCF_RESKEY_pgdata=${OCF_RESKEY_pgdata_default}}
+: ${OCF_RESKEY_pgconf=${OCF_RESKEY_pgconf_default}}
: ${OCF_RESKEY_pgdba=${OCF_RESKEY_pgdba_default}}
: ${OCF_RESKEY_pghost=${OCF_RESKEY_pghost_default}}
: ${OCF_RESKEY_pgport=${OCF_RESKEY_pgport_default}}
-: ${OCF_RESKEY_config=${OCF_RESKEY_pgdata}/postgresql.conf}
+: ${OCF_RESKEY_config=${OCF_RESKEY_pgconf}/postgresql.conf}
: ${OCF_RESKEY_start_opt=${OCF_RESKEY_start_opt_default}}
: ${OCF_RESKEY_pgdb=${OCF_RESKEY_pgdb_default}}
: ${OCF_RESKEY_logfile=${OCF_RESKEY_logfile_default}}
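Review bot: changing the default of OCF_RESKEY_config from `${OCF_RESKEY_pgdata}/postgresql.conf` to `${OCF_RESKEY_pgconf}/postgresql.conf` moves the configuration path for every existing resource that set pgdata and relied on the default, because pgconf now defaults to /etc/postgresql regardless of pgdata. Either fall back to the pgdata location when pgconf is not set explicitly, or state the behaviour change in the commit message and in the pgconf longdesc added further down.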
@@ -166,6 +168,14 @@ Path to PostgreSQL data directory.
<content type="string" default="${OCF_RESKEY_pgdata_default}" />
</parameter>
+<parameter name="pgconf" unique="0" required="0">
+<longdesc lang="en">
+Path to PostgreSQL config directory.
+</longdesc>
+<shortdesc lang="en">pgconf</shortdesc>
+<content type="string" default="${OCF_RESKEY_pgconf_default}" />
+</parameter>
+
<parameter name="pgdba" unique="0" required="0">
<longdesc lang="en">
User that owns PostgreSQL.
@@ -220,7 +230,7 @@ SQL script that will be used for monitor operations.
Path to the PostgreSQL configuration file for the instance.
</longdesc>
<shortdesc lang="en">Configuration file</shortdesc>
-<content type="string" default="${OCF_RESKEY_pgdata}/postgresql.conf" />
+<content type="string" default="${OCF_RESKEY_pgconf}/postgresql.conf" />
</parameter>
<parameter name="pgdb" unique="0" required="0">
@@ -549,6 +559,12 @@ pgsql_real_start() {
ocf_log debug "PostgreSQL still hasn't started yet. Waiting..."
done
+ # WRS: Create an unversioned symlink under /var/run so SM can easily
+ # find the PID file.
+ if [ ! -h $PIDFILE_SYMLINK ]; then
+ /bin/ln -s $PIDFILE $PIDFILE_SYMLINK
+ fi
+
ocf_log info "PostgreSQL is started."
return $rc
}
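Review bot: the symlink step in pgsql_real_start only tests `[ ! -h $PIDFILE_SYMLINK ]`, so an existing link is never refreshed when PIDFILE changes, a regular file already at that path makes `ln -s` fail, and the failure is ignored. PIDFILE_SYMLINK is the fixed path /var/run/postmaster.pid, which two instances of this agent on one node would share. Use `ln -sfn` with both operands quoted, log a failure, and either derive the link name from the resource instance or document that only one instance per node is supported; nothing in the visible hunks removes the link again on stop.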
@@ -1756,10 +1772,11 @@ fi
PIDFILE=${OCF_RESKEY_pgdata}/postmaster.pid
+PIDFILE_SYMLINK=/var/run/postmaster.pid
BACKUPLABEL=${OCF_RESKEY_pgdata}/backup_label
RESOURCE_NAME=`echo $OCF_RESOURCE_INSTANCE | cut -d ":" -f 1`
PGSQL_WAL_RECEIVER_STATUS_ATTR="${RESOURCE_NAME}-receiver-status"
-RECOVERY_CONF=${OCF_RESKEY_pgdata}/recovery.conf
+RECOVERY_CONF=${OCF_RESKEY_pgconf}/recovery.conf
NODENAME=$(ocf_local_nodename | tr '[A-Z]' '[a-z]')
if is_replication; then
--
1.9.1


@ -0,0 +1,27 @@
From eb45b8271ce64a046d41c93b1cffd641245ce55f Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 15:12:48 -0400
Subject: [PATCH 05/13] WRS: Patch1109: umount-in-namespace.patch
---
heartbeat/Filesystem | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/heartbeat/Filesystem b/heartbeat/Filesystem
index f536298..05e4097 100755
--- a/heartbeat/Filesystem
+++ b/heartbeat/Filesystem
@@ -804,6 +804,10 @@ signal_processes() {
}
try_umount() {
local SUB=$1
+
+ # We need to ensure we umount in namespaces, too
+ /usr/sbin/umount-in-namespace $SUB
+
$UMOUNT $umount_force $SUB
list_mounts | grep -q " $SUB " >/dev/null 2>&1 || {
ocf_log info "unmounted $SUB successfully"
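Review bot: try_umount now runs `/usr/sbin/umount-in-namespace $SUB` unconditionally, with no check that the helper exists or is executable and with its exit status discarded, whereas rmon_notify in this same file guards its external tool with an -x test. On a system without the helper every unmount attempt emits a command-not-found error before the real umount runs. Guard the call, quote `$SUB`, and log a non-zero result so that a mount left behind in another namespace can be diagnosed.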
--
1.9.1


@ -0,0 +1 @@
mirror:Source/resource-agents-3.9.5-105.el7.src.rpm


@ -0,0 +1,38 @@
---
heartbeat/Filesystem | 3 ++-
heartbeat/LVM | 1 +
heartbeat/pgsql | 1 +
3 files changed, 4 insertions(+), 1 deletion(-)
--- a/heartbeat/Filesystem
+++ b/heartbeat/Filesystem
@@ -2,7 +2,8 @@
#
# Support: linux-ha@lists.linux-ha.org
# License: GNU General Public License (GPL)
-#
+# Copyright (c) 2014 Wind River Systems, Inc. All rights reserved.
+#
# Filesystem
# Description: Manages a Filesystem on a shared storage medium.
# Original Author: Eric Z. Ayers (eric.ayers@compgen.com)
--- a/heartbeat/LVM
+++ b/heartbeat/LVM
@@ -10,6 +10,7 @@
# Support: linux-ha@lists.linux-ha.org
# License: GNU General Public License (GPL)
# Copyright: (C) 2002 - 2005 International Business Machines, Inc.
+# Copyright (c) 2014 Wind River Systems, Inc. All rights reserved.
#
# This code significantly inspired by the LVM resource
# in FailSafe by Lars Marowsky-Bree
--- a/heartbeat/pgsql
+++ b/heartbeat/pgsql
@@ -9,6 +9,7 @@
#
# Copyright: 2006-2012 Serge Dubrouski <sergeyfd@gmail.com>
# and other Linux-HA contributors
+# Copyright (c) 2014 Wind River Systems, Inc. All rights reserved.
# License: GNU General Public License (GPL)
#
###############################################################################


@ -0,0 +1,15 @@
Index: resource-agents-3.9.5/heartbeat/exportfs
===================================================================
--- resource-agents-3.9.5/heartbeat/exportfs 2013-02-07 07:17:42.000000000 -0500
+++ resource-agents-3.9.5/heartbeat/exportfs 2015-12-18 12:40:18.382930869 -0500
@@ -184,7 +184,9 @@
is_exported() {
local dir=$1
- local spec=$2
+ # Because clientspec contains square brackets when using IPv6, and the exports entry does not,
+ # it is necessary to remove the square brackets to compare them with each other.
+ local spec=$(echo $2|sed -r 's/(\[|\])//g')
exportfs |
sed -e '$! N; s/\n[[:space:]]\+/ /; t; s/[[:space:]]\+\([^[:space:]]\+\)\(\n\|$\)/ \1\2/g; P;D;' |
grep -q -x -F "$dir $spec"
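Review bot: `local spec=$(echo $2|sed -r 's/(\[|\])//g')` expands `$2` unquoted, and the value being handled contains square brackets, which the shell treats as a glob pattern; a clientspec with `*` would likewise be expanded against the current directory before sed ever sees it. Pass the value quoted, for example `printf '%s' "$2" | sed ...`, and quote the command substitution as well. The comment could also say which side of the comparison is being normalised, since the result is matched with `grep -x -F` against the exportfs listing.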


@ -0,0 +1,193 @@
---
heartbeat/Filesystem | 59 ++++++++++++++++++++++++++++++++++++++++++++++++---
heartbeat/LVM | 59 +++++++++++++++++++++++++++++++++++++++++++++++----
2 files changed, 111 insertions(+), 7 deletions(-)
--- a/heartbeat/Filesystem
+++ b/heartbeat/Filesystem
@@ -19,6 +19,7 @@
# OCF_RESKEY_run_fsck
# OCF_RESKEY_fast_stop
# OCF_RESKEY_force_clones
+# OCF_RESKEY_rmon_rsc_name
#
#OCF_RESKEY_device : name of block device for the filesystem. e.g. /dev/sda1, /dev/md0
# Or a -U or -L option for mount, or an NFS mount specification
@@ -30,6 +31,7 @@
#OCF_RESKEY_fast_stop : fast stop: yes(default)/no
#OCF_RESKEY_force_clones : allow running the resource as clone. e.g. local xfs mounts
# for each brick in a glusterfs setup
+#OCF_RESKEY_rmon_rsc_name: resource name to use when notifing RMON
#
#
# This assumes you want to manage a filesystem on a shared (SCSI) bus,
@@ -1053,20 +1055,65 @@ if [ "$OP" != "monitor" ]; then
ocf_log info "Running $OP for $DEVICE on $MOUNTPOINT"
fi
+RMON_NOTIFY="/usr/local/bin/rmon_resource_notify"
+
+rmon_notify() {
+ local RSC_STATE=$1 TIMEOUT=$2
+
+ if [ -z "OCF_RESKEY_rmon_rsc_name" ]
+ then
+ ocf_log err "No RMON resource name given for $OCF_RESKEY_directory"
+ return
+ fi
+
+ if [[ -x $RMON_NOTIFY ]]
+ then
+ $RMON_NOTIFY --resource-name $OCF_RESKEY_rmon_rsc_name \
+ --resource-state $RSC_STATE \
+ --resource-type mount \
+ --device $OCF_RESKEY_device \
+ --mount-point $OCF_RESKEY_directory \
+ --timeout $TIMEOUT \
+ >/dev/null 2>&1
+ else
+ ocf_log err "$RMON_NOTIFY not available, failed to execute: \
+$RMON_NOTIFY --resource-name $OCF_RESKEY_rmon_rsc_name \
+--resource-state $RSC_STATE --resource-type mount \
+--device $OCF_RESKEY_device --mount-point $OCF_RESKEY_directory \
+--timeout $TIMEOUT"
+ fi
+}
+
# These operations do not require the clone checking + OCFS2
# initialization.
case $OP in
status) Filesystem_status
- exit $?
+ rc=$?
+ if [ $rc -eq $OCF_SUCCESS ]
+ then
+ rmon_notify "enabled" 300
+ else
+ rmon_notify "disabled" 300
+ fi
+ exit $rc
;;
monitor) Filesystem_monitor
- exit $?
+ rc=$?
+ if [ $rc -eq $OCF_SUCCESS ]
+ then
+ rmon_notify "enabled" 300
+ else
+ rmon_notify "disabled" 300
+ fi
+ exit $rc
;;
validate-all) Filesystem_validate_all
exit $?
;;
stop) Filesystem_stop
- exit $?
+ rc=$?
+ rmon_notify "disabled" 300
+ exit $rc
;;
esac
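Review bot: the guard at the top of rmon_notify tests a literal string, `[ -z "OCF_RESKEY_rmon_rsc_name" ]`, which is never empty, so the "No RMON resource name given" branch cannot run and the notifier is called with no value after --resource-name when the parameter is unset. Use `[ -z "$OCF_RESKEY_rmon_rsc_name" ]`, and quote `$OCF_RESKEY_device` and `$OCF_RESKEY_directory` in the `$RMON_NOTIFY` call, since both can contain spaces or glob characters. The notifier's exit status and output are discarded (`>/dev/null 2>&1`), so a failing notification is invisible; logging a non-zero status would help.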
@@ -1114,6 +1161,12 @@ fi
case $OP in
start) Filesystem_start
+ rc=$?
+ if [ $rc -eq $OCF_SUCCESS ]
+ then
+ rmon_notify "enabled" 300
+ fi
+ exit $rc
;;
notify) Filesystem_notify
;;
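Review bot: in the start branch a failed Filesystem_start exits with $rc without any rmon_notify call, whereas the status and monitor branches in the previous hunk report "disabled" on failure. If RMON should learn about a failed mount, add the else branch here as well; if the omission is deliberate, a one-line comment saying why would help. The added `exit $rc` also means start no longer falls through past the `;;` as it did before, which is worth confirming.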
--- a/heartbeat/LVM
+++ b/heartbeat/LVM
@@ -22,6 +22,7 @@
#
# OCF parameters are as below:
# OCF_RESKEY_volgrpname
+# OCF_RESKEY_rmon_rsc_name
#
#######################################################################
# Initialization:
@@ -311,6 +312,35 @@ then
exit $OCF_ERR_CONFIGURED
fi
+RMON_NOTIFY="/usr/local/bin/rmon_resource_notify"
+
+rmon_notify() {
+ local RSC_STATE=$1 TIMEOUT=$2
+
+ if [ -z "OCF_RESKEY_rmon_rsc_name" ]
+ then
+ ocf_log err "No RMON resource name given for $OCF_RESKEY_volgrpname"
+ return
+ fi
+
+ if [[ -x $RMON_NOTIFY ]]
+ then
+ $RMON_NOTIFY --resource-name $OCF_RESKEY_rmon_rsc_name \
+ --resource-state $RSC_STATE \
+ --resource-type lvg \
+ --volume-group $OCF_RESKEY_volgrpname \
+ --timeout $TIMEOUT \
+ >/dev/null 2>&1
+ else
+ ocf_log err "$RMON_NOTIFY not available, failed to execute: \
+$RMON_NOTIFY --resource-name $OCF_RESKEY_rmon_rsc_name \
+--resource-state $RSC_STATE --resource-type lvg \
+--volume-group $OCF_RESKEY_volgrpname \
+--timeout $TIMEOUT"
+ fi
+}
+
+
# Get the LVM version number, for this to work we assume(thanks to panjiam):
#
# LVM1 outputs like this
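Review bot: this rmon_notify repeats the defect of the copy added to heartbeat/Filesystem: `[ -z "OCF_RESKEY_rmon_rsc_name" ]` lacks the `$`, so the check is always false. The two functions differ only in --resource-type and the device arguments, so consider a single helper in a shared file such as ocf-shellfuncs that takes those as parameters. `[[ -x $RMON_NOTIFY ]]` is also a bash-only construct sitting next to the POSIX `[ ... ]` used a few lines above it.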
@@ -345,16 +375,37 @@ OP_METHOD=$1
case "$1" in
start) LVM_start $VOLUME
- exit $?;;
+ rc=$?
+ if [ $rc -eq $OCF_SUCCESS ]
+ then
+ rmon_notify "enabled" 300
+ fi
+ exit $rc;;
stop) LVM_stop $VOLUME
- exit $?;;
+ rc=$?
+ rmon_notify "disabled" 300
+ exit $rc;;
status) LVM_status $VOLUME $1
- exit $?;;
+ rc=$?
+ if [ $rc -eq $OCF_SUCCESS ]
+ then
+ rmon_notify "enabled" 300
+ else
+ rmon_notify "disabled" 300
+ fi
+ exit $rc;;
monitor) LVM_monitor $VOLUME
- exit $?;;
+ rc=$?
+ if [ $rc -eq $OCF_SUCCESS ]
+ then
+ rmon_notify "enabled" 300
+ else
+ rmon_notify "disabled" 300
+ fi
+ exit $rc;;
validate-all) LVM_validate_all
;;


@ -0,0 +1,37 @@
---
heartbeat/IPaddr2 | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/heartbeat/IPaddr2
+++ b/heartbeat/IPaddr2
@@ -13,6 +13,7 @@
# Copyright (c) 2003 Tuomo Soini
# Copyright (c) 2004-2006 SUSE LINUX AG, Lars Marowsky-Brée
# All Rights Reserved.
+# Copyright (c) 2014 Wind River Systems, Inc. All rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of version 2 of the GNU General Public License as
@@ -50,6 +51,7 @@
# OCF_RESKEY_nic
# OCF_RESKEY_cidr_netmask
# OCF_RESKEY_iflabel
+# OCF_RESKEY_if_type
# OCF_RESKEY_mac
# OCF_RESKEY_clusterip_hash
# OCF_RESKEY_arp_interval
@@ -314,7 +316,13 @@ ip_init() {
BASEIP="$OCF_RESKEY_ip"
BRDCAST="$OCF_RESKEY_broadcast"
- NIC="$OCF_RESKEY_nic"
+ IFTYPE="$OCF_RESKEY_if_type"
+ if [ -n "${IFTYPE}" ]
+ then
+ NIC=`grep ${IFTYPE}= /etc/platform/platform.conf | cut -f2 -d '='`
+ else
+ NIC="$OCF_RESKEY_nic"
+ fi
# Note: We had a version out there for a while which used
# netmask instead of cidr_netmask. Don't remove this aliasing code!
if
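Review bot: the lookup `grep ${IFTYPE}= /etc/platform/platform.conf | cut -f2 -d '='` is unanchored and unquoted, so it matches any line that merely contains the string (a commented-out entry, or a longer key ending in the same name), treats if_type as a regular expression, and can put several newline-separated values into NIC. Anchor and quote it, e.g. `grep -m1 "^${IFTYPE}=" ...`, and fail with $OCF_ERR_CONFIGURED when the file is missing or NIC comes back empty, because ip_init otherwise carries on with no interface.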


@ -0,0 +1,48 @@
---
heartbeat/IPaddr2 | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
--- a/heartbeat/IPaddr2
+++ b/heartbeat/IPaddr2
@@ -661,7 +661,12 @@ ip_start() {
local ip_status=`ip_served`
if [ "$ip_status" = "ok" ]; then
- exit $OCF_SUCCESS
+ if [ -n "`ip link show $NIC | grep \"state UP\"`" ]
+ then
+ exit $OCF_SUCCESS
+ else
+ exit $OCF_ERR_GENERIC
+ fi
fi
if [ -n "$IP_CIP" ] && [ $ip_status = "no" ] || [ $ip_status = "partial2" ]; then
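Review bot: `ip link show $NIC | grep "state UP"` is a text match on human-readable output with $NIC unquoted; an interface whose operstate is reported as UNKNOWN (loopback and some virtual devices do this) would make an already-served address fail start with $OCF_ERR_GENERIC. The same test is pasted into all three hunks of this patch, so a small helper (hypothetical name nic_is_up) that quotes "$NIC" and documents which states count as up would keep them consistent.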
@@ -714,7 +719,12 @@ ip_start() {
fi
;;
esac
- exit $OCF_SUCCESS
+ if [ -n "`ip link show $NIC | grep \"state UP\"`" ]
+ then
+ exit $OCF_SUCCESS
+ else
+ exit $OCF_ERR_GENERIC
+ fi
}
ip_stop() {
@@ -788,7 +798,12 @@ ip_monitor() {
local ip_status=`ip_served`
case $ip_status in
ok)
- return $OCF_SUCCESS
+ if [ -n "`ip link show $NIC | grep \"state UP\"`" ]
+ then
+ return $OCF_SUCCESS
+ else
+ return $OCF_NOT_RUNNING
+ fi
;;
partial|no|partial2)
exit $OCF_NOT_RUNNING
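Review bot: in ip_monitor the link-down case returns $OCF_NOT_RUNNING although ip_served has just reported ok, meaning the address is still configured; the two ip_start hunks use $OCF_ERR_GENERIC for the same condition. OCF_NOT_RUNNING tells the cluster manager the resource is cleanly stopped, so either use an error code here too or add a comment explaining why a down link should be treated as a clean stop.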


@ -0,0 +1,155 @@
commit 69217b67c0d018f129c7cbf526aebf0b236be701
Author: Chris Friesen <chris.friesen@windriver.com>
Date: Thu Sep 17 15:26:16 2015 -0400
CGCS-2553/CGTS-2534: tweak LVM success criteria
It turns out that activating an LVM LV which has a snapshot (or activating
the snapshot) will take an amount of time that is proportional to the
delta between the snapshot and the original volume.
Because of this it's possible that running "vgchange" could take a long
time, since it also activates the LVs.
If this happens, rather than timeout the whole script we want to log which
LVs/snapshots havn't yet been activated, and then just continue on.
Accordingly, we want to set the internal timeout in the "start" operation
to something less than the timeout for the "start" action.
There will be corresponding changes in cinder to properly handle this case.
diff --git a/heartbeat/LVM b/heartbeat/LVM
index bd1a47a..24b0244 100755
--- a/heartbeat/LVM
+++ b/heartbeat/LVM
@@ -186,6 +186,81 @@ LVM_monitor() {
}
#
+# Activate one volume explicitly.
+#
+activate_volume() {
+ ocf_run lvchange $1 /dev/${2}/$3
+ if [ $? -eq 0 ] ; then
+ ocf_log info "Succesfully activated $LV."
+ else
+ ocf_log err "Problem activating $LV."
+ fi
+}
+
+#
+# Kick off parallel activation of all volumes
+#
+activate_all_volumes() {
+ VG=$1
+ shift
+ lvchange_args="$*"
+
+ # Get the list of volumes, without the first line which is column headings.
+ VOLS=`lvs $VG |tail -n +2`
+
+ while read -r LINE; do
+ # Convert the line into an array.
+ LINE_ARRAY=($LINE)
+
+ # First array element is the volume/snapshot name.
+ LV=${LINE_ARRAY[0]}
+
+ # Third array element is the attributes.
+ ATTR=${LINE_ARRAY[2]}
+
+ # Fifth character in the attributes is "a" if it's active.
+ ACTIVE=${ATTR:4:1}
+ if [ "$ACTIVE" == "a" ]; then
+ ocf_log info "$LV is already active."
+ continue
+ fi
+
+ SNAPSHOT_ORIGIN=${LINE_ARRAY[4]}
+ if [ "$SNAPSHOT_ORIGIN" != "" ] ; then
+ # If this is a snapshot, don't activate it.
+ continue
+ fi
+
+ ( activate_volume "$*" $VG $LV ) &
+ done <<< "$VOLS"
+}
+
+#
+# Scan for inactive volumes and log any that are found.
+#
+log_inactive_volumes() {
+ # Get the list of volumes, without the first line which is column headings.
+ VOLS=`lvs $1 |tail -n +2`
+
+ while read -r LINE; do
+ # Convert the line into an array.
+ LINE_ARRAY=($LINE)
+
+ # First array element is the volume/snapshot name.
+ LV=${LINE_ARRAY[0]}
+
+ # Third array element is the attributes.
+ ATTR=${LINE_ARRAY[2]}
+
+ # Fifth character in the attributes is "a" if it's active.
+ ACTIVE=${ATTR:4:1}
+ if [ "$ACTIVE" != "a" ]; then
+ ocf_log err "Volume $LV is not active after expiry of timeout."
+ fi
+ done <<< "$VOLS"
+}
+
+#
# Enable LVM volume
#
LVM_start() {
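Review bot: activate_all_volumes picks columns out of the default `lvs` output by position (`${LINE_ARRAY[2]}`, `${LINE_ARRAY[4]}`), but empty columns collapse under word splitting, so index 4 is whichever optional column happens to be filled first and not necessarily the snapshot origin; any such LV is silently skipped as a snapshot. Ask lvs for exactly the fields needed, e.g. `lvs --noheadings -o lv_name,lv_attr,origin $VG`, and parse that in both loops. Also, lvchange_args is assigned but never used, activate_volume logs the caller's $LV instead of its own $3, and the backgrounded subshells are never waited for.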
@@ -218,7 +293,47 @@ LVM_start() {
vgchange_options="$vgchange_options --monitor y"
fi
- ocf_run vgchange $vgchange_options $1 || return $OCF_ERR_GENERIC
+ # Kick off activation of all volumes. If it doesn't complete within
+ # the timeout period, then we'll log the not-yet-activated volumes and
+ # continue on.
+ (ocf_run vgchange $vgchange_options $1) & PID=$!
+
+ # Check every second for up to TIMEOUT seconds whether the vgchange has
+ # completed.
+ TIMEOUT=300
+ TIMED_OUT=true
+ SECONDS=0;
+ PARALLEL_ACTIVATE_DELAY=10
+ PARALLEL_ACTIVATE_DONE=false
+ while [ $SECONDS -lt $TIMEOUT ] ; do
+ kill -0 $PID &> /dev/null
+ if [ $? -eq 1 ] ; then
+ # process with pid of $PID doesn't exist, vgchange command completed
+ TIMED_OUT=false
+ break
+ fi
+ if [ $SECONDS -ge $PARALLEL_ACTIVATE_DELAY ] && \
+ [ "$PARALLEL_ACTIVATE_DONE" != true ] && \
+ [ "$1" == "cinder-volumes" ] ; then
+ # This will kick off parallel activation of all LVs in the VG.
+ # The delay is to ensure the VG is activated first.
+ PARALLEL_ACTIVATE_DONE=true
+ ocf_log info Explicitly activating all volumes in $1 with: $vgchange_options
+ activate_all_volumes $1 $vgchange_options
+ fi
+ sleep 1
+ done
+
+ if [ "$TIMED_OUT" = true ] ; then
+ ocf_log err "Timed out running ocf_run vgchange $vgchange_options $1"
+ log_inactive_volumes $1
+ else
+ # Child process completed, get its status.
+ wait $PID
+ if [ $? -ne 0 ] ; then
+ return $OCF_ERR_GENERIC
+ fi
+ fi
if LVM_status $1; then
: OK Volume $1 activated just fine!
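Review bot: TIMEOUT=300 is hard-coded, while the commit message says the internal timeout must be less than the timeout of the start action; nothing in this hunk ties the two together, so a start action configured with 300 s or less is killed before the log-and-continue path runs. Derive it from the action timeout the cluster manager passes in (OCF_RESKEY_CRM_meta_timeout, in milliseconds, under Pacemaker) minus a margin. On the timeout path the function also goes on to LVM_status while the background vgchange is still running, and the VG name "cinder-volumes" is hard-coded in the parallel-activation condition; both deserve at least a comment.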


@ -0,0 +1,52 @@
---
heartbeat/ocf-returncodes | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
--- a/heartbeat/ocf-returncodes
+++ b/heartbeat/ocf-returncodes
@@ -5,6 +5,7 @@
# Copyright (c) 2004 SUSE LINUX AG, Andrew Beekhof
# All Rights Reserved.
#
+# Copyright (c) 2014 Wind River Systems, Inc. All rights reserved.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
@@ -53,3 +54,37 @@ OCF_NOT_RUNNING=7
#
OCF_RUNNING_MASTER=8
OCF_FAILED_MASTER=9
+
+# Non-standard values particular to Wind River deployments.
+#
+# OCF does not include the concept of data sync states for master/slave
+# resources.
+#
+# OCF_DATA_INCONSISTENT:
+# The resource's data is not useable.
+#
+# OCF_DATA_OUTDATED:
+# The resource's data is consistent, but a peer with more recent data
+# has been seen.
+#
+# OCF_DATA_CONSISTENT:
+# The resource's data is consistent, but it is unsure that this is the
+# most recent data.
+#
+# OCF_SYNC:
+# The resource is syncing data.
+#
+# OCF_STANDALONE:
+# The resource is operating as standalone. No peer is available or
+# syncing is not possible (i.e. split brain fencing).
+#
+OCF_DATA_INCONSISTENT=32
+OCF_DATA_OUTDATED=33
+OCF_DATA_CONSISTENT=34
+OCF_DATA_SYNC=35
+OCF_DATA_STANDALONE=36
+OCF_RUNNING_MASTER_DATA_INCONSISTENT=37
+OCF_RUNNING_MASTER_DATA_OUTDATED=38
+OCF_RUNNING_MASTER_DATA_CONSISTENT=39
+OCF_RUNNING_MASTER_DATA_SYNC=40
+OCF_RUNNING_MASTER_DATA_STANDALONE=41
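Review bot: the comment block documents OCF_SYNC and OCF_STANDALONE, but the variables actually defined are OCF_DATA_SYNC=35 and OCF_DATA_STANDALONE=36, and the five OCF_RUNNING_MASTER_DATA_* codes (37 to 41) have no description at all. Rename the two comment entries to match the variables and add a line explaining that 37 to 41 are the master-role counterparts of 32 to 36, if that is the intent.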


@ -0,0 +1,18 @@
---
heartbeat/ocf-shellfuncs.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/heartbeat/ocf-shellfuncs.in
+++ b/heartbeat/ocf-shellfuncs.in
@@ -174,9 +174,9 @@ hadate() {
set_logtag() {
if [ -z "$HA_LOGTAG" ]; then
if [ -n "$OCF_RESOURCE_INSTANCE" ]; then
- HA_LOGTAG="$__SCRIPT_NAME($OCF_RESOURCE_INSTANCE)[$$]"
+ HA_LOGTAG="OCF_$__SCRIPT_NAME($OCF_RESOURCE_INSTANCE)[$$]"
else
- HA_LOGTAG="$__SCRIPT_NAME[$$]"
+ HA_LOGTAG="OCF_$__SCRIPT_NAME[$$]"
fi
fi
}


@ -0,0 +1,77 @@
Index: resource-agents-3.9.5/heartbeat/pgsql
===================================================================
--- resource-agents-3.9.5.orig/heartbeat/pgsql
+++ resource-agents-3.9.5/heartbeat/pgsql
@@ -38,6 +38,7 @@ get_pgsql_param() {
OCF_RESKEY_pgctl_default=/usr/bin/pg_ctl
OCF_RESKEY_psql_default=/usr/bin/psql
OCF_RESKEY_pgdata_default=/var/lib/pgsql/data
+OCF_RESKEY_pgconf_default=/etc/postgresql
OCF_RESKEY_pgdba_default=postgres
OCF_RESKEY_pghost_default=""
OCF_RESKEY_pgport_default=5432
@@ -67,10 +68,11 @@ OCF_RESKEY_stop_escalate_in_slave_defaul
: ${OCF_RESKEY_pgctl=${OCF_RESKEY_pgctl_default}}
: ${OCF_RESKEY_psql=${OCF_RESKEY_psql_default}}
: ${OCF_RESKEY_pgdata=${OCF_RESKEY_pgdata_default}}
+: ${OCF_RESKEY_pgconf=${OCF_RESKEY_pgconf_default}}
: ${OCF_RESKEY_pgdba=${OCF_RESKEY_pgdba_default}}
: ${OCF_RESKEY_pghost=${OCF_RESKEY_pghost_default}}
: ${OCF_RESKEY_pgport=${OCF_RESKEY_pgport_default}}
-: ${OCF_RESKEY_config=${OCF_RESKEY_pgdata}/postgresql.conf}
+: ${OCF_RESKEY_config=${OCF_RESKEY_pgconf}/postgresql.conf}
: ${OCF_RESKEY_start_opt=${OCF_RESKEY_start_opt_default}}
: ${OCF_RESKEY_pgdb=${OCF_RESKEY_pgdb_default}}
: ${OCF_RESKEY_logfile=${OCF_RESKEY_logfile_default}}
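Review bot: the default for OCF_RESKEY_config changes from ${OCF_RESKEY_pgdata}/postgresql.conf to ${OCF_RESKEY_pgconf}/postgresql.conf, and pgconf defaults to /etc/postgresql, so any existing resource that sets pgdata but not config now looks for its configuration file in a different directory. Defaulting pgconf to the value of pgdata would keep the old behaviour for everyone who does not set the new parameter.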
@@ -166,6 +168,14 @@ Path to PostgreSQL data directory.
<content type="string" default="${OCF_RESKEY_pgdata_default}" />
</parameter>
+<parameter name="pgconf" unique="0" required="0">
+<longdesc lang="en">
+Path to PostgreSQL config directory.
+</longdesc>
+<shortdesc lang="en">pgconf</shortdesc>
+<content type="string" default="${OCF_RESKEY_pgconf_default}" />
+</parameter>
+
<parameter name="pgdba" unique="0" required="0">
<longdesc lang="en">
User that owns PostgreSQL.
@@ -220,7 +230,7 @@ SQL script that will be used for monitor
Path to the PostgreSQL configuration file for the instance.
</longdesc>
<shortdesc lang="en">Configuration file</shortdesc>
-<content type="string" default="${OCF_RESKEY_pgdata}/postgresql.conf" />
+<content type="string" default="${OCF_RESKEY_pgconf}/postgresql.conf" />
</parameter>
<parameter name="pgdb" unique="0" required="0">
@@ -475,6 +485,12 @@ pgsql_real_start() {
local postgres_options
local rc
+ # WRS: Create an unversioned symlink under /var/run so SM can easily
+ # find the PID file.
+ if [ ! -h $PIDFILE_SYMLINK ]; then
+ /bin/ln -s $PIDFILE $PIDFILE_SYMLINK
+ fi
+
if pgsql_status; then
ocf_log info "PostgreSQL is already running. PID=`cat $PIDFILE`"
if is_replication; then
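Review bot: the symlink is only created when $PIDFILE_SYMLINK is not already a symlink, so a link left over from a run with a different pgdata keeps pointing at the old postmaster.pid, and a regular file at that path makes ln fail with the result ignored. `ln -sfn "$PIDFILE" "$PIDFILE_SYMLINK"` (quoted) replaces a stale link. The fixed name /var/run/postmaster.pid also means two pgsql resources on one node would share one link, which should be documented if only one instance is supported.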
@@ -1717,12 +1733,12 @@ then
exit $OCF_ERR_GENERIC
fi
-
PIDFILE=${OCF_RESKEY_pgdata}/postmaster.pid
+PIDFILE_SYMLINK=/var/run/postmaster.pid
BACKUPLABEL=${OCF_RESKEY_pgdata}/backup_label
RESOURCE_NAME=`echo $OCF_RESOURCE_INSTANCE | cut -d ":" -f 1`
PGSQL_WAL_RECEIVER_STATUS_ATTR="${RESOURCE_NAME}-receiver-status"
-RECOVERY_CONF=${OCF_RESKEY_pgdata}/recovery.conf
+RECOVERY_CONF=${OCF_RESKEY_pgconf}/recovery.conf
NODENAME=`uname -n | tr '[A-Z]' '[a-z]'`
if is_replication; then
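Review bot: RECOVERY_CONF now points into ${OCF_RESKEY_pgconf}, but PostgreSQL releases that use recovery.conf read it from the data directory, so with the new default of /etc/postgresql a file written there is not seen by the server unless something links it into pgdata. PIDFILE and BACKUPLABEL on the neighbouring lines stay under pgdata; either keep RECOVERY_CONF there as well or add a comment describing how the file reaches the data directory.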


@ -0,0 +1,17 @@
---
heartbeat/Filesystem | 4 ++++
1 file changed, 4 insertions(+)
--- a/heartbeat/Filesystem
+++ b/heartbeat/Filesystem
@@ -727,6 +727,10 @@ signal_processes() {
}
try_umount() {
local SUB=$1
+
+ # We need to ensure we umount in namespaces, too
+ /usr/sbin/umount-in-namespace $SUB
+
$UMOUNT $umount_force $SUB
list_mounts | grep -q " $SUB " >/dev/null 2>&1 || {
ocf_log info "unmounted $SUB successfully"
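Review bot: /usr/sbin/umount-in-namespace is called unconditionally with $SUB unquoted and its exit status ignored, so on a node without the helper every try_umount pass produces a command-not-found error, and a mount point containing whitespace is split into several arguments. Guard the call with `[ -x /usr/sbin/umount-in-namespace ]` the way the RMON patch guards its notifier, quote "$SUB", and log a non-zero status.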

6
dpkg/.gitignore vendored Normal file

@ -0,0 +1,6 @@
!.distro
.distro/centos7/rpmbuild/RPMS
.distro/centos7/rpmbuild/SRPMS
.distro/centos7/rpmbuild/BUILD
.distro/centos7/rpmbuild/BUILDROOT
.distro/centos7/rpmbuild/SOURCES/dpkg*tar.gz

4
dpkg/README Normal file

@ -0,0 +1,4 @@
Many Titanium Cloud init services are using start-stop-daemon. It's not available under
centos. Just pull it from dpkg but don't install everything.
Source: http://ftp.de.debian.org/debian/pool/main/d/dpkg/


@ -0,0 +1,2 @@
COPY_LIST="$CGCS_BASE/downloads/dpkg_1.18.24.tar.xz"
TIS_PATCH_VER=1

43
dpkg/centos/dpkg.spec Normal file

@ -0,0 +1,43 @@
Summary: dpkg
Name: dpkg
Version: 1.18.24
Release: 0%{?_tis_dist}.%{tis_patch_ver}
License: GPLv2 and GPLv2+ and LGPLv2+ and Public Domain and BSD
Group: base
Packager: Wind River <info@windriver.com>
URL: unknown
Source0: %{name}_%{version}.tar.xz
BuildRequires: gcc
BuildRequires: gcc-c++
BuildRequires: ncurses-static
BuildRequires: perl-version
%description
dpkg
%define local_bindir /usr/bin/
%prep
%setup
%build
./configure --prefix=$RPM_BUILD_ROOT \
--disable-dselect \
--disable-update-alternatives \
--without-liblzma
make -j"%(nproc)"
%install
# Don't install everything, it's too dangerous
# make install
install -d -m 755 %{buildroot}%{local_bindir}
install -p -D -m 700 utils/start-stop-daemon %{buildroot}%{local_bindir}/start-stop-daemon
%clean
rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root,-)
%{local_bindir}/*
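Review bot: `./configure --prefix=$RPM_BUILD_ROOT` in %build uses the build root as the install prefix, so any path the build compiles in is derived from the temporary build root rather than from the target system; configure with the real prefix (e.g. --prefix=/usr) and leave staging to %install, which already copies utils/start-stop-daemon by hand. Separately, the README names a plain-http Debian mirror as the source and nothing in the spec records a checksum for dpkg_1.18.24.tar.xz; `URL: unknown` could carry that upstream location. Mode 700 on start-stop-daemon should be confirmed as intended, since only root will be able to run it.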


@ -0,0 +1,4 @@
COPY_LIST="$FILES_BASE/* \
$DISTRO/patches/* \
$CGCS_BASE/downloads/drbd-8.4.3.tar.gz"
TIS_PATCH_VER=6

407
drbd-tools/centos/drbd.spec Normal file

@ -0,0 +1,407 @@
# Define init script directory. %{_initddir} is available from Fedora
# 9 forward; CentOS knows 5 only %{_initrddir}. Neither are known to
# autoconf...
%{!?_initddir: %{expand: %%global _initddir %{_initrddir}}}
# Compatibility macro wrappers for legacy RPM versions that do not
# support conditional builds
%{!?bcond_without: %{expand: %%global bcond_without() %%{expand:%%%%{!?_without_%%{1}:%%%%global with_%%{1} 1}}}}
%{!?bcond_with: %{expand: %%global bcond_with() %%{expand:%%%%{?_with_%%{1}:%%%%global with_%%{1} 1}}}}
%{!?with: %{expand: %%global with() %%{expand:%%%%{?with_%%{1}:1}%%%%{!?with_%%{1}:0}}}}
%{!?without: %{expand: %%global without() %%{expand:%%%%{?with_%%{1}:0}%%%%{!?with_%%{1}:1}}}}
# Conditionals
# Invoke "rpmbuild --without <feature>" or "rpmbuild --with <feature>"
# to disable or enable specific features
%bcond_without udev
%bcond_without pacemaker
%bcond_with rgmanager
%bcond_without heartbeat
# conditionals may not contain "-" nor "_", hence "bashcompletion"
%bcond_without bashcompletion
# --with xen is ignored on any non-x86 architecture
%bcond_without xen
%bcond_without legacy_utils
#%ifnarch %{ix86} x86_64
%global _without_xen --without-xen
#%endif
Name: drbd
Summary: DRBD driver for Linux
Version: 8.4.3
Release: 0%{?_tis_dist}.%{tis_patch_ver}
Source: http://oss.linbit.com/%{name}/8.3/%{name}-%{version}.tar.gz
Source1: drbd.service
# WRS
Patch0001: 0001-skip_wait_con_int_on_simplex.patch
Patch0002: 0002-drbd-conditional-crm-dependency.patch
Patch0003: 0003-drbd_report_condition.patch
Patch0004: 0004-drbdadm-ipaddr-change.patch
Patch0005: 0005-drbd_reconnect_standby_standalone.patch
Patch0006: 0006-avoid-kernel-userspace-version-check.patch
Patch0007: 0007-Update-OCF-to-attempt-connect-in-certain-states.patch
Patch0008: 0008-Increase-short-cmd-timeout-to-15-secs.patch
License: GPLv2+
ExclusiveOS: linux
Group: System Environment/Kernel
URL: http://www.drbd.org/
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
BuildRequires: flex
Requires: %{name}-utils = %{version}
%if %{with udev}
Requires: %{name}-udev = %{version}
BuildRequires: udev
%endif
%if %{with pacemaker}
Requires: %{name}-pacemaker = %{version}
%endif
## %if %{with rgmanager}
## ## No.
## ## We don't want to annoy the majority of our userbase on pacemaker
## ## by pulling in the full rgmanager stack via drbd-rgmanager as well.
## Requires: %{name}-rgmanager = %{version}
## %endif
%if %{with heartbeat}
Requires: %{name}-heartbeat = %{version}
%endif
%if %{with bashcompletion}
Requires: %{name}-bash-completion = %{version}
%endif
BuildRequires: systemd-devel
%description
DRBD mirrors a block device over the network to another machine.
Think of it as networked raid 1. It is a building block for
setting up high availability (HA) clusters.
This is a virtual package, installing the full DRBD userland suite.
# Just a few docs go into the "drbd" package. Everything else is part
# of one of the drbd-* packages.
%files
%defattr(-,root,root,-)
%doc COPYING
%doc ChangeLog
%doc README
%package utils
Summary: Management utilities for DRBD
Group: System Environment/Kernel
# We used to have one monolithic userland package.
# Since all other packages require drbd-utils,
# it should be sufficient to add the conflict here.
Conflicts: drbd < 8.3.6
# These exist in centos extras:
Conflicts: drbd82 drbd83
Requires(post): chkconfig
Requires(preun): chkconfig
%description utils
DRBD mirrors a block device over the network to another machine.
Think of it as networked raid 1. It is a building block for
setting up high availability (HA) clusters.
This packages includes the DRBD administration tools.
%files utils
%defattr(755,root,root,-)
/sbin/drbdsetup
/sbin/drbdadm
/sbin/drbdmeta
%if %{with legacy_utils}
%dir /lib/drbd/
/lib/drbd/drbdsetup-83
/lib/drbd/drbdadm-83
%endif
%{_initddir}/%{name}
%attr(644,root,root) %{_unitdir}/%{name}.service
%{_sbindir}/drbd-overview
%dir %{_prefix}/lib/%{name}
%{_prefix}/lib/%{name}/outdate-peer.sh
%{_prefix}/lib/%{name}/snapshot-resync-target-lvm.sh
%{_prefix}/lib/%{name}/unsnapshot-resync-target-lvm.sh
%{_prefix}/lib/%{name}/notify-out-of-sync.sh
%{_prefix}/lib/%{name}/notify-split-brain.sh
%{_prefix}/lib/%{name}/notify-emergency-reboot.sh
%{_prefix}/lib/%{name}/notify-emergency-shutdown.sh
%{_prefix}/lib/%{name}/notify-io-error.sh
%{_prefix}/lib/%{name}/notify-pri-lost-after-sb.sh
%{_prefix}/lib/%{name}/notify-pri-lost.sh
%{_prefix}/lib/%{name}/notify-pri-on-incon-degr.sh
%{_prefix}/lib/%{name}/notify.sh
%defattr(-,root,root,-)
%dir %{_var}/lib/%{name}
%config(noreplace) %attr(640, root, root) %{_sysconfdir}/drbd.conf
%dir %attr(740, root, root) %{_sysconfdir}/drbd.d
%config(noreplace) %{_sysconfdir}/drbd.d/global_common.conf
%{_mandir}/man8/drbd.8.*
%{_mandir}/man8/drbdsetup.8.*
%{_mandir}/man8/drbdadm.8.*
%{_mandir}/man5/drbd.conf.5.*
%{_mandir}/man8/drbdmeta.8.*
%doc scripts/drbd.conf.example
%doc COPYING
%doc ChangeLog
%doc README
%if %{with udev}
%package udev
Summary: udev integration scripts for DRBD
Group: System Environment/Kernel
Requires: %{name}-utils = %{version}-%{release}, udev
%description udev
This package contains udev helper scripts for DRBD, managing symlinks to
DRBD devices in /dev/drbd/by-res and /dev/drbd/by-disk.
%files udev
%defattr(-,root,root,-)
%config(noreplace) %{_sysconfdir}/udev/rules.d/65-drbd.rules*
%endif # with udev
%if %{with pacemaker}
%package pacemaker
Summary: Pacemaker resource agent for DRBD
Group: System Environment/Base
Requires: %{name}-utils = %{version}-%{release}
License: GPLv2
%description pacemaker
This package contains the master/slave DRBD resource agent for the
Pacemaker High Availability cluster manager.
%files pacemaker
%defattr(755,root,root,-)
%{_prefix}/lib/%{name}/crm-fence-peer.sh
%{_prefix}/lib/%{name}/crm-unfence-peer.sh
%{_prefix}/lib/%{name}/stonith_admin-fence-peer.sh
%{_prefix}/lib/ocf/resource.d/linbit/drbd
%endif # with pacemaker
# Dependencies for drbd-rgmanager are particularly awful. On RHEL 5
# and prior (and corresponding Fedora releases), %{_datadir}/cluster
# was owned by rgmanager version 2, so we have to depend on that.
#
# With Red Hat Cluster 3.0.1 (around Fedora 12), the DRBD resource
# agent was merged in, and it became part of the resource-agents 3
# package (which of course is different from resource-agents on all
# other platforms -- go figure). So for resource-agents >= 3, we must
# generally conflict.
#
# Then for RHEL 6, Red Hat in all their glory decided to keep the
# packaging scheme, but kicked DRBD out of the resource-agents
# package. Thus, for RHEL 6 specifically, we must not conflict with
# resource-agents >=3, but instead require it.
#
# The saga continues:
# In RHEL 6.1 they have listed the drbd resource agent as valid agent,
# but do not include it in their resource-agents package. -> So we
# drop any dependency regarding rgmanager's version.
#
# All of this for exactly two (2) files.
%if %{with rgmanager}
%package rgmanager
Summary: Red Hat Cluster Suite agent for DRBD
Group: System Environment/Base
Requires: %{name}-utils = %{version}-%{release}
%description rgmanager
This package contains the DRBD resource agent for the Red Hat Cluster Suite
resource manager.
As of Red Hat Cluster Suite 3.0.1, the DRBD resource agent is included
in the Cluster distribution.
%files rgmanager
%defattr(755,root,root,-)
%{_datadir}/cluster/drbd.sh
%{_prefix}/lib/%{name}/rhcs_fence
%defattr(-,root,root,-)
%{_datadir}/cluster/drbd.metadata
%endif # with rgmanager
%if %{with heartbeat}
%package heartbeat
Summary: Heartbeat resource agent for DRBD
Group: System Environment/Base
Requires: %{name}-utils = %{version}-%{release}
License: GPLv2
%description heartbeat
This package contains the DRBD resource agents for the Heartbeat cluster
resource manager (in v1 compatibility mode).
%files heartbeat
%defattr(755,root,root,-)
%{_sysconfdir}/ha.d/resource.d/drbddisk
%{_sysconfdir}/ha.d/resource.d/drbdupper
%defattr(-,root,root,-)
%{_mandir}/man8/drbddisk.8.*
%endif # with heartbeat
%if %{with bashcompletion}
%package bash-completion
Summary: Programmable bash completion support for drbdadm
Group: System Environment/Base
Requires: %{name}-utils = %{version}-%{release}
%description bash-completion
This package contains programmable bash completion support for the drbdadm
management utility.
%files bash-completion
%defattr(-,root,root,-)
%config(noreplace) %{_sysconfdir}/bash_completion.d/drbdadm*
%endif # with bashcompletion
%prep
%setup -q
%patch0001 -p1
%patch0002 -p1
%patch0003 -p1
%patch0004 -p1
%patch0005 -p1
%patch0006 -p1
%patch0007 -p1
%patch0008 -p1
%build
%configure \
--with-utils \
--without-km \
%{?_without_udev} \
%{?_without_xen} \
%{?_without_pacemaker} \
%{?_without_heartbeat} \
%{?_with_rgmanager} \
%{?_without_bashcompletion} \
%{?_without_legacy_utils} \
--with-initdir=%{_initddir}
make %{?_smp_mflags}
%install
rm -rf %{buildroot}
make install DESTDIR=%{buildroot}
install -m 755 -d %{buildroot}%{_unitdir}
install -m 644 -p -D %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
%clean
rm -rf %{buildroot}
%post utils
chkconfig --add drbd
%if %{without udev}
for i in `seq 0 15` ; do
test -b /dev/drbd$i || mknod -m 0660 /dev/drbd$i b 147 $i;
done
%endif #without udev
%preun utils
if [ $1 -eq 0 ]; then
%{_initrddir}/drbd stop >/dev/null 2>&1
/sbin/chkconfig --del drbd
fi
%changelog
* Tue Feb 5 2013 Philipp Reisner <phil@linbit.com> - 8.4.3-1
- New upstream release.
* Thu Sep 6 2012 Philipp Reisner <phil@linbit.com> - 8.4.2-1
- New upstream release.
* Tue Feb 21 2012 Lars Ellenberg <lars@linbit.com> - 8.4.1-2
- Build fix for RHEL 6 and ubuntu lucid
* Tue Dec 20 2011 Philipp Reisner <phil@linbit.com> - 8.4.1-1
- New upstream release.
* Wed Jul 15 2011 Philipp Reisner <phil@linbit.com> - 8.4.0-1
- New upstream release.
* Fri Jan 28 2011 Philipp Reisner <phil@linbit.com> - 8.3.10-1
- New upstream release.
* Fri Oct 22 2010 Philipp Reisner <phil@linbit.com> - 8.3.9-1
- New upstream release.
* Wed Jun 2 2010 Philipp Reisner <phil@linbit.com> - 8.3.8-1
- New upstream release.
* Thu Jan 13 2010 Philipp Reisner <phil@linbit.com> - 8.3.7-1
- New upstream release.
* Thu Nov 8 2009 Philipp Reisner <phil@linbit.com> - 8.3.6-1
- New upstream release.
* Thu Oct 27 2009 Philipp Reisner <phil@linbit.com> - 8.3.5-1
- New upstream release.
* Wed Oct 21 2009 Florian Haas <florian@linbit.com> - 8.3.4-12
- Packaging makeover.
* Thu Oct 6 2009 Philipp Reisner <phil@linbit.com> - 8.3.4-1
- New upstream release.
* Thu Oct 5 2009 Philipp Reisner <phil@linbit.com> - 8.3.3-1
- New upstream release.
* Fri Jul 3 2009 Philipp Reisner <phil@linbit.com> - 8.3.2-1
- New upstream release.
* Fri Mar 27 2009 Philipp Reisner <phil@linbit.com> - 8.3.1-1
- New upstream release.
* Thu Dec 18 2008 Philipp Reisner <phil@linbit.com> - 8.3.0-1
- New upstream release.
* Thu Nov 12 2008 Philipp Reisner <phil@linbit.com> - 8.2.7-1
- New upstream release.
* Fri May 30 2008 Philipp Reisner <phil@linbit.com> - 8.2.6-1
- New upstream release.
* Tue Feb 12 2008 Philipp Reisner <phil@linbit.com> - 8.2.5-1
- New upstream release.
* Fri Jan 11 2008 Philipp Reisner <phil@linbit.com> - 8.2.4-1
- New upstream release.
* Wed Jan 9 2008 Philipp Reisner <phil@linbit.com> - 8.2.3-1
- New upstream release.
* Fri Nov 2 2007 Philipp Reisner <phil@linbit.com> - 8.2.1-1
- New upstream release.
* Fri Sep 28 2007 Philipp Reisner <phil@linbit.com> - 8.2.0-1
- New upstream release.
* Mon Sep 3 2007 Philipp Reisner <phil@linbit.com> - 8.0.6-1
- New upstream release.
* Fri Aug 3 2007 Philipp Reisner <phil@linbit.com> - 8.0.5-1
- New upstream release.
* Wed Jun 27 2007 Philipp Reisner <phil@linbit.com> - 8.0.4-1
- New upstream release.
* Mon May 7 2007 Philipp Reisner <phil@linbit.com> - 8.0.3-1
- New upstream release.
* Fri Apr 6 2007 Philipp Reisner <phil@linbit.com> - 8.0.2-1
- New upstream release.
* Mon Mar 3 2007 Philipp Reisner <phil@linbit.com> - 8.0.1-1
- New upstream release.
* Wed Jan 24 2007 Philipp Reisner <phil@linbit.com> - 8.0.0-1
- New upstream release.
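Review bot: the `%ifnarch %{ix86} x86_64` / `%endif` pair around `%global _without_xen --without-xen` is commented out, so the define is unconditional and configure always receives --without-xen regardless of the `%bcond_without xen` default a few lines earlier; the comment "--with xen is ignored on any non-x86 architecture" no longer describes what happens. Either restore the conditional or drop the bcond and state that Xen support is always disabled. Also worth a look: `%dir %attr(740, root, root) %{_sysconfdir}/drbd.d` gives the group read without search permission on a directory, the Source URL is plain http under an 8.3/ path for an 8.4.3 tarball, and the WRS patches 0001 to 0008 have no %changelog entry.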


@ -0,0 +1,17 @@
[Unit]
Description=Control drbd resources.
After=network.target sshd.service
[Service]
Type=forking
Restart=no
KillMode=process
RemainAfterExit=yes
ExecStart=/etc/rc.d/init.d/drbd start
ExecStop=/etc/rc.d/init.d/drbd stop
ExecReload=/etc/rc.d/init.d/drbd reload
TimeoutSec=5min
[Install]
WantedBy=multi-user.target


@ -0,0 +1,18 @@
---
scripts/drbd | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/scripts/drbd
+++ b/scripts/drbd
@@ -185,7 +185,10 @@ case "$1" in
done
[ -d /var/lock/subsys ] && touch /var/lock/subsys/drbd # for RedHat
- $DRBDADM wait-con-int # User interruptible version of wait-connect all
+
+ if [ ! -e /etc/platform/simplex ] ; then # Skip if simplex
+ $DRBDADM wait-con-int # User interruptible version of wait-connect all
+ fi
$DRBDADM sh-b-pri all # Become primary if configured
log_end_msg 0


@ -0,0 +1,26 @@
Index: drbd-8.3.11/scripts/drbd.ocf
===================================================================
--- drbd-8.3.11.orig/scripts/drbd.ocf
+++ drbd-8.3.11/scripts/drbd.ocf
@@ -202,13 +202,17 @@ do_drbdadm() {
}
set_master_score() {
- # Use quiet mode (-Q) to quench logging. Actual score updates
- # will get logged by attrd anyway
- do_cmd ${HA_SBIN_DIR}/crm_master -Q -l reboot -v $1
+ if [ -x ${HA_SBIN_DIR}/crm_master ]; then
+ # Use quiet mode (-Q) to quench logging. Actual score updates
+ # will get logged by attrd anyway
+ do_cmd ${HA_SBIN_DIR}/crm_master -Q -l reboot -v $1
+ fi
}
remove_master_score() {
- do_cmd ${HA_SBIN_DIR}/crm_master -l reboot -D
+ if [ -x ${HA_SBIN_DIR}/crm_master ]; then
+ do_cmd ${HA_SBIN_DIR}/crm_master -l reboot -D
+ fi
}
_sh_status_process() {


@ -0,0 +1,387 @@
---
scripts/drbd | 1
scripts/drbd.ocf | 259 ++++++++++++++++++++++---------------------------------
2 files changed, 109 insertions(+), 151 deletions(-)
--- a/scripts/drbd.ocf
+++ b/scripts/drbd.ocf
@@ -5,6 +5,8 @@
#
# Copyright (c) 2009 LINBIT HA-Solutions GmbH,
# Copyright (c) 2009 Florian Haas, Lars Ellenberg
+# Copyright (c) 2014 Wind River Systems, Inc. All rights reserved.
+#
# Based on the Heartbeat drbd OCF Resource Agent by Lars Marowsky-Bree
# (though it turned out to be an almost complete rewrite)
#
@@ -216,20 +218,6 @@ do_drbdadm() {
return $ret
}
-set_master_score() {
- if [ -x ${HA_SBIN_DIR}/crm_master ]; then
- # Use quiet mode (-Q) to quench logging. Actual score updates
- # will get logged by attrd anyway
- do_cmd ${HA_SBIN_DIR}/crm_master -Q -l reboot -v $1
- fi
-}
-
-remove_master_score() {
- if [ -x ${HA_SBIN_DIR}/crm_master ]; then
- do_cmd ${HA_SBIN_DIR}/crm_master -l reboot -D
- fi
-}
-
_sh_status_process() {
# _volume not present should not happen,
# but may help make this agent work even if it talks to drbd 8.3.
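Review bot: this hunk deletes set_master_score and remove_master_score, including the `[ -x ${HA_SBIN_DIR}/crm_master ]` guards that the preceding drbd.ocf patch in this commit adds. If the functions are going away, the earlier patch is dead weight and the two could be squashed; otherwise the patch description should say why the guard is introduced and then removed.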
@@ -242,6 +230,7 @@ _sh_status_process() {
DRBD_DSTATE_LOCAL[$_volume]=${_disk:-Unconfigured}
DRBD_DSTATE_REMOTE[$_volume]=${_pdsk:-DUnknown}
}
+
drbd_set_status_variables() {
# drbdsetup sh-status prints these values to stdout,
# and then prints _sh_status_process.
@@ -322,119 +311,9 @@ maybe_outdate_self()
ocf_log notice "outdating $DRBD_RESOURCE: according to OCF_RESKEY_CRM_meta_notify_master_uname, '$host' is still master"
do_drbdadm outdate $DRBD_RESOURCE
- # on some pacemaker versions, -INFINITY may cause resource instance stop/start.
- # But in this case that is ok, it may even clear the replication link
- # problem.
- set_master_score -INFINITY
-
return 0
}
-drbd_update_master_score() {
- # NOTE
- # there may be constraint scores from rules on role=Master,
- # that in some ways can add to the node attribute based master score we
- # specify below. If you think you want to add personal preferences,
- # in case the scores given by this RA do not suffice, this is the
- # value space you can work with:
- # -INFINITY: Do not promote. Really. Won't work anyways.
- # Too bad, at least with current (Oktober 2009) Pacemaker,
- # negative master scores cause instance stop; restart cycle :(
- # missing, zero: Do not promote.
- # I think my data is not good enough.
- # Though, of course, you may try, and it might even work.
- # 5: please, do not promote, unless this is your only option.
- # 10: promotion is probably a bad idea, our local data is no good,
- # you'd probably run into severe performance problems, and risk
- # application crashes or blocking IO in case you lose the
- # replication connection.
- # 1000: Ok to be promoted, we have good data locally (though we don't
- # know about the peer, so possibly it has even better data?).
- # You sould use the crm-fence-peer.sh handler or similar
- # mechanism to avoid data divergence.
- # 10000: Please promote me/keep me Primary.
- # I'm confident that my data is as good as it gets.
- #
- # For multi volume, we need to compare who is "better" a bit more sophisticated.
- # The ${XXX[*]//UpToDate}, without being in double quotes, results in a single space,
- # if all are UpToDate.
- : == DEBUG == ${DRBD_ROLE_LOCAL[*]}/${DRBD_DSTATE_LOCAL[*]//UpToDate/ }/${DRBD_DSTATE_REMOTE[*]//UpToDate/ }/ ==
- case ${DRBD_ROLE_LOCAL[*]}/${DRBD_DSTATE_LOCAL[*]//UpToDate/ }/${DRBD_DSTATE_REMOTE[*]//UpToDate/ }/ in
- *Primary*/\ /*/)
- # I am Primary, all local disks are UpToDate
- set_master_score 10000
- ;;
- */\ /*DUnknown*/)
- # all local disks are UpToDate,
- # but I'm not Primary,
- # and I'm not sure about the peer's disk state(s).
- # We may need to outdate ourselves?
- # But if we outdate in a MONITOR, and are disconnected
- # secondary because of a hard primary crash, before CRM noticed
- # that there is no more master, we'd make us utterly useless!
- # Trust that the primary will also notice the disconnect,
- # and will place an appropriate fencing constraint via
- # its fence-peer handler callback.
- set_master_score 1000
- ;;
- */\ /*/)
- # We know something about our peer, which means that either the
- # replication link is established, or it was not even
- # consistent last time we talked to each other.
- # Also all our local disks are UpToDate, which means even if we are
- # currently synchronizing, we do so as SyncSource.
- set_master_score 10000
- ;;
-
- */*/\ /)
- # At least one of our local disks is not up to date.
- # But our peer is ALL OK.
- # We can expect to have access to useful
- # data, but must expect degraded performance.
- set_master_score 10
- ;;
- */*Attaching*/*/|\
- */*Negotiating*/*/)
- # some transitional state.
- # just don't do anything
- : ;;
-
- Unconfigured*|\
- */*Diskless*/*/|\
- */*Failed*/*/|\
- */*Inconsistent*/*/|\
- */*Outdated*/*/)
- # ALWAYS put the cluster in MAINTENANCE MODE
- # if you add a volume to a live replication group,
- # because the new volume will typically come up as Inconsistent
- # the first time, which would cause a monitor to revoke the
- # master score!
- #
- # At least some of our local disks are not really useable.
- # Our peer is not all good either (or some previous case block
- # would have matched). We have no access to useful data.
- # DRBD would refuse to be promoted, anyways.
- #
- # set_master_score -INFINITY
- # Too bad, at least with current (Oktober 2009) Pacemaker,
- # negative master scores cause instance stop; restart cycle :(
- # Hope that this will suffice.
- remove_master_score
- ;;
- *)
- # All local disks seem to be Consistent.
- # They _may_ be up to date, or not.
- # We hope that fencing mechanisms have put constraints in
- # place, so we won't be promoted with stale data.
- # But in case this was a cluster crash,
- # at least allow _someone_ to be promoted.
- set_master_score 5
- ;;
- esac
-
- return $OCF_SUCCESS
-}
-
is_drbd_enabled() {
test -f /proc/drbd
}
@@ -488,7 +367,103 @@ drbd_status() {
return $rc
}
-# I'm sorry, but there is no $OCF_DEGRADED_MASTER or similar yet.
+drbd_condition() {
+ local status
+ local rc
+
+ status=$1
+ rc=$status
+
+ if [ $status -ne $OCF_SUCCESS -a $status -ne $OCF_RUNNING_MASTER ]
+ then
+ return $rc
+ fi
+
+ drbd_set_status_variables
+
+ ocf_log info "${OCF_RESKEY_drbd_resource} ${DRBD_ROLE_LOCAL}/${DRBD_DSTATE_LOCAL}/${DRBD_DSTATE_REMOTE} ${DRBD_CSTATE}"
+
+ case "${DRBD_DSTATE_LOCAL}" in
+ UpToDate)
+ case "${DRBD_CSTATE}" in
+ StandAlone)
+ rc=$OCF_DATA_STANDALONE
+ ocf_log info "${OCF_RESKEY_drbd_resource} standalone, attempting to reconnect."
+ do_drbdadm connect ${OCF_RESKEY_drbd_resource}
+ ;;
+ StartingSyncT | WFBitMapT | WFSyncUUID | SyncTarget | \
+ PausedSyncT)
+ rc=$OCF_DATA_SYNC
+ #drbd-overview | grep -A 1 drbd-cgcs | grep sync\'ed | cut -f2,3 -d' '
+ ocf_log info "${OCF_RESKEY_drbd_resource} syncing"
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ Consistent)
+ case "${DRBD_CSTATE}" in
+ StandAlone)
+ rc=$OCF_DATA_STANDALONE
+ ocf_log info "${OCF_RESKEY_drbd_resource} standalone, attempting to reconnect"
+ do_drbdadm connect ${OCF_RESKEY_drbd_resource}
+ ;;
+ *)
+ rc=$OCF_DATA_CONSISTENT
+ ocf_log info "${OCF_RESKEY_drbd_resource} consistent"
+ ;;
+ esac
+ ;;
+ Outdated)
+ rc=$OCF_DATA_OUTDATED
+ ocf_log info "${OCF_RESKEY_drbd_resource} outdated"
+ ;;
+ *)
+ case "${DRBD_CSTATE}" in
+ StandAlone)
+ rc=$OCF_DATA_STANDALONE
+ ocf_log info "${OCF_RESKEY_drbd_resource} standalone"
+ ;;
+ StartingSyncT | WFBitMapT | WFSyncUUID | SyncTarget | \
+ PausedSyncT)
+ rc=$OCF_DATA_SYNC
+ ocf_log info "${OCF_RESKEY_drbd_resource} sync"
+ ;;
+ *)
+ rc=$OCF_DATA_INCONSISTENT
+ ocf_log info "${OCF_RESKEY_drbd_resource} inconsistent"
+ ;;
+ esac
+ ;;
+ esac
+
+ if [ $status -eq $OCF_RUNNING_MASTER ]
+ then
+ if [ $rc -eq $OCF_DATA_INCONSISTENT ]
+ then
+ rc=$OCF_RUNNING_MASTER_DATA_INCONSISTENT
+
+ elif [ $rc -eq $OCF_DATA_OUTDATED ]
+ then
+ rc=$OCF_RUNNING_MASTER_DATA_OUTDATED
+
+ elif [ $rc -eq $OCF_DATA_CONSISTENT ]
+ then
+ rc=$OCF_RUNNING_MASTER_DATA_CONSISTENT
+
+ elif [ $rc -eq $OCF_DATA_SYNC ]
+ then
+ rc=$OCF_RUNNING_MASTER_DATA_SYNC
+
+ elif [ $rc -eq $OCF_DATA_STANDALONE ]
+ then
+ rc=$OCF_RUNNING_MASTER_DATA_STANDALONE
+ fi
+ fi
+
+ return $rc
+}
+
drbd_monitor() {
local status
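Review bot: `drbd_condition` branches on `${DRBD_DSTATE_LOCAL}` as a scalar, but `_sh_status_process` fills `DRBD_DSTATE_LOCAL[$_volume]` per volume, so on a multi-volume resource only index 0 is examined and an Outdated or Inconsistent later volume is not reflected in the return code; the removed `drbd_update_master_score` matched on `${DRBD_DSTATE_LOCAL[*]}` for that reason. The function also calls `do_drbdadm connect` from what is otherwise a status query, so every monitor in StandAlone state changes cluster state; say so in a comment or move the reconnect out of the probe. The `OCF_DATA_*` and `OCF_RUNNING_MASTER_DATA_*` codes are not defined anywhere in this patch, so document where they come from, and drop the commented-out `drbd-overview` line.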
@@ -501,7 +476,8 @@ drbd_monitor() {
drbd_status
status=$?
- drbd_update_master_score
+ drbd_condition $status
+ status=$?
return $status
}
@@ -578,7 +554,8 @@ drbd_start() {
# "running" already, anyways, right?
figure_out_drbd_peer_uname
do_drbdadm $DRBD_TO_PEER adjust $DRBD_RESOURCE
- rc=$OCF_SUCCESS
+ drbd_condition $OCF_SUCCESS
+ rc=$?
break
;;
$OCF_NOT_RUNNING)
@@ -606,9 +583,6 @@ drbd_start() {
$first_try || sleep 1
first_try=false
done
- # in case someone does not configure monitor,
- # we must at least call it once after start.
- drbd_update_master_score
return $rc
}
@@ -642,7 +616,8 @@ drbd_promote() {
break
;;
$OCF_RUNNING_MASTER)
- rc=$OCF_SUCCESS
+ drbd_condition $OCF_SUCCESS
+ rc=$?
break
esac
$first_try || sleep 1
@@ -666,7 +641,8 @@ drbd_demote() {
status=$?
case "$status" in
$OCF_SUCCESS)
- rc=$OCF_SUCCESS
+ drbd_condition $OCF_SUCCESS
+ rc=$?
break
;;
$OCF_NOT_RUNNING)
@@ -718,14 +694,9 @@ drbd_stop() {
# outdate myself in drbd on-disk meta data.
maybe_outdate_self
- # do not let old master scores laying around.
- # they may confuse crm if this node was set to standby.
- remove_master_score
-
return $rc
}
-
drbd_notify() {
local n_type=$OCF_RESKEY_CRM_meta_notify_type
local n_op=$OCF_RESKEY_CRM_meta_notify_operation
@@ -760,7 +731,6 @@ drbd_notify() {
# After something has been done is a good time to
# recheck our status:
drbd_set_status_variables
- drbd_update_master_score
: == DEBUG == ${DRBD_DSTATE_REMOTE[*]} ==
case ${DRBD_DSTATE_REMOTE[*]} in
@@ -793,17 +763,6 @@ ls_stat_is_block_maj_147() {
[[ $1 = b* ]] && [[ $5 == 147,* ]]
}
-check_crm_feature_set()
-{
- set -- ${OCF_RESKEY_crm_feature_set//[!0-9]/ }
- local a=${1:-0} b=${2:-0} c=${3:-0}
-
- (( a > 3 )) ||
- (( a == 3 && b > 0 )) ||
- (( a == 3 && b == 0 && c > 0 )) ||
- ocf_log warn "You may be disappointed: This RA is intended for pacemaker 1.0 or better!"
-}
-
drbd_validate_all () {
DRBDADM="drbdadm"
DRBDSETUP="drbdsetup"
@@ -821,7 +780,6 @@ drbd_validate_all () {
if (( $DRBDADM_VERSION_CODE >= 0x080400 )); then
DRBD_HAS_MULTI_VOLUME=true
fi
- check_crm_feature_set
# Check clone and M/S options.
meta_expect clone-max -le 2
@@ -890,7 +848,6 @@ drbd_validate_all () {
# hm. probably misconfigured constraint somewhere.
# sorry. don't retry anywhere.
ocf_log err "DRBD resource ${DRBD_RESOURCE} not found in configuration file ${OCF_RESKEY_drbdconf}."
- remove_master_score
return $OCF_ERR_INSTALLED
fi
fi
--- a/scripts/drbd
+++ b/scripts/drbd
@@ -4,6 +4,7 @@
# description: Loads and unloads the drbd module
#
# Copyright 2001-2010 LINBIT
+# Copyright (c) 2014 Wind River Systems, Inc. All rights reserved.
#
# Philipp Reisner, Lars Ellenberg
#

View File

@ -0,0 +1,132 @@
Index: git/user/drbdadm_adjust.c
===================================================================
--- git.orig/user/drbdadm_adjust.c
+++ git/user/drbdadm_adjust.c
@@ -157,6 +157,7 @@ static int opts_equal(struct context_def
static int addr_equal(struct d_resource* conf, struct d_resource* running)
{
int equal;
+ char *peer_addr, *peer_af, *peer_port;
if (conf->peer == NULL && running->peer == NULL) return 1;
if (running->peer == NULL) return 0;
@@ -165,16 +166,29 @@ static int addr_equal(struct d_resource*
!strcmp(conf->me->port, running->me->port) &&
!strcmp(conf->me->address_family, running->me->address_family);
- if(conf->me->proxy)
- equal = equal &&
- !strcmp(conf->me->proxy->inside_addr, running->peer->address) &&
- !strcmp(conf->me->proxy->inside_port, running->peer->port) &&
- !strcmp(conf->me->proxy->inside_af, running->peer->address_family);
- else
- equal = equal && conf->peer &&
- !strcmp(conf->peer->address, running->peer->address) &&
- !strcmp(conf->peer->port, running->peer->port) &&
- !strcmp(conf->peer->address_family, running->peer->address_family);
+ if(conf->me->proxy) {
+ peer_addr = conf->me->proxy->inside_addr;
+ peer_port = conf->me->proxy->inside_port;
+ peer_af = conf->me->proxy->inside_af;
+ } else {
+ peer_addr = conf->peer->address;
+ peer_port = conf->peer->port;
+ peer_af = conf->peer->address_family;
+ }
+
+ equal = equal && conf->peer &&
+ !strcmp(peer_addr, running->peer->address) &&
+ !strcmp(peer_port, running->peer->port) &&
+ !strcmp(peer_af, running->peer->address_family);
+
+ if (verbose > 2)
+ fprintf(stderr, "Network addresses differ:\n"
+ "\trunning: %s:%s:%s -- %s:%s:%s\n"
+ "\t config: %s:%s:%s -- %s:%s:%s\n",
+ running->me->address_family, running->me->address, running->me->port,
+ running->peer->address_family, running->peer->address, running->peer->port,
+ conf->me->address_family, conf->me->address, conf->me->port,
+ peer_af, peer_addr, peer_port);
return equal;
}
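Review bot: in the new `else` branch `conf->peer->address` is read before the `conf->peer &&` test that used to guard it. The early returns above only cover "both peers NULL" and `running->peer == NULL`, so a config without a peer while the running state still has one now dereferences NULL instead of returning 0. Test `conf->peer` before the assignments, for example by returning 0 when there is neither a proxy nor a peer. The `verbose > 2` block also prints "Network addresses differ" whatever the value of `equal`; gate it on `!equal`.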
@@ -690,8 +704,7 @@ int adm_adjust(struct cfg_ctx *ctx)
if (ctx->res->me->proxy && can_do_proxy)
do_connect |= proxy_reconf(ctx, running);
- if (do_connect && running)
- do_disconnect = running->net_options != NULL;
+ do_disconnect = do_connect && running && (running->peer || running->net_options);
if (do_res_options)
schedule_deferred_cmd(adm_set_default_res_options, ctx, "resource-options", CFG_RESOURCE);
@@ -716,8 +729,12 @@ int adm_adjust(struct cfg_ctx *ctx)
}
if (do_connect) {
- if (do_disconnect && ctx->res->peer)
- schedule_deferred_cmd(adm_disconnect, ctx, "disconnect", CFG_NET_PREREQ);
+ /* "disconnect" specifying the end-point addresses currently in-use,
+ * before "connect"ing with the addresses currently in-config-file. */
+ if (do_disconnect) {
+ struct cfg_ctx tmp_ctx = { .res = running, .vol = vol, };
+ schedule_deferred_cmd(adm_disconnect, &tmp_ctx, "disconnect", CFG_NET_PREREQ);
+ }
schedule_deferred_cmd(adm_connect, ctx, "connect", CFG_NET);
do_net_options = 0;
}
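Review bot: `tmp_ctx` is a block-scoped local whose address is passed to `schedule_deferred_cmd`; if that function keeps the pointer instead of copying the struct, the deferred "disconnect" runs against a stack slot that is gone once the `if (do_disconnect)` block exits. Confirm that it copies, or give the context the same lifetime as the deferred queue. `vol` is not declared in the visible context, and dropping the old `ctx->res->peer` condition means a disconnect is now scheduled even when the config file has no peer, which the new comment should state explicitly.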
Index: git/user/legacy/drbdadm_adjust.c
===================================================================
--- git.orig/user/legacy/drbdadm_adjust.c
+++ git/user/legacy/drbdadm_adjust.c
@@ -133,6 +133,7 @@ static int opts_equal(struct d_option* c
static int addr_equal(struct d_resource* conf, struct d_resource* running)
{
int equal;
+ char *peer_addr, *peer_af, *peer_port;
if (conf->peer == NULL && running->peer == NULL) return 1;
if (running->peer == NULL) return 0;
@@ -141,18 +142,31 @@ static int addr_equal(struct d_resource*
!strcmp(conf->me->port, running->me->port) &&
!strcmp(conf->me->address_family, running->me->address_family);
- if(conf->me->proxy)
- equal = equal &&
- !strcmp(conf->me->proxy->inside_addr, running->peer->address) &&
- !strcmp(conf->me->proxy->inside_port, running->peer->port) &&
- !strcmp(conf->me->proxy->inside_af, running->peer->address_family);
- else
- equal = equal && conf->peer &&
- !strcmp(conf->peer->address, running->peer->address) &&
- !strcmp(conf->peer->port, running->peer->port) &&
- !strcmp(conf->peer->address_family, running->peer->address_family);
+ if(conf->me->proxy) {
+ peer_addr = conf->me->proxy->inside_addr;
+ peer_port = conf->me->proxy->inside_port;
+ peer_af = conf->me->proxy->inside_af;
+ } else {
+ peer_addr = conf->peer->address;
+ peer_port = conf->peer->port;
+ peer_af = conf->peer->address_family;
+ }
+
+ equal = equal && conf->peer &&
+ !strcmp(peer_addr, running->peer->address) &&
+ !strcmp(peer_port, running->peer->port) &&
+ !strcmp(peer_af, running->peer->address_family);
+
+ if (verbose > 2)
+ fprintf(stderr, "Network addresses differ:\n"
+ "\trunning: %s:%s:%s -- %s:%s:%s\n"
+ "\t config: %s:%s:%s -- %s:%s:%s\n",
+ running->me->address_family, running->me->address, running->me->port,
+ running->peer->address_family, running->peer->address, running->peer->port,
+ conf->me->address_family, conf->me->address, conf->me->port,
+ peer_af, peer_addr, peer_port);
- return equal;
+ return equal;
}
static int proto_equal(struct d_resource* conf, struct d_resource* running)
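Review bot: this hunk is a verbatim second copy of the `addr_equal` change in user/drbdadm_adjust.c, including the read of `conf->peer->address` in the `else` branch ahead of the `conf->peer &&` test. Put the selection of `peer_addr`, `peer_port` and `peer_af` in one shared helper so the NULL check is fixed in a single place. The `return equal;` remove/add pair is a whitespace-only change and should be dropped from the patch.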

View File

@ -0,0 +1,34 @@
Index: git/scripts/drbd.ocf
===================================================================
--- git.orig/scripts/drbd.ocf
+++ git/scripts/drbd.ocf
@@ -418,6 +418,29 @@ drbd_condition() {
rc=$OCF_DATA_OUTDATED
ocf_log info "${OCF_RESKEY_drbd_resource} outdated"
;;
+ Inconsistent)
+ case "${DRBD_CSTATE}" in
+ StandAlone)
+ rc=$OCF_DATA_STANDALONE
+ if [ $status -eq $OCF_SUCCESS ]
+ then
+ ocf_log info "${OCF_RESKEY_drbd_resource} standby standalone, attempting to reconnect."
+ do_drbdadm connect ${OCF_RESKEY_drbd_resource}
+ else
+ ocf_log info "${OCF_RESKEY_drbd_resource} standalone"
+ fi
+ ;;
+ StartingSyncT | WFBitMapT | WFSyncUUID | SyncTarget | \
+ PausedSyncT)
+ rc=$OCF_DATA_SYNC
+ ocf_log info "${OCF_RESKEY_drbd_resource} sync"
+ ;;
+ *)
+ rc=$OCF_DATA_INCONSISTENT
+ ocf_log info "${OCF_RESKEY_drbd_resource} inconsistent"
+ ;;
+ esac
+ ;;
*)
case "${DRBD_CSTATE}" in
StandAlone)
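Review bot: the new `Inconsistent)` arm repeats the `StartingSyncT | WFBitMapT | WFSyncUUID | SyncTarget | PausedSyncT` and default arms of the `*)` branch that follows it, differing only in the StandAlone reconnect, so the two copies will drift apart. Factor the connection-state to return-code mapping into one helper and keep only the reconnect decision here. Quote both operands in `[ $status -eq $OCF_SUCCESS ]`.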

View File

@ -0,0 +1,55 @@
From ea19e3020367cfaf6da20dd690433ee72a24120c Mon Sep 17 00:00:00 2001
From: Don Penney <don.penney@windriver.com>
Date: Mon, 2 May 2016 15:17:54 -0400
Subject: [PATCH 1/1] Avoid kernel/userspace version check
---
user/drbdadm_usage_cnt.c | 32 +-------------------------------
1 file changed, 1 insertion(+), 31 deletions(-)
diff --git a/user/drbdadm_usage_cnt.c b/user/drbdadm_usage_cnt.c
index ff6d5c8..c6cb4ad 100644
--- a/user/drbdadm_usage_cnt.c
+++ b/user/drbdadm_usage_cnt.c
@@ -244,37 +244,7 @@ static int vcs_ver_cmp(struct vcs_rel *rev1, struct vcs_rel *rev2)
void warn_on_version_mismatch(void)
{
- char *msg;
- int cmp;
-
- /* get the kernel module version from /proc/drbd */
- vcs_get_current();
-
- /* get the userland version from REL_VERSION */
- vcs_get_userland();
-
- cmp = vcs_ver_cmp(&userland_version, &current_vcs_rel);
- /* no message if equal */
- if (cmp == 0)
- return;
- if (cmp > 0xffff || cmp < -0xffff) /* major version differs! */
- msg = "mixing different major numbers will not work!";
- else if (cmp < 0) /* userland is older. always warn. */
- msg = "you should upgrade your drbd tools!";
- else if (cmp & 0xff00) /* userland is newer minor version */
- msg = "please don't mix different DRBD series.";
- else /* userland is newer, but only differ in sublevel. */
- msg = "preferably kernel and userland versions should match.";
-
- fprintf(stderr, "DRBD module version: %u.%u.%u\n"
- " userland version: %u.%u.%u\n%s\n",
- current_vcs_rel.version.major,
- current_vcs_rel.version.minor,
- current_vcs_rel.version.sublvl,
- userland_version.version.major,
- userland_version.version.minor,
- userland_version.version.sublvl,
- msg);
+ return;
}
void add_lib_drbd_to_path(void)
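Review bot: reducing `warn_on_version_mismatch` to a bare `return;` removes the "mixing different major numbers will not work!" warning together with the cosmetic ones, and the commit message gives no reason. If the aim is to silence minor and sublevel noise, keep the `cmp > 0xffff || cmp < -0xffff` branch so an incompatible module and userland pair is still reported; otherwise record the rationale in the commit message. The `return;` in a void function is redundant, and it is worth checking whether `vcs_ver_cmp` still has a caller after this change.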
--
1.8.3.1

View File

@ -0,0 +1,40 @@
From 5677e262d5b3f5ecc114f1aace4ffd77a7772282 Mon Sep 17 00:00:00 2001
From: Don Penney <don.penney@windriver.com>
Date: Tue, 21 Feb 2017 12:37:02 -0500
Subject: [PATCH] Update OCF to attempt connect in certain states
---
scripts/drbd.ocf | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/scripts/drbd.ocf b/scripts/drbd.ocf
index 0e26ea9..84332b0 100644
--- a/scripts/drbd.ocf
+++ b/scripts/drbd.ocf
@@ -415,8 +415,21 @@ drbd_condition() {
esac
;;
Outdated)
- rc=$OCF_DATA_OUTDATED
- ocf_log info "${OCF_RESKEY_drbd_resource} outdated"
+ case "${DRBD_CSTATE}" in
+ StandAlone)
+ rc=$OCF_DATA_STANDALONE
+ if [ $status -eq $OCF_SUCCESS ]
+ then
+ ocf_log info "${OCF_RESKEY_drbd_resource} outdated standalone, attempting to reconnect."
+ do_drbdadm -- --discard-my-data connect ${OCF_RESKEY_drbd_resource}
+ else
+ ocf_log info "${OCF_RESKEY_drbd_resource} outdated"
+ fi
+ ;;
+ *)
+ rc=$OCF_DATA_OUTDATED
+ ocf_log info "${OCF_RESKEY_drbd_resource} outdated"
+ esac
;;
Inconsistent)
case "${DRBD_CSTATE}" in
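Review bot: `do_drbdadm -- --discard-my-data connect` is now issued automatically whenever the local disk is Outdated and the connection is StandAlone, which discards local changes without an operator decision or any check of the peer's state. Explain in the commit message why automatic discard is safe when `$status` is `$OCF_SUCCESS`, log it at a level above info so the data loss decision is auditable, and consider putting it behind a resource parameter. The final `*)` arm is missing its `;;`, which only works because it is the last arm.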
--
1.8.3.1

View File

@ -0,0 +1,25 @@
From 100b44d99b0bcbac92abd2122becbfd88d155e09 Mon Sep 17 00:00:00 2001
From: Don Penney <don.penney@windriver.com>
Date: Wed, 22 Nov 2017 20:45:28 -0500
Subject: [PATCH] Increase short cmd timeout to 15 secs
---
user/drbdadm_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/user/drbdadm_main.c b/user/drbdadm_main.c
index b89e91a..19c5a44 100644
--- a/user/drbdadm_main.c
+++ b/user/drbdadm_main.c
@@ -1467,7 +1467,7 @@ void m__system(char **argv, int flags, const char *res_name, pid_t *kid, int *fd
alarm_raised = 0;
switch (flags & SLEEPS_MASK) {
case SLEEPS_SHORT:
- timeout = 5;
+ timeout = 15;
break;
case SLEEPS_LONG:
timeout = COMM_TIMEOUT + 1;
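Review bot: `timeout = 15;` replaces one bare literal with another, with no comment and no commit-message body saying which command was timing out at 5 seconds. The neighbouring `SLEEPS_LONG` case uses a named constant (`COMM_TIMEOUT + 1`); give the short timeout a named constant as well and note the reason for the new value next to it.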
--
1.8.3.1

16
drbd/PKG-INFO Normal file
View File

@ -0,0 +1,16 @@
Metadata-Version: 1.1
Name: drbd-kernel
Version: 8.4.7
Summary: Kernel driver for DRBD
Home-page:
Author:
Author-email:
License: GPLv2+
Description:
This module is the kernel-dependent driver for DRBD. This is split out so
that multiple kernel driver versions can be installed, one for each
installed kernel.
Platform: UNKNOWN

View File

@ -0,0 +1,4 @@
COPY_LIST="$FILES_BASE/* \
$DISTRO/patches/* \
$CGCS_BASE/downloads/drbd-8.4.7-1.tar.gz"
TIS_PATCH_VER=3

View File

@ -0,0 +1,159 @@
%if "%{?_tis_build_type}" == "rt"
%define bt_ext -rt
%else
%undefine bt_ext
%endif
# Define the kmod package name here.
%define kmod_name drbd
Name: drbd-kernel%{?bt_ext}
Summary: Kernel driver for DRBD
Version: 8.4.7
%define upstream_release 1
Release: %{upstream_release}%{?_tis_dist}.%{tis_patch_ver}
%global tarball_version %(echo "%{version}-%{?upstream_release}" | sed -e "s,%{?dist}$,,")
Group: System Environment/Kernel
License: GPLv2+
Summary: %{kmod_name} kernel module(s)
BuildRequires: kernel%{?bt_ext}-devel, redhat-rpm-config, perl, openssl
ExclusiveArch: x86_64
# Sources.
Source0: http://oss.linbit.com/drbd/drbd-%{tarball_version}.tar.gz
# WRS
Patch0001: 0001-remove_bind_before_connect_error.patch
%define kversion %(rpm -q kernel%{?bt_ext}-devel | sort --version-sort | tail -1 | sed 's/kernel%{?bt_ext}-devel-//')
Summary: drbd kernel module(s)
Group: System Environment/Kernel
%global _use_internal_dependency_generator 0
Provides: kernel-modules >= %{kversion}
Provides: drbd-kernel = %{?epoch:%{epoch}:}%{version}-%{release}
Requires(post): /usr/sbin/depmod
Requires(postun): /usr/sbin/depmod
BuildRequires: kernel%{?bt_ext}-devel
%description
This module is the kernel-dependent driver for DRBD. This is split out so
that multiple kernel driver versions can be installed, one for each
installed kernel.
%package -n kmod-drbd%{?bt_ext}
Summary: drbd kernel module(s)
%description -n kmod-drbd%{?bt_ext}
This module is the kernel-dependent driver for DRBD. This is split out so
that multiple kernel driver versions can be installed, one for each
installed kernel.
%post -n kmod-drbd%{?bt_ext}
echo "Working. This may take some time ..."
if [ -e "/boot/System.map-%{kversion}" ]; then
/usr/sbin/depmod -aeF "/boot/System.map-%{kversion}" "%{kversion}" > /dev/null || :
fi
modules=( $(find /lib/modules/%{kversion}/extra/drbd | grep '\.ko$') )
if [ -x "/sbin/weak-modules" ]; then
printf '%s\n' "${modules[@]}" | /sbin/weak-modules --add-modules
fi
echo "Done."
%preun -n kmod-drbd%{?bt_ext}
rpm -ql kmod-drbd%{?bt_ext}-%{version}-%{release}.x86_64 | grep '\.ko$' > /var/run/rpm-kmod-drbd%{?bt_ext}-modules
%postun -n kmod-drbd%{?bt_ext}
echo "Working. This may take some time ..."
if [ -e "/boot/System.map-%{kversion}" ]; then
/usr/sbin/depmod -aeF "/boot/System.map-%{kversion}" "%{kversion}" > /dev/null || :
fi
modules=( $(cat /var/run/rpm-kmod-drbd%{?bt_ext}-modules) )
rm /var/run/rpm-kmod-drbd%{?bt_ext}-modules
if [ -x "/sbin/weak-modules" ]; then
printf '%s\n' "${modules[@]}" | /sbin/weak-modules --remove-modules
fi
echo "Done."
%files -n kmod-drbd%{?bt_ext}
%defattr(644,root,root,755)
/lib/modules/%{kversion}/
%config(noreplace)/etc/depmod.d/drbd.conf
%doc /usr/share/doc/kmod-drbd-%{version}/
# Disable the building of the debug package(s).
%define debug_package %{nil}
%prep
%setup -q -n drbd-%{tarball_version}
%patch0001 -p1
%build
rm -rf obj
mkdir obj
ln -s ../scripts obj/
cp -r drbd obj/default
make -C obj/default %{_smp_mflags} all KDIR=/usr/src/kernels/%{kversion}
%install
pwd
%{__install} -d %{buildroot}/lib/modules/%{kversion}/extra/%{kmod_name}/
%{__install} obj/default/%{kmod_name}.ko %{buildroot}/lib/modules/%{kversion}/extra/%{kmod_name}/
%{__install} -d %{buildroot}%{_sysconfdir}/depmod.d/
%{__install} -d %{buildroot}%{_defaultdocdir}/kmod-%{kmod_name}-%{version}/
%{__install} ChangeLog %{buildroot}%{_defaultdocdir}/kmod-%{kmod_name}-%{version}/
%{__install} COPYING %{buildroot}%{_defaultdocdir}/kmod-%{kmod_name}-%{version}/
mv obj/default/.kernel.config.gz obj/k-config-$kernelrelease.gz
%{__install} obj/k-config-$kernelrelease.gz %{buildroot}%{_defaultdocdir}/kmod-%{kmod_name}-%{version}/
echo "override drbd * weak-updates" > %{buildroot}%{_sysconfdir}/depmod.d/drbd.conf
# Strip the modules(s).
find %{buildroot} -type f -name \*.ko -exec %{__strip} --strip-debug \{\} \;
# Always Sign the modules(s).
# If the module signing keys are not defined, define them here.
%{!?privkey: %define privkey /usr/src/kernels/%{kversion}/signing_key.priv}
%{!?pubkey: %define pubkey /usr/src/kernels/%{kversion}/signing_key.x509}
for module in $(find %{buildroot} -type f -name \*.ko);
do %{__perl} /usr/src/kernels/%{kversion}/scripts/sign-file \
sha256 %{privkey} %{pubkey} $module;
done
%clean
%{__rm} -rf %{buildroot}
%changelog
* Wed Dec 16 2015 Philipp Reisner <phil@linbit.com> - 8.4.7-1
- New upstream release.
* Wed Sep 16 2015 Lars Ellenberg <lars@linbit.com> - 8.4.6-5
- New upstream release.
* Thu Jul 30 2015 Lars Ellenberg <lars@linbit.com> - 8.4.6-4
- New upstream release.
* Fri Apr 3 2015 Philipp Reisner <phil@linbit.com> - 8.4.6-1
- New upstream release.
* Mon Jun 2 2014 Philipp Reisner <phil@linbit.com> - 8.4.5-1
- New upstream release.
* Fri Oct 11 2013 Philipp Reisner <phil@linbit.com> - 8.4.4-1
- New upstream release.
* Tue Feb 5 2013 Philipp Reisner <phil@linbit.com> - 8.4.3-1
- New upstream release.
* Thu Sep 6 2012 Philipp Reisner <phil@linbit.com> - 8.4.2-1
- New upstream release.
* Tue Dec 20 2011 Philipp Reisner <phil@linbit.com> - 8.4.1-1
- New upstream release.
* Mon Jul 18 2011 Philipp Reisner <phil@linbit.com> - 8.4.0-1
- New upstream release.
* Fri Jan 28 2011 Philipp Reisner <phil@linbit.com> - 8.3.10-1
- New upstream release.
* Thu Nov 25 2010 Andreas Gruenbacher <agruen@linbit.com> - 8.3.9-1
- Convert to a Kernel Module Package.
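Review bot: in %install the modules are signed with `%{privkey}`, which defaults to `/usr/src/kernels/%{kversion}/signing_key.priv`, a private key read from the kernel-devel tree. If that file is shipped in a package, anyone who installs the package can sign modules that the kernel will accept, so the key should come from a protected build secret passed in through the `privkey` define, and the build should fail when it is absent instead of falling back. In the same section `$kernelrelease` is never assigned in this spec, so `obj/k-config-$kernelrelease.gz` expands to `obj/k-config-.gz`; use `%{kversion}`. The header also repeats `Summary:`, `Group:` and `BuildRequires: kernel%{?bt_ext}-devel`.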

View File

@ -0,0 +1,11 @@
%defattr(644,root,root,755)
%doc COPYING
%doc ChangeLog
%if 0%(grep -q "release 5" /etc/redhat-release && echo 1)
/lib/modules/%verrel%variant
%doc obj/k-config-%verrel%variant.gz
%else
/lib/modules/%verrel%dotvariant
%doc obj/k-config-%verrel%dotvariant.gz
%endif
%config /etc/depmod.d/drbd.conf

View File

@ -0,0 +1,12 @@
Index: drbd-8.4.7-1/drbd/drbd_receiver.c
===================================================================
--- drbd-8.4.7-1.orig/drbd/drbd_receiver.c
+++ drbd-8.4.7-1/drbd/drbd_receiver.c
@@ -718,6 +718,7 @@ out:
/* peer not (yet) available, network problem */
case ECONNREFUSED: case ENETUNREACH:
case EHOSTDOWN: case EHOSTUNREACH:
+ case EADDRNOTAVAIL:
disconnect_on_error = 0;
break;
default:
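Review bot: `EADDRNOTAVAIL` is added under the comment "peer not (yet) available, network problem", but that errno reports that the local address cannot be used, not a peer condition. Update the comment to say why it is treated as retryable (the patch name in the spec, 0001-remove_bind_before_connect_error.patch, suggests the bind-before-connect case), because with `disconnect_on_error = 0` a permanently wrong local address now retries without surfacing an error.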

15
haproxy/PKG-INFO Normal file
View File

@ -0,0 +1,15 @@
Metadata-Version: 1.1
Name: haproxy
Version: 1.5.18
Summary: Abstract asynchronous event notification library
Home-page:
Author:
Author-email:
License: GPLv2+
Description:
HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high
availability environments.
Platform: UNKNOWN
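Review bot: `Summary: Abstract asynchronous event notification library` does not describe haproxy and contradicts the Description further down ("HAProxy is a TCP/HTTP reverse proxy ..."); it looks copied from another package's PKG-INFO. Use the summary from the spec, "TCP/HTTP proxy and load balancer for high availability environments".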

View File

@ -0,0 +1,2 @@
COPY_LIST="haproxy/*"
TIS_PATCH_VER=7

View File

@ -0,0 +1,27 @@
From 79f025b91d461a948ca6449eb25a11a6c89144b5 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:12:36 -0400
Subject: [PATCH 7/7] WRS: 0001-Update-package-versioning-for-TIS-format.patch
Conflicts:
SPECS/haproxy.spec
---
SPECS/haproxy.spec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
index c1547ef..097aa79 100644
--- a/SPECS/haproxy.spec
+++ b/SPECS/haproxy.spec
@@ -8,7 +8,7 @@
Name: haproxy
Version: 1.5.18
-Release: 6%{?dist}
+Release: 6.el7%{?_tis_dist}.%{tis_patch_ver}
Summary: TCP/HTTP proxy and load balancer for high availability environments
Group: System Environment/Daemons
--
1.9.1

View File

@ -0,0 +1,7 @@
spec-include-TiS-config.patch
haproxy-spec-add-init-script.patch
spec-add-haproxy-env-var-patch.patch
meta_remove_bad_logrotate.patch
haproxy-service-file.patch
meta_add_support_for_tpm.patch
0001-Update-package-versioning-for-TIS-format.patch

View File

@ -0,0 +1,26 @@
From c4d74c67ee001af849e7a30e824cc0f8e38ef948 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:12:36 -0400
Subject: [PATCH 5/7] WRS: haproxy-service-file.patch
---
SOURCES/haproxy.service | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/SOURCES/haproxy.service b/SOURCES/haproxy.service
index 2d4c954..c2f1086 100644
--- a/SOURCES/haproxy.service
+++ b/SOURCES/haproxy.service
@@ -4,7 +4,8 @@ After=syslog.target network.target
[Service]
EnvironmentFile=/etc/sysconfig/haproxy
-ExecStart=/usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid $OPTIONS
+ExecStart=/etc/init.d/haproxy start
+ExecStop=/etc/init.d/haproxy stop
ExecReload=/bin/kill -USR2 $MAINPID
KillMode=mixed
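Review bot: `ExecStart` now runs `/etc/init.d/haproxy start`, but `ExecReload=/bin/kill -USR2 $MAINPID` is left as it was and the visible unit lines set no `Type=forking` or `PIDFile=`. Unless the unit declares those elsewhere, systemd tracks the init script rather than the haproxy daemon, so the reload signal and `KillMode=mixed` no longer apply to the process they were written for. Add `Type=forking` with the PID file the init script writes, or route reload through the init script too. `$OPTIONS` from `EnvironmentFile` is also no longer passed on the command line; confirm the init script reads it.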
--
1.9.1

View File

@ -0,0 +1,47 @@
From 959767df3285a81f1c5650018ed846fe90a68c9d Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:12:36 -0400
Subject: [PATCH 2/7] WRS: haproxy-spec-add-init-script.patch
---
SPECS/haproxy.spec | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
index 42ddeb0..cbd9161 100644
--- a/SPECS/haproxy.spec
+++ b/SPECS/haproxy.spec
@@ -21,6 +21,7 @@ Source2: %{name}.cfg
Source3: %{name}.logrotate
Source4: %{name}.sysconfig
Source5: halog.1
+Source10: %{name}.sh
# WRS
Source6: 503.http
@@ -81,11 +82,14 @@ popd
%{__make} install-bin DESTDIR=%{buildroot} PREFIX=%{_prefix} TARGET="linux2628"
%{__make} install-man DESTDIR=%{buildroot} PREFIX=%{_prefix}
+mkdir -p /etc/init.d
+
%{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
%{__install} -p -D -m 0640 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg
%{__install} -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
%{__install} -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
%{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1
+%{__install} -p -D -m 0755 %{SOURCE10} %{buildroot}/etc/init.d/%{name}
%{__install} -d -m 0755 %{buildroot}%{haproxy_home}
%{__install} -d -m 0755 %{buildroot}%{haproxy_datadir}
%{__install} -d -m 0755 %{buildroot}%{_bindir}
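Review bot: `mkdir -p /etc/init.d` in %install targets the build host's root filesystem instead of `%{buildroot}`, so it modifies the builder, or fails for an unprivileged build when the directory does not exist. It is also unnecessary, because `%{__install} -p -D -m 0755 %{SOURCE10} %{buildroot}/etc/init.d/%{name}` creates the directory through `-D`; drop the mkdir. Prefer `%{_sysconfdir}/init.d` over the hard-coded path, as the other install lines do.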
@@ -149,6 +153,7 @@ fi
%{_bindir}/halog
%{_bindir}/iprange
%{_mandir}/man1/*
+/etc/init.d/%{name}
%attr(-,%{haproxy_user},%{haproxy_group}) %dir %{haproxy_home}
# WRS
--
1.9.1

View File

@ -0,0 +1,42 @@
From a5329bf1468f55c8d6b983e5999c12139dc7479d Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:12:36 -0400
Subject: [PATCH 6/7] WRS: meta_add_support_for_tpm.patch
---
SPECS/haproxy.spec | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
index 3d112e0..c1547ef 100644
--- a/SPECS/haproxy.spec
+++ b/SPECS/haproxy.spec
@@ -30,6 +30,7 @@ Patch1: iprange-return-type.patch
Patch2: haproxy-tcp-user-timeout.patch
Patch3: haproxy-systemd-wrapper-exit-code.patch
Patch4: haproxy-env-var.patch
+Patch5: haproxy-tpm-support.patch
BuildRequires: pcre-devel
BuildRequires: zlib-devel
@@ -41,6 +42,9 @@ Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
+Requires: tpm2-openssl-engine
+
+
%description
HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high
availability environments. Indeed, it can:
@@ -62,6 +66,7 @@ availability environments. Indeed, it can:
%patch2 -p1
%patch3 -p1
%patch4 -p1
+%patch5 -p1
%build
regparm_opts=
--
1.9.1

View File

@ -0,0 +1,40 @@
From 3eac39ba534b92dbcb3a898442b09be7acc389bb Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:12:36 -0400
Subject: [PATCH 4/7] WRS: meta_remove_bad_logrotate.patch
---
SPECS/haproxy.spec | 3 ---
1 file changed, 3 deletions(-)
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
index af94d46..3d112e0 100644
--- a/SPECS/haproxy.spec
+++ b/SPECS/haproxy.spec
@@ -18,7 +18,6 @@ URL: http://www.haproxy.org/
Source0: http://www.haproxy.org/download/1.5/src/haproxy-%{version}.tar.gz
Source1: %{name}.service
Source2: %{name}.cfg
-Source3: %{name}.logrotate
Source4: %{name}.sysconfig
Source5: halog.1
Source10: %{name}.sh
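Review bot: the patch drops `Source3: %{name}.logrotate` along with its install and %files entries, but neither the subject ("bad logrotate") nor the body says what was wrong with the file or what rotates haproxy logs afterwards. State the replacement mechanism in the commit message so it is clear the package is not left without log rotation.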
@@ -88,7 +87,6 @@ mkdir -p /etc/init.d
%{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
%{__install} -p -D -m 0640 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg
-%{__install} -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
%{__install} -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
%{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1
%{__install} -p -D -m 0755 %{SOURCE10} %{buildroot}/etc/init.d/%{name}
@@ -147,7 +145,6 @@ fi
%dir %{haproxy_datadir}
%{haproxy_datadir}/*
%config(noreplace) %{haproxy_confdir}/%{name}.cfg
-%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
%{_unitdir}/%{name}.service
%{_sbindir}/%{name}
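Review bot: the commit message is only the subject line, so nothing records why the stock logrotate file was "bad" or what rotates HAProxy's logs once `Source3`, its `%{__install}` line and the `%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}` entry are gone. Please add a sentence to the message naming the replacement rotation mechanism, because a proxy left without rotation fills the log partition and loses the request logs that incident response relies on.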
--
1.9.1


@ -0,0 +1,32 @@
From 2e37207c026047e2ce1bc9a5278faddfea81c011 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:12:36 -0400
Subject: [PATCH 3/7] WRS: spec-add-haproxy-env-var-patch.patch
---
SPECS/haproxy.spec | 2 ++
1 file changed, 2 insertions(+)
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
index cbd9161..af94d46 100644
--- a/SPECS/haproxy.spec
+++ b/SPECS/haproxy.spec
@@ -30,6 +30,7 @@ Patch0: halog-unused-variables.patch
Patch1: iprange-return-type.patch
Patch2: haproxy-tcp-user-timeout.patch
Patch3: haproxy-systemd-wrapper-exit-code.patch
+Patch4: haproxy-env-var.patch
BuildRequires: pcre-devel
BuildRequires: zlib-devel
@@ -61,6 +62,7 @@ availability environments. Indeed, it can:
%patch1 -p0
%patch2 -p1
%patch3 -p1
+%patch4 -p1
%build
regparm_opts=
--
1.9.1


@ -0,0 +1,58 @@
From 419d06285552bc31dce214d37edb925b4a82c68b Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:12:36 -0400
Subject: [PATCH 1/7] WRS: spec-include-TiS-config.patch
---
SPECS/haproxy.spec | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
index b4dde9e..42ddeb0 100644
--- a/SPECS/haproxy.spec
+++ b/SPECS/haproxy.spec
@@ -22,6 +22,9 @@ Source3: %{name}.logrotate
Source4: %{name}.sysconfig
Source5: halog.1
+# WRS
+Source6: 503.http
+
Patch0: halog-unused-variables.patch
Patch1: iprange-return-type.patch
Patch2: haproxy-tcp-user-timeout.patch
@@ -79,7 +82,7 @@ popd
%{__make} install-man DESTDIR=%{buildroot} PREFIX=%{_prefix}
%{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
-%{__install} -p -D -m 0644 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg
+%{__install} -p -D -m 0640 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg
%{__install} -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
%{__install} -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
%{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1
@@ -106,6 +109,11 @@ do
%{__rm} -f $textfile.old
done
+# WRS
+%{__install} -d 755 %{buildroot}/etc/haproxy/errors/
+%{__install} -m 755 %{SOURCE6} %{buildroot}/etc/haproxy/errors/503.http
+
+
%pre
getent group %{haproxy_group} >/dev/null || groupadd -f -g 188 -r %{haproxy_group}
if ! getent passwd %{haproxy_user} >/dev/null ; then
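Review bot: `%{__install} -d 755 %{buildroot}/etc/haproxy/errors/` is missing `-m`, so `755` is taken as a second directory name (a stray `755` directory is created in the build directory) and the errors directory gets the umask default instead of an explicit mode; it should read `-d -m 0755`. On the next line, `-m 755` marks the static `503.http` response file executable; `0644` is enough. The hard-coded `/etc/haproxy` could also use `%{haproxy_confdir}`, as the `.cfg` install line above does.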
@@ -143,6 +151,10 @@ fi
%{_mandir}/man1/*
%attr(-,%{haproxy_user},%{haproxy_group}) %dir %{haproxy_home}
+# WRS
+%dir /etc/haproxy/errors/
+/etc/haproxy/errors/*
+
%changelog
* Mon May 01 2017 Ryan O'Hara <rohara@redhat.com> - 1.5.18-6
- Use KillMode=mixed in systemd service file (#1444709)
--
1.9.1

1
haproxy/centos/srpm_path Normal file

@ -0,0 +1 @@
mirror:Source/haproxy-1.5.18-6.el7.src.rpm

9
haproxy/haproxy/503.http Normal file

@ -0,0 +1,9 @@
HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>


@ -0,0 +1,245 @@
Index: haproxy-1.5.11/src/cfgparse.c
===================================================================
--- haproxy-1.5.11.orig/src/cfgparse.c
+++ haproxy-1.5.11/src/cfgparse.c
@@ -5789,12 +5789,19 @@ out:
*/
int readcfgfile(const char *file)
{
- char thisline[LINESIZE];
+ char *thisline;
+ int linesize = LINESIZE;
FILE *f;
int linenum = 0;
int err_code = 0;
struct cfg_section *cs = NULL;
struct cfg_section *ics;
+ int readbytes = 0;
+
+ if ((thisline = malloc(sizeof(*thisline) * linesize)) == NULL) {
+ Alert("parsing [%s] : out of memory.\n", file);
+ return -1;
+ }
/* Register internal sections */
if (!cfg_register_section("listen", cfg_parse_listen) ||
@@ -5810,11 +5817,14 @@ int readcfgfile(const char *file)
if ((f=fopen(file,"r")) == NULL)
return -1;
- while (fgets(thisline, sizeof(thisline), f) != NULL) {
+next_line:
+ while (fgets(thisline + readbytes, linesize - readbytes, f) != NULL) {
int arg, kwm = KWM_STD;
char *end;
char *args[MAX_LINE_ARGS + 1];
char *line = thisline;
+ int dquote = 0; /* double quote */
+ int squote = 0; /* simple quote */
linenum++;
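Review bot: `thisline` is now heap-allocated before the file is opened, but the unchanged `if ((f=fopen(file,"r")) == NULL) return -1;` at the top of this hunk returns without freeing it, and the only `free(thisline)` the patch adds is at the normal exit of the function. Either open the file before allocating, or route every early return through a common cleanup label that frees the buffer.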
@@ -5824,11 +5834,25 @@ int readcfgfile(const char *file)
/* Check if we reached the limit and the last char is not \n.
* Watch out for the last line without the terminating '\n'!
*/
- Alert("parsing [%s:%d]: line too long, limit: %d.\n",
- file, linenum, (int)sizeof(thisline)-1);
- err_code |= ERR_ALERT | ERR_FATAL;
+ char *newline;
+ int newlinesize = linesize * 2;
+
+ newline = realloc(thisline, sizeof(*thisline) * newlinesize);
+ if (newline == NULL) {
+ Alert("parsing [%s:%d]: line too long, cannot allocate memory.\n",
+ file, linenum);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ continue;
+ }
+
+ readbytes = linesize - 1;
+ linesize = newlinesize;
+ thisline = newline;
+ continue;
}
+ readbytes = 0;
+
/* skip leading spaces */
while (isspace((unsigned char)*line))
line++;
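Review bot: `linenum++` runs at the top of every `fgets()` pass, so each `continue` taken here to extend an over-long line counts that line again, and every later `[%s:%d]` diagnostic points at the wrong line of the configuration. Increment `linenum` only when `readbytes == 0`, or decrement it before the `continue`. The buffer also doubles with no upper bound and `newlinesize` is a plain `int`, so a cap with a "line too long" error would be safer than relying on `realloc()` failing.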
@@ -5837,10 +5861,26 @@ int readcfgfile(const char *file)
args[arg] = line;
while (*line && arg < MAX_LINE_ARGS) {
- /* first, we'll replace \\, \<space>, \#, \r, \n, \t, \xXX with their
- * C equivalent value. Other combinations left unchanged (eg: \1).
- */
- if (*line == '\\') {
+ if (*line == '"' && !squote) { /* double quote outside single quotes */
+ if (dquote)
+ dquote = 0;
+ else
+ dquote = 1;
+ memmove(line, line + 1, end - line);
+ end--;
+ }
+ else if (*line == '\'' && !dquote) { /* single quote outside double quotes */
+ if (squote)
+ squote = 0;
+ else
+ squote = 1;
+ memmove(line, line + 1, end - line);
+ end--;
+ }
+ else if (*line == '\\' && !squote) {
+ /* first, we'll replace \\, \<space>, \#, \r, \n, \t, \xXX with their
+ * C equivalent value. Other combinations left unchanged (eg: \1).
+ */
int skip = 0;
if (line[1] == ' ' || line[1] == '\\' || line[1] == '#') {
*line = line[1];
@@ -5872,6 +5912,15 @@ int readcfgfile(const char *file)
Alert("parsing [%s:%d] : invalid or incomplete '\\x' sequence in '%s'.\n", file, linenum, args[0]);
err_code |= ERR_ALERT | ERR_FATAL;
}
+ } else if (line[1] == '"') {
+ *line = '"';
+ skip = 1;
+ } else if (line[1] == '\'') {
+ *line = '\'';
+ skip = 1;
+ } else if (line[1] == '$' && dquote) { /* escaping of $ only inside double quotes */
+ *line = '$';
+ skip = 1;
}
if (skip) {
memmove(line + 1, line + 1 + skip, end - (line + skip));
@@ -5879,23 +5928,117 @@ int readcfgfile(const char *file)
}
line++;
}
- else if (*line == '#' || *line == '\n' || *line == '\r') {
+ else if ((!squote && !dquote && *line == '#') || *line == '\n' || *line == '\r') {
/* end of string, end of loop */
*line = 0;
break;
}
- else if (isspace((unsigned char)*line)) {
+ else if (!squote && !dquote && isspace((unsigned char)*line)) {
/* a non-escaped space is an argument separator */
*line++ = '\0';
while (isspace((unsigned char)*line))
line++;
args[++arg] = line;
}
+ else if (dquote && *line == '$') {
+ /* environment variables are evaluated inside double quotes */
+ char *var_beg;
+ char *var_end;
+ char save_char;
+ char *value;
+ int val_len;
+ int newlinesize;
+ int braces = 0;
+
+ var_beg = line + 1;
+ var_end = var_beg;
+
+ if (*var_beg == '{') {
+ var_beg++;
+ var_end++;
+ braces = 1;
+ }
+
+ if (!isalpha((int)(unsigned char)*var_beg) && *var_beg != '_') {
+ Alert("parsing [%s:%d] : Variable expansion: Unrecognized character '%c' in variable name.\n", file, linenum, *var_beg);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto next_line; /* skip current line */
+ }
+
+ while (isalnum((int)(unsigned char)*var_end) || *var_end == '_')
+ var_end++;
+
+ save_char = *var_end;
+ *var_end = '\0';
+ value = getenv(var_beg);
+ *var_end = save_char;
+ val_len = value ? strlen(value) : 0;
+
+ if (braces) {
+ if (*var_end == '}') {
+ var_end++;
+ braces = 0;
+ } else {
+ Alert("parsing [%s:%d] : Variable expansion: Mismatched braces.\n", file, linenum);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto next_line; /* skip current line */
+ }
+ }
+
+ newlinesize = (end - thisline) - (var_end - line) + val_len + 1;
+
+ /* if not enough space in thisline */
+ if (newlinesize > linesize) {
+ char *newline;
+
+ newline = realloc(thisline, newlinesize * sizeof(*thisline));
+ if (newline == NULL) {
+ Alert("parsing [%s:%d] : Variable expansion: Not enough memory.\n", file, linenum);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto next_line; /* slip current line */
+ }
+ /* recompute pointers if realloc returns a new pointer */
+ if (newline != thisline) {
+ int i;
+ int diff;
+
+ for (i = 0; i <= arg; i++) {
+ diff = args[i] - thisline;
+ args[i] = newline + diff;
+ }
+
+ diff = var_end - thisline;
+ var_end = newline + diff;
+ diff = end - thisline;
+ end = newline + diff;
+ diff = line - thisline;
+ line = newline + diff;
+ thisline = newline;
+ }
+ linesize = newlinesize;
+ }
+
+ /* insert value inside the line */
+ memmove(line + val_len, var_end, end - var_end + 1);
+ memcpy(line, value, val_len);
+ end += val_len - (var_end - line);
+ line += val_len;
+ }
else {
line++;
}
}
+ if (dquote) {
+ Alert("parsing [%s:%d] : Mismatched double quotes.\n", file, linenum);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ }
+
+ if (squote) {
+ Alert("parsing [%s:%d] : Mismatched simple quotes.\n", file, linenum);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ }
+
/* empty line */
if (!**args)
continue;
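Review bot: in the `$` expansion branch, `value` is NULL when the variable is unset (`val_len = value ? strlen(value) : 0`), yet it is still passed to `memcpy(line, value, val_len)`; passing a null pointer to `memcpy` is undefined behaviour even with a length of 0, so guard the copy with `if (value)`. An unset variable also expands silently to an empty string, which for a path or address argument changes the meaning of the directive without any diagnostic; a warning naming the variable would make that visible. Small nit: the comment `/* slip current line */` should read "skip".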
@@ -5966,6 +6109,7 @@ int readcfgfile(const char *file)
break;
}
cursection = NULL;
+ free(thisline);
fclose(f);
return err_code;
}


@ -0,0 +1,319 @@
From a2a25214f6f4913b774bdd6c0b80d3ea424d3a1b Mon Sep 17 00:00:00 2001
From: Kam Nasim <kam.nasim@windriver.com>
Date: Wed, 22 Mar 2017 12:07:24 -0400
Subject: [PATCH] haproxy tpm support
---
include/types/global.h | 13 +++++
src/cfgparse.c | 28 ++++++++++
src/haproxy.c | 26 ++++++++-
src/ssl_sock.c | 147 +++++++++++++++++++++++++++++++++++++++++++------
4 files changed, 197 insertions(+), 17 deletions(-)
diff --git a/include/types/global.h b/include/types/global.h
index f1525ae..2e9c077 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -30,6 +30,10 @@
#include <types/proxy.h>
#include <types/task.h>
+#ifdef USE_OPENSSL
+#include <openssl/engine.h>
+#endif
+
#ifndef UNIX_MAX_PATH
#define UNIX_MAX_PATH 108
#endif
@@ -71,6 +75,14 @@ enum {
SSL_SERVER_VERIFY_REQUIRED = 1,
};
+// WRS: Define a new TPM configuration structure
+struct tpm_conf {
+ char *tpm_object;
+ char *tpm_engine;
+ EVP_PKEY *tpm_key;
+ ENGINE *tpm_engine_ref;
+};
+
/* FIXME : this will have to be redefined correctly */
struct global {
#ifdef USE_OPENSSL
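Review bot: `struct tpm_conf` is declared unconditionally but uses `EVP_PKEY` and `ENGINE`, which are only visible through the `<openssl/engine.h>` include that the first hunk guards with `#ifdef USE_OPENSSL`, so a build without OpenSSL no longer compiles this header. Wrap the struct in the same `#ifdef`. Since the `tpm` member of `struct global` is inside the guard as well, every use of `global.tpm` in `cfgparse.c` and `haproxy.c` needs the guard too. The file's other comments use `/* */` rather than `//`.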
@@ -87,6 +99,7 @@ struct global {
char *connect_default_ciphers;
int listen_default_ssloptions;
int connect_default_ssloptions;
+ struct tpm_conf tpm; // tpm configuration
#endif
unsigned int ssl_server_verify; /* default verify mode on servers side */
struct freq_ctr conn_per_sec;
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 6a7f80c..3bc6e79 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -1541,6 +1541,34 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
goto out;
#endif
}
+ else if (!strcmp(args[0], "tpm-object")) {
+ if (global.tpm.tpm_object) {
+ free(global.tpm.tpm_object);
+ }
+#ifdef USE_OPENSSL
+ if (*(args[1]) && (access(args[1], F_OK) != -1)) {
+ global.tpm.tpm_object = strdup(args[1]);
+ }
+#else
+ Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+#endif
+ }
+ else if (!strcmp(args[0], "tpm-engine")) {
+ if (global.tpm.tpm_engine) {
+ free(global.tpm.tpm_engine);
+ }
+#ifdef USE_OPENSSL
+ if (*(args[1]) && (access(args[1], F_OK) != -1)) {
+ global.tpm.tpm_engine = strdup(args[1]);
+ }
+#else
+ Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+#endif
+ }
else {
struct cfg_kw_list *kwl;
int index;
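Review bot: both the `tpm-object` and `tpm-engine` branches fail open. When `args[1]` is empty or `access(args[1], F_OK)` fails, nothing is stored and no Alert is raised, so a typo in the path silently drops HAProxy back to loading the private key from the PEM file, which is the opposite of what an operator who configured TPM mode expects; this should be `ERR_ALERT | ERR_FATAL`. In the same branches, `free(global.tpm.tpm_object)` and `free(global.tpm.tpm_engine)` do not reset the pointer, so a repeated keyword whose path check fails leaves a dangling pointer that is later dereferenced in `ssl_sock.c` and freed again in `deinit_tpm_engine()`. The free and the `global.tpm` accesses also sit outside `#ifdef USE_OPENSSL`, where the member does not exist.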
diff --git a/src/haproxy.c b/src/haproxy.c
index 862697d..2a1a0dc 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -959,6 +959,24 @@ static void deinit_stick_rules(struct list *rules)
}
}
+static void deinit_tpm_engine()
+{
+ /*
+ * if the tpm engine is present then
+ * deinit it, this is needed to
+ * flush the TPM key handle from TPM memory
+ */
+ if (global.tpm.tpm_engine_ref) {
+ ENGINE_finish(global.tpm.tpm_engine_ref);
+ }
+
+ if (global.tpm.tpm_key) {
+ EVP_PKEY_free(global.tpm.tpm_key);
+ }
+ free(global.tpm.tpm_engine); global.tpm.tpm_engine = NULL;
+ free(global.tpm.tpm_object); global.tpm.tpm_object = NULL;
+}
+
void deinit(void)
{
struct proxy *p = proxy, *p0;
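Review bot: `deinit_tpm_engine()` releases only the functional reference with `ENGINE_finish()`; the structural reference obtained from `ENGINE_by_id("dynamic")` in `ssl_sock.c` also needs an `ENGINE_free()`. After the calls, `tpm_engine_ref` and `tpm_key` should be set to NULL the way the two string members are, so a second call cannot double-free. The prototype should be `static void deinit_tpm_engine(void)`, and the function needs the `USE_OPENSSL` guard.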
@@ -1218,7 +1236,13 @@ void deinit(void)
free(uap);
}
-
+
+ /* if HAProxy was in TPM mode then deinit
+ * that configuration as well.
+ */
+ if (global.tpm.tpm_object && global.tpm.tpm_object != '\0')
+ deinit_tpm_engine();
+
userlist_free(userlist);
protocol_unbind_all();
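Review bot: `global.tpm.tpm_object != '\0'` compares the pointer itself with zero, so it only repeats the NULL test before it; the intent looks like `global.tpm.tpm_object[0] != '\0'`. Gating the cleanup on `tpm_object` alone also means a configuration that set only `tpm-engine` never frees that string. Calling `deinit_tpm_engine()` unconditionally would be simpler, since it already checks each member.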
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index ead4c7b..4e16026 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -50,6 +50,7 @@
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#endif
+#include <openssl/engine.h>
#include <common/buffer.h>
#include <common/compat.h>
@@ -1115,6 +1116,80 @@ end:
return ret;
}
+/*
+ * initialize the TPM engine and load the
+ * TPM object as private key within the Engine.
+ * Only do this for the first bind since TPM can
+ * only load 3-4 contexes before it runs out of memory
+ */
+static int ssl_sock_load_tpm_key(SSL_CTX *ctx, char **err) {
+ if (!global.tpm.tpm_object || global.tpm.tpm_object[0] == '\0') {
+ /* not in TPM mode */
+ return -1;
+ }
+ if (!global.tpm.tpm_key) {
+ Warning ("Could not find tpm_key; initializing engine\n");
+ /* no key present; load the dynamic TPM engine */
+ if (global.tpm.tpm_engine && global.tpm.tpm_engine[0]) {
+ ENGINE_load_dynamic();
+ ENGINE *engine = ENGINE_by_id("dynamic");
+ if (!engine) {
+ memprintf(err, "%s Unable to load the dynamic engine "
+ "(needed for loading custom TPM engine)\n",
+ err && *err ? *err : "");
+ return 1;
+ }
+
+ ENGINE_ctrl_cmd_string(engine, "SO_PATH", global.tpm.tpm_engine, 0);
+ ENGINE_ctrl_cmd_string(engine, "LOAD", NULL, 0);
+ /* stow away for ENGINE cleanup */
+ global.tpm.tpm_engine_ref = engine;
+
+ if (ENGINE_init(engine) != 1) {
+ const char *error_str = ERR_error_string(ERR_get_error(), NULL);
+ memprintf(err, "%s Unable to init the TPM engine (%s). Err: %s\n",
+ err && *err ? *err : "",
+ global.tpm.tpm_engine, error_str);
+ goto tpm_err;
+ }
+ EVP_PKEY *pkey = ENGINE_load_private_key(engine,
+ global.tpm.tpm_object,
+ NULL, NULL);
+ if (!pkey) {
+ const char *error_str = ERR_error_string(ERR_get_error(), NULL);
+ memprintf(err, "%s Unable to load TPM object (%s). Err: %s\n",
+ err && *err ? *err : "",
+ global.tpm.tpm_object, error_str);
+ goto tpm_err;
+ }
+ global.tpm.tpm_key = pkey;
+ }
+ else { /* no TPM engine found */
+ memprintf(err, "%s TPM engine option not set when TPM mode expected\n",
+ err && *err ? *err : "");
+ goto tpm_err;
+ }
+ }
+
+ if (SSL_CTX_use_PrivateKey(ctx, global.tpm.tpm_key) <= 0){
+ const char *error_str = ERR_error_string(ERR_get_error(),
+ NULL);
+ memprintf(err, "%s Invalid private key provided from TPM engine(%s). Err: %s\n",
+ err && *err ? *err : "",
+ global.tpm.tpm_object, error_str);
+ goto tpm_err;
+ }
+
+ return 0;
+
+tpm_err:
+ ENGINE_finish(global.tpm.tpm_engine_ref);
+ global.tpm.tpm_engine_ref = NULL;
+ EVP_PKEY_free(global.tpm.tpm_key);
+ global.tpm.tpm_key = NULL;
+ return 1;
+}
+
static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf, struct proxy *curproxy, char **sni_filter, int fcount, char **err)
{
int ret;
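Review bot: in `ssl_sock_load_tpm_key()` the return values of both `ENGINE_ctrl_cmd_string()` calls are ignored, so a bad `SO_PATH` or a failed `LOAD` only surfaces later as a generic `ENGINE_init` error; check each call and report which step failed. The `tpm_err` path calls `ENGINE_finish()` even when `ENGINE_init()` is the call that failed, and never calls `ENGINE_free()` for the reference returned by `ENGINE_by_id()`; in the "engine option not set" branch it runs with `tpm_engine_ref` still NULL. The `Warning("Could not find tpm_key; initializing engine")` fires on every normal first load and reads like a fault; a lower log level would be clearer. The mid-block declarations of `engine` and `pkey` also break the declare-at-top style used in the rest of the file.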
@@ -1127,26 +1202,54 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf
return 1;
}
- if (SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM) <= 0) {
- memprintf(err, "%sunable to load SSL private key from PEM file '%s'.\n",
- err && *err ? *err : "", path);
- SSL_CTX_free(ctx);
- return 1;
+ /* NOTE (knasim-wrs): US93721: TPM support
+ * This SSL context applies to SSL frontends only.
+ * If the TPM option is set then the Private key
+ * is stored in TPM.
+ *
+ * Launch the OpenSSL TPM engine and load the TPM
+ * Private Key. The Public key will still be located
+ * at the provided path and needs to be loaded as
+ * per usual.
+ */
+ if (global.tpm.tpm_object) {
+ ret = ssl_sock_load_tpm_key(ctx, err);
+ if (ret > 0) {
+ /* tpm configuration failed */
+ SSL_CTX_free(ctx);
+ return 1;
+ }
}
-
- ret = ssl_sock_load_cert_chain_file(ctx, path, bind_conf, sni_filter, fcount);
- if (ret <= 0) {
- memprintf(err, "%sunable to load SSL certificate from PEM file '%s'.\n",
- err && *err ? *err : "", path);
- if (ret < 0) /* serious error, must do that ourselves */
+ else { /* non TPM mode */
+ if (SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM) <= 0) {
+ memprintf(err, "%sunable to load SSL private key from PEM file '%s'.\n",
+ err && *err ? *err : "", path);
SSL_CTX_free(ctx);
- return 1;
+ return 1;
+ }
}
- if (SSL_CTX_check_private_key(ctx) <= 0) {
- memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
- err && *err ? *err : "", path);
- return 1;
+ ret = ssl_sock_load_cert_chain_file(ctx, path, bind_conf, sni_filter, fcount);
+ if (ret <= 0) {
+ memprintf(err, "%sunable to load SSL certificate from PEM file '%s'.\n",
+ err && *err ? *err : "", path);
+ if (ret < 0) /* serious error, must do that ourselves */
+ SSL_CTX_free(ctx);
+ return 1;
+ }
+
+ /*
+ * only match the private key to the public key
+ * for non TPM mode. This op would never work for
+ * TPM since the private key has been wrapped, whereas
+ * the public key is still the original one.
+ */
+ if (!global.tpm.tpm_object) {
+ if (SSL_CTX_check_private_key(ctx) <= 0) {
+ memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
+ err && *err ? *err : "", path);
+ return 1;
+ }
}
/* we must not free the SSL_CTX anymore below, since it's already in
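Review bot: because the switch is the global `tpm_object`, every certificate file loaded through `ssl_sock_load_cert_file()` is paired with the same TPM key, whichever `path` it came from, and with `SSL_CTX_check_private_key()` skipped in TPM mode nothing at load time verifies that the key belongs to the certificate. A second `crt`, or a stale TPM object, is then accepted at startup and only fails at handshake time. Please either reject configurations with more than one certificate in TPM mode, or compare the public half of the loaded `EVP_PKEY` with the certificate's public key before accepting the context. Also, `ssl_sock_load_tpm_key()` returns -1 for "not in TPM mode" and the caller only tests `ret > 0`, so that return leaves the context without a private key and without an error.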
@@ -1725,6 +1828,18 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
cfgerr++;
return cfgerr;
}
+
+ /* NOTE (knasim-wrs): US93721: TPM support
+ * This SSL context applies to SSL backends only.
+ * Since Titanium backends don't support SSL, there
+ * is no need to offload these keys in TPM or reuse the
+ * same TPM key for the frontend engine.
+ *
+ * If SSL backends are to be supported in the future,
+ * over TPM, then create a new TPM Engine context and
+ * load the backend key in TPM, in a similar fashion to
+ * the frontend key.
+ */
if (srv->ssl_ctx.client_crt) {
if (SSL_CTX_use_PrivateKey_file(srv->ssl_ctx.ctx, srv->ssl_ctx.client_crt, SSL_FILETYPE_PEM) <= 0) {
Alert("config : %s '%s', server '%s': unable to load SSL private key from PEM file '%s'.\n",
--
1.8.3.1

80
haproxy/haproxy/haproxy.cfg Executable file

@ -0,0 +1,80 @@
# this config needs haproxy-1.1.28 or haproxy-1.2.1
global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
#log loghost local0 info
maxconn 4096
chroot /usr/share/haproxy
uid 99
gid 99
daemon
#debug
#quiet
defaults
log global
mode http
option httplog
option dontlognull
retries 3
option redispatch
maxconn 2000
timeout connect 5000
timeout client 50000
timeout server 50000
listen appli1-rewrite 0.0.0.0:10001
cookie SERVERID rewrite
balance roundrobin
server app1_1 192.168.34.23:8080 cookie app1inst1 check inter 2000 rise 2 fall 5
server app1_2 192.168.34.32:8080 cookie app1inst2 check inter 2000 rise 2 fall 5
server app1_3 192.168.34.27:8080 cookie app1inst3 check inter 2000 rise 2 fall 5
server app1_4 192.168.34.42:8080 cookie app1inst4 check inter 2000 rise 2 fall 5
listen appli2-insert 0.0.0.0:10002
option httpchk
balance roundrobin
cookie SERVERID insert indirect nocache
server inst1 192.168.114.56:80 cookie server01 check inter 2000 fall 3
server inst2 192.168.114.56:81 cookie server02 check inter 2000 fall 3
capture cookie vgnvisitor= len 32
option httpclose # disable keep-alive
rspidel ^Set-cookie:\ IP= # do not let this cookie tell our internal IP address
listen appli3-relais 0.0.0.0:10003
dispatch 192.168.135.17:80
listen appli4-backup 0.0.0.0:10004
option httpchk /index.html
option persist
balance roundrobin
server inst1 192.168.114.56:80 check inter 2000 fall 3
server inst2 192.168.114.56:81 check inter 2000 fall 3 backup
listen ssl-relay 0.0.0.0:8443
option ssl-hello-chk
balance source
server inst1 192.168.110.56:443 check inter 2000 fall 3
server inst2 192.168.110.57:443 check inter 2000 fall 3
server back1 192.168.120.58:443 backup
listen appli5-backup 0.0.0.0:10005
option httpchk *
balance roundrobin
cookie SERVERID insert indirect nocache
server inst1 192.168.114.56:80 cookie server01 check inter 2000 fall 3
server inst2 192.168.114.56:81 cookie server02 check inter 2000 fall 3
server inst3 192.168.114.57:80 backup check inter 2000 fall 3
capture cookie ASPSESSION len 32
timeout server 20000
option httpclose # disable keep-alive
option checkcache # block response if set-cookie & cacheable
rspidel ^Set-cookie:\ IP= # do not let this cookie tell our internal IP address
errorloc 502 http://192.168.114.58/error502.html
errorfile 503 /etc/haproxy/errors/503.http
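Review bot: this is the upstream example configuration added as-is with the executable bit set ("Executable file"), although a configuration file needs no more than the 0640 the spec patch uses when installing `%{name}.cfg`. The header comment still says it "needs haproxy-1.1.28 or haproxy-1.2.1" while `srpm_path` pins 1.5.18. If this file is what ships as the default, every `listen` section binds `0.0.0.0` and forwards to hard-coded 192.168.x.x example servers; a default with no listeners, or loopback-only ones, is a safer starting point. `errorfile 503` is set only in the last `listen` section; if the custom 503 page is meant for all proxies it belongs in `defaults`.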

120
haproxy/haproxy/haproxy.sh Executable file

@ -0,0 +1,120 @@
#!/bin/sh
### BEGIN INIT INFO
# Provides: HA-Proxy
# Required-Start: networking
# Required-Stop: networking
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: HA-Proxy TCP/HTTP reverse proxy
# Description: HA-Proxy is a TCP/HTTP reverse proxy
### END INIT INFO
PATH=/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/haproxy
NAME=haproxy
DESC="HA-Proxy TCP/HTTP reverse proxy"
PIDFILE="/var/run/$NAME.pid"
TPM_DATA_DIR="/var/run/TPM_haproxy/"
OPTS="-D -f /etc/haproxy/haproxy.cfg -p $PIDFILE"
RETVAL=0
# This is only needed till TPM In-Kernel
# ResourceMgr comes in
remove_TPM_transients () {
_HANDLES=`find $TPM_DATA_DIR -type f -name "hp*.bin" -printf "%f "`
for handle in $_HANDLES; do
handle_addr=`echo $handle | sed 's/hp\([0-9]*\)\.bin/\1/g'`
tss2_flushcontext -ha $handle_addr &> /dev/null
done
rm -f $TPM_DATA_DIR/*
}
start() {
if [ -e $PIDFILE ]; then
PIDDIR=/proc/$(cat $PIDFILE)
if [ -d $PIDDIR ]; then
echo "$DESC already running."
return
else
echo "Removing stale PID file $PIDFILE"
rm -f $PIDFILE
fi
fi
# TODO: This is a temporary workaround till
# we eventually add a resource manager for TPM
mkdir -p $TPM_DATA_DIR
echo -n "Starting $NAME: "
TPM_DATA_DIR=$TPM_DATA_DIR start-stop-daemon --start --pidfile $PIDFILE -x "$DAEMON" -- $OPTS
RETVAL=$?
if [ $RETVAL -eq 0 ]; then
echo "done."
else
remove_TPM_transients
echo "failed."
fi
}
stop() {
if [ ! -e $PIDFILE ]; then return; fi
echo -n "Stopping $DESC..."
start-stop-daemon --stop --quiet --retry 3 --oknodo --pidfile $PIDFILE -x "$DAEMON"
if [ -n "`pidof $DAEMON`" ] ; then
pkill -KILL -f $DAEMON
fi
echo "done."
rm -f $PIDFILE
rm -f /var/lock/subsys/$NAME
remove_TPM_transients
}
status()
{
pid=`cat $PIDFILE 2>/dev/null`
if [ -n "$pid" ]; then
if ps -p $pid &>/dev/null ; then
echo "$DESC is running"
RETVAL=0
return
else
RETVAL=1
fi
fi
echo "$DESC is not running"
RETVAL=1
}
check() {
/usr/sbin/$NAME -c -q -V -f /etc/$NAME/$NAME.cfg
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
restart|force-reload|reload)
stop
start
;;
status)
status
;;
check)
check
;;
*)
echo "Usage: $0 {start|stop|force-reload|restart|reload|status|check}"
RETVAL=1
;;
esac
exit $RETVAL
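Review bot: the script declares `#!/bin/sh` but uses the bash-only `&>` redirection in `remove_TPM_transients` (`tss2_flushcontext ... &> /dev/null`) and in `status` (`ps -p $pid &>/dev/null`). Under a strictly POSIX shell that parses as "run in the background, then truncate the file", so `status` would always report running and the flush would not be waited for; use `>/dev/null 2>&1`. `rm -f $TPM_DATA_DIR/*` and the `find` call should quote `"$TPM_DATA_DIR"`, because an empty value turns the former into `rm -f /*`. `pkill -KILL -f $DAEMON` matches any process whose command line contains `/usr/sbin/haproxy`, not only the instance recorded in `$PIDFILE`; killing by the PID read from the file is narrower. `remove_TPM_transients` also discards the exit status of `tss2_flushcontext`, so a handle that fails to flush is dropped from `$TPM_DATA_DIR` without a trace.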

12
integrity/PKG-INFO Normal file

@ -0,0 +1,12 @@
Metadata-Version: 1.1
Name: integrity-kmod
Version: 4.12
Summary: Integrity Linux* Kernel Modules
Home-page: http://tpmdd.sourceforge.net/
Author:
Author-email:
License: GPL
Description:
This package contains the Linux driver and modules for the Integrity subsystem
Platform: UNKNOWN

Some files were not shown because too many files have changed in this diff