From c05bea26ee2f2d0ac26b813e814e49672cefd001edc56a0a49141cf59357358c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Wed, 28 Aug 2024 11:02:43 +0200
Subject: [PATCH] Sync from SUSE:SLFO:Main csync2 revision 729a63ec10ef92f50150e99e503d57cc
---
.gitattributes | 23 +++
_service | 16 ++
csync2-2.0+git.1600444747.83b3644.tar.bz2 | 3 +
csync2-README.quickstart | 61 +++++++
csync2-rm-ssl-cert | 45 +++++
csync2.changes | 190 ++++++++++++++++++++++
csync2.spec | 124 ++++++++++++++
7 files changed, 462 insertions(+)
create mode 100644 .gitattributes
create mode 100644 _service
create mode 100644 csync2-2.0+git.1600444747.83b3644.tar.bz2
create mode 100644 csync2-README.quickstart
create mode 100644 csync2-rm-ssl-cert
create mode 100644 csync2.changes
create mode 100644 csync2.spec
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/_service b/_service
new file mode 100644
index 0000000..9ecd214
--- /dev/null +++ b/_service @@ -0,0 +1,16 @@ + + + https://github.com/LINBIT/csync2.git + git + .git + 2.0+git.%ct.%h + master + + + + csync2*.tar + bz2 + + + + diff --git a/csync2-2.0+git.1600444747.83b3644.tar.bz2 b/csync2-2.0+git.1600444747.83b3644.tar.bz2 new file mode 100644 index 0000000..88df0af --- /dev/null +++ b/csync2-2.0+git.1600444747.83b3644.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:25601c3922604cc5494c1bb0c8798689a28e33d39207a0521e6e2f04759a4c00 +size 93711 diff --git a/csync2-README.quickstart b/csync2-README.quickstart new file mode 100644 index 0000000..274ea3f --- /dev/null +++ b/csync2-README.quickstart 
@@ -0,0 +1,61 @@
+Getting started with csync2 :
+
+There's no need to define the port for csync2 in /etc/services, although the
+manual says so. Port 30865/tcp is defined in /etc/xinetd.d/csync2. All commands
+detailed here need to be executed as root, so be extra careful.
+
+The config file for csync2 is /etc/csync2/csync2.cfg. Here is an example :
+
+mygroup {
+ host host1;
+ host host2;
+ key /etc/csync2/mygroup.key;
+ include /etc/csync2/csync2.cfg;
+ include /etc/testfile;
+}
+
+This will sync the csync2 configuration and /etc/testfile between host1 and
+host2. Create the file on host1. Note that hostnames need to be the FQDN
+returned by "hostname".
+
+Generate the pre-shared key used for authentication :
+ csync2 -k /etc/csync2/mygroup.key
+
+Copy the configuration file and the pre-shared key to host2:
+ scp /etc/csync2/csync2.cfg /etc/csync2/mygroup.key host2:/etc/csync2/
+
+The SSL key and certificate are generated upon package installation, but you
+can replace them with your own if you like. The files are :
+ /etc/csync2/csync2_ssl_key.pem
+ /etc/csync2/csync2_ssl_cert.pem
+
+Note that the common name (CN) in each node's SSL certificate must be the
+same, or the SSL connection will fail. If you ever replace a node, and its
+SSL key changes, existing nodes will still have a cached copy of the old key,
+and the connection will fail. To remove the old key from an existing node's
+cache, run the following command on each existing node:
+ csync2-rm-ssl-cert
+
+The csync2 service is disabled by default. To start it on both your hosts
+using systemd (preferred):
+ systemctl enable csync2.socket
+ systemctl start csync2.socket
+
+If you would prefer to do it the old way with xinetd, run:
+ chkconfig csync2 on
+ chkconfig --level 345 xinetd on
+ service xinetd restart
+
+If you are running iptables, you need to open tcp port 30865 on both hosts so
+that the other host can connect.
+ +Now you should be able to run and initial verbose sync on both hosts : + csync2 -xv + +Once everything looks good, you can add a file with the following line as +/etc/cron.d/csync2 or add it to /etc/crontab : + +*/5 * * * * root csync2 -x + +Happy syncing! + diff --git a/csync2-rm-ssl-cert b/csync2-rm-ssl-cert new file mode 100644 index 0000000..ac08a6d --- /dev/null +++ b/csync2-rm-ssl-cert @@ -0,0 +1,45 @@ +#!/bin/bash + +if [ $# -eq 0 -o "$1" = "-h" ]; then + cat < + +Options: + -h Display this usage information + +END + exit 0 +fi + +DBFILE=/var/lib/csync2/$(hostname).db3 +if [ ! -f "$DBFILE" ]; then + echo "Local csync2 database ($DBFILE) not found." + exit 1 +fi + +# Strip double and single quotes from hostname so they can't interfere with the SQL +PEERNAME=$(echo $1 | sed -e "s/['\"]//g") + +certcount() +{ + echo "SELECT COUNT(peername) FROM x509_cert WHERE peername='$1';" | sqlite3 $DBFILE +} + +if [ $(certcount "$PEERNAME") -eq 0 ]; then + echo "Certificate for '$PEERNAME' not in local database." + exit 0 +fi + +echo "DELETE FROM x509_cert WHERE peername='$PEERNAME';" | sqlite3 $DBFILE + +if [ $(certcount "$PEERNAME") -ne 0 ]; then + echo "Error removing certificate for '$PEERNAME' from local database." + exit 1 +fi + +echo "Certificate for '$PEERNAME' removed from local database." + diff --git a/csync2.changes b/csync2.changes new file mode 100644 index 0000000..042298a --- /dev/null +++ b/csync2.changes 
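Review bot: If sqlite3 fails or prints nothing, `[ $(certcount "$PEERNAME") -eq 0 ]` and the later `-ne 0` test both receive an empty operand and evaluate false, so the script runs the DELETE and finishes with "removed from local database" without having verified anything. The peer name also reaches the SQL text after nothing more than the sed filter that deletes quote characters, with `$1` and `$DBFILE` expanded unquoted, so a name containing a quote is silently turned into a different name; for a script that is run as root against the csync2 database, rejecting anything that is not a plain host name is the more dependable check. The fence sketches both changes: the character class in the `case` pattern is my assumption about valid peer names, and the post-delete check needs the same numeric test as the first one.

```shell
# … unchanged: usage text and DBFILE existence check …

# Reject anything that is not a plain host name instead of editing the argument.
case "$1" in
	''|*[!A-Za-z0-9._-]*)
		echo "Invalid peer name." >&2
		exit 1
		;;
esac
PEERNAME=$1

certcount()
{
	echo "SELECT COUNT(peername) FROM x509_cert WHERE peername='$1';" | sqlite3 "$DBFILE"
}

# An empty or non-numeric answer means the query itself failed.
COUNT=$(certcount "$PEERNAME")
case "$COUNT" in
	''|*[!0-9]*)
		echo "Could not query $DBFILE." >&2
		exit 1
		;;
esac

if [ "$COUNT" -eq 0 ]; then
# … unchanged: "not in local database" message and exit 0 …

echo "DELETE FROM x509_cert WHERE peername='$PEERNAME';" | sqlite3 "$DBFILE"

# … unchanged: post-delete check and final message …
```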
@@ -0,0 +1,190 @@
+-------------------------------------------------------------------
+Wed Apr 7 19:21:54 UTC 2021 - Peter Varkoly
+
+- Update to 2.0+git.1600444747.83b3644:
+ * VUL-1: CVE-2019-15522: csync2: daemon fails to enforce TLS
+ (bsc#1147137)
+ * VUL-1: CVE-2019-15523: csync2: incorrect TLS handshake error handling
+ (bsc#1147139
+ * use standard %lld instead of non-standard %Ld format specifier
+ * try to avoid (temporary) -rw------- root:root files on receiving side
+ * fix diff mode truncation to first 512 byte
+ * disable xinetd template by default as preparation for systemd socket unit
+ * add systemd csync2.socket and csync2@.service templates
+ * escape peername in SQL statements
+- VUL-1: csync2: bad TLS key generation on installation (bsc#1145032)
+ Adapt suggested changes in %post section.
+ Do not hide output on standard error during generating the keys.
+- Remove patches contained by update:
+ * 0003-Set-AC_PROG_CPP-in-configure.ac.patch
+ * 0002-Patch-sonames.patch
+ * 0001-Add-COPYING-as-docfile.patch
+
+-------------------------------------------------------------------
+Mon May 27 08:13:02 UTC 2019 - Kristoffer Gronlund
+
+- Update to 2.0+git.1542296533.b974921:
+ * Convert documentation to asciidoc
+ * Add error handling for out-of-memory while parsing config file
+ * create_key: use all random bits; add some error handling
+
+- Update patches
+ * Add 0001-Add-COPYING-as-docfile.patch
+ * Add 0002-Patch-sonames.patch
+ * Add 0003-Set-AC_PROG_CPP-in-configure.ac.patch
+ * Remove add-COPYING.patch
+ * Remove add-ac_prog_cpp.patch
+ * Remove fix-sonames.patch
+
+-------------------------------------------------------------------
+Mon May 27 08:13:02 UTC 2019 - Kristoffer Gronlund
+
+- Update patches
+ * Add 0001-Add-COPYING-as-docfile.patch
+ * Add 0002-Patch-sonames.patch
+ * Add 0003-Set-AC_PROG_CPP-in-configure.ac.patch
+ * Remove add-COPYING.patch
+ * Remove add-ac_prog_cpp.patch
+ * Remove fix-sonames.patch
+
+-------------------------------------------------------------------
+Wed Aug 15 14:20:12 UTC 2018 - kgronlund@suse.com
+
+- comparison of peer names provided via command line should not be case sensitive (bsc#1082576)
+- fix for inetd stderr >& stdout
+- fix log message when generating backup files, demote log level
+- document -l and -N switches
+
+-------------------------------------------------------------------
+Tue Aug 14 14:10:16 UTC 2018 - kgronlund@suse.com
+
+- Avoid systemd service removal errors when uninstalling (bsc#1093165)
+
+-------------------------------------------------------------------
+Thu Jul 19 13:46:24 UTC 2017 - tchvatal@suse.com
+
+- Remove systemd dep in favor of systemd-rpm-macros
+- Format a bit with spec-cleaner
+- Add proper dependency over openssl
+- Remove all the tex deps as we now reduce from 300 to 160 buildrequires
+- Remove xinetd service and use only socket activation to keep
+ only one tool for the job
+ * Also remove patch csync2-fix-xinetd.patch
+
+-------------------------------------------------------------------
+Thu Jul 13 11:24:17 UTC 2017 - olaf@aepfle.de
+
+- Requires(post) hostname|openssl
+
+-------------------------------------------------------------------
+Fri May 6 21:13:01 UTC 2016 - jengelh@inai.de
+
+- Avoid runtime dependency on systemd, the macros can all deal with
+ its absence.
+- Ensure csync@.service template instances are disabled on package
+ removal.
+
+-------------------------------------------------------------------
+Wed Apr 27 09:49:11 UTC 2016 - kgronlund@suse.com
+
+- Update to csync2-2.0-6-g10636a4:
+ - Document the -N flag to bind csync2 to a specific ip address.
+ - fix diff mode truncation to first 512 byte
+ - fix diff mode prefix substitution
+
+- Drop merged patches:
+ - Remove csync2-librsync-1.0.0.patch
+ - Remove fix-csync2_ssl_cert-filename.patch
+
+-------------------------------------------------------------------
+Thu Mar 26 11:25:01 UTC 2015 - dimstar@opensuse.org
+
+- Add csync2-librsync-1.0.0.patch: Fix build with librsync 1.0.0.
+
+-------------------------------------------------------------------
+Thu Sep 26 09:07:40 UTC 2013 - tserong@suse.com
+
+- Ensure COPYING file is included in package
+ + Added add-COPYING.patch
+
+-------------------------------------------------------------------
+Wed Sep 11 05:12:22 UTC 2013 - tserong@suse.com
+
+- Update to upstream version 2.0-rc2. Changes since 1.34 too numerous
+ to list, but include:
+ + Database abstraction layer (default build uses sqlite3)
+ + IPv6 support
+ + Native GnuTLS support
+ + tempdir and lock-timeout config options
+ + do-local-only config option for actions
+- Reworked patches and extra source being carried in openSUSE:
+ + Added csync2.socket and csync2@.service for use via systemd
+ + Added add-ac_prog_cpp.patch
+ + Added fix-csync2_ssl_cert-filename.patch
+ + Added fix-sonames.patch
+ + Updated csync2-fix-xinetd.patch
+ + Updated README.quickstart
+ + Removed fix-missing-sentinels.diff (upstream)
+ + Removed csync2-1.34-pure-gnutls-r2.patch (obsolete)
+ + Removed force-debug-stderr-off-inetd.patch (obsolete)
+ + Removed bind-to-local-hostname.patch (obsolete)
+
+-------------------------------------------------------------------
+Fri May 10 12:56:38 UTC 2013 - tserong@suse.com
+
+- Try to bind to "local" IP explicitly to avoid "identification failed"
+ errors with multiple IPs on same subnet (bnc#757327)
+ + Added bind-to-local-hostname.patch
+
+-------------------------------------------------------------------
+Thu Feb 28 06:00:00 UTC 2013 - coolo@suse.com
+
+- update license to new format
+
+-------------------------------------------------------------------
+Mon Jun 4 08:56:27 UTC 2012 - tserong@suse.com
+
+- Drop requirement on libgnutls-extra-devel (unnecessary on openSUSE)
+
+-------------------------------------------------------------------
+Mon Mar 19 12:51:03 UTC 2012 - tserong@suse.com
+
+- Force debug output off completely when running under xinetd (fixes
+ protocol breakage when target directories don't exist; bnc#752563)
+
+-------------------------------------------------------------------
+Mon Feb 20 19:10:40 UTC 2012 - coolo@suse.com
+
+- factory has librsync split into devel package
+
+-------------------------------------------------------------------
+Wed Oct 26 09:19:16 UTC 2011 - tserong@suse.com
+
+- Remove explicit lib dependencies from spec file
+
+-------------------------------------------------------------------
+Tue Sep 20 12:41:40 UTC 2011 - tserong@suse.com
+
+- Add csync2-rm-ssl-cert helper script (bnc#709811)
+
+-------------------------------------------------------------------
+Sun Sep 18 00:06:31 UTC 2011 - jengelh@medozas.de
+
+- Remove redundant tags/sections from specfile
+
+-------------------------------------------------------------------
+Tue Jun 8 00:59:40 UTC 2010 - tserong@novell.com
+
+- Fix build against gnutls 2.8 in factory (integrated patch from
+ http://bugs.gentoo.org/show_bug.cgi?id=274213)
+
+-------------------------------------------------------------------
+Mon Dec 14 16:57:21 CET 2009 - ro@suse.de
+
+- fix build against current openssl
+
+-------------------------------------------------------------------
+Fri Dec 4 09:58:35 UTC 2009 - jshi@novell.com
+
+- Init import of csync2 for DRBD configuration file sync (fate#307419)
+
diff --git a/csync2.spec b/csync2.spec
new file mode 100644
index 0000000..673c249
--- /dev/null
+++ b/csync2.spec
@@ -0,0 +1,124 @@
+#
+# spec file for package csync2
+#
+# Copyright (c) 2021 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: csync2
+Version: 2.0+git.1600444747.83b3644
+Release: 0
+Summary: Cluster synchronization tool
+License: GPL-2.0-or-later
+Group: Productivity/Clustering/HA
+URL: http://oss.linbit.com/csync2/
+#Source0: http://oss.linbit.com/csync2/%{name}-%{version}.tar.gz
+Source0: %{name}-%{version}.tar.bz2
+Source1: csync2-README.quickstart
+Source2: csync2-rm-ssl-cert
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: bison
+BuildRequires: flex
+BuildRequires: libgnutls-devel
+BuildRequires: librsync-devel
+BuildRequires: pkgconfig
+BuildRequires: sqlite3-devel
+BuildRequires: systemd-rpm-macros
+Requires: sqlite3
+Requires(post): openssl
+%if 0%{?suse_version} > 1320
+# Conflicts with net-tools in Leap
+Requires(post): hostname
+%endif
+
+%description
+Csync2 is a cluster synchronization tool. It can be used to keep files on
+multiple hosts in a cluster in sync. Csync2 can handle complex setups with
+much more than just 2 hosts, handle file deletions and can detect conflicts.
+It is expedient for HA-clusters, HPC-clusters, COWs and server farms.
+
+%prep
+%setup -q
+
+%build
+autoreconf -fvi
+%configure \
+ --enable-sqlite3 \
+ --enable-systemd \
+ --sysconfdir=%{_sysconfdir}/csync2 \
+ --docdir=%{_docdir}/%{name}
+make %{?_smp_mflags}
+
+%install
+%make_install
+mkdir -p %{buildroot}%{_localstatedir}/lib/csync2
+install -p -m 644 %{SOURCE1} %{buildroot}%{_docdir}/%{name}/README.quickstart
+install -p -m 755 %{SOURCE2} %{buildroot}%{_sbindir}/csync2-rm-ssl-cert
+mkdir -p %{buildroot}%{_unitdir}
+# We need these empty files to be able to %%ghost them
+touch %{buildroot}%{_sysconfdir}/csync2/csync2_ssl_key.pem
+touch %{buildroot}%{_sysconfdir}/csync2/csync2_ssl_cert.pem
+
+%pre
+%service_add_pre csync2.socket csync2@.service
+
+%post
+%service_add_post csync2.socket csync2@.service
+umask 077
+if [ ! -f %{_sysconfdir}/csync2/csync2_ssl_key.pem ]; then
+ %{_bindir}/openssl ecparam -genkey -name secp384r1 -out %{_sysconfdir}/csync2/csync2_ssl_key.pem
+fi
+FQDN=`hostname`
+if [ "x${FQDN}" = "x" ]; then
+ FQDN=localhost.localdomain
+fi
+if [ ! -f %{_sysconfdir}/csync2/csync2_ssl_cert.pem ]; then
+cat << EOF | %{_bindir}/openssl req -new -key %{_sysconfdir}/csync2/csync2_ssl_key.pem -x509 -days 3000 -out %{_sysconfdir}/csync2/csync2_ssl_cert.pem
+--
+SomeState
+SomeCity
+SomeOrganization
+SomeOrganization
+SomeName
+name@example.com
+EOF
+fi
+
+%preun
+%service_del_preun csync2.socket csync2@.service
+# Cleanup all databases upon last removal
+if [ $1 -eq 0 ]; then
+ rm -f %{_localstatedir}/lib/csync2/*
+fi
+
+%postun
+%service_del_postun csync2.socket csync2@.service
+
+%files
+%{_sbindir}/csync2
+%{_sbindir}/csync2-compare
+%{_unitdir}/csync2.socket
+%{_unitdir}/csync2@.service
+%dir %{_localstatedir}/lib/csync2/
+# Using docdir here ensures correct doc file tagging
+%{_docdir}/%{name}
+%dir %{_sysconfdir}/csync2/
+%config(noreplace) %{_sysconfdir}/csync2/csync2.cfg
+%ghost %config %{_sysconfdir}/csync2/csync2_ssl_key.pem
+%ghost %config %{_sysconfdir}/csync2/csync2_ssl_cert.pem
+%{_sbindir}/csync2-rm-ssl-cert
+%{_mandir}/man1/csync2.1*
+
+%changelog
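Review bot: The `%ghost %config` entry for csync2_ssl_key.pem in `%files` carries no `%attr`, and `%install` creates the placeholder with a plain `touch`, so the mode recorded in the package for the private key is presumably the build-time default rather than the owner-only mode that `umask 077` yields in `%post`; a later `rpm --setperms` or verify run would then work from the wider mode. I would pin it with `%ghost %attr(0600,root,root) %config %{_sysconfdir}/csync2/csync2_ssl_key.pem`. In `%post`, `FQDN` is computed and defaulted but never used, because the here-document answers the CN prompt with the fixed `SomeName`; either drop those lines together with the `Requires(post): hostname` that serves them, or keep them out and add a comment such as `# CN is deliberately identical on every node, see README.quickstart`. A failed `openssl ecparam` is also not checked before the key file is handed to `openssl req`, so a comment or an explicit `|| exit 1` there would make the intended behaviour clear.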