Sync from SUSE:SLFO:Main csync2 revision 729a63ec10ef92f50150e99e503d57cc

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

_service

@@ -0,0 +1,16 @@
+<services>
+  <service name="tar_scm" mode="disabled">
+    <param name="url">https://github.com/LINBIT/csync2.git</param>
+    <param name="scm">git</param>
+    <param name="exclude">.git</param>
+    <param name="versionformat">2.0+git.%ct.%h</param>
+    <param name="revision">master</param>
+  </service>
+
+  <service name="recompress" mode="disabled">
+    <param name="file">csync2*.tar</param>
+    <param name="compression">bz2</param>
+  </service>
+
+  <service name="set_version" mode="disabled"/>
+</services>

csync2-README.quickstart

@@ -0,0 +1,61 @@
+Getting started with csync2 :
+
+There's no need to define the port for csync2 in /etc/services, although the
+manual says so. Port 30865/tcp is defined in /etc/xinetd.d/csync2. All commands
+detailed here need to be executed as root, so be extra careful.
+
+The config file for csync2 is /etc/csync2/csync2.cfg. Here is an example :
+
+mygroup {
+  host host1;
+  host host2;
+  key     /etc/csync2/mygroup.key;
+  include /etc/csync2/csync2.cfg;
+  include /etc/testfile;
+}
+
+This will sync the csync2 configuration and /etc/testfile between host1 and
+host2. Create the file on host1. Note that hostnames need to be the FQDN
+returned by "hostname".
+
+Generate the pre-shared key used for authentication :
+  csync2 -k /etc/csync2/mygroup.key
+
+Copy the configuration file and the pre-shared key to host2:
+  scp /etc/csync2/csync2.cfg /etc/csync2/mygroup.key host2:/etc/csync2/
+
+The SSL key and certificate are generated upon package installation, but you
+can replace them with your own if you like. The files are :
+  /etc/csync2/csync2_ssl_key.pem
+  /etc/csync2/csync2_ssl_cert.pem
+
+Note that the common name (CN) in each node's SSL certificate must be the
+same, or the SSL connection will fail.  If you ever replace a node, and its
+SSL key changes, existing nodes will still have a cached copy of the old key,
+and the connection will fail.  To remove the old key from an existing node's
+cache, run the following command on each existing node:
+  csync2-rm-ssl-cert <replaced-hostname>
+
+The csync2 service is disabled by default. To start it on both your hosts
+using systemd (preferred):
+  systemctl enable csync2.socket
+  systemctl start csync2.socket
+
+If you would prefer to do it the old way with xinetd, run:
+  chkconfig csync2 on
+  chkconfig --level 345 xinetd on
+  service xinetd restart
+
+If you are running iptables, you need to open tcp port 30865 on both hosts so
+that the other host can connect.
+
+Now you should be able to run and initial verbose sync on both hosts :
+    csync2 -xv
+
+Once everything looks good, you can add a file with the following line as
+/etc/cron.d/csync2 or add it to /etc/crontab :
+
+*/5 * * * * root csync2 -x
+
+Happy syncing!
+

csync2-rm-ssl-cert

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+if [ $# -eq 0 -o "$1" = "-h" ]; then
+	cat <<END
+
+Remove a peer's SSL certificate from csync2's local database.  Use this after
+replacing a peer node (or regenerating its SSL certificate).
+
+Usage: $0 [-h] <hostname>
+
+Options:
+    -h          Display this usage information
+
+END
+	exit 0
+fi
+
+DBFILE=/var/lib/csync2/$(hostname).db3
+if [ ! -f "$DBFILE" ]; then
+	echo "Local csync2 database ($DBFILE) not found."
+	exit 1
+fi
+
+# Strip double and single quotes from hostname so they can't interfere with the SQL
+PEERNAME=$(echo $1 | sed -e "s/['\"]//g")
+
+certcount()
+{
+	echo "SELECT COUNT(peername) FROM x509_cert WHERE peername='$1';" | sqlite3 $DBFILE
+}
+
+if [ $(certcount "$PEERNAME") -eq 0 ]; then
+	echo "Certificate for '$PEERNAME' not in local database."
+	exit 0
+fi
+
+echo "DELETE FROM x509_cert WHERE peername='$PEERNAME';" | sqlite3 $DBFILE
+
+if [ $(certcount "$PEERNAME") -ne 0 ]; then
+	echo "Error removing certificate for '$PEERNAME' from local database."
+	exit 1
+fi
+
+echo "Certificate for '$PEERNAME' removed from local database."
+

csync2.changes

@@ -0,0 +1,190 @@
+-------------------------------------------------------------------
+Wed Apr  7 19:21:54 UTC 2021 - Peter Varkoly <varkoly@suse.com>
+
+- Update to 2.0+git.1600444747.83b3644:
+  * VUL-1: CVE-2019-15522: csync2: daemon fails to enforce TLS
+    (bsc#1147137)
+  * VUL-1: CVE-2019-15523: csync2: incorrect TLS handshake error handling
+    (bsc#1147139
+  * use standard %lld instead of non-standard %Ld format specifier
+  * try to avoid (temporary) -rw------- root:root files on receiving side
+  * fix diff mode truncation to first 512 byte
+  * disable xinetd template by default as preparation for systemd socket unit
+  * add systemd csync2.socket and csync2@.service templates
+  * escape peername in SQL statements
+- VUL-1: csync2: bad TLS key generation on installation (bsc#1145032)
+  Adapt suggested changes in %post section.
+  Do not hide output on standard error during generating the keys.
+- Remove patches contained by update:
+  * 0003-Set-AC_PROG_CPP-in-configure.ac.patch
+  * 0002-Patch-sonames.patch
+  * 0001-Add-COPYING-as-docfile.patch
+
+-------------------------------------------------------------------
+Mon May 27 08:13:02 UTC 2019 - Kristoffer Gronlund <kgronlund@suse.com>
+
+- Update to 2.0+git.1542296533.b974921:
+  * Convert documentation to asciidoc
+  * Add error handling for out-of-memory while parsing config file
+  * create_key: use all random bits; add some error handling
+
+- Update patches
+  * Add 0001-Add-COPYING-as-docfile.patch
+  * Add 0002-Patch-sonames.patch
+  * Add 0003-Set-AC_PROG_CPP-in-configure.ac.patch
+  * Remove add-COPYING.patch
+  * Remove add-ac_prog_cpp.patch
+  * Remove fix-sonames.patch
+
+-------------------------------------------------------------------
+Mon May 27 08:13:02 UTC 2019 - Kristoffer Gronlund <kgronlund@suse.com>
+
+- Update patches
+  * Add 0001-Add-COPYING-as-docfile.patch
+  * Add 0002-Patch-sonames.patch
+  * Add 0003-Set-AC_PROG_CPP-in-configure.ac.patch
+  * Remove add-COPYING.patch
+  * Remove add-ac_prog_cpp.patch
+  * Remove fix-sonames.patch
+
+-------------------------------------------------------------------
+Wed Aug 15 14:20:12 UTC 2018 - kgronlund@suse.com
+
+- comparison of peer names provided via command line should not be case sensitive (bsc#1082576)
+- fix for inetd stderr >& stdout
+- fix log message when generating backup files, demote log level
+- document -l and -N switches
+ 
+-------------------------------------------------------------------
+Tue Aug 14 14:10:16 UTC 2018 - kgronlund@suse.com
+
+- Avoid systemd service removal errors when uninstalling (bsc#1093165)
+
+-------------------------------------------------------------------
+Thu Jul 19 13:46:24 UTC 2017 - tchvatal@suse.com
+
+- Remove systemd dep in favor of systemd-rpm-macros
+- Format a bit with spec-cleaner
+- Add proper dependency over openssl
+- Remove all the tex deps as we now reduce from 300 to 160 buildrequires
+- Remove xinetd service and use only socket activation to keep
+  only one tool for the job
+  * Also remove patch csync2-fix-xinetd.patch
+
+-------------------------------------------------------------------
+Thu Jul 13 11:24:17 UTC 2017 - olaf@aepfle.de
+
+- Requires(post) hostname|openssl
+
+-------------------------------------------------------------------
+Fri May  6 21:13:01 UTC 2016 - jengelh@inai.de
+
+- Avoid runtime dependency on systemd, the macros can all deal with
+  its absence.
+- Ensure csync@.service template instances are disabled on package
+  removal.
+
+-------------------------------------------------------------------
+Wed Apr 27 09:49:11 UTC 2016 - kgronlund@suse.com
+
+- Update to csync2-2.0-6-g10636a4:
+  - Document the -N flag to bind csync2 to a specific ip address.
+  - fix diff mode truncation to first 512 byte
+  - fix diff mode prefix substitution
+
+- Drop merged patches:
+  - Remove csync2-librsync-1.0.0.patch
+  - Remove fix-csync2_ssl_cert-filename.patch
+
+-------------------------------------------------------------------
+Thu Mar 26 11:25:01 UTC 2015 - dimstar@opensuse.org
+
+- Add csync2-librsync-1.0.0.patch: Fix build with librsync 1.0.0.
+
+-------------------------------------------------------------------
+Thu Sep 26 09:07:40 UTC 2013 - tserong@suse.com
+
+- Ensure COPYING file is included in package
+  + Added add-COPYING.patch
+
+-------------------------------------------------------------------
+Wed Sep 11 05:12:22 UTC 2013 - tserong@suse.com
+
+- Update to upstream version 2.0-rc2.  Changes since 1.34 too numerous
+  to list, but include:
+  + Database abstraction layer (default build uses sqlite3)
+  + IPv6 support
+  + Native GnuTLS support
+  + tempdir and lock-timeout config options
+  + do-local-only config option for actions
+- Reworked patches and extra source being carried in openSUSE:
+  + Added csync2.socket and csync2@.service for use via systemd
+  + Added add-ac_prog_cpp.patch
+  + Added fix-csync2_ssl_cert-filename.patch
+  + Added fix-sonames.patch
+  + Updated csync2-fix-xinetd.patch
+  + Updated README.quickstart
+  + Removed fix-missing-sentinels.diff (upstream)
+  + Removed csync2-1.34-pure-gnutls-r2.patch (obsolete)
+  + Removed force-debug-stderr-off-inetd.patch (obsolete)
+  + Removed bind-to-local-hostname.patch (obsolete)
+
+-------------------------------------------------------------------
+Fri May 10 12:56:38 UTC 2013 - tserong@suse.com
+
+- Try to bind to "local" IP explicitly to avoid "identification failed"
+  errors with multiple IPs on same subnet (bnc#757327)
+  + Added bind-to-local-hostname.patch
+
+-------------------------------------------------------------------
+Thu Feb 28 06:00:00 UTC 2013 - coolo@suse.com
+
+- update license to new format
+
+-------------------------------------------------------------------
+Mon Jun  4 08:56:27 UTC 2012 - tserong@suse.com
+
+- Drop requirement on libgnutls-extra-devel (unnecessary on openSUSE)
+
+-------------------------------------------------------------------
+Mon Mar 19 12:51:03 UTC 2012 - tserong@suse.com
+
+- Force debug output off completely when running under xinetd (fixes
+  protocol breakage when target directories don't exist; bnc#752563)
+
+-------------------------------------------------------------------
+Mon Feb 20 19:10:40 UTC 2012 - coolo@suse.com
+
+- factory has librsync split into devel package
+
+-------------------------------------------------------------------
+Wed Oct 26 09:19:16 UTC 2011 - tserong@suse.com
+
+- Remove explicit lib dependencies from spec file
+
+-------------------------------------------------------------------
+Tue Sep 20 12:41:40 UTC 2011 - tserong@suse.com
+
+- Add csync2-rm-ssl-cert helper script (bnc#709811)
+
+-------------------------------------------------------------------
+Sun Sep 18 00:06:31 UTC 2011 - jengelh@medozas.de
+
+- Remove redundant tags/sections from specfile
+
+-------------------------------------------------------------------
+Tue Jun  8 00:59:40 UTC 2010 - tserong@novell.com
+
+- Fix build against gnutls 2.8 in factory (integrated patch from
+  http://bugs.gentoo.org/show_bug.cgi?id=274213)
+
+-------------------------------------------------------------------
+Mon Dec 14 16:57:21 CET 2009 - ro@suse.de
+
+- fix build against current openssl 
+
+-------------------------------------------------------------------
+Fri Dec  4 09:58:35 UTC 2009 - jshi@novell.com
+
+- Init import of csync2 for DRBD configuration file sync (fate#307419) 
+

csync2.spec

@@ -0,0 +1,124 @@
+#
+# spec file for package csync2
+#
+# Copyright (c) 2021 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name:           csync2
+Version:        2.0+git.1600444747.83b3644
+Release:        0
+Summary:        Cluster synchronization tool
+License:        GPL-2.0-or-later
+Group:          Productivity/Clustering/HA
+URL:            http://oss.linbit.com/csync2/
+#Source0:       http://oss.linbit.com/csync2/%{name}-%{version}.tar.gz
+Source0:        %{name}-%{version}.tar.bz2
+Source1:        csync2-README.quickstart
+Source2:        csync2-rm-ssl-cert
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  bison
+BuildRequires:  flex
+BuildRequires:  libgnutls-devel
+BuildRequires:  librsync-devel
+BuildRequires:  pkgconfig
+BuildRequires:  sqlite3-devel
+BuildRequires:  systemd-rpm-macros
+Requires:       sqlite3
+Requires(post): openssl
+%if 0%{?suse_version} > 1320
+# Conflicts with net-tools in Leap
+Requires(post): hostname
+%endif
+
+%description
+Csync2 is a cluster synchronization tool. It can be used to keep files on
+multiple hosts in a cluster in sync. Csync2 can handle complex setups with
+much more than just 2 hosts, handle file deletions and can detect conflicts.
+It is expedient for HA-clusters, HPC-clusters, COWs and server farms.
+
+%prep
+%setup -q
+
+%build
+autoreconf -fvi
+%configure \
+    --enable-sqlite3 \
+    --enable-systemd \
+    --sysconfdir=%{_sysconfdir}/csync2 \
+    --docdir=%{_docdir}/%{name}
+make %{?_smp_mflags}
+
+%install
+%make_install
+mkdir -p %{buildroot}%{_localstatedir}/lib/csync2
+install -p -m 644 %{SOURCE1} %{buildroot}%{_docdir}/%{name}/README.quickstart
+install -p -m 755 %{SOURCE2} %{buildroot}%{_sbindir}/csync2-rm-ssl-cert
+mkdir -p %{buildroot}%{_unitdir}
+# We need these empty files to be able to %%ghost them
+touch %{buildroot}%{_sysconfdir}/csync2/csync2_ssl_key.pem
+touch %{buildroot}%{_sysconfdir}/csync2/csync2_ssl_cert.pem
+
+%pre
+%service_add_pre csync2.socket csync2@.service
+
+%post
+%service_add_post csync2.socket csync2@.service
+umask 077
+if [ ! -f %{_sysconfdir}/csync2/csync2_ssl_key.pem ]; then
+    %{_bindir}/openssl ecparam -genkey -name secp384r1 -out %{_sysconfdir}/csync2/csync2_ssl_key.pem
+fi
+FQDN=`hostname`
+if [ "x${FQDN}" = "x" ]; then
+   FQDN=localhost.localdomain
+fi
+if [ ! -f %{_sysconfdir}/csync2/csync2_ssl_cert.pem ]; then
+cat << EOF | %{_bindir}/openssl req -new -key %{_sysconfdir}/csync2/csync2_ssl_key.pem -x509 -days 3000 -out %{_sysconfdir}/csync2/csync2_ssl_cert.pem
+--
+SomeState
+SomeCity
+SomeOrganization
+SomeOrganization
+SomeName
+name@example.com
+EOF
+fi
+
+%preun
+%service_del_preun csync2.socket csync2@.service
+# Cleanup all databases upon last removal
+if [ $1 -eq 0 ]; then
+  rm -f %{_localstatedir}/lib/csync2/*
+fi
+
+%postun
+%service_del_postun csync2.socket csync2@.service
+
+%files
+%{_sbindir}/csync2
+%{_sbindir}/csync2-compare
+%{_unitdir}/csync2.socket
+%{_unitdir}/csync2@.service
+%dir %{_localstatedir}/lib/csync2/
+# Using docdir here ensures correct doc file tagging
+%{_docdir}/%{name}
+%dir %{_sysconfdir}/csync2/
+%config(noreplace) %{_sysconfdir}/csync2/csync2.cfg
+%ghost %config %{_sysconfdir}/csync2/csync2_ssl_key.pem
+%ghost %config %{_sysconfdir}/csync2/csync2_ssl_cert.pem
+%{_sbindir}/csync2-rm-ssl-cert
+%{_mandir}/man1/csync2.1*
+
+%changelog