Sync from SUSE:SLFO:Main keepalived revision f692db42d8dd3c08f82855d979a82302

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

harden_keepalived.service.patch

@@ -0,0 +1,24 @@
+Index: keepalived-2.2.2/keepalived/keepalived.service.in
+===================================================================
+--- keepalived-2.2.2.orig/keepalived/keepalived.service.in
++++ keepalived-2.2.2/keepalived/keepalived.service.in
+@@ -8,6 +8,19 @@ After=network-online.target syslog.targe
+ Documentation=https://keepalived.org
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions 
+ Type=@SYSTEMD_SERVICE_TYPE@
+ PIDFile=@RUN_DIR@/run/keepalived.pid
+ KillMode=process

keepalive-init.patch

@@ -0,0 +1,71 @@
+Index: keepalived-2.0.7/keepalived/etc/init.d/keepalived.suse.init.in
+===================================================================
+--- keepalived-2.0.7.orig/keepalived/etc/init.d/keepalived.suse.init.in
++++ keepalived-2.0.7/keepalived/etc/init.d/keepalived.suse.init.in
+@@ -1,23 +1,24 @@
+ #! /bin/sh
+ 
+ ### BEGIN INIT INFO
+-# Provides:	 keepalived
++# Provides:	      keepalived
+ # Required-Start: $remote_fs $syslog
+-# Required-Stop : $remote_fs $syslog
+-# Default-Start : 3 5
+-# Default-Stop  : 0 1 2 6
+-# Description   : Start keepalived to allow XY and provide YZ
+-# continued on second line by '#<TAB>'
++# Required-Stop:  $remote_fs $syslog
++# Default-Start:  3 5
++# Default-Stop:   0 1 2 6
++# Short-Description:  Start keepalived to manage IPVS & LVS
++# Description:  Start keepalived to manage IPVS & LVS
+ ### END INIT INFO
+ 
+ 
+-DAEMON="Keepalived daemon"
+-DAEMON_BIN="@sbindir@/keepalived"
+-DAEMON_CONF="@sysconfdir@/keepalived/keepalived.conf"
+-DAEMON_PIDFILE="@localstatedir@/run/keepalived.pid"
+-DAEMON_OPT="-d"
++DAEMON='Keepalived daemon'
++DAEMON_BIN='@sbindir@/keepalived'
++DAEMON_CONF='@sysconfdir@/keepalived/keepalived.conf'
++DAEMON_PIDFILE='@localstatedir@/run/keepalived.pid'
++DAEMON_SYSCONF='/etc/sysconfig/keepalived'
++DAEMON_OPT='-d'
+ #DAEMON_USER="root"
+-SUPPORTS_HUP="yes"
++SUPPORTS_HUP='yes'
+ #       PidFile @localstatedir@/run/keepalived.pid
+ #       DatabaseOwner root
+ 
+@@ -25,6 +26,18 @@ pid_par=${DAEMON_PIDFILE:+"-p $DAEMON_PI
+ usr_par=${DAEMON_USER:+"-u $DAEMON_USER"}
+ 
+ test -x $DAEMON_BIN || exit 5
++test -x $DAEMON_BIN || { echo "$DAEMON_BIN not installed or executable";
++    if [ "$1" = "stop" ]; then exit 0;
++    else exit 5; fi; }
++
++test -r $DAEMON_CONF || { echo "$DAEMON_CONF not existing or readable";
++    if [ "$1" = "stop" ]; then exit 0;
++    else exit 6; fi; }
++
++# read sysconfig variables that might overwrite the daemon options
++if [ -r "$DAEMON_SYSCONF" ]; then
++   . "$DAEMON_SYSCONF"
++fi
+ 
+ # Shell functions sourced from /etc/rc.status:
+ #      rc_check         check and set local and overall rc status
+@@ -72,8 +85,8 @@ case "$1" in
+ 		    0) echo -n "- Warning: daemon already running. " ;;
+ 		    1) echo -n "- Warning: ${DAEMON_PIDFILE} exists. " ;;
+ 		esac
+-#		echo "startproc $usr_par $pid_par ${DAEMON_BIN} ${DAEMON_OPT}"
+-		startproc $usr_par $pid_par ${DAEMON_BIN} ${DAEMON_OPT}
++#		echo "startproc $usr_par $pid_par ${DAEMON_BIN} ${DAEMON_OPT} ${KEEPALIVED_OPTIONS}"
++		startproc $usr_par $pid_par ${DAEMON_BIN} ${DAEMON_OPT} ${KEEPALIVED_OPTIONS}
+ 		rc_status -v
+ 		;;
+ 	stop)

keepalive-rpmlintrc

@@ -0,0 +1,2 @@
+# Those PEM files are only examples:
+addFilter("pem-certificate /usr/share/doc/packages/keepalived/samples/.*.pem")

keepalived.spec

@@ -0,0 +1,236 @@
+#
+# spec file for package keepalived
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+  %define _fillupdir /var/adm/fillup-templates
+%endif
+
+%if 0%{?suse_version} > 1500
+%bcond_without dbus
+%bcond_without keepalived_nftables
+%else
+%bcond_with    dbus
+%bcond_with    keepalived_nftables
+%endif
+
+%if 0%{?suse_version} >= 1500
+%bcond_without keepalived_regex
+%else
+%bcond_with    keepalived_regex
+%endif
+%bcond_without json
+%bcond_without systemd
+
+Name:           keepalived
+Version:        2.2.8
+Release:        0
+Summary:        A keepalive facility for Linux
+License:        GPL-2.0-or-later
+Group:          Productivity/Networking/Routing
+URL:            https://www.keepalived.org/
+Source:         https://www.keepalived.org/software/%{name}-%{version}.tar.gz
+Source2:        keepalive-rpmlintrc
+Patch0:         keepalive-init.patch
+Patch1:         harden_keepalived.service.patch
+BuildRequires:  file-devel
+BuildRequires:  net-snmp-devel
+BuildRequires:  pkgconfig
+BuildRequires:  snmp-mibs
+BuildRequires:  pkgconfig(dbus-1)
+BuildRequires:  pkgconfig(gio-2.0)
+BuildRequires:  pkgconfig(openssl)
+%if %{with json}
+BuildRequires:  pkgconfig(json-c)
+%endif
+BuildRequires:  pkgconfig(libipset)
+BuildRequires:  pkgconfig(libiptc)
+BuildRequires:  pkgconfig(libnl-3.0)
+%if %{with keepalived_regex}
+BuildRequires:  pkgconfig(libpcre2-8)
+%endif
+BuildRequires:  pkgconfig(libnfnetlink)
+%if %{with keepalived_nftables}
+BuildRequires:  pkgconfig(libnftables)
+BuildRequires:  pkgconfig(libnftnl)
+%endif
+BuildRequires:  pkgconfig(popt)
+BuildRequires:  pkgconfig(xtables)
+Requires(pre):  pwdutils
+Requires(pre):  %fillup_prereq
+%if %{with systemd}
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  pkgconfig(libsystemd)
+%{?systemd_ordering}
+%else
+Requires(pre):  %insserv_prereq
+%endif
+
+%description
+This project provides facilities for load balancing and high-availability to
+Linux system and Linux-based infrastructures. The load-balancing framework
+relies on the Linux Virtual Server (IPVS) kernel module providing Layer4 load
+balancing.  Keepalived implements a set of checkers to dynamically and
+adaptively maintain and manage loadbalanced server pool according their health.
+High-availability is achieved by the VRRP protocol, a fundamental brick for
+router failover. In addition, Keepalived implements a set of hooks to the VRRP
+finite state machine, providing low-level and high-speed protocol interactions.
+Keepalived frameworks can be used independently or all together to provide
+resilient infrastructures.
+
+%prep
+%setup -q
+%patch0 -p1
+chmod 644 doc/samples/*
+%patch1 -p1
+
+%build
+export STRIP=true
+export CPPFLAGS="$(pkg-config --cflags libnfnetlink libiptc libipset xtables)"
+export CFLAGS="%optflags -DOPENSSL_NO_SSL_INTERN"
+#  --enable-dbus-create-instance \
+%configure \
+  --disable-silent-rules \
+  --docdir=%{_defaultdocdir}/%{name}/ \
+  --enable-bfd \
+  %if %{with json}
+  --enable-json \
+  %endif
+  --enable-snmp \
+  --enable-snmp-rfc \
+  %if %{with dbus}
+  --enable-dbus \
+  %endif
+  %if %{with keepalived_regex}
+  --enable-regex \
+  %endif
+  %if %{with keepalived_nftables}
+  --enable-nftables \
+  --disable-iptables \
+  %else
+  --enable-iptables \
+  --enable-libipset \
+  %endif
+  %if %{with systemd}
+  --enable-systemd \
+  --with-init=systemd \
+  --with-systemdsystemunitdir="%{_unitdir}" \
+  %else
+  --with-init=SUSE \
+  %endif
+  --enable-sha1 \
+  --enable-gnu-std-paths \
+  --enable-hardening \
+  --enable-log-file \
+  --enable-routes \
+  --disable-dynamic-linking \
+  --disable-libiptc-dynamic \
+  --disable-libipset-dynamic \
+  --disable-libnl-dynamic \
+  --enable-libnl \
+  --enable-json
+make %{?_smp_mflags}
+
+%install
+%make_install
+install -dD -m 0750 %{buildroot}%{_var}/lib/%{name}
+install -D  -m 0644 %{buildroot}/etc/sysconfig/keepalived %{buildroot}%{_fillupdir}/sysconfig.%{name}
+
+%if %{with systemd}
+ln -s /sbin/service %{buildroot}%{_sbindir}/rckeepalived
+%else
+install -D -m 0750 keepalived/etc/init.d/keepalived.suse.init %{buildroot}/etc/init.d/keepalived
+ln -s /etc/init.d/keepalived %{buildroot}%{_sbindir}/rckeepalived
+%endif
+
+chmod -R o= %{buildroot}/etc/keepalived
+rm -rv %{buildroot}/etc/keepalived/samples/ %{buildroot}/etc/sysconfig/keepalived
+cp -rv \
+  AUTHOR ChangeLog CONTRIBUTORS README doc/samples/ doc/keepalived.conf.SYNOPSIS doc/NOTE_vrrp_vmac.txt \
+  %{buildroot}%{_defaultdocdir}/%{name}/
+
+%check
+# A build could silently have LVS support disabled if the kernel includes can't
+# be properly found, we need to avoid that.
+if ! grep -q "#define _WITH_LVS_ *1" lib/config.h; then
+    %{__echo} "ERROR: We do not want keepalived lacking LVS support." >&2
+    exit 1
+fi
+
+%pre
+getent group %{name} >/dev/null || /usr/sbin/groupadd -r %{name}
+getent passwd %{name} >/dev/null || \
+	/usr/sbin/useradd -g %{name} -s /bin/false -r -c "Keepalived" \
+	-d %{_var}/lib/%{name} %{name}
+%if %{with systemd}
+%service_add_pre %{name}.service
+%endif
+
+%preun
+%if %{with systemd}
+%service_del_preun %{name}.service
+%else
+%stop_on_removal %{name}
+%endif
+
+%post
+%fillup_only %{name}
+%if %{with systemd}
+%service_add_post %{name}.service
+%endif
+
+%postun
+%if %{with systemd}
+%service_del_postun %{name}.service
+%else
+%insserv_cleanup
+%restart_on_update %{name}
+%endif
+
+%files
+%defattr(-,root,root)
+%license COPYING
+%doc %{_defaultdocdir}/%{name}/
+%dir  %{_sysconfdir}/keepalived
+%dir %attr(-,keepalived,keepalived) %{_var}/lib/%{name}
+%config(noreplace) %ghost %attr(0640,root,root) %{_sysconfdir}/keepalived/keepalived.conf
+%config %attr(0640,root,root) %{_sysconfdir}/keepalived/keepalived.conf.sample
+%{_fillupdir}/sysconfig.%{name}
+%{_bindir}/genhash
+%{_sbindir}/rckeepalived
+%{_sbindir}/keepalived
+%{_mandir}/man1/genhash.1*
+%{_mandir}/man5/keepalived.conf.5*
+%{_mandir}/man8/keepalived.8*
+%{_datadir}/snmp/mibs/KEEPALIVED-MIB.txt
+%{_datadir}/snmp/mibs/VRRP-MIB.txt
+%{_datadir}/snmp/mibs/VRRPv3-MIB.txt
+#
+%if %{with dbus}
+%config /etc/dbus-1/system.d/org.keepalived.Vrrp1.conf
+%{_datadir}/dbus-1/interfaces/org.keepalived.Vrrp1.Instance.xml
+%{_datadir}/dbus-1/interfaces/org.keepalived.Vrrp1.Vrrp.xml
+%endif
+#
+%if %{with systemd}
+%{_unitdir}/%name.service
+%else
+/etc/init.d/keepalived
+%endif
+
+%changelog