Accepting request 509615 from network:ha-clustering:Factory

1

OBS-URL: https://build.opensuse.org/request/show/509615
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/corosync?expand=0&rev=40
This commit is contained in:
Dominique Leuenberger 2017-07-21 20:35:26 +00:00 committed by Git OBS Bridge
commit 3c1b08885e
7 changed files with 535 additions and 372 deletions

View File

@ -0,0 +1,235 @@
--- corosync-2.4.2.orig/exec/totemcrypto.c 2016-11-08 00:39:12.000000000 +0800
+++ corosync-2.4.2/exec/totemcrypto.c 2017-07-12 11:09:43.693227825 +0800
@@ -206,6 +206,13 @@
(const char *)format, ##args); \
} while (0);
+enum sym_key_type {
+ SYM_KEY_TYPE_CRYPT,
+ SYM_KEY_TYPE_HASH
+};
+
+#define MAX_WRAPPED_KEY_LEN 128
+
/*
* crypt/decrypt functions
*/
@@ -226,38 +233,147 @@
return CRYPTO_CIPHER_TYPE_AES256;
}
-static int init_nss_crypto(struct crypto_instance *instance)
+static PK11SymKey *import_symmetric_key(struct crypto_instance *instance, enum sym_key_type key_type)
{
- PK11SlotInfo* crypt_slot = NULL;
- SECItem crypt_param;
+ SECItem key_item;
+ PK11SlotInfo *slot;
+ PK11SymKey *res_key;
+ CK_MECHANISM_TYPE cipher;
+ CK_ATTRIBUTE_TYPE operation;
+ CK_MECHANISM_TYPE wrap_mechanism;
+ int wrap_key_len;
+ PK11SymKey *wrap_key;
+ PK11Context *wrap_key_crypt_context;
+ SECItem tmp_sec_item;
+ SECItem wrapped_key;
+ int wrapped_key_len;
+ unsigned char wrapped_key_data[MAX_WRAPPED_KEY_LEN];
+
+ memset(&key_item, 0, sizeof(key_item));
+ slot = NULL;
+ wrap_key = NULL;
+ res_key = NULL;
+ wrap_key_crypt_context = NULL;
+
+ key_item.type = siBuffer;
+ key_item.data = instance->private_key;
+
+ switch (key_type) {
+ case SYM_KEY_TYPE_CRYPT:
+ key_item.len = cipher_key_len[instance->crypto_cipher_type];
+ cipher = cipher_to_nss[instance->crypto_cipher_type];
+ operation = CKA_ENCRYPT|CKA_DECRYPT;
+ break;
+ case SYM_KEY_TYPE_HASH:
+ key_item.len = instance->private_key_len;
+ cipher = hash_to_nss[instance->crypto_hash_type];
+ operation = CKA_SIGN;
+ break;
+ }
+
+ slot = PK11_GetBestSlot(cipher, NULL);
+ if (slot == NULL) {
+ log_printf(instance->log_level_security, "Unable to find security slot (%d): %s",
+ PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+ goto exit_res_key;
+ }
- if (!cipher_to_nss[instance->crypto_cipher_type]) {
- return 0;
+ /*
+ * Without FIPS it would be possible to just use
+ * res_key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, operation, &key_item, NULL);
+ * with FIPS NSS Level 2 certification has to be "workarounded" (so it becomes Level 1) by using
+ * following method:
+ * 1. Generate wrap key
+ * 2. Encrypt authkey with wrap key
+ * 3. Unwrap encrypted authkey using wrap key
+ */
+
+ /*
+ * Generate wrapping key
+ */
+ wrap_mechanism = PK11_GetBestWrapMechanism(slot);
+ wrap_key_len = PK11_GetBestKeyLength(slot, wrap_mechanism);
+ wrap_key = PK11_KeyGen(slot, wrap_mechanism, NULL, wrap_key_len, NULL);
+ if (wrap_key == NULL) {
+ log_printf(instance->log_level_security, "Unable to generate wrapping key (%d): %s",
+ PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+ goto exit_res_key;
}
- crypt_param.type = siBuffer;
- crypt_param.data = instance->private_key;
- crypt_param.len = cipher_key_len[instance->crypto_cipher_type];
+ /*
+ * Encrypt authkey with wrapping key
+ */
- crypt_slot = PK11_GetBestSlot(cipher_to_nss[instance->crypto_cipher_type], NULL);
- if (crypt_slot == NULL) {
- log_printf(instance->log_level_security, "Unable to find security slot (err %d)",
- PR_GetError());
- return -1;
+ /*
+ * Initialization of IV is not needed because PK11_GetBestWrapMechanism should return ECB mode
+ */
+ memset(&tmp_sec_item, 0, sizeof(tmp_sec_item));
+ wrap_key_crypt_context = PK11_CreateContextBySymKey(wrap_mechanism, CKA_ENCRYPT,
+ wrap_key, &tmp_sec_item);
+ if (wrap_key_crypt_context == NULL) {
+ log_printf(instance->log_level_security, "Unable to create encrypt context (%d): %s",
+ PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+ goto exit_res_key;
+ }
+
+ wrapped_key_len = (int)sizeof(wrapped_key_data);
+
+ if (PK11_CipherOp(wrap_key_crypt_context, wrapped_key_data, &wrapped_key_len,
+ sizeof(wrapped_key_data), key_item.data, key_item.len) != SECSuccess) {
+ log_printf(instance->log_level_security, "Unable to encrypt authkey (%d): %s",
+ PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+ goto exit_res_key;
+ }
+
+ if (PK11_Finalize(wrap_key_crypt_context) != SECSuccess) {
+ log_printf(instance->log_level_security, "Unable to finalize encryption of authkey (%d): %s",
+ PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+ goto exit_res_key;
}
- instance->nss_sym_key = PK11_ImportSymKey(crypt_slot,
- cipher_to_nss[instance->crypto_cipher_type],
- PK11_OriginUnwrap, CKA_ENCRYPT|CKA_DECRYPT,
- &crypt_param, NULL);
+ /*
+ * Finally unwrap sym key
+ */
+ memset(&tmp_sec_item, 0, sizeof(tmp_sec_item));
+ wrapped_key.data = wrapped_key_data;
+ wrapped_key.len = wrapped_key_len;
+
+ res_key = PK11_UnwrapSymKey(wrap_key, wrap_mechanism, &tmp_sec_item, &wrapped_key,
+ cipher, operation, key_item.len);
+ if (res_key == NULL) {
+ log_printf(instance->log_level_security, "Failure to import key into NSS (%d): %s",
+ PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+ goto exit_res_key;
+ }
+
+exit_res_key:
+ if (wrap_key_crypt_context != NULL) {
+ PK11_DestroyContext(wrap_key_crypt_context, PR_TRUE);
+ }
+
+ if (wrap_key != NULL) {
+ PK11_FreeSymKey(wrap_key);
+ }
+
+ if (slot != NULL) {
+ PK11_FreeSlot(slot);
+ }
+
+ return (res_key);
+}
+
+static int init_nss_crypto(struct crypto_instance *instance)
+{
+
+ if (!cipher_to_nss[instance->crypto_cipher_type]) {
+ return 0;
+ }
+
+ instance->nss_sym_key = import_symmetric_key(instance, SYM_KEY_TYPE_CRYPT);
if (instance->nss_sym_key == NULL) {
- log_printf(instance->log_level_security, "Failure to import key into NSS (err %d)",
- PR_GetError());
return -1;
}
- PK11_FreeSlot(crypt_slot);
-
return 0;
}
@@ -312,9 +428,9 @@
nss_sec_param);
if (!crypt_context) {
log_printf(instance->log_level_security,
- "PK11_CreateContext failed (encrypt) crypt_type=%d (err %d)",
+ "PK11_CreateContext failed (encrypt) crypt_type=%d (%d): %s",
(int)cipher_to_nss[instance->crypto_cipher_type],
- PR_GetError());
+ PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
goto out;
}
@@ -447,36 +563,16 @@
static int init_nss_hash(struct crypto_instance *instance)
{
- PK11SlotInfo* hash_slot = NULL;
- SECItem hash_param;
if (!hash_to_nss[instance->crypto_hash_type]) {
return 0;
}
- hash_param.type = siBuffer;
- hash_param.data = instance->private_key;
- hash_param.len = instance->private_key_len;
-
- hash_slot = PK11_GetBestSlot(hash_to_nss[instance->crypto_hash_type], NULL);
- if (hash_slot == NULL) {
- log_printf(instance->log_level_security, "Unable to find security slot (err %d)",
- PR_GetError());
- return -1;
- }
-
- instance->nss_sym_key_sign = PK11_ImportSymKey(hash_slot,
- hash_to_nss[instance->crypto_hash_type],
- PK11_OriginUnwrap, CKA_SIGN,
- &hash_param, NULL);
+ instance->nss_sym_key_sign = import_symmetric_key(instance, SYM_KEY_TYPE_HASH);
if (instance->nss_sym_key_sign == NULL) {
- log_printf(instance->log_level_security, "Failure to import key into NSS (err %d)",
- PR_GetError());
return -1;
}
- PK11_FreeSlot(hash_slot);
-
return 0;
}

View File

@ -1,361 +0,0 @@
--- corosync-2.4.2.orig/exec/totemconfig.c 2017-07-10 10:47:11.640061522 +0800
+++ corosync-2.4.2/exec/totemconfig.c 2017-07-10 12:47:33.936275775 +0800
@@ -1416,7 +1416,6 @@
{
int fd;
int res;
- ssize_t expected_key_len = sizeof (totem_config->private_key);
int saved_errno;
char error_str[100];
const char *error_ptr;
@@ -1430,7 +1429,7 @@
goto parse_error;
}
- res = read (fd, totem_config->private_key, expected_key_len);
+ res = read (fd, totem_config->private_key, TOTEM_PRIVATE_KEY_LEN_MAX);
saved_errno = errno;
close (fd);
@@ -1442,15 +1441,14 @@
goto parse_error;
}
- totem_config->private_key_len = expected_key_len;
-
- if (res != expected_key_len) {
+ if (res < TOTEM_PRIVATE_KEY_LEN_MIN) {
snprintf (error_string_response, sizeof(error_string_response),
- "Could only read %d bits of 1024 bits from %s.\n",
- res * 8, key_location);
+ "Could only read %d bits of minimum %u bits from %s.\n",
+ res * 8, TOTEM_PRIVATE_KEY_LEN_MIN * 8, key_location);
goto parse_error;
}
+ totem_config->private_key_len = res;
return 0;
parse_error:
@@ -1467,8 +1465,8 @@
int res;
size_t key_len;
- memset (totem_config->private_key, 0, 128);
- totem_config->private_key_len = 128;
+ memset (totem_config->private_key, 0, sizeof(totem_config->private_key));
+ totem_config->private_key_len = 0;
if (strcmp(totem_config->crypto_cipher_type, "none") == 0 &&
strcmp(totem_config->crypto_hash_type, "none") == 0) {
@@ -1485,15 +1483,19 @@
got_key = 1;
} else { /* Or the key itself may be in the cmap */
if (icmap_get("totem.key", NULL, &key_len, NULL) == CS_OK) {
- if (key_len > sizeof (totem_config->private_key)) {
+ if (key_len > sizeof(totem_config->private_key)) {
sprintf(error_string_response, "key is too long");
goto key_error;
}
+ if (key_len < TOTEM_PRIVATE_KEY_LEN_MIN) {
+ sprintf(error_string_response, "key is too short");
+ goto key_error;
+ }
if (icmap_get("totem.key", totem_config->private_key, &key_len, NULL) == CS_OK) {
totem_config->private_key_len = key_len;
got_key = 1;
} else {
- sprintf(error_string_response, "can't store private key");
+ sprintf(error_string_response, "can't store load key");
goto key_error;
}
}
--- corosync-2.4.2.orig/include/corosync/totem/totem.h 2016-11-08 00:39:12.000000000 +0800
+++ corosync-2.4.2/include/corosync/totem/totem.h 2017-07-10 12:38:17.344259264 +0800
@@ -90,7 +90,11 @@
int log_subsys_id;
};
-enum { TOTEM_PRIVATE_KEY_LEN = 128 };
+enum {
+ TOTEM_PRIVATE_KEY_LEN = 128,
+ TOTEM_PRIVATE_KEY_LEN_MIN = 1024,
+ TOTEM_PRIVATE_KEY_LEN_MAX = 4096
+};
enum { TOTEM_RRP_MODE_BYTES = 64 };
typedef enum {
@@ -119,7 +123,7 @@
/*
* key information
*/
- unsigned char private_key[TOTEM_PRIVATE_KEY_LEN];
+ unsigned char private_key[TOTEM_PRIVATE_KEY_LEN_MAX];
unsigned int private_key_len;
--- corosync-2.4.2.orig/tools/corosync-keygen.c 2016-11-08 00:39:12.000000000 +0800
+++ corosync-2.4.2/tools/corosync-keygen.c 2017-07-10 11:30:12.340138080 +0800
@@ -1,10 +1,11 @@
/*
* Copyright (c) 2004 MontaVista Software, Inc.
- * Copyright (c) 2005-2011 Red Hat, Inc.
+ * Copyright (c) 2005-2017 Red Hat, Inc.
*
* All rights reserved.
*
* Author: Steven Dake (sdake@redhat.com)
+ * Jan Friesse (jfriesse@redhat.com)
*
* This software licensed under BSD license, the text of which follows:
*
@@ -47,16 +48,25 @@
#include <netinet/in.h>
+#include <corosync/totem/totem.h>
+
#define DEFAULT_KEYFILE COROSYSCONFDIR "/authkey"
+#define DEFAULT_KEYFILE_LEN TOTEM_PRIVATE_KEY_LEN_MIN
+
+#define DEFAULT_RANDOM_DEV "/dev/urandom"
+
static const char usage[] =
- "Usage: corosync-keygen [-k <keyfile>] [-l]\n"
+ "Usage: corosync-keygen [-k <keyfile>] [-s size] [-m <randomfile>] [-l] [-h]\n"
" -k / --key-file=<filename> - Write to the specified keyfile\n"
" instead of the default " DEFAULT_KEYFILE ".\n"
- " -l / --less-secure - Use a less secure random number source\n"
- " (/dev/urandom) that is guaranteed not to require user\n"
- " input for entropy. This can be used when this\n"
- " application is used from a script.\n";
+ " -r / --random-file - Random number source file. Default is \n"
+ " /dev/urandom. As an example /dev/random may be requested\n"
+ " (that may require user input for entropy).\n"
+ " -l / --less-secure - Not used, option is kept only\n"
+ " for compatibility.\n"
+ " -s / --size - Length of key.\n"
+ " -h / --help - Print basic usage.\n";
int main (int argc, char *argv[])
@@ -64,27 +74,49 @@
int authkey_fd;
int random_fd;
char *keyfile = NULL;
- unsigned char key[128];
+ unsigned char key[TOTEM_PRIVATE_KEY_LEN_MAX];
ssize_t res;
ssize_t bytes_read;
+ size_t key_len = DEFAULT_KEYFILE_LEN;
+ const char *random_dev = DEFAULT_RANDOM_DEV;
+ long long int tmpll;
+ char *ep;
int c;
int option_index;
- int less_secure = 0;
static struct option long_options[] = {
{ "key-file", required_argument, NULL, 'k' },
{ "less-secure", no_argument, NULL, 'l' },
+ { "random-file", required_argument, NULL, 'r' },
+ { "size", required_argument, NULL, 's' },
{ "help", no_argument, NULL, 'h' },
{ 0, 0, NULL, 0 },
};
- while ((c = getopt_long (argc, argv, "k:lh",
+ while ((c = getopt_long (argc, argv, "k:r:s:lh",
long_options, &option_index)) != -1) {
switch (c) {
case 'k':
keyfile = optarg;
break;
case 'l':
- less_secure = 1;
+ /*
+ * Only kept for compatibility
+ */
+ break;
+ case 'r':
+ random_dev = optarg;
+ break;
+ case 's':
+ tmpll = strtoll(optarg, &ep, 10);
+ if (tmpll < TOTEM_PRIVATE_KEY_LEN_MIN ||
+ tmpll > TOTEM_PRIVATE_KEY_LEN_MAX ||
+ errno != 0 || *ep != '\0') {
+ errx (1, "Unsupported key size (supported <%u,%u>)\n",
+ TOTEM_PRIVATE_KEY_LEN_MIN,
+ TOTEM_PRIVATE_KEY_LEN_MAX);
+ }
+
+ key_len = (size_t)tmpll;
break;
case 'h':
printf ("%s\n", usage);
@@ -102,32 +134,30 @@
keyfile = (char *)DEFAULT_KEYFILE;
}
- if (less_secure) {
- printf ("Gathering %lu bits for key from /dev/urandom.\n", (unsigned long)(sizeof (key) * 8));
- random_fd = open ("/dev/urandom", O_RDONLY);
- } else {
- printf ("Gathering %lu bits for key from /dev/random.\n", (unsigned long)(sizeof (key) * 8));
- printf ("Press keys on your keyboard to generate entropy.\n");
- random_fd = open ("/dev/random", O_RDONLY);
- }
+ printf ("Gathering %lu bits for key from %s.\n", (unsigned long)(key_len * 8), random_dev);
+ random_fd = open (random_dev, O_RDONLY);
if (random_fd == -1) {
err (1, "Failed to open random source");
}
+ if (strcmp(random_dev, "/dev/random") == 0) {
+ printf ("Press keys on your keyboard to generate entropy.\n");
+ }
/*
* Read random data
*/
bytes_read = 0;
retry_read:
- res = read (random_fd, &key[bytes_read], sizeof (key) - bytes_read);
+ res = read (random_fd, &key[bytes_read], key_len - bytes_read);
if (res == -1) {
err (1, "Could not read /dev/random");
}
bytes_read += res;
- if (bytes_read != sizeof (key)) {
- printf ("Press keys on your keyboard to generate entropy (bits = %d).\n", (int)(bytes_read * 8));
+ if (bytes_read != key_len) {
+ printf ("Press keys on your keyboard to generate entropy (%d bits still needed).\n",
+ (int)((key_len - bytes_read) * 8));
goto retry_read;
}
close (random_fd);
@@ -135,7 +165,7 @@
/*
* Open key
*/
- authkey_fd = open (keyfile, O_CREAT|O_WRONLY, 0600);
+ authkey_fd = open (keyfile, O_CREAT|O_WRONLY|O_TRUNC, 0600);
if (authkey_fd == -1) {
err (2, "Could not create %s", keyfile);
}
@@ -148,8 +178,8 @@
/*
* Write key
*/
- res = write (authkey_fd, key, sizeof (key));
- if (res != sizeof (key)) {
+ res = write (authkey_fd, key, key_len);
+ if (res != key_len) {
err (4, "Could not write %s", keyfile);
}
--- corosync-2.4.2.orig/man/corosync-keygen.8 2016-11-08 00:39:12.000000000 +0800
+++ corosync-2.4.2/man/corosync-keygen.8 2017-07-10 12:55:30.260289906 +0800
@@ -1,5 +1,5 @@
.\"/*
-.\" * Copyright (C) 2010 Red Hat, Inc.
+.\" * Copyright (C) 2010-2017 Red Hat, Inc.
.\" *
.\" * All rights reserved.
.\" *
@@ -31,11 +31,11 @@
.\" * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
.\" * THE POSSIBILITY OF SUCH DAMAGE.
.\" */
-.TH COROSYNC-KEYGEN 8 2010-05-30
+.TH COROSYNC-KEYGEN 8 2017-07-03
.SH NAME
corosync-keygen \- Generate an authentication key for Corosync.
.SH SYNOPSIS
-.B "corosync-keygen [\-k <filename>] [\-l]"
+.B "corosync-keygen [\-k <filename>] [-m <randomfile>] [\-s size] [\-l] [\-h]"
.SH DESCRIPTION
If you want to configure corosync to use cryptographic techniques to ensure authenticity
@@ -57,8 +57,6 @@
If a message "Invalid digest" appears from the corosync executive, the keys
are not consistent between processors.
.PP
-.B Note: corosync-keygen
-will ask for user input to assist in generating entropy unless the -l option is used.
.SH OPTIONS
.TP
.B -k <filename>
@@ -66,30 +64,55 @@
.br
The default is /etc/corosync/authkey.
.TP
+.B -r
+Random number source file. Default is /dev/urandom. As an example /dev/random may be
+used when really superb randomness is needed.
+.TP
+.B -s size
+Size of the generated key in bytes. Default is 1024 bytes. Allowed range is <1024, 4096>.
+.TP
+.TP
.B -l
-Use a less secure random data source that will not require user input to help generate
-entropy. This may be useful when this utility is used from a script or hardware random number
-generator is not available (f.e. in virtual machine).
+Option is not used and it's kept only for compatibility.
+.TP
+.B -h
+Print basic usage.
.SH EXAMPLES
.TP
Generate the key.
-.PP
+.nf
# corosync-keygen
-.br
Corosync Cluster Engine Authentication key generator.
-.br
-Gathering 1024 bits for key from /dev/random.
-.br
-Press keys on your keyboard to generate entropy.
-.br
-.PP
-$ corosync-keygen -l -k /tmp/authkey
-.br
+Gathering 8192 bits for key from /dev/urandom.
+Writing corosync key to /etc/corosync/authkey
+.fi
+
+.TP
+Generate longer key and store it in the /tmp/authkey file.
+.nf
+$ corosync-keygen -s 2048 -k /tmp/authkey
Corosync Cluster Engine Authentication key generator.
-.br
+Gathering 16384 bits for key from /dev/urandom.
Writing corosync key to /tmp/authkey.
-.br
+.fi
+
+.TP
+Generate superb key using /dev/random
+.nf
+# corosync-keygen -r /dev/random
+Corosync Cluster Engine Authentication key generator.
+Gathering 8192 bits for key from /dev/random.
+Press keys on your keyboard to generate entropy.
+Press keys on your keyboard to generate entropy (7928 bits still needed).
+Press keys on your keyboard to generate entropy (7880 bits still needed).
+ ...
+Press keys on your keyboard to generate entropy (104 bits still needed).
+Press keys on your keyboard to generate entropy (56 bits still needed).
+Press keys on your keyboard to generate entropy (8 bits still needed).
+Writing corosync key to /etc/corosync/authkey.
+.fi
+
.SH SEE ALSO
.BR corosync_overview (8),
.BR corosync.conf (5),

View File

@ -0,0 +1,196 @@
--- corosync-2.4.2.orig/exec/main.c 2017-07-11 16:45:28.979262348 +0800
+++ corosync-2.4.2/exec/main.c 2017-07-11 16:44:05.195259862 +0800
@@ -889,8 +889,10 @@
}
-static void corosync_setscheduler (void)
+static int corosync_set_rr_scheduler (void)
{
+ int ret_val = 0;
+
#if defined(HAVE_PTHREAD_SETSCHEDPARAM) && defined(HAVE_SCHED_GET_PRIORITY_MAX) && defined(HAVE_SCHED_SETSCHEDULER)
int res;
@@ -907,6 +909,7 @@
#ifdef HAVE_QB_LOG_THREAD_PRIORITY_SET
qb_log_thread_priority_set (SCHED_OTHER, 0);
#endif
+ ret_val = -1;
} else {
/*
@@ -928,11 +931,15 @@
LOGSYS_PERROR (errno, LOGSYS_LEVEL_WARNING,
"Could not get maximum scheduler priority");
sched_priority = 0;
+ ret_val = -1;
}
#else
log_printf(LOGSYS_LEVEL_WARNING,
"The Platform is missing process priority setting features. Leaving at default.");
+ ret_val = -1;
#endif
+
+ return (ret_val);
}
@@ -1159,29 +1166,46 @@
const char *error_string;
struct totem_config totem_config;
int res, ch;
- int background, setprio, testonly;
+ int background, sched_rr, prio, testonly;
struct stat stat_out;
enum e_corosync_done flock_err;
uint64_t totem_config_warnings;
struct scheduler_pause_timeout_data scheduler_pause_timeout_data;
+ long int tmpli;
+ char *ep;
/* default configuration
*/
background = 1;
- setprio = 1;
+ sched_rr = 1;
+ prio = 0;
testonly = 0;
- while ((ch = getopt (argc, argv, "fprtv")) != EOF) {
+ while ((ch = getopt (argc, argv, "fP:prtv")) != EOF) {
switch (ch) {
case 'f':
background = 0;
break;
case 'p':
- setprio = 0;
+ sched_rr = 0;
+ break;
+ case 'P':
+ if (strcmp(optarg, "max") == 0) {
+ prio = INT_MIN;
+ } else if (strcmp(optarg, "min") == 0) {
+ prio = INT_MAX;
+ } else {
+ tmpli = strtol(optarg, &ep, 10);
+ if (errno != 0 || *ep != '\0' || tmpli > INT_MAX || tmpli < INT_MIN) {
+ fprintf(stderr, "Priority value %s is invalid", optarg);
+ logsys_system_fini();
+ return EXIT_FAILURE;
+ }
+ }
break;
case 'r':
- setprio = 1;
+ sched_rr = 1;
break;
case 't':
testonly = 1;
@@ -1197,9 +1221,10 @@
fprintf(stderr, \
"usage:\n"\
" -f : Start application in foreground.\n"\
- " -p : Do not set process priority.\n"\
+ " -p : Do not set realtime scheduling.\n"\
" -t : Test configuration and exit.\n"\
" -r : Set round robin realtime scheduling (default).\n"\
+ " -P num : Set priority of process (no effect when -r is used)\n"\
" -v : Display version and SVN revision of Corosync and exit.\n");
logsys_system_fini();
return EXIT_FAILURE;
@@ -1207,15 +1232,6 @@
}
/*
- * Set round robin realtime scheduling with priority 99
- * Lock all memory to avoid page faults which may interrupt
- * application healthchecking
- */
- if (setprio) {
- corosync_setscheduler ();
- }
-
- /*
* Other signals are registered later via qb_loop_signal_add
*/
(void)signal (SIGSEGV, sigsegv_handler);
@@ -1319,6 +1335,24 @@
corosync_exit_error (COROSYNC_DONE_EXIT);
}
+ /*
+ * Set round robin realtime scheduling with priority 99
+ */
+ if (sched_rr) {
+ if (corosync_set_rr_scheduler () != 0) {
+ prio = INT_MIN;
+ } else {
+ prio = 0;
+ }
+ }
+
+ if (prio != 0) {
+ if (setpriority(PRIO_PGRP, 0, prio) != 0) {
+ LOGSYS_PERROR(errno, LOGSYS_LEVEL_WARNING,
+ "Could not set priority %d", prio);
+ }
+ }
+
ip_version = totem_config.ip_version;
totem_config.totem_memb_ring_id_create_or_load = corosync_ring_id_create_or_load;
@@ -1345,6 +1379,11 @@
corosync_tty_detach ();
}
+ /*
+ * Lock all memory to avoid page faults which may interrupt
+ * application healthchecking
+ */
+
corosync_mlockall();
corosync_poll_handle = qb_loop_create ();
--- corosync-2.4.2.orig/man/corosync.8 2016-11-08 00:39:12.000000000 +0800
+++ corosync-2.4.2/man/corosync.8 2017-07-11 16:48:06.555267022 +0800
@@ -31,11 +31,11 @@
.\" * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
.\" * THE POSSIBILITY OF SUCH DAMAGE.
.\" */
-.TH COROSYNC 8 2010-05-30
+.TH COROSYNC 8 2017-07-07
.SH NAME
corosync \- The Corosync Cluster Engine.
.SH SYNOPSIS
-.B "corosync [\-f] [\-p] [\-r] [\-v]"
+.B "corosync [\-f] [-P num] [\-p] [\-r] [\-v]"
.SH DESCRIPTION
.B corosync
Corosync provides clustering infracture such as membership, messaging and quorum.
@@ -45,10 +45,22 @@
Start application in foreground.
.TP
.B -p
-Do not set process priority.
+Do not set realtime scheduling.
.TP
+.B -P
+Set priority of process. Has effect only when
.B -r
-Set round robin realtime scheduling (default).
+is not used. Can be ether numeric value with similar meaning as
+.BR nice (1)
+or
+.B max
+/
+.B min
+meaning maximal / minimal priority (so minimal / maximal nice value).
+.TP
+.B -r
+Set round robin realtime scheduling with maximal priority (default). When setting
+of scheduler fails, fallback to set maximal priority.
.TP
.B -t
Test configuration and then exit.

View File

@ -0,0 +1,68 @@
--- corosync-2.4.2.orig/exec/main.c 2017-07-11 17:23:41.903330368 +0800
+++ corosync-2.4.2/exec/main.c 2017-07-11 17:31:08.687343622 +0800
@@ -1424,9 +1424,13 @@
* Join multicast group and setup delivery
* and configuration change functions
*/
- totempg_initialize (
+ if(totempg_initialize (
corosync_poll_handle,
- &totem_config);
+ &totem_config) != 0) {
+
+ log_printf (LOGSYS_LEVEL_ERROR, "Can't initialize TOTEM layer");
+ corosync_exit_error (COROSYNC_DONE_FATAL_ERR);
+ }
totempg_service_ready_register (
main_service_ready);
--- corosync-2.4.2.orig/exec/totempg.c 2016-11-08 00:39:12.000000000 +0800
+++ corosync-2.4.2/exec/totempg.c 2017-07-11 17:27:47.615337658 +0800
@@ -814,6 +814,10 @@
totempg_confchg_fn,
totempg_waiting_trans_ack_cb);
+ if (res == -1) {
+ goto error_exit;
+ }
+
totemmrp_callback_token_create (
&callback_token_received_handle,
TOTEM_CALLBACK_TOKEN_RECEIVED,
@@ -827,6 +831,7 @@
list_init (&totempg_groups_list);
+error_exit:
return (res);
}
--- corosync-2.4.2.orig/exec/totemsrp.c 2016-11-08 00:39:12.000000000 +0800
+++ corosync-2.4.2/exec/totemsrp.c 2017-07-11 17:30:30.887342501 +0800
@@ -851,6 +851,7 @@
int waiting_trans_ack))
{
struct totemsrp_instance *instance;
+ int res;
instance = malloc (sizeof (struct totemsrp_instance));
if (instance == NULL) {
@@ -993,7 +994,7 @@
}
}
- totemrrp_initialize (
+ res = totemrrp_initialize (
poll_handle,
&instance->totemrrp_context,
totem_config,
@@ -1004,6 +1005,9 @@
main_token_seqid_get,
main_msgs_missing,
target_set_completed);
+ if (res == -1) {
+ goto error_exit;
+ }
/*
* Must have net_mtu adjusted by totemrrp_initialize first

View File

@ -1,3 +1,20 @@
-------------------------------------------------------------------
Wed Jul 12 05:25:45 UTC 2017 - bliu@suse.com
- some upstream fixes for corosync(bsc#1048259)
Added:
bsc#1047860-add-version.patch
0007-Make-corosync-work-when-FIPS-mode-is-enabled.patch
0008-main.c-add-option-to-set-priority.patch
0009-totem-Propagate-totem-initialization-failure.patch
Removed:
bnc#867767-add-version.patch
0007-improve-corosync-keygen.patch(since this patch is not for corosync v2.x)
Modified:
corosync.spec, add judgement whether /etc/sysconfig/corosycn* exist before remove these files
-------------------------------------------------------------------
Mon Jul 10 06:54:23 UTC 2017 - bliu@suse.com

View File

@ -52,7 +52,7 @@ Url: http://corosync.github.io/corosync/
Source0: %{name}-%{version}.tar.gz
Source2: baselibs.conf
Patch1: corosync-init-lockfile-path-error.patch
Patch2: bnc#867767-add-version.patch
Patch2: bsc#1047860-add-version.patch
Patch3: bnc#872651-stop-cluster.patch
Patch4: bnc#882449-corosync-conf-example.patch
Patch5: corosync-2.3.4-fix-bashisms.patch
@ -67,7 +67,9 @@ Patch13: 0003-totemrrp-Fix-situation-when-all-rings-are-faulty.patch
Patch14: 0004-main-Display-reason-why-cluster-cannot-be-formed.patch
Patch15: 0005-votequorum-Report-errors-from-votequorum_exec_send_r.patch
Patch16: 0006-coroapi-Use-size_t-for-private_data_size.patch
Patch17: 0007-improve-corosync-keygen.patch
Patch17: 0007-Make-corosync-work-when-FIPS-mode-is-enabled.patch
Patch18: 0008-main.c-add-option-to-set-priority.patch
Patch19: 0009-totem-Propagate-totem-initialization-failure.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# openais is indeed gone and should be uninstalled. Yes, we do not
@ -144,6 +146,8 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%build
%if %{with_runautogen}
@ -291,7 +295,9 @@ fi
%endif
%postun
rm /etc/sysconfig/corosync
if [ -f /etc/sysconfig/corosync ]; then
rm /etc/sysconfig/corosync
fi
%if %{with_systemd} && 0%{?systemd_postun:1}
%systemd_postun
%endif
@ -499,8 +505,8 @@ NSS certificates and an init script.
%if %{sles_version} > 0
ln -s /run/corosync-qdevice /var/run/
%endif
%if %{with_systemd} && 0%{?systemd_post:1}
%systemd_post corosync-qdevice.service
%if %{with_systemd}
%service_add_post corosync-qdevice.service
%endif
%preun -n corosync-qdevice
@ -517,11 +523,12 @@ unlink /var/run/corosync-qdevice
%endif
%postun -n corosync-qdevice
rm /etc/sysconfig/corosync-qdevice
if [ -f /etc/sysconfig/corosync-qdevice ]; then
rm /etc/sysconfig/corosync-qdevice
fi
%if %{with_systemd} && 0%{?systemd_postun:1}
%systemd_postun
%endif
#rm /etc/sysconfig/corosync-qdevice
%files -n corosync-qdevice
%defattr(-,root,root,-)
@ -582,8 +589,8 @@ exit 0
ln -s /run/corosync-qnetd /var/run/
%endif
%{fillup_and_insserv -n corosync-qnetd}
%if %{with_systemd} && 0%{?systemd_post:1}
%systemd_post corosync-qnetd.service
%if %{with_systemd}
%service_add_post corosync-qnetd.service
%endif
%preun -n corosync-qnetd
@ -600,11 +607,12 @@ unlink /var/run/corosync-qnetd
%endif
%postun -n corosync-qnetd
rm /etc/sysconfig/corosync-qnetd
if [ -f /etc/sysconfig/corosync-qnetd ];then
rm /etc/sysconfig/corosync-qnetd
fi
%if %{with_systemd} && 0%{?systemd_postun:1}
%systemd_postun
%endif
#rm /etc/sysconfig/corosync-qnetd
%files -n corosync-qnetd
%defattr(-,root,root,-)