From 9b7f65cbfb543a0cb14b108a901fd1ecfccf976bfcbbcfa85a043c91d7ef871c Mon Sep 17 00:00:00 2001 From: Bin Liu Date: Wed, 12 Jul 2017 05:54:18 +0000 Subject: [PATCH] Accepting request 509614 from home:BinLiu:branches:network:ha-clustering:Factory - some upstream fixes for corosync(bsc#1048259) Added: bsc#1047860-add-version.patch 0007-Make-corosync-work-when-FIPS-mode-is-enabled.patch 0008-main.c-add-option-to-set-priority.patch 0009-totem-Propagate-totem-initialization-failure.patch Removed: bnc#867767-add-version.patch 0007-improve-corosync-keygen.patch(since this patch is not for corosync v2.x) Modified: corosync.spec, add judgement whether /etc/sysconfig/corosycn* exist before remove these files OBS-URL: https://build.opensuse.org/request/show/509614 OBS-URL: https://build.opensuse.org/package/show/network:ha-clustering:Factory/corosync?expand=0&rev=94 --- ...osync-work-when-FIPS-mode-is-enabled.patch | 235 ++++++++++++ 0007-improve-corosync-keygen.patch | 361 ------------------ 0008-main.c-add-option-to-set-priority.patch | 196 ++++++++++ ...opagate-totem-initialization-failure.patch | 68 ++++ ...ion.patch => bsc#1047860-add-version.patch | 0 corosync.changes | 17 + corosync.spec | 30 +- 7 files changed, 535 insertions(+), 372 deletions(-) create mode 100644 0007-Make-corosync-work-when-FIPS-mode-is-enabled.patch delete mode 100644 0007-improve-corosync-keygen.patch create mode 100644 0008-main.c-add-option-to-set-priority.patch create mode 100644 0009-totem-Propagate-totem-initialization-failure.patch rename bnc#867767-add-version.patch => bsc#1047860-add-version.patch (100%) diff --git a/0007-Make-corosync-work-when-FIPS-mode-is-enabled.patch b/0007-Make-corosync-work-when-FIPS-mode-is-enabled.patch new file mode 100644 index 0000000..cf5c22b --- /dev/null +++ b/0007-Make-corosync-work-when-FIPS-mode-is-enabled.patch @@ -0,0 +1,235 @@ +--- corosync-2.4.2.orig/exec/totemcrypto.c 2016-11-08 00:39:12.000000000 +0800 ++++ corosync-2.4.2/exec/totemcrypto.c 2017-07-12 11:09:43.693227825 +0800 +@@ -206,6 +206,13 @@ + (const char *)format, ##args); \ + } while (0); + ++enum sym_key_type { ++ SYM_KEY_TYPE_CRYPT, ++ SYM_KEY_TYPE_HASH ++}; ++ ++#define MAX_WRAPPED_KEY_LEN 128 ++ + /* + * crypt/decrypt functions + */ +@@ -226,38 +233,147 @@ + return CRYPTO_CIPHER_TYPE_AES256; + } + +-static int init_nss_crypto(struct crypto_instance *instance) ++static PK11SymKey *import_symmetric_key(struct crypto_instance *instance, enum sym_key_type key_type) + { +- PK11SlotInfo* crypt_slot = NULL; +- SECItem crypt_param; ++ SECItem key_item; ++ PK11SlotInfo *slot; ++ PK11SymKey *res_key; ++ CK_MECHANISM_TYPE cipher; ++ CK_ATTRIBUTE_TYPE operation; ++ CK_MECHANISM_TYPE wrap_mechanism; ++ int wrap_key_len; ++ PK11SymKey *wrap_key; ++ PK11Context *wrap_key_crypt_context; ++ SECItem tmp_sec_item; ++ SECItem wrapped_key; ++ int wrapped_key_len; ++ unsigned char wrapped_key_data[MAX_WRAPPED_KEY_LEN]; ++ ++ memset(&key_item, 0, sizeof(key_item)); ++ slot = NULL; ++ wrap_key = NULL; ++ res_key = NULL; ++ wrap_key_crypt_context = NULL; ++ ++ key_item.type = siBuffer; ++ key_item.data = instance->private_key; ++ ++ switch (key_type) { ++ case SYM_KEY_TYPE_CRYPT: ++ key_item.len = cipher_key_len[instance->crypto_cipher_type]; ++ cipher = cipher_to_nss[instance->crypto_cipher_type]; ++ operation = CKA_ENCRYPT|CKA_DECRYPT; ++ break; ++ case SYM_KEY_TYPE_HASH: ++ key_item.len = instance->private_key_len; ++ cipher = hash_to_nss[instance->crypto_hash_type]; ++ operation = CKA_SIGN; ++ break; ++ } ++ ++ slot = PK11_GetBestSlot(cipher, NULL); ++ if (slot == NULL) { ++ log_printf(instance->log_level_security, "Unable to find security slot (%d): %s", ++ PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT)); ++ goto exit_res_key; ++ } + +- if (!cipher_to_nss[instance->crypto_cipher_type]) { +- return 0; ++ /* ++ * Without FIPS it would be possible to just use ++ * res_key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, operation, &key_item, NULL); ++ * with FIPS NSS Level 2 certification has to be "workarounded" (so it becomes Level 1) by using ++ * following method: ++ * 1. Generate wrap key ++ * 2. Encrypt authkey with wrap key ++ * 3. Unwrap encrypted authkey using wrap key ++ */ ++ ++ /* ++ * Generate wrapping key ++ */ ++ wrap_mechanism = PK11_GetBestWrapMechanism(slot); ++ wrap_key_len = PK11_GetBestKeyLength(slot, wrap_mechanism); ++ wrap_key = PK11_KeyGen(slot, wrap_mechanism, NULL, wrap_key_len, NULL); ++ if (wrap_key == NULL) { ++ log_printf(instance->log_level_security, "Unable to generate wrapping key (%d): %s", ++ PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT)); ++ goto exit_res_key; + } + +- crypt_param.type = siBuffer; +- crypt_param.data = instance->private_key; +- crypt_param.len = cipher_key_len[instance->crypto_cipher_type]; ++ /* ++ * Encrypt authkey with wrapping key ++ */ + +- crypt_slot = PK11_GetBestSlot(cipher_to_nss[instance->crypto_cipher_type], NULL); +- if (crypt_slot == NULL) { +- log_printf(instance->log_level_security, "Unable to find security slot (err %d)", +- PR_GetError()); +- return -1; ++ /* ++ * Initialization of IV is not needed because PK11_GetBestWrapMechanism should return ECB mode ++ */ ++ memset(&tmp_sec_item, 0, sizeof(tmp_sec_item)); ++ wrap_key_crypt_context = PK11_CreateContextBySymKey(wrap_mechanism, CKA_ENCRYPT, ++ wrap_key, &tmp_sec_item); ++ if (wrap_key_crypt_context == NULL) { ++ log_printf(instance->log_level_security, "Unable to create encrypt context (%d): %s", ++ PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT)); ++ goto exit_res_key; ++ } ++ ++ wrapped_key_len = (int)sizeof(wrapped_key_data); ++ ++ if (PK11_CipherOp(wrap_key_crypt_context, wrapped_key_data, &wrapped_key_len, ++ sizeof(wrapped_key_data), key_item.data, key_item.len) != SECSuccess) { ++ log_printf(instance->log_level_security, "Unable to encrypt authkey (%d): %s", ++ PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT)); ++ goto exit_res_key; ++ } ++ ++ if (PK11_Finalize(wrap_key_crypt_context) != SECSuccess) { ++ log_printf(instance->log_level_security, "Unable to finalize encryption of authkey (%d): %s", ++ PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT)); ++ goto exit_res_key; + } + +- instance->nss_sym_key = PK11_ImportSymKey(crypt_slot, +- cipher_to_nss[instance->crypto_cipher_type], +- PK11_OriginUnwrap, CKA_ENCRYPT|CKA_DECRYPT, +- &crypt_param, NULL); ++ /* ++ * Finally unwrap sym key ++ */ ++ memset(&tmp_sec_item, 0, sizeof(tmp_sec_item)); ++ wrapped_key.data = wrapped_key_data; ++ wrapped_key.len = wrapped_key_len; ++ ++ res_key = PK11_UnwrapSymKey(wrap_key, wrap_mechanism, &tmp_sec_item, &wrapped_key, ++ cipher, operation, key_item.len); ++ if (res_key == NULL) { ++ log_printf(instance->log_level_security, "Failure to import key into NSS (%d): %s", ++ PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT)); ++ goto exit_res_key; ++ } ++ ++exit_res_key: ++ if (wrap_key_crypt_context != NULL) { ++ PK11_DestroyContext(wrap_key_crypt_context, PR_TRUE); ++ } ++ ++ if (wrap_key != NULL) { ++ PK11_FreeSymKey(wrap_key); ++ } ++ ++ if (slot != NULL) { ++ PK11_FreeSlot(slot); ++ } ++ ++ return (res_key); ++} ++ ++static int init_nss_crypto(struct crypto_instance *instance) ++{ ++ ++ if (!cipher_to_nss[instance->crypto_cipher_type]) { ++ return 0; ++ } ++ ++ instance->nss_sym_key = import_symmetric_key(instance, SYM_KEY_TYPE_CRYPT); + if (instance->nss_sym_key == NULL) { +- log_printf(instance->log_level_security, "Failure to import key into NSS (err %d)", +- PR_GetError()); + return -1; + } + +- PK11_FreeSlot(crypt_slot); +- + return 0; + } + +@@ -312,9 +428,9 @@ + nss_sec_param); + if (!crypt_context) { + log_printf(instance->log_level_security, +- "PK11_CreateContext failed (encrypt) crypt_type=%d (err %d)", ++ "PK11_CreateContext failed (encrypt) crypt_type=%d (%d): %s", + (int)cipher_to_nss[instance->crypto_cipher_type], +- PR_GetError()); ++ PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT)); + goto out; + } + +@@ -447,36 +563,16 @@ + + static int init_nss_hash(struct crypto_instance *instance) + { +- PK11SlotInfo* hash_slot = NULL; +- SECItem hash_param; + + if (!hash_to_nss[instance->crypto_hash_type]) { + return 0; + } + +- hash_param.type = siBuffer; +- hash_param.data = instance->private_key; +- hash_param.len = instance->private_key_len; +- +- hash_slot = PK11_GetBestSlot(hash_to_nss[instance->crypto_hash_type], NULL); +- if (hash_slot == NULL) { +- log_printf(instance->log_level_security, "Unable to find security slot (err %d)", +- PR_GetError()); +- return -1; +- } +- +- instance->nss_sym_key_sign = PK11_ImportSymKey(hash_slot, +- hash_to_nss[instance->crypto_hash_type], +- PK11_OriginUnwrap, CKA_SIGN, +- &hash_param, NULL); ++ instance->nss_sym_key_sign = import_symmetric_key(instance, SYM_KEY_TYPE_HASH); + if (instance->nss_sym_key_sign == NULL) { +- log_printf(instance->log_level_security, "Failure to import key into NSS (err %d)", +- PR_GetError()); + return -1; + } + +- PK11_FreeSlot(hash_slot); +- + return 0; + } + diff --git a/0007-improve-corosync-keygen.patch b/0007-improve-corosync-keygen.patch deleted file mode 100644 index 29cb42d..0000000 --- a/0007-improve-corosync-keygen.patch +++ /dev/null @@ -1,361 +0,0 @@ ---- corosync-2.4.2.orig/exec/totemconfig.c 2017-07-10 10:47:11.640061522 +0800 -+++ corosync-2.4.2/exec/totemconfig.c 2017-07-10 12:47:33.936275775 +0800 -@@ -1416,7 +1416,6 @@ - { - int fd; - int res; -- ssize_t expected_key_len = sizeof (totem_config->private_key); - int saved_errno; - char error_str[100]; - const char *error_ptr; -@@ -1430,7 +1429,7 @@ - goto parse_error; - } - -- res = read (fd, totem_config->private_key, expected_key_len); -+ res = read (fd, totem_config->private_key, TOTEM_PRIVATE_KEY_LEN_MAX); - saved_errno = errno; - close (fd); - -@@ -1442,15 +1441,14 @@ - goto parse_error; - } - -- totem_config->private_key_len = expected_key_len; -- -- if (res != expected_key_len) { -+ if (res < TOTEM_PRIVATE_KEY_LEN_MIN) { - snprintf (error_string_response, sizeof(error_string_response), -- "Could only read %d bits of 1024 bits from %s.\n", -- res * 8, key_location); -+ "Could only read %d bits of minimum %u bits from %s.\n", -+ res * 8, TOTEM_PRIVATE_KEY_LEN_MIN * 8, key_location); - goto parse_error; - } - -+ totem_config->private_key_len = res; - return 0; - - parse_error: -@@ -1467,8 +1465,8 @@ - int res; - size_t key_len; - -- memset (totem_config->private_key, 0, 128); -- totem_config->private_key_len = 128; -+ memset (totem_config->private_key, 0, sizeof(totem_config->private_key)); -+ totem_config->private_key_len = 0; - - if (strcmp(totem_config->crypto_cipher_type, "none") == 0 && - strcmp(totem_config->crypto_hash_type, "none") == 0) { -@@ -1485,15 +1483,19 @@ - got_key = 1; - } else { /* Or the key itself may be in the cmap */ - if (icmap_get("totem.key", NULL, &key_len, NULL) == CS_OK) { -- if (key_len > sizeof (totem_config->private_key)) { -+ if (key_len > sizeof(totem_config->private_key)) { - sprintf(error_string_response, "key is too long"); - goto key_error; - } -+ if (key_len < TOTEM_PRIVATE_KEY_LEN_MIN) { -+ sprintf(error_string_response, "key is too short"); -+ goto key_error; -+ } - if (icmap_get("totem.key", totem_config->private_key, &key_len, NULL) == CS_OK) { - totem_config->private_key_len = key_len; - got_key = 1; - } else { -- sprintf(error_string_response, "can't store private key"); -+ sprintf(error_string_response, "can't store load key"); - goto key_error; - } - } ---- corosync-2.4.2.orig/include/corosync/totem/totem.h 2016-11-08 00:39:12.000000000 +0800 -+++ corosync-2.4.2/include/corosync/totem/totem.h 2017-07-10 12:38:17.344259264 +0800 -@@ -90,7 +90,11 @@ - int log_subsys_id; - }; - --enum { TOTEM_PRIVATE_KEY_LEN = 128 }; -+enum { -+ TOTEM_PRIVATE_KEY_LEN = 128, -+ TOTEM_PRIVATE_KEY_LEN_MIN = 1024, -+ TOTEM_PRIVATE_KEY_LEN_MAX = 4096 -+}; - enum { TOTEM_RRP_MODE_BYTES = 64 }; - - typedef enum { -@@ -119,7 +123,7 @@ - /* - * key information - */ -- unsigned char private_key[TOTEM_PRIVATE_KEY_LEN]; -+ unsigned char private_key[TOTEM_PRIVATE_KEY_LEN_MAX]; - - unsigned int private_key_len; - ---- corosync-2.4.2.orig/tools/corosync-keygen.c 2016-11-08 00:39:12.000000000 +0800 -+++ corosync-2.4.2/tools/corosync-keygen.c 2017-07-10 11:30:12.340138080 +0800 -@@ -1,10 +1,11 @@ - /* - * Copyright (c) 2004 MontaVista Software, Inc. -- * Copyright (c) 2005-2011 Red Hat, Inc. -+ * Copyright (c) 2005-2017 Red Hat, Inc. - * - * All rights reserved. - * - * Author: Steven Dake (sdake@redhat.com) -+ * Jan Friesse (jfriesse@redhat.com) - * - * This software licensed under BSD license, the text of which follows: - * -@@ -47,16 +48,25 @@ - - #include - -+#include -+ - #define DEFAULT_KEYFILE COROSYSCONFDIR "/authkey" - -+#define DEFAULT_KEYFILE_LEN TOTEM_PRIVATE_KEY_LEN_MIN -+ -+#define DEFAULT_RANDOM_DEV "/dev/urandom" -+ - static const char usage[] = -- "Usage: corosync-keygen [-k ] [-l]\n" -+ "Usage: corosync-keygen [-k ] [-s size] [-m ] [-l] [-h]\n" - " -k / --key-file= - Write to the specified keyfile\n" - " instead of the default " DEFAULT_KEYFILE ".\n" -- " -l / --less-secure - Use a less secure random number source\n" -- " (/dev/urandom) that is guaranteed not to require user\n" -- " input for entropy. This can be used when this\n" -- " application is used from a script.\n"; -+ " -r / --random-file - Random number source file. Default is \n" -+ " /dev/urandom. As an example /dev/random may be requested\n" -+ " (that may require user input for entropy).\n" -+ " -l / --less-secure - Not used, option is kept only\n" -+ " for compatibility.\n" -+ " -s / --size - Length of key.\n" -+ " -h / --help - Print basic usage.\n"; - - - int main (int argc, char *argv[]) -@@ -64,27 +74,49 @@ - int authkey_fd; - int random_fd; - char *keyfile = NULL; -- unsigned char key[128]; -+ unsigned char key[TOTEM_PRIVATE_KEY_LEN_MAX]; - ssize_t res; - ssize_t bytes_read; -+ size_t key_len = DEFAULT_KEYFILE_LEN; -+ const char *random_dev = DEFAULT_RANDOM_DEV; -+ long long int tmpll; -+ char *ep; - int c; - int option_index; -- int less_secure = 0; - static struct option long_options[] = { - { "key-file", required_argument, NULL, 'k' }, - { "less-secure", no_argument, NULL, 'l' }, -+ { "random-file", required_argument, NULL, 'r' }, -+ { "size", required_argument, NULL, 's' }, - { "help", no_argument, NULL, 'h' }, - { 0, 0, NULL, 0 }, - }; - -- while ((c = getopt_long (argc, argv, "k:lh", -+ while ((c = getopt_long (argc, argv, "k:r:s:lh", - long_options, &option_index)) != -1) { - switch (c) { - case 'k': - keyfile = optarg; - break; - case 'l': -- less_secure = 1; -+ /* -+ * Only kept for compatibility -+ */ -+ break; -+ case 'r': -+ random_dev = optarg; -+ break; -+ case 's': -+ tmpll = strtoll(optarg, &ep, 10); -+ if (tmpll < TOTEM_PRIVATE_KEY_LEN_MIN || -+ tmpll > TOTEM_PRIVATE_KEY_LEN_MAX || -+ errno != 0 || *ep != '\0') { -+ errx (1, "Unsupported key size (supported <%u,%u>)\n", -+ TOTEM_PRIVATE_KEY_LEN_MIN, -+ TOTEM_PRIVATE_KEY_LEN_MAX); -+ } -+ -+ key_len = (size_t)tmpll; - break; - case 'h': - printf ("%s\n", usage); -@@ -102,32 +134,30 @@ - keyfile = (char *)DEFAULT_KEYFILE; - } - -- if (less_secure) { -- printf ("Gathering %lu bits for key from /dev/urandom.\n", (unsigned long)(sizeof (key) * 8)); -- random_fd = open ("/dev/urandom", O_RDONLY); -- } else { -- printf ("Gathering %lu bits for key from /dev/random.\n", (unsigned long)(sizeof (key) * 8)); -- printf ("Press keys on your keyboard to generate entropy.\n"); -- random_fd = open ("/dev/random", O_RDONLY); -- } -+ printf ("Gathering %lu bits for key from %s.\n", (unsigned long)(key_len * 8), random_dev); -+ random_fd = open (random_dev, O_RDONLY); - - if (random_fd == -1) { - err (1, "Failed to open random source"); - } - -+ if (strcmp(random_dev, "/dev/random") == 0) { -+ printf ("Press keys on your keyboard to generate entropy.\n"); -+ } - /* - * Read random data - */ - bytes_read = 0; - - retry_read: -- res = read (random_fd, &key[bytes_read], sizeof (key) - bytes_read); -+ res = read (random_fd, &key[bytes_read], key_len - bytes_read); - if (res == -1) { - err (1, "Could not read /dev/random"); - } - bytes_read += res; -- if (bytes_read != sizeof (key)) { -- printf ("Press keys on your keyboard to generate entropy (bits = %d).\n", (int)(bytes_read * 8)); -+ if (bytes_read != key_len) { -+ printf ("Press keys on your keyboard to generate entropy (%d bits still needed).\n", -+ (int)((key_len - bytes_read) * 8)); - goto retry_read; - } - close (random_fd); -@@ -135,7 +165,7 @@ - /* - * Open key - */ -- authkey_fd = open (keyfile, O_CREAT|O_WRONLY, 0600); -+ authkey_fd = open (keyfile, O_CREAT|O_WRONLY|O_TRUNC, 0600); - if (authkey_fd == -1) { - err (2, "Could not create %s", keyfile); - } -@@ -148,8 +178,8 @@ - /* - * Write key - */ -- res = write (authkey_fd, key, sizeof (key)); -- if (res != sizeof (key)) { -+ res = write (authkey_fd, key, key_len); -+ if (res != key_len) { - err (4, "Could not write %s", keyfile); - } - ---- corosync-2.4.2.orig/man/corosync-keygen.8 2016-11-08 00:39:12.000000000 +0800 -+++ corosync-2.4.2/man/corosync-keygen.8 2017-07-10 12:55:30.260289906 +0800 -@@ -1,5 +1,5 @@ - .\"/* --.\" * Copyright (C) 2010 Red Hat, Inc. -+.\" * Copyright (C) 2010-2017 Red Hat, Inc. - .\" * - .\" * All rights reserved. - .\" * -@@ -31,11 +31,11 @@ - .\" * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF - .\" * THE POSSIBILITY OF SUCH DAMAGE. - .\" */ --.TH COROSYNC-KEYGEN 8 2010-05-30 -+.TH COROSYNC-KEYGEN 8 2017-07-03 - .SH NAME - corosync-keygen \- Generate an authentication key for Corosync. - .SH SYNOPSIS --.B "corosync-keygen [\-k ] [\-l]" -+.B "corosync-keygen [\-k ] [-m ] [\-s size] [\-l] [\-h]" - .SH DESCRIPTION - - If you want to configure corosync to use cryptographic techniques to ensure authenticity -@@ -57,8 +57,6 @@ - If a message "Invalid digest" appears from the corosync executive, the keys - are not consistent between processors. - .PP --.B Note: corosync-keygen --will ask for user input to assist in generating entropy unless the -l option is used. - .SH OPTIONS - .TP - .B -k -@@ -66,30 +64,55 @@ - .br - The default is /etc/corosync/authkey. - .TP -+.B -r -+Random number source file. Default is /dev/urandom. As an example /dev/random may be -+used when really superb randomness is needed. -+.TP -+.B -s size -+Size of the generated key in bytes. Default is 1024 bytes. Allowed range is <1024, 4096>. -+.TP -+.TP - .B -l --Use a less secure random data source that will not require user input to help generate --entropy. This may be useful when this utility is used from a script or hardware random number --generator is not available (f.e. in virtual machine). -+Option is not used and it's kept only for compatibility. -+.TP -+.B -h -+Print basic usage. - - .SH EXAMPLES - .TP - Generate the key. --.PP -+.nf - # corosync-keygen --.br - Corosync Cluster Engine Authentication key generator. --.br --Gathering 1024 bits for key from /dev/random. --.br --Press keys on your keyboard to generate entropy. --.br --.PP --$ corosync-keygen -l -k /tmp/authkey --.br -+Gathering 8192 bits for key from /dev/urandom. -+Writing corosync key to /etc/corosync/authkey -+.fi -+ -+.TP -+Generate longer key and store it in the /tmp/authkey file. -+.nf -+$ corosync-keygen -s 2048 -k /tmp/authkey - Corosync Cluster Engine Authentication key generator. --.br -+Gathering 16384 bits for key from /dev/urandom. - Writing corosync key to /tmp/authkey. --.br -+.fi -+ -+.TP -+Generate superb key using /dev/random -+.nf -+# corosync-keygen -r /dev/random -+Corosync Cluster Engine Authentication key generator. -+Gathering 8192 bits for key from /dev/random. -+Press keys on your keyboard to generate entropy. -+Press keys on your keyboard to generate entropy (7928 bits still needed). -+Press keys on your keyboard to generate entropy (7880 bits still needed). -+ ... -+Press keys on your keyboard to generate entropy (104 bits still needed). -+Press keys on your keyboard to generate entropy (56 bits still needed). -+Press keys on your keyboard to generate entropy (8 bits still needed). -+Writing corosync key to /etc/corosync/authkey. -+.fi -+ - .SH SEE ALSO - .BR corosync_overview (8), - .BR corosync.conf (5), diff --git a/0008-main.c-add-option-to-set-priority.patch b/0008-main.c-add-option-to-set-priority.patch new file mode 100644 index 0000000..30723bb --- /dev/null +++ b/0008-main.c-add-option-to-set-priority.patch @@ -0,0 +1,196 @@ +--- corosync-2.4.2.orig/exec/main.c 2017-07-11 16:45:28.979262348 +0800 ++++ corosync-2.4.2/exec/main.c 2017-07-11 16:44:05.195259862 +0800 +@@ -889,8 +889,10 @@ + } + + +-static void corosync_setscheduler (void) ++static int corosync_set_rr_scheduler (void) + { ++ int ret_val = 0; ++ + #if defined(HAVE_PTHREAD_SETSCHEDPARAM) && defined(HAVE_SCHED_GET_PRIORITY_MAX) && defined(HAVE_SCHED_SETSCHEDULER) + int res; + +@@ -907,6 +909,7 @@ + #ifdef HAVE_QB_LOG_THREAD_PRIORITY_SET + qb_log_thread_priority_set (SCHED_OTHER, 0); + #endif ++ ret_val = -1; + } else { + + /* +@@ -928,11 +931,15 @@ + LOGSYS_PERROR (errno, LOGSYS_LEVEL_WARNING, + "Could not get maximum scheduler priority"); + sched_priority = 0; ++ ret_val = -1; + } + #else + log_printf(LOGSYS_LEVEL_WARNING, + "The Platform is missing process priority setting features. Leaving at default."); ++ ret_val = -1; + #endif ++ ++ return (ret_val); + } + + +@@ -1159,29 +1166,46 @@ + const char *error_string; + struct totem_config totem_config; + int res, ch; +- int background, setprio, testonly; ++ int background, sched_rr, prio, testonly; + struct stat stat_out; + enum e_corosync_done flock_err; + uint64_t totem_config_warnings; + struct scheduler_pause_timeout_data scheduler_pause_timeout_data; ++ long int tmpli; ++ char *ep; + + /* default configuration + */ + background = 1; +- setprio = 1; ++ sched_rr = 1; ++ prio = 0; + testonly = 0; + +- while ((ch = getopt (argc, argv, "fprtv")) != EOF) { ++ while ((ch = getopt (argc, argv, "fP:prtv")) != EOF) { + + switch (ch) { + case 'f': + background = 0; + break; + case 'p': +- setprio = 0; ++ sched_rr = 0; ++ break; ++ case 'P': ++ if (strcmp(optarg, "max") == 0) { ++ prio = INT_MIN; ++ } else if (strcmp(optarg, "min") == 0) { ++ prio = INT_MAX; ++ } else { ++ tmpli = strtol(optarg, &ep, 10); ++ if (errno != 0 || *ep != '\0' || tmpli > INT_MAX || tmpli < INT_MIN) { ++ fprintf(stderr, "Priority value %s is invalid", optarg); ++ logsys_system_fini(); ++ return EXIT_FAILURE; ++ } ++ } + break; + case 'r': +- setprio = 1; ++ sched_rr = 1; + break; + case 't': + testonly = 1; +@@ -1197,9 +1221,10 @@ + fprintf(stderr, \ + "usage:\n"\ + " -f : Start application in foreground.\n"\ +- " -p : Do not set process priority.\n"\ ++ " -p : Do not set realtime scheduling.\n"\ + " -t : Test configuration and exit.\n"\ + " -r : Set round robin realtime scheduling (default).\n"\ ++ " -P num : Set priority of process (no effect when -r is used)\n"\ + " -v : Display version and SVN revision of Corosync and exit.\n"); + logsys_system_fini(); + return EXIT_FAILURE; +@@ -1207,15 +1232,6 @@ + } + + /* +- * Set round robin realtime scheduling with priority 99 +- * Lock all memory to avoid page faults which may interrupt +- * application healthchecking +- */ +- if (setprio) { +- corosync_setscheduler (); +- } +- +- /* + * Other signals are registered later via qb_loop_signal_add + */ + (void)signal (SIGSEGV, sigsegv_handler); +@@ -1319,6 +1335,24 @@ + corosync_exit_error (COROSYNC_DONE_EXIT); + } + ++ /* ++ * Set round robin realtime scheduling with priority 99 ++ */ ++ if (sched_rr) { ++ if (corosync_set_rr_scheduler () != 0) { ++ prio = INT_MIN; ++ } else { ++ prio = 0; ++ } ++ } ++ ++ if (prio != 0) { ++ if (setpriority(PRIO_PGRP, 0, prio) != 0) { ++ LOGSYS_PERROR(errno, LOGSYS_LEVEL_WARNING, ++ "Could not set priority %d", prio); ++ } ++ } ++ + ip_version = totem_config.ip_version; + + totem_config.totem_memb_ring_id_create_or_load = corosync_ring_id_create_or_load; +@@ -1345,6 +1379,11 @@ + corosync_tty_detach (); + } + ++ /* ++ * Lock all memory to avoid page faults which may interrupt ++ * application healthchecking ++ */ ++ + corosync_mlockall(); + + corosync_poll_handle = qb_loop_create (); +--- corosync-2.4.2.orig/man/corosync.8 2016-11-08 00:39:12.000000000 +0800 ++++ corosync-2.4.2/man/corosync.8 2017-07-11 16:48:06.555267022 +0800 +@@ -31,11 +31,11 @@ + .\" * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF + .\" * THE POSSIBILITY OF SUCH DAMAGE. + .\" */ +-.TH COROSYNC 8 2010-05-30 ++.TH COROSYNC 8 2017-07-07 + .SH NAME + corosync \- The Corosync Cluster Engine. + .SH SYNOPSIS +-.B "corosync [\-f] [\-p] [\-r] [\-v]" ++.B "corosync [\-f] [-P num] [\-p] [\-r] [\-v]" + .SH DESCRIPTION + .B corosync + Corosync provides clustering infracture such as membership, messaging and quorum. +@@ -45,10 +45,22 @@ + Start application in foreground. + .TP + .B -p +-Do not set process priority. ++Do not set realtime scheduling. + .TP ++.B -P ++Set priority of process. Has effect only when + .B -r +-Set round robin realtime scheduling (default). ++is not used. Can be ether numeric value with similar meaning as ++.BR nice (1) ++or ++.B max ++/ ++.B min ++meaning maximal / minimal priority (so minimal / maximal nice value). ++.TP ++.B -r ++Set round robin realtime scheduling with maximal priority (default). When setting ++of scheduler fails, fallback to set maximal priority. + .TP + .B -t + Test configuration and then exit. diff --git a/0009-totem-Propagate-totem-initialization-failure.patch b/0009-totem-Propagate-totem-initialization-failure.patch new file mode 100644 index 0000000..d0ef055 --- /dev/null +++ b/0009-totem-Propagate-totem-initialization-failure.patch @@ -0,0 +1,68 @@ +--- corosync-2.4.2.orig/exec/main.c 2017-07-11 17:23:41.903330368 +0800 ++++ corosync-2.4.2/exec/main.c 2017-07-11 17:31:08.687343622 +0800 +@@ -1424,9 +1424,13 @@ + * Join multicast group and setup delivery + * and configuration change functions + */ +- totempg_initialize ( ++ if(totempg_initialize ( + corosync_poll_handle, +- &totem_config); ++ &totem_config) != 0) { ++ ++ log_printf (LOGSYS_LEVEL_ERROR, "Can't initialize TOTEM layer"); ++ corosync_exit_error (COROSYNC_DONE_FATAL_ERR); ++ } + + totempg_service_ready_register ( + main_service_ready); +--- corosync-2.4.2.orig/exec/totempg.c 2016-11-08 00:39:12.000000000 +0800 ++++ corosync-2.4.2/exec/totempg.c 2017-07-11 17:27:47.615337658 +0800 +@@ -814,6 +814,10 @@ + totempg_confchg_fn, + totempg_waiting_trans_ack_cb); + ++ if (res == -1) { ++ goto error_exit; ++ } ++ + totemmrp_callback_token_create ( + &callback_token_received_handle, + TOTEM_CALLBACK_TOKEN_RECEIVED, +@@ -827,6 +831,7 @@ + + list_init (&totempg_groups_list); + ++error_exit: + return (res); + } + +--- corosync-2.4.2.orig/exec/totemsrp.c 2016-11-08 00:39:12.000000000 +0800 ++++ corosync-2.4.2/exec/totemsrp.c 2017-07-11 17:30:30.887342501 +0800 +@@ -851,6 +851,7 @@ + int waiting_trans_ack)) + { + struct totemsrp_instance *instance; ++ int res; + + instance = malloc (sizeof (struct totemsrp_instance)); + if (instance == NULL) { +@@ -993,7 +994,7 @@ + } + } + +- totemrrp_initialize ( ++ res = totemrrp_initialize ( + poll_handle, + &instance->totemrrp_context, + totem_config, +@@ -1004,6 +1005,9 @@ + main_token_seqid_get, + main_msgs_missing, + target_set_completed); ++ if (res == -1) { ++ goto error_exit; ++ } + + /* + * Must have net_mtu adjusted by totemrrp_initialize first diff --git a/bnc#867767-add-version.patch b/bsc#1047860-add-version.patch similarity index 100% rename from bnc#867767-add-version.patch rename to bsc#1047860-add-version.patch diff --git a/corosync.changes b/corosync.changes index 027ba36..3f95f07 100644 --- a/corosync.changes +++ b/corosync.changes @@ -1,3 +1,20 @@ +------------------------------------------------------------------- +Wed Jul 12 05:25:45 UTC 2017 - bliu@suse.com + +- some upstream fixes for corosync(bsc#1048259) +Added: + bsc#1047860-add-version.patch + 0007-Make-corosync-work-when-FIPS-mode-is-enabled.patch + 0008-main.c-add-option-to-set-priority.patch + 0009-totem-Propagate-totem-initialization-failure.patch + +Removed: + bnc#867767-add-version.patch + 0007-improve-corosync-keygen.patch(since this patch is not for corosync v2.x) + +Modified: + corosync.spec, add judgement whether /etc/sysconfig/corosycn* exist before remove these files + ------------------------------------------------------------------- Mon Jul 10 06:54:23 UTC 2017 - bliu@suse.com diff --git a/corosync.spec b/corosync.spec index 3271f79..189a4bb 100644 --- a/corosync.spec +++ b/corosync.spec @@ -52,7 +52,7 @@ Url: http://corosync.github.io/corosync/ Source0: %{name}-%{version}.tar.gz Source2: baselibs.conf Patch1: corosync-init-lockfile-path-error.patch -Patch2: bnc#867767-add-version.patch +Patch2: bsc#1047860-add-version.patch Patch3: bnc#872651-stop-cluster.patch Patch4: bnc#882449-corosync-conf-example.patch Patch5: corosync-2.3.4-fix-bashisms.patch @@ -67,7 +67,9 @@ Patch13: 0003-totemrrp-Fix-situation-when-all-rings-are-faulty.patch Patch14: 0004-main-Display-reason-why-cluster-cannot-be-formed.patch Patch15: 0005-votequorum-Report-errors-from-votequorum_exec_send_r.patch Patch16: 0006-coroapi-Use-size_t-for-private_data_size.patch -Patch17: 0007-improve-corosync-keygen.patch +Patch17: 0007-Make-corosync-work-when-FIPS-mode-is-enabled.patch +Patch18: 0008-main.c-add-option-to-set-priority.patch +Patch19: 0009-totem-Propagate-totem-initialization-failure.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build # openais is indeed gone and should be uninstalled. Yes, we do not @@ -144,6 +146,8 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build %patch15 -p1 %patch16 -p1 %patch17 -p1 +%patch18 -p1 +%patch19 -p1 %build %if %{with_runautogen} @@ -291,7 +295,9 @@ fi %endif %postun -rm /etc/sysconfig/corosync +if [ -f /etc/sysconfig/corosync ]; then + rm /etc/sysconfig/corosync +fi %if %{with_systemd} && 0%{?systemd_postun:1} %systemd_postun %endif @@ -499,8 +505,8 @@ NSS certificates and an init script. %if %{sles_version} > 0 ln -s /run/corosync-qdevice /var/run/ %endif -%if %{with_systemd} && 0%{?systemd_post:1} -%systemd_post corosync-qdevice.service +%if %{with_systemd} +%service_add_post corosync-qdevice.service %endif %preun -n corosync-qdevice @@ -517,11 +523,12 @@ unlink /var/run/corosync-qdevice %endif %postun -n corosync-qdevice -rm /etc/sysconfig/corosync-qdevice +if [ -f /etc/sysconfig/corosync-qdevice ]; then + rm /etc/sysconfig/corosync-qdevice +fi %if %{with_systemd} && 0%{?systemd_postun:1} %systemd_postun %endif -#rm /etc/sysconfig/corosync-qdevice %files -n corosync-qdevice %defattr(-,root,root,-) @@ -582,8 +589,8 @@ exit 0 ln -s /run/corosync-qnetd /var/run/ %endif %{fillup_and_insserv -n corosync-qnetd} -%if %{with_systemd} && 0%{?systemd_post:1} -%systemd_post corosync-qnetd.service +%if %{with_systemd} +%service_add_post corosync-qnetd.service %endif %preun -n corosync-qnetd @@ -600,11 +607,12 @@ unlink /var/run/corosync-qnetd %endif %postun -n corosync-qnetd -rm /etc/sysconfig/corosync-qnetd +if [ -f /etc/sysconfig/corosync-qnetd ];then + rm /etc/sysconfig/corosync-qnetd +fi %if %{with_systemd} && 0%{?systemd_postun:1} %systemd_postun %endif -#rm /etc/sysconfig/corosync-qnetd %files -n corosync-qnetd %defattr(-,root,root,-)