From b2b5e57b795b551d338e85020459f584aebabb8787b18a9e7254e9ab7c16a2a5 Mon Sep 17 00:00:00 2001 From: Thomas Renninger Date: Thu, 4 Feb 2021 10:37:36 +0000 Subject: [PATCH] Accepting request 869197 from home:trenn:branches:network:ha-clustering:Factory - This update has one part (fence-agents part) of a fix for bsc#1178294 It still needs cobbler adjustings - Update to version 4.7.0+git.1612425309.e4f51e44: * Add fence_ipmilanplus as fence_ipmilan wrapper always enabling lanplus (bsc#1178294) * fence_vbox: updated metadata file * fence_vbox: do not flood host account with vboxmanage calls * fence_aws/fence_gce: allow building without cloud libs * fence_gce: default to onoff * fence_lpar: Make --managed a required option * fence_zvmip: fix shell-timeout when using new disable-timeout parameter * Adds service account authentication to GCE fence agent * spec: dont build -all subpackage as noarch - Patch that went mainline and got deleted: D 0001-Adds-service-account-authentication-to-GCE-fence-age.patch OBS-URL: https://build.opensuse.org/request/show/869197 OBS-URL: https://build.opensuse.org/package/show/network:ha-clustering:Factory/fence-agents?expand=0&rev=122 --- ...ount-authentication-to-GCE-fence-age.patch | 239 ------------------ _service | 2 +- _servicedata | 2 +- ...gents-4.7.0+git.1607346448.17bd8552.tar.xz | 3 - ...gents-4.7.0+git.1612425309.e4f51e44.tar.xz | 3 + fence-agents.changes | 18 ++ fence-agents.spec | 4 +- 7 files changed, 24 insertions(+), 247 deletions(-) delete mode 100644 0001-Adds-service-account-authentication-to-GCE-fence-age.patch delete mode 100644 fence-agents-4.7.0+git.1607346448.17bd8552.tar.xz create mode 100644 fence-agents-4.7.0+git.1612425309.e4f51e44.tar.xz diff --git a/0001-Adds-service-account-authentication-to-GCE-fence-age.patch b/0001-Adds-service-account-authentication-to-GCE-fence-age.patch deleted file mode 100644 index 3aee29b..0000000 --- a/0001-Adds-service-account-authentication-to-GCE-fence-age.patch +++ /dev/null @@ -1,239 +0,0 @@ -From 877be689d75892fe069154cf3bc02909f3edaf50 Mon Sep 17 00:00:00 2001 -From: Tim Megela -Date: Mon, 7 Dec 2020 16:06:38 -0500 -Subject: [PATCH 1/1] Adds service account authentication to GCE fence agent - -Adds the ability to use a service acount for authentiation using --serviceaccount. -Adds additional debug information. ---- - .travis.yml | 1 + - agents/gce/fence_gce.py | 65 ++++++++++++++++++++++++++----- - configure.ac | 1 + - tests/data/metadata/fence_gce.xml | 5 +++ - 4 files changed, 62 insertions(+), 10 deletions(-) - -diff --git a/.travis.yml b/.travis.yml -index 03cac18a..8e006e85 100644 ---- a/.travis.yml -+++ b/.travis.yml -@@ -24,6 +24,7 @@ before_install: - - pip install pexpect - - pip install boto3 - - pip install google-api-python-client -+ - pip install oauth2client - - pip install python-novaclient - - pip install python-keystoneclient - -diff --git a/agents/gce/fence_gce.py b/agents/gce/fence_gce.py -index a3d98a01..bf5f5693 100644 ---- a/agents/gce/fence_gce.py -+++ b/agents/gce/fence_gce.py -@@ -1,5 +1,13 @@ - #!@PYTHON@ -tt - -+# -+# Requires the googleapiclient and oauth2client -+# RHEL 7.x: google-api-python-client==1.6.7 python-gflags==2.0 pyasn1==0.4.8 rsa==3.4.2 -+# RHEL 8.x: nothing additional needed -+# SLES 12.x: python-google-api-python-client python-oauth2client python-oauth2client-gce -+# SLES 15.x: python3-google-api-python-client python3-oauth2client -+# -+ - import atexit - import logging - import json -@@ -20,7 +28,11 @@ sys.path.append("@FENCEAGENTSLIBDIR@") - - import googleapiclient.discovery - from fencing import fail_usage, run_delay, all_opt, atexit_handler, check_input, process_input, show_docs, fence_action -- -+try: -+ from oauth2client.client import GoogleCredentials -+ from oauth2client.service_account import ServiceAccountCredentials -+except: -+ pass - - METADATA_SERVER = 'http://metadata.google.internal/computeMetadata/v1/' - METADATA_HEADERS = {'Metadata-Flavor': 'Google'} -@@ -33,19 +45,22 @@ def replace_api_uri(options, http_request): - uri_replacements = [] - # put any env var replacements first, then baremetalsolution if in options - if "FENCE_GCE_URI_REPLACEMENTS" in os.environ: -+ logging.debug("FENCE_GCE_URI_REPLACEMENTS environment variable exists") - env_uri_replacements = os.environ["FENCE_GCE_URI_REPLACEMENTS"] - try: - uri_replacements_json = json.loads(env_uri_replacements) - if isinstance(uri_replacements_json, list): - uri_replacements = uri_replacements_json -+ else: -+ logging.warning("FENCE_GCE_URI_REPLACEMENTS exists, but is not a JSON List") - except ValueError as e: - logging.warning("FENCE_GCE_URI_REPLACEMENTS exists but is not valid JSON") -- if options.get('--baremetalsolution') is not None: -+ if "--baremetalsolution" in options: - uri_replacements.append( - { - "matchlength": 4, - "match": "https://compute.googleapis.com/compute/v1/projects/(.*)/zones/(.*)/instances/(.*)/reset(.*)", -- "replace": "https://baremetalsolution.googleapis.com/v1alpha1/projects/\\1/locations/\\2/instances/\\3/resetInstance\\4" -+ "replace": "https://baremetalsolution.googleapis.com/v1alpha1/projects/\\1/locations/\\2/instances/\\3:resetInstance\\4" - }) - for uri_replacement in uri_replacements: - # each uri_replacement should have matchlength, match, and replace -@@ -113,7 +128,14 @@ def get_nodes_list(conn, options): - - - def get_power_status(conn, options): -- logging.info("get_power_status"); -+ logging.debug("get_power_status") -+ # if this is bare metal we need to just send back the opposite of the -+ # requested action: if on send off, if off send on -+ if "--baremetalsolution" in options: -+ if options.get("--action") == "on": -+ return "off" -+ else: -+ return "on" - try: - instance = retry_api_execute(options, conn.instances().get( - project=options["--project"], -@@ -125,6 +147,10 @@ def get_power_status(conn, options): - - - def wait_for_operation(conn, options, operation): -+ if 'name' not in operation: -+ logging.warning('Cannot wait for operation to complete, the' -+ ' requested operation will continue asynchronously') -+ return - project = options["--project"] - zone = options["--zone"] - while True: -@@ -140,6 +166,7 @@ def wait_for_operation(conn, options, operation): - - - def set_power_status(conn, options): -+ logging.debug("set_power_status"); - try: - if options["--action"] == "off": - logging.info("Issuing poweroff of %s in zone %s" % (options["--plug"], options["--zone"])) -@@ -147,6 +174,7 @@ def set_power_status(conn, options): - project=options["--project"], - zone=options["--zone"], - instance=options["--plug"])) -+ logging.info("Poweroff command completed, waiting for the operation to complete") - wait_for_operation(conn, options, operation) - logging.info("Poweroff of %s in zone %s complete" % (options["--plug"], options["--zone"])) - elif options["--action"] == "on": -@@ -162,12 +190,14 @@ def set_power_status(conn, options): - - - def power_cycle(conn, options): -+ logging.debug("power_cycle"); - try: - logging.info('Issuing reset of %s in zone %s' % (options["--plug"], options["--zone"])) - operation = retry_api_execute(options, conn.instances().reset( - project=options["--project"], - zone=options["--zone"], - instance=options["--plug"])) -+ logging.info("Reset command completed, waiting for the operation to complete") - wait_for_operation(conn, options, operation) - logging.info('Reset of %s in zone %s complete' % (options["--plug"], options["--zone"])) - return True -@@ -176,7 +206,8 @@ def power_cycle(conn, options): - return False - - --def get_zone(conn, options, instance): -+def get_zone(conn, options): -+ logging.debug("get_zone"); - project = options['--project'] - instance = options['--plug'] - fl = 'name="%s"' % instance -@@ -207,6 +238,7 @@ def get_metadata(metadata_key, params=None, timeout=None): - Raises: - urlerror.HTTPError: raises when the GET request fails. - """ -+ logging.debug("get_metadata"); - timeout = timeout or 60 - metadata_url = os.path.join(METADATA_SERVER, metadata_key) - params = urlparse.urlencode(params or {}) -@@ -280,13 +312,22 @@ def define_new_opts(): - "default" : 5, - "order" : 8 - } -+ all_opt["serviceaccount"] = { -+ "getopt" : ":", -+ "longopt" : "serviceaccount", -+ "help" : "--serviceaccount=[filename] Service account json file location e.g. serviceaccount=/somedir/service_account.json", -+ "shortdesc" : "Service Account to use for authentication to the google cloud APIs.", -+ "required" : "0", -+ "order" : 9 -+ } - - - def main(): - conn = None - - device_opt = ["port", "no_password", "zone", "project", "stackdriver-logging", -- "method", "baremetalsolution", "apitimeout", "retries", "retrysleep"] -+ "method", "baremetalsolution", "apitimeout", "retries", "retrysleep", -+ "serviceaccount"] - - atexit.register(atexit_handler) - -@@ -337,10 +378,12 @@ def main(): - - # Prepare cli - try: -- credentials = None -- if tuple(googleapiclient.__version__) < tuple("1.6.0"): -- import oauth2client.client -- credentials = oauth2client.client.GoogleCredentials.get_application_default() -+ if options.get("--serviceaccount"): -+ credentials = ServiceAccountCredentials.from_json_keyfile_name(options.get("--serviceaccount")) -+ logging.debug("using credentials from service account") -+ else: -+ credentials = GoogleCredentials.get_application_default() -+ logging.debug("using application default credentials") - conn = googleapiclient.discovery.build( - 'compute', 'v1', credentials=credentials, cache_discovery=False) - except Exception as err: -@@ -353,6 +396,8 @@ def main(): - except Exception as err: - fail_usage("Failed retrieving GCE project. Please provide --project option: {}".format(str(err))) - -+ if "--baremetalsolution" in options: -+ options["--zone"] = "none" - if not options.get("--zone"): - try: - options["--zone"] = get_zone(conn, options) -diff --git a/configure.ac b/configure.ac -index c9016c8a..a21f99e8 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -241,6 +241,7 @@ if echo "$AGENTS_LIST" | grep -q -E "ovh|vmware_soap"; then - fi - if echo "$AGENTS_LIST" | grep -q gce; then - AC_PYTHON_MODULE(googleapiclient) -+ AC_PYTHON_MODULE(oauth2client) - if test "x${HAVE_PYMOD_GOOGLEAPICLIENT}" != xyes; then - AGENTS_LIST=$(echo "$AGENTS_LIST" | sed -E "s#gce/fence_gce.py( |$)##") - AC_MSG_WARN("Not building fence_ovh and fence_gce") -diff --git a/tests/data/metadata/fence_gce.xml b/tests/data/metadata/fence_gce.xml -index 78c0b0d6..33478721 100644 ---- a/tests/data/metadata/fence_gce.xml -+++ b/tests/data/metadata/fence_gce.xml -@@ -68,6 +68,11 @@ For instructions see: https://cloud.google.com/compute/docs/tutorials/python-gui - - Time to sleep in seconds between API retries, default is 5. - -+ -+ -+ -+ Service Account to use for authentication to the google cloud APIs. -+ - - - --- -2.26.2 - diff --git a/_service b/_service index 428ffca..dc6e5a0 100644 --- a/_service +++ b/_service @@ -6,7 +6,7 @@ fence-agents @PARENT_TAG@+git.%ct.%h v(.*) - v4.7.0 + master enable diff --git a/_servicedata b/_servicedata index 82ad5b7..52de77e 100644 --- a/_servicedata +++ b/_servicedata @@ -1,4 +1,4 @@ git://github.com/ClusterLabs/fence-agents.git - d3227d206443b2f33876e3620aa9015b81638d39 \ No newline at end of file + 08a4521f9361c7ca4877e691fa82cc0e8f51d707 \ No newline at end of file diff --git a/fence-agents-4.7.0+git.1607346448.17bd8552.tar.xz b/fence-agents-4.7.0+git.1607346448.17bd8552.tar.xz deleted file mode 100644 index ecc1eeb..0000000 --- a/fence-agents-4.7.0+git.1607346448.17bd8552.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:93a5833bfef8c3d129e46909dd289dfeb9527ce8af08a1f3fbeeb95d2d7dd598 -size 249404 diff --git a/fence-agents-4.7.0+git.1612425309.e4f51e44.tar.xz b/fence-agents-4.7.0+git.1612425309.e4f51e44.tar.xz new file mode 100644 index 0000000..bedad67 --- /dev/null +++ b/fence-agents-4.7.0+git.1612425309.e4f51e44.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0e35b338436eb97f5b29138b328720e386289daec6aeb1f3ccfb0bf77e9e3f12 +size 249984 diff --git a/fence-agents.changes b/fence-agents.changes index 4f722a3..5d75b14 100644 --- a/fence-agents.changes +++ b/fence-agents.changes @@ -1,3 +1,21 @@ +------------------------------------------------------------------- +Thu Feb 04 10:02:29 UTC 2021 - trenn@suse.de + +- This update has one part (fence-agents part) of a fix for bsc#1178294 + It still needs cobbler adjustings +- Update to version 4.7.0+git.1612425309.e4f51e44: + * Add fence_ipmilanplus as fence_ipmilan wrapper always enabling lanplus (bsc#1178294) + * fence_vbox: updated metadata file + * fence_vbox: do not flood host account with vboxmanage calls + * fence_aws/fence_gce: allow building without cloud libs + * fence_gce: default to onoff + * fence_lpar: Make --managed a required option + * fence_zvmip: fix shell-timeout when using new disable-timeout parameter + * Adds service account authentication to GCE fence agent + * spec: dont build -all subpackage as noarch +- Patch that went mainline and got deleted: +D 0001-Adds-service-account-authentication-to-GCE-fence-age.patch + ------------------------------------------------------------------- Wed Feb 3 09:41:25 UTC 2021 - Thomas Renninger diff --git a/fence-agents.spec b/fence-agents.spec index 6abfc16..b6273d1 100644 --- a/fence-agents.spec +++ b/fence-agents.spec @@ -29,12 +29,11 @@ Name: fence-agents Summary: Fence Agents for High Availability License: GPL-2.0-only AND LGPL-2.1-only Group: Productivity/Clustering/HA -Version: 4.7.0+git.1607346448.17bd8552 +Version: 4.7.0+git.1612425309.e4f51e44 Release: 0 URL: https://github.com/ClusterLabs/fence-agents Source0: %{name}-%{version}.tar.xz Patch1: 0001-Use-Python-3-for-all-scripts-bsc-1065966.patch -Patch2: 0001-Adds-service-account-authentication-to-GCE-fence-age.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: %{python_version} @@ -140,7 +139,6 @@ development. %if "%{python_version}" == "python3" %patch1 -p1 %endif -%patch2 -p1 %build CFLAGS="${CFLAGS} ${RPM_OPT_FLAGS}"