Created attachment 208560 [details]
[PATCH] net/pacemaker2: update 2.0.0-rc4 to 2.0.2

* fixes CVE-2018-16878, CVE-2018-16877, CVE-2019-3885

https://github.com/ClusterLabs/pacemaker/blob/Pacemaker-2.0.2/ChangeLog

- Features added since Pacemaker-2.0.1
  + tools: crm_resource --validate can get resource parameters from command line
  + tools: crm_resource --clear prints out any cleared constraints
  + tools: new crm_rule tool for checking rule expiration (experimental)
  + tools: stonith_admin supports XML output for machine parsing (experimental)
  + resources: new HealthIOWait resource agent for node health tracking
- Changes since Pacemaker-2.0.1
  + Important security fixes for CVE-2018-16878, CVE-2018-16877, CVE-2019-3885
  + build: crm_report bug report URL is now configurable at build time
  + build: private libpengine/libtransitioner libraries combined as libpacemaker
  + controller: avoid memory leak when duplicate monitor is scheduled
  + scheduler: respect order constraints when resources are being probed
  + scheduler: one group stop shouldn't make another required
  + libcrmcommon: handle out-of-range integers in configuration better
  + libcrmcommon: export logfile environment variable if using default
  + libcrmcommon: avoid segmentation fault when beginning formatted text list
  + libcrmservice: fix use-after-free memory error in alert handling
  + libstonithd: handle more than 64KB output from fence agents
- Features added since Pacemaker-2.0.0
  + Pacemaker bundles support podman for container management
  + fencing: SBD may be used in a cluster that has guest nodes or bundles
  + fencing: fencing history is synchronized among all nodes
  + fencing: stonith_admin has option to clear fence history
  + tools: crm_mon can show fencing action failures and history
  + tools: crm_resource --clear supports new --expired option
  + Pacemaker Remote: new options to restrict TLS Diffie-Hellman prime length
- Changes since Pacemaker-2.0.0
  + scheduler: clone notifications could be scheduled for a stopped Pacemaker Remote node and block all further cluster actions (regression since 2.0.0)
  + libcrmcommon: correct behavior for completing interrupted live migrations (regression since 2.0.0)
  + tools: crm_resource -C could fail to clean up all failures in one run (regression since 2.0.0)
  + Pacemaker Remote: avoid unnecessary downtime when moving resource to Pacemaker Remote node that fails to come up (regression since 1.1.18)
  + tools: restore stonith_admin ability to confirm unseen nodes are down (regression since 1.1.12)
  + build: minor logging fixes to allow compatibility with GCC 9 -Werror
  + build: spec file now puts XML schemas in new pacemaker-schemas package
  + build: spec file now provides virtual pcmk-cluster-manager package
  + pacemaker-attrd: wait a short time before re-attempting failed writes
  + pacemaker-attrd: ignore attribute delays when writing after node (re-)join
  + pacemaker-attrd: start new election immediately if writer is lost
  + pacemaker-attrd: clear election dampening when the writer leaves
  + pacemaker-attrd: detect alert configuration changes when CIB is replaced
  + CIB: inform originator of CIB upgrade failure
  + controller: support resource agents that require node name even for meta-data
  + controller: don't record pending clone notifications in CIB
  + controller: DC detects completion of another node's shutdown more accurately
  + controller: shut down DC if unable to update node attributes
  + controller: handle corosync peer/join notifications for new node in any order
  + controller: clear election dampening when DC is lost
  + executor: cancel recurring monitors if fence device registration is lost
  + fencing: check for fence device update when resource defaults change
  + fencing: avoid pacemaker-fenced crash possible with stonith_admin misuse
  + fencing: limit fencing history to 500 entries
  + fencing: stonith_admin now complains if no action option is specified
  + pacemakerd: do not modify kernel.sysrq on Linux
  + scheduler: regression test compatibility with glib 2.59.0
  + scheduler: avoid unnecessary recovery of cleaned guest nodes and bundles
  + scheduler: ensure failures causing fencing not expired until fencing done
  + scheduler: start unique clone instances in numerical order
  + scheduler: convert unique clones to anonymous clones when not supported
  + scheduler: associate pending tasks with correct clone instance
  + scheduler: ensure bundle clone notifications are directed to correct host
  + scheduler: avoid improper bundle monitor rescheduling or fail count clearing
  + scheduler: honor asymmetric orderings even when restarting
  + scheduler: don't order non-DC shutdowns before DC fencing
  + ACLs: assume unprivileged ACL user if can't get user info
  + Pacemaker Remote: get Diffie-Hellman prime bit length from GnuTLS API
  + libcrmservice: cancel DBus call when cancelling systemd/upstart actions
  + libcrmservice: order systemd resources relative to pacemaker_remote
  + libpe_status: add public API constructor/destructor for pe_working_set_t
  + tools: fix crm_resource --clear when lifetime was used with ban/move
  + tools: fix crm_resource --move when lifetime was used with previous move
  + tools: make crm_mon CIB connection errors non-fatal if previously successful
  + tools: improve crm_mon messages when generating HTML output
  + tools: crm_mon cluster connection failure is now "critical" in nagios mode
  + tools: crm_mon listing of standby nodes shows if they have active resources
  + tools: crm_diff now ignores attribute ordering when comparing in CIB mode
  + tools: improve crm_report detection of logs, CIB directory, and processes
  + tools: crm_verify returns reliable exit codes
  + tools: crm_simulate resource history uses same name as live cluster would
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/91239853
Ping? Any objections to me getting it committed?
I'll take this one - maintainer timeout (4+ weeks). Merging the patch from bug #241456 and updating the necessary code.
Created attachment 209805 [details]
[PATCH] net/pacemaker2: update 2.0.0-rc4 to 2.0.3
- Features added since Pacemaker-2.0.2
  + controller: new 'fence-reaction' cluster option specifies whether local node should 'stop' or 'panic' if notified of own fencing
  + controller: more cluster properties support ISO 8601 time specifications
  + controller: calculate cluster recheck interval dynamically when possible
  + Pacemaker Remote: allow file for environment variables when used in bundle
  + Pacemaker Remote: allow configurable listen address and TLS priorities
  + tools: crm_mon now supports standard --output-as/--output-to options
  + tools: crm_mon HTML output supports user-defined CSS stylesheet
  + tools: stonith_admin supports HTML output in addition to text and XML
  + tools: crm_simulate supports --repeat option to repeat profiling tests
  + tools: new pcmk_simtimes tool compares crm_simulate profiling output
  + agents: SysInfo supports K, T, and P units in addition to Kb and G
- Changes since Pacemaker-2.0.2
  + fencer: do not block concurrent fencing actions on a device (regression since 2.0.2)
  + all: avoid Year 2038 issues
  + all: allow ISO 8601 strings of form "<date>T<time> <offset>"
  + rpm: pacemaker-cts package now explicitly requires pacemaker-cli
  + controller: set timeout on scheduler responses to avoid infinite wait
  + controller: confirm cancel of failed monitors, to avoid transition timeout
  + executor: let controller cancel monitors, to avoid transition timeout
  + executor: return error for stonith probes if stonith connection was lost
  + fencer: ensure concurrent fencing commands always get triggered to execute
  + fencer: fail pending actions and re-sync history after crash and restart
  + fencer: don't let command with long delay block other pending commands
  + fencer: allow functioning even if CIB updates arrive unceasingly
  + scheduler: wait for probe actions to complete to prevent unnecessary restart/re-promote of dependent resources
  + scheduler: avoid invalid transition when guest node host is not fenceable
  + scheduler: properly detect dangling migrations, to avoid restart loop
  + scheduler: avoid scheduling actions on remote node that is shutting down
  + scheduler: avoid delay in recovery of failed remote connections
  + scheduler: clarify action failure log messages by including failure time
  + scheduler: calculate secure digests for unfencing, for replaying saved CIBs
  + libcrmcommon: avoid possible use-of-NULL when applying XML diffs
  + libcrmcommon: correctly apply XML diffs with multiple move/create changes
  + libcrmcommon: return error when applying XML diffs with unknown operations
  + tools: avoid duplicate lines between nodes in crm_simulate dot graph
  + tools: count disabled/blocked resources correctly in crm_mon/crm_simulate
  + tools: crm_mon --interval now accepts ISO 8601 and has correct help
  + tools: organize crm_mon text output with list headings, indents, bullets
  + tools: crm_report: fail if tar is not available
  + tools: crm_report: correct argument parsing
  + tools: crm_report: don't ignore log if unrelated file is too large
  + tools: stonith_admin --list-targets should show what fencer would use
  + agents: calculate #health_disk correctly in SysInfo
  + agents: handle run-as-user properly in ClusterMon
Created attachment 209823 [details]
[PATCH] net/pacemaker2: update 2.0.0-rc4 to 2.0.3

Commented that 'socket' on its rc.d script, based on reports from flo@ and https://bugs.clusterlabs.org/show_bug.cgi?id=5397
A commit references this bug:

Author: egypcio
Date: Mon Feb 3 14:22:43 UTC 2020
New revision: 525041
URL: https://svnweb.freebsd.org/changeset/ports/525041

Log:
  net/pacemaker2: update 2.0.0-rc4 to 2.0.3

  * fixes CVE-2018-16878, CVE-2018-16877, CVE-2019-3885;
  * implements https://bugs.clusterlabs.org/show_bug.cgi?id=5397#c3

  PR:           241460
  Reviewed by:  flo
  Approved by:  portmgr (maintainer timeout)

Changes:
  head/net/pacemaker2/Makefile
  head/net/pacemaker2/distinfo
  head/net/pacemaker2/files/pacemaker.in
  head/net/pacemaker2/pkg-plist
A commit references this bug:

Author: egypcio
Date: Tue Feb 4 11:06:53 UTC 2020
New revision: 525145
URL: https://svnweb.freebsd.org/changeset/ports/525145

Log:
  reset maintainership after consecutive timeouts (12+ weeks).

  % make -s -C /usr/ports search maint=dpejesh@yahoo.com display=path
  Path:   /usr/ports/devel/kronosnet
  Path:   /usr/ports/devel/libqb
  Path:   /usr/ports/devel/py-parallax
  Path:   /usr/ports/devel/py-tinyrpc
  Path:   /usr/ports/net-mgmt/crmsh
  Path:   /usr/ports/net-mgmt/resource-agents
  Path:   /usr/ports/net/corosync2
  Path:   /usr/ports/net/corosync3
  Path:   /usr/ports/net/pacemaker1
  Path:   /usr/ports/net/pacemaker2

  PR:  230127, 232865, 232866, 232867
  PR:  241431, 241434, 241445, 241456, 241460

Changes:
  head/devel/kronosnet/Makefile
  head/devel/libqb/Makefile
  head/devel/py-parallax/Makefile
  head/devel/py-tinyrpc/Makefile
  head/net/corosync2/Makefile.common
  head/net/pacemaker1/Makefile.common
  head/net-mgmt/crmsh/Makefile
  head/net-mgmt/resource-agents/Makefile