Bug 241456

Summary: [PATCH] net/pacemaker1: update 1.1.19 to 1.1.22
Product: Ports & Packages
Reporter: Vinícius Zavam <egypcio>
Component: Individual Port(s)
Assignee: Vinícius Zavam <egypcio>
Status: Closed FIXED
Severity: Affects Some People
CC: dpejesh, flo
Priority: ---
Keywords: buildisok, patch, security
Version: Latest
Flags: bugzilla: maintainer-feedback? (dpejesh)
Hardware: Any
OS: Any
See Also: https://bugs.clusterlabs.org/show_bug.cgi?id=5397
Bug Depends on:
Bug Blocks: 241460
Attachments:
  [PATCH] net/pacemaker1: update 1.1.19 to 1.1.21 (flags: none)
  [PATCH] net/pacemaker1: update 1.1.19 to 1.1.22 (flags: none)

Description Vinícius Zavam freebsd_committer freebsd_triage 2019-10-24 09:33:05 UTC
Created attachment 208556 [details]
[PATCH] net/pacemaker1: update 1.1.19 to 1.1.21

* fix for CVE-2018-16878, CVE-2018-16877, CVE-2019-3885.

https://github.com/ClusterLabs/pacemaker/blob/Pacemaker-1.1.21/ChangeLog

- Changes since Pacemaker-1.1.20
  + Important security fixes for CVE-2018-16878, CVE-2018-16877, CVE-2019-3885
  + tools: ensure crm_resource --clean-up works with multiple failures
  + build: crm_report bug report URL is now configurable at build time
  + crmd: avoid memory leak when duplicate monitor is scheduled
  + pengine: respect order constraints when resources are being probed
  + pengine: one group stop shouldn't make another required
  + pengine: silence log message about symmetrical property of serialize orders
  + libcrmcommon: handle out-of-range integers in configuration better
  + libcrmservice: fix use-after-free memory error in alert handling

- Features added since Pacemaker-1.1.19
  + fencing: SBD may now be used in a cluster that has guest nodes or bundles
  + fencing: synchronize fencing history among all nodes
  + fencing: stonith_admin now has option to clear fence history
  + tools: crm_mon now supports showing fencing action failures and history
  + tools: crm_resource --clear supports new --expired option
  + Pacemaker Remote: option to restrict TLS Diffie-Hellman prime length

- Changes since Pacemaker-1.1.19
  + Pacemaker Remote: avoid unnecessary downtime when moving resource to
                      Pacemaker Remote node that fails to come up (regression since 1.1.18)
  + tools: restore stonith_admin ability to confirm unseen nodes are down
  + build: minor logging fixes to allow compatibility with GCC 9 -Werror
  + attrd: wait a short time before re-attempting failed writes
  + attrd: ignore attribute delays when writing after node (re-)join
  + attrd: start new election immediately if writer is lost
  + attrd: detect alert configuration changes when CIB is entirely replaced
  + attrd: clear election dampening when the writer leaves
  + CIB: inform originator of CIB upgrade failure
  + crmd: clear election dampening when DC is lost
  + fencing: limit fencing history to 500 entries
  + fencing: stonith_admin now complains if no action option is specified
  + pengine: regression test compatibility with glib 2.59.0
  + pengine: don't order non-DC shutdowns before DC fencing
  + pengine: avoid unnecessary recovery of cleaned guest nodes
  + pengine: convert unique clones to anonymous if not supported by standard
  + pengine: don't send clone notifications to a stopped remote node
  + pengine: ensure bundle clone notifications are directed to correct host
  + pengine: avoid improper bundle monitor rescheduling or fail count clearing
  + pengine: honor asymmetric orderings even when restarting
  + ACLs: assume unprivileged ACL user if can't get user info
  + Pacemaker Remote: get Diffie-Hellman prime bit length from GnuTLS API
  + libcrmservice: cancel DBus call when cancelling systemd/upstart actions
  + libcrmservice: order systemd resources relative to pacemaker_remote
  + libpe_status: add public API constructor/destructor for pe_working_set_t
  + tools: fix crm_resource --clear when lifetime was used with ban/move
  + tools: fix crm_resource --move when lifetime was used with previous move
  + tools: make crm_mon CIB connection errors non-fatal if previously successful
  + tools: improve crm_mon messages when generating HTML output
  + tools: crm_mon cluster connection failure is now "critical" in nagios mode
  + tools: crm_mon listing of standby nodes shows if they have active resources
  + tools: improve crm_report detection of logs
  + tools: crm_simulate resource history uses same name as live cluster would
Comment 1 Automation User 2019-10-24 12:35:28 UTC
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/91209053
Comment 2 Vinícius Zavam freebsd_committer freebsd_triage 2019-11-22 11:37:39 UTC
ping? any objections to me getting it committed?
Comment 3 Florian Smeets freebsd_committer freebsd_triage 2019-11-23 08:17:42 UTC
Hi,

no objection from me, but if you commit this version you will break pacemaker1 and pacemaker2; they won't run correctly.

https://bugs.clusterlabs.org/show_bug.cgi?id=5397#c3

Regarding maintainer timeout of corosync/pacemaker and the required libs, don't wait for anyone, just go ahead. I have a PR (232867) that has a maintainer timeout of > one year. I tried to coordinate this with portmgr, but they just told me to RTFM about maintainer timeouts... so I just kept this all in my tree; it's working there *shrugs*.

I'm very happy to work with you to get all of this into the tree though.

Florian
Comment 4 Vinícius Zavam freebsd_committer freebsd_triage 2019-11-29 14:52:11 UTC
(In reply to Florian Smeets from comment #3)

cool stuff, thanks for sharing.
AFAIK we can bump it to 1.1.20 at least, correct?
Comment 5 Florian Smeets freebsd_committer freebsd_triage 2019-11-29 15:13:57 UTC
(In reply to Vinícius Zavam from comment #4)
IMHO we should update to 1.1.21 and 2.0.2 with the following additional patch to both ports; this is how I've been using it for the last few months without problems (on 12.X):

Index: files/pacemaker.in
===================================================================
--- files/pacemaker.in	(revision 518576)
+++ files/pacemaker.in	(working copy)
@@ -29,7 +29,6 @@

 	export PATH="${PATH}:/usr/local/sbin:/usr/local/bin"
 	export PCMK_ipc_buffer=${pacemaker_ipc_buffer}
-	export PCMK_ipc_type=socket
 }

 run_rc_command "$1"
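Review bot: the removal of `export PCMK_ipc_type=socket` carries no comment in files/pacemaker.in explaining why the forced IPC type is being dropped; since this is the workaround from the upstream report linked in comment #3, add a one-line comment above the remaining `export` lines pointing at that bug so a later update of the rc script does not reintroduce the setting. While touching this block, consider quoting the value in the kept context line, i.e. `export PCMK_ipc_buffer="${pacemaker_ipc_buffer}"`, so an unset or empty rc.conf variable behaves predictably.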

I just saw that 2.0.3 and 1.1.22 came out 3-4 days ago.
Comment 6 Vinícius Zavam freebsd_committer freebsd_triage 2019-12-09 12:29:29 UTC
cool! let's work on this, and use the patch (reported to work on FreeBSD).
I'll take this one - maintainer timeout 4+ weeks
Comment 7 Vinícius Zavam freebsd_committer freebsd_triage 2019-12-09 16:16:25 UTC
Created attachment 209804 [details]
[PATCH] net/pacemaker1: update 1.1.19 to 1.1.22
Comment 8 Vinícius Zavam freebsd_committer freebsd_triage 2019-12-09 16:18:26 UTC
- Features added since Pacemaker-1.1.21
  + crmd: new 'fence-reaction' cluster option specifies whether local node
          should 'stop' or 'panic' if notified of own fencing
  + Pacemaker Remote: allow file for environment variables when used in bundle
  + Pacemaker Remote: allow configurable listen address and TLS priorities
  + tools: crm_simulate --repeat option to repeat profiling tests
  + tools: new pcmk_simtimes tool to compare crm_simulate profiling output

- Changes since Pacemaker-1.1.21
  + fencing: do not block concurrent fencing actions on a device
             (regression since 1.1.21)
  + crmd: set timeout on scheduler responses to avoid infinite wait
  + crmd: confirm cancel of failed monitors, to avoid transition timeout
  + lrmd: let controller cancel monitors, to avoid transition timeout
  + lrmd: return error for stonith probes if stonith connection was lost
  + fencing: ensure concurrent fencing commands always get triggered to execute
  + fencing: fail pending actions and re-sync history after crash and restart
  + fencing: don't let command with long delay block other pending commands
  + fencing: allow functioning even if CIB updates arrive unceasingly
  + pengine: avoid invalid transition when guest node host is not fenceable
  + pengine: calculate secure digests for unfencing, for replaying saved CIBs
  + pengine: properly detect dangling migrations, to avoid restart loop
  + pengine: avoid delay in recovery of failed remote connections
  + pengine: avoid scheduling actions on remote node that is shutting down
  + pengine: wait for probe actions to complete to prevent unnecessary
             restart/re-promote of dependent resources
  + libcrmcommon: avoid possible use-of-NULL when applying XML diffs
  + libcrmcommon: correctly apply XML diffs with multiple move/create changes
  + libcrmcommon: return error when applying XML diffs containing unknown operations
  + tools: fail if tar is not available when running crm_report
  + tools: correct crm_report argument parsing
  + tools: crm_report: don't ignore log if unrelated file is too large
  + agents: calculate #health_disk correctly in SysInfo
  + agents: handle run-as-user properly in ClusterMon
Comment 9 Vinícius Zavam freebsd_committer freebsd_triage 2019-12-09 16:19:23 UTC
patch is up to date; this one merges changes from flo@ and brings 1.1.22 to the ports tree.
Comment 10 commit-hook freebsd_committer freebsd_triage 2020-02-03 14:21:45 UTC
A commit references this bug:

Author: egypcio
Date: Mon Feb  3 14:21:12 UTC 2020
New revision: 525040
URL: https://svnweb.freebsd.org/changeset/ports/525040

Log:
  net/pacemaker1: update 1.1.19 to 1.1.22

    * fixes CVE-2018-16878, CVE-2018-16877, CVE-2019-3885;
    * implement https://bugs.clusterlabs.org/show_bug.cgi?id=5397#c3

  PR:		241456
  Reviewed by:	flo
  Approved by:	portmgr (maintainer timeout)

Changes:
  head/net/pacemaker1/Makefile
  head/net/pacemaker1/distinfo
  head/net/pacemaker1/files/pacemaker.in
  head/net/pacemaker1/files/patch-lrmd_Makefile.am
  head/net/pacemaker1/files/patch-mcp_Makefile.am
  head/net/pacemaker1/pkg-plist
Comment 11 commit-hook freebsd_committer freebsd_triage 2020-02-04 11:07:15 UTC
A commit references this bug:

Author: egypcio
Date: Tue Feb  4 11:06:53 UTC 2020
New revision: 525145
URL: https://svnweb.freebsd.org/changeset/ports/525145

Log:
  reset maintainership after consecutive timeouts (12+ weeks).

    % make -s -C /usr/ports search maint=dpejesh@yahoo.com display=path
    Path:   /usr/ports/devel/kronosnet
    Path:   /usr/ports/devel/libqb
    Path:   /usr/ports/devel/py-parallax
    Path:   /usr/ports/devel/py-tinyrpc
    Path:   /usr/ports/net-mgmt/crmsh
    Path:   /usr/ports/net-mgmt/resource-agents
    Path:   /usr/ports/net/corosync2
    Path:   /usr/ports/net/corosync3
    Path:   /usr/ports/net/pacemaker1
    Path:   /usr/ports/net/pacemaker2

  PR:	230127, 232865, 232866, 232867
  PR:	241431, 241434, 241445, 241456, 241460

Changes:
  head/devel/kronosnet/Makefile
  head/devel/libqb/Makefile
  head/devel/py-parallax/Makefile
  head/devel/py-tinyrpc/Makefile
  head/net/corosync2/Makefile.common
  head/net/pacemaker1/Makefile.common
  head/net-mgmt/crmsh/Makefile
  head/net-mgmt/resource-agents/Makefile