Bug 241456 - [PATCH] net/pacemaker1: update 1.1.19 to 1.1.22
Summary: [PATCH] net/pacemaker1: update 1.1.19 to 1.1.22
Status: In Progress
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Vinícius Zavam
URL:
Keywords: buildisok, patch, security
Depends on:
Blocks: 241460
  Show dependency treegraph
 
Reported: 2019-10-24 09:33 UTC by Vinícius Zavam
Modified: 2019-12-09 16:19 UTC (History)
2 users (show)

See Also:
bugzilla: maintainer-feedback? (dpejesh)


Attachments
[PATCH] net/pacemaker1: update 1.1.19 to 1.1.21 (15.41 KB, patch)
2019-10-24 09:33 UTC, Vinícius Zavam
no flags Details | Diff
[PATCH] net/pacemaker1: update 1.1.19 to 1.1.22 (17.93 KB, patch)
2019-12-09 16:16 UTC, Vinícius Zavam
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Vinícius Zavam freebsd_committer 2019-10-24 09:33:05 UTC
Created attachment 208556 [details]
[PATCH] net/pacemaker1: update 1.1.19 to 1.1.21

* fix for CVE-2018-16878, CVE-2018-16877, CVE-2019-3885.

https://github.com/ClusterLabs/pacemaker/blob/Pacemaker-1.1.21/ChangeLog

- Changes since Pacemaker-1.1.20
  + Important security fixes for CVE-2018-16878, CVE-2018-16877, CVE-2019-3885
  + tools: ensure crm_resource --clean-up works with multiple failures
  + build: crm_report bug report URL is now configurable at build time
  + crmd: avoid memory leak when duplicate monitor is scheduled
  + pengine: respect order constraints when resources are being probed
  + pengine: one group stop shouldn't make another required
  + pengine: silence log message about symmetrical property of serialize orders
  + libcrmcommon: handle out-of-range integers in configuration better
  + libcrmservice: fix use-after-free memory error in alert handling

- Features added since Pacemaker-1.1.19
  + fencing: SBD may now be used in a cluster that has guest nodes or bundles
  + fencing: synchronize fencing history among all nodes
  + fencing: stonith_admin now has option to clear fence history
  + tools: crm_mon now supports showing fencing action failures and history
  + tools: crm_resource --clear supports new --expired option
  + Pacemaker Remote: option to restrict TLS Diffie-Hellman prime length

- Changes since Pacemaker-1.1.19
  + Pacemaker Remote: avoid unnecessary downtime when moving resource to
  + Pacemaker Remote node that fails to come up (regression since 1.1.18)
  + tools: restore stonith_admin ability to confirm unseen nodes are down
  + build: minor logging fixes to allow compatibility with GCC 9 -Werror
  + attrd: wait a short time before re-attempting failed writes
  + attrd: ignore attribute delays when writing after node (re-)join
  + attrd: start new election immediately if writer is lost
  + attrd: detect alert configuration changes when CIB is entirely replaced
  + attrd: clear election dampening when the writer leaves
  + CIB: inform originator of CIB upgrade failure
  + crmd: clear election dampening when DC is lost
  + fencing: limit fencing history to 500 entries
  + fencing: stonith_admin now complains if no action option is specified
  + pengine: regression test compatibility with glib 2.59.0
  + pengine: don't order non-DC shutdowns before DC fencing
  + pengine: avoid unnecessary recovery of cleaned guest nodes
  + pengine: convert unique clones to anonymous if not supported by standard
  + pengine: don't send clone notifications to a stopped remote node
  + pengine: ensure bundle clone notifications are directed to correct host
  + pengine: avoid improper bundle monitor rescheduling or fail count clearing
  + pengine: honor asymmetric orderings even when restarting
  + ACLs: assume unprivileged ACL user if can't get user info
  + Pacemaker Remote: get Diffie-Hellman prime bit length from GnuTLS API
  + libcrmservice: cancel DBus call when cancelling systemd/upstart actions
  + libcrmservice: order systemd resources relative to pacemaker_remote
  + libpe_status: add public API constructor/destructor for pe_working_set_t
  + tools: fix crm_resource --clear when lifetime was used with ban/move
  + tools: fix crm_resource --move when lifetime was used with previous move
  + tools: make crm_mon CIB connection errors non-fatal if previously successful
  + tools: improve crm_mon messages when generating HTML output
  + tools: crm_mon cluster connection failure is now "critical" in nagios mode
  + tools: crm_mon listing of standby nodes shows if they have active resources
  + tools: improve crm_report detection of logs
  + tools: crm_simulate resource history uses same name as live cluster would
Comment 1 Automation User 2019-10-24 12:35:28 UTC
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/91209053
Comment 2 Vinícius Zavam freebsd_committer 2019-11-22 11:37:39 UTC
ping? any objections on me getting it committed?
Comment 3 Florian Smeets freebsd_committer 2019-11-23 08:17:42 UTC
Hi,

not objection from me, but if you commit this version you will break pacemaker1 and pacemaker2, they won't run correctly.

https://bugs.clusterlabs.org/show_bug.cgi?id=5397#c3

Regarding maintainer timeout of corosync/pacemaker and the required libs, don't wait for anyone, just go ahead. I have a PR that has a maintainer timeout of > one year 232867. I tried to coordinate this with portmgr, but they just told me to RTFM about maintainer timeouts... so i just kept this all in my tree, it's working there *shrugs*.

I'm very happy to work with you to get all of this into the tree though.

Florian
Comment 4 Vinícius Zavam freebsd_committer 2019-11-29 14:52:11 UTC
(In reply to Florian Smeets from comment #3)

cool stuff, thanks for sharing.
AFAIK we can bump it to 1.1.20 at least. correct?
Comment 5 Florian Smeets freebsd_committer 2019-11-29 15:13:57 UTC
(In reply to Vinícius Zavam from comment #4)
IMHO we should update to 1.1.21 and 2.0.2 with the following additional patch to both ports, this is how I've been using it for the last few months without problems (on 12.X)

Index: files/pacemaker.in
===================================================================
--- files/pacemaker.in	(revision 518576)
+++ files/pacemaker.in	(working copy)
@@ -29,7 +29,6 @@

 	export PATH="${PATH}:/usr/local/sbin:/usr/local/bin"
 	export PCMK_ipc_buffer=${pacemaker_ipc_buffer}
-	export PCMK_ipc_type=socket
 }

 run_rc_command "$1"

I just saw that 2.0.3 and 1.1.22 came out 3-4 days ago.
Comment 6 Vinícius Zavam freebsd_committer 2019-12-09 12:29:29 UTC
cool! let's work on this, and use the patch (reported to work on FreeBSD).
I'll take this one - maintainer timeout 4+weeks
Comment 7 Vinícius Zavam freebsd_committer 2019-12-09 16:16:25 UTC
Created attachment 209804 [details]
[PATCH] net/pacemaker1: update 1.1.19 to 1.1.22
Comment 8 Vinícius Zavam freebsd_committer 2019-12-09 16:18:26 UTC
- Features added since Pacemaker-1.1.21
  + crmd: new 'fence-reaction' cluster option specifies whether local node
          should 'stop' or 'panic' if notified of own fencing
  + Pacemaker Remote: allow file for environment variables when used in bundle
  + Pacemaker Remote: allow configurable listen address and TLS priorities
  + tools: crm_simulate --repeat option to repeat profiling tests
  + tools: new pcmk_simtimes tool to compare crm_simulate profiling output

- Changes since Pacemaker-1.1.21
  + fencing: do not block concurrent fencing actions on a device
             (regression since 1.1.21)
  + crmd: set timeout on scheduler responses to avoid infinite wait
  + crmd: confirm cancel of failed monitors, to avoid transition timeout
  + lrmd: let controller cancel monitors, to avoid transition timeout
  + lrmd: return error for stonith probes if stonith connection was lost
  + fencing: ensure concurrent fencing commands always get triggered to execute
  + fencing: fail pending actions and re-sync history after crash and restart
  + fencing: don't let command with long delay block other pending commands
  + fencing: allow functioning even if CIB updates arrive unceasingly
  + pengine: avoid invalid transition when guest node host is not fenceable
  + pengine: calculate secure digests for unfencing, for replaying saved CIBs
  + pengine: properly detect dangling migrations, to avoid restart loop
  + pengine: avoid delay in recovery of failed remote connections
  + pengine: avoid scheduling actions on remote node that is shutting down
  + pengine: wait for probe actions to complete to prevent unnecessary
             restart/re-promote of dependent resources
  + libcrmcommon: avoid possible use-of-NULL when applying XML diffs
  + libcrmcommon: correctly apply XML diffs with multiple move/create changes
  + libcrmcommon: return error when applying XML diffs containing unknown operations
  + tools: fail if tar is not available when running crm_report
  + tools: correct crm_report argument parsing
  + tools: crm_report: don't ignore log if unrelated file is too large
  + agents: calculate #health_disk correctly in SysInfo
  + agents: handle run-as-user properly in ClusterMon
Comment 9 Vinícius Zavam freebsd_committer 2019-12-09 16:19:23 UTC
patch is up to date; this one merges changes from flo@ and brings 1.1.22 to the ports tree.