Created attachment 208556 [details]
[PATCH] net/pacemaker1: update 1.1.19 to 1.1.21

* fix for CVE-2018-16878, CVE-2018-16877, CVE-2019-3885.

https://github.com/ClusterLabs/pacemaker/blob/Pacemaker-1.1.21/ChangeLog

- Changes since Pacemaker-1.1.20
  + Important security fixes for CVE-2018-16878, CVE-2018-16877, CVE-2019-3885
  + tools: ensure crm_resource --clean-up works with multiple failures
  + build: crm_report bug report URL is now configurable at build time
  + crmd: avoid memory leak when duplicate monitor is scheduled
  + pengine: respect order constraints when resources are being probed
  + pengine: one group stop shouldn't make another required
  + pengine: silence log message about symmetrical property of serialize orders
  + libcrmcommon: handle out-of-range integers in configuration better
  + libcrmservice: fix use-after-free memory error in alert handling

- Features added since Pacemaker-1.1.19
  + fencing: SBD may now be used in a cluster that has guest nodes or bundles
  + fencing: synchronize fencing history among all nodes
  + fencing: stonith_admin now has option to clear fence history
  + tools: crm_mon now supports showing fencing action failures and history
  + tools: crm_resource --clear supports new --expired option
  + Pacemaker Remote: option to restrict TLS Diffie-Hellman prime length

- Changes since Pacemaker-1.1.19
  + Pacemaker Remote: avoid unnecessary downtime when moving resource to Pacemaker Remote node that fails to come up (regression since 1.1.18)
  + tools: restore stonith_admin ability to confirm unseen nodes are down
  + build: minor logging fixes to allow compatibility with GCC 9 -Werror
  + attrd: wait a short time before re-attempting failed writes
  + attrd: ignore attribute delays when writing after node (re-)join
  + attrd: start new election immediately if writer is lost
  + attrd: detect alert configuration changes when CIB is entirely replaced
  + attrd: clear election dampening when the writer leaves
  + CIB: inform originator of CIB upgrade failure
  + crmd: clear election dampening when DC is lost
  + fencing: limit fencing history to 500 entries
  + fencing: stonith_admin now complains if no action option is specified
  + pengine: regression test compatibility with glib 2.59.0
  + pengine: don't order non-DC shutdowns before DC fencing
  + pengine: avoid unnecessary recovery of cleaned guest nodes
  + pengine: convert unique clones to anonymous if not supported by standard
  + pengine: don't send clone notifications to a stopped remote node
  + pengine: ensure bundle clone notifications are directed to correct host
  + pengine: avoid improper bundle monitor rescheduling or fail count clearing
  + pengine: honor asymmetric orderings even when restarting
  + ACLs: assume unprivileged ACL user if can't get user info
  + Pacemaker Remote: get Diffie-Hellman prime bit length from GnuTLS API
  + libcrmservice: cancel DBus call when cancelling systemd/upstart actions
  + libcrmservice: order systemd resources relative to pacemaker_remote
  + libpe_status: add public API constructor/destructor for pe_working_set_t
  + tools: fix crm_resource --clear when lifetime was used with ban/move
  + tools: fix crm_resource --move when lifetime was used with previous move
  + tools: make crm_mon CIB connection errors non-fatal if previously successful
  + tools: improve crm_mon messages when generating HTML output
  + tools: crm_mon cluster connection failure is now "critical" in nagios mode
  + tools: crm_mon listing of standby nodes shows if they have active resources
  + tools: improve crm_report detection of logs
  + tools: crm_simulate resource history uses same name as live cluster would
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/91209053
ping? any objections on me getting it committed?
Hi, no objection from me, but if you commit this version you will break pacemaker1 and pacemaker2; they won't run correctly. https://bugs.clusterlabs.org/show_bug.cgi?id=5397#c3 Regarding the maintainer timeout of corosync/pacemaker and the required libs, don't wait for anyone, just go ahead. I have a PR that has a maintainer timeout of > one year (PR 232867). I tried to coordinate this with portmgr, but they just told me to RTFM about maintainer timeouts... so I just kept this all in my tree, it's working there *shrugs*. I'm very happy to work with you to get all of this into the tree though. Florian
(In reply to Florian Smeets from comment #3) Cool stuff, thanks for sharing. AFAIK we can bump it to 1.1.20 at least. Correct?
(In reply to Vinícius Zavam from comment #4) IMHO we should update to 1.1.21 and 2.0.2 with the following additional patch to both ports, this is how I've been using it for the last few months without problems (on 12.X) Index: files/pacemaker.in =================================================================== --- files/pacemaker.in (revision 518576) +++ files/pacemaker.in (working copy) @@ -29,7 +29,6 @@ export PATH="${PATH}:/usr/local/sbin:/usr/local/bin" export PCMK_ipc_buffer=${pacemaker_ipc_buffer} - export PCMK_ipc_type=socket } run_rc_command "$1" I just saw that 2.0.3 and 1.1.22 came out 3-4 days ago.
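Review bot: the hunk drops `export PCMK_ipc_type=socket` from files/pacemaker.in without a comment saying why, so a later reader of the rc script sees `PCMK_ipc_buffer` still exported from `pacemaker_ipc_buffer` but cannot tell that leaving the IPC type unset (Pacemaker's default) is deliberate rather than an accidental deletion; add a one-line comment beside the remaining export, or a line in the commit log, pointing at the ClusterLabs bug cited earlier in this PR, and since the comment says the patch is needed for both ports, confirm the same line is removed from net/pacemaker2's rc script too.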
Cool! Let's work on this, and use the patch (reported to work on FreeBSD). I'll take this one - maintainer timeout 4+ weeks.
Created attachment 209804 [details]
[PATCH] net/pacemaker1: update 1.1.19 to 1.1.22
- Features added since Pacemaker-1.1.21
  + crmd: new 'fence-reaction' cluster option specifies whether local node should 'stop' or 'panic' if notified of own fencing
  + Pacemaker Remote: allow file for environment variables when used in bundle
  + Pacemaker Remote: allow configurable listen address and TLS priorities
  + tools: crm_simulate --repeat option to repeat profiling tests
  + tools: new pcmk_simtimes tool to compare crm_simulate profiling output

- Changes since Pacemaker-1.1.21
  + fencing: do not block concurrent fencing actions on a device (regression since 1.1.21)
  + crmd: set timeout on scheduler responses to avoid infinite wait
  + crmd: confirm cancel of failed monitors, to avoid transition timeout
  + lrmd: let controller cancel monitors, to avoid transition timeout
  + lrmd: return error for stonith probes if stonith connection was lost
  + fencing: ensure concurrent fencing commands always get triggered to execute
  + fencing: fail pending actions and re-sync history after crash and restart
  + fencing: don't let command with long delay block other pending commands
  + fencing: allow functioning even if CIB updates arrive unceasingly
  + pengine: avoid invalid transition when guest node host is not fenceable
  + pengine: calculate secure digests for unfencing, for replaying saved CIBs
  + pengine: properly detect dangling migrations, to avoid restart loop
  + pengine: avoid delay in recovery of failed remote connections
  + pengine: avoid scheduling actions on remote node that is shutting down
  + pengine: wait for probe actions to complete to prevent unnecessary restart/re-promote of dependent resources
  + libcrmcommon: avoid possible use-of-NULL when applying XML diffs
  + libcrmcommon: correctly apply XML diffs with multiple move/create changes
  + libcrmcommon: return error when applying XML diffs containing unknown operations
  + tools: fail if tar is not available when running crm_report
  + tools: correct crm_report argument parsing
  + tools: crm_report: don't ignore log if unrelated file is too large
  + agents: calculate #health_disk correctly in SysInfo
  + agents: handle run-as-user properly in ClusterMon
Patch is up to date; this one merges changes from flo@ and brings 1.1.22 to the ports tree.
A commit references this bug:

Author: egypcio
Date: Mon Feb 3 14:21:12 UTC 2020
New revision: 525040
URL: https://svnweb.freebsd.org/changeset/ports/525040

Log:
  net/pacemaker1: update 1.1.19 to 1.1.22

  * fixes CVE-2018-16878, CVE-2018-16877, CVE-2019-3885;
  * implement https://bugs.clusterlabs.org/show_bug.cgi?id=5397#c3

  PR:           241456
  Reviewed by:  flo
  Approved by:  portmgr (maintainer timeout)

Changes:
  head/net/pacemaker1/Makefile
  head/net/pacemaker1/distinfo
  head/net/pacemaker1/files/pacemaker.in
  head/net/pacemaker1/files/patch-lrmd_Makefile.am
  head/net/pacemaker1/files/patch-mcp_Makefile.am
  head/net/pacemaker1/pkg-plist
A commit references this bug:

Author: egypcio
Date: Tue Feb 4 11:06:53 UTC 2020
New revision: 525145
URL: https://svnweb.freebsd.org/changeset/ports/525145

Log:
  reset maintainership after consecutive timeouts (12+ weeks).

  % make -s -C /usr/ports search maint=dpejesh@yahoo.com display=path
  Path:   /usr/ports/devel/kronosnet
  Path:   /usr/ports/devel/libqb
  Path:   /usr/ports/devel/py-parallax
  Path:   /usr/ports/devel/py-tinyrpc
  Path:   /usr/ports/net-mgmt/crmsh
  Path:   /usr/ports/net-mgmt/resource-agents
  Path:   /usr/ports/net/corosync2
  Path:   /usr/ports/net/corosync3
  Path:   /usr/ports/net/pacemaker1
  Path:   /usr/ports/net/pacemaker2

  PR:   230127, 232865, 232866, 232867
  PR:   241431, 241434, 241445, 241456, 241460

Changes:
  head/devel/kronosnet/Makefile
  head/devel/libqb/Makefile
  head/devel/py-parallax/Makefile
  head/devel/py-tinyrpc/Makefile
  head/net/corosync2/Makefile.common
  head/net/pacemaker1/Makefile.common
  head/net-mgmt/crmsh/Makefile
  head/net-mgmt/resource-agents/Makefile