From f262d0ee90545ab837443f0f74e01938b3e33a2c Mon Sep 17 00:00:00 2001
From: Ken Gaillot
Date: Thu, 4 Jun 2020 11:40:13 -0500
Subject: [PATCH 1/5] Doc: tools: correct license header in cibsecret

GPL 2.1 or later doesn't exist; GPL 2 or later appears to be what was intended
---
 tools/cibsecret.in | 19 ++++---------------
 1 file changed, 4 insertions(+), 15 deletions(-)

diff --git a/tools/cibsecret.in b/tools/cibsecret.in
index ee8349fb40d..7f0ba8c14d4 100644
--- a/tools/cibsecret.in
+++ b/tools/cibsecret.in
@@ -1,22 +1,11 @@
 #!/bin/sh
-# Copyright 2011-2018 the Pacemaker project contributors
+# Copyright 2011-2020 the Pacemaker project contributors
 #
 # The version control history for this file may have further details.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# This software is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# This source code is licensed under the GNU General Public License version 2
+# or later (GPLv2+) WITHOUT ANY WARRANTY.
 #
 # cibsecret

From da5d065779afea5cd99bff57b7919077b9a94d4d Mon Sep 17 00:00:00 2001
From: Ken Gaillot
Date: Thu, 4 Jun 2020 11:44:11 -0500
Subject: [PATCH 2/5] Low: build: avoid resource-agents as build dependency when cibsecrets are enabled

Don't include the OCF shell library in the cibsecret tool until after usage scenarios are checked. This allows --help to be used even if the library is not installed -- most importantly, when generating the man page with help2man when building the package.
---
 tools/cibsecret.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/cibsecret.in b/tools/cibsecret.in
index 7f0ba8c14d4..6a7ff0f9577 100644
--- a/tools/cibsecret.in
+++ b/tools/cibsecret.in
@@ -14,8 +14,6 @@
 # Secrets are ASCII files, holding one value per file:
 # //
-. @OCF_ROOT_DIR@/lib/heartbeat/ocf-shellfuncs
-
 LRM_CIBSECRETS=@LRM_CIBSECRETS_DIR@
 PROG=`basename $0`
@@ -347,6 +345,8 @@ case "$cmd" in
 *) usage 1;
 esac
+. @OCF_ROOT_DIR@/lib/heartbeat/ocf-shellfuncs
+
 check_env
 # we'll need these two often

From a1b6175e0648c51b2ef1177ca7e35c51558e7792 Mon Sep 17 00:00:00 2001
From: Ken Gaillot
Date: Thu, 4 Jun 2020 11:50:13 -0500
Subject: [PATCH 3/5] Build: rpm: add spec option for enabling CIB secrets

---
 rpm/pacemaker.spec.in | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/rpm/pacemaker.spec.in b/rpm/pacemaker.spec.in
index ba5f808b3a5..46d2110a245 100644
--- a/rpm/pacemaker.spec.in
+++ b/rpm/pacemaker.spec.in
@@ -41,6 +41,9 @@
 ## Add option to enable support for stonith/external fencing agents
 %bcond_with stonithd
+## Add option to enable support for storing sensitive information outside CIB
+%bcond_with cibsecrets
+
 ## Add option to create binaries suitable for use with profiling tools
 %bcond_with profiling
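Review bot: In tools/cibsecret.in (patch 2/5, second hunk) the relocated `. @OCF_ROOT_DIR@/lib/heartbeat/ocf-shellfuncs` is still sourced without a readability check, so a host that lacks the library gets only the shell's own error, and whether a `#!/bin/sh` script stops there or carries on into `check_env` may depend on which shell provides `sh`. A guard in front of it would make the failure explicit, for example `[ -r @OCF_ROOT_DIR@/lib/heartbeat/ocf-shellfuncs ] || { echo "$PROG: OCF shell library not found" >&2; exit 1; }`. The move also means nothing executed before this line may call a helper from the library; the argument parsing and `usage` are outside the hunk, so that is worth confirming. A comment such as `# sourced late so --help works without resource-agents installed` would keep a later edit from moving the line back to the top.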
@@ -309,8 +312,8 @@ when related resources fail and can be configured to periodically check
 resource health.
 Available rpmbuild rebuild options:
- --with(out) : coverage doc stonithd hardening pre_release profiling
- upstart_job
+ --with(out) : cibsecrets coverage doc stonithd hardening pre_release
+ profiling upstart_job
 %package cli
 License: GPLv2+ and LGPLv2+
@@ -492,6 +495,7 @@ export LDFLAGS_HARDENED_LIB="%{?_hardening_ldflags}"
 %{!?with_legacy_links: --disable-legacy-links} \
 %{?with_profiling: --with-profiling} \
 %{?with_coverage: --with-coverage} \
+ %{?with_cibsecrets: --with-cibsecrets} \
 %{!?with_doc: --with-brand=} \
 %{?gnutls_priorities: --with-gnutls-priorities="%{gnutls_priorities}"} \
 --with-initdir=%{_initrddir} \
@@ -754,6 +758,9 @@ exit 0
 %{_sbindir}/attrd_updater
 %{_sbindir}/cibadmin
+%if %{with cibsecrets}
+%{_sbindir}/cibsecret
+%endif
 %{_sbindir}/crm_diff
 %{_sbindir}/crm_error
 %{_sbindir}/crm_failcount

From e89016a164ed53f3728c566895063280d9792c50 Mon Sep 17 00:00:00 2001
From: Ken Gaillot
Date: Thu, 4 Jun 2020 14:56:31 -0500
Subject: [PATCH 4/5] Test: cts-cli: distribute crm_mon regression test data files

... and move them to cts/cli
---
 cts/Makefile.am | 3 +++
 cts/{ => cli}/crm_mon-partial.xml | 0
 cts/{ => cli}/crm_mon.xml | 0
 cts/cts-cli.in | 4 ++--
 4 files changed, 5 insertions(+), 2 deletions(-)
 rename cts/{ => cli}/crm_mon-partial.xml (100%)
 rename cts/{ => cli}/crm_mon.xml (100%)

diff --git a/cts/Makefile.am b/cts/Makefile.am
index 7abbad7780b..6abb42f8e7a 100644
--- a/cts/Makefile.am
+++ b/cts/Makefile.am
@@ -62,7 +62,10 @@ cts_SCRIPTS = CTSlab.py \
 clidir = $(testdir)/cli
 dist_cli_DATA = cli/crm_diff_new.xml \
 cli/crm_diff_old.xml \
+ cli/crm_mon.xml \
+ cli/crm_mon-partial.xml \
 cli/regression.acls.exp \
+ cli/regression.crm_mon.exp \
 cli/regression.dates.exp \
 cli/regression.rules.exp \
 cli/regression.tools.exp \
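Review bot: The `%if %{with cibsecrets}` block in the last rpm/pacemaker.spec.in hunk ships `%{_sbindir}/cibsecret`, but nothing visible in this patch adds a runtime dependency on the package that provides the OCF shell library the tool sources before doing any real work (see patch 2/5). If no such dependency exists elsewhere in the spec, a build with this option would install cleanly and then fail on first use outside `--help`. A conditional `Requires: resource-agents` inside a matching `%if %{with cibsecrets}` / `%endif` in the preamble of whichever subpackage owns this file list would close that gap; the `%files` header for the list is outside the hunk, so the owning subpackage needs confirming.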
diff --git a/cts/crm_mon-partial.xml b/cts/cli/crm_mon-partial.xml
similarity index 100%
rename from cts/crm_mon-partial.xml
rename to cts/cli/crm_mon-partial.xml
diff --git a/cts/crm_mon.xml b/cts/cli/crm_mon.xml
similarity index 100%
rename from cts/crm_mon.xml
rename to cts/cli/crm_mon.xml
diff --git a/cts/cts-cli.in b/cts/cts-cli.in
index 12f3311dd91..d6425b608a2 100755
--- a/cts/cts-cli.in
+++ b/cts/cts-cli.in
@@ -99,7 +99,7 @@ function test_assert() {
 }
 function test_crm_mon() {
- export CIB_file="$SRCDIR/cts/crm_mon.xml"
+ export CIB_file="$test_home/cli/crm_mon.xml"
 desc="Basic text output"
 cmd="crm_mon -1"
@@ -174,7 +174,7 @@ function test_crm_mon() {
 unset CIB_file
- export CIB_file="$SRCDIR/cts/crm_mon-partial.xml"
+ export CIB_file="$test_home/cli/crm_mon-partial.xml"
 desc="Text output of partially active resources"
 cmd="crm_mon -1"

From 8317a3c7b4fd215ee922e45073de0899b928904e Mon Sep 17 00:00:00 2001
From: Ken Gaillot
Date: Thu, 4 Jun 2020 15:05:47 -0500
Subject: [PATCH 5/5] Refactor: libcrmcommon: don't use strncat() where strcat() will do

... otherwise newer gcc will complain
---
 lib/common/cib_secrets.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/common/cib_secrets.c b/lib/common/cib_secrets.c
index 2ffbcc35c05..0e79efbfe85 100644
--- a/lib/common/cib_secrets.c
+++ b/lib/common/cib_secrets.c
@@ -156,7 +156,7 @@ pcmk__substitute_secrets(const char *rsc_id, GHashTable *params)
 continue;
 } else {
- strncat(hash_file, ".sign", 5);
+ strcat(hash_file, ".sign");
 hash = read_local_file(hash_file);
 if (hash == NULL) {
 crm_err("md5 sum for rsc %s parameter %s "
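Review bot: `strcat(hash_file, ".sign")` in pcmk__substitute_secrets() appends six bytes (suffix plus terminator) with no bound of its own, so it is safe only if the code before the hunk has already verified that the name plus the suffix fits in `hash_file`; the `continue;` / `else` context suggests such a check, but it is outside the hunk. The old `strncat(..., 5)` limited the source, not the destination, so this is not a regression, yet the dependency deserves a comment on the new line, for example `/* hash_file + ".sign" was length-checked against the buffer above */`. If that check cannot be confirmed, a bounded `snprintf()` into the buffer with a truncation test would be the safer form. The function body starts and ends outside the hunk.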