![](https://seccdn.libravatar.org/avatar/e2145bc5cf53dda95c308a3c75e8fef3.jpg?s=120&d=mm&r=g)
Hello community, here is the log from the commit of package corosync for openSUSE:Factory checked in at 2017-07-21 22:35:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/corosync (Old) and /work/SRC/openSUSE:Factory/.corosync.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "corosync" Fri Jul 21 22:35:26 2017 rev:40 rq:509615 version:2.4.2 Changes: -------- --- /work/SRC/openSUSE:Factory/corosync/corosync.changes 2017-07-11 08:23:34.974593701 +0200 +++ /work/SRC/openSUSE:Factory/.corosync.new/corosync.changes 2017-07-21 22:35:28.366599396 +0200 @@ -1,0 +2,17 @@ +Wed Jul 12 05:25:45 UTC 2017 - bliu@suse.com + +- some upstream fixes for corosync(bsc#1048259) +Added: + bsc#1047860-add-version.patch + 0007-Make-corosync-work-when-FIPS-mode-is-enabled.patch + 0008-main.c-add-option-to-set-priority.patch + 0009-totem-Propagate-totem-initialization-failure.patch + +Removed: + bnc#867767-add-version.patch + 0007-improve-corosync-keygen.patch(since this patch is not for corosync v2.x) + +Modified: + corosync.spec, add judgement whether /etc/sysconfig/corosycn* exist before remove these files + +------------------------------------------------------------------- Old: ---- 0007-improve-corosync-keygen.patch bnc#867767-add-version.patch New: ---- 0007-Make-corosync-work-when-FIPS-mode-is-enabled.patch 0008-main.c-add-option-to-set-priority.patch 0009-totem-Propagate-totem-initialization-failure.patch bsc#1047860-add-version.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ corosync.spec ++++++ --- /var/tmp/diff_new_pack.y0jKbu/_old 2017-07-21 22:35:29.102495586 +0200 +++ /var/tmp/diff_new_pack.y0jKbu/_new 2017-07-21 22:35:29.106495022 +0200 @@ -52,7 +52,7 @@ Source0: %{name}-%{version}.tar.gz Source2: baselibs.conf Patch1: corosync-init-lockfile-path-error.patch -Patch2: bnc#867767-add-version.patch +Patch2: bsc#1047860-add-version.patch Patch3: bnc#872651-stop-cluster.patch Patch4: bnc#882449-corosync-conf-example.patch Patch5: corosync-2.3.4-fix-bashisms.patch @@ -67,7 +67,9 @@ Patch14: 0004-main-Display-reason-why-cluster-cannot-be-formed.patch Patch15: 0005-votequorum-Report-errors-from-votequorum_exec_send_r.patch Patch16: 0006-coroapi-Use-size_t-for-private_data_size.patch -Patch17: 0007-improve-corosync-keygen.patch +Patch17: 0007-Make-corosync-work-when-FIPS-mode-is-enabled.patch +Patch18: 0008-main.c-add-option-to-set-priority.patch +Patch19: 0009-totem-Propagate-totem-initialization-failure.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build # openais is indeed gone and should be uninstalled. Yes, we do not @@ -144,6 +146,8 @@ %patch15 -p1 %patch16 -p1 %patch17 -p1 +%patch18 -p1 +%patch19 -p1 %build %if %{with_runautogen} @@ -291,7 +295,9 @@ %endif %postun -rm /etc/sysconfig/corosync +if [ -f /etc/sysconfig/corosync ]; then + rm /etc/sysconfig/corosync +fi %if %{with_systemd} && 0%{?systemd_postun:1} %systemd_postun %endif @@ -499,8 +505,8 @@ %if %{sles_version} > 0 ln -s /run/corosync-qdevice /var/run/ %endif -%if %{with_systemd} && 0%{?systemd_post:1} -%systemd_post corosync-qdevice.service +%if %{with_systemd} +%service_add_post corosync-qdevice.service %endif %preun -n corosync-qdevice @@ -517,11 +523,12 @@ %endif %postun -n corosync-qdevice -rm /etc/sysconfig/corosync-qdevice +if [ -f /etc/sysconfig/corosync-qdevice ]; then + rm /etc/sysconfig/corosync-qdevice +fi %if %{with_systemd} && 0%{?systemd_postun:1} %systemd_postun %endif -#rm /etc/sysconfig/corosync-qdevice %files -n corosync-qdevice %defattr(-,root,root,-) @@ -582,8 +589,8 @@ ln -s /run/corosync-qnetd /var/run/ %endif %{fillup_and_insserv -n corosync-qnetd} -%if %{with_systemd} && 0%{?systemd_post:1} -%systemd_post corosync-qnetd.service +%if %{with_systemd} +%service_add_post corosync-qnetd.service %endif %preun -n corosync-qnetd @@ -600,11 +607,12 @@ %endif %postun -n corosync-qnetd -rm /etc/sysconfig/corosync-qnetd +if [ -f /etc/sysconfig/corosync-qnetd ];then + rm /etc/sysconfig/corosync-qnetd +fi %if %{with_systemd} && 0%{?systemd_postun:1} %systemd_postun %endif -#rm /etc/sysconfig/corosync-qnetd %files -n corosync-qnetd %defattr(-,root,root,-) ++++++ 0007-Make-corosync-work-when-FIPS-mode-is-enabled.patch ++++++ --- corosync-2.4.2.orig/exec/totemcrypto.c 2016-11-08 00:39:12.000000000 +0800 +++ corosync-2.4.2/exec/totemcrypto.c 2017-07-12 11:09:43.693227825 +0800 @@ -206,6 +206,13 @@ (const char *)format, ##args); \ } while (0); +enum sym_key_type { + SYM_KEY_TYPE_CRYPT, + SYM_KEY_TYPE_HASH +}; + +#define MAX_WRAPPED_KEY_LEN 128 + /* * crypt/decrypt functions */ @@ -226,38 +233,147 @@ return CRYPTO_CIPHER_TYPE_AES256; } -static int init_nss_crypto(struct crypto_instance *instance) +static PK11SymKey *import_symmetric_key(struct crypto_instance *instance, enum sym_key_type key_type) { - PK11SlotInfo* crypt_slot = NULL; - SECItem crypt_param; + SECItem key_item; + PK11SlotInfo *slot; + PK11SymKey *res_key; + CK_MECHANISM_TYPE cipher; + CK_ATTRIBUTE_TYPE operation; + CK_MECHANISM_TYPE wrap_mechanism; + int wrap_key_len; + PK11SymKey *wrap_key; + PK11Context *wrap_key_crypt_context; + SECItem tmp_sec_item; + SECItem wrapped_key; + int wrapped_key_len; + unsigned char wrapped_key_data[MAX_WRAPPED_KEY_LEN]; + + memset(&key_item, 0, sizeof(key_item)); + slot = NULL; + wrap_key = NULL; + res_key = NULL; + wrap_key_crypt_context = NULL; + + key_item.type = siBuffer; + key_item.data = instance->private_key; + + switch (key_type) { + case SYM_KEY_TYPE_CRYPT: + key_item.len = cipher_key_len[instance->crypto_cipher_type]; + cipher = cipher_to_nss[instance->crypto_cipher_type]; + operation = CKA_ENCRYPT|CKA_DECRYPT; + break; + case SYM_KEY_TYPE_HASH: + key_item.len = instance->private_key_len; + cipher = hash_to_nss[instance->crypto_hash_type]; + operation = CKA_SIGN; + break; + } + + slot = PK11_GetBestSlot(cipher, NULL); + if (slot == NULL) { + log_printf(instance->log_level_security, "Unable to find security slot (%d): %s", + PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT)); + goto exit_res_key; + } - if (!cipher_to_nss[instance->crypto_cipher_type]) { - return 0; + /* + * Without FIPS it would be possible to just use + * res_key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, operation, &key_item, NULL); + * with FIPS NSS Level 2 certification has to be "workarounded" (so it becomes Level 1) by using + * following method: + * 1. Generate wrap key + * 2. Encrypt authkey with wrap key + * 3. Unwrap encrypted authkey using wrap key + */ + + /* + * Generate wrapping key + */ + wrap_mechanism = PK11_GetBestWrapMechanism(slot); + wrap_key_len = PK11_GetBestKeyLength(slot, wrap_mechanism); + wrap_key = PK11_KeyGen(slot, wrap_mechanism, NULL, wrap_key_len, NULL); + if (wrap_key == NULL) { + log_printf(instance->log_level_security, "Unable to generate wrapping key (%d): %s", + PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT)); + goto exit_res_key; } - crypt_param.type = siBuffer; - crypt_param.data = instance->private_key; - crypt_param.len = cipher_key_len[instance->crypto_cipher_type]; + /* + * Encrypt authkey with wrapping key + */ - crypt_slot = PK11_GetBestSlot(cipher_to_nss[instance->crypto_cipher_type], NULL); - if (crypt_slot == NULL) { - log_printf(instance->log_level_security, "Unable to find security slot (err %d)", - PR_GetError()); - return -1; + /* + * Initialization of IV is not needed because PK11_GetBestWrapMechanism should return ECB mode + */ + memset(&tmp_sec_item, 0, sizeof(tmp_sec_item)); + wrap_key_crypt_context = PK11_CreateContextBySymKey(wrap_mechanism, CKA_ENCRYPT, + wrap_key, &tmp_sec_item); + if (wrap_key_crypt_context == NULL) { + log_printf(instance->log_level_security, "Unable to create encrypt context (%d): %s", + PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT)); + goto exit_res_key; + } + + wrapped_key_len = (int)sizeof(wrapped_key_data); + + if (PK11_CipherOp(wrap_key_crypt_context, wrapped_key_data, &wrapped_key_len, + sizeof(wrapped_key_data), key_item.data, key_item.len) != SECSuccess) { + log_printf(instance->log_level_security, "Unable to encrypt authkey (%d): %s", + PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT)); + goto exit_res_key; + } + + if (PK11_Finalize(wrap_key_crypt_context) != SECSuccess) { + log_printf(instance->log_level_security, "Unable to finalize encryption of authkey (%d): %s", + PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT)); + goto exit_res_key; } - instance->nss_sym_key = PK11_ImportSymKey(crypt_slot, - cipher_to_nss[instance->crypto_cipher_type], - PK11_OriginUnwrap, CKA_ENCRYPT|CKA_DECRYPT, - &crypt_param, NULL); + /* + * Finally unwrap sym key + */ + memset(&tmp_sec_item, 0, sizeof(tmp_sec_item)); + wrapped_key.data = wrapped_key_data; + wrapped_key.len = wrapped_key_len; + + res_key = PK11_UnwrapSymKey(wrap_key, wrap_mechanism, &tmp_sec_item, &wrapped_key, + cipher, operation, key_item.len); + if (res_key == NULL) { + log_printf(instance->log_level_security, "Failure to import key into NSS (%d): %s", + PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT)); + goto exit_res_key; + } + +exit_res_key: + if (wrap_key_crypt_context != NULL) { + PK11_DestroyContext(wrap_key_crypt_context, PR_TRUE); + } + + if (wrap_key != NULL) { + PK11_FreeSymKey(wrap_key); + } + + if (slot != NULL) { + PK11_FreeSlot(slot); + } + + return (res_key); +} + +static int init_nss_crypto(struct crypto_instance *instance) +{ + + if (!cipher_to_nss[instance->crypto_cipher_type]) { + return 0; + } + + instance->nss_sym_key = import_symmetric_key(instance, SYM_KEY_TYPE_CRYPT); if (instance->nss_sym_key == NULL) { - log_printf(instance->log_level_security, "Failure to import key into NSS (err %d)", - PR_GetError()); return -1; } - PK11_FreeSlot(crypt_slot); - return 0; } @@ -312,9 +428,9 @@ nss_sec_param); if (!crypt_context) { log_printf(instance->log_level_security, - "PK11_CreateContext failed (encrypt) crypt_type=%d (err %d)", + "PK11_CreateContext failed (encrypt) crypt_type=%d (%d): %s", (int)cipher_to_nss[instance->crypto_cipher_type], - PR_GetError()); + PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT)); goto out; } @@ -447,36 +563,16 @@ static int init_nss_hash(struct crypto_instance *instance) { - PK11SlotInfo* hash_slot = NULL; - SECItem hash_param; if (!hash_to_nss[instance->crypto_hash_type]) { return 0; } - hash_param.type = siBuffer; - hash_param.data = instance->private_key; - hash_param.len = instance->private_key_len; - - hash_slot = PK11_GetBestSlot(hash_to_nss[instance->crypto_hash_type], NULL); - if (hash_slot == NULL) { - log_printf(instance->log_level_security, "Unable to find security slot (err %d)", - PR_GetError()); - return -1; - } - - instance->nss_sym_key_sign = PK11_ImportSymKey(hash_slot, - hash_to_nss[instance->crypto_hash_type], - PK11_OriginUnwrap, CKA_SIGN, - &hash_param, NULL); + instance->nss_sym_key_sign = import_symmetric_key(instance, SYM_KEY_TYPE_HASH); if (instance->nss_sym_key_sign == NULL) { - log_printf(instance->log_level_security, "Failure to import key into NSS (err %d)", - PR_GetError()); return -1; } - PK11_FreeSlot(hash_slot); - return 0; } ++++++ 0008-main.c-add-option-to-set-priority.patch ++++++ --- corosync-2.4.2.orig/exec/main.c 2017-07-11 16:45:28.979262348 +0800 +++ corosync-2.4.2/exec/main.c 2017-07-11 16:44:05.195259862 +0800 @@ -889,8 +889,10 @@ } -static void corosync_setscheduler (void) +static int corosync_set_rr_scheduler (void) { + int ret_val = 0; + #if defined(HAVE_PTHREAD_SETSCHEDPARAM) && defined(HAVE_SCHED_GET_PRIORITY_MAX) && defined(HAVE_SCHED_SETSCHEDULER) int res; @@ -907,6 +909,7 @@ #ifdef HAVE_QB_LOG_THREAD_PRIORITY_SET qb_log_thread_priority_set (SCHED_OTHER, 0); #endif + ret_val = -1; } else { /* @@ -928,11 +931,15 @@ LOGSYS_PERROR (errno, LOGSYS_LEVEL_WARNING, "Could not get maximum scheduler priority"); sched_priority = 0; + ret_val = -1; } #else log_printf(LOGSYS_LEVEL_WARNING, "The Platform is missing process priority setting features. Leaving at default."); + ret_val = -1; #endif + + return (ret_val); } @@ -1159,29 +1166,46 @@ const char *error_string; struct totem_config totem_config; int res, ch; - int background, setprio, testonly; + int background, sched_rr, prio, testonly; struct stat stat_out; enum e_corosync_done flock_err; uint64_t totem_config_warnings; struct scheduler_pause_timeout_data scheduler_pause_timeout_data; + long int tmpli; + char *ep; /* default configuration */ background = 1; - setprio = 1; + sched_rr = 1; + prio = 0; testonly = 0; - while ((ch = getopt (argc, argv, "fprtv")) != EOF) { + while ((ch = getopt (argc, argv, "fP:prtv")) != EOF) { switch (ch) { case 'f': background = 0; break; case 'p': - setprio = 0; + sched_rr = 0; + break; + case 'P': + if (strcmp(optarg, "max") == 0) { + prio = INT_MIN; + } else if (strcmp(optarg, "min") == 0) { + prio = INT_MAX; + } else { + tmpli = strtol(optarg, &ep, 10); + if (errno != 0 || *ep != '\0' || tmpli > INT_MAX || tmpli < INT_MIN) { + fprintf(stderr, "Priority value %s is invalid", optarg); + logsys_system_fini(); + return EXIT_FAILURE; + } + } break; case 'r': - setprio = 1; + sched_rr = 1; break; case 't': testonly = 1; @@ -1197,9 +1221,10 @@ fprintf(stderr, \ "usage:\n"\ " -f : Start application in foreground.\n"\ - " -p : Do not set process priority.\n"\ + " -p : Do not set realtime scheduling.\n"\ " -t : Test configuration and exit.\n"\ " -r : Set round robin realtime scheduling (default).\n"\ + " -P num : Set priority of process (no effect when -r is used)\n"\ " -v : Display version and SVN revision of Corosync and exit.\n"); logsys_system_fini(); return EXIT_FAILURE; @@ -1207,15 +1232,6 @@ } /* - * Set round robin realtime scheduling with priority 99 - * Lock all memory to avoid page faults which may interrupt - * application healthchecking - */ - if (setprio) { - corosync_setscheduler (); - } - - /* * Other signals are registered later via qb_loop_signal_add */ (void)signal (SIGSEGV, sigsegv_handler); @@ -1319,6 +1335,24 @@ corosync_exit_error (COROSYNC_DONE_EXIT); } + /* + * Set round robin realtime scheduling with priority 99 + */ + if (sched_rr) { + if (corosync_set_rr_scheduler () != 0) { + prio = INT_MIN; + } else { + prio = 0; + } + } + + if (prio != 0) { + if (setpriority(PRIO_PGRP, 0, prio) != 0) { + LOGSYS_PERROR(errno, LOGSYS_LEVEL_WARNING, + "Could not set priority %d", prio); + } + } + ip_version = totem_config.ip_version; totem_config.totem_memb_ring_id_create_or_load = corosync_ring_id_create_or_load; @@ -1345,6 +1379,11 @@ corosync_tty_detach (); } + /* + * Lock all memory to avoid page faults which may interrupt + * application healthchecking + */ + corosync_mlockall(); corosync_poll_handle = qb_loop_create (); --- corosync-2.4.2.orig/man/corosync.8 2016-11-08 00:39:12.000000000 +0800 +++ corosync-2.4.2/man/corosync.8 2017-07-11 16:48:06.555267022 +0800 @@ -31,11 +31,11 @@ .\" * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF .\" * THE POSSIBILITY OF SUCH DAMAGE. .\" */ -.TH COROSYNC 8 2010-05-30 +.TH COROSYNC 8 2017-07-07 .SH NAME corosync \- The Corosync Cluster Engine. .SH SYNOPSIS -.B "corosync [\-f] [\-p] [\-r] [\-v]" +.B "corosync [\-f] [-P num] [\-p] [\-r] [\-v]" .SH DESCRIPTION .B corosync Corosync provides clustering infracture such as membership, messaging and quorum. @@ -45,10 +45,22 @@ Start application in foreground. .TP .B -p -Do not set process priority. +Do not set realtime scheduling. .TP +.B -P +Set priority of process. Has effect only when .B -r -Set round robin realtime scheduling (default). +is not used. Can be ether numeric value with similar meaning as +.BR nice (1) +or +.B max +/ +.B min +meaning maximal / minimal priority (so minimal / maximal nice value). +.TP +.B -r +Set round robin realtime scheduling with maximal priority (default). When setting +of scheduler fails, fallback to set maximal priority. .TP .B -t Test configuration and then exit. ++++++ 0009-totem-Propagate-totem-initialization-failure.patch ++++++ --- corosync-2.4.2.orig/exec/main.c 2017-07-11 17:23:41.903330368 +0800 +++ corosync-2.4.2/exec/main.c 2017-07-11 17:31:08.687343622 +0800 @@ -1424,9 +1424,13 @@ * Join multicast group and setup delivery * and configuration change functions */ - totempg_initialize ( + if(totempg_initialize ( corosync_poll_handle, - &totem_config); + &totem_config) != 0) { + + log_printf (LOGSYS_LEVEL_ERROR, "Can't initialize TOTEM layer"); + corosync_exit_error (COROSYNC_DONE_FATAL_ERR); + } totempg_service_ready_register ( main_service_ready); --- corosync-2.4.2.orig/exec/totempg.c 2016-11-08 00:39:12.000000000 +0800 +++ corosync-2.4.2/exec/totempg.c 2017-07-11 17:27:47.615337658 +0800 @@ -814,6 +814,10 @@ totempg_confchg_fn, totempg_waiting_trans_ack_cb); + if (res == -1) { + goto error_exit; + } + totemmrp_callback_token_create ( &callback_token_received_handle, TOTEM_CALLBACK_TOKEN_RECEIVED, @@ -827,6 +831,7 @@ list_init (&totempg_groups_list); +error_exit: return (res); } --- corosync-2.4.2.orig/exec/totemsrp.c 2016-11-08 00:39:12.000000000 +0800 +++ corosync-2.4.2/exec/totemsrp.c 2017-07-11 17:30:30.887342501 +0800 @@ -851,6 +851,7 @@ int waiting_trans_ack)) { struct totemsrp_instance *instance; + int res; instance = malloc (sizeof (struct totemsrp_instance)); if (instance == NULL) { @@ -993,7 +994,7 @@ } } - totemrrp_initialize ( + res = totemrrp_initialize ( poll_handle, &instance->totemrrp_context, totem_config, @@ -1004,6 +1005,9 @@ main_token_seqid_get, main_msgs_missing, target_set_completed); + if (res == -1) { + goto error_exit; + } /* * Must have net_mtu adjusted by totemrrp_initialize first ++++++ bsc#1047860-add-version.patch ++++++ --- /dev/null 2015-07-20 08:30:37.121221591 +0800 +++ corosync-2.4.1/.tarball-version 2016-10-17 09:24:34.907779088 +0800 @@ -0,0 +1 @@ +2.4.2