Hello community, here is the log from the commit of package cluster-glue for openSUSE:Factory checked in at 2018-04-17 11:08:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cluster-glue (Old) and /work/SRC/openSUSE:Factory/.cluster-glue.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cluster-glue" Tue Apr 17 11:08:35 2018 rev:65 rq:595783 version:1.0.12+v1.git.1523280117.43b22d15 Changes: -------- --- /work/SRC/openSUSE:Factory/cluster-glue/cluster-glue.changes 2018-02-25 12:16:21.144613115 +0100 +++ /work/SRC/openSUSE:Factory/.cluster-glue.new/cluster-glue.changes 2018-04-17 11:08:38.647364784 +0200 @@ -1,0 +2,8 @@ +Wed Apr 11 20:13:03 UTC 2018 - [email protected] + +- Update to version 1.0.12+v1.git.1523280117.43b22d15: + * High: external/ec2: Avoid unicode errors and improve performance (bsc#1088656) +- Medium: external/ec2: Mitigate fence race (bsc#1088656) + * Add 0001-Medium-external-ec2-Mitigate-fence-race-bsc-1088656.patch + +------------------------------------------------------------------- Old: ---- cluster-glue-1.0.12+v1.git.1511436818.71ae59fa.tar.bz2 New: ---- 0001-Medium-external-ec2-Mitigate-fence-race-bsc-1088656.patch cluster-glue-1.0.12+v1.git.1523280117.43b22d15.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cluster-glue.spec ++++++ --- /var/tmp/diff_new_pack.diF3kw/_old 2018-04-17 11:08:39.207338676 +0200 +++ /var/tmp/diff_new_pack.diF3kw/_new 2018-04-17 11:08:39.211338490 +0200 @@ -23,10 +23,10 @@ # Directory where we install documentation %global glue_docdir %{_defaultdocdir}/%{name} Name: cluster-glue -Version: 1.0.12+v1.git.1511436818.71ae59fa +Version: 1.0.12+v1.git.1523280117.43b22d15 Release: 0 Summary: Reusable cluster components -License: GPL-2.0 AND LGPL-2.1+ +License: GPL-2.0-only AND LGPL-2.1-or-later Group: Productivity/Clustering/HA Url: https://github.com/ClusterLabs/cluster-glue.git Source: %{name}-%{version}.tar.bz2 
@@ -39,6 +39,9 @@ # PATCH-FIX-UPSTREAM: fix warnings seen by GCC7 # PATCH-FIX-OPENSUSE: Port scripts to Python 3 Patch5: 0001-Port-scripts-to-Python-3.patch +# PATCH-FIX-UPSTREAM: Medium: external/ec2: Mitigate fence race (bsc#1088656) +Patch6: 0001-Medium-external-ec2-Mitigate-fence-race-bsc-1088656.patch + BuildRequires: autoconf BuildRequires: automake BuildRequires: docbook-xsl-stylesheets @@ -105,6 +108,7 @@ %patch1 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %build export CFLAGS="${CFLAGS} %{optflags}" ++++++ 0001-Medium-external-ec2-Mitigate-fence-race-bsc-1088656.patch ++++++ >From 76138dfb642cae548f2aa48c0a9caaa16509b319 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristoffer=20Gr=C3=B6nlund?= <[email protected]> Date: Wed, 11 Apr 2018 10:19:00 +0200 Subject: [PATCH] Medium: external/ec2: Mitigate fence race (bsc#1088656) Minimize risk of fence race by performing instance status check after instance_for_port lookup. --- lib/plugins/stonith/external/ec2 | 47 +++++++++++++++++++++++++--------------- 1 file changed, 29 insertions(+), 18 deletions(-) diff --git a/lib/plugins/stonith/external/ec2 b/lib/plugins/stonith/external/ec2 index 7ff4b512..8e6798a1 100755 --- a/lib/plugins/stonith/external/ec2 +++ b/lib/plugins/stonith/external/ec2 
@@ -170,6 +170,33 @@ EOF exit 0; } +function is_instance_running() +{ + local myinstance + local mystatus + + # get my instance id + myinstance="$(curl http://169.254.169.254/latest/meta-data/instance-id)" + + # check my status. + # When the EC2 instance be stopped by the "aws ec2 stop-instances" , the stop processing of the OS is executed. + # While the OS stop processing, Pacemaker can execute the STONITH processing. + # So, If my status is not "running", it determined that I was already fenced. And to prevent fencing each other + # in split-brain, I don't fence other node. + if [ -z "$myinstance" ]; then + ha_log.sh err "Failed to get Instance ID. Unable to check instance status." + return 1 + fi + + mystatus="$(instance_status $myinstance)" + + if [ "$mystatus" != "running" ]; then #do not fence + ha_log.sh warn "Already fenced (Instance status = $mystatus). Aborting fence attempt." + return 1 + fi + return 0 +} + function instance_for_port() { local port=$1 @@ -312,24 +339,6 @@ case $action in ;; esac -# get my instance id -myinstance=`curl http://169.254.169.254/latest/meta-data/instance-id` - -# check my status. -# When the EC2 instance be stopped by the "aws ec2 stop-instances" , the stop processing of the OS is executed. -# While the OS stop processing, Pacemaker can execute the STONITH processing. -# So, If my status is not "running", it determined that I was already fenced. And to prevent fencing each other -# in split-brain, I don't fence other node. -if [ -z "$myinstance" ]; then - ha_log.sh err "Failed to get My Instance ID. so can not check my status." - exit 1 -fi -mystatus=`instance_status $myinstance` -if [ "$mystatus" != "running" ]; then #do not fence - ha_log.sh warn "I was already fenced (My instance status=$mystatus). I don't fence other node." - exit 1 -fi - if [ -z "$port" ]; then port="$node_to_fence" fi 
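Review bot: The `curl` call in `is_instance_running` has no timeout and no `--fail`, so a stalled metadata endpoint blocks the fence operation and an HTTP error body would be accepted as the instance ID. `myinstance="$(curl -sf --max-time 5 http://169.254.169.254/latest/meta-data/instance-id)"` covers both (the 5-second value is only a suggestion), and the argument in `instance_status $myinstance` should be quoted. The `!= "running"` branch presumably also fires when `instance_status` returns nothing, so an API or credential failure would be logged as "Already fenced". A separate `[ -z "$mystatus" ]` branch with an `err` message would keep the two cases apart in the logs.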
@@ -340,6 +349,8 @@ if [ ! -z "$port" ]; then instance=`instance_for_port $port $options` fi +is_instance_running || exit 1 + case $action in reboot|reset) status=`instance_status $instance` -- 2.16.2 ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.diF3kw/_old 2018-04-17 11:08:39.275335506 +0200 +++ /var/tmp/diff_new_pack.diF3kw/_new 2018-04-17 11:08:39.275335506 +0200 @@ -1,4 +1,4 @@ <servicedata> <service name="tar_scm"> <param name="url">git://github.com/ClusterLabs/cluster-glue.git</param> - <param name="changesrevision">609cc3866108464ee3f47ff4aeb47e01db31fee1</param></service></servicedata> \ No newline at end of file + <param name="changesrevision">6734e0d0f6c20e44f31ab3f6664569adb3109dfd</param></service></servicedata> \ No newline at end of file ++++++ cluster-glue-1.0.12+v1.git.1511436818.71ae59fa.tar.bz2 -> cluster-glue-1.0.12+v1.git.1523280117.43b22d15.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cluster-glue-1.0.12+v1.git.1511436818.71ae59fa/lib/plugins/stonith/external/ec2 new/cluster-glue-1.0.12+v1.git.1523280117.43b22d15/lib/plugins/stonith/external/ec2 --- old/cluster-glue-1.0.12+v1.git.1511436818.71ae59fa/lib/plugins/stonith/external/ec2 2017-11-23 12:33:38.000000000 +0100 +++ new/cluster-glue-1.0.12+v1.git.1523280117.43b22d15/lib/plugins/stonith/external/ec2 2018-04-09 15:21:57.000000000 +0200 @@ -20,7 +20,10 @@ If the tag containing the uname is not [Name], then it will need to be specified using the [tag] option. " + # +# Copyright (c) 2018 Stefan Schneider <[email protected]> +# Copyright (c) 2018 Kristoffer Gronlund <[email protected]> # Copyright (c) 2011-2013 Andrew Beekhof # Copyright (c) 2014 NIPPON TELEGRAPH AND TELEPHONE CORPORATION # All Rights Reserved. 
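Review bot: The placement of `is_instance_running || exit 1` after the `instance_for_port` lookup is the whole fix, but nothing at the call site records that, so a later cleanup could move it back above the lookup. A comment such as `# Keep after instance_for_port: checking our own state last narrows the fence-race window (bsc#1088656)` would document the ordering. A window still remains between this check and the stop/reboot call in the `case` that follows, so this is mitigation only, as the subject line says. The `case` body continues outside the hunk.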
@@ -69,15 +72,15 @@ { cat <<EOF `basename $0` - A fencing agent for Amazon EC2 instances - + $description - + Usage: `basename $0` -o|--action [-n|--port] [options] Options: -h, --help This text -V, --version Version information -q, --quiet Reduced output mode - + Commands: -o, --action Action to perform: on|off|reboot|status|monitor -n, --port The name of a machine/instance to control/check @@ -90,7 +93,7 @@ -U, --unknown-are-stopped Assume any unknown instance is safely stopped EOF - exit 0; + exit 0; } function getinfo_xml() @@ -173,11 +176,7 @@ local instance="" # Look for port name -n in the INSTANCE data - instance=`aws ec2 describe-instances $options | grep "^INSTANCES[[:space:]].*[[:space:]]$port[[:space:]]" | awk '{print $8}'` - if [ -z $instance ]; then - # Look for port name -n in the Name TAG - instance=`aws ec2 describe-tags $options | grep "^TAGS[[:space:]]$ec2_tag[[:space:]].*[[:space:]]instance[[:space:]]$port$" | awk '{print $3}'` - fi + instance=`aws ec2 describe-instances $options --filters "Name=tag-value,Values=${port}" "Name=tag-key,Values=${ec2_tag}" --query 'Reservations[*].Instances[*].InstanceId' ` if [ -z $instance ]; then instance_not_found=1 @@ -212,9 +211,7 @@ if [ "$unknown_are_stopped" = 1 -a $instance_not_found ]; then ha_log.sh info "$instance stopped (unknown)" else - status=`aws ec2 describe-instances $options --instance-ids $instance | awk '{ - if (/^STATE\t/) { printf "%s", $3 } - }'` + status=`aws ec2 describe-instances $options --instance-ids $instance --query 'Reservations[*].Instances[*].State.Name' ` rc=$? fi ha_log.sh info "status check for $instance is $status" 
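Review bot: The new lookup in `instance_for_port` passes `tag-value` and `tag-key` as two independent filters, so it matches any instance with some tag keyed `${ec2_tag}` and some tag valued `${port}`, not necessarily the same tag. For a fencing agent that can resolve to the wrong instance; `--filters "Name=tag:${ec2_tag},Values=${port}"` ties key and value together. The query does not filter on instance state and can return more than one ID, in which case the unquoted `[ -z $instance ]` that follows errors instead of testing, so `[ -z "$instance" ]` plus an explicit single-result check would be safer. The removed code also matched the port against the INSTANCES rows, so a port that is not the tag value no longer resolves. The function body continues outside the hunk.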
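Review bot: The result of `--query 'Reservations[*].Instances[*].State.Name'` in `instance_status` is compared elsewhere against bare words such as `running` and `stopped`, which only works when the CLI emits text output. With JSON output the value arrives wrapped in brackets and quotes. Whether `$options` already carries `--output text` is not visible here, so passing it explicitly on this call, and on the `--query` calls in `instance_for_port` and the `gethosts` branch, would remove the dependency on the caller's profile. `$instance` is also unquoted in `--instance-ids $instance`. The function starts and ends outside the hunk.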
@@ -225,15 +222,15 @@ function monitor() { # Is the device ok? - aws ec2 describe-instances $options | grep INSTANCES &> /dev/null + aws ec2 describe-instances $options --filters "Name=tag-key,Values=${ec2_tag}" | grep INSTANCES &> /dev/null } TEMP=`getopt -o qVho:e:p:n:t:U --long version,help,action:,port:,option:,profile:,tag:,quiet,unknown-are-stopped \ - -n 'fence_ec2' -- "$@"` + -n 'fence_ec2' -- "$@"` -if [ $? != 0 ];then - usage - exit 1 +if [ $? != 0 ]; then + usage + exit 1 fi # Note the quotes around `$TEMP': they are essential! @@ -242,7 +239,7 @@ if [ -z $1 ]; then # If there are no command line args, look for options from stdin while read line; do - case $line in + case $line in option=*|action=*) action=`echo $line | sed s/.*=//`;; port=*) port=`echo $line | sed s/.*=//`;; profile=*) ec2_profile=`echo $line | sed s/.*=//`;; @@ -264,7 +261,7 @@ -U|--unknown-are-stopped) unknown_are_stopped=1; shift;; -q|--quiet) quiet=1; shift;; -V|--version) echo "1.0.0"; exit 0;; - --help|-h) + --help|-h) usage; exit 0;; --) shift ; break ;; @@ -283,7 +280,7 @@ action=`echo $action | tr 'A-Z' 'a-z'` -case $action in +case $action in metadata) metadata ;; @@ -343,7 +340,7 @@ instance=`instance_for_port $port $options` fi -case $action in +case $action in reboot|reset) status=`instance_status $instance` if [ "$status" != "stopped" ]; then @@ -393,10 +390,7 @@ ;; gethosts|hostlist|list) # List of names we know about - a=`aws ec2 describe-instances $options | awk -v tag_pat="^TAGS\t$ec2_tag\t" -F '\t' '{ - if (/^INSTANCES/) { printf "%s\n", $8 } - else if ( $1"\t"$2"\t" ~ tag_pat ) { printf "%s\n", $3 } - }' | sort -u` + a=`aws ec2 describe-instances $options --filters "Name=tag-key,Values=${ec2_tag}" --query 'Reservations[*].Instances[*].Tags[?Key==\`'${ec2_tag}'\`].Value' | sort -u` echo $a ;; stat|status)
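Review bot: In the `gethosts|hostlist|list` branch, `${ec2_tag}` is spliced into the JMESPath expression outside any quotes, between two single-quoted segments. A tag name containing whitespace or glob characters is therefore word-split before `aws` sees it, and a backtick in the tag breaks the expression. Writing it as one double-quoted word, `--query "Reservations[*].Instances[*].Tags[?Key=='${ec2_tag}'].Value"`, keeps it a single argument and avoids the escaped backticks. The list also no longer includes the values the removed awk printed from the INSTANCES rows, which may matter to clusters whose ports were configured from that column. The `case` statement continues outside the hunk.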
