commit 176377c0898ba27f2d941e65b69533fe915a1c95 Author: Thomas Lamprecht Date: Tue Mar 24 16:29:02 2020 +0100 initial import Signed-off-by: Thomas Lamprecht
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..2323e8f
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "src"]
+ path = src
+ url = ../mirror_corosync-qdevice
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..82ec2c5
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,64 @@
+include /usr/share/dpkg/pkg-info.mk
+include /usr/share/dpkg/architecture.mk
+
+PACKAGE=corosync-qdevice
+
+CSVERSION=${DEB_VERSION_UPSTREAM}
+
+BUILDDIR=${PACKAGE}-${CSVERSION}
+CSSRC=src
+
+ARCH:=$(shell dpkg-architecture -qDEB_BUILD_ARCH)
+GITVERSION:=$(shell git rev-parse HEAD)
+
+MAIN_DEB=corosync-qdevice_${DEB_VERSION}_${DEB_BUILD_ARCH}.deb \
+
+OTHER_DEBS=\
+corosync-qnetd_${DEB_VERSION}_${DEB_BUILD_ARCH}.deb
+
+DBG_DEBS=\
+corosync-qdevice_${DEB_VERSION}_${DEB_BUILD_ARCH}.deb \
+corosync-qnet-dbgsym_${DEB_VERSION}_${DEB_BUILD_ARCH}.deb
+
+DEBS=${MAIN_DEB} ${OTHER_DEBS} ${DBG_DEBS}
+
+DSC=${PACKAGE}_${DEB_VERSION}.dsc
+
+all: ${DEBS}
+ echo ${DEBS}
+
+${BUILDDIR}: submodule debian/changelog
+ rm -rf $@ $@.tmp
+ cp -a ${CSSRC} $@.tmp
+ cp -a debian $@.tmp
+ mv $@.tmp $@
+
+.PHONY: deb
+deb: ${DEBS}
+${OTHER_DEBS} ${DBG_DEBS}: ${MAIN_DEB}
+${MAIN_DEB}: ${BUILDDIR}
+ cd ${BUILDDIR}; dpkg-buildpackage -b -us -uc
+ lintian ${MAIN_DEB} ${OTHER_DEBS}
+
+.PHONY: dsc
+dsc: ${DSC}
+${DSC}: ${BUILDDIR}
+ cd ${BUILDDIR}; dpkg-buildpackage -S -us -uc -d -nc
+
+.PHONY: submodule
+submodule:
+ test -f "${CSSRC}/Makefile.am" || git submodule update --init ${CSSRC}
+
+.PHONY: upload
+upload: ${DEBS}
+ tar cf - ${DEBS} | ssh -X repoman@repo.proxmox.com -- upload --product pve --dist buster --arch ${DEB_BUILD_ARCH}
+
+.PHONY: clean
+distclean: clean
+clean:
+ rm -rf *.deb *.changes *.dsc *.buildinfo ${BUILDDIR} ${PACKAGE}-*/
+ find . -name '*~' -exec rm {} ';'
+
+.PHONY: dinstall
+dinstall: ${DEBS}
+ dpkg -i ${DEBS}
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..6e0f465
--- /dev/null
+++ b/debian/changelog
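Review bot: `DBG_DEBS` looks mis-named: its first entry, `corosync-qdevice_${DEB_VERSION}_${DEB_BUILD_ARCH}.deb`, repeats `MAIN_DEB`, and its second is `corosync-qnet-dbgsym_…` although the binary package declared in debian/control is `corosync-qnetd`. Presumably the entries should be `corosync-qdevice-dbgsym_${DEB_VERSION}_${DEB_BUILD_ARCH}.deb` and `corosync-qnetd-dbgsym_${DEB_VERSION}_${DEB_BUILD_ARCH}.deb`; as written, `upload` and `dinstall` hand `tar` and `dpkg -i` a file name the build is unlikely to produce. Separately, the `upload` recipe calls `ssh -X`, which requests X11 forwarding to the repository host for what is only a tar pipe; dropping `-X` (or using `-x`) avoids exposing the local display to that host.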
@@ -0,0 +1,43 @@
+corosync-qdevice (3.0.0-5) unstable; urgency=medium
+
+ * drop problematic sys-v init script
+
+ -- Proxmox Support Team Tue, 24 Mar 2020 16:24:54 +0100
+
+corosync-qdevice (3.0.0-4) unstable; urgency=medium
+
+ * [c680521] Revert "Require pacemaker for qdevice autopkgtest"
+ The actual bug is the Corosync daemon not running after installation,
+ which was fixed by switching to Debhelper compatibility level 12 in the
+ 3.0.1-2 upload of Corosync.
+
+ -- Ferenc Wágner Mon, 04 Feb 2019 00:33:24 +0100
+
+corosync-qdevice (3.0.0-3) unstable; urgency=medium
+
+ * [2772eac] Fix Vcs-Browser URL
+ * [8041dc0] Require pacemaker for qdevice autopkgtest (Closes: #921265)
+ * [fd9d7ba] Use minimal upstream signing key
+
+ -- Valentin Vidic Sun, 03 Feb 2019 23:11:20 +0100
+
+corosync-qdevice (3.0.0-2) unstable; urgency=medium
+
+ * [ee08d93] Fix cert database upgrade (Closes: #919901)
+ * [631309b] Add autopkgtests
+ * [d03ebb2] Add myself to Uploaders
+
+ -- Valentin Vidic Wed, 30 Jan 2019 21:34:53 +0100
+
+corosync-qdevice (3.0.0-1) unstable; urgency=medium
+
+ * [8264197] Initial packaging after the split from Corosync
+ * [b2bcd82] Get rid of the empty default files
+ * [6fbd903] Do not enable corosync-qdevice the Debhelper 12 way
+ * [70cddbb] Do not generate HTML versions of the man pages
+ * [d31f9b1] Skip dh_dwz until further investigation
+ * [f3ccfeb] Update the qnetd NSS DB if necessary
+ * [320d791] New patch: Use PrivateTmp=yes for hardening in systemd service
+ files
+
+ -- Ferenc Wágner Fri, 04 Jan 2019 02:45:19 +0100
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..48082f7
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+12
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..99bac51
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,59 @@
+Source: corosync-qdevice
+Section: admin
+Priority: optional
+Maintainer: Debian HA Maintainers
+Uploaders:
+ Ferenc Wágner ,
+ Valentin Vidic ,
+Standards-Version: 4.3.0
+Build-Depends:
+ debhelper (>= 12~),
+ libcmap-dev,
+ libcorosync-common-dev,
+ libnss3-dev,
+# protect backports from silent log loss (#898266):
+ libqb-dev (>= 1.0.3),
+ libsystemd-dev [linux-any],
+ libvotequorum-dev,
+ pkg-config,
+Homepage: https://github.com/corosync/corosync-qdevice
+Vcs-Git: https://salsa.debian.org/ha-team/corosync-qdevice.git
+Vcs-Browser: https://salsa.debian.org/ha-team/corosyn-qdevice
+
+Package: corosync-qdevice
+Architecture: any
+Pre-Depends:
+ ${misc:Pre-Depends},
+Depends:
+ ${shlibs:Depends},
+ ${misc:Depends},
+ corosync (>= 2),
+ libnss3-tools,
+Description: cluster engine quorum device daemon
+ corosync-qdevice is a daemon running on each node of a cluster. It provides
+ a configured number of votes to the quorum subsystem based on a third-party
+ arbitrator's decision. Its primary use is to allow a cluster to sustain more
+ node failures than standard quorum rules allow. It is recommended for clusters
+ with an even number of nodes and highly recommended for 2 node clusters.
+
+Package: corosync-qnetd
+Architecture: any
+Pre-Depends:
+ ${misc:Pre-Depends},
+Depends:
+ adduser,
+ libnss3-tools,
+# for ps and w in corosync-qnetd-certutil:
+ procps,
+ ${shlibs:Depends},
+ ${misc:Depends},
+Description: cluster engine quorum device network daemon
+ Corosync-qnetd is a daemon running outside of the cluster with the purpose
+ of providing a vote to the corosync-qdevice model net. It's designed to
+ support multiple clusters and be almost configuration and state free.
+ New clusters are handled dynamically and no configuration file exists.
+ It's also able to run as non-root user - which is recommended.
+ Connection between the corosync-qdevice model net client can be optionally
+ configured with TLS client certificate checking. The communication protocol
+ between server and client is designed to be very simple and allow
+ backwards compatibility.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..3471ef4
--- /dev/null
+++ b/debian/copyright
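Review bot: The `Vcs-Browser` field reads `https://salsa.debian.org/ha-team/corosyn-qdevice`, which is missing the second `c` that the `Vcs-Git` line directly above it has; it should be `Vcs-Browser: https://salsa.debian.org/ha-team/corosync-qdevice`. Because the newest changelog entry is signed by the Proxmox Support Team, it may also be worth pointing `Maintainer` and the `Vcs-*` fields at wherever this fork is actually maintained, so that anyone tracing the package's provenance lands on the repository that produced it.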
@@ -0,0 +1,64 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: corosync-qdevice
+Source: https://github.com/corosync/corosync-qdevice/releases
+
+Files: *
+Comment: Based on the distributed LICENSE file
+Copyright: 2015-2018 Red Hat, Inc.
+License: BSD-3-clause
+
+Files: build-aux/git-version-gen
+ build-aux/gitlog-to-changelog
+Copyright: 2007-2010 Free Software Foundation, Inc.
+ 2018 Red Hat, Inc.
+License: GPL-3+
+
+Files: debian/*
+Copyright: 2018 Ferenc Wágner
+License: BSD-3-clause
+
+License: BSD-3-clause
+ All rights reserved.
+ .
+ This software licensed under BSD license, the text of which follows:
+ .
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+ .
+ - Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ - Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+ - Neither the name of the MontaVista Software, Inc. nor the names of its
+ contributors may be used to endorse or promote products derived from this
+ software without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ THE POSSIBILITY OF SUCH DAMAGE.
+
+License: GPL-3+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 3 can be found in "/usr/share/common-licenses/GPL-3".
diff --git a/debian/corosync-qdevice.install b/debian/corosync-qdevice.install
new file mode 100644
index 0000000..e588738
--- /dev/null
+++ b/debian/corosync-qdevice.install
@@ -0,0 +1,7 @@
+lib/systemd/system/corosync-qdevice.service
+usr/sbin/corosync-qdevice
+usr/sbin/corosync-qdevice-net-certutil
+usr/sbin/corosync-qdevice-tool
+usr/share/man/man8/corosync-qdevice.8
+usr/share/man/man8/corosync-qdevice-net-certutil.8
+usr/share/man/man8/corosync-qdevice-tool.8
diff --git a/debian/corosync-qdevice.maintscript b/debian/corosync-qdevice.maintscript
new file mode 100644
index 0000000..7e78ebf
--- /dev/null
+++ b/debian/corosync-qdevice.maintscript
@@ -0,0 +1 @@
+rm_conffile /etc/default/corosync-qdevice 3.0.0-1~
diff --git a/debian/corosync-qnetd.install b/debian/corosync-qnetd.install
new file mode 100644
index 0000000..8eea848
--- /dev/null
+++ b/debian/corosync-qnetd.install
@@ -0,0 +1,8 @@
+etc/corosync/qnetd
+lib/systemd/system/corosync-qnetd.service
+usr/bin/corosync-qnetd
+usr/bin/corosync-qnetd-certutil
+usr/bin/corosync-qnetd-tool
+usr/share/man/man8/corosync-qnetd.8
+usr/share/man/man8/corosync-qnetd-certutil.8
+usr/share/man/man8/corosync-qnetd-tool.8
diff --git a/debian/corosync-qnetd.maintscript b/debian/corosync-qnetd.maintscript
new file mode 100644
index 0000000..8c6c036
--- /dev/null
+++ b/debian/corosync-qnetd.maintscript
@@ -0,0 +1 @@
+rm_conffile /etc/default/corosync-qnetd 3.0.0-1~
diff --git a/debian/corosync-qnetd.postinst b/debian/corosync-qnetd.postinst
new file mode 100755
index 0000000..8b48365
--- /dev/null
+++ b/debian/corosync-qnetd.postinst
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+set -e
+
+dir=/etc/corosync/qnetd
+db="$dir/nssdb"
+pwdfile="$db/pwdfile.txt"
+user=coroqnetd
+
+if [ "$1" = configure ]; then
+ adduser --system --group --quiet --home "$dir" \
+ --no-create-home --disabled-login "$user"
+
+ # https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql
+ if ! [ -f "$db/cert9.db" ]; then
+ if [ -f "$dir/nssdb/cert8.db" ]; then
+ # password file should have an empty line to be accepted
+ [ -f "$pwdfile" -a ! -s "$pwdfile" ] && echo > "$pwdfile"
+
+ # upgrade to SQLite database
+ certutil -N -d "sql:$db" -f "$pwdfile" -@ "$pwdfile"
+ chmod g+r "$db/cert9.db" "$db/key4.db"
+ else
+ corosync-qnetd-certutil -i -G
+ fi
+ chgrp "$user" "$db" "$db/cert9.db" "$db/key4.db"
+ fi
+fi
+
+#DEBHELPER#
diff --git a/debian/corosync-qnetd.postrm b/debian/corosync-qnetd.postrm
new file mode 100755
index 0000000..e542865
--- /dev/null
+++ b/debian/corosync-qnetd.postrm
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = purge ]; then
+ rm -rf /etc/corosync/qnetd/nssdb
+fi
+
+#DEBHELPER#
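Review bot: In debian/corosync-qnetd.postinst the upgrade branch only adds a permission bit (`chmod g+r "$db/cert9.db" "$db/key4.db"`) and never sets the final mode, so whether `key4.db` ends up readable by other users depends on how `certutil -N` created it and on the umask in effect during `configure`. The password file is, per the script's own comment, an empty line, so file permissions appear to be the only protection on the key database. Setting the mode explicitly, e.g. `chmod 0640 "$db/cert9.db" "$db/key4.db"` after the `chgrp`, would give the same result on both branches; the `corosync-qnetd-certutil -i -G` branch presumably sets its own modes, which is worth confirming. The test `[ -f "$pwdfile" -a ! -s "$pwdfile" ]` also uses the obsolescent `-a` operator; `[ -f "$pwdfile" ] && [ ! -s "$pwdfile" ] && echo > "$pwdfile"` is the portable form.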
diff --git a/debian/patches/Run-corosync-qnetd-unprivileged.patch b/debian/patches/Run-corosync-qnetd-unprivileged.patch
new file mode 100644
index 0000000..4f9e4ac
--- /dev/null
+++ b/debian/patches/Run-corosync-qnetd-unprivileged.patch
@@ -0,0 +1,22 @@
+From: =?utf-8?q?Ferenc_W=C3=A1gner?=
+Date: Fri, 28 Oct 2016 16:19:30 +0200
+Subject: Run corosync-qnetd unprivileged
+
+---
+ init/corosync-qnetd.service.in | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/init/corosync-qnetd.service.in b/init/corosync-qnetd.service.in
+index a8d6a7e..54e91c9 100644
+--- a/init/corosync-qnetd.service.in
++++ b/init/corosync-qnetd.service.in
+@@ -11,8 +11,7 @@ ExecStart=@BINDIR@/corosync-qnetd -f $COROSYNC_QNETD_OPTIONS
+ Type=notify
+ StandardError=null
+ Restart=on-abnormal
+-# Uncomment and set user who should be used for executing qnetd
+-#User=coroqnetd
++User=coroqnetd
+ RuntimeDirectory=corosync-qnetd
+ RuntimeDirectoryMode=0770
+
diff --git a/debian/patches/Use-PrivateTmp-yes-for-hardening-in-systemd-service-files.patch b/debian/patches/Use-PrivateTmp-yes-for-hardening-in-systemd-service-files.patch
new file mode 100644
index 0000000..4b3a4cf
--- /dev/null
+++ b/debian/patches/Use-PrivateTmp-yes-for-hardening-in-systemd-service-files.patch
@@ -0,0 +1,33 @@
+From: =?utf-8?q?Ferenc_W=C3=A1gner?=
+Date: Thu, 3 Jan 2019 22:54:35 +0100
+Subject: Use PrivateTmp=yes for hardening in systemd service files
+
+---
+ init/corosync-qdevice.service.in | 1 +
+ init/corosync-qnetd.service.in | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/init/corosync-qdevice.service.in b/init/corosync-qdevice.service.in
+index 5f3314c..3e98d54 100644
+--- a/init/corosync-qdevice.service.in
++++ b/init/corosync-qdevice.service.in
+@@ -13,6 +13,7 @@ StandardError=null
+ Restart=on-failure
+ RuntimeDirectory=corosync-qdevice
+ RuntimeDirectoryMode=0770
++PrivateTmp=yes
+
+ [Install]
+ WantedBy=multi-user.target
+diff --git a/init/corosync-qnetd.service.in b/init/corosync-qnetd.service.in
+index 54e91c9..bd586bd 100644
+--- a/init/corosync-qnetd.service.in
++++ b/init/corosync-qnetd.service.in
+@@ -14,6 +14,7 @@ Restart=on-abnormal
+ User=coroqnetd
+ RuntimeDirectory=corosync-qnetd
+ RuntimeDirectoryMode=0770
++PrivateTmp=yes
+
+ [Install]
+ WantedBy=multi-user.target
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..21a1410
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+Run-corosync-qnetd-unprivileged.patch
+Use-PrivateTmp-yes-for-hardening-in-systemd-service-files.patch
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..2f3e76f
--- /dev/null
+++ b/debian/rules
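Review bot: `PrivateTmp=yes` is the only sandboxing directive this patch adds to either unit, and the corosync-qdevice unit shows no `User=` line in the quoted context, so that daemon presumably still runs as root. For the qnetd unit, which the preceding patch already moves to `User=coroqnetd` and which the package description calls a network daemon, `NoNewPrivileges=yes` and `ProtectHome=yes` look like low-risk additions next to `PrivateTmp=yes`. Stricter options such as `ProtectSystem=` would need testing against the daemon's access to its NSS database under /etc/corosync before being enabled. Both unit bodies start and end outside the quoted hunks, so some directives may already be set there.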
@@ -0,0 +1,33 @@
+#!/usr/bin/make -f
+
+# see FEATURE AREAS in dpkg-buildflags(1)
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+# Ensure that we link against all needed libraries (cf. Policy 10.2)
+export DEB_LDFLAGS_MAINT_APPEND=-Wl,-z,defs
+
+%:
+ dh $@
+
+# Explicit BASHPATH fixes reproducible build on merged-usr vs non-merged:
+override_dh_auto_configure:
+ dh_auto_configure -- \
+ BASHPATH=/bin/bash \
+ ac_cv_prog_GROFF="" \
+ --with-initconfigdir=/etc/default \
+ --enable-systemd
+
+override_dh_auto_install:
+ dh_auto_install
+# we don't need the upstream license
+ rm debian/tmp/usr/share/doc/corosync-qdevice/LICENSE
+
+override_dh_missing:
+ dh_missing --fail-missing
+
+override_dh_installsystemd:
+ dh_installsystemd -p corosync-qdevice --no-enable --no-start
+ dh_installsystemd --remaining-packages
+
+# dh_dwz fails with "Too few files for multifile optimization", so:
+override_dh_dwz:
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..4ad2d31
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,7 @@
+Depends: corosync-qnetd
+Restrictions: needs-root, isolation-container
+Tests: qnetd
+
+Depends: corosync-qnetd, corosync-qdevice
+Restrictions: needs-root, isolation-container
+Tests: qdevice
diff --git a/debian/tests/qdevice b/debian/tests/qdevice
new file mode 100755
index 0000000..57b4e34
--- /dev/null
+++ b/debian/tests/qdevice
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+set -e
+
+# setup TLS certificates
+corosync-qdevice-net-certutil -i -c /etc/corosync/qnetd/nssdb/qnetd-cacert.crt 2>&1
+corosync-qdevice-net-certutil -r -n debian 2>&1
+corosync-qnetd-certutil -s -c /etc/corosync/qdevice/net/nssdb/qdevice-net-node.crq -n debian 2>&1
+corosync-qdevice-net-certutil -M -c /etc/corosync/qnetd/nssdb/cluster-debian.crt 2>&1
+
+# service config
+cat >>/etc/corosync/corosync.conf <