initial import

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "src"]
+	path = src
+	url = ../mirror_corosync-qdevice

Makefile

@@ -0,0 +1,64 @@
+include /usr/share/dpkg/pkg-info.mk
+include /usr/share/dpkg/architecture.mk
+
+PACKAGE=corosync-qdevice
+
+CSVERSION=${DEB_VERSION_UPSTREAM}
+
+BUILDDIR=${PACKAGE}-${CSVERSION}
+CSSRC=src
+
+ARCH:=$(shell dpkg-architecture -qDEB_BUILD_ARCH)
+GITVERSION:=$(shell git rev-parse HEAD)
+
+MAIN_DEB=corosync-qdevice_${DEB_VERSION}_${DEB_BUILD_ARCH}.deb \
+
+OTHER_DEBS=\
+corosync-qnetd_${DEB_VERSION}_${DEB_BUILD_ARCH}.deb
+
+DBG_DEBS=\
+corosync-qdevice_${DEB_VERSION}_${DEB_BUILD_ARCH}.deb \
+corosync-qnet-dbgsym_${DEB_VERSION}_${DEB_BUILD_ARCH}.deb
+
+DEBS=${MAIN_DEB} ${OTHER_DEBS} ${DBG_DEBS}
+
+DSC=${PACKAGE}_${DEB_VERSION}.dsc
+
+all: ${DEBS}
+	echo ${DEBS}
+
+${BUILDDIR}: submodule debian/changelog
+	rm -rf $@ $@.tmp
+	cp -a ${CSSRC} $@.tmp
+	cp -a debian $@.tmp
+	mv $@.tmp $@
+
+.PHONY: deb
+deb: ${DEBS}
+${OTHER_DEBS} ${DBG_DEBS}: ${MAIN_DEB}
+${MAIN_DEB}: ${BUILDDIR}
+	cd ${BUILDDIR}; dpkg-buildpackage -b -us -uc
+	lintian ${MAIN_DEB} ${OTHER_DEBS}
+
+.PHONY: dsc
+dsc: ${DSC}
+${DSC}: ${BUILDDIR}
+	cd ${BUILDDIR}; dpkg-buildpackage -S -us -uc -d -nc
+
+.PHONY: submodule
+submodule:
+	test -f "${CSSRC}/Makefile.am" || git submodule update --init ${CSSRC}
+
+.PHONY: upload
+upload: ${DEBS}
+	tar cf - ${DEBS} | ssh -X repoman@repo.proxmox.com -- upload --product pve --dist buster --arch ${DEB_BUILD_ARCH}
+
+.PHONY: clean
+distclean: clean
+clean:
+	rm -rf *.deb *.changes *.dsc *.buildinfo ${BUILDDIR} ${PACKAGE}-*/
+	find . -name '*~' -exec rm {} ';'
+
+.PHONY: dinstall
+dinstall: ${DEBS}
+	dpkg -i ${DEBS}

debian/changelog

@@ -0,0 +1,43 @@
+corosync-qdevice (3.0.0-5) unstable; urgency=medium
+
+  * drop problematic sys-v init script
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 24 Mar 2020 16:24:54 +0100
+
+corosync-qdevice (3.0.0-4) unstable; urgency=medium
+
+  * [c680521] Revert "Require pacemaker for qdevice autopkgtest"
+    The actual bug is the Corosync daemon not running after installation,
+    which was fixed by switching to Debhelper compatibility level 12 in the
+    3.0.1-2 upload of Corosync.
+
+ -- Ferenc Wágner <wferi@debian.org>  Mon, 04 Feb 2019 00:33:24 +0100
+
+corosync-qdevice (3.0.0-3) unstable; urgency=medium
+
+  * [2772eac] Fix Vcs-Browser URL
+  * [8041dc0] Require pacemaker for qdevice autopkgtest (Closes: #921265)
+  * [fd9d7ba] Use minimal upstream signing key
+
+ -- Valentin Vidic <vvidic@debian.org>  Sun, 03 Feb 2019 23:11:20 +0100
+
+corosync-qdevice (3.0.0-2) unstable; urgency=medium
+
+  * [ee08d93] Fix cert database upgrade (Closes: #919901)
+  * [631309b] Add autopkgtests
+  * [d03ebb2] Add myself to Uploaders
+
+ -- Valentin Vidic <vvidic@debian.org>  Wed, 30 Jan 2019 21:34:53 +0100
+
+corosync-qdevice (3.0.0-1) unstable; urgency=medium
+
+  * [8264197] Initial packaging after the split from Corosync
+  * [b2bcd82] Get rid of the empty default files
+  * [6fbd903] Do not enable corosync-qdevice the Debhelper 12 way
+  * [70cddbb] Do not generate HTML versions of the man pages
+  * [d31f9b1] Skip dh_dwz until further investigation
+  * [f3ccfeb] Update the qnetd NSS DB if necessary
+  * [320d791] New patch: Use PrivateTmp=yes for hardening in systemd service
+    files
+
+ -- Ferenc Wágner <wferi@debian.org>  Fri, 04 Jan 2019 02:45:19 +0100

debian/compat

@@ -0,0 +1 @@
+12

debian/control

@@ -0,0 +1,59 @@
+Source: corosync-qdevice
+Section: admin
+Priority: optional
+Maintainer: Debian HA Maintainers <debian-ha-maintainers@lists.alioth.debian.org>
+Uploaders:
+ Ferenc Wágner <wferi@debian.org>,
+ Valentin Vidic <vvidic@debian.org>,
+Standards-Version: 4.3.0
+Build-Depends:
+ debhelper (>= 12~),
+ libcmap-dev,
+ libcorosync-common-dev,
+ libnss3-dev,
+# protect backports from silent log loss (#898266):
+ libqb-dev (>= 1.0.3),
+ libsystemd-dev [linux-any],
+ libvotequorum-dev,
+ pkg-config,
+Homepage: https://github.com/corosync/corosync-qdevice
+Vcs-Git: https://salsa.debian.org/ha-team/corosync-qdevice.git
+Vcs-Browser: https://salsa.debian.org/ha-team/corosyn-qdevice
+
+Package: corosync-qdevice
+Architecture: any
+Pre-Depends:
+ ${misc:Pre-Depends},
+Depends:
+ ${shlibs:Depends},
+ ${misc:Depends},
+ corosync (>= 2),
+ libnss3-tools,
+Description: cluster engine quorum device daemon
+ corosync-qdevice is a daemon running on each node of a cluster. It provides
+ a configured number of votes to the quorum subsystem based on a third-party
+ arbitrator's decision. Its primary use is to allow a cluster to sustain more
+ node failures than standard quorum rules allow. It is recommended for clusters
+ with an even number of nodes and highly recommended for 2 node clusters.
+
+Package: corosync-qnetd
+Architecture: any
+Pre-Depends:
+ ${misc:Pre-Depends},
+Depends:
+ adduser,
+ libnss3-tools,
+# for ps and w in corosync-qnetd-certutil:
+ procps,
+ ${shlibs:Depends},
+ ${misc:Depends},
+Description: cluster engine quorum device network daemon
+ Corosync-qnetd is a daemon running outside of the cluster with the purpose
+ of providing a vote to the corosync-qdevice model net. It's designed to
+ support multiple clusters and be almost configuration and state free.
+ New clusters are handled dynamically and no configuration file exists.
+ It's also able to run as non-root user - which is recommended.
+ Connection between the corosync-qdevice model net client can be optionally
+ configured with TLS client certificate checking. The communication protocol
+ between server and client is designed to be very simple and allow
+ backwards compatibility.

debian/copyright

@@ -0,0 +1,64 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: corosync-qdevice
+Source: https://github.com/corosync/corosync-qdevice/releases
+
+Files: *
+Comment: Based on the distributed LICENSE file
+Copyright: 2015-2018 Red Hat, Inc.
+License: BSD-3-clause
+
+Files: build-aux/git-version-gen
+       build-aux/gitlog-to-changelog
+Copyright: 2007-2010 Free Software Foundation, Inc.
+           2018 Red Hat, Inc.
+License: GPL-3+
+
+Files: debian/*
+Copyright: 2018 Ferenc Wágner <wferi@debian.org>
+License: BSD-3-clause
+
+License: BSD-3-clause
+ All rights reserved.
+ .
+ This software licensed under BSD license, the text of which follows:
+ .
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+ .
+ - Redistributions of source code must retain the above copyright notice,
+   this list of conditions and the following disclaimer.
+ - Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+ - Neither the name of the MontaVista Software, Inc. nor the names of its
+   contributors may be used to endorse or promote products derived from this
+   software without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ THE POSSIBILITY OF SUCH DAMAGE.
+
+License: GPL-3+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 3 can be found in "/usr/share/common-licenses/GPL-3".

debian/corosync-qdevice.install

@@ -0,0 +1,7 @@
+lib/systemd/system/corosync-qdevice.service
+usr/sbin/corosync-qdevice
+usr/sbin/corosync-qdevice-net-certutil
+usr/sbin/corosync-qdevice-tool
+usr/share/man/man8/corosync-qdevice.8
+usr/share/man/man8/corosync-qdevice-net-certutil.8
+usr/share/man/man8/corosync-qdevice-tool.8

debian/corosync-qdevice.maintscript

@@ -0,0 +1 @@
+rm_conffile /etc/default/corosync-qdevice 3.0.0-1~

debian/corosync-qnetd.install

@@ -0,0 +1,8 @@
+etc/corosync/qnetd
+lib/systemd/system/corosync-qnetd.service
+usr/bin/corosync-qnetd
+usr/bin/corosync-qnetd-certutil
+usr/bin/corosync-qnetd-tool
+usr/share/man/man8/corosync-qnetd.8
+usr/share/man/man8/corosync-qnetd-certutil.8
+usr/share/man/man8/corosync-qnetd-tool.8

debian/corosync-qnetd.maintscript

@@ -0,0 +1 @@
+rm_conffile /etc/default/corosync-qnetd 3.0.0-1~

debian/corosync-qnetd.postinst

@@ -0,0 +1,30 @@
+#!/bin/sh
+
+set -e
+
+dir=/etc/corosync/qnetd
+db="$dir/nssdb"
+pwdfile="$db/pwdfile.txt"
+user=coroqnetd
+
+if [ "$1" = configure ]; then
+    adduser --system --group --quiet --home "$dir" \
+        --no-create-home --disabled-login "$user"
+
+    # https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql
+    if ! [ -f "$db/cert9.db" ]; then
+	if [ -f "$dir/nssdb/cert8.db" ]; then
+	    # password file should have an empty line to be accepted
+	    [ -f "$pwdfile" -a ! -s "$pwdfile" ] && echo > "$pwdfile"
+
+	    # upgrade to SQLite database
+	    certutil -N -d "sql:$db" -f "$pwdfile" -@ "$pwdfile"
+	    chmod g+r "$db/cert9.db" "$db/key4.db"
+	else
+            corosync-qnetd-certutil -i -G
+	fi
+	chgrp "$user" "$db" "$db/cert9.db" "$db/key4.db"
+    fi
+fi
+
+#DEBHELPER#

debian/corosync-qnetd.postrm

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = purge ]; then
+    rm -rf /etc/corosync/qnetd/nssdb
+fi
+
+#DEBHELPER#

debian/patches/Run-corosync-qnetd-unprivileged.patch

@@ -0,0 +1,22 @@
+From: =?utf-8?q?Ferenc_W=C3=A1gner?= <wferi@debian.org>
+Date: Fri, 28 Oct 2016 16:19:30 +0200
+Subject: Run corosync-qnetd unprivileged
+
+---
+ init/corosync-qnetd.service.in | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/init/corosync-qnetd.service.in b/init/corosync-qnetd.service.in
+index a8d6a7e..54e91c9 100644
+--- a/init/corosync-qnetd.service.in
++++ b/init/corosync-qnetd.service.in
+@@ -11,8 +11,7 @@ ExecStart=@BINDIR@/corosync-qnetd -f $COROSYNC_QNETD_OPTIONS
+ Type=notify
+ StandardError=null
+ Restart=on-abnormal
+-# Uncomment and set user who should be used for executing qnetd
+-#User=coroqnetd
++User=coroqnetd
+ RuntimeDirectory=corosync-qnetd
+ RuntimeDirectoryMode=0770
+ 

debian/patches/Use-PrivateTmp-yes-for-hardening-in-systemd-service-files.patch

@@ -0,0 +1,33 @@
+From: =?utf-8?q?Ferenc_W=C3=A1gner?= <wferi@debian.org>
+Date: Thu, 3 Jan 2019 22:54:35 +0100
+Subject: Use PrivateTmp=yes for hardening in systemd service files
+
+---
+ init/corosync-qdevice.service.in | 1 +
+ init/corosync-qnetd.service.in   | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/init/corosync-qdevice.service.in b/init/corosync-qdevice.service.in
+index 5f3314c..3e98d54 100644
+--- a/init/corosync-qdevice.service.in
++++ b/init/corosync-qdevice.service.in
+@@ -13,6 +13,7 @@ StandardError=null
+ Restart=on-failure
+ RuntimeDirectory=corosync-qdevice
+ RuntimeDirectoryMode=0770
++PrivateTmp=yes
+ 
+ [Install]
+ WantedBy=multi-user.target
+diff --git a/init/corosync-qnetd.service.in b/init/corosync-qnetd.service.in
+index 54e91c9..bd586bd 100644
+--- a/init/corosync-qnetd.service.in
++++ b/init/corosync-qnetd.service.in
+@@ -14,6 +14,7 @@ Restart=on-abnormal
+ User=coroqnetd
+ RuntimeDirectory=corosync-qnetd
+ RuntimeDirectoryMode=0770
++PrivateTmp=yes
+ 
+ [Install]
+ WantedBy=multi-user.target

debian/patches/series

@@ -0,0 +1,2 @@
+Run-corosync-qnetd-unprivileged.patch
+Use-PrivateTmp-yes-for-hardening-in-systemd-service-files.patch

debian/rules

@@ -0,0 +1,33 @@
+#!/usr/bin/make -f
+
+# see FEATURE AREAS in dpkg-buildflags(1)
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+# Ensure that we link against all needed libraries (cf. Policy 10.2)
+export DEB_LDFLAGS_MAINT_APPEND=-Wl,-z,defs
+
+%:
+	dh $@
+
+# Explicit BASHPATH fixes reproducible build on merged-usr vs non-merged:
+override_dh_auto_configure:
+	dh_auto_configure -- \
+	    BASHPATH=/bin/bash \
+	    ac_cv_prog_GROFF="" \
+	    --with-initconfigdir=/etc/default \
+	    --enable-systemd
+
+override_dh_auto_install:
+	dh_auto_install
+# we don't need the upstream license
+	rm debian/tmp/usr/share/doc/corosync-qdevice/LICENSE
+
+override_dh_missing:
+	dh_missing --fail-missing
+
+override_dh_installsystemd:
+	dh_installsystemd -p corosync-qdevice --no-enable --no-start
+	dh_installsystemd --remaining-packages
+
+# dh_dwz fails with "Too few files for multifile optimization", so:
+override_dh_dwz:

debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

debian/tests/control

@@ -0,0 +1,7 @@
+Depends: corosync-qnetd
+Restrictions: needs-root, isolation-container
+Tests: qnetd
+
+Depends: corosync-qnetd, corosync-qdevice
+Restrictions: needs-root, isolation-container
+Tests: qdevice

debian/tests/qdevice

@@ -0,0 +1,46 @@
+#!/bin/sh
+
+set -e
+
+# setup TLS certificates
+corosync-qdevice-net-certutil -i -c /etc/corosync/qnetd/nssdb/qnetd-cacert.crt 2>&1
+corosync-qdevice-net-certutil -r -n debian 2>&1
+corosync-qnetd-certutil -s -c /etc/corosync/qdevice/net/nssdb/qdevice-net-node.crq -n debian 2>&1
+corosync-qdevice-net-certutil -M -c /etc/corosync/qnetd/nssdb/cluster-debian.crt 2>&1
+
+# service config
+cat >>/etc/corosync/corosync.conf <<EOF
+quorum {
+        device {
+                model: net
+                votes: 1
+
+                net {
+                        host: 127.0.0.1
+                }
+        }
+}
+EOF
+
+# service start
+corosync-cfgtool -R
+service corosync-qdevice start
+
+# service status
+service corosync status
+service corosync-qnetd status
+service corosync-qdevice status
+
+# wait for qdevice to connect
+sleep 3
+
+# quorum status
+printf "\n=== corosync-qdevice-tool ===\n"
+corosync-qdevice-tool -v -s
+
+printf "\n=== corosync-qnetd-tool ===\n"
+corosync-qnetd-tool -v -s
+corosync-qnetd-tool -v -l
+
+printf "\n=== corosync-quorumtool ===\n"
+corosync-quorumtool || true

debian/tests/qnetd

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+service corosync-qnetd status
+
+corosync-qnetd-tool -v -s

debian/upstream/signing-key.asc

@@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFByeXcBEAC/nGvC9wpsm+nmHg0oB7Y5yHdzO8YTMIO1dIc6x6oz4S7+JidH
+omxyqvdBKdH7f30//0leCptIXUXoRhlYOFQK4hMDkFHHBpuswc/WzzV87P1FhFs/
+XittxTFpe1jwITNgficTcPUBNOkmrWKKgIGXsPvriK1X8XCGXE+bL8yrM+HQwHyG
+ubMZvALfNaSRNPD1dhIffb23pCD2jAxX6W133e48sKCs4FHJPitTkUbqlcPBscAc
+aRYrxbvG6sJxWkFg4P+B6awPm4I1R5gs+SXTQ9XC9NuAmw0fpkTZBKODmlKqrCkX
+2rjINZR0rRHmmuy4tXWlIrPLUH+UpnxFiTMByGAxnU0udQ0bcO+BDumqWYMj18Q9
+i+pbjAnYyELFlItsshZ5ybZ3m7SPbDvy1zdJoAXqhjI243kQ2s0PX6u91eF0lkAT
+axpDQTLP2OVTLLxp6nMjgAtmQipiMuw8UANOvAZg/zuER8yT2ifE5HLq9Sw6uGDx
+6jyGEsCPIJOVn3Udzm0kKi/3mXovvWXNV2VYs5BDQ6LE+iI2wrbTkF4wu6RRHBmG
+Xcc9hH5q6p11Xh1ZZqqZfIb6tA8bHXFZUjd+fklHDAYUfu2hry434JyyEcvEAsPA
+DJTKi3hipy5sQ67YVU7St7RD9VCf3+BMzHsj11zxz/v0OGsKfkiXcM+RzwARAQAB
+tDNDb3Jvc3luYyBSZWxlYXNlIFNpZ25pbmcgS2V5IDxkaXNjdXNzQGNvcm9zeW5j
+Lm9yZz6JAjYEEwECACAFAlByeXcCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAK
+CRDf0BXKVVywIA0OD/0Sdb/l8mlB9M3v6d3j5pvgZG4ReXD/iOqMM7TRstsSuTRO
+Rwo6O9MWWuA92Q/PYn/PcI4IJTfZ5oqdxpojPdRRlUJxFWkSL7q19XJh9rbQt9kk
+pC/rtCh5RX3g4EurmTigVZfJrykN1Q6RA/myVRFcKAzjCocT4KHJr0Vx+38fx6Kl
+O2fGPqWPK++0IWN5jyxtsi47pKtONmIMyUXbjwNLrmPe5qo6+HBrNy6h/rzqnsoU
+63+pPC2APR9KYyg+7yi1rljcS39ZMKsGwxiFowpKTKIc4SojZ5oNuwZ6y+LwPjxV
+AppEit9eaQCMaK/AchcrPUUhAliVXoGXq0qqZ6JoQYv31PdR+FpiU64HToqeX3Eb
+lfqQnV68xVk/Wg4kgBGoSqnLEA0X8tZG45P9WdW3+vbIjRsFR+ac5w9JOm6VPEF3
+pohCD6IHzJ67/S2/ehLeUEgvXgh3yaqiDLnthH+q1znC82lQgOqV5++0GNysfsJ/
+pbhNtcJ4Ft3+TkEDiFT5IohxkO7bYKiFk2VU97JgodUB5u6tHt91FpJYeUUS0wJ3
+3kiaYTLZzixaZvJLYDO5Ddv4M+pxoRDe22JwqyevOP2yOg8pMbIv3JbneN9X7Rar
+ZYyPK5z1oBhhmhbX+7CQbS1qPVXU6OOm/3UX48+npf1upK4Sgwa3T6mzIUE/9Q==
+=A2iJ
+-----END PGP PUBLIC KEY BLOCK-----

src

@@ -0,0 +1 @@
+Subproject commit 5cb2ff57f8b02219cf9e1b1562b0a4f3dd39b769