diff --git a/.fmf/version b/.fmf/version
deleted file mode 100644
index d00491f..0000000
--- a/.fmf/version
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/0001-Revert-Refactor-main-substitute-is_auth_req-macro.patch b/0001-Revert-Refactor-main-substitute-is_auth_req-macro.patch
new file mode 100644
index 0000000..3ab2586
--- /dev/null
+++ b/0001-Revert-Refactor-main-substitute-is_auth_req-macro.patch
@@ -0,0 +1,30 @@
+From 35bf0b7b048d715f671eb68974fb6b4af6528c67 Mon Sep 17 00:00:00 2001
+From: Jan Friesse
+Date: Mon, 4 Jul 2022 09:39:47 +0200
+Subject: [PATCH] Revert "Refactor: main: substitute is_auth_req macro"
+
+This reverts commit da79b8ba28ad4837a0fee13e5f8fb6f89fe0e24c.
+
+authfile != authkey
+
+Signed-off-by: Jan Friesse
+---
+ src/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/main.c b/src/main.c
+index b50a883..b4a174f 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -364,7 +364,7 @@ static int setup_config(int type)
+ if (rv < 0)
+ goto out;
+
+- if (is_auth_req()) {
++ if (booth_conf->authfile[0] != '\0') {
+ rv = read_authkey();
+ if (rv < 0)
+ goto out;
+--
+2.37.1
+
diff --git a/0001-config-Add-enable-authfile-option.patch b/0001-config-Add-enable-authfile-option.patch
new file mode 100644
index 0000000..a3adc72
--- /dev/null
+++ b/0001-config-Add-enable-authfile-option.patch
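Review bot: The restored test `booth_conf->authfile[0] != '\0'` in setup_config has no comment explaining why is_auth_req() must not be used at this point, and the commit message's `authfile != authkey` is the only hint. The spec changelog on this page appears to tie this fix to CVE-2022-2553, so the same simplification could be reintroduced by a later cleanup. I would add above the test `/* Test authfile, not is_auth_req(): the key is only loaded by read_authkey() below. */`; that is_auth_req() looks at the key rather than the file name is inferred from the commit message and should be confirmed against its definition. setup_config's body starts and ends outside the inner hunk.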
@@ -0,0 +1,106 @@
+From 466246c2fa8ea1bcc06593fbf7b900d0665606b1 Mon Sep 17 00:00:00 2001
+From: Jan Friesse
+Date: Tue, 26 Jul 2022 18:39:38 +0200
+Subject: [PATCH] config: Add enable-authfile option
+
+This option enables (or disables) usage of authfile. Can be 'yes' or 'no'.
+Default is 'no'.
+
+Booth usage of authfile was broken for long time (since commit
+da79b8ba28ad4837a0fee13e5f8fb6f89fe0e24c).
+
+Pcs was adding authfile by default, but it was not used. Once booth bug
+was fixed problem appears because mixed clusters (with fixed version and
+without fixed one) stops working.
+
+This non-upstream option is added and used to allow use of
+authfile without breaking compatibility for clusters
+consisting of mixed versions (usually happens before all nodes are
+updated) of booth (user have to explicitly
+enable usage of authfile).
+
+This patch is transitional and will be removed in future major version of
+distribution.
+
+Signed-off-by: Jan Friesse
+---
+ docs/boothd.8.txt | 7 +++++++
+ src/config.c | 17 +++++++++++++++++
+ src/config.h | 1 +
+ src/main.c | 2 +-
+ 4 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/docs/boothd.8.txt b/docs/boothd.8.txt
+index f58f27e..12f66f9 100644
+--- a/docs/boothd.8.txt
++++ b/docs/boothd.8.txt
+@@ -230,6 +230,13 @@ will always bind and listen to both UDP and TCP ports.
+ parameter to a higher value. The time skew test is performed
+ only in concert with authentication.
+
++*'enable-authfile'*::
++ Enables (or disables) usage of authfile. Can be 'yes' or 'no'.
++ Default is 'no'.
++ This is non-upstream option used to allow use of authfile without
++ breaking compatibility for clusters consisting of mixed
++ versions of booth.
++
+ *'site'*::
+ Defines a site Raft member with the given IP. Sites can
+ acquire tickets. The sites' IP should be managed by the cluster.
+diff --git a/src/config.c b/src/config.c
+index 8e41553..b9df3e3 100644
+--- a/src/config.c
++++ b/src/config.c
+@@ -729,6 +729,23 @@ no_value:
+ booth_conf->maxtimeskew = atoi(val);
+ continue;
+ }
++
++ if (strcmp(key, "enable-authfile") == 0) {
++ if (strcasecmp(val, "yes") == 0 ||
++ strcasecmp(val, "on") == 0 ||
++ strcasecmp(val, "1") == 0) {
++ booth_conf->enable_authfile = 1;
++ } else if (strcasecmp(val, "no") == 0 ||
++ strcasecmp(val, "off") == 0 ||
++ strcasecmp(val, "0") == 0) {
++ booth_conf->enable_authfile = 0;
++ } else {
++ error = "Expected yes/no value for enable-authfile";
++ goto err;
++ }
++
++ continue;
++ }
+ #endif
+
+ if (strcmp(key, "site") == 0) {
+diff --git a/src/config.h b/src/config.h
+index bca73bc..da1e917 100644
+--- a/src/config.h
++++ b/src/config.h
+@@ -297,6 +297,7 @@ struct booth_config {
+ struct stat authstat;
+ char authkey[BOOTH_MAX_KEY_LEN];
+ int authkey_len;
++ int enable_authfile;
+ /** Maximum time skew between peers allowed */
+ int maxtimeskew;
+
+diff --git a/src/main.c b/src/main.c
+index b4a174f..0fdb295 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -364,7 +364,7 @@ static int setup_config(int type)
+ if (rv < 0)
+ goto out;
+
+- if (booth_conf->authfile[0] != '\0') {
++ if (booth_conf->authfile[0] != '\0' && booth_conf->enable_authfile) {
+ rv = read_authkey();
+ if (rv < 0)
+ goto out;
+--
+2.37.1
+
diff --git a/0001-unit-file-Remove-Alias-directive.patch b/0001-unit-file-Remove-Alias-directive.patch
new file mode 100644
index 0000000..9457836
--- /dev/null
+++ b/0001-unit-file-Remove-Alias-directive.patch
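Review bot: The new test in setup_config skips read_authkey() silently when a config names an authfile but `enable-authfile` is absent or 'no', so a site whose operator believes it is authenticated runs without a key and nothing tells them. I would log that case just before the test, for example `if (booth_conf->authfile[0] != '\0' && !booth_conf->enable_authfile) log_warn("authfile is configured but enable-authfile is not set to yes; authentication is disabled");`. Separately, the parser added in src/config.c accepts on/off/1/0 while docs/boothd.8.txt and the error string mention only yes/no, and the two should be brought in line. The default of 0 is taken from the commit message, since the initialisation of booth_conf is outside the hunks, as are the start and end of setup_config.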
@@ -0,0 +1,30 @@ +From dd090510d7fba88c41adc1b70804c1c79b036736 Mon Sep 17 00:00:00 2001 +From: Jan Friesse +Date: Tue, 27 Sep 2022 18:50:31 +0200 +Subject: [PATCH] unit file: Remove Alias directive + +Recent change in systemd made imposible to enable booth@.service any +longer - more details in BZ +https://bugzilla.redhat.com/show_bug.cgi?id=2128998. Solution is to +delete Alias directive. + +Signed-off-by: Jan Friesse +--- + conf/booth@.service.in | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/conf/booth@.service.in b/conf/booth@.service.in +index e516194..e4b8fbc 100644 +--- a/conf/booth@.service.in ++++ b/conf/booth@.service.in +@@ -8,7 +8,6 @@ ConditionFileNotEmpty=/etc/booth/%i.conf + Conflicts=pacemaker.service + + [Install] +-Alias=boothd + WantedBy=multi-user.target + + [Service] +-- +2.27.0 + diff --git a/booth.rpmlintrc b/booth.rpmlintrc index a0a2c1c..ae1945c 100644 --- a/booth.rpmlintrc +++ b/booth.rpmlintrc @@ -1,7 +1,6 @@ -# no-documentation is fine for booth-arbitrator and booth (virtual package) and debug packages +# no-documentation is fine for booth-arbitrator and booth (virtual package) addFilter(r'booth-arbitrator\.[^:]+: W: no-documentation') addFilter(r'booth\.[^:]+: W: no-documentation') -addFilter(r'booth-debugsource\.[^:]+: W: no-documentation') # permissions for chroot addFilter(r'booth-core\.[^:]+: (E|W): non-standard-dir-perm /var/lib/booth 750') 
@@ -20,8 +19,5 @@ addFilter(r'booth-(site|test)\.[^:]+: (W|E): only-non-binary-in-usr-lib') addFilter(r'booth-site\.[^:]+: (W|E): dangling-symlink /usr/sbin/geostore /usr/sbin/boothd') addFilter(r'booth-test\.[^:]+: (W|E): dangling-symlink /usr/share/booth/tests/src/boothd /usr/sbin/boothd') -# Ignore all errors in debuginfo packages -addFilter(r'booth-core-debuginfo\.[^:]+: (W|E):') - -# booth-arbitrator contains just unit files -addFilter(r'booth-arbitrator\.[^:]+: (W|E): only-non-binary-in-usr-lib') +# booth unit test is distributed non-executable by upstream +addFilter(r'booth-test\.[^:]+: (W|E): non-executable-script /usr/share/booth/tests/unit-test.py') diff --git a/booth.spec b/booth.spec index 8a7166e..b690cc1 100644 --- a/booth.spec +++ b/booth.spec @@ -22,6 +22,23 @@ %bcond_with html_man %bcond_with glue %bcond_with run_build_tests +%bcond_with include_unit_test + +# set following to the result of `git describe --abbrev=128 $commit` +# This will be used to fill booth_ver, booth_numcomm and booth_sha1. +# It is important to keep abbrev to get full length sha1! When updating source use +# `spectool -g booth.spec` to download source. +%global git_describe_str v1.0-262-gd0ac26cc0c2fb4069c2d095cc0bbe3f94f02c05e + +# Set this to 1 when rebasing (changing git_describe_str) and increase otherwise +%global release 3 + +# Run shell script to parse git_describe str into version, numcomm and sha1 hash +%global booth_ver %(s=%{git_describe_str}; vver=${s%%%%-*}; echo ${vver:1}) +%global booth_numcomm %(s=%{git_describe_str}; t=${s#*-}; echo ${t%%%%-*}) +%global booth_sha1 %(s=%{git_describe_str}; t=${s##*-}; echo ${t:1}) +%global booth_short_sha1 %(s=%{booth_sha1}; echo ${s:0:7}) +%global booth_archive_name %{name}-%{booth_ver}-%{booth_numcomm}-%{booth_short_sha1} ## User and group to use for nonprivileged services (should be in sync with pacemaker) %global uname hacluster 
@@ -39,12 +56,15 @@ %global test_path %{_datadir}/booth/tests Name: booth -Version: 1.2 -Release: 6%{?dist} +Version: %{booth_ver} +Release: %{booth_numcomm}.%{release}.%{booth_short_sha1}.git%{?dist} Summary: Ticket Manager for Multi-site Clusters -License: GPL-2.0-or-later +License: GPLv2+ Url: https://github.com/%{github_owner}/%{name} -Source0: https://github.com/%{github_owner}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz +Source0: https://github.com/%{github_owner}/%{name}/archive/%{booth_short_sha1}/%{booth_archive_name}.tar.gz +Patch0: 0001-Revert-Refactor-main-substitute-is_auth_req-macro.patch +Patch1: 0001-config-Add-enable-authfile-option.patch +Patch2: 0001-unit-file-Remove-Alias-directive.patch # direct build process dependencies BuildRequires: autoconf @@ -58,7 +78,7 @@ BuildRequires: asciidoctor BuildRequires: gcc BuildRequires: pkgconfig # linking dependencies -BuildRequires: gnutls-devel +BuildRequires: libgcrypt-devel BuildRequires: libxml2-devel ## just for include BuildRequires: pacemaker-libs-devel @@ -127,13 +147,13 @@ Support for running Booth, ticket manager for multi-site clusters, as an arbitrator. %post arbitrator -%systemd_post booth-arbitrator.service +%systemd_post booth@.service booth-arbitrator.service %preun arbitrator -%systemd_preun booth-arbitrator.service +%systemd_preun booth@.service booth-arbitrator.service %postun arbitrator -%systemd_postun_with_restart booth-arbitrator.service +%systemd_postun_with_restart booth@.service booth-arbitrator.service %package site Summary: Booth support for running as a full-fledged site @@ -163,6 +183,9 @@ Requires: %{name}-arbitrator = %{version}-%{release} Requires: %{name}-site = %{version}-%{release} Requires: gdb Requires: %{__python3} +%if 0%{?with_include_unit_test} +Requires: python3-pexpect +%endif # runtests.py suite (for perl and ss) Requires: perl-interpreter iproute 
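Review bot: Source0 in the `@@ -39,12 +56,15 @@` hunk fetches the snapshot by the 7-character `%{booth_short_sha1}`, although the full hash is already parsed into `%{booth_sha1}` and the comment next to `git_describe_str` stresses keeping it full length. An abbreviated ref is resolved by the server and can become ambiguous, so a manual `spectool -g booth.spec` download is not tied to exactly one commit; the SHA512 in `sources` protects only the builds that verify it. I would write `Source0: https://github.com/%{github_owner}/%{name}/archive/%{booth_sha1}/%{booth_archive_name}.tar.gz`, which also matches the `%{name}-%{booth_sha1}` directory that `%autosetup` expects.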
@@ -172,7 +195,7 @@ Automated tests for running Booth, ticket manager for multi-site clusters. # BUILD # %prep -%autosetup -n %{name}-%{version} -S git_am +%autosetup -n %{name}-%{booth_sha1} -S git_am %build ./autogen.sh @@ -204,6 +227,10 @@ mkdir -p %{buildroot}/%{test_path} # Copy tests from tarball cp -a -t %{buildroot}/%{test_path} \ -- conf test +%if 0%{?with_include_unit_test} +cp -a -t %{buildroot}/%{test_path} \ + -- unit-tests script/unit-test.py +%endif chmod +x %{buildroot}/%{test_path}/test/booth_path chmod +x %{buildroot}/%{test_path}/test/live_test.sh mkdir -p %{buildroot}/%{test_path}/src 
@@ -286,68 +313,13 @@ VERBOSE=1 make check %{_usr}/lib/ocf/resource.d/booth/sharedrsc %changelog -* Fri Sep 19 2025 Python Maint - 1.2-6 -- Rebuilt for Python 3.14.0rc3 bytecode - -* Thu Aug 21 2025 Cristian Le -- Convert STI tests to TMT (rhbz#2382867) - -* Fri Aug 15 2025 Python Maint - 1.2-5 -- Rebuilt for Python 3.14.0rc2 bytecode - -* Wed Jul 23 2025 Fedora Release Engineering - 1.2-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild - -* Thu Jan 16 2025 Fedora Release Engineering - 1.2-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild - -* Wed Jul 17 2024 Fedora Release Engineering - 1.2-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild - -* Fri Jun 07 2024 Jan Friesse - 1.2-1 -- New upstream release - -* Tue Jan 23 2024 Fedora Release Engineering - 1.1-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Fri Jan 19 2024 Fedora Release Engineering - 1.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Wed Oct 18 2023 Jan Friesse - 1.1-1 -- New upstream release -- Upstream releases should now be released regularly, so convert spec - to use them instead of git snapshots - -* Wed Jul 19 2023 Fedora Release Engineering - 1.0-283.4.9d4029a.git -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Tue Jun 06 2023 Jan Friesse - 1.0-283.3.9d4029a.git -- migrated to SPDX license - -* Wed Jan 18 2023 Fedora Release Engineering - 1.0-283.2.9d4029a.git -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Mon Nov 21 2022 Jan Friesse - 1.0-283.1.9d4029a.git -- Rebase to newest upstream snapshot - -* Fri Sep 30 2022 Jan Friesse - 1.0-272.1.7acb757.git -- Rebase to newest upstream snapshot - -* Thu Sep 29 2022 Jan Friesse - 1.0-266.4.f288d59.git +* Thu Sep 29 2022 Jan Friesse - 1.0-262.3.d0ac26c.git - Remove Alias directive from booth@.service unit file -* Tue Aug 09 2022 Jan Friesse - 1.0-266.3.f288d59.git -- Remove template 
unit from systemd_(post|preun|postun_with_restart) macro - -* Wed Jul 20 2022 Fedora Release Engineering - 1.0-266.2.f288d59.git -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Wed Jul 20 2022 Jan Friesse - 1.0-266.1.f288d59.git -- Rebase to newest upstream snapshot -- This version fixes a critical bug that caused the authfile directive - to be ignored. After installing the patched version, nodes may stop - communicating. Solution is to either remove authfile from configuration - file or update all other nodes. +* Thu Jul 28 2022 Jan Friesse - 1.0-262.2.d0ac26c.git +- Fix authfile directive handling in booth config file + (fixes CVE-2022-2553) +- Add enable-authfile option * Thu May 19 2022 Jan Friesse - 1.0-262.1.d0ac26c.git - Rebase to newest upstream snapshot diff --git a/plans.fmf b/plans.fmf deleted file mode 100644 index eb36cda..0000000 --- a/plans.fmf +++ /dev/null @@ -1,13 +0,0 @@ -summary: Run all tests -discover: - how: fmf -prepare: - - name: Disable installing everything from srpm - how: install - exclude: ".*" - - name: Install the main test package - how: install - package: - - booth-test -execute: - how: tmt diff --git a/sources b/sources index 67b588e..1b611a5 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (booth-1.2.tar.gz) = b63217e561fd5e8ede1ba432ec6b4ef6efb73dc16a501814cf07b82f87a23c3f734ebf09c56a5d521668ee57ed02be48d257aabb1d2e3c4840f1219ef13d3fde +SHA512 (booth-1.0-262-d0ac26c.tar.gz) = 71f95d33e2c4351651b2e8daab151821eccbfb2f34d5cbb826f999c0c706cdc2c335698e479e63d2d852ed7cd360239b9eeb695533474c91c6681e6b8b5f7dbc diff --git a/tests/main.fmf b/tests/main.fmf deleted file mode 100644 index 6e8835d..0000000 --- a/tests/main.fmf +++ /dev/null @@ -1,3 +0,0 @@ -/upstream: - summary: Run upstream tests - test: ./upstream/runtest.sh diff --git a/tests/tests.yml b/tests/tests.yml new file mode 100644 index 0000000..8ee75ea --- /dev/null +++ b/tests/tests.yml 
@@ -0,0 +1,9 @@
+- hosts: localhost
+ roles:
+ - role: standard-test-basic
+ tags:
+ - classic
+ tests:
+ - upstream
+ required_packages:
+ - booth-test
diff --git a/tests/upstream/runtest.sh b/tests/upstream/runtest.sh
old mode 100755
new mode 100644