Merge pull request #3783 from kgaillot/release3

kgaillot · web-flow · commit c3297df03365 · 2025-01-08T16:22:51.000-06:00
Backport a few commits for 3.0.0 final release
diff --git a/INSTALL.md b/INSTALL.md
@@ -18,7 +18,7 @@
 | 3.6 or later    | python3            | python3            | python3        |
 | 0.18 or later   | gettext-devel      | gettext-tools      | gettext        |
 | 0.18 or later   |                    |                    | autopoint      |
-| 3.1.7 or later  | gnutls-devel       | libgnutls-devel    | libgnutls-dev  |
+| 3.4.6 or later  | gnutls-devel       | libgnutls-devel    | libgnutls-dev  |
 
 Also:
 * make must be GNU (or compatible) (setting MAKE=gmake might also work but is
diff --git a/configure.ac b/configure.ac
@@ -1,7 +1,7 @@
 dnl
 dnl autoconf for Pacemaker
 dnl
-dnl Copyright 2009-2024 the Pacemaker project contributors
+dnl Copyright 2009-2025 the Pacemaker project contributors
 dnl
 dnl The version control history for this file may have further details.
 dnl
@@ -1565,7 +1565,7 @@ dnl ========================================================================
 dnl    GnuTLS
 dnl ========================================================================
 
-PKG_CHECK_MODULES(GNUTLS, [gnutls >= 3.1.7],
+PKG_CHECK_MODULES(GNUTLS, [gnutls >= 3.4.6],
                   [CPPFLAGS="${CPPFLAGS} ${GNUTLS_CFLAGS}"
                    LIBS="${LIBS} ${GNUTLS_LIBS}"])
 
diff --git a/doc/sphinx/Pacemaker_Administration/configuring.rst b/doc/sphinx/Pacemaker_Administration/configuring.rst
@@ -229,9 +229,9 @@ To use TLS certificates, the administrator's machine also needs their
 public/private key pair, signed client certificate, and root CA certificate.
 Those must additionally be specified with the following environment variables:
 
-* :ref:`CIB_ca_file <file>`
-* :ref:`CIB_cert_file <file>`
-* :ref:`CIB_key_file <file>`
+* :ref:`CIB_ca_file <CIB_ca_file>`
+* :ref:`CIB_cert_file <CIB_cert_file>`
+* :ref:`CIB_key_file <CIB_key_file>`
 
 As an example, if **node1** is a cluster node, and the CIB is configured with
 ``remote-tls-port`` set to 1234, the administrator could read the current
@@ -246,6 +246,9 @@ the daemon user's password:
    # export CIB_key_file=/etc/pacemaker/admin.key.pem
    # cibadmin -Q
 
+Optionally, :ref:`CIB_crl_file <CIB_crl_file>` may be set to the location of a
+Certificate Revocation List in PEM format.
+
 .. note::
 
    Pacemaker must have been built with PAM support for remote access to work.
diff --git a/doc/sphinx/Pacemaker_Administration/options.rst b/doc/sphinx/Pacemaker_Administration/options.rst
@@ -72,6 +72,60 @@ Pacemaker uses several environment variables set on the client side.
      - The host to connect to. Used with :ref:`CIB_port <CIB_port>` for
        connecting to a remote CIB instance; ignored if
        :ref:`CIB_port <CIB_port>` is not set.
+   * - .. _CIB_ca_file:
+
+       .. index::
+          single: CIB_ca_file
+          single: environment variable; CIB_ca_file
+
+       CIB_ca_file
+     - 
+     - If this, :ref:`CIB_cert_file <CIB_cert_file>`, and
+       :ref:`CIB_key_file <CIB_key_file>` are set, remote CIB administration
+       will be encrypted using X.509 (SSL/TLS) certificates, with this root
+       certificate for the certificate authority. Used with :ref:`CIB_port
+       <CIB_port>` for connecting to a remote CIB instance; ignored if
+       :ref:`CIB_port <CIB_port>` is not set.
+   * - .. _CIB_cert_file:
+
+       .. index::
+          single: CIB_cert_file
+          single: environment variable; CIB_cert_file
+
+       CIB_cert_file
+     - 
+     - If this, :ref:`CIB_ca_file <CIB_ca_file>`, and
+       :ref:`CIB_key_file <CIB_key_file>` are set, remote CIB administration
+       will be encrypted using X.509 (SSL/TLS) certificates, with this
+       certificate for the local host. Used with :ref:`CIB_port <CIB_port>` for
+       connecting to a remote CIB instance; ignored if
+       :ref:`CIB_port <CIB_port>` is not set.
+   * - .. _CIB_key_file:
+
+       .. index::
+          single: CIB_key_file
+          single: environment variable; CIB_key_file
+
+       CIB_key_file
+     - 
+     - If this, :ref:`CIB_ca_file <CIB_ca_file>`, and
+       :ref:`CIB_cert_file <CIB_cert_file>` are set, remote CIB administration
+       will be encrypted using X.509 (SSL/TLS) certificates, with this
+       private key for the local host. Used with :ref:`CIB_port <CIB_port>` for
+       connecting to a remote CIB instance; ignored if
+       :ref:`CIB_port <CIB_port>` is not set.
+   * - .. _CIB_crl_file:
+
+       .. index::
+          single: CIB_crl_file
+          single: environment variable; CIB_crl_file
+
+       CIB_crl_file
+     - 
+     - If this, :ref:`CIB_ca_file <CIB_ca_file>`,
+       :ref:`CIB_cert_file <CIB_cert_file>`, and
+       :ref:`CIB_key_file <CIB_key_file>` are all set, then certificates listed
+       in this PEM-format Certificate Revocation List file will be rejected.
    * - .. _CIB_shadow:
 
        .. index::
diff --git a/doc/sphinx/Pacemaker_Development/components.rst b/doc/sphinx/Pacemaker_Development/components.rst
@@ -341,16 +341,13 @@ Working with the scheduler is difficult. Challenges include:
   later. For example, data unpacked from the CIB can safely be used anytime
   after ``unpack_cib(),`` but actions may become optional or required anytime
   before ``pcmk__create_graph()``. There's no easy way to deal with this.
-* Many names of struct members, functions, etc., are suboptimal, but are part
-  of the public API and cannot be changed until an API backward compatibility
-  break.
 
 
 .. index::
    single: pcmk_scheduler_t
 
-Cluster Working Set
-___________________
+The Scheduler Object
+____________________
 
 The main data object for the scheduler is ``pcmk_scheduler_t``, which contains
 all information needed about nodes, resources, constraints, etc., both as the
@@ -363,18 +360,21 @@ transition graph XML. The variable name is usually ``scheduler``.
 Resources
 _________
 
-``pcmk_resource_t`` is the data object representing cluster resources. A
-resource has a variant: :term:`primitive`, group, clone, or :term:`bundle`.
+``pcmk_resource_t`` is the data object representing cluster resources. It has a
+couple of public members for backward compatibility reasons, but most of the
+implementation is in the internal ``pcmk__resource_private_t`` type.
 
-The resource object has members for two sets of methods,
-``resource_object_functions_t`` from the ``libpe_status`` public API, and
-``resource_alloc_functions_t`` whose implementation is internal to
+A resource has a variant: :term:`primitive`, group, clone, or :term:`bundle`.
+
+The private resource object has members for two sets of methods,
+``pcmk__rsc_methods_t`` from ``libcrmcommon``, and
+``pcmk__assignment_methods_t`` whose implementation is internal to
 ``libpacemaker``. The actual functions vary by variant.
 
-The object functions have basic capabilities such as unpacking the resource
+The resource methods have basic capabilities such as unpacking the resource
 XML, and determining the current or planned location of the resource.
 
-The :term:`assignment <assign>` functions have more obscure capabilities needed
+The :term:`assignment <assign>` methods have more obscure capabilities needed
 for scheduling, such as processing location and ordering constraints. For
 example, ``pcmk__create_internal_constraints()`` simply calls the
 ``internal_constraints()`` method for each top-level resource in the cluster.
@@ -390,25 +390,33 @@ with the highest :term:`score` for a given resource. The scheduler does a bunch
 of processing to generate the scores, then the actual assignment is
 straightforward.
 
+The scheduler node implementation is a little confusing.
+
+``pcmk_node_t`` (``struct pcmk__scored_node``) is the primary object used.
+
+It contains two sub-structs, ``pcmk__node_private_t *priv`` (which is internal)
+and ``struct pcmk__node_details *details`` (which is public for backward
+compatibility reasons), that contain all node information that is independent
+of resource assignment (the node name, etc.).
+
+It contains one other (internal) sub-struct, ``struct pcmk__node_assignment
+*assign``, which contains information particular to a specific resource being
+assigned.
+
 Node lists are frequently used. For example, ``pcmk_scheduler_t`` has a
-``nodes`` member which is a list of all nodes in the cluster, and
-``pcmk_resource_t`` has a ``running_on`` member which is a list of all nodes on
-which the resource is (or might be) active. These are lists of ``pcmk_node_t``
-objects.
+``nodes`` member which is a list of all nodes in the cluster, and the internal
+resource object has an ``active_nodes`` member which is a list of all nodes on
+which the resource is (or might be) active.
 
-The ``pcmk_node_t`` object contains a ``struct pe_node_shared_s *details``
-member with all node information that is independent of resource assignment
-(the node name, etc.).
+Only the scheduler's ``nodes`` list has the full, original node instances. All
+other node lists have shallow copies created by ``pe__copy_node()``, which
+share ``details`` and ``priv`` from the main list (but can differ in their
+``assign`` member).
 
-The working set's ``nodes`` member contains the original of this information.
-All other node lists contain copies of ``pcmk_node_t`` where only the
-``details`` member points to the originals in the working set's ``nodes`` list.
-In this way, the other members of ``pcmk_node_t`` (such as ``weight``, which is
-the node score) may vary by node list, while the common details are shared.
 
 .. index::
    single: pcmk_action_t
-   single: pe_action_flags
+   single: pcmk__action_flags
 
 Actions
 _______
@@ -418,16 +426,16 @@ taken. These could be resource actions, cluster-wide actions such as fencing a
 node, or "pseudo-actions" which are abstractions used as convenient points for
 ordering other actions against.
 
-It has a ``flags`` member which is a bitmask of ``enum pe_action_flags``. The
-most important of these are ``pe_action_runnable`` (if not set, the action is
-"blocked" and cannot be added to the transition graph) and
-``pe_action_optional`` (actions with this set will not be added to the
-transition graph; actions often start out as optional, and may become required
-later).
+Its (internal) implementation has a ``flags`` member which is a bitmask of
+``enum pcmk__action_flags``. The most important of these are
+``pcmk__action_runnable`` (if not set, the action is "blocked" and cannot be
+added to the transition graph) and ``pcmk__action_optional`` (actions with this
+set will not be added to the transition graph; actions often start out as
+optional, and may become required later).
 
 
 .. index::
-   single: pe__colocation_t
+   single: pcmk__colocation_t
 
 Colocations
 ___________
@@ -462,30 +470,45 @@ The resource assignment functions have several methods related to colocations:
 
 
 .. index::
-   single: pe__ordering_t
-   single: pe_ordering
+   single: pcmk__action_relation_t
+   single: action; relation
 
-Orderings
-_________
+Action Relations
+________________
 
 Ordering constraints are simple in concept, but they are one of the most
 important, powerful, and difficult to follow aspects of the scheduler code.
 
-``pe__ordering_t`` is the data object representing an ordering, better thought
-of as a relationship between two actions, since the relation can be more
-complex than just "this one runs after that one".
+``pcmk__action_relation_t`` is the data object representing an ordering, better
+thought of as a relationship between two actions, since the relation can be
+more complex than just "this one runs after that one".
 
-For an ordering "A then B", the code generally refers to A as "first" or
+For a relation "A then B", the code generally refers to A as "first" or
 "before", and B as "then" or "after".
 
-Much of the power comes from ``enum pe_ordering``, which are flags that
-determine how an ordering behaves. There are many obscure flags with big
-effects. A few examples:
-
-* ``pe_order_none`` means the ordering is disabled and will be ignored. It's 0,
-  meaning no flags set, so it must be compared with equality rather than
-  ``pcmk_is_set()``.
-* ``pe_order_optional`` means the ordering does not make either action
-  required, so it only applies if they both become required for other reasons.
-* ``pe_order_implies_first`` means that if action B becomes required for any
-  reason, then action A will become required as well.
+Much of the power comes from ``enum pcmk__action_relation_flags``, which are
+flags that determine how a relation behaves. There are many obscure flags with
+big effects. A few examples:
+
+* ``pcmk__ar_none`` means the relation is disabled and will be ignored. The
+  value is 0, meaning no flags set, so it must be compared with equality rather
+  than ``pcmk_is_set()``.
+* ``pcmk__ar_ordered`` without any other flags set means the relation does not
+  make either action required, so it applies only if they both become required
+  for other reasons.
+* ``pcmk__ar_then_implies_first`` means that if action B becomes required for
+  any reason, then action A will become required as well.
+
+Adding a New Scheduler Regression Test
+______________________________________
+
+#. Choose a test name.
+#. Copy the uncompressed input CIB to cts/scheduler/xml/TESTNAME.xml. It's
+   helpful to add an XML comment at the top describing the essential features of
+   the test (which configuration and status scenarios are being tested).
+#. Edit ``cts/cts-scheduler.in`` and add the test name and description to the
+   ``TESTS`` array.
+#. Run ``cts/cts-scheduler --update --run TESTNAME`` to generate the expected
+   transition graph, scores, etc. Look over the generated files to make sure
+   they are as expected.
+#. Commit your changes.
diff --git a/doc/sphinx/Pacemaker_Development/python.rst b/doc/sphinx/Pacemaker_Development/python.rst
@@ -54,7 +54,7 @@ or "GNU Lesser General Public License version 2.1 or later (LGPLv2.1+)".
 Python Version Compatibility
 ############################
 
-Pacemaker targets compatibility with Python 3.4 and later.
+Pacemaker targets compatibility with Python 3.6 and later.
 
 Do not use features not available in all targeted Python versions. An
 example is the ``subprocess.run()`` function.
diff --git a/doc/sphinx/Pacemaker_Explained/collective.rst b/doc/sphinx/Pacemaker_Explained/collective.rst
@@ -251,10 +251,10 @@ _____________
    | globally-unique   | **true** if     |  .. index::                                           |
    |                   | clone-node-max  |     single: clone; option, globally-unique            |
    |                   | is greater than |     single: option; globally-unique (clone)           |
-   |                   | 1, otherwise    |     single: globally-unique; clone option             |
-   |                   | **false**       |                                                       |
-   |                   |                 | If **true**, each clone instance performs a           |
-   |                   |                 | distinct function, such that a single node can run    |
+   |                   | 1 *(since*      |     single: globally-unique; clone option             |
+   |                   | *3.0.0)*,       |                                                       |
+   |                   | otherwise       | If **true**, each clone instance performs a           |
+   |                   | **false**       | distinct function, such that a single node can run    |
    |                   |                 | more than one instance at the same time               |
    +-------------------+-----------------+-------------------------------------------------------+
    | clone-max         | 0               | .. index::                                            |
diff --git a/python/pylintrc b/python/pylintrc
@@ -45,7 +45,7 @@ extension-pkg-allow-list=
 
 # Minimum supported python version
 # CHANGED
-py-version = 3.4
+py-version = 3.6
 
 # Control the amount of potential inferred values when inferring a single
 # object. This can help the performance when dealing with large functions or
diff --git a/rpm/pacemaker.spec.in b/rpm/pacemaker.spec.in
@@ -1,5 +1,5 @@
 #
-# Copyright 2008-2024 the Pacemaker project contributors
+# Copyright 2008-2025 the Pacemaker project contributors
 #
 # The version control history for this file may have further details.
 #
@@ -270,7 +270,7 @@ BuildRequires: sed
 
 # Required for core functionality
 BuildRequires: pkgconfig(glib-2.0) >= 2.42
-BuildRequires: pkgconfig(gnutls) >= 3.1.7
+BuildRequires: pkgconfig(gnutls) >= 3.4.6
 BuildRequires: pkgconfig(libxml-2.0) >= 2.9.2
 BuildRequires: pkgconfig(systemd)
 BuildRequires: libxslt-devel
@@ -624,7 +624,6 @@ exit 0
 %files
 ###########################################################
 %config(noreplace) %{_sysconfdir}/sysconfig/pacemaker
-%config(noreplace) %{_sysconfdir}/logrotate.d/pacemaker
 %{_sbindir}/pacemakerd
 %{_unitdir}/pacemaker.service
 
@@ -660,8 +659,11 @@ exit 0
 %{ocf_root}/resource.d/pacemaker/controld
 %{ocf_root}/resource.d/pacemaker/remote
 
+# The logrotate script is here rather than the main pacemaker package so
+# pacemaker-remoted can use it
 %files cli
 %dir %attr (750, root, %{gname}) %{_sysconfdir}/pacemaker
+%config(noreplace) %{_sysconfdir}/logrotate.d/pacemaker
 %config(noreplace) %{_sysconfdir}/sysconfig/crm_mon
 
 %{_unitdir}/crm_mon.service
diff --git a/rpm/rpmlintrc b/rpm/rpmlintrc
@@ -7,6 +7,9 @@ addFilter("E: hardcoded-library-path in /usr/lib/os-release")
 # When building developer packages
 addFilter("W: invalid-url Source0:")
 
+# rpmlint doesn't like logrotate script being in pacemaker-cli package
+addFilter("E: incoherent-logrotate-file /etc/logrotate.d/pacemaker")
+
 # pacemaker_remote scriptlets use a state file
 addFilter("W: dangerous-command-in-%(pre|postun|posttrans) rm")
 
