diff --git a/001-makefile-cleanup.patch b/001-makefile-cleanup.patch
new file mode 100644
index 0000000..c2f5746
--- /dev/null
+++ b/001-makefile-cleanup.patch
@@ -0,0 +1,535 @@ +From d720014c2cf7ff00004b64ca9cf817ffc00e6ffb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= +Date: Fri, 10 Jun 2016 15:00:03 +0200 +Subject: [PATCH 1/5] Build: Makefile.common to define MAINTAINERCLEANFILES + + AM_CPPFLAGS + +Fallout after 89fba95. +--- + attrd/Makefile.am | 5 +---- + lib/cib/Makefile.am | 5 +---- + lib/cluster/Makefile.am | 5 +---- + lib/common/Makefile.am | 8 +++----- + lib/fencing/Makefile.am | 6 +----- + lib/lrmd/Makefile.am | 8 +------- + lib/pengine/Makefile.am | 5 +---- + lib/transition/Makefile.am | 5 +---- + lrmd/Makefile.am | 1 - + 9 files changed, 10 insertions(+), 38 deletions(-) + +diff --git a/attrd/Makefile.am b/attrd/Makefile.am +index 9d5e223..0c5d456 100644 +--- a/attrd/Makefile.am ++++ b/attrd/Makefile.am +@@ -15,10 +15,7 @@ + # along with this program; if not, write to the Free Software + # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + # +-MAINTAINERCLEANFILES = Makefile.in +- +-AM_CPPFLAGS = -I$(top_builddir)/include -I$(top_srcdir)/include \ +- -I$(top_builddir)/libltdl -I$(top_srcdir)/libltdl ++include $(top_srcdir)/Makefile.common + + halibdir = $(CRM_DAEMON_DIR) + halib_PROGRAMS = attrd +diff --git a/lib/cib/Makefile.am b/lib/cib/Makefile.am +index 1ebd7b0..687b9f3 100644 +--- a/lib/cib/Makefile.am ++++ b/lib/cib/Makefile.am +@@ -15,10 +15,7 @@ + # along with this program; if not, write to the Free Software + # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
+ # +-MAINTAINERCLEANFILES = Makefile.in +- +-AM_CPPFLAGS = -I$(top_builddir)/include -I$(top_srcdir)/include \ +- -I$(top_builddir)/libltdl -I$(top_srcdir)/libltdl ++include $(top_srcdir)/Makefile.common + + ## libraries + lib_LTLIBRARIES = libcib.la +diff --git a/lib/cluster/Makefile.am b/lib/cluster/Makefile.am +index 5b6f3f7..f5f40bc 100644 +--- a/lib/cluster/Makefile.am ++++ b/lib/cluster/Makefile.am +@@ -15,10 +15,7 @@ + # along with this program; if not, write to the Free Software + # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + # +-MAINTAINERCLEANFILES = Makefile.in +- +-AM_CPPFLAGS = -I$(top_builddir)/include -I$(top_srcdir)/include \ +- -I$(top_builddir)/libltdl -I$(top_srcdir)/libltdl ++include $(top_srcdir)/Makefile.common + + headerdir=$(pkgincludedir)/crm/cluster + +diff --git a/lib/common/Makefile.am b/lib/common/Makefile.am +index 8ef08db..7ae1dc8 100644 +--- a/lib/common/Makefile.am ++++ b/lib/common/Makefile.am +@@ -15,12 +15,10 @@ + # along with this program; if not, write to the Free Software + # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + # +-MAINTAINERCLEANFILES = Makefile.in ++include $(top_srcdir)/Makefile.common + +-AM_CPPFLAGS = -I$(top_builddir)/include -I$(top_srcdir)/include \ +- -I$(top_builddir)/libltdl -I$(top_srcdir)/libltdl \ +- -I$(top_builddir)/lib/gnu -I$(top_srcdir)/lib/gnu \ +- -DSBINDIR=\"$(sbindir)\" ++AM_CPPFLAGS += -I$(top_builddir)/lib/gnu -I$(top_srcdir)/lib/gnu \ ++ -DSBINDIR=\"$(sbindir)\" + + ## libraries + lib_LTLIBRARIES = libcrmcommon.la +diff --git a/lib/fencing/Makefile.am b/lib/fencing/Makefile.am +index 3320466..aa57ba5 100644 +--- a/lib/fencing/Makefile.am ++++ b/lib/fencing/Makefile.am +@@ -16,11 +16,7 @@ + # along with this program; if not, write to the Free Software + # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
+ # +-MAINTAINERCLEANFILES = Makefile.in +- +-AM_CPPFLAGS = -I$(top_builddir)/include -I$(top_srcdir)/include \ +- -I$(top_builddir)/libltdl -I$(top_srcdir)/libltdl \ +- -I$(top_builddir) -I$(top_srcdir) ++include $(top_srcdir)/Makefile.common + + lib_LTLIBRARIES = libstonithd.la + +diff --git a/lib/lrmd/Makefile.am b/lib/lrmd/Makefile.am +index d5ae2f4..8c76a78 100644 +--- a/lib/lrmd/Makefile.am ++++ b/lib/lrmd/Makefile.am +@@ -14,13 +14,7 @@ + # License along with this library; if not, write to the Free Software + # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + # +-# +- +-MAINTAINERCLEANFILES = Makefile.in +- +-AM_CPPFLAGS = -I$(top_builddir)/include -I$(top_srcdir)/include \ +- -I$(top_builddir)/libltdl -I$(top_srcdir)/libltdl \ +- -I$(top_builddir) -I$(top_srcdir) ++include $(top_srcdir)/Makefile.common + + lib_LTLIBRARIES = liblrmd.la + +diff --git a/lib/pengine/Makefile.am b/lib/pengine/Makefile.am +index b9191d5..4544377 100644 +--- a/lib/pengine/Makefile.am ++++ b/lib/pengine/Makefile.am +@@ -15,10 +15,7 @@ + # along with this program; if not, write to the Free Software + # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + # +-MAINTAINERCLEANFILES = Makefile.in +- +-AM_CPPFLAGS = -I$(top_builddir)/include -I$(top_srcdir)/include \ +- -I$(top_builddir)/libltdl -I$(top_srcdir)/libltdl ++include $(top_srcdir)/Makefile.common + + ## libraries + lib_LTLIBRARIES = libpe_rules.la libpe_status.la +diff --git a/lib/transition/Makefile.am b/lib/transition/Makefile.am +index 4447f1b..6cc9bca 100644 +--- a/lib/transition/Makefile.am ++++ b/lib/transition/Makefile.am +@@ -15,10 +15,7 @@ + # along with this program; if not, write to the Free Software + # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
+ # +-MAINTAINERCLEANFILES = Makefile.in +- +-AM_CPPFLAGS = -I$(top_builddir)/include -I$(top_srcdir)/include \ +- -I$(top_builddir)/libltdl -I$(top_srcdir)/libltdl ++include $(top_srcdir)/Makefile.common + + ## libraries + lib_LTLIBRARIES = libtransitioner.la +diff --git a/lrmd/Makefile.am b/lrmd/Makefile.am +index a8fb07a..556d48a 100644 +--- a/lrmd/Makefile.am ++++ b/lrmd/Makefile.am +@@ -14,7 +14,6 @@ + # License along with this library; if not, write to the Free Software + # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + # +- + include $(top_srcdir)/Makefile.common + + testdir = $(datadir)/$(PACKAGE)/tests/lrmd +-- +1.8.3.1 + + +From bfad92c9e23f3bf7a73e86017eed46ba7fd63c12 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= +Date: Fri, 10 Jun 2016 17:38:46 +0200 +Subject: [PATCH 2/5] Build: Makefile.am files: drop extraneous variables + + targets + +- empty variables +- non-fitting .PHONY definitions +- unemployed install-exec-local + uninstall-local target pairs (per file) +- AM_CFLAGS unnecessarily initialized with current AM_CPPFLAGS value +- empty header_HEADERS variable + superfluous headerdir definition +--- + Makefile.am | 2 -- + attrd/Makefile.am | 8 -------- + fencing/Makefile.am | 2 -- + include/crm/Makefile.am | 1 - + include/crm/fencing/Makefile.am | 3 --- + lib/cib/Makefile.am | 5 ----- + lib/cluster/Makefile.am | 8 -------- + lib/common/Makefile.am | 4 ---- + lib/fencing/Makefile.am | 2 -- + lib/lrmd/Makefile.am | 3 --- + lib/pengine/Makefile.am | 4 ---- + lib/services/Makefile.am | 2 -- + lib/transition/Makefile.am | 5 ----- + tools/Makefile.am | 11 ----------- + 14 files changed, 60 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index 0edf0c9..5d1a689 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -73,5 +73,3 @@ dist-clean-local: + + maintainer-clean-local: + rm -f libltdl.tar +- +-.PHONY: rpm pkg handy handy-copy +diff --git a/attrd/Makefile.am b/attrd/Makefile.am +index 0c5d456..9a841e5 
100644 +--- a/attrd/Makefile.am ++++ b/attrd/Makefile.am +@@ -21,8 +21,6 @@ halibdir = $(CRM_DAEMON_DIR) + halib_PROGRAMS = attrd + ## SOURCES + +-noinst_HEADERS = +- + attrd_SOURCES = + attrd_LDADD = $(top_builddir)/lib/cluster/libcrmcluster.la \ + $(top_builddir)/lib/common/libcrmcommon.la \ +@@ -37,9 +35,3 @@ endif + + clean-generic: + rm -f *.log *.debug *.xml *~ +- +-install-exec-local: +- +-uninstall-local: +- +-.PHONY: install-exec-hook +diff --git a/fencing/Makefile.am b/fencing/Makefile.am +index 383c217..bef6e6e 100644 +--- a/fencing/Makefile.am ++++ b/fencing/Makefile.am +@@ -17,8 +17,6 @@ + # + include $(top_srcdir)/Makefile.common + +-SUBDIRS = +- + ## binary progs + testdir = $(datadir)/$(PACKAGE)/tests/fencing + test_SCRIPTS = regression.py +diff --git a/include/crm/Makefile.am b/include/crm/Makefile.am +index ef96011..bdb627c 100644 +--- a/include/crm/Makefile.am ++++ b/include/crm/Makefile.am +@@ -19,7 +19,6 @@ MAINTAINERCLEANFILES = Makefile.in + + headerdir=$(pkgincludedir)/crm + +-noinst_HEADERS = + header_HEADERS = crm.h cib.h attrd.h msg_xml.h transition.h stonith-ng.h cluster.h lrmd.h services.h error.h compatibility.h + + SUBDIRS = common pengine cib fencing cluster +diff --git a/include/crm/fencing/Makefile.am b/include/crm/fencing/Makefile.am +index f85c842..57a787b 100644 +--- a/include/crm/fencing/Makefile.am ++++ b/include/crm/fencing/Makefile.am +@@ -17,7 +17,4 @@ + # + MAINTAINERCLEANFILES = Makefile.in + +-headerdir=$(pkgincludedir)/crm/fencing +- + noinst_HEADERS = internal.h +-header_HEADERS = +diff --git a/lib/cib/Makefile.am b/lib/cib/Makefile.am +index 687b9f3..07bf261 100644 +--- a/lib/cib/Makefile.am ++++ b/lib/cib/Makefile.am +@@ -21,7 +21,6 @@ include $(top_srcdir)/Makefile.common + lib_LTLIBRARIES = libcib.la + + ## SOURCES +-noinst_HEADERS = + libcib_la_SOURCES = cib_ops.c cib_utils.c cib_client.c cib_native.c cib_attrs.c + libcib_la_SOURCES += cib_file.c cib_remote.c + +@@ -31,7 +30,3 @@ libcib_la_CFLAGS = -I$(top_srcdir) 
+ + clean-generic: + rm -f *.log *.debug *.xml *~ +- +-install-exec-local: +- +-uninstall-local: +diff --git a/lib/cluster/Makefile.am b/lib/cluster/Makefile.am +index f5f40bc..dcc1fbd 100644 +--- a/lib/cluster/Makefile.am ++++ b/lib/cluster/Makefile.am +@@ -17,10 +17,6 @@ + # + include $(top_srcdir)/Makefile.common + +-headerdir=$(pkgincludedir)/crm/cluster +- +-header_HEADERS = +- + ## libraries + lib_LTLIBRARIES = libcrmcluster.la + +@@ -45,7 +41,3 @@ endif + + clean-generic: + rm -f *.log *.debug *.xml *~ +- +-install-exec-local: +- +-uninstall-local: +diff --git a/lib/common/Makefile.am b/lib/common/Makefile.am +index 7ae1dc8..111628f 100644 +--- a/lib/common/Makefile.am ++++ b/lib/common/Makefile.am +@@ -44,7 +44,3 @@ libcrmcommon_la_SOURCES += $(top_builddir)/lib/gnu/md5.c + + clean-generic: + rm -f *.log *.debug *.xml *~ +- +-install-exec-local: +- +-uninstall-local: +diff --git a/lib/fencing/Makefile.am b/lib/fencing/Makefile.am +index aa57ba5..a9f9874 100644 +--- a/lib/fencing/Makefile.am ++++ b/lib/fencing/Makefile.am +@@ -23,5 +23,3 @@ lib_LTLIBRARIES = libstonithd.la + libstonithd_la_SOURCES = st_client.c + libstonithd_la_LDFLAGS = -version-info 4:1:2 + libstonithd_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la +- +-AM_CFLAGS = $(AM_CPPFLAGS) +diff --git a/lib/lrmd/Makefile.am b/lib/lrmd/Makefile.am +index 8c76a78..c23fef5 100644 +--- a/lib/lrmd/Makefile.am ++++ b/lib/lrmd/Makefile.am +@@ -23,6 +23,3 @@ liblrmd_la_LDFLAGS = -version-info 4:0:3 + liblrmd_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la \ + $(top_builddir)/lib/services/libcrmservice.la \ + $(top_builddir)/lib/fencing/libstonithd.la +- +- +-AM_CFLAGS = $(AM_CPPFLAGS) +diff --git a/lib/pengine/Makefile.am b/lib/pengine/Makefile.am +index 4544377..a0d19e5 100644 +--- a/lib/pengine/Makefile.am ++++ b/lib/pengine/Makefile.am +@@ -34,7 +34,3 @@ libpe_status_la_LIBADD = @CURSESLIBS@ $(top_builddir)/lib/common/libcrmcommon.l + + clean-generic: + rm -f *.log *.debug *~ +- 
+-install-exec-local: +- +-uninstall-local: +diff --git a/lib/services/Makefile.am b/lib/services/Makefile.am +index a9fe26d..2797b53 100644 +--- a/lib/services/Makefile.am ++++ b/lib/services/Makefile.am +@@ -39,5 +39,3 @@ endif + if BUILD_SYSTEMD + libcrmservice_la_SOURCES += systemd.c + endif +- +-AM_CFLAGS = $(AM_CPPFLAGS) +diff --git a/lib/transition/Makefile.am b/lib/transition/Makefile.am +index 6cc9bca..7bcfc1a 100644 +--- a/lib/transition/Makefile.am ++++ b/lib/transition/Makefile.am +@@ -21,7 +21,6 @@ include $(top_srcdir)/Makefile.common + lib_LTLIBRARIES = libtransitioner.la + + ## SOURCES +-noinst_HEADERS = + libtransitioner_la_SOURCES = unpack.c graph.c utils.c + + libtransitioner_la_LDFLAGS = -version-info 2:5:0 +@@ -30,7 +29,3 @@ libtransitioner_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la + + clean-generic: + rm -f *~ +- +-install-exec-local: +- +-uninstall-local: +diff --git a/tools/Makefile.am b/tools/Makefile.am +index 555b1db..59ce743 100644 +--- a/tools/Makefile.am ++++ b/tools/Makefile.am +@@ -26,9 +26,6 @@ COMMONLIBS = \ + $(top_builddir)/lib/cib/libcib.la \ + $(CURSESLIBS) $(CLUSTERLIBS) + +-headerdir = $(pkgincludedir)/crm +-header_HEADERS = +- + pcmkdir = $(datadir)/$(PACKAGE) + pcmk_DATA = report.common report.collector + +@@ -57,8 +54,6 @@ endif + + ## SOURCES + +-noinst_HEADERS = +- + MAN8DEPS = crm_attribute crm_node + + crmadmin_SOURCES = crmadmin.c +@@ -143,10 +138,4 @@ ipmiservicelogd_CFLAGS = $(OPENIPMI_SERVICELOG_CFLAGS) $(SERVICELOG_CFLAGS) + ipmiservicelogd_LDFLAGS = $(top_builddir)/lib/common/libcrmcommon.la $(OPENIPMI_SERVICELOG_LIBS) $(SERVICELOG_LIBS) + endif + +-install-exec-local: +- +-uninstall-local: +- +-.PHONY: install-exec-hook +- + CLEANFILES = $(man8_MANS) +-- +1.8.3.1 + + +From 048efbf21a84568816b35522ed5f7b84f9ffdc41 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= +Date: Mon, 20 Jun 2016 15:10:34 +0200 +Subject: [PATCH 3/5] Build: drop superfluous libcrmcluster_la_DEPENDENCIES var + +--- 
+ lib/cluster/Makefile.am | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/lib/cluster/Makefile.am b/lib/cluster/Makefile.am +index dcc1fbd..ffa2a73 100644 +--- a/lib/cluster/Makefile.am ++++ b/lib/cluster/Makefile.am +@@ -23,7 +23,6 @@ lib_LTLIBRARIES = libcrmcluster.la + libcrmcluster_la_SOURCES = election.c cluster.c membership.c + libcrmcluster_la_LDFLAGS = -version-info 6:0:2 + libcrmcluster_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la $(top_builddir)/lib/fencing/libstonithd.la $(CLUSTERLIBS) +-libcrmcluster_la_DEPENDENCIES = $(top_builddir)/lib/common/libcrmcommon.la $(top_builddir)/lib/fencing/libstonithd.la + + if BUILD_CS_SUPPORT + libcrmcluster_la_SOURCES += cpg.c +-- +1.8.3.1 + + +From f5042bf76d048cb1fb77f9a60253cbf5a0ee9fc1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= +Date: Mon, 20 Jun 2016 21:09:00 +0200 +Subject: [PATCH 4/5] Build: cib/Makefile.am: avoid second-guessing Libtool + +Explicitly referring to location that is an implementation detail of +Libtool is not very reasonable and appears to be working regardless. 
+--- + lib/cib/Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/cib/Makefile.am b/lib/cib/Makefile.am +index 07bf261..0c57eee 100644 +--- a/lib/cib/Makefile.am ++++ b/lib/cib/Makefile.am +@@ -24,7 +24,7 @@ lib_LTLIBRARIES = libcib.la + libcib_la_SOURCES = cib_ops.c cib_utils.c cib_client.c cib_native.c cib_attrs.c + libcib_la_SOURCES += cib_file.c cib_remote.c + +-libcib_la_LDFLAGS = -version-info 5:1:1 -L$(top_builddir)/lib/pengine/.libs ++libcib_la_LDFLAGS = -version-info 5:1:1 + libcib_la_LIBADD = $(CRYPTOLIB) $(top_builddir)/lib/pengine/libpe_rules.la $(top_builddir)/lib/common/libcrmcommon.la + libcib_la_CFLAGS = -I$(top_srcdir) + +-- +1.8.3.1 + + +From 8a86b03d1dbb8bab4a38f39544c519a2e7e85136 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= +Date: Fri, 10 Jun 2016 17:55:57 +0200 +Subject: [PATCH 5/5] Build: Makefile.am f.: move/drop comments to reflect + previous commits + +* "# lex/yacc issues": +- introduced with 800b0c3 ("CFLAGS = $(CFLAGS_COPY:-Werror=)") +- comment + the statement got separated as of ae6fb13 + +* "# utils.h pengine.h" +- introduced with a4d9634 +- became superfluous as of ef1f2e2 +--- + fencing/Makefile.am | 4 +--- + pengine/Makefile.am | 2 +- + 2 files changed, 2 insertions(+), 4 deletions(-) + +diff --git a/fencing/Makefile.am b/fencing/Makefile.am +index bef6e6e..79fe2ed 100644 +--- a/fencing/Makefile.am ++++ b/fencing/Makefile.am +@@ -56,9 +56,6 @@ BUILT_SOURCES = standalone_config.h + + stonithd_SOURCES += standalone_config.c config.y config.l + stonithd_AM_LFLAGS = -o$(LEX_OUTPUT_ROOT).c +- +-# lex/yacc issues: +- + endif + stonithd_YFLAGS = -d + +@@ -69,6 +66,7 @@ stonithd_LDADD = $(top_builddir)/lib/common/libcrmcommon.la \ + $(top_builddir)/pengine/libpengine.la \ + $(CRYPTOLIB) $(CLUSTERLIBS) + ++# lex/yacc issues: + CFLAGS = $(CFLAGS_COPY:-Werror=) + + CLEANFILES = $(man7_MANS) $(man8_MANS) +diff --git a/pengine/Makefile.am b/pengine/Makefile.am +index 172a86b..170b728 100644 
+--- a/pengine/Makefile.am ++++ b/pengine/Makefile.am +@@ -58,8 +58,8 @@ man7_MANS = pengine.7 + endif + + ## SOURCES ++ + noinst_HEADERS = allocate.h utils.h pengine.h +-#utils.h pengine.h + + libpengine_la_LDFLAGS = -version-info 11:0:1 + # -L$(top_builddir)/lib/pils -lpils -export-dynamic -module -avoid-version +-- +1.8.3.1 + diff --git a/002-build-cleanup.patch b/002-build-cleanup.patch new file mode 100644 index 0000000..6fe5701 --- /dev/null +++ b/002-build-cleanup.patch 
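Review bot: In the lib/fencing/Makefile.am and lib/lrmd/Makefile.am sections of PATCH 1/5, the removed AM_CPPFLAGS carried `-I$(top_builddir) -I$(top_srcdir)` on top of the include/ and libltdl/ paths the other directories had, and the only replacement is `include $(top_srcdir)/Makefile.common`. Makefile.common is not part of this patch, so it cannot be confirmed from here that it supplies those two top-level search paths. If it does not, a source in these two directories that includes a header relative to the tree root would either fail to build or resolve a same-named header from another directory on the search path. If the paths are still needed, keep them per directory with `AM_CPPFLAGS += -I$(top_builddir) -I$(top_srcdir)` after the include line, the way lib/common appends its lib/gnu paths in the same patch.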
@@ -0,0 +1,678 @@ +From f4305372f80faafb5a1856f68b06c4dd87f8f521 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= +Date: Fri, 17 Jun 2016 21:47:34 +0200 +Subject: [PATCH 1/3] Build: drop acinclude.m4 never ever used by pacemaker + proper + +It was rather used by the management tool being part of heartbeat +project -- pacemaker's precursor -- hence the shared codebase that +just wasn't split carefully. + +[note that hearbeat also mistakenly carries that file along while + the reason disappeared as of: + http://hg.linux-ha.org/heartbeat-STABLE_3_0/rev/cf17a3d4167b#l1.39] +--- + acinclude.m4 | 39 --------------------------------------- + 1 file changed, 39 deletions(-) + delete mode 100644 acinclude.m4 + +diff --git a/acinclude.m4 b/acinclude.m4 +deleted file mode 100644 +index fa8fef2..0000000 +--- a/acinclude.m4 ++++ /dev/null +@@ -1,39 +0,0 @@ +-dnl +-dnl local autoconf/automake macros needed for heartbeat +-dnl Started by David Lee February 2006 +-dnl +-dnl License: GNU General Public License (GPL) +- +- +-dnl AM_CHECK_PYTHON_HEADERS: Find location of python include files. +-dnl Taken from: +-dnl http://source.macgimp.org/ +-dnl which is GPL and is attributed to James Henstridge. 
+-dnl +-dnl AM_CHECK_PYTHON_HEADERS([ACTION-IF-POSSIBLE], [ACTION-IF-NOT-POSSIBLE]) +-dnl Imports: +-dnl $PYTHON +-dnl Exports: +-dnl PYTHON_INCLUDES +- +-AC_DEFUN([AM_CHECK_PYTHON_HEADERS], +-[AC_REQUIRE([AM_PATH_PYTHON]) +-AC_MSG_CHECKING(for headers required to compile python extensions) +-dnl deduce PYTHON_INCLUDES +-py_prefix=`$PYTHON -c "import sys; print sys.prefix"` +-py_exec_prefix=`$PYTHON -c "import sys; print sys.exec_prefix"` +-PYTHON_INCLUDES="-I${py_prefix}/include/python${PYTHON_VERSION}" +-if test "$py_prefix" != "$py_exec_prefix"; then +- PYTHON_INCLUDES="$PYTHON_INCLUDES -I${py_exec_prefix}/include/python${PYTHON_VERSION}" +-fi +-AC_SUBST(PYTHON_INCLUDES) +-dnl check if the headers exist: +-save_CPPFLAGS="$CPPFLAGS" +-CPPFLAGS="$CPPFLAGS $PYTHON_INCLUDES" +-AC_TRY_CPP([#include ],dnl +-[AC_MSG_RESULT(found) +-$1],dnl +-[AC_MSG_RESULT(not found) +-$2]) +-CPPFLAGS="$save_CPPFLAGS" +-]) +-- +1.8.3.1 + + +From 4e0d5c81dae95be2bd3598d2f0dd639b64e5486a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= +Date: Fri, 17 Jun 2016 22:59:42 +0200 +Subject: [PATCH 2/3] Build: configure.ac: drop unused CC_ERRORS, move + CC_EXTRAS + +... so as not to delimit the comment and respective code with unrelated +stuff. +--- + configure.ac | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 1a393fc..c5b30dc 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1703,10 +1703,6 @@ dnl not have CFLAGS in their environment then this should have + dnl no effect. However if CFLAGS was exported from the user's + dnl environment, then the new CFLAGS will also be exported + dnl to sub processes. 
+- +-CC_ERRORS="" +-CC_EXTRAS="" +- + if export | fgrep " CFLAGS=" > /dev/null; then + SAVED_CFLAGS="$CFLAGS" + unset CFLAGS +@@ -1714,6 +1710,8 @@ if export | fgrep " CFLAGS=" > /dev/null; then + unset SAVED_CFLAGS + fi + ++CC_EXTRAS="" ++ + if test "$GCC" != yes; then + CFLAGS="$CFLAGS -g" + enable_fatal_warnings=no +-- +1.8.3.1 + + +From 9632cd73b758dd4d41c2dbf2b9f10679cc3ee1a2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= +Date: Tue, 21 Jun 2016 19:05:52 +0200 +Subject: [PATCH 3/3] Refactor: sanitizing touch on makefiles about to receive + hardening + +* whitespace cleanup +* internally provided -D... and -I... switches belong to CPPFLAGS rather + than CFLAGS +* use a following order of the per-target flags: + - CPPFLAGS + - YFLAGS + - CFLAGS + - LDFLAGS + - LDADD/LIBADD + - SOURCES + +This is in part to reflect common conditional inclusion of additional +sources (which should preferably immediately follow the main SOURCES +definition) sometimes connected with extending other flags as well. 
+--- + attrd/Makefile.am | 12 ++++++------ + cib/Makefile.am | 18 +++++++++--------- + crmd/Makefile.am | 31 +++++++++++++++---------------- + fencing/Makefile.am | 30 ++++++++++++++++-------------- + lib/cib/Makefile.am | 9 +++++---- + lib/cluster/Makefile.am | 3 +-- + lib/common/Makefile.am | 8 ++++---- + lib/fencing/Makefile.am | 8 ++++---- + lib/lrmd/Makefile.am | 10 +++++----- + lib/pengine/Makefile.am | 12 ++++++------ + lib/services/Makefile.am | 24 ++++++++++++------------ + lib/transition/Makefile.am | 9 +++++---- + lrmd/Makefile.am | 46 ++++++++++++++++++++++------------------------ + mcp/Makefile.am | 4 ++-- + pengine/Makefile.am | 16 +++++++--------- + 15 files changed, 119 insertions(+), 121 deletions(-) + +diff --git a/attrd/Makefile.am b/attrd/Makefile.am +index 9a841e5..a116e0e 100644 +--- a/attrd/Makefile.am ++++ b/attrd/Makefile.am +@@ -17,16 +17,16 @@ + # + include $(top_srcdir)/Makefile.common + +-halibdir = $(CRM_DAEMON_DIR) +-halib_PROGRAMS = attrd ++halibdir = $(CRM_DAEMON_DIR) ++halib_PROGRAMS = attrd + ## SOURCES + +-attrd_SOURCES = +-attrd_LDADD = $(top_builddir)/lib/cluster/libcrmcluster.la \ +- $(top_builddir)/lib/common/libcrmcommon.la \ +- $(top_builddir)/lib/cib/libcib.la \ ++attrd_LDADD = $(top_builddir)/lib/cluster/libcrmcluster.la \ ++ $(top_builddir)/lib/common/libcrmcommon.la \ ++ $(top_builddir)/lib/cib/libcib.la \ + $(CLUSTERLIBS) + ++attrd_SOURCES = + if BUILD_ATOMIC_ATTRD + attrd_SOURCES += main.c commands.c + else +diff --git a/cib/Makefile.am b/cib/Makefile.am +index 8508223..fcb8ce9 100644 +--- a/cib/Makefile.am ++++ b/cib/Makefile.am +@@ -23,23 +23,23 @@ hadir = $(sysconfdir)/ha.d + halibdir = $(CRM_DAEMON_DIR) + commmoddir = $(halibdir)/modules/comm + +-COMMONLIBS = $(top_builddir)/lib/common/libcrmcommon.la \ +- $(top_builddir)/lib/cib/libcib.la ++COMMONLIBS = $(top_builddir)/lib/common/libcrmcommon.la \ ++ $(top_builddir)/lib/cib/libcib.la + + ## binary progs + halib_PROGRAMS = cib cibmon + + ## SOURCES 
+-noinst_HEADERS = callbacks.h cibio.h cibmessages.h common.h notify.h ++noinst_HEADERS = callbacks.h cibio.h cibmessages.h common.h notify.h + +-cib_SOURCES = io.c messages.c notify.c \ +- callbacks.c main.c remote.c common.c ++cib_LDADD = $(top_builddir)/lib/cluster/libcrmcluster.la \ ++ $(COMMONLIBS) $(CRYPTOLIB) $(CLUSTERLIBS) + +-cib_LDADD = $(top_builddir)/lib/cluster/libcrmcluster.la \ +- $(COMMONLIBS) $(CRYPTOLIB) $(CLUSTERLIBS) ++cib_SOURCES = io.c messages.c notify.c \ ++ callbacks.c main.c remote.c common.c + +-cibmon_SOURCES = cibmon.c +-cibmon_LDADD = $(COMMONLIBS) ++cibmon_LDADD = $(COMMONLIBS) ++cibmon_SOURCES = cibmon.c + + clean-generic: + rm -f *.log *.debug *.xml *~ +diff --git a/crmd/Makefile.am b/crmd/Makefile.am +index c28da0b..979e266 100644 +--- a/crmd/Makefile.am ++++ b/crmd/Makefile.am +@@ -24,20 +24,10 @@ halib_PROGRAMS = crmd + + ## SOURCES + +-noinst_HEADERS = crmd.h crmd_fsa.h crmd_messages.h fsa_defines.h \ +- fsa_matrix.h fsa_proto.h crmd_utils.h crmd_callbacks.h \ ++noinst_HEADERS = crmd.h crmd_fsa.h crmd_messages.h fsa_defines.h \ ++ fsa_matrix.h fsa_proto.h crmd_utils.h crmd_callbacks.h \ + crmd_lrm.h te_callbacks.h tengine.h + +-crmd_SOURCES = main.c crmd.c corosync.c notify.c \ +- fsa.c control.c messages.c membership.c callbacks.c \ +- election.c join_client.c join_dc.c subsystems.c throttle.c \ +- cib.c pengine.c tengine.c lrm.c lrm_state.c remote_lrmd_ra.c \ +- utils.c misc.c te_events.c te_actions.c te_utils.c te_callbacks.c +- +-if BUILD_HEARTBEAT_SUPPORT +-crmd_SOURCES += heartbeat.c +-endif +- + crmd_LDADD = $(top_builddir)/lib/fencing/libstonithd.la \ + $(top_builddir)/lib/transition/libtransitioner.la \ + $(top_builddir)/lib/pengine/libpe_rules.la \ +@@ -45,19 +35,28 @@ crmd_LDADD = $(top_builddir)/lib/fencing/libstonithd.la \ + $(top_builddir)/lib/cluster/libcrmcluster.la \ + $(top_builddir)/lib/common/libcrmcommon.la \ + $(top_builddir)/lib/services/libcrmservice.la \ +- $(top_builddir)/lib/lrmd/liblrmd.la \ ++ 
$(top_builddir)/lib/lrmd/liblrmd.la \ + $(CLUSTERLIBS) + ++crmd_SOURCES = main.c crmd.c corosync.c notify.c \ ++ fsa.c control.c messages.c membership.c callbacks.c \ ++ election.c join_client.c join_dc.c subsystems.c throttle.c \ ++ cib.c pengine.c tengine.c lrm.c lrm_state.c remote_lrmd_ra.c \ ++ utils.c misc.c te_events.c te_actions.c te_utils.c te_callbacks.c ++if BUILD_HEARTBEAT_SUPPORT ++crmd_SOURCES += heartbeat.c ++endif ++ + if BUILD_XML_HELP +-man7_MANS = crmd.7 ++man7_MANS = crmd.7 + endif + +-graphs: fsa_inputs.png fsa_inputs_by_action.png fsa_actions_by_state.png ++graphs: fsa_inputs.png fsa_inputs_by_action.png fsa_actions_by_state.png + + %.png: %.dot + dot -Tpng $< > $@ + +-%.dot : fsa_matrix.h make_dot.pl ++%.dot: fsa_matrix.h make_dot.pl + perl $(top_srcdir)/crmd/make_dot.pl $(top_srcdir)/crmd/fsa_matrix.h $(top_builddir)/crmd + + CLEANFILES = $(man7_MANS) +diff --git a/fencing/Makefile.am b/fencing/Makefile.am +index 79fe2ed..1d591fc 100644 +--- a/fencing/Makefile.am ++++ b/fencing/Makefile.am +@@ -24,13 +24,13 @@ test_SCRIPTS = regression.py + halibdir = $(CRM_DAEMON_DIR) + halib_PROGRAMS = stonithd stonith-test + +-sbin_PROGRAMS = stonith_admin +-sbin_SCRIPTS = fence_legacy fence_pcmk ++sbin_PROGRAMS = stonith_admin ++sbin_SCRIPTS = fence_legacy fence_pcmk + +-noinst_HEADERS = internal.h ++noinst_HEADERS = internal.h + + if BUILD_XML_HELP +-man7_MANS = stonithd.7 ++man7_MANS = stonithd.7 + endif + + stonith_test_SOURCES = test.c +@@ -49,23 +49,25 @@ stonith_admin_LDADD = $(top_builddir)/lib/common/libcrmcommon.la \ + $(top_builddir)/lib/fencing/libstonithd.la \ + $(CRYPTOLIB) $(CLUSTERLIBS) + +-stonithd_CFLAGS = -I$(top_srcdir)/pengine +-stonithd_SOURCES = main.c commands.c remote.c +-if BUILD_STONITH_CONFIG +-BUILT_SOURCES = standalone_config.h +- +-stonithd_SOURCES += standalone_config.c config.y config.l +-stonithd_AM_LFLAGS = -o$(LEX_OUTPUT_ROOT).c +-endif +-stonithd_YFLAGS = -d ++stonithd_CPPFLAGS = -I$(top_srcdir)/pengine $(AM_CPPFLAGS) 
++stonithd_YFLAGS = -d + + stonithd_LDADD = $(top_builddir)/lib/common/libcrmcommon.la \ + $(top_builddir)/lib/cluster/libcrmcluster.la \ + $(top_builddir)/lib/fencing/libstonithd.la \ + $(top_builddir)/lib/pengine/libpe_status.la \ +- $(top_builddir)/pengine/libpengine.la \ ++ $(top_builddir)/pengine/libpengine.la \ + $(CRYPTOLIB) $(CLUSTERLIBS) + ++stonithd_SOURCES = main.c commands.c remote.c ++ ++if BUILD_STONITH_CONFIG ++BUILT_SOURCES = standalone_config.h ++ ++stonithd_SOURCES += standalone_config.c config.y config.l ++stonithd_AM_LFLAGS = -o$(LEX_OUTPUT_ROOT).c ++endif ++ + # lex/yacc issues: + CFLAGS = $(CFLAGS_COPY:-Werror=) + +diff --git a/lib/cib/Makefile.am b/lib/cib/Makefile.am +index 0c57eee..e414a7f 100644 +--- a/lib/cib/Makefile.am ++++ b/lib/cib/Makefile.am +@@ -18,15 +18,16 @@ + include $(top_srcdir)/Makefile.common + + ## libraries +-lib_LTLIBRARIES = libcib.la ++lib_LTLIBRARIES = libcib.la + + ## SOURCES + libcib_la_SOURCES = cib_ops.c cib_utils.c cib_client.c cib_native.c cib_attrs.c +-libcib_la_SOURCES += cib_file.c cib_remote.c ++libcib_la_SOURCES += cib_file.c cib_remote.c + + libcib_la_LDFLAGS = -version-info 5:1:1 +-libcib_la_LIBADD = $(CRYPTOLIB) $(top_builddir)/lib/pengine/libpe_rules.la $(top_builddir)/lib/common/libcrmcommon.la +-libcib_la_CFLAGS = -I$(top_srcdir) ++libcib_la_CPPFLAGS = -I$(top_srcdir) $(AM_CPPFLAGS) ++ ++libcib_la_LIBADD = $(CRYPTOLIB) $(top_builddir)/lib/pengine/libpe_rules.la $(top_builddir)/lib/common/libcrmcommon.la + + clean-generic: + rm -f *.log *.debug *.xml *~ +diff --git a/lib/cluster/Makefile.am b/lib/cluster/Makefile.am +index ffa2a73..06d7066 100644 +--- a/lib/cluster/Makefile.am ++++ b/lib/cluster/Makefile.am +@@ -20,10 +20,10 @@ include $(top_srcdir)/Makefile.common + ## libraries + lib_LTLIBRARIES = libcrmcluster.la + +-libcrmcluster_la_SOURCES = election.c cluster.c membership.c + libcrmcluster_la_LDFLAGS = -version-info 6:0:2 + libcrmcluster_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la 
$(top_builddir)/lib/fencing/libstonithd.la $(CLUSTERLIBS) + ++libcrmcluster_la_SOURCES = election.c cluster.c membership.c + if BUILD_CS_SUPPORT + libcrmcluster_la_SOURCES += cpg.c + if BUILD_CS_PLUGIN +@@ -32,7 +32,6 @@ else + libcrmcluster_la_SOURCES += corosync.c + endif + endif +- + if BUILD_HEARTBEAT_SUPPORT + libcrmcluster_la_SOURCES += heartbeat.c + #libcrmcluster_la_LIBADD += -ldl +diff --git a/lib/common/Makefile.am b/lib/common/Makefile.am +index 111628f..7550ec1 100644 +--- a/lib/common/Makefile.am ++++ b/lib/common/Makefile.am +@@ -31,16 +31,16 @@ lib_LTLIBRARIES = libcrmcommon.la + + CFLAGS = $(CFLAGS_COPY:-Wcast-qual=) -fPIC + ++libcrmcommon_la_LDFLAGS = -version-info 9:0:6 ++libcrmcommon_la_LIBADD = @LIBADD_DL@ $(GNUTLSLIBS) -lm ++ + libcrmcommon_la_SOURCES = compat.c digest.c ipc.c io.c procfs.c utils.c xml.c \ + iso8601.c remote.c mainloop.c logging.c watchdog.c \ + xpath.c + if BUILD_CIBSECRETS + libcrmcommon_la_SOURCES += cib_secrets.c + endif +- +-libcrmcommon_la_LDFLAGS = -version-info 9:0:6 +-libcrmcommon_la_LIBADD = @LIBADD_DL@ $(GNUTLSLIBS) -lm +-libcrmcommon_la_SOURCES += $(top_builddir)/lib/gnu/md5.c ++libcrmcommon_la_SOURCES += $(top_builddir)/lib/gnu/md5.c + + clean-generic: + rm -f *.log *.debug *.xml *~ +diff --git a/lib/fencing/Makefile.am b/lib/fencing/Makefile.am +index a9f9874..85ae40a 100644 +--- a/lib/fencing/Makefile.am ++++ b/lib/fencing/Makefile.am +@@ -18,8 +18,8 @@ + # + include $(top_srcdir)/Makefile.common + +-lib_LTLIBRARIES = libstonithd.la ++lib_LTLIBRARIES = libstonithd.la + +-libstonithd_la_SOURCES = st_client.c +-libstonithd_la_LDFLAGS = -version-info 4:1:2 +-libstonithd_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la ++libstonithd_la_LDFLAGS = -version-info 4:1:2 ++libstonithd_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la ++libstonithd_la_SOURCES = st_client.c +diff --git a/lib/lrmd/Makefile.am b/lib/lrmd/Makefile.am +index c23fef5..25f3d55 100644 +--- a/lib/lrmd/Makefile.am ++++ 
b/lib/lrmd/Makefile.am +@@ -16,10 +16,10 @@ + # + include $(top_srcdir)/Makefile.common + +-lib_LTLIBRARIES = liblrmd.la ++lib_LTLIBRARIES = liblrmd.la + +-liblrmd_la_SOURCES = lrmd_client.c proxy_common.c +-liblrmd_la_LDFLAGS = -version-info 4:0:3 +-liblrmd_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la \ +- $(top_builddir)/lib/services/libcrmservice.la \ ++liblrmd_la_LDFLAGS = -version-info 4:0:3 ++liblrmd_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la \ ++ $(top_builddir)/lib/services/libcrmservice.la \ + $(top_builddir)/lib/fencing/libstonithd.la ++liblrmd_la_SOURCES = lrmd_client.c proxy_common.c +diff --git a/lib/pengine/Makefile.am b/lib/pengine/Makefile.am +index a0d19e5..de760c3 100644 +--- a/lib/pengine/Makefile.am ++++ b/lib/pengine/Makefile.am +@@ -18,19 +18,19 @@ + include $(top_srcdir)/Makefile.common + + ## libraries +-lib_LTLIBRARIES = libpe_rules.la libpe_status.la ++lib_LTLIBRARIES = libpe_rules.la libpe_status.la + + ## SOURCES +-noinst_HEADERS = unpack.h variant.h ++noinst_HEADERS = unpack.h variant.h + + libpe_rules_la_LDFLAGS = -version-info 2:6:0 +-libpe_rules_la_SOURCES = rules.c common.c + libpe_rules_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la ++libpe_rules_la_SOURCES = rules.c common.c + + libpe_status_la_LDFLAGS = -version-info 11:0:1 +-libpe_status_la_SOURCES = status.c unpack.c utils.c complex.c native.c \ +- group.c clone.c rules.c common.c remote.c +-libpe_status_la_LIBADD = @CURSESLIBS@ $(top_builddir)/lib/common/libcrmcommon.la ++libpe_status_la_LIBADD = @CURSESLIBS@ $(top_builddir)/lib/common/libcrmcommon.la ++libpe_status_la_SOURCES = status.c unpack.c utils.c complex.c native.c \ ++ group.c clone.c rules.c common.c remote.c + + clean-generic: + rm -f *.log *.debug *~ +diff --git a/lib/services/Makefile.am b/lib/services/Makefile.am +index 2797b53..c789fbd 100644 +--- a/lib/services/Makefile.am ++++ b/lib/services/Makefile.am +@@ -18,24 +18,24 @@ + + MAINTAINERCLEANFILES = Makefile.in + +-AM_CPPFLAGS = 
-I$(top_builddir)/include ++AM_CPPFLAGS = -I$(top_builddir)/include + +-lib_LTLIBRARIES = libcrmservice.la +-noinst_HEADERS = upstart.h systemd.h services_private.h ++lib_LTLIBRARIES = libcrmservice.la ++noinst_HEADERS = upstart.h systemd.h services_private.h + +-libcrmservice_la_SOURCES = services.c services_linux.c +-libcrmservice_la_LDFLAGS = -version-info 4:1:1 +-libcrmservice_la_CFLAGS = $(GIO_CFLAGS) -DOCF_ROOT_DIR=\"@OCF_ROOT_DIR@\" +-libcrmservice_la_LIBADD = $(GIO_LIBS) $(top_builddir)/lib/common/libcrmcommon.la $(DBUS_LIBS) ++libcrmservice_la_LDFLAGS = -version-info 4:1:1 ++libcrmservice_la_CPPFLAGS = -DOCF_ROOT_DIR=\"@OCF_ROOT_DIR@\" $(AM_CPPFLAGS) ++libcrmservice_la_CFLAGS = $(GIO_CFLAGS) + ++libcrmservice_la_LIBADD = $(GIO_LIBS) $(top_builddir)/lib/common/libcrmcommon.la $(DBUS_LIBS) ++ ++libcrmservice_la_SOURCES = services.c services_linux.c + if BUILD_DBUS +-libcrmservice_la_SOURCES += dbus.c ++libcrmservice_la_SOURCES += dbus.c + endif +- + if BUILD_UPSTART +-libcrmservice_la_SOURCES += upstart.c ++libcrmservice_la_SOURCES += upstart.c + endif +- + if BUILD_SYSTEMD +-libcrmservice_la_SOURCES += systemd.c ++libcrmservice_la_SOURCES += systemd.c + endif +diff --git a/lib/transition/Makefile.am b/lib/transition/Makefile.am +index 7bcfc1a..9bc039e 100644 +--- a/lib/transition/Makefile.am ++++ b/lib/transition/Makefile.am +@@ -18,14 +18,15 @@ + include $(top_srcdir)/Makefile.common + + ## libraries +-lib_LTLIBRARIES = libtransitioner.la ++lib_LTLIBRARIES = libtransitioner.la + + ## SOURCES +-libtransitioner_la_SOURCES = unpack.c graph.c utils.c + + libtransitioner_la_LDFLAGS = -version-info 2:5:0 +-libtransitioner_la_CFLAGS = -I$(top_builddir) +-libtransitioner_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la ++libtransitioner_la_CPPFLAGS = -I$(top_builddir) $(AM_CPPFLAGS) ++ ++libtransitioner_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la ++libtransitioner_la_SOURCES = unpack.c graph.c utils.c + + clean-generic: + rm -f *~ +diff --git 
a/lrmd/Makefile.am b/lrmd/Makefile.am +index 556d48a..64df105 100644 +--- a/lrmd/Makefile.am ++++ b/lrmd/Makefile.am +@@ -19,45 +19,43 @@ include $(top_srcdir)/Makefile.common + testdir = $(datadir)/$(PACKAGE)/tests/lrmd + test_SCRIPTS = regression.py + +-lrmdlibdir = $(CRM_DAEMON_DIR) +-lrmdlib_PROGRAMS = lrmd lrmd_test lrmd_internal_ctl ++lrmdlibdir = $(CRM_DAEMON_DIR) ++lrmdlib_PROGRAMS = lrmd lrmd_test lrmd_internal_ctl + +-initdir = $(INITDIR) +-init_SCRIPTS = pacemaker_remote +-sbin_PROGRAMS = pacemaker_remoted ++initdir = $(INITDIR) ++init_SCRIPTS = pacemaker_remote ++sbin_PROGRAMS = pacemaker_remoted + + if BUILD_SYSTEMD +-systemdunit_DATA = pacemaker_remote.service ++systemdunit_DATA = pacemaker_remote.service + endif + +-lrmd_SOURCES = main.c lrmd.c + lrmd_LDADD = $(top_builddir)/lib/common/libcrmcommon.la \ +- $(top_builddir)/lib/services/libcrmservice.la \ +- $(top_builddir)/lib/lrmd/liblrmd.la \ ++ $(top_builddir)/lib/services/libcrmservice.la \ ++ $(top_builddir)/lib/lrmd/liblrmd.la \ + $(top_builddir)/lib/fencing/libstonithd.la ${COMPAT_LIBS} ++lrmd_SOURCES = main.c lrmd.c + ++pacemaker_remoted_CPPFLAGS = -DSUPPORT_REMOTE $(AM_CPPFLAGS) + +-pacemaker_remoted_SOURCES = main.c lrmd.c tls_backend.c ipc_proxy.c +-pacemaker_remoted_CFLAGS = -DSUPPORT_REMOTE + pacemaker_remoted_LDADD = $(lrmd_LDADD) ++pacemaker_remoted_SOURCES = main.c lrmd.c tls_backend.c ipc_proxy.c + +- ++lrmd_internal_ctl_LDADD = $(top_builddir)/lib/common/libcrmcommon.la \ ++ $(top_builddir)/lib/lrmd/liblrmd.la \ ++ $(top_builddir)/lib/cib/libcib.la \ ++ $(top_builddir)/lib/services/libcrmservice.la \ ++ $(top_builddir)/lib/pengine/libpe_status.la \ ++ $(top_builddir)/pengine/libpengine.la + lrmd_internal_ctl_SOURCES = remote_ctl.c +-lrmd_internal_ctl_LDADD = $(top_builddir)/lib/common/libcrmcommon.la \ +- $(top_builddir)/lib/lrmd/liblrmd.la \ +- $(top_builddir)/lib/cib/libcib.la \ +- $(top_builddir)/lib/services/libcrmservice.la \ +- $(top_builddir)/lib/pengine/libpe_status.la \ +- 
$(top_builddir)/pengine/libpengine.la + +- +-lrmd_test_SOURCES = test.c + lrmd_test_LDADD = $(top_builddir)/lib/common/libcrmcommon.la \ +- $(top_builddir)/lib/lrmd/liblrmd.la \ +- $(top_builddir)/lib/cib/libcib.la \ +- $(top_builddir)/lib/services/libcrmservice.la \ +- $(top_builddir)/lib/pengine/libpe_status.la \ ++ $(top_builddir)/lib/lrmd/liblrmd.la \ ++ $(top_builddir)/lib/cib/libcib.la \ ++ $(top_builddir)/lib/services/libcrmservice.la \ ++ $(top_builddir)/lib/pengine/libpe_status.la \ + $(top_builddir)/pengine/libpengine.la ++lrmd_test_SOURCES = test.c + + noinst_HEADERS = lrmd_private.h + +diff --git a/mcp/Makefile.am b/mcp/Makefile.am +index 1b3720a..195530a 100644 +--- a/mcp/Makefile.am ++++ b/mcp/Makefile.am +@@ -24,16 +24,16 @@ init_SCRIPTS = pacemaker + sbin_PROGRAMS = pacemakerd + + if BUILD_SYSTEMD +-systemdunit_DATA = pacemaker.service ++systemdunit_DATA = pacemaker.service + endif + + ## SOURCES + + noinst_HEADERS = pacemaker.h + +-pacemakerd_SOURCES = pacemaker.c corosync.c + pacemakerd_LDADD = $(top_builddir)/lib/cluster/libcrmcluster.la $(top_builddir)/lib/common/libcrmcommon.la + pacemakerd_LDADD += $(CLUSTERLIBS) ++pacemakerd_SOURCES = pacemaker.c corosync.c + + endif + +diff --git a/pengine/Makefile.am b/pengine/Makefile.am +index 170b728..96c914f 100644 +--- a/pengine/Makefile.am ++++ b/pengine/Makefile.am +@@ -17,7 +17,7 @@ + # + include $(top_srcdir)/Makefile.common + +-AM_CPPFLAGS += -I$(top_builddir) -I$(top_srcdir) ++AM_CPPFLAGS += -I$(top_builddir) -I$(top_srcdir) + + halibdir = $(CRM_DAEMON_DIR) + +@@ -30,9 +30,8 @@ test_DATA = regression.core.sh + test10dir = $(datadir)/$(PACKAGE)/tests/pengine/test10 + test10_DATA = $(PE_TESTS) $(PE_TESTS:%.scores=%.xml) $(PE_TESTS:%.scores=%.exp) $(PE_TESTS:%.scores=%.dot) $(PE_TESTS:%.scores=%.summary) $(wildcard test10/*.stderr) + +-COMMONLIBS = \ +- $(top_builddir)/lib/common/libcrmcommon.la \ +- $(top_builddir)/lib/pengine/libpe_status.la \ ++COMMONLIBS = 
$(top_builddir)/lib/common/libcrmcommon.la \ ++ $(top_builddir)/lib/pengine/libpe_status.la \ + libpengine.la $(CURSESLIBS) $(CLUSTERLIBS) + + beekhof: +@@ -62,17 +61,16 @@ endif + noinst_HEADERS = allocate.h utils.h pengine.h + + libpengine_la_LDFLAGS = -version-info 11:0:1 ++libpengine_la_LIBADD = $(top_builddir)/lib/pengine/libpe_status.la \ ++ $(top_builddir)/lib/cib/libcib.la + # -L$(top_builddir)/lib/pils -lpils -export-dynamic -module -avoid-version + libpengine_la_SOURCES = pengine.c allocate.c utils.c constraints.c +-libpengine_la_SOURCES += native.c group.c clone.c master.c graph.c utilization.c ++libpengine_la_SOURCES += native.c group.c clone.c master.c graph.c utilization.c + +-libpengine_la_LIBADD = $(top_builddir)/lib/pengine/libpe_status.la \ +- $(top_builddir)/lib/cib/libcib.la +- +-pengine_SOURCES = main.c + pengine_LDADD = $(top_builddir)/lib/cib/libcib.la $(COMMONLIBS) + # libcib for get_object_root() + # $(top_builddir)/lib/hbclient/libhbclient.la ++pengine_SOURCES = main.c + + install-exec-local: + $(mkinstalldirs) $(DESTDIR)/$(PE_STATE_DIR) +-- +1.8.3.1 + diff --git a/003-harden-toolchain.patch b/003-harden-toolchain.patch new file mode 100644 index 0000000..5f5153a --- /dev/null +++ b/003-harden-toolchain.patch 
@@ -0,0 +1,603 @@ +From 658fff9445711b8402029bc2916fccbc5d6fd8fc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= +Date: Tue, 21 Jun 2016 19:16:43 +0200 +Subject: [PATCH 1/2] Feature: conditional hardening, especially for daemons + + libraries + +So far the build system has not been concerned with run-time hardening +measures the typical toolchains provide (beside unconditional enforcing +of -fstack-protector-all). Hence make a step in that direction, +enabling following if available and anticipating more to come: + +[$LD -z relro] +- daemons incl. libs +- make some parts of Global Offset Table (GOT) read-only + +[$CC -fPIE + ld -pie] +- daemons +- benefit from Address Space Layout Randomization (ASLR) for code + areas + +[$LD -z now] +- daemons incl. libs, only when the former two features are supported +- all symbols are resolved initially to that complete GOT is read-only + +[$CC -fstack-protector-strong/-fstack-protector-all/-fstack-protector] +- universal +- extra run-time checks for buffer overflows +- NOTE: + in case -fstack-protector-strong is supported, this is effectively + a weakening of previously enforced -fstack-protector-all, but note + that this variant comes with not entirely negligible performance + penalty [1], making "strong" variant a reasonable tradeoff for + something that is not in the prime line of possible attacks + +For details on how to instruct configure script to do the right +thing (for when the default won't cut it), see detailed comment +in configure.ac under "Hardening flags" section. 
+ +[1] http://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.1860.pdf +--- + acinclude.m4 | 25 +++++++++ + attrd/Makefile.am | 3 + + cib/Makefile.am | 3 + + configure.ac | 135 +++++++++++++++++++++++++++++++++++++++++++-- + crmd/Makefile.am | 3 + + fencing/Makefile.am | 3 + + lib/cib/Makefile.am | 3 + + lib/cluster/Makefile.am | 4 ++ + lib/common/Makefile.am | 4 ++ + lib/fencing/Makefile.am | 4 ++ + lib/lrmd/Makefile.am | 4 ++ + lib/pengine/Makefile.am | 8 +++ + lib/services/Makefile.am | 3 + + lib/transition/Makefile.am | 3 + + lrmd/Makefile.am | 6 ++ + mcp/Makefile.am | 3 + + pacemaker.spec.in | 17 ++++++ + pengine/Makefile.am | 6 ++ + 18 files changed, 231 insertions(+), 6 deletions(-) + create mode 100644 acinclude.m4 + +diff --git a/acinclude.m4 b/acinclude.m4 +new file mode 100644 +index 0000000..ecaa1dd +--- /dev/null ++++ b/acinclude.m4 +@@ -0,0 +1,25 @@ ++dnl ++dnl local autoconf/automake macros for pacemaker ++dnl ++ ++dnl Check if the flag is supported by linker (cacheable) ++dnl CC_CHECK_LDFLAGS([FLAG], [ACTION-IF-FOUND],[ACTION-IF-NOT-FOUND]) ++dnl ++dnl Origin (declared license: GPLv2+ with less restrictive exception): ++dnl https://git.gnome.org/browse/glib/tree/m4macros/attributes.m4?h=2.49.1 ++dnl (AC_LANG_PROGRAM substituted by Jan Pokorny ) ++ ++AC_DEFUN([CC_CHECK_LDFLAGS], [ ++ AC_CACHE_CHECK([if $CC supports $1 flag], ++ AS_TR_SH([cc_cv_ldflags_$1]), ++ [ac_save_LDFLAGS="$LDFLAGS" ++ LDFLAGS="$LDFLAGS $1" ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])], ++ [eval "AS_TR_SH([cc_cv_ldflags_$1])='yes'"], ++ [eval "AS_TR_SH([cc_cv_ldflags_$1])="]) ++ LDFLAGS="$ac_save_LDFLAGS" ++ ]) ++ ++ AS_IF([eval test x$]AS_TR_SH([cc_cv_ldflags_$1])[ = xyes], ++ [$2], [$3]) ++]) +diff --git a/attrd/Makefile.am b/attrd/Makefile.am +index a116e0e..6eaaae2 100644 +--- a/attrd/Makefile.am ++++ b/attrd/Makefile.am +@@ -21,6 +21,9 @@ halibdir = $(CRM_DAEMON_DIR) + halib_PROGRAMS = attrd + ## SOURCES + ++attrd_CFLAGS = $(CFLAGS_HARDENED_EXE) ++attrd_LDFLAGS = 
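Review bot: `CC_CHECK_LDFLAGS` counts a flag as supported whenever the empty test program links with exit status zero, so a linker that only warns about an unrecognised `-z` keyword and carries on would still be cached as `yes`. The summary that configure.ac prints later (`relro=`, `bindnow=`) could then report protections the built binaries do not have. I would state that limit in the macro header, e.g. `dnl NOTE: only the link exit status is checked; a flag the linker ignores with a warning counts as supported`, and have packaging check the built daemons rather than trust the configure output. Separately, the not-found branch stores an empty cache value, so the check prints a blank result; `[eval "AS_TR_SH([cc_cv_ldflags_$1])='no'"]` reads better and still fails the `= xyes` test.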
$(LDFLAGS_HARDENED_EXE) ++ + attrd_LDADD = $(top_builddir)/lib/cluster/libcrmcluster.la \ + $(top_builddir)/lib/common/libcrmcommon.la \ + $(top_builddir)/lib/cib/libcib.la \ +diff --git a/cib/Makefile.am b/cib/Makefile.am +index fcb8ce9..4273191 100644 +--- a/cib/Makefile.am ++++ b/cib/Makefile.am +@@ -32,6 +32,9 @@ halib_PROGRAMS = cib cibmon + ## SOURCES + noinst_HEADERS = callbacks.h cibio.h cibmessages.h common.h notify.h + ++cib_CFLAGS = $(CFLAGS_HARDENED_EXE) ++cib_LDFLAGS = $(LDFLAGS_HARDENED_EXE) ++ + cib_LDADD = $(top_builddir)/lib/cluster/libcrmcluster.la \ + $(COMMONLIBS) $(CRYPTOLIB) $(CLUSTERLIBS) + +diff --git a/configure.ac b/configure.ac +index c5b30dc..edf6a91 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -196,6 +196,13 @@ AC_ARG_ENABLE([systemd], + [ --enable-systemd + Do not build support for the Systemd init system [default=yes]]) + ++AC_ARG_ENABLE(hardening, ++ [ --with-hardening ++ Harden the resulting executables/libraries (best effort by default)], ++ [ HARDENING="${enableval}" ], ++ [ HARDENING=try ], ++) ++ + AC_ARG_WITH(ais, + [ --with-ais + Support the Corosync messaging and membership layer ], +@@ -1710,6 +1717,12 @@ if export | fgrep " CFLAGS=" > /dev/null; then + unset SAVED_CFLAGS + fi + ++AC_ARG_VAR([CFLAGS_HARDENED_LIB], [extra C compiler flags for hardened libraries]) ++AC_ARG_VAR([LDFLAGS_HARDENED_LIB], [extra linker flags for hardened libraries]) ++ ++AC_ARG_VAR([CFLAGS_HARDENED_EXE], [extra C compiler flags for hardened executables]) ++AC_ARG_VAR([LDFLAGS_HARDENED_EXE], [extra linker flags for hardened executables]) ++ + CC_EXTRAS="" + + if test "$GCC" != yes; then +@@ -1785,12 +1798,6 @@ dnl otherwise none of both + # Additional warnings it might be nice to enable one day + # -Wshadow + # -Wunreachable-code +- case "$host_os" in +- *solaris*) ;; +- *) EXTRA_FLAGS="$EXTRA_FLAGS +- -fstack-protector-all" +- ;; +- esac + for j in $EXTRA_FLAGS + do + if +@@ -1829,6 +1836,118 @@ dnl System specific options + 
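Review bot: The per-target `attrd_CFLAGS = $(CFLAGS_HARDENED_EXE)` takes the place of `AM_CFLAGS` for this program instead of adding to it, because automake uses a per-target `_CFLAGS` variable in place of `AM_CFLAGS` (the same holds for `_LDFLAGS` and `AM_LDFLAGS`). Makefile.common is not shown here, so this may be harmless today, but any flag later placed in `AM_CFLAGS` would silently stop reaching the daemons and libraries this series touches. The per-target `_CPPFLAGS` lines in the series already end in `$(AM_CPPFLAGS)`; for consistency I would write `attrd_CFLAGS = $(CFLAGS_HARDENED_EXE) $(AM_CFLAGS)`, and likewise in the cib, crmd, fencing, lrmd, mcp, pengine and lib/* hunks.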
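Review bot: The help text for this option advertises `--with-hardening`, but `AC_ARG_ENABLE` registers `--enable-hardening` / `--disable-hardening`, which is also what the spec file and the comment block later in this patch use. Someone following `./configure --help` would pass an option that never sets `HARDENING`, and the build would quietly stay on the `try` default. The first line of the help string should read `--enable-hardening`, ideally naming the accepted values (`yes`, `no`, `try`).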
AC_MSG_NOTICE(Activated additional gcc flags: ${CC_EXTRAS}) + fi + ++dnl ++dnl Hardening flags ++dnl ++dnl The prime control of whether to apply (targeted) hardening build flags and ++dnl which ones is --{enable,disable}-hardening option passed to ./configure: ++dnl ++dnl --enable-hardening=try (default): ++dnl depending on whether any of CFLAGS_HARDENED_EXE, LDFLAGS_HARDENED_EXE, ++dnl CFLAGS_HARDENED_LIB or LDFLAGS_HARDENED_LIB environment variables ++dnl (see below) is set and non-null, all these custom flags (even if not ++dnl set) are used as are, otherwise the best effort is made to offer ++dnl reasonably strong hardening in several categories (RELRO, PIE, ++dnl "bind now", stack protector) according to what the selected toolchain ++dnl can offer ++dnl ++dnl --enable-hardening: ++dnl same effect as --enable-hardening=try when the environment variables ++dnl in question are suppressed ++dnl ++dnl --disable-hardening: ++dnl do not apply any targeted hardening measures at all ++dnl ++dnl The user-injected environment variables that regulate the hardening in ++dnl default case are as follows: ++dnl ++dnl * CFLAGS_HARDENED_EXE, LDFLAGS_HARDENED_EXE ++dnl compiler and linker flags (respectively) for daemon programs ++dnl (attrd, cib, crmd, lrmd, stonithd, pacemakerd, pacemaker_remoted, ++dnl pengine) ++dnl ++dnl * CFLAGS_HARDENED_LIB, LDFLAGS_HARDENED_LIB ++dnl compiler and linker flags (respectively) for libraries linked ++dnl with the daemon programs ++dnl ++dnl Note that these are purposedly targeted variables (addressing particular ++dnl targets all over the scattered Makefiles) and have no effect outside of ++dnl the predestined scope (e.g., CLI utilities). For a global reach, ++dnl use CFLAGS, LDFLAGS, etc. as usual. 
++dnl ++dnl For guidance on the suitable flags consult, for instance: ++dnl https://fedoraproject.org/wiki/Changes/Harden_All_Packages#Detailed_Harden_Flags_Description ++dnl https://owasp.org/index.php/C-Based_Toolchain_Hardening#GCC.2FBinutils ++dnl ++ ++if test "x${HARDENING}" != "xtry"; then ++ unset CFLAGS_HARDENED_EXE ++ unset CFLAGS_HARDENED_LIB ++ unset LDFLAGS_HARDENED_EXE ++ unset LDFLAGS_HARDENED_LIB ++fi ++if test "x${HARDENING}" = "xno"; then ++ AC_MSG_NOTICE([Hardening: explicitly disabled]) ++elif test "x${HARDENING}" = "xyes" \ ++ || test "$(env | grep -Ec '^(C|LD)FLAGS_HARDENED_(EXE|LIB)=.')" = 0; then ++ dnl We'll figure out on our own... ++ CFLAGS_HARDENED_EXE= ++ CFLAGS_HARDENED_LIB= ++ LDFLAGS_HARDENED_EXE= ++ LDFLAGS_HARDENED_LIB= ++ relro=0 ++ pie=0 ++ bindnow=0 ++ # daemons incl. libs: partial RELRO ++ flag="-Wl,-z,relro" ++ CC_CHECK_LDFLAGS(["${flag}"], ++ [LDFLAGS_HARDENED_EXE="${LDFLAGS_HARDENED_EXE} ${flag}"; ++ LDFLAGS_HARDENED_LIB="${LDFLAGS_HARDENED_LIB} ${flag}"; ++ relro=1] ++ ) ++ # daemons: PIE for both CFLAGS and LDFLAGS ++ if cc_supports_flag -fPIE; then ++ flag="-pie" ++ CC_CHECK_LDFLAGS(["${flag}"], ++ [CFLAGS_HARDENED_EXE="${CFLAGS_HARDENED_EXE} -fPIE"; ++ LDFLAGS_HARDENED_EXE="${LDFLAGS_HARDENED_EXE} ${flag}"; ++ pie=1] ++ ) ++ fi ++ # daemons incl. 
libs: full RELRO if sensible ++ if test "${relro}" = 1 && test "${pie}" = 1; then ++ flag="-Wl,-z,now" ++ CC_CHECK_LDFLAGS(["${flag}"], ++ [LDFLAGS_HARDENED_EXE="${LDFLAGS_HARDENED_EXE} ${flag}"; ++ LDFLAGS_HARDENED_LIB="${LDFLAGS_HARDENED_LIB} ${flag}"; ++ bindnow=1] ++ ) ++ fi ++ # universal: prefer strong > all > default stack protector if possible ++ flag= ++ if cc_supports_flag -fstack-protector-strong; then ++ flag="-fstack-protector-strong" ++ elif cc_supports_flag -fstack-protector-all; then ++ flag="-fstack-protector-all" ++ elif cc_supports_flag -fstack-protector; then ++ flag="-fstack-protector" ++ fi ++ if test -n "${flag}"; then ++ CC_EXTRAS="${CC_EXTRAS} ${flag}" ++ stackprot=1 ++ fi ++ if test "${relro}" = 1 \ ++ || test "${pie}" = 1 \ ++ || test "${stackprot}" = 1; then ++ AC_MSG_NOTICE( ++ [Hardening: relro=${relro} pie=${pie} bindnow=${bindnow} stackprot=${flag}]) ++ else ++ AC_MSG_WARN([Hardening: no suitable features in the toolchain detected]) ++ fi ++else ++ AC_MSG_NOTICE([Hardening: using custom flags]) ++fi ++ + CFLAGS="$CFLAGS $CC_EXTRAS" + + NON_FATAL_CFLAGS="$CFLAGS" +@@ -1978,5 +2097,9 @@ AC_MSG_RESULT([ HA group name = ${CRM_DAEMON_GROUP}]) + AC_MSG_RESULT([ HA user name = ${CRM_DAEMON_USER}]) + AC_MSG_RESULT([]) + AC_MSG_RESULT([ CFLAGS = ${CFLAGS}]) ++AC_MSG_RESULT([ CFLAGS_HARDENED_EXE = ${CFLAGS_HARDENED_EXE}]) ++AC_MSG_RESULT([ CFLAGS_HARDENED_LIB = ${CFLAGS_HARDENED_LIB}]) ++AC_MSG_RESULT([ LDFLAGS_HARDENED_EXE = ${LDFLAGS_HARDENED_EXE}]) ++AC_MSG_RESULT([ LDFLAGS_HARDENED_LIB = ${LDFLAGS_HARDENED_LIB}]) + AC_MSG_RESULT([ Libraries = ${LIBS}]) + AC_MSG_RESULT([ Stack Libraries = ${CLUSTERLIBS}]) +diff --git a/crmd/Makefile.am b/crmd/Makefile.am +index 979e266..6d5ee9a 100644 +--- a/crmd/Makefile.am ++++ b/crmd/Makefile.am +@@ -28,6 +28,9 @@ noinst_HEADERS = crmd.h crmd_fsa.h crmd_messages.h fsa_defines.h \ + fsa_matrix.h fsa_proto.h crmd_utils.h crmd_callbacks.h \ + crmd_lrm.h te_callbacks.h tengine.h + ++crmd_CFLAGS = 
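Review bot: Stack-protector selection lives only inside the auto-detection branch (`elif test "x${HARDENING}" = "xyes" || …`), so with `--disable-hardening`, and also whenever any one of the four `*_HARDENED_*` variables is set, nothing is appended to `CC_EXTRAS`. An earlier hunk of this patch removes the unconditional `-fstack-protector-all` from `EXTRA_FLAGS`, so those builds lose stack protection entirely unless the caller's own `CFLAGS` supply it, even though the commit message calls this measure "universal" and the comment block describes `--disable-hardening` as switching off targeted measures. Either hoist the `cc_supports_flag -fstack-protector-*` chain out of the `elif` so it runs in every mode, or say so in the comment block, e.g. `dnl NOTE: the stack protector is selected only in the auto-detected case; otherwise pass it via CFLAGS`. Also, `stackprot` is tested but never initialised next to `relro=0`, `pie=0` and `bindnow=0`; add `stackprot=0` so an inherited value cannot skew the summary.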
$(CFLAGS_HARDENED_EXE) ++crmd_LDFLAGS = $(LDFLAGS_HARDENED_EXE) ++ + crmd_LDADD = $(top_builddir)/lib/fencing/libstonithd.la \ + $(top_builddir)/lib/transition/libtransitioner.la \ + $(top_builddir)/lib/pengine/libpe_rules.la \ +diff --git a/fencing/Makefile.am b/fencing/Makefile.am +index 1d591fc..c53ead6 100644 +--- a/fencing/Makefile.am ++++ b/fencing/Makefile.am +@@ -52,6 +52,9 @@ stonith_admin_LDADD = $(top_builddir)/lib/common/libcrmcommon.la \ + stonithd_CPPFLAGS = -I$(top_srcdir)/pengine $(AM_CPPFLAGS) + stonithd_YFLAGS = -d + ++stonithd_CFLAGS = $(CFLAGS_HARDENED_EXE) ++stonithd_LDFLAGS = $(LDFLAGS_HARDENED_EXE) ++ + stonithd_LDADD = $(top_builddir)/lib/common/libcrmcommon.la \ + $(top_builddir)/lib/cluster/libcrmcluster.la \ + $(top_builddir)/lib/fencing/libstonithd.la \ +diff --git a/lib/cib/Makefile.am b/lib/cib/Makefile.am +index e414a7f..637ea8c 100644 +--- a/lib/cib/Makefile.am ++++ b/lib/cib/Makefile.am +@@ -27,6 +27,9 @@ libcib_la_SOURCES += cib_file.c cib_remote.c + libcib_la_LDFLAGS = -version-info 5:1:1 + libcib_la_CPPFLAGS = -I$(top_srcdir) $(AM_CPPFLAGS) + ++libcib_la_CFLAGS = $(CFLAGS_HARDENED_LIB) ++libcib_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB) ++ + libcib_la_LIBADD = $(CRYPTOLIB) $(top_builddir)/lib/pengine/libpe_rules.la $(top_builddir)/lib/common/libcrmcommon.la + + clean-generic: +diff --git a/lib/cluster/Makefile.am b/lib/cluster/Makefile.am +index 06d7066..9a57bbb 100644 +--- a/lib/cluster/Makefile.am ++++ b/lib/cluster/Makefile.am +@@ -21,6 +21,10 @@ include $(top_srcdir)/Makefile.common + lib_LTLIBRARIES = libcrmcluster.la + + libcrmcluster_la_LDFLAGS = -version-info 6:0:2 ++ ++libcrmcluster_la_CFLAGS = $(CFLAGS_HARDENED_LIB) ++libcrmcluster_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB) ++ + libcrmcluster_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la $(top_builddir)/lib/fencing/libstonithd.la $(CLUSTERLIBS) + + libcrmcluster_la_SOURCES = election.c cluster.c membership.c +diff --git a/lib/common/Makefile.am b/lib/common/Makefile.am 
+index 7550ec1..0e1ad29 100644 +--- a/lib/common/Makefile.am ++++ b/lib/common/Makefile.am +@@ -32,6 +32,10 @@ lib_LTLIBRARIES = libcrmcommon.la + CFLAGS = $(CFLAGS_COPY:-Wcast-qual=) -fPIC + + libcrmcommon_la_LDFLAGS = -version-info 9:0:6 ++ ++libcrmcommon_la_CFLAGS = $(CFLAGS_HARDENED_LIB) ++libcrmcommon_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB) ++ + libcrmcommon_la_LIBADD = @LIBADD_DL@ $(GNUTLSLIBS) -lm + + libcrmcommon_la_SOURCES = compat.c digest.c ipc.c io.c procfs.c utils.c xml.c \ +diff --git a/lib/fencing/Makefile.am b/lib/fencing/Makefile.am +index 85ae40a..dc15799 100644 +--- a/lib/fencing/Makefile.am ++++ b/lib/fencing/Makefile.am +@@ -21,5 +21,9 @@ include $(top_srcdir)/Makefile.common + lib_LTLIBRARIES = libstonithd.la + + libstonithd_la_LDFLAGS = -version-info 4:1:2 ++ ++libstonithd_la_CFLAGS = $(CFLAGS_HARDENED_LIB) ++libstonithd_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB) ++ + libstonithd_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la + libstonithd_la_SOURCES = st_client.c +diff --git a/lib/lrmd/Makefile.am b/lib/lrmd/Makefile.am +index 25f3d55..611675e 100644 +--- a/lib/lrmd/Makefile.am ++++ b/lib/lrmd/Makefile.am +@@ -19,6 +19,10 @@ include $(top_srcdir)/Makefile.common + lib_LTLIBRARIES = liblrmd.la + + liblrmd_la_LDFLAGS = -version-info 4:0:3 ++ ++liblrmd_la_CFLAGS = $(CFLAGS_HARDENED_LIB) ++liblrmd_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB) ++ + liblrmd_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la \ + $(top_builddir)/lib/services/libcrmservice.la \ + $(top_builddir)/lib/fencing/libstonithd.la +diff --git a/lib/pengine/Makefile.am b/lib/pengine/Makefile.am +index de760c3..ad5c5c3 100644 +--- a/lib/pengine/Makefile.am ++++ b/lib/pengine/Makefile.am +@@ -24,10 +24,18 @@ lib_LTLIBRARIES = libpe_rules.la libpe_status.la + noinst_HEADERS = unpack.h variant.h + + libpe_rules_la_LDFLAGS = -version-info 2:6:0 ++ ++libpe_rules_la_CFLAGS = $(CFLAGS_HARDENED_LIB) ++libpe_rules_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB) ++ + libpe_rules_la_LIBADD = 
$(top_builddir)/lib/common/libcrmcommon.la + libpe_rules_la_SOURCES = rules.c common.c + + libpe_status_la_LDFLAGS = -version-info 11:0:1 ++ ++libpe_status_la_CFLAGS = $(CFLAGS_HARDENED_LIB) ++libpe_status_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB) ++ + libpe_status_la_LIBADD = @CURSESLIBS@ $(top_builddir)/lib/common/libcrmcommon.la + libpe_status_la_SOURCES = status.c unpack.c utils.c complex.c native.c \ + group.c clone.c rules.c common.c remote.c +diff --git a/lib/services/Makefile.am b/lib/services/Makefile.am +index c789fbd..b3208c2 100644 +--- a/lib/services/Makefile.am ++++ b/lib/services/Makefile.am +@@ -27,6 +27,9 @@ libcrmservice_la_LDFLAGS = -version-info 4:1:1 + libcrmservice_la_CPPFLAGS = -DOCF_ROOT_DIR=\"@OCF_ROOT_DIR@\" $(AM_CPPFLAGS) + libcrmservice_la_CFLAGS = $(GIO_CFLAGS) + ++libcrmservice_la_CFLAGS += $(CFLAGS_HARDENED_LIB) ++libcrmservice_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB) ++ + libcrmservice_la_LIBADD = $(GIO_LIBS) $(top_builddir)/lib/common/libcrmcommon.la $(DBUS_LIBS) + + libcrmservice_la_SOURCES = services.c services_linux.c +diff --git a/lib/transition/Makefile.am b/lib/transition/Makefile.am +index 9bc039e..4d6cd23 100644 +--- a/lib/transition/Makefile.am ++++ b/lib/transition/Makefile.am +@@ -25,6 +25,9 @@ lib_LTLIBRARIES = libtransitioner.la + libtransitioner_la_LDFLAGS = -version-info 2:5:0 + libtransitioner_la_CPPFLAGS = -I$(top_builddir) $(AM_CPPFLAGS) + ++libtransitioner_la_CFLAGS = $(CFLAGS_HARDENED_LIB) ++libtransitioner_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB) ++ + libtransitioner_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la + libtransitioner_la_SOURCES = unpack.c graph.c utils.c + +diff --git a/lrmd/Makefile.am b/lrmd/Makefile.am +index 64df105..5846503 100644 +--- a/lrmd/Makefile.am ++++ b/lrmd/Makefile.am +@@ -30,6 +30,9 @@ if BUILD_SYSTEMD + systemdunit_DATA = pacemaker_remote.service + endif + ++lrmd_CFLAGS = $(CFLAGS_HARDENED_EXE) ++lrmd_LDFLAGS = $(LDFLAGS_HARDENED_EXE) ++ + lrmd_LDADD = 
$(top_builddir)/lib/common/libcrmcommon.la \ + $(top_builddir)/lib/services/libcrmservice.la \ + $(top_builddir)/lib/lrmd/liblrmd.la \ +@@ -38,6 +41,9 @@ lrmd_SOURCES = main.c lrmd.c + + pacemaker_remoted_CPPFLAGS = -DSUPPORT_REMOTE $(AM_CPPFLAGS) + ++pacemaker_remoted_CFLAGS = $(CFLAGS_HARDENED_EXE) ++pacemaker_remoted_LDFLAGS = $(LDFLAGS_HARDENED_EXE) ++ + pacemaker_remoted_LDADD = $(lrmd_LDADD) + pacemaker_remoted_SOURCES = main.c lrmd.c tls_backend.c ipc_proxy.c + +diff --git a/mcp/Makefile.am b/mcp/Makefile.am +index 195530a..074d251 100644 +--- a/mcp/Makefile.am ++++ b/mcp/Makefile.am +@@ -31,6 +31,9 @@ endif + + noinst_HEADERS = pacemaker.h + ++pacemakerd_CFLAGS = $(CFLAGS_HARDENED_EXE) ++pacemakerd_LDFLAGS = $(LDFLAGS_HARDENED_EXE) ++ + pacemakerd_LDADD = $(top_builddir)/lib/cluster/libcrmcluster.la $(top_builddir)/lib/common/libcrmcommon.la + pacemakerd_LDADD += $(CLUSTERLIBS) + pacemakerd_SOURCES = pacemaker.c corosync.c +diff --git a/pacemaker.spec.in b/pacemaker.spec.in +index 6024514..a607588 100644 +--- a/pacemaker.spec.in ++++ b/pacemaker.spec.in +@@ -63,6 +63,9 @@ + # Turn off cman support on platforms that normally ship with it + %bcond_without cman + ++# Turn off hardening of libraries and daemon executables ++%bcond_without hardening ++ + %if %{with profiling} + # This disables -debuginfo package creation and also the stripping binaries/libraries + # Useful if you want sane profiling data +@@ -168,6 +171,7 @@ resource health. + + Available rpmbuild rebuild options: + --with(out) : cman stonithd doc coverage profiling pre_release upstart_job ++ hardening + + %package cli + License: GPLv2+ and LGPLv2+ +@@ -301,6 +305,18 @@ find . -exec touch \{\} \; + # Early versions of autotools (e.g. 
RHEL <= 5) do not support --docdir + export docdir=%{pcmk_docdir} + ++%if %{with hardening} ++# prefer distro-provided hardening flags in case they are defined ++# through _hardening_{c,ld}flags macros, configure script will ++# use its own defaults otherwise; if such hardenings are completely ++# undesired, rpmbuild using "--without hardening" ++# (or "--define '_without_hardening 1'") ++export CFLAGS_HARDENED_EXE="%{?_hardening_cflags}" ++export CFLAGS_HARDENED_LIB="%{?_hardening_cflags}" ++export LDFLAGS_HARDENED_EXE="%{?_hardening_ldflags}" ++export LDFLAGS_HARDENED_LIB="%{?_hardening_ldflags}" ++%endif ++ + ./autogen.sh + + %{configure} \ +@@ -309,6 +325,7 @@ export docdir=%{pcmk_docdir} + %{!?with_cman: --without-cman} \ + --without-heartbeat \ + %{!?with_doc: --with-brand=} \ ++ %{!?with_hardening: --disable-hardening} \ + --with-initdir=%{_initrddir} \ + --localstatedir=%{_var} \ + --with-version=%{version}-%{release} +diff --git a/pengine/Makefile.am b/pengine/Makefile.am +index 96c914f..d4dbfb9 100644 +--- a/pengine/Makefile.am ++++ b/pengine/Makefile.am +@@ -61,12 +61,18 @@ endif + noinst_HEADERS = allocate.h utils.h pengine.h + + libpengine_la_LDFLAGS = -version-info 11:0:1 ++ ++libpengine_la_CFLAGS = $(CFLAGS_HARDENED_LIB) ++libpengine_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB) ++ + libpengine_la_LIBADD = $(top_builddir)/lib/pengine/libpe_status.la \ + $(top_builddir)/lib/cib/libcib.la + # -L$(top_builddir)/lib/pils -lpils -export-dynamic -module -avoid-version + libpengine_la_SOURCES = pengine.c allocate.c utils.c constraints.c + libpengine_la_SOURCES += native.c group.c clone.c master.c graph.c utilization.c + ++pengine_CFLAGS = $(CFLAGS_HARDENED_EXE) ++pengine_LDFLAGS = $(LDFLAGS_HARDENED_EXE) + pengine_LDADD = $(top_builddir)/lib/cib/libcib.la $(COMMONLIBS) + # libcib for get_object_root() + # $(top_builddir)/lib/hbclient/libhbclient.la +-- +1.8.3.1 + + +From 35ec27112452f2bd06ae8b395d8543db935e2b05 Mon Sep 17 00:00:00 2001 +From: 
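Review bot: The comment above the four `export` lines says configure "will use its own defaults otherwise", but that holds only when both `_hardening_cflags` and `_hardening_ldflags` are undefined or empty. Per the configure.ac logic in this patch, a single non-empty `*_HARDENED_*` variable switches to the custom-flags path where all four are used as given, so a distribution defining only one of the two macros would get empty flags for the other side and no auto-detected RELRO/PIE. I would spell that out, e.g. `# NOTE: if only one of the two macros is defined, the other set of flags stays empty (configure does no detection then)`. The identical block in the pacemaker.spec hunk further down carries the same wording.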
=?UTF-8?q?Jan=20Pokorn=C3=BD?= +Date: Wed, 22 Jun 2016 15:18:00 +0200 +Subject: [PATCH 2/2] Build: configure.ac: prefer as-needed linking in case of + "-z now" + +Slight optimization of a default toolchain-flags-based hardening. +--- + configure.ac | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index edf6a91..4beb877 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1914,7 +1914,10 @@ elif test "x${HARDENING}" = "xyes" \ + pie=1] + ) + fi +- # daemons incl. libs: full RELRO if sensible ++ # daemons incl. libs: full RELRO if sensible + as-needed linking ++ # so as to possibly mitigate startup performance ++ # hit caused by excessive linking with unneeded ++ # libraries + if test "${relro}" = 1 && test "${pie}" = 1; then + flag="-Wl,-z,now" + CC_CHECK_LDFLAGS(["${flag}"], +@@ -1923,6 +1926,13 @@ elif test "x${HARDENING}" = "xyes" \ + bindnow=1] + ) + fi ++ if test "${bindnow}" = 1; then ++ flag="-Wl,--as-needed" ++ CC_CHECK_LDFLAGS(["${flag}"], ++ [LDFLAGS_HARDENED_EXE="${LDFLAGS_HARDENED_EXE} ${flag}"; ++ LDFLAGS_HARDENED_LIB="${LDFLAGS_HARDENED_LIB} ${flag}"] ++ ) ++ fi + # universal: prefer strong > all > default stack protector if possible + flag= + if cc_supports_flag -fstack-protector-strong; then +-- +1.8.3.1 + diff --git a/pacemaker.spec b/pacemaker.spec index 6eb41f8..8729105 100644 --- a/pacemaker.spec +++ b/pacemaker.spec @@ -2,7 +2,7 @@ %global uname hacluster %global pcmk_docdir %{_docdir}/%{name} -%global specversion 1 +%global specversion 2 %global pcmkversion 1.1.15 # set following to the actual commit or, for final release, concatenate # "pcmkversion" macro to "Pacemaker-" (will yield a tag per the convention) 
@@ -52,6 +52,9 @@ # Ship an Upstart job file %bcond_with upstart_job +# Turn off hardening of libraries and daemon executables +%bcond_without hardening + %if %{with profiling} # This disables -debuginfo package creation and also the stripping binaries/libraries # Useful if you want sane profiling data @@ -82,6 +85,9 @@ Group: System Environment/Daemons Source0: https://github.com/%{github_owner}/%{name}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz Source1: https://github.com/%{github_owner}/%{nagios_name}/archive/%{nagios_hash}/%{nagios_name}-%{nagios_hash}.tar.gz +Patch1: 001-makefile-cleanup.patch +Patch2: 002-build-cleanup.patch +Patch3: 003-harden-toolchain.patch # --- # keep following commented out for now #Patch100: bz1179335-system-wide-crypto-policies.patch @@ -133,6 +139,9 @@ BuildRequires: publican inkscape asciidoc %endif +# git-style patch application +BuildRequires: git + %description Pacemaker is an advanced, scalable High-Availability cluster resource manager for Corosync, CMAN and/or Linux-HA. @@ -145,7 +154,7 @@ when related resources fail and can be configured to periodically check resource health. Available rpmbuild rebuild options: - --with(out) : doc coverage profiling upstart_job + --with(out) : doc coverage profiling upstart_job pre_release hardening %package cli License: GPLv2+ and LGPLv2+ @@ -267,6 +276,8 @@ monitor resources. %prep %setup -q -a 1 -n %{name}-%{commit} +%global __scm git +%__scm_setup_git %autopatch -p1 # Force the local time 
@@ -282,12 +293,25 @@ find . -exec touch \{\} \; # Early versions of autotools (e.g. RHEL <= 5) do not support --docdir export docdir=%{pcmk_docdir} +%if %{with hardening} +# prefer distro-provided hardening flags in case they are defined +# through _hardening_{c,ld}flags macros, configure script will +# use its own defaults otherwise; if such hardenings are completely +# undesired, rpmbuild using "--without hardening" +# (or "--define '_without_hardening 1'") +export CFLAGS_HARDENED_EXE="%{?_hardening_cflags}" +export CFLAGS_HARDENED_LIB="%{?_hardening_cflags}" +export LDFLAGS_HARDENED_EXE="%{?_hardening_ldflags}" +export LDFLAGS_HARDENED_LIB="%{?_hardening_ldflags}" +%endif + ./autogen.sh %{configure} \ %{?with_profiling: --with-profiling} \ %{?with_coverage: --with-coverage} \ %{!?with_doc: --with-brand=} \ + %{!?with_hardening: --disable-hardening} \ --with-initdir=%{_initrddir} \ --localstatedir=%{_var} \ --with-version=%{version}-%{release} \ @@ -608,6 +632,13 @@ exit 0 %attr(0644,root,root) %{_datadir}/pacemaker/nagios/plugins-metadata/* %changelog +* Thu Jul 07 2016 Jan Pokorný - 1.1.15-2 +- Stop building with -fstack-protector-all using the upstream patches + overhauling toolchain hardening (Fedora natively uses + -fstack-protector-strong so this effectively relaxed stack protection + is the only effect as hardened flags are already used by default: + https://fedoraproject.org/wiki/Changes/Harden_All_Packages) + * Wed Jun 22 2016 Jan Pokorný - 1.1.15-1 - Update for new upstream tarball: Pacemaker-1.1.15, for full details, see included ChangeLog file or