!46 回合上游patch: storage-mon: Add logging to daemon mode.

From: @bixiaoyan1 
Reviewed-by: @xiangbudaomz 
Signed-off-by: @xiangbudaomz

AWS-agents-use-curl_retry.patch

@@ -0,0 +1,291 @@
+From 80d330557319bdae9e45aad1279e435fc481d4e7 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Tue, 6 Feb 2024 13:28:25 +0100
+Subject: [PATCH 3/3] AWS agents: use curl_retry()
+
+---
+ heartbeat/aws-vpc-move-ip    | 35 ++++++++++++++++++++++++++---------
+ heartbeat/aws-vpc-route53.in | 27 +++++++++++++++++++++++++--
+ heartbeat/awseip             | 36 +++++++++++++++++++++++++++++++-----
+ heartbeat/awsvip             | 32 ++++++++++++++++++++++++++++----
+ 4 files changed, 110 insertions(+), 20 deletions(-)
+
+diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
+index 54806f6e..6115e5ba 100755
+--- a/heartbeat/aws-vpc-move-ip
++++ b/heartbeat/aws-vpc-move-ip
+@@ -47,6 +47,8 @@ OCF_RESKEY_interface_default="eth0"
+ OCF_RESKEY_iflabel_default=""
+ OCF_RESKEY_monapi_default="false"
+ OCF_RESKEY_lookup_type_default="InstanceId"
++OCF_RESKEY_curl_retries_default="3"
++OCF_RESKEY_curl_sleep_default="1"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+ : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+@@ -60,6 +62,8 @@ OCF_RESKEY_lookup_type_default="InstanceId"
+ : ${OCF_RESKEY_iflabel=${OCF_RESKEY_iflabel_default}}
+ : ${OCF_RESKEY_monapi=${OCF_RESKEY_monapi_default}}
+ : ${OCF_RESKEY_lookup_type=${OCF_RESKEY_lookup_type_default}}
++: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
++: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
+ #######################################################################
+ 
+ 
+@@ -194,6 +198,22 @@ Name of resource type to lookup in route table.
+ <content type="string" default="${OCF_RESKEY_lookup_type_default}" />
+ </parameter>
+ 
++<parameter name="curl_retries" unique="0">
++<longdesc lang="en">
++curl retries before failing
++</longdesc>
++<shortdesc lang="en">curl retries</shortdesc>
++<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
++</parameter>
++
++<parameter name="curl_sleep" unique="0">
++<longdesc lang="en">
++curl sleep between tries
++</longdesc>
++<shortdesc lang="en">curl sleep</shortdesc>
++<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
++</parameter>
++
+ </parameters>
+ 
+ <actions>
+@@ -250,8 +270,10 @@ ec2ip_validate() {
+ 		fi
+ 	fi
+ 
+-	TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+-	EC2_INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
++	TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
++	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
++	EC2_INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
++	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ 
+ 	if [ -z "${EC2_INSTANCE_ID}" ]; then
+ 		ocf_exit_reason "Instance ID not found. Is this a EC2 instance?"
+@@ -365,14 +387,9 @@ ec2ip_get_instance_eni() {
+ 	fi
+ 	ocf_log debug "MAC address associated with interface ${OCF_RESKEY_interface}: ${MAC_ADDR}"
+ 
+-	cmd="curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDR}/interface-id -H \"X-aws-ec2-metadata-token: $TOKEN\""
+-	ocf_log debug "executing command: $cmd"
++	cmd="curl_retry \"$OCF_RESKEY_curl_retries\" \"$OCF_RESKEY_curl_sleep\" \"--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'\" \"http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDR}/interface-id\""
+ 	EC2_NETWORK_INTERFACE_ID="$(eval $cmd)"
+-	rc=$?
+-	if [ $rc != 0 ]; then
+-		ocf_log warn "command failed, rc: $rc"
+-		return $OCF_ERR_GENERIC
+-	fi
++	[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ 	ocf_log debug "network interface id associated MAC address ${MAC_ADDR}: ${EC2_NETWORK_INTERFACE_ID}"
+ 	echo $EC2_NETWORK_INTERFACE_ID
+ }
+diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
+index 18ab157e..eba2ed95 100644
+--- a/heartbeat/aws-vpc-route53.in
++++ b/heartbeat/aws-vpc-route53.in
+@@ -53,6 +53,8 @@ OCF_RESKEY_hostedzoneid_default=""
+ OCF_RESKEY_fullname_default=""
+ OCF_RESKEY_ip_default="local"
+ OCF_RESKEY_ttl_default=10
++OCF_RESKEY_curl_retries_default="3"
++OCF_RESKEY_curl_sleep_default="1"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+ : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+@@ -62,6 +64,8 @@ OCF_RESKEY_ttl_default=10
+ : ${OCF_RESKEY_fullname:=${OCF_RESKEY_fullname_default}}
+ : ${OCF_RESKEY_ip:=${OCF_RESKEY_ip_default}}
+ : ${OCF_RESKEY_ttl:=${OCF_RESKEY_ttl_default}}
++: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
++: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
+ 
+ usage() {
+ 	cat <<-EOT
+@@ -185,6 +189,22 @@ Time to live for Route53 ARECORD
+ <shortdesc lang="en">ARECORD TTL</shortdesc>
+ <content type="string" default="${OCF_RESKEY_ttl_default}" />
+ </parameter>
++
++<parameter name="curl_retries" unique="0">
++<longdesc lang="en">
++curl retries before failing
++</longdesc>
++<shortdesc lang="en">curl retries</shortdesc>
++<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
++</parameter>
++
++<parameter name="curl_sleep" unique="0">
++<longdesc lang="en">
++curl sleep between tries
++</longdesc>
++<shortdesc lang="en">curl sleep</shortdesc>
++<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
++</parameter>
+ </parameters>
+ 
+ <actions>
+@@ -357,8 +377,11 @@ r53_monitor() {
+ _get_ip() {
+ 	case $OCF_RESKEY_ip in
+ 		local|public)
+-			TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+-			IPADDRESS=$(curl -s http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4 -H "X-aws-ec2-metadata-token: $TOKEN");;
++			TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
++			[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
++			IPADDRESS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/${OCF_RESKEY_ip}-ipv4")
++			[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
++			;;
+ 		*.*.*.*)
+ 			IPADDRESS="${OCF_RESKEY_ip}";;
+ 	esac
+diff --git a/heartbeat/awseip b/heartbeat/awseip
+index 49b0ca61..ffb6223a 100755
+--- a/heartbeat/awseip
++++ b/heartbeat/awseip
+@@ -49,12 +49,16 @@ OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
+ OCF_RESKEY_region_default=""
+ OCF_RESKEY_api_delay_default="3"
++OCF_RESKEY_curl_retries_default="3"
++OCF_RESKEY_curl_sleep_default="1"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+ : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
+ : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
++: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
++: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
+ 
+ meta_data() {
+     cat <<END
+@@ -141,6 +145,22 @@ a short delay between API calls, to avoid sending API too quick
+ <content type="integer" default="${OCF_RESKEY_api_delay_default}" />
+ </parameter>
+ 
++<parameter name="curl_retries" unique="0">
++<longdesc lang="en">
++curl retries before failing
++</longdesc>
++<shortdesc lang="en">curl retries</shortdesc>
++<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
++</parameter>
++
++<parameter name="curl_sleep" unique="0">
++<longdesc lang="en">
++curl sleep between tries
++</longdesc>
++<shortdesc lang="en">curl sleep</shortdesc>
++<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
++</parameter>
++
+ </parameters>
+ 
+ <actions>
+@@ -171,14 +191,18 @@ awseip_start() {
+     awseip_monitor && return $OCF_SUCCESS
+ 
+     if [ -n "${PRIVATE_IP_ADDRESS}" ]; then
+-        NETWORK_INTERFACES_MACS=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/ -H "X-aws-ec2-metadata-token: $TOKEN")
++        NETWORK_INTERFACES_MACS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "-s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/")
+         for MAC in ${NETWORK_INTERFACES_MACS}; do
+-            curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/local-ipv4s -H "X-aws-ec2-metadata-token: $TOKEN" |
++            curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "-s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC%/*}/local-ipv4s" |
+                 grep -q "^${PRIVATE_IP_ADDRESS}$"
+             if [ $? -eq 0 ]; then
+-                NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
++                NETWORK_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "-s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC%/*}/interface-id")
+             fi
+         done
++        if [ -z "$NETWORK_ID" ]; then
++            ocf_exit_reason "Could not find network interface for private_ip_address: $PRIVATE_IP_ADDRESS"
++            exit $OCF_ERR_GENERIC
++        fi
+         $AWSCLI_CMD ec2 associate-address  \
+             --network-interface-id ${NETWORK_ID} \
+             --allocation-id ${ALLOCATION_ID} \
+@@ -282,8 +306,10 @@ fi
+ ELASTIC_IP="${OCF_RESKEY_elastic_ip}"
+ ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
+ PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
+-TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+-INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
++TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
++[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
++INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
++[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ 
+ case $__OCF_ACTION in
+     start)
+diff --git a/heartbeat/awsvip b/heartbeat/awsvip
+index bdb4d68d..f2b238a0 100755
+--- a/heartbeat/awsvip
++++ b/heartbeat/awsvip
+@@ -48,12 +48,16 @@ OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
+ OCF_RESKEY_region_default=""
+ OCF_RESKEY_api_delay_default="3"
++OCF_RESKEY_curl_retries_default="3"
++OCF_RESKEY_curl_sleep_default="1"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
+ : ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
+ : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
++: ${OCF_RESKEY_curl_retries=${OCF_RESKEY_curl_retries_default}}
++: ${OCF_RESKEY_curl_sleep=${OCF_RESKEY_curl_sleep_default}}
+ 
+ meta_data() {
+     cat <<END
+@@ -124,6 +128,22 @@ a short delay between API calls, to avoid sending API too quick
+ <content type="integer" default="${OCF_RESKEY_api_delay_default}" />
+ </parameter>
+ 
++<parameter name="curl_retries" unique="0">
++<longdesc lang="en">
++curl retries before failing
++</longdesc>
++<shortdesc lang="en">curl retries</shortdesc>
++<content type="integer" default="${OCF_RESKEY_curl_retries_default}" />
++</parameter>
++
++<parameter name="curl_sleep" unique="0">
++<longdesc lang="en">
++curl sleep between tries
++</longdesc>
++<shortdesc lang="en">curl sleep</shortdesc>
++<content type="integer" default="${OCF_RESKEY_curl_sleep_default}" />
++</parameter>
++
+ </parameters>
+ 
+ <actions>
+@@ -246,10 +266,14 @@ if [ -n "${OCF_RESKEY_region}" ]; then
+ 	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
+ fi
+ SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
+-TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+-INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
+-MAC_ADDRESS=$(curl -s http://169.254.169.254/latest/meta-data/mac -H "X-aws-ec2-metadata-token: $TOKEN")
+-NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDRESS}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
++TOKEN=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600'" "http://169.254.169.254/latest/api/token")
++[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
++INSTANCE_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/instance-id")
++[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
++MAC_ADDRESS=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/mac")
++[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
++NETWORK_ID=$(curl_retry "$OCF_RESKEY_curl_retries" "$OCF_RESKEY_curl_sleep" "--show-error -s -H 'X-aws-ec2-metadata-token: $TOKEN'" "http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC_ADDRESS}/interface-id")
++[ $? -ne 0 ] && exit $OCF_ERR_GENERIC
+ 
+ case $__OCF_ACTION in
+     start)
+-- 
+2.33.0
+

Filesystem-fail-when-incorrect-device-mounted-on-mou.patch

@@ -0,0 +1,113 @@
+From 66a5308d2e8f61093716a076f4386416dc18045c Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Mon, 22 Apr 2024 11:26:09 +0200
+Subject: [PATCH] Filesystem: fail when incorrect device mounted on mountpoint,
+ and dont unmount the mountpoint in this case, or if mountpoint set to "/"
+
+---
+ heartbeat/Filesystem | 71 ++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 58 insertions(+), 13 deletions(-)
+
+diff --git a/heartbeat/Filesystem b/heartbeat/Filesystem
+index e1378f78..cec71f1a 100755
+--- a/heartbeat/Filesystem
++++ b/heartbeat/Filesystem
+@@ -582,10 +582,16 @@ Filesystem_start()
+ 	fi
+ 
+ 	# See if the device is already mounted.
+-	if Filesystem_status >/dev/null 2>&1 ; then
+-		ocf_log info "Filesystem $MOUNTPOINT is already mounted."
+-		return $OCF_SUCCESS
+-	fi
++	Filesystem_status
++	case "$?" in
++		$OCF_SUCCESS)
++			ocf_log info "Filesystem $MOUNTPOINT is already mounted."
++			return $OCF_SUCCESS
++			;;
++		$OCF_ERR_CONFIGURED)
++			return $OCF_ERR_CONFIGURED
++			;;
++	esac
+ 
+ 	fstype_supported || exit $OCF_ERR_INSTALLED
+ 
+@@ -801,10 +807,42 @@ Filesystem_stop()
+ #
+ Filesystem_status()
+ {
+-	match_string="${TAB}${CANONICALIZED_MOUNTPOINT}${TAB}"
+-	if list_mounts | grep "$match_string" >/dev/null 2>&1; then
+-		rc=$OCF_SUCCESS
+-		msg="$MOUNTPOINT is mounted (running)"
++	local match_string="${TAB}${CANONICALIZED_MOUNTPOINT}${TAB}"
++	local mounted_device=$(list_mounts | grep "$match_string" | awk '{print $1}')
++
++	if [ -n "$mounted_device" ]; then
++		if [ "X$blockdevice" = "Xyes" ]; then
++			if [ -e "$DEVICE" ] ; then
++				local canonicalized_device="$(readlink -f "$DEVICE")"
++				if [ $? -ne 0 ]; then
++					ocf_exit_reason "Could not canonicalize $DEVICE because readlink failed"
++					exit $OCF_ERR_GENERIC
++				fi
++			else
++				local canonicalized_device="$DEVICE"
++			fi
++			if [ -e "$mounted_device" ] ; then
++				local canonicalized_mounted_device="$(readlink -f "$mounted_device")"
++				if [ $? -ne 0 ]; then
++					ocf_exit_reason "Could not canonicalize $mounted_device because readlink failed"
++					exit $OCF_ERR_GENERIC
++				fi
++			else
++				local canonicalized_mounted_device="$mounted_device"
++			fi
++			if [ "$canonicalized_device" != "$canonicalized_mounted_device" ]; then
++				if ocf_is_probe || [ "$__OCF_ACTION" = "stop" ]; then
++					ocf_log debug "Another device ($mounted_device) is already mounted on $MOUNTPOINT"
++					rc=$OCF_NOT_RUNNING
++				else
++					ocf_exit_reason "Another device ($mounted_device) is already mounted on $MOUNTPOINT"
++					rc=$OCF_ERR_CONFIGURED
++				fi
++			fi
++		else
++			rc=$OCF_SUCCESS
++			msg="$MOUNTPOINT is mounted (running)"
++		fi
+ 	else
+ 		rc=$OCF_NOT_RUNNING
+ 		msg="$MOUNTPOINT is unmounted (stopped)"
+@@ -1041,9 +1079,18 @@ else
+ 	else
+ 		CANONICALIZED_MOUNTPOINT="$MOUNTPOINT"
+ 	fi
+-	# At this stage, $MOUNTPOINT does not contain trailing "/" unless it is "/"
+-	# TODO: / mounted via Filesystem sounds dangerous. On stop, we'll
+-	# kill the whole system. Is that a good idea?
++
++	if echo "$CANONICALIZED_MOUNTPOINT" | grep -q "^\s*/\s*$"; then
++		if ocf_is_probe; then
++			ocf_log debug "/ cannot be managed in a cluster"
++			exit $OCF_NOT_RUNNING
++		elif [ "$__OCF_ACTION" = "start" ] || [ "$__OCF_ACTION" = "monitor" ] || [ "$__OCF_ACTION" = "status" ]; then
++			ocf_exit_reason "/ cannot be managed in a cluster"
++			exit $OCF_ERR_CONFIGURED
++		elif [ "$__OCF_ACTION" = "stop" ]; then
++			exit $OCF_SUCCESS
++		fi
++	fi
+ fi
+ 
+ # Check to make sure the utilites are found
+@@ -1124,5 +1171,3 @@ case $OP in
+ 		;;
+ 	esac
+ exit $?
+-
+-
+-- 
+2.25.1
+

aws-vpc-move-ip-aws-vpc-route53-awseip-awsvip-add-au.patch

@@ -0,0 +1,558 @@
+From f45f76600a7e02c860566db7d1350dc3b09449c2 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Mon, 6 Nov 2023 15:49:44 +0100
+Subject: [PATCH] aws-vpc-move-ip/aws-vpc-route53/awseip/awsvip: add auth_type
+ parameter and AWS Policy based authentication type
+
+---
+ heartbeat/aws-vpc-move-ip    | 43 +++++++++++++++++++----
+ heartbeat/aws-vpc-route53.in | 47 ++++++++++++++++++++-----
+ heartbeat/awseip             | 68 +++++++++++++++++++++++++++---------
+ heartbeat/awsvip             | 60 ++++++++++++++++++++++++-------
+ 4 files changed, 173 insertions(+), 45 deletions(-)
+
+diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
+index dee04030..54806f6e 100755
+--- a/heartbeat/aws-vpc-move-ip
++++ b/heartbeat/aws-vpc-move-ip
+@@ -36,6 +36,7 @@
+ 
+ # Defaults
+ OCF_RESKEY_awscli_default="/usr/bin/aws"
++OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
+ OCF_RESKEY_region_default=""
+ OCF_RESKEY_ip_default=""
+@@ -48,6 +49,7 @@ OCF_RESKEY_monapi_default="false"
+ OCF_RESKEY_lookup_type_default="InstanceId"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
++: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
+ : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_ip=${OCF_RESKEY_ip_default}}
+@@ -58,8 +60,6 @@ OCF_RESKEY_lookup_type_default="InstanceId"
+ : ${OCF_RESKEY_iflabel=${OCF_RESKEY_iflabel_default}}
+ : ${OCF_RESKEY_monapi=${OCF_RESKEY_monapi_default}}
+ : ${OCF_RESKEY_lookup_type=${OCF_RESKEY_lookup_type_default}}
+-
+-[ -n "$OCF_RESKEY_region" ] && region_opt="--region $OCF_RESKEY_region"
+ #######################################################################
+ 
+ 
+@@ -83,6 +83,10 @@ cat <<END
+ <longdesc lang="en">
+ Resource Agent to move IP addresses within a VPC of the Amazon Webservices EC2
+ by changing an entry in an specific routing table
++
++Credentials needs to be setup by running "aws configure", or by using AWS Policies.
++
++See https://aws.amazon.com/cli/ for more information about awscli.
+ </longdesc>
+ <shortdesc lang="en">Move IP within a VPC of the AWS EC2</shortdesc>
+ 
+@@ -95,6 +99,15 @@ Path to command line tools for AWS
+ <content type="string" default="${OCF_RESKEY_awscli_default}" />
+ </parameter>
+ 
++<parameter name="auth_type">
++<longdesc lang="en">
++Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
++or "role" to use AWS Policies.
++</longdesc>
++<shortdesc lang="en">Authentication type</shortdesc>
++<content type="string" default="${OCF_RESKEY_auth_type_default}" />
++</parameter>
++
+ <parameter name="profile">
+ <longdesc lang="en">
+ Valid AWS CLI profile name (see ~/.aws/config and 'aws configure')
+@@ -198,7 +211,7 @@ END
+ execute_cmd_as_role(){
+ 	cmd=$1
+ 	role=$2
+-	output="$($OCF_RESKEY_awscli sts assume-role --role-arn $role --role-session-name AWSCLI-RouteTableUpdate --profile $OCF_RESKEY_profile $region_opt --output=text)"
++	output="$($AWSCLI_CMD sts assume-role --role-arn $role --role-session-name AWSCLI-RouteTableUpdate --output=text)"
+ 	export AWS_ACCESS_KEY_ID="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $5}')"
+ 	export AWS_SECRET_ACCESS_KEY="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $7}')"
+ 	export AWS_SESSION_TOKEN="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $8}')"
+@@ -220,11 +233,11 @@ ec2ip_set_address_param_compat(){
+ }
+ 
+ ec2ip_validate() {
+-	for cmd in $OCF_RESKEY_awscli ip curl; do
++	for cmd in "$OCF_RESKEY_awscli" ip curl; do
+ 		check_binary "$cmd"
+ 	done
+ 
+-	if [ -z "$OCF_RESKEY_profile" ]; then
++	if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
+ 		ocf_exit_reason "profile parameter not set"
+ 		return $OCF_ERR_CONFIGURED
+ 	fi
+@@ -262,7 +275,7 @@ ec2ip_monitor() {
+ 		for rtb in $(echo $OCF_RESKEY_routing_table | sed -e 's/,/ /g'); do
+ 			ocf_log info "monitor: check routing table (API call) - $rtb"
+ 			if [ -z "${OCF_RESKEY_routing_table_role}" ]; then
+-				cmd="$OCF_RESKEY_awscli --profile $OCF_RESKEY_profile $region_opt --output text ec2 describe-route-tables --route-table-ids $rtb --query RouteTables[*].Routes[?DestinationCidrBlock=='$OCF_RESKEY_ip/32'].$OCF_RESKEY_lookup_type"
++				cmd="$AWSCLI_CMD --output text ec2 describe-route-tables --route-table-ids $rtb --query RouteTables[*].Routes[?DestinationCidrBlock=='$OCF_RESKEY_ip/32'].$OCF_RESKEY_lookup_type"
+ 				ocf_log debug "executing command: $cmd"
+ 				ROUTE_TO_INSTANCE="$($cmd)"
+ 			else
+@@ -368,7 +381,7 @@ ec2ip_get_and_configure() {
+ 	EC2_NETWORK_INTERFACE_ID="$(ec2ip_get_instance_eni)"
+ 	for rtb in $(echo $OCF_RESKEY_routing_table | sed -e 's/,/ /g'); do
+ 		if [ -z "${OCF_RESKEY_routing_table_role}" ]; then
+-			cmd="$OCF_RESKEY_awscli --profile $OCF_RESKEY_profile $region_opt --output text ec2 replace-route --route-table-id $rtb --destination-cidr-block ${OCF_RESKEY_ip}/32 --network-interface-id $EC2_NETWORK_INTERFACE_ID"
++			cmd="$AWSCLI_CMD --output text ec2 replace-route --route-table-id $rtb --destination-cidr-block ${OCF_RESKEY_ip}/32 --network-interface-id $EC2_NETWORK_INTERFACE_ID"
+ 			ocf_log debug "executing command: $cmd"
+ 			$cmd
+ 		else
+@@ -475,6 +488,22 @@ if ! ocf_is_root; then
+ 	exit $OCF_ERR_PERM
+ fi
+ 
++AWSCLI_CMD="${OCF_RESKEY_awscli}"
++if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
++	AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
++elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
++	if [ -z "${OCF_RESKEY_region}" ]; then
++		ocf_exit_reason "region needs to be set when using role-based authentication"
++		exit $OCF_ERR_CONFIGURED
++	fi
++else
++	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
++	exit $OCF_ERR_CONFIGURED
++fi
++if [ -n "${OCF_RESKEY_region}" ]; then
++	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
++fi
++
+ ec2ip_set_address_param_compat
+ 
+ ec2ip_validate
+diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
+index 22cbb358..18ab157e 100644
+--- a/heartbeat/aws-vpc-route53.in
++++ b/heartbeat/aws-vpc-route53.in
+@@ -46,24 +46,22 @@
+ 
+ # Defaults
+ OCF_RESKEY_awscli_default="/usr/bin/aws"
++OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
++OCF_RESKEY_region_default=""
+ OCF_RESKEY_hostedzoneid_default=""
+ OCF_RESKEY_fullname_default=""
+ OCF_RESKEY_ip_default="local"
+ OCF_RESKEY_ttl_default=10
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
++: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
++: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_hostedzoneid:=${OCF_RESKEY_hostedzoneid_default}}
+ : ${OCF_RESKEY_fullname:=${OCF_RESKEY_fullname_default}}
+ : ${OCF_RESKEY_ip:=${OCF_RESKEY_ip_default}}
+ : ${OCF_RESKEY_ttl:=${OCF_RESKEY_ttl_default}}
+-#######################################################################
+-
+-
+-AWS_PROFILE_OPT="--profile $OCF_RESKEY_profile --cli-connect-timeout 10"
+-#######################################################################
+-
+ 
+ usage() {
+ 	cat <<-EOT
+@@ -123,6 +121,15 @@ Path to command line tools for AWS
+ <content type="string" default="${OCF_RESKEY_awscli_default}" />
+ </parameter>
+ 
++<parameter name="auth_type">
++<longdesc lang="en">
++Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
++or "role" to use AWS Policies.
++</longdesc>
++<shortdesc lang="en">Authentication type</shortdesc>
++<content type="string" default="${OCF_RESKEY_auth_type_default}" />
++</parameter>
++
+ <parameter name="profile">
+ <longdesc lang="en">
+ The name of the AWS CLI profile of the root account. This
+@@ -196,7 +203,7 @@ r53_validate() {
+ 
+ 	# Check for required binaries
+ 	ocf_log debug "Checking for required binaries"
+-	for command in curl dig; do
++	for command in "${OCF_RESKEY_awscli}" curl dig; do
+ 		check_binary "$command"
+ 	done
+ 
+@@ -216,7 +223,10 @@ r53_validate() {
+ 	esac
+ 
+ 	# profile
+-	[[ -z "$OCF_RESKEY_profile" ]] && ocf_log error "AWS CLI profile not set $OCF_RESKEY_profile!" && exit $OCF_ERR_CONFIGURED
++	if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
++		ocf_exit_reason "profile parameter not set"
++		return $OCF_ERR_CONFIGURED
++	fi
+ 
+ 	# TTL
+ 	[[ -z "$OCF_RESKEY_ttl" ]] && ocf_log error "TTL not set $OCF_RESKEY_ttl!" && exit $OCF_ERR_CONFIGURED
+@@ -417,7 +427,6 @@ _update_record() {
+ }
+ 
+ ###############################################################################
+-
+ case $__OCF_ACTION in
+ 	usage|help)
+ 		usage
+@@ -427,6 +436,26 @@ case $__OCF_ACTION in
+ 		metadata
+ 		exit $OCF_SUCCESS
+ 		;;
++esac
++
++AWSCLI_CMD="${OCF_RESKEY_awscli}"
++if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
++	AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
++elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
++	if [ -z "${OCF_RESKEY_region}" ]; then
++		ocf_exit_reason "region needs to be set when using role-based authentication"
++		exit $OCF_ERR_CONFIGURED
++	fi
++else
++	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
++	exit $OCF_ERR_CONFIGURED
++fi
++if [ -n "${OCF_RESKEY_region}" ]; then
++	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
++fi
++AWSCLI_CMD="$AWSCLI_CMD --cli-connect-timeout 10"
++
++case $__OCF_ACTION in
+ 	start)
+ 		r53_validate || exit $?
+ 		r53_start
+diff --git a/heartbeat/awseip b/heartbeat/awseip
+index dc48460c..49b0ca61 100755
+--- a/heartbeat/awseip
++++ b/heartbeat/awseip
+@@ -23,7 +23,8 @@
+ #
+ #  Prerequisites:
+ #
+-#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.)
++#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.) or
++#    (AWSRole) Setup up relevant AWS Policies to allow agent related functions to be executed.
+ #  - a reserved secondary private IP address for EC2 instances high availability
+ #  - IAM user role with the following permissions:
+ #    * DescribeInstances
+@@ -44,11 +45,15 @@
+ # Defaults
+ #
+ OCF_RESKEY_awscli_default="/usr/bin/aws"
++OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
++OCF_RESKEY_region_default=""
+ OCF_RESKEY_api_delay_default="3"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
++: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
++: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
+ 
+ meta_data() {
+@@ -63,7 +68,7 @@ Resource Agent for Amazon AWS Elastic IP Addresses.
+ 
+ It manages AWS Elastic IP Addresses with awscli.
+ 
+-Credentials needs to be setup by running "aws configure".
++Credentials needs to be setup by running "aws configure", or by using AWS Policies.
+ 
+ See https://aws.amazon.com/cli/ for more information about awscli.
+ </longdesc>
+@@ -79,6 +84,15 @@ command line tools for aws services
+ <content type="string" default="${OCF_RESKEY_awscli_default}" />
+ </parameter>
+ 
++<parameter name="auth_type">
++<longdesc lang="en">
++Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
++or "role" to use AWS Policies.
++</longdesc>
++<shortdesc lang="en">Authentication type</shortdesc>
++<content type="string" default="${OCF_RESKEY_auth_type_default}" />
++</parameter>
++
+ <parameter name="profile">
+ <longdesc lang="en">
+ Valid AWS CLI profile name (see ~/.aws/config and 'aws configure')
+@@ -111,6 +125,14 @@ predefined private ip address for ec2 instance
+ <content type="string" default="" />
+ </parameter>
+ 
++<parameter name="region" required="0">
++<longdesc lang="en">
++Region for AWS resource (required for role-based authentication)
++</longdesc>
++<shortdesc lang="en">Region</shortdesc>
++<content type="string" default="${OCF_RESKEY_region_default}" />
++</parameter>
++
+ <parameter name="api_delay" unique="0">
+ <longdesc lang="en">
+ a short delay between API calls, to avoid sending API too quick
+@@ -157,13 +179,13 @@ awseip_start() {
+                 NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
+             fi
+         done
+-        $AWSCLI --profile $OCF_RESKEY_profile ec2 associate-address  \
++        $AWSCLI_CMD ec2 associate-address  \
+             --network-interface-id ${NETWORK_ID} \
+             --allocation-id ${ALLOCATION_ID} \
+             --private-ip-address ${PRIVATE_IP_ADDRESS}
+         RET=$?
+     else
+-        $AWSCLI --profile $OCF_RESKEY_profile ec2 associate-address  \
++        $AWSCLI_CMD ec2 associate-address  \
+             --instance-id ${INSTANCE_ID} \
+             --allocation-id ${ALLOCATION_ID}
+         RET=$?
+@@ -183,7 +205,7 @@ awseip_start() {
+ awseip_stop() {
+     awseip_monitor || return $OCF_SUCCESS
+ 
+-    ASSOCIATION_ID=$($AWSCLI --profile $OCF_RESKEY_profile --output json ec2 describe-addresses \
++    ASSOCIATION_ID=$($AWSCLI_CMD --output json ec2 describe-addresses \
+                          --allocation-id ${ALLOCATION_ID} | grep -m 1 "AssociationId" | awk -F'"' '{print$4}')
+ 
+     if [ -z "${ASSOCIATION_ID}" ]; then
+@@ -191,9 +213,7 @@ awseip_stop() {
+         return $OCF_NOT_RUNNING
+     fi
+ 
+-    $AWSCLI --profile ${OCF_RESKEY_profile} \
+-        ec2 disassociate-address \
+-        --association-id ${ASSOCIATION_ID}
++    $AWSCLI_CMD ec2 disassociate-address --association-id ${ASSOCIATION_ID}
+     RET=$?
+ 
+     # delay to avoid sending request too fast
+@@ -208,7 +228,7 @@ awseip_stop() {
+ }
+ 
+ awseip_monitor() {
+-    $AWSCLI --profile $OCF_RESKEY_profile ec2 describe-instances --instance-id "${INSTANCE_ID}" | grep -q "${ELASTIC_IP}"
++    $AWSCLI_CMD ec2 describe-instances --instance-id "${INSTANCE_ID}" | grep -q "${ELASTIC_IP}"
+     RET=$?
+ 
+     if [ $RET -ne 0 ]; then
+@@ -218,9 +238,9 @@ awseip_monitor() {
+ }
+ 
+ awseip_validate() {
+-    check_binary ${AWSCLI}
++    check_binary "${OCF_RESKEY_awscli}"
+ 
+-    if [ -z "$OCF_RESKEY_profile" ]; then
++    if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
+         ocf_exit_reason "profile parameter not set"
+         return $OCF_ERR_CONFIGURED
+     fi
+@@ -238,9 +258,27 @@ case $__OCF_ACTION in
+         meta_data
+         exit $OCF_SUCCESS
+         ;;
+-esac 
++    usage|help)
++        awseip_usage
++        exit $OCF_SUCCESS
++        ;;
++esac
+ 
+-AWSCLI="${OCF_RESKEY_awscli}"
++AWSCLI_CMD="${OCF_RESKEY_awscli}"
++if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
++	AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
++elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
++	if [ -z "${OCF_RESKEY_region}" ]; then
++		ocf_exit_reason "region needs to be set when using role-based authentication"
++		exit $OCF_ERR_CONFIGURED
++	fi
++else
++	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
++	exit $OCF_ERR_CONFIGURED
++fi
++if [ -n "${OCF_RESKEY_region}" ]; then
++	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
++fi
+ ELASTIC_IP="${OCF_RESKEY_elastic_ip}"
+ ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
+ PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
+@@ -272,10 +310,6 @@ case $__OCF_ACTION in
+     validate|validate-all)
+         awseip_validate
+         ;;
+-    usage|help)
+-        awseip_usage
+-        exit $OCF_SUCCESS
+-        ;;
+     *)
+         awseip_usage
+         exit $OCF_ERR_UNIMPLEMENTED
+diff --git a/heartbeat/awsvip b/heartbeat/awsvip
+index 037278e2..bdb4d68d 100755
+--- a/heartbeat/awsvip
++++ b/heartbeat/awsvip
+@@ -23,7 +23,8 @@
+ #
+ #  Prerequisites:
+ #
+-#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.)
++#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.) or
++#    (AWSRole) Setup up relevant AWS Policies to allow agent related functions to be executed.
+ #  - a reserved secondary private IP address for EC2 instances high availablity
+ #  - IAM user role with the following permissions:
+ #    * DescribeInstances
+@@ -43,11 +44,15 @@
+ # Defaults
+ #
+ OCF_RESKEY_awscli_default="/usr/bin/aws"
++OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
++OCF_RESKEY_region_default=""
+ OCF_RESKEY_api_delay_default="3"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
++: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
++: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
+ 
+ meta_data() {
+@@ -62,7 +67,7 @@ Resource Agent for Amazon AWS Secondary Private IP Addresses.
+ 
+ It manages AWS Secondary Private IP Addresses with awscli.
+ 
+-Credentials needs to be setup by running "aws configure".
++Credentials needs to be setup by running "aws configure", or by using AWS Policies.
+ 
+ See https://aws.amazon.com/cli/ for more information about awscli.
+ </longdesc>
+@@ -78,6 +83,15 @@ command line tools for aws services
+ <content type="string" default="${OCF_RESKEY_awscli_default}" />
+ </parameter>
+ 
++<parameter name="auth_type">
++<longdesc lang="en">
++Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
++or "role" to use AWS Policies.
++</longdesc>
++<shortdesc lang="en">Authentication type</shortdesc>
++<content type="string" default="${OCF_RESKEY_auth_type_default}" />
++</parameter>
++
+ <parameter name="profile">
+ <longdesc lang="en">
+ Valid AWS CLI profile name (see ~/.aws/config and 'aws configure')
+@@ -94,6 +108,14 @@ reserved secondary private ip for ec2 instance
+ <content type="string" default="" />
+ </parameter>
+ 
++<parameter name="region" required="0">
++<longdesc lang="en">
++Region for AWS resource (required for role-based authentication)
++</longdesc>
++<shortdesc lang="en">Region</shortdesc>
++<content type="string" default="${OCF_RESKEY_region_default}" />
++</parameter>
++
+ <parameter name="api_delay" unique="0">
+ <longdesc lang="en">
+ a short delay between API calls, to avoid sending API too quick
+@@ -131,7 +153,7 @@ END
+ awsvip_start() {
+     awsvip_monitor && return $OCF_SUCCESS
+ 
+-    $AWSCLI --profile $OCF_RESKEY_profile ec2 assign-private-ip-addresses \
++    $AWSCLI_CMD ec2 assign-private-ip-addresses \
+         --network-interface-id ${NETWORK_ID} \
+         --private-ip-addresses ${SECONDARY_PRIVATE_IP} \
+         --allow-reassignment
+@@ -151,7 +173,7 @@ awsvip_start() {
+ awsvip_stop() {
+     awsvip_monitor || return $OCF_SUCCESS
+ 
+-    $AWSCLI --profile $OCF_RESKEY_profile ec2 unassign-private-ip-addresses \
++    $AWSCLI_CMD ec2 unassign-private-ip-addresses \
+         --network-interface-id ${NETWORK_ID} \
+         --private-ip-addresses ${SECONDARY_PRIVATE_IP}
+     RET=$?
+@@ -168,7 +190,7 @@ awsvip_stop() {
+ }
+ 
+ awsvip_monitor() {
+-    $AWSCLI --profile ${OCF_RESKEY_profile} ec2 describe-instances \
++    $AWSCLI_CMD ec2 describe-instances \
+             --instance-id "${INSTANCE_ID}" \
+             --query 'Reservations[].Instances[].NetworkInterfaces[].PrivateIpAddresses[].PrivateIpAddress[]' \
+             --output text | \
+@@ -182,9 +204,9 @@ awsvip_monitor() {
+ }
+ 
+ awsvip_validate() {
+-    check_binary ${AWSCLI}
++    check_binary "${OCF_RESKEY_awscli}"
+ 
+-    if [ -z "$OCF_RESKEY_profile" ]; then
++    if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
+         ocf_exit_reason "profile parameter not set"
+         return $OCF_ERR_CONFIGURED
+     fi
+@@ -202,9 +224,27 @@ case $__OCF_ACTION in
+         meta_data
+         exit $OCF_SUCCESS
+         ;;
++    usage|help)
++        awsvip_usage
++        exit $OCF_SUCCESS
++        ;;
+ esac
+ 
+-AWSCLI="${OCF_RESKEY_awscli}"
++AWSCLI_CMD="${OCF_RESKEY_awscli}"
++if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
++	AWSCLI_CMD="$AWSCLI_CMD --profile ${OCF_RESKEY_profile}"
++elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
++	if [ -z "${OCF_RESKEY_region}" ]; then
++		ocf_exit_reason "region needs to be set when using role-based authentication"
++		exit $OCF_ERR_CONFIGURED
++	fi
++else
++	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
++	exit $OCF_ERR_CONFIGURED
++fi
++if [ -n "${OCF_RESKEY_region}" ]; then
++	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
++fi
+ SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
+ TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+ INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
+@@ -236,10 +276,6 @@ case $__OCF_ACTION in
+     validate|validate-all)
+         awsvip_validate
+         ;;
+-    usage|help)
+-        awsvip_usage
+-        exit $OCF_SUCCESS
+-        ;;
+     *)
+         awsvip_usage
+         exit $OCF_ERR_UNIMPLEMENTED
+-- 
+2.33.0
+

backport-Mid-storage-mon-Add-logging-to-daemon-mode.patch

@@ -0,0 +1,34 @@
+From 9032181967ea9c5c985e346c51bca6b9997d7287 Mon Sep 17 00:00:00 2001
+From: Hideo Yamauchi <renayama19661014@ybb.ne.jp>
+Date: Mon, 27 May 2024 18:12:01 +0900
+Subject: [PATCH] Mid: storage-mon: Add logging to daemon mode.
+
+---
+ tools/storage_mon.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tools/storage_mon.c b/tools/storage_mon.c
+index a9227ef9..f94268f6 100644
+--- a/tools/storage_mon.c
++++ b/tools/storage_mon.c
+@@ -308,6 +308,8 @@ static int32_t sigchld_handler(int32_t sig, void *data)
+ 						/* so add the final_score from the exit code of the terminated child process. 	*/
+ 						if (qb_loop_timer_is_running(storage_mon_poll_handle, expire_handle)) { 
+ 							if (WEXITSTATUS(status) !=0) {
++								syslog(LOG_ERR, "Error reading from device %s", devices[index]);
++
+ 								final_score += scores[index];
+ 
+ 								/* Update response values immediately in preparation for inquiries from clients. */
+@@ -403,6 +405,8 @@ static void child_timeout_handler(void *data)
+ 	if (is_child_runnning()) {
+ 		for (i=0; i<device_count; i++) {
+ 			if (test_forks[i] > 0) {
++				syslog(LOG_ERR, "Reading from device %s did not complete in %d seconds timeout", devices[i], timeout);
++
+ 				/* If timeout occurs before SIGCHLD, add child process failure score to final_score. */
+ 				final_score += scores[i];
+ 
+-- 
+2.25.1
+

ocf-shellfuncs-add-curl_retry.patch

@@ -0,0 +1,57 @@
+From fc0657b936f6a58f741e33f851b22f82bc68bffa Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Tue, 6 Feb 2024 13:28:12 +0100
+Subject: [PATCH 1/3] ocf-shellfuncs: add curl_retry()
+
+---
+ heartbeat/ocf-shellfuncs.in | 34 ++++++++++++++++++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+
+diff --git a/heartbeat/ocf-shellfuncs.in b/heartbeat/ocf-shellfuncs.in
+index c5edb6f5..a69a9743 100644
+--- a/heartbeat/ocf-shellfuncs.in
++++ b/heartbeat/ocf-shellfuncs.in
+@@ -672,6 +672,40 @@ EOF
+ 	systemctl daemon-reload
+ }
+ 
++# usage: curl_retry RETRIES SLEEP ARGS URL
++#
++# Use --show-error in ARGS to log HTTP error code
++#
++# returns:
++#    0  success
++# exit:
++#    1  fail
++curl_retry()
++{
++	local retries=$1 sleep=$2 opts=$3 url=$4
++	local tries=$(($retries + 1))
++	local args="--fail $opts $url"
++	local result rc
++
++	for try in $(seq $tries); do
++		ocf_log debug "curl $args try $try of $tries"
++		result=$(echo "$args" | xargs curl 2>&1)
++		rc=$?
++
++		ocf_log debug "result: $result"
++		[ $rc -eq 0 ] && break
++		sleep $sleep
++	done
++
++	if [ $rc -ne 0 ]; then
++		ocf_exit_reason "curl $args failed $tries tries"
++		exit $OCF_ERR_GENERIC
++	fi
++
++	echo "$result"
++	return $rc
++}
++
+ # move process to root cgroup if realtime scheduling is enabled
+ ocf_move_to_root_cgroup_if_rt_enabled()
+ {
+-- 
+2.33.0
+

resource-agents.spec

@@ -1,7 +1,7 @@
 Name:                resource-agents
 Summary:             Open Source HA Reusable Cluster Resource Scripts
 Version:             4.13.0
-Release:             20
+Release:             25
 License:             GPLv2+ and LGPLv2+
 URL:                 https://github.com/ClusterLabs/resource-agents
 Source0:             https://github.com/ClusterLabs/resource-agents/archive/v%{version}.tar.gz
@@ -25,6 +25,12 @@ Patch0016:	     fix-OCF_SUCESS-name-in-db2_notify.patch
 Patch0017:           docs-writing-python-agents-update-required-Python-ve.patch
 Patch0018:           galera-allow-joiner-to-report-non-Primary-during-ini.patch
 Patch0019:           doc-writing-python-agents-add-description-of-is_prob.patch
+Patch0020:           Filesystem-fail-when-incorrect-device-mounted-on-mou.patch
+Patch0021:           ocf-shellfuncs-add-curl_retry.patch 
+Patch0022:           aws-vpc-move-ip-aws-vpc-route53-awseip-awsvip-add-au.patch
+Patch0023:           AWS-agents-use-curl_retry.patch
+Patch0024:           backport-Mid-storage-mon-Add-logging-to-daemon-mode.patch
+
 Obsoletes:           heartbeat-resources <= %{version}
 Provides:            heartbeat-resources = %{version}
 BuildRequires:       automake autoconf pkgconfig gcc perl-interpreter perl-generators python3-devel
@@ -122,10 +128,25 @@ export CFLAGS="$(echo '%{optflags}')"
 %{_mandir}/man8/{ocf-tester.8*,ldirectord.8*}
 
 %changelog
+* Fri May 31 2024 bixiaoyan <bixiaoyan@kylinos.cn> - 4.13.0-25
+- Mid: storage-mon: Add logging to daemon mode.
+
+* Tue May 07 2024 bizhiyuan <bizhiyuan@kylinos.cn> - 4.13.0-24
+- AWS agents: use curl_retry()
+
+* Tue May 07 2024 bizhiyuan <bizhiyuan@kylinos.cn> - 4.13.0-23
+- aws-vpc-move-ip/aws-vpc-route53/awseip/awsvip: add auth_type parameter and AWS Policy based authentication type
+
+* Tue May 07 2024 bizhiyuan <bizhiyuan@kylinos.cn> - 4.13.0-22
+- ocf shellfuncs add curl_retry
+ 
+* Mon May 06 2024 zouzhimin <zouzhimin@kylinos.cn> - 4.13.0-21
+- Filesystem: fail when incorrect device mounted on mountpoint
+
 * Thu Apr 25 2024 zouzhimin <zouzhimin@kylinos.cn> - 4.13.0-20
 - doc: writing-python-agents: add description of is_probe() and distro()
 
-* Tue Apr 22 2024 bixiaoyan <bixiaoyan@kylinos.cn> - 4.13.0-19
+* Mon Apr 22 2024 bixiaoyan <bixiaoyan@kylinos.cn> - 4.13.0-19
 - galera: allow joiner to report non-Primary during initial IST
 
 * Mon Apr 22 2024 zouzhimin <zouzhimin@kylinos.cn> - 4.13.0-18