<feed xmlns='http://www.w3.org/2005/Atom'>
<title>samba.git/ctdb/server, branch master</title>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/'/>
<entry>
<title>ctdb-daemon: Remove helper variable CTDB_DEBUG_LOCKS</title>
<updated>2026-02-25T12:33:39+00:00</updated>
<author>
<name>Martin Schwenke</name>
<email>mschwenke@ddn.com</email>
</author>
<published>2025-10-31T03:48:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=80f4f47293f426defb10e029b1364d30d9bb2ffc'/>
<id>80f4f47293f426defb10e029b1364d30d9bb2ffc</id>
<content type='text'>
Replace with a lock_debug_script member in ctdb_context.

Signed-off-by: Martin Schwenke &lt;mschwenke@ddn.com&gt;
Reviewed-by: Anoop C S &lt;anoopcs@samba.org&gt;</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Replace with a lock_debug_script member in ctdb_context.

Signed-off-by: Martin Schwenke &lt;mschwenke@ddn.com&gt;
Reviewed-by: Anoop C S &lt;anoopcs@samba.org&gt;</pre>
</div>
</content>
</entry>
<entry>
<title>ctdb-daemon: Remove helper variable CTDB_CLUSTER_MUTEX_HELPER</title>
<updated>2026-02-25T12:33:39+00:00</updated>
<author>
<name>Martin Schwenke</name>
<email>mschwenke@ddn.com</email>
</author>
<published>2025-10-30T11:30:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=1d7e083e55148878bef53698c681d2134862d6f9'/>
<id>1d7e083e55148878bef53698c681d2134862d6f9</id>
<content type='text'>
Use path_helperdir() to help construct the path and then cache the
result in the existing static buffer (with length adjusted because
POSIX says the +1 is not necessary).  Given the way this is used by
cluster_mutex_test, there is no (other) sane place to cache it.
path_helperdir_append() could be used to construct the path, but then
there would be an unnecessary talloc() result to free.

The flexibility in unit test cluster_mutex_003.sh was never used, so
remove this test.  If other cluster mutex helpers are added then they
can be tested by separate tests.

Signed-off-by: Martin Schwenke &lt;mschwenke@ddn.com&gt;
Reviewed-by: Anoop C S &lt;anoopcs@samba.org&gt;</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Use path_helperdir() to help construct the path and then cache the
result in the existing static buffer (with length adjusted because
POSIX says the +1 is not necessary).  Given the way this is used by
cluster_mutex_test, there is no (other) sane place to cache it.
path_helperdir_append() could be used to construct the path, but then
there would be an unnecessary talloc() result to free.

The flexibility in unit test cluster_mutex_003.sh was never used, so
remove this test.  If other cluster mutex helpers are added then they
can be tested by separate tests.

Signed-off-by: Martin Schwenke &lt;mschwenke@ddn.com&gt;
Reviewed-by: Anoop C S &lt;anoopcs@samba.org&gt;</pre>
</div>
</content>
</entry>
<entry>
<title>ctdb-daemon: Remove helper variable CTDB_LOCK_HELPER</title>
<updated>2026-02-25T12:33:39+00:00</updated>
<author>
<name>Martin Schwenke</name>
<email>mschwenke@ddn.com</email>
</author>
<published>2025-10-30T10:55:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=7a251cf2d623bebd943dd4aac0d0b84aa8175c8b'/>
<id>7a251cf2d623bebd943dd4aac0d0b84aa8175c8b</id>
<content type='text'>
Replace with a lock_helper member in ctdb_context, set using
path_helperdir_append().

Signed-off-by: Martin Schwenke &lt;mschwenke@ddn.com&gt;
Reviewed-by: Anoop C S &lt;anoopcs@samba.org&gt;</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Replace with a lock_helper member in ctdb_context, set using
path_helperdir_append().

Signed-off-by: Martin Schwenke &lt;mschwenke@ddn.com&gt;
Reviewed-by: Anoop C S &lt;anoopcs@samba.org&gt;</pre>
</div>
</content>
</entry>
<entry>
<title>ctdb-daemon: Remove helper variable CTDB_EVENTD</title>
<updated>2026-02-25T12:33:39+00:00</updated>
<author>
<name>Martin Schwenke</name>
<email>mschwenke@ddn.com</email>
</author>
<published>2025-10-29T10:20:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=6a9d6600ec92cb76d90cb1e52c44d9edaa1e6f0b'/>
<id>6a9d6600ec92cb76d90cb1e52c44d9edaa1e6f0b</id>
<content type='text'>
Simplify the initialisation of the path to eventd in eventd_context
using path_helperdir_append().

Signed-off-by: Martin Schwenke &lt;mschwenke@ddn.com&gt;
Reviewed-by: Anoop C S &lt;anoopcs@samba.org&gt;</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Simplify the initialisation of the path to eventd in eventd_context
using path_helperdir_append().

Signed-off-by: Martin Schwenke &lt;mschwenke@ddn.com&gt;
Reviewed-by: Anoop C S &lt;anoopcs@samba.org&gt;</pre>
</div>
</content>
</entry>
<entry>
<title>ctdb-recoverd: Remove some helper variables</title>
<updated>2026-02-25T12:33:39+00:00</updated>
<author>
<name>Martin Schwenke</name>
<email>mschwenke@ddn.com</email>
</author>
<published>2025-10-29T10:09:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=ff9fe88905e74ff6f9a662436687cf9b7edb16a2'/>
<id>ff9fe88905e74ff6f9a662436687cf9b7edb16a2</id>
<content type='text'>
Remove CTDB_RECOVERY_HELPER, CTDB_TAKEOVER_HELPER.  Add new struct
members in ctdb_recoverd to contain the paths, set via
path_helperdir_append().

Signed-off-by: Martin Schwenke &lt;mschwenke@ddn.com&gt;
Reviewed-by: Anoop C S &lt;anoopcs@samba.org&gt;</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Remove CTDB_RECOVERY_HELPER, CTDB_TAKEOVER_HELPER.  Add new struct
members in ctdb_recoverd to contain the paths, set via
path_helperdir_append().

Signed-off-by: Martin Schwenke &lt;mschwenke@ddn.com&gt;
Reviewed-by: Anoop C S &lt;anoopcs@samba.org&gt;</pre>
</div>
</content>
</entry>
<entry>
<title>ctdb-daemon: Hex encode key before logging</title>
<updated>2026-02-09T12:21:08+00:00</updated>
<author>
<name>Martin Schwenke</name>
<email>mschwenke@ddn.com</email>
</author>
<published>2026-02-08T23:03:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=38b2428d3765a468004265b5732cbcadfe503bb9'/>
<id>38b2428d3765a468004265b5732cbcadfe503bb9</id>
<content type='text'>
This currently causes binary data to be logged.

Instead, conditionally hex encode the key in a similar style to the
way it is done in dbwrap_ctdb.c:fetch_locked_internal().  In this
case, the key is truncated if the debug level is less than 10.

Signed-off-by: Martin Schwenke &lt;mschwenke@ddn.com&gt;
Reviewed-by: Volker Lendecke &lt;vl@samba.org&gt;

Autobuild-User(master): Volker Lendecke &lt;vl@samba.org&gt;
Autobuild-Date(master): Mon Feb  9 12:21:08 UTC 2026 on atb-devel-224
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This currently causes binary data to be logged.

Instead, conditionally hex encode the key in a similar style to the
way it is done in dbwrap_ctdb.c:fetch_locked_internal().  In this
case, the key is truncated if the debug level is less than 10.

Signed-off-by: Martin Schwenke &lt;mschwenke@ddn.com&gt;
Reviewed-by: Volker Lendecke &lt;vl@samba.org&gt;

Autobuild-User(master): Volker Lendecke &lt;vl@samba.org&gt;
Autobuild-Date(master): Mon Feb  9 12:21:08 UTC 2026 on atb-devel-224
</pre>
</div>
</content>
</entry>
<entry>
<title>ctdb: Fix ctdb startup with inconsistent cluster lock settings</title>
<updated>2025-11-19T03:04:13+00:00</updated>
<author>
<name>Volker Lendecke</name>
<email>vl@samba.org</email>
</author>
<published>2025-11-18T09:31:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=66ebdb917054f4841f583ee21f910a1869712b53'/>
<id>66ebdb917054f4841f583ee21f910a1869712b53</id>
<content type='text'>
ctdb_shutdown_sequence() normally exits. When we end up here, it is
because we have received a reclock callback twice. We can't handle
that, we have already removed "state", which would be referenced deep
in run_start_recovery_event() returning here another time.

The bug is triggered since b84fbd7b3fedc998 introduced a nested event
loop, making ctdb_shutdown_sequence() return into
start_recovery_reclock_callback() due to multiple reclock checks being
triggered somehow (not sure exactly how, but we should not crash under
any circumstance).

Reproducer: Run one ctdb daemon with cluster lock set, try to start
another one without cluster lock set.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15950
Signed-off-by: Volker Lendecke &lt;vl@samba.org&gt;
Reviewed-by: Martin Schwenke &lt;martin@meltin.net&gt;

Autobuild-User(master): Martin Schwenke &lt;martins@samba.org&gt;
Autobuild-Date(master): Wed Nov 19 03:04:13 UTC 2025 on atb-devel-224
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
ctdb_shutdown_sequence() normally exits. When we end up here, it is
because we have received a reclock callback twice. We can't handle
that, we have already removed "state", which would be referenced deep
in run_start_recovery_event() returning here another time.

The bug is triggered since b84fbd7b3fedc998 introduced a nested event
loop, making ctdb_shutdown_sequence() return into
start_recovery_reclock_callback() due to multiple reclock checks being
triggered somehow (not sure exactly how, but we should not crash under
any circumstance).

Reproducer: Run one ctdb daemon with cluster lock set, try to start
another one without cluster lock set.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15950
Signed-off-by: Volker Lendecke &lt;vl@samba.org&gt;
Reviewed-by: Martin Schwenke &lt;martin@meltin.net&gt;

Autobuild-User(master): Martin Schwenke &lt;martins@samba.org&gt;
Autobuild-Date(master): Wed Nov 19 03:04:13 UTC 2025 on atb-devel-224
</pre>
</div>
</content>
</entry>
<entry>
<title>ctdb-daemon: Fix a crash due to a failed updateip</title>
<updated>2025-10-17T05:25:33+00:00</updated>
<author>
<name>Martin Schwenke</name>
<email>mschwenke@ddn.com</email>
</author>
<published>2025-10-15T21:17:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=d08f9ebd2755671d30c73a4e979029d353848828'/>
<id>d08f9ebd2755671d30c73a4e979029d353848828</id>
<content type='text'>
This should really be a takeip.  However, CTDB's weak check of the IP
address state (using bind(2)) incorrectly indicates that the IP
address is assigned to an interface so it is converted to an updateip.

After commit 0536d7a98b832fc00d26b09c26bf14fb63dbf5fb (which improves
IP address state checking), this will almost certainly not occur on
platforms with getifaddrs(3) (e.g. Linux).  This means it is only
likely to occur in 4.21 when net.ipv4.ip_nonlocal_bind=1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15935

Reported-by: Bailey Allison &lt;ballison@45drives.com&gt;
Signed-off-by: Martin Schwenke &lt;mschwenke@ddn.com&gt;
Reviewed-by: Anoop C S &lt;anoopcs@samba.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This should really be a takeip.  However, CTDB's weak check of the IP
address state (using bind(2)) incorrectly indicates that the IP
address is assigned to an interface so it is converted to an updateip.

After commit 0536d7a98b832fc00d26b09c26bf14fb63dbf5fb (which improves
IP address state checking), this will almost certainly not occur on
platforms with getifaddrs(3) (e.g. Linux).  This means it is only
likely to occur in 4.21 when net.ipv4.ip_nonlocal_bind=1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15935

Reported-by: Bailey Allison &lt;ballison@45drives.com&gt;
Signed-off-by: Martin Schwenke &lt;mschwenke@ddn.com&gt;
Reviewed-by: Anoop C S &lt;anoopcs@samba.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ctdb-common: Only respect CTDB_SOCKET in CTDB_TEST_MODE</title>
<updated>2025-09-25T09:02:06+00:00</updated>
<author>
<name>Martin Schwenke</name>
<email>mschwenke@ddn.com</email>
</author>
<published>2025-08-15T05:01:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=7e2358fcf7be177d6e5de6e26f9d7c5af4acbb0c'/>
<id>7e2358fcf7be177d6e5de6e26f9d7c5af4acbb0c</id>
<content type='text'>
At the moment CTDB_SOCKET can be used outside of test mode even though
nobody should do this.  So, no longer allow this.

This means ensuring CTDB_TEST_MODE is set in the
"clusteredmember" selftest environment, so that CTDB_SOCKET is
respected there.

Details...

The associated use of chown(2) and chmod(2), used to secure the socket
in ctdb_daemon.c:ux_socket_bind(), potentially enables a symlink race
attack.  However, the chown(2) is currently not done in test mode, so
restricting the use of CTDB_SOCKET to test mode solves the potential
security issue.

Also, sprinkle warnings about use of CTDB_TEST_MODE in appropriate
places, just to attempt to limit unwanted behaviour.

An alternative could be to use the socket file descriptor with
fchown(2) and fchmod(2).  However, these system calls are not well
defined on sockets.  Still, this was previously done in CTDB's early
days (using the poorly documented method where they are allowed in
Linux (only?) before calling bind(2)).  It was removed (due to
portability issues, via commits
cf1056df94943ddcc3d547d4533b4bc04f57f265 and
2da3fe1b175a468fdff4aa4f65627facd2c28394) and replaced with the
current post-bind chown(2) and chmod(2).

I would like to remove the CTDB_SOCKET environment variable entirely,
since setting CTDB_TEST_MODE and CTDB_BASE covers all reasonable test
environments.  However, I have a feeling that people use it for
interactive testing, and that can still be done in CTDB_TEST_MODE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15921

Signed-off-by: Martin Schwenke &lt;mschwenke@ddn.com&gt;
Reported-by: *GUIAR OQBA * &lt;techokba@gmail.com&gt;
Reviewed-by: Volker Lendecke &lt;vl@samba.org&gt;

Autobuild-User(master): Volker Lendecke &lt;vl@samba.org&gt;
Autobuild-Date(master): Thu Sep 25 09:02:06 UTC 2025 on atb-devel-224
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
At the moment CTDB_SOCKET can be used outside of test mode even though
nobody should do this.  So, no longer allow this.

This means ensuring CTDB_TEST_MODE is set in the
"clusteredmember" selftest environment, so that CTDB_SOCKET is
respected there.

Details...

The associated use of chown(2) and chmod(2), used to secure the socket
in ctdb_daemon.c:ux_socket_bind(), potentially enables a symlink race
attack.  However, the chown(2) is currently not done in test mode, so
restricting the use of CTDB_SOCKET to test mode solves the potential
security issue.

Also, sprinkle warnings about use of CTDB_TEST_MODE in appropriate
places, just to attempt to limit unwanted behaviour.

An alternative could be to use the socket file descriptor with
fchown(2) and fchmod(2).  However, these system calls are not well
defined on sockets.  Still, this was previously done in CTDB's early
days (using the poorly documented method where they are allowed in
Linux (only?) before calling bind(2)).  It was removed (due to
portability issues, via commits
cf1056df94943ddcc3d547d4533b4bc04f57f265 and
2da3fe1b175a468fdff4aa4f65627facd2c28394) and replaced with the
current post-bind chown(2) and chmod(2).

I would like to remove the CTDB_SOCKET environment variable entirely,
since setting CTDB_TEST_MODE and CTDB_BASE covers all reasonable test
environments.  However, I have a feeling that people use it for
interactive testing, and that can still be done in CTDB_TEST_MODE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15921

Signed-off-by: Martin Schwenke &lt;mschwenke@ddn.com&gt;
Reported-by: *GUIAR OQBA * &lt;techokba@gmail.com&gt;
Reviewed-by: Volker Lendecke &lt;vl@samba.org&gt;

Autobuild-User(master): Volker Lendecke &lt;vl@samba.org&gt;
Autobuild-Date(master): Thu Sep 25 09:02:06 UTC 2025 on atb-devel-224
</pre>
</div>
</content>
</entry>
<entry>
<title>ctdb: Fix a stuck cluster lock holder after a delayed leader bcast</title>
<updated>2025-08-07T02:59:20+00:00</updated>
<author>
<name>Volker Lendecke</name>
<email>vl@samba.org</email>
</author>
<published>2025-08-06T13:28:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=1a7cfd93432a227a972b34e1eb844134173be7b0'/>
<id>1a7cfd93432a227a972b34e1eb844134173be7b0</id>
<content type='text'>
If a delayed broadcast by a previous cluster lock holder arrives, the
new legitimate leader will accept this without questioning in
leader_handler(). Without this patch rec-&gt;leader will never be
overwritten, and because rec-&gt;pnn != rec-&gt;leader we'll also never send
out fresh leader broadcasts. And because we hold the cluster lock,
nobody else can step up.

Fix this in the next round of leader broadcast timeout.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15892
Signed-off-by: Volker Lendecke &lt;vl@samba.org&gt;
Reviewed-by: Martin Schwenke &lt;martin@meltin.net&gt;

Autobuild-User(master): Martin Schwenke &lt;martins@samba.org&gt;
Autobuild-Date(master): Thu Aug  7 02:59:20 UTC 2025 on atb-devel-224
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If a delayed broadcast by a previous cluster lock holder arrives, the
new legitimate leader will accept this without questioning in
leader_handler(). Without this patch rec-&gt;leader will never be
overwritten, and because rec-&gt;pnn != rec-&gt;leader we'll also never send
out fresh leader broadcasts. And because we hold the cluster lock,
nobody else can step up.

Fix this in the next round of leader broadcast timeout.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15892
Signed-off-by: Volker Lendecke &lt;vl@samba.org&gt;
Reviewed-by: Martin Schwenke &lt;martin@meltin.net&gt;

Autobuild-User(master): Martin Schwenke &lt;martins@samba.org&gt;
Autobuild-Date(master): Thu Aug  7 02:59:20 UTC 2025 on atb-devel-224
</pre>
</div>
</content>
</entry>
</feed>
