]> git.proxmox.com Git - pve-cluster.git/blame - data/PVE/Cluster.pm
projects / pve-cluster.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
correctly handle renames
[pve-cluster.git] / data / PVE / Cluster.pm
CommitLineData
fe000966
DM		 1package PVE::Cluster;
2
3use strict;
4use POSIX;
5use File::stat qw();
6use Socket;
7use Storable qw(dclone);
8use IO::File;
9use MIME::Base64;
10use Digest::HMAC_SHA1;
11use PVE::Tools;
12use PVE::INotify;
13use PVE::IPCC;
14use PVE::SafeSyslog;
15use JSON;
16use RRDs;
17use Encode;
18use base 'Exporter';
19
20our @EXPORT_OK = qw(
21cfs_read_file
22cfs_write_file
23cfs_register_file
24cfs_lock_file);
25
26use Data::Dumper; # fixme: remove
27
28# x509 certificate utils
29
30my $basedir = "/etc/pve";
31my $authdir = "$basedir/priv";
32my $lockdir = "/etc/pve/priv/lock";
33
34my $authprivkeyfn = "$authdir/authkey.key";
35my $authpubkeyfn = "$basedir/authkey.pub";
36my $pveca_key_fn = "$authdir/pve-root-ca.key";
37my $pveca_srl_fn = "$authdir/pve-root-ca.srl";
38my $pveca_cert_fn = "$basedir/pve-root-ca.pem";
39# this is just a secret accessable by the web browser
40# and is used for CSRF prevention
41my $pvewww_key_fn = "$basedir/pve-www.key";
42
43# ssh related files
44my $ssh_rsa_id_priv = "/root/.ssh/id_rsa";
45my $ssh_rsa_id = "/root/.ssh/id_rsa.pub";
46my $ssh_host_rsa_id = "/etc/ssh/ssh_host_rsa_key.pub";
47my $sshglobalknownhosts = "/etc/ssh/ssh_known_hosts";
48my $sshknownhosts = "/etc/pve/priv/known_hosts";
49my $sshauthkeys = "/etc/pve/priv/authorized_keys";
50my $rootsshauthkeys = "/root/.ssh/authorized_keys";
51
52my $observed = {
53 'storage.cfg' => 1,
54 'datacenter.cfg' => 1,
55 'cluster.cfg' => 1,
56 'user.cfg' => 1,
57 'domains.cfg' => 1,
58 'priv/shadow.cfg' => 1,
59 '/qemu-server/' => 1,
60};
61
62# only write output if something fails
63sub run_silent_cmd {
64 my ($cmd) = @_;
65
66 my $outbuf = '';
67
68 my $record_output = sub {
69 $outbuf .= shift;
70 $outbuf .= "\n";
71 };
72
73 eval {
74 PVE::Tools::run_command($cmd, outfunc => $record_output,
75 errfunc => $record_output);
76 };
77
78 my $err = $@;
79
80 if ($err) {
81 print STDERR $outbuf;
82 die $err;
83 }
84}
85
86sub check_cfs_quorum {
01dddfb9
DM		 87 my ($noerr) = @_;
88
fe000966
DM		 89 # note: -w filename always return 1 for root, so wee need
90 # to use File::lstat here
91 my $st = File::stat::lstat("$basedir/local");
01dddfb9
DM		 92 my $quorate = ($st && (($st->mode & 0200) != 0));
93
94 die "cluster not ready - no quorum?\n" if !$quorate && !$noerr;
95
96 return $quorate;
fe000966
DM		 97}
98
99sub check_cfs_is_mounted {
100 my ($noerr) = @_;
101
102 my $res = -l "$basedir/local";
103
104 die "pve configuration filesystem not mounted\n"
105 if !$res && !$noerr;
106
107 return $res;
108}
109
110sub gen_local_dirs {
111 my ($nodename) = @_;
112
113 check_cfs_is_mounted();
114
115 my @required_dirs = (
116 "$basedir/priv",
117 "$basedir/nodes",
118 "$basedir/nodes/$nodename",
a1c08cfa
DM		 119 "$basedir/nodes/$nodename/qemu-server",
120 "$basedir/nodes/$nodename/openvz",
fe000966
DM		 121 "$basedir/nodes/$nodename/priv");
122
123 foreach my $dir (@required_dirs) {
124 if (! -d $dir) {
125 mkdir($dir) || die "unable to create directory '$dir' - $!\n";
126 }
127 }
128}
129
130sub gen_auth_key {
131
132 return if -f "$authprivkeyfn";
133
134 check_cfs_is_mounted();
135
136 mkdir $authdir || die "unable to create dir '$authdir' - $!\n";
137
138 my $cmd = "openssl genrsa -out '$authprivkeyfn' 2048";
139 run_silent_cmd($cmd);
140
141 $cmd = "openssl rsa -in '$authprivkeyfn' -pubout -out '$authpubkeyfn'";
142 run_silent_cmd($cmd)
143}
144
145sub gen_pveca_key {
146
147 return if -f $pveca_key_fn;
148
149 eval {
150 run_silent_cmd(['openssl', 'genrsa', '-out', $pveca_key_fn, '2048']);
151 };
152
153 die "unable to generate pve ca key:\n$@" if $@;
154}
155
156sub gen_pveca_cert {
157
158 if (-f $pveca_key_fn && -f $pveca_cert_fn) {
159 return 0;
160 }
161
162 gen_pveca_key();
163
164 # we try to generate an unique 'subject' to avoid browser problems
165 # (reused serial numbers, ..)
166 my $nid = (split (/\s/, `md5sum '$pveca_key_fn'`))[0] || time();
167
168 eval {
169 run_silent_cmd(['openssl', 'req', '-batch', '-days', '3650', '-new',
170 '-x509', '-nodes', '-key',
171 $pveca_key_fn, '-out', $pveca_cert_fn, '-subj',
172 "/CN=Proxmox Virtual Environment/OU=$nid/O=PVE Cluster Manager CA/"]);
173 };
174
175 die "generating pve root certificate failed:\n$@" if $@;
176
177 return 1;
178}
179
180sub gen_pve_ssl_key {
181 my ($nodename) = @_;
182
183 die "no node name specified" if !$nodename;
184
185 my $pvessl_key_fn = "$basedir/nodes/$nodename/pve-ssl.key";
186
187 return if -f $pvessl_key_fn;
188
189 eval {
190 run_silent_cmd(['openssl', 'genrsa', '-out', $pvessl_key_fn, '2048']);
191 };
192
193 die "unable to generate pve ssl key for node '$nodename':\n$@" if $@;
194}
195
196sub gen_pve_www_key {
197
198 return if -f $pvewww_key_fn;
199
200 eval {
201 run_silent_cmd(['openssl', 'genrsa', '-out', $pvewww_key_fn, '2048']);
202 };
203
204 die "unable to generate pve www key:\n$@" if $@;
205}
206
207sub update_serial {
208 my ($serial) = @_;
209
210 PVE::Tools::file_set_contents($pveca_srl_fn, $serial);
211}
212
213sub gen_pve_ssl_cert {
214 my ($force, $nodename, $ip) = @_;
215
216 die "no node name specified" if !$nodename;
217 die "no IP specified" if !$ip;
218
219 my $pvessl_cert_fn = "$basedir/nodes/$nodename/pve-ssl.pem";
220
221 return if !$force && -f $pvessl_cert_fn;
222
223 my $names = "IP:127.0.0.1,DNS:localhost";
224
225 my $rc = PVE::INotify::read_file('resolvconf');
226
227 $names .= ",IP:$ip";
228
229 my $fqdn = $nodename;
230
231 $names .= ",DNS:$nodename";
232
233 if ($rc && $rc->{search}) {
234 $fqdn = $nodename . "." . $rc->{search};
235 $names .= ",DNS:$fqdn";
236 }
237
238 my $sslconf = <<__EOD;
239RANDFILE = /root/.rnd
240extensions = v3_req
241
242[ req ]
243default_bits = 2048
244distinguished_name = req_distinguished_name
245req_extensions = v3_req
246prompt = no
247string_mask = nombstr
248
249[ req_distinguished_name ]
250organizationalUnitName = PVE Cluster Node
251organizationName = Proxmox Virtual Environment
252commonName = $fqdn
253
254[ v3_req ]
255basicConstraints = CA:FALSE
256nsCertType = server
257keyUsage = nonRepudiation, digitalSignature, keyEncipherment
258subjectAltName = $names
259__EOD
260
261 my $cfgfn = "/tmp/pvesslconf-$$.tmp";
262 my $fh = IO::File->new ($cfgfn, "w");
263 print $fh $sslconf;
264 close ($fh);
265
266 my $reqfn = "/tmp/pvecertreq-$$.tmp";
267 unlink $reqfn;
268
269 my $pvessl_key_fn = "$basedir/nodes/$nodename/pve-ssl.key";
270 eval {
271 run_silent_cmd(['openssl', 'req', '-batch', '-new', '-config', $cfgfn,
272 '-key', $pvessl_key_fn, '-out', $reqfn]);
273 };
274
275 if (my $err = $@) {
276 unlink $reqfn;
277 unlink $cfgfn;
278 die "unable to generate pve certificate request:\n$err";
279 }
280
281 update_serial("0000000000000000") if ! -f $pveca_srl_fn;
282
283 eval {
284 run_silent_cmd(['openssl', 'x509', '-req', '-in', $reqfn, '-days', '3650',
285 '-out', $pvessl_cert_fn, '-CAkey', $pveca_key_fn,
286 '-CA', $pveca_cert_fn, '-CAserial', $pveca_srl_fn,
287 '-extfile', $cfgfn]);
288 };
289
290 if (my $err = $@) {
291 unlink $reqfn;
292 unlink $cfgfn;
293 die "unable to generate pve ssl certificate:\n$err";
294 }
295
296 unlink $cfgfn;
297 unlink $reqfn;
298}
299
300sub gen_pve_node_files {
301 my ($nodename, $ip, $opt_force) = @_;
302
303 gen_local_dirs($nodename);
304
305 gen_auth_key();
306
307 # make sure we have a (cluster wide) secret
308 # for CSRFR prevention
309 gen_pve_www_key();
310
311 # make sure we have a (per node) private key
312 gen_pve_ssl_key($nodename);
313
314 # make sure we have a CA
315 my $force = gen_pveca_cert();
316
317 $force = 1 if $opt_force;
318
319 gen_pve_ssl_cert($force, $nodename, $ip);
320}
321
322my $versions = {};
323my $vmlist = {};
324my $clinfo = {};
325
326my $ipcc_send_rec = sub {
327 my ($msgid, $data) = @_;
328
329 my $res = PVE::IPCC::ipcc_send_rec($msgid, $data);
330
331 die "ipcc_send_rec failed: $!\n" if !defined($res) && ($! != 0);
332
333 return $res;
334};
335
336my $ipcc_send_rec_json = sub {
337 my ($msgid, $data) = @_;
338
339 my $res = PVE::IPCC::ipcc_send_rec($msgid, $data);
340
341 die "ipcc_send_rec failed: $!\n" if !defined($res) && ($! != 0);
342
343 return decode_json($res);
344};
345
346my $ipcc_get_config = sub {
347 my ($path) = @_;
348
349 my $bindata = pack "Z*", $path;
350 return PVE::IPCC::ipcc_send_rec(6, $bindata);
351};
352
353my $ipcc_get_status = sub {
354 my ($name, $nodename) = @_;
355
356 my $bindata = pack "Z[256]Z[256]", $name, ($nodename || "");
357 return PVE::IPCC::ipcc_send_rec(5, $bindata);
358};
359
360my $ipcc_update_status = sub {
361 my ($name, $data) = @_;
362
363 my $raw = ref($data) ? encode_json($data) : $data;
364 # update status
365 my $bindata = pack "Z[256]Z*", $name, $raw;
366
367 return &$ipcc_send_rec(4, $bindata);
368};
369
370my $ipcc_log = sub {
371 my ($priority, $ident, $tag, $msg) = @_;
372
373 my $bindata = pack "CCCZ*Z*Z*", $priority, bytes::length($ident) + 1,
374 bytes::length($tag) + 1, $ident, $tag, $msg;
375
376 return &$ipcc_send_rec(7, $bindata);
377};
378
379my $ipcc_get_cluster_log = sub {
380 my ($user, $max) = @_;
381
382 $max = 0 if !defined($max);
383
384 my $bindata = pack "VVVVZ*", $max, 0, 0, 0, ($user || "");
385 return &$ipcc_send_rec(8, $bindata);
386};
387
388my $ccache = {};
389
390sub cfs_update {
391 eval {
392 my $res = &$ipcc_send_rec_json(1);
393 #warn "GOT1: " . Dumper($res);
394 die "no starttime\n" if !$res->{starttime};
395
396 if (!$res->{starttime} || !$versions->{starttime} ||
397 $res->{starttime} != $versions->{starttime}) {
398 #print "detected changed starttime\n";
399 $vmlist = {};
400 $clinfo = {};
401 $ccache = {};
402 }
403
404 $versions = $res;
405 };
406 my $err = $@;
407 if ($err) {
408 $versions = {};
409 $vmlist = {};
410 $clinfo = {};
411 $ccache = {};
412 warn $err;
413 }
414
415 eval {
416 if (!$clinfo->{version} || $clinfo->{version} != $versions->{clinfo}) {
417 #warn "detected new clinfo\n";
418 $clinfo = &$ipcc_send_rec_json(2);
419 }
420 };
421 $err = $@;
422 if ($err) {
423 $clinfo = {};
424 warn $err;
425 }
426
427 eval {
428 if (!$vmlist->{version} || $vmlist->{version} != $versions->{vmlist}) {
429 #warn "detected new vmlist1\n";
430 $vmlist = &$ipcc_send_rec_json(3);
431 }
432 };
433 $err = $@;
434 if ($err) {
435 $vmlist = {};
436 warn $err;
437 }
438}
439
440sub get_vmlist {
441 return $vmlist;
442}
443
444sub get_clinfo {
445 return $clinfo;
446}
447
9ddd4ae9
DM		 448sub get_members {
449 return $clinfo->{nodelist};
450}
451
fe000966
DM		 452sub get_nodelist {
453
454 my $nodelist = $clinfo->{nodelist};
455
456 my $result = [];
457
458 my $nodename = PVE::INotify::nodename();
459
460 if (!$nodelist || !$nodelist->{$nodename}) {
461 return [ $nodename ];
462 }
463
464 return [ keys %$nodelist ];
465}
466
467sub broadcast_tasklist {
468 my ($data) = @_;
469
470 eval {
471 &$ipcc_update_status("tasklist", $data);
472 };
473
474 warn $@ if $@;
475}
476
477my $tasklistcache = {};
478
479sub get_tasklist {
480 my ($nodename) = @_;
481
482 my $kvstore = $versions->{kvstore} || {};
483
484 my $nodelist = get_nodelist();
485
486 my $res = [];
487 foreach my $node (@$nodelist) {
488 next if $nodename && ($nodename ne $node);
489 eval {
490 my $ver = $kvstore->{$node}->{tasklist} if $kvstore->{$node};
491 my $cd = $tasklistcache->{$node};
492 if (!$cd || !$ver || ($cd->{version} != $ver)) {
493 my $raw = &$ipcc_get_status("tasklist", $node) || '[]';
494 my $data = decode_json($raw);
495 push @$res, @$data;
496 $cd = $tasklistcache->{$node} = {
497 data => $data,
498 version => $ver,
499 };
500 } elsif ($cd && $cd->{data}) {
501 push @$res, @{$cd->{data}};
502 }
503 };
504 my $err = $@;
505 syslog('err', $err) if $err;
506 }
507
508 return $res;
509}
510
511sub broadcast_rrd {
512 my ($rrdid, $data) = @_;
513
514 eval {
515 &$ipcc_update_status("rrd/$rrdid", $data);
516 };
517 my $err = $@;
518
519 warn $err if $err;
520}
521
522my $last_rrd_dump = 0;
523my $last_rrd_data = "";
524
525sub rrd_dump {
526
527 my $ctime = time();
528
529 my $diff = $ctime - $last_rrd_dump;
530 if ($diff < 2) {
531 return $last_rrd_data;
532 }
533
534 my $raw;
535 eval {
536 $raw = &$ipcc_send_rec(10);
537 };
538 my $err = $@;
539
540 if ($err) {
541 warn $err;
542 return {};
543 }
544
545 my $res = {};
546
547 while ($raw =~ s/^(.*)\n//) {
548 my ($key, @ela) = split(/:/, $1);
549 next if !$key;
550 next if !(scalar(@ela) > 1);
551 $res->{$key} = \@ela;
552 }
553
554 $last_rrd_dump = $ctime;
555 $last_rrd_data = $res;
556
557 return $res;
558}
559
560sub create_rrd_data {
561 my ($rrdname, $timeframe, $cf) = @_;
562
563 my $rrddir = "/var/lib/rrdcached/db";
564
565 my $rrd = "$rrddir/$rrdname";
566
567 my $setup = {
568 hour => [ 60, 70 ],
569 day => [ 60*30, 70 ],
570 week => [ 60*180, 70 ],
571 month => [ 60*720, 70 ],
572 year => [ 60*10080, 70 ],
573 };
574
575 my ($reso, $count) = @{$setup->{$timeframe}};
576 my $ctime = $reso*int(time()/$reso);
577 my $req_start = $ctime - $reso*$count;
578
579 $cf = "AVERAGE" if !$cf;
580
581 my @args = (
582 "-s" => $req_start,
583 "-e" => $ctime - 1,
584 "-r" => $reso,
585 );
586
587 my $socket = "/var/run/rrdcached.sock";
588 push @args, "--daemon" => "unix:$socket" if -S $socket;
589
590 my ($start, $step, $names, $data) = RRDs::fetch($rrd, $cf, @args);
591
592 my $err = RRDs::error;
593 die "RRD error: $err\n" if $err;
594
595 die "got wrong time resolution ($step != $reso)\n"
596 if $step != $reso;
597
598 my $res = [];
599 my $fields = scalar(@$names);
600 for my $line (@$data) {
601 my $entry = { 'time' => $start };
602 $start += $step;
603 my $found_undefs;
604 for (my $i = 0; $i < $fields; $i++) {
605 my $name = $names->[$i];
606 if (defined(my $val = $line->[$i])) {
607 $entry->{$name} = $val;
608 } else {
609 # we only add entryies with all data defined
610 # extjs chart has problems with undefined values
611 $found_undefs = 1;
612 }
613 }
614 push @$res, $entry if !$found_undefs;
615 }
616
617 return $res;
618}
619
620sub create_rrd_graph {
621 my ($rrdname, $timeframe, $ds, $cf) = @_;
622
623 # Using RRD graph is clumsy - maybe it
624 # is better to simply fetch the data, and do all display
625 # related things with javascript (new extjs html5 graph library).
626
627 my $rrddir = "/var/lib/rrdcached/db";
628
629 my $rrd = "$rrddir/$rrdname";
630
631 my $filename = "$rrd.png";
632
633 my $setup = {
634 hour => [ 60, 60 ],
635 day => [ 60*30, 70 ],
636 week => [ 60*180, 70 ],
637 month => [ 60*720, 70 ],
638 year => [ 60*10080, 70 ],
639 };
640
641 my ($reso, $count) = @{$setup->{$timeframe}};
642
643 my @args = (
644 "--imgformat" => "PNG",
645 "--border" => 0,
646 "--height" => 200,
647 "--width" => 800,
648 "--start" => - $reso*$count,
649 "--end" => 'now' ,
650 );
651
652 my $socket = "/var/run/rrdcached.sock";
653 push @args, "--daemon" => "unix:$socket" if -S $socket;
654
655 my @ids = PVE::Tools::split_list($ds);
656
657 my @coldef = ('#00ddff', '#ff0000');
658
659 $cf = "AVERAGE" if !$cf;
660
661 my $i = 0;
662 foreach my $id (@ids) {
663 my $col = $coldef[$i++] || die "fixme: no color definition";
664 push @args, "DEF:${id}=$rrd:${id}:$cf";
665 my $dataid = $id;
666 if ($id eq 'cpu' || $id eq 'iowait') {
667 push @args, "CDEF:${id}_per=${id},100,*";
668 $dataid = "${id}_per";
669 }
670 push @args, "LINE2:${dataid}${col}:${id}";
671 }
672
673 RRDs::graph($filename, @args);
674
675 my $err = RRDs::error;
676 die "RRD error: $err\n" if $err;
677
678 return { filename => $filename };
679}
680
681# a fast way to read files (avoid fuse overhead)
682sub get_config {
683 my ($path) = @_;
684
685 return &$ipcc_get_config($path);
686}
687
688sub get_cluster_log {
689 my ($user, $max) = @_;
690
691 return &$ipcc_get_cluster_log($user, $max);
692}
693
694my $file_info = {};
695
696sub cfs_register_file {
697 my ($filename, $parser, $writer) = @_;
698
699 $observed->{$filename} || die "unknown file '$filename'";
700
701 die "file '$filename' already registered" if $file_info->{$filename};
702
703 $file_info->{$filename} = {
704 parser => $parser,
705 writer => $writer,
706 };
707}
708
709my $ccache_read = sub {
710 my ($filename, $parser, $version) = @_;
711
712 $ccache->{$filename} = {} if !$ccache->{$filename};
713
714 my $ci = $ccache->{$filename};
715
716 if (!$ci->{version} || $ci->{version} != $version) {
717
718 my $data = get_config($filename);
719
720 $ci->{data} = &$parser("/etc/pve/$filename", $data);
721 $ci->{version} = $version;
722 }
723
724 my $res = ref($ci->{data}) ? dclone($ci->{data}) : $ci->{data};
725
726 return $res;
727};
728
729sub cfs_file_version {
730 my ($filename) = @_;
731
732 my $version;
733 my $infotag;
734 if ($filename =~ m|^nodes/[^/]+/qemu-server/(\d+)\.conf$|) {
735 my $vmid = $1;
736 if ($vmlist && $vmlist->{ids} && $vmlist->{ids}->{$vmid}) {
737 $version = $vmlist->{ids}->{$vmid}->{version};
738 }
739 $infotag = "/qemu-server/";
740 } else {
741 $infotag = $filename;
742 $version = $versions->{$filename};
743 }
744
745 my $info = $file_info->{$infotag} ||
746 die "unknown file type '$filename'\n";
747
748 return wantarray ? ($version, $info) : $version;
749}
750
751sub cfs_read_file {
752 my ($filename) = @_;
753
754 my ($version, $info) = cfs_file_version($filename);
755 my $parser = $info->{parser};
756
757 return &$ccache_read($filename, $parser, $version);
758}
759
760sub cfs_write_file {
761 my ($filename, $data) = @_;
762
763 my $info = $file_info->{$filename} || die "unknown file '$filename'";
764
765 my $writer = $info->{writer} || die "no writer defined";
766
767 my $fsname = "/etc/pve/$filename";
768
769 my $raw = &$writer($fsname, $data);
770
771 if (my $ci = $ccache->{$filename}) {
772 $ci->{version} = undef;
773 }
774
775 PVE::Tools::file_set_contents($fsname, $raw);
776}
777
778my $cfs_lock = sub {
779 my ($lockid, $timeout, $code, @param) = @_;
780
781 my $res;
782
783 # this timeout is for aquire the lock
784 $timeout = 10 if !$timeout;
785
786 my $filename = "$lockdir/$lockid";
787
788 my $msg = "can't aquire cfs lock '$lockid'";
789
790 eval {
791
792 mkdir $lockdir;
793
794 if (! -d $lockdir) {
795 die "$msg: pve cluster filesystem not online.\n";
796 }
797
798 local $SIG{ALRM} = sub { die "got lock request timeout\n"; };
799
800 alarm ($timeout);
801
802 if (!(mkdir $filename)) {
803 print STDERR "trying to aquire cfs lock '$lockid' ...";
804 while (1) {
805 if (!(mkdir $filename)) {
806 (utime 0, 0, $filename); # cfs unlock request
807 } else {
808 print STDERR " OK\n";
809 last;
810 }
811 sleep(1);
812 }
813 }
814
815 # fixed command timeout: cfs locks have a timeout of 120
816 # using 60 gives us another 60 seconds to abort the task
817 alarm(60);
818 local $SIG{ALRM} = sub { die "got lock timeout - aborting command\n"; };
819
820 $res = &$code(@param);
821
822 alarm(0);
823 };
824
825 my $err = $@;
826
827 alarm(0);
828
829 if ($err && ($err eq "got lock request timeout\n") &&
830 !check_cfs_quorum()){
831 $err = "$msg: no quorum!\n";
832 }
833
834 if (!$err || $err !~ /^got lock timeout -/) {
835 rmdir $filename; # cfs unlock
836 }
837
838 if ($err) {
839 $@ = $err;
840 return undef;
841 }
842
843 $@ = undef;
844
845 return $res;
846};
847
848sub cfs_lock_file {
849 my ($filename, $timeout, $code, @param) = @_;
850
851 my $info = $observed->{$filename} || die "unknown file '$filename'";
852
853 my $lockid = "file-$filename";
854 $lockid =~ s/[.\/]/_/g;
855
856 &$cfs_lock($lockid, $timeout, $code, @param);
857}
858
859sub cfs_lock_storage {
860 my ($storeid, $timeout, $code, @param) = @_;
861
862 my $lockid = "storage-$storeid";
863
864 &$cfs_lock($lockid, $timeout, $code, @param);
865}
866
867my $log_levels = {
868 "emerg" => 0,
869 "alert" => 1,
870 "crit" => 2,
871 "critical" => 2,
872 "err" => 3,
873 "error" => 3,
874 "warn" => 4,
875 "warning" => 4,
876 "notice" => 5,
877 "info" => 6,
878 "debug" => 7,
879};
880
881sub log_msg {
882 my ($priority, $ident, $msg) = @_;
883
884 if (my $tmp = $log_levels->{$priority}) {
885 $priority = $tmp;
886 }
887
888 die "need numeric log priority" if $priority !~ /^\d+$/;
889
890 my $tag = PVE::SafeSyslog::tag();
891
892 $msg = "empty message" if !$msg;
893
894 $ident = "" if !$ident;
895 $ident = encode("ascii", decode_utf8($ident),
896 sub { sprintf "\\u%04x", shift });
897
898 my $utf8 = decode_utf8($msg);
899
900 my $ascii = encode("ascii", $utf8, sub { sprintf "\\u%04x", shift });
901
902 if ($ident) {
903 syslog($priority, "<%s> %s", $ident, $ascii);
904 } else {
905 syslog($priority, "%s", $ascii);
906 }
907
908 eval { &$ipcc_log($priority, $ident, $tag, $ascii); };
909
910 syslog("err", "writing cluster log failed: $@") if $@;
911}
912
65ff467f
DM		 913sub check_node_exists {
914 my ($nodename, $noerr) = @_;
915
916 my $nodelist = $clinfo->{nodelist};
917 return 1 if $nodelist && $nodelist->{$nodename};
918
919 return undef if $noerr;
920
921 die "no such cluster node '$nodename'\n";
922}
923
fe000966
DM		 924# this is also used to get the IP of the local node
925sub remote_node_ip {
926 my ($nodename, $noerr) = @_;
927
928 my $nodelist = $clinfo->{nodelist};
929 if ($nodelist && $nodelist->{$nodename}) {
930 if (my $ip = $nodelist->{$nodename}->{ip}) {
931 return $ip;
932 }
933 }
934
935 # fallback: try to get IP by other means
936 my $packed_ip = gethostbyname($nodename);
937 if (defined $packed_ip) {
938 my $ip = inet_ntoa($packed_ip);
939
940 if ($ip =~ m/^127\./) {
941 die "hostname lookup failed - got local IP address ($nodename = $ip)\n" if !$noerr;
942 return undef;
943 }
944
945 return $ip;
946 }
947
948 die "unable to get IP for node '$nodename' - node offline?\n" if !$noerr;
949
950 return undef;
951}
952
953# ssh related utility functions
954
955sub ssh_merge_keys {
956 # remove duplicate keys in $sshauthkeys
957 # ssh-copy-id simply add keys, so the file can grow to large
958
959 my $data = '';
960 if (-f $sshauthkeys) {
961 $data = PVE::Tools::file_get_contents($sshauthkeys, 128*1024);
962 chomp($data);
963 }
964
965 # always add ourself
966 if (-f $ssh_rsa_id) {
967 my $pub = PVE::Tools::file_get_contents($ssh_rsa_id);
968 chomp($pub);
969 $data .= "\n$pub\n";
970 }
971
972 my $newdata = "";
973 my $vhash = {};
974 while ($data && $data =~ s/^((.*?)(\n|$))//) {
975 my $line = "$2\n";
976 if ($line =~ m/^ssh-rsa\s+\S+\s+(\S+)$/) {
977 $vhash->{$1} = $line;
978 } else {
979 $newdata .= $line;
980 }
981 }
982
983 $newdata .= join("", values(%$vhash));
984
985 PVE::Tools::file_set_contents($sshauthkeys, $newdata, 0600);
986}
987
988sub setup_ssh_keys {
989
990 # create ssh key if it does not exist
991 if (! -f $ssh_rsa_id) {
992 mkdir '/root/.ssh/';
993 system ("echo|ssh-keygen -t rsa -N '' -b 2048 -f ${ssh_rsa_id_priv}");
994 }
995
996 mkdir $authdir;
997
998 if (! -f $sshauthkeys) {
999 if (my $fh = IO::File->new ($sshauthkeys, O_CREAT|O_WRONLY|O_EXCL, 0400)) {
1000 close($fh);
1001 }
1002 }
1003
1004 warn "can't create shared ssh key database '$sshauthkeys'\n"
1005 if ! -f $sshauthkeys;
1006
1007 if (-f $rootsshauthkeys) {
1008 system("mv '$rootsshauthkeys' '$rootsshauthkeys.org'");
1009 }
1010
1011 if (! -l $rootsshauthkeys) {
1012 symlink $sshauthkeys, $rootsshauthkeys;
1013 }
1014 warn "can't create symlink for ssh keys '$rootsshauthkeys' -> '$sshauthkeys'\n"
1015 if ! -l $rootsshauthkeys;
1016
1017}
1018
1019sub ssh_unmerge_known_hosts {
1020 return if ! -l $sshglobalknownhosts;
1021
1022 my $old = '';
1023 $old = PVE::Tools::file_get_contents($sshknownhosts, 128*1024)
1024 if -f $sshknownhosts;
1025
1026 PVE::Tools::file_set_contents($sshglobalknownhosts, $old);
1027}
1028
1029sub ssh_merge_known_hosts {
1030 my ($nodename, $ip_address, $createLink) = @_;
1031
1032 die "no node name specified" if !$nodename;
1033 die "no ip address specified" if !$ip_address;
1034
1035 mkdir $authdir;
1036
1037 if (! -f $sshknownhosts) {
1038 if (my $fh = IO::File->new($sshknownhosts, O_CREAT|O_WRONLY|O_EXCL, 0600)) {
1039 close($fh);
1040 }
1041 }
1042
1043 my $old = PVE::Tools::file_get_contents($sshknownhosts, 128*1024);
1044
1045 my $new = '';
1046
1047 if ((! -l $sshglobalknownhosts) && (-f $sshglobalknownhosts)) {
1048 $new = PVE::Tools::file_get_contents($sshglobalknownhosts, 128*1024);
1049 }
1050
1051 my $hostkey = PVE::Tools::file_get_contents($ssh_host_rsa_id);
1052 die "can't parse $ssh_rsa_id" if $hostkey !~ m/^(ssh-rsa\s\S+)(\s.*)?$/;
1053 $hostkey = $1;
1054
1055 my $data = '';
1056 my $vhash = {};
1057
1058 my $found_nodename;
1059 my $found_local_ip;
1060
1061 my $merge_line = sub {
1062 my ($line, $all) = @_;
1063
1064 if ($line =~ m/^(\S+)\s(ssh-rsa\s\S+)(\s.*)?$/) {
1065 my $key = $1;
1066 my $rsakey = $2;
1067 if (!$vhash->{$key}) {
1068 $vhash->{$key} = 1;
1069 if ($key =~ m/\|1\|([^\|\s]+)\|([^\|\s]+)$/) {
1070 my $salt = decode_base64($1);
1071 my $digest = $2;
1072 my $hmac = Digest::HMAC_SHA1->new($salt);
1073 $hmac->add($nodename);
1074 my $hd = $hmac->b64digest . '=';
1075 if ($digest eq $hd) {
1076 if ($rsakey eq $hostkey) {
1077 $found_nodename = 1;
1078 $data .= $line;
1079 }
1080 return;
1081 }
1082 $hmac = Digest::HMAC_SHA1->new($salt);
1083 $hmac->add($ip_address);
1084 $hd = $hmac->b64digest . '=';
1085 if ($digest eq $hd) {
1086 if ($rsakey eq $hostkey) {
1087 $found_local_ip = 1;
1088 $data .= $line;
1089 }
1090 return;
1091 }
1092 }
1093 $data .= $line;
1094 }
1095 } elsif ($all) {
1096 $data .= $line;
1097 }
1098 };
1099
1100 while ($old && $old =~ s/^((.*?)(\n|$))//) {
1101 my $line = "$2\n";
1102 next if $line =~ m/^\s*$/; # skip empty lines
1103 next if $line =~ m/^#/; # skip comments
1104 &$merge_line($line, 1);
1105 }
1106
1107 while ($new && $new =~ s/^((.*?)(\n|$))//) {
1108 my $line = "$2\n";
1109 next if $line =~ m/^\s*$/; # skip empty lines
1110 next if $line =~ m/^#/; # skip comments
1111 &$merge_line($line);
1112 }
1113
1114 my $addIndex = $$;
1115 my $add_known_hosts_entry = sub {
1116 my ($name, $hostkey) = @_;
1117 $addIndex++;
1118 my $hmac = Digest::HMAC_SHA1->new("$addIndex" . time());
1119 my $b64salt = $hmac->b64digest . '=';
1120 $hmac = Digest::HMAC_SHA1->new(decode_base64($b64salt));
1121 $hmac->add($name);
1122 my $digest = $hmac->b64digest . '=';
1123 $data .= "|1|$b64salt|$digest $hostkey\n";
1124 };
1125
1126 if (!$found_nodename || !$found_local_ip) {
1127 &$add_known_hosts_entry($nodename, $hostkey) if !$found_nodename;
1128 &$add_known_hosts_entry($ip_address, $hostkey) if !$found_local_ip;
1129 }
1130
1131 PVE::Tools::file_set_contents($sshknownhosts, $data);
1132
1133 return if !$createLink;
1134
1135 unlink $sshglobalknownhosts;
1136 symlink $sshknownhosts, $sshglobalknownhosts;
1137
1138 warn "can't create symlink for ssh known hosts '$sshglobalknownhosts' -> '$sshknownhosts'\n"
1139 if ! -l $sshglobalknownhosts;
1140
1141}
1142
1143my $keymaphash = PVE::Tools::kvmkeymaps();
1144my $datacenter_schema = {
1145 type => "object",
1146 additionalProperties => 0,
1147 properties => {
1148 keyboard => {
1149 optional => 1,
1150 type => 'string',
1151 description => "Default keybord layout for vnc server.",
1152 enum => [ keys %$keymaphash ],
1153 },
1154 language => {
1155 optional => 1,
1156 type => 'string',
1157 description => "Default GUI language.",
1158 enum => [ 'en', 'de' ],
1159 },
1160 http_proxy => {
1161 optional => 1,
1162 type => 'string',
1163 description => "Specify external http proxy which is used for downloads (example: 'http://username:password\@host:port/')",
1164 pattern => "http://.*",
1165 },
1166 },
1167};
1168
1169# make schema accessible from outside (for documentation)
1170sub get_datacenter_schema { return $datacenter_schema };
1171
1172sub parse_datacenter_config {
1173 my ($filename, $raw) = @_;
1174
1175 return PVE::JSONSchema::parse_config($datacenter_schema, $filename, $raw);
1176}
1177
1178sub write_datacenter_config {
1179 my ($filename, $cfg) = @_;
1180
1181 return PVE::JSONSchema::dump_config($datacenter_schema, $filename, $cfg);
1182}
1183
1184cfs_register_file('datacenter.cfg',
1185 \&parse_datacenter_config,
1186 \&write_datacenter_config);
Cluster FS and Tools