]> git.proxmox.com Git - pve-cluster.git/blame - data/PVE/Cluster.pm
projects / pve-cluster.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
another fix for duplicate VM check
[pve-cluster.git] / data / PVE / Cluster.pm
CommitLineData
fe000966
DM		 1package PVE::Cluster;
2
3use strict;
4use POSIX;
5use File::stat qw();
6use Socket;
7use Storable qw(dclone);
8use IO::File;
9use MIME::Base64;
10use Digest::HMAC_SHA1;
11use PVE::Tools;
12use PVE::INotify;
13use PVE::IPCC;
14use PVE::SafeSyslog;
15use JSON;
16use RRDs;
17use Encode;
18use base 'Exporter';
19
20our @EXPORT_OK = qw(
21cfs_read_file
22cfs_write_file
23cfs_register_file
24cfs_lock_file);
25
26use Data::Dumper; # fixme: remove
27
28# x509 certificate utils
29
30my $basedir = "/etc/pve";
31my $authdir = "$basedir/priv";
32my $lockdir = "/etc/pve/priv/lock";
33
34my $authprivkeyfn = "$authdir/authkey.key";
35my $authpubkeyfn = "$basedir/authkey.pub";
36my $pveca_key_fn = "$authdir/pve-root-ca.key";
37my $pveca_srl_fn = "$authdir/pve-root-ca.srl";
38my $pveca_cert_fn = "$basedir/pve-root-ca.pem";
39# this is just a secret accessable by the web browser
40# and is used for CSRF prevention
41my $pvewww_key_fn = "$basedir/pve-www.key";
42
43# ssh related files
44my $ssh_rsa_id_priv = "/root/.ssh/id_rsa";
45my $ssh_rsa_id = "/root/.ssh/id_rsa.pub";
46my $ssh_host_rsa_id = "/etc/ssh/ssh_host_rsa_key.pub";
47my $sshglobalknownhosts = "/etc/ssh/ssh_known_hosts";
48my $sshknownhosts = "/etc/pve/priv/known_hosts";
49my $sshauthkeys = "/etc/pve/priv/authorized_keys";
50my $rootsshauthkeys = "/root/.ssh/authorized_keys";
51
52my $observed = {
53 'storage.cfg' => 1,
54 'datacenter.cfg' => 1,
55 'cluster.cfg' => 1,
56 'user.cfg' => 1,
57 'domains.cfg' => 1,
58 'priv/shadow.cfg' => 1,
59 '/qemu-server/' => 1,
f71eee41 60 '/openvz/' => 1,
fe000966
DM		 61};
62
63# only write output if something fails
64sub run_silent_cmd {
65 my ($cmd) = @_;
66
67 my $outbuf = '';
68
69 my $record_output = sub {
70 $outbuf .= shift;
71 $outbuf .= "\n";
72 };
73
74 eval {
75 PVE::Tools::run_command($cmd, outfunc => $record_output,
76 errfunc => $record_output);
77 };
78
79 my $err = $@;
80
81 if ($err) {
82 print STDERR $outbuf;
83 die $err;
84 }
85}
86
87sub check_cfs_quorum {
01dddfb9
DM		 88 my ($noerr) = @_;
89
fe000966
DM		 90 # note: -w filename always return 1 for root, so wee need
91 # to use File::lstat here
92 my $st = File::stat::lstat("$basedir/local");
01dddfb9
DM		 93 my $quorate = ($st && (($st->mode & 0200) != 0));
94
95 die "cluster not ready - no quorum?\n" if !$quorate && !$noerr;
96
97 return $quorate;
fe000966
DM		 98}
99
100sub check_cfs_is_mounted {
101 my ($noerr) = @_;
102
103 my $res = -l "$basedir/local";
104
105 die "pve configuration filesystem not mounted\n"
106 if !$res && !$noerr;
107
108 return $res;
109}
110
111sub gen_local_dirs {
112 my ($nodename) = @_;
113
114 check_cfs_is_mounted();
115
116 my @required_dirs = (
117 "$basedir/priv",
118 "$basedir/nodes",
119 "$basedir/nodes/$nodename",
a1c08cfa
DM		 120 "$basedir/nodes/$nodename/qemu-server",
121 "$basedir/nodes/$nodename/openvz",
fe000966
DM		 122 "$basedir/nodes/$nodename/priv");
123
124 foreach my $dir (@required_dirs) {
125 if (! -d $dir) {
126 mkdir($dir) || die "unable to create directory '$dir' - $!\n";
127 }
128 }
129}
130
131sub gen_auth_key {
132
133 return if -f "$authprivkeyfn";
134
135 check_cfs_is_mounted();
136
137 mkdir $authdir || die "unable to create dir '$authdir' - $!\n";
138
139 my $cmd = "openssl genrsa -out '$authprivkeyfn' 2048";
140 run_silent_cmd($cmd);
141
142 $cmd = "openssl rsa -in '$authprivkeyfn' -pubout -out '$authpubkeyfn'";
143 run_silent_cmd($cmd)
144}
145
146sub gen_pveca_key {
147
148 return if -f $pveca_key_fn;
149
150 eval {
151 run_silent_cmd(['openssl', 'genrsa', '-out', $pveca_key_fn, '2048']);
152 };
153
154 die "unable to generate pve ca key:\n$@" if $@;
155}
156
157sub gen_pveca_cert {
158
159 if (-f $pveca_key_fn && -f $pveca_cert_fn) {
160 return 0;
161 }
162
163 gen_pveca_key();
164
165 # we try to generate an unique 'subject' to avoid browser problems
166 # (reused serial numbers, ..)
167 my $nid = (split (/\s/, `md5sum '$pveca_key_fn'`))[0] || time();
168
169 eval {
170 run_silent_cmd(['openssl', 'req', '-batch', '-days', '3650', '-new',
171 '-x509', '-nodes', '-key',
172 $pveca_key_fn, '-out', $pveca_cert_fn, '-subj',
173 "/CN=Proxmox Virtual Environment/OU=$nid/O=PVE Cluster Manager CA/"]);
174 };
175
176 die "generating pve root certificate failed:\n$@" if $@;
177
178 return 1;
179}
180
181sub gen_pve_ssl_key {
182 my ($nodename) = @_;
183
184 die "no node name specified" if !$nodename;
185
186 my $pvessl_key_fn = "$basedir/nodes/$nodename/pve-ssl.key";
187
188 return if -f $pvessl_key_fn;
189
190 eval {
191 run_silent_cmd(['openssl', 'genrsa', '-out', $pvessl_key_fn, '2048']);
192 };
193
194 die "unable to generate pve ssl key for node '$nodename':\n$@" if $@;
195}
196
197sub gen_pve_www_key {
198
199 return if -f $pvewww_key_fn;
200
201 eval {
202 run_silent_cmd(['openssl', 'genrsa', '-out', $pvewww_key_fn, '2048']);
203 };
204
205 die "unable to generate pve www key:\n$@" if $@;
206}
207
208sub update_serial {
209 my ($serial) = @_;
210
211 PVE::Tools::file_set_contents($pveca_srl_fn, $serial);
212}
213
214sub gen_pve_ssl_cert {
215 my ($force, $nodename, $ip) = @_;
216
217 die "no node name specified" if !$nodename;
218 die "no IP specified" if !$ip;
219
220 my $pvessl_cert_fn = "$basedir/nodes/$nodename/pve-ssl.pem";
221
222 return if !$force && -f $pvessl_cert_fn;
223
224 my $names = "IP:127.0.0.1,DNS:localhost";
225
226 my $rc = PVE::INotify::read_file('resolvconf');
227
228 $names .= ",IP:$ip";
229
230 my $fqdn = $nodename;
231
232 $names .= ",DNS:$nodename";
233
234 if ($rc && $rc->{search}) {
235 $fqdn = $nodename . "." . $rc->{search};
236 $names .= ",DNS:$fqdn";
237 }
238
239 my $sslconf = <<__EOD;
240RANDFILE = /root/.rnd
241extensions = v3_req
242
243[ req ]
244default_bits = 2048
245distinguished_name = req_distinguished_name
246req_extensions = v3_req
247prompt = no
248string_mask = nombstr
249
250[ req_distinguished_name ]
251organizationalUnitName = PVE Cluster Node
252organizationName = Proxmox Virtual Environment
253commonName = $fqdn
254
255[ v3_req ]
256basicConstraints = CA:FALSE
257nsCertType = server
258keyUsage = nonRepudiation, digitalSignature, keyEncipherment
259subjectAltName = $names
260__EOD
261
262 my $cfgfn = "/tmp/pvesslconf-$$.tmp";
263 my $fh = IO::File->new ($cfgfn, "w");
264 print $fh $sslconf;
265 close ($fh);
266
267 my $reqfn = "/tmp/pvecertreq-$$.tmp";
268 unlink $reqfn;
269
270 my $pvessl_key_fn = "$basedir/nodes/$nodename/pve-ssl.key";
271 eval {
272 run_silent_cmd(['openssl', 'req', '-batch', '-new', '-config', $cfgfn,
273 '-key', $pvessl_key_fn, '-out', $reqfn]);
274 };
275
276 if (my $err = $@) {
277 unlink $reqfn;
278 unlink $cfgfn;
279 die "unable to generate pve certificate request:\n$err";
280 }
281
282 update_serial("0000000000000000") if ! -f $pveca_srl_fn;
283
284 eval {
285 run_silent_cmd(['openssl', 'x509', '-req', '-in', $reqfn, '-days', '3650',
286 '-out', $pvessl_cert_fn, '-CAkey', $pveca_key_fn,
287 '-CA', $pveca_cert_fn, '-CAserial', $pveca_srl_fn,
288 '-extfile', $cfgfn]);
289 };
290
291 if (my $err = $@) {
292 unlink $reqfn;
293 unlink $cfgfn;
294 die "unable to generate pve ssl certificate:\n$err";
295 }
296
297 unlink $cfgfn;
298 unlink $reqfn;
299}
300
301sub gen_pve_node_files {
302 my ($nodename, $ip, $opt_force) = @_;
303
304 gen_local_dirs($nodename);
305
306 gen_auth_key();
307
308 # make sure we have a (cluster wide) secret
309 # for CSRFR prevention
310 gen_pve_www_key();
311
312 # make sure we have a (per node) private key
313 gen_pve_ssl_key($nodename);
314
315 # make sure we have a CA
316 my $force = gen_pveca_cert();
317
318 $force = 1 if $opt_force;
319
320 gen_pve_ssl_cert($force, $nodename, $ip);
321}
322
323my $versions = {};
324my $vmlist = {};
325my $clinfo = {};
326
327my $ipcc_send_rec = sub {
328 my ($msgid, $data) = @_;
329
330 my $res = PVE::IPCC::ipcc_send_rec($msgid, $data);
331
332 die "ipcc_send_rec failed: $!\n" if !defined($res) && ($! != 0);
333
334 return $res;
335};
336
337my $ipcc_send_rec_json = sub {
338 my ($msgid, $data) = @_;
339
340 my $res = PVE::IPCC::ipcc_send_rec($msgid, $data);
341
342 die "ipcc_send_rec failed: $!\n" if !defined($res) && ($! != 0);
343
344 return decode_json($res);
345};
346
347my $ipcc_get_config = sub {
348 my ($path) = @_;
349
350 my $bindata = pack "Z*", $path;
351 return PVE::IPCC::ipcc_send_rec(6, $bindata);
352};
353
354my $ipcc_get_status = sub {
355 my ($name, $nodename) = @_;
356
357 my $bindata = pack "Z[256]Z[256]", $name, ($nodename || "");
358 return PVE::IPCC::ipcc_send_rec(5, $bindata);
359};
360
361my $ipcc_update_status = sub {
362 my ($name, $data) = @_;
363
364 my $raw = ref($data) ? encode_json($data) : $data;
365 # update status
366 my $bindata = pack "Z[256]Z*", $name, $raw;
367
368 return &$ipcc_send_rec(4, $bindata);
369};
370
371my $ipcc_log = sub {
372 my ($priority, $ident, $tag, $msg) = @_;
373
374 my $bindata = pack "CCCZ*Z*Z*", $priority, bytes::length($ident) + 1,
375 bytes::length($tag) + 1, $ident, $tag, $msg;
376
377 return &$ipcc_send_rec(7, $bindata);
378};
379
380my $ipcc_get_cluster_log = sub {
381 my ($user, $max) = @_;
382
383 $max = 0 if !defined($max);
384
385 my $bindata = pack "VVVVZ*", $max, 0, 0, 0, ($user || "");
386 return &$ipcc_send_rec(8, $bindata);
387};
388
389my $ccache = {};
390
391sub cfs_update {
392 eval {
393 my $res = &$ipcc_send_rec_json(1);
394 #warn "GOT1: " . Dumper($res);
395 die "no starttime\n" if !$res->{starttime};
396
397 if (!$res->{starttime} || !$versions->{starttime} ||
398 $res->{starttime} != $versions->{starttime}) {
399 #print "detected changed starttime\n";
400 $vmlist = {};
401 $clinfo = {};
402 $ccache = {};
403 }
404
405 $versions = $res;
406 };
407 my $err = $@;
408 if ($err) {
409 $versions = {};
410 $vmlist = {};
411 $clinfo = {};
412 $ccache = {};
413 warn $err;
414 }
415
416 eval {
417 if (!$clinfo->{version} || $clinfo->{version} != $versions->{clinfo}) {
418 #warn "detected new clinfo\n";
419 $clinfo = &$ipcc_send_rec_json(2);
420 }
421 };
422 $err = $@;
423 if ($err) {
424 $clinfo = {};
425 warn $err;
426 }
427
428 eval {
429 if (!$vmlist->{version} || $vmlist->{version} != $versions->{vmlist}) {
430 #warn "detected new vmlist1\n";
431 $vmlist = &$ipcc_send_rec_json(3);
432 }
433 };
434 $err = $@;
435 if ($err) {
436 $vmlist = {};
437 warn $err;
438 }
439}
440
441sub get_vmlist {
442 return $vmlist;
443}
444
445sub get_clinfo {
446 return $clinfo;
447}
448
9ddd4ae9
DM		 449sub get_members {
450 return $clinfo->{nodelist};
451}
452
fe000966
DM		 453sub get_nodelist {
454
455 my $nodelist = $clinfo->{nodelist};
456
457 my $result = [];
458
459 my $nodename = PVE::INotify::nodename();
460
461 if (!$nodelist || !$nodelist->{$nodename}) {
462 return [ $nodename ];
463 }
464
465 return [ keys %$nodelist ];
466}
467
468sub broadcast_tasklist {
469 my ($data) = @_;
470
471 eval {
472 &$ipcc_update_status("tasklist", $data);
473 };
474
475 warn $@ if $@;
476}
477
478my $tasklistcache = {};
479
480sub get_tasklist {
481 my ($nodename) = @_;
482
483 my $kvstore = $versions->{kvstore} || {};
484
485 my $nodelist = get_nodelist();
486
487 my $res = [];
488 foreach my $node (@$nodelist) {
489 next if $nodename && ($nodename ne $node);
490 eval {
491 my $ver = $kvstore->{$node}->{tasklist} if $kvstore->{$node};
492 my $cd = $tasklistcache->{$node};
493 if (!$cd || !$ver || ($cd->{version} != $ver)) {
494 my $raw = &$ipcc_get_status("tasklist", $node) || '[]';
495 my $data = decode_json($raw);
496 push @$res, @$data;
497 $cd = $tasklistcache->{$node} = {
498 data => $data,
499 version => $ver,
500 };
501 } elsif ($cd && $cd->{data}) {
502 push @$res, @{$cd->{data}};
503 }
504 };
505 my $err = $@;
506 syslog('err', $err) if $err;
507 }
508
509 return $res;
510}
511
512sub broadcast_rrd {
513 my ($rrdid, $data) = @_;
514
515 eval {
516 &$ipcc_update_status("rrd/$rrdid", $data);
517 };
518 my $err = $@;
519
520 warn $err if $err;
521}
522
523my $last_rrd_dump = 0;
524my $last_rrd_data = "";
525
526sub rrd_dump {
527
528 my $ctime = time();
529
530 my $diff = $ctime - $last_rrd_dump;
531 if ($diff < 2) {
532 return $last_rrd_data;
533 }
534
535 my $raw;
536 eval {
537 $raw = &$ipcc_send_rec(10);
538 };
539 my $err = $@;
540
541 if ($err) {
542 warn $err;
543 return {};
544 }
545
546 my $res = {};
547
548 while ($raw =~ s/^(.*)\n//) {
549 my ($key, @ela) = split(/:/, $1);
550 next if !$key;
551 next if !(scalar(@ela) > 1);
552 $res->{$key} = \@ela;
553 }
554
555 $last_rrd_dump = $ctime;
556 $last_rrd_data = $res;
557
558 return $res;
559}
560
561sub create_rrd_data {
562 my ($rrdname, $timeframe, $cf) = @_;
563
564 my $rrddir = "/var/lib/rrdcached/db";
565
566 my $rrd = "$rrddir/$rrdname";
567
568 my $setup = {
569 hour => [ 60, 70 ],
570 day => [ 60*30, 70 ],
571 week => [ 60*180, 70 ],
572 month => [ 60*720, 70 ],
573 year => [ 60*10080, 70 ],
574 };
575
576 my ($reso, $count) = @{$setup->{$timeframe}};
577 my $ctime = $reso*int(time()/$reso);
578 my $req_start = $ctime - $reso*$count;
579
580 $cf = "AVERAGE" if !$cf;
581
582 my @args = (
583 "-s" => $req_start,
584 "-e" => $ctime - 1,
585 "-r" => $reso,
586 );
587
588 my $socket = "/var/run/rrdcached.sock";
589 push @args, "--daemon" => "unix:$socket" if -S $socket;
590
591 my ($start, $step, $names, $data) = RRDs::fetch($rrd, $cf, @args);
592
593 my $err = RRDs::error;
594 die "RRD error: $err\n" if $err;
595
596 die "got wrong time resolution ($step != $reso)\n"
597 if $step != $reso;
598
599 my $res = [];
600 my $fields = scalar(@$names);
601 for my $line (@$data) {
602 my $entry = { 'time' => $start };
603 $start += $step;
604 my $found_undefs;
605 for (my $i = 0; $i < $fields; $i++) {
606 my $name = $names->[$i];
607 if (defined(my $val = $line->[$i])) {
608 $entry->{$name} = $val;
609 } else {
610 # we only add entryies with all data defined
611 # extjs chart has problems with undefined values
612 $found_undefs = 1;
613 }
614 }
615 push @$res, $entry if !$found_undefs;
616 }
617
618 return $res;
619}
620
621sub create_rrd_graph {
622 my ($rrdname, $timeframe, $ds, $cf) = @_;
623
624 # Using RRD graph is clumsy - maybe it
625 # is better to simply fetch the data, and do all display
626 # related things with javascript (new extjs html5 graph library).
627
628 my $rrddir = "/var/lib/rrdcached/db";
629
630 my $rrd = "$rrddir/$rrdname";
631
632 my $filename = "$rrd.png";
633
634 my $setup = {
635 hour => [ 60, 60 ],
636 day => [ 60*30, 70 ],
637 week => [ 60*180, 70 ],
638 month => [ 60*720, 70 ],
639 year => [ 60*10080, 70 ],
640 };
641
642 my ($reso, $count) = @{$setup->{$timeframe}};
643
644 my @args = (
645 "--imgformat" => "PNG",
646 "--border" => 0,
647 "--height" => 200,
648 "--width" => 800,
649 "--start" => - $reso*$count,
650 "--end" => 'now' ,
651 );
652
653 my $socket = "/var/run/rrdcached.sock";
654 push @args, "--daemon" => "unix:$socket" if -S $socket;
655
656 my @ids = PVE::Tools::split_list($ds);
657
658 my @coldef = ('#00ddff', '#ff0000');
659
660 $cf = "AVERAGE" if !$cf;
661
662 my $i = 0;
663 foreach my $id (@ids) {
664 my $col = $coldef[$i++] || die "fixme: no color definition";
665 push @args, "DEF:${id}=$rrd:${id}:$cf";
666 my $dataid = $id;
667 if ($id eq 'cpu' || $id eq 'iowait') {
668 push @args, "CDEF:${id}_per=${id},100,*";
669 $dataid = "${id}_per";
670 }
671 push @args, "LINE2:${dataid}${col}:${id}";
672 }
673
674 RRDs::graph($filename, @args);
675
676 my $err = RRDs::error;
677 die "RRD error: $err\n" if $err;
678
679 return { filename => $filename };
680}
681
682# a fast way to read files (avoid fuse overhead)
683sub get_config {
684 my ($path) = @_;
685
686 return &$ipcc_get_config($path);
687}
688
689sub get_cluster_log {
690 my ($user, $max) = @_;
691
692 return &$ipcc_get_cluster_log($user, $max);
693}
694
695my $file_info = {};
696
697sub cfs_register_file {
698 my ($filename, $parser, $writer) = @_;
699
700 $observed->{$filename} || die "unknown file '$filename'";
701
702 die "file '$filename' already registered" if $file_info->{$filename};
703
704 $file_info->{$filename} = {
705 parser => $parser,
706 writer => $writer,
707 };
708}
709
710my $ccache_read = sub {
711 my ($filename, $parser, $version) = @_;
712
713 $ccache->{$filename} = {} if !$ccache->{$filename};
714
715 my $ci = $ccache->{$filename};
716
717 if (!$ci->{version} || $ci->{version} != $version) {
718
719 my $data = get_config($filename);
720
721 $ci->{data} = &$parser("/etc/pve/$filename", $data);
722 $ci->{version} = $version;
723 }
724
725 my $res = ref($ci->{data}) ? dclone($ci->{data}) : $ci->{data};
726
727 return $res;
728};
729
730sub cfs_file_version {
731 my ($filename) = @_;
732
733 my $version;
734 my $infotag;
f71eee41
DM		 735 if ($filename =~ m!^nodes/[^/]+/(openvz|qemu-server)/(\d+)\.conf$!) {
736 my ($type, $vmid) = ($1, $2);
fe000966
DM		 737 if ($vmlist && $vmlist->{ids} && $vmlist->{ids}->{$vmid}) {
738 $version = $vmlist->{ids}->{$vmid}->{version};
739 }
f71eee41 740 $infotag = "/$type/";
fe000966
DM		 741 } else {
742 $infotag = $filename;
743 $version = $versions->{$filename};
744 }
745
746 my $info = $file_info->{$infotag} ||
747 die "unknown file type '$filename'\n";
748
749 return wantarray ? ($version, $info) : $version;
750}
751
752sub cfs_read_file {
753 my ($filename) = @_;
754
755 my ($version, $info) = cfs_file_version($filename);
756 my $parser = $info->{parser};
757
758 return &$ccache_read($filename, $parser, $version);
759}
760
761sub cfs_write_file {
762 my ($filename, $data) = @_;
763
764 my $info = $file_info->{$filename} || die "unknown file '$filename'";
765
766 my $writer = $info->{writer} || die "no writer defined";
767
768 my $fsname = "/etc/pve/$filename";
769
770 my $raw = &$writer($fsname, $data);
771
772 if (my $ci = $ccache->{$filename}) {
773 $ci->{version} = undef;
774 }
775
776 PVE::Tools::file_set_contents($fsname, $raw);
777}
778
779my $cfs_lock = sub {
780 my ($lockid, $timeout, $code, @param) = @_;
781
782 my $res;
783
784 # this timeout is for aquire the lock
785 $timeout = 10 if !$timeout;
786
787 my $filename = "$lockdir/$lockid";
788
789 my $msg = "can't aquire cfs lock '$lockid'";
790
791 eval {
792
793 mkdir $lockdir;
794
795 if (! -d $lockdir) {
796 die "$msg: pve cluster filesystem not online.\n";
797 }
798
799 local $SIG{ALRM} = sub { die "got lock request timeout\n"; };
800
801 alarm ($timeout);
802
803 if (!(mkdir $filename)) {
804 print STDERR "trying to aquire cfs lock '$lockid' ...";
805 while (1) {
806 if (!(mkdir $filename)) {
807 (utime 0, 0, $filename); # cfs unlock request
808 } else {
809 print STDERR " OK\n";
810 last;
811 }
812 sleep(1);
813 }
814 }
815
816 # fixed command timeout: cfs locks have a timeout of 120
817 # using 60 gives us another 60 seconds to abort the task
818 alarm(60);
819 local $SIG{ALRM} = sub { die "got lock timeout - aborting command\n"; };
820
821 $res = &$code(@param);
822
823 alarm(0);
824 };
825
826 my $err = $@;
827
828 alarm(0);
829
830 if ($err && ($err eq "got lock request timeout\n") &&
831 !check_cfs_quorum()){
832 $err = "$msg: no quorum!\n";
833 }
834
835 if (!$err || $err !~ /^got lock timeout -/) {
836 rmdir $filename; # cfs unlock
837 }
838
839 if ($err) {
840 $@ = $err;
841 return undef;
842 }
843
844 $@ = undef;
845
846 return $res;
847};
848
849sub cfs_lock_file {
850 my ($filename, $timeout, $code, @param) = @_;
851
852 my $info = $observed->{$filename} || die "unknown file '$filename'";
853
854 my $lockid = "file-$filename";
855 $lockid =~ s/[.\/]/_/g;
856
857 &$cfs_lock($lockid, $timeout, $code, @param);
858}
859
860sub cfs_lock_storage {
861 my ($storeid, $timeout, $code, @param) = @_;
862
863 my $lockid = "storage-$storeid";
864
865 &$cfs_lock($lockid, $timeout, $code, @param);
866}
867
868my $log_levels = {
869 "emerg" => 0,
870 "alert" => 1,
871 "crit" => 2,
872 "critical" => 2,
873 "err" => 3,
874 "error" => 3,
875 "warn" => 4,
876 "warning" => 4,
877 "notice" => 5,
878 "info" => 6,
879 "debug" => 7,
880};
881
882sub log_msg {
883 my ($priority, $ident, $msg) = @_;
884
885 if (my $tmp = $log_levels->{$priority}) {
886 $priority = $tmp;
887 }
888
889 die "need numeric log priority" if $priority !~ /^\d+$/;
890
891 my $tag = PVE::SafeSyslog::tag();
892
893 $msg = "empty message" if !$msg;
894
895 $ident = "" if !$ident;
896 $ident = encode("ascii", decode_utf8($ident),
897 sub { sprintf "\\u%04x", shift });
898
899 my $utf8 = decode_utf8($msg);
900
901 my $ascii = encode("ascii", $utf8, sub { sprintf "\\u%04x", shift });
902
903 if ($ident) {
904 syslog($priority, "<%s> %s", $ident, $ascii);
905 } else {
906 syslog($priority, "%s", $ascii);
907 }
908
909 eval { &$ipcc_log($priority, $ident, $tag, $ascii); };
910
911 syslog("err", "writing cluster log failed: $@") if $@;
912}
913
65ff467f
DM		 914sub check_node_exists {
915 my ($nodename, $noerr) = @_;
916
917 my $nodelist = $clinfo->{nodelist};
918 return 1 if $nodelist && $nodelist->{$nodename};
919
920 return undef if $noerr;
921
922 die "no such cluster node '$nodename'\n";
923}
924
fe000966
DM		 925# this is also used to get the IP of the local node
926sub remote_node_ip {
927 my ($nodename, $noerr) = @_;
928
929 my $nodelist = $clinfo->{nodelist};
930 if ($nodelist && $nodelist->{$nodename}) {
931 if (my $ip = $nodelist->{$nodename}->{ip}) {
932 return $ip;
933 }
934 }
935
936 # fallback: try to get IP by other means
937 my $packed_ip = gethostbyname($nodename);
938 if (defined $packed_ip) {
939 my $ip = inet_ntoa($packed_ip);
940
941 if ($ip =~ m/^127\./) {
942 die "hostname lookup failed - got local IP address ($nodename = $ip)\n" if !$noerr;
943 return undef;
944 }
945
946 return $ip;
947 }
948
949 die "unable to get IP for node '$nodename' - node offline?\n" if !$noerr;
950
951 return undef;
952}
953
954# ssh related utility functions
955
956sub ssh_merge_keys {
957 # remove duplicate keys in $sshauthkeys
958 # ssh-copy-id simply add keys, so the file can grow to large
959
960 my $data = '';
961 if (-f $sshauthkeys) {
962 $data = PVE::Tools::file_get_contents($sshauthkeys, 128*1024);
963 chomp($data);
964 }
965
966 # always add ourself
967 if (-f $ssh_rsa_id) {
968 my $pub = PVE::Tools::file_get_contents($ssh_rsa_id);
969 chomp($pub);
970 $data .= "\n$pub\n";
971 }
972
973 my $newdata = "";
974 my $vhash = {};
975 while ($data && $data =~ s/^((.*?)(\n|$))//) {
976 my $line = "$2\n";
977 if ($line =~ m/^ssh-rsa\s+\S+\s+(\S+)$/) {
978 $vhash->{$1} = $line;
979 } else {
980 $newdata .= $line;
981 }
982 }
983
984 $newdata .= join("", values(%$vhash));
985
986 PVE::Tools::file_set_contents($sshauthkeys, $newdata, 0600);
987}
988
989sub setup_ssh_keys {
990
991 # create ssh key if it does not exist
992 if (! -f $ssh_rsa_id) {
993 mkdir '/root/.ssh/';
994 system ("echo|ssh-keygen -t rsa -N '' -b 2048 -f ${ssh_rsa_id_priv}");
995 }
996
997 mkdir $authdir;
998
999 if (! -f $sshauthkeys) {
1000 if (my $fh = IO::File->new ($sshauthkeys, O_CREAT|O_WRONLY|O_EXCL, 0400)) {
1001 close($fh);
1002 }
1003 }
1004
1005 warn "can't create shared ssh key database '$sshauthkeys'\n"
1006 if ! -f $sshauthkeys;
1007
1008 if (-f $rootsshauthkeys) {
1009 system("mv '$rootsshauthkeys' '$rootsshauthkeys.org'");
1010 }
1011
1012 if (! -l $rootsshauthkeys) {
1013 symlink $sshauthkeys, $rootsshauthkeys;
1014 }
1015 warn "can't create symlink for ssh keys '$rootsshauthkeys' -> '$sshauthkeys'\n"
1016 if ! -l $rootsshauthkeys;
1017
1018}
1019
1020sub ssh_unmerge_known_hosts {
1021 return if ! -l $sshglobalknownhosts;
1022
1023 my $old = '';
1024 $old = PVE::Tools::file_get_contents($sshknownhosts, 128*1024)
1025 if -f $sshknownhosts;
1026
1027 PVE::Tools::file_set_contents($sshglobalknownhosts, $old);
1028}
1029
1030sub ssh_merge_known_hosts {
1031 my ($nodename, $ip_address, $createLink) = @_;
1032
1033 die "no node name specified" if !$nodename;
1034 die "no ip address specified" if !$ip_address;
1035
1036 mkdir $authdir;
1037
1038 if (! -f $sshknownhosts) {
1039 if (my $fh = IO::File->new($sshknownhosts, O_CREAT|O_WRONLY|O_EXCL, 0600)) {
1040 close($fh);
1041 }
1042 }
1043
1044 my $old = PVE::Tools::file_get_contents($sshknownhosts, 128*1024);
1045
1046 my $new = '';
1047
1048 if ((! -l $sshglobalknownhosts) && (-f $sshglobalknownhosts)) {
1049 $new = PVE::Tools::file_get_contents($sshglobalknownhosts, 128*1024);
1050 }
1051
1052 my $hostkey = PVE::Tools::file_get_contents($ssh_host_rsa_id);
1053 die "can't parse $ssh_rsa_id" if $hostkey !~ m/^(ssh-rsa\s\S+)(\s.*)?$/;
1054 $hostkey = $1;
1055
1056 my $data = '';
1057 my $vhash = {};
1058
1059 my $found_nodename;
1060 my $found_local_ip;
1061
1062 my $merge_line = sub {
1063 my ($line, $all) = @_;
1064
1065 if ($line =~ m/^(\S+)\s(ssh-rsa\s\S+)(\s.*)?$/) {
1066 my $key = $1;
1067 my $rsakey = $2;
1068 if (!$vhash->{$key}) {
1069 $vhash->{$key} = 1;
1070 if ($key =~ m/\|1\|([^\|\s]+)\|([^\|\s]+)$/) {
1071 my $salt = decode_base64($1);
1072 my $digest = $2;
1073 my $hmac = Digest::HMAC_SHA1->new($salt);
1074 $hmac->add($nodename);
1075 my $hd = $hmac->b64digest . '=';
1076 if ($digest eq $hd) {
1077 if ($rsakey eq $hostkey) {
1078 $found_nodename = 1;
1079 $data .= $line;
1080 }
1081 return;
1082 }
1083 $hmac = Digest::HMAC_SHA1->new($salt);
1084 $hmac->add($ip_address);
1085 $hd = $hmac->b64digest . '=';
1086 if ($digest eq $hd) {
1087 if ($rsakey eq $hostkey) {
1088 $found_local_ip = 1;
1089 $data .= $line;
1090 }
1091 return;
1092 }
1093 }
1094 $data .= $line;
1095 }
1096 } elsif ($all) {
1097 $data .= $line;
1098 }
1099 };
1100
1101 while ($old && $old =~ s/^((.*?)(\n|$))//) {
1102 my $line = "$2\n";
1103 next if $line =~ m/^\s*$/; # skip empty lines
1104 next if $line =~ m/^#/; # skip comments
1105 &$merge_line($line, 1);
1106 }
1107
1108 while ($new && $new =~ s/^((.*?)(\n|$))//) {
1109 my $line = "$2\n";
1110 next if $line =~ m/^\s*$/; # skip empty lines
1111 next if $line =~ m/^#/; # skip comments
1112 &$merge_line($line);
1113 }
1114
1115 my $addIndex = $$;
1116 my $add_known_hosts_entry = sub {
1117 my ($name, $hostkey) = @_;
1118 $addIndex++;
1119 my $hmac = Digest::HMAC_SHA1->new("$addIndex" . time());
1120 my $b64salt = $hmac->b64digest . '=';
1121 $hmac = Digest::HMAC_SHA1->new(decode_base64($b64salt));
1122 $hmac->add($name);
1123 my $digest = $hmac->b64digest . '=';
1124 $data .= "|1|$b64salt|$digest $hostkey\n";
1125 };
1126
1127 if (!$found_nodename || !$found_local_ip) {
1128 &$add_known_hosts_entry($nodename, $hostkey) if !$found_nodename;
1129 &$add_known_hosts_entry($ip_address, $hostkey) if !$found_local_ip;
1130 }
1131
1132 PVE::Tools::file_set_contents($sshknownhosts, $data);
1133
1134 return if !$createLink;
1135
1136 unlink $sshglobalknownhosts;
1137 symlink $sshknownhosts, $sshglobalknownhosts;
1138
1139 warn "can't create symlink for ssh known hosts '$sshglobalknownhosts' -> '$sshknownhosts'\n"
1140 if ! -l $sshglobalknownhosts;
1141
1142}
1143
1144my $keymaphash = PVE::Tools::kvmkeymaps();
1145my $datacenter_schema = {
1146 type => "object",
1147 additionalProperties => 0,
1148 properties => {
1149 keyboard => {
1150 optional => 1,
1151 type => 'string',
1152 description => "Default keybord layout for vnc server.",
1153 enum => [ keys %$keymaphash ],
1154 },
1155 language => {
1156 optional => 1,
1157 type => 'string',
1158 description => "Default GUI language.",
1159 enum => [ 'en', 'de' ],
1160 },
1161 http_proxy => {
1162 optional => 1,
1163 type => 'string',
1164 description => "Specify external http proxy which is used for downloads (example: 'http://username:password\@host:port/')",
1165 pattern => "http://.*",
1166 },
1167 },
1168};
1169
1170# make schema accessible from outside (for documentation)
1171sub get_datacenter_schema { return $datacenter_schema };
1172
1173sub parse_datacenter_config {
1174 my ($filename, $raw) = @_;
1175
1176 return PVE::JSONSchema::parse_config($datacenter_schema, $filename, $raw);
1177}
1178
1179sub write_datacenter_config {
1180 my ($filename, $cfg) = @_;
1181
1182 return PVE::JSONSchema::dump_config($datacenter_schema, $filename, $cfg);
1183}
1184
1185cfs_register_file('datacenter.cfg',
1186 \&parse_datacenter_config,
1187 \&write_datacenter_config);
Cluster FS and Tools