[pve-docs.git] / pmxcfs.adoc

ifdef::manvolnum[]
PVE({manvolnum})
================
include::attributes.txt[]

NAME
----

pmxcfs - Proxmox Cluster File System

SYNOPSYS
--------

include::pmxcfs.8-cli.adoc[]

DESCRIPTION
-----------
endif::manvolnum[]

ifndef::manvolnum[]
Proxmox Cluster File System (pmxcfs)
====================================
include::attributes.txt[]
endif::manvolnum[]

The Proxmox Cluster file system (``pmxcfs'') is a database-driven file
system for storing configuration files, replicated in real time to all
cluster nodes using `corosync`. We use this to store all PVE related
configuration files.

Although the file system stores all data inside a persistent database
on disk, a copy of the data resides in RAM. That imposes restriction
on the maximal size, which is currently 30MB. This is still enough to
store the configuration of several thousand virtual machines.

This system provides the following advantages:

* seamless replication of all configuration to all nodes in real time
* provides strong consistency checks to avoid duplicate VM IDs
* read-only when a node loses quorum
* automatic updates of the corosync cluster configuration to all nodes
* includes a distributed locking mechanism

POSIX Compatibility
-------------------

The file system is based on FUSE, so the behavior is POSIX like. But
some feature are simply not implemented, because we do not need them:

* you can just generate normal files and directories, but no symbolic
  links, ...

* you can't rename non-empty directories (because this makes it easier
  to guarantee that VMIDs are unique).

* you can't change file permissions (permissions are based on path)

* `O_EXCL` creates were not atomic (like old NFS)

* `O_TRUNC` creates are not atomic (FUSE restriction)


File access rights
------------------

All files and directories are owned by user `root` and have group
`www-data`. Only root has write permissions, but group `www-data` can
read most files. Files below the following paths:

 /etc/pve/priv/
 /etc/pve/nodes/${NAME}/priv/

are only accessible by root.


Technology
----------

We use the http://www.corosync.org[Corosync Cluster Engine] for
cluster communication, and http://www.sqlite.org[SQlite] for the
database file. The filesystem is implemented in user space using
http://fuse.sourceforge.net[FUSE].

File system layout
------------------

The file system is mounted at:

 /etc/pve

Files
~~~~~

[width="100%",cols="m,d"]
|=======
|`corosync.conf`                        | Corosync cluster configuration file (previous to {pve} 4.x this file was called cluster.conf)
|`storage.cfg`                          | {pve} storage configuration
|`datacenter.cfg`                       | {pve} datacenter wide configuration (keyboard layout, proxy, ...)
|`user.cfg`                             | {pve} access control configuration (users/groups/...)
|`domains.cfg`                          | {pve} authentication domains
|`authkey.pub`                          | Public key used by ticket system
|`pve-root-ca.pem`                      | Public certificate of cluster CA
|`priv/shadow.cfg`                      | Shadow password file
|`priv/authkey.key`                     | Private key used by ticket system
|`priv/pve-root-ca.key`                 | Private key of cluster CA
|`nodes/<NAME>/pve-ssl.pem`             | Public SSL certificate for web server (signed by cluster CA)
|`nodes/<NAME>/pve-ssl.key`             | Private SSL key for `pve-ssl.pem`
|`nodes/<NAME>/pveproxy-ssl.pem`        | Public SSL certificate (chain) for web server (optional override for `pve-ssl.pem`)
|`nodes/<NAME>/pveproxy-ssl.key`        | Private SSL key for `pveproxy-ssl.pem` (optional)
|`nodes/<NAME>/qemu-server/<VMID>.conf` | VM configuration data for KVM VMs
|`nodes/<NAME>/lxc/<VMID>.conf`         | VM configuration data for LXC containers
|`firewall/cluster.fw`                  | Firewall configuration applied to all nodes
|`firewall/<NAME>.fw`                   | Firewall configuration for individual nodes
|`firewall/<VMID>.fw`                   | Firewall configuration for VMs and Containers
|=======

Symbolic links
~~~~~~~~~~~~~~

[width="100%",cols="m,m"]
|=======
|`local`         | `nodes/<LOCAL_HOST_NAME>`
|`qemu-server`   | `nodes/<LOCAL_HOST_NAME>/qemu-server/`
|`lxc`           | `nodes/<LOCAL_HOST_NAME>/lxc/`
|=======

Special status files for debugging (JSON)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[width="100%",cols="m,d"]
|=======
|`.version`    |File versions (to detect file modifications)
|`.members`    |Info about cluster members
|`.vmlist`     |List of all VMs
|`.clusterlog` |Cluster log (last 50 entries)
|`.rrd`        |RRD data (most recent entries)
|=======

Enable/Disable debugging
~~~~~~~~~~~~~~~~~~~~~~~~

You can enable verbose syslog messages with:

 echo "1" >/etc/pve/.debug 

And disable verbose syslog messages with:

 echo "0" >/etc/pve/.debug 


Recovery
--------

If you have major problems with your Proxmox VE host, e.g. hardware
issues, it could be helpful to just copy the pmxcfs database file
`/var/lib/pve-cluster/config.db` and move it to a new Proxmox VE
host. On the new host (with nothing running), you need to stop the
`pve-cluster` service and replace the `config.db` file (needed permissions
`0600`). Second, adapt `/etc/hostname` and `/etc/hosts` according to the
lost Proxmox VE host, then reboot and check. (And don't forget your
VM/CT data)

Remove Cluster configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The recommended way is to reinstall the node after you removed it from
your cluster. This makes sure that all secret cluster/ssh keys and any
shared configuration data is destroyed.

In some cases, you might prefer to put a node back to local mode
without reinstall, which is described here:

* stop the cluster file system in `/etc/pve/`

 # systemctl stop pve-cluster

* start it again but forcing local mode

 # pmxcfs -l

* remove the cluster config

 # rm /etc/pve/cluster.conf
 # rm /etc/cluster/cluster.conf
 # rm /var/lib/pve-cluster/corosync.authkey

* stop the cluster file system again

 # systemctl stop pve-cluster

* restart pve services (or reboot)

 # systemctl start pve-cluster
 # systemctl restart pvedaemon
 # systemctl restart pveproxy
 # systemctl restart pvestatd


ifdef::manvolnum[]
include::pve-copyright.adoc[]
endif::manvolnum[]
Commit	Line	Data
bd88f9d9 DM	1	ifdef::manvolnum[]
	2	PVE({manvolnum})
	3	================
	4	include::attributes.txt[]
	5
	6	NAME
	7	----
	8
	9	pmxcfs - Proxmox Cluster File System
	10
	11	SYNOPSYS
	12	--------
	13
	14	include::pmxcfs.8-cli.adoc[]
	15
	16	DESCRIPTION
	17	-----------
	18	endif::manvolnum[]
	19
	20	ifndef::manvolnum[]
	21	Proxmox Cluster File System (pmxcfs)
ac1e3896	22	====================================
bd88f9d9 DM	23	include::attributes.txt[]
bd88f9d9 DM	24	endif::manvolnum[]
ac1e3896	25
8c1189b6	26	The Proxmox Cluster file system (``pmxcfs'') is a database-driven file
ac1e3896	27	system for storing configuration files, replicated in real time to all
8c1189b6	28	cluster nodes using `corosync`. We use this to store all PVE related
ac1e3896 DM	29	configuration files.
	30
	31	Although the file system stores all data inside a persistent database
	32	on disk, a copy of the data resides in RAM. That imposes restriction
	33	on the maximal size, which is currently 30MB. This is still enough to
	34	store the configuration of several thousand virtual machines.
	35
960f6344	36	This system provides the following advantages:
ac1e3896 DM	37
	38	* seamless replication of all configuration to all nodes in real time
	39	* provides strong consistency checks to avoid duplicate VM IDs
a8e99754	40	* read-only when a node loses quorum
ac1e3896 DM	41	* automatic updates of the corosync cluster configuration to all nodes
	42	* includes a distributed locking mechanism
	43
	44	POSIX Compatibility
960f6344	45	-------------------
ac1e3896 DM	46
	47	The file system is based on FUSE, so the behavior is POSIX like. But
	48	some feature are simply not implemented, because we do not need them:
	49
	50	* you can just generate normal files and directories, but no symbolic
	51	links, ...
	52
	53	* you can't rename non-empty directories (because this makes it easier
	54	to guarantee that VMIDs are unique).
	55
	56	* you can't change file permissions (permissions are based on path)
	57
	58	* `O_EXCL` creates were not atomic (like old NFS)
	59
	60	* `O_TRUNC` creates are not atomic (FUSE restriction)
	61
	62
	63	File access rights
960f6344	64	------------------
ac1e3896	65
8c1189b6 FG	66	All files and directories are owned by user `root` and have group
8c1189b6 FG	67	`www-data`. Only root has write permissions, but group `www-data` can
ac1e3896 DM	68	read most files. Files below the following paths:
	69
	70	/etc/pve/priv/
	71	/etc/pve/nodes/${NAME}/priv/
	72
	73	are only accessible by root.
	74
960f6344	75
ac1e3896 DM	76	Technology
	77	----------
	78
	79	We use the http://www.corosync.org[Corosync Cluster Engine] for
	80	cluster communication, and http://www.sqlite.org[SQlite] for the
	81	database file. The filesystem is implemented in user space using
	82	http://fuse.sourceforge.net[FUSE].
	83
	84	File system layout
	85	------------------
	86
	87	The file system is mounted at:
	88
	89	/etc/pve
	90
	91	Files
	92	~~~~~
	93
	94	[width="100%",cols="m,d"]
	95	\|=======
8c1189b6 FG	96	\|`corosync.conf` \| Corosync cluster configuration file (previous to {pve} 4.x this file was called cluster.conf)
	97	\|`storage.cfg` \| {pve} storage configuration
	98	\|`datacenter.cfg` \| {pve} datacenter wide configuration (keyboard layout, proxy, ...)
	99	\|`user.cfg` \| {pve} access control configuration (users/groups/...)
	100	\|`domains.cfg` \| {pve} authentication domains
	101	\|`authkey.pub` \| Public key used by ticket system
	102	\|`pve-root-ca.pem` \| Public certificate of cluster CA
	103	\|`priv/shadow.cfg` \| Shadow password file
	104	\|`priv/authkey.key` \| Private key used by ticket system
	105	\|`priv/pve-root-ca.key` \| Private key of cluster CA
	106	\|`nodes/<NAME>/pve-ssl.pem` \| Public SSL certificate for web server (signed by cluster CA)
	107	\|`nodes/<NAME>/pve-ssl.key` \| Private SSL key for `pve-ssl.pem`
	108	\|`nodes/<NAME>/pveproxy-ssl.pem` \| Public SSL certificate (chain) for web server (optional override for `pve-ssl.pem`)
	109	\|`nodes/<NAME>/pveproxy-ssl.key` \| Private SSL key for `pveproxy-ssl.pem` (optional)
	110	\|`nodes/<NAME>/qemu-server/<VMID>.conf` \| VM configuration data for KVM VMs
	111	\|`nodes/<NAME>/lxc/<VMID>.conf` \| VM configuration data for LXC containers
	112	\|`firewall/cluster.fw` \| Firewall configuration applied to all nodes
	113	\|`firewall/<NAME>.fw` \| Firewall configuration for individual nodes
	114	\|`firewall/<VMID>.fw` \| Firewall configuration for VMs and Containers
ac1e3896 DM	115	\|=======
	116
	117	Symbolic links
	118	~~~~~~~~~~~~~~
	119
	120	[width="100%",cols="m,m"]
	121	\|=======
8c1189b6 FG	122	\|`local` \| `nodes/<LOCAL_HOST_NAME>`
	123	\|`qemu-server` \| `nodes/<LOCAL_HOST_NAME>/qemu-server/`
	124	\|`lxc` \| `nodes/<LOCAL_HOST_NAME>/lxc/`
ac1e3896 DM	125	\|=======
	126
	127	Special status files for debugging (JSON)
	128	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	129
	130	[width="100%",cols="m,d"]
	131	\|=======
8c1189b6 FG	132	\|`.version` \|File versions (to detect file modifications)
	133	\|`.members` \|Info about cluster members
	134	\|`.vmlist` \|List of all VMs
	135	\|`.clusterlog` \|Cluster log (last 50 entries)
	136	\|`.rrd` \|RRD data (most recent entries)
ac1e3896 DM	137	\|=======
	138
	139	Enable/Disable debugging
	140	~~~~~~~~~~~~~~~~~~~~~~~~
	141
	142	You can enable verbose syslog messages with:
	143
	144	echo "1" >/etc/pve/.debug
	145
	146	And disable verbose syslog messages with:
	147
	148	echo "0" >/etc/pve/.debug
	149
	150
	151	Recovery
	152	--------
	153
	154	If you have major problems with your Proxmox VE host, e.g. hardware
	155	issues, it could be helpful to just copy the pmxcfs database file
8c1189b6	156	`/var/lib/pve-cluster/config.db` and move it to a new Proxmox VE
ac1e3896	157	host. On the new host (with nothing running), you need to stop the
8c1189b6 FG	158	`pve-cluster` service and replace the `config.db` file (needed permissions
	159	`0600`). Second, adapt `/etc/hostname` and `/etc/hosts` according to the
	160	lost Proxmox VE host, then reboot and check. (And don't forget your
ac1e3896 DM	161	VM/CT data)
	162
	163	Remove Cluster configuration
	164	~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	165
	166	The recommended way is to reinstall the node after you removed it from
	167	your cluster. This makes sure that all secret cluster/ssh keys and any
	168	shared configuration data is destroyed.
	169
	170	In some cases, you might prefer to put a node back to local mode
	171	without reinstall, which is described here:
	172
8c1189b6	173	* stop the cluster file system in `/etc/pve/`
ac1e3896 DM	174
	175	# systemctl stop pve-cluster
	176
	177	* start it again but forcing local mode
	178
	179	# pmxcfs -l
	180
	181	* remove the cluster config
	182
	183	# rm /etc/pve/cluster.conf
	184	# rm /etc/cluster/cluster.conf
	185	# rm /var/lib/pve-cluster/corosync.authkey
	186
	187	* stop the cluster file system again
	188
960f6344	189	# systemctl stop pve-cluster
ac1e3896 DM	190
	191	* restart pve services (or reboot)
	192
960f6344 DM	193	# systemctl start pve-cluster
	194	# systemctl restart pvedaemon
	195	# systemctl restart pveproxy
	196	# systemctl restart pvestatd
ac1e3896	197
bd88f9d9 DM	198
	199	ifdef::manvolnum[]
	200	include::pve-copyright.adoc[]
	201	endif::manvolnum[]