]>
git.proxmox.com Git - pmg-api.git/blob - PMG/Cluster.pm
10 # this is also used to get the IP of the local node
12 my ($nodename, $noerr) = @_;
14 my ($family, $packed_ip);
17 my @res = PVE
::Tools
::getaddrinfo_all
($nodename);
18 $family = $res[0]->{family
};
19 $packed_ip = (PVE
::Tools
::unpack_sockaddr_in46
($res[0]->{addr
}))[2];
23 die "hostname lookup failed:\n$@" if !$noerr;
27 my $ip = Socket
::inet_ntop
($family, $packed_ip);
28 if ($ip =~ m/^127\.|^::1$/) {
29 die "hostname lookup failed - got local IP address ($nodename = $ip)\n" if !$noerr;
33 return wantarray ?
($ip, $family) : $ip;
37 my ($nodename, $noerr) = @_;
39 my $cinfo = PVE
::INotify
::read_file
("cluster.conf");
41 foreach my $entry (@{$cinfo->{nodes
}}) {
42 if ($entry->{name
} eq $nodename) {
43 my $ip = $entry->{ip
};
44 return $ip if !wantarray;
45 my $family = PVE
::Tools
::get_host_address_family
($ip);
46 return ($ip, $family);
50 # fallback: try to get IP by other means
51 return lookup_node_ip
($nodename, $noerr);
57 $cinfo //= PVE
::INotify
::read_file
("cluster.conf");
59 return $cinfo->{master
}->{name
} if defined($cinfo->{master
});
64 # X509 Certificate cache helper
66 my $cert_cache_nodes = {};
67 my $cert_cache_timestamp = time();
68 my $cert_cache_fingerprints = {};
70 sub update_cert_cache
{
71 my ($update_node, $clear) = @_;
73 syslog
('info', "Clearing outdated entries from certificate cache")
76 $cert_cache_timestamp = time() if !defined($update_node);
78 my $node_list = defined($update_node) ?
79 [ $update_node ] : [ keys %$cert_cache_nodes ];
81 my $clear_node = sub {
83 if (my $old_fp = $cert_cache_nodes->{$node}) {
84 # distrust old fingerprint
85 delete $cert_cache_fingerprints->{$old_fp};
86 # ensure reload on next proxied request
87 delete $cert_cache_nodes->{$node};
91 my $nodename = PVE
::INotify
::nodename
();
93 foreach my $node (@$node_list) {
95 if ($node ne $nodename) {
96 &$clear_node($node) if $clear;
100 my $cert_path = "/etc/proxmox/pmg-api.pem";
104 my $bio = Net
::SSLeay
::BIO_new_file
($cert_path, 'r');
105 $cert = Net
::SSLeay
::PEM_read_bio_X509
($bio);
106 Net
::SSLeay
::BIO_free
($bio);
109 if ($err || !defined($cert)) {
110 &$clear_node($node) if $clear;
116 $fp = Net
::SSLeay
::X509_get_fingerprint
($cert, 'sha256');
119 if ($err || !defined($fp) || $fp eq '') {
120 &$clear_node($node) if $clear;
124 my $old_fp = $cert_cache_nodes->{$node};
125 $cert_cache_fingerprints->{$fp} = 1;
126 $cert_cache_nodes->{$node} = $fp;
128 if (defined($old_fp) && $fp ne $old_fp) {
129 delete $cert_cache_fingerprints->{$old_fp};
134 # load and cache cert fingerprint once
135 sub initialize_cert_cache
{
138 update_cert_cache
($node)
139 if defined($node) && !defined($cert_cache_nodes->{$node});
142 sub check_cert_fingerprint
{
145 # clear cache every 30 minutes at least
146 update_cert_cache
(undef, 1) if time() - $cert_cache_timestamp >= 60*30;
148 # get fingerprint of server certificate
151 $fp = Net
::SSLeay
::X509_get_fingerprint
($cert, 'sha256');
153 return 0 if $@ || !defined($fp) || $fp eq ''; # error
156 for my $expected (keys %$cert_cache_fingerprints) {
157 return 1 if $fp eq $expected;
162 return 1 if &$check();
164 # clear cache and retry at most once every minute
165 if (time() - $cert_cache_timestamp >= 60) {
166 syslog
('info', "Could not verify remote node certificate '$fp' with list of pinned certificates, refreshing cache");
174 sub read_cluster_conf
{
175 my ($filename, $fh) = @_;
177 my $localname = PVE
::INotify
::nodename
();
178 my $localip = lookup_node_ip
($localname);
185 $cinfo->{nodes
} = [];
186 $cinfo->{remnodes
} = [];
197 # fixme: add test is local node is part of node list
200 $cinfo->{exists} = 1; # cluster configuratin file exists and is readable
202 while (defined(my $line = <$fh>)) {
205 next if $line =~ m/^\s*$/; # skip empty lines
207 if ($line =~ m/^maxcid\s+(\d+)\s*$/i) {
208 $maxcid = $1 > $maxcid ?
$1 : $maxcid;
212 if ($line =~ m/^(master|node)\s+(\d+)\s+\{\s*$/i) {
214 my ($t, $cid) = (lc($1), $2);
216 $maxcid = $cid > $maxcid ?
$cid : $maxcid;
219 role => $t eq 'master' ?
'M' : 'N',
223 while (defined($line = <$fh>)) {
225 next if $line =~ m/^\s*$/; # skip empty lines
226 if ($line =~ m/^\}\s*$/) {
231 if ($line =~ m/^\s*(\S+)\s*:\s*(\S+)\s*$/) {
232 my ($n, $v) = (lc $1, $2);
234 # fixme: do syntax checks
237 } elsif ($n eq 'name') {
239 } elsif ($n eq 'hostrsapubkey') {
241 } elsif ($n eq 'rootrsapubkey') {
244 die "syntax error in configuration file\n";
247 die "syntax error in configuration file\n";
251 die "missing ip address for node '$cid'\n" if !$res->{ip
};
252 die "missing name for node '$cid'\n" if !$res->{name
};
253 #die "missing host RSA key for node '$cid'\n" if !$res->{hostrsapubkey};
254 #die "missing user RSA key for node '$cid'\n" if !$res->{rootrsapubkey};
256 push @{$cinfo->{nodes
}}, $res;
258 if ($res->{role} eq 'M') {
259 $cinfo->{master
} = $res;
262 if ($res->{ip
} eq $localname) {
263 $cinfo->{local} = $res;
266 die "syntax error in configuration file\n";
271 die "syntax error in configuration file\n" if $level;
273 $cinfo->{maxcid
} = $maxcid;
276 foreach my $ni (@{$cinfo->{nodes
}}) {
277 next if $cinfo->{local}->{cid
} == $ni->{cid
}; # skip local CID
278 push @cidlist, $ni->{cid
};
283 foreach my $cid (sort @cidlist) {
284 $portid->{$cid} = $ind;
288 foreach my $ni (@{$cinfo->{nodes
}}) {
289 # fixme: do we still need those ports?
290 $ni->{configport
} = $ni->{cid
} == $cinfo->{local}->{cid
} ?
83 : 50000 + $portid->{$ni->{cid
}};
291 $ni->{dbport
} = $ni->{cid
} == $cinfo->{local}->{cid
} ?
5432 : 50100 + $portid->{$ni->{cid
}};
294 foreach my $ni (@{$cinfo->{nodes
}}) {
295 next if $ni->{cid
} == $cinfo->{local}->{cid
};
296 push @{$cinfo->{remnodes
}}, $ni->{cid
};
302 sub write_cluster_conf
{
303 my ($filename, $fh, $cinfo) = @_;
305 my $raw = "maxcid $cinfo->{maxcid}\n\n";
307 foreach my $ni (@{$cinfo->{nodes
}}) {
309 if ($ni->{role} eq 'M') {
310 $raw .= "master $ni->{cid} {\n";
311 $raw .= " IP: $ni->{ip}\n";
312 $raw .= " NAME: $ni->{name}\n";
313 $raw .= " HOSTRSAPUBKEY: $ni->{hostrsapubkey}\n";
314 $raw .= " ROOTRSAPUBKEY: $ni->{rootrsapubkey}\n";
316 } elsif ($ni->{role} eq 'N') {
317 $raw .= "node $ni->{cid} {\n";
318 $raw .= " IP: $ni->{ip}\n";
319 $raw .= " NAME: $ni->{name}\n";
320 $raw .= " HOSTRSAPUBKEY: $ni->{hostrsapubkey}\n";
321 $raw .= " ROOTRSAPUBKEY: $ni->{rootrsapubkey}\n";
326 PVE
::Tools
::safe_print
($filename, $fh, $raw);
329 PVE
::INotify
::register_file
('cluster.conf', "/etc/proxmox/cluster.conf",
331 \
&write_cluster_conf
,
333 always_call_parser
=> 1);