fix #904: wrap openssl with faketime

[pve-cluster.git] / data / PVE / Cluster.pm

diff --git a/data/PVE/Cluster.pm b/data/PVE/Cluster.pm
index 5575e153a538e083b6931a4ff58ffd39ff84741c..88662173c29b99d95a1572e0bad781568b5bb61a 100644 (file)
--- a/data/PVE/Cluster.pm
+++ b/data/PVE/Cluster.pm
@@ -72,6 +72,7 @@ my $observed = {
     'ha/manager_status' => 1,
     'ha/resources.cfg' => 1,
     'ha/groups.cfg' => 1,
+    'ha/fence.cfg' => 1,
     'status.cfg' => 1,
 };
 
@@ -164,7 +165,7 @@ sub gen_pveca_key {
     return if -f $pveca_key_fn;
 
     eval {
-       run_silent_cmd(['openssl', 'genrsa', '-out', $pveca_key_fn, '2048']);
+       run_silent_cmd(['openssl', 'genrsa', '-out', $pveca_key_fn, '4096']);
     };
 
     die "unable to generate pve ca key:\n$@" if $@;
@@ -183,8 +184,9 @@ sub gen_pveca_cert {
     my $nid = (split (/\s/, `md5sum '$pveca_key_fn'`))[0] || time();
 
     eval {
-       run_silent_cmd(['openssl', 'req', '-batch', '-days', '3650', '-new',
-                       '-x509', '-nodes', '-key',
+       # wrap openssl with faketime to prevent bug #904
+       run_silent_cmd(['faketime', 'yesterday', 'openssl', 'req', '-batch',
+                       '-days', '3650', '-new', '-x509', '-nodes', '-key',
                        $pveca_key_fn, '-out', $pveca_cert_fn, '-subj',
                        "/CN=Proxmox Virtual Environment/OU=$nid/O=PVE Cluster Manager CA/"]);
     };
@@ -270,8 +272,7 @@ commonName = $fqdn
 
 [ v3_req ]
 basicConstraints = CA:FALSE
-nsCertType = server
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
 subjectAltName = $names
 __EOD
 
@@ -298,10 +299,11 @@ __EOD
     update_serial("0000000000000000") if ! -f $pveca_srl_fn;
 
     eval {
-       run_silent_cmd(['openssl', 'x509', '-req', '-in', $reqfn, '-days', '3650',
-                       '-out', $pvessl_cert_fn, '-CAkey', $pveca_key_fn,
-                       '-CA', $pveca_cert_fn, '-CAserial', $pveca_srl_fn,
-                       '-extfile', $cfgfn]);
+       # wrap openssl with faketime to prevent bug #904
+       run_silent_cmd(['faketime', 'yesterday', 'openssl', 'x509', '-req',
+                       '-in', $reqfn, '-days', '3650', '-out', $pvessl_cert_fn,
+                       '-CAkey', $pveca_key_fn, '-CA', $pveca_cert_fn,
+                       '-CAserial', $pveca_srl_fn, '-extfile', $cfgfn]);
     };
 
     if (my $err = $@) {
@@ -707,6 +709,7 @@ sub create_rrd_graph {
        "--width" => 800,
        "--start" => - $reso*$count,
        "--end" => 'now' ,
+       "--lower-limit" => 0,
        );
 
     my $socket = "/var/run/rrdcached.sock";
@@ -1327,6 +1330,23 @@ my $datacenter_schema = {
            format => 'email-opt',
            description => "Specify email address to send notification from (default is root@\$hostname)",
        },
+       max_workers => {
+           optional => 1,
+           type => 'integer',
+           minimum => 1,
+           description => "Defines how many workers (per node) are maximal started ".
+             " on actions like 'stopall VMs' or task from the ha-manager.",
+       },
+       fencing => {
+           optional => 1,
+           type => 'string',
+           default => 'watchdog',
+           enum => [ 'watchdog', 'hardware', 'both' ],
+           description => "Set the fencing mode of the HA cluster. Hardware mode " .
+             "needs a valid configuration of fence devices in /etc/pve/ha/fence.cfg." .
+             " With both all two modes are used. " .
+             " NOTE: 'hardware' and 'both' are EXPERIMENTAL & WIP",
+       },
     },
 };