]> git.proxmox.com Git - pve-cluster.git/blame - data/PVE/Cluster.pm
projects / pve-cluster.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
start clvm
[pve-cluster.git] / data / PVE / Cluster.pm
CommitLineData
fe000966
DM		 1package PVE::Cluster;
2
3use strict;
4use POSIX;
5use File::stat qw();
6use Socket;
7use Storable qw(dclone);
8use IO::File;
9use MIME::Base64;
10use Digest::HMAC_SHA1;
11use PVE::Tools;
12use PVE::INotify;
13use PVE::IPCC;
14use PVE::SafeSyslog;
15use JSON;
16use RRDs;
17use Encode;
18use base 'Exporter';
19
20our @EXPORT_OK = qw(
21cfs_read_file
22cfs_write_file
23cfs_register_file
24cfs_lock_file);
25
26use Data::Dumper; # fixme: remove
27
28# x509 certificate utils
29
30my $basedir = "/etc/pve";
31my $authdir = "$basedir/priv";
32my $lockdir = "/etc/pve/priv/lock";
33
34my $authprivkeyfn = "$authdir/authkey.key";
35my $authpubkeyfn = "$basedir/authkey.pub";
36my $pveca_key_fn = "$authdir/pve-root-ca.key";
37my $pveca_srl_fn = "$authdir/pve-root-ca.srl";
38my $pveca_cert_fn = "$basedir/pve-root-ca.pem";
39# this is just a secret accessable by the web browser
40# and is used for CSRF prevention
41my $pvewww_key_fn = "$basedir/pve-www.key";
42
43# ssh related files
44my $ssh_rsa_id_priv = "/root/.ssh/id_rsa";
45my $ssh_rsa_id = "/root/.ssh/id_rsa.pub";
46my $ssh_host_rsa_id = "/etc/ssh/ssh_host_rsa_key.pub";
47my $sshglobalknownhosts = "/etc/ssh/ssh_known_hosts";
48my $sshknownhosts = "/etc/pve/priv/known_hosts";
49my $sshauthkeys = "/etc/pve/priv/authorized_keys";
50my $rootsshauthkeys = "/root/.ssh/authorized_keys";
51
52my $observed = {
53 'storage.cfg' => 1,
54 'datacenter.cfg' => 1,
55 'cluster.cfg' => 1,
56 'user.cfg' => 1,
57 'domains.cfg' => 1,
58 'priv/shadow.cfg' => 1,
59 '/qemu-server/' => 1,
60};
61
62# only write output if something fails
63sub run_silent_cmd {
64 my ($cmd) = @_;
65
66 my $outbuf = '';
67
68 my $record_output = sub {
69 $outbuf .= shift;
70 $outbuf .= "\n";
71 };
72
73 eval {
74 PVE::Tools::run_command($cmd, outfunc => $record_output,
75 errfunc => $record_output);
76 };
77
78 my $err = $@;
79
80 if ($err) {
81 print STDERR $outbuf;
82 die $err;
83 }
84}
85
86sub check_cfs_quorum {
01dddfb9
DM		 87 my ($noerr) = @_;
88
fe000966
DM		 89 # note: -w filename always return 1 for root, so wee need
90 # to use File::lstat here
91 my $st = File::stat::lstat("$basedir/local");
01dddfb9
DM		 92 my $quorate = ($st && (($st->mode & 0200) != 0));
93
94 die "cluster not ready - no quorum?\n" if !$quorate && !$noerr;
95
96 return $quorate;
fe000966
DM		 97}
98
99sub check_cfs_is_mounted {
100 my ($noerr) = @_;
101
102 my $res = -l "$basedir/local";
103
104 die "pve configuration filesystem not mounted\n"
105 if !$res && !$noerr;
106
107 return $res;
108}
109
110sub gen_local_dirs {
111 my ($nodename) = @_;
112
113 check_cfs_is_mounted();
114
115 my @required_dirs = (
116 "$basedir/priv",
117 "$basedir/nodes",
118 "$basedir/nodes/$nodename",
119 "$basedir/nodes/$nodename/priv");
120
121 foreach my $dir (@required_dirs) {
122 if (! -d $dir) {
123 mkdir($dir) || die "unable to create directory '$dir' - $!\n";
124 }
125 }
126}
127
128sub gen_auth_key {
129
130 return if -f "$authprivkeyfn";
131
132 check_cfs_is_mounted();
133
134 mkdir $authdir || die "unable to create dir '$authdir' - $!\n";
135
136 my $cmd = "openssl genrsa -out '$authprivkeyfn' 2048";
137 run_silent_cmd($cmd);
138
139 $cmd = "openssl rsa -in '$authprivkeyfn' -pubout -out '$authpubkeyfn'";
140 run_silent_cmd($cmd)
141}
142
143sub gen_pveca_key {
144
145 return if -f $pveca_key_fn;
146
147 eval {
148 run_silent_cmd(['openssl', 'genrsa', '-out', $pveca_key_fn, '2048']);
149 };
150
151 die "unable to generate pve ca key:\n$@" if $@;
152}
153
154sub gen_pveca_cert {
155
156 if (-f $pveca_key_fn && -f $pveca_cert_fn) {
157 return 0;
158 }
159
160 gen_pveca_key();
161
162 # we try to generate an unique 'subject' to avoid browser problems
163 # (reused serial numbers, ..)
164 my $nid = (split (/\s/, `md5sum '$pveca_key_fn'`))[0] || time();
165
166 eval {
167 run_silent_cmd(['openssl', 'req', '-batch', '-days', '3650', '-new',
168 '-x509', '-nodes', '-key',
169 $pveca_key_fn, '-out', $pveca_cert_fn, '-subj',
170 "/CN=Proxmox Virtual Environment/OU=$nid/O=PVE Cluster Manager CA/"]);
171 };
172
173 die "generating pve root certificate failed:\n$@" if $@;
174
175 return 1;
176}
177
178sub gen_pve_ssl_key {
179 my ($nodename) = @_;
180
181 die "no node name specified" if !$nodename;
182
183 my $pvessl_key_fn = "$basedir/nodes/$nodename/pve-ssl.key";
184
185 return if -f $pvessl_key_fn;
186
187 eval {
188 run_silent_cmd(['openssl', 'genrsa', '-out', $pvessl_key_fn, '2048']);
189 };
190
191 die "unable to generate pve ssl key for node '$nodename':\n$@" if $@;
192}
193
194sub gen_pve_www_key {
195
196 return if -f $pvewww_key_fn;
197
198 eval {
199 run_silent_cmd(['openssl', 'genrsa', '-out', $pvewww_key_fn, '2048']);
200 };
201
202 die "unable to generate pve www key:\n$@" if $@;
203}
204
205sub update_serial {
206 my ($serial) = @_;
207
208 PVE::Tools::file_set_contents($pveca_srl_fn, $serial);
209}
210
211sub gen_pve_ssl_cert {
212 my ($force, $nodename, $ip) = @_;
213
214 die "no node name specified" if !$nodename;
215 die "no IP specified" if !$ip;
216
217 my $pvessl_cert_fn = "$basedir/nodes/$nodename/pve-ssl.pem";
218
219 return if !$force && -f $pvessl_cert_fn;
220
221 my $names = "IP:127.0.0.1,DNS:localhost";
222
223 my $rc = PVE::INotify::read_file('resolvconf');
224
225 $names .= ",IP:$ip";
226
227 my $fqdn = $nodename;
228
229 $names .= ",DNS:$nodename";
230
231 if ($rc && $rc->{search}) {
232 $fqdn = $nodename . "." . $rc->{search};
233 $names .= ",DNS:$fqdn";
234 }
235
236 my $sslconf = <<__EOD;
237RANDFILE = /root/.rnd
238extensions = v3_req
239
240[ req ]
241default_bits = 2048
242distinguished_name = req_distinguished_name
243req_extensions = v3_req
244prompt = no
245string_mask = nombstr
246
247[ req_distinguished_name ]
248organizationalUnitName = PVE Cluster Node
249organizationName = Proxmox Virtual Environment
250commonName = $fqdn
251
252[ v3_req ]
253basicConstraints = CA:FALSE
254nsCertType = server
255keyUsage = nonRepudiation, digitalSignature, keyEncipherment
256subjectAltName = $names
257__EOD
258
259 my $cfgfn = "/tmp/pvesslconf-$$.tmp";
260 my $fh = IO::File->new ($cfgfn, "w");
261 print $fh $sslconf;
262 close ($fh);
263
264 my $reqfn = "/tmp/pvecertreq-$$.tmp";
265 unlink $reqfn;
266
267 my $pvessl_key_fn = "$basedir/nodes/$nodename/pve-ssl.key";
268 eval {
269 run_silent_cmd(['openssl', 'req', '-batch', '-new', '-config', $cfgfn,
270 '-key', $pvessl_key_fn, '-out', $reqfn]);
271 };
272
273 if (my $err = $@) {
274 unlink $reqfn;
275 unlink $cfgfn;
276 die "unable to generate pve certificate request:\n$err";
277 }
278
279 update_serial("0000000000000000") if ! -f $pveca_srl_fn;
280
281 eval {
282 run_silent_cmd(['openssl', 'x509', '-req', '-in', $reqfn, '-days', '3650',
283 '-out', $pvessl_cert_fn, '-CAkey', $pveca_key_fn,
284 '-CA', $pveca_cert_fn, '-CAserial', $pveca_srl_fn,
285 '-extfile', $cfgfn]);
286 };
287
288 if (my $err = $@) {
289 unlink $reqfn;
290 unlink $cfgfn;
291 die "unable to generate pve ssl certificate:\n$err";
292 }
293
294 unlink $cfgfn;
295 unlink $reqfn;
296}
297
298sub gen_pve_node_files {
299 my ($nodename, $ip, $opt_force) = @_;
300
301 gen_local_dirs($nodename);
302
303 gen_auth_key();
304
305 # make sure we have a (cluster wide) secret
306 # for CSRFR prevention
307 gen_pve_www_key();
308
309 # make sure we have a (per node) private key
310 gen_pve_ssl_key($nodename);
311
312 # make sure we have a CA
313 my $force = gen_pveca_cert();
314
315 $force = 1 if $opt_force;
316
317 gen_pve_ssl_cert($force, $nodename, $ip);
318}
319
320my $versions = {};
321my $vmlist = {};
322my $clinfo = {};
323
324my $ipcc_send_rec = sub {
325 my ($msgid, $data) = @_;
326
327 my $res = PVE::IPCC::ipcc_send_rec($msgid, $data);
328
329 die "ipcc_send_rec failed: $!\n" if !defined($res) && ($! != 0);
330
331 return $res;
332};
333
334my $ipcc_send_rec_json = sub {
335 my ($msgid, $data) = @_;
336
337 my $res = PVE::IPCC::ipcc_send_rec($msgid, $data);
338
339 die "ipcc_send_rec failed: $!\n" if !defined($res) && ($! != 0);
340
341 return decode_json($res);
342};
343
344my $ipcc_get_config = sub {
345 my ($path) = @_;
346
347 my $bindata = pack "Z*", $path;
348 return PVE::IPCC::ipcc_send_rec(6, $bindata);
349};
350
351my $ipcc_get_status = sub {
352 my ($name, $nodename) = @_;
353
354 my $bindata = pack "Z[256]Z[256]", $name, ($nodename || "");
355 return PVE::IPCC::ipcc_send_rec(5, $bindata);
356};
357
358my $ipcc_update_status = sub {
359 my ($name, $data) = @_;
360
361 my $raw = ref($data) ? encode_json($data) : $data;
362 # update status
363 my $bindata = pack "Z[256]Z*", $name, $raw;
364
365 return &$ipcc_send_rec(4, $bindata);
366};
367
368my $ipcc_log = sub {
369 my ($priority, $ident, $tag, $msg) = @_;
370
371 my $bindata = pack "CCCZ*Z*Z*", $priority, bytes::length($ident) + 1,
372 bytes::length($tag) + 1, $ident, $tag, $msg;
373
374 return &$ipcc_send_rec(7, $bindata);
375};
376
377my $ipcc_get_cluster_log = sub {
378 my ($user, $max) = @_;
379
380 $max = 0 if !defined($max);
381
382 my $bindata = pack "VVVVZ*", $max, 0, 0, 0, ($user || "");
383 return &$ipcc_send_rec(8, $bindata);
384};
385
386my $ccache = {};
387
388sub cfs_update {
389 eval {
390 my $res = &$ipcc_send_rec_json(1);
391 #warn "GOT1: " . Dumper($res);
392 die "no starttime\n" if !$res->{starttime};
393
394 if (!$res->{starttime} || !$versions->{starttime} ||
395 $res->{starttime} != $versions->{starttime}) {
396 #print "detected changed starttime\n";
397 $vmlist = {};
398 $clinfo = {};
399 $ccache = {};
400 }
401
402 $versions = $res;
403 };
404 my $err = $@;
405 if ($err) {
406 $versions = {};
407 $vmlist = {};
408 $clinfo = {};
409 $ccache = {};
410 warn $err;
411 }
412
413 eval {
414 if (!$clinfo->{version} || $clinfo->{version} != $versions->{clinfo}) {
415 #warn "detected new clinfo\n";
416 $clinfo = &$ipcc_send_rec_json(2);
417 }
418 };
419 $err = $@;
420 if ($err) {
421 $clinfo = {};
422 warn $err;
423 }
424
425 eval {
426 if (!$vmlist->{version} || $vmlist->{version} != $versions->{vmlist}) {
427 #warn "detected new vmlist1\n";
428 $vmlist = &$ipcc_send_rec_json(3);
429 }
430 };
431 $err = $@;
432 if ($err) {
433 $vmlist = {};
434 warn $err;
435 }
436}
437
438sub get_vmlist {
439 return $vmlist;
440}
441
442sub get_clinfo {
443 return $clinfo;
444}
445
9ddd4ae9
DM		 446sub get_members {
447 return $clinfo->{nodelist};
448}
449
fe000966
DM		 450sub get_nodelist {
451
452 my $nodelist = $clinfo->{nodelist};
453
454 my $result = [];
455
456 my $nodename = PVE::INotify::nodename();
457
458 if (!$nodelist || !$nodelist->{$nodename}) {
459 return [ $nodename ];
460 }
461
462 return [ keys %$nodelist ];
463}
464
465sub broadcast_tasklist {
466 my ($data) = @_;
467
468 eval {
469 &$ipcc_update_status("tasklist", $data);
470 };
471
472 warn $@ if $@;
473}
474
475my $tasklistcache = {};
476
477sub get_tasklist {
478 my ($nodename) = @_;
479
480 my $kvstore = $versions->{kvstore} || {};
481
482 my $nodelist = get_nodelist();
483
484 my $res = [];
485 foreach my $node (@$nodelist) {
486 next if $nodename && ($nodename ne $node);
487 eval {
488 my $ver = $kvstore->{$node}->{tasklist} if $kvstore->{$node};
489 my $cd = $tasklistcache->{$node};
490 if (!$cd || !$ver || ($cd->{version} != $ver)) {
491 my $raw = &$ipcc_get_status("tasklist", $node) || '[]';
492 my $data = decode_json($raw);
493 push @$res, @$data;
494 $cd = $tasklistcache->{$node} = {
495 data => $data,
496 version => $ver,
497 };
498 } elsif ($cd && $cd->{data}) {
499 push @$res, @{$cd->{data}};
500 }
501 };
502 my $err = $@;
503 syslog('err', $err) if $err;
504 }
505
506 return $res;
507}
508
509sub broadcast_rrd {
510 my ($rrdid, $data) = @_;
511
512 eval {
513 &$ipcc_update_status("rrd/$rrdid", $data);
514 };
515 my $err = $@;
516
517 warn $err if $err;
518}
519
520my $last_rrd_dump = 0;
521my $last_rrd_data = "";
522
523sub rrd_dump {
524
525 my $ctime = time();
526
527 my $diff = $ctime - $last_rrd_dump;
528 if ($diff < 2) {
529 return $last_rrd_data;
530 }
531
532 my $raw;
533 eval {
534 $raw = &$ipcc_send_rec(10);
535 };
536 my $err = $@;
537
538 if ($err) {
539 warn $err;
540 return {};
541 }
542
543 my $res = {};
544
545 while ($raw =~ s/^(.*)\n//) {
546 my ($key, @ela) = split(/:/, $1);
547 next if !$key;
548 next if !(scalar(@ela) > 1);
549 $res->{$key} = \@ela;
550 }
551
552 $last_rrd_dump = $ctime;
553 $last_rrd_data = $res;
554
555 return $res;
556}
557
558sub create_rrd_data {
559 my ($rrdname, $timeframe, $cf) = @_;
560
561 my $rrddir = "/var/lib/rrdcached/db";
562
563 my $rrd = "$rrddir/$rrdname";
564
565 my $setup = {
566 hour => [ 60, 70 ],
567 day => [ 60*30, 70 ],
568 week => [ 60*180, 70 ],
569 month => [ 60*720, 70 ],
570 year => [ 60*10080, 70 ],
571 };
572
573 my ($reso, $count) = @{$setup->{$timeframe}};
574 my $ctime = $reso*int(time()/$reso);
575 my $req_start = $ctime - $reso*$count;
576
577 $cf = "AVERAGE" if !$cf;
578
579 my @args = (
580 "-s" => $req_start,
581 "-e" => $ctime - 1,
582 "-r" => $reso,
583 );
584
585 my $socket = "/var/run/rrdcached.sock";
586 push @args, "--daemon" => "unix:$socket" if -S $socket;
587
588 my ($start, $step, $names, $data) = RRDs::fetch($rrd, $cf, @args);
589
590 my $err = RRDs::error;
591 die "RRD error: $err\n" if $err;
592
593 die "got wrong time resolution ($step != $reso)\n"
594 if $step != $reso;
595
596 my $res = [];
597 my $fields = scalar(@$names);
598 for my $line (@$data) {
599 my $entry = { 'time' => $start };
600 $start += $step;
601 my $found_undefs;
602 for (my $i = 0; $i < $fields; $i++) {
603 my $name = $names->[$i];
604 if (defined(my $val = $line->[$i])) {
605 $entry->{$name} = $val;
606 } else {
607 # we only add entryies with all data defined
608 # extjs chart has problems with undefined values
609 $found_undefs = 1;
610 }
611 }
612 push @$res, $entry if !$found_undefs;
613 }
614
615 return $res;
616}
617
618sub create_rrd_graph {
619 my ($rrdname, $timeframe, $ds, $cf) = @_;
620
621 # Using RRD graph is clumsy - maybe it
622 # is better to simply fetch the data, and do all display
623 # related things with javascript (new extjs html5 graph library).
624
625 my $rrddir = "/var/lib/rrdcached/db";
626
627 my $rrd = "$rrddir/$rrdname";
628
629 my $filename = "$rrd.png";
630
631 my $setup = {
632 hour => [ 60, 60 ],
633 day => [ 60*30, 70 ],
634 week => [ 60*180, 70 ],
635 month => [ 60*720, 70 ],
636 year => [ 60*10080, 70 ],
637 };
638
639 my ($reso, $count) = @{$setup->{$timeframe}};
640
641 my @args = (
642 "--imgformat" => "PNG",
643 "--border" => 0,
644 "--height" => 200,
645 "--width" => 800,
646 "--start" => - $reso*$count,
647 "--end" => 'now' ,
648 );
649
650 my $socket = "/var/run/rrdcached.sock";
651 push @args, "--daemon" => "unix:$socket" if -S $socket;
652
653 my @ids = PVE::Tools::split_list($ds);
654
655 my @coldef = ('#00ddff', '#ff0000');
656
657 $cf = "AVERAGE" if !$cf;
658
659 my $i = 0;
660 foreach my $id (@ids) {
661 my $col = $coldef[$i++] || die "fixme: no color definition";
662 push @args, "DEF:${id}=$rrd:${id}:$cf";
663 my $dataid = $id;
664 if ($id eq 'cpu' || $id eq 'iowait') {
665 push @args, "CDEF:${id}_per=${id},100,*";
666 $dataid = "${id}_per";
667 }
668 push @args, "LINE2:${dataid}${col}:${id}";
669 }
670
671 RRDs::graph($filename, @args);
672
673 my $err = RRDs::error;
674 die "RRD error: $err\n" if $err;
675
676 return { filename => $filename };
677}
678
679# a fast way to read files (avoid fuse overhead)
680sub get_config {
681 my ($path) = @_;
682
683 return &$ipcc_get_config($path);
684}
685
686sub get_cluster_log {
687 my ($user, $max) = @_;
688
689 return &$ipcc_get_cluster_log($user, $max);
690}
691
692my $file_info = {};
693
694sub cfs_register_file {
695 my ($filename, $parser, $writer) = @_;
696
697 $observed->{$filename} || die "unknown file '$filename'";
698
699 die "file '$filename' already registered" if $file_info->{$filename};
700
701 $file_info->{$filename} = {
702 parser => $parser,
703 writer => $writer,
704 };
705}
706
707my $ccache_read = sub {
708 my ($filename, $parser, $version) = @_;
709
710 $ccache->{$filename} = {} if !$ccache->{$filename};
711
712 my $ci = $ccache->{$filename};
713
714 if (!$ci->{version} || $ci->{version} != $version) {
715
716 my $data = get_config($filename);
717
718 $ci->{data} = &$parser("/etc/pve/$filename", $data);
719 $ci->{version} = $version;
720 }
721
722 my $res = ref($ci->{data}) ? dclone($ci->{data}) : $ci->{data};
723
724 return $res;
725};
726
727sub cfs_file_version {
728 my ($filename) = @_;
729
730 my $version;
731 my $infotag;
732 if ($filename =~ m|^nodes/[^/]+/qemu-server/(\d+)\.conf$|) {
733 my $vmid = $1;
734 if ($vmlist && $vmlist->{ids} && $vmlist->{ids}->{$vmid}) {
735 $version = $vmlist->{ids}->{$vmid}->{version};
736 }
737 $infotag = "/qemu-server/";
738 } else {
739 $infotag = $filename;
740 $version = $versions->{$filename};
741 }
742
743 my $info = $file_info->{$infotag} ||
744 die "unknown file type '$filename'\n";
745
746 return wantarray ? ($version, $info) : $version;
747}
748
749sub cfs_read_file {
750 my ($filename) = @_;
751
752 my ($version, $info) = cfs_file_version($filename);
753 my $parser = $info->{parser};
754
755 return &$ccache_read($filename, $parser, $version);
756}
757
758sub cfs_write_file {
759 my ($filename, $data) = @_;
760
761 my $info = $file_info->{$filename} || die "unknown file '$filename'";
762
763 my $writer = $info->{writer} || die "no writer defined";
764
765 my $fsname = "/etc/pve/$filename";
766
767 my $raw = &$writer($fsname, $data);
768
769 if (my $ci = $ccache->{$filename}) {
770 $ci->{version} = undef;
771 }
772
773 PVE::Tools::file_set_contents($fsname, $raw);
774}
775
776my $cfs_lock = sub {
777 my ($lockid, $timeout, $code, @param) = @_;
778
779 my $res;
780
781 # this timeout is for aquire the lock
782 $timeout = 10 if !$timeout;
783
784 my $filename = "$lockdir/$lockid";
785
786 my $msg = "can't aquire cfs lock '$lockid'";
787
788 eval {
789
790 mkdir $lockdir;
791
792 if (! -d $lockdir) {
793 die "$msg: pve cluster filesystem not online.\n";
794 }
795
796 local $SIG{ALRM} = sub { die "got lock request timeout\n"; };
797
798 alarm ($timeout);
799
800 if (!(mkdir $filename)) {
801 print STDERR "trying to aquire cfs lock '$lockid' ...";
802 while (1) {
803 if (!(mkdir $filename)) {
804 (utime 0, 0, $filename); # cfs unlock request
805 } else {
806 print STDERR " OK\n";
807 last;
808 }
809 sleep(1);
810 }
811 }
812
813 # fixed command timeout: cfs locks have a timeout of 120
814 # using 60 gives us another 60 seconds to abort the task
815 alarm(60);
816 local $SIG{ALRM} = sub { die "got lock timeout - aborting command\n"; };
817
818 $res = &$code(@param);
819
820 alarm(0);
821 };
822
823 my $err = $@;
824
825 alarm(0);
826
827 if ($err && ($err eq "got lock request timeout\n") &&
828 !check_cfs_quorum()){
829 $err = "$msg: no quorum!\n";
830 }
831
832 if (!$err || $err !~ /^got lock timeout -/) {
833 rmdir $filename; # cfs unlock
834 }
835
836 if ($err) {
837 $@ = $err;
838 return undef;
839 }
840
841 $@ = undef;
842
843 return $res;
844};
845
846sub cfs_lock_file {
847 my ($filename, $timeout, $code, @param) = @_;
848
849 my $info = $observed->{$filename} || die "unknown file '$filename'";
850
851 my $lockid = "file-$filename";
852 $lockid =~ s/[.\/]/_/g;
853
854 &$cfs_lock($lockid, $timeout, $code, @param);
855}
856
857sub cfs_lock_storage {
858 my ($storeid, $timeout, $code, @param) = @_;
859
860 my $lockid = "storage-$storeid";
861
862 &$cfs_lock($lockid, $timeout, $code, @param);
863}
864
865my $log_levels = {
866 "emerg" => 0,
867 "alert" => 1,
868 "crit" => 2,
869 "critical" => 2,
870 "err" => 3,
871 "error" => 3,
872 "warn" => 4,
873 "warning" => 4,
874 "notice" => 5,
875 "info" => 6,
876 "debug" => 7,
877};
878
879sub log_msg {
880 my ($priority, $ident, $msg) = @_;
881
882 if (my $tmp = $log_levels->{$priority}) {
883 $priority = $tmp;
884 }
885
886 die "need numeric log priority" if $priority !~ /^\d+$/;
887
888 my $tag = PVE::SafeSyslog::tag();
889
890 $msg = "empty message" if !$msg;
891
892 $ident = "" if !$ident;
893 $ident = encode("ascii", decode_utf8($ident),
894 sub { sprintf "\\u%04x", shift });
895
896 my $utf8 = decode_utf8($msg);
897
898 my $ascii = encode("ascii", $utf8, sub { sprintf "\\u%04x", shift });
899
900 if ($ident) {
901 syslog($priority, "<%s> %s", $ident, $ascii);
902 } else {
903 syslog($priority, "%s", $ascii);
904 }
905
906 eval { &$ipcc_log($priority, $ident, $tag, $ascii); };
907
908 syslog("err", "writing cluster log failed: $@") if $@;
909}
910
65ff467f
DM		 911sub check_node_exists {
912 my ($nodename, $noerr) = @_;
913
914 my $nodelist = $clinfo->{nodelist};
915 return 1 if $nodelist && $nodelist->{$nodename};
916
917 return undef if $noerr;
918
919 die "no such cluster node '$nodename'\n";
920}
921
fe000966
DM		 922# this is also used to get the IP of the local node
923sub remote_node_ip {
924 my ($nodename, $noerr) = @_;
925
926 my $nodelist = $clinfo->{nodelist};
927 if ($nodelist && $nodelist->{$nodename}) {
928 if (my $ip = $nodelist->{$nodename}->{ip}) {
929 return $ip;
930 }
931 }
932
933 # fallback: try to get IP by other means
934 my $packed_ip = gethostbyname($nodename);
935 if (defined $packed_ip) {
936 my $ip = inet_ntoa($packed_ip);
937
938 if ($ip =~ m/^127\./) {
939 die "hostname lookup failed - got local IP address ($nodename = $ip)\n" if !$noerr;
940 return undef;
941 }
942
943 return $ip;
944 }
945
946 die "unable to get IP for node '$nodename' - node offline?\n" if !$noerr;
947
948 return undef;
949}
950
951# ssh related utility functions
952
953sub ssh_merge_keys {
954 # remove duplicate keys in $sshauthkeys
955 # ssh-copy-id simply add keys, so the file can grow to large
956
957 my $data = '';
958 if (-f $sshauthkeys) {
959 $data = PVE::Tools::file_get_contents($sshauthkeys, 128*1024);
960 chomp($data);
961 }
962
963 # always add ourself
964 if (-f $ssh_rsa_id) {
965 my $pub = PVE::Tools::file_get_contents($ssh_rsa_id);
966 chomp($pub);
967 $data .= "\n$pub\n";
968 }
969
970 my $newdata = "";
971 my $vhash = {};
972 while ($data && $data =~ s/^((.*?)(\n|$))//) {
973 my $line = "$2\n";
974 if ($line =~ m/^ssh-rsa\s+\S+\s+(\S+)$/) {
975 $vhash->{$1} = $line;
976 } else {
977 $newdata .= $line;
978 }
979 }
980
981 $newdata .= join("", values(%$vhash));
982
983 PVE::Tools::file_set_contents($sshauthkeys, $newdata, 0600);
984}
985
986sub setup_ssh_keys {
987
988 # create ssh key if it does not exist
989 if (! -f $ssh_rsa_id) {
990 mkdir '/root/.ssh/';
991 system ("echo|ssh-keygen -t rsa -N '' -b 2048 -f ${ssh_rsa_id_priv}");
992 }
993
994 mkdir $authdir;
995
996 if (! -f $sshauthkeys) {
997 if (my $fh = IO::File->new ($sshauthkeys, O_CREAT|O_WRONLY|O_EXCL, 0400)) {
998 close($fh);
999 }
1000 }
1001
1002 warn "can't create shared ssh key database '$sshauthkeys'\n"
1003 if ! -f $sshauthkeys;
1004
1005 if (-f $rootsshauthkeys) {
1006 system("mv '$rootsshauthkeys' '$rootsshauthkeys.org'");
1007 }
1008
1009 if (! -l $rootsshauthkeys) {
1010 symlink $sshauthkeys, $rootsshauthkeys;
1011 }
1012 warn "can't create symlink for ssh keys '$rootsshauthkeys' -> '$sshauthkeys'\n"
1013 if ! -l $rootsshauthkeys;
1014
1015}
1016
1017sub ssh_unmerge_known_hosts {
1018 return if ! -l $sshglobalknownhosts;
1019
1020 my $old = '';
1021 $old = PVE::Tools::file_get_contents($sshknownhosts, 128*1024)
1022 if -f $sshknownhosts;
1023
1024 PVE::Tools::file_set_contents($sshglobalknownhosts, $old);
1025}
1026
1027sub ssh_merge_known_hosts {
1028 my ($nodename, $ip_address, $createLink) = @_;
1029
1030 die "no node name specified" if !$nodename;
1031 die "no ip address specified" if !$ip_address;
1032
1033 mkdir $authdir;
1034
1035 if (! -f $sshknownhosts) {
1036 if (my $fh = IO::File->new($sshknownhosts, O_CREAT|O_WRONLY|O_EXCL, 0600)) {
1037 close($fh);
1038 }
1039 }
1040
1041 my $old = PVE::Tools::file_get_contents($sshknownhosts, 128*1024);
1042
1043 my $new = '';
1044
1045 if ((! -l $sshglobalknownhosts) && (-f $sshglobalknownhosts)) {
1046 $new = PVE::Tools::file_get_contents($sshglobalknownhosts, 128*1024);
1047 }
1048
1049 my $hostkey = PVE::Tools::file_get_contents($ssh_host_rsa_id);
1050 die "can't parse $ssh_rsa_id" if $hostkey !~ m/^(ssh-rsa\s\S+)(\s.*)?$/;
1051 $hostkey = $1;
1052
1053 my $data = '';
1054 my $vhash = {};
1055
1056 my $found_nodename;
1057 my $found_local_ip;
1058
1059 my $merge_line = sub {
1060 my ($line, $all) = @_;
1061
1062 if ($line =~ m/^(\S+)\s(ssh-rsa\s\S+)(\s.*)?$/) {
1063 my $key = $1;
1064 my $rsakey = $2;
1065 if (!$vhash->{$key}) {
1066 $vhash->{$key} = 1;
1067 if ($key =~ m/\|1\|([^\|\s]+)\|([^\|\s]+)$/) {
1068 my $salt = decode_base64($1);
1069 my $digest = $2;
1070 my $hmac = Digest::HMAC_SHA1->new($salt);
1071 $hmac->add($nodename);
1072 my $hd = $hmac->b64digest . '=';
1073 if ($digest eq $hd) {
1074 if ($rsakey eq $hostkey) {
1075 $found_nodename = 1;
1076 $data .= $line;
1077 }
1078 return;
1079 }
1080 $hmac = Digest::HMAC_SHA1->new($salt);
1081 $hmac->add($ip_address);
1082 $hd = $hmac->b64digest . '=';
1083 if ($digest eq $hd) {
1084 if ($rsakey eq $hostkey) {
1085 $found_local_ip = 1;
1086 $data .= $line;
1087 }
1088 return;
1089 }
1090 }
1091 $data .= $line;
1092 }
1093 } elsif ($all) {
1094 $data .= $line;
1095 }
1096 };
1097
1098 while ($old && $old =~ s/^((.*?)(\n|$))//) {
1099 my $line = "$2\n";
1100 next if $line =~ m/^\s*$/; # skip empty lines
1101 next if $line =~ m/^#/; # skip comments
1102 &$merge_line($line, 1);
1103 }
1104
1105 while ($new && $new =~ s/^((.*?)(\n|$))//) {
1106 my $line = "$2\n";
1107 next if $line =~ m/^\s*$/; # skip empty lines
1108 next if $line =~ m/^#/; # skip comments
1109 &$merge_line($line);
1110 }
1111
1112 my $addIndex = $$;
1113 my $add_known_hosts_entry = sub {
1114 my ($name, $hostkey) = @_;
1115 $addIndex++;
1116 my $hmac = Digest::HMAC_SHA1->new("$addIndex" . time());
1117 my $b64salt = $hmac->b64digest . '=';
1118 $hmac = Digest::HMAC_SHA1->new(decode_base64($b64salt));
1119 $hmac->add($name);
1120 my $digest = $hmac->b64digest . '=';
1121 $data .= "|1|$b64salt|$digest $hostkey\n";
1122 };
1123
1124 if (!$found_nodename || !$found_local_ip) {
1125 &$add_known_hosts_entry($nodename, $hostkey) if !$found_nodename;
1126 &$add_known_hosts_entry($ip_address, $hostkey) if !$found_local_ip;
1127 }
1128
1129 PVE::Tools::file_set_contents($sshknownhosts, $data);
1130
1131 return if !$createLink;
1132
1133 unlink $sshglobalknownhosts;
1134 symlink $sshknownhosts, $sshglobalknownhosts;
1135
1136 warn "can't create symlink for ssh known hosts '$sshglobalknownhosts' -> '$sshknownhosts'\n"
1137 if ! -l $sshglobalknownhosts;
1138
1139}
1140
1141my $keymaphash = PVE::Tools::kvmkeymaps();
1142my $datacenter_schema = {
1143 type => "object",
1144 additionalProperties => 0,
1145 properties => {
1146 keyboard => {
1147 optional => 1,
1148 type => 'string',
1149 description => "Default keybord layout for vnc server.",
1150 enum => [ keys %$keymaphash ],
1151 },
1152 language => {
1153 optional => 1,
1154 type => 'string',
1155 description => "Default GUI language.",
1156 enum => [ 'en', 'de' ],
1157 },
1158 http_proxy => {
1159 optional => 1,
1160 type => 'string',
1161 description => "Specify external http proxy which is used for downloads (example: 'http://username:password\@host:port/')",
1162 pattern => "http://.*",
1163 },
1164 },
1165};
1166
1167# make schema accessible from outside (for documentation)
1168sub get_datacenter_schema { return $datacenter_schema };
1169
1170sub parse_datacenter_config {
1171 my ($filename, $raw) = @_;
1172
1173 return PVE::JSONSchema::parse_config($datacenter_schema, $filename, $raw);
1174}
1175
1176sub write_datacenter_config {
1177 my ($filename, $cfg) = @_;
1178
1179 return PVE::JSONSchema::dump_config($datacenter_schema, $filename, $cfg);
1180}
1181
1182cfs_register_file('datacenter.cfg',
1183 \&parse_datacenter_config,
1184 \&write_datacenter_config);
Cluster FS and Tools