package PVE::CLI::pvecm;

# NOTE(review): this excerpt skips lines between the visible ones; the
# strict/warnings pragmas and the imports behind dirname(), File::Path,
# PVE::Cluster, PVE::Corosync, PVE::INotify and PVE::PTY used further down
# are not shown here -- confirm they are present in the full file.
use PVE::Tools qw(run_command);
use PVE::JSONSchema qw(get_standard_option);
use PVE::RPCEnvironment;
use PVE::API2::ClusterConfig;

use base qw(PVE::CLIHandler);

# Pinned per the original note for ssh-copy-id; presumably so the key
# lookup does not depend on the caller's environment.
$ENV{HOME} = '/root'; # for ssh-copy-id

# Well-known locations used by the join/keygen commands below.
my $basedir     = '/etc/pve';
my $clusterconf = "$basedir/corosync.conf";
my $libdir      = '/var/lib/pve-cluster';
my $authfile    = '/etc/corosync/authkey';
# Bootstrap hook, presumably invoked by the PVE::CLIHandler base class:
# installs the default RPC environment for a command-line run.
sub setup_environment {
    return PVE::RPCEnvironment->setup_default_cli_env();
}
# keygen: create a fresh corosync authkey with corosync-keygen(8).
# Only schema fragments and body statements survived in this excerpt; the
# method's name/path/method keys, the `filename` property header and the
# `code` callback opener (where $param is unpacked) are not shown.
32 __PACKAGE__-
>register_method ({
36 description
=> "Generate new cryptographic key for corosync.",
38 additionalProperties
=> 0,
42 description
=> "Output file name"
46 returns
=> { type
=> 'null' },
51 my $filename = $param->{filename
};
# Cluster key material: only root may create it.
54 $> == 0 || die "Error: Authorization key must be generated as root user.\n";
55 my $dirname = dirname
($filename);
# Never silently overwrite an existing key file.
57 die "key file '$filename' already exists\n" if -e
$filename;
59 File
::Path
::make_path
($dirname) if $dirname;
# List-form argv: the caller-supplied path never passes through a shell.
61 run_command
(['corosync-keygen', '-l', '-k', $filename]);
# Helper closure: walk the cluster members (sorted by node name) and invoke
# $code with ($node, $ip) for each one that has a cluster IP -- the call
# sites below unpack exactly those two arguments. The call line itself and
# the else-branch header are not in this excerpt. Without $noerr a member
# lacking an IP aborts the whole run; with it only a warning is printed.
66 my $foreach_member = sub {
67 my ($code, $noerr) = @_;
69 my $members = PVE
::Cluster
::get_members
();
70 foreach my $node (sort keys %$members) {
71 if (my $ip = $members->{$node}->{ip
}) {
74 die "cannot get the cluster IP for node '$node'.\n" if !$noerr;
75 warn "cannot get the cluster IP for node '$node'.\n";
# setup_qdevice: wire an external corosync QNet daemon (qnetd) into this
# cluster as a quorum device: pre-flight checks, certificate bootstrap on
# the qnetd host and on every member over ssh/scp, then the corosync.conf
# update under the cluster lock and a daemon start on all nodes.
# Parts of the method (property names, the `code` callback opener, the
# `$code` closure header, several closing braces) are absent from this
# excerpt; the comments below describe only what is visible.
81 __PACKAGE__-
>register_method ({
82 name
=> 'setup_qdevice',
83 path
=> 'setup_qdevice',
85 description
=> "Setup the use of a QDevice",
87 additionalProperties
=> 0,
# `address` is schema-validated as format 'ip' before it is interpolated
# into the ssh/scp argv below.
90 type
=> 'string', format
=> 'ip',
91 description
=> "Specifies the network address of an external corosync QDevice" ,
96 description
=> 'The network which should be used to connect to the external qdevice',
101 description
=> "Do not throw error on possible dangerous operations.",
106 returns
=> { type
=> 'null' },
# Pre-flight: must already be clustered, and every member must be online
# because each one is touched over ssh further down.
111 die "Node not in a cluster. Aborting.\n"
112 if !PVE
::Corosync
::check_conf_exists
(1);
114 my $members = PVE
::Cluster
::get_members
();
115 foreach my $node (sort keys %$members) {
116 die "All nodes must be online! Node $node is offline, aborting.\n"
117 if !$members->{$node}->{online
};
120 my $conf = PVE
::Cluster
::cfs_read_file
("corosync.conf");
# Unlocked pre-check only. As far as this excerpt shows, the locked closure
# (gutter 219-220) repeats the test unconditionally, so --force gets past
# this line but still aborts later, after all the certificate work.
122 die "QDevice already configured!\n"
123 if defined($conf->{main
}->{quorum
}->{device
}) && !$param->{force
};
125 my $network = $param->{network
};
# FIXME(review): scalar($members) numifies the hash *reference* (its
# address), not the number of members, so this odd-node-count guard is
# effectively never taken. The intended test is
#     if (scalar(keys %$members) & 1) {
# The forced branch's body is not visible in this excerpt.
128 my $algorithm = 'ffsplit';
129 if (scalar($members) & 1) {
130 if ($param->{force
}) {
133 die "Clusters with an odd node count are not officially supported!\n";
137 my $qnetd_addr = $param->{address
};
# File locations used by the corosync qdevice/qnetd certutil tools.
138 my $base_dir = "/etc/corosync/qdevice/net";
139 my $db_dir_qnetd = "/etc/corosync/qnetd/nssdb";
140 my $db_dir_node = "$base_dir/nssdb";
141 my $ca_export_base = "qnetd-cacert.crt";
142 my $ca_export_file = "$db_dir_qnetd/$ca_export_base";
143 my $crq_file_base = "qdevice-net-node.crq";
144 my $p12_file_base = "qdevice-net-node.p12";
145 my $qdevice_certutil = "corosync-qdevice-net-certutil";
146 my $qnetd_certutil= "corosync-qnetd-certutil";
147 my $clustername = $conf->{main
}->{totem
}->{cluster_name
};
# Push the local root key to the qnetd host so the BatchMode ssh/scp calls
# below can authenticate without prompting.
149 run_command
(['ssh-copy-id', '-i', '/root/.ssh/id_rsa', "root\@$qnetd_addr"]);
# Existing local NSS store: refuse unless forced (forced branch not shown).
# The existing FIXME is right that only this node's store is checked.
151 if (-d
$db_dir_node) {
152 # FIXME: check on all nodes?!
153 if ($param->{force
}) {
156 die "QDevice certificate store already initialised, set force to delete!\n";
# BatchMode=yes: a missing key or unknown host fails fast instead of
# hanging on an interactive prompt.
160 my $ssh_cmd = ['ssh', '-o', 'BatchMode=yes', '-lroot'];
161 my $scp_cmd = ['scp', '-o', 'BatchMode=yes'];
163 print "\nINFO: initializing qnetd server\n";
165 [@$ssh_cmd, $qnetd_addr, $qnetd_certutil, "-i"],
# The qnetd CA certificate is staged on /etc/pve (the cluster-wide
# filesystem) so every member can import it locally; removed at gutter 179.
169 print "\nINFO: copying CA cert and initializing on all nodes\n";
170 run_command
([@$scp_cmd, "root\@\[$qnetd_addr\]:$ca_export_file", "/etc/pve/$ca_export_base"]);
171 $foreach_member->(sub {
172 my ($node, $ip) = @_;
173 my $outsub = sub { print "\nnode '$node': " . shift };
175 [@$ssh_cmd, $ip, $qdevice_certutil, "-i", "-c", "/etc/pve/$ca_export_base"],
176 noerr
=> 1, outfunc
=> \
&$outsub
179 unlink "/etc/pve/$ca_export_base";
181 print "\nINFO: generating cert request\n";
182 run_command
([$qdevice_certutil, "-r", "-n", $clustername]);
184 print "\nINFO: copying exported cert request to qnetd server\n";
185 run_command
([@$scp_cmd, "$db_dir_node/$crq_file_base", "root\@\[$qnetd_addr\]:/tmp"]);
187 print "\nINFO: sign and export cluster cert\n";
189 @$ssh_cmd, $qnetd_addr, $qnetd_certutil, "-s", "-c",
190 "/tmp/$crq_file_base", "-n", "$clustername"
193 print "\nINFO: copy exported CRT\n";
195 @$scp_cmd, "root\@\[$qnetd_addr\]:$db_dir_qnetd/cluster-$clustername.crt",
199 print "\nINFO: import certificate\n";
200 run_command
(["$qdevice_certutil", "-M", "-c", "$db_dir_node/cluster-$clustername.crt"]);
# NOTE(review): the PKCS#12 bundle is staged on the shared /etc/pve the
# same way as the CA cert. If it carries the node's private key (a .p12
# bundle typically does), it stays there until the unlink at gutter 212,
# and nothing visible here removes it when a run_command in between dies.
# Consider an eval/cleanup guard around this stretch.
202 print "\nINFO: copy and import pk12 cert to all nodes\n";
203 run_command
([@$scp_cmd, "$db_dir_node/$p12_file_base", "/etc/pve/"]);
204 $foreach_member->(sub {
205 my ($node, $ip) = @_;
206 my $outsub = sub { print "\nnode '$node': " . shift };
208 @$ssh_cmd, $ip, "$qdevice_certutil", "-m", "-c",
209 "/etc/pve/$p12_file_base"], outfunc
=> \
&$outsub
212 unlink "/etc/pve/$p12_file_base";
# Locked closure ($code, handed to cfs_lock_file at gutter 238): re-read
# corosync.conf under the cluster lock, attach the quorum.device section
# and write the file back atomically. Its `my $code = sub {` opener and
# most of the $qdev_section construction are not shown.
216 my $conf = PVE
::Cluster
::cfs_read_file
("corosync.conf");
217 my $quorum_section = $conf->{main
}->{quorum
};
219 die "Qdevice already configured, must be removed before setting up new one!\n"
220 if defined($quorum_section->{device
}); # must not be forced!
227 algorithm
=> $algorithm,
230 $qdev_section->{votes
} = 1 if $algorithm eq 'ffsplit';
232 $quorum_section->{device
} = $qdev_section;
234 PVE
::Corosync
::atomic_write_conf
($conf);
237 print "\nINFO: add QDevice to cluster configuration\n";
238 PVE
::Cluster
::cfs_lock_file
('corosync.conf', 10, $code);
# Start and enable the daemon on every member; remote output is prefixed
# with the node name so interleaved lines stay attributable.
241 $foreach_member->(sub {
242 my ($node, $ip) = @_;
243 my $outsub = sub { print "\nnode '$node': " . shift };
244 print "\nINFO: start and enable corosync qdevice daemon on node '$node'...\n";
245 run_command
([@$ssh_cmd, $ip, 'systemctl', 'start', 'corosync-qdevice'], outfunc
=> \
&$outsub);
246 run_command
([@$ssh_cmd, $ip, 'systemctl', 'enable', 'corosync-qdevice'], outfunc
=> \
&$outsub);
249 run_command
(['corosync-cfgtool', '-R']); # do cluster wide config reload
# remove_qdevice: drop the quorum.device section from corosync.conf under
# the cluster lock, wipe the qdevice state directory on every member and
# then stop/disable the corosync-qdevice service everywhere. Same excerpt
# caveat as above: the `code` callback and `$code` closure openers and the
# closing braces are not shown.
254 __PACKAGE__-
>register_method ({
255 name
=> 'remove_qdevice',
256 path
=> 'remove_qdevice',
258 description
=> "Remove a configured QDevice",
260 additionalProperties
=> 0,
263 returns
=> { type
=> 'null' },
# Same pre-flight as setup_qdevice: clustered, and all members reachable.
268 die "Node not in a cluster. Aborting.\n"
269 if !PVE
::Corosync
::check_conf_exists
(1);
271 my $members = PVE
::Cluster
::get_members
();
272 foreach my $node (sort keys %$members) {
273 die "All nodes must be online! Node $node is offline, aborting.\n"
274 if !$members->{$node}->{online
};
277 my $ssh_cmd = ['ssh', '-o', 'BatchMode=yes', '-lroot'];
# Locked closure: judging by where cfs_lock_file is called (gutter 297),
# both the config edit and the per-node state cleanup below run while
# corosync.conf is locked.
280 my $conf = PVE
::Cluster
::cfs_read_file
("corosync.conf");
281 my $quorum_section = $conf->{main
}->{quorum
};
283 die "No QDevice configured!\n" if !defined($quorum_section->{device
});
285 delete $quorum_section->{device
};
287 PVE
::Corosync
::atomic_write_conf
($conf);
289 # cleanup qdev state (cert storage)
290 my $qdev_state_dir = "/etc/corosync/qdevice";
291 $foreach_member->(sub {
292 my (undef, $ip) = @_;
# Remote removal of a fixed, non-interpolated path; argv stays list form.
293 run_command
([@$ssh_cmd, $ip, '--', 'rm', '-rf', $qdev_state_dir]);
297 PVE
::Cluster
::cfs_lock_file
('corosync.conf', 10, $code);
# Services are stopped only after the config and state are already gone.
300 $foreach_member->(sub {
301 my (undef, $ip) = @_;
302 run_command
([@$ssh_cmd, $ip, 'systemctl', 'stop', 'corosync-qdevice']);
303 run_command
([@$ssh_cmd, $ip, 'systemctl', 'disable', 'corosync-qdevice']);
306 run_command
(['corosync-cfgtool', '-R']);
308 print "\nRemoved Qdevice.\n";
# add: join the local node to an existing cluster through a member given
# as `hostname`. The preferred path is the API join (root password is
# prompted and handed to PVE::Cluster::join); when the remote cannot
# serve it (HTTP 501) or `use_ssh` is set, the legacy ssh-based join runs.
# The body is executed in a forked worker for a task log (gutter 436-440);
# the `my $worker = sub {` opener and the eval around the API join are not
# shown in this excerpt.
313 __PACKAGE__-
>register_method ({
317 description
=> "Adds the current node to an existing cluster.",
319 additionalProperties
=> 0,
323 description
=> "Hostname (or IP) of an existing cluster member."
325 nodeid
=> get_standard_option
('corosync-nodeid'),
328 description
=> "Number of votes for this node",
334 description
=> "Do not throw error if node already exists.",
337 link0
=> get_standard_option
('corosync-link'),
338 link1
=> get_standard_option
('corosync-link'),
339 fingerprint
=> get_standard_option
('fingerprint-sha256', {
344 description
=> "Always use SSH to join, even if peer may do it over API.",
349 returns
=> { type
=> 'null' },
354 my $nodename = PVE
::INotify
::nodename
();
356 my $host = $param->{hostname
};
357 my $local_ip_address = PVE
::Cluster
::remote_node_ip
($nodename);
359 my $link0 = PVE
::Cluster
::parse_corosync_link
($param->{link0
});
360 my $link1 = PVE
::Cluster
::parse_corosync_link
($param->{link1
});
# Validate link addresses and joinability before touching the network.
362 PVE
::Cluster
::assert_joinable
($local_ip_address, $link0, $link1, $param->{force
});
# API join needs the remote root password; it travels inside $param to
# PVE::Cluster::join (gutter 374) and is not written anywhere here.
366 if (!$param->{use_ssh
}) {
367 print "Please enter superuser (root) password for '$host':\n";
368 my $password = PVE
::PTY
::read_password
("Password for root\@$host: ");
370 delete $param->{use_ssh
};
371 $param->{password
} = $password;
373 my $local_cluster_lock = "/var/lock/pvecm.lock";
374 PVE
::Tools
::lock_file
($local_cluster_lock, 10, \
&PVE
::Cluster
::join, $param);
# A 501 from the remote means its API has no join endpoint: turn the
# error into an actionable hint. Where $err is assigned is not shown.
377 if (ref($err) eq 'PVE::APIClient::Exception' && defined($err->{code
}) && $err->{code
} == 501) {
378 $err = "Remote side is not able to use API for Cluster join!\n" .
379 "Pass the 'use_ssh' switch or update the remote side.\n";
383 return; # all OK, the API join endpoint successfully set us up
386 # allow fallback to old ssh only join if wished or needed
# Legacy path: prepare the local sshd/root ssh config and keys, then push
# the key to the peer. ssh-copy-id's output is deliberately discarded, so
# only the fixed errmsg reaches the user on failure.
388 PVE
::Cluster
::setup_sshd_config
();
389 PVE
::Cluster
::setup_rootsshconfig
();
390 PVE
::Cluster
::setup_ssh_keys
();
392 # make sure known_hosts is on local filesystem
393 PVE
::Cluster
::ssh_unmerge_known_hosts
();
395 my $cmd = ['ssh-copy-id', '-i', '/root/.ssh/id_rsa', "root\@$host"];
396 run_command
($cmd, 'outfunc' => sub {}, 'errfunc' => sub {},
397 'errmsg' => "unable to copy ssh ID");
# NOTE(review): here $host is ssh's first positional argument, unlike
# gutter 395 where it is spelled "root\@$host". A value beginning with '-'
# would be parsed as an ssh option; using the same "root\@$host" spelling
# here rules that out. No shell is involved (list-form system() below).
399 $cmd = ['ssh', $host, '-o', 'BatchMode=yes',
400 'pvecm', 'addnode', $nodename, '--force', 1];
402 push @$cmd, '--nodeid', $param->{nodeid
} if $param->{nodeid
};
403 push @$cmd, '--votes', $param->{votes
} if defined($param->{votes
});
404 # just pass the un-parsed string through, or as we've address as
405 # the default_key, we can just pass the fallback directly too
406 push @$cmd, '--link0', $param->{link0
} // $local_ip_address;
407 push @$cmd, '--link1', $param->{link1
} if defined($param->{link1
});
409 if (system (@$cmd) != 0) {
410 my $cmdtxt = join (' ', @$cmd);
411 die "unable to add node: command failed ($cmdtxt)\n";
# Fetch authkey and corosync.conf from the peer into a per-process temp
# directory under $libdir. The single source argument relies on rsync's
# space-separated multi-file remote syntax; creation and cleanup of
# $tmpdir happen on lines not shown here.
414 my $tmpdir = "$libdir/.pvecm_add.tmp.$$";
418 print "copy corosync auth key\n";
419 $cmd = ['rsync', '--rsh=ssh -l root -o BatchMode=yes', '-lpgoq',
420 "[$host]:$authfile $clusterconf", $tmpdir];
422 system(@$cmd) == 0 || die "can't rsync data from host '$host'\n";
424 my $corosync_conf = PVE
::Tools
::file_get_contents
("$tmpdir/corosync.conf");
425 my $corosync_authkey = PVE
::Tools
::file_get_contents
("$tmpdir/authkey");
427 PVE
::Cluster
::finish_join
($host, $corosync_conf, $corosync_authkey);
436 # use a synced worker so we get a nice task log when joining through CLI
437 my $rpcenv = PVE
::RPCEnvironment
::get
();
438 my $authuser = $rpcenv->get_user();
440 $rpcenv->fork_worker('clusterjoin', '', $authuser, $worker);
# status: thin wrapper around `corosync-quorumtool -siH`. The hand-off to
# the tool (an exec, going by the "should not be reached" note) is on a
# line not shown; exit(-1) only runs if that hand-off fails.
445 __PACKAGE__-
>register_method ({
449 description
=> "Displays the local view of the cluster status.",
451 additionalProperties
=> 0,
454 returns
=> { type
=> 'null' },
# Aborts with the tool's own error when the node is not clustered.
459 PVE
::Corosync
::check_conf_exists
();
461 my $cmd = ['corosync-quorumtool', '-siH'];
465 exit (-1); # should not be reached
# nodes: thin wrapper around `corosync-quorumtool -l`, same shape as
# `status` above; the hand-off to the tool is on a line not shown.
468 __PACKAGE__-
>register_method ({
472 description
=> "Displays the local view of the cluster nodes.",
474 additionalProperties
=> 0,
477 returns
=> { type
=> 'null' },
482 PVE
::Corosync
::check_conf_exists
();
484 my $cmd = ['corosync-quorumtool', '-l'];
488 exit (-1); # should not be reached
# expected: forward a new expected-votes value to corosync via
# `corosync-quorumtool -e`. The property's type line is not shown; the
# value is passed as its own argv element, so no shell parsing applies.
491 __PACKAGE__-
>register_method ({
495 description
=> "Tells corosync a new value of expected votes.",
497 additionalProperties
=> 0,
501 description
=> "Expected votes",
506 returns
=> { type
=> 'null' },
511 PVE
::Corosync
::check_conf_exists
();
513 my $cmd = ['corosync-quorumtool', '-e', $param->{expected
}];
517 exit (-1); # should not be reached
# updatecerts: regenerate node certificates and ssh files. Runs under a
# 30 s fork timeout because it is invoked from pve-cluster.service's
# ExecStartPost (see the original comment below). `->@{qw(force silent)}`
# is a postfix hash slice (5.24+) handing the two option values over
# positionally.
# NOTE(review): "certifate" in the description below is a typo for
# "certificate"; it is a runtime string, so it is left untouched here.
521 __PACKAGE__-
>register_method ({
522 name
=> 'updatecerts',
523 path
=> 'updatecerts',
525 description
=> "Update node certificates (and generate all needed files/directories).",
527 additionalProperties
=> 0,
530 description
=> "Force generation of new SSL certifate.",
535 description
=> "Ignore errors (i.e. when cluster has no quorum).",
541 returns
=> { type
=> 'null' },
545 # we get called by the pve-cluster.service ExecStartPost and as we do
546 # IO (on /etc/pve) which can hang (uninterruptedly D state). That'd be
547 # no-good for ExecStartPost as it fails the whole service in this case
548 PVE
::Tools
::run_fork_with_timeout
(30, sub {
549 PVE
::Cluster
::updatecerts_and_ssh
($param->@{qw(force silent)});
# Command table for PVE::CLIHandler: command => [class, method, positional
# parameter names]. The `our $cmddef = {` opener and the closing lines are
# not in this excerpt; `setup`/`remove` presumably sit in a nested
# sub-command table whose key line (gutter 565) is omitted.
556 keygen
=> [ __PACKAGE__
, 'keygen', ['filename']],
557 create
=> [ 'PVE::API2::ClusterConfig', 'create', ['clustername']],
558 add
=> [ __PACKAGE__
, 'add', ['hostname']],
559 addnode
=> [ 'PVE::API2::ClusterConfig', 'addnode', ['node']],
560 delnode
=> [ 'PVE::API2::ClusterConfig', 'delnode', ['node']],
561 status
=> [ __PACKAGE__
, 'status' ],
562 nodes
=> [ __PACKAGE__
, 'nodes' ],
563 expected
=> [ __PACKAGE__
, 'expected', ['expected']],
564 updatecerts
=> [ __PACKAGE__
, 'updatecerts', []],
566 setup
=> [ __PACKAGE__
, 'setup_qdevice', ['address']],
567 remove
=> [ __PACKAGE__
, 'remove_qdevice', []],