8 use File
::Path
qw(make_path);
13 use Storable
qw(dclone);
21 use PVE
::Tools
qw(run_command);
23 use PVE
::Cluster
::IPCConst
;
33 # x509 certificate utils
35 my $basedir = "/etc/pve";
36 my $authdir = "$basedir/priv";
37 my $lockdir = "/etc/pve/priv/lock";
39 # cfs and corosync files
40 my $dbfile = "/var/lib/pve-cluster/config.db";
41 my $dbbackupdir = "/var/lib/pve-cluster/backup";
43 # this is just a readonly copy, the relevant one is in status.c from pmxcfs
44 # observed files are the one we can get directly through IPCC, they are cached
45 # using a computed version and only those can be used by the cfs_*_file methods
49 'datacenter.cfg' => 1,
50 'replication.cfg' => 1,
52 'corosync.conf.new' => 1,
55 'priv/shadow.cfg' => 1,
57 'priv/token.cfg' => 1,
58 'priv/acme/plugins.cfg' => 1,
63 'ha/crm_commands' => 1,
64 'ha/manager_status' => 1,
65 'ha/resources.cfg' => 1,
72 'sdn/controllers.cfg' => 1,
73 'sdn/subnets.cfg' => 1,
76 'sdn/.running-config' => 1,
77 'virtual-guest/cpu-models.conf' => 1,
80 sub prepare_observed_file_basedirs
{
82 if (!check_cfs_is_mounted
(1)) {
83 warn "pmxcfs isn't mounted (/etc/pve), chickening out..\n";
87 for my $f (sort keys %$observed) {
88 next if $f !~ m!^(.*)/[^/]+$!;
89 my $dir = "$basedir/$1";
90 next if -e
$dir; # can also be a link, so just use -e xist check
91 print "creating directory '$dir' for observerd files\n";
104 sub check_cfs_quorum
{
107 # note: -w filename always return 1 for root, so wee need
108 # to use File::lstat here
109 my $st = File
::stat::lstat("$basedir/local");
110 my $quorate = ($st && (($st->mode & 0200) != 0));
112 die "cluster not ready - no quorum?\n" if !$quorate && !$noerr;
117 sub check_cfs_is_mounted
{
120 my $res = -l
"$basedir/local";
122 die "pve configuration filesystem not mounted\n"
132 my $ipcc_send_rec = sub {
133 my ($msgid, $data) = @_;
135 my $res = PVE
::IPCC
::ipcc_send_rec
($msgid, $data);
137 die "ipcc_send_rec[$msgid] failed: $!\n" if !defined($res) && ($! != 0);
142 my $ipcc_send_rec_json = sub {
143 my ($msgid, $data) = @_;
145 my $res = PVE
::IPCC
::ipcc_send_rec
($msgid, $data);
147 die "ipcc_send_rec[$msgid] failed: $!\n" if !defined($res) && ($! != 0);
149 return decode_json
($res);
152 my $ipcc_get_config = sub {
155 my $bindata = pack "Z*", $path;
156 my $res = PVE
::IPCC
::ipcc_send_rec
(CFS_IPC_GET_CONFIG
, $bindata);
157 if (!defined($res)) {
159 return undef if $! == ENOENT
;
168 my $ipcc_get_status = sub {
169 my ($name, $nodename) = @_;
171 my $bindata = pack "Z[256]Z[256]", $name, ($nodename || "");
172 return PVE
::IPCC
::ipcc_send_rec
(CFS_IPC_GET_STATUS
, $bindata);
175 my $ipcc_remove_status = sub {
177 # we just omit the data payload, pmxcfs takes this as hint and removes this
178 # key from the status hashtable
179 my $bindata = pack "Z[256]", $name;
180 return &$ipcc_send_rec(CFS_IPC_SET_STATUS
, $bindata);
183 my $ipcc_update_status = sub {
184 my ($name, $data) = @_;
186 my $raw = ref($data) ? encode_json
($data) : $data;
188 my $bindata = pack "Z[256]Z*", $name, $raw;
190 return &$ipcc_send_rec(CFS_IPC_SET_STATUS
, $bindata);
194 my ($priority, $ident, $tag, $msg) = @_;
196 my $bindata = pack "CCCZ*Z*Z*", $priority, bytes
::length($ident) + 1,
197 bytes
::length($tag) + 1, $ident, $tag, $msg;
199 return &$ipcc_send_rec(CFS_IPC_LOG_CLUSTER_MSG
, $bindata);
202 my $ipcc_get_cluster_log = sub {
203 my ($user, $max) = @_;
205 $max = 0 if !defined($max);
207 my $bindata = pack "VVVVZ*", $max, 0, 0, 0, ($user || "");
208 return &$ipcc_send_rec(CFS_IPC_GET_CLUSTER_LOG
, $bindata);
211 my $ipcc_verify_token = sub {
212 my ($full_token) = @_;
214 my $bindata = pack "Z*", $full_token;
215 my $res = PVE
::IPCC
::ipcc_send_rec
(CFS_IPC_VERIFY_TOKEN
, $bindata);
218 return 0 if $! == ENOENT
;
228 my $res = &$ipcc_send_rec_json(CFS_IPC_GET_FS_VERSION
);
229 die "no starttime\n" if !$res->{starttime
};
231 if (!$res->{starttime
} || !$versions->{starttime
} ||
232 $res->{starttime
} != $versions->{starttime
}) {
233 #print "detected changed starttime\n";
252 if (!$clinfo->{version
} || $clinfo->{version
} != $versions->{clinfo
}) {
253 #warn "detected new clinfo\n";
254 $clinfo = &$ipcc_send_rec_json(CFS_IPC_GET_CLUSTER_INFO
);
265 if (!$vmlist->{version
} || $vmlist->{version
} != $versions->{vmlist
}) {
266 #warn "detected new vmlist1\n";
267 $vmlist = &$ipcc_send_rec_json(CFS_IPC_GET_GUEST_LIST
);
287 return $clinfo->{nodelist
};
291 my $nodelist = $clinfo->{nodelist
};
293 my $nodename = PVE
::INotify
::nodename
();
295 if (!$nodelist || !$nodelist->{$nodename}) {
296 return [ $nodename ];
299 return [ keys %$nodelist ];
302 # only stored in a in-memory hashtable inside pmxcfs, local data is gone after
303 # a restart (of pmxcfs or the node), peer data is still available then
304 # best used for status data, like running (ceph) services, package versions, ...
305 sub broadcast_node_kv
{
306 my ($key, $data) = @_;
308 if (!defined($data)) {
310 $ipcc_remove_status->("kv/$key");
313 die "cannot send a reference\n" if ref($data);
314 my $size = length($data);
315 die "data for '$key' too big\n" if $size >= (32 * 1024); # limit from pmxfs
318 $ipcc_update_status->("kv/$key", $data);
325 # nodename is optional
327 my ($key, $nodename) = @_;
330 my $get_node_data = sub {
332 my $raw = $ipcc_get_status->("kv/$key", $node);
333 $res->{$node} = unpack("Z*", $raw) if $raw;
337 $get_node_data->($nodename);
339 my $nodelist = get_nodelist
();
341 foreach my $node (@$nodelist) {
342 $get_node_data->($node);
349 # property: a config property you want to get, e.g., this is perfect to get
350 # the 'lock' entry of a guest _fast_ (>100 faster than manual parsing here)
351 # vmid: optipnal, if a valid is passed we only check that one, else return all
352 # NOTE: does *not* searches snapshot and PENDING entries sections!
353 sub get_guest_config_property
{
354 my ($property, $vmid) = @_;
356 die "property is required" if !defined($property);
358 my $bindata = pack "VZ*", $vmid // 0, $property;
359 my $res = $ipcc_send_rec_json->(CFS_IPC_GET_GUEST_CONFIG_PROPERTY
, $bindata);
364 # $data must be a chronological descending ordered array of tasks
365 sub broadcast_tasklist
{
368 # the serialized list may not get bigger than 32kb (CFS_MAX_STATUS_SIZE
369 # from pmxcfs) - drop older items until we satisfy this constraint
370 my $size = length(encode_json
($data));
371 while ($size >= (32 * 1024)) {
373 $size = length(encode_json
($data));
377 &$ipcc_update_status("tasklist", $data);
383 my $tasklistcache = {};
388 my $kvstore = $versions->{kvstore
} || {};
390 my $nodelist = get_nodelist
();
393 foreach my $node (@$nodelist) {
394 next if $nodename && ($nodename ne $node);
396 my $ver = $kvstore->{$node}->{tasklist
} if $kvstore->{$node};
397 my $cache = $tasklistcache->{$node};
398 if (!$cache || !$ver || !$cache->{version
} || ($cache->{version
} != $ver)) {
400 if (my $raw = $ipcc_get_status->("tasklist", $node)) {
401 my $json_str = unpack("Z*", $raw);
402 $tasks = decode_json
($json_str);
405 $tasklistcache->{$node} = {
409 } elsif ($cache && $cache->{data
}) {
410 push @$res, $cache->{data
}->@*;
414 syslog
('err', $err) if $err;
421 my ($rrdid, $data) = @_;
424 &$ipcc_update_status("rrd/$rrdid", $data);
431 my $last_rrd_dump = 0;
432 my $last_rrd_data = "";
438 my $diff = $ctime - $last_rrd_dump;
440 return $last_rrd_data;
445 $raw = &$ipcc_send_rec(CFS_IPC_GET_RRD_DUMP
);
457 while ($raw =~ s/^(.*)\n//) {
458 my ($key, @ela) = split(/:/, $1);
460 next if !(scalar(@ela) > 1);
461 $res->{$key} = [ map { $_ eq 'U' ?
undef : $_ } @ela ];
465 $last_rrd_dump = $ctime;
466 $last_rrd_data = $res;
472 # a fast way to read files (avoid fuse overhead)
476 return &$ipcc_get_config($path);
479 sub get_cluster_log
{
480 my ($user, $max) = @_;
482 return &$ipcc_get_cluster_log($user, $max);
486 my ($userid, $token) = @_;
488 return &$ipcc_verify_token("$userid $token");
493 sub cfs_register_file
{
494 my ($filename, $parser, $writer) = @_;
496 $observed->{$filename} || die "unknown file '$filename'";
498 die "file '$filename' already registered" if $file_info->{$filename};
500 $file_info->{$filename} = {
506 my $ccache_read = sub {
507 my ($filename, $parser, $version) = @_;
509 $ccache->{$filename} = {} if !$ccache->{$filename};
511 my $ci = $ccache->{$filename};
513 if (!$ci->{version
} || !$version || $ci->{version
} != $version) {
514 # we always call the parser, even when the file does not exist
515 # (in that case $data is undef)
516 my $data = get_config
($filename);
517 $ci->{data
} = &$parser("/etc/pve/$filename", $data);
518 $ci->{version
} = $version;
521 my $res = ref($ci->{data
}) ? dclone
($ci->{data
}) : $ci->{data
};
526 sub cfs_file_version
{
531 if ($filename =~ m!^nodes/[^/]+/(openvz|lxc|qemu-server)/(\d+)\.conf$!) {
532 my ($type, $vmid) = ($1, $2);
533 if ($vmlist && $vmlist->{ids
} && $vmlist->{ids
}->{$vmid}) {
534 $version = $vmlist->{ids
}->{$vmid}->{version
};
536 $infotag = "/$type/";
538 $infotag = $filename;
539 $version = $versions->{$filename};
542 my $info = $file_info->{$infotag} ||
543 die "unknown file type '$filename'\n";
545 return wantarray ?
($version, $info) : $version;
551 my ($version, $info) = cfs_file_version
($filename);
552 my $parser = $info->{parser
};
554 return &$ccache_read($filename, $parser, $version);
558 my ($filename, $data) = @_;
560 my ($version, $info) = cfs_file_version
($filename);
562 my $writer = $info->{writer
} || die "no writer defined";
564 my $fsname = "/etc/pve/$filename";
566 my $raw = &$writer($fsname, $data);
568 if (my $ci = $ccache->{$filename}) {
569 $ci->{version
} = undef;
572 PVE
::Tools
::file_set_contents
($fsname, $raw);
576 my ($lockid, $timeout, $code, @param) = @_;
578 my $prev_alarm = alarm(0); # suspend outer alarm early
583 # this timeout is for acquire the lock
584 $timeout = 10 if !$timeout;
586 my $filename = "$lockdir/$lockid";
594 die "pve cluster filesystem not online.\n";
597 my $timeout_err = sub { die "got lock request timeout\n"; };
598 local $SIG{ALRM
} = $timeout_err;
602 $got_lock = mkdir($filename);
603 $timeout = alarm(0) - 1; # we'll sleep for 1s, see down below
607 $timeout_err->() if $timeout <= 0;
609 print STDERR
"trying to acquire cfs lock '$lockid' ...\n";
610 utime (0, 0, $filename); # cfs unlock request
614 # fixed command timeout: cfs locks have a timeout of 120
615 # using 60 gives us another 60 seconds to abort the task
616 local $SIG{ALRM
} = sub { die "'$lockid'-locked command timed out - aborting\n"; };
619 cfs_update
(); # make sure we read latest versions inside code()
621 $is_code_err = 1; # allows to differ between locking and actual-work errors
623 $res = &$code(@param);
630 $err = "no quorum!\n" if !$got_lock && !check_cfs_quorum
(1);
632 rmdir $filename if $got_lock; # if we held the lock always unlock again
637 if (ref($err) eq 'PVE::Exception' || $is_code_err) {
638 # re-raise defined exceptions
641 # add lock info for plain errors comming from the locking itself
642 $@ = "cfs-lock '$lockid' error: $err";
653 my ($filename, $timeout, $code, @param) = @_;
655 my $info = $observed->{$filename} || die "unknown file '$filename'";
657 my $lockid = "file-$filename";
658 $lockid =~ s/[.\/]/_
/g
;
660 &$cfs_lock($lockid, $timeout, $code, @param);
663 sub cfs_lock_storage
{
664 my ($storeid, $timeout, $code, @param) = @_;
666 my $lockid = "storage-$storeid";
668 &$cfs_lock($lockid, $timeout, $code, @param);
671 sub cfs_lock_domain
{
672 my ($domainname, $timeout, $code, @param) = @_;
674 my $lockid = "domain-$domainname";
676 &$cfs_lock($lockid, $timeout, $code, @param);
680 my ($account, $timeout, $code, @param) = @_;
682 my $lockid = "acme-$account";
684 &$cfs_lock($lockid, $timeout, $code, @param);
687 sub cfs_lock_authkey
{
688 my ($timeout, $code, @param) = @_;
690 $cfs_lock->('authkey', $timeout, $code, @param);
693 sub cfs_lock_firewall
{
694 my ($scope, $timeout, $code, @param) = @_;
696 my $lockid = "firewall-$scope";
698 $cfs_lock->($lockid, $timeout, $code, @param);
716 my ($priority, $ident, $msg) = @_;
718 if (my $tmp = $log_levels->{$priority}) {
722 die "need numeric log priority" if $priority !~ /^\d+$/;
724 my $tag = PVE
::SafeSyslog
::tag
();
726 $msg = "empty message" if !$msg;
728 $ident = "" if !$ident;
729 $ident = encode
("ascii", $ident,
730 sub { sprintf "\\u%04x", shift });
732 my $ascii = encode
("ascii", $msg, sub { sprintf "\\u%04x", shift });
735 syslog
($priority, "<%s> %s", $ident, $ascii);
737 syslog
($priority, "%s", $ascii);
740 eval { &$ipcc_log($priority, $ident, $tag, $ascii); };
742 syslog
("err", "writing cluster log failed: $@") if $@;
745 sub check_vmid_unused
{
746 my ($vmid, $noerr) = @_;
748 my $vmlist = get_vmlist
();
750 my $d = $vmlist->{ids
}->{$vmid};
751 return 1 if !defined($d);
753 return undef if $noerr;
755 my $vmtypestr = $d->{type
} eq 'qemu' ?
'VM' : 'CT';
756 die "$vmtypestr $vmid already exists on node '$d->{node}'\n";
759 sub check_node_exists
{
760 my ($nodename, $noerr) = @_;
762 my $nodelist = $clinfo->{nodelist
};
763 return 1 if $nodelist && $nodelist->{$nodename};
765 return undef if $noerr;
767 die "no such cluster node '$nodename'\n";
770 # this is also used to get the IP of the local node
772 my ($nodename, $noerr) = @_;
774 my $nodelist = $clinfo->{nodelist
};
775 if ($nodelist && $nodelist->{$nodename}) {
776 if (my $ip = $nodelist->{$nodename}->{ip
}) {
777 return $ip if !wantarray;
778 my $family = $nodelist->{$nodename}->{address_family
};
780 $nodelist->{$nodename}->{address_family
} =
782 PVE
::Tools
::get_host_address_family
($ip);
784 return wantarray ?
($ip, $family) : $ip;
788 # fallback: try to get IP by other means
789 return PVE
::Network
::get_ip_from_hostname
($nodename, $noerr);
792 sub get_node_fingerprint
{
795 my $cert_path = "/etc/pve/nodes/$node/pve-ssl.pem";
796 my $custom_cert_path = "/etc/pve/nodes/$node/pveproxy-ssl.pem";
798 $cert_path = $custom_cert_path if -f
$custom_cert_path;
800 return PVE
::Certificate
::get_certificate_fingerprint
($cert_path);
803 # bash completion helpers
805 sub complete_next_vmid
{
807 my $vmlist = get_vmlist
() || {};
808 my $idlist = $vmlist->{ids
} || {};
810 for (my $i = 100; $i < 10000; $i++) {
811 return [$i] if !defined($idlist->{$i});
819 my $vmlist = get_vmlist
();
820 my $ids = $vmlist->{ids
} || {};
822 return [ keys %$ids ];
825 sub complete_local_vmid
{
827 my $vmlist = get_vmlist
();
828 my $ids = $vmlist->{ids
} || {};
830 my $nodename = PVE
::INotify
::nodename
();
833 foreach my $vmid (keys %$ids) {
834 my $d = $ids->{$vmid};
835 next if !$d->{node
} || $d->{node
} ne $nodename;
842 sub complete_migration_target
{
846 my $nodename = PVE
::INotify
::nodename
();
848 my $nodelist = get_nodelist
();
849 foreach my $node (@$nodelist) {
850 next if $node eq $nodename;
858 # NOTE: filesystem must be offline here, no DB changes allowed
859 sub cfs_backup_database
{
863 my $backup_fn = "$dbbackupdir/config-$ctime.sql.gz";
865 print "backup old database to '$backup_fn'\n";
867 my $cmd = [ ['sqlite3', $dbfile, '.dump'], ['gzip', '-', \
">${backup_fn}"] ];
868 run_command
($cmd, 'errmsg' => "cannot backup old database\n");
870 my $maxfiles = 10; # purge older backup
871 my $backups = [ sort { $b cmp $a } <$dbbackupdir/config-*.sql
.gz
> ];
873 if ((my $count = scalar(@$backups)) > $maxfiles) {
874 foreach my $f (@$backups[$maxfiles..$count-1]) {
875 next if $f !~ m/^(\S+)$/; # untaint
876 print "delete old backup '$1'\n";