use strict;
use warnings;
-use POSIX qw(EEXIST ENOENT);
+
+use Digest::HMAC_SHA1;
+use Digest::SHA;
+use Encode;
use File::stat qw();
-use Socket;
-use Storable qw(dclone);
use IO::File;
+use JSON;
use MIME::Base64;
-use Digest::SHA;
-use Digest::HMAC_SHA1;
use Net::SSLeay;
-use PVE::Tools qw(run_command);
+use POSIX qw(EEXIST ENOENT);
+use RRDs;
+use Socket;
+use Storable qw(dclone);
+use UUID;
+
use PVE::INotify;
use PVE::IPCC;
-use PVE::SafeSyslog;
use PVE::JSONSchema;
use PVE::Network;
+use PVE::SafeSyslog;
+use PVE::Tools qw(run_command);
+
use PVE::Cluster::IPCConst;
-use JSON;
-use RRDs;
-use Encode;
-use UUID;
+
use base 'Exporter';
our @EXPORT_OK = qw(
my $rootsshauthkeysbackup = "${rootsshauthkeys}.org";
my $rootsshconfig = "/root/.ssh/config";
+# this is just a readonly copy, the relevant one is in status.c from pmxcfs
+# observed files are the one we can get directly through IPCC, they are cached
+# using a computed version and only those can be used by the cfs_*_file methods
my $observed = {
'vzdump.cron' => 1,
'storage.cfg' => 1,
'user.cfg' => 1,
'domains.cfg' => 1,
'priv/shadow.cfg' => 1,
+ 'priv/tfa.cfg' => 1,
'/qemu-server/' => 1,
'/openvz/' => 1,
'/lxc/' => 1,
'ha/groups.cfg' => 1,
'ha/fence.cfg' => 1,
'status.cfg' => 1,
+ 'ceph.conf' => 1,
};
# only write output if something fails
my ($cmd) = @_;
my $outbuf = '';
+ my $record = sub { $outbuf .= shift . "\n"; };
- my $record_output = sub {
- $outbuf .= shift;
- $outbuf .= "\n";
- };
-
- eval {
- PVE::Tools::run_command($cmd, outfunc => $record_output,
- errfunc => $record_output);
- };
-
- my $err = $@;
+ eval { run_command($cmd, outfunc => $record, errfunc => $record) };
- if ($err) {
+ if (my $err = $@) {
print STDERR $outbuf;
die $err;
}
check_cfs_is_mounted();
- mkdir $authdir || $! == EEXIST || die "unable to create dir '$authdir' - $!\n";
+ cfs_lock_authkey(undef, sub {
+ mkdir $authdir || $! == EEXIST || die "unable to create dir '$authdir' - $!\n";
+
+ run_silent_cmd(['openssl', 'genrsa', '-out', $authprivkeyfn, '2048']);
- run_silent_cmd(['openssl', 'genrsa', '-out', $authprivkeyfn, '2048']);
+ run_silent_cmd(['openssl', 'rsa', '-in', $authprivkeyfn, '-pubout', '-out', $authpubkeyfn]);
+ });
- run_silent_cmd(['openssl', 'rsa', '-in', $authprivkeyfn, '-pubout', '-out', $authpubkeyfn]);
+ die "$@\n" if $@;
}
sub gen_pveca_key {
}
sub get_nodelist {
-
my $nodelist = $clinfo->{nodelist};
- my $result = [];
-
my $nodename = PVE::INotify::nodename();
if (!$nodelist || !$nodelist->{$nodename}) {
&$cfs_lock($lockid, $timeout, $code, @param);
}
+sub cfs_lock_authkey {
+ my ($timeout, $code, @param) = @_;
+
+ $cfs_lock->('authkey', $timeout, $code, @param);
+}
+
my $log_levels = {
"emerg" => 0,
"alert" => 1,
},
};
+my $ha_format = {
+ shutdown_policy => {
+ type => 'string',
+ enum => ['freeze', 'failover', 'conditional'],
+ description => "The policy for HA services on node shutdown. 'freeze' disables auto-recovery, 'failover' ensures recovery, 'conditional' recovers on poweroff and freezes on reboot. Running HA Services will always get stopped first on shutdown.",
+ verbose_description => "Describes the policy for handling HA services on poweroff or reboot of a node. Freeze will always freeze services which are still located on the node on shutdown, those services won't be recovered by the HA manager. Failover will not mark the services as frozen and thus the services will get recovered to other nodes, if the shutdown node does not come up again quickly (< 1min). 'conditional' chooses automatically depending on the type of shutdown, i.e., on a reboot the service will be frozen but on a poweroff the service will stay as is, and thus get recovered after about 2 minutes.",
+ default => 'conditional',
+ }
+};
+
+PVE::JSONSchema::register_format('mac-prefix', \&pve_verify_mac_prefix);
+sub pve_verify_mac_prefix {
+ my ($mac_prefix, $noerr) = @_;
+
+ if ($mac_prefix !~ m/^[a-f0-9][02468ace](?::[a-f0-9]{2}){0,2}:?$/i) {
+ return undef if $noerr;
+ die "value is not a valid unicast MAC address prefix\n";
+ }
+ return $mac_prefix;
+}
+
+our $u2f_format = {
+ appid => {
+ type => 'string',
+ description => "U2F AppId URL override. Defaults to the origin.",
+ format_description => 'APPID',
+ optional => 1,
+ },
+ origin => {
+ type => 'string',
+ description => "U2F Origin override. Mostly useful for single nodes with a single URL.",
+ format_description => 'URL',
+ optional => 1,
+ },
+};
+
my $datacenter_schema = {
type => "object",
additionalProperties => 0,
optional => 1,
type => 'string',
description => "Default GUI language.",
- enum => [ 'en', 'de' ],
+ enum => [
+ 'zh_CN',
+ 'zh_TW',
+ 'ca',
+ 'en',
+ 'eu',
+ 'fr',
+ 'de',
+ 'it',
+ 'es',
+ 'ja',
+ 'nb',
+ 'nn',
+ 'fa',
+ 'pl',
+ 'pt_BR',
+ 'ru',
+ 'sl',
+ 'sv',
+ 'tr',
+ ],
},
http_proxy => {
optional => 1,
" With both all two modes are used." .
"\n\nWARNING: 'hardware' and 'both' are EXPERIMENTAL & WIP",
},
+ ha => {
+ optional => 1,
+ type => 'string', format => $ha_format,
+ description => "Cluster wide HA settings.",
+ },
mac_prefix => {
optional => 1,
type => 'string',
- pattern => qr/[a-f0-9]{2}(?::[a-f0-9]{2}){0,2}:?/i,
+ format => 'mac-prefix',
description => 'Prefix for autogenerated MAC addresses.',
},
bwlimit => PVE::JSONSchema::get_standard_option('bwlimit'),
+ u2f => {
+ optional => 1,
+ type => 'string',
+ format => $u2f_format,
+ description => 'u2f',
+ },
},
};
$res->{migration} = PVE::JSONSchema::parse_property_string($migration_format, $migration);
}
+ if (my $ha = $res->{ha}) {
+ $res->{ha} = PVE::JSONSchema::parse_property_string($ha_format, $ha);
+ }
+
# for backwards compatibility only, new migration property has precedence
if (defined($res->{migration_unsecure})) {
if (defined($res->{migration}->{type})) {
$cfg->{console} = 'html5';
}
- if (my $migration = $cfg->{migration}) {
+ if (ref($cfg->{migration})) {
+ my $migration = $cfg->{migration};
$cfg->{migration} = PVE::JSONSchema::print_property_string($migration, $migration_format);
}
+ if (ref($cfg->{ha})) {
+ my $ha = $cfg->{ha};
+ $cfg->{ha} = PVE::JSONSchema::print_property_string($ha, $ha_format);
+ }
+
return PVE::JSONSchema::dump_config($datacenter_schema, $filename, $cfg);
}