[pve-devel] r6432 - in pve-cluster/trunk/data: . PVE
svn-commits at proxmox.com
svn-commits at proxmox.com
Mon Aug 8 11:22:30 CEST 2011
Author: dietmar
Date: 2011-08-08 11:22:30 +0200 (Mon, 08 Aug 2011)
New Revision: 6432
Modified:
pve-cluster/trunk/data/ChangeLog
pve-cluster/trunk/data/PVE/Cluster.pm
pve-cluster/trunk/data/PVE/pvecert
pve-cluster/trunk/data/PVE/pvecm
Log:
* PVE/pvecm: try to create all files/dirs in 'addnode', because that
node has quorum. (create) Add id_rsa.pub to authorized_keys.
Modified: pve-cluster/trunk/data/ChangeLog
===================================================================
--- pve-cluster/trunk/data/ChangeLog 2011-08-08 06:54:28 UTC (rev 6431)
+++ pve-cluster/trunk/data/ChangeLog 2011-08-08 09:22:30 UTC (rev 6432)
@@ -1,5 +1,8 @@
2011-08-08 Proxmox Support Team <support at proxmox.com>
+ * PVE/pvecm: try to create all files/dirs in 'addnode', because that
+ node has quorum. (create) Add id_rsa.pub to authorized_keys.
+
* src/cfs-plug-func.c (cfs_plug_func_new): add write callback (to
trigger actions).
Modified: pve-cluster/trunk/data/PVE/Cluster.pm
===================================================================
--- pve-cluster/trunk/data/PVE/Cluster.pm 2011-08-08 06:54:28 UTC (rev 6431)
+++ pve-cluster/trunk/data/PVE/Cluster.pm 2011-08-08 09:22:30 UTC (rev 6432)
@@ -35,8 +35,6 @@
my $pveca_key_fn = "$authdir/pve-root-ca.key";
my $pveca_srl_fn = "$authdir/pve-root-ca.srl";
my $pveca_cert_fn = "$basedir/pve-root-ca.pem";
-my $pvessl_key_fn = "$basedir/local/pve-ssl.key";
-my $pvessl_cert_fn = "$basedir/local/pve-ssl.pem";
# this is just a secret accessable by the web browser
# and is used for CSRF prevention
my $pvewww_key_fn = "$basedir/pve-www.key";
@@ -161,14 +159,19 @@
}
sub gen_pve_ssl_key {
+ my ($nodename) = @_;
+ die "no node name specified" if !$nodename;
+
+ my $pvessl_key_fn = "$basedir/nodes/$nodename/pve-ssl.key";
+
return if -f $pvessl_key_fn;
eval {
run_silent_cmd(['openssl', 'genrsa', '-out', $pvessl_key_fn, '2048']);
};
- die "unable to generate pve ssl key:\n$@" if $@;
+ die "unable to generate pve ssl key for node '$nodename':\n$@" if $@;
}
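Review bot: `$nodename` is interpolated into the key path at `my $pvessl_key_fn = "$basedir/nodes/$nodename/pve-ssl.key";` after nothing more than a truthiness check, so a caller passing a name containing `/` or `..` would place the key outside the node directory; the callers in this commit pass a schema-validated `pve-node` or `PVE::INotify::nodename()`, but a library routine should not depend on that. A local guard such as `die "invalid node name '$nodename'\n" if $nodename =~ m{[/\s]};` next to the existing `die "no node name specified"` keeps the check where the path is built. The same path literal is built again in the gen_pve_ssl_cert hunk below (`my $pvessl_key_fn = "$basedir/nodes/$nodename/pve-ssl.key";`), so a small helper returning the per-node key path would keep the two from drifting. The hunk does not show what mode `openssl genrsa -out` leaves on the new key file; worth confirming it ends up readable by root only.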
sub gen_pve_www_key {
@@ -189,28 +192,30 @@
}
sub gen_pve_ssl_cert {
- my ($force, $nodename) = @_;
+ my ($force, $nodename, $ip) = @_;
+ die "no node name specified" if !$nodename;
+ die "no IP specified" if !$ip;
+
+ my $pvessl_cert_fn = "$basedir/nodes/$nodename/pve-ssl.pem";
+
return if !$force && -f $pvessl_cert_fn;
my $names = "IP:127.0.0.1,DNS:localhost";
- my $rc = PVE::INotify::read_file ('resolvconf');
+ my $rc = PVE::INotify::read_file('resolvconf');
- if (my $ip = remote_node_ip($nodename, 1)) {
- $names .= ",IP:" . $ip;
- }
-
+ $names .= ",IP:$ip";
+
my $fqdn = $nodename;
- $names .= ",DNS:" . $nodename;
+ $names .= ",DNS:$nodename";
if ($rc && $rc->{search}) {
$fqdn = $nodename . "." . $rc->{search};
$names .= ",DNS:$fqdn";
}
-
my $sslconf = <<__EOD;
RANDFILE = /root/.rnd
extensions = v3_req
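Review bot: `$ip` is now a required argument but is only checked for truthiness before `$names .= ",IP:$ip";`, and `$names` presumably ends up inside the interpolated `$sslconf` heredoc that starts at the end of the hunk, so a malformed value (a stray newline, a hostname instead of an address) would land in the openssl config instead of failing clearly. In pvecm the `ip` parameter carries `format => 'ipv4'`, but pvecert and `create` pass whatever `remote_node_ip` returned, so a shape check such as `die "invalid IP address '$ip'\n" if $ip !~ m/^\d{1,3}(?:\.\d{1,3}){3}$/;` next to the existing `die "no IP specified"` would make the contract explicit at the one place that matters. The old behaviour of silently omitting the IP SAN when the lookup failed is gone; a one-line comment on the new `die` saying the certificate must carry a routable address would record that decision. gen_pve_ssl_cert continues past the hunk.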
@@ -242,6 +247,7 @@
my $reqfn = "/tmp/pvecertreq-$$.tmp";
unlink $reqfn;
+ my $pvessl_key_fn = "$basedir/nodes/$nodename/pve-ssl.key";
eval {
run_silent_cmd(['openssl', 'req', '-batch', '-new', '-config', $cfgfn,
'-key', $pvessl_key_fn, '-out', $reqfn]);
@@ -272,7 +278,28 @@
unlink $reqfn;
}
+sub gen_pve_node_files {
+ my ($nodename, $ip, $opt_force) = @_;
+ gen_local_dirs($nodename);
+
+ gen_auth_key();
+
+ # make sure we have a (cluster wide) secret
+ # for CSRFR prevention
+ gen_pve_www_key();
+
+ # make sure we have a (per node) private key
+ gen_pve_ssl_key($nodename);
+
+ # make sure we have a CA
+ my $force = gen_pveca_cert();
+
+ $force = 1 if $opt_force;
+
+ gen_pve_ssl_cert($force, $nodename, $ip);
+}
+
my $versions = {};
my $vmlist = {};
my $clinfo = {};
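Review bot: gen_pve_node_files has no header comment although it becomes the single entry point used by pvecert, `create` and `addnode`, and all three arguments are positional. A comment above `sub gen_pve_node_files {` along the lines of `# Create everything a node needs under $basedir/nodes/$nodename: local dirs, auth key, cluster-wide www key, per-node ssl key, the CA if missing, and the ssl cert; $opt_force regenerates the cert.` would document the contract. It should also state that `$ip` is mandatory (gen_pve_ssl_cert dies without it), since `create` passes `$local_ip_address` and `addnode` passes `$param->{ip}` with no check here. The `$force` returned by gen_pveca_cert presumably means a freshly created CA forces certificate regeneration; saying so in a comment would spare the next reader a trip into gen_pveca_cert.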
@@ -867,6 +894,12 @@
my $packed_ip = gethostbyname($nodename);
if (defined $packed_ip) {
my $ip = inet_ntoa($packed_ip);
+
+ if ($ip =~ m/^127\./) {
+ die "hostname lookup failed - got local IP address ($nodename = $ip)\n" if !$noerr;
+ return undef;
+ }
+
return $ip;
}
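Review bot: `return undef;` in the new loopback branch yields a one-element list in list context; the idiomatic form is a bare `return;`, unless the surrounding function already uses `return undef` consistently (its start is outside the hunk, so I cannot tell). The `m/^127\./` test only catches IPv4 loopback answers from gethostbyname, which matches the check removed from pvecm, so behaviour is unchanged; a comment such as `# a name that resolves to loopback is unusable by other cluster nodes, so treat it as a failed lookup` would record why this is an error rather than a fallback. `$noerr` is defined outside the hunk.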
Modified: pve-cluster/trunk/data/PVE/pvecert
===================================================================
--- pve-cluster/trunk/data/PVE/pvecert 2011-08-08 06:54:28 UTC (rev 6431)
+++ pve-cluster/trunk/data/PVE/pvecert 2011-08-08 09:22:30 UTC (rev 6432)
@@ -9,8 +9,6 @@
die "please run as root\n" if $> != 0;
-my $nodename = PVE::INotify::nodename();
-
my $opt_force;
if (!GetOptions ('force' => \$opt_force)) {
@@ -18,22 +16,9 @@
exit (-1);
}
-PVE::Cluster::gen_local_dirs($nodename);
+my $nodename = PVE::INotify::nodename();
+my $ip = PVE::Cluster::remote_node_ip($nodename);
-# make sure we have a (cluster wide) secret
-# for CSRFR prevention
-PVE::Cluster::gen_pve_www_key();
+PVE::Cluster::gen_pve_node_files($nodename, $ip, $opt_force);
-# make sure we have a (per node) private key
-PVE::Cluster::gen_pve_ssl_key();
-
-# make sure we have a CA
-my $force = PVE::Cluster::gen_pveca_cert();
-
-$force = 1 if $opt_force;
-
-PVE::Cluster::gen_pve_ssl_cert ($force, $nodename);
-
-PVE::Cluster::gen_auth_key();
-
exit (0);
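Review bot: `my $ip = PVE::Cluster::remote_node_ip($nodename);` is called without the `noerr` flag, so pvecert now dies when the hostname does not resolve or resolves to 127.x, where the removed `remote_node_ip($nodename, 1)` inside gen_pve_ssl_cert used to just omit the IP SAN and still produce a certificate. That is probably intended, since the certificate needs a usable address, but it is a behaviour change for the standalone tool that the log message does not mention. A comment such as `# dies if the hostname is unresolvable or maps to loopback: the cert needs a real address` above the call would make the intent explicit for the operator who hits it.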
Modified: pve-cluster/trunk/data/PVE/pvecm
===================================================================
--- pve-cluster/trunk/data/PVE/pvecm 2011-08-08 06:54:28 UTC (rev 6431)
+++ pve-cluster/trunk/data/PVE/pvecm 2011-08-08 09:22:30 UTC (rev 6432)
@@ -10,7 +10,7 @@
use PVE::Tools;
use PVE::Cluster;
use PVE::INotify;
-
+use PVE::JSONSchema;
use PVE::CLIHandler;
use base qw(PVE::CLIHandler);
@@ -20,6 +20,8 @@
die "please run as root\n" if $> != 0;
my $nodename = PVE::INotify::nodename();
+# trigger check that we have resolvable name
+my $local_ip_address = PVE::Cluster::remote_node_ip($nodename);
my $basedir = "/etc/pve";
my $ssh_rsa_id_priv = "/root/.ssh/id_rsa";
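Review bot: `my $local_ip_address = PVE::Cluster::remote_node_ip($nodename);` runs at script load for every subcommand, whereas the check it replaces (removed in the last hunk of this file) sat after the `PVE::RESTHandler::validate_method_schemas(); exit 0;` path, so that early-exit path now also requires a resolvable hostname. If that is acceptable, the comment above the call could say so: `# resolve our own address once; dies early if the hostname is unresolvable or loopback`. If not, the lookup could be deferred to the commands that actually use `$local_ip_address` (`create` and `add`).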
@@ -32,16 +34,6 @@
my $dbfile = "$libdir/config.db";
my $authfile = "$libdir/corosync.authkey";
-sub lookup_ip {
- my $ip_address = "127.0.0.1";
-
- my $packed_ip = gethostbyname($nodename);
- if (defined $packed_ip) {
- $ip_address = inet_ntoa($packed_ip);
- }
- return $ip_address;
-}
-
sub ssh_remove_duplicate_keys {
# remove duplicate keys in $sshauthkeys
# ssh-copy-id simply add keys, so the file can grow to large
@@ -262,6 +254,12 @@
;
PVE::Tools::file_set_contents($clusterconf, $config);
+ # add ourself to authorized keys (use by other nodes)
+ my $pub = PVE::Tools::file_get_contents($ssh_rsa_id);
+ PVE::Tools::file_set_contents($sshauthkeys, $pub);
+
+ PVE::Cluster::gen_pve_node_files($nodename, $local_ip_address);
+
PVE::Tools::run_command('/etc/init.d/pve-cluster restart'); # restart
# that cman init script returns strange values - simply ignore for now
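Review bot: `PVE::Tools::file_set_contents($sshauthkeys, $pub);` replaces the whole file with our single public key while the comment above says "add ourself", so any key already present in `$sshauthkeys` (an administrator's key, for instance) is silently discarded. If the intent is additive, read the existing contents first, append `$pub`, and run the result through the existing `ssh_remove_duplicate_keys` instead of overwriting. `$sshauthkeys` and `$ssh_rsa_id` are declared outside the hunk, so I am inferring that `$ssh_rsa_id` is the public half of `$ssh_rsa_id_priv`. The file mode `file_set_contents` applies is also not visible here; an authorized_keys file that ends up group- or world-writable is rejected by sshd under StrictModes.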
@@ -278,15 +276,17 @@
parameters => {
additionalProperties => 0,
properties => {
- node => {
- type => 'string', format => 'pve-node',
- },
+ node => PVE::JSONSchema::get_standard_option('pve-node'),
nodeid => {
type => 'integer',
description => "Node id for this node.",
minimum => 1,
optional => 1,
},
+ ip => {
+ description => "Node IP address (only used to generate ssl certs).",
+ type => 'string', format => 'ipv4',
+ },
votes => {
type => 'integer',
description => "Number of votes for this node",
@@ -351,7 +351,7 @@
$param->{votes} = 1 if !defined($param->{votes});
- PVE::Cluster::gen_local_dirs($name);
+ PVE::Cluster::gen_pve_node_files($name, $param->{ip});
$cmd = ['ccs_tool', 'addnode', '-c', $clusterconf];
@@ -376,9 +376,7 @@
parameters => {
additionalProperties => 0,
properties => {
- node => {
- type => 'string', format => 'pve-node',
- },
+ node => PVE::JSONSchema::get_standard_option('pve-node'),
},
},
returns => { type => 'null' },
@@ -456,7 +454,7 @@
die "unable to copy ssh ID\n";
$cmd = ['ssh', $host, '-o', 'BatchMode=yes',
- 'pvecm', 'addnode', $nodename, '--force', 1];
+ 'pvecm', 'addnode', $nodename, $local_ip_address, '--force', 1];
push @$cmd, '-n', $param->{nodeid} if $param->{nodeid};
@@ -612,7 +610,7 @@
keygen => [ __PACKAGE__, 'keygen', ['filename']],
create => [ __PACKAGE__, 'create', ['clustername']],
add => [ __PACKAGE__, 'add', ['hostname']],
- addnode => [ __PACKAGE__, 'addnode', ['node']],
+ addnode => [ __PACKAGE__, 'addnode', ['node', 'ip']],
delnode => [ __PACKAGE__, 'delnode', ['node']],
status => [ __PACKAGE__, 'status' ],
nodes => [ __PACKAGE__, 'nodes' ],
@@ -625,12 +623,7 @@
PVE::RESTHandler::validate_method_schemas();
exit 0;
}
-
-my $ip_address = lookup_ip();
-if ($ip_address =~ m/^127\./) {
- die "hostname lookup failed - got local IP address ($nodename = ${ip_address})\n";
-}
-
+
PVE::Cluster::check_cfs_is_mounted();
setup_ssh_keys();