[pve-devel] r6432 - in pve-cluster/trunk/data: . PVE

svn-commits at proxmox.com svn-commits at proxmox.com
Mon Aug 8 11:22:30 CEST 2011


Author: dietmar
Date: 2011-08-08 11:22:30 +0200 (Mon, 08 Aug 2011)
New Revision: 6432

Modified:
   pve-cluster/trunk/data/ChangeLog
   pve-cluster/trunk/data/PVE/Cluster.pm
   pve-cluster/trunk/data/PVE/pvecert
   pve-cluster/trunk/data/PVE/pvecm
Log:
	* PVE/pvecm: try to create all files/dirs in 'addnode', because that
	node has quorum. (create) Add id_rsa.pub to authorized_keys.



Modified: pve-cluster/trunk/data/ChangeLog
===================================================================
--- pve-cluster/trunk/data/ChangeLog	2011-08-08 06:54:28 UTC (rev 6431)
+++ pve-cluster/trunk/data/ChangeLog	2011-08-08 09:22:30 UTC (rev 6432)
@@ -1,5 +1,8 @@
 2011-08-08  Proxmox Support Team  <support at proxmox.com>
 
+	* PVE/pvecm: try to create all files/dirs in 'addnode', because that
+	node has quorum. (create) Add id_rsa.pub to authorized_keys.
+
 	* src/cfs-plug-func.c (cfs_plug_func_new): add write callback (to
 	trigger actions).
 

Modified: pve-cluster/trunk/data/PVE/Cluster.pm
===================================================================
--- pve-cluster/trunk/data/PVE/Cluster.pm	2011-08-08 06:54:28 UTC (rev 6431)
+++ pve-cluster/trunk/data/PVE/Cluster.pm	2011-08-08 09:22:30 UTC (rev 6432)
@@ -35,8 +35,6 @@
 my $pveca_key_fn = "$authdir/pve-root-ca.key";
 my $pveca_srl_fn = "$authdir/pve-root-ca.srl";
 my $pveca_cert_fn = "$basedir/pve-root-ca.pem";
-my $pvessl_key_fn = "$basedir/local/pve-ssl.key";
-my $pvessl_cert_fn = "$basedir/local/pve-ssl.pem";
 # this is just a secret accessable by the web browser
 # and is used for CSRF prevention
 my $pvewww_key_fn = "$basedir/pve-www.key";
@@ -161,14 +159,19 @@
 }
 
 sub gen_pve_ssl_key {
+    my ($nodename) = @_;
 
+    die "no node name specified" if !$nodename;
+
+    my $pvessl_key_fn = "$basedir/nodes/$nodename/pve-ssl.key";
+
     return if -f $pvessl_key_fn;
 
     eval {
 	run_silent_cmd(['openssl', 'genrsa', '-out', $pvessl_key_fn, '2048']);
     };
 
-    die "unable to generate pve ssl key:\n$@" if $@;
+    die "unable to generate pve ssl key for node '$nodename':\n$@" if $@;
 }
 
 sub gen_pve_www_key {
@@ -189,28 +192,30 @@
 }
 
 sub gen_pve_ssl_cert {
-    my ($force, $nodename) = @_;
+    my ($force, $nodename, $ip) = @_;
 
+    die "no node name specified" if !$nodename;
+    die "no IP specified" if !$ip;
+
+    my $pvessl_cert_fn = "$basedir/nodes/$nodename/pve-ssl.pem";
+
     return if !$force && -f $pvessl_cert_fn;
 
     my $names = "IP:127.0.0.1,DNS:localhost";
 
-    my $rc = PVE::INotify::read_file ('resolvconf');
+    my $rc = PVE::INotify::read_file('resolvconf');
 
-    if (my $ip = remote_node_ip($nodename, 1)) {
-	$names .= ",IP:" . $ip;
-    }
-
+    $names .= ",IP:$ip";
+  
     my $fqdn = $nodename;
 
-    $names .= ",DNS:" . $nodename;
+    $names .= ",DNS:$nodename";
 
     if ($rc && $rc->{search}) {
 	$fqdn = $nodename . "." . $rc->{search};
 	$names .= ",DNS:$fqdn";
     }
 
-
     my $sslconf = <<__EOD;
 RANDFILE = /root/.rnd
 extensions = v3_req
@@ -242,6 +247,7 @@
     my $reqfn = "/tmp/pvecertreq-$$.tmp";
     unlink $reqfn;
 
+    my $pvessl_key_fn = "$basedir/nodes/$nodename/pve-ssl.key";
     eval {
 	run_silent_cmd(['openssl', 'req', '-batch', '-new', '-config', $cfgfn,
 			'-key', $pvessl_key_fn, '-out', $reqfn]);
@@ -272,7 +278,28 @@
     unlink $reqfn;
 }
 
+sub gen_pve_node_files {
+    my ($nodename, $ip, $opt_force) = @_;
 
+    gen_local_dirs($nodename);
+
+    gen_auth_key();
+
+    # make sure we have a (cluster wide) secret
+    # for CSRFR prevention
+    gen_pve_www_key();
+
+    # make sure we have a (per node) private key
+    gen_pve_ssl_key($nodename);
+
+    # make sure we have a CA
+    my $force = gen_pveca_cert();
+
+    $force = 1 if $opt_force;
+
+    gen_pve_ssl_cert($force, $nodename, $ip);
+}
+
 my $versions = {};
 my $vmlist = {};
 my $clinfo = {};
@@ -867,6 +894,12 @@
     my $packed_ip = gethostbyname($nodename);
     if (defined $packed_ip) {
         my $ip = inet_ntoa($packed_ip);
+
+	if ($ip =~ m/^127\./) {
+	    die "hostname lookup failed - got local IP address ($nodename = $ip)\n" if !$noerr;
+	    return undef;
+	}
+
 	return $ip;
     }
 

Modified: pve-cluster/trunk/data/PVE/pvecert
===================================================================
--- pve-cluster/trunk/data/PVE/pvecert	2011-08-08 06:54:28 UTC (rev 6431)
+++ pve-cluster/trunk/data/PVE/pvecert	2011-08-08 09:22:30 UTC (rev 6432)
@@ -9,8 +9,6 @@
 
 die "please run as root\n" if $> != 0;
 
-my $nodename = PVE::INotify::nodename();
-
 my $opt_force;
 
 if (!GetOptions ('force' => \$opt_force)) {
@@ -18,22 +16,9 @@
     exit (-1);
 }
 
-PVE::Cluster::gen_local_dirs($nodename);
+my $nodename = PVE::INotify::nodename();
+my $ip = PVE::Cluster::remote_node_ip($nodename);
 
-# make sure we have a (cluster wide) secret
-# for CSRFR prevention
-PVE::Cluster::gen_pve_www_key();
+PVE::Cluster::gen_pve_node_files($nodename, $ip, $opt_force);
 
-# make sure we have a (per node) private key
-PVE::Cluster::gen_pve_ssl_key();
-
-# make sure we have a CA
-my $force = PVE::Cluster::gen_pveca_cert();
-
-$force = 1 if $opt_force;
-
-PVE::Cluster::gen_pve_ssl_cert ($force, $nodename);
-
-PVE::Cluster::gen_auth_key();
-
 exit (0);

Modified: pve-cluster/trunk/data/PVE/pvecm
===================================================================
--- pve-cluster/trunk/data/PVE/pvecm	2011-08-08 06:54:28 UTC (rev 6431)
+++ pve-cluster/trunk/data/PVE/pvecm	2011-08-08 09:22:30 UTC (rev 6432)
@@ -10,7 +10,7 @@
 use PVE::Tools;
 use PVE::Cluster;
 use PVE::INotify;
-
+use PVE::JSONSchema;
 use PVE::CLIHandler;
 
 use base qw(PVE::CLIHandler);
@@ -20,6 +20,8 @@
 die "please run as root\n" if $> != 0;
 
 my $nodename = PVE::INotify::nodename();
+# trigger check that we have resolvable name
+my $local_ip_address = PVE::Cluster::remote_node_ip($nodename);
 
 my $basedir = "/etc/pve";
 my $ssh_rsa_id_priv = "/root/.ssh/id_rsa";
@@ -32,16 +34,6 @@
 my $dbfile = "$libdir/config.db";
 my $authfile = "$libdir/corosync.authkey";
 
-sub lookup_ip {
-    my $ip_address = "127.0.0.1";
-
-    my $packed_ip = gethostbyname($nodename);
-    if (defined $packed_ip) {
-	$ip_address = inet_ntoa($packed_ip);
-    }
-    return $ip_address;
-}
-
 sub ssh_remove_duplicate_keys {
     # remove duplicate keys in $sshauthkeys
     # ssh-copy-id simply add keys, so the file can grow to large
@@ -262,6 +254,12 @@
 ;
 	PVE::Tools::file_set_contents($clusterconf, $config);
 
+	# add ourself to authorized keys (use by other nodes)
+	my $pub = PVE::Tools::file_get_contents($ssh_rsa_id);
+	PVE::Tools::file_set_contents($sshauthkeys, $pub);
+
+	PVE::Cluster::gen_pve_node_files($nodename, $local_ip_address);
+
 	PVE::Tools::run_command('/etc/init.d/pve-cluster restart'); # restart
 
 	# that cman init script returns strange values - simply ignore for now
@@ -278,15 +276,17 @@
     parameters => {
     	additionalProperties => 0,
 	properties => {
-	    node => {
-		type => 'string', format => 'pve-node',
-	    },
+	    node => PVE::JSONSchema::get_standard_option('pve-node'),
 	    nodeid => {
 		type => 'integer',
 		description => "Node id for this node.",
 		minimum => 1,
 		optional => 1,
 	    },
+	    ip => {
+		description => "Node IP address (only used to generate ssl certs).",
+		type => 'string', format => 'ipv4',
+	    },
 	    votes => {
 		type => 'integer',
 		description => "Number of votes for this node",
@@ -351,7 +351,7 @@
 
 	$param->{votes} = 1 if !defined($param->{votes});
 
-	PVE::Cluster::gen_local_dirs($name);
+	PVE::Cluster::gen_pve_node_files($name, $param->{ip}); 
 
 	$cmd = ['ccs_tool', 'addnode', '-c', $clusterconf];
 
@@ -376,9 +376,7 @@
     parameters => {
     	additionalProperties => 0,
 	properties => {
-	    node => {
-		type => 'string', format => 'pve-node',
-	    },
+	    node => PVE::JSONSchema::get_standard_option('pve-node'),
 	},
     },
     returns => { type => 'null' },
@@ -456,7 +454,7 @@
 	    die "unable to copy ssh ID\n";
 
 	$cmd = ['ssh', $host, '-o', 'BatchMode=yes',
-		'pvecm', 'addnode', $nodename, '--force', 1];
+		'pvecm', 'addnode', $nodename, $local_ip_address, '--force', 1];
 
 	push @$cmd, '-n', $param->{nodeid} if $param->{nodeid};
 
@@ -612,7 +610,7 @@
     keygen => [ __PACKAGE__, 'keygen', ['filename']],
     create => [ __PACKAGE__, 'create', ['clustername']],
     add => [ __PACKAGE__, 'add', ['hostname']],
-    addnode => [ __PACKAGE__, 'addnode', ['node']],
+    addnode => [ __PACKAGE__, 'addnode', ['node', 'ip']],
     delnode => [ __PACKAGE__, 'delnode', ['node']],
     status => [ __PACKAGE__, 'status' ],
     nodes => [ __PACKAGE__, 'nodes' ],
@@ -625,12 +623,7 @@
     PVE::RESTHandler::validate_method_schemas();
     exit 0;
 }
-
-my $ip_address = lookup_ip();
-if ($ip_address =~ m/^127\./) {
-    die "hostname lookup failed - got local IP address ($nodename = ${ip_address})\n"; 
-}
-
+ 
 PVE::Cluster::check_cfs_is_mounted();
 
 setup_ssh_keys();



More information about the pve-devel mailing list