[pve-devel] r6438 - in pve-cluster/trunk: . data/PVE debian

svn-commits at proxmox.com svn-commits at proxmox.com
Tue Aug 9 14:32:46 CEST 2011


Author: dietmar
Date: 2011-08-09 14:32:46 +0200 (Tue, 09 Aug 2011)
New Revision: 6438

Modified:
   pve-cluster/trunk/Makefile
   pve-cluster/trunk/data/PVE/Cluster.pm
   pve-cluster/trunk/data/PVE/pvecm
   pve-cluster/trunk/debian/changelog
   pve-cluster/trunk/debian/control
Log:
  * fix known_hosts handling (use /etc/ssh/ssh_known_hosts)



Modified: pve-cluster/trunk/Makefile
===================================================================
--- pve-cluster/trunk/Makefile	2011-08-09 07:18:25 UTC (rev 6437)
+++ pve-cluster/trunk/Makefile	2011-08-09 12:32:46 UTC (rev 6438)
@@ -2,7 +2,7 @@
 
 PACKAGE=pve-cluster
 PKGVER=1.0
-PKGREL=4
+PKGREL=5
 
 ARCH:=$(shell dpkg-architecture -qDEB_BUILD_ARCH)
 

Modified: pve-cluster/trunk/data/PVE/Cluster.pm
===================================================================
--- pve-cluster/trunk/data/PVE/Cluster.pm	2011-08-09 07:18:25 UTC (rev 6437)
+++ pve-cluster/trunk/data/PVE/Cluster.pm	2011-08-09 12:32:46 UTC (rev 6438)
@@ -6,6 +6,8 @@
 use Socket;
 use Storable qw(dclone);
 use IO::File;
+use MIME::Base64;
+use Digest::HMAC_SHA1;
 use PVE::Tools;
 use PVE::INotify;
 use PVE::IPCC;
@@ -42,8 +44,9 @@
 # ssh related files
 my $ssh_rsa_id_priv = "/root/.ssh/id_rsa";
 my $ssh_rsa_id = "/root/.ssh/id_rsa.pub";
-my $sshrootknownhosts = "/root/.ssh/known_hosts";
-my $sshknownhosts = "/etc/pve/priv/known_host";
+my $ssh_host_rsa_id = "/etc/ssh/ssh_host_rsa_key.pub";
+my $sshglobalknownhosts = "/etc/ssh/ssh_known_hosts";
+my $sshknownhosts = "/etc/pve/priv/known_hosts";
 my $sshauthkeys = "/etc/pve/priv/authorized_keys";
 my $rootsshauthkeys = "/root/.ssh/authorized_keys";
 
@@ -307,8 +310,6 @@
     $force = 1 if $opt_force;
 
     gen_pve_ssl_cert($force, $nodename, $ip);
-
-    ssh_merge_known_hosts();
 }
 
 my $versions = {};
@@ -961,8 +962,9 @@
     mkdir $authdir;
 
     if (! -f $sshauthkeys) {
-	my $fh = IO::File->new ($sshauthkeys, O_CREAT|O_WRONLY|O_EXCL, 0400);
-	close($fh);
+	if (my $fh = IO::File->new ($sshauthkeys, O_CREAT|O_WRONLY|O_EXCL, 0400)) {
+	    close($fh);
+	}
     }
 
     warn "can't create shared ssh key database '$sshauthkeys'\n" 
@@ -980,10 +982,22 @@
 
 }
 
+sub ssh_unmerge_known_hosts {
+    return if ! -l $sshglobalknownhosts;
+
+    my $old = '';
+    $old = PVE::Tools::file_get_contents($sshknownhosts, 128*1024)
+	if -f $sshknownhosts;
+
+    PVE::Tools::file_set_contents($sshglobalknownhosts, $old);
+}
+
 sub ssh_merge_known_hosts {
+    my ($nodename, $ip_address) = @_;
 
-    return if -l $sshrootknownhosts;
-
+    die "no node name specified" if !$nodename;
+    die "no ip address specified" if !$ip_address;
+   
     mkdir $authdir;
 
     if (! -f $sshknownhosts) {
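Review bot: `ssh_unmerge_known_hosts` writes to `$sshglobalknownhosts` while it is still a symlink to `$sshknownhosts`; whether that replaces the link with a regular file or merely rewrites the shared file in place depends on how `PVE::Tools::file_set_contents` writes (not visible here). An explicit `unlink $sshglobalknownhosts;` before the `file_set_contents` call would make the "known_hosts on local filesystem" intent independent of that helper's implementation. The two new `die` messages in `ssh_merge_known_hosts` lack a trailing newline, so they print with a file/line suffix unlike the other messages in this file, e.g. `die "no node name specified\n" if !$nodename;`. `ssh_merge_known_hosts` continues past this hunk.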
@@ -995,46 +1009,83 @@
     my $old = PVE::Tools::file_get_contents($sshknownhosts, 128*1024); 
     
     my $new = '';
+    
+    if ((! -l $sshglobalknownhosts) && (-f $sshglobalknownhosts)) {
+	$new = PVE::Tools::file_get_contents($sshglobalknownhosts, 128*1024);
+    }
 
-    $new = PVE::Tools::file_get_contents($sshrootknownhosts, 128*1024)
-	if -f $sshrootknownhosts;
-
     my $data = '';
+    my $vhash = {};
 
-    my $vhash = {};
-    while ($old && $old =~ s/^((.*?)(\n|$))//) {
-	my $line = "$2\n";
-	next if $line =~ m/^\s*$/; # skip empty lines
-	next if $line =~ m/^#/; # skip comments
+    my $found_nodename;
+    my $found_local_ip;
+
+    my $merge_line = sub {
+	my ($line, $all) = @_;
+
 	if ($line =~ m/^(\S+)\sssh-rsa\s.*$/) {
-	    if (!$vhash->{$1}) {
-		$vhash->{$1} = 1;
+	    my $key = $1;
+	    if (!$vhash->{$key}) {
+		$vhash->{$key} = 1;
 		$data .= $line;
+		if ($key =~ m/\|1\|([^\|\s]+)\|([^\|\s]+)$/) {
+		    my $salt = decode_base64($1);
+		    my $digest = $2;
+		    my $hmac = Digest::HMAC_SHA1->new($salt);
+		    $hmac->add($nodename);
+		    my $hd = $hmac->b64digest . '=';
+		    $found_nodename = 1 if $digest eq $hd;
+		    $hmac = Digest::HMAC_SHA1->new($salt);
+		    $hmac->add($ip_address);
+		    $hd = $hmac->b64digest . '=';
+		    $found_local_ip = 1 if $digest eq $hd;
+		}
 	    }
-	} else {
+	} elsif ($all) {
 	    $data .= $line;
 	}
+    };
+
+    while ($old && $old =~ s/^((.*?)(\n|$))//) {
+	my $line = "$2\n";
+	next if $line =~ m/^\s*$/; # skip empty lines
+	next if $line =~ m/^#/; # skip comments
+	&$merge_line($line, 1);
     }
 
     while ($new && $new =~ s/^((.*?)(\n|$))//) {
 	my $line = "$2\n";
 	next if $line =~ m/^\s*$/; # skip empty lines
 	next if $line =~ m/^#/; # skip comments
+	&$merge_line($line);
+    }
 
-	if ($line =~ m/^(\S+)\sssh-rsa\s.*$/) {
-	    if (!$vhash->{$1}) {
-		$vhash->{$1} = 1;
-		$data .= $line;
-	    }
-	}
+    my $addIndex = $$;
+    my $add_known_hosts_entry  = sub {
+	my ($name, $pub) = @_;
+	$addIndex++;
+	my $hmac = Digest::HMAC_SHA1->new("$addIndex" . time());
+	my $b64salt = $hmac->b64digest . '=';
+	$hmac = Digest::HMAC_SHA1->new(decode_base64($b64salt));
+	$hmac->add($name);
+	my $digest = $hmac->b64digest . '=';
+	$data .= "|1|$b64salt|$digest $pub\n";
+    };
+
+    if (!$found_nodename || !$found_local_ip) {
+	my $pub = PVE::Tools::file_get_contents($ssh_host_rsa_id);
+	die "can't parse $ssh_rsa_id" if $pub !~ m/^(ssh-rsa\s\S+)(\s.*)$/;
+	$pub = $1;
+	&$add_known_hosts_entry($nodename, $pub) if !$found_nodename;
+	&$add_known_hosts_entry($ip_address, $pub) if !$found_local_ip;
     }
 
     PVE::Tools::file_set_contents($sshknownhosts, $data);
 
-    unlink $sshrootknownhosts;
-    symlink $sshknownhosts, $sshrootknownhosts;
+    unlink $sshglobalknownhosts;
+    symlink $sshknownhosts, $sshglobalknownhosts;
  
-    warn "can't create symlink for ssh known hosts '$sshrootknownhosts' -> '$sshknownhosts'\n" 
-	if ! -l $sshrootknownhosts;
+    warn "can't create symlink for ssh known hosts '$sshglobalknownhosts' -> '$sshknownhosts'\n" 
+	if ! -l $sshglobalknownhosts;
 
 }
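Review bot: The `die` on the parse failure names `$ssh_rsa_id` (`/root/.ssh/id_rsa.pub`) although the file read two lines earlier is `$ssh_host_rsa_id`; it should read `die "can't parse $ssh_host_rsa_id\n" if $pub !~ m/^(ssh-rsa\s\S+)(\s.*)$/;`, and that read is also the only `file_get_contents` call in the function without the `128*1024` limit the others pass. Separately, `$found_nodename` and `$found_local_ip` are set as soon as a hashed entry for the name or address exists, without comparing the key on that line against the current `$ssh_host_rsa_id` contents, so after a host-key regeneration the stale entry is kept and no entry for the new key is appended; whether that case arises depends on how node keys are managed, which is not visible here. Plain (unhashed) entries for the node name never set the flags either, so a hashed duplicate is appended beside them; harmless for ssh, but worth a comment such as `# only hashed entries are recognised; plain entries for this node get a hashed twin`.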

Modified: pve-cluster/trunk/data/PVE/pvecm
===================================================================
--- pve-cluster/trunk/data/PVE/pvecm	2011-08-09 07:18:25 UTC (rev 6437)
+++ pve-cluster/trunk/data/PVE/pvecm	2011-08-09 12:32:46 UTC (rev 6438)
@@ -203,6 +203,8 @@
 
 	PVE::Cluster::gen_pve_node_files($nodename, $local_ip_address);
 
+	PVE::Cluster::ssh_merge_known_hosts($nodename, $local_ip_address);
+
 	PVE::Tools::run_command('/etc/init.d/pve-cluster restart'); # restart
 
 	# that cman init script returns strange values - simply ignore for now
@@ -245,12 +247,11 @@
 	my ($param) = @_;
 
 	print "Test if we have quorum on host '$nodename'\n";
-	my $cmd = ['cman_tool', 'wait', '-q', '-t', 1];
-	if (system(@$cmd) != 0) {
-	    die "cluster not ready - no quorum?\n";
-	}
 
-	eval { ssh_merge_keys(); };
+	die "cluster not ready - no quorum?\n"
+	    if !PVE::Cluster::check_cfs_quorum();
+
+	eval { 	PVE::Cluster::ssh_merge_keys(); };
 	warn $@ if $@;
 
 	my $lst = lsnode();
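Review bot: The new `eval { 	PVE::Cluster::ssh_merge_keys(); };` line carries a stray tab after the opening brace; `eval { PVE::Cluster::ssh_merge_keys(); };` keeps it consistent with the surrounding code. The removed `cman_tool wait -q -t 1` check waited up to a second for quorum, whereas whether `PVE::Cluster::check_cfs_quorum()` waits at all is not visible here, so this path may now fail on a cluster that is still settling where it previously succeeded. The enclosing sub starts before this hunk.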
@@ -292,7 +293,7 @@
 
 	PVE::Cluster::gen_local_dirs($name);
 
-	$cmd = ['ccs_tool', 'addnode', '-c', $clusterconf];
+	my $cmd = ['ccs_tool', 'addnode', '-c', $clusterconf];
 
 	# NOTE: cman does not like votes="0"
 	if ($param->{votes}) {
@@ -388,6 +389,9 @@
 	    }
 	}
 
+	# make sure known_hosts is on local filesystem
+	PVE::Cluster::ssh_unmerge_known_hosts();
+
 	my $cmd = "ssh-copy-id 'root\@$host' >/dev/null 2>&1";
 	system ($cmd) == 0 ||
 	    die "unable to copy ssh ID\n";
@@ -454,6 +458,9 @@
 	    print "generating node certificates\n";
 	    PVE::Cluster::gen_pve_node_files($nodename, $local_ip_address); 
 
+	    print "merge known_hosts file\n";
+	    PVE::Cluster::ssh_merge_known_hosts($nodename, $local_ip_address);
+
 	    print "restart services\n";
 	    # restart apache (changed certs)
 	    system("/etc/init.d/apache2 restart");

Modified: pve-cluster/trunk/debian/changelog
===================================================================
--- pve-cluster/trunk/debian/changelog	2011-08-09 07:18:25 UTC (rev 6437)
+++ pve-cluster/trunk/debian/changelog	2011-08-09 12:32:46 UTC (rev 6438)
@@ -1,3 +1,9 @@
+pve-cluster (1.0-5) unstable; urgency=low
+
+  * fix known_hosts handling (use /etc/ssh/ssh_known_hosts)
+
+ -- Proxmox Support Team <support at proxmox.com>  Tue, 09 Aug 2011 14:32:20 +0200
+
 pve-cluster (1.0-4) unstable; urgency=low
 
   * also handle ssh known_hosts file

Modified: pve-cluster/trunk/debian/control
===================================================================
--- pve-cluster/trunk/debian/control	2011-08-09 07:18:25 UTC (rev 6437)
+++ pve-cluster/trunk/debian/control	2011-08-09 12:32:46 UTC (rev 6438)
@@ -2,7 +2,7 @@
 Section: unknown
 Priority: extra
 Maintainer: Proxmox Support Team <support at proxmox.com>
-Build-Depends: debhelper (>= 7), autotools-dev, libsqlite3-dev, sqlite3, libfuse-dev, libcorosync-pve-dev, libqb-dev, libpve-common-perl, libglib2.0-dev, librrd-dev, librrds-perl, rrdcached, check 
+Build-Depends: debhelper (>= 7), autotools-dev, libsqlite3-dev, sqlite3, libfuse-dev, libcorosync-pve-dev, libqb-dev, libpve-common-perl, libglib2.0-dev, librrd-dev, librrds-perl, rrdcached, check, libdigest-hmac-perl
 Standards-Version: 3.7.3
 
 Package: pve-cluster
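Review bot: `libdigest-hmac-perl` is added only to Build-Depends, but `Digest::HMAC_SHA1` is used at runtime by `PVE/Cluster.pm` in this same commit; unless the `Depends:` line of the `pve-cluster` binary package (outside this hunk) also lists it, the module will be missing on installed systems and `ssh_merge_known_hosts` will fail to compile. Add `libdigest-hmac-perl` to `Depends:` as well. `MIME::Base64` is part of core Perl and needs no packaging change.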



