[pve-devel] r6438 - in pve-cluster/trunk: . data/PVE debian
svn-commits at proxmox.com
Tue Aug 9 14:32:46 CEST 2011
Author: dietmar
Date: 2011-08-09 14:32:46 +0200 (Tue, 09 Aug 2011)
New Revision: 6438
Modified:
pve-cluster/trunk/Makefile
pve-cluster/trunk/data/PVE/Cluster.pm
pve-cluster/trunk/data/PVE/pvecm
pve-cluster/trunk/debian/changelog
pve-cluster/trunk/debian/control
Log:
* fix known_hosts handling (use /etc/ssh/ssh_known_hosts)
Modified: pve-cluster/trunk/Makefile
===================================================================
--- pve-cluster/trunk/Makefile 2011-08-09 07:18:25 UTC (rev 6437)
+++ pve-cluster/trunk/Makefile 2011-08-09 12:32:46 UTC (rev 6438)
@@ -2,7 +2,7 @@
PACKAGE=pve-cluster
PKGVER=1.0
-PKGREL=4
+PKGREL=5
ARCH:=$(shell dpkg-architecture -qDEB_BUILD_ARCH)
Modified: pve-cluster/trunk/data/PVE/Cluster.pm
===================================================================
--- pve-cluster/trunk/data/PVE/Cluster.pm 2011-08-09 07:18:25 UTC (rev 6437)
+++ pve-cluster/trunk/data/PVE/Cluster.pm 2011-08-09 12:32:46 UTC (rev 6438)
@@ -6,6 +6,8 @@
use Socket;
use Storable qw(dclone);
use IO::File;
+use MIME::Base64;
+use Digest::HMAC_SHA1;
use PVE::Tools;
use PVE::INotify;
use PVE::IPCC;
@@ -42,8 +44,9 @@
# ssh related files
my $ssh_rsa_id_priv = "/root/.ssh/id_rsa";
my $ssh_rsa_id = "/root/.ssh/id_rsa.pub";
-my $sshrootknownhosts = "/root/.ssh/known_hosts";
-my $sshknownhosts = "/etc/pve/priv/known_host";
+my $ssh_host_rsa_id = "/etc/ssh/ssh_host_rsa_key.pub";
+my $sshglobalknownhosts = "/etc/ssh/ssh_known_hosts";
+my $sshknownhosts = "/etc/pve/priv/known_hosts";
my $sshauthkeys = "/etc/pve/priv/authorized_keys";
my $rootsshauthkeys = "/root/.ssh/authorized_keys";
@@ -307,8 +310,6 @@
$force = 1 if $opt_force;
gen_pve_ssl_cert($force, $nodename, $ip);
-
- ssh_merge_known_hosts();
}
my $versions = {};
@@ -961,8 +962,9 @@
mkdir $authdir;
if (! -f $sshauthkeys) {
- my $fh = IO::File->new ($sshauthkeys, O_CREAT|O_WRONLY|O_EXCL, 0400);
- close($fh);
+ if (my $fh = IO::File->new ($sshauthkeys, O_CREAT|O_WRONLY|O_EXCL, 0400)) {
+ close($fh);
+ }
}
warn "can't create shared ssh key database '$sshauthkeys'\n"
@@ -980,10 +982,22 @@
}
+sub ssh_unmerge_known_hosts {
+ return if ! -l $sshglobalknownhosts;
+
+ my $old = '';
+ $old = PVE::Tools::file_get_contents($sshknownhosts, 128*1024)
+ if -f $sshknownhosts;
+
+ PVE::Tools::file_set_contents($sshglobalknownhosts, $old);
+}
+
sub ssh_merge_known_hosts {
+ my ($nodename, $ip_address) = @_;
- return if -l $sshrootknownhosts;
-
+ die "no node name specified" if !$nodename;
+ die "no ip address specified" if !$ip_address;
+
mkdir $authdir;
if (! -f $sshknownhosts) {
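Review bot: ssh_unmerge_known_hosts writes the cluster copy back to `$sshglobalknownhosts` while that path is still a symlink (the early return at the top guarantees it is), so whether the link is actually replaced by a regular file depends on PVE::Tools::file_set_contents writing a temporary file and renaming it; if it opens the path in place, the write goes through the link into /etc/pve/priv/known_hosts and the symlink survives. An explicit `unlink $sshglobalknownhosts;` immediately before the `file_set_contents` call removes that dependency on an implementation detail (the content has already been captured in `$old`, and the cluster copy is untouched). The two new `die` messages in ssh_merge_known_hosts have no trailing newline, unlike the `die "...\n"` style used in pvecm; that is fine if the source location is wanted, otherwise append `\n`. ssh_merge_known_hosts continues past the end of this hunk.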
@@ -995,46 +1009,83 @@
my $old = PVE::Tools::file_get_contents($sshknownhosts, 128*1024);
my $new = '';
+
+ if ((! -l $sshglobalknownhosts) && (-f $sshglobalknownhosts)) {
+ $new = PVE::Tools::file_get_contents($sshglobalknownhosts, 128*1024);
+ }
- $new = PVE::Tools::file_get_contents($sshrootknownhosts, 128*1024)
- if -f $sshrootknownhosts;
-
my $data = '';
+ my $vhash = {};
- my $vhash = {};
- while ($old && $old =~ s/^((.*?)(\n|$))//) {
- my $line = "$2\n";
- next if $line =~ m/^\s*$/; # skip empty lines
- next if $line =~ m/^#/; # skip comments
+ my $found_nodename;
+ my $found_local_ip;
+
+ my $merge_line = sub {
+ my ($line, $all) = @_;
+
if ($line =~ m/^(\S+)\sssh-rsa\s.*$/) {
- if (!$vhash->{$1}) {
- $vhash->{$1} = 1;
+ my $key = $1;
+ if (!$vhash->{$key}) {
+ $vhash->{$key} = 1;
$data .= $line;
+ if ($key =~ m/\|1\|([^\|\s]+)\|([^\|\s]+)$/) {
+ my $salt = decode_base64($1);
+ my $digest = $2;
+ my $hmac = Digest::HMAC_SHA1->new($salt);
+ $hmac->add($nodename);
+ my $hd = $hmac->b64digest . '=';
+ $found_nodename = 1 if $digest eq $hd;
+ $hmac = Digest::HMAC_SHA1->new($salt);
+ $hmac->add($ip_address);
+ $hd = $hmac->b64digest . '=';
+ $found_local_ip = 1 if $digest eq $hd;
+ }
}
- } else {
+ } elsif ($all) {
$data .= $line;
}
+ };
+
+ while ($old && $old =~ s/^((.*?)(\n|$))//) {
+ my $line = "$2\n";
+ next if $line =~ m/^\s*$/; # skip empty lines
+ next if $line =~ m/^#/; # skip comments
+ &$merge_line($line, 1);
}
while ($new && $new =~ s/^((.*?)(\n|$))//) {
my $line = "$2\n";
next if $line =~ m/^\s*$/; # skip empty lines
next if $line =~ m/^#/; # skip comments
+ &$merge_line($line);
+ }
- if ($line =~ m/^(\S+)\sssh-rsa\s.*$/) {
- if (!$vhash->{$1}) {
- $vhash->{$1} = 1;
- $data .= $line;
- }
- }
+ my $addIndex = $$;
+ my $add_known_hosts_entry = sub {
+ my ($name, $pub) = @_;
+ $addIndex++;
+ my $hmac = Digest::HMAC_SHA1->new("$addIndex" . time());
+ my $b64salt = $hmac->b64digest . '=';
+ $hmac = Digest::HMAC_SHA1->new(decode_base64($b64salt));
+ $hmac->add($name);
+ my $digest = $hmac->b64digest . '=';
+ $data .= "|1|$b64salt|$digest $pub\n";
+ };
+
+ if (!$found_nodename || !$found_local_ip) {
+ my $pub = PVE::Tools::file_get_contents($ssh_host_rsa_id);
+ die "can't parse $ssh_rsa_id" if $pub !~ m/^(ssh-rsa\s\S+)(\s.*)$/;
+ $pub = $1;
+ &$add_known_hosts_entry($nodename, $pub) if !$found_nodename;
+ &$add_known_hosts_entry($ip_address, $pub) if !$found_local_ip;
}
PVE::Tools::file_set_contents($sshknownhosts, $data);
- unlink $sshrootknownhosts;
- symlink $sshknownhosts, $sshrootknownhosts;
+ unlink $sshglobalknownhosts;
+ symlink $sshknownhosts, $sshglobalknownhosts;
- warn "can't create symlink for ssh known hosts '$sshrootknownhosts' -> '$sshknownhosts'\n"
- if ! -l $sshrootknownhosts;
+ warn "can't create symlink for ssh known hosts '$sshglobalknownhosts' -> '$sshknownhosts'\n"
+ if ! -l $sshglobalknownhosts;
}
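Review bot: The error message `die "can't parse $ssh_rsa_id"` names the wrong file: the content just read comes from `$ssh_host_rsa_id` (/etc/ssh/ssh_host_rsa_key.pub), so the line should read `die "can't parse $ssh_host_rsa_id\n" if $pub !~ m/^(ssh-rsa\s\S+)(\s.*)$/;`, and that read is also the only file_get_contents call in the function without the 128*1024 size limit the others use. The salt for newly added hashed entries is derived from `"$addIndex" . time()` (an HMAC keyed on pid and wall clock over an empty message), which is predictable rather than random; hashed known_hosts lines exist to keep host names unreadable from the file, so taking 20 bytes from /dev/urandom (or another CSPRNG source) for `$b64salt`, as `ssh-keygen -H` does, would be the stronger choice. Style: `&$merge_line($line, 1)` and `&$add_known_hosts_entry(...)` read more clearly as `$merge_line->($line, 1)` and `$add_known_hosts_entry->(...)`. Note also that the merge regex only recognises `ssh-rsa` lines, so host keys of other types found in the old global file are dropped unless `$all` is set; this hunk starts inside ssh_merge_known_hosts.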
Modified: pve-cluster/trunk/data/PVE/pvecm
===================================================================
--- pve-cluster/trunk/data/PVE/pvecm 2011-08-09 07:18:25 UTC (rev 6437)
+++ pve-cluster/trunk/data/PVE/pvecm 2011-08-09 12:32:46 UTC (rev 6438)
@@ -203,6 +203,8 @@
PVE::Cluster::gen_pve_node_files($nodename, $local_ip_address);
+ PVE::Cluster::ssh_merge_known_hosts($nodename, $local_ip_address);
+
PVE::Tools::run_command('/etc/init.d/pve-cluster restart'); # restart
# that cman init script returns strange values - simply ignore for now
@@ -245,12 +247,11 @@
my ($param) = @_;
print "Test if we have quorum on host '$nodename'\n";
- my $cmd = ['cman_tool', 'wait', '-q', '-t', 1];
- if (system(@$cmd) != 0) {
- die "cluster not ready - no quorum?\n";
- }
- eval { ssh_merge_keys(); };
+ die "cluster not ready - no quorum?\n"
+ if !PVE::Cluster::check_cfs_quorum();
+
+ eval { PVE::Cluster::ssh_merge_keys(); };
warn $@ if $@;
my $lst = lsnode();
@@ -292,7 +293,7 @@
PVE::Cluster::gen_local_dirs($name);
- $cmd = ['ccs_tool', 'addnode', '-c', $clusterconf];
+ my $cmd = ['ccs_tool', 'addnode', '-c', $clusterconf];
# NOTE: cman does not like votes="0"
if ($param->{votes}) {
@@ -388,6 +389,9 @@
}
}
+ # make sure known_hosts is on local filesystem
+ PVE::Cluster::ssh_unmerge_known_hosts();
+
my $cmd = "ssh-copy-id 'root\@$host' >/dev/null 2>&1";
system ($cmd) == 0 ||
die "unable to copy ssh ID\n";
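Review bot: The `ssh-copy-id` command on the line right after the new call is still a single shell string with `$host` interpolated, so a host value containing shell metacharacters is interpreted by the shell; validating `$host` against an anchored hostname/IP pattern before this point (where it is assigned is outside the hunk) or switching to list-form `system` with the redirections done through local filehandle dups would close that. The new comment would be more useful if it said why the unmerge is needed here, presumably because ssh must be able to update a real local known_hosts before this node is part of the cluster filesystem, e.g. `# ssh needs a writable local known_hosts: /etc/pve may not be available on a joining node` (to be confirmed).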
@@ -454,6 +458,9 @@
print "generating node certificates\n";
PVE::Cluster::gen_pve_node_files($nodename, $local_ip_address);
+ print "merge known_hosts file\n";
+ PVE::Cluster::ssh_merge_known_hosts($nodename, $local_ip_address);
+
print "restart services\n";
# restart apache (changed certs)
system("/etc/init.d/apache2 restart");
Modified: pve-cluster/trunk/debian/changelog
===================================================================
--- pve-cluster/trunk/debian/changelog 2011-08-09 07:18:25 UTC (rev 6437)
+++ pve-cluster/trunk/debian/changelog 2011-08-09 12:32:46 UTC (rev 6438)
@@ -1,3 +1,9 @@
+pve-cluster (1.0-5) unstable; urgency=low
+
+ * fix known_hosts handling (use /etc/ssh/ssh_known_hosts)
+
+ -- Proxmox Support Team <support at proxmox.com> Tue, 09 Aug 2011 14:32:20 +0200
+
pve-cluster (1.0-4) unstable; urgency=low
* also handle ssh known_hosts file
Modified: pve-cluster/trunk/debian/control
===================================================================
--- pve-cluster/trunk/debian/control 2011-08-09 07:18:25 UTC (rev 6437)
+++ pve-cluster/trunk/debian/control 2011-08-09 12:32:46 UTC (rev 6438)
@@ -2,7 +2,7 @@
Section: unknown
Priority: extra
Maintainer: Proxmox Support Team <support at proxmox.com>
-Build-Depends: debhelper (>= 7), autotools-dev, libsqlite3-dev, sqlite3, libfuse-dev, libcorosync-pve-dev, libqb-dev, libpve-common-perl, libglib2.0-dev, librrd-dev, librrds-perl, rrdcached, check
+Build-Depends: debhelper (>= 7), autotools-dev, libsqlite3-dev, sqlite3, libfuse-dev, libcorosync-pve-dev, libqb-dev, libpve-common-perl, libglib2.0-dev, librrd-dev, librrds-perl, rrdcached, check, libdigest-hmac-perl
Standards-Version: 3.7.3
Package: pve-cluster