History | View | Annotate | Download (26.5 kB)
Add os api v20 and related fields to the OS object
Signed-off-by: Iustin Pop <iustin@google.com>Reviewed-by: Guido Trotter <ultrotter@google.com>
Introduce an RPC call for OS parameters validation
While we only support the 'parameters' check today, the RPC call isgeneric enough that will be able to support other checks in the future.The backend function will both validate the parameters list (so as to...
Add "adopt" to the allowed disk parameters
"adopt" was missing from bd061c3, thus breaking disk adoption.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>Signed-off-by: Iustin Pop <iustin@google.com>Reviewed-by: Iustin Pop <iustin@google.com>
Bump RPC protocol version to 40
Many RPC calls have changed in Ganeti 2.2, hence bumping the RPC protocolversion.
Signed-off-by: Michael Hanselmann <hansmi@google.com>Reviewed-by: Guido Trotter <ultrotter@google.com>
Merge branch 'devel-2.1' into master
Signed-off-by: Iustin Pop <iustin@google.com>Reviewed-by: Balazs Lecz <leczb@google.com>
Disallow DES for SSL connections
Older OpenSSL versions include DES-CBC3-* ciphers when specifying theHIGH group of ciphers. Removing potentially weak ciphers from the listof allowed ciphers ensures only strong ciphers are considered for SSLconnections....
import/export daemon: Add support for a magic prefix
This “magic” value will be used to ensure that we don't accidentiallyconnect to the wrong daemon (e.g. due to a bug), comparable to DRBD'sper-disk secret. Just depending on the SSL certificate isn't enough...
Cache a few bits of status in jqueue
Currently each time we submit a job we check the job queue size, and thedrained file. With this change we keep these pieces of information inmemory and don't read them from the filesystem each time.
Significant changes include:...
Enforce consistency in disks and nics input dicts
With this change unknown disk and nic parameters will be refused, ratherthan silently ignored, so that one can't pass them in by mistake and notrealize what went wrong.
Signed-off-by: Guido Trotter <ultrotter@google.com>...
import/export: Allow script to predict size
Once we have a size for an export (in the context of theimport/export daemon), we can provide the user with apercentage and ETA.
Let ganeti-rapi run under a different user/group
Signed-off-by: René Nussbaumer <rn@google.com>Reviewed-by: Michael Hanselmann <hansmi@google.com>
Add KVM chroot feature
This patch adds a new boolean hypervisor parameter to the KVM hypervisor,named 'use_chroot'.If it's turned on for an instance, than KVM is started in "chroot mode":Ganeti creates an empty directory for the instance and passes the path...
Merge branch 'devel-2.1'
KVM: Migration bandwidth and downtime control
Introduce 2 new hypervisor options, migration_bandwidth and migration_downtimeand implement KVM migration bandwidth and downtime control.
migration_bandwidth controls KVM's maximal bandwidth during migration, in...
import-export daemon: Allow changing compression method
For example, exports on the same node shouldn't be compressed.
Implement opcode changes for remote-import
Signed-off-by: Michael Hanselmann <hansmi@google.com>Reviewed-by: Iustin Pop <iustin@google.com>
Implement opcode changes for remote-export
Add opcode to prepare export
To prepare a remote export, the X509 key and certificate need to be generated.A handshake value is also returned for an easier check whether both clustersshare the same cluster domain secret.
Signed-off-by: Michael Hanselmann <hansmi@google.com>...
Conflicts: lib/luxi.py - trivial
Signed-off-by: Guido Trotter <ultrotter@google.com>Reviewed-by: Iustin Pop <iustin@google.com>
Abstract the LUXI eom into a constant
Currently the EOM terminator is hardcoded on the server side, and iscustomizable in the Transport object (with the default being the same asthe value found in the server), but not in the luxi client.
With this patch we move the value to constants, and remove the "fake"...
KVM: vhost net acceleration support
This will only work on patched or newer (>= 2.6.34) kernels and with apatched version of qemu-kvm.
Add checks for master IP in cluster verify
This also updates a comment in the unittest for utils.py. We unittestthe new function for two things: correct reporting on real case (forlocalhost), and correct reporting with a mocked-out TcpPing that returns...
Conflicts: daemons/ganeti-noded lib/daemon.py lib/rapi/baserlib.py lib/rapi/rlib2.py lib/utils.py
Signed-off-by: Luca Bigliardi <shammash@google.com>Reviewed-by: Michael Hanselmann <hansmi@google.com>
Add /dev/console constant
ssh.GetUserFiles: move to EnsureDirs
We also create a generic SECURE_DIR_MODE constant, rather thanhardcoding 0700 in the code.
Signed-off-by: Guido Trotter <ultrotter@google.com>Reviewed-by: Balazs Lecz <leczb@google.com>
jstore: use EnsureDirs, and add more constants
Remove "ssconf.CheckMasterCandidate"
This function is not used anymore, so there's no point in keeping itaround.
This reverts commit 3f71b464ad5cdd1f1b53f2a31a4eef4e2a5550cc, apart froma one empty line conflict in ssconf.py
cmdlib: Add utility for instance data import/export
Interpreting the backend's import/export daemon status is a bit tricky.This utility code keeps track of multiple transfers at the same time.Users can supply callback functions to react to events.
Timeouts are currently hardcoded. Intra-cluster instance moves will likely...
Conflicts: doc/security.rst trivial lib/cli.py trivial
Signed-off-by: Balazs Lecz <leczb@google.com>Reviewed-by: Michael Hanselmann <hansmi@google.com>
Add RPC calls to import and export instance data
These RPC calls can be used to start, monitor and stop the instance dataimport/export daemon.
Add daemon for instance import and export
This backend daemon for instance import and export will be used totransfer instance data to other machines. It is implemented in a genericway to support different ways of data input and output. The third-partyprogram “socat”, which is already used by the KVM hypervisor abstraction,...
Manage the assignment of uids from the uid pool
Signed-off-by: Balazs Lecz <leczb@google.com>Reviewed-by: Guido Trotter <ultrotter@google.com>
Add uid_pool to ssconf
Add lib/uidpool.py module
Merge remote branch 'devel-2.1'
Export more instance parameters in instance export
Currently the backend parameters are not exported automatically, butonly a few directly in the '[instance]' section. Hypervisor type andhypervisor parameters are not exported at all.
This patch creates two separate sections for the be and hv parameters,...
Export the maintain_node_health option in ssconf
kvm_flag hypervisor parameter
Allow file storage to be grown
Distribute list of enabled hypervisors in ssconf
This can be used by nodes to know which hypervisors they are supposed tosupport.
Signed-off-by: Iustin Pop <iustin@google.com>Reviewed-by: René Nussbaumer <rn@google.com>
Fix burnin error when trying to grow a file volume
Abstract the growable disk types in a ganeti constants, and only rundisk grow, from burnin, on them.
Add RPC calls to create and remove X509 certificates
Certificates and keys generated using these functions will be used forinter-cluster instance moves. As per design, the private key should neverleave the node.
utils: Add functions to sign and verify X509 certs using HMAC
Certificates exchanged via an untrusted third party should besigned to ensure they haven't been modified.
Add cluster domain secret
Information exchanged between different clusters via untrustedthird parties (e.g. for remote instance import/export) must besigned with a secret shared between all involved clusters toensure the third party doesn't modify the information....
Merge remote branch 'origin/devel-2.1'
Conflicts: lib/bootstrap.py: Trivial lib/constants.py: Trivial
Rename SSL_CERT_FILE to NODED_CERT_FILE
To be consistent with RAPI_CERT_FILE, the rather generic named“SSL_CERT_FILE” constant is renamed to “NODED_CERT_FILE”. The actual filename is not changed.
Rightname confd's HMAC key
Currently, the ganeti-confd's HMAC key is called “cluster HMAC key” orsimply “HMAC key” everywhere. With the implementation of inter-clusterinstance moves, another HMAC key will be introduced for signing criticaldata. They can not be the same, so this patch clarifies the purpose of the...
Verify cluster certificates in LUVerifyCluster
When using pyOpenSSL 0.7 or above, LUClusterVerify will start to show awarning 30 days before a certificate expires. 7 days before thecertificate expires, the warning becomes an error. Once expired,LUVerifyCluster will always report an error. The latter is also supported...
Add constant with cluster X509 certificates
KVM: add security model and domain parameters
Initially we only support the "user" model (in which the user runningthe virtual machine can be specified as an additional parameter).
We use usernames rather than uids in this mode, because the kvm -runasflag doesn't support uids anyway, and we check the passed username for...
KVM security: add global constants
These constants add two new kvm hypervisor parameters, specifying thesecurity model (user/pool) and the security domain, within that model.
Implement disabling of file-based storage
Rationale: the file-based storage backend can add/remove files under acertain directory. However, the master node is also controlling thesetting of the file-based root directory, so basically it means we can'tprevent arbitrary modifications by the master of the node's filesystem....
Make SSH_CONFIG_DIR customizable
This patch adds ability to customize ssh config directory with --with-ssh-config-dir(instead of hardcoded /etc/ssh value). This is useful in Linux distributions withcustom ssh config directories (/etc/openssh in ALTLinux, for example)....
Merge branch 'stable-2.1' into devel-2.1
Add NLD constants to Ganeti
This avoids the need for them to be injected in the nbma repository.
Add watcher hooks
These hooks are run on all nodes, after the "base" daemons are started.
Signed-off-by: Guido Trotter <ultrotter@google.com>Reviewed-by: Michael Hanselmann <hansmi@google.com>
Implement utils.RunParts and use it for hooks
This function is a generic pythonic version of runparts. We currentlyuse it in the backend HooksRunner, but we'll use it for runningdifferent directories as well.
Implement IAllocator multi-evacuate mode
This is a new mode that request a solution for the evacuation ofmultiple nodes. The external script will be fed a list of names, and isexpected to return a list of [instance, new_node(s)] lists, detailingthe evacuation path of each instance....
Use OpenSSL module instead of binary to generate certs
This saves us one dependency and saves us from complicated handling ofexternal files if we need key and certificate separated from each other.
At the same time, the number of bits used for RSA keys is increased from...
Bump RPC protocol version to 30
Find OpenSSL program at configure time
Otherwise we depend on PATH at runtime.
Add capability to use syslog for logging
This patch adds a configure-time parameter that will set the defaultsused by all programs, and command-line parameters in the daemons thatallow overriding it.
Syslog 'yes' enables syslog in addition to file-based logging, 'only'...
Add a crude disable for DRBD barriers
Ideally we want to/will have per-device DRBD controls of disk/metadataflushes. In the meantime, we want at least a disable of the barrierfunctionality for cases where one has battery-backed caches.
Background: DRBD has four mechanism of handling ordered disk-writes....
Merge branch 'stable-2.0' into stable-2.1
Move the hooks file mask into constants.py
This will allow reuse of the same mask for multiple validations.
Signed-off-by: Iustin Pop <iustin@google.com>Reviewed-by: Michael Hanselmann <hansmi@google.com>
Add disk cache control parameter for KVM
This patch adds the 'cache' parameter for KVM; currently this is onlycustomisable at the hypervisor level, so it's the same for all drives(except any CDROM image, which gets the default).
Signed-off-by: Iustin Pop <iustin@google.com>...
ClusterMasterQuery: add primary ip field
By allowing also the primary ip field to be fetched directly, we avoidone more confd lookup, or dns request, to find out which address themaster node lives at.
Signed-off-by: Guido Trotter <ultrotter@google.com>
confd ClusterMasterQuery: allow fields request
Change the ClusterMasterQuery to allow a query, and if present accept alist of fields to be returned. Currently only name and ip are accepted.
This feature will be used by NLD to route the cluster ip over the nbma....
daemon.GenericMain: Don't use dict for SSL paths, improve CLI options
Pass SSL certificate and key paths from ganeti-* instead of using a dict. Thepatch also improves the --ssl-{key,cert} options by giving the default in--help output and changes the validation a bit....
daemon.GenericMain: Don't use list of multithreaded daemons
Passing it in as a parameter seems more logical.
A few style updates
gnt-cluster verify: Warn if node time diverges too far
The warning will be generated if the clocks diverge by morethan 150 seconds. Due to the way the RPC system works, wecannot get exact time differences, e.g. if one of thequeried nodes is broken. The comparision is done using a...
Fix and simplify socat escape detection
- Program paths should not be --with-… options (see Autoconf docs)- Simplify checks for escape functionality- Make SOCAT_USE_ESCAPE variable a bool
Use “daemon-util” to reload SSH keys
Add use_localtime parameter for xen-hvm and kvm
Currently xen-hvm and kvm use different real time clock by default. Toreduce confusion, this patch adds an optional use_localtime parameter.
If the real time clock on the instance is set to local time, the...
Introduce 'global hypervisor parameters' support
This patch adds support for global hypervisor parameters in instancecreation, instance modification, instance query and at instance loadtime.
We basically prevent any query on these parameters, discard them at load...
Remove the KVM_MIGRATION_PORT configure.ac param
Since this is easily configurable at run-time, we remove theconfigure-time parameter. If anyone is building custom packages, thenthe default can be tweaked by a one-line patch to constants.py.
Note that this also fixes the type of parameter, the default from...
Add new “daemon-util” script to start/stop Ganeti daemons
Until now, Ganeti started and stopped its own daemons using custom functions.To start, the daemon was just executed and then sent the appropriate signals tostop it again. Init scripts would have to pay attention to the PID file and...
kvm console: use socat raw mode with escape
If this is enabled at configure time, we pass in different parameters tothe socat console, making it a lot more manageable.
hypervisors: switch to using HV_MIGRATION_PORT
This changes KVM to use HV_MIGRATION_PORT instead of KVM_MIGRATION_PORTand enables passing the port for Xen migrations.
Since KVM_MIGRATION_PORT is not used anymore, we stop exporting it fromconstants.py....
Introduce HV_MIGRATION_PORT hypervisor parameter
This parameter will replace the direct use of KVM_MIGRATION_PORT and theimplicit use of the Xen migration port.
While it doesn't make sense to change this at instance level, we don'thave any other infrastructure for cluster-wide hypervisor parameters, so...
Revert "kvm console: use socat raw mode with escape"
This reverts commit ce0eb6694e3fb2510035501539c7acc92a0f174e, since it dependson 37fc2cf5ba8919cef407199ee540aad4b1a9a2b6 which will be reverted too.
Implement cluster verify checks for wrong PV names
Since ':' is not a valid character in PV names (for the way Ganeti usesLVM), we need to check this and warn the user. This patch adds a newNV_PVLIST cluster verify check and verifies the PV names returned from...
Unify the query fields for the storage framework
This patch unifies the query fields in the storage framework for alltypes. Note that the information is still computed on-demand, so if e.g.the used disk space is not requested for the ‘file’ type, it won't be...