Revision 7742b03c
b/Makefile.am | ||
---|---|---|
360 | 360 |
doc/design-linuxha.rst \ |
361 | 361 |
doc/design-multi-reloc.rst \ |
362 | 362 |
doc/design-network.rst \ |
363 |
doc/design-node-add.rst \ |
|
363 | 364 |
doc/design-oob.rst \ |
364 | 365 |
doc/design-ovf-support.rst \ |
365 | 366 |
doc/design-partitioned.rst \ |
... | ... | |
368 | 369 |
doc/design-remote-commands.rst \ |
369 | 370 |
doc/design-resource-model.rst \ |
370 | 371 |
doc/design-shared-storage.rst \ |
371 |
doc/design-ssh-setup.rst \ |
|
372 | 372 |
doc/design-monitoring-agent.rst \ |
373 | 373 |
doc/design-virtual-clusters.rst \ |
374 | 374 |
doc/design-x509-ca.rst \ |
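Review bot: the new ``doc/design-node-add.rst`` entry is placed between ``design-network.rst`` and ``design-oob.rst``, which keeps that stretch of the list alphabetical, but removing ``design-ssh-setup.rst`` leaves ``design-shared-storage.rst`` followed directly by ``design-monitoring-agent.rst``, so the tail of the list stays out of order; since this block is being touched anyway, moving ``design-monitoring-agent.rst`` up to its sorted position would keep the list easy to scan.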
b/doc/design-draft.rst | ||
---|---|---|
14 | 14 |
design-query-splitting.rst |
15 | 15 |
design-autorepair.rst |
16 | 16 |
design-partitioned.rst |
17 |
design-ssh-setup.rst
|
|
17 |
design-node-add.rst
|
|
18 | 18 |
design-monitoring-agent.rst |
19 | 19 |
design-remote-commands.rst |
20 | 20 |
design-linuxha.rst |
b/doc/design-node-add.rst | ||
---|---|---|
1 |
Design for adding a node to a cluster |
|
2 |
===================================== |
|
3 |
|
|
4 |
.. contents:: :depth: 3 |
|
5 |
|
|
6 |
|
|
7 |
Current state and shortcomings |
|
8 |
------------------------------ |
|
9 |
|
|
10 |
Before a node can be added to a cluster, its SSH daemon must be |
|
11 |
re-configured to use the cluster-wide SSH host key. Ganeti 2.3.0 changed |
|
12 |
the way this is done by moving all related code to a separate script, |
|
13 |
``tools/setup-ssh``, using Paramiko. Before all such configuration was |
|
14 |
done from ``lib/bootstrap.py`` using the system's own SSH client and a |
|
15 |
shell script given to said client through parameters. |
|
16 |
|
|
17 |
Both solutions controlled all actions on the connecting machine; the |
|
18 |
newly added node was merely executing commands. This implies and |
|
19 |
requires a tight coupling and equality between nodes (e.g. paths to |
|
20 |
files being the same). Most of the logic and error handling is also done |
|
21 |
on the connecting machine. |
|
22 |
|
|
23 |
|
|
24 |
Proposed changes |
|
25 |
---------------- |
|
26 |
|
|
27 |
The main goal is to move more logic to the newly added node. Instead of |
|
28 |
having a relatively large script executed on the master node, most of it |
|
29 |
is moved over to the added node. |
|
30 |
|
|
31 |
A new script named ``prepare-node-join`` is added. It receives a JSON |
|
32 |
data structure (defined :ref:`below <prepare-node-join-json>`) on its |
|
33 |
standard input. Once the data has been successfully decoded, it proceeds |
|
34 |
to configure the local node's SSH daemon and root's SSH settings, after |
|
35 |
which the SSH daemon is restarted. |
|
36 |
|
|
37 |
All the master node has to do to add a new node is to gather all |
|
38 |
required data, build the data structure, and invoke the script on the |
|
39 |
node to be added. This will enable us to once again use the system's own |
|
40 |
SSH client and to drop the dependency on Paramiko for Ganeti itself |
|
41 |
(``ganeti-listrunner`` is going to continue using Paramiko). |
|
42 |
|
|
43 |
Eventually ``setup-ssh`` can be removed. |
|
44 |
|
|
45 |
.. _prepare-node-join-json: |
|
46 |
|
|
47 |
JSON structure |
|
48 |
~~~~~~~~~~~~~~ |
|
49 |
|
|
50 |
The data is given in an object containing the keys described below. |
|
51 |
Unless specified otherwise, all entries are optional. |
|
52 |
|
|
53 |
``cluster_name`` |
|
54 |
Required string with the cluster name. If a local cluster name is |
|
55 |
found, the join process is aborted unless the passed cluster name |
|
56 |
matches the local name. |
|
57 |
``node_daemon_certificate`` |
|
58 |
Public part of cluster's node daemon certificate in PEM format. If a |
|
59 |
local node certificate and key is found, the join process is aborted |
|
60 |
unless this passed public part can be verified with the local key. |
|
61 |
``ssh_host_key`` |
|
62 |
List containing public and private parts of SSH host key. See below |
|
63 |
for definition. |
|
64 |
``ssh_root_key`` |
|
65 |
List containing public and private parts of root's key for SSH |
|
66 |
authorization. See below for definition. |
|
67 |
|
|
68 |
Lists of SSH keys use a tuple with three values. The first describes the |
|
69 |
key variant (``rsa`` or ``dsa``). The second and third are the private |
|
70 |
and public part of the key. Example: |
|
71 |
|
|
72 |
.. highlight:: javascript |
|
73 |
|
|
74 |
:: |
|
75 |
|
|
76 |
[ |
|
77 |
("rsa", "-----BEGIN RSA PRIVATE KEY-----...", "ssh-rss AAAA..."), |
|
78 |
("dsa", "-----BEGIN DSA PRIVATE KEY-----...", "ssh-dss AAAA..."), |
|
79 |
] |
|
80 |
|
|
81 |
.. vim: set textwidth=72 : |
|
82 |
.. Local Variables: |
|
83 |
.. mode: rst |
|
84 |
.. fill-column: 72 |
|
85 |
.. End: |
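Review bot: the example under "JSON structure" (line 77) spells the public key type ``ssh-rss``; it should be ``ssh-rsa`` to match the ``rsa`` variant named in the first element, and the entries are written as tuples ``("rsa", ...)`` although the block is highlighted as JavaScript/JSON, where a three-element list would be ``["rsa", "-----BEGIN RSA PRIVATE KEY-----...", "ssh-rsa AAAA..."]``. The key descriptions (lines 53-60) also leave a gap: the ``cluster_name`` and ``node_daemon_certificate`` checks only fire when a local cluster name or a local certificate and key already exist, so on a freshly installed node the script accepts whatever arrives on stdin; the design should state that in that case the authenticity of the payload rests entirely on the SSH connection from the master, spell out what "verified with the local key" means, say what happens when ``ssh_host_key`` or ``ssh_root_key`` is omitted (line 51 says entries are optional unless noted), and require that the private parts be written with owner-only permissions before the SSH daemon is restarted.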
/dev/null | ||
---|---|---|
1 |
Design for setting up SSH |
|
2 |
===================================== |
|
3 |
|
|
4 |
.. contents:: :depth: 3 |
|
5 |
|
|
6 |
|
|
7 |
Current state and shortcomings |
|
8 |
------------------------------ |
|
9 |
|
|
10 |
Before a node can be added to a cluster, its SSH daemon must be |
|
11 |
re-configured to use the cluster-wide SSH host key. Ganeti 2.3.0 changed |
|
12 |
the way this is done by moving all related code to a separate script, |
|
13 |
``tools/setup-ssh``, using Paramiko. Before all such configuration was |
|
14 |
done from ``lib/bootstrap.py`` using the system's own SSH client and a |
|
15 |
shell script given to said client through parameters. |
|
16 |
|
|
17 |
Both solutions controlled all actions on the connecting machine; the |
|
18 |
newly added node was merely executing commands. This implies and |
|
19 |
requires a tight coupling and equality between nodes (e.g. paths to |
|
20 |
files being the same). Most of the logic and error handling is also done |
|
21 |
on the connecting machine. |
|
22 |
|
|
23 |
|
|
24 |
Proposed changes |
|
25 |
---------------- |
|
26 |
|
|
27 |
The main goal is to move more logic to the newly added node. Instead of |
|
28 |
having a relatively large script executed on the master node, most of it |
|
29 |
is moved over to the added node. |
|
30 |
|
|
31 |
A new script named ``prepare-node-join`` is added. It receives a JSON |
|
32 |
data structure (defined :ref:`below <prepare-node-join-json>`) on its |
|
33 |
standard input. Once the data has been successfully decoded, it proceeds |
|
34 |
to configure the local node's SSH daemon and root's SSH settings, after |
|
35 |
which the SSH daemon is restarted. |
|
36 |
|
|
37 |
All the master node has to do to add a new node is to gather all |
|
38 |
required data, build the data structure, and invoke the script on the |
|
39 |
node to be added. This will enable us to once again use the system's own |
|
40 |
SSH client and to drop the dependency on Paramiko for Ganeti itself |
|
41 |
(``ganeti-listrunner`` is going to continue using Paramiko). |
|
42 |
|
|
43 |
Eventually ``setup-ssh`` can be removed. |
|
44 |
|
|
45 |
.. _prepare-node-join-json: |
|
46 |
|
|
47 |
JSON structure |
|
48 |
~~~~~~~~~~~~~~ |
|
49 |
|
|
50 |
The data is given in an object containing the keys described below. |
|
51 |
Unless specified otherwise, all entries are optional. |
|
52 |
|
|
53 |
``cluster_name`` |
|
54 |
Required string with the cluster name. If a local cluster name is |
|
55 |
found, the join process is aborted unless the passed cluster name |
|
56 |
matches the local name. |
|
57 |
``node_daemon_certificate`` |
|
58 |
Public part of cluster's node daemon certificate in PEM format. If a |
|
59 |
local node certificate and key is found, the join process is aborted |
|
60 |
unless this passed public part can be verified with the local key. |
|
61 |
``ssh_host_key`` |
|
62 |
List containing public and private parts of SSH host key. See below |
|
63 |
for definition. |
|
64 |
``ssh_root_key`` |
|
65 |
List containing public and private parts of root's key for SSH |
|
66 |
authorization. See below for definition. |
|
67 |
|
|
68 |
Lists of SSH keys use a tuple with three values. The first describes the |
|
69 |
key variant (``rsa`` or ``dsa``). The second and third are the private |
|
70 |
and public part of the key. Example: |
|
71 |
|
|
72 |
.. highlight:: javascript |
|
73 |
|
|
74 |
:: |
|
75 |
|
|
76 |
[ |
|
77 |
("rsa", "-----BEGIN RSA PRIVATE KEY-----...", "ssh-rss AAAA..."), |
|
78 |
("dsa", "-----BEGIN DSA PRIVATE KEY-----...", "ssh-dss AAAA..."), |
|
79 |
] |
|
80 |
|
|
81 |
.. vim: set textwidth=72 : |
|
82 |
.. Local Variables: |
|
83 |
.. mode: rst |
|
84 |
.. fill-column: 72 |
|
85 |
.. End: |
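Review bot: apart from the title line, this removed file is the same content that is added as ``doc/design-node-add.rst``, so the change is a rename; it is worth verifying that the repository recorded it as one (``git mv`` or rename detection) so that log and blame follow the document instead of restarting at this revision.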