Fix permission errors for split users
Correctly set ownership and permissions for daemon log files, correct the name of the luxid logfile and set the ownership of the query socket correctly.
Signed-off-by: Thomas Thrainer <thomasth@google.com>
Reviewed-by: Michele Tartara <mtartara@google.com>
Rename queryd to luxid
As queryd will, in the future, handle all LUXI requests, queue jobs and most likely perform various other tasks, it is renamed to luxid already. This will save some headache when upgrading Ganeti installations, as we don't have to deal with a daemon rename....
Add queryd daemon (split from confd)
queryd is added as a new daemon which handles configuration queries over LUXI. This functionality was removed from confd, which now only queries over the network.
The queryd user is added to the master group such that it can access...
Merge branch 'stable-2.7' into stable-2.8
Fix permissions of the queue archive dir
The permissions were set to 0740, but of course being a directory the correct permissions are 0750.
Signed-off-by: Guido Trotter <ultrotter@google.com>
Reviewed-by: Michele Tartara <mtartara@google.com>
Conflicts: doc/iallocator.rst...
Ensure the queue socket has the right permissions
RAPI needs to be able to perform queries as well.
Signed-off-by: Guido Trotter <ultrotter@google.com>
Reviewed-by: Helga Velroyen <helgav@google.com>
Stash Xen config file after a failed startup
This is a fix for a minor bug. Currently, a failed Xen VM start results in a stale config file left behind on the filesystem. This change introduces a new log directory, where the Xen VM config file is moved after a failed startup....
Fix owner of the OS log dir
The OS log dir is used by noded, not masterd.
Signed-off-by: Balazs Lecz <leczb@google.com>
Reviewed-by: Guido Trotter <ultrotter@google.com>
Start the monitoring and node daemons together
Add the monitoring daemon to the command starting the node daemon, given that they both have to be started on all nodes.
Note that daemon-util only supports starting one daemon at the time, so the actual command has to be composed as a sequence of two different daemon-util...
Make burnin compatible with the reason trail
The burnin uses its own option list, different from the one of all other command line programs, and uses it as a parameter to a function that now requires the "--reason" option to be present.
This commit updates the burnin option list to be compatible with the reason...
Merge branch 'devel-2.7'
Fix job queue directory permission problems
If split users are used, the queue directory could only be accessed by masterd, but also confd needs to be able to read it, e.g. when it is queried as part of "gnt-job list"
This commit fixes the permissions in such a way to allow proper access rights....
Infrastructure for specifying instance status change reason
This patch introduces some infrastructural modifications that will be used by the following commits to implement the support for specifying the reason for the last status change of an instance....
burnin: Don't keep hypervisor class around
Just determine whether it can migrate and keep that value instead of the full hypervisor class.
Signed-off-by: Michael Hanselmann <hansmi@google.com>
Reviewed-by: Guido Trotter <ultrotter@google.com>
Move burnin to ganeti.tools.burnin
Similar to other scripts, “tools/burnin” just becomes a wrapper script.
Replace frozenset with compat.UniqueFrozenset
This is not a trivial s/frozenset/compat.UniqueFrozenset/, but rather only replaces “frozenset” where appropriate. Most of the places are “static” information that doesn't change after the module has been loaded....
Improve test for tools.ensure_dirs
- Add more checks, some of them are deliberately redundant
- Descriptive error messages
- Add comment describing order to “tools.ensure_dirs”
- Avoid copying a list in an assertion in “tools.ensure_dirs”
Signed-off-by: Michael Hanselmann <hansmi@google.com>...
Fix ordering of entries in tools.ensure_dirs
Commit ebd437a added two new entries to tools.ensure_dirs, but did so in the wrong order. Patch forthcoming to improve the unittest's error message.
Signed-off-by: Michael Hanselmann <hansmi@google.com>
Reviewed-by: Helga Velroyen <helgav@google.com>
Set owner on watcher pause and queue drain files
If the files were created by a user different, e.g. due to a switch from running masterd as root to running it as a dedicated user, they couldn't be modified/removed anymore.
lib/tools/ensure_dirs.py: Code formatting
Wrap lines in a consistent manner (uid/gid on the second line) if wrapping is necessary at all. “git diff --color-words” shows no difference at all as only whitespace changed.
Add tool to clean up node
Sometimes a node is not removed properly from a cluster (especially during development). This new tool stops all daemons and removes (after making copies) the most critical files.
Add tool to configure node daemon
The design for this is in “doc/design-node-add.rst”. The tool receives a JSON data structure on stdin and configures the node's daemon after verifying the received values.
Factorize code for checking node daemon certificate
This code is going to be used by a new utility for setting up the node daemon. Unit tests are updated/added.
Additionally, the certificate and key stored in “server.pem” are verified, too.
Factorize SSL context setup for certificate check
This code will also be used by the node daemon setup utility.
Add constant for node certificate mode
A new utility for configuring the node daemon will have to write the node certificate as well. To not split information about the certificate file even more, the constant is added to “pathutils”.
Move cluster verification out of prepare-node-join
A new tool for configuring the node daemon will also have to verify the cluster name, so it's better to have this function in a central place. In the process of moving it to ssconf it is also changed to use...
Factorize code to load and verify JSON
A new tool to configure the node daemon will also have to load and verify JSON data.
Factorize logging setup in tools
Most tools had their own “SetupLogging” function, but they were all essentially the same. This patch adds a generic version to “utils.log” and provides unit tests.
Fix permission for socket directory
The directory must be writable also by the confd daemon user.
Signed-off-by: Bernardo Dal Seno <bdalseno@google.com>
Reviewed-by: Iustin Pop <iustin@google.com>
prepare-node-join: Use ssh.GetAllUserFiles
Instead of building the dictionary locally, the global version in “ssh.py” can be used.
Signed-off-by: Michael Hanselmann <hansmi@google.com>
Reviewed-by: Iustin Pop <iustin@google.com>
prepare_node_join: Move daemon SSH files to constants
This dictionary will also be useful in “gnt-node add”.
prepare-node-join: Swap private and public keys
Other places, such as “ssh.GetUserFiles”, use a structure where the private key comes before the private key. Until now prepare-node-join did the opposite, that is the public key came first. To avoid confusion...
prepare-node-join: Use public key directly for auth…_keys
A public key already includes the necessary prefix (“ssh-rsa” or “ssh-dss”), so there is no need to add it again.
Drop SSHS_FORCE constant
It is not actually used.
tools.prepare_node_join: Fix pep8 errors
Pep8 didn't agree with the indentation.
Add initial implementation of prepare-node-join
This is a new tool as per the design document “design-ssh-setup”. It receives a JSON data structure on its standard input and configures the SSH daemon and root's SSH keys accordingly. Unit tests are included....
Merge branch 'devel-2.6'
ensure-dirs: Don't accept arguments
Before they would just be silently ignored.
ensure-dirs: Fix program name on usage screen
No string replacements are used, so doubling of the percent sign is not necessary.
Before: Usage: %ensure-dirs [--full-run]
After: Usage: ensure-dirs [--full-run]
Conflicts: NEWS: Trivial lib/tools/ensure_dirs.py: constant moved to pathutils...
ensure-dirs: Fix permissions on master socket
A socket shouldn't have its executable bit set.
ganeti-cleaner: Separate queue cleaning code
This code does not need to run as root, therefore it's better to split it out. It is now run with the same permissions as the master daemon.
ensure-dirs: Don't hardcode ssconf file group
Otherwise chown(2) will fail when noded doesn't run as root.
ensure-dirs: Don't convert list to tuple
Tuples are data structures, not containers.
Signed-off-by: Michael Hanselmann <hansmi@google.com>
Reviewed-by: René Nussbaumer <rn@google.com>
Revert unintentional change of daemon log file names
Commit 3329f4dea6 unintentionally changed the filenames of all daemon log files. This patch reverts part of those changes.
Migrate lib/tools/ensure_dirs.py to pathutils
File system paths moved from constants to pathutils.
constants: Move most paths to separate module
This is in preparation for the implementation of virtual clusters. Many paths will change based on an environment variable and are no longer constant and should no longer be in “constants.py”. Since “constants.py”...
Merge branch 'devel-2.5'
ensure_dirs: Move some useful functions into utils.
With this change we can easily reuse this functionality where it makes sense on other parts of Ganeti.
Signed-off-by: René Nussbaumer <rn@google.com>
Reviewed-by: Michael Hanselmann <hansmi@google.com>
Ensure permission on the job queue version file
Signed-off-by: René Nussbaumer <rn@google.com>
Reviewed-by: Iustin Pop <iustin@google.com>
Added SPICE TLS option and related cert paths
Signed-off-by: Andrea Spadaccini <spadaccio@google.com>
Reviewed-by: Michael Hanselmann <hansmi@google.com>
Unify some file headers
Remove unnecessary commas, add empty lines where necessary to make them consistent.
I'm working on a script to check this, but it's not yet ready.
ensure-dirs: Fix epydoc error
ensure-dirs: Check mode and owner before changing
This avoids many calls to chmod(2) and chown(2), and thereby ctime updates.
Since I had to update the unittests anyway I untangled the code a bit, split it into more separate functions and added some more tests....
ensure-dirs: Refine error handling on stat(2)
The “_stat_fn” function is renamed to “_lstat_fn” to reflect its function. The try/except block just wraps calling lstat(2) and nothing else.
ensure-dirs: Change wording of some messages
ensure-dirs: Implement debug logging
There was no logging at all.
ensure-dirs: Set permissions on job files in queue
This was a regression from 2.4.
ensure-dirs: Set permissions on queue lock file
ensure-dirs: Set correct permissions on ssconf files
The files should be 0444, not 0400. This was a regression from 2.4.
Rewrite of ensure-dirs in python
I provided unittest to test the important pieces of the infrastructure. The one remaining function (ResuriveEnsure) is not easy to unittest but also not critical if it fails to operate correctly.
Signed-off-by: René Nussbaumer <rn@google.com>...