Commit 18bf3167 authored by Petr Pudlak

Merge branch 'stable-2.15' into master

* stable-2.15
  Sort 2.15 NEWS entries according to our standard practice

* stable-2.14
  Follow the name change of _CheckHostnameSane

* stable-2.13
  Full QuickCheck 2.7 compatibility
  QuickCheck 2.7 compatibility
  Bump revision number to 2.13.1
  Update NEWS file for the 2.13.1 release

* stable-2.12
  Update design doc with solution for Issue 1094
  Prevent multiple communication nics for one instance
  Remove outdated reference to ganeti-masterd
  Update ganeti-luxid man page
  Add a man page for ganeti-wconfd
  Make htools tolerate missing "dtotal" and "dfree" on luxi
  Get QuickCheck 2.7 compatibility
  TestCommon: Fix QuickCheck import warnings
  Full QuickCheck 2.7 compatibility
  Add a CPP macro for checking the version of QuickCheck
  QuickCheck 2.7 compatibility
  Fix name of filter-evaluation function
  Call the filter again with runtime data this time
  Fix user and group ordering in test

* stable-2.11
  Downgrade log-message for rereading job
  Downgrade log-level for successful requests
Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Helga Velroyen <helgav@google.com>
parents 9ee0e907 a9212819
......@@ -1639,6 +1639,7 @@ man_MANS = \
man/ganeti-extstorage-interface.7 \
man/ganeti-rapi.8 \
man/ganeti-watcher.8 \
man/ganeti-wconfd.8 \
man/ganeti.7 \
man/gnt-backup.8 \
man/gnt-cluster.8 \
......@@ -31,19 +31,6 @@ Version 2.15.0 rc1
*(Released Wed, 17 Jun 2015)*
Known issues:
~~~~~~~~~~~~~
- Issue 1094: differences in encodings in SSL certificates due to
different OpenSSL versions can result in rendering a cluster
uncommunicative after a master-failover.
Version 2.15.0 beta1
--------------------
*(Released Thu, 30 Apr 2015)*
Incompatible/important changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
......@@ -66,8 +53,21 @@ New dependencies
- The indirect dependency on Haskell package 'case-insensitive' is now
explicit.
Known issues
~~~~~~~~~~~~
Known issues:
~~~~~~~~~~~~~
- Issue 1094: differences in encodings in SSL certificates due to
different OpenSSL versions can result in rendering a cluster
uncommunicative after a master-failover.
Version 2.15.0 beta1
--------------------
*(Released Thu, 30 Apr 2015)*
This was the second beta release in the 2.15 series. All important changes
are listed in the latest 2.15 entry.
Version 2.14.0
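Review bot: the re-added "Version 2.15.0 beta1" entry describes beta1 as "the second beta release in the 2.15 series"; beta1 is by definition the first beta, and the 2.14 entry further down uses "the first beta release", so this should read "the first beta release in the 2.15 series" unless there was an unlisted earlier beta. The rest of the move (Known issues now sitting under the latest 2.15 entry after New dependencies, with the colon-style heading) is consistent with the rc1 block it replaces.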
......@@ -187,6 +187,46 @@ This was the first beta release of the 2.14 series. All important changes
are listed in the latest 2.14 entry.
Version 2.13.1
--------------
*(Released Tue, 16 Jun 2015)*
Incompatible/important changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The SSH security changes reduced the number of nodes which can SSH into
other nodes. Unfortunately enough, the Ganeti implementation of migration
for the xl stack of Xen required SSH to be able to migrate the instance,
leading to a situation where full movement of an instance around the cluster
was not possible. This version fixes the issue by using socat to transfer
instance data. While socat is less secure than SSH, it is about as secure as
xm migrations, and occurs over the secondary network if present. As a
consequence of this change, Xen instance migrations using xl cannot occur
between nodes running 2.13.0 and 2.13.1.
Other fixes and known issues
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Inherited from 2.12:
- Fixed Issue #1082: RAPI is unresponsive after master-failover
- Fixed Issue #1083: Cluster verify reports existing instance disks on
non-default VGs as missing
- Fixed Issue #1101: Modifying the storage directory for the shared-file disk
template doesn't work
- Fixed a possible file descriptor leak when forking jobs
- Fixed missing private parameters in the environment for OS scripts
- Fixed a performance regression when handling configuration
(only upgrade it if it changes)
- Adapt for compilation with GHC7.8 (compiles with warnings;
cherrypicked from 2.14)
Known issues:
- Issue #1094: Mismatch in SSL encodings breaks RPC communication
- Issue #1104: Export fails: key is too small
Version 2.13.0
--------------
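Review bot: the 2.13.1 "Incompatible/important changes" entry says socat is "less secure than SSH" but never says what is lost, which is the one thing an operator needs to know before upgrading. If, as that phrase suggests, the socat transfer is a plain TCP stream, state plainly that instance memory is now sent without encryption or peer authentication over the secondary network (or the primary one where no secondary exists), so that network must be trusted, and that this matches the exposure xm migrations already had. "Unfortunately enough" should just be "Unfortunately". The cross-version note (xl migrations cannot occur between 2.13.0 and 2.13.1 nodes) is important and correctly placed.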
......@@ -388,10 +388,12 @@ in the design.
- Instead of using the same certificate for all nodes as both, server
and client certificate, we generate a common server certificate (and
the corresponding private key) for all nodes and a different client
certificate (and the corresponding private key) for each node. All
those certificates will be self-signed for now. The client
certificates will use the node UUID as serial number to ensure
uniqueness within the cluster.
certificate (and the corresponding private key) for each node. The
server certificate will be self-signed. The client certficate will
be signed by the server certificate. The client certificates will
use the node UUID as serial number to ensure uniqueness within the
cluster. They will use the host's hostname as the certificate
common name (CN).
- In addition, we store a mapping of
(node UUID, client certificate digest) in the cluster's configuration
and ssconf for hosts that are master or master candidate.
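Review bot: "certficate" is misspelled in "The client certficate will be signed by the server certificate". More substantively, the server certificate now acts as an issuer, but the design does not say which X.509 extensions it is generated with; it needs basicConstraints CA:TRUE (and keyUsage keyCertSign if a keyUsage extension is present), since OpenSSL's chain verification treats a v3 certificate without CA:TRUE as a non-CA and rejects certificates it issued. Please spell that out next to "The server certificate will be self-signed". Also, the CN is set to the hostname here while the "Related and future work" section states hostname/CN checking is not performed; say that the CN is informational for now so nobody reads this as a hostname binding.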
......@@ -450,9 +452,21 @@ Drawbacks of this design:
- Even though this proposal is an improvement towards the previous
situation in Ganeti, it still does not use the full power of SSL. For
further improvements, see Section "Related and future work".
- Signing the client certificates with the server certificate will
increase the complexity of the renew-crypto, as a renewal of the
server certificates requires the renewal (and signing) of all client
certificates as well.
Alternative proposals:
- The initial version of this document described a setup where the
client certificates were also self-signed. This led to a serious
problem (Issue 1094), which would only have been solvable by
distributing all client certificates to all nodes and load them
as trusted CAs. As this would have resulted in having to restart
noded on all nodes every time a node is added, removed, demoted
or promoted, this was not feasible and we switched to client
certficates which are signed by the server certificate.
- Instead of generating a client certificate per node, one could think
of just generating two different client certificates, one for normal
nodes and one for master candidates. Noded could then just check if
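Review bot: "certficates" is misspelled in "switched to client certficates which are signed by the server certificate". The new drawback bullet correctly notes that renewing the server certificate forces renewal of all client certificates, but it should also name the transition problem that follows: while the renewal is in flight, a node that already trusts only the new server certificate cannot validate a peer still presenting a client certificate signed by the old one. A cross-reference to the Crypto renewal section, where the sequencing should be described, would make the drawback concrete.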
......@@ -535,6 +549,8 @@ Cluster verify will be extended by the following checks:
- Whether no node tries to use the certificate of another node. In
particular, it is important to check that no normal node tries to
use the certificate of a master candidate.
- Whether there are still self-signed client certificates in use (from
a pre 2.12.4 Ganeti version).
Crypto renewal
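Review bot: the new cluster verify check says self-signed client certificates come "from a pre 2.12.4 Ganeti version", while the Crypto renewal section below says the old design was in place in "Ganeti 2.12.4 and previous versions" and that users switch to the new scheme with 2.12.5. Use one boundary in both places (2.12.4 and earlier, fixed in 2.12.5), otherwise an operator on exactly 2.12.4 cannot tell whether the check applies to them.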
......@@ -554,6 +570,18 @@ due inconsistent updating after a demotion or offlining), the user can use
this option to renew the client certificates and update the candidate
certificate map.
Note that renewing the server certificate requires all client certificates
being renewed and signed by the new server certificate, because
otherwise their signature can not be verified by the server who only has
the new server certificate then.
As there was a different design in place in Ganeti 2.12.4 and previous
versions, we have to ensure that renew-crypto works on pre 2.12 versions and
2.12.1-4. Users that got hit by Issue 1094 will be encouraged to run
renew-crypto at least once after switching to 2.12.5. Those who did not
encounter this bug yet, will still get nagged friendly by gnt-cluster
verify.
Further considerations
----------------------
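Review bot: the renewal paragraph requires every client certificate to be re-signed whenever the server certificate is renewed, but it does not say how the re-signed certificates reach the nodes. Once a node holds only the new server certificate it will reject RPC clients presenting certificates signed by the old one, so the RPC path used for distribution is itself cut off by the renewal; state the sequencing (for example which certificates the master accepts while renewal is in flight, or that distribution uses a channel that does not depend on the client certificates), otherwise renew-crypto can lock the cluster out in the same way Issue 1094 did. Wording: "the server who only has the new server certificate" should be "which", and "will still get nagged friendly by gnt-cluster verify" should be something like "will still get a friendly reminder from gnt-cluster verify".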
......@@ -614,26 +642,19 @@ As a trade-off wrt to complexity and implementation effort, we did not
implement them yet (as of version 2.11) but describe them here for
future reference.
- All SSL certificates that Ganeti uses so far are self-signed. It would
increase the security if they were signed by a common CA. There is
already a design doc for a Ganeti CA which was suggested in a
different context (related to import/export). This would also be a
benefit for the RPC calls. See design doc :doc:`design-impexp2` for
more information. Implementing a CA is rather complex, because it
would mean also to support renewing the CA certificate and providing
and supporting infrastructure to revoke compromised certificates.
- The server certificate is currently self-signed and the client certificates
are signed by the server certificate. It would increase the security if they
were signed by a common CA. There is already a design doc for a Ganeti CA
which was suggested in a different context (related to import/export).
This would also be a benefit for the RPC calls. See design doc
:doc:`design-impexp2` for more information. Implementing a CA is rather
complex, because it would mean also to support renewing the CA certificate and
providing and supporting infrastructure to revoke compromised certificates.
- An extension of the previous suggestion would be to even enable the
system administrator to use an external CA. Especially in bigger
setups, where already an SSL infrastructure exists, it would be useful
if Ganeti can simply be integrated with it, rather than forcing the
user to use the Ganeti CA.
- A lighter version of using a CA would be to use the server certificate
to sign the client certificate instead of using self-signed
certificates for both. The probleme here is that this would make
renewing the server certificate rather complicated, because all client
certificates would need to be resigned and redistributed as well,
which leads to interesting chicken-and-egg problems when this is done
via RPC calls.
- Ganeti RPC calls are currently done without checking if the hostname
of the node complies with the common name of the certificate. This
might be a desirable feature, but would increase the effort when a
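Review bot: the unchanged lead-in to this section still says the items were not implemented "as of version 2.11", which is stale now that the surrounding text describes the 2.12.5 scheme; bump the version while touching this section. Removing the "lighter version" bullet is right, since that is now the implemented design, but its warning about chicken-and-egg problems when re-signed client certificates are redistributed over RPC is the one part still relevant and should be carried into the Crypto renewal section rather than disappearing with the bullet.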
......@@ -195,10 +195,23 @@ class LUInstanceCreate(LogicalUnit):
raise errors.OpPrereqError("Cannot do IP address check without a name"
" check", errors.ECODE_INVAL)
# instance name verification
if self.op.name_check:
self.hostname = CheckHostnameSane(self, self.op.instance_name)
self.op.instance_name = self.hostname.name
# used in CheckPrereq for ip ping check
self.check_ip = self.hostname.ip
else:
self.check_ip = None
# add NIC for instance communication
if self.op.instance_communication:
nic_name = ComputeInstanceCommunicationNIC(self.op.instance_name)
for nic in self.op.nics:
if nic.get(constants.INIC_NAME, None) == nic_name:
break
else:
self.op.nics.append({constants.INIC_NAME: nic_name,
constants.INIC_MAC: constants.VALUE_GENERATE,
constants.INIC_IP: constants.NIC_IP_POOL,
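Review bot: the new for/else in the instance_communication branch accepts any user-supplied NIC whose name equals the communication NIC name and skips appending the generated one, but it never checks that the matching NIC actually carries the communication NIC's parameters (generated MAC, IP from the pool, and the rest of the dict cut off below). A user can therefore pass a NIC with that name and an arbitrary IP or network and it is silently treated as the communication NIC. Either raise errors.OpPrereqError when a NIC with that name is supplied explicitly, or validate its parameters before the `break`. Moving the name check above this block is correct, since ComputeInstanceCommunicationNIC must see the canonicalised self.op.instance_name.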
......@@ -223,15 +236,6 @@ class LUInstanceCreate(LogicalUnit):
self._CheckDiskArguments()
assert self.op.disk_template is not None
# instance name verification
if self.op.name_check:
self.hostname = CheckHostnameSane(self, self.op.instance_name)
self.op.instance_name = self.hostname.name
# used in CheckPrereq for ip ping check
self.check_ip = self.hostname.ip
else:
self.check_ip = None
# file storage checks
if (self.op.file_driver and
not self.op.file_driver in constants.FILE_DRIVER):
......@@ -21,7 +21,7 @@ commands), **gnt-debug**\(8) (debug commands).
Ganeti daemons: **ganeti-watcher**\(8) (automatic instance restarter),
**ganeti-cleaner**\(8) (job queue cleaner), **ganeti-noded**\(8) (node
daemon), **ganeti-masterd**\(8) (master daemon), **ganeti-rapi**\(8)
daemon), **ganeti-rapi**\(8)
(remote API daemon).
Ganeti htools: **htools**\(1) (generic binary), **hbal**\(1) (cluster
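Review bot: with **ganeti-masterd**\(8) dropped from the daemon list, ganeti(7) no longer names the daemons that took over its role. This same commit adds a man page for ganeti-wconfd and updates ganeti-luxid's to cover job submission, so both belong here, e.g. **ganeti-wconfd**\(8) (configuration writing daemon) and **ganeti-luxid**\(8) (query and job queue daemon).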
......@@ -16,7 +16,9 @@ DESCRIPTION
-----------
**ganeti-luxid** is a daemon used to answer queries related to the
configuration and the current live state of a Ganeti cluster.
configuration and the current live state of a Ganeti cluster. Additionally,
it is the autorative daemon for the Ganeti job queue. Jobs can be
submitted via this daemon and it schedules and starts them.
For testing purposes, you can give the ``-f`` option and the
program won't detach from the running terminal.
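Review bot: "autorative daemon for the Ganeti job queue" should be "authoritative".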
......@@ -28,9 +30,7 @@ passing in the ``--syslog`` option.
The **ganeti-luxid** daemon listens on a Unix socket
(``@LOCALSTATEDIR@/run/ganeti/socket/ganeti-query``) on which it exports
a ``Luxi`` endpoint, serving query operations only. Commands and tools
use this socket if the build-time option for split queries has been
enabled.
a ``Luxi`` endpoint supporting the full set of commands.
The daemon will refuse to start if the user and group do not match the
one defined at build time; this behaviour can be overridden by the
......@@ -43,13 +43,8 @@ allow failover in a two-node cluster, this can be overridden by the
option has to be given as well.
ROLE
~~~~
The role of the query daemon is to answer queries about the (live)
cluster state without going through the master daemon. Only queries
which don't require locks can be handles by the query daemon, which
might lead to slightly outdated results in some cases.
Only queries which don't require locks can be handled by the luxi daemon,
which might lead to slightly outdated results in some cases.
The config is reloaded from disk automatically when it changes, with a
rate limit of once per second.
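Review bot: the DESCRIPTION now says the luxi endpoint supports "the full set of commands" and that luxid schedules and starts jobs, but the rewritten ROLE section still says "Only queries which don't require locks can be handled by the luxi daemon", which reads as a contradiction. Suggest rephrasing ROLE to say that queries are answered from the in-memory configuration without taking locks (hence possibly slightly stale results), while jobs submitted over the same socket are executed through the job queue.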
ganeti-wconfd(8) Ganeti | Version @GANETI_VERSION@
==================================================
Name
----
ganeti-wconfd - Ganeti configuration writing daemon
Synopsis
--------
**ganeti-wcond** [-f] [-d] [--syslog] [--no-user-checks]
[--no-voting --yes-do-it] [--force-node]
DESCRIPTION
-----------
**ganeti-wconfd** is the daemon that has authoritative knowledge
about the configuration and is the only entity that can accept
changes to it. All jobs that need to modify the configuration will
do so by sending appropriate requests to this daemon.
For testing purposes, you can give the ``-f`` option and the
program won't detach from the running terminal.
Debug-level message can be activated by giving the ``-d`` option.
Logging to syslog, rather than its own log file, can be enabled by
passing in the ``--syslog`` option.
The **ganeti-wconfd** daemon listens on a Unix socket
(``@LOCALSTATEDIR@/run/ganeti/socket/ganeti-query``) on which it accepts all
requests in an internal protocol format, used by Ganeti jobs.
The daemon will refuse to start if the user and group do not match the
one defined at build time; this behaviour can be overridden by the
``--no-user-checks`` option.
The daemon will refuse to start if it cannot verify that the majority
of cluster nodes believes that it is running on the master node. To
allow failover in a two-node cluster, this can be overridden by the
``--no-voting`` option. As it this is dangerous, the ``--yes-do-it``
option has to be given as well. Also, if the option ``--force-node``
is given, it will accept to run on a non-master node; it should not
be necessary to give this option manually, but
``gnt-cluster masterfailover`` will use it internally to start
the daemon in order to update the master-node information in the
configuration.
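Review bot: the Synopsis names the binary **ganeti-wcond**; it should be **ganeti-wconfd**. The socket path given, ``@LOCALSTATEDIR@/run/ganeti/socket/ganeti-query``, is exactly the path the ganeti-luxid page in this commit documents for the luxi endpoint, which looks like a copy-and-paste leftover; please verify and document wconfd's own socket. Smaller wording fixes: "Debug-level message can be activated" should be "messages", and "As it this is dangerous" should be "As this is dangerous".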
......@@ -168,7 +168,7 @@ readJobStatus jWS@(JobWithStat {jStat=fstat, jJob=job}) = do
return Nothing
Just fstat' -> do
let jids = show $ fromJobId jid
logInfo $ "Rereading job " ++ jids
logDebug $ "Rereading job " ++ jids
readResult <- loadJobFromDisk qdir True jid
case readResult of
Bad s -> do
......@@ -230,11 +230,13 @@ genericQuery fieldsMap collector nameFn configFn getFn cfg
-- limit the objects that we'll contact for exports
fobjects <- toError $
filterM (\n -> evaluateQueryFilter cfg Nothing n cfilter) objects
-- Gather the runtime data
runtimes <- case collector of
-- Gather the runtime data and filter the results again,
-- based on the gathered data
runtimes <- (case collector of
CollectorSimple collFn -> lift $ collFn live' cfg fobjects
CollectorFieldAware collFn -> lift $ collFn live' cfg fields fobjects
-- Filter the results again, based on the gathered data
CollectorFieldAware collFn -> lift $ collFn live' cfg fields fobjects) >>=
(toError . filterM (\(obj, runtime) ->
evaluateQueryFilter cfg (Just runtime) obj cfilter))
let fdata = map (\(obj, runtime) ->
map (execGetter cfg runtime obj) fgetters)
runtimes
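Review bot: the pre-filter with `Nothing` as runtime data followed by the post-filter with `Just runtime` only yields correct results if evaluateQueryFilter treats a field that needs runtime data as passing when the runtime is absent; if it evaluates such a field to false, objects are dropped before their runtime data is ever collected and the second filter never sees them. Please confirm that behaviour, and say so in the comment above the first filterM. On readability, the parenthesised `case` chained straight into `>>=` is hard to follow; binding the collector result first, e.g. `collected <- case collector of ...`, and then `runtimes <- toError $ filterM ... collected`, expresses the same two steps plainly.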
......@@ -400,7 +400,7 @@ logMsg handler req (Bad err) =
logMsg handler req (Ok result) = do
-- only log the first 2,000 chars of the result
logDebug $ "Result (truncated): " ++ take 2000 (J.encode result)
logInfo $ "Successfully handled " ++ hInputLogShort handler req
logDebug $ "Successfully handled " ++ hInputLogShort handler req
-- | Prepares an outgoing message.
prepareMsg
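Review bot: downgrading "Successfully handled" to logDebug removes the only per-request record from the default log on the success path, while the `Bad err` branch above still logs failures; for a daemon serving privileged requests that line is useful audit material when reconstructing who did what. If volume is the concern, keep a compact info-level line (the truncated result payload is already debug-only) rather than dropping success logging from the default level entirely.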
......@@ -89,23 +89,23 @@ case_UsersGroups = do
\from ganeti import serializer\n\
\import sys\n\
\users = [constants.MASTERD_USER,\n\
\ constants.METAD_USER,\n\
\ constants.NODED_USER,\n\
\ constants.RAPI_USER,\n\
\ constants.CONFD_USER,\n\
\ constants.WCONFD_USER,\n\
\ constants.KVMD_USER,\n\
\ constants.LUXID_USER,\n\
\ constants.METAD_USER,\n\
\ constants.MOND_USER,\n\
\ ]\n\
\groups = [constants.MASTERD_GROUP,\n\
\ constants.METAD_GROUP,\n\
\ constants.NODED_GROUP,\n\
\ constants.RAPI_GROUP,\n\
\ constants.CONFD_GROUP,\n\
\ constants.WCONFD_GROUP,\n\
\ constants.KVMD_GROUP,\n\
\ constants.LUXID_GROUP,\n\
\ constants.METAD_GROUP,\n\
\ constants.MOND_GROUP,\n\
\ constants.DAEMONS_GROUP,\n\
\ constants.ADMIN_GROUP,\n\
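Review bot: moving METAD_USER and METAD_GROUP after the LUXID entries fixes the ordering mismatch, but it leaves the test coupled to declaration order on both the Haskell and the Python side, so the next reordering of constants breaks it again; comparing sorted lists (or sets) on both sides would make the test insensitive to order while still catching a missing or extra user or group.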