1. 10 Jul, 2015 3 commits
  2. 09 Jul, 2015 8 commits
    • Merge branch 'stable-2.15' into master · 9031805d
      Petr Pudlak authored
      * stable-2.15
        (no changes)
      
      * stable-2.14
        Move _ValidateConfig to the verify.py submodule
        Fix building of shell command in export
        Add test showing a bug in location score calculation
        Bugfix for cluster location score calculation
      
      * stable-2.13
        Properly get rid of all watcher jobs
        Move stdout_of to qa_utils
        Describe --no-verify-disks option in watcher man page
        Make disk verification optional
      
      * stable-2.12
        Tell git to ignore tools/ssl-update
        Use 'exclude_daemons' option for master only
        Disable superfluous restarting of daemons
        Add tests exercising the "crashed" state handling
        Add proper handling of the "crashed" Xen state
        Handle SSL setup when downgrading
        Write SSH ports to ssconf files
        Noded: Consider certificate chain in callback
        Cluster-keys-replacement: update documentation
        Backend: Use timestamp as serial no for server cert
        UPGRADE: add note about 2.12.5
        NEWS: Mention issue 1094
        man: mention changes in renew-crypto
        Verify: warn about self-signed client certs
        Bootstrap: validate SSL setup before starting noded
        Clean up configuration of curl request
        Renew-crypto: remove superfluous copying of node certs
        Renew-crypto: propagate verbose and debug option
        Noded: log the certificate and digest on noded startup
        QA: reload rapi cert after renew crypto
        Prepare-node-join: use common functions
        Renew-crypto: remove dead code
        Init: add master client certificate to configuration
        Renew-crypto: rebuild digest map of all nodes
        Noded: make "bootstrap" a constant
        node-daemon-setup: generate client certificate
        tools: Move (Re)GenerateClientCert to common
        Renew cluster and client certificates together
        Init: create the master's client cert in bootstrap
        Renew client certs using ssl_update tool
        Run functions while (some) daemons are stopped
        Back up old client.pem files
        Introduce ssl_update tool
        x509 function for creating signed certs
        Add tools/common.py from 2.13
        Consider ECDSA in SSH setup
        Update documentation of watcher and RAPI daemon
        Watcher: add option for setting RAPI IP
        When connecting to Metad fails, log the full stack trace
        Set up the Metad client with allow_non_master
        Set up the configuration client properly on non-masters
        Add the 'allow_non_master' option to the WConfd RPC client
        Add the option to disable master checks to the RPC client
        Add 'allow_non_master' to the Luxi test transport class too
        Add 'allow_non_master' to FdTransport for compatibility
        Properly document all constructor arguments of Transport
        Allow the Transport class to be used for non-master nodes
        Don't define the set of all daemons twice
      
      * stable-2.11
        Fix capitalization of TestCase
        Trigger renew-crypto on downgrade to 2.11
      
      Conflicts:
      	Makefile.am
      	lib/ssconf.py
      	src/Ganeti/Constants.hs
      	src/Ganeti/Ssconf.hs
      	test/hs/shelltests/htools-hbal.test
      
      Resolutions:
      	Makefile.am
      	  keep all the Haskell test data files
      	lib/ssconf.py
      	  keep the auto-generated list of valid keys from master
      	src/Ganeti/Constants.hs
      	  merge the ssconf entry for ssh ports to the list of valid keys
      	src/Ganeti/Ssconf.hs
      	  keep the generated list of constructors from master
      	test/hs/shelltests/htools-hbal.test
      	  keep all tests
      Signed-off-by: Petr Pudlak <pudlak@google.com>
      Reviewed-by: Klaus Aehlig <aehlig@google.com>
    • Merge branch 'stable-2.14' into stable-2.15 · 7f850407
      Petr Pudlak authored
      * stable-2.14
        Move _ValidateConfig to the verify.py submodule
        Fix building of shell command in export
        Add test showing a bug in location score calculation
        Bugfix for cluster location score calculation
      
      * stable-2.13
        Properly get rid of all watcher jobs
        Move stdout_of to qa_utils
        Describe --no-verify-disks option in watcher man page
        Make disk verification optional
      
      * stable-2.12
        Tell git to ignore tools/ssl-update
        Use 'exclude_daemons' option for master only
        Disable superfluous restarting of daemons
        Add tests exercising the "crashed" state handling
        Add proper handling of the "crashed" Xen state
        Handle SSL setup when downgrading
        Write SSH ports to ssconf files
        Noded: Consider certificate chain in callback
        Cluster-keys-replacement: update documentation
        Backend: Use timestamp as serial no for server cert
        UPGRADE: add note about 2.12.5
        NEWS: Mention issue 1094
        man: mention changes in renew-crypto
        Verify: warn about self-signed client certs
        Bootstrap: validate SSL setup before starting noded
        Clean up configuration of curl request
        Renew-crypto: remove superfluous copying of node certs
        Renew-crypto: propagate verbose and debug option
        Noded: log the certificate and digest on noded startup
        QA: reload rapi cert after renew crypto
        Prepare-node-join: use common functions
        Renew-crypto: remove dead code
        Init: add master client certificate to configuration
        Renew-crypto: rebuild digest map of all nodes
        Noded: make "bootstrap" a constant
        node-daemon-setup: generate client certificate
        tools: Move (Re)GenerateClientCert to common
        Renew cluster and client certificates together
        Init: create the master's client cert in bootstrap
        Renew client certs using ssl_update tool
        Run functions while (some) daemons are stopped
        Back up old client.pem files
        Introduce ssl_update tool
        x509 function for creating signed certs
        Add tools/common.py from 2.13
        Consider ECDSA in SSH setup
        Update documentation of watcher and RAPI daemon
        Watcher: add option for setting RAPI IP
        When connecting to Metad fails, log the full stack trace
        Set up the Metad client with allow_non_master
        Set up the configuration client properly on non-masters
        Add the 'allow_non_master' option to the WConfd RPC client
        Add the option to disable master checks to the RPC client
        Add 'allow_non_master' to the Luxi test transport class too
        Add 'allow_non_master' to FdTransport for compatibility
        Properly document all constructor arguments of Transport
        Allow the Transport class to be used for non-master nodes
        Don't define the set of all daemons twice
      
      * stable-2.11
        Fix capitalization of TestCase
        Trigger renew-crypto on downgrade to 2.11
      
      Conflicts:
      	lib/backend.py
      	src/Ganeti/HTools/Cluster.hs
      	test/hs/shelltests/htools-hbal.test
      
      Resolutions:
      	lib/backend.py
                keep the improved 2.15 communication mechanism with Metad
      	src/Ganeti/HTools/Cluster.hs
                propagate changes from [fb0c774b] to .../Cluster/Moves.hs
      	test/hs/shelltests/htools-hbal.test
                keep tests from both versions
      Signed-off-by: Petr Pudlak <pudlak@google.com>
      Reviewed-by: Klaus Aehlig <aehlig@google.com>
    • Update hbal man page · d8e7d844
      Oleg Ponomarev authored
      Add description of the second common-failure location tag component
      to the hbal manpage.
      Signed-off-by: Oleg Ponomarev <onponomarev@gmail.com>
      Signed-off-by: Klaus Aehlig <aehlig@google.com>
      Reviewed-by: Klaus Aehlig <aehlig@google.com>
    • Add test for the common-failure exclusion tags · 3daaae2f
      Oleg Ponomarev authored
      Initial configuration contains the situation in which two DNS providers
      are located on the nodes sharing the same power source. Hbal should
      optimize this placement by simple failover.
      Signed-off-by: Oleg Ponomarev <onponomarev@gmail.com>
      Signed-off-by: Klaus Aehlig <aehlig@google.com>
      Reviewed-by: Klaus Aehlig <aehlig@google.com>
    • Implement common-failure exclusion tags · 607647bd
      Oleg Ponomarev authored
      According to the design-location document (Improving location awareness)
      cluster metric is extended by the component
      
      - The number of pairs of exclusion tags and common-failure tags where
        there exist at least two instances with the given exclusion tag with
        the primary node having the given common-failure tag.
      
      Also this patch fixes Statistics.hs test in order to work with new
      Statistics because the test is broken by the changes in Statistics.hs.
      Signed-off-by: Oleg Ponomarev <onponomarev@gmail.com>
      Signed-off-by: Klaus Aehlig <aehlig@google.com>
      Reviewed-by: Klaus Aehlig <aehlig@google.com>
    • Merge branch 'stable-2.13' into stable-2.14 · 8610c47e
      Klaus Aehlig authored
      * stable-2.13
        Properly get rid of all watcher jobs
        Move stdout_of to qa_utils
      
      * stable-2.12
        Tell git to ignore tools/ssl-update
        Use 'exclude_daemons' option for master only
        Disable superfluous restarting of daemons
        Add tests exercising the "crashed" state handling
        Add proper handling of the "crashed" Xen state
      
      * stable-2.11
        Fix capitalization of TestCase
        Trigger renew-crypto on downgrade to 2.11
      Signed-off-by: Klaus Aehlig <aehlig@google.com>
      Reviewed-by: Petr Pudlak <pudlak@google.com>
    • Move _ValidateConfig to the verify.py submodule · 9ac307a6
      Petr Pudlak authored
      .. in order to get the size of config/__init__ under 3600 lines again.
      Signed-off-by: Petr Pudlak <pudlak@google.com>
      Reviewed-by: Klaus Aehlig <aehlig@google.com>
    • Merge branch 'stable-2.13' into stable-2.14 · 6d9446fa
      Petr Pudlak authored
      * stable-2.13
        Describe --no-verify-disks option in watcher man page
        Make disk verification optional
      
      * stable-2.12
        Handle SSL setup when downgrading
        Write SSH ports to ssconf files
        Noded: Consider certificate chain in callback
        Cluster-keys-replacement: update documentation
        Backend: Use timestamp as serial no for server cert
        UPGRADE: add note about 2.12.5
        NEWS: Mention issue 1094
        man: mention changes in renew-crypto
        Verify: warn about self-signed client certs
        Bootstrap: validate SSL setup before starting noded
        Clean up configuration of curl request
        Renew-crypto: remove superfluous copying of node certs
        Renew-crypto: propagate verbose and debug option
        Noded: log the certificate and digest on noded startup
        QA: reload rapi cert after renew crypto
        Prepare-node-join: use common functions
        Renew-crypto: remove dead code
        Init: add master client certificate to configuration
        Renew-crypto: rebuild digest map of all nodes
        Noded: make "bootstrap" a constant
        node-daemon-setup: generate client certificate
        tools: Move (Re)GenerateClientCert to common
        Renew cluster and client certificates together
        Init: create the master's client cert in bootstrap
        Renew client certs using ssl_update tool
        Run functions while (some) daemons are stopped
        Back up old client.pem files
        Introduce ssl_update tool
        x509 function for creating signed certs
        Add tools/common.py from 2.13
        Consider ECDSA in SSH setup
        Update documentation of watcher and RAPI daemon
        Watcher: add option for setting RAPI IP
        When connecting to Metad fails, log the full stack trace
        Set up the Metad client with allow_non_master
        Set up the configuration client properly on non-masters
        Add the 'allow_non_master' option to the WConfd RPC client
        Add the option to disable master checks to the RPC client
        Add 'allow_non_master' to the Luxi test transport class too
        Add 'allow_non_master' to FdTransport for compatibility
        Properly document all constructor arguments of Transport
        Allow the Transport class to be used for non-master nodes
        Don't define the set of all daemons twice
      
      Conflicts:
      	Makefile.am
      	lib/cmdlib/cluster/verify.py
      	lib/config/__init__.py
      	tools/cfgupgrade
      
      Resolution:
      	Makefile.am
                - keep newly added files from both branches
      	lib/cmdlib/cluster/verify.py
                - propagate relevant changes from/lib/cmdlib/cluster.py to
                  lib/cmdlib/cluster/__init__.py
      	lib/config/__init__.py
                - include methods added in stable-2.13
                - temporarily disable the warning for too many lines
      	tools/cfgupgrade
                - propagate changes to lib/tools/cfgupgrade.py
      Signed-off-by: Petr Pudlak <pudlak@google.com>
      Reviewed-by: Helga Velroyen <helgav@google.com>
  3. 08 Jul, 2015 11 commits
  4. 07 Jul, 2015 13 commits
  5. 06 Jul, 2015 5 commits
    • Describe --no-verify-disks option in watcher man page · 8e50042d
      Klaus Aehlig authored
      While there, also mention that it does more than checking
      for rebooted nodes.
      Signed-off-by: Klaus Aehlig <aehlig@google.com>
      Reviewed-by: Petr Pudlak <pudlak@google.com>
    • Make disk verification optional · 21086aa1
      Klaus Aehlig authored
      In some setups, verification of disks can take a long
      time, whereas it is still desirable to run the other
      watcher operations more regularly. Hence support this
      use case by providing an option to not run disk verification,
      allowing for more elaborate cron schedules. Fixes issue 1090.
      Signed-off-by: Klaus Aehlig <aehlig@google.com>
      Reviewed-by: Petr Pudlak <pudlak@google.com>
    • Handle SSL setup when downgrading · d2050bd1
      Helga Velroyen authored
      This patch will handle the downgrade of the SSL setup
      from 2.12 to 2.11. Essentially, all client.pem and
      ssconf_master_candidates_certs files will be deleted.
      This will kick the cluster into a pre-2.11 mode with respect to
      SSL and result in a nagging message to re-run
      'gnt-cluster renew-crypto' as output of 'gnt-cluster
      verify'.
      Signed-off-by: Helga Velroyen <helgav@google.com>
      Reviewed-by: Petr Pudlak <pudlak@google.com>
    • Write SSH ports to ssconf files · d657fadc
      Helga Velroyen authored
      For the downgrading of the SSL setup from 2.12 to 2.11, we
      need to be able to SSH into machines while no daemons are
      running. Unfortunately currently the only way to obtain
      custom-configured SSH ports is by queries. In order to
      access this information with daemons being shut down, this
      patch adds the SSH port information to an ssconf file.
      
      This will also be used to simplify some backend calls for
      the *SSH* handling in 2.13.
      Signed-off-by: Helga Velroyen <helgav@google.com>
      Reviewed-by: Petr Pudlak <pudlak@google.com>
    • Noded: Consider certificate chain in callback · 7e01704b
      Helga Velroyen authored
      This patch significantly changes the callback that is
      called upon receiving an incoming SSL connection. This
      callback is called not only with the certificate
      that the client sends, but also (in some implementations)
      with the entire certificate chain of the client
      certificate.

      In our case, the certificate chain contains
      the client certificate and the server certificate as
      the one that signed the client certificate. This means
      that we have to accept the server certificate, but only
      if we receive it with the 'depth' greater than 0, meaning
      that this is part of the chain and not the actual
      certificate. If the depth value is 0, we can be sure
      to have received the actual certificate and match it
      against the list of master candidate certificates as
      before.
      Signed-off-by: Helga Velroyen <helgav@google.com>
      Reviewed-by: Klaus Aehlig <aehlig@google.com>
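
Added example (not Ganeti's code, and not part of the commit above): a Python sketch of the depth-aware check that the commit message for 7e01704b describes, run against a simulated handshake. Assumptions: the callback keeps the argument order of a pyOpenSSL verify callback but receives raw bytes instead of an X509 object, SHA-1 is used as the fingerprint, and all names and certificate bytes are constructed for illustration.

```python
import hashlib

def digest(cert_bytes):
    """SHA-1 fingerprint in colon-separated hex, the usual display form."""
    h = hashlib.sha1(cert_bytes).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def make_verify_callback(server_digest, candidate_digests):
    """Return a callback with the argument order of a pyOpenSSL verify callback.

    Assumption of this sketch: the certificate argument is raw bytes rather
    than an X509 object, and the decision rests on pinned digests only.
    """
    allowed = frozenset(candidate_digests)

    def callback(conn, cert_bytes, errnum, depth, preverify_ok):
        fingerprint = digest(cert_bytes)
        if depth > 0:
            # Chain element, not the peer itself: only the signing server
            # certificate is acceptable here.
            return fingerprint == server_digest
        # depth == 0: the peer's own certificate must be a master candidate's.
        return fingerprint in allowed

    return callback

def handshake_accepts(callback, chain):
    """Simulate the TLS library: chain[0] is the peer certificate (depth 0).

    The callback runs from the top of the chain down to depth 0 and the
    handshake fails as soon as one call returns False.
    """
    return bool(chain) and all(callback(None, chain[d], 0, d, True)
                               for d in range(len(chain) - 1, -1, -1))

# Constructed stand-ins for certificate encodings (not real certificates).
SERVER = b"constructed server certificate bytes"
CLIENT = b"constructed client.pem bytes of a master candidate"
STRANGER = b"constructed client.pem bytes of an unlisted node"
OTHER_SIGNER = b"constructed certificate of an unrelated signer"

def demo():
    cb = make_verify_callback(digest(SERVER), [digest(CLIENT)])
    return {
        "candidate with chain": handshake_accepts(cb, [CLIENT, SERVER]),
        "candidate, leaf only": handshake_accepts(cb, [CLIENT]),
        "server cert as peer": handshake_accepts(cb, [SERVER]),
        "unlisted client": handshake_accepts(cb, [STRANGER, SERVER]),
        "unrelated signer": handshake_accepts(cb, [CLIENT, OTHER_SIGNER]),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accept' if accepted else 'reject'}")
```

The "server cert as peer" case is the one the depth test exists for: the server certificate passes as a chain element but is rejected when presented as the peer's own certificate.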