ganeti-github.git
5 years ago Init: add master client certificate to configuration
Helga Velroyen [Tue, 16 Jun 2015 14:17:27 +0000 (16:17 +0200)]
Init: add master client certificate to configuration

This patch adds a few steps to bootstrap.py. After the
creation of the server (cluster) certificate and the
master node's client certificate, the digest of that
client certificate is added to the configuration and
by an update of the configuration written to the
ssconf_master_candidates_certs file.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Renew-crypto: rebuild digest map of all nodes
Helga Velroyen [Tue, 16 Jun 2015 12:40:12 +0000 (14:40 +0200)]
Renew-crypto: rebuild digest map of all nodes

During a renew-crypto operation, all nodes will create
new client certificates. Afterwards, the fingerprints
(digests) of the master candidate nodes need to be
collected and added to the configuration. This is done
by an RPC call, which will succeed as the master
node's certificate digest was propagated to the nodes
before.

This also removes two unittests which are no longer
necessary, because there will be no RPC call from
the master to itself anymore.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Noded: make "bootstrap" a constant
Helga Velroyen [Tue, 16 Jun 2015 12:24:11 +0000 (14:24 +0200)]
Noded: make "bootstrap" a constant

Noded uses the constant "bootstrap" when starting
without client certificates. This patch moves the
constant to Constants.hs.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago node-daemon-setup: generate client certificate
Helga Velroyen [Mon, 15 Jun 2015 14:43:24 +0000 (16:43 +0200)]
node-daemon-setup: generate client certificate

So far, the client certificate of a node that is added
to the cluster was created in LUNodeAdd using an RPC
call. This is now simplified by creating the certificate
already in tools/node_daemon_setup.py and only retrieving
its fingerprint by RPC to add it to the configuration.

This simplifies the backend function to only reading
the fingerprint instead of creating the certificate.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago tools: Move (Re)GenerateClientCert to common
Helga Velroyen [Mon, 15 Jun 2015 14:36:24 +0000 (16:36 +0200)]
tools: Move (Re)GenerateClientCert to common

So far the generation of client certificates was only
called from ssl_update.py, used when calling 'gnt-cluster
renew-crypto'. This patch moves the function from
ssl_update.py to tools/common.py, because it will also
be needed by prepare_node_join.py when adding nodes
(see next patch in the series).

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Renew cluster and client certificates together
Helga Velroyen [Wed, 10 Jun 2015 10:56:15 +0000 (12:56 +0200)]
Renew cluster and client certificates together

So far, the cluster certificate and the individual node
certificate could be renewed independently of each other.
This is no longer possible, because when renewing the
server certificate, all node certificates need to be
renewed as well, because they are signed by the server
certificate. This patch couples the two operations
together.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Init: create the master's client cert in bootstrap
Helga Velroyen [Tue, 9 Jun 2015 15:56:09 +0000 (17:56 +0200)]
Init: create the master's client cert in bootstrap

This patch extends bootstrap.py to not only create
the cluster certificate but also the master node's
client certificate.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Renew client certs using ssl_update tool
Helga Velroyen [Tue, 9 Jun 2015 12:19:15 +0000 (14:19 +0200)]
Renew client certs using ssl_update tool

This patch integrates renewing the client certificate
of non-master nodes using the new ssl_update tool.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Run functions while (some) daemons are stopped
Helga Velroyen [Tue, 9 Jun 2015 09:10:04 +0000 (11:10 +0200)]
Run functions while (some) daemons are stopped

For the new renew-crypto operation, we need to run
functions while most of the daemons are stopped,
except for WConfd. This refactors our code a bit
and generalizes the method that runs functions
while *all* daemons are stopped to one that
accepts a list of daemons to not be stopped.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Back up old client.pem files
Helga Velroyen [Mon, 8 Jun 2015 09:43:00 +0000 (11:43 +0200)]
Back up old client.pem files

For post-mortems, let's make a backup of the client
certificates before renewing them.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Introduce ssl_update tool
Helga Velroyen [Fri, 5 Jun 2015 13:45:00 +0000 (15:45 +0200)]
Introduce ssl_update tool

In order to renew client certificates via SSH (rather than
on the fly via SSL as it was before), we need a new tool
which can be called on remote nodes via SSH.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago x509 function for creating signed certs
Helga Velroyen [Fri, 5 Jun 2015 13:35:00 +0000 (15:35 +0200)]
x509 function for creating signed certs

So far, all our SSL certificates were self-signed. As from
this patch series on, client certificates will be signed by
the cluster certificate, we need a utility function for
creation of not self-signed certificates.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Add tools/common.py from 2.13
Helga Velroyen [Wed, 3 Jun 2015 11:53:15 +0000 (13:53 +0200)]
Add tools/common.py from 2.13

We will need some functions from tools/common.py, which
are only present from 2.13 on. Unfortunately there were
no clear commits for that, so cherry-picking is not
an option. This patch simply copies the file and one
has to be careful with the next merge.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Consider ECDSA in SSH setup
Helga Velroyen [Wed, 1 Jul 2015 12:24:11 +0000 (14:24 +0200)]
Consider ECDSA in SSH setup

So far, Ganeti did only care about DSA and RSA host
keys. With the rising popularity of ECDSA, we should
support this key type as well, as it is already
enabled by default in many common distributions.

This fixes Issue 1098.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Update documentation of watcher and RAPI daemon
Helga Velroyen [Thu, 2 Jul 2015 12:10:24 +0000 (14:10 +0200)]
Update documentation of watcher and RAPI daemon

.. to reflect the relationship between the RAPI daemon's
-b option and the watcher's --rapi-ip option.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Watcher: add option for setting RAPI IP
Helga Velroyen [Thu, 2 Jul 2015 11:38:17 +0000 (13:38 +0200)]
Watcher: add option for setting RAPI IP

Per default, the RAPI daemon binds to 0.0.0.0 when being
started. This means it serves from any IP the machine is
configured for. This works well together with the watcher
which always polls the RAPI daemons on 127.0.0.1 and
restarts it when it is not reachable.

If a user decides to start the RAPI daemon with a particular
IP other than 127.0.0.1 (using the option -b, for example
set in /etc/default/ganeti), RAPI will only serve from that
IP and thus it will not be reachable from 127.0.0.1. Since
the watcher only polls on this IP, it will inevitably fail
to connect to the RAPI daemon and thus restart it every five
minutes.

To solve this, this patch adds an option --rapi-ip to the
watcher. Whenever -b of the RAPI daemon is set, the watcher
needs to be fed the same IP with --rapi-ip (which means
editing /etc/cron.d/ganeti for example). This is not optimal
regarding user experience (as it is easy to forget one of
the two places), but the alternative would be to make this
a ganeti configuration parameter which is fed to both, RAPI
daemon and watcher, but this would be significantly more
effort for this relatively rarely used feature.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago When connecting to Metad fails, log the full stack trace
Petr Pudlak [Thu, 2 Jul 2015 13:27:13 +0000 (15:27 +0200)]
When connecting to Metad fails, log the full stack trace

Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Helga Velroyen <helgav@google.com>

5 years ago Set up the Metad client with allow_non_master
Petr Pudlak [Thu, 2 Jul 2015 13:11:00 +0000 (15:11 +0200)]
Set up the Metad client with allow_non_master

.. since the communication takes place on non-master nodes.

This ensures the client properly retries if there is a communication
failure.

Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Helga Velroyen <helgav@google.com>

5 years ago Set up the configuration client properly on non-masters
Petr Pudlak [Thu, 2 Jul 2015 09:29:28 +0000 (11:29 +0200)]
Set up the configuration client properly on non-masters

If the configuration client is opened in the 'accept_foreign' mode,
meaning it is running on a non-master node temporarily, the option
needs to be propagated to the RPC client as well.

This fixes issue #1115.

Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Helga Velroyen <helgav@google.com>

5 years ago Add the 'allow_non_master' option to the WConfd RPC client
Petr Pudlak [Thu, 2 Jul 2015 09:28:41 +0000 (11:28 +0200)]
Add the 'allow_non_master' option to the WConfd RPC client

While at it, fix the call to the AbstractStubClient to properly pass the
keyword arguments.

Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Helga Velroyen <helgav@google.com>

5 years ago Add the option to disable master checks to the RPC client
Petr Pudlak [Thu, 2 Jul 2015 09:26:18 +0000 (11:26 +0200)]
Add the option to disable master checks to the RPC client

The option is propagated to the Transport class and allows to disable
checks for the master node, if the client is run on a different node on
purpose.

While at it, fix the documentation for the arguments of the constructors
of the classes.

Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Helga Velroyen <helgav@google.com>

5 years ago Add 'allow_non_master' to the Luxi test transport class too
Petr Pudlak [Thu, 2 Jul 2015 11:51:34 +0000 (13:51 +0200)]
Add 'allow_non_master' to the Luxi test transport class too

Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Helga Velroyen <helgav@google.com>

5 years ago Add 'allow_non_master' to FdTransport for compatibility
Petr Pudlak [Thu, 2 Jul 2015 09:27:13 +0000 (11:27 +0200)]
Add 'allow_non_master' to FdTransport for compatibility

Since it serves as an alternative to the Transport class, it should
support the same constructor options, even if it doesn't use them.

Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Helga Velroyen <helgav@google.com>

5 years ago Properly document all constructor arguments of Transport
Petr Pudlak [Thu, 2 Jul 2015 09:58:02 +0000 (11:58 +0200)]
Properly document all constructor arguments of Transport

.. while documenting allow_non_master.

Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Helga Velroyen <helgav@google.com>

5 years ago Allow the Transport class to be used for non-master nodes
Petr Pudlak [Fri, 5 Jun 2015 12:13:48 +0000 (14:13 +0200)]
Allow the Transport class to be used for non-master nodes

If a communication failure occurred and the caller was not running on
the master node, Transport assumed that this itself was the cause of
the error condition.

However, for communication with the metadata daemon we need to support
non-master nodes as well.

Add a parameter that allows to use the class on non-master nodes.

Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Helga Velroyen <helgav@google.com>

Cherry-picked-from: ade70feb258a57ae0565395ba48ac2b3ef02b1c0
Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Helga Velroyen <helgav@google.com>

5 years ago Don't define the set of all daemons twice
Klaus Aehlig [Tue, 30 Jun 2015 15:20:33 +0000 (17:20 +0200)]
Don't define the set of all daemons twice

Currently, we have two places where we define the
list of all Ganeti daemons: the type GanetiDaemon
in Ganeti.Runtime and the constant daemons
in Ganeti.Constants. Avoid this duplication by
using Bounded GanetiDaemons and Enum GanetiDaemons.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Helga Velroyen <helgav@google.com>

5 years ago Merge branch 'stable-2.11' into stable-2.12
Petr Pudlak [Mon, 29 Jun 2015 13:33:39 +0000 (15:33 +0200)]
Merge branch 'stable-2.11' into stable-2.12

* stable-2.11
  Downgrade log-message for rereading job
  Downgrade log-level for successful requests

Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Downgrade log-message for rereading job
Klaus Aehlig [Mon, 29 Jun 2015 09:34:13 +0000 (11:34 +0200)]
Downgrade log-message for rereading job

The fact that luxid is rereading a job file because it has
changed on disk is mainly of internal interest for debugging.
Hence downgrade the log-level accordingly.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Downgrade log-level for successful requests
Klaus Aehlig [Mon, 29 Jun 2015 09:30:13 +0000 (11:30 +0200)]
Downgrade log-level for successful requests

Originally, only queries used to be served by haskell daemons
over domain sockets. As they were not too frequent, it was OK
to log each of them at INFO level. However, with requests as
frequent as WaitForJobChange served via luxid, logs fill up
too quickly. So log at debug level only.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Update design doc with solution for Issue 1094
Helga Velroyen [Tue, 2 Jun 2015 11:52:25 +0000 (13:52 +0200)]
Update design doc with solution for Issue 1094

Fixing issue 1094 unfortunately will result in a bigger
change. This change is big enough to be documented in
the node-security design doc.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Prevent multiple communication nics for one instance
Lisa Velden [Tue, 23 Jun 2015 15:16:42 +0000 (17:16 +0200)]
Prevent multiple communication nics for one instance

Check if a nic name is already in the list of all nics before adding it.
Expand the instance name before that check to ensure that we are always
checking for the correct name.

Signed-off-by: Lisa Velden <velden@google.com>
Reviewed-by: Hrvoje Ribicic <riba@google.com>

5 years ago Remove outdated reference to ganeti-masterd
Klaus Aehlig [Mon, 22 Jun 2015 16:24:38 +0000 (16:24 +0000)]
Remove outdated reference to ganeti-masterd

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Update ganeti-luxid man page
Klaus Aehlig [Mon, 22 Jun 2015 16:21:52 +0000 (18:21 +0200)]
Update ganeti-luxid man page

The luxid has taken over more tasks than just queries. Also, remove
outdated references to masterd and split-queries.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Add a man page for ganeti-wconfd
Klaus Aehlig [Mon, 22 Jun 2015 15:50:43 +0000 (17:50 +0200)]
Add a man page for ganeti-wconfd

This daemon was added with the jobs-as-processes refactoring,
but a man page has not been added so far. Do this now.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Make htools tolerate missing "dtotal" and "dfree" on luxi
Klaus Aehlig [Tue, 16 Jun 2015 09:15:48 +0000 (11:15 +0200)]
Make htools tolerate missing "dtotal" and "dfree" on luxi

If a cluster allows sharedfile as only disk template, the amount of
total and free disk space might not be available. This is perfectly
normal, hence make the luxi backend handle it gracefully and just report
0 available disk on 0 total disk.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

Cherry-picked-from: 49644203823562de0945de3feca5dfaa0cc2dc9c
Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Hrvoje Ribicic <riba@google.com>

5 years ago Get QuickCheck 2.7 compatibility
Klaus Aehlig [Mon, 1 Jun 2015 11:00:29 +0000 (13:00 +0200)]
Get QuickCheck 2.7 compatibility

Replace deprecated `printTestCase` by its replacement `counterexample`.
Note that commit 077c415a added a CPP-guarded fallback for QuickCheck < 2.7.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

Cherry-picked-from: 693db8a9e7a3e3b855350b9f558251bce1718d07
Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago TestCommon: Fix QuickCheck import warnings
Niklas Hambuechen [Tue, 2 Dec 2014 14:22:03 +0000 (15:22 +0100)]
TestCommon: Fix QuickCheck import warnings

This only appears on systems with QuickCheck >= 2.7.

For TestCommon, it happens because the QC qualified name is only used
in the conditional section.
Fixed by making the import conditional as well.

For Statistics, the `Test.Ganeti.TestCommon` import was not necessary
for QC 2.7 because there `Test.QuickCheck` already provides `counterexample`.
Fixed by giving an import list for `Test.QuickCheck`.

Signed-off-by: Niklas Hambuechen <niklash@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

Cherry-picked-from: 53bec60146dd49339e1315bfad7884ae89cd39d9
Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Full QuickCheck 2.7 compatibility
Niklas Hambuechen [Fri, 7 Nov 2014 23:51:34 +0000 (00:51 +0100)]
Full QuickCheck 2.7 compatibility

This renames the deprecated `printTestCase` to its replacement
`counterexample`, and provides a CPP-guarded fallback for QuickCheck < 2.7.

Signed-off-by: Niklas Hambuechen <niklash@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

Conflicts:
test/hs/Test/Ganeti/JQScheduler.hs
          - removed file not present in 2.12
test/hs/Test/Ganeti/SlotMap.hs
          - removed file not present in 2.12

Cherry-picked-from: 077c415a09f8c381ce788ebe6c065d8ccab60564
Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Add a CPP macro for checking the version of QuickCheck
Petr Pudlak [Mon, 22 Jun 2015 12:41:07 +0000 (14:41 +0200)]
Add a CPP macro for checking the version of QuickCheck

.. to TestCommon as a preparation for cherry-picking changes that
need it.

The macro and the version detection will be removed in 2.14 where the
functionality is replaced with cabal.

Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago QuickCheck 2.7 compatibility
Niklas Hambuechen [Fri, 7 Nov 2014 22:48:46 +0000 (23:48 +0100)]
QuickCheck 2.7 compatibility

This makes our tests compile without errors with QuickCheck 2.7.
Warnings about the deprecation of printTestCase remain when using 2.7.

This change is backwards-compatible with all older versions of QuickCheck
that we support.

In 2.7, Property is no longer a monad, but remains a `Gen Prop` inside,
so that we only have to use combinations of `property` and `return`
to become compatible.

See
  https://hackage.haskell.org/package/QuickCheck-2.7.6/changelog

Further, in QuickCheck 2.7, Positive/NonZero/NonNegative are no longer
instances of `Integral` (NonNegative could likely still be one, see
https://github.com/nick8325/quickcheck/issues/31).
Consequently we cannot create them using `fromIntegral` any more,
and switch to `fromEnum` instead, which also is backwards-compatible.

Signed-off-by: Niklas Hambuechen <niklash@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

Conflicts:
test/hs/Test/Ganeti/JQScheduler.hs - removed file not present in
          2.12

Cherry-picked-from: 4320ba1dcfe49b659abbc46a6cf37e6a4db66f22
Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Fix name of filter-evaluation function
Klaus Aehlig [Fri, 19 Jun 2015 11:13:39 +0000 (13:13 +0200)]
Fix name of filter-evaluation function

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Call the filter again with runtime data this time
BSRK Aditya [Fri, 19 Jun 2015 10:19:52 +0000 (12:19 +0200)]
Call the filter again with runtime data this time

genericQuery filters objects without runtime data first.
We need to filter the objects again, this time with runtime data.

This fixes issue 1100.

Signed-off-by: BSRK Aditya <bsrk@google.com>
Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Fix user and group ordering in test
Hrvoje Ribicic [Mon, 15 Jun 2015 16:45:18 +0000 (18:45 +0200)]
Fix user and group ordering in test

One of our Haskell tests asserts that the Python and Haskell user and
group constants match. This patch fixes the order in which the mock
Python code outputs the users and groups to match the order of the
Haskell-side enumeration.

Signed-off-by: Hrvoje Ribicic <riba@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Fix tests for setting (shared) file storage directory
Petr Pudlak [Wed, 10 Jun 2015 09:10:01 +0000 (11:10 +0200)]
Fix tests for setting (shared) file storage directory

- Fix the test for setting file_storage_dir, which didn't check if the
  value was really set.
- Add tests for shared_file_storage_dir, which were missing completely.

Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Helga Velroyen <helgav@google.com>

5 years ago Add missing call for setting shared file storage directory
Petr Pudlak [Wed, 10 Jun 2015 09:20:35 +0000 (11:20 +0200)]
Add missing call for setting shared file storage directory

With the call missing, it wasn't possible to change the directory after
cluster initialization. Fixes #1101.

Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Helga Velroyen <helgav@google.com>

5 years ago Update ganeti-luxid synopsis
Klaus Aehlig [Wed, 10 Jun 2015 09:31:31 +0000 (11:31 +0200)]
Update ganeti-luxid synopsis

The options --syslog, --no-user-checks, --no-voting,
and --yes-do-it were already described in the description.
Add them to the synopsis as well.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Update ganeti-mond synopsis
Klaus Aehlig [Wed, 10 Jun 2015 09:23:42 +0000 (11:23 +0200)]
Update ganeti-mond synopsis

The -b option was already described in the description of the daemon,
add it to the synopsis as well. While there, sort the synopsis to
reflect the order in which the options are described; this is also
consistent with the argument order in the synopsis of other Ganeti
daemons.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Update ganeti-confd synopsis
Klaus Aehlig [Wed, 10 Jun 2015 09:17:24 +0000 (11:17 +0200)]
Update ganeti-confd synopsis

The options -p, -b, --syslog, and --no-user-check were already described
in the description; add them to the synopsis as well.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Update copyright statement
Klaus Aehlig [Tue, 2 Jun 2015 11:50:24 +0000 (13:50 +0200)]
Update copyright statement

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Merge branch 'stable-2.11' into stable-2.12
Klaus Aehlig [Mon, 1 Jun 2015 08:47:09 +0000 (10:47 +0200)]
Merge branch 'stable-2.11' into stable-2.12

* stable-2.11
  (no changes)

* stable-2.10
  Substitute 'suffix' for 'revision'

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Helga Velroyen <helgav@google.com>

5 years ago Make WConfD's updateLocksWaiting safe
Klaus Aehlig [Thu, 28 May 2015 10:14:25 +0000 (12:14 +0200)]
Make WConfD's updateLocksWaiting safe

...so that the implicit retry on connection failure
is handled gracefully.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Tests specifying safeUpdateLocksWaiting
Klaus Aehlig [Fri, 29 May 2015 16:27:19 +0000 (18:27 +0200)]
Tests specifying safeUpdateLocksWaiting

Add tests that verify the defining properties of safeUpdateLocksWaiting.

1.) If the state contains no pending request by the requester, then
    updateLocksWaiting and safeUpdateLocksWaiting coincide.

2.) safeUpdateLocksWaiting is idempotent on all states.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Provide a repeatable version of updateLocksWaiting
Klaus Aehlig [Thu, 28 May 2015 09:24:55 +0000 (11:24 +0200)]
Provide a repeatable version of updateLocksWaiting

With our timeouts on connections, we have to deal with connections
being interrupted at any time. Therefore, we provide a repeatable
version of updateLocksWaiting that gracefully ignores requests that
have already been recorded.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Verify that updateLocks is idempotent
Klaus Aehlig [Fri, 29 May 2015 16:24:39 +0000 (18:24 +0200)]
Verify that updateLocks is idempotent

...so that it can be repeated, if necessary.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Always accept no-op requests
Klaus Aehlig [Thu, 28 May 2015 15:53:42 +0000 (17:53 +0200)]
Always accept no-op requests

In order to have update requests repeatable, always
accept requests that do not require any change to the
state. Note that this is not implied by the current
definition, as the request might ask for two locks at
different levels, and thus the repetition would violate
lock order.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Allow unconditional failovers off offline nodes
Klaus Aehlig [Fri, 29 May 2015 15:50:43 +0000 (17:50 +0200)]
Allow unconditional failovers off offline nodes

Normally, we should not place instances on nodes that do
not have enough disks. However, there is one exception: if
we failover an instance from an offline node, that node can
well be secondary of that instance---the fact that it is currently
primary proves it has enough disk space. The reason why we have
to handle that case specially is that if a node is offline, we sometimes
cannot determine the amount of disk available, hence the conservative
estimation is 0.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Hrvoje Ribicic <riba@google.com>

5 years ago Merge branch 'stable-2.10' into stable-2.11
Hrvoje Ribicic [Fri, 29 May 2015 15:45:34 +0000 (17:45 +0200)]
Merge branch 'stable-2.10' into stable-2.11

* stable-2.10
  Substitute 'suffix' for 'revision'

Signed-off-by: Hrvoje Ribicic <riba@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Remove now unused variable
Klaus Aehlig [Wed, 27 May 2015 16:31:16 +0000 (18:31 +0200)]
Remove now unused variable

Avoiding lint errors on the one hand, and code complexity
on the other.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Hrvoje Ribicic <riba@google.com>

5 years ago Fix bug in ssconf comparison, disable it for vcluster
Helga Velroyen [Wed, 27 May 2015 12:49:16 +0000 (14:49 +0200)]
Fix bug in ssconf comparison, disable it for vcluster

This patch fixes a bug in the comparison of the
'ssconf_master_candidate_certs' and disables the test
for vcluster.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Hrvoje Ribicic <riba@google.com>

5 years ago QA: test renewing the cluster certificate only
Helga Velroyen [Fri, 22 May 2015 12:41:33 +0000 (14:41 +0200)]
QA: test renewing the cluster certificate only

Currently, there is no test for just running renew-crypto
to only renew the cluster certificate (and not the node
certificates). This patch adds the test.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago QA: Assert equality of ssconf_master_candidate_certs
Helga Velroyen [Fri, 22 May 2015 12:39:59 +0000 (14:39 +0200)]
QA: Assert equality of ssconf_master_candidate_certs

In order to hunt down some flakiness, this patch adds
an additional check to the QA of renew-crypto to ensure
the state of ssconf_master_candidate_certs.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago QA: Add more verify steps in renew crypto QA
Helga Velroyen [Fri, 22 May 2015 09:20:05 +0000 (11:20 +0200)]
QA: Add more verify steps in renew crypto QA

Currently the cluster is only verified after a series of
renew-crypto operations is carried out. This makes it hard
to trace errors back to the originating call. This patch adds
a verification step after each renew-crypto call.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Substitute 'suffix' for 'revision'
Lisa Velden [Tue, 19 May 2015 11:36:54 +0000 (13:36 +0200)]
Substitute 'suffix' for 'revision'

Signed-off-by: Lisa Velden <velden@google.com>
Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Add a unit test for the Gluster storage type
Dimitris Bliablias [Mon, 18 May 2015 13:01:52 +0000 (15:01 +0200)]
Add a unit test for the Gluster storage type

This patch extends the 'ganeti.utils.storage_unittest.py' unit test
with a new test for the Gluster storage type. Also, the current unit
tests are updated accordingly to correspond to the latest changes.

Signed-off-by: Dimitris Bliablias <bl.dimitris@gmail.com>
Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

Cherry-picked from 42fdf9d0d79fb84796ad40ff6eb8c95e3206263e

Signed-off-by: Lisa Velden <velden@google.com>
Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Add missing Gluster storage verification checks
Dimitris Bliablias [Mon, 18 May 2015 13:01:47 +0000 (15:01 +0200)]
Add missing Gluster storage verification checks

This patch extends the file-based storage type verification checks to
include the new Gluster storage type. Those modifications include a
missing check for the gluster storage directory at cluster
initialization time, and extends the 'gnt-cluster verify' command to
also verify the gluster file-storage path.

Signed-off-by: Dimitris Bliablias <bl.dimitris@gmail.com>
Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

Cherry-picked from 604c8be2596195d94efcd96f286542f74912b2e5

Signed-off-by: Lisa Velden <velden@google.com>
Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Add Gluster type to the node storage reporting set
Dimitris Bliablias [Mon, 18 May 2015 13:01:43 +0000 (15:01 +0200)]
Add Gluster type to the node storage reporting set

This patch adds the 'gluster' storage type to the set of storage types
for which full node storage reporting is available. This set is used by
the 'LUNodeQueryStorage' logical unit for getting information on storage
units on node(s).

Signed-off-by: Dimitris Bliablias <bl.dimitris@gmail.com>
Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

Cherry-picked from 7ec471851400cd878322712309ef996582df02f1

Signed-off-by: Lisa Velden <velden@google.com>
Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Introduce the Gluster storage type
Dimitris Bliablias [Mon, 18 May 2015 13:01:36 +0000 (15:01 +0200)]
Introduce the Gluster storage type

Currently, the 'gluster' and 'sharedfile' disk templates are both mapped
to the Shared File storage type. This compromise causes the Gluster block
devices to be interpreted in the config as 'sharedfile' devices, instead
of 'gluster', and subsequently to be wrongly handled as Shared File
disks. This behavior currently makes the 'gluster' disk template not
functional.

This patch fixes this issue by introducing the Gluster storage type,
which will be exclusively used by the 'gluster' disk template.

Signed-off-by: Dimitris Bliablias <bl.dimitris@gmail.com>
Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

Cherry-picked from ba550291df12b129f843581c098b3896023e7d33

Signed-off-by: Lisa Velden <velden@google.com>
Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Merge branch 'stable-2.11' into stable-2.12
Klaus Aehlig [Mon, 18 May 2015 12:12:55 +0000 (14:12 +0200)]
Merge branch 'stable-2.11' into stable-2.12

* stable-2.11
  (no changes)

* stable-2.10
  Check for gnt-cluster before running gnt-cluster upgrade

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Merge branch 'stable-2.10' into stable-2.11
Klaus Aehlig [Mon, 18 May 2015 08:09:13 +0000 (10:09 +0200)]
Merge branch 'stable-2.10' into stable-2.11

* stable-2.10
  Check for gnt-cluster before running gnt-cluster upgrade

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Make xend-config.sxp optional
Hrvoje Ribicic [Wed, 13 May 2015 12:24:42 +0000 (12:24 +0000)]
Make xend-config.sxp optional

With Ganeti imposing no requirement on Xen versions, the configuration
file that should be present varies greatly on the choice of toolstack
and Xen version. xend-config.sxp was considered obligatory, but in
higher versions and with xl, it is superseded by xl.conf and considered
deprecated. This patch makes it have the same status as xl.conf - Ganeti
will distribute it but not require its presence.

Signed-off-by: Hrvoje Ribicic <riba@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Check for gnt-cluster before running gnt-cluster upgrade
Christos Trochalakis [Tue, 12 May 2015 19:24:10 +0000 (22:24 +0300)]
Check for gnt-cluster before running gnt-cluster upgrade

When ganeti is removed (not purged) `/etc/cron.d/ganeti` is not deleted,
thus after a reboot cron tries to execute gnt-cluster upgrade and fails.

The same pattern is used on all other cron entries.

Signed-off-by: Christos Trochalakis <christos@skroutz.gr>
Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Revision bump to 2.12.4 v2.12.4
Petr Pudlak [Tue, 12 May 2015 11:19:18 +0000 (13:19 +0200)]
Revision bump to 2.12.4

Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Hrvoje Ribicic <riba@google.com>

5 years ago Update NEWS for 2.12.4
Petr Pudlak [Tue, 12 May 2015 11:18:17 +0000 (13:18 +0200)]
Update NEWS for 2.12.4

.. with the latest bugfixes and known issues

Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Hrvoje Ribicic <riba@google.com>

5 years ago Ignore *.dyn* files generated by GHC 7.8
Petr Pudlak [Tue, 12 May 2015 08:50:29 +0000 (10:50 +0200)]
Ignore *.dyn* files generated by GHC 7.8

Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Replace HFLAGS_NOPROF with HFLAGS_DYNAMIC in the Makefile
Petr Pudlak [Tue, 12 May 2015 08:48:52 +0000 (10:48 +0200)]
Replace HFLAGS_NOPROF with HFLAGS_DYNAMIC in the Makefile

After cherry-picking the changes needed for GHC7.8, the former isn't
used any more.

Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Expand orphan volume test
Hrvoje Ribicic [Thu, 7 May 2015 15:35:38 +0000 (15:35 +0000)]
Expand orphan volume test

to ensure we are not reporting stray volumes on other VGs as orphans.

Signed-off-by: Hrvoje Ribicic <riba@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Restrict Ganeti's orphan volume checks to the single VG
Hrvoje Ribicic [Wed, 6 May 2015 17:17:53 +0000 (17:17 +0000)]
Restrict Ganeti's orphan volume checks to the single VG

Prior to patch eeda588292, Ganeti checked all the LVs on nodes under
its control, and dutifully declared any stray volumes as orphans in
warnings emitted during cluster-verify. After the patch, the nodes
returned information related only to the LV set as *the* Ganeti VG,
bypassing this problem.

Unfortunately, this led Ganeti to report the disks of instances created
on a different VG as non-existent. This patch fixes things by reverting
patch eeda588292 and making Ganeti warn about orphan volumes only if
they belong to the Ganeti-administered VG.

Signed-off-by: Hrvoje Ribicic <riba@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Modify UDS server startup to set permissions for sockets
Hrvoje Ribicic [Wed, 6 May 2015 15:55:02 +0000 (15:55 +0000)]
Modify UDS server startup to set permissions for sockets

When opening domain sockets for communication, the Haskell daemons did
not set any permissions for the sockets, defaulting to 0700. This was
fine when all of them ran as root, but was bound to cause trouble in a
split-user setup. The first issue is RAPI access after master-failover,
where RAPI could not make any inquiries until the watcher restored
the desired permissions of the socket.

This patch modifies Luxid to use a g+rw socket, and leaves other servers
to their default of 0600.

Signed-off-by: Hrvoje Ribicic <riba@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>
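
The practice this commit describes (giving each Unix domain socket an explicit mode instead of inheriting a default) can be sketched as follows. This is an added example, not Ganeti's code: the helper names and the `query.sock` / `private.sock` paths are hypothetical, and the modes 0660 and 0600 are chosen to match the "g+rw" and owner-only cases in the message.

```python
import os
import socket
import stat
import tempfile


def bind_uds(path, mode, gid=None):
    """Bind a listening Unix domain socket and set its mode explicitly."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    # bind() creates the file as 0777 & ~umask, so tighten the umask first:
    # the socket starts owner-only and is never briefly wider than intended.
    old_umask = os.umask(0o177)
    try:
        srv.bind(path)
        if gid is not None:
            os.chown(path, -1, gid)   # hand the socket to the client's group
        os.chmod(path, mode)          # e.g. 0o660 for a g+rw socket
        srv.listen(5)
    except OSError:
        srv.close()
        raise
    finally:
        os.umask(old_umask)
    return srv


def socket_mode(path):
    """Return the permission bits of a socket file; reject non-sockets."""
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError("%s is not a socket" % path)
    return stat.S_IMODE(st.st_mode)


def audit(expected):
    """Map each path whose mode differs from the wanted one to (actual, wanted)."""
    return {p: (socket_mode(p), want) for p, want in expected.items()
            if socket_mode(p) != want}


def demo():
    """Constructed scenario: one group-accessible socket, one owner-only."""
    tmp = tempfile.mkdtemp()
    wanted = {os.path.join(tmp, "query.sock"): 0o660,
              os.path.join(tmp, "private.sock"): 0o600}
    servers = [bind_uds(p, m) for p, m in wanted.items()]
    clean = audit(wanted)
    os.chmod(os.path.join(tmp, "private.sock"), 0o666)  # simulate drift
    drifted = audit(wanted)
    for s in servers:
        s.close()
    return clean, drifted


if __name__ == "__main__":
    print(demo())
```

On Linux a client needs write permission on the socket file to connect, which is why a split-user setup needs the group bits on exactly the sockets that other users must reach.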

5 years ago Add wheezy chroot files to gitignore file
Lisa Velden [Thu, 7 May 2015 12:05:43 +0000 (14:05 +0200)]
Add wheezy chroot files to gitignore file

Signed-off-by: Lisa Velden <velden@google.com>
Reviewed-by: Hrvoje Ribicic <riba@google.com>

5 years ago Makefile.am: Don't use -dynamic-too for .hpc_o files
Niklas Hambuechen [Mon, 3 Nov 2014 18:35:39 +0000 (19:35 +0100)]
Makefile.am: Don't use -dynamic-too for .hpc_o files

It turns out that GHC 7.8's -dynamic-too is forbidden not only for
profiling builds object files, but also for those using HPC coverage.

This commit accordingly renames HFLAGS_NOPROF to HFLAGS_DYNAMIC
(since it now is not conditional on profiling any more),
and makes sure that it is not used for profiling or HPC.

This way we achieve that, for profiling+coverage builds
  - .dyn_o files are available for use in TH in the following 3 cases
  - .o files are for the normal binaries
  - .hpc_o files are for coverage-enabled test binaries
  - .prof_o files are for profiling binaries

We make .hpc_o files depend on the .o files because the creation of
the .o files will also create the .so files needed for TH.
This was already in place for .prof_o files.

This requires that HFLAGS now also contains `-itest/hs` since
the rule for .o files is now also responsible for building .o/.so files
in test/hs.

Signed-off-by: Niklas Hambuechen <niklash@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

Cherry-picked-from: 1ad14f3
Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Makefile.am: Don't use dots in -osuf
Niklas Hambuechen [Mon, 3 Nov 2014 15:18:42 +0000 (16:18 +0100)]
Makefile.am: Don't use dots in -osuf

This fixes
  ./configure --enable-haskell-tests && make hs-tests
builds on GHC 7.8.

It changes `-osuf .ext` to `-osuf ext`; the old form was allowed in
GHC <= 7.6, but GHC 7.8 seems to have problems with it:
  https://ghc.haskell.org/trac/ghc/ticket/9760

The form without dot works in all GHC versions, and we don't have
dots in other -osuf arguments in the same file either, so this
was probably an accident.

Signed-off-by: Niklas Hambuechen <niklash@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

Cherry-picked-from: 9664aff
Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Fix compiler invocation for GHC >= 7.8
Niklas Hambuechen [Mon, 3 Nov 2014 11:14:09 +0000 (12:14 +0100)]
Fix compiler invocation for GHC >= 7.8

GHC 7.8 switched to dynamic linking being used for ghci, which requires
that .so files are being built for modules that are loaded for TH.

For this reason, GHC >= 7.8 has a -dynamic-too flag, which we now use.

However, -dynamic-too must not be enabled for profiling builds,
which is why this commit introduces a HFLAGS_NOPROF variable
(currently only containing -dynamic-too) that must be passed to
all GHC invocations that are not creating profiling output.

Signed-off-by: Niklas Hambuechen <niklash@google.com>
Reviewed-by: Hrvoje Ribicic <riba@google.com>

Cherry-picked-from: 083776b
Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Makefile.am: Fix wrong -dep-suffix for GHC 7.8
Niklas Hambuechen [Fri, 31 Oct 2014 15:40:27 +0000 (16:40 +0100)]
Makefile.am: Fix wrong -dep-suffix for GHC 7.8

This works around https://ghc.haskell.org/trac/ghc/ticket/9749:

GHC 7.8 (undocumentedly) changed the way in which ghc -M generated
object file dependencies, lacking the underscore that older versions
added automatically to the file names.
It also requires a -dep-suffix for the plain object file (.o).

This commit detects GHC 7.6 and older (7.7 is development only, has no
release and is treated equal to 7.8), and adjusts the -M invocation
appropriately for newer GHC versions.

Signed-off-by: Niklas Hambuechen <niklash@google.com>
Reviewed-by: Hrvoje Ribicic <riba@google.com>

Cherry-picked-from: b78a2c3
Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Only upgrade configs not upgraded
Klaus Aehlig [Wed, 6 May 2015 10:16:53 +0000 (12:16 +0200)]
Only upgrade configs not upgraded

Whenever we set a configuration, we also upgrade it.
In particular, there is no need for an unconditional upgrade;
so avoid upgrading the configuration over and over again
if it did not change.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Only unlock config if we did lock it
Klaus Aehlig [Mon, 3 Nov 2014 19:27:45 +0000 (20:27 +0100)]
Only unlock config if we did lock it

We only acquired a config lock if it was not shared in order
to have lock-free reads. Hence, only release the config lock
if we actually acquired it.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Niklas Hambuechen <niklash@google.com>

Cherry-picked-from: 35056743
Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Hrvoje Ribicic <riba@google.com>

5 years ago Mention preferred DRBD module settings when using Xen
Hrvoje Ribicic [Tue, 5 May 2015 09:18:29 +0000 (09:18 +0000)]
Mention preferred DRBD module settings when using Xen

Add a mention into the install file, and provide a link to the official
DRBD documentation.

Signed-off-by: Hrvoje Ribicic <riba@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Avoid assertIn
Klaus Aehlig [Tue, 5 May 2015 07:23:23 +0000 (09:23 +0200)]
Avoid assertIn

...as we still support python versions older than the introduction
of assertIn.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Test presence of public and private parameters
Lisa Velden [Mon, 4 May 2015 15:32:27 +0000 (17:32 +0200)]
Test presence of public and private parameters

Make sure that there is an environment variable for each parameter
with the correct value.

Signed-off-by: Lisa Velden <velden@google.com>
Reviewed-by: Hrvoje Ribicic <riba@google.com>

5 years ago Put private parameters into the environment
Lisa Velden [Thu, 23 Apr 2015 14:49:22 +0000 (16:49 +0200)]
Put private parameters into the environment

and unobscure them

Signed-off-by: Lisa Velden <velden@google.com>
Reviewed-by: Hrvoje Ribicic <riba@google.com>

5 years ago Always close pipe on job forking
Klaus Aehlig [Mon, 4 May 2015 12:54:29 +0000 (14:54 +0200)]
Always close pipe on job forking

...even if the initial hand shake succeeded.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Clean up pipes early on failed forks
Klaus Aehlig [Mon, 4 May 2015 12:43:52 +0000 (14:43 +0200)]
Clean up pipes early on failed forks

...so that we do not accumulate open file descriptors.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>

5 years ago Revision bump to 2.12.3 v2.12.3
Petr Pudlak [Tue, 28 Apr 2015 15:11:56 +0000 (17:11 +0200)]
Revision bump to 2.12.3

Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Helga Velroyen <helgav@google.com>

5 years ago Update NEWS for 2.12.3
Petr Pudlak [Tue, 28 Apr 2015 15:09:15 +0000 (17:09 +0200)]
Update NEWS for 2.12.3

.. with the latest bugfixes and known issues.

Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Helga Velroyen <helgav@google.com>

5 years ago When assigning UUIDs to disks, do so recursively
Klaus Aehlig [Thu, 23 Apr 2015 11:31:27 +0000 (13:31 +0200)]
When assigning UUIDs to disks, do so recursively

Old versions of Ganeti (in particular, 2.5 and earlier) did not
have UUIDs assigned to objects. If we happen to find such an old
configuration, we assign UUIDs now, during the upgrade. However,
we must do this recursively, as disks might have children. Note
that before Ganeti 2.12 this didn't matter, as the UUIDs of the
children were never used or enforced. With the strict type checking
introduced by the switch to Haskell, we have to care about those
little details.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Hrvoje Ribicic <riba@google.com>

5 years ago Fix sample 2.11 configuration
Klaus Aehlig [Thu, 23 Apr 2015 12:21:47 +0000 (14:21 +0200)]
Fix sample 2.11 configuration

In 2.11, children disks have UUIDs, too.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Hrvoje Ribicic <riba@google.com>

5 years ago Include hypervisor parameters in SSConf
Petr Pudlak [Wed, 22 Apr 2015 17:09:47 +0000 (19:09 +0200)]
Include hypervisor parameters in SSConf

This was omitted after the refactoring of SSConf to Haskell, now being
added. Fixes #1073.

Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Add SSConf keys for hypervisor parameters
Petr Pudlak [Wed, 22 Apr 2015 15:48:27 +0000 (17:48 +0200)]
Add SSConf keys for hypervisor parameters

.. and a function for converting hypervisor types to the keys.

Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Use Hypervisor as the key in ClusterHvParams
Petr Pudlak [Wed, 22 Apr 2015 11:10:29 +0000 (13:10 +0200)]
Use Hypervisor as the key in ClusterHvParams

.. instead of String. This imposes a type-level restriction that the
keys of the map are just hypervisor names.

Note about 'Arbitrary GroupDiskParams': Since GroupDiskParams and
ClusterHvParams were both synonyms for 'Container (Container JSValue)',
the Arbitrary instance worked for both. After fixing the type of
ClusterHvParams, its instance became different from GroupDiskParams,
hence the latter needs the addition.

Signed-off-by: Petr Pudlak <pudlak@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

5 years ago Re-remove final config update in renew-crypto
Klaus Aehlig [Mon, 20 Apr 2015 14:43:38 +0000 (16:43 +0200)]
Re-remove final config update in renew-crypto

...as it was accidentally re-added in the merge.

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Helga Velroyen <helgav@google.com>

5 years ago Merge branch 'stable-2.11' into stable-2.12
Klaus Aehlig [Mon, 20 Apr 2015 13:10:48 +0000 (15:10 +0200)]
Merge branch 'stable-2.11' into stable-2.12

* stable-2.11
  Update configure file to version 2.11.7
  Update NEWS file for 2.11.7 release
  Add logging to RenewCrypto
  Fix format string for gnt-network info
  Replace textwrapper.wrap by a custom version for networks
  Add SSL improvements to NEWS file

* stable-2.10
  Update tag limitations
  Fix typos in doc/design-storagetypes.rst
  Make getFQDN prefer cluster protocol family
  Add version of getFQDN accepting preferences
  Make getFQDN honor vcluster

Conflicts:
NEWS: take all release entries
configure.ac: ignore revision bump
lib/cmdlib/cluster.py: manually apply 2.11 changes to 2.12
src/Ganeti/Daemon.hs: trivial

Signed-off-by: Klaus Aehlig <aehlig@google.com>
Reviewed-by: Petr Pudlak <pudlak@google.com>