
#!/bin/sh
# Stop the maintainer script as soon as a command fails. Failures that are
# handled explicitly ('|| true', commands used as conditions) do not abort it.
set -o errexit
# This script is called as the last step of the installation of the package.
# All the package's files are in place, dpkg has already done its automatic
# conffile handling, and all the packages we depend on are already fully
# installed and configured.
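# Adjust /etc/lvm/lvm.conf so that LVM does not scan ZFS zvols, Ceph rbds or
# logical volumes: sets devices/global_filter and devices/scan_lvs=0. The file
# is backed up before it is edited and checked with 'lvmconfig --validate'
# afterwards.
#
# Arguments: $1 - optional; non-empty applies the changes even when the
#                 pve-manager marker is already present
# Globals:   LVM_CONF_MARKER, OLD_VALUE, NEW_VALUE (written),
#            LVM_SUPPRESS_FD_WARNINGS (exported)
set_lvm_conf() {
    local FORCE="$1"
    # Per-call state. This function is called more than once from the
    # 'configure' branch, so these must neither leak from one call into the
    # next nor be inherited from the environment.
    local SET_FILTER=""
    local SET_SCAN_LVS=""
    local BACKUP=""

    LVM_CONF_MARKER="# added by pve-manager to avoid scanning"

    # keep user changes afterwards provided marker is still there..
    # NOTE(review): this combines -q with -L (--files-without-match). The exit
    # status of -L has differed between GNU grep releases; confirm that this
    # condition is true when the marker IS present, as the comment intends.
    if grep -qLF "$LVM_CONF_MARKER" /etc/lvm/lvm.conf && test -z "$FORCE"; then
        return 0 # only do these changes once
    fi

    export LVM_SUPPRESS_FD_WARNINGS=1
    OLD_VALUE="$(lvmconfig --typeconfig diff devices/global_filter || true)"
    NEW_VALUE='global_filter=["r|/dev/zd.*|","r|/dev/rbd.*|"]'

    # update global_filter if:
    # it is empty and there is no marker OR exactly the one we set before 8.1.4
    if (! grep -qF "$LVM_CONF_MARKER" /etc/lvm/lvm.conf && test -z "$OLD_VALUE")\
        || (echo "$OLD_VALUE" | grep -qF '="r|/dev/zd.*|"');
    then
        SET_FILTER=1
        BACKUP=1
    # print warning if global_filter is set but not our old/new default
    elif test -n "$OLD_VALUE"\
        && ! echo "$OLD_VALUE" | grep -qF '="r|/dev/zd.*|"'\
        && ! echo "$OLD_VALUE" | grep -qF "$NEW_VALUE";
    then
        echo "non-default 'global_filter' value '$OLD_VALUE' in /etc/lvm/lvm.conf, not setting '$NEW_VALUE' automatically"
        echo "consider adapting your 'global_filter' manually."
    fi

    # should be the default since bullseye
    if lvmconfig --typeconfig full devices/scan_lvs | grep -qv 'scan_lvs=0'; then
        SET_SCAN_LVS=1
        BACKUP=1
    fi

    if test -n "$BACKUP"; then
        echo "Backing up lvm.conf before setting pve-manager specific settings.."
        cp -vb /etc/lvm/lvm.conf /etc/lvm/lvm.conf.bak
    fi

    if test -n "$SET_FILTER"; then
        echo "Setting 'global_filter' in /etc/lvm/lvm.conf to prevent zvols and rbds from being scanned:"
        echo "$OLD_VALUE => $NEW_VALUE"
        if test -n "$OLD_VALUE"; then
            # An old filter line exists: update the marker text, then comment
            # the old setting out and put the new value right below it.
            sed -i -e "s/$LVM_CONF_MARKER ZFS zvols/$LVM_CONF_MARKER ZFS zvols and Ceph rbds/" /etc/lvm/lvm.conf
            sed -i -e "s!^\([[:space:]]*\)\(global_filter[[:space:]]*=.*\)\$!\1# \2\n\1$NEW_VALUE!" /etc/lvm/lvm.conf
        else
            # No filter configured yet: append a new devices section.
            cat >> /etc/lvm/lvm.conf <<EOF
devices {
$LVM_CONF_MARKER ZFS zvols and Ceph rbds
$NEW_VALUE
}
EOF
        fi
    fi

    if test -n "$SET_SCAN_LVS"; then
        echo "Adding scan_lvs=0 setting to /etc/lvm/lvm.conf to prevent LVs from being scanned."
        # comment out existing setting
        sed -i -e 's/^\([[:space:]]*scan_lvs[[:space:]]*=\)/#\1/' /etc/lvm/lvm.conf
        # add new section with our setting
        cat >> /etc/lvm/lvm.conf <<EOF
devices {
$LVM_CONF_MARKER LVM volumes
scan_lvs=0
}
EOF
    fi

    if ! lvmconfig --validate; then
        if test -n "$BACKUP"; then
            echo "Invalid LVM config detected - restoring from /etc/lvm/lvm.conf.bak"
            mv /etc/lvm/lvm.conf.bak /etc/lvm/lvm.conf
        else
            # Nothing was edited in this call, so there is no fresh backup.
            # Restoring would either fail on a missing file (aborting the
            # script under 'set -e') or roll back to a stale backup from an
            # earlier run.
            echo "Invalid LVM config detected - /etc/lvm/lvm.conf was not changed by this run, leaving it as is" >&2
        fi
    fi
}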
# Set up the dedicated 'client.crash' keyring for the ceph-crash daemon on
# existing clusters and restart the daemon if it is enabled.
#
# ceph-crash runs with dropped privileges, so instead of exposing other
# keyrings it gets its own keyring below /etc/pve/ceph; the helper creates it
# and adjusts /etc/pve/ceph.conf where needed. The helper can be run again
# manually if it fails here.
#
# Globals: UNIT (written)
# Returns: always 0 - every step is best effort
update_ceph_conf() {
    UNIT='ceph-crash.service'

    # Don't fail in case user has "exotic" configuration where RADOS
    # isn't available on all nodes for some reason
    /usr/share/pve-manager/helpers/pve-init-ceph-crash || true

    # Only restart a unit that is enabled; lookup errors are kept quiet.
    systemctl -q is-enabled "$UNIT" 2> /dev/null || return 0
    deb-systemd-invoke restart "$UNIT" || true
}
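# Move the enterprise.proxmox.com stanza out of /etc/apt/auth.conf into
# /etc/apt/auth.conf.d/pve.conf. If pve.conf already exists, the stanza is
# only dropped from auth.conf.
#
# A stanza starts at a line beginning with
# "machine enterprise.proxmox.com/debian/pve" and ends before the next line
# that contains "machine".
#
# Reads:  /etc/apt/auth.conf
# Writes: /etc/apt/auth.conf, /etc/apt/auth.conf.d/pve.conf
migrate_apt_auth_conf() {
    local output removed match l nl
    output=""
    removed=""
    match=0
    # Real newline as separator. The lines hold credentials, so they must not
    # pass through 'echo', whose backslash handling differs between shells.
    nl='
'

    # 'read' fails on a last line without trailing newline but still fills $l;
    # the extra test keeps that line instead of silently dropping it.
    while read -r l || test -n "$l"; do
        case "$l" in
            "machine enterprise.proxmox.com/debian/pve"*) match=1 ;;
            *machine*) match=0 ;;
        esac
        if test "$match" = "1"; then
            removed="${removed}${l}${nl}"
        else
            output="${output}${l}${nl}"
        fi
    done < /etc/apt/auth.conf

    if test -n "$removed"; then
        if test ! -e /etc/apt/auth.conf.d/pve.conf; then
            echo "Migrating APT auth config for enterprise.proxmox.com to /etc/apt/auth.conf.d/pve.conf .."
            # The new file holds repository credentials: create it with a
            # restrictive umask so it is not world-readable. The subshell
            # keeps the umask change local to this write.
            (umask 077 && printf '%s' "$removed" > /etc/apt/auth.conf.d/pve.conf)
        else
            echo "Removing stale APT auth config from /etc/apt/auth.conf"
        fi
        # Rewriting in place keeps the existing mode and owner of auth.conf.
        printf '%s' "$output" > /etc/apt/auth.conf
    fi
}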
# Dispatch on the maintainer-script action dpkg passes in $1. On 'configure',
# $2 is the previously configured version (empty on a fresh installation).
case "$1" in
    triggered)
        # dpkg already printed "Processing triggers for ...", so no status
        # message is needed here.

        # Leave quietly unless /etc/pve is mounted, to avoid errors during
        # updates, and do nothing while the installer is running.
        if [ ! -f /etc/pve/local/pve-ssl.pem ]; then
            exit 0
        fi
        if [ -e /proxmox_install_mode ]; then
            exit 0
        fi

        # ExecStartPre is not run on a service reload, so refresh the
        # certificates here just in case.
        pvecm updatecerts --silent || true

        for svc in pvedaemon pvestatd pveproxy spiceproxy pvescheduler; do
            deb-systemd-invoke reload-or-try-restart "$svc.service" || true
        done

        exit 0
        ;;

    configure)
        # Configure this package. Any prompting of the user would go here.

        mkdir /etc/pve 2>/dev/null || true

        # Seed the appliance index on first configuration.
        if [ ! -e /var/lib/pve-manager/apl-info/download.proxmox.com ]; then
            mkdir -p /var/lib/pve-manager/apl-info
            cp /usr/share/doc/pve-manager/aplinfo.dat /var/lib/pve-manager/apl-info/download.proxmox.com
            pveam update || true
        fi

        # Always drop the old pvemailforward entry, even if the
        # proxmox-mail-forward entry is already there, so that it is also
        # cleaned up by an upgrade that follows a downgrade.
        if [ -f /root/.forward ]; then
            sed -i '\!|/usr/bin/pvemailforward!d' /root/.forward
        fi
        # Add the new forwarder unless the file exists and already lists it.
        if [ -f /root/.forward ] && grep -q '|/usr/bin/proxmox-mail-forward' /root/.forward; then
            :
        else
            echo '|/usr/bin/proxmox-mail-forward' >>/root/.forward
        fi

        systemctl --system daemon-reload >/dev/null || true

        # same as dh_systemd_enable (code copied)
        UNITS="pvedaemon.service pveproxy.service spiceproxy.service pvestatd.service pvebanner.service pvescheduler.service pve-daily-update.timer"
        NO_RESTART_UNITS="pvenetcommit.service pve-guests.service"
        for unit in ${UNITS} ${NO_RESTART_UNITS}; do
            deb-systemd-helper unmask "$unit" >/dev/null || true

            # was-enabled defaults to true, so new installations run enable,
            # which also creates new symlinks on upgrades if the unit file
            # changed. Otherwise only the state file is updated, to track new
            # symlinks for purge and to drop old ones.
            if deb-systemd-helper --quiet was-enabled "$unit"; then
                helper_action="enable"
            else
                helper_action="update-state"
            fi
            deb-systemd-helper "$helper_action" "$unit" >/dev/null || true
        done

        # FIXME: remove after beta is over and add hunk to actively remove the repo
        BETA_SOURCES="/etc/apt/sources.list.d/pvetest-for-beta.list"
        if test -f "$BETA_SOURCES" && dpkg --compare-versions "$2" 'lt' '8.0.2' && dpkg --compare-versions "$2" 'gt' '8.0~'; then
            echo "Removing the during beta added pvetest repository file again"
            rm -v "$BETA_SOURCES" || true
        fi

        # Upgrades from before 8.1.4 re-apply the LVM settings even if the
        # marker is already present (forced).
        if [ ! -e /proxmox_install_mode ] \
            && [ -n "$2" ] \
            && dpkg --compare-versions "$2" 'lt' '8.1.4~' \
            && [ -e /etc/lvm/lvm.conf ]; then
            set_lvm_conf 1
        fi
        # NOTE(review): this call is unconditional - it also runs in installer
        # mode and when /etc/lvm/lvm.conf does not exist; confirm that is
        # intended.
        set_lvm_conf

        if [ -n "$2" ] && dpkg --compare-versions "$2" 'lt' '8.1.11'; then
            update_ceph_conf
        fi

        if [ ! -e /proxmox_install_mode ]; then
            # modeled after code generated by dh_start: reload or restart on
            # upgrades, plain start on a fresh installation
            if [ -n "$2" ]; then
                dh_action="reload-or-restart"
            else
                dh_action="start"
            fi
            for unit in ${UNITS}; do
                if systemctl -q is-enabled "$unit"; then
                    deb-systemd-invoke "$dh_action" "$unit" || true
                fi
            done
        fi

        # Upgrades from before 7.2-11 move the enterprise repository
        # credentials out of /etc/apt/auth.conf.
        if [ ! -e /proxmox_install_mode ] \
            && [ -n "$2" ] \
            && dpkg --compare-versions "$2" 'lt' '7.2-11~' \
            && [ -e /etc/apt/auth.conf ]; then
            migrate_apt_auth_conf
        fi
        ;;

    abort-upgrade|abort-remove|abort-deconfigure)
        ;;

    *)
        echo "$0: didn't understand being called with \`$1'" 1>&2
        exit 0
        ;;
esac

exit 0