* F #1345: KVM support for persistent luks volumes
Support for attaching a persistent qemu luks encrypted disk, created as
per the libvirt/qemu documentation.
Private secret must be defined on the hypervisor for decryption and the
image should contain "LUKS_SECRET" attribute.
1) Create the image and import into datastore:
# qemu-img create --object secret,id=sec0,data=secretphrase -o key-secret=sec0 -f luks volume 1G
2) Create the secret on the hypervisor:
# virsh secret-define volume-secret.xml
# MYSECRET=`printf %s "secretphrase" | base64`
# virsh secret-set-value $MYUUID $MYSECRET
# virsh secret-dumpxml $MYUUID
<secret ephemeral='no' private='yes'>
<uuid>$MYUUID</uuid>
<description>luks key</description>
<usage type='volume'>
<volume>rbd:one/one-123</volume>
</usage>
</secret>
3) Set the UUID in the image attributes, i.e.:
# oneimage show 123 |grep LUKS
LUKS_SECRET="$MYUUID"
This should allow the disk attach to decrypt the luks image and
use it as a normal disk within the VM.
Co-authored-by: Laurence <laurencegill@users.noreply.github.com>
- set `opennebula_ssh_deploy_private_key` to make sure HVs can see each other.
- Add network hooks remote execution (clean)
- Rename Elastic.rb to elastic.rb
- Remove provision tag from provision templates
- Support to add existing datastores to a provision
- By default, datastore 0 is added to a provision
- Sanity checks for nil class
- Use VXLAN in public providers
- Configure BGP-EVPN with FRR
- Support for multiple RR
- Create VNTemplate to self-provision virtual networks
Co-authored-by: Ricardo Diaz <rdiaz@opennebula.io>
Enforce logrotate before the start of any opennebula's supervisor
service - as is done similarly in the systemd services.
Signed-off-by: Petr Ospalý <pospaly@opennebula.io>
Each supervisord service (where missing or usable) can use its own
config file which will be sourced. Thanks to this, services do not rely
on a properly populated environment with all needed variables.
Useful when supervisord is run like this:
% env -i /usr/bin/supervisord
Signed-off-by: Petr Ospalý <pospaly@opennebula.io>
* Public IP no longer uses NAT'ing
* Improved handling of host collections and indexes
* Update of ansible roles and playbooks
Co-authored-by: Ruben S. Montero <rsmontero@opennebula.org>
This commit solves issues with creating new VM images based on the
docker images inside a container environment.
If fuse2fs command is present then prefer its use instead of the default
mount command which will work only under root or otherwise privileged
user.
This commit solves the mounting issue inside the rootless container
environment.
Also add a new environment file to the oned supervisord service so we
can start oned process with some additional env. variables - notably
DOCKER_HOST.
Signed-off-by: Petr Ospalý <pospaly@opennebula.io>
All distros will now start to use qemu-kvm-one symlink generated upon
the opennebula-node package install via qemu-kvm-one-gen helper script.
The script will try to detect and use the proper qemu-kvm binary found
on that particular system.
Signed-off-by: Petr Ospalý <pospaly@opennebula.io>
- New supervisord service containerd
- New supervisord service docker
- Small fix in function.sh to pick up also socket files
Signed-off-by: Petr Ospalý <pospaly@opennebula.io>
By default supervisord waits only 10s before it sends SIGKILL to its
services. This commit raises this limit to 90s in all services -
matching the default in systemd (DefaultTimeoutStopSec).
Signed-off-by: Petr Ospalý <pospaly@opennebula.io>
The initial caching mechanism will be extended with:
- Cache replacement policy
- Optimize recovery snapshot with qcow2 format
- Add support for automatic snapshot VM disks
co-authored-by: Jan Orel <jorel@opennebula.systems>
* M #-: Add supervisord services definition
Currently only for CentOS 8 but only a few changes should be needed
to make it work on other systems: crond, apache/httpd, mysql/mariadb...
The rest is pretty much system agnostic.
Signed-off-by: Petr Ospalý <pospaly@opennebula.io>
* M #-: Adjust supervisor directories
Co-authored-by: Vlastimil Holer <vholer@opennebula.io>
- Consistency set of FORMAT attribute for images, and volatile disks
- DRIVER is not specified by the USER and it is derived from the driver
configuration for the Datastore and TM driver
- CP action from DS_MAD now needs to return the image FORMAT
- FSTYPE is deprecated and no longer used
- New FS attribute to specify the file system
co-authored-by: Christian González <cgonzalez@opennebula.io>
- Support VM Templates as standalone entity
- VM Templates can reference multiple Images from Marketplace
- Service templates reference one or more VM Templates from
Marketplace to define roles
- Add CLI commands to import them into marketplace
- Add Ruby OCA extensions
co-authored-by: Alejandro Huertas <ahuertas@opennebula.io>
This commit fixes a problem when the host key is already added in the SSH
`known_hosts` file but SSH fails to validate this host key.
NOTE:
This problem manifests only when simulating 'accept-new' feature of the
newer SSH (>v7.6) via 'Match' with 'ssh-keygen -F'.
The cause of this problem is the fact that the hostname is always stored
in lowercase even if the hostname had an uppercase character.
It means that the record in the `known_hosts` file for hostname `ABC`
becomes something like 'abc,10.0.0.10' - which in turn is hashed...
Therefore SSH with `HashKnownHosts=yes` is comparing the wrong hashes:
hash('ABC,10.0.0.10') vs hash('abc,10.0.0.10')
Most likely a bug or an oversight in SSH.
With this option disabled (`HashKnownHosts=no`) both uppercased `ABC`
and lowercased `abc` work.
Example with *ENABLED* `HashKnownHosts=yes`:
[oneadmin@ABC ~] hostname
ABC
[oneadmin@ABC ~] rm -f ~/.ssh/known_hosts
[oneadmin@ABC ~] ssh-keyscan -H $(hostname) >> ~/.ssh/known_hosts
[oneadmin@ABC ~]$ ssh ABC # this fails
No ECDSA host key is known for abc and you have requested strict
checking.
Host key verification failed.
[oneadmin@ABC ~]$ ssh abc # this works
Warning: Permanently added 'abc,10.10.0.41' (ECDSA) to the list
of known hosts.
Last login: Mon Jun 15 04:32:38 2020 from ::1
[oneadmin@ABC ~]$ # success with lowercase hostname
Signed-off-by: Petr Ospalý <pospaly@opennebula.io>
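The mismatch described in the commit above comes down to how OpenSSH hashes known_hosts entries: the hostname field becomes `|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>`, and the HMAC is computed over the literal bytes of the name, so `ABC` and `abc` can never produce the same stored value, while a plain (unhashed) pattern entry is matched case-insensitively. The following is an added example written for this page, not code from the commit or from OpenNebula; it reproduces the hashed-entry format and lookup logic, uses a constructed salt and a placeholder key string (not a real host key), and assumes OpenSSH's documented 20-byte random salt and case-insensitive plain-pattern matching. It shows why a lookup for `ABC` misses an entry written for `abc`, and that normalizing the name to lowercase before hashing on both the write and the lookup side makes the check consistent.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample data (not from the commit): a fixed salt so the hashed
# entry is reproducible, and a placeholder key string instead of a real key.
SAMPLE_SALT = bytes(range(20))
SAMPLE_KEY = ("ecdsa-sha2-nistp256", "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAICONSTRUCTED")


def hash_known_host(name, salt=None):
    """Build the hashed hostname field OpenSSH writes with HashKnownHosts=yes:
    '|1|<base64 salt>|<base64 HMAC-SHA1(salt, name)>'. The HMAC covers the
    literal bytes of `name`, so 'ABC' and 'abc' hash to different values."""
    if salt is None:
        salt = os.urandom(20)  # OpenSSH uses a 20-byte random salt per entry
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def hostname_matches(field, name):
    """Does a known_hosts hostname field cover `name`?
    Plain fields are a comma-separated pattern list that OpenSSH matches
    case-insensitively; hashed fields can only be checked by recomputing the
    HMAC over the exact string, so case matters there."""
    if field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        stored = base64.b64decode(digest_b64)
        actual = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, stored)
    return name.lower() in (h.lower() for h in field.split(","))


def find_host_key(known_hosts, name, normalize=False):
    """Return (keytype, key) for the first line covering `name`, else None.
    With normalize=True the lookup lowercases the name first, which is the
    consistent convention a checker needs when entries were written lowercased
    (as the commit observed the client doing)."""
    if normalize:
        name = name.lower()
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        field, keytype, key = parts
        if hostname_matches(field, name):
            return keytype, key.split()[0]  # drop any trailing comment
    return None


# Constructed known_hosts content: the hashed line is what HashKnownHosts-style
# hashing produces for the lowercased name 'abc'; the plain line is the same
# host as an unhashed entry for comparison.
HASHED_ENTRY = "%s %s %s" % (hash_known_host("abc", SAMPLE_SALT), *SAMPLE_KEY)
PLAIN_ENTRY = "abc,10.0.0.10 %s %s" % SAMPLE_KEY


def demo():
    """Run the four lookups that explain the commit's failing/working cases."""
    return {
        "hashed entry, query ABC": find_host_key(HASHED_ENTRY, "ABC") is not None,
        "hashed entry, query abc": find_host_key(HASHED_ENTRY, "abc") is not None,
        "hashed entry, query ABC normalized":
            find_host_key(HASHED_ENTRY, "ABC", normalize=True) is not None,
        "plain entry, query ABC": find_host_key(PLAIN_ENTRY, "ABC") is not None,
    }


if __name__ == "__main__":
    for case, found in demo().items():
        print("%-36s %s" % (case, "match" if found else "no match"))
```

The first lookup is the commit's `ssh ABC` failure: the stored HMAC was computed over `abc`, the query hashes `ABC`, and no amount of pattern matching can bridge that because the hash hides the original name. The plain entry matches either spelling, which is why `HashKnownHosts=no` works in both cases.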
* Add run and lock paths to self-contained
* Move oned lock to lock location
* vcenter monitor fifo is created in run location
* vcenter monitor lock is created in lock location
- the distro's network scripts have no support for IPv6 metrics, so there
is no reason to provide an IPv6-specific METRIC6 variable
Signed-off-by: Petr Ospalý <pospaly@opennebula.io>
* F #1473: Update SSH config and sockets
- install files via install.sh script
- replace crontab with systemd timer
- update opennebula.service dependency
- move ssh master sockets from ~oneadmin to /run/one/ssh-socks
- modify ssh wrapper to not use external programs but only bash builtins
- update ssh configs
Signed-off-by: Petr Ospalý <pospaly@opennebula.io>
* F #1473: Update SSH config and sockets
* F #1473: Update SSH config and sockets
* F #1473: Update SSH wrapper
- rename SSH_USE_MASTER_SOCK to SSH_OPT_CONTROL_MASTER
- change the logic of this directive to be a value of the SSH
'ControlMaster' option (default is 'auto')
- delete the SSH_USE_MASTER_SOCK from opennebula.service (not needed
anymore)
Signed-off-by: Petr Ospalý <pospaly@opennebula.io>
Co-authored-by: Vlastimil Holer <vholer@opennebula.io>
- add ssh wrapper which is used only on the frontend
- disable SSH master socket on the nodes
- add new PATH and SSH_USE_MASTER_SOCK into opennebula.service
Signed-off-by: Petr Ospalý <pospaly@opennebula.io>
- change /run/one to /var/run/one - /run/one is either bind-mount or
symlink and can be changed while /var/run/one is configured via
tmpfiles.d/opennebula*.conf - it is more consistent now
- add a dependency to SSH agent unit for remote-fs in the cases when
/var/lib/one (oneadmin's home) is on a network filesystem
- add SSH agent support to opennebula-hem service
Signed-off-by: Petr Ospalý <pospaly@opennebula.io>
This strengthens the login with e.g. U2F/FIDO2 authentication keys.
Signed-off-by: Dennis Felsch <dennis.felsch@ruhr-uni-bochum.de>
(cherry picked from commit 487a6247a9)
Remove vendor_ruby and site_ruby directories from $LOAD_PATH, so
that distribution gems installed directly into loadable path
without need to use rubygems are not loaded by require.
* F #4292: DDC add support for multiple playbooks
* M #-: remove delete_suffix
* M #-: fix linting
* F #4292: run playbooks separately
* F #4292: add dummy playbook
* M #-: fix minor bug
* F #4292: Use raw task in dummy playbook
Co-authored-by: Vlastimil Holer <vholer@opennebula.io>