Qemu fsfreeze hook

Tratto da https://kb.kurgan.org/PVE

Uso di Qemu-agent

Abilitando l’agent nella configurazione della VM, e installando l’agent dentro la VM, è possibile gestire alcune funzioni di comunicazione fra host e guest. Una delle funzioni più comode è quella del freeze del file system nel momento in cui viene fatto uno snapshot (per esempio per i backup) per avere dei backup il più possibile congruenti. Per il file system, il semplice fatto di avere l’agente installato e abilitato è sufficiente. Per un database, tuttavia, è opportuno configurare uno script apposta.

Il pacchetto Debian da installare nel guest si chiama qemu-guest-agent

Qemu-agent e Mysql su guest Debian

Per fare interagire Mysql (o Mariadb) con qemu-agent occorre:

  • Installare il pacchetto dell’agent

  • Modificare il file di init /etc/init.d/qemu-guest-agent aggiungendo il parametro “-F” nella variabile DAEMON_ARGS, in queso modo: DAEMON_ARGS="-F"

  • Riavviare qemu-guest-agent

  • Creare la directory /etc/qemu

  • Creare la directory /etc/qemu/fsfreeze-hook.d

  • Creare lo script /etc/qemu/fsfreeze-hook, contenente quanto segue: 

    #!/bin/bash

# This script is executed when a guest agent receives fsfreeze-freeze and
# fsfreeze-thaw command, if it is specified in --fsfreeze-hook (-F)
# option of qemu-ga or placed in default path (/etc/qemu/fsfreeze-hook).
# When the agent receives fsfreeze-freeze request, this script is issued with
# "freeze" argument before the filesystem is frozen. And for fsfreeze-thaw
# request, it is issued with "thaw" argument after filesystem is thawed.

LOGFILE=/var/log/qga-fsfreeze-hook.log
FSFREEZE_D=$(dirname -- "$0")/fsfreeze-hook.d

# Check whether file $1 is a backup or rpm-generated file and should be ignored
is_ignored_file() {
    case "$1" in
        *~ | *.bak | *.orig | *.rpmnew | *.rpmorig | *.rpmsave | *.sample)
            return 0 ;;
    esac
    return 1
}

# Iterate executables in directory "fsfreeze-hook.d" with the specified args
[ ! -d "$FSFREEZE_D" ] && exit 0
for file in "$FSFREEZE_D"/* ; do
    is_ignored_file "$file" && continue
    [ -x "$file" ] || continue
    printf "$(date): execute $file $@\n" >>$LOGFILE
    "$file" "$@" >>$LOGFILE 2>&1
    STATUS=$?
    printf "$(date): $file finished with status=$STATUS\n" >>$LOGFILE
done

exit 0

  • Creare lo script /etc/qemu/fsfreeze-hook.d/mysql-flush.sh contenente quanto segue (nota se occorre o meno inserire il parametro per la password nella variabile MYSQL_OPTS): 

    #!/bin/bash

# Flush MySQL tables to the disk before the filesystem is frozen.
# At the same time, this keeps a read lock in order to avoid write accesses
# from the other clients until the filesystem is thawed.

MYSQL="/usr/bin/mysql"
MYSQL_OPTS="-uroot" #"-prootpassword"
FIFO=/var/run/mysql-flush.fifo

# Check mysql is installed and the server running
[ -x "$MYSQL" ] && "$MYSQL" $MYSQL_OPTS < /dev/null || exit 0

flush_and_wait() {
    printf "FLUSH TABLES WITH READ LOCK \\G\n"
    trap 'printf "$(date): $0 is killed\n">&2' HUP INT QUIT ALRM TERM
    read < $FIFO
    printf "UNLOCK TABLES \\G\n"
    rm -f $FIFO
}

case "$1" in
    freeze)
        mkfifo $FIFO || exit 1
        flush_and_wait | "$MYSQL" $MYSQL_OPTS &
        # wait until every block is flushed
        while [ "$(echo 'SHOW STATUS LIKE "Key_blocks_not_flushed"' |\
                 "$MYSQL" $MYSQL_OPTS | tail -1 | cut -f 2)" -gt 0 ]; do
            sleep 1
        done
        # for InnoDB, wait until every log is flushed
        INNODB_STATUS=$(mktemp /tmp/mysql-flush.XXXXXX)
        [ $? -ne 0 ] && exit 2
        trap "rm -f $INNODB_STATUS; exit 1" HUP INT QUIT ALRM TERM
        while :; do
            printf "SHOW ENGINE INNODB STATUS \\G" |\
                "$MYSQL" $MYSQL_OPTS > $INNODB_STATUS
            LOG_CURRENT=$(grep 'Log sequence number' $INNODB_STATUS |\
                          tr -s ' ' | cut -d' ' -f4)
            LOG_FLUSHED=$(grep 'Log flushed up to' $INNODB_STATUS |\
                          tr -s ' ' | cut -d' ' -f5)
            [ "$LOG_CURRENT" = "$LOG_FLUSHED" ] && break
            sleep 1
        done
        rm -f $INNODB_STATUS
        ;;

    thaw)
        [ ! -p $FIFO ] && exit 1
        echo > $FIFO
        ;;

    *)
        exit 1
        ;;
esac
  • Rendere eseguibili da root i due script appena creati

Fatto questo, quando si lancia un backup il DB verrà flushato e lockato in scrittura per un secondo circa, il tempo di creare lo snapshot per il backup, poi verrà immediatamente sbloccato. Il risultato, nel log del guest, è una cosa tipo: 

Jul 21 14:24:23 web1 qemu-ga: info: guest-fsfreeze called
Jul 21 14:24:23 web1 qemu-ga: info: executing fsfreeze hook with arg 'freeze'
Jul 21 14:24:23 web1 qemu-ga: info: executing fsfreeze hook with arg 'thaw'

andrea

Read more
No Comments

Autenticazione SSSD/LDAP su AD

/etc/portage/package.use

=sys-auth/sssd-1.16.3-r1 ssh sudo
&gt;=sys-libs/pam-1.3.0-r2 audit

emerge sssd

/etc/sshd/sssd.conf

[pam]
reconnection_retries = 3
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = AD
#ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_id_mapping = true
ldap_uri = ldaps://,ldap://
ldap_default_bind_dn = ...
ldap_default_authtok = ...
ldap_default_authtok_type = password
#ldap_referrals = false
ldap_search_base = ...
#ldap_user_search_base = ...
ldap_user_search_base = ...
ldap_user_object_class = user
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_group_search_base = ...
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_tls_reqcert = never
#ldap_tls_reqcert = hard
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_id_use_start_tls = true
override_shell = /bin/bash
cache_credentials = true
enumerate = true
#ldap_rfc2307_fallback_to_local_users = true
override_homedir = /home/%u
#min_id = 10000
#ldap_group_gid = 9999
#override_gid = 9999
#ad_gpo_access_control = disabled
access_provider = simple
simple_allow_groups = ..., ...
#access_provider = ldap
#ldap_access_order = filter
#ldap_group_member = member
#ldap_access_filter = (|(memberOf=CN=...)(memberOf=CN=...))

nsswitch.conf

passwd: compat
shadow: compat
group: compat
passwd: db files nis sss
shadow: db files nis sss
group: db files nis sss
#group: db files nis
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files sss
bootparams: files
sudoers: ldap files sss
automount: files
aliases: files

/etc/pam.d/system-auth

auth sufficient pam_sss.so forward_pass
auth required pam_env.so
auth required pam_unix.so try_first_pass likeauth nullok
auth optional pam_permit.so
account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account required pam_unix.so
account optional pam_permit.so
password sufficient pam_sss.so use_authtok
password sufficient pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password optional pam_permit.so
session required pam_tty_audit.so enable=*
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so

sshd_config



UsePAM yes




getent passwd


getent groups


andrea









            

                        

        

    
        

        Read more
    

    





    

    

    




    No Comments