Qemu fsfreeze hook
Tratto da https://kb.kurgan.org/PVE
Uso di Qemu-agent
Abilitando l’agent nella configurazione della VM, e installando l’agent dentro la VM, è possibile gestire alcune funzioni di comunicazione fra host e guest. Una delle funzioni più comode è quella del freeze del file system nel momento in cui viene fatto uno snapshot (per esempio per i backup) per avere dei backup il più possibile congruenti. Per il file system, il semplice fatto di avere l’agente installato e abilitato è sufficiente. Per un database, tuttavia, è opportuno configurare uno script apposta.
Il pacchetto Debian da installare nel guest si chiama qemu-guest-agent
Qemu-agent e Mysql su guest Debian
Per fare interagire Mysql (o Mariadb) con qemu-agent occorre:
- Installare il pacchetto dell’agent
-
Modificare il file di init /etc/init.d/qemu-guest-agent aggiungendo il parametro “-F” nella variabile DAEMON_ARGS, in queso modo: DAEMON_ARGS="-F"
- Riavviare qemu-guest-agent
-
Creare la directory /etc/qemu
-
Creare la directory /etc/qemu/fsfreeze-hook.d
-
Creare lo script /etc/qemu/fsfreeze-hook, contenente quanto segue:
#!/bin/bash # This script is executed when a guest agent receives fsfreeze-freeze and # fsfreeze-thaw command, if it is specified in --fsfreeze-hook (-F) # option of qemu-ga or placed in default path (/etc/qemu/fsfreeze-hook). # When the agent receives fsfreeze-freeze request, this script is issued with # "freeze" argument before the filesystem is frozen. And for fsfreeze-thaw # request, it is issued with "thaw" argument after filesystem is thawed. LOGFILE=/var/log/qga-fsfreeze-hook.log FSFREEZE_D=$(dirname -- "$0")/fsfreeze-hook.d # Check whether file $1 is a backup or rpm-generated file and should be ignored is_ignored_file() { case "$1" in *~ | *.bak | *.orig | *.rpmnew | *.rpmorig | *.rpmsave | *.sample) return 0 ;; esac return 1 } # Iterate executables in directory "fsfreeze-hook.d" with the specified args [ ! -d "$FSFREEZE_D" ] && exit 0 for file in "$FSFREEZE_D"/* ; do is_ignored_file "$file" && continue [ -x "$file" ] || continue printf "$(date): execute $file $@\n" >>$LOGFILE "$file" "$@" >>$LOGFILE 2>&1 STATUS=$? printf "$(date): $file finished with status=$STATUS\n" >>$LOGFILE done exit 0
-
Creare lo script /etc/qemu/fsfreeze-hook.d/mysql-flush.sh contenente quanto segue (nota se occorre o meno inserire il parametro per la password nella variabile MYSQL_OPTS):
#!/bin/bash # Flush MySQL tables to the disk before the filesystem is frozen. # At the same time, this keeps a read lock in order to avoid write accesses # from the other clients until the filesystem is thawed. MYSQL="/usr/bin/mysql" MYSQL_OPTS="-uroot" #"-prootpassword" FIFO=/var/run/mysql-flush.fifo # Check mysql is installed and the server running [ -x "$MYSQL" ] && "$MYSQL" $MYSQL_OPTS < /dev/null || exit 0 flush_and_wait() { printf "FLUSH TABLES WITH READ LOCK \\G\n" trap 'printf "$(date): $0 is killed\n">&2' HUP INT QUIT ALRM TERM read < $FIFO printf "UNLOCK TABLES \\G\n" rm -f $FIFO } case "$1" in freeze) mkfifo $FIFO || exit 1 flush_and_wait | "$MYSQL" $MYSQL_OPTS & # wait until every block is flushed while [ "$(echo 'SHOW STATUS LIKE "Key_blocks_not_flushed"' |\ "$MYSQL" $MYSQL_OPTS | tail -1 | cut -f 2)" -gt 0 ]; do sleep 1 done # for InnoDB, wait until every log is flushed INNODB_STATUS=$(mktemp /tmp/mysql-flush.XXXXXX) [ $? -ne 0 ] && exit 2 trap "rm -f $INNODB_STATUS; exit 1" HUP INT QUIT ALRM TERM while :; do printf "SHOW ENGINE INNODB STATUS \\G" |\ "$MYSQL" $MYSQL_OPTS > $INNODB_STATUS LOG_CURRENT=$(grep 'Log sequence number' $INNODB_STATUS |\ tr -s ' ' | cut -d' ' -f4) LOG_FLUSHED=$(grep 'Log flushed up to' $INNODB_STATUS |\ tr -s ' ' | cut -d' ' -f5) [ "$LOG_CURRENT" = "$LOG_FLUSHED" ] && break sleep 1 done rm -f $INNODB_STATUS ;; thaw) [ ! -p $FIFO ] && exit 1 echo > $FIFO ;; *) exit 1 ;; esac
- Rendere eseguibili da root i due script appena creati
Fatto questo, quando si lancia un backup il DB verrà flushato e lockato in scrittura per un secondo circa, il tempo di creare lo snapshot per il backup, poi verrà immediatamente sbloccato. Il risultato, nel log del guest, è una cosa tipo:
Jul 21 14:24:23 web1 qemu-ga: info: guest-fsfreeze called Jul 21 14:24:23 web1 qemu-ga: info: executing fsfreeze hook with arg 'freeze' Jul 21 14:24:23 web1 qemu-ga: info: executing fsfreeze hook with arg 'thaw'
andrea
- Pubblicato il Sistemistica, Tips & Tricks, Virtualizzazione
Autenticazione SSSD/LDAP su AD
/etc/portage/package.use
=sys-auth/sssd-1.16.3-r1 ssh sudo >=sys-libs/pam-1.3.0-r2 audit
emerge sssd
/etc/sshd/sssd.conf
[pam] reconnection_retries = 3 [domain/LDAP] id_provider = ldap auth_provider = ldap ldap_schema = AD #ldap_schema = rfc2307bis ldap_access_order = expire ldap_account_expire_policy = ad ldap_force_upper_case_realm = true ldap_id_mapping = true ldap_uri = ldaps://,ldap:// ldap_default_bind_dn = ... ldap_default_authtok = ... ldap_default_authtok_type = password #ldap_referrals = false ldap_search_base = ... #ldap_user_search_base = ... ldap_user_search_base = ... ldap_user_object_class = user ldap_user_principal = userPrincipalName ldap_user_name = sAMAccountName ldap_user_fullname = displayName ldap_group_search_base = ... ldap_group_object_class = group ldap_group_name = sAMAccountName ldap_tls_reqcert = never #ldap_tls_reqcert = hard ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt ldap_id_use_start_tls = true override_shell = /bin/bash cache_credentials = true enumerate = true #ldap_rfc2307_fallback_to_local_users = true override_homedir = /home/%u #min_id = 10000 #ldap_group_gid = 9999 #override_gid = 9999 #ad_gpo_access_control = disabled access_provider = simple simple_allow_groups = ..., ... #access_provider = ldap #ldap_access_order = filter #ldap_group_member = member #ldap_access_filter = (|(memberOf=CN=...)(memberOf=CN=...))
nsswitch.conf
passwd: compat shadow: compat group: compat passwd: db files nis sss shadow: db files nis sss group: db files nis sss #group: db files nis hosts: files dns networks: files dns services: db files protocols: db files rpc: db files ethers: db files netmasks: files netgroup: files sss bootparams: files sudoers: ldap files sss automount: files aliases: files
/etc/pam.d/system-auth
auth sufficient pam_sss.so forward_pass auth required pam_env.so auth required pam_unix.so try_first_pass likeauth nullok auth optional pam_permit.so account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so account required pam_unix.so account optional pam_permit.so password sufficient pam_sss.so use_authtok password sufficient pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow password optional pam_permit.so session required pam_tty_audit.so enable=* session required pam_mkhomedir.so skel=/etc/skel/ umask=0077 session required pam_limits.so session required pam_env.so session required pam_unix.so session optional pam_permit.so
sshd_config
UsePAM yes
getent passwd
getent groups
andrea
- Pubblicato il Sistemistica, Tips & Tricks