Qemu fsfreeze hook

Tratto da https://kb.kurgan.org/PVE

Uso di Qemu-agent

Abilitando l’agent nella configurazione della VM, e installando l’agent dentro la VM, è possibile gestire alcune funzioni di comunicazione fra host e guest. Una delle funzioni più comode è quella del freeze del file system nel momento in cui viene fatto uno snapshot (per esempio per i backup) per avere dei backup il più possibile congruenti. Per il file system, il semplice fatto di avere l’agente installato e abilitato è sufficiente. Per un database, tuttavia, è opportuno configurare uno script apposta.

Il pacchetto Debian da installare nel guest si chiama qemu-guest-agent

Qemu-agent e Mysql su guest Debian

Per fare interagire Mysql (o Mariadb) con qemu-agent occorre:

  • Installare il pacchetto dell’agent
  • Modificare il file di init /etc/init.d/qemu-guest-agent aggiungendo il parametro “-F” nella variabile DAEMON_ARGS, in queso modo: DAEMON_ARGS="-F"

  • Riavviare qemu-guest-agent
  • Creare la directory /etc/qemu

  • Creare la directory /etc/qemu/fsfreeze-hook.d

  • Creare lo script /etc/qemu/fsfreeze-hook, contenente quanto segue:

    #!/bin/bash
    
    # This script is executed when a guest agent receives fsfreeze-freeze and
    # fsfreeze-thaw command, if it is specified in --fsfreeze-hook (-F)
    # option of qemu-ga or placed in default path (/etc/qemu/fsfreeze-hook).
    # When the agent receives fsfreeze-freeze request, this script is issued with
    # "freeze" argument before the filesystem is frozen. And for fsfreeze-thaw
    # request, it is issued with "thaw" argument after filesystem is thawed.
    
    LOGFILE=/var/log/qga-fsfreeze-hook.log
    FSFREEZE_D=$(dirname -- "$0")/fsfreeze-hook.d
    
    # Check whether file $1 is a backup or rpm-generated file and should be ignored
    is_ignored_file() {
        case "$1" in
            *~ | *.bak | *.orig | *.rpmnew | *.rpmorig | *.rpmsave | *.sample)
                return 0 ;;
        esac
        return 1
    }
    
    # Iterate executables in directory "fsfreeze-hook.d" with the specified args
    [ ! -d "$FSFREEZE_D" ] && exit 0
    for file in "$FSFREEZE_D"/* ; do
        is_ignored_file "$file" && continue
        [ -x "$file" ] || continue
        printf "$(date): execute $file $@\n" >>$LOGFILE
        "$file" "$@" >>$LOGFILE 2>&1
        STATUS=$?
        printf "$(date): $file finished with status=$STATUS\n" >>$LOGFILE
    done
    
    exit 0
    
  • Creare lo script /etc/qemu/fsfreeze-hook.d/mysql-flush.sh contenente quanto segue (nota se occorre o meno inserire il parametro per la password nella variabile MYSQL_OPTS):

    #!/bin/bash
    
    # Flush MySQL tables to the disk before the filesystem is frozen.
    # At the same time, this keeps a read lock in order to avoid write accesses
    # from the other clients until the filesystem is thawed.
    
    MYSQL="/usr/bin/mysql"
    MYSQL_OPTS="-uroot" #"-prootpassword"
    FIFO=/var/run/mysql-flush.fifo
    
    # Check mysql is installed and the server running
    [ -x "$MYSQL" ] && "$MYSQL" $MYSQL_OPTS < /dev/null || exit 0
    
    flush_and_wait() {
        printf "FLUSH TABLES WITH READ LOCK \\G\n"
        trap 'printf "$(date): $0 is killed\n">&2' HUP INT QUIT ALRM TERM
        read < $FIFO
        printf "UNLOCK TABLES \\G\n"
        rm -f $FIFO
    }
    
    case "$1" in
        freeze)
            mkfifo $FIFO || exit 1
            flush_and_wait | "$MYSQL" $MYSQL_OPTS &
            # wait until every block is flushed
            while [ "$(echo 'SHOW STATUS LIKE "Key_blocks_not_flushed"' |\
                     "$MYSQL" $MYSQL_OPTS | tail -1 | cut -f 2)" -gt 0 ]; do
                sleep 1
            done
            # for InnoDB, wait until every log is flushed
            INNODB_STATUS=$(mktemp /tmp/mysql-flush.XXXXXX)
            [ $? -ne 0 ] && exit 2
            trap "rm -f $INNODB_STATUS; exit 1" HUP INT QUIT ALRM TERM
            while :; do
                printf "SHOW ENGINE INNODB STATUS \\G" |\
                    "$MYSQL" $MYSQL_OPTS > $INNODB_STATUS
                LOG_CURRENT=$(grep 'Log sequence number' $INNODB_STATUS |\
                              tr -s ' ' | cut -d' ' -f4)
                LOG_FLUSHED=$(grep 'Log flushed up to' $INNODB_STATUS |\
                              tr -s ' ' | cut -d' ' -f5)
                [ "$LOG_CURRENT" = "$LOG_FLUSHED" ] && break
                sleep 1
            done
            rm -f $INNODB_STATUS
            ;;
    
        thaw)
            [ ! -p $FIFO ] && exit 1
            echo > $FIFO
            ;;
    
        *)
            exit 1
            ;;
    esac
  • Rendere eseguibili da root i due script appena creati

Fatto questo, quando si lancia un backup il DB verrà flushato e lockato in scrittura per un secondo circa, il tempo di creare lo snapshot per il backup, poi verrà immediatamente sbloccato. Il risultato, nel log del guest, è una cosa tipo:

Jul 21 14:24:23 web1 qemu-ga: info: guest-fsfreeze called
Jul 21 14:24:23 web1 qemu-ga: info: executing fsfreeze hook with arg 'freeze'
Jul 21 14:24:23 web1 qemu-ga: info: executing fsfreeze hook with arg 'thaw'

andrea

Autenticazione SSSD/LDAP su AD

/etc/portage/package.use

=sys-auth/sssd-1.16.3-r1 ssh sudo
&gt;=sys-libs/pam-1.3.0-r2 audit

emerge sssd

/etc/sshd/sssd.conf

[pam]
reconnection_retries = 3
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = AD
#ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_id_mapping = true
ldap_uri = ldaps://,ldap://
ldap_default_bind_dn = ...
ldap_default_authtok = ...
ldap_default_authtok_type = password
#ldap_referrals = false
ldap_search_base = ...
#ldap_user_search_base = ...
ldap_user_search_base = ...
ldap_user_object_class = user
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_group_search_base = ...
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_tls_reqcert = never
#ldap_tls_reqcert = hard
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_id_use_start_tls = true
override_shell = /bin/bash
cache_credentials = true
enumerate = true
#ldap_rfc2307_fallback_to_local_users = true
override_homedir = /home/%u
#min_id = 10000
#ldap_group_gid = 9999
#override_gid = 9999
#ad_gpo_access_control = disabled
access_provider = simple
simple_allow_groups = ..., ...
#access_provider = ldap
#ldap_access_order = filter
#ldap_group_member = member
#ldap_access_filter = (|(memberOf=CN=...)(memberOf=CN=...))

nsswitch.conf

passwd: compat
shadow: compat
group: compat
passwd: db files nis sss
shadow: db files nis sss
group: db files nis sss
#group: db files nis
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files sss
bootparams: files
sudoers: ldap files sss
automount: files
aliases: files

/etc/pam.d/system-auth

auth sufficient pam_sss.so forward_pass
auth required pam_env.so
auth required pam_unix.so try_first_pass likeauth nullok
auth optional pam_permit.so
account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account required pam_unix.so
account optional pam_permit.so
password sufficient pam_sss.so use_authtok
password sufficient pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password optional pam_permit.so
session required pam_tty_audit.so enable=*
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so

sshd_config


UsePAM yes


getent passwd

getent groups

andrea