On April 18, 2021 7:07 pm, Thomas Lamprecht wrote:
> On 13.04.21 14:16, Fabian Grünbichler wrote:
>> as a unified helper for talking to a remote node. if the requested node
>> has an entry in the remote config, the information from that entry is
>> used. else, the first locally defined node of the requested cluster is
>> used as proxy.
>>
>> Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
>> ---
>> data/PVE/RemoteConfig.pm | 55 ++++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 55 insertions(+)
>>
>> diff --git a/data/PVE/RemoteConfig.pm b/data/PVE/RemoteConfig.pm
>> index 23274de..7c395ba 100644
>> --- a/data/PVE/RemoteConfig.pm
>> +++ b/data/PVE/RemoteConfig.pm
>> @@ -3,6 +3,7 @@ package PVE::RemoteConfig;
>> use strict;
>> use warnings;
>>
>> +use PVE::APIClient::LWP;
>> use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file
>> cfs_lock_file);
>> use PVE::JSONSchema qw(get_standard_option);
>> use PVE::Tools;
>> @@ -158,6 +159,60 @@ sub lock {
>> }
>> }
>>
>> +# will attempt to connect with node's locally defined endpoint if possible
>> +sub get_remote_info {
>> + my ($self, $cluster, $node, $network_cidr) = @_;
>> +
>> + my $cluster_info = $self->{ids}->{$cluster};
>> + die "Remote cluster '$cluster' is not defined!\n"
>> + if !defined($cluster_info) || $cluster_info->{type} ne 'pvecluster';
>> +
>> + my $host = $node;
>> +
>> + # fallback to random node/endpoint if $node is not locally defined
>> + if (!$cluster_info->{nodes}->{$node}) {
>> + my @defined_nodes = keys %{$cluster_info->{nodes}};
>> + $host = $defined_nodes[0];
>> + }
>> +
>> + my $api_node = $self->{ids}->{$host};
>> +
>> + my $api_token = $cluster_info->{token} // $api_node->{token};
>> +
>> + my $conn_args = {
>> + username => 'root@pam',
>> + protocol => 'https',
>> + host => $api_node->{endpoint},
>> + apitoken => $api_token,
>> + port => 8006,
>> + };
>> +
>> + if (my $fp = $api_node->{fingerprint}) {
>> + $conn_args->{cached_fingerprints} = { uc($fp) => 1 };
>> + } else {
>> + # FIXME add proper parameter to APIClient
>
> that should now work out of the box? I.e., if no FP is passed we default to
> verify_hostname = 1, and if verify_hostname is true we trust what openssl
> thinks
> about the validity of the connection.
I didn't test it (and the tunnel binary itself still lacks that functionality for sure), but that comment is leftover (only slightly moved/reworded) from last year's PoC, so it's possible that the LWP client handles this well nowadays :)
>
>> + die "IMPLEMENT ME";
>> + my $ssl_opts = {
>> + verify_hostname => 1,
>> +# SSL_ca_path => '/etc/ssl/certs',
>> + SSL_verify_callback => 1,
>> + };
>> + }
>> +
>> + print "Establishing API connection with cluster '$cluster' node
>> '$host'\n";
>> +
>> + my $conn = PVE::APIClient::LWP->new(%$conn_args);
>> +
>> +
>> + my $args = {};
>> + $args->{cidr} = $network_cidr if $network_cidr;
>> +
>> + print "Request IP information of node '$node'\n";
>> + my $res = $conn->get("/nodes/$node/addr", $args);
>> +
>> + return ($res, $conn_args);
>> +}
>> +
>> package PVE::RemoteConfig::Cluster;
>>
>> use PVE::RemoteConfig;
>>
>
>
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
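Review bot: The fallback in get_remote_info has no guard for a cluster entry without locally defined nodes: when `keys %{$cluster_info->{nodes}}` is empty, `$host` is undef, `$api_node` is looked up with an undefined key, and `$conn_args` is built with an undefined `host`, so the failure only surfaces inside PVE::APIClient::LWP instead of as a clear error; a node entry without an `endpoint` ends the same way. I would add `die "no node of cluster '$cluster' is locally defined\n" if !defined($host);` after the fallback block and `die "no endpoint defined for node '$host'\n" if !defined($api_node->{endpoint});` before `$conn_args` is built. The comment "fallback to random node/endpoint" also overstates what `$defined_nodes[0]` does: it is whatever hash order yields first, which can differ between calls, so either word it as "arbitrary" or pick `(sort keys %{$cluster_info->{nodes}})[0]` for a stable choice. `$node` is interpolated into the request path unescaped; where callers get it is not visible here, so if it can come from outside the remote config it should be checked against the node-name format first.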