Documents Ganeti version 2.8
Ganeti supports a remote API to enable external tools to easily retrieve information about a cluster’s state. The remote API daemon, ganeti-rapi, is automatically started on the master node. By default it runs on TCP port 5080, but this can be changed either in .../constants.py or via the command line parameter -p. SSL mode, which is used by default, can also be disabled by passing command line parameters.
ganeti-rapi reads users and passwords from a file (usually /var/lib/ganeti/rapi/users) on startup. Changes to the file will be read automatically.
Lines starting with the hash sign (#) are treated as comments. Each line consists of two or three fields separated by whitespace. The first two fields are for username and password. The third field is optional and can be used to specify per-user options (separated by comma without spaces).
Passwords can either be written in clear text or as a hash. Clear text passwords may not start with an opening brace ({) or they must be prefixed with {cleartext}. To use the hashed form, get the MD5 hash of the string $username:Ganeti Remote API:$password (e.g. echo -n 'jack:Ganeti Remote API:abc123' | openssl md5) [1] and prefix it with {ha1}. Using the scheme prefix for all passwords is recommended. Scheme prefixes are case insensitive.
Options control a user’s access permissions. The section Access permissions lists the permissions required for each resource. If the --require-authentication command line option is given to the ganeti-rapi daemon, all requests require authentication. Available options:
Example:
# Give Jack and Fred read-only access
jack abc123
fred {cleartext}foo555
# Give write access to an imaginary instance creation script
autocreator xyz789 write
# Hashed password for Jessica
jessica {HA1}7046452df2cbb530877058712cf17bd4 write
# Monitoring can query for values
monitoring {HA1}ec018ffe72b8e75bb4d508ed5b6d079c read
# A user who can read and write (the former is implied by granting
# write access)
superuser {HA1}ec018ffe72b8e75bb4d508ed5b6d079c read,write
When using the RAPI, username and password can be sent to the server by using the standard HTTP basic access authentication. This means that for accessing the protected URL https://cluster.example.com/resource, the address https://username:password@cluster.example.com/resource should be used instead. Alternatively, the appropriate parameter of your HTTP client (such as -u for curl) can be used.
[1] Using the MD5 hash of username, realm and password is described in RFC 2617 (“HTTP Authentication”), sections 3.2.2.2 and 3.3. The reason for using it over another algorithm is forward compatibility. If ganeti-rapi were to implement HTTP Digest authentication in the future, the same hash could be used. In the current version ganeti-rapi’s realm, Ganeti Remote API, can only be changed by modifying the source code.
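The users-file rules and the {ha1} hash described above can be checked with a short script that parses the file, verifies a password and reports entries kept in clear text or granted write access. This is an added example, not ganeti-rapi's own parser: the function names, the sample file, the password constructed-pw and the skipping of blank lines are assumptions made here.

```python
import hashlib
import hmac

REALM = "Ganeti Remote API"  # realm named in the documentation above


def ha1(username, password, realm=REALM):
    """MD5 of "username:realm:password", the value stored after {ha1}."""
    data = "%s:%s:%s" % (username, realm, password)
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def parse_users(text):
    """Parse users-file text into {username: (scheme, secret, options)}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # blank-line skip is an assumption
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError("expected two or three fields: %r" % line)
        name, password = fields[0], fields[1]
        options = set(fields[2].split(",")) if len(fields) == 3 else set()
        scheme, secret = "cleartext-unprefixed", password
        if password.startswith("{"):
            end = password.find("}")
            if end == -1:
                raise ValueError("unterminated scheme prefix for %s" % name)
            scheme = password[1:end].lower()  # prefixes are case insensitive
            secret = password[end + 1:]
            if scheme not in ("cleartext", "ha1"):
                raise ValueError("unknown scheme %r for %s" % (scheme, name))
        users[name] = (scheme, secret, options)
    return users


def check_password(users, username, password):
    """Return True if the supplied password matches the stored entry."""
    if username not in users:
        return False
    scheme, secret, _ = users[username]
    candidate = ha1(username, password) if scheme == "ha1" else password
    # Constant-time comparison of the candidate against the stored value
    return hmac.compare_digest(candidate.encode(), secret.encode())


def audit(users):
    """Report entries stored in clear text and users holding write access."""
    findings = []
    for name, (scheme, _, options) in sorted(users.items()):
        if scheme != "ha1":
            findings.append((name, "password stored in clear text"))
        if "write" in options:
            findings.append((name, "has write access"))
    return findings


# Constructed sample file; the hashed entry is generated here, not copied.
SAMPLE = "\n".join([
    "# constructed sample",
    "jack abc123",
    "fred {cleartext}foo555",
    "autocreator xyz789 write",
    "jessica {HA1}%s read,write" % ha1("jessica", "constructed-pw"),
])

if __name__ == "__main__":
    for name, finding in audit(parse_users(SAMPLE)):
        print("%s: %s" % (name, finding))
```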
The protocol used is JSON over HTTP designed after the REST principle. HTTP Basic authentication as per RFC 2617 is supported.
HTTP requests with a body (e.g. PUT or POST) require the request header Content-type to be set to application/json (see RFC 2616 (HTTP/1.1), section 7.2.1).
JSON as used by Ganeti RAPI does not conform to the specification in RFC 4627. Section 2 defines a JSON text to be either an object ({"key": "value", …}) or an array ([1, 2, 3, …]). In violation of this RAPI uses plain strings ("master-candidate", "1234") for some requests or responses. Changing this now would likely break existing clients and cause a lot of trouble.
Unlike Python’s JSON encoder and decoder, other programming languages or libraries may only provide a strict implementation, not allowing plain values. For those, responses can usually be wrapped in an array whose first element is then used, e.g. the response "1234" becomes ["1234"]. This works equally well for more complex values. Example in Ruby:
require "json"
# Insert code to get response here
response = "\"1234\""
decoded = JSON.parse("[#{response}]").first
Short of modifying the encoder to allow encoding to a less strict format, requests will have to be formatted by hand. Newer RAPI requests already use a dictionary as their input data and shouldn’t cause any problems.
According to RFC 2616 the main difference between PUT and POST is that POST can create new resources but PUT can only create the resource the URI was pointing to on the PUT request.
Unfortunately, due to historic reasons, the Ganeti RAPI library is not consistent with this usage, so just use the methods as documented below for each resource.
For more details have a look in the source code at lib/rapi/rlib2.py.
A few generic referred parameter types and the values they allow.
A few parameters mean the same thing across all resources which implement them.
Bulk-mode means that for the resources which usually return just a list of child resources (e.g. /2/instances which returns just instance names), the output will instead contain detailed data for all these subresources. This is more efficient than querying the sub-resources themselves.
The boolean dry-run argument, if provided and set, signals to Ganeti that the job should not be executed, only the pre-execution checks will be done.
This is useful in trying to determine (without guarantees though, as in the meantime the cluster state could have changed) if the operation is likely to succeed or at least start executing.
Some parameters are not straightforward, so we describe them in detail here.
The instance policy specification is a dict with the following fields:
A list of dictionaries, each with the following two fields:
A sub-dict with the following fields, which sets the limit of the instances:
You can access the API using your favorite programming language as long as it supports network connections.
Ganeti includes a standalone RAPI client, lib/rapi/client.py.
Using wget:
$ wget -q -O - https://CLUSTERNAME:5080/2/info
or curl:
$ curl https://CLUSTERNAME:5080/2/info
Note: with curl, the request method (GET, POST, PUT) can be specified using the -X command line option, and the username/password can be specified with the -u option. In case of POST requests with a body, the Content-Type can be set to JSON (as per the Protocol section) using the parameter -H "Content-Type: application/json".
Warning
While it’s possible to use JavaScript, it poses several potential problems, including browsers blocking requests due to non-standard ports or different domain names. Fetching the data on the webserver is easier.
var url = 'https://CLUSTERNAME:5080/2/info';
var info;
var xmlreq = new XMLHttpRequest();
xmlreq.onreadystatechange = function () {
  // Wait until the request has completed
  if (xmlreq.readyState != 4) return;
  if (xmlreq.status == 200) {
    // Parse the body as JSON; never eval() data received over the network
    info = JSON.parse(xmlreq.responseText);
    alert(info);
  } else {
    alert('Error fetching cluster info');
  }
  xmlreq = null;
};
xmlreq.open('GET', url, true);
xmlreq.send(null);
Cluster information resource.
Method | Required permissions |
---|---|
GET | (none) |
Returns cluster information.
Example:
{
"config_version": 2000000,
"name": "cluster",
"software_version": "2.0.0~beta2",
"os_api_version": 10,
"export_version": 0,
"candidate_pool_size": 10,
"enabled_hypervisors": [
"fake"
],
"hvparams": {
"fake": {}
},
"default_hypervisor": "fake",
"master": "node1.example.com",
"architecture": [
"64bit",
"x86_64"
],
"protocol_version": 20,
"beparams": {
"default": {
"auto_balance": true,
"vcpus": 1,
"memory": 128
}
},
…
}
Redistribute configuration to all nodes.
Method | Required permissions |
---|---|
PUT | write |
Method | Required permissions |
---|---|
GET | (none) |
Returns a list of features supported by the RAPI server. Available features:
Modifies cluster parameters.
Method | Required permissions |
---|---|
PUT | write |
Returns a job ID.
Body parameters:
Job result:
None
The groups resource.
Method | Required permissions |
---|---|
GET | (none) |
POST | write |
Returns a list of all existing node groups.
Example:
[
{
"name": "group1",
"uri": "\/2\/groups\/group1"
},
{
"name": "group2",
"uri": "\/2\/groups\/group2"
}
]
If the optional bool bulk argument is provided and set to a true value (i.e. ?bulk=1), the output contains detailed information about node groups as a list.
Returned fields: alloc_policy, ctime, custom_diskparams, custom_ipolicy, custom_ndparams, diskparams, ipolicy, mtime, name, ndparams, node_cnt, node_list, serial_no, tags, uuid.
Example:
[
{
"name": "group1",
"node_cnt": 2,
"node_list": [
"node1.example.com",
"node2.example.com"
],
"uuid": "0d7d407c-262e-49af-881a-6a430034bf43",
…
},
{
"name": "group2",
"node_cnt": 1,
"node_list": [
"node3.example.com"
],
"uuid": "f5a277e7-68f9-44d3-a378-4b25ecb5df5c",
…
},
…
]
Creates a node group.
If the optional bool dry-run argument is provided, the job will not actually be executed, only the pre-execution checks will be done.
Returns: a job ID that can be used later for polling.
Body parameters:
Earlier versions used a parameter named name which, while still supported, has been renamed to group_name.
Job result:
None
Returns information about a node group.
Method | Required permissions |
---|---|
DELETE | write |
GET | (none) |
Modifies the parameters of a node group.
Method | Required permissions |
---|---|
PUT | write |
Returns a job ID.
Body parameters:
Job result:
List of ((Length 2) and (Item 0 is (NonEmptyString [name of changed parameter]), item 1 is (Anything [new value])))
Renames a node group.
Method | Required permissions |
---|---|
PUT | write |
Returns a job ID.
Body parameters:
Job result:
NonEmptyString [New group name]
Assigns nodes to a group.
Method | Required permissions |
---|---|
PUT | write |
Returns a job ID. It supports the dry-run and force arguments.
Body parameters:
Job result:
None
Manages per-nodegroup tags.
Method | Required permissions |
---|---|
DELETE | write |
GET | (none) |
PUT | write |
The networks resource.
Method | Required permissions |
---|---|
GET | (none) |
POST | write |
Returns a list of all existing networks.
Example:
[
{
"name": "network1",
"uri": "\/2\/networks\/network1"
},
{
"name": "network2",
"uri": "\/2\/networks\/network2"
}
]
If the optional bool bulk argument is provided and set to a true value (i.e. ?bulk=1), the output contains detailed information about networks as a list.
Returned fields: ctime, external_reservations, free_count, gateway, gateway6, group_list, inst_list, mac_prefix, map, mtime, name, network, network6, reserved_count, serial_no, tags, uuid.
Example:
[
{
'external_reservations': '10.0.0.0, 10.0.0.1, 10.0.0.15',
'free_count': 13,
'gateway': '10.0.0.1',
'gateway6': None,
'group_list': ['default(bridged, prv0)'],
'inst_list': [],
'mac_prefix': None,
'map': 'XX.............X',
'name': 'nat',
'network': '10.0.0.0/28',
'network6': None,
'reserved_count': 3,
'tags': ['nfdhcpd'],
…
},
…
]
Creates a network.
If the optional bool dry-run argument is provided, the job will not actually be executed, only the pre-execution checks will be done.
Returns: a job ID that can be used later for polling.
Body parameters:
Job result:
None
Returns information about a network.
Method | Required permissions |
---|---|
DELETE | write |
GET | (none) |
Modifies the parameters of a network.
Method | Required permissions |
---|---|
PUT | write |
Returns a job ID.
Body parameters:
Job result:
None
Connects a network to a nodegroup.
Method | Required permissions |
---|---|
PUT | write |
Returns a job ID. It supports the dry-run argument.
Body parameters:
Job result:
None
Disconnects a network from a nodegroup.
Method | Required permissions |
---|---|
PUT | write |
Returns a job ID. It supports the dry-run argument.
Body parameters:
Job result:
None
Manages per-network tags.
Method | Required permissions |
---|---|
DELETE | write |
GET | (none) |
PUT | write |
Tries to allocate multiple instances.
Method | Required permissions |
---|---|
POST | write |
The parameters:
Job result:
Dictionary containing none but the required keys "allocatable" (value List of NonEmptyString), "jobs" (value List of ((Length 2) and (Item 0 is (Boolean [success]), item 1 is (String or JobId [Job ID if successful, error message otherwise]))) [List of submitted jobs])
The instances resource.
Method | Required permissions |
---|---|
GET | (none) |
POST | write |
Returns a list of all available instances.
Example:
[
{
"name": "web.example.com",
"uri": "\/instances\/web.example.com"
},
{
"name": "mail.example.com",
"uri": "\/instances\/mail.example.com"
}
]
If the optional bool bulk argument is provided and set to a true value (i.e. ?bulk=1), the output contains detailed information about instances as a list.
Returned fields: admin_state, beparams, ctime, custom_beparams, custom_hvparams, custom_nicparams, disk.names, disk.sizes, disk.uuids, disk_template, disk_usage, hvparams, mtime, name, network_port, nic.bridges, nic.ips, nic.links, nic.macs, nic.modes, nic.names, nic.networks, nic.networks.names, nic.uuids, oper_ram, oper_state, oper_vcpus, os, pnode, serial_no, snodes, status, tags, uuid.
Example:
[
{
"status": "running",
"disk_usage": 20480,
"nic.bridges": [
"xen-br0"
],
"name": "web.example.com",
"tags": ["tag1", "tag2"],
"beparams": {
"vcpus": 2,
"memory": 512
},
"disk.sizes": [
20480
],
"pnode": "node1.example.com",
"nic.macs": ["01:23:45:67:89:01"],
"snodes": ["node2.example.com"],
"disk_template": "drbd",
"admin_state": true,
"os": "debian-etch",
"oper_state": true,
…
},
…
]
Creates an instance.
If the optional bool dry-run argument is provided, the job will not actually be executed, only the pre-execution checks will be done. Querying the job result will return, in both dry-run and normal case, the list of nodes selected for the instance.
Returns: a job ID that can be used later for polling.
Body parameters:
Earlier versions used parameters named name and os. These have been replaced by instance_name and os_type to match the underlying opcode. The old names can still be used.
Job result:
List of NonEmptyString [instance nodes]
Instance-specific resource.
Method | Required permissions |
---|---|
DELETE | write |
GET | (none) |
Returns information about an instance, similar to the bulk output from the instance list.
Returned fields: admin_state, beparams, ctime, custom_beparams, custom_hvparams, custom_nicparams, disk.names, disk.sizes, disk.uuids, disk_template, disk_usage, hvparams, mtime, name, network_port, nic.bridges, nic.ips, nic.links, nic.macs, nic.modes, nic.names, nic.networks, nic.networks.names, nic.uuids, oper_ram, oper_state, oper_vcpus, os, pnode, serial_no, snodes, status, tags, uuid.
Method | Required permissions |
---|---|
GET | (none) |
Requests detailed information about the instance. An optional parameter, static (bool), can be set to return only static information from the configuration without querying the instance’s nodes. The result will be a job id.
Job result:
Dictionary with keys of NonEmptyString and values of Dictionary
Reboot URI for an instance.
Method | Required permissions |
---|---|
POST | write |
Reboots the instance.
The URI takes optional type=soft|hard|full and ignore_secondaries=0|1 parameters.
type defines the reboot type. soft is just a normal reboot, without terminating the hypervisor. hard means full shutdown (including terminating the hypervisor process) and startup again. full is like hard but also recreates the configuration from ground up as if you would have done a gnt-instance shutdown and gnt-instance start on it.
ignore_secondaries is a bool argument indicating if we start the instance even if secondary disks are failing.
It supports the dry-run argument.
Job result:
None
Instance shutdown URI.
Method | Required permissions |
---|---|
PUT | write |
Shuts down an instance.
It supports the dry-run argument.
Job result:
None
Installs the operating system again.
Method | Required permissions |
---|---|
POST | write |
Returns a job ID.
Body parameters:
For backwards compatibility, this resource also takes the query parameters os (OS template name) and nostartup (bool). New clients should use the body parameters.
Replaces disks on an instance.
Method | Required permissions |
---|---|
POST | write |
Returns a job ID.
Body parameters:
Ganeti 2.4 and below used query parameters. Those are deprecated and should no longer be used.
Job result:
None
Activate disks on an instance.
Method | Required permissions |
---|---|
PUT | write |
Deactivate disks on an instance.
Method | Required permissions |
---|---|
PUT | write |
Recreate disks of an instance.
Method | Required permissions |
---|---|
POST | write |
Returns a job ID.
Body parameters:
Job result:
None
Grows one disk of an instance.
Method | Required permissions |
---|---|
POST | write |
Returns a job ID.
Body parameters:
Job result:
None
Prepares an export of an instance.
Method | Required permissions |
---|---|
PUT | write |
Exports an instance.
Method | Required permissions |
---|---|
PUT | write |
Returns a job ID.
Body parameters:
Job result:
(Length 2) and (Item 0 is (Boolean [Finalizing status]), item 1 is (List of Boolean [Status for every exported disk]))
Migrates an instance.
Method | Required permissions |
---|---|
PUT | write |
Returns a job ID.
Body parameters:
Job result:
None
Does a failover of an instance.
Method | Required permissions |
---|---|
PUT | write |
Returns a job ID.
Body parameters:
Job result:
None
Renames an instance.
Method | Required permissions |
---|---|
PUT | write |
Returns a job ID.
Body parameters:
Job result:
NonEmptyString [New instance name]
Modifies an instance.
Method | Required permissions |
---|---|
PUT | write |
Returns a job ID.
Body parameters:
Job result:
List of ((Length 2) and (Item 0 is (NonEmptyString [name of changed parameter]), item 1 is (Anything [new value])))
Request information for connecting to instance’s console.
Method | Required permissions |
---|---|
GET | read, write |
Returns a dictionary containing information about the instance’s console. Contained keys:
Manages per-instance tags.
Method | Required permissions |
---|---|
DELETE | write |
GET | (none) |
PUT | write |
The /2/jobs resource.
Method | Required permissions |
---|---|
GET | (none) |
Returns a dictionary of jobs.
Returns: a dictionary with jobs id and uri.
If the optional bool bulk argument is provided and set to a true value (i.e. ?bulk=1), the output contains detailed information about jobs as a list.
Returned fields for bulk requests (unlike other bulk requests, these fields are not the same as for per-job requests): end_ts, id, ops, opstatus, received_ts, start_ts, status, summary.
Individual job URI.
Method | Required permissions |
---|---|
DELETE | write |
GET | (none) |
Returns a dictionary with job parameters, containing the fields end_ts, id, oplog, opresult, ops, opstatus, received_ts, start_ts, status, summary.
The result includes:
For a successful opcode, the opresult field corresponding to it will contain the raw result from its LogicalUnit. In case an opcode has failed, its element in the opresult list will be a list of two elements:
The error classification is most useful for the OpPrereqError error type - these errors happen before the OpCode has started executing, so it’s possible to retry the OpCode without side effects. But whether it makes sense to retry depends on the error classification:
Note that in the above list, by entity we refer to a node or instance, while by a resource we refer to an instance’s disk, or NIC, etc.
Method | Required permissions |
---|---|
GET | write |
Waits for changes on a job. Takes the following body parameters in a dict:
Returns None if no changes have been detected and a dict with two keys, job_info and log_entries otherwise.
Nodes resource.
Method | Required permissions |
---|---|
GET | (none) |
Returns a list of all nodes.
Example:
[
{
"id": "node1.example.com",
"uri": "\/nodes\/node1.example.com"
},
{
"id": "node2.example.com",
"uri": "\/nodes\/node2.example.com"
}
]
If the optional bool bulk argument is provided and set to a true value (i.e. ?bulk=1), the output contains detailed information about nodes as a list.
Returned fields: cnodes, csockets, ctime, ctotal, dfree, drained, dtotal, group.uuid, master_candidate, master_capable, mfree, mnode, mtime, mtotal, name, ndparams, offline, pinst_cnt, pinst_list, pip, role, serial_no, sinst_cnt, sinst_list, sip, tags, uuid, vm_capable.
Example:
[
{
"pinst_cnt": 1,
"mfree": 31280,
"mtotal": 32763,
"name": "www.example.com",
"tags": [],
"mnode": 512,
"dtotal": 5246208,
"sinst_cnt": 2,
"dfree": 5171712,
"offline": false,
…
},
…
]
Evacuates instances off a node.
Method | Required permissions |
---|---|
POST | write |
Returns a job ID. The result of the job will contain the IDs of the individual jobs submitted to evacuate the node.
Body parameters:
Up to and including Ganeti 2.4 query arguments were used. Those are no longer supported. The new request can be detected by the presence of the node-evac-res1 feature string.
Job result:
Dictionary containing none but the required key "jobs" (value List of ((Length 2) and (Item 0 is (Boolean [success]), item 1 is (String or JobId [Job ID if successful, error message otherwise]))) [List of submitted jobs])
Migrates all primary instances from a node.
Method | Required permissions |
---|---|
POST | write |
If no mode is explicitly specified, each instance’s hypervisor default migration mode will be used. Body parameters:
The query arguments used up to and including Ganeti 2.4 are deprecated and should no longer be used. The new request format can be detected by the presence of the node-migrate-reqv1 feature string.
Job result:
Dictionary containing none but the required key "jobs" (value List of ((Length 2) and (Item 0 is (Boolean [success]), item 1 is (String or JobId [Job ID if successful, error message otherwise]))) [List of submitted jobs])
Manages node role.
Method | Required permissions |
---|---|
GET | (none) |
PUT | write |
The role is always one of the following:
- drained
- master-candidate
- offline
- regular
Note that the ‘master’ role is special, and currently it can’t be modified via RAPI, only via the command line (gnt-cluster master-failover).
Modifies the parameters of a node.
Method | Required permissions |
---|---|
POST | write |
Returns a job ID.
Body parameters:
Job result:
List of ((Length 2) and (Item 0 is (NonEmptyString [name of changed parameter]), item 1 is (Anything [new value])))
Manages storage units on the node.
Method | Required permissions |
---|---|
GET | write |
Requests a list of storage units on a node. Requires the parameters storage_type (one of file, lvm-pv or lvm-vg) and output_fields. The result will be a job id, using which the result can be retrieved.
Modifies storage units on the node.
Method | Required permissions |
---|---|
PUT | write |
Repairs a storage unit on the node.
Method | Required permissions |
---|---|
PUT | write |
Manages per-node tags.
Method | Required permissions |
---|---|
DELETE | write |
GET | (none) |
PUT | write |
Requests resource information. Available fields can be found in man pages and using /2/query/[resource]/fields. The resource is one of node, group, network, cluster, lock, instance, job, export, extstorage, os. See the query2 design document for more details.
Method | Required permissions |
---|---|
GET | read, write |
PUT | read, write |
Request list of available fields for a resource. The resource is one of node, group, network, cluster, lock, instance, job, export, extstorage, os. See the query2 design document for more details.
Method | Required permissions |
---|---|
GET | (none) |
The following list describes the access permissions required for each resource. See Users and passwords for more details.