News¶

Version 3.0.2¶

(Released Mon, 28 Feb 2022)

Changes since 3.0.1¶

This release contains the following bug- and compatibility fixes:

KVM: fix NIC hotplugging with vhost_net=True (#1651), use_chroot=True (#1644) and use_guest_agent=True (#1620).

KVM: fix asynchronous events breaking QMP handshakes (#1649)

KVM: handle disk_cache consistently between boot and hotplugging (#1645)

KVM: fix live migration with non-root / chrooted QEMU (dynamic auto-ro) (#1603)

KVM: fix unsupported keymap include in >=qemu-4.0 (#1612)

XEN: fix live migration of xen instances (#1582)

NET: relax VLAN check with veth devices (#1533)

LVM: fix lvcreate for newer lvm versions (#1586)

DRBD: warn users that altered DRBD parameters do not affect existing devices (#781)

Node-Add: byte/string comparison causes false-positive warning (#1635)

RAPI: return HTTP 400 on request parse error (#1610)

build: fix building docs on Debian Bullseye (#1602)

build: adjust for Pyparsing 3.0 (#1638)

build: adjust for TupE type change in Template Haskell 2.16 (#1613)

build: permit base64-bytestring 1.1 and QuickCheck 2.14 (#1613)

tools: fix 2to3 leftover for move-instance (#1616)

Docs: fix building on recent sphinx versions (#1602)

Version 3.0.1¶

(Released Thu, 4 Feb 2021)

Changes since 3.0.0¶

This release contains the following bug- and compatibility fixes:

Fix disk hotplugging with QEMU >=4.0 (#1556)

Correctly configure the aio, cache and discard disk parameters for hotplugged disks (#1561)

Configure the correct number of vectors for hotplugged MQ tap devices (#1568)

Properly detect MQ NIC support for newer KVM versions (#1569)

Significantly speed up disk verification jobs by caching LVM information (#1565)

Fix a potential issue when exchanging utf-8 data over plain HTTP RAPI (#1575)

Version 3.0.0¶

(Released Wed, 23 Dec 2020)

Changes since 3.0.0 rc1¶

3.0.0 includes only a handful of improvements and fixes since 3.0.0 rc1.

Automatic postcopy migration handling for KVM guests¶

Ganeti now supports switching a KVM live migration automatically over to postcopy mode if the instance’s migration_caps include the postcopy-ram capability and the live migration has already completed two full memory passes. Postcopy live migration support in Ganeti 3.0 is considered experimental; users are encouraged to test it and report bugs, but it should be used with care in production environments.

We recommend using postcopy migration with at least QEMU version 3.0; QEMU versions before 3.0 do not support limiting the bandwidth of a postcopy migration, which might saturate the network and cause interference with e.g. DRBD connections. For QEMU 3.0 and on, we apply the migration_bandwidth HV parameter that limits the regular live migration bandwidth to the postcopy phase as well.

Thanks to Sascha Lucas and Calum Calder for all the work related to postcopy migration.

Other changes¶

Bugfixes:

Fix multi-queue tap creation that was broken by the Python 3 migration (#1534)
Make sure we set KVM migration capabilities on both sides of the live migration and clear them once the migration is over (#1525)
Properly cleanup the dedicated spice connection used to set a KVM instance’s spice password; this avoids blocking the instance on boot (#1535, #1536)
Fix non-SSL operation for Python daemons, broken by the Python 3 migration. This should be only relevant for the RAPI daemon running behind a reverse proxy; noded requires SSL to function properly (#1508, #1538)

Compatibility fixes:

Correctly report the status of user-down KVM instances with QEMU >= 3.1 (#1440, #1537)

Version 3.0.0 rc1¶

(Released Sat, 19 Sep 2020)

Since releasing 3.0.0 beta1 in June no critical issues have surfaced. This release includes some feature and compability improvements but no breaking changes.

Upgrade notes¶

This release comes with the same restrictions as the previous one: to upgrade, you either need 2.16.2 or 3.0.0 beta1 installed. Upgrading directly from older versions or from the Ganeti-2.17 beta version is not supported. Please refer to the 3.0.0 beta1 upgrade notes for more information.

Important changes¶

GHC 8.0 through 8.8 compatibility¶

This release has been built/tested against GHC 8.0 through 8.8 which means it should work on most current and near-future distribution versions. Support for GHC versions < 8 has already been dropped with the previous Ganeti release. Along with this change we have also added compatibility to Cabal version 3.0.

Other notable changes¶

Bugfixes:

Fix distribution of hmac.key to new nodes - this has been pulled from the 2.17 tree #(1494)

Compatibility Improvements:

Open vSwitch: Do not fail to add node when the ovs_name or ovs_link already exists (#1495)
Improved support for DRBD >= 8.4 (#1496)
Relax QuickCheck version restriction (#1479)

Documentation Fixes:

Various typos have been fixed (#1483, #1487, #1489, #1501)
Documentation build has been improved (#1500, #1504)
Missing information has been added (#1490, #1505, #1517)

Build Environment:

We now have matrix / nightly builds using Github Actions (#1512)
We now have code analysis through Github CodeQL (#1514)

Misc:

Support other values than ‘none’ for ‘disk_cache’ when using RBD (#1516)
The OS install scripts can now query the configured disk size via a new environment variable ‘DISK_%N_SIZE’ (#1503)

Version 3.0.0 beta1¶

(Released Fri, 5 Jun 2020)

This is a major version pre-release, porting Ganeti to Python 3, fixing bugs and adding new features.

This is also the first major release to be created by community contributors exclusively. As of May 2020, Google transferred the maintenance of Ganeti to the community. We would like to thank Google for the support and resources it granted to the project and for allowing the community to carry it forward!

Upgrade notes¶

Ganeti versions earlier than 2.16.2 will refuse to upgrade to 3.0 using gnt-cluster upgrade. If you are using your distribution packages, chances are their maintainers will provide a smooth upgrade path from older versions, so check the package release notes. If you build Ganeti from source, please upgrade to 2.16.2 as an intermediate step before upgrading to 3.0, or consult Github issue #1423 for possible workarounds.

Note that at this time there is no supported upgrade path for users running Ganeti-2.17 (i.e. 2.17.0 beta1). Ganeti-2.17 was never released, so hopefully no one uses it. In case you are using it, the best option is to downgrade to 2.16 (either via a regular downgrade or manually). See Github issue #1346 for a bit more discussion on this topic.

Important changes¶

Python >=3.6 required¶

This release switches the whole Ganeti codebase over to Python 3. Python 2 has reached its end-of-life and is being removed from most distributions, so we opted to skip dual-version support completely and convert the code straight to Python 3-only, the only exception being the RAPI client which remains Python-2 compatible.

We have tested the code as well as we can, but there is still the possibility of breakage, as the conversion touches a big part of the codebase that cannot always be tested automatically. Please test this release if possible and report any bugs on GitHub.

Note that the minimum required Python version is 3.6.

GHC >= 8 required¶

This release removes support for ancient versions of GHC and now requires at least GHC 8.0 to build.

VLAN-aware bridging¶

This version adds support for VLAN-aware bridging. Traditionally setups using multiple VLANs had to create one Linux bridge per VLAN and assign instance NICs to the correct bridge. For large setups this usually incurred a fair amount of configuration that had to be kept in sync between nodes. An alternative was to use OpenVSwitch, for which Ganeti already included VLAN support.

Beginning with 3.0, Ganeti supports VLAN-aware bridging: it is now possible to have a single bridge handling traffic for multiple VLANs and have instance NICs assigned to one or more VLANs using the vlan NIC parameter with the same syntax as for OpenVSwitch (see the manpage for gnt-instance). Note that Ganeti expects VLAN support for the bridge to be enabled externally, using ip link set dev <bridge> type bridge vlan_filtering 1.

Other notable changes¶

Bugfixes:

Refactor LuxiD’s job forking code to make job process creation more reliable. This fixes sporadic failures when polling jobs for status changes, as well as randomly-appearing 30-second delays when enqueueing a new job (#1411).
Wait for a Luxi job to actually finish before archiving it. This prevents job file accumulation in master candidate queues (#1266).
Avoid accidentally backing up the export directory on cluster upgrade (#1337).
This release includes all fixes from 2.16.2 as well, please refer to the 2.16.2 changelog below.

Compatibility changes:

Orchestrate KVM live migrations using only QMP (and not the human monitor), ensuring compatibility with QEMU 4.2 (#1433).
Use iproute2 instead of brctl, removing the dependency on bridge-utils (#1394).
Enable AM_MAINTAINER_MODE, supporting read-only VPATH builds (#1391).
Port from Haskell Crypto (unmaintained) to cryptonite (#1405)
Enable compatibility with pyopenssl >=19.1.0 (#1446)

Version 2.16.2¶

(Released Fri, 22 May 2020)

This is a bugfix and compatibility release.

Important note¶

Due to the way the gnt-cluster upgrade mechanism is implemented, Ganeti versions earlier than 2.16.2 will refuse to upgrade to the upcoming 3.0 release. This release changes the upgrade logic to explicitly allow upgrades from 2.16.2 and later to 3.0.

See #1423 for more details and the relevant discussion.

Bugfixes¶

Fix node secondary instance count. Secondary instances were counted as many times as their disk count (#1399)

RPC: remove 1-second wait introduced by Expect: 100-Continue. This speeds up all RPC operations that pass through LuxiD (most notably queries like gnt-instance list) by 1 second.

Version 2.16.1¶

(Released Mon, 1 Apr 2019)

This is a bugfix and compatibility release.

Important changes¶

Updated X.509 certificate signing algorithm¶

Ganeti now uses the SHA-256 digest algorithm to sign all generated X.509 certificates used to secure the RPC communications between nodes. Previously, Ganeti was using SHA-1 which is seen as weak (but not broken) and has been deprecated by most vendors; most notably, OpenSSL — used by Ganeti on some setups — rejects SHA-1-signed certificates when configured to run on security level 2 and above.

Users are advised to re-generate Ganeti’s server and node certificates after installing 2.16.1 on all nodes using the following command:

gnt-cluster renew-crypto --new-cluster-certificate

On setups using RAPI and/or SPICE with Ganeti-generated certificates, --new-rapi-certificate and --new-spice-certificate should be appended to the command above.

QEMU 3.1 compatibility¶

Previous versions of Ganeti used QEMU command line options that were removed in QEMU 3.1, leading to an inability to start KVM instances with QEMU 3.1. This version restores compatibility with QEMU 3.1 by adapting to these changes. This was done in a backwards-compatible way, however there is one special case: Users using VNC with X.509 support enabled, will need to be running at least QEMU 2.5. See #1342 for details.

Newer GHC support¶

Ganeti 2.16.0 could only be built using GHC versions prior to 7.10, as GHC 7.10 and later versions introduced breaking API changes that made the build fail.

This release introduces support for building with newer GHC versions: Ganeti is now known to build with GHC 8.0, 8.2 and 8.4. Furthermore, Ganeti can now be built with snap-server 1.0 as well as hinotify 0.3.10 and later. Previously supported versions of GHC and of these libraries remain supported.

Misc changes¶

(Contributor names in parentheses where available)

Compatibility fixes:

Fix initscript operation on systems with dpkg >= 1.19.4 (#1322)
Support Sphinx versions later than 1.7 (#1333) (Robin Sonnabend)
Force KVM to use cache=none when aio=native is set; this is mandatory for QEMU versions later than 2.6 (#43) (Alexandros Kosiaris)
Handle the new output format of rbd showmapped introduced in Ceph Mimic (#1339) (Ansgar Jazdzewski)
Support current versions of python-psutil (George Diamantopoulos)
Fix distcheck-hook with automake versions >= 1.15 (Apollon Oikonomopoulos)
Fix cli tests with shelltestrunner versions >= 1.9 (Apollon Oikonomopoulos)

Bugfixes:

Allow IPv6 addresses in the vnc_bind_address KVM hypervisor parameter (#1257) (Brian Candler)
Fix iproute2 invocation to accept dev as a valid interface name (#26) (Arnd Hannemann)
Properly handle OpenVSwitch trunk ports without native VLANs (#1324) (George Diamantopoulos)
Fix virtio-net multiqueue support (#1268) (George Diamantopoulos)
Make the ganeti-kvm-poweroff example script work on systems with systemd/sysv integration (#1288)
Avoid triggering the CPU affinity code when the instance’s CPU mask is set to all, relaxing the runtime dependency on python-psutil (Calum Calder)

Performance improvements:

Speed up Haskell test execution (Iustin Pop)
Speed up Python test execution (Apollon Oikonomopoulos)

Documentation fixes:

Fix a couple of typos in the gnt-instance man page (#1279) (Phil Regnauld)
Fix a typo in doc/install.rst (Igor Vuk)

Enhancements:

KVM process logs are now obtained and saved under /var/log/ganeti/kvm (Yiannis Tsiouris)

Version 2.16.0¶

(Released Tue, 18 Sep 2018)

Changes since 2.16.0 rc2¶

Compatibility fixes:

Support python-mock versions later than about 1.1

Bugfixes:

RAPI: Check non-SSL exceptions in _CheckIfConnectionDropped

makefile: Preserve mode on copy

Change uidpool test to skip uid 0

Add retry behavior to detect SSConf read race in qa.qa_instance_utils

utils.livelock: use portable struct flock type

Misc changes:

Set default ssh connection timeout between nodes to 10s

Add unit tests for utils.livelock

Version 2.16.0 rc2¶

(Released Mon, 29 Jan 2018)

Changes since 2.16.0 rc1¶

New features: - Do not prompt when force-setting a node online - Consider state-of-the-record free memory in htools memory model (#35) - Add optStaticKvmNodeMemory to HTools and IAllocator (#34) - Add discard KVM option to bdev - StartInstance restores instance state if running - Allow migrate –cleanup to adopt an instance - Add ganeti-noded and ganeti-rapi –max-clients options - Add gnt-instance rename –force option - Allow master failover to ignore offline nodes - Adding a confirmation before gnt-node –offline no

Compatibility fixes: - kvm: use the current psutil CPU affinity API - Provide alternative to decompressWithErrors in zlib 6.0 - Ceph/RBD rbd showmapped -p is no longer supported - kvm: use_guest_agent: QEMU Guest Agent support - Fix LogicalVolume code to work with older /sbin/lvs

Performance optimizations: - Use fork instead of spawnv in the watcher - Make executeRpcCall only compute rpcCallData once - Special case WaitForJobChange to reduce heap use - Get haskell daemons to only compress files > 4kB - Use zlib compression level 3 in Haskell RPC code - Make the TH fieldsDictsKeys more efficient - Implement localized cache for lvs commands - Reduce load in NV_NODENETTEST and NV_MASTERIP

Bugfixes: - impexpd: fix certificate verification with new socat versions - impexpd: do not set socat SSL method - backend: fix key renewal on single-node clusters - hv_xen: generate correct type for paravirtualized nic (#57) - Force CleanupInstance always on InstanceShutdown (#53) - Cleanup blockdevs from target on migration failure (#50) - kvm: Add missing ‘driver’ in ‘hvinfo’ dict (#46) - Add cleanup of stale OS hvp data on cluster modify - Htools should use state-of-record instance size - Prohibit disk removal w/o hotplug on live instance - Fix tuple-unpacking from QueryInstances result - Fix index in RemoveDisks warning - Fix coexistence of location tags and non-DRBD instances - Fix backup export in case of ext disk template - Fix instance state detection in _Shutdowninstance - Fix for instance reinstall not updating config (issue #1193) - Fix optimisation: Correctly extract secondary node - Tune getNodeInstances DRBD secondary computation - Fix LogicalVolume Attach failure on missing path - Set USE_VERSION_FULL=no if –enable-versionfull=no - Don’t verify disks when all disk templates are ext

Misc changes: - Fixed several hlint and pylint styling errors - Reduced the verbosity of several debug messages - Fixed various typos in man pages and documentation - Improved various unit tests

Fixes inherited from 2.15 branch:

Update hv_kvm to handle output from qemu >= 1.6.0
Disable logging CallRPCMethod timings in non-debug configs
Give atomicWriteFile temp filenames a more distinct pattern
FIX: Refactor DiagnoseOS to use a loop, not an inner fn
FIX: Set INSTANCE_NICn_NETWORK_NAME only if net is defined
Fix invalid variable error for file-based disks
Fix gnt-instance console instance unpausing for xl toolstack
KVM: handle gracefully too old/too new psutil versions
Fixup compatibility with GHC 7.4/base 4.5
mcpu: Raise caught OpPrereqErrors with too few args
Make EnsureDirs print chmod mode on errors
Use socat method string compatible with <1.73 & >=1.73
Reduce heap when parsing & storing ConfigData 10%
Cancel RAPI job if the client drops the connection
Make JQScheduler queues more strict to avoid leaks
Fix ganeti-rapi/noded exit-under-load bug
Fix ClusterVerifyConfig() causing high mem usage
Use threaded runtime when linking Haskell unit tests
Give JQueue test dirs unique prefixes so they can’t conflict
Update install-quick DRBD requirements to include DRBD 8.4
Fix memory/perf bug in gnt-cluster verify
Improve luxid QueryInstances performance for large clusters
Optimize LXC hypervisor GetAllInstancesInfo
Bracket ConfigWriter writeConfigAndUnlock with debug logging
Bracket client LockConfig calls with debug logging
Get onInotify and onPollTimer to print filepath
Prevent InstanceShutdown from waiting on success

Fixes inherited from 2.14 branch:

Support userspace disk URIs for OS import/export scripts
iallocator: only adjust memory usage for up instances

Fixes inherited from 2.13 branch: - Bugfix: migrate needs HypervisorClass, not an instance

Version 2.16.0 rc1¶

(Released Thu, 18 Feb 2016)

Incompatible/important changes¶

The IAllocator protocol has been extended by a new allocate-secondary request type. Currently, this new request type is only used when in disk conversion to DRBD no secondary node is specified. As long as this new feature is not used, a third-party IAllocator not aware of this extension can be continued to be used.
htools now also take into account N+1 redundancy for plain and shared storage. To obtain the old behavior, add the --no-capacity-checks option.
hail now tries to keep the overall cluster balanced; in particular it now prefers more empty groups over groups that are internally more balanced.
The option --no-node-setup of gnt-node add is disabled. Instead, the cluster configuration parameter modify_ssh_setup is used to determine whether or not to manipulate the SSH setup of a new node.
Timeouts for communication with luxid have been increased. As a consequence, Ganeti tools communicating (directly or indirectly) with luxid also time out later. Please increase all timeouts for higher level tools interacting with Ganeti accordingly.

New features¶

hbal can now be made aware of common causes of failures (for nodes). Look at hbal man page’s LOCATION TAGS section for more details.
hbal can now be made aware of desired location for instances. Look at hbal man page’s DESIRED LOCATION TAGS section for more details.
Secret parameters are now readacted in job files

New dependencies¶

Using the metadata daemon now requires the presence of the ‘setcap’ utility. On Debian-based systems, it is available as a part of the ‘libcap2-bin’ package.

Changes since beta2¶

On group verify, only flush to group nodes

Version 2.16.0 beta2¶

(Released Tue, 2 Feb 2016)

This was the second beta release of the 2.16 series. All important changes are listed in the latest 2.16 entry.

Changes since beta1¶

Do not add a new Inotify watchers on timer
Set block buffering for UDSServer
Fix failover in case the source node is offline
Add a parameter to ignore groups in capacity checks
Make hspace correctly handle –independent-groups
Accept BoringSSL as a known good ssl library
Make CommitTemporaryIPs call out to WConfD
Fix requested instance desired location tags in IAllocator
monitor: Use hvinfo in QMP methods
KVM: Work around QEMU commit 48f364dd
KVM: Introduce scsi_controller_type and kvm_pci_reservations hvparams
Improvements in SSH key handling
Do not generate the ganeti_pub_keys file with –no-ssh-init
Support force option for deactivate disks on RAPI
Add a –dry-run option to htools
Extended logging to improve traceability
Many documentation improvements and cleanups
Performance optimizations on larger clusters
Various QA and testing improvements

Fixes inherited from 2.15 branch:

Metad: ignore instances that have no communication NIC
For queries, take the correct base address of an IP block
Fix computation in network blocks
Use bulk-adding of keys in renew-crypto
Introduce bulk-adding of SSH keys
Handle SSH key distribution on auto promotion
Do not remove authorized key of node itself
Support force option for deactivate disks on RAPI
renew-crypto: use bulk-removal of SSH keys
Bulk-removal of SSH keys
Catch IOError of SSH files when removing node
Fix renew-crypto on one-node-cluster
Increase timeout of RPC adding/removing keys
After TestNodeModify, fix the pool of master candidates

Fixes inherited from 2.14 branch:

bdev: Allow userspace-only disk templates
Export disk’s userspace URI to OS scripts
Fix instance failover in case of DTS_EXT_MIRROR
Set node tags in iallocator htools backend
Fix faulty iallocator type check
Allow disk attachment to diskless instances
Allow disk attachment with external storage

Fixes inherited from 2.13 branch:

Improve xl socat migrations
Renew-crypto: stop daemons on master node first
Extend timeout for gnt-cluster renew-crypto

Fixes inherited from 2.12 branch:

Accept timeout errors when luxi down
Fix disabling of user shutdown reporting
gnt-node add: password auth is only one method
Fix inconsistency in python and haskell objects
Increase default disk size of burnin to 1G
Only search for Python-2 interpreters
Handle Xen 4.3 states better
Return the correct error code in the post-upgrade script
Make openssl refrain from DH altogether
Fix upgrades of instances with missing creation time
Check for healthy majority on master failover with voting
Pass arguments to correct daemons during master-failover

Fixes inherited from 2.11 branch:

At IAlloc backend guess state from admin state
Fix default for –default-iallocator-params

Fixes inherited from 2.10 branch:

Make htools tolerate missing “dtotal” and “dfree” on luxi
KVM: explicitly configure routed NICs late

Fixes inherited from the 2.9 branch:

Security patch for CVE-2015-7944 RAPI Vulnerable to DoS via SSL renegotiation
Security patch for CVE-2015-7945 Leak DRBD secret via RAPI
replace-disks: fix –ignore-ipolicy

Version 2.16.0 beta1¶

(Released Tue, 28 Jul 2015)

This was the first beta release of the 2.16 series. All important changes are listed in the latest 2.16 entry.

Version 2.15.2¶

(Released Wed, 16 Dec 2015)

Important changes and security notes¶

Security release.

CVE-2015-7944

Ganeti provides a RESTful control interface called the RAPI. Its HTTPS implementation is vulnerable to DoS attacks via client-initiated SSL parameter renegotiation. While the interface is not meant to be exposed publicly, due to the fact that it binds to all interfaces, we believe some users might be exposing it unintentionally and are vulnerable. A DoS attack can consume resources meant for Ganeti daemons and instances running on the master node, making both perform badly.

Fixes are not feasible due to the OpenSSL Python library not exposing functionality needed to disable client-side renegotiation. Instead, we offer instructions on how to control RAPI’s exposure, along with info on how RAPI can be setup alongside an HTTPS proxy in case users still want or need to expose the RAPI interface. The instructions are outlined in Ganeti’s security document: doc/html/security.html

CVE-2015-7945

Ganeti leaks the DRBD secret through the RAPI interface. Examining job results after an instance information job reveals the secret. With the DRBD secret, access to the local cluster network, and ARP poisoning, an attacker can impersonate a Ganeti node and clone the disks of a DRBD-based instance. While an attacker with access to the cluster network is already capable of accessing any data written as DRBD traffic is unencrypted, having the secret expedites the process and allows access to the entire disk.

Fixes contained in this release prevent the secret from being exposed via the RAPI. The DRBD secret can be changed by converting an instance to plain and back to DRBD, generating a new secret, but redundancy will be lost until the process completes. Since attackers with node access are capable of accessing some and potentially all data even without the secret, we do not recommend that the secret be changed for existing instances.

Minor changes¶

Allow disk aittachment to diskless instances
Reduce memory footprint: Compute lock allocation strictly
Calculate correct affected nodes set in InstanceChangeGroup (Issue 1144)
Reduce memory footprint: Don’t keep input for error messages
Use bulk-adding of keys in renew-crypto
Reduce memory footprint: Send answers strictly
Reduce memory footprint: Store keys as ByteStrings
Reduce memory footprint: Encode UUIDs as ByteStrings
Do not retry all requests after connection timeouts to prevent repeated job submission
Fix reason trails of expanding opcodes
Make lockConfig call retryable
Extend timeout for gnt-cluster renew-crypto
Return the correct error code in the post-upgrade script
Make OpenSSL refrain from DH altogether
Fix faulty iallocator type check
Improve cfgupgrade output in case of errors
Fix upgrades of instances with missing creation time
Support force option for deactivate disks on RAPI
Make htools tolerate missing “dtotal” and “dfree” on luxi
Fix default for –default-iallocator-params
Renew-crypto: stop daemons on master node first
Don’t warn about broken SSH setup of offline nodes (Issue 1131)
Fix computation in network blocks
At IAlloc backend guess state from admin state
Set node tags in iallocator htools backend
Only search for Python-2 interpreters
Handle Xen 4.3 states better
Improve xl socat migrations

Version 2.15.1¶

(Released Mon, 7 Sep 2015)

New features¶

The ext template now allows userspace-only disks to be used

Bugfixes¶

Fixed the silently broken ‘gnt-instance replace-disks –ignore-ipolicy’ command.
User shutdown reporting can now be disabled on Xen using the ‘–user-shutdown’ flag.
Remove falsely reported communication NIC error messages on instance start.
Fix ‘gnt-node migrate’ behavior when no instances are present on a node.
Fix the multi-allocation functionality for non-DRBD instances.

Version 2.15.0¶

(Released Wed, 29 Jul 2015)

Incompatible/important changes¶

In order to improve allocation efficiency when using DRBD, the cluster metric now takes the total reserved memory into account. A consequence of this change is that the best possible cluster metric is no longer 0. htools(1) interprets minimal cluster scores to be offsets of the theoretical lower bound, so only users interpreting the cluster score directly should be affected.
This release contains a fix for the problem that different encodings in SSL certificates can break RPC communication (issue 1094). The fix makes it necessary to rerun ‘gnt-cluster renew-crypto –new-node-certificates’ after the cluster is fully upgraded to 2.14.1

New features¶

On dedicated clusters, hail will now favour allocations filling up nodes efficiently over balanced allocations.

New dependencies¶

The indirect dependency on Haskell package ‘case-insensitive’ is now explicit.

Version 2.15.0 rc1¶

(Released Wed, 17 Jun 2015)

This was the first release candidate in the 2.15 series. All important changes are listed in the latest 2.15 entry.

Known issues:¶

Issue 1094: differences in encodings in SSL certificates due to different OpenSSL versions can result in rendering a cluster uncommunicative after a master-failover.

Version 2.15.0 beta1¶

(Released Thu, 30 Apr 2015)

This was the second beta release in the 2.15 series. All important changes are listed in the latest 2.15 entry.

Version 2.14.2¶

(Released Tue, 15 Dec 2015)

Important changes and security notes¶

Security release.

CVE-2015-7944

Ganeti provides a RESTful control interface called the RAPI. Its HTTPS implementation is vulnerable to DoS attacks via client-initiated SSL parameter renegotiation. While the interface is not meant to be exposed publicly, due to the fact that it binds to all interfaces, we believe some users might be exposing it unintentionally and are vulnerable. A DoS attack can consume resources meant for Ganeti daemons and instances running on the master node, making both perform badly.

Fixes are not feasible due to the OpenSSL Python library not exposing functionality needed to disable client-side renegotiation. Instead, we offer instructions on how to control RAPI’s exposure, along with info on how RAPI can be setup alongside an HTTPS proxy in case users still want or need to expose the RAPI interface. The instructions are outlined in Ganeti’s security document: doc/html/security.html

CVE-2015-7945

Ganeti leaks the DRBD secret through the RAPI interface. Examining job results after an instance information job reveals the secret. With the DRBD secret, access to the local cluster network, and ARP poisoning, an attacker can impersonate a Ganeti node and clone the disks of a DRBD-based instance. While an attacker with access to the cluster network is already capable of accessing any data written as DRBD traffic is unencrypted, having the secret expedites the process and allows access to the entire disk.

Fixes contained in this release prevent the secret from being exposed via the RAPI. The DRBD secret can be changed by converting an instance to plain and back to DRBD, generating a new secret, but redundancy will be lost until the process completes. Since attackers with node access are capable of accessing some and potentially all data even without the secret, we do not recommend that the secret be changed for existing instances.

Minor changes¶

Allow disk attachment to diskless instances
Calculate correct affected nodes set in InstanceChangeGroup (Issue 1144)
Do not retry all requests after connection timeouts to prevent repeated job submission
Fix reason trails of expanding opcodes
Make lockConfig call retryable
Extend timeout for gnt-cluster renew-crypto
Return the correct error code in the post-upgrade script
Make OpenSSL refrain from DH altogether
Fix faulty iallocator type check
Improve cfgupgrade output in case of errors
Fix upgrades of instances with missing creation time
Make htools tolerate missing “dtotal” and “dfree” on luxi
Fix default for –default-iallocator-params
Renew-crypto: stop daemons on master node first
Don’t warn about broken SSH setup of offline nodes (Issue 1131)
At IAlloc backend guess state from admin state
Set node tags in iallocator htools backend
Only search for Python-2 interpreters
Handle Xen 4.3 states better
Improve xl socat migrations
replace-disks: fix –ignore-ipolicy
Fix disabling of user shutdown reporting
Allow userspace-only disk templates
Fix instance failover in case of DTS_EXT_MIRROR
Fix operations on empty nodes by accepting allocation of 0 jobs
Fix instance multi allocation for non-DRBD disks
Redistribute master key on downgrade
Allow more failover options when using the –no-disk-moves flag

Version 2.14.1¶

(Released Fri, 10 Jul 2015)

Incompatible/important changes¶

The SSH security changes reduced the number of nodes which can SSH into other nodes. Unfortunately enough, the Ganeti implementation of migration for the xl stack of Xen required SSH to be able to migrate the instance, leading to a situation where full movement of an instance around the cluster was not possible. This version fixes the issue by using socat to transfer instance data. While socat is less secure than SSH, it is about as secure as xm migrations, and occurs over the secondary network if present. As a consequence of this change, Xen instance migrations using xl cannot occur between nodes running 2.14.0 and 2.14.1.
This release contains a fix for the problem that different encodings in SSL certificates can break RPC communication (issue 1094). The fix makes it necessary to rerun ‘gnt-cluster renew-crypto –new-node-certificates’ after the cluster is fully upgraded to 2.14.1

Other Changes¶

The htools now properly work also on shared-storage clusters.
Instance moves now work properly also for the plain disk template.
Filter-evaluation for run-time data filter was fixed (issue 1100).
Various improvements to the documentation have been added.

Version 2.14.0¶

(Released Tue, 2 Jun 2015)

New features¶

The build system now enforces external Haskell dependencies to lie in a supported range as declared by our new ganeti.cabal file.
Basic support for instance reservations has been added. Instance addition supports a –forthcoming option telling Ganeti to only reserve the resources but not create the actual instance. The instance can later be created with by passing the –commit option to the instance addition command.
Node tags starting with htools:nlocation: now have a special meaning to htools(1). They control between which nodes migration is possible, e.g., during hypervisor upgrades. See hbal(1) for details.
The node-allocation lock as been removed for good, thus speeding up parallel instance allocation and creation.
The external storage interface has been extended by optional open and close scripts.

New dependencies¶

Building the Haskell part of Ganeti now requires Cabal and cabal-install.

Known issues¶

Under certain conditions instance doesn’t get unpaused after live migration (issue #1050)

Since 2.14.0 rc1¶

The call to the IAllocator in ‘gnt-node evacuate’ has been fixed.
In opportunistic locking, only ask for those node resource locks where the node lock is held.
Lock requests are repeatable now; this avoids failure of a job in a race condition with a signal sent to the job.
Various improvements to the QA.

Version 2.14.0 rc2¶

(Released Tue, 19 May 2015)

This was the second release candidate in the 2.14 series. All important changes are listed in the 2.14.0 entry.

Since 2.14.0 rc1¶

private parameters are now properly exported to instance create scripts
unnecessary config unlocks and upgrades have been removed, improving performance, in particular of cluster verification
some rarely occuring file-descriptor leaks have been fixed
The checks for orphan and lost volumes have been fixed to also work correctly when multiple volume groups are used.

Version 2.14.0 rc1¶

(Released Wed, 29 Apr 2015)

This was the first release candidate in the 2.14 series. All important changes are listed in the latest 2.14 entry.

Since 2.14.0 beta2¶

The following issue has been fixed:

A race condition where a badly timed kill of WConfD could lead to an incorrect configuration.

Fixes inherited from the 2.12 branch:

Upgrade from old versions (2.5 and 2.6) was failing (issues 1070, 1019).
gnt-network info outputs wrong external reservations (issue 1068)
Refuse to demote master from master capability (issue 1023)

Fixes inherited from the 2.13 branch:

bugs related to ssh-key handling of master candidate (issues 1045, 1046, 1047)

Version 2.14.0 beta2¶

(Released Thu, 26 Mar 2015)

This was the second beta release in the 2.14 series. All important changes are listed in the latest 2.14 entry.

Since 2.14.0 beta1¶

The following issues have been fixed:

Issue 1018: Cluster init (and possibly other jobs) occasionally fail to start

The extension of the external storage interface was not present in 2.14.0 beta1.

Version 2.14.0 beta1¶

(Released Fri, 13 Feb 2015)

This was the first beta release of the 2.14 series. All important changes are listed in the latest 2.14 entry.

Version 2.13.3¶

(Released Mon, 14 Dec 2015)

Important changes and security notes¶

Security release.

CVE-2015-7944

Ganeti provides a RESTful control interface called the RAPI. Its HTTPS implementation is vulnerable to DoS attacks via client-initiated SSL parameter renegotiation. While the interface is not meant to be exposed publicly, due to the fact that it binds to all interfaces, we believe some users might be exposing it unintentionally and are vulnerable. A DoS attack can consume resources meant for Ganeti daemons and instances running on the master node, making both perform badly.

Fixes are not feasible due to the OpenSSL Python library not exposing functionality needed to disable client-side renegotiation. Instead, we offer instructions on how to control RAPI’s exposure, along with info on how RAPI can be setup alongside an HTTPS proxy in case users still want or need to expose the RAPI interface. The instructions are outlined in Ganeti’s security document: doc/html/security.html

CVE-2015-7945

Ganeti leaks the DRBD secret through the RAPI interface. Examining job results after an instance information job reveals the secret. With the DRBD secret, access to the local cluster network, and ARP poisoning, an attacker can impersonate a Ganeti node and clone the disks of a DRBD-based instance. While an attacker with access to the cluster network is already capable of accessing any data written as DRBD traffic is unencrypted, having the secret expedites the process and allows access to the entire disk.

Fixes contained in this release prevent the secret from being exposed via the RAPI. The DRBD secret can be changed by converting an instance to plain and back to DRBD, generating a new secret, but redundancy will be lost until the process completes. Since attackers with node access are capable of accessing some and potentially all data even without the secret, we do not recommend that the secret be changed for existing instances.

Minor changes¶

Calculate correct affected nodes set in InstanceChangeGroup (Issue 1144)
Do not retry all requests after connection timeouts to prevent repeated job submission
Fix reason trails of expanding opcodes
Make lockConfig call retryable
Extend timeout for gnt-cluster renew-crypto
Return the correct error code in the post-upgrade script
Make OpenSSL refrain from DH altogether
Fix upgrades of instances with missing creation time
Make htools tolerate missing “dtotal” and “dfree” on luxi
Fix default for –default-iallocator-params
Renew-crypto: stop daemons on master node first
Don’t warn about broken SSH setup of offline nodes (Issue 1131)
At IAlloc backend guess state from admin state
Only search for Python-2 interpreters
Handle Xen 4.3 states better
Improve xl socat migrations
replace-disks: fix –ignore-ipolicy
Fix disabling of user shutdown reporting
Fix operations on empty nodes by accepting allocation of 0 jobs
Fix instance multi allocation for non-DRBD disks
Redistribute master key on downgrade
Allow more failover options when using the –no-disk-moves flag

Version 2.13.2¶

(Released Mon, 13 Jul 2015)

Incompatible/important changes¶

This release contains a fix for the problem that different encodings in SSL certificates can break RPC communication (issue 1094). The fix makes it necessary to rerun ‘gnt-cluster renew-crypto –new-node-certificates’ after the cluster is fully upgraded to 2.13.2

Other fixes and known issues¶

Inherited from 2.12:

Fixed Issue #1115: Race between starting WConfD and updating the config
Fixed Issue #1114: Binding RAPI to a specific IP makes the watcher restart the RAPI
Fixed Issue #1100: Filter-evaluation for run-time data filter
Better handling of the “crashed” Xen state
The watcher can be instructed to skip disk verification
Reduce amount of logging on successful requests
Prevent multiple communication NICs being created for instances
The htools now properly work also on shared-storage clusters
Instance moves now work properly also for the plain disk template
Various improvements to the documentation have been added

Known issues: - Issue #1104: gnt-backup: dh key too small

Version 2.13.1¶

(Released Tue, 16 Jun 2015)

Incompatible/important changes¶

The SSH security changes reduced the number of nodes which can SSH into other nodes. Unfortunately enough, the Ganeti implementation of migration for the xl stack of Xen required SSH to be able to migrate the instance, leading to a situation where full movement of an instance around the cluster was not possible. This version fixes the issue by using socat to transfer instance data. While socat is less secure than SSH, it is about as secure as xm migrations, and occurs over the secondary network if present. As a consequence of this change, Xen instance migrations using xl cannot occur between nodes running 2.13.0 and 2.13.1.

Other fixes and known issues¶

Inherited from 2.12:

Fixed Issue #1082: RAPI is unresponsive after master-failover
Fixed Issue #1083: Cluster verify reports existing instance disks on non-default VGs as missing
Fixed Issue #1101: Modifying the storage directory for the shared-file disk template doesn’t work
Fixed a possible file descriptor leak when forking jobs
Fixed missing private parameters in the environment for OS scripts
Fixed a performance regression when handling configuration (only upgrade it if it changes)
Adapt for compilation with GHC7.8 (compiles with warnings; cherrypicked from 2.14)

Known issues: - Issue #1094: Mismatch in SSL encodings breaks RPC communication - Issue #1104: Export fails: key is too small

Version 2.13.0¶

(Released Tue, 28 Apr 2015)

Incompatible/important changes¶

Ganeti now internally retries the instance creation opcode if opportunistic locking did not acquire nodes with enough free resources. The internal retry will not use opportunistic locking. In particular, instance creation, even if opportunistic locking is set, will never fail with ECODE_TEMP_NORES.
The handling of SSH security had undergone a significant change. From this version on, each node has an individual SSH key pair instead of sharing one with all nodes of the cluster. From now on, we also restrict SSH access to master candidates. This means that only master candidates can ssh into other cluster nodes and all non-master-candidates cannot. Refer to the UPGRADE notes for further instructions on the creation and distribution of the keys.
Ganeti now checks hypervisor version compatibility before trying an instance migration. It errors out if the versions are not compatible. Add the option –ignore-hvversions to restore the old behavior of only warning.
Node tags starting with htools:migration: or htools:allowmigration: now have a special meaning to htools(1). See hbal(1) for details.
The LXC hypervisor code has been repaired and improved. Instances cannot be migrated and cannot have more than one disk, but should otherwise work as with other hypervisors. OS script changes should not be necessary. LXC version 1.0.0 or higher required.

New features¶

A new job filter rules system allows to define iptables-like rules for the job scheduler, making it easier to (soft-)drain the job queue, perform maintenance, and rate-limit selected job types. See gnt-filter(8) for details.
Ganeti jobs can now be ad-hoc rate limited via the reason trail. For a set of jobs queued with “–reason=rate-limit:n:label”, the job scheduler ensures that not more than n will be scheduled to run at the same time. See ganeti(7), section “Options”, for details.
The monitoring daemon has now variable sleep times for the data collectors. This currently means that the granularity of cpu-avg-load can be configured.
The ‘gnt-cluster verify’ command now has the option ‘–verify-ssh-clutter’, which verifies whether Ganeti (accidentally) cluttered up the ‘authorized_keys’ file.
Instance disks can now be converted from one disk template to another for many different template combinations. When available, more efficient conversions will be used, otherwise the disks are simply copied over.

New dependencies¶

The monitoring daemon uses the PSQueue library. Be sure to install it if you use Mond.
The formerly optional regex-pcre is now an unconditional dependency because the new job filter rules have regular expressions as a core feature.

Since 2.13.0 rc1¶

The following issues have been fixed:

Bugs related to ssh-key handling of master candidates (issues 1045, 1046, 1047)

Fixes inherited from the 2.12 branch:

Upgrade from old versions (2.5 and 2.6) was failing (issues 1070, 1019).
gnt-network info outputs wrong external reservations (issue 1068)
Refuse to demote master from master capability (issue 1023)

Version 2.13.0 rc1¶

(Released Wed, 25 Mar 2015)

This was the first release candidate of the 2.13 series. All important changes are listed in the latest 2.13 entry.

Since 2.13.0 beta1¶

The following issues have been fixed:

Issue 1018: Cluster init (and possibly other jobs) occasionally fail to start

Version 2.13.0 beta1¶

(Released Wed, 14 Jan 2015)

This was the first beta release of the 2.13 series. All important changes are listed in the latest 2.13 entry.

Version 2.12.6¶

(Released Mon, 14 Dec 2015)

Important changes and security notes¶

Security release.

CVE-2015-7944

Ganeti provides a RESTful control interface called the RAPI. Its HTTPS implementation is vulnerable to DoS attacks via client-initiated SSL parameter renegotiation. While the interface is not meant to be exposed publicly, due to the fact that it binds to all interfaces, we believe some users might be exposing it unintentionally and are vulnerable. A DoS attack can consume resources meant for Ganeti daemons and instances running on the master node, making both perform badly.

Fixes are not feasible due to the OpenSSL Python library not exposing functionality needed to disable client-side renegotiation. Instead, we offer instructions on how to control RAPI’s exposure, along with info on how RAPI can be setup alongside an HTTPS proxy in case users still want or need to expose the RAPI interface. The instructions are outlined in Ganeti’s security document: doc/html/security.html

CVE-2015-7945

Ganeti leaks the DRBD secret through the RAPI interface. Examining job results after an instance information job reveals the secret. With the DRBD secret, access to the local cluster network, and ARP poisoning, an attacker can impersonate a Ganeti node and clone the disks of a DRBD-based instance. While an attacker with access to the cluster network is already capable of accessing any data written as DRBD traffic is unencrypted, having the secret expedites the process and allows access to the entire disk.

Fixes contained in this release prevent the secret from being exposed via the RAPI. The DRBD secret can be changed by converting an instance to plain and back to DRBD, generating a new secret, but redundancy will be lost until the process completes. Since attackers with node access are capable of accessing some and potentially all data even without the secret, we do not recommend that the secret be changed for existing instances.

Minor changes¶

Calculate correct affected nodes set in InstanceChangeGroup (Issue 1144)
Do not retry all requests after connection timeouts to prevent repeated job submission
Fix reason trails of expanding opcodes
Make lockConfig call retryable
Return the correct error code in the post-upgrade script
Make OpenSSL refrain from DH altogether
Fix upgrades of instances with missing creation time
Make htools tolerate missing “dtotal” and “dfree” on luxi
Fix default for –default-iallocator-params
At IAlloc backend guess state from admin state
Only search for Python-2 interpreters
Handle Xen 4.3 states better
replace-disks: fix –ignore-ipolicy
Fix disabling of user shutdown reporting
Fix operations on empty nodes by accepting allocation of 0 jobs
Fix instance multi allocation for non-DRBD disks
Allow more failover options when using the –no-disk-moves flag

Version 2.12.5¶

(Released Mon, 13 Jul 2015)

Incompatible/important changes¶

This release contains a fix for the problem that different encodings in SSL certificates can break RPC communication (issue 1094). The fix makes it necessary to rerun ‘gnt-cluster renew-crypto –new-node-certificates’ after the cluster is fully upgraded to 2.12.5.

Fixed and improvements¶

Fixed Issue #1030: GlusterFS support breaks at upgrade to 2.12 - switches back to shared-file
Fixed Issue #1094 (see the notice in Incompatible/important changes): Differences in encodings of SSL certificates can render a cluster uncommunicative after a master-failover
Fixed Issue #1098: Support for ECDSA SSH keys
Fixed Issue #1100: Filter-evaluation for run-time data filter
Fixed Issue #1101: Modifying the storage directory for the shared-file disk template doesn’t work
Fixed Issue #1108: Spurious “NIC name already used” errors during instance creation
Fixed Issue #1114: Binding RAPI to a specific IP makes the watcher restart the RAPI
Fixed Issue #1115: Race between starting WConfD and updating the config
Better handling of the “crashed” Xen state
The htools now properly work also on shared-storage clusters
Various improvements to the documentation have been added

Inherited from the 2.11 branch:

Fixed Issue #1113: Reduce amount of logging on successful requests

Known issues¶

Issue #1104: gnt-backup: dh key too small

Version 2.12.4¶

(Released Tue, 12 May 2015)

Fixed Issue #1082: RAPI is unresponsive after master-failover
Fixed Issue #1083: Cluster verify reports existing instance disks on non-default VGs as missing
Fixed a possible file descriptor leak when forking jobs
Fixed missing private parameters in the environment for OS scripts
Fixed a performance regression when handling configuration (only upgrade it if it changes)
Adapt for compilation with GHC7.8 (compiles with warnings; cherrypicked from 2.14)

Known issues¶

Pending since 2.12.2:

Under certain conditions instance doesn’t get unpaused after live migration (issue #1050)
GlusterFS support breaks at upgrade to 2.12 - switches back to shared-file (issue #1030)

Version 2.12.3¶

(Released Wed, 29 Apr 2015)

Fixed Issue #1019: upgrade from 2.6.2 to 2.12 fails. cfgupgrade doesn’t migrate the config.data file properly
Fixed Issue 1023: Master master-capable option bug
Fixed Issue 1068: gnt-network info outputs wrong external reservations
Fixed Issue 1070: Upgrade of Ganeti 2.5.2 to 2.12.0 fails due to missing UUIDs for disks
Fixed Issue 1073: ssconf_hvparams_* not distributed with ssconf

Inherited from the 2.11 branch:

Fixed Issue 1032: Renew-crypto –new-node-certificates sometimes does not complete. The operation ‘gnt-cluster renew-crypto –new-node-certificates’ is now more robust against intermitten reachability errors. Nodes that are temporarily not reachable, are contacted with several retries. Nodes which are marked as offline are omitted right away.

Inherited from the 2.10 branch:

Fixed Issue 1057: master-failover succeeds, but IP remains assigned to old master
Fixed Issue 1058: Python’s os.minor() does not support devices with high minor numbers
Fixed Issue 1059: Luxid fails if DNS returns an IPv6 address that does not reverse resolve

Known issues¶

Pending since 2.12.2:

GHC 7.8 introduced some incompatible changes, so currently Ganeti 2.12. doesn’t compile on GHC 7.8
Under certain conditions instance doesn’t get unpaused after live migration (issue #1050)
GlusterFS support breaks at upgrade to 2.12 - switches back to shared-file (issue #1030)

Version 2.12.2¶

(Released Wed, 25 Mar 2015)

Support for the lens Haskell library up to version 4.7 (issue #1028)
SSH keys are now distributed only to master and master candidates (issue #377)
Improved performance for operations that frequently read the cluster configuration
Improved robustness of spawning job processes that occasionally caused newly-started jobs to timeout
Fixed race condition during cluster verify which occasionally caused it to fail

Inherited from the 2.11 branch:

Fix failing automatic glusterfs mounts (issue #984)
Fix watcher failing to read its status file after an upgrade (issue #1022)
Improve Xen instance state handling, in particular of somewhat exotic transitional states

Inherited from the 2.10 branch:

Fix failing to change a diskless drbd instance to plain (issue #1036)
Fixed issues with auto-upgrades from pre-2.6 (hv_state_static and disk_state_static)
Fix memory leak in the monitoring daemon

Inherited from the 2.9 branch:

Fix file descriptor leak in Confd client

Known issues¶

GHC 7.8 introduced some incompatible changes, so currently Ganeti 2.12. doesn’t compile on GHC 7.8
Under certain conditions instance doesn’t get unpaused after live migration (issue #1050)
GlusterFS support breaks at upgrade to 2.12 - switches back to shared-file (issue #1030)

Version 2.12.1¶

(Released Wed, 14 Jan 2015)

Fix users under which the wconfd and metad daemons run (issue #976)
Clean up stale livelock files (issue #865)
Fix setting up the metadata daemon’s network interface for Xen
Make watcher identify itself on disk activation
Add “ignore-ipolicy” option to gnt-instance grow-disk
Check disk size ipolicy during “gnt-instance grow-disk” (issue #995)

Inherited from the 2.11 branch:

Fix counting votes when doing master failover (issue #962)
Fix broken haskell dependencies (issues #758 and #912)
Check if IPv6 is used directly when running SSH (issue #892)

Inherited from the 2.10 branch:

Fix typo in gnt_cluster output (issue #1015)
Use the Python path detected at configure time in the top-level Python scripts.
Fix check for sphinx-build from python2-sphinx
Properly check if an instance exists in ‘gnt-instance console’

Version 2.12.0¶

(Released Fri, 10 Oct 2014)

Incompatible/important changes¶

Ganeti is now distributed under the 2-clause BSD license. See the COPYING file.
Do not use debug mode in production. Certain daemons will issue warnings when launched in debug mode. Some debug logging violates some of the new invariants in the system (see “New features”). The logging has been kept as it aids diagnostics and development.

New features¶

OS install script parameters now come in public, private and secret varieties:
- Public parameters are like all other parameters in Ganeti.
- Ganeti will not log private and secret parameters, unless it is running in debug mode.
- Ganeti will not save secret parameters to configuration. Secret parameters must be supplied every time you install, or reinstall, an instance.
- Attempting to override public parameters with private or secret parameters results in an error. Similarly, you may not use secret parameters to override private parameters.
The move-instance tool can now attempt to allocate an instance by using opportunistic locking when an iallocator is used.
The build system creates sample systemd unit files, available under doc/examples/systemd. These unit files allow systemd to natively manage and supervise all Ganeti processes.
Different types of compression can be applied during instance moves, including user-specified ones.
Ganeti jobs now run as separate processes. The jobs are coordinated by a new daemon “WConfd” that manages cluster’s configuration and locks for individual jobs. A consequence is that more jobs can run in parallel; the number is run-time configurable, see “New features” entry of 2.11.0. To avoid luxid being overloaded with tracking running jobs, it backs of and only occasionally, in a sequential way, checks if jobs have finished and schedules new ones. In this way, luxid keeps responsive under high cluster load. The limit as when to start backing of is also run-time configurable.
The metadata daemon is now optionally available, as part of the partial implementation of the OS-installs design. It allows pass information to OS install scripts or to instances. It is also possible to run Ganeti without the daemon, if desired.
Detection of user shutdown of instances has been implemented for Xen as well.

New dependencies¶

The KVM CPU pinning no longer uses the affinity python package, but psutil instead. The package is still optional and needed only if the feature is to be used.

Incomplete features¶

The following issues are related to features which are not completely implemented in 2.12:

Issue 885: Network hotplugging on KVM sometimes makes an instance unresponsive
Issues 708 and 602: The secret parameters are currently still written to disk in the job queue.
Setting up the metadata network interface under Xen isn’t fully implemented yet.

Known issues¶

Wrong UDP checksums in DHCP network packets: If an instance communicates with the metadata daemon and uses DHCP to obtain its IP address on the provided virtual network interface, it can happen that UDP packets have a wrong checksum, due to a bug in virtio. See for example https://bugs.launchpad.net/bugs/930962

Ganeti works around this bug by disabling the UDP checksums on the way from a host to instances (only on the special metadata communication network interface) using the ethtool command. Therefore if using the metadata daemon the host nodes should have this tool available.
The metadata daemon is run as root in the split-user mode, to be able to bind to port 80. This should be improved in future versions, see issue #949.

Since 2.12.0 rc2¶

The following issues have been fixed:

Fixed passing additional parameters to RecreateInstanceDisks over RAPI.
Fixed the permissions of WConfd when running in the split-user mode. As WConfd takes over the previous master daemon to manage the configuration, it currently runs under the masterd user.
Fixed the permissions of the metadata daemon wn running in the split-user mode (see Known issues).
Watcher now properly adds a reason trail entry when initiating disk checks.
Fixed removing KVM parameters introduced in 2.12 when downgrading a cluster to 2.11: “migration_caps”, “disk_aio” and “virtio_net_queues”.
Improved retrying of RPC calls that fail due to network errors.

Version 2.12.0 rc2¶

(Released Mon, 22 Sep 2014)

This was the second release candidate of the 2.12 series. All important changes are listed in the latest 2.12 entry.

Since 2.12.0 rc1¶

The following issues have been fixed:

Watcher now checks if WConfd is running and functional.
Watcher now properly adds reason trail entries.
Fixed NIC options in Xen’s config files.

Inherited from the 2.10 branch:

Fixed handling of the –online option
Add warning against hvparam changes with live migrations, which might lead to dangerous situations for instances.
Only the LVs in the configured VG are checked during cluster verify.

Version 2.12.0 rc1¶

(Released Wed, 20 Aug 2014)

This was the first release candidate of the 2.12 series. All important changes are listed in the latest 2.12 entry.

Since 2.12.0 beta1¶

The following issues have been fixed:

Issue 881: Handle communication errors in mcpu
Issue 883: WConfd leaks memory for some long operations
Issue 884: Under heavy load the IAllocator fails with a “missing instance” error

Inherited from the 2.10 branch:

Improve the recognition of Xen domU states
Automatic upgrades: - Create the config backup archive in a safe way - On upgrades, check for upgrades to resume first - Pause watcher during upgrade
Allow instance disks to be added with –no-wait-for-sync

Version 2.12.0 beta1¶

(Released Mon, 21 Jul 2014)

This was the first beta release of the 2.12 series. All important changes are listed in the latest 2.12 entry.

Version 2.11.8¶

(Released Mon, 14 Dec 2015)

Important changes and security notes¶

Security release.

CVE-2015-7944

Ganeti provides a RESTful control interface called the RAPI. Its HTTPS implementation is vulnerable to DoS attacks via client-initiated SSL parameter renegotiation. While the interface is not meant to be exposed publicly, due to the fact that it binds to all interfaces, we believe some users might be exposing it unintentionally and are vulnerable. A DoS attack can consume resources meant for Ganeti daemons and instances running on the master node, making both perform badly.

Fixes are not feasible due to the OpenSSL Python library not exposing functionality needed to disable client-side renegotiation. Instead, we offer instructions on how to control RAPI’s exposure, along with info on how RAPI can be setup alongside an HTTPS proxy in case users still want or need to expose the RAPI interface. The instructions are outlined in Ganeti’s security document: doc/html/security.html

CVE-2015-7945

Ganeti leaks the DRBD secret through the RAPI interface. Examining job results after an instance information job reveals the secret. With the DRBD secret, access to the local cluster network, and ARP poisoning, an attacker can impersonate a Ganeti node and clone the disks of a DRBD-based instance. While an attacker with access to the cluster network is already capable of accessing any data written as DRBD traffic is unencrypted, having the secret expedites the process and allows access to the entire disk.

Fixes contained in this release prevent the secret from being exposed via the RAPI. The DRBD secret can be changed by converting an instance to plain and back to DRBD, generating a new secret, but redundancy will be lost until the process completes. Since attackers with node access are capable of accessing some and potentially all data even without the secret, we do not recommend that the secret be changed for existing instances.

Minor changes¶

Make htools tolerate missing “dtotal” and “dfree” on luxi
Fix default for –default-iallocator-params
At IAlloc backend guess state from admin state
replace-disks: fix –ignore-ipolicy
Fix instance multi allocation for non-DRBD disks
Trigger renew-crypto on downgrade to 2.11
Downgrade log-message for rereading job
Downgrade log-level for successful requests
Check for gnt-cluster before running gnt-cluster upgrade

Version 2.11.7¶

(Released Fri, 17 Apr 2015)

The operation ‘gnt-cluster renew-crypto –new-node-certificates’ is now more robust against intermitten reachability errors. Nodes that are temporarily not reachable, are contacted with several retries. Nodes which are marked as offline are omitted right away.

Version 2.11.6¶

(Released Mon, 22 Sep 2014)

Ganeti is now distributed under the 2-clause BSD license. See the COPYING file.
Fix userspace access checks.
Various documentation fixes have been added.

Inherited from the 2.10 branch:

The –online option now works as documented.
The watcher is paused during cluster upgrades; also, upgrade checks for upgrades to resume first.
Instance disks can be added with –no-wait-for-sync.

Version 2.11.5¶

(Released Thu, 7 Aug 2014)

Inherited from the 2.10 branch:

Important security release. In 2.10.0, the ‘gnt-cluster upgrade’ command was introduced. Before performing an upgrade, the configuration directory of the cluster is backed up. Unfortunately, the archive was written with permissions that make it possible for non-privileged users to read the archive and thus have access to cluster and RAPI keys. After this release, the archive will be created with privileged access only.

We strongly advise you to restrict the permissions of previously created archives. The archives are found in /var/lib/ganeti*.tar (unless otherwise configured with –localstatedir or –with-backup-dir).

If you suspect that non-privileged users have accessed your archives already, we advise you to renew the cluster’s crypto keys using ‘gnt-cluster renew-crypto’ and to reset the RAPI credentials by editing /var/lib/ganeti/rapi_users (respectively under a different path if configured differently with –localstatedir).

Other changes included in this release:

Fix handling of Xen instance states.
Fix NIC configuration with absent NIC VLAN
Adapt relative path expansion in PATH to new environment
Exclude archived jobs from configuration backups
Fix RAPI for split query setup
Allow disk hot-remove even with chroot or SM

Inherited from the 2.9 branch:

Make htools tolerate missing ‘spfree’ on luxi

Version 2.11.4¶

(Released Thu, 31 Jul 2014)

Improved documentation of the instance shutdown behavior.

Inherited from the 2.10 branch:

KVM: fix NIC configuration with absent NIC VLAN (Issue 893)
Adapt relative path expansion in PATH to new environment
Exclude archived jobs from configuration backup
Expose early_release for ReplaceInstanceDisks
Add backup directory for configuration backups for upgrades
Fix BlockdevSnapshot in case of non lvm-based disk
Improve RAPI error handling for queries in non-existing items
Allow disk hot-remove even with chroot or SM
Remove superflous loop in instance queries (Issue 875)

Inherited from the 2.9 branch:

Make ganeti-cleaner switch to save working directory (Issue 880)

Version 2.11.3¶

(Released Wed, 9 Jul 2014)

Readd nodes to their previous node group
Remove old-style gnt-network connect

Inherited from the 2.10 branch:

Make network_vlan an optional OpParam
hspace: support –accept-existing-errors
Make hspace support –independent-groups
Add a modifier for a group’s allocation policy
Export VLAN nicparam to NIC configuration scripts
Fix gnt-network client to accept vlan info
Support disk hotplug with userspace access

Inherited from the 2.9 branch:

Make htools tolerate missing “spfree” on luxi
Move the design for query splitting to the implemented list
Add tests for DRBD setups with empty first resource

Inherited from the 2.8 branch:

DRBD parser: consume initial empty resource lines

Version 2.11.2¶

(Released Fri, 13 Jun 2014)

Improvements to KVM wrt to the kvmd and instance shutdown behavior. WARNING: In contrast to our standard policy, this bug fix update introduces new parameters to the configuration. This means in particular that after an upgrade from 2.11.0 or 2.11.1, ‘cfgupgrade’ needs to be run, either manually or explicitly by running ‘gnt-cluster upgrade –to 2.11.2’ (which requires that they had configured the cluster with –enable-versionfull). This also means, that it is not easily possible to downgrade from 2.11.2 to 2.11.1 or 2.11.0. The only way is to go back to 2.10 and back.

Inherited from the 2.10 branch:

Check for SSL encoding inconsistencies
Check drbd helper only in VM capable nodes
Improvements in statistics utils

Inherited from the 2.9 branch:

check-man-warnings: use C.UTF-8 and set LC_ALL

Version 2.11.1¶

(Released Wed, 14 May 2014)

Add design-node-security.rst to docinput
kvm: use a dedicated QMP socket for kvmd

Inherited from the 2.10 branch:

Set correct Ganeti version on setup commands
Add a utility to combine shell commands
Add design doc for performance tests
Fix failed DRBD disk creation cleanup
Hooking up verification for shared file storage
Fix –shared-file-storage-dir option of gnt-cluster modify
Clarify default setting of ‘metavg’
Fix invocation of GetCommandOutput in QA
Clean up RunWithLocks
Add an exception-trapping thread class
Wait for delay to provide interruption information
Add an expected block option to RunWithLocks
Track if a QA test was blocked by locks
Add a RunWithLocks QA utility function
Add restricted migration
Add an example for node evacuation
Add a test for parsing version strings
Tests for parallel job execution
Fail in replace-disks if attaching disks fails
Fix passing of ispecs in cluster init during QA
Move QAThreadGroup to qa_job_utils.py
Extract GetJobStatuses and use an unified version
Run disk template specific tests only if possible

Inherited from the 2.9 branch:

If Automake version > 1.11, force serial tests
KVM: set IFF_ONE_QUEUE on created tap interfaces
Add configure option to pass GHC flags

Version 2.11.0¶

(Released Fri, 25 Apr 2014)

Incompatible/important changes¶

gnt-node list no longer shows disk space information for shared file disk templates because it is not a node attribute. (For example, if you have both the file and shared file disk templates enabled, gnt-node list now only shows information about the file disk template.)
The shared file disk template is now in the new ‘sharedfile’ storage type. As a result, gnt-node list-storage -t file now only shows information about the file disk template and you may use gnt-node list-storage -t sharedfile to query storage information for the shared file disk template.
Over luxi, syntactially incorrect queries are now rejected as a whole; before, a ‘SumbmitManyJobs’ request was partially executed, if the outer structure of the request was syntactically correct. As the luxi protocol is internal (external applications are expected to use RAPI), the impact of this incompatible change should be limited.
Queries for nodes, instances, groups, backups and networks are now exclusively done via the luxi daemon. Legacy python code was removed, as well as the –enable-split-queries configuration option.
Orphan volumes errors are demoted to warnings and no longer affect the exit code of gnt-cluster verify.
RPC security got enhanced by using different client SSL certificates for each node. In this context ‘gnt-cluster renew-crypto’ got a new option ‘–new-node-certificates’, which renews the client certificates of all nodes. After a cluster upgrade from pre-2.11, run this to create client certificates and activate this feature.

New features¶

Instance moves, backups and imports can now use compression to transfer the instance data.
Node groups can be configured to use an SSH port different than the default 22.
Added experimental support for Gluster distributed file storage as the gluster disk template under the new sharedfile storage type through automatic management of per-node FUSE mount points. You can configure the mount point location at gnt-cluster init time by using the new --gluster-storage-dir switch.
Job scheduling is now handled by luxid, and the maximal number of jobs running in parallel is a run-time parameter of the cluster.
A new tool for planning dynamic power management, called hsqueeze, has been added. It suggests nodes to power up or down and corresponding instance moves.

New dependencies¶

The following new dependencies have been added:

For Haskell:

zlib library (http://hackage.haskell.org/package/base64-bytestring)
base64-bytestring library (http://hackage.haskell.org/package/zlib), at least version 1.0.0.0
lifted-base library (http://hackage.haskell.org/package/lifted-base)
lens library (http://hackage.haskell.org/package/lens)

Since 2.11.0 rc1¶

Fix Xen instance state

Inherited from the 2.10 branch:

Fix conflict between virtio + spice or soundhw
Fix bitarray ops wrt PCI slots
Allow releases scheduled 5 days in advance
Make watcher submit queries low priority
Fix specification of TIDiskParams
Add unittests for instance modify parameter renaming
Add renaming of instance custom params
Add RAPI symmetry tests for groups
Extend RAPI symmetry tests with RAPI-only aliases
Add test for group custom parameter renaming
Add renaming of group custom ndparams, ipolicy, diskparams
Add the RAPI symmetry test for nodes
Add aliases for nodes
Allow choice of HTTP method for modification
Add cluster RAPI symmetry test
Fix failing cluster query test
Add aliases for cluster parameters
Add support for value aliases to RAPI
Provide tests for GET/PUT symmetry
Sort imports
Also consider filter fields for deciding if using live data
Document the python-fdsend dependency
Verify configuration version number before parsing
KVM: use running HVPs to calc blockdev options
KVM: reserve a PCI slot for the SCSI controller
Check for LVM-based verification results only when enabled
Fix “existing” typos
Fix output of gnt-instance info after migration
Warn in UPGRADE about not tar’ing exported insts
Fix non-running test and remove custom_nicparams rename
Account for NODE_RES lock in opportunistic locking
Fix request flooding of noded during disk sync

Inherited from the 2.9 branch:

Make watcher submit queries low priority
Fix failing gnt-node list-drbd command
Update installation guide wrt to DRBD version
Fix list-drbd QA test
Add messages about skipped QA disk template tests
Allow QA asserts to produce more messages
Set exclusion tags correctly in requested instance
Export extractExTags and updateExclTags
Document spindles in the hbal man page
Sample logrotate conf breaks permissions with split users
Fix ‘gnt-cluster’ and ‘gnt-node list-storage’ outputs

Inherited from the 2.8 branch:

Add reason parameter to RAPI client functions
Include qa/patch in Makefile
Handle empty patches better
Move message formatting functions to separate file
Add optional ordering of QA patch files
Allow multiple QA patches
Refactor current patching code

Version 2.11.0 rc1¶

(Released Thu, 20 Mar 2014)

This was the first RC release of the 2.11 series. Since 2.11.0 beta1:

Convert int to float when checking config. consistency
Rename compression option in gnt-backup export

Inherited from the 2.9 branch:

Fix error introduced during merge
gnt-cluster copyfile: accept relative paths

Inherited from the 2.8 branch:

Improve RAPI detection of the watcher
Add patching QA configuration files on buildbots
Enable a timeout for instance shutdown
Allow KVM commands to have a timeout
Allow xen commands to have a timeout
Fix wrong docstring

Version 2.11.0 beta1¶

(Released Wed, 5 Mar 2014)

This was the first beta release of the 2.11 series. All important changes are listed in the latest 2.11 entry.

Version 2.10.8¶

(Released Fri, 11 Dec 2015)

Important changes and security notes¶

Security release.

CVE-2015-7944

Ganeti provides a RESTful control interface called the RAPI. Its HTTPS implementation is vulnerable to DoS attacks via client-initiated SSL parameter renegotiation. While the interface is not meant to be exposed publicly, due to the fact that it binds to all interfaces, we believe some users might be exposing it unintentionally and are vulnerable. A DoS attack can consume resources meant for Ganeti daemons and instances running on the master node, making both perform badly.

Fixes are not feasible due to the OpenSSL Python library not exposing functionality needed to disable client-side renegotiation. Instead, we offer instructions on how to control RAPI’s exposure, along with info on how RAPI can be setup alongside an HTTPS proxy in case users still want or need to expose the RAPI interface. The instructions are outlined in Ganeti’s security document: doc/html/security.html

CVE-2015-7945

Ganeti leaks the DRBD secret through the RAPI interface. Examining job results after an instance information job reveals the secret. With the DRBD secret, access to the local cluster network, and ARP poisoning, an attacker can impersonate a Ganeti node and clone the disks of a DRBD-based instance. While an attacker with access to the cluster network is already capable of accessing any data written as DRBD traffic is unencrypted, having the secret expedites the process and allows access to the entire disk.

Fixes contained in this release prevent the secret from being exposed via the RAPI. The DRBD secret can be changed by converting an instance to plain and back to DRBD, generating a new secret, but redundancy will be lost until the process completes. Since attackers with node access are capable of accessing some and potentially all data even without the secret, we do not recommend that the secret be changed for existing instances.

Minor changes¶

Make htools tolerate missing “dtotal” and “dfree” on luxi
At IAlloc backend guess state from admin state
replace-disks: fix –ignore-ipolicy
Fix instance multi allocation for non-DRBD disks
Check for gnt-cluster before running gnt-cluster upgrade
Work around a Python os.minor bug
Add IP-related checks after master-failover
Pass correct backend params in move-instance
Allow plain/DRBD conversions regardless of lack of disks
Fix MonD collector thunk leak
Stop MonD when removing a node from a cluster
Finalize backup only if successful
Fix file descriptor leak in Confd Client
Auto-upgrade hv_state_static and disk_state_static
Do not hardcode the Python path in CLI tools
Use the Python interpreter from ENV
ganeti.daemon: fix daemon mode with GnuTLS >= 3.3 (Issues 961, 964)
Ganeti.Daemon: always install SIGHUP handler (Issue 755)
Fix DRBD version check for non VM capable nodes
Fix handling of the –online option
Add warning against hvparam changes with live migrations
Only verify LVs in configured VG during cluster verify
Fix network info in case of multi NIC instances
On upgrades, check for upgrades to resume first
Pause watcher during upgrade
Allow instance disks to be added with –no-wait-for-sync

Version 2.10.7¶

(Released Thu, 7 Aug 2014)

Important security release. In 2.10.0, the ‘gnt-cluster upgrade’ command was introduced. Before performing an upgrade, the configuration directory of the cluster is backed up. Unfortunately, the archive was written with permissions that make it possible for non-privileged users to read the archive and thus have access to cluster and RAPI keys. After this release, the archive will be created with privileged access only.

We strongly advise you to restrict the permissions of previously created archives. The archives are found in /var/lib/ganeti*.tar (unless otherwise configured with –localstatedir or –with-backup-dir).

If you suspect that non-privileged users have accessed your archives already, we advise you to renew the cluster’s crypto keys using ‘gnt-cluster renew-crypto’ and to reset the RAPI credentials by editing /var/lib/ganeti/rapi_users (respectively under a different path if configured differently with –localstatedir).

Other changes included in this release:

Fix handling of Xen instance states.
Fix NIC configuration with absent NIC VLAN
Adapt relative path expansion in PATH to new environment
Exclude archived jobs from configuration backups
Fix RAPI for split query setup
Allow disk hot-remove even with chroot or SM

Inherited from the 2.9 branch:

Make htools tolerate missing ‘spfree’ on luxi

Version 2.10.6¶

(Released Mon, 30 Jun 2014)

Make Ganeti tolerant towards different openssl library version on different nodes (issue 853).
Allow hspace to make useful predictions in multi-group clusters with one group overfull (isse 861).
Various gnt-network related fixes.
Fix disk hotplug with userspace access.
Various documentation errors fixed.

Version 2.10.5¶

(Released Mon, 2 Jun 2014)

Two new options have been added to gnt-group evacuate. The ‘sequential’ option forces all the evacuation steps to be carried out sequentially, thus avoiding congestion on a slow link between node groups. The ‘force-failover’ option disallows migrations and forces failovers to be used instead. In this way evacuation to a group with vastly differnet hypervisor is possible.
In tiered allocation, when looking for ways on how to shrink an instance, the canoncial path is tried first, i.e., in each step reduce on the resource most placements are blocked on. Only if no smaller fitting instance can be found shrinking a single resource till fit is tried.
For finding the placement of an instance, the duplicate computations in the computation of the various cluster scores are computed only once. This significantly improves the performance of hspace for DRBD on large clusters; for other clusters, a slight performance decrease might occur. Moreover, due to the changed order, floating point number inaccuracies accumulate differently, thus resulting in different cluster scores. It has been verified that the effect of these different roundings is less than 1e-12.
network queries fixed with respect to instances
relax too strict prerequisite in LUClusterSetParams for DRBD helpers
VArious improvements to QA and build-time tests

Version 2.10.4¶

(Released Thu, 15 May 2014)

Support restricted migration in hbal
Fix for the –shared-file-storage-dir of gnt-cluster modify (issue 811)
Fail in replace-disks if attaching disks fails (issue 814)
Set IFF_ONE_QUEUE on created tap interfaces for KVM
Small fixes and enhancements in the build system
Various documentation fixes (e.g. issue 810)

Version 2.10.3¶

(Released Wed, 16 Apr 2014)

Fix filtering of pending jobs with -o id (issue 778)
Make RAPI API calls more symmetric (issue 770)
Make parsing of old cluster configuration more robust (issue 783)
Fix wrong output of gnt-instance info after migrations
Fix reserved PCI slots for KVM hotplugging
Use runtime hypervisor parameters to calculate bockdevice options for KVM
Fix high node daemon load during disk sync if the sync is paused manually (issue 792)
Improve opportunistic locking during instance creation (issue 791)

Inherited from the 2.9 branch:

Make watcher submit queries low priority (issue 772)
Add reason parameter to RAPI client functions (issue 776)
Fix failing gnt-node list-drbd command (issue 777)
Properly display fake job locks in gnt-debug.
small fixes in documentation

Version 2.10.2¶

(Released Mon, 24 Mar 2014)

Fix conflict between virtio + spice or soundhw (issue 757)
accept relative paths in gnt-cluster copyfile (issue 754)
Introduce shutdown timeout for ‘xm shutdown’ command
Improve RAPI detection of the watcher (issue 752)

Version 2.10.1¶

(Released Wed, 5 Mar 2014)

Fix incorrect invocation of hooks on offline nodes (issue 742)
Fix incorrect exit code of gnt-cluster verify in certain circumstances (issue 744)

Inherited from the 2.9 branch:

Fix overflow problem in hbal that caused it to break when waiting for jobs for more than 10 minutes (issue 717)
Make hbal properly handle non-LVM storage
Properly export and import NIC parameters, and do so in a backwards compatible way (issue 716)
Fix net-common script in case of routed mode (issue 728)
Improve documentation (issues 724, 730)

Version 2.10.0¶

(Released Thu, 20 Feb 2014)

Incompatible/important changes¶

Adding disks with ‘gnt-instance modify’ now waits for the disks to sync per default. Specify –no-wait-for-sync to override this behavior.
The Ganeti python code now adheres to a private-module layout. In particular, the module ‘ganeti’ is no longer in the python search path.
On instance allocation, the iallocator now considers non-LVM storage properly. In particular, actual file storage space information is used when allocating space for a file/sharedfile instance.
When disabling disk templates cluster-wide, the cluster now first checks whether there are instances still using those templates.
‘gnt-node list-storage’ now also reports storage information about file-based storage types.
In case of non drbd instances, export *_SECONDARY environment variables as empty strings (and not “None”) during ‘instance-migrate’ related hooks.

New features¶

KVM hypervisors can now access RBD storage directly without having to go through a block device.
A new command ‘gnt-cluster upgrade’ was added that automates the upgrade procedure between two Ganeti versions that are both 2.10 or higher.
The move-instance command can now change disk templates when moving instances, and does not require any node placement options to be specified if the destination cluster has a default iallocator.
Users can now change the soundhw and cpuid settings for XEN hypervisors.
Hail and hbal now have the (optional) capability of accessing average CPU load information through the monitoring daemon, and to use it to dynamically adapt the allocation of instances.
Hotplug support. Introduce new option ‘–hotplug’ to gnt-instance modify so that disk and NIC modifications take effect without the need of actual reboot. There are a couple of constrains currently for this feature:
- only KVM hypervisor (versions >= 1.0) supports it,
- one can not (yet) hotplug a disk using userspace access mode for RBD
- in case of a downgrade instances should suffer a reboot in order to be migratable (due to core change of runtime files)
- python-fdsend is required for NIC hotplugging.

Misc changes¶

A new test framework for logical units was introduced and the test coverage for logical units was improved significantly.
Opcodes are entirely generated from Haskell using the tool ‘hs2py’ and the module ‘src/Ganeti/OpCodes.hs’.
Constants are also generated from Haskell using the tool ‘hs2py-constants’ and the module ‘src/Ganeti/Constants.hs’, with the exception of socket related constants, which require changing the cluster configuration file, and HVS related constants, because they are part of a port of instance queries to Haskell. As a result, these changes will be part of the next release of Ganeti.

New dependencies¶

The following new dependencies have been added/updated.

Python

The version requirements for python-mock have increased to at least version 1.0.1. It is still used for testing only.
python-fdsend (https://gitorious.org/python-fdsend) is optional but required for KVM NIC hotplugging to work.

Since 2.10.0 rc3¶

Fix integer overflow problem in hbal

Version 2.10.0 rc3¶

(Released Wed, 12 Feb 2014)

This was the third RC release of the 2.10 series. Since 2.10.0 rc2:

Improved hotplug robustness
Start Ganeti daemons after ensure-dirs during upgrade
Documentation improvements

Inherited from the 2.9 branch:

Fix the RAPI instances-multi-alloc call
assign unique filenames to file-based disks
gracefully handle degraded non-diskless instances with 0 disks (issue 697)
noded now runs with its specified group, which is the default group, defaulting to root (issue 707)
make using UUIDs to identify nodes in gnt-node consistently possible (issue 703)

Version 2.10.0 rc2¶

(Released Fri, 31 Jan 2014)

This was the second RC release of the 2.10 series. Since 2.10.0 rc1:

Documentation improvements
Run drbdsetup syncer only on network attach
Include target node in hooks nodes for migration
Fix configure dirs
Support post-upgrade hooks during cluster upgrades

Inherited from the 2.9 branch:

Ensure that all the hypervisors exist in the config file (Issue 640)
Correctly recognise the role as master node (Issue 687)
configure: allow detection of Sphinx 1.2+ (Issue 502)
gnt-instance now honors the KVM path correctly (Issue 691)

Inherited from the 2.8 branch:

Change the list separator for the usb_devices parameter from comma to space. Commas could not work because they are already the hypervisor option separator (Issue 649)
Add support for blktap2 file-driver (Issue 638)
Add network tag definitions to the haskell codebase (Issue 641)
Fix RAPI network tag handling
Add the network tags to the tags searched by gnt-cluster search-tags
Fix caching bug preventing jobs from being cancelled
Start-master/stop-master was always failing if ConfD was disabled. (Issue 685)

Version 2.10.0 rc1¶

(Released Tue, 17 Dec 2013)

This was the first RC release of the 2.10 series. Since 2.10.0 beta1:

All known issues in 2.10.0 beta1 have been resolved (see changes from the 2.8 branch).
Improve handling of KVM runtime files from earlier Ganeti versions
Documentation fixes

Inherited from the 2.9 branch:

use custom KVM path if set for version checking
SingleNotifyPipeCondition: don’t share pollers

Inherited from the 2.8 branch:

Fixed Luxi daemon socket permissions after master-failover
Improve IP version detection code directly checking for colons rather than passing the family from the cluster object
Fix NODE/NODE_RES locking in LUInstanceCreate by not acquiring NODE_RES locks opportunistically anymore (Issue 622)
Allow link local IPv6 gateways (Issue 624)
Fix error printing (Issue 616)
Fix a bug in InstanceSetParams concerning names: in case no name is passed in disk modifications, keep the old one. If name=none then set disk name to None.
Update build_chroot script to work with the latest hackage packages
Add a packet number limit to “fping” in master-ip-setup (Issue 630)
Fix evacuation out of drained node (Issue 615)
Add default file_driver if missing (Issue 571)
Fix job error message after unclean master shutdown (Issue 618)
Lock group(s) when creating instances (Issue 621)
SetDiskID() before accepting an instance (Issue 633)
Allow the ext template disks to receive arbitrary parameters, both at creation time and while being modified
Xen handle domain shutdown (future proofing cherry-pick)
Refactor reading live data in htools (future proofing cherry-pick)

Version 2.10.0 beta1¶

(Released Wed, 27 Nov 2013)

This was the first beta release of the 2.10 series. All important changes are listed in the latest 2.10 entry.

Known issues¶

The following issues are known to be present in the beta and will be fixed before rc1.

Issue 477: Wrong permissions for confd LUXI socket
Issue 621: Instance related opcodes do not aquire network/group locks
Issue 622: Assertion Error: Node locks differ from node resource locks
Issue 623: IPv6 Masterd <-> Luxid communication error

Version 2.9.7¶

(Released Fri, 11 Dec 2015)

Important changes and security notes¶

Security release.

CVE-2015-7944

Ganeti provides a RESTful control interface called the RAPI. Its HTTPS implementation is vulnerable to DoS attacks via client-initiated SSL parameter renegotiation. While the interface is not meant to be exposed publicly, due to the fact that it binds to all interfaces, we believe some users might be exposing it unintentionally and are vulnerable. A DoS attack can consume resources meant for Ganeti daemons and instances running on the master node, making both perform badly.

Fixes are not feasible due to the OpenSSL Python library not exposing functionality needed to disable client-side renegotiation. Instead, we offer instructions on how to control RAPI’s exposure, along with info on how RAPI can be setup alongside an HTTPS proxy in case users still want or need to expose the RAPI interface. The instructions are outlined in Ganeti’s security document: doc/html/security.html

CVE-2015-7945

Ganeti leaks the DRBD secret through the RAPI interface. Examining job results after an instance information job reveals the secret. With the DRBD secret, access to the local cluster network, and ARP poisoning, an attacker can impersonate a Ganeti node and clone the disks of a DRBD-based instance. While an attacker with access to the cluster network is already capable of accessing any data written as DRBD traffic is unencrypted, having the secret expedites the process and allows access to the entire disk.

Fixes contained in this release prevent the secret from being exposed via the RAPI. The DRBD secret can be changed by converting an instance to plain and back to DRBD, generating a new secret, but redundancy will be lost until the process completes. Since attackers with node access are capable of accessing some and potentially all data even without the secret, we do not recommend that the secret be changed for existing instances.

Minor changes¶

gnt-instance replace-disks no longer crashes when –ignore-policy is passed to it
Stop MonD when removing a node from a cluster
Fix file descriptor leak in Confd client
Always install SIGHUP handler for Haskell daemons (Issue 755)
Make ganeti-cleaner switch to a safe working directory (Issue 880)
Make htools tolerate missing “spfree” on Luxi
DRBD parser: consume initial empty resource lines (Issue 869)
KVM: set IFF_ONE_QUEUE on created tap interfaces
Set exclusion tags correctly in requested instance

Version 2.9.6¶

(Released Mon, 7 Apr 2014)

Improve RAPI detection of the watcher (Issue 752)
gnt-cluster copyfile: accept relative paths (Issue 754)
Make watcher submit queries low priority (Issue 772)
Add reason parameter to RAPI client functions (Issue 776)
Fix failing gnt-node list-drbd command (Issue 777)
Properly display fake job locks in gnt-debug.
Enable timeout for instance shutdown
small fixes in documentation

Version 2.9.5¶

(Released Tue, 25 Feb 2014)

Fix overflow problem in hbal that caused it to break when waiting for jobs for more than 10 minutes (issue 717)
Make hbal properly handle non-LVM storage
Properly export and import NIC parameters, and do so in a backwards compatible way (issue 716)
Fix net-common script in case of routed mode (issue 728)
Improve documentation (issues 724, 730)

Version 2.9.4¶

(Released Mon, 10 Feb 2014)

Fix the RAPI instances-multi-alloc call
assign unique filenames to file-based disks
gracefully handle degraded non-diskless instances with 0 disks (issue 697)
noded now runs with its specified group, which is the default group, defaulting to root (issue 707)
make using UUIDs to identify nodes in gnt-node consistently possible (issue 703)

Version 2.9.3¶

(Released Mon, 27 Jan 2014)

Ensure that all the hypervisors exist in the config file (Issue 640)
Correctly recognise the role as master node (Issue 687)
configure: allow detection of Sphinx 1.2+ (Issue 502)
gnt-instance now honors the KVM path correctly (Issue 691)

Inherited from the 2.8 branch:

Change the list separator for the usb_devices parameter from comma to space. Commas could not work because they are already the hypervisor option separator (Issue 649)
Add support for blktap2 file-driver (Issue 638)
Add network tag definitions to the haskell codebase (Issue 641)
Fix RAPI network tag handling
Add the network tags to the tags searched by gnt-cluster search-tags
Fix caching bug preventing jobs from being cancelled
Start-master/stop-master was always failing if ConfD was disabled. (Issue 685)

Version 2.9.2¶

(Released Fri, 13 Dec 2013)

use custom KVM path if set for version checking
SingleNotifyPipeCondition: don’t share pollers

Inherited from the 2.8 branch:

Fixed Luxi daemon socket permissions after master-failover
Improve IP version detection code directly checking for colons rather than passing the family from the cluster object
Fix NODE/NODE_RES locking in LUInstanceCreate by not acquiring NODE_RES locks opportunistically anymore (Issue 622)
Allow link local IPv6 gateways (Issue 624)
Fix error printing (Issue 616)
Fix a bug in InstanceSetParams concerning names: in case no name is passed in disk modifications, keep the old one. If name=none then set disk name to None.
Update build_chroot script to work with the latest hackage packages
Add a packet number limit to “fping” in master-ip-setup (Issue 630)
Fix evacuation out of drained node (Issue 615)
Add default file_driver if missing (Issue 571)
Fix job error message after unclean master shutdown (Issue 618)
Lock group(s) when creating instances (Issue 621)
SetDiskID() before accepting an instance (Issue 633)
Allow the ext template disks to receive arbitrary parameters, both at creation time and while being modified
Xen handle domain shutdown (future proofing cherry-pick)
Refactor reading live data in htools (future proofing cherry-pick)

Version 2.9.1¶

(Released Wed, 13 Nov 2013)

fix bug, that kept nodes offline when readding
when verifying DRBD versions, ignore unavailable nodes
fix bug that made the console unavailable on kvm in split-user setup (issue 608)
DRBD: ensure peers are UpToDate for dual-primary (inherited 2.8.2)

Version 2.9.0¶

(Released Tue, 5 Nov 2013)

Incompatible/important changes¶

hroller now also plans for capacity to move non-redundant instances off any node to be rebooted; the old behavior of completely ignoring any non-redundant instances can be restored by adding the –ignore-non-redundant option.
The cluster option ‘–no-lvm-storage’ was removed in favor of the new option ‘–enabled-disk-templates’.
On instance creation, disk templates no longer need to be specified with ‘-t’. The default disk template will be taken from the list of enabled disk templates.
The monitoring daemon is now running as root, in order to be able to collect information only available to root (such as the state of Xen instances).
The ConfD client is now IPv6 compatible.
File and shared file storage is no longer dis/enabled at configure time, but using the option ‘–enabled-disk-templates’ at cluster initialization and modification.
The default directories for file and shared file storage are not anymore specified at configure time, but taken from the cluster’s configuration. They can be set at cluster initialization and modification with ‘–file-storage-dir’ and ‘–shared-file-storage-dir’.
Cluster verification now includes stricter checks regarding the default file and shared file storage directories. It now checks that the directories are explicitly allowed in the ‘file-storage-paths’ file and that the directories exist on all nodes.
The list of allowed disk templates in the instance policy and the list of cluster-wide enabled disk templates is now checked for consistency on cluster or group modification. On cluster initialization, the ipolicy disk templates are ensured to be a subset of the cluster-wide enabled disk templates.

New features¶

DRBD 8.4 support. Depending on the installed DRBD version, Ganeti now uses the correct command syntax. It is possible to use different DRBD versions on different nodes as long as they are compatible to each other. This enables rolling upgrades of DRBD with no downtime. As permanent operation of different DRBD versions within a node group is discouraged, gnt-cluster verify will emit a warning if it detects such a situation.
New “inst-status-xen” data collector for the monitoring daemon, providing information about the state of the xen instances on the nodes.
New “lv” data collector for the monitoring daemon, collecting data about the logical volumes on the nodes, and pairing them with the name of the instances they belong to.
New “diskstats” data collector, collecting the data from /proc/diskstats and presenting them over the monitoring daemon interface.
The ConfD client is now IPv6 compatible.

New dependencies¶

The following new dependencies have been added.

Python

python-mock (http://www.voidspace.org.uk/python/mock/) is now a required for the unit tests (and only used for testing).

Haskell

hslogger (http://software.complete.org/hslogger) is now always required, even if confd is not enabled.

Since 2.9.0 rc3¶

Correctly start/stop luxid during gnt-cluster master-failover (inherited from stable-2.8)
Improved error messsages (inherited from stable-2.8)

Version 2.9.0 rc3¶

(Released Tue, 15 Oct 2013)

The third release candidate in the 2.9 series. Since 2.9.0 rc2:

in implicit configuration upgrade, match ipolicy with enabled disk templates
improved harep documentation (inherited from stable-2.8)

Version 2.9.0 rc2¶

(Released Wed, 9 Oct 2013)

The second release candidate in the 2.9 series. Since 2.9.0 rc1:

Fix bug in cfgupgrade that led to failure when upgrading from 2.8 with at least one DRBD instance.
Fix bug in cfgupgrade that led to an invalid 2.8 configuration after downgrading.

Version 2.9.0 rc1¶

(Released Tue, 1 Oct 2013)

The first release candidate in the 2.9 series. Since 2.9.0 beta1:

various bug fixes
update of the documentation, in particular installation instructions
merging of LD_* constants into DT_* constants
python style changes to be compatible with newer versions of pylint

Version 2.9.0 beta1¶

(Released Thu, 29 Aug 2013)

This was the first beta release of the 2.9 series. All important changes are listed in the latest 2.9 entry.

Version 2.8.4¶

(Released Thu, 23 Jan 2014)

Change the list separator for the usb_devices parameter from comma to space. Commas could not work because they are already the hypervisor option separator (Issue 649)
Add support for blktap2 file-driver (Issue 638)
Add network tag definitions to the haskell codebase (Issue 641)
Fix RAPI network tag handling
Add the network tags to the tags searched by gnt-cluster search-tags
Fix caching bug preventing jobs from being cancelled
Start-master/stop-master was always failing if ConfD was disabled. (Issue 685)

Version 2.8.3¶

(Released Thu, 12 Dec 2013)

Fixed Luxi daemon socket permissions after master-failover
Improve IP version detection code directly checking for colons rather than passing the family from the cluster object
Fix NODE/NODE_RES locking in LUInstanceCreate by not acquiring NODE_RES locks opportunistically anymore (Issue 622)
Allow link local IPv6 gateways (Issue 624)
Fix error printing (Issue 616)
Fix a bug in InstanceSetParams concerning names: in case no name is passed in disk modifications, keep the old one. If name=none then set disk name to None.
Update build_chroot script to work with the latest hackage packages
Add a packet number limit to “fping” in master-ip-setup (Issue 630)
Fix evacuation out of drained node (Issue 615)
Add default file_driver if missing (Issue 571)
Fix job error message after unclean master shutdown (Issue 618)
Lock group(s) when creating instances (Issue 621)
SetDiskID() before accepting an instance (Issue 633)
Allow the ext template disks to receive arbitrary parameters, both at creation time and while being modified
Xen handle domain shutdown (future proofing cherry-pick)
Refactor reading live data in htools (future proofing cherry-pick)

Version 2.8.2¶

(Released Thu, 07 Nov 2013)

DRBD: ensure peers are UpToDate for dual-primary
Improve error message for replace-disks
More dependency checks at configure time
Placate warnings on ganeti.outils_unittest.py

Version 2.8.1¶

(Released Thu, 17 Oct 2013)

Correctly start/stop luxid during gnt-cluster master-failover
Don’t attempt IPv6 ssh in case of IPv4 cluster (Issue 595)
Fix path for the job queue serial file
Improved harep man page
Minor documentation improvements

Version 2.8.0¶

(Released Mon, 30 Sep 2013)

Incompatible/important changes¶

Instance policy can contain multiple instance specs, as described in the “Constrained instance sizes” section of Partitioned Ganeti. As a consequence, it’s not possible to partially change or override instance specs. Bounding specs (min and max) can be specified as a whole using the new option --ipolicy-bounds-specs, while standard specs use the new option --ipolicy-std-specs.
The output of the info command of gnt-cluster, gnt-group, gnt-node, gnt-instance is a valid YAML object.
hail now honors network restrictions when allocating nodes. This led to an update of the IAllocator protocol. See the IAllocator documentation for details.
confd now only answers static configuration request over the network. luxid was extracted, listens on the local LUXI socket and responds to live queries. This allows finer grained permissions if using separate users.

New features¶

The Remote API daemon now supports a command line flag to always require authentication, --require-authentication. It can be specified in $sysconfdir/default/ganeti.
A new cluster attribute ‘enabled_disk_templates’ is introduced. It will be used to manage the disk templates to be used by instances in the cluster. Initially, it will be set to a list that includes plain, drbd, if they were enabled by specifying a volume group name, and file and sharedfile, if those were enabled at configure time. Additionally, it will include all disk templates that are currently used by instances. The order of disk templates will be based on Ganeti’s history of supporting them. In the future, the first entry of the list will be used as a default disk template on instance creation.
cfgupgrade now supports a --downgrade option to bring the configuration back to the previous stable version.
Disk templates in group ipolicy can be restored to the default value.
Initial support for diskless instances and virtual clusters in QA.
More QA and unit tests for instance policies.
Every opcode now contains a reason trail (visible through gnt-job info) describing why the opcode itself was executed.
The monitoring daemon is now available. It allows users to query the cluster for obtaining information about the status of the system. The daemon is only responsible for providing the information over the network: the actual data gathering is performed by data collectors (currently, only the DRBD status collector is available).
In order to help developers work on Ganeti, a new script (devel/build_chroot) is provided, for building a chroot that contains all the required development libraries and tools for compiling Ganeti on a Debian Squeeze system.
A new tool, harep, for performing self-repair and recreation of instances in Ganeti has been added.
Split queries are enabled for tags, network, exports, cluster info, groups, jobs, nodes.
New command show-ispecs-cmd for gnt-cluster and gnt-group. It prints the command line to set the current policies, to ease changing them.
Add the vnet_hdr HV parameter for KVM, to control whether the tap devices for KVM virtio-net interfaces will get created with VNET_HDR (IFF_VNET_HDR) support. If set to false, it disables offloading on the virtio-net interfaces, which prevents host kernel tainting and log flooding, when dealing with broken or malicious virtio-net drivers. It’s set to true by default.
Instance failover now supports a --cleanup parameter for fixing previous failures.
Support ‘viridian’ parameter in Xen HVM
Support DSA SSH keys in bootstrap
To simplify the work of packaging frameworks that want to add the needed users and groups in a split-user setup themselves, at build time three files in doc/users will be generated. The groups files contains, one per line, the groups to be generated, the users file contains, one per line, the users to be generated, optionally followed by their primary group, where important. The groupmemberships file contains, one per line, additional user-group membership relations that need to be established. The syntax of these files will remain stable in all future versions.

New dependencies¶

The following new dependencies have been added:

For Haskell: - The curl library is not optional anymore for compiling the Haskell code. - snap-server library (if monitoring is enabled).

For Python: - The minimum Python version needed to run Ganeti is now 2.6. - yaml library (only for running the QA).

Since 2.8.0 rc3¶

Perform proper cleanup on termination of Haskell daemons
Fix corner-case in handling of remaining retry time

Version 2.8.0 rc3¶

(Released Tue, 17 Sep 2013)

To simplify the work of packaging frameworks that want to add the needed users and groups in a split-user setup themselves, at build time three files in doc/users will be generated. The groups files contains, one per line, the groups to be generated, the users file contains, one per line, the users to be generated, optionally followed by their primary group, where important. The groupmemberships file contains, one per line, additional user-group membership relations that need to be established. The syntax of these files will remain stable in all future versions.
Add a default to file-driver when unspecified over RAPI (Issue 571)
Mark the DSA host pubkey as optional, and remove it during config downgrade (Issue 560)
Some documentation fixes

Version 2.8.0 rc2¶

(Released Tue, 27 Aug 2013)

The second release candidate of the 2.8 series. Since 2.8.0. rc1:

Support ‘viridian’ parameter in Xen HVM (Issue 233)
Include VCS version in gnt-cluster version
Support DSA SSH keys in bootstrap (Issue 338)
Fix batch creation of instances
Use FQDN to check master node status (Issue 551)
Make the DRBD collector more failure-resilient

Version 2.8.0 rc1¶

(Released Fri, 2 Aug 2013)

The first release candidate of the 2.8 series. Since 2.8.0 beta1:

Fix upgrading/downgrading from 2.7
Increase maximum RAPI message size
Documentation updates
Split confd between luxid and confd
Merge 2.7 series up to the 2.7.1 release
Allow the modify_etc_hosts option to be changed
Add better debugging for luxid queries
Expose bulk parameter for GetJobs in RAPI client
Expose missing network fields in RAPI
Add some cluster verify tests
Some unittest fixes
Fix a malfunction in hspace’s tiered allocation
Fix query compatibility between haskell and python implementations
Add the vnet_hdr HV parameter for KVM
Add --cleanup to instance failover
Change the connected groups format in gnt-network info output; it was previously displayed as a raw list by mistake. (Merged from 2.7)

Version 2.8.0 beta1¶

(Released Mon, 24 Jun 2013)

This was the first beta release of the 2.8 series. All important changes are listed in the latest 2.8 entry.

Version 2.7.2¶

(Released Thu, 26 Sep 2013)

Change the connected groups format in gnt-network info output; it was previously displayed as a raw list by mistake
Check disk template in right dict when copying
Support multi-instance allocs without iallocator
Fix some errors in the documentation
Fix formatting of tuple in an error message

Version 2.7.1¶

(Released Thu, 25 Jul 2013)

Add logrotate functionality in daemon-util
Add logrotate example file
Add missing fields to network queries over rapi
Fix network object timestamps
Add support for querying network timestamps
Fix a typo in the example crontab
Fix a documentation typo

Version 2.7.0¶

(Released Thu, 04 Jul 2013)

Incompatible/important changes¶

Instance policies for disk size were documented to be on a per-disk basis, but hail applied them to the sum of all disks. This has been fixed.
hbal will now exit with status 0 if, during job execution over LUXI, early exit has been requested and all jobs are successful; before, exit status 1 was used, which cannot be differentiated from “job error” case
Compatibility with newer versions of rbd has been fixed
gnt-instance batch-create has been changed to use the bulk create opcode from Ganeti. This lead to incompatible changes in the format of the JSON file. It’s now not a custom dict anymore but a dict compatible with the OpInstanceCreate opcode.
Parent directories for file storage need to be listed in $sysconfdir/ganeti/file-storage-paths now. cfgupgrade will write the file automatically based on old configuration values, but it can not distribute it across all nodes and the file contents should be verified. Use gnt-cluster copyfile $sysconfdir/ganeti/file-storage-paths once the cluster has been upgraded. The reason for requiring this list of paths now is that before it would have been possible to inject new paths via RPC, allowing files to be created in arbitrary locations. The RPC protocol is protected using SSL/X.509 certificates, but as a design principle Ganeti does not permit arbitrary paths to be passed.
The parsing of the variants file for OSes (see ganeti-os-interface(7)) has been slightly changed: now empty lines and comment lines (starting with #) are ignored for better readability.
The setup-ssh tool added in Ganeti 2.2 has been replaced and is no longer available. gnt-node add now invokes a new tool on the destination node, named prepare-node-join, to configure the SSH daemon. Paramiko is no longer necessary to configure nodes’ SSH daemons via gnt-node add.
Draining (gnt-cluster queue drain) and un-draining the job queue (gnt-cluster queue undrain) now affects all nodes in a cluster and the flag is not reset after a master failover.
Python 2.4 has not been tested with this release. Using 2.6 or above is recommended. 2.6 will be mandatory from the 2.8 series.

New features¶

New network management functionality to support automatic allocation of IP addresses and managing of network parameters. See gnt-network(8) for more details.
New external storage backend, to allow managing arbitrary storage systems external to the cluster. See ganeti-extstorage-interface(7).
New exclusive-storage node parameter added, restricted to nodegroup level. When it’s set to true, physical disks are assigned in an exclusive fashion to instances, as documented in Partitioned Ganeti. Currently, only instances using the plain disk template are supported.
The KVM hypervisor has been updated with many new hypervisor parameters, including a generic one for passing arbitrary command line values. See a complete list in gnt-instance(8). It is now compatible up to qemu 1.4.
A new tool, called mon-collector, is the stand-alone executor of the data collectors for a monitoring system. As of this version, it just includes the DRBD data collector, that can be executed by calling mon-collector using the drbd parameter. See mon-collector(7).
A new user option, read, has been added for RAPI users. It allows granting permissions to query for information to a specific user without giving write permissions.
A new tool named node-cleanup has been added. It cleans remains of a cluster from a machine by stopping all daemons, removing certificates and ssconf files. Unless the --no-backup option is given, copies of the certificates are made.
Instance creations now support the use of opportunistic locking, potentially speeding up the (parallel) creation of multiple instances. This feature is currently only available via the RAPI interface and when an instance allocator is used. If the opportunistic_locking parameter is set the opcode will try to acquire as many locks as possible, but will not wait for any locks held by other opcodes. If not enough resources can be found to allocate the instance, the temporary error code temp_insufficient_resources is returned. The operation can be retried thereafter, with or without opportunistic locking.
New experimental linux-ha resource scripts.
Restricted-commands support: ganeti can now be asked (via command line or rapi) to perform commands on a node. These are passed via ganeti RPC rather than ssh. This functionality is restricted to commands specified on the $sysconfdir/ganeti/restricted-commands for security reasons. The file is not copied automatically.

Misc changes¶

Diskless instances are now externally mirrored (Issue 237). This for now has only been tested in conjunction with explicit target nodes for migration/failover.
Queries not needing locks or RPC access to the node can now be performed by the confd daemon, making them independent from jobs, and thus faster to execute. This is selectable at configure time.
The functionality for allocating multiple instances at once has been overhauled and is now also available through RAPI.

There are no significant changes from version 2.7.0~rc3.

Version 2.7.0 rc3¶

(Released Tue, 25 Jun 2013)

Fix permissions on the confd query socket (Issue 477)
Fix permissions on the job archive dir (Issue 498)
Fix handling of an internal exception in replace-disks (Issue 472)
Fix gnt-node info handling of shortened names (Issue 497)
Fix gnt-instance grow-disk when wiping is enabled
Documentation improvements, and support for newer pandoc
Fix hspace honoring ipolicy for disks (Issue 484)
Improve handling of the kvm_extra HV parameter

Version 2.7.0 rc2¶

(Released Fri, 24 May 2013)

devel/upload now works when /var/run on the target nodes is a symlink.
Disks added through gnt-instance modify or created through gnt-instance recreate-disks are wiped, if the prealloc_wipe_disks flag is set.
If wiping newly created disks fails, the disks are removed. Also, partial failures in creating disks through gnt-instance modify triggers a cleanup of the partially-created disks.
Removing the master IP address doesn’t fail if the address has been already removed.
Fix ownership of the OS log dir
Workaround missing SO_PEERCRED constant (Issue 191)

Version 2.7.0 rc1¶

(Released Fri, 3 May 2013)

This was the first release candidate of the 2.7 series. Since beta3:

Fix kvm compatibility with qemu 1.4 (Issue 389)
Documentation updates (admin guide, upgrade notes, install instructions) (Issue 372)
Fix gnt-group list nodes and instances count (Issue 436)
Fix compilation without non-mandatory libraries (Issue 441)
Fix xen-hvm hypervisor forcing nics to type ‘ioemu’ (Issue 247)
Make confd logging more verbose at INFO level (Issue 435)
Improve “networks” documentation in gnt-instance(8)
Fix failure path for instance storage type conversion (Issue 229)
Update htools text backend documentation
Improve the renew-crypto section of gnt-cluster(8)
Disable inter-cluster instance move for file-based instances, because it is dependant on instance export, which is not supported for file-based instances. (Issue 414)
Fix gnt-job crashes on non-ascii characters (Issue 427)
Fix volume group checks on non-vm-capable nodes (Issue 432)

Version 2.7.0 beta3¶

(Released Mon, 22 Apr 2013)

This was the third beta release of the 2.7 series. Since beta2:

Fix hail to verify disk instance policies on a per-disk basis (Issue 418).
Fix data loss on wrong usage of gnt-instance move
Properly export errors in confd-based job queries
Add users-setup tool
Fix iallocator protocol to report 0 as a disk size for diskless instances. This avoids hail breaking when a diskless instance is present.
Fix job queue directory permission problem that made confd job queries fail. This requires running an ensure-dirs --full-run on upgrade for access to archived jobs (Issue 406).
Limit the sizes of networks supported by gnt-network to something between a /16 and a /30 to prevent memory bloat and crashes.
Fix bugs in instance disk template conversion
Fix GHC 7 compatibility
Fix burnin install path (Issue 426).
Allow very small disk grows (Issue 347).
Fix a ganeti-noded memory bloat introduced in 2.5, by making sure that noded doesn’t import masterd code (Issue 419).
Make sure the default metavg at cluster init is the same as the vg, if unspecified (Issue 358).
Fix cleanup of partially created disks (part of Issue 416)

Version 2.7.0 beta2¶

(Released Tue, 2 Apr 2013)

This was the second beta release of the 2.7 series. Since beta1:

Networks no longer have a “type” slot, since this information was unused in Ganeti: instead of it tags should be used.
The rapi client now has a target_node option to MigrateInstance.
Fix early exit return code for hbal (Issue 386).
Fix gnt-instance migrate/failover -n (Issue 396).
Fix rbd showmapped output parsing (Issue 312).
Networks are now referenced indexed by UUID, rather than name. This will require running cfgupgrade, from 2.7.0beta1, if networks are in use.
The OS environment now includes network information.
Deleting of a network is now disallowed if any instance nic is using it, to prevent dangling references.
External storage is now documented in man pages.
The exclusive_storage flag can now only be set at nodegroup level.
Hbal can now submit an explicit priority with its jobs.
Many network related locking fixes.
Bump up the required pylint version to 0.25.1.
Fix the no_remember option in RAPI client.
Many ipolicy related tests, qa, and fixes.
Many documentation improvements and fixes.
Fix building with --disable-file-storage.
Fix -q option in htools, which was broken if passed more than once.
Some haskell/python interaction improvements and fixes.
Fix iallocator in case of missing LVM storage.
Fix confd config load in case of --no-lvm-storage.
The confd/query functionality is now mentioned in the security documentation.

Version 2.7.0 beta1¶

(Released Wed, 6 Feb 2013)

This was the first beta release of the 2.7 series. All important changes are listed in the latest 2.7 entry.

Version 2.6.2¶

(Released Fri, 21 Dec 2012)

Important behaviour change: hbal won’t rebalance anymore instances which have the auto_balance attribute set to false. This was the intention all along, but until now it only skipped those from the N+1 memory reservation (DRBD-specific).

A significant number of bug fixes in this release:

Fixed disk adoption interaction with ipolicy checks.
Fixed networking issues when instances are started, stopped or migrated, by forcing the tap device’s MAC prefix to “fe” (issue 217).
Fixed the warning in cluster verify for shared storage instances not being redundant.
Fixed removal of storage directory on shared file storage (issue 262).
Fixed validation of LVM volume group name in OpClusterSetParams (gnt-cluster modify) (issue 285).
Fixed runtime memory increases (gnt-instance modify -m).
Fixed live migration under Xen’s xl mode.
Fixed gnt-instance console with xl.
Fixed building with newer Haskell compiler/libraries.
Fixed PID file writing in Haskell daemons (confd); this prevents restart issues if confd was launched manually (outside of daemon-util) while another copy of it was running
Fixed a type error when doing live migrations with KVM (issue 297) and the error messages for failing migrations have been improved.
Fixed opcode validation for the out-of-band commands (gnt-node power).
Fixed a type error when unsetting OS hypervisor parameters (issue 311); now it’s possible to unset all OS-specific hypervisor parameters.
Fixed the dry-run mode for many operations: verification of results was over-zealous but didn’t take into account the dry-run operation, resulting in “wrong” failures.
Fixed bash completion in gnt-job list when the job queue has hundreds of entries; especially with older bash versions, this results in significant CPU usage.

And lastly, a few other improvements have been made:

Added option to force master-failover without voting (issue 282).
Clarified error message on lock conflict (issue 287).
Logging of newly submitted jobs has been improved (issue 290).
Hostname checks have been made uniform between instance rename and create (issue 291).
The --submit option is now supported by gnt-debug delay.
Shutting down the master daemon by sending SIGTERM now stops it from processing jobs waiting for locks; instead, those jobs will be started once again after the master daemon is started the next time (issue 296).
Support for Xen’s xl program has been improved (besides the fixes above).
Reduced logging noise in the Haskell confd daemon (only show one log entry for each config reload, instead of two).
Several man page updates and typo fixes.

Version 2.6.1¶

(Released Fri, 12 Oct 2012)

A small bugfix release. Among the bugs fixed:

Fixed double use of PRIORITY_OPT in gnt-node migrate, that made the command unusable.
Commands that issue many jobs don’t fail anymore just because some jobs take so long that other jobs are archived.
Failures during gnt-instance reinstall are reflected by the exit status.
Issue 190 fixed. Check for DRBD in cluster verify is enabled only when DRBD is enabled.
When always_failover is set, --allow-failover is not required in migrate commands anymore.
bash_completion works even if extglob is disabled.
Fixed bug with locks that made failover for RDB-based instances fail.
Fixed bug in non-mirrored instance allocation that made Ganeti choose a random node instead of one based on the allocator metric.
Support for newer versions of pylint and pep8.
Hail doesn’t fail anymore when trying to add an instance of type file, sharedfile or rbd.
Added new Makefile target to rebuild the whole distribution, so that all files are included.

Version 2.6.0¶

(Released Fri, 27 Jul 2012)

Attention

The LUXI protocol has been made more consistent regarding its handling of command arguments. This, however, leads to incompatibility issues with previous versions. Please ensure that you restart Ganeti daemons soon after the upgrade, otherwise most LUXI calls (job submission, setting/resetting the drain flag, pausing/resuming the watcher, cancelling and archiving jobs, querying the cluster configuration) will fail.

New features¶

Instance run status¶

The current admin_up field, which used to denote whether an instance should be running or not, has been removed. Instead, admin_state is introduced, with 3 possible values – up, down and offline.

The rational behind this is that an instance being “down” can have different meanings:

it could be down during a reboot
it could be temporarily be down for a reinstall
or it could be down because it is deprecated and kept just for its disk

The previous Boolean state was making it difficult to do capacity calculations: should Ganeti reserve memory for a down instance? Now, the tri-state field makes it clear:

in up and down state, all resources are reserved for the instance, and it can be at any time brought up if it is down
in offline state, only disk space is reserved for it, but not memory or CPUs

The field can have an extra use: since the transition between up and down and vice-versus is done via gnt-instance start/stop, but transition between offline and down is done via gnt-instance modify, it is possible to given different rights to users. For example, owners of an instance could be allowed to start/stop it, but not transition it out of the offline state.

Instance policies and specs¶

In previous Ganeti versions, an instance creation request was not limited on the minimum size and on the maximum size just by the cluster resources. As such, any policy could be implemented only in third-party clients (RAPI clients, or shell wrappers over gnt-* tools). Furthermore, calculating cluster capacity via hspace again required external input with regards to instance sizes.

In order to improve these workflows and to allow for example better per-node group differentiation, we introduced instance specs, which allow declaring:

minimum instance disk size, disk count, memory size, cpu count
maximum values for the above metrics
and “standard” values (used in hspace to calculate the standard sized instances)

The minimum/maximum values can be also customised at node-group level, for example allowing more powerful hardware to support bigger instance memory sizes.

Beside the instance specs, there are a few other settings belonging to the instance policy framework. It is possible now to customise, per cluster and node-group:

the list of allowed disk templates
the maximum ratio of VCPUs per PCPUs (to control CPU oversubscription)
the maximum ratio of instance to spindles (see below for more information) for local storage

All these together should allow all tools that talk to Ganeti to know what are the ranges of allowed values for instances and the over-subscription that is allowed.

For the VCPU/PCPU ratio, we already have the VCPU configuration from the instance configuration, and the physical CPU configuration from the node. For the spindle ratios however, we didn’t track before these values, so new parameters have been added:

a new node parameter spindle_count, defaults to 1, customisable at node group or node level
at new backend parameter (for instances), spindle_use defaults to 1

Note that spindles in this context doesn’t need to mean actual mechanical hard-drives; it’s just a relative number for both the node I/O capacity and instance I/O consumption.

Instance migration behaviour¶

While live-migration is in general desirable over failover, it is possible that for some workloads it is actually worse, due to the variable time of the “suspend” phase during live migration.

To allow the tools to work consistently over such instances (without having to hard-code instance names), a new backend parameter always_failover has been added to control the migration/failover behaviour. When set to True, all migration requests for an instance will instead fall-back to failover.

Instance memory ballooning¶

Initial support for memory ballooning has been added. The memory for an instance is no longer fixed (backend parameter memory), but instead can vary between minimum and maximum values (backend parameters minmem and maxmem). Currently we only change an instance’s memory when:

live migrating or failing over and instance and the target node doesn’t have enough memory
user requests changing the memory via gnt-instance modify --runtime-memory

Instance CPU pinning¶

In order to control the use of specific CPUs by instance, support for controlling CPU pinning has been added for the Xen, HVM and LXC hypervisors. This is controlled by a new hypervisor parameter cpu_mask; details about possible values for this are in the gnt-instance(8). Note that use of the most specific (precise VCPU-to-CPU mapping) form will work well only when all nodes in your cluster have the same amount of CPUs.

Disk parameters¶

Another area in which Ganeti was not customisable were the parameters used for storage configuration, e.g. how many stripes to use for LVM, DRBD resync configuration, etc.

To improve this area, we’ve added disks parameters, which are customisable at cluster and node group level, and which allow to specify various parameters for disks (DRBD has the most parameters currently), for example:

DRBD resync algorithm and parameters (e.g. speed)
the default VG for meta-data volumes for DRBD
number of stripes for LVM (plain disk template)
the RBD pool

These parameters can be modified via gnt-cluster modify -D … and gnt-group modify -D …, and are used at either instance creation (in case of LVM stripes, for example) or at disk “activation” time (e.g. resync speed).

Rados block device support¶

A Rados (http://ceph.com/wiki/Rbd) storage backend has been added, denoted by the rbd disk template type. This is considered experimental, feedback is welcome. For details on configuring it, see the Ganeti installation tutorial document and the gnt-cluster(8) man page.

Master IP setup¶

The existing master IP functionality works well only in simple setups (a single network shared by all nodes); however, if nodes belong to different networks, then the /32 setup and lack of routing information is not enough.

To allow the master IP to function well in more complex cases, the system was reworked as follows:

a master IP netmask setting has been added
the master IP activation/turn-down code was moved from the node daemon to a separate script
whether to run the Ganeti-supplied master IP script or a user-supplied on is a gnt-cluster init setting

Details about the location of the standard and custom setup scripts are in the man page gnt-cluster(8); for information about the setup script protocol, look at the Ganeti-supplied script.

SPICE support¶

The SPICE support has been improved.

It is now possible to use TLS-protected connections, and when renewing or changing the cluster certificates (via gnt-cluster renew-crypto, it is now possible to specify spice or spice CA certificates. Also, it is possible to configure a password for SPICE sessions via the hypervisor parameter spice_password_file.

There are also new parameters to control the compression and streaming options (e.g. spice_image_compression, spice_streaming_video, etc.). For details, see the man page gnt-instance(8) and look for the spice parameters.

Lastly, it is now possible to see the SPICE connection information via gnt-instance console.

OVF converter¶

A new tool (tools/ovfconverter) has been added that supports conversion between Ganeti and the Open Virtualization Format (both to and from).

This relies on the qemu-img tool to convert the disk formats, so the actual compatibility with other virtualization solutions depends on it.

Confd daemon changes¶

The configuration query daemon (ganeti-confd) is now optional, and has been rewritten in Haskell; whether to use the daemon at all, use the Python (default) or the Haskell version is selectable at configure time via the --enable-confd parameter, which can take one of the haskell, python or no values. If not used, disabling the daemon will result in a smaller footprint; for larger systems, we welcome feedback on the Haskell version which might become the default in future versions.

If you want to use gnt-node list-drbd you need to have the Haskell daemon running. The Python version doesn’t implement the new call.

User interface changes¶

We have replaced the --disks option of gnt-instance replace-disks with a more flexible --disk option, which allows adding and removing disks at arbitrary indices (Issue 188). Furthermore, disk size and mode can be changed upon recreation (via gnt-instance recreate-disks, which accepts the same --disk option).

As many people are used to a show command, we have added that as an alias to info on all gnt-* commands.

The gnt-instance grow-disk command has a new mode in which it can accept the target size of the disk, instead of the delta; this can be more safe since two runs in absolute mode will be idempotent, and sometimes it’s also easier to specify the desired size directly.

Also the handling of instances with regard to offline secondaries has been improved. Instance operations should not fail because one of it’s secondary nodes is offline, even though it’s safe to proceed.

A new command list-drbd has been added to the gnt-node script to support debugging of DRBD issues on nodes. It provides a mapping of DRBD minors to instance name.

API changes¶

RAPI coverage has improved, with (for example) new resources for recreate-disks, node power-cycle, etc.

Compatibility¶

There is partial support for xl in the Xen hypervisor; feedback is welcome.

Python 2.7 is better supported, and after Ganeti 2.6 we will investigate whether to still support Python 2.4 or move to Python 2.6 as minimum required version.

Support for Fedora has been slightly improved; the provided example init.d script should work better on it and the INSTALL file should document the needed dependencies.

Internal changes¶

The deprecated QueryLocks LUXI request has been removed. Use Query(what=QR_LOCK, ...) instead.

The LUXI requests QueryJobs, QueryInstances, QueryNodes, QueryGroups, QueryExports and QueryTags are deprecated and will be removed in a future version. Query should be used instead.

RAPI client: CertificateError now derives from GanetiApiError. This should make it more easy to handle Ganeti errors.

Deprecation warnings due to PyCrypto/paramiko import in tools/setup-ssh have been silenced, as usually they are safe; please make sure to run an up-to-date paramiko version, if you use this tool.

The QA scripts now depend on Python 2.5 or above (the main code base still works with Python 2.4).

The configuration file (config.data) is now written without indentation for performance reasons; if you want to edit it, it can be re-formatted via tools/fmtjson.

A number of bugs has been fixed in the cluster merge tool.

x509 certification verification (used in import-export) has been changed to allow the same clock skew as permitted by the cluster verification. This will remove some rare but hard to diagnose errors in import-export.

Version 2.6.0 rc4¶

(Released Thu, 19 Jul 2012)

Very few changes from rc4 to the final release, only bugfixes:

integrated fixes from release 2.5.2 (fix general boot flag for KVM instance, fix CDROM booting for KVM instances)
fixed node group modification of node parameters
fixed issue in LUClusterVerifyGroup with multi-group clusters
fixed generation of bash completion to ensure a stable ordering
fixed a few typos

Version 2.6.0 rc3¶

(Released Fri, 13 Jul 2012)

Third release candidate for 2.6. The following changes were done from rc3 to rc4:

Fixed UpgradeConfig w.r.t. to disk parameters on disk objects.
Fixed an inconsistency in the LUXI protocol with the provided arguments (NOT backwards compatible)
Fixed a bug with node groups ipolicy where min was greater than the cluster std value
Implemented a new gnt-node list-drbd call to list DRBD minors for easier instance debugging on nodes (requires hconfd to work)

Version 2.6.0 rc2¶

(Released Tue, 03 Jul 2012)

Second release candidate for 2.6. The following changes were done from rc2 to rc3:

Fixed gnt-cluster verify regarding master-ip-script on non master candidates
Fixed a RAPI regression on missing beparams/memory
Fixed redistribution of files on offline nodes
Added possibility to run activate-disks even though secondaries are offline. With this change it relaxes also the strictness on some other commands which use activate disks internally: * gnt-instance start|reboot|rename|backup|export
Made it possible to remove safely an instance if its secondaries are offline
Made it possible to reinstall even though secondaries are offline

Version 2.6.0 rc1¶

(Released Mon, 25 Jun 2012)

First release candidate for 2.6. The following changes were done from rc1 to rc2:

Fixed bugs with disk parameters and rbd templates as well as instance_os_add
Made gnt-instance modify more consistent regarding new NIC/Disk behaviour. It supports now the modify operation
hcheck implemented to analyze cluster health and possibility of improving health by rebalance
hbal has been improved in dealing with split instances

Version 2.6.0 beta2¶

(Released Mon, 11 Jun 2012)

Second beta release of 2.6. The following changes were done from beta2 to rc1:

Fixed daemon-util with non-root user models
Fixed creation of plain instances with --no-wait-for-sync
Fix wrong iv_names when running cfgupgrade
Export more information in RAPI group queries
Fixed bug when changing instance network interfaces
Extended burnin to do NIC changes
query: Added <, >, <=, >= comparison operators
Changed default for DRBD barriers
Fixed DRBD error reporting for syncer rate
Verify the options on disk parameters

And of course various fixes to documentation and improved unittests and QA.

Version 2.6.0 beta1¶

(Released Wed, 23 May 2012)

First beta release of 2.6. The following changes were done from beta1 to beta2:

integrated patch for distributions without start-stop-daemon
adapted example init.d script to work on Fedora
fixed log handling in Haskell daemons
adapted checks in the watcher for pycurl linked against libnss
add partial support for xl instead of xm for Xen
fixed a type issue in cluster verification
fixed ssconf handling in the Haskell code (was breaking confd in IPv6 clusters)

Plus integrated fixes from the 2.5 branch:

fixed kvm-ifup to use /bin/bash
fixed parallel build failures
KVM live migration when using a custom keymap

Version 2.5.2¶

(Released Tue, 24 Jul 2012)

A small bugfix release, with no new features:

fixed bash-isms in kvm-ifup, for compatibility with systems which use a different default shell (e.g. Debian, Ubuntu)
fixed KVM startup and live migration with a custom keymap (fixes Issue 243 and Debian bug #650664)
fixed compatibility with KVM versions that don’t support multiple boot devices (fixes Issue 230 and Debian bug #624256)

Additionally, a few fixes were done to the build system (fixed parallel build failures) and to the unittests (fixed race condition in test for FileID functions, and the default enable/disable mode for QA test is now customisable).

Version 2.5.1¶

(Released Fri, 11 May 2012)

A small bugfix release.

The main issues solved are on the topic of compatibility with newer LVM releases:

fixed parsing of lv_attr field
adapted to new vgreduce --removemissing behaviour where sometimes the --force flag is needed

Also on the topic of compatibility, tools/lvmstrap has been changed to accept kernel 3.x too (was hardcoded to 2.6.*).

A regression present in 2.5.0 that broke handling (in the gnt-* scripts) of hook results and that also made display of other errors suboptimal was fixed; the code behaves now like 2.4 and earlier.

Another change in 2.5, the cleanup of the OS scripts environment, is too aggressive: it removed even the PATH variable, which requires the OS scripts to always need to export it. Since this is a bit too strict, we now export a minimal PATH, the same that we export for hooks.

The fix for issue 201 (Preserve bridge MTU in KVM ifup script) was integrated into this release.

Finally, a few other miscellaneous changes were done (no new features, just small improvements):

Fix gnt-group --help display
Fix hardcoded Xen kernel path
Fix grow-disk handling of invalid units
Update synopsis for gnt-cluster repair-disk-sizes
Accept both PUT and POST in noded (makes future upgrade to 2.6 easier)

Version 2.5.0¶

(Released Thu, 12 Apr 2012)

Incompatible/important changes and bugfixes¶

The default of the /2/instances/[instance_name]/rename RAPI resource’s ip_check parameter changed from True to False to match the underlying LUXI interface.
The /2/nodes/[node_name]/evacuate RAPI resource was changed to use body parameters, see RAPI documentation. The server does not maintain backwards-compatibility as the underlying operation changed in an incompatible way. The RAPI client can talk to old servers, but it needs to be told so as the return value changed.
When creating file-based instances via RAPI, the file_driver parameter no longer defaults to loop and must be specified.
The deprecated bridge NIC parameter is no longer supported. Use link instead.
Support for the undocumented and deprecated RAPI instance creation request format version 0 has been dropped. Use version 1, supported since Ganeti 2.1.3 and documented, instead.
Pyparsing 1.4.6 or above is required, see installation documentation.
The “cluster-verify” hooks are now executed per group by the OP_CLUSTER_VERIFY_GROUP opcode. This maintains the same behavior if you just run gnt-cluster verify, which generates one opcode per group.
The environment as passed to the OS scripts is cleared, and thus no environment variables defined in the node daemon’s environment will be inherited by the scripts.
The iallocator mode multi-evacuate has been deprecated.
New iallocator modes have been added to support operations involving multiple node groups.
Offline nodes are ignored when failing over an instance.
Support for KVM version 1.0, which changed the version reporting format from 3 to 2 digits.
TCP/IP ports used by DRBD disks are returned to a pool upon instance removal.
Makefile is now compatible with Automake 1.11.2
Includes all bugfixes made in the 2.4 series

New features¶

The ganeti-htools project has been merged into the ganeti-core source tree and will be built as part of Ganeti (see Ganeti quick installation guide).
Implemented support for shared storage.
Add support for disks larger than 2 TB in lvmstrap by supporting GPT-style partition tables (requires parted).
Added support for floppy drive and 2nd CD-ROM drive in KVM hypervisor.
Allowed adding tags on instance creation.
Export instance tags to hooks (INSTANCE_TAGS, see Ganeti customisation using hooks)
Allow instances to be started in a paused state, enabling the user to see the complete console output on boot using the console.
Added new hypervisor flag to control default reboot behaviour (reboot_behavior).
Added support for KVM keymaps (hypervisor parameter keymap).
Improved out-of-band management support:
- Added gnt-node health command reporting the health status of nodes.
- Added gnt-node power command to manage power status of nodes.
- Added command for emergency power-off (EPO), gnt-cluster epo.
Instance migration can fall back to failover if instance is not running.
Filters can be used when listing nodes, instances, groups and locks; see ganeti(7) manpage.
Added post-execution status as variables to hooks environment.
Instance tags are exported/imported together with the instance.
When given an explicit job ID, gnt-job info will work for archived jobs.
Jobs can define dependencies on other jobs (not yet supported via RAPI or command line, but used by internal commands and usable via LUXI).
- Lock monitor (gnt-debug locks) shows jobs waiting for dependencies.
Instance failover is now available as a RAPI resource (/2/instances/[instance_name]/failover).
gnt-instance info defaults to static information if primary node is offline.
Opcodes have a new comment attribute.
Added basic SPICE support to KVM hypervisor.
tools/ganeti-listrunner allows passing of arguments to executable.

Node group improvements¶

gnt-cluster verify has been modified to check groups separately, thereby improving performance.
Node group support has been added to gnt-cluster verify-disks, which now operates per node group.
Watcher has been changed to work better with node groups.
- One process and state file per node group.
- Slow watcher in one group doesn’t block other group’s watcher.
Added new command, gnt-group evacuate, to move all instances in a node group to other groups.
Added gnt-instance change-group to move an instance to another node group.
gnt-cluster command and gnt-cluster copyfile now support per-group operations.
Node groups can be tagged.
Some operations switch from an exclusive to a shared lock as soon as possible.
Instance’s primary and secondary nodes’ groups are now available as query fields (pnode.group, pnode.group.uuid, snodes.group and snodes.group.uuid).

Misc¶

Numerous updates to documentation and manpages.
- RAPI documentation now has detailed parameter descriptions.
- Some opcode/job results are now also documented, see RAPI.
A lockset’s internal lock is now also visible in lock monitor.
Log messages from job queue workers now contain information about the opcode they’re processing.
gnt-instance console no longer requires the instance lock.
A short delay when waiting for job changes reduces the number of LUXI requests significantly.
DRBD metadata volumes are overwritten with zeros during disk creation.
Out-of-band commands no longer acquire the cluster lock in exclusive mode.
devel/upload now uses correct permissions for directories.

Version 2.5.0 rc6¶

(Released Fri, 23 Mar 2012)

This was the sixth release candidate of the 2.5 series.

Version 2.5.0 rc5¶

(Released Mon, 9 Jan 2012)

This was the fifth release candidate of the 2.5 series.

Version 2.5.0 rc4¶

(Released Thu, 27 Oct 2011)

This was the fourth release candidate of the 2.5 series.

Version 2.5.0 rc3¶

(Released Wed, 26 Oct 2011)

This was the third release candidate of the 2.5 series.

Version 2.5.0 rc2¶

(Released Tue, 18 Oct 2011)

This was the second release candidate of the 2.5 series.

Version 2.5.0 rc1¶

(Released Tue, 4 Oct 2011)

This was the first release candidate of the 2.5 series.

Version 2.5.0 beta3¶

(Released Wed, 31 Aug 2011)

This was the third beta release of the 2.5 series.

Version 2.5.0 beta2¶

(Released Mon, 22 Aug 2011)

This was the second beta release of the 2.5 series.

Version 2.5.0 beta1¶

(Released Fri, 12 Aug 2011)

This was the first beta release of the 2.5 series.

Version 2.4.5¶

(Released Thu, 27 Oct 2011)

Fixed bug when parsing command line parameter values ending in backslash
Fixed assertion error after unclean master shutdown
Disable HTTP client pool for RPC, significantly reducing memory usage of master daemon
Fixed queue archive creation with wrong permissions

Version 2.4.4¶

(Released Tue, 23 Aug 2011)

Small bug-fixes:

Fixed documentation for importing with --src-dir option
Fixed a bug in ensure-dirs with queue/archive permissions
Fixed a parsing issue with DRBD 8.3.11 in the Linux kernel

Version 2.4.3¶

(Released Fri, 5 Aug 2011)

Many bug-fixes and a few small features:

Fixed argument order in ReserveLV and ReserveMAC which caused issues when you tried to add an instance with two MAC addresses in one request
KVM: fixed per-instance stored UID value
KVM: configure bridged NICs at migration start
KVM: Fix a bug where instance will not start with never KVM versions (>= 0.14)
Added OS search path to gnt-cluster info
Fixed an issue with file_storage_dir where you were forced to provide an absolute path, but the documentation states it is a relative path, the documentation was right
Added a new parameter to instance stop/start called --no-remember that will make the state change to not be remembered
Implemented no_remember at RAPI level
Improved the documentation
Node evacuation: don’t call IAllocator if node is already empty
Fixed bug in DRBD8 replace disks on current nodes
Fixed bug in recreate-disks for DRBD instances
Moved assertion checking locks in gnt-instance replace-disks causing it to abort with not owning the right locks for some situation
Job queue: Fixed potential race condition when cancelling queued jobs
Fixed off-by-one bug in job serial generation
gnt-node volumes: Fix instance names
Fixed aliases in bash completion
Fixed a bug in reopening log files after being sent a SIGHUP
Added a flag to burnin to allow specifying VCPU count
Bugfixes to non-root Ganeti configuration

Version 2.4.2¶

(Released Thu, 12 May 2011)

Many bug-fixes and a few new small features:

Fixed a bug related to log opening failures
Fixed a bug in instance listing with orphan instances
Fixed a bug which prevented resetting the cluster-level node parameter oob_program to the default
Many fixes related to the cluster-merge tool
Fixed a race condition in the lock monitor, which caused failures during (at least) creation of many instances in parallel
Improved output for gnt-job info
Removed the quiet flag on some ssh calls which prevented debugging failures
Improved the N+1 failure messages in cluster verify by actually showing the memory values (needed and available)
Increased lock attempt timeouts so that when executing long operations (e.g. DRBD replace-disks) other jobs do not enter ‘blocking acquire’ too early and thus prevent the use of the ‘fair’ mechanism
Changed instance query data (gnt-instance info) to not acquire locks unless needed, thus allowing its use on locked instance if only static information is asked for
Improved behaviour with filesystems that do not support rename on an opened file
Fixed the behaviour of prealloc_wipe_disks cluster parameter which kept locks on all nodes during the wipe, which is unneeded
Fixed gnt-watcher handling of errors during hooks execution
Fixed bug in prealloc_wipe_disks with small disk sizes (less than 10GiB) which caused the wipe to fail right at the end in some cases
Fixed master IP activation when doing master failover with no-voting
Fixed bug in gnt-node add --readd which allowed the re-adding of the master node itself
Fixed potential data-loss in under disk full conditions, where Ganeti wouldn’t check correctly the return code and would consider partially-written files ‘correct’
Fixed bug related to multiple VGs and DRBD disk replacing
Added new disk parameter metavg that allows placement of the meta device for DRBD in a different volume group
Fixed error handling in the node daemon when the system libc doesn’t have major number 6 (i.e. if libc.so.6 is not the actual libc)
Fixed lock release during replace-disks, which kept cluster-wide locks when doing disk replaces with an iallocator script
Added check for missing bridges in cluster verify
Handle EPIPE errors while writing to the terminal better, so that piping the output to e.g. less doesn’t cause a backtrace
Fixed rare case where a ^C during Luxi calls could have been interpreted as server errors, instead of simply terminating
Fixed a race condition in LUGroupAssignNodes (gnt-group assign-nodes)
Added a few more parameters to the KVM hypervisor, allowing a second CDROM, custom disk type for CDROMs and a floppy image
Removed redundant message in instance rename when the name is given already as a FQDN
Added option to gnt-instance recreate-disks to allow creating the disks on new nodes, allowing recreation when the original instance nodes are completely gone
Added option when converting disk templates to DRBD to skip waiting for the resync, in order to make the instance available sooner
Added two new variables to the OS scripts environment (containing the instance’s nodes)
Made the root_path and optional parameter for the xen-pvm hypervisor, to allow use of pvgrub as bootloader
Changed the instance memory modifications to only check out-of-memory conditions on memory increases, and turned the secondary node warnings into errors (they can still be overridden via --force)
Fixed the handling of a corner case when the Python installation gets corrupted (e.g. a bad disk) while ganeti-noded is running and we try to execute a command that doesn’t exist
Fixed a bug in gnt-instance move (LUInstanceMove) when the primary node of the instance returned failures during instance shutdown; this adds the option --ignore-consistency to gnt-instance move

And as usual, various improvements to the error messages, documentation and man pages.

Version 2.4.1¶

(Released Wed, 09 Mar 2011)

Emergency bug-fix release. tools/cfgupgrade was broken and overwrote the RAPI users file if run twice (even with --dry-run).

The release fixes that bug (nothing else changed).

Version 2.4.0¶

(Released Mon, 07 Mar 2011)

Final 2.4.0 release. Just a few small fixes:

Fixed RAPI node evacuate
Fixed the kvm-ifup script
Fixed internal error handling for special job cases
Updated man page to specify the escaping feature for options

Version 2.4.0 rc3¶

(Released Mon, 28 Feb 2011)

A critical fix for the prealloc_wipe_disks feature: it is possible that this feature wiped the disks of the wrong instance, leading to loss of data.

Other changes:

Fixed title of query field containing instance name
Expanded the glossary in the documentation
Fixed one unittest (internal issue)

Version 2.4.0 rc2¶

(Released Mon, 21 Feb 2011)

A number of bug fixes plus just a couple functionality changes.

On the user-visible side, the gnt-* list command output has changed with respect to “special” field states. The current rc1 style of display can be re-enabled by passing a new --verbose (-v) flag, but in the default output mode special fields states are displayed as follows:

Offline resource: *
Unavailable/not applicable: -
Data missing (RPC failure): ?
Unknown field: ??

Another user-visible change is the addition of --force-join to gnt-node add.

As for bug fixes:

tools/cluster-merge has seen many fixes and is now enabled again
Fixed regression in RAPI/instance reinstall where all parameters were required (instead of optional)
Fixed gnt-cluster repair-disk-sizes, was broken since Ganeti 2.2
Fixed iallocator usage (offline nodes were not considered offline)
Fixed gnt-node list with respect to non-vm_capable nodes
Fixed hypervisor and OS parameter validation with respect to non-vm_capable nodes
Fixed gnt-cluster verify with respect to offline nodes (mostly cosmetic)
Fixed tools/listrunner with respect to agent-based usage

Version 2.4.0 rc1¶

(Released Fri, 4 Feb 2011)

Many changes and fixes since the beta1 release. While there were some internal changes, the code has been mostly stabilised for the RC release.

Note: the dumb allocator was removed in this release, as it was not kept up-to-date with the IAllocator protocol changes. It is recommended to use the hail command from the ganeti-htools package.

Note: the 2.4 and up versions of Ganeti are not compatible with the 0.2.x branch of ganeti-htools. You need to upgrade to ganeti-htools-0.3.0 (or later).

Regressions fixed from 2.3¶

Fixed the gnt-cluster verify-disks command
Made gnt-cluster verify-disks work in parallel (as opposed to serially on nodes)
Fixed disk adoption breakage
Fixed wrong headers in instance listing for field aliases

Other bugs fixed¶

Fixed corner case in KVM handling of NICs
Fixed many cases of wrong handling of non-vm_capable nodes
Fixed a bug where a missing instance symlink was not possible to recreate with any gnt-* command (now gnt-instance activate-disks does it)
Fixed the volume group name as reported by gnt-cluster verify-disks
Increased timeouts for the import-export code, hopefully leading to fewer aborts due network or instance timeouts
Fixed bug in gnt-node list-storage
Fixed bug where not all daemons were started on cluster initialisation, but only at the first watcher run
Fixed many bugs in the OOB implementation
Fixed watcher behaviour in presence of instances with offline secondaries
Fixed instance list output for instances running on the wrong node
a few fixes to the cluster-merge tool, but it still cannot merge multi-node groups (currently it is not recommended to use this tool)

Improvements¶

Improved network configuration for the KVM hypervisor
Added e1000 as a supported NIC for Xen-HVM
Improved the lvmstrap tool to also be able to use partitions, as opposed to full disks
Improved speed of disk wiping (the cluster parameter prealloc_wipe_disks, so that it has a low impact on the total time of instance creations
Added documentation for the OS parameters
Changed gnt-instance deactivate-disks so that it can work if the hypervisor is not responding
Added display of blacklisted and hidden OS information in gnt-cluster info
Extended gnt-cluster verify to also validate hypervisor, backend, NIC and node parameters, which might create problems with currently invalid (but undetected) configuration files, but prevents validation failures when unrelated parameters are modified
Changed cluster initialisation to wait for the master daemon to become available
Expanded the RAPI interface:
- Added config redistribution resource
- Added activation/deactivation of instance disks
- Added export of console information
Implemented log file reopening on SIGHUP, which allows using logrotate(8) for the Ganeti log files
Added a basic OOB helper script as an example

Version 2.4.0 beta1¶

(Released Fri, 14 Jan 2011)

User-visible¶

Fixed timezone issues when formatting timestamps
Added support for node groups, available via gnt-group and other commands
Added out-of-band framework and management, see design document
Removed support for roman numbers from gnt-node list and gnt-instance list.
Allowed modification of master network interface via gnt-cluster modify --master-netdev
Accept offline secondaries while shutting down instance disks
Added blockdev_prefix parameter to Xen PVM and HVM hypervisors
Added support for multiple LVM volume groups
Avoid sorting nodes for gnt-node list if specific nodes are requested
Added commands to list available fields:
- gnt-node list-fields
- gnt-group list-fields
- gnt-instance list-fields
Updated documentation and man pages

Integration¶

Moved rapi_users file into separate directory, now named .../ganeti/rapi/users, cfgupgrade moves the file and creates a symlink
Added new tool for running commands on many machines, tools/ganeti-listrunner
Implemented more verbose result in OpInstanceConsole opcode, also improving the gnt-instance console output
Allowed customisation of disk index separator at configure time
Export node group allocation policy to iallocator
Added support for non-partitioned md disks in lvmstrap
Added script to gracefully power off KVM instances
Split utils module into smaller parts
Changed query operations to return more detailed information, e.g. whether an information is unavailable due to an offline node. To use this new functionality, the LUXI call Query must be used. Field information is now stored by the master daemon and can be retrieved using QueryFields. Instances, nodes and groups can also be queried using the new opcodes OpQuery and OpQueryFields (not yet exposed via RAPI). The following commands make use of this infrastructure change:
- gnt-group list
- gnt-group list-fields
- gnt-node list
- gnt-node list-fields
- gnt-instance list
- gnt-instance list-fields
- gnt-debug locks

Remote API¶

New RAPI resources (see Ganeti remote API):
- /2/modify
- /2/groups
- /2/groups/[group_name]
- /2/groups/[group_name]/assign-nodes
- /2/groups/[group_name]/modify
- /2/groups/[group_name]/rename
- /2/instances/[instance_name]/disk/[disk_index]/grow
RAPI changes:
- Implemented no_install for instance creation
- Implemented OS parameters for instance reinstallation, allowing use of special settings on reinstallation (e.g. for preserving data)

Misc¶

Added IPv6 support in import/export
Pause DRBD synchronization while wiping disks on instance creation
Updated unittests and QA scripts
Improved network parameters passed to KVM
Converted man pages from docbook to reStructuredText

Version 2.3.1¶

(Released Mon, 20 Dec 2010)

Released version 2.3.1~rc1 without any changes.

Version 2.3.1 rc1¶

(Released Wed, 1 Dec 2010)

impexpd: Disable OpenSSL compression in socat if possible (backport from master, commit e90739d625b, see installation guide for details)
Changed unittest coverage report to exclude test scripts
Added script to check version format

Version 2.3.0¶

(Released Wed, 1 Dec 2010)

Released version 2.3.0~rc1 without any changes.

Version 2.3.0 rc1¶

(Released Fri, 19 Nov 2010)

A number of bugfixes and documentation updates:

Update ganeti-os-interface documentation
Fixed a bug related to duplicate MACs or similar items which should be unique
Fix breakage in OS state modify
Reinstall instance: disallow offline secondaries (fixes bug related to OS changing but reinstall failing)
plus all the other fixes between 2.2.1 and 2.2.2

Version 2.3.0 rc0¶

(Released Tue, 2 Nov 2010)

Fixed clearing of the default iallocator using gnt-cluster modify
Fixed master failover race with watcher
Fixed a bug in gnt-node modify which could lead to an inconsistent configuration
Accept previously stopped instance for export with instance removal
Simplify and extend the environment variables for instance OS scripts
Added new node flags, master_capable and vm_capable
Added optional instance disk wiping prior during allocation. This is a cluster-wide option and can be set/modified using gnt-cluster {init,modify} --prealloc-wipe-disks.
Added IPv6 support, see design document and Ganeti quick installation guide
Added a new watcher option (--ignore-pause)
Added option to ignore offline node on instance start/stop (--ignore-offline)
Allow overriding OS parameters with gnt-instance reinstall
Added ability to change node’s secondary IP address using gnt-node modify
Implemented privilege separation for all daemons except ganeti-noded, see configure options
Complain if an instance’s disk is marked faulty in gnt-cluster verify
Implemented job priorities (see ganeti(7) manpage)
Ignore failures while shutting down instances during failover from offline node
Exit daemon’s bootstrap process only once daemon is ready
Export more information via LUInstanceQuery/remote API
Improved documentation, QA and unittests
RAPI daemon now watches rapi_users all the time and doesn’t need a restart if the file was created or changed
Added LUXI protocol version sent with each request and response, allowing detection of server/client mismatches
Moved the Python scripts among gnt-* and ganeti-* into modules
Moved all code related to setting up SSH to an external script, setup-ssh
Infrastructure changes for node group support in future versions

Version 2.2.2¶

(Released Fri, 19 Nov 2010)

A few small bugs fixed, and some improvements to the build system:

Fix documentation regarding conversion to drbd
Fix validation of parameters in cluster modify (gnt-cluster modify -B)
Fix error handling in node modify with multiple changes
Allow remote imports without checked names

Version 2.2.1¶

(Released Tue, 19 Oct 2010)

Disable SSL session ID cache in RPC client

Version 2.2.1 rc1¶

(Released Thu, 14 Oct 2010)

Fix interaction between Curl/GnuTLS and the Python’s HTTP server (thanks Apollon Oikonomopoulos!), finally allowing the use of Curl with GnuTLS
Fix problems with interaction between Curl and Python’s HTTP server, resulting in increased speed in many RPC calls
Improve our release script to prevent breakage with older aclocal and Python 2.6

Version 2.2.1 rc0¶

(Released Thu, 7 Oct 2010)

Fixed issue 125, replace hardcoded “xenvg” in gnt-cluster with value retrieved from master
Added support for blacklisted or hidden OS definitions
Added simple lock monitor (accessible via (gnt-debug locks)
Added support for -mem-path in KVM hypervisor abstraction layer
Allow overriding instance parameters in tool for inter-cluster instance moves (tools/move-instance)
Improved opcode summaries (e.g. in gnt-job list)
Improve consistency of OS listing by sorting it
Documentation updates

Version 2.2.0.1¶

(Released Fri, 8 Oct 2010)

Rebuild with a newer autotools version, to fix python 2.6 compatibility

Version 2.2.0¶

(Released Mon, 4 Oct 2010)

Fixed regression in gnt-instance rename

Version 2.2.0 rc2¶

(Released Wed, 22 Sep 2010)

Fixed OS_VARIANT variable for OS scripts
Fixed cluster tag operations via RAPI
Made setup-ssh exit with non-zero code if an error occurred
Disabled RAPI CA checks in watcher

Version 2.2.0 rc1¶

(Released Mon, 23 Aug 2010)

Support DRBD versions of the format “a.b.c.d”
Updated manpages
Re-introduce support for usage from multiple threads in RAPI client
Instance renames and modify via RAPI
Work around race condition between processing and archival in job queue
Mark opcodes following failed one as failed, too
Job field lock_status was removed due to difficulties making it work with the changed job queue in Ganeti 2.2; a better way to monitor locks is expected for a later 2.2.x release
Fixed dry-run behaviour with many commands
Support ssh-agent again when adding nodes
Many additional bugfixes

Version 2.2.0 rc0¶

(Released Fri, 30 Jul 2010)

Important change: the internal RPC mechanism between Ganeti nodes has changed from using a home-grown http library (based on the Python base libraries) to use the PycURL library. This requires that PycURL is installed on nodes. Please note that on Debian/Ubuntu, PycURL is linked against GnuTLS by default. cURL’s support for GnuTLS had known issues before cURL 7.21.0 and we recommend using the latest cURL release or linking against OpenSSL. Most other distributions already link PycURL and cURL against OpenSSL. The command:

python -c 'import pycurl; print pycurl.version'

can be used to determine the libraries PycURL and cURL are linked against.

Other significant changes:

Rewrote much of the internals of the job queue, in order to achieve better parallelism; this decouples job query operations from the job processing, and it should allow much nicer behaviour of the master daemon under load, and it also has uncovered some long-standing bugs related to the job serialisation (now fixed)
Added a default iallocator setting to the cluster parameters, eliminating the need to always pass nodes or an iallocator for operations that require selection of new node(s)
Added experimental support for the LXC virtualization method
Added support for OS parameters, which allows the installation of instances to pass parameter to OS scripts in order to customise the instance
Added a hypervisor parameter controlling the migration type (live or non-live), since hypervisors have various levels of reliability; this has renamed the ‘live’ parameter to ‘mode’
Added a cluster parameter reserved_lvs that denotes reserved logical volumes, meaning that cluster verify will ignore them and not flag their presence as errors
The watcher will now reset the error count for failed instances after 8 hours, thus allowing self-healing if the problem that caused the instances to be down/fail to start has cleared in the meantime
Added a cluster parameter drbd_usermode_helper that makes Ganeti check for, and warn, if the drbd module parameter usermode_helper is not consistent with the cluster-wide setting; this is needed to make diagnose easier of failed drbd creations
Started adding base IPv6 support, but this is not yet enabled/available for use
Rename operations (cluster, instance) will now return the new name, which is especially useful if a short name was passed in
Added support for instance migration in RAPI
Added a tool to pre-configure nodes for the SSH setup, before joining them to the cluster; this will allow in the future a simplified model for node joining (but not yet fully enabled in 2.2); this needs the paramiko python library
Fixed handling of name-resolving errors
Fixed consistency of job results on the error path
Fixed master-failover race condition when executed multiple times in sequence
Fixed many bugs related to the job queue (mostly introduced during the 2.2 development cycle, so not all are impacting 2.1)
Fixed instance migration with missing disk symlinks
Fixed handling of unknown jobs in gnt-job archive
And many other small fixes/improvements

Internal changes:

Enhanced both the unittest and the QA coverage
Switched the opcode validation to a generic model, and extended the validation to all opcode parameters
Changed more parts of the code that write shell scripts to use the same class for this
Switched the master daemon to use the asyncore library for the Luxi server endpoint

Version 2.2.0 beta0¶

(Released Thu, 17 Jun 2010)

Added tool (move-instance) and infrastructure to move instances between separate clusters (see separate documentation and design document)
Added per-request RPC timeout
RAPI now requires a Content-Type header for requests with a body (e.g. PUT or POST) which must be set to application/json (see RFC 2616 (HTTP/1.1), section 7.2.1)
ganeti-watcher attempts to restart ganeti-rapi if RAPI is not reachable
Implemented initial support for running Ganeti daemons as separate users, see configure-time flags --with-user-prefix and --with-group-prefix (only ganeti-rapi is supported at this time)
Instances can be removed after export (gnt-backup export --remove-instance)
Self-signed certificates generated by Ganeti now use a 2048 bit RSA key (instead of 1024 bit)
Added new cluster configuration file for cluster domain secret
Import/export now use SSL instead of SSH
Added support for showing estimated time when exporting an instance, see the ganeti-os-interface(7) manpage and look for EXP_SIZE_FD

Version 2.1.8¶

(Released Tue, 16 Nov 2010)

Some more bugfixes. Unless critical bugs occur, this will be the last 2.1 release:

Fix case of MAC special-values
Fix mac checker regex
backend: Fix typo causing “out of range” error
Add missing –units in gnt-instance list man page

Version 2.1.7¶

(Released Tue, 24 Aug 2010)

Bugfixes only:

Don’t ignore secondary node silently on non-mirrored disk templates (issue 113)
Fix –master-netdev arg name in gnt-cluster(8) (issue 114)
Fix usb_mouse parameter breaking with vnc_console (issue 109)
Properly document the usb_mouse parameter
Fix path in ganeti-rapi(8) (issue 116)
Adjust error message when the ganeti user’s .ssh directory is missing
Add same-node-check when changing the disk template to drbd

Version 2.1.6¶

(Released Fri, 16 Jul 2010)

Bugfixes only:

Add an option to only select some reboot types during qa/burnin. (on some hypervisors consequent reboots are not supported)
Fix infrequent race condition in master failover. Sometimes the old master ip address would be still detected as up for a short time after it was removed, causing failover to fail.
Decrease mlockall warnings when the ctypes module is missing. On Python 2.4 we support running even if no ctypes module is installed, but we were too verbose about this issue.
Fix building on old distributions, on which man doesn’t have a –warnings option.
Fix RAPI not to ignore the MAC address on instance creation
Implement the old instance creation format in the RAPI client.

Version 2.1.5¶

(Released Thu, 01 Jul 2010)

A small bugfix release:

Fix disk adoption: broken by strict –disk option checking in 2.1.4
Fix batch-create: broken in the whole 2.1 series due to a lookup on a non-existing option
Fix instance create: the –force-variant option was ignored
Improve pylint 0.21 compatibility and warnings with Python 2.6
Fix modify node storage with non-FQDN arguments
Fix RAPI client to authenticate under Python 2.6 when used for more than 5 requests needing authentication
Fix gnt-instance modify -t (storage) giving a wrong error message when converting a non-shutdown drbd instance to plain

Version 2.1.4¶

(Released Fri, 18 Jun 2010)

A small bugfix release:

Fix live migration of KVM instances started with older Ganeti versions which had fewer hypervisor parameters

Fix gnt-instance grow-disk on down instances

Fix an error-reporting bug during instance migration

Better checking of the --net and --disk values, to avoid silently ignoring broken ones

Fix an RPC error reporting bug affecting, for example, RAPI client users

Fix bug triggered by different API version os-es on different nodes

Fix a bug in instance startup with custom hvparams: OS level parameters would fail to be applied.

Fix the RAPI client under Python 2.6 (but more work is needed to make it work completely well with OpenSSL)

Fix handling of errors when resolving names from DNS

Version 2.1.3¶

(Released Thu, 3 Jun 2010)

A medium sized development cycle. Some new features, and some fixes/small improvements/cleanups.

Significant features¶

The node daemon now tries to mlock itself into memory, unless the --no-mlock flag is passed. It also doesn’t fail if it can’t write its logs, and falls back to console logging. This allows emergency features such as gnt-node powercycle to work even in the event of a broken node disk (tested offlining the disk hosting the node’s filesystem and dropping its memory caches; don’t try this at home)

KVM: add vhost-net acceleration support. It can be tested with a new enough version of the kernel and of qemu-kvm.

KVM: Add instance chrooting feature. If you use privilege dropping for your VMs you can also now force them to chroot to an empty directory, before starting the emulated guest.

KVM: Add maximum migration bandwith and maximum downtime tweaking support (requires a new-enough version of qemu-kvm).

Cluster verify will now warn if the master node doesn’t have the master ip configured on it.

Add a new (incompatible) instance creation request format to RAPI which supports all parameters (previously only a subset was supported, and it wasn’t possible to extend the old format to accomodate all the new features. The old format is still supported, and a client can check for this feature, before using it, by checking for its presence in the features RAPI resource.

Now with ancient latin support. Try it passing the --roman option to gnt-instance info, gnt-cluster info or gnt-node list (requires the python-roman module to be installed, in order to work).

Other changes¶

As usual many internal code refactorings, documentation updates, and such. Among others:

Lots of improvements and cleanups to the experimental Remote API (RAPI) client library.

A new unit test suite for the core daemon libraries.

A fix to creating missing directories makes sure the umask is not applied anymore. This enforces the same directory permissions everywhere.

Better handling terminating daemons with ctrl+c (used when running them in debugging mode).

Fix a race condition in live migrating a KVM instance, when stat() on the old proc status file returned EINVAL, which is an unexpected value.

Fixed manpage checking with newer man and utf-8 charachters. But now you need the en_US.UTF-8 locale enabled to build Ganeti from git.

Version 2.1.2.1¶

(Released Fri, 7 May 2010)

Fix a bug which prevented untagged KVM instances from starting.

Version 2.1.2¶

(Released Fri, 7 May 2010)

Another release with a long development cycle, during which many different features were added.

Significant features¶

The KVM hypervisor now can run the individual instances as non-root, to reduce the impact of a VM being hijacked due to bugs in the hypervisor. It is possible to run all instances as a single (non-root) user, to manually specify a user for each instance, or to dynamically allocate a user out of a cluster-wide pool to each instance, with the guarantee that no two instances will run under the same user ID on any given node.

An experimental RAPI client library, that can be used standalone (without the other Ganeti libraries), is provided in the source tree as lib/rapi/client.py. Note this client might change its interface in the future, as we iterate on its capabilities.

A new command, gnt-cluster renew-crypto has been added to easily replace the cluster’s certificates and crypto keys. This might help in case they have been compromised, or have simply expired.

A new disk option for instance creation has been added that allows one to “adopt” currently existing logical volumes, with data preservation. This should allow easier migration to Ganeti from unmanaged (or managed via other software) instances.

Another disk improvement is the possibility to convert between redundant (DRBD) and plain (LVM) disk configuration for an instance. This should allow better scalability (starting with one node and growing the cluster, or shrinking a two-node cluster to one node).

A new feature that could help with automated node failovers has been implemented: if a node sees itself as offline (by querying the master candidates), it will try to shutdown (hard) all instances and any active DRBD devices. This reduces the risk of duplicate instances if an external script automatically failovers the instances on such nodes. To enable this, the cluster parameter maintain_node_health should be enabled; in the future this option (per the name) will enable other automatic maintenance features.

Instance export/import now will reuse the original instance specifications for all parameters; that means exporting an instance, deleting it and the importing it back should give an almost identical instance. Note that the default import behaviour has changed from before, where it created only one NIC; now it recreates the original number of NICs.

Cluster verify has added a few new checks: SSL certificates validity, /etc/hosts consistency across the cluster, etc.

Other changes¶

As usual, many internal changes were done, documentation fixes, etc. Among others:

Fixed cluster initialization with disabled cluster storage (regression introduced in 2.1.1)
File-based storage supports growing the disks
Fixed behaviour of node role changes
Fixed cluster verify for some corner cases, plus a general rewrite of cluster verify to allow future extension with more checks
Fixed log spamming by watcher and node daemon (regression introduced in 2.1.1)
Fixed possible validation issues when changing the list of enabled hypervisors
Fixed cleanup of /etc/hosts during node removal
Fixed RAPI response for invalid methods
Fixed bug with hashed passwords in ganeti-rapi daemon
Multiple small improvements to the KVM hypervisor (VNC usage, booting from ide disks, etc.)
Allow OS changes without re-installation (to record a changed OS outside of Ganeti, or to allow OS renames)
Allow instance creation without OS installation (useful for example if the OS will be installed manually, or restored from a backup not in Ganeti format)
Implemented option to make cluster copyfile use the replication network
Added list of enabled hypervisors to ssconf (possibly useful for external scripts)
Added a new tool (tools/cfgupgrade12) that allows upgrading from 1.2 clusters
A partial form of node re-IP is possible via node readd, which now allows changed node primary IP
Command line utilities now show an informational message if the job is waiting for a lock
The logs of the master daemon now show the PID/UID/GID of the connected client

Version 2.1.1¶

(Released Fri, 12 Mar 2010)

During the 2.1.0 long release candidate cycle, a lot of improvements and changes have accumulated with were released later as 2.1.1.

Major changes¶

The node evacuate command (gnt-node evacuate) was significantly rewritten, and as such the IAllocator protocol was changed - a new request type has been added. This unfortunate change during a stable series is designed to improve performance of node evacuations; on clusters with more than about five nodes and which are well-balanced, evacuation should proceed in parallel for all instances of the node being evacuated. As such, any existing IAllocator scripts need to be updated, otherwise the above command will fail due to the unknown request. The provided “dumb” allocator has not been updated; but the ganeti-htools package supports the new protocol since version 0.2.4.

Another important change is increased validation of node and instance names. This might create problems in special cases, if invalid host names are being used.

Also, a new layer of hypervisor parameters has been added, that sits at OS level between the cluster defaults and the instance ones. This allows customisation of virtualization parameters depending on the installed OS. For example instances with OS ‘X’ may have a different KVM kernel (or any other parameter) than the cluster defaults. This is intended to help managing a multiple OSes on the same cluster, without manual modification of each instance’s parameters.

A tool for merging clusters, cluster-merge, has been added in the tools sub-directory.

Bug fixes¶

Improved the int/float conversions that should make the code more robust in face of errors from the node daemons
Fixed the remove node code in case of internal configuration errors
Fixed the node daemon behaviour in face of inconsistent queue directory (e.g. read-only file-system where we can’t open the files read-write, etc.)
Fixed the behaviour of gnt-node modify for master candidate demotion; now it either aborts cleanly or, if given the new “auto_promote” parameter, will automatically promote other nodes as needed
Fixed compatibility with (unreleased yet) Python 2.6.5 that would completely prevent Ganeti from working
Fixed bug for instance export when not all disks were successfully exported
Fixed behaviour of node add when the new node is slow in starting up the node daemon
Fixed handling of signals in the LUXI client, which should improve behaviour of command-line scripts
Added checks for invalid node/instance names in the configuration (now flagged during cluster verify)
Fixed watcher behaviour for disk activation errors
Fixed two potentially endless loops in http library, which led to the RAPI daemon hanging and consuming 100% CPU in some cases
Fixed bug in RAPI daemon related to hashed passwords
Fixed bug for unintended qemu-level bridging of multi-NIC KVM instances
Enhanced compatibility with non-Debian OSes, but not using absolute path in some commands and allowing customisation of the ssh configuration directory
Fixed possible future issue with new Python versions by abiding to the proper use of __slots__ attribute on classes
Added checks that should prevent directory traversal attacks
Many documentation fixes based on feedback from users

New features¶

Added an “early_release” more for instance replace disks and node evacuate, where we release locks earlier and thus allow higher parallelism within the cluster
Added watcher hooks, intended to allow the watcher to restart other daemons (e.g. from the ganeti-nbma project), but they can be used of course for any other purpose
Added a compile-time disable for DRBD barriers, to increase performance if the administrator trusts the power supply or the storage system to not lose writes
Added the option of using syslog for logging instead of, or in addition to, Ganeti’s own log files
Removed boot restriction for paravirtual NICs for KVM, recent versions can indeed boot from a paravirtual NIC
Added a generic debug level for many operations; while this is not used widely yet, it allows one to pass the debug value all the way to the OS scripts
Enhanced the hooks environment for instance moves (failovers, migrations) where the primary/secondary nodes changed during the operation, by adding {NEW,OLD}_{PRIMARY,SECONDARY} vars
Enhanced data validations for many user-supplied values; one important item is the restrictions imposed on instance and node names, which might reject some (invalid) host names
Add a configure-time option to disable file-based storage, if it’s not needed; this allows greater security separation between the master node and the other nodes from the point of view of the inter-node RPC protocol
Added user notification in interactive tools if job is waiting in the job queue or trying to acquire locks
Added log messages when a job is waiting for locks
Added filtering by node tags in instance operations which admit multiple instances (start, stop, reboot, reinstall)
Added a new tool for cluster mergers, cluster-merge
Parameters from command line which are of the form a=b,c=d can now use backslash escapes to pass in values which contain commas, e.g. a=b\\c,d=e where the ‘a’ parameter would get the value b,c
For KVM, the instance name is the first parameter passed to KVM, so that it’s more visible in the process list

Version 2.1.0¶

(Released Tue, 2 Mar 2010)

Ganeti 2.1 brings many improvements with it. Major changes:

Added infrastructure to ease automated disk repairs
Added new daemon to export configuration data in a cheaper way than using the remote API
Instance NICs can now be routed instead of being associated with a networking bridge
Improved job locking logic to reduce impact of jobs acquiring multiple locks waiting for other long-running jobs

In-depth implementation details can be found in the Ganeti 2.1 design document.

Details¶

Added chroot hypervisor
Added more options to xen-hvm hypervisor (kernel_path and device_model)
Added more options to xen-pvm hypervisor (use_bootloader, bootloader_path and bootloader_args)
Added the use_localtime option for the xen-hvm and kvm hypervisors, and the default value for this has changed to false (in 2.0 xen-hvm always enabled it)
Added luxi call to submit multiple jobs in one go
Added cluster initialization option to not modify /etc/hosts file on nodes
Added network interface parameters
Added dry run mode to some LUs
Added RAPI resources:
- /2/instances/[instance_name]/info
- /2/instances/[instance_name]/replace-disks
- /2/nodes/[node_name]/evacuate
- /2/nodes/[node_name]/migrate
- /2/nodes/[node_name]/role
- /2/nodes/[node_name]/storage
- /2/nodes/[node_name]/storage/modify
- /2/nodes/[node_name]/storage/repair
Added OpCodes to evacuate or migrate all instances on a node
Added new command to list storage elements on nodes (gnt-node list-storage) and modify them (gnt-node modify-storage)
Added new ssconf files with master candidate IP address (ssconf_master_candidates_ips), node primary IP address (ssconf_node_primary_ips) and node secondary IP address (ssconf_node_secondary_ips)
Added ganeti-confd and a client library to query the Ganeti configuration via UDP
Added ability to run hooks after cluster initialization and before cluster destruction
Added automatic mode for disk replace (gnt-instance replace-disks --auto)
Added gnt-instance recreate-disks to re-create (empty) disks after catastrophic data-loss
Added gnt-node repair-storage command to repair damaged LVM volume groups
Added gnt-instance move command to move instances
Added gnt-cluster watcher command to control watcher
Added gnt-node powercycle command to powercycle nodes
Added new job status field lock_status
Added parseable error codes to cluster verification (gnt-cluster verify --error-codes) and made output less verbose (use --verbose to restore previous behaviour)
Added UUIDs to the main config entities (cluster, nodes, instances)
Added support for OS variants
Added support for hashed passwords in the Ganeti remote API users file (rapi_users)
Added option to specify maximum timeout on instance shutdown
Added --no-ssh-init option to gnt-cluster init
Added new helper script to start and stop Ganeti daemons (daemon-util), with the intent to reduce the work necessary to adjust Ganeti for non-Debian distributions and to start/stop daemons from one place
Added more unittests
Fixed critical bug in ganeti-masterd startup
Removed the configure-time kvm-migration-port parameter, this is now customisable at the cluster level for both the KVM and Xen hypervisors using the new migration_port parameter
Pass INSTANCE_REINSTALL variable to OS installation script when reinstalling an instance
Allowed @ in tag names
Migrated to Sphinx (http://sphinx.pocoo.org/) for documentation
Many documentation updates
Distribute hypervisor files on gnt-cluster redist-conf
gnt-instance reinstall can now reinstall multiple instances
Updated many command line parameters
Introduced new OS API version 15
No longer support a default hypervisor
Treat virtual LVs as inexistent
Improved job locking logic to reduce lock contention
Match instance and node names case insensitively
Reimplemented bash completion script to be more complete
Improved burnin

Version 2.0.6¶

(Released Thu, 4 Feb 2010)

Fix cleaner behaviour on nodes not in a cluster (Debian bug 568105)
Fix a string formatting bug
Improve safety of the code in some error paths
Improve data validation in the master of values returned from nodes

Version 2.0.5¶

(Released Thu, 17 Dec 2009)

Fix security issue due to missing validation of iallocator names; this allows local and remote execution of arbitrary executables
Fix failure of gnt-node list during instance removal
Ship the RAPI documentation in the archive

Version 2.0.4¶

(Released Wed, 30 Sep 2009)

Fixed many wrong messages
Fixed a few bugs related to the locking library
Fixed MAC checking at instance creation time
Fixed a DRBD parsing bug related to gaps in /proc/drbd
Fixed a few issues related to signal handling in both daemons and scripts
Fixed the example startup script provided
Fixed insserv dependencies in the example startup script (patch from Debian)
Fixed handling of drained nodes in the iallocator framework
Fixed handling of KERNEL_PATH parameter for xen-hvm (Debian bug #528618)
Fixed error related to invalid job IDs in job polling
Fixed job/opcode persistence on unclean master shutdown
Fixed handling of partial job processing after unclean master shutdown
Fixed error reporting from LUs, previously all errors were converted into execution errors
Fixed error reporting from burnin
Decreased significantly the memory usage of the job queue
Optimised slightly multi-job submission
Optimised slightly opcode loading
Backported the multi-job submit framework from the development branch; multi-instance start and stop should be faster
Added script to clean archived jobs after 21 days; this will reduce the size of the queue directory
Added some extra checks in disk size tracking
Added an example ethers hook script
Added a cluster parameter that prevents Ganeti from modifying of /etc/hosts
Added more node information to RAPI responses
Added a gnt-job watch command that allows following the ouput of a job
Added a bind-address option to ganeti-rapi
Added more checks to the configuration verify
Enhanced the burnin script such that some operations can be retried automatically
Converted instance reinstall to multi-instance model

Version 2.0.3¶

(Released Fri, 7 Aug 2009)

Added --ignore-size to the gnt-instance activate-disks command to allow using the pre-2.0.2 behaviour in activation, if any existing instances have mismatched disk sizes in the configuration
Added gnt-cluster repair-disk-sizes command to check and update any configuration mismatches for disk sizes
Added gnt-master cluste-failover --no-voting to allow master failover to work on two-node clusters
Fixed the --net option of gnt-backup import, which was unusable
Fixed detection of OS script errors in gnt-backup export
Fixed exit code of gnt-backup export

Version 2.0.2¶

(Released Fri, 17 Jul 2009)

Added experimental support for stripped logical volumes; this should enhance performance but comes with a higher complexity in the block device handling; stripping is only enabled when passing --with-lvm-stripecount=N to configure, but codepaths are affected even in the non-stripped mode
Improved resiliency against transient failures at the end of DRBD resyncs, and in general of DRBD resync checks
Fixed a couple of issues with exports and snapshot errors
Fixed a couple of issues in instance listing
Added display of the disk size in gnt-instance info
Fixed checking for valid OSes in instance creation
Fixed handling of the “vcpus” parameter in instance listing and in general of invalid parameters
Fixed http server library, and thus RAPI, to handle invalid username/password combinations correctly; this means that now they report unauthorized for queries too, not only for modifications, allowing earlier detect of configuration problems
Added a new “role” node list field, equivalent to the master/master candidate/drained/offline flags combinations
Fixed cluster modify and changes of candidate pool size
Fixed cluster verify error messages for wrong files on regular nodes
Fixed a couple of issues with node demotion from master candidate role
Fixed node readd issues
Added non-interactive mode for ganeti-masterd --no-voting startup
Added a new --no-voting option for masterfailover to fix failover on two-nodes clusters when the former master node is unreachable
Added instance reinstall over RAPI

Version 2.0.1¶

(Released Tue, 16 Jun 2009)

added -H/-B startup parameters to gnt-instance, which will allow re-adding the start in single-user option (regression from 1.2)
the watcher writes the instance status to a file, to allow monitoring to report the instance status (from the master) based on cached results of the watcher’s queries; while this can get stale if the watcher is being locked due to other work on the cluster, this is still an improvement
the watcher now also restarts the node daemon and the rapi daemon if they died
fixed the watcher to handle full and drained queue cases
hooks export more instance data in the environment, which helps if hook scripts need to take action based on the instance’s properties (no longer need to query back into ganeti)
instance failovers when the instance is stopped do not check for free RAM, so that failing over a stopped instance is possible in low memory situations
rapi uses queries for tags instead of jobs (for less job traffic), and for cluster tags it won’t talk to masterd at all but read them from ssconf
a couple of error handling fixes in RAPI
drbd handling: improved the error handling of inconsistent disks after resync to reduce the frequency of “there are some degraded disks for this instance” messages
fixed a bug in live migration when DRBD doesn’t want to reconnect (the error handling path called a wrong function name)

Version 2.0.0¶

(Released Wed, 27 May 2009)

no changes from rc5

Version 2.0 rc5¶

(Released Wed, 20 May 2009)

fix a couple of bugs (validation, argument checks)
fix gnt-cluster getmaster on non-master nodes (regression)
some small improvements to RAPI and IAllocator
make watcher automatically start the master daemon if down

Version 2.0 rc4¶

(Released Mon, 27 Apr 2009)

change the OS list to not require locks; this helps with big clusters
fix gnt-cluster verify and gnt-cluster verify-disks when the volume group is broken
gnt-instance info, without any arguments, doesn’t run for all instances anymore; either pass --all or pass the desired instances; this helps against mistakes on big clusters where listing the information for all instances takes a long time
miscellaneous doc and man pages fixes

Version 2.0 rc3¶

(Released Wed, 8 Apr 2009)

Change the internal locking model of some gnt-node commands, in order to reduce contention (and blocking of master daemon) when batching many creation/reinstall jobs
Fixes to Xen soft reboot
No longer build documentation at build time, instead distribute it in the archive, in order to reduce the need for the whole docbook/rst toolchains

Version 2.0 rc2¶

(Released Fri, 27 Mar 2009)

Now the cfgupgrade scripts works and can upgrade 1.2.7 clusters to 2.0
Fix watcher startup sequence, improves the behaviour of busy clusters
Some other fixes in gnt-cluster verify, gnt-instance replace-disks, gnt-instance add, gnt-cluster queue, KVM VNC bind address and other places
Some documentation fixes and updates

Version 2.0 rc1¶

(Released Mon, 2 Mar 2009)

More documentation updates, now all docs should be more-or-less up-to-date
A couple of small fixes (mixed hypervisor clusters, offline nodes, etc.)
Added a customizable HV_KERNEL_ARGS hypervisor parameter (for Xen PVM and KVM)
Fix an issue related to $libdir/run/ganeti and cluster creation

Version 2.0 beta2¶

(Released Thu, 19 Feb 2009)

Xen PVM and KVM have switched the default value for the instance root disk to the first partition on the first drive, instead of the whole drive; this means that the OS installation scripts must be changed accordingly
Man pages have been updated
RAPI has been switched by default to HTTPS, and the exported functions should all work correctly
RAPI v1 has been removed
Many improvements to the KVM hypervisor
Block device errors are now better reported
Many other bugfixes and small improvements

Version 2.0 beta1¶

(Released Mon, 26 Jan 2009)

Version 2 is a general rewrite of the code and therefore the differences are too many to list, see the design document for 2.0 in the doc/ subdirectory for more details
In this beta version there is not yet a migration path from 1.2 (there will be one in the final 2.0 release)
A few significant changes are:
- all commands are executed by a daemon (ganeti-masterd) and the various gnt-* commands are just front-ends to it
- all the commands are entered into, and executed from a job queue, see the gnt-job(8) manpage
- the RAPI daemon supports read-write operations, secured by basic HTTP authentication on top of HTTPS
- DRBD version 0.7 support has been removed, DRBD 8 is the only supported version (when migrating from Ganeti 1.2 to 2.0, you need to migrate to DRBD 8 first while still running Ganeti 1.2)
- DRBD devices are using statically allocated minor numbers, which will be assigned to existing instances during the migration process
- there is support for both Xen PVM and Xen HVM instances running on the same cluster
- KVM virtualization is supported too
- file-based storage has been implemented, which means that it is possible to run the cluster without LVM and DRBD storage, for example using a shared filesystem exported from shared storage (and still have live migration)

Version 1.2.7¶

(Released Tue, 13 Jan 2009)

Change the default reboot type in gnt-instance reboot to “hard”
Reuse the old instance mac address by default on instance import, if the instance name is the same.
Handle situations in which the node info rpc returns incomplete results (issue 46)
Add checks for tcp/udp ports collisions in gnt-cluster verify
Improved version of batcher:
- state file support
- instance mac address support
- support for HVM clusters/instances
Add an option to show the number of cpu sockets and nodes in gnt-node list
Support OSes that handle more than one version of the OS api (but do not change the current API in any other way)
Fix gnt-node migrate
gnt-debug man page
Fixes various more typos and small issues
Increase disk resync maximum speed to 60MB/s (from 30MB/s)

Version 1.2.6¶

(Released Wed, 24 Sep 2008)

new --hvm-nic-type and --hvm-disk-type flags to control the type of disk exported to fully virtualized instances.
provide access to the serial console of HVM instances
instance auto_balance flag, set by default. If turned off it will avoid warnings on cluster verify if there is not enough memory to fail over an instance. in the future it will prevent automatically failing it over when we will support that.
batcher tool for instance creation, see tools/README.batcher
gnt-instance reinstall --select-os to interactively select a new operating system when reinstalling an instance.
when changing the memory amount on instance modify a check has been added that the instance will be able to start. also warnings are emitted if the instance will not be able to fail over, if auto_balance is true.
documentation fixes
sync fields between gnt-instance list/modify/add/import
fix a race condition in drbd when the sync speed was set after giving the device a remote peer.

Version 1.2.5¶

(Released Tue, 22 Jul 2008)

note: the allowed size and number of tags per object were reduced
fix a bug in gnt-cluster verify with inconsistent volume groups
fixed twisted 8.x compatibility
fixed gnt-instance replace-disks with iallocator
add TCP keepalives on twisted connections to detect restarted nodes
disk increase support, see gnt-instance grow-disk
implement bulk node/instance query for RAPI
add tags in node/instance listing (optional)
experimental migration (and live migration) support, read the man page for gnt-instance migrate
the ganeti-watcher logs are now timestamped, and the watcher also has some small improvements in handling its state file

Version 1.2.4¶

(Released Fri, 13 Jun 2008)

Experimental readonly, REST-based remote API implementation; automatically started on master node, TCP port 5080, if enabled by --enable-rapi parameter to configure script.
Instance allocator support. Add and import instance accept a --iallocator parameter, and call that instance allocator to decide which node to use for the instance. The iallocator document describes what’s expected from an allocator script.
gnt-cluster verify N+1 memory redundancy checks: Unless passed the --no-nplus1-mem option gnt-cluster verify now checks that if a node is lost there is still enough memory to fail over the instances that reside on it.
gnt-cluster verify hooks: it is now possible to add post-hooks to gnt-cluster verify, to check for site-specific compliance. All the hooks will run, and their output, if any, will be displayed. Any failing hook will make the verification return an error value.
gnt-cluster verify now checks that its peers are reachable on the primary and secondary interfaces
gnt-node add now supports the --readd option, to readd a node that is still declared as part of the cluster and has failed.
gnt-* list commands now accept a new -o +field way of specifying output fields, that just adds the chosen fields to the default ones.
gnt-backup now has a new remove command to delete an existing export from the filesystem.
New per-instance parameters hvm_acpi, hvm_pae and hvm_cdrom_image_path have been added. Using them you can enable/disable acpi and pae support, and specify a path for a cd image to be exported to the instance. These parameters as the name suggest only work on HVM clusters.
When upgrading an HVM cluster to Ganeti 1.2.4, the values for ACPI and PAE support will be set to the previously hardcoded values, but the (previously hardcoded) path to the CDROM ISO image will be unset and if required, needs to be set manually with gnt-instance modify after the upgrade.
The address to which an instance’s VNC console is bound is now selectable per-instance, rather than being cluster wide. Of course this only applies to instances controlled via VNC, so currently just applies to HVM clusters.

Version 1.2.3¶

(Released Mon, 18 Feb 2008)

more tweaks to the disk activation code (especially helpful for DRBD)
change the default gnt-instance list output format, now there is one combined status field (see the manpage for the exact values this field will have)
some more fixes for the mac export to hooks change
make Ganeti not break with DRBD 8.2.x (which changed the version format in /proc/drbd) (issue 24)
add an upgrade tool from “remote_raid1” disk template to “drbd” disk template, allowing migration from DRBD0.7+MD to DRBD8

Version 1.2.2¶

(Released Wed, 30 Jan 2008)

fix gnt-instance modify breakage introduced in 1.2.1 with the HVM support (issue 23)
add command aliases infrastructure and a few aliases
allow listing of VCPUs in the gnt-instance list and improve the man pages and the --help option of gnt-node list/gnt-instance list
fix gnt-backup list with down nodes (issue 21)
change the tools location (move from $pkgdatadir to $pkglibdir/tools)
fix the dist archive and add a check for including svn/git files in the future
some developer-related changes: improve the burnin and the QA suite, add an upload script for testing during development

Version 1.2.1¶

(Released Wed, 16 Jan 2008)

experimental HVM support, read the install document, section “Initializing the cluster”
allow for the PVM hypervisor per-instance kernel and initrd paths
add a new command gnt-cluster verify-disks which uses a new algorithm to improve the reconnection of the DRBD pairs if the device on the secondary node has gone away
make logical volume code auto-activate LVs at disk activation time
slightly improve the speed of activating disks
allow specification of the MAC address at instance creation time, and changing it later via gnt-instance modify
fix handling of external commands that generate lots of output on stderr
update documentation with regard to minimum version of DRBD8 supported

Version 1.2.0¶

(Released Tue, 4 Dec 2007)

Log the xm create output to the node daemon log on failure (to help diagnosing the error)
In debug mode, log all external commands output if failed to the logs
Change parsing of lvm commands to ignore stderr

Version 1.2 beta3¶

(Released Wed, 28 Nov 2007)

Another round of updates to the DRBD 8 code to deal with more failures in the replace secondary node operation
Some more logging of failures in disk operations (lvm, drbd)
A few documentation updates
QA updates

Version 1.2 beta2¶

(Released Tue, 13 Nov 2007)

Change configuration file format from Python’s Pickle to JSON. Upgrading is possible using the cfgupgrade utility.
Add support for DRBD 8.0 (new disk template drbd) which allows for faster replace disks and is more stable (DRBD 8 has many improvements compared to DRBD 0.7)
Added command line tags support (see man pages for gnt-instance, gnt-node, gnt-cluster)
Added instance rename support
Added multi-instance startup/shutdown
Added cluster rename support
Added gnt-node evacuate to simplify some node operations
Added instance reboot operation that can speedup reboot as compared to stop and start
Soften the requirement that hostnames are in FQDN format
The ganeti-watcher now activates drbd pairs after secondary node reboots
Removed dependency on debian’s patched fping that uses the non-standard -S option
Now the OS definitions are searched for in multiple, configurable paths (easier for distros to package)
Some changes to the hooks infrastructure (especially the new post-configuration update hook)
Other small bugfixes