Qdevice: Add more man pages

Signed-off-by: Jan Friesse <jfriesse@redhat.com>

corosync.spec.in

@@ -428,6 +428,7 @@ fi
 %{_initrddir}/corosync-qdevice
 %endif
 %{_mandir}/man8/corosync-qdevice-tool.8*
+%{_mandir}/man8/corosync-qdevice-net-certutil.8*
 %endif
 
 # optional qnetd
@@ -498,6 +499,7 @@ fi
 %endif
 %{_mandir}/man8/corosync-qnetd-tool.8*
 %{_mandir}/man8/corosync-qnetd-certutil.8*
+%{_mandir}/man8/corosync-qnetd.8*
 %endif
 
 %changelog

man/Makefile.am

@@ -144,11 +144,13 @@ endif
 
 if BUILD_QNETD
 dist_man_MANS		+= corosync-qnetd-tool.8 \
-                           corosync-qnetd-certutil.8
+                           corosync-qnetd-certutil.8 \
+                           corosync-qnetd.8
 endif
 
 if BUILD_QDEVICES
-dist_man_MANS		+= corosync-qdevice-tool.8
+dist_man_MANS		+= corosync-qdevice-tool.8 \
+                           corosync-qdevice-net-certutil.8
 endif
 
 HTML_DOCS 		= $(dist_man_MANS:%=%.html) $(man_MANS:%=%.html)

man/corosync-qdevice-net-certutil.8

@@ -0,0 +1,84 @@
+.\"/*
+.\" * Copyright (C) 2016 Red Hat, Inc.
+.\" *
+.\" * All rights reserved.
+.\" *
+.\" * Author: Jan Friesse <jfriesse@redhat.com>
+.\" *
+.\" * This software licensed under BSD license, the text of which follows:
+.\" *
+.\" * Redistribution and use in source and binary forms, with or without
+.\" * modification, are permitted provided that the following conditions are met:
+.\" *
+.\" * - Redistributions of source code must retain the above copyright notice,
+.\" *   this list of conditions and the following disclaimer.
+.\" * - Redistributions in binary form must reproduce the above copyright notice,
+.\" *   this list of conditions and the following disclaimer in the documentation
+.\" *   and/or other materials provided with the distribution.
+.\" * - Neither the name of Red Hat, Inc. nor the names of its
+.\" *   contributors may be used to endorse or promote products derived from this
+.\" *   software without specific prior written permission.
+.\" *
+.\" * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+.\" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+.\" * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+.\" * THE POSSIBILITY OF SUCH DAMAGE.
+.\" */
+.TH COROSYNC-QDEVICE-NET-CERTUTIL 8 2016-06-28
+.SH NAME
+corosync-qdevice-net-certutil - tool to generate qdevice model net TLS certificates
+.SH SYNOPSIS
+.B "corosync-qdevice-net-certutil [-i|-m|-M|-r|-s|-Q] [-c certificate] [-n cluster_name]"
+.SH DESCRIPTION
+.B corosync-qdevice-net-certutil
+is frontend for NSS certutil used for generating client certificate for net model of
+qdevice.
+.SH OPTIONS
+.TP
+.B -i
+Initialize QDevice Net NSS certificate database.
+Default directory with database is /etc/corosync/qdevice/net/. This directory
+has to be writable by current user. It needs QNetd CA certificate passed as
+.B -c
+parameter. Certificate can be found on server running QNetd in file
+/etc/corosync/qnetd/nssdb/qnetd-cacert.crt.
+.TP
+.B -m
+Import cluster certificate and key from pk12 file.
+.TP
+.B -r
+Generate certificate request. Certificate request is exported into
+/etc/corosync/qdevice/net/qdevice-net-node.crq file. It's required to
+pass cluster name
+.B -n
+parameter. Cluster name has to match one defined in /etc/corosync/corosync.conf.
+.TP
+.B -M
+Import signed certificate and export certificate with private key into
+pk12 file.
+.TP
+.B -Q
+Use ssh/scp to properly set both
+.B corosync-qnetd
+and
+.B corosync-qdevice
+certificates on all nodes. It's highly recommended to use ssh agent,
+otherwise ssh/scp will keep you asking for password roughly 8 times number of nodes.
+.B -c
+File with certificate to load.
+.TP
+.B -n
+Name of the cluster.
+.SH SEE ALSO
+.BR corosync-qnetd (8)
+.BR corosync-qdevice (8)
+.SH AUTHOR
+Jan Friesse
+.PP

man/corosync-qnetd-certutil.8

@@ -31,7 +31,7 @@
 .\" * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
 .\" * THE POSSIBILITY OF SUCH DAMAGE.
 .\" */
-.TH COROSYNC-QNETD-CERTUTIL 8 2016-06-23
+.TH COROSYNC-QNETD-CERTUTIL 8 2016-06-28
 .SH NAME
 corosync-qnetd-certutil - tool to generate qnetd TLS certificates
 .SH SYNOPSIS
@@ -60,6 +60,11 @@ Certificate request file to sign.
 .TP
 .B -n
 Name of the cluster.
+.SH NOTES
+If qnetd is executed by non root user, /etc/corosync/qnetd and it's subdirectories has to have
+set owner (and/or group) to given user. If
+.B corosync-qnetd-certutil
+is executed as root it tries to copy owner and group of /etc/corosync/qnetd to all its created files.
 .SH SEE ALSO
 .BR corosync-qnetd (8)
 .BR corosync-qdevice (8)

man/corosync-qnetd.8

@@ -0,0 +1,223 @@
+.\"/*
+.\" * Copyright (C) 2016 Red Hat, Inc.
+.\" *
+.\" * All rights reserved.
+.\" *
+.\" * Author: Jan Friesse <jfriesse@redhat.com>
+.\" *
+.\" * This software licensed under BSD license, the text of which follows:
+.\" *
+.\" * Redistribution and use in source and binary forms, with or without
+.\" * modification, are permitted provided that the following conditions are met:
+.\" *
+.\" * - Redistributions of source code must retain the above copyright notice,
+.\" *   this list of conditions and the following disclaimer.
+.\" * - Redistributions in binary form must reproduce the above copyright notice,
+.\" *   this list of conditions and the following disclaimer in the documentation
+.\" *   and/or other materials provided with the distribution.
+.\" * - Neither the name of Red Hat, Inc. nor the names of its
+.\" *   contributors may be used to endorse or promote products derived from this
+.\" *   software without specific prior written permission.
+.\" *
+.\" * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+.\" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+.\" * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+.\" * THE POSSIBILITY OF SUCH DAMAGE.
+.\" */
+.TH COROSYNC-QNETD 8 2016-06-28
+.SH NAME
+corosync-qnetd \- QNet daemon
+.SH SYNOPSIS
+.B "corosync-qnetd [-46dfhv] [-l listen_addr] [-p listen_port] [-s tls]
+.B [-c client_cert_required] [-m max_clients] [-S option=value[,option2=value2,...]]"
+
+.SH DESCRIPTION
+.B corosync-qnetd
+is daemon running outside of cluster and being able to provide vote to
+.B corosync-qdevice
+model net. It's designed to support multiple clusters and be almost configuration
+and state free. New clusters are handled dynamically and no configuration file exists.
+It's also able to (recommended) run as non root user. Connection between
+.B corosync-qdevice
+model net client can be optionally TLS with client certificate checking. Communication
+protocol between server and client is designed to be very simple and allow backward
+compatibility.
+.SH OPTIONS
+.TP
+.B -4
+and it's counterpart
+.B -6
+are used to force to use only IPv4 or IPv6. Default is to listen on both addresses.
+.TP
+.B -d
+Turn on debug information. By default priority of messages forwarded into syslog
+is not bumped so for most of deployments debug messages are simply thrown. To bump
+up priority use
+.B -d
+parameter twice.
+.TP
+.B -h
+Show short help
+.TP
+.B -v
+Show version and supported communication protocol messages/options.
+.TP
+.B -l
+IP address to listen on. By default daemon listen on any address (wildcard).
+.TP
+.B -p
+TCP port to listen on. Default port is 5403.
+.TP
+.B -s
+Determines if TLS should be used and can be one of
+.I on/off/required
+values (default is
+.I on
+).
+.I on
+means TLS is enabled but client is not required to start TLS,
+.I off
+means TLS is completely disabled, and
+.I required
+means TLS is required.
+.I on
+and
+.I required
+requires NSS database to be properly initialized by running a
+.B corosync-qnetd-certutil
+command.
+.TP
+.B -c
+can be set to
+.I on/off
+value. Option make sense only if TLS is enabled. When
+.B -c
+is
+.I on
+client is required to send it's client certificate (default).
+.TP
+.B -m
+Maximum simultaneous clients. Default is 0 what means no limit.
+.TP
+.B -S
+Set advanced settings described in it's own section. This option
+shouldn't be generally used because most of the options are
+not safe to change.
+.SH UNPRIVILEGED USER CONFIGURATION
+It's generally recommended to be running
+.B corosync-qnetd
+as non root user. If you get package from distribution it's highly
+possible packager made hard work for you. If installation is performed
+from source code, few steps has to be taken.
+
+First it's needed to create unprivileged user/group. Following commands
+can be used (execute as root):
+
+.nf
+# groupadd -r coroqnetd
+# useradd -r -g coroqnetd -d / -s /sbin/nologin -c "User for corosync-qnetd" coroqnetd
+.fi
+
+Next step is to set correct owner to /etc/corosync/qnetd and /var/run/corosync-qnetd
+directories.
+
+.nf
+# chown -R coroqnetd:coroqnetd /etc/corosync/qnetd /var/run/corosync-qnetd
+.fi
+
+Some systems has /var/run directory on tmpfs file system which gets discarded after
+reboot. Solution is to use initscript which takes care of /var/run/corosync-qnetd
+creating and set correct owner and permissions or for systems with systemd, it's possible
+to use tmpfile.d configuration file (installed by default if systemd is enabled during
+corosync compilation).
+
+Last step is to make sure
+.B corosync-qnetd
+is really executed as unpriviliged user. For initscript it's enough to set
+line COROSYNC_QNETD_RUNAS in /etc/(sysconfig|default)/corosync-qnetd file. If file
+is not already installed, use one provided in corosync source code
+(init/corosync-qnetd.sysconfig.example). For systemd overwrite/copy
+corosync-qnetd.service unit file and uncomment/change "User=" directive.
+
+.SH TLS CONFIGURATION
+For TLS to work it's required to create NSS database.
+.B corosync-qnetd-certutil
+is tool to perform required actions automatically. Just execute:
+
+.nf
+# corosync-qnetd-certutil -i
+.fi
+
+If TLS is not required just edit /etc/(sysconfig|default)/corosync-qnetd or
+systemd unit file and add parameter
+.B -s
+.I off
+proper place.
+
+.SH ADVANCED SETTINGS
+Set by using
+.B -S
+option. At the end of description in braces is default value.
+.TP
+.B listen_backlog
+Parameter passed to listen syscall. (10)
+.TP
+.B max_client_send_buffers
+Maximum number of send buffers for one client. (32)
+.TP
+.B max_client_send_size
+Maximum size of one send buffer (message) to be send to client. (32768)
+.TP
+.B max_client_receive_size
+Maximum size of receive buffer for client message (maximum
+allowed message size received by client). (32768)
+.TP
+.B nss_db_dir
+NSS database directory. (/etc/corosync/qnetd/nssdb)
+.TP
+.B cert_nickname
+NSS nickname of qnetd server certificate. (QNetd Cert)
+.TP
+.B heartbeat_interval_min
+Minimal heartbeat timeout accepted by server in ms. (1000)
+.TP
+.B heartbeat_interval_max
+Maximal heartbeat timeout accepted by server in ms. (120000)
+.TP
+.B dpd_enabled
+Dead peer detection enabled. (on)
+.TP
+.B dpd_interval
+How often DPD algorithm detects dead peers in ms. (10000)
+.TP
+.B lock_file
+Lock file location. (/var/run/corosync-qnetd/corosync-qnetd.pid)
+.TP
+.B local_socket_file
+Internal IPC socket file location. (/var/run/corosync-qnetd/corosync-qnetd.sock)
+.TP
+.B local_socket_backlog
+Parameter passed to listen syscall. (10)
+.TP
+.B ipc_max_clients
+Maximum allowed simultaneous IPC clients. (10)
+.TP
+.B ipc_max_receive_size
+Maximum size of message received by IPC client. (4096)
+.TP
+.B ipc_max_send_size
+Maximum size of message allowed to send to IPC client. (10485760)
+.SH SEE ALSO
+.BR corosync-qnetd-tool (8)
+.BR corosync-qnetd-certutil (8)
+.BR corosync-qdevice (8)
+.SH AUTHOR
+Jan Friesse
+.PP

qdevices/qnetd-advanced-settings.c

@@ -204,13 +204,6 @@ qnetd_advanced_settings_set(struct qnetd_advanced_settings *settings,
 			return (-2);
 		}
 
-		settings->ipc_max_send_size = (size_t)tmpll;
-	} else if (strcasecmp(option, "ipc_max_send_size") == 0) {
-		tmpll = strtoll(value, &ep, 10);
-		if (tmpll < QNETD_MIN_IPC_RECEIVE_SEND_SIZE || errno != 0 || *ep != '\0') {
-			return (-2);
-		}
-
 		settings->ipc_max_send_size = (size_t)tmpll;
 	} else {
 		return (-1);