Re: [PVE-User] pve-firewall and NAT

2016-03-10 Thread Yannick Palanque
Hello,

On 2016-03-10T11:15:09+0100,
Jonas Borgström wrote:

> The only workaround I've found so far (from some proxmox forum) is:
> $ iptables -t raw -A PREROUTING -i fwbr+ -j CT --zone 1
> 
> But that only works if I manually run it _after_ the firewall and the
> container have been started, it does not work if I add it as a post-up
> command to /etc/network/interfaces.

I have this very iptables rule in the interface's post-up rules and it
works... but I have issues with ARP as I told on
.
I use this ugly hack (static ARP for GW) and it seems to work well...

HTH
___
pve-user mailing list
pve-user@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user


Re: [PVE-User] V4.1: "Move Disk" function leads to file system corruption

2016-03-10 Thread Claudiu Popescu
> Hi Stefan
> 
> SQL Server is known to be picky about the filesystem.
> 
> Is the problem repeatable if you use the qemu-img command as it is
> displayed above?
> 
> If yes, can you try it again by using the switch -t writethrough instead
> of writeback?
> This should be slower but safer.
> 
> It might be that by using writeback, some blocks are still in the Linux
> kernel page cache, and the filesystem inside the VM is not consistent if
> you start the VM before the kernel has flushed the cache.
> 
> Emmanuel


If that is the cause of this issue, isn't sync an option?
Adding an option which flushes all buffers to disk prior to disk move in web ui?
Even if it might cause the node to be under load, in some cases it is worth it.


Re: [PVE-User] ceph.conf permissions

2016-03-10 Thread Albert Dengg
On Thu, Mar 10, 2016 at 10:49:06AM +, James Bailey wrote:
...
> 
> You could use extended ACLs to allow the ceph user read access to that file
> only.
> 
> https://wiki.debian.org/Permissions#Access_Control_Lists_in_Linux
have you tried it in this case?

i'm not sure if the filesystem used for /etc/pve (pmxcfs) supports
posix acls...

as with putting the user in the www-data group:
at least on my machines the keyrings used for ceph are only readable
by root. this means that most likely, you are going to run into the
next problem there.

regards,
albert


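The two options discussed in this thread (adding the ceph user to www-data versus an ACL) can be reasoned about before touching the host. The following is an added example, not code from the thread or from Proxmox or Ceph: it re-implements the classic Unix mode-bit read check so you can predict what a daemon user will be able to read. The numeric ids in ceph_conf_scenario() are constructed sample values; the 0640 root:www-data mode of ceph.conf comes from the ls -alh output quoted above, and the root-only keyring from Albert's observation.

```python
import os
import pwd
import grp
import stat

# Added example (not code from the thread or from Proxmox/Ceph): predict
# whether a daemon user can read a file from classic mode bits alone, so the
# effect of "add ceph to www-data" can be checked before changing anything.
# Numeric ids used in ceph_conf_scenario() are constructed sample values.


def mode_allows_read(mode, owner_uid, owner_gid, uid, gids):
    """Classic Unix read check for a process running as (uid, gids).

    The kernel picks exactly one class: owner bits if uid owns the file,
    otherwise group bits if any of the process's groups owns it, otherwise
    the 'other' bits. uid 0 bypasses the check for regular files.
    """
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def user_can_read(path, username):
    """Apply mode_allows_read() to a real file using this host's passwd/group
    databases (primary group plus supplementary groups)."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    st = os.stat(path)
    return mode_allows_read(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                            pw.pw_uid, gids)


def ceph_conf_scenario():
    """The situation from the thread with constructed ids:
    ceph.conf is root:www-data 0640 (the ls -alh output), the keyring is
    root:root 0600 (Albert's observation). Returns what the ceph user can
    read before and after being added to www-data."""
    ROOT, WWW_DATA, CEPH = 0, 33, 64045        # sample ids, not looked up
    conf = (0o640, ROOT, WWW_DATA)
    keyring = (0o600, ROOT, ROOT)
    before = {CEPH}                            # ceph's own primary group only
    after = {CEPH, WWW_DATA}                   # after usermod -aG www-data ceph
    return {
        "conf_before": mode_allows_read(*conf, CEPH, before),
        "conf_after": mode_allows_read(*conf, CEPH, after),
        "keyring_after": mode_allows_read(*keyring, CEPH, after),
    }


if __name__ == "__main__":
    # Expected: conf unreadable before, readable after, keyring still unreadable.
    print(ceph_conf_scenario())
```

The scenario shows the point Albert makes: group membership fixes ceph.conf but does nothing for a root:root 0600 keyring. The check reads mode bits only, so a file made readable through a POSIX ACL (James's alternative) would be reported as unreadable; on such files the group triplet printed by ls is the ACL mask, and getfacl is the authoritative view. Whether pmxcfs accepts setfacl at all is the open question in this thread, so verify with getfacl on /etc/pve before relying on it.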


Re: [PVE-User] ceph.conf permissions

2016-03-10 Thread James Bailey

On 2016-03-10 10:30, Florent B wrote:

> On 03/10/2016 11:25 AM, Alessandro Briosi wrote:
>
>> On 10/03/2016 11:11, Florent B wrote:
>>
>>> Hi everyone,
>>>
>>> I think there's a little problem with ceph.conf permissions on Proxmox.
>>>
>>> With Infernalis release, all ceph processes are running under "ceph" user.
>>>
>>> root user starts processes, then changes user to ceph. All is fine.
>>>
>>> But a problem occurs when a ceph process needs to respawn itself after some
>>> time. ceph user is respawning and cannot read ceph.conf anymore.
>>> That's the case for MDS processes for example.
>>>
>>> Permissions of ceph.conf file are
>>>
>>> # ls -alh /etc/pve/ceph.conf
>>> -rw-r----- 1 root www-data 3.6K Mar  8 12:35 /etc/pve/ceph.conf
>>>
>>> And cannot change that
>>>
>>> # chmod o+r /etc/pve/ceph.conf
>>> chmod: changing permissions of ‘/etc/pve/ceph.conf’: Function not
>>> implemented
>>>
>>> How can Proxmox handle this situation ?
>>
>> Why not simply add ceph user to www-data group.
>>
>> Or can it be in some way a security issue?
>>
>> Alessandro
>
> Hi Alessandro,
>
> Yes that's one of the solutions, I just wanted to know if someone had
> other ideas :)
> I don't think that could be a great security issue..

You could use extended ACLs to allow the ceph user read access to that
file only.

https://wiki.debian.org/Permissions#Access_Control_Lists_in_Linux

Regards Jim


Re: [PVE-User] ceph.conf permissions

2016-03-10 Thread Alessandro Briosi
On 10/03/2016 11:11, Florent B wrote:
> Hi everyone,
>
> I think there's a little problem with ceph.conf permissions on Proxmox.
>
> With Infernalis release, all ceph processes are running under "ceph" user.
>
> root user starts processes, then changes user to ceph. All is fine.
>
> But a problem occurs when a ceph process needs to respawn itself after some
> time. ceph user is respawning and cannot read ceph.conf anymore.
> That's the case for MDS processes for example.
>
> Permissions of ceph.conf file are
>
> # ls -alh /etc/pve/ceph.conf
> -rw-r----- 1 root www-data 3.6K Mar  8 12:35 /etc/pve/ceph.conf
>
> And cannot change that
>
> # chmod o+r /etc/pve/ceph.conf
> chmod: changing permissions of ‘/etc/pve/ceph.conf’: Function not
> implemented
>
> How can Proxmox handle this situation ?

Why not simply add ceph user to www-data group.

Or can it be in some way a security issue?

Alessandro





[PVE-User] pve-firewall and NAT

2016-03-10 Thread Jonas Borgström
Hi,

I'm trying to figure out whether pve-firewall and NAT are a supported
configuration or not.

The pve-firewall wiki [1] page does not mention NAT.

The NAT section of the Network model wiki page [2] does not mention
anything about pve-firewall.

I've been testing proxmox 4.1 with the following network configuration
and an LXC container running on vmbr1.
But as soon as I enable the firewall the network dies. Using tcpdump on
eth0 I see that once the firewall is enabled the NAT stops working and
untranslated 10.7.0.x addresses are sent out from eth0.

The only workaround I've found so far (from some proxmox forum) is:
$ iptables -t raw -A PREROUTING -i fwbr+ -j CT --zone 1

But that only works if I manually run it _after_ the firewall and the
container have been started, it does not work if I add it as a post-up
command to /etc/network/interfaces.

Has anyone else managed to get pve-firewall and NAT to work well together?

/ Jonas


auto eth0
iface eth0 inet static
    address  x.y.z.151
    netmask  255.255.255.255
    gateway  x.y.z.129
    pointopoint x.y.z.129

auto vmbr0
iface vmbr0 inet static
    address  x.y.z.151
    netmask  255.255.255.255
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
    up ip route add x.y.z.174/32 dev vmbr0
    up ip route add x.y.z.175/32 dev vmbr0

auto vmbr1
iface vmbr1 inet static
    address  10.7.0.1
    netmask  255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.7.0.0/24' -o eth0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.7.0.0/24' -o eth0 -j MASQUERADE

1: https://pve.proxmox.com/wiki/Proxmox_VE_Firewall
2: http://pve.proxmox.com/wiki/Network_Model
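Jonas's symptom is that the workaround rule only helps when added after the firewall and container are up, which makes it worth checking the live ruleset rather than the interfaces file. The following is an added example, not code from the thread or from Proxmox: it parses iptables-save output and reports which of the two rules this setup depends on (the MASQUERADE rule from the vmbr1 stanza and the conntrack-zone workaround) are absent. The rule strings reuse Jonas's 10.7.0.0/24 network, eth0 and the fwbr+ prefix; the two dumps embedded in the block are constructed sample text, not output captured from a Proxmox host.

```python
import re

# Added example, not from the thread: audit an iptables-save dump for the
# two rules Jonas's setup depends on. The rule strings reuse his addresses
# and the fwbr+ prefix; the dumps below are constructed sample text, not
# captured from a Proxmox host.

REQUIRED = {
    "nat": "-A POSTROUTING -s 10.7.0.0/24 -o eth0 -j MASQUERADE",
    "raw": "-A PREROUTING -i fwbr+ -j CT --zone 1",
}


def parse_iptables_save(text):
    """Return {table: [rule lines]} from iptables-save output.

    A table starts with '*name' and ends with 'COMMIT'; ':' lines declare
    chains and '#' lines are comments. Whitespace inside a rule is
    normalised so that hand-written and dumped rules compare equal."""
    tables, current = {}, None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = line[1:]
            tables.setdefault(current, [])
        elif line == "COMMIT":
            current = None
        elif line.startswith("-A") and current is not None:
            tables[current].append(re.sub(r"\s+", " ", line))
    return tables


def missing_rules(text, required=REQUIRED):
    """Return the subset of `required` ({table: rule}) absent from the dump."""
    tables = parse_iptables_save(text)
    return {t: r for t, r in required.items() if r not in tables.get(t, [])}


# Constructed sample dump: NAT rule in place, workaround not yet added.
DUMP_BEFORE = """\
# Generated by iptables-save (constructed sample)
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.7.0.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

# Constructed sample dump: same host after the conntrack-zone rule was added.
DUMP_AFTER = """\
# Generated by iptables-save (constructed sample)
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i fwbr+ -j CT --zone 1
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.7.0.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

if __name__ == "__main__":
    # Usage on a host: iptables-save | python3 audit_nat_rules.py
    import sys
    print(missing_rules(sys.stdin.read()))
```

Run it after pve-firewall has been enabled (not from the post-up hook) to see whether both rules are still present at that point; for a single rule, `iptables -t raw -C PREROUTING -i fwbr+ -j CT --zone 1` performs the same presence check directly. Whether the firewall's own rule handling removes or bypasses the workaround is the question this thread leaves open, and the audit only tells you what the ruleset looks like at the moment the dump is taken.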


Re: [PVE-User] V4.1: "Move Disk" function leads to file system corruption

2016-03-10 Thread Emmanuel Kasper


On 03/09/2016 07:14 PM, Stefan Plattner wrote:
> Hello everyone!
> 
> I used the "Move Disk" function in the "Hardware" tab of a
> stopped/offline Windows-VM. After the process was finished, I re-started
> the VM and the Guest greeted me with the following, in this case
> SQLServer related, (fatal) error message:
> 
> "Could not open error log file Operating system error = 1392"
> 
> Running a chkdsk inside the VM revealed several file system errors but
> even after "chkdsk /f", SQLServer still fails to start with "sql server
> error 9004"...
> 
> Switching back to the original disk (raw format) resolves all these
> filesystem problems and SQLServer starts fine. No disk problems reported
> with chkdsk (in the guest).
> 
> Examining what is happening when executing a "Move disk", ps revealed
> the following command line:
> 
> "/usr/bin/qemu-img convert -t writeback -p -n -f raw -O raw
> /var/lib/vz/images/501/vm-501-disk-3.raw
> /mnt/pve/prox02-ssd-lv/images/501/vm-501-disk-2.raw"
> 
> So what seems to happen, is not a simple fs move/copy, but a conversion
> from raw to raw...
> The resulting file is also different from the original:
> "cmp /mnt/pve/prox02-ssd-lv/images/501/vm-501-disk-2.raw vm-501-disk-3.raw
> vm-501-disk-2.raw vm-501-disk-3.raw differ: byte 1228841, line 737"
> 
> I don't understand why a "convert" is happening at all (same image
> format) but at the moment the result is a binary different image
> which is causing fatal filesystem errors in the (Windows) guest.


Hi Stefan

SQL Server is known to be picky about the filesystem.

Is the problem repeatable if you use the qemu-img command as it is
displayed above?

If yes, can you try it again by using the switch -t writethrough instead
of writeback?
This should be slower but safer.

It might be that by using writeback, some blocks are still in the Linux
kernel page cache, and the filesystem inside the VM is not consistent if
you start the VM before the kernel has flushed the cache.

Emmanuel





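Two checks come up in this thread: flushing the copy to disk before the VM is started (Emmanuel's page-cache hypothesis, Claudiu's sync suggestion) and finding out whether the destination image is byte-identical to the source (Stefan's cmp output). The following is an added example, not code from the thread or from Proxmox: it fsyncs both images and then reports the first differing byte the way cmp does (1-based), together with a SHA-256 of each. The demo() data is constructed; only the file names are borrowed from Stefan's post, and the flipped byte is placed at the offset his cmp reported. It assumes Linux, where fsync() on a read-only descriptor is accepted.

```python
import hashlib
import os
import shutil
import tempfile

# Added example, not from the thread or from Proxmox: flush a copied disk
# image to stable storage and then locate the first differing byte between
# source and destination, reporting it as cmp does (1-based). The demo()
# data is constructed; only the file names are borrowed from Stefan's post.
# Linux-specific: fsync() on a read-only descriptor is accepted there.

CHUNK = 1 << 20  # 1 MiB read size


def flush_to_disk(path):
    """Per-file equivalent of the 'sync' Claudiu proposes: push dirty pages
    for this file out of the kernel page cache before anything reads it."""
    fd = os.open(path, os.O_RDONLY)
    try:
        os.fsync(fd)
    finally:
        os.close(fd)


def sha256_file(path):
    """Chunked SHA-256 so multi-gigabyte images are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def first_difference(src, dst):
    """Return the 1-based offset of the first differing byte, or None if the
    files are identical. If one file is a prefix of the other, the offset
    just past the shorter file is returned."""
    with open(src, "rb") as a, open(dst, "rb") as b:
        offset = 0
        while True:
            ca, cb = a.read(CHUNK), b.read(CHUNK)
            if ca == cb:
                if not ca:
                    return None
                offset += len(ca)
                continue
            n = min(len(ca), len(cb))
            for i in range(n):
                if ca[i] != cb[i]:
                    return offset + i + 1
            return offset + n + 1


def verify_move(src, dst):
    """Flush both images, then compare; the digests can be logged with the
    move so a later corruption report can be traced back to the copy."""
    flush_to_disk(src)
    flush_to_disk(dst)
    return {
        "first_difference": first_difference(src, dst),
        "src_sha256": sha256_file(src),
        "dst_sha256": sha256_file(dst),
    }


def demo():
    """Constructed 2 MiB images: a copy with one flipped byte at the offset
    Stefan's cmp reported (1228841), then an exact copy."""
    d = tempfile.mkdtemp()
    try:
        src = os.path.join(d, "vm-501-disk-3.raw")
        dst = os.path.join(d, "vm-501-disk-2.raw")
        data = bytes(range(256)) * (2 * CHUNK // 256)
        with open(src, "wb") as f:
            f.write(data)
        bad = bytearray(data)
        bad[1228840] ^= 0xFF          # index is 0-based; cmp reports 1-based
        with open(dst, "wb") as f:
            f.write(bad)
        corrupt = verify_move(src, dst)
        shutil.copyfile(src, dst)
        clean = verify_move(src, dst)
        return {"corrupt": corrupt["first_difference"],
                "clean": clean["first_difference"],
                "digests_match_when_clean": clean["src_sha256"] == clean["dst_sha256"]}
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print(demo())
```

The comparison itself still reads through the page cache, so it proves that the copy is byte-identical, not that the blocks have reached the platters; the fsync calls before it are what provide that durability, and they are the step a "flush before move" option in the web UI would add. The example does not explain why a raw-to-raw qemu-img convert produced a different byte in Stefan's case, which remains the open question of this thread.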