Re: [pve-devel] [PATCH pve-manager] sdn: adapt edit panels for new API endpoints

2023-11-22 Thread Thomas Lamprecht
For the record, two things inline

On 22/11/2023 at 18:41, Stefan Hanreich wrote:
> diff --git a/www/manager6/sdn/zones/Base.js b/www/manager6/sdn/zones/Base.js
> index db9b47b18..2eecb101a 100644
> --- a/www/manager6/sdn/zones/Base.js
> +++ b/www/manager6/sdn/zones/Base.js
> @@ -34,9 +34,9 @@ Ext.define('PVE.panel.SDNZoneBase', {
>  minValue: 100,
>  maxValue: 65000,
>  fieldLabel: 'MTU',
> -skipEmptyText: true,
>  allowBlank: true,
>  emptyText: 'auto',
> + deleteEmpty: !me.isCreate,

FYI: CBind doesn't work here because the items are set in initComponents, but
the CBind mixin is configured to run before that (see its `mixinConfig`).

If you'd have switched all to a fully declarative implementation it would have
worked.

Maybe we could detect that explicitly (delete done cbinds in the current hook
and warn if any new is found on a newly introduced after-initComponent one)

>  },
>  {
>  xtype: 'pveNodeSelector',
> diff --git a/www/manager6/sdn/zones/EvpnEdit.js 
> b/www/manager6/sdn/zones/EvpnEdit.js
> index cac1ef4d5..a08faef2d 100644
> --- a/www/manager6/sdn/zones/EvpnEdit.js
> +++ b/www/manager6/sdn/zones/EvpnEdit.js
> @@ -8,30 +8,8 @@ Ext.define('PVE.sdn.zones.EvpnInputPanel', {

> + uncheckedValue: null,
> + deleteEmpty: !me.isCreate,



Same here w.r.t. cbind was not working, but what I actually asked myself is why
we do not couple the deleteEmpty to uncheckedValue=null, as that makes no
sense otherwise.


___
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel



Re: [pve-devel] [TurnKey Linux] Looking to update our signing key... Advice?

2023-11-22 Thread Jeremy Davis

Thanks for your quick and comprehensive response! You guys rock! :)

On 22/11/23 19:19, Thomas Lamprecht wrote:
> It's fine here, thanks for reaching out.

:)

>> As a housekeeping matter, we're looking to update our GPG signing key -
>> that we sign the index file we provide for downloading our LXC templates
>> via the PVE UI (which includes hashes of our templates).
>
> That would be indeed great, we switched to generating a new key for
> every new major release quite a bit ago.

Ok great, thanks.

>> The current key recently expired (caught us a bit unawares). We updated
>> the expiry to keep it alive. And it doesn't seem to have caused any
>> issues (at least not in my local PVE servers).
>>
>> However, the key is quite old and doesn't have current best practice
>> size (RSA-4098 AFAIK?). So I'd like to rotate it.
>
> Yes, our release keys use RSA 4096 (not 6 not 8 at the end):

Oops. That's what I meant... ;)

> Currently the public keys we use are tracked in the pve-manager repo,
> inside the aplinfo directory:
>
> https://git.proxmox.com/?p=pve-manager.git;a=tree;f=aplinfo;h=9dbe1f31f712bb537168bf11e052d5117c62e1f6;hb=ad1278fae8e6e678219a702eea960c746551c635
>
> The build-system then concatenates all the trusted keys, i.e., ours and
> your current (old) one to a joined keyring that we use on checking the
> appliance index.
>
> So, you would just need to send us your new public key in a secure
> manner and we'd add that key to the keyring. Secure manner here would
> be to have it available on a TLS secured domain of yours via HTTP and
> send it to us via email with a signature from the old (current) key.

Ok, brilliant

> The one question is how you plan the upgrade, i.e., it might be nice to
> not have a hard switch between index signed with old to index signed
> with new key.
>
> For example, since doing a new GPG key per-release we also use an index
> that can be associated with the release, e.g. see:
>
> http://download.proxmox.com/images/
>
> For example, the plain & compressed indexes, and the signature of the
> plain one, used for the Proxmox VE 8 series are:
>
> aplinfo-pve-8.dat
> aplinfo-pve-8.dat.asc
> aplinfo-pve-8.dat.gz

Thanks for sharing that info. That's really useful.

> It could be also good for TurnKey to provide the new templates under a
> new index so that older installations can still use them.
> Even if you want to consciously break support for systems using the old
> key, it might be more pleasant to do a phased switch even then.
> Especially as one could test the new index URL and signature without
> impacting production systems, you could still drop the signature with
> the ancient key in a few weeks or so.

That makes tons of sense.

> Anyhow, I'm asking the latter because that might need some extra
> adaption in our code, but not much, and if you give us the new URL to
> the new index we could integrate that too. But if you want to send
> patches, then we'd also be happy about that, most of the code is also in
> pve-manager, in the PVE::APLInfo module (PVE/APLInfo.pm file).
>
> For how to contribute patches to our project see:
> https://pve.proxmox.com/wiki/Developer_Documentation

I'll digest all this a little more and confer with my colleague Alon and
we'll decide exactly how we approach this.

>> Also if there are any specific PVE recommendations/requirements re the
>> new GPG keypair to generate, that would also be great.
>
> Nothing technical, RSA 4096-bit key with an identity (mail email) that
> matches your org would be the baseline. Having an expiry of about 10y
> could be nice too, but not to hard-feelings there.

That sounds fair to me.

Thanks again for your comprehensive guidance and advice.

Considering that we're already a bit overwhelmed with a backlog a mile 
long and xmas/new year just around the corner, I'm not sure we'll get 
this done this year or not. But hopefully sooner rather than later.


Regardless, I'll be back at some point with patches and/or further 
questions and/or ... once we have some progress on our end.


Please don't hesitate to reach out if you're wondering where we're up to...

Take care and thanks again.

Cheers,
Jeremy
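
The handover and phased switch discussed in this thread, as an added example that is not code from TurnKey or Proxmox: a new public key is vouched for by a signature from the old key, and old and new indexes are then checked against an old-only and a joined keyring. It drives the stock `gpg`, `gpgv` and `gpgconf` binaries from Python; the identities, file names and index contents are constructed, and `gpgv` as the verifier is an assumption (the thread does not name the tool PVE uses).

```python
"""Phased signing-key rotation checked with gpgv (all data below is constructed)."""
import os
import shutil
import subprocess
import tempfile

OLD, NEW = "old@example.invalid", "new@example.invalid"  # constructed identities
GPG = ["gpg", "--batch", "--quiet", "--pinentry-mode", "loopback", "--passphrase", ""]


def tools_available():
    """True if the GnuPG binaries this demo drives are on PATH."""
    return all(shutil.which(tool) for tool in ("gpg", "gpgv", "gpgconf"))


def gpg(home, *args):
    """Run gpg against a throwaway home directory and return its stdout bytes."""
    cmd = GPG + ["--homedir", home, *args]
    return subprocess.run(cmd, check=True, capture_output=True).stdout


def new_key(home, email, algo):
    """Create an unprotected signing key with a 10-year expiry; return the public key."""
    gpg(home, "--quick-generate-key", f"Index signing <{email}>", algo, "sign", "10y")
    return gpg(home, "--export", email)


def sign(home, email, path):
    """Write an armored detached signature next to `path` and return its file name."""
    gpg(home, "--yes", "--local-user", email, "--armor",
        "--output", path + ".asc", "--detach-sign", path)
    return path + ".asc"


def verifies(keyring, sig, data):
    """True if gpgv accepts `sig` over `data` using only the keys in `keyring`."""
    cmd = ["gpgv", "-q", "--homedir", os.path.dirname(keyring),
           "--keyring", keyring, sig, data]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def rotation_demo(algo="rsa4096"):
    """Run the handover and the phased switch; return which checks pass."""
    tmp = tempfile.mkdtemp()
    home = os.path.join(tmp, "signer")  # stands in for the publisher's private keys
    os.mkdir(home, 0o700)
    try:
        old_pub = new_key(home, OLD, algo)
        new_pub = new_key(home, NEW, algo)
        # Verifier side: a keyring is just the concatenated public key exports.
        ring_old = write(os.path.join(tmp, "trusted-old.gpg"), old_pub)
        ring_joined = write(os.path.join(tmp, "trusted-joined.gpg"), old_pub + new_pub)
        # Handover: the new public key travels with a signature from the old key.
        new_pub_file = write(os.path.join(tmp, "new-key.pub"), new_pub)
        handover_sig = sign(home, OLD, new_pub_file)
        # Phased switch: the old index keeps its old signature, the new index
        # is published separately and signed with the new key.
        idx_old = write(os.path.join(tmp, "index-old.dat"), b"constructed old index\n")
        idx_new = write(os.path.join(tmp, "index-new.dat"), b"constructed new index\n")
        sig_old = sign(home, OLD, idx_old)
        sig_new = sign(home, NEW, idx_new)
        return {
            "handover_signed_by_old_key": verifies(ring_old, handover_sig, new_pub_file),
            "old_index_with_joined_ring": verifies(ring_joined, sig_old, idx_old),
            "new_index_with_joined_ring": verifies(ring_joined, sig_new, idx_new),
            # A host that never received the new key must reject the new index.
            "new_index_with_old_ring": verifies(ring_old, sig_new, idx_new),
            # A signature only covers the file it was made for.
            "signature_on_wrong_index": verifies(ring_joined, sig_new, idx_old),
        }
    finally:
        subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"],
                       capture_output=True)
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    if tools_available():
        for check, passed in rotation_demo().items():
            print(f"{check}: {passed}")
```
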




[pve-devel] applied: [PATCH] ui: iso selector: fix layout, stretch items again to full space

2023-11-22 Thread Thomas Lamprecht
Signed-off-by: Thomas Lamprecht 
---

fixes the recent refactoring into its own component

 www/manager6/form/IsoSelector.js | 5 +
 1 file changed, 5 insertions(+)

diff --git a/www/manager6/form/IsoSelector.js b/www/manager6/form/IsoSelector.js
index 632ee7f0..0bc6346c 100644
--- a/www/manager6/form/IsoSelector.js
+++ b/www/manager6/form/IsoSelector.js
@@ -6,6 +6,11 @@ Ext.define('PVE.form.IsoSelector', {
'Proxmox.Mixin.CBind',
 ],
 
+layout: {
+   type: 'vbox',
+   align: 'stretch',
+},
+
 nodename: undefined,
 insideWizard: false,
 
-- 
2.39.2






[pve-devel] applied: [PATCH pve-network] dnsmasq: check for existence of dnsmasq binary

2023-11-22 Thread Thomas Lamprecht
On 22/11/2023 at 19:33, Stefan Hanreich wrote:
> Signed-off-by: Stefan Hanreich 
> ---
>  src/PVE/Network/SDN/Dhcp/Dnsmasq.pm | 8 
>  1 file changed, 8 insertions(+)
> 
>

applied, thanks!





[pve-devel] applied: [PATCH pve-network] Fix #4917: evpn: forbid vlan-aware bridge

2023-11-22 Thread Thomas Lamprecht
On 27/10/2023 at 13:53, Alexandre Derumier wrote:
> Do it on vnet update instead throwing a warning at config generation.
> 
> Signed-off-by: Alexandre Derumier 
> ---
>  src/PVE/Network/SDN/Zones/EvpnPlugin.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
>

applied, thanks!





[pve-devel] applied: [PATCH pve-manager] sdn: zone: fix edit for dns zone

2023-11-22 Thread Thomas Lamprecht
On 22/11/2023 at 19:05, Stefan Hanreich wrote:
> Signed-off-by: Stefan Hanreich 
> ---
>  www/manager6/sdn/zones/Base.js | 1 +
>  1 file changed, 1 insertion(+)
> 
>

applied, thanks!





[pve-devel] applied: [PATCH pve-manager] sdn: adapt edit panels for new API endpoints

2023-11-22 Thread Thomas Lamprecht
On 22/11/2023 at 18:41, Stefan Hanreich wrote:
> PUT endpoints have changed so they work like the other SectionConfig
> endpoints. Reflect those changes in the UI.
> 
> Signed-off-by: Stefan Hanreich 
> ---
>  www/manager6/sdn/SubnetEdit.js   | 23 ++---
>  www/manager6/sdn/VnetEdit.js | 18 +-
>  www/manager6/sdn/zones/Base.js   |  2 +-
>  www/manager6/sdn/zones/EvpnEdit.js   | 37 
>  www/manager6/sdn/zones/SimpleEdit.js |  3 ++-
>  5 files changed, 39 insertions(+), 44 deletions(-)
> 
>

applied, thanks!





[pve-devel] [PATCH pve-network] dnsmasq: check for existence of dnsmasq binary

2023-11-22 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich 
---
 src/PVE/Network/SDN/Dhcp/Dnsmasq.pm | 8 
 1 file changed, 8 insertions(+)

diff --git a/src/PVE/Network/SDN/Dhcp/Dnsmasq.pm 
b/src/PVE/Network/SDN/Dhcp/Dnsmasq.pm
index 654f9e4..ed930cf 100644
--- a/src/PVE/Network/SDN/Dhcp/Dnsmasq.pm
+++ b/src/PVE/Network/SDN/Dhcp/Dnsmasq.pm
@@ -11,6 +11,8 @@ use PVE::Tools qw(file_set_contents run_command lock_file);
 use File::Copy;
 use Net::DBus;
 
+use PVE::RESTEnvironment qw(log_warn);
+
 my $DNSMASQ_CONFIG_ROOT = '/etc/dnsmasq.d';
 my $DNSMASQ_DEFAULT_ROOT = '/etc/default';
 my $DNSMASQ_LEASE_ROOT = '/var/lib/misc';
@@ -236,6 +238,12 @@ sub after_configure {
 sub before_regenerate {
 my ($class) = @_;
 
+my $bin_path = "/usr/sbin/dnsmasq";
+if (!-e $bin_path) {
+   log_warn("Please install dnsmasq in order to use the DHCP feature!");
+   die;
+}
+
 PVE::Tools::run_command(['systemctl', 'stop', "dnsmasq@*"]);
 PVE::Tools::run_command(['systemctl', 'disable', 'dnsmasq@']);
 }
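
Review bot: The bare `die;` in the new check at the top of `before_regenerate` raises with Perl's default "Died" text, so anything that only sees the exception gets no reason for the failure; put the message into `die` itself (ending in a newline) instead of relying on the preceding `log_warn`. The test is also `-e` on the hard-coded `/usr/sbin/dnsmasq`, which is satisfied by a file that is not executable; `-x` is the closer check for a usable binary.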
-- 
2.39.2





[pve-devel] applied: [PATCH docs] system-booting: add note about weird uefi behaviour

2023-11-22 Thread Thomas Lamprecht
On 22/11/2023 at 18:45, Christoph Heiss wrote:
> Signed-off-by: Christoph Heiss 
> ---
> This is essentially what Fabian and Aaron discovered earlier today. Just
> let users know that if that happens, it's not something we can do much
> about on our end.
> 
>  system-booting.adoc | 6 ++
>  1 file changed, 6 insertions(+)
> 
>

applied, thanks!





[pve-devel] [PATCH pve-manager] sdn: zone: fix edit for dns zone

2023-11-22 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich 
---
 www/manager6/sdn/zones/Base.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/manager6/sdn/zones/Base.js b/www/manager6/sdn/zones/Base.js
index db9b47b18..cabb7d21a 100644
--- a/www/manager6/sdn/zones/Base.js
+++ b/www/manager6/sdn/zones/Base.js
@@ -78,6 +78,7 @@ Ext.define('PVE.panel.SDNZoneBase', {
skipEmptyText: true,
fieldLabel: gettext('DNS Zone'),
allowBlank: true,
+   deleteEmpty: !me.isCreate,
},
);
 
-- 
2.39.2





Re: [pve-devel] [PATCH pve-network] Fix #4917: evpn: forbid vlan-aware bridge

2023-11-22 Thread DERUMIER, Alexandre
Hi,

Could it be possible to apply this small pve-network patch?


 Original message 
From: Alexandre Derumier 
Reply-To: Proxmox VE development discussion 
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH pve-network] Fix #4917: evpn: forbid vlan-aware bridge
Date: 27/10/2023 13:53:28

Do it on vnet update instead throwing a warning at config generation.

Signed-off-by: Alexandre Derumier 
---
 src/PVE/Network/SDN/Zones/EvpnPlugin.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PVE/Network/SDN/Zones/EvpnPlugin.pm
b/src/PVE/Network/SDN/Zones/EvpnPlugin.pm
index 5e9f8ec..655a9f0 100644
--- a/src/PVE/Network/SDN/Zones/EvpnPlugin.pm
+++ b/src/PVE/Network/SDN/Zones/EvpnPlugin.pm
@@ -117,7 +117,6 @@ sub generate_sdn_config {
 
 die "missing vxlan tag" if !$tag;
 die "missing controller" if !$controller;
-    warn "vlan-aware vnet can't be enabled with evpn plugin" if $vnet-
>{vlanaware};
 
 my @peers = PVE::Tools::split_list($controller->{'peers'});
 
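
Review bot: Dropping the `warn` from `generate_sdn_config` leaves no signal at config generation for a vnet that already has `vlanaware` set in an evpn zone; the replacement check only runs in `vnet_update_hook`, so an existing config of that kind stays silently unsupported until someone edits the vnet. Either keep the warning here alongside the new check, or say in the commit message why such configs cannot exist.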
@@ -309,6 +308,7 @@ sub vnet_update_hook {
 
 raise_param_exc({ tag => "missing vxlan tag"}) if !defined($tag);
 raise_param_exc({ tag => "vxlan tag max value is 16777216"}) if
$tag > 16777216;
+    raise_param_exc({ 'vlan-aware' => "vlan-aware option can't be
enabled with evpn"}) if $vnet->{vlanaware};
 
 # verify that tag is not already defined globally (vxlan-id are
unique)
 foreach my $id (keys %{$vnet_cfg->{ids}}) {
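
Review bot: The added `raise_param_exc` keys the error as `'vlan-aware'` while its condition reads `$vnet->{vlanaware}`; if the API parameter is spelled `vlanaware`, the error will not be attached to the field the user actually set, so use the property's own spelling as the key. Separately, the context line above rejects only `$tag > 16777216`, but a VXLAN VNI is 24 bits wide, so 16777216 itself is already out of range; that is worth a follow-up.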



[pve-devel] [PATCH docs] system-booting: add note about weird uefi behaviour

2023-11-22 Thread Christoph Heiss
Signed-off-by: Christoph Heiss 
---
This is essentially what Fabian and Aaron discovered earlier today. Just
let users know that if that happens, it's not something we can do much
about on our end.

 system-booting.adoc | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/system-booting.adoc b/system-booting.adoc
index 1a10393..cd0 100644
--- a/system-booting.adoc
+++ b/system-booting.adoc
@@ -483,6 +483,12 @@ If, for any reason, no `proxmox` entry can be found in the 
UEFI boot menu, you
 can try adding it manually (if supported by the firmware), by adding the file
 `\EFI\proxmox\shimx64.efi` as a custom boot entry.

+NOTE: Some UEFI firmwares are known to drop the `proxmox` boot option on 
reboot.
+This can happen if the `proxmox` boot entry is pointing to a Grub installation
+on a disk, where the disk itself not a boot option. If possible, try adding the
+disk as a boot option in the UEFI firmware setup utility and run
+`proxmox-boot-tool` again.
+
 TIP: To enroll custom keys, see the accompanying
 
https://pve.proxmox.com/wiki/Secure_Boot_Setup#Setup_instructions_for_db_key_variant[Secure
 Boot wiki page].
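
Review bot: In the added NOTE, "where the disk itself not a boot option" is missing its verb ("is not a boot option"). The last sentence also tells the reader to run `proxmox-boot-tool` again without naming a subcommand; name the one that is meant or point to the section that does.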
--
2.42.0






[pve-devel] [PATCH pve-manager] sdn: adapt edit panels for new API endpoints

2023-11-22 Thread Stefan Hanreich
PUT endpoints have changed so they work like the other SectionConfig
endpoints. Reflect those changes in the UI.

Signed-off-by: Stefan Hanreich 
---
 www/manager6/sdn/SubnetEdit.js   | 23 ++---
 www/manager6/sdn/VnetEdit.js | 18 +-
 www/manager6/sdn/zones/Base.js   |  2 +-
 www/manager6/sdn/zones/EvpnEdit.js   | 37 
 www/manager6/sdn/zones/SimpleEdit.js |  3 ++-
 5 files changed, 39 insertions(+), 44 deletions(-)

diff --git a/www/manager6/sdn/SubnetEdit.js b/www/manager6/sdn/SubnetEdit.js
index 8851b013a..8fc3f52b0 100644
--- a/www/manager6/sdn/SubnetEdit.js
+++ b/www/manager6/sdn/SubnetEdit.js
@@ -11,13 +11,6 @@ Ext.define('PVE.sdn.SubnetInputPanel', {
delete values.cidr;
}
 
-   if (!values.gateway) {
-   delete values.gateway;
-   }
-   if (!values.snat) {
-   delete values.snat;
-   }
-
return values;
 },
 
@@ -33,18 +26,25 @@ Ext.define('PVE.sdn.SubnetInputPanel', {
fieldLabel: gettext('Subnet'),
},
{
-   xtype: 'textfield',
+   xtype: 'proxmoxtextfield',
name: 'gateway',
vtype: 'IP64Address',
fieldLabel: gettext('Gateway'),
allowBlank: true,
+   skipEmptyText: true,
+   cbind: {
+   deleteEmpty: "{!isCreate}",
+   },
},
{
xtype: 'proxmoxcheckbox',
name: 'snat',
-   uncheckedValue: 0,
+   uncheckedValue: null,
checked: false,
fieldLabel: 'SNAT',
+   cbind: {
+   deleteEmpty: "{!isCreate}",
+   },
},
{
xtype: 'proxmoxtextfield',
@@ -52,6 +52,9 @@ Ext.define('PVE.sdn.SubnetInputPanel', {
skipEmptyText: true,
fieldLabel: gettext('DNS Zone Prefix'),
allowBlank: true,
+   cbind: {
+   deleteEmpty: "{!isCreate}",
+   },
},
 ],
 });
@@ -101,6 +104,8 @@ Ext.define('PVE.sdn.SubnetDhcpRangePanel', {
 
if (value.length) {
data[me.getName()] = value;
+   } else if (!me.isCreate) {
+   data.delete = me.getName();
}
 
return data;
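
Review bot: In the new `else if (!me.isCreate)` branch, `data.delete = me.getName()` sets a single name, while the other fields touched by this patch now emit their own delete entries through `deleteEmpty`. Please confirm that the form collects several `delete` values into one list instead of letting the last one win, and add a short comment here saying so.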
diff --git a/www/manager6/sdn/VnetEdit.js b/www/manager6/sdn/VnetEdit.js
index 0f55595f8..cdd83ed40 100644
--- a/www/manager6/sdn/VnetEdit.js
+++ b/www/manager6/sdn/VnetEdit.js
@@ -9,10 +9,6 @@ Ext.define('PVE.sdn.VnetInputPanel', {
values.type = 'vnet';
}
 
-   if (!values.vlanaware) {
-   delete values.vlanaware;
-   }
-
return values;
 },
 
@@ -29,10 +25,14 @@ Ext.define('PVE.sdn.VnetInputPanel', {
fieldLabel: gettext('Name'),
},
{
-   xtype: 'textfield',
+   xtype: 'proxmoxtextfield',
name: 'alias',
fieldLabel: gettext('Alias'),
allowBlank: true,
+   skipEmptyText: true,
+   cbind: {
+   deleteEmpty: "{!isCreate}",
+   },
},
{
xtype: 'pveSDNZoneSelector',
@@ -48,13 +48,19 @@ Ext.define('PVE.sdn.VnetInputPanel', {
maxValue: 16777216,
fieldLabel: gettext('Tag'),
allowBlank: true,
+   cbind: {
+   deleteEmpty: "{!isCreate}",
+   },
},
{
xtype: 'proxmoxcheckbox',
name: 'vlanaware',
-   uncheckedValue: 0,
+   uncheckedValue: null,
checked: false,
fieldLabel: gettext('VLAN Aware'),
+   cbind: {
+   deleteEmpty: "{!isCreate}",
+   },
},
 ],
 });
diff --git a/www/manager6/sdn/zones/Base.js b/www/manager6/sdn/zones/Base.js
index db9b47b18..2eecb101a 100644
--- a/www/manager6/sdn/zones/Base.js
+++ b/www/manager6/sdn/zones/Base.js
@@ -34,9 +34,9 @@ Ext.define('PVE.panel.SDNZoneBase', {
 minValue: 100,
 maxValue: 65000,
 fieldLabel: 'MTU',
-skipEmptyText: true,
 allowBlank: true,
 emptyText: 'auto',
+   deleteEmpty: !me.isCreate,
 },
 {
 xtype: 'pveNodeSelector',
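
Review bot: `deleteEmpty: !me.isCreate` on the MTU field differs from the `cbind: { deleteEmpty: "{!isCreate}" }` form used for every other field in this patch; a one-line comment on why the binding is not used here would stop someone from converting it later. The hunk also drops `skipEmptyText: true` while keeping `emptyText: 'auto'`, whereas the SubnetEdit and VnetEdit hunks add `skipEmptyText: true` next to `deleteEmpty`; please confirm an empty MTU cannot be submitted as the placeholder text.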
diff --git a/www/manager6/sdn/zones/EvpnEdit.js 
b/www/manager6/sdn/zones/EvpnEdit.js
index cac1ef4d5..a08faef2d 100644
--- a/www/manager6/sdn/zones/EvpnEdit.js
+++ b/www/manager6/sdn/zones/EvpnEdit.js
@@ -8,30 +8,8 @@ Ext.define('PVE.sdn.zones.EvpnInputPanel', {
 
if (me.isCreate) {
values.type = me.type;
-   } else {
-   delete values.zone;
}
 
-if (!values.mac) {
-delete values.mac;
-}
-
-if (values['advertise-subnets'] === 0) {
-delete values['advertise-subnets'];
-}
-
-if (values['exitnodes-local-routing'] === 0) {
-delete values['exitnodes-local-routing'];
-}
-
-if (values['di

[pve-devel] applied: [PATCH docs] system-booting: add instructions to switch install to secure boot

2023-11-22 Thread Thomas Lamprecht
On 22/11/2023 at 18:07, Christoph Heiss wrote:
> As this procedure could *potentially* lead to data loss (however
> unlikely if followed correctly), put a big warning on top, for safety.
> 
> Signed-off-by: Christoph Heiss 
> ---
> Tested both (GRUB on ext4, system-boot with ZFS-on-root) scenarios by
> installing a clean PVE 8.0, upgrading, rebooting and then following the
> instructions.
> 
> I will add an additional subsection about removing systemd-boot from the
> system in the future. It is not something immediately needed, as it does
> not have any impact on booting through Grub - it even acts as a nice
> fallback. So it would really be just for "cleanliness" reasons.
> 
>  system-booting.adoc | 95 +
>  1 file changed, 95 insertions(+)
> 
>

applied, thanks!





[pve-devel] applied: [PATCH i18n] update German translation

2023-11-22 Thread Thomas Lamprecht
On 22/11/2023 at 16:27, Alexander Zeidler wrote:
> Signed-off-by: Alexander Zeidler 
> ---
>  de.po | 183 ++
>  1 file changed, 81 insertions(+), 102 deletions(-)
> 
>

applied, with s/Datenträger/Laufwerk/ for the virtio-driver convenience feature
and Hannes' reasonable suggestion applied as follow-ups, thanks!




[pve-devel] [PATCH docs] system-booting: add instructions to switch install to secure boot

2023-11-22 Thread Christoph Heiss
As this procedure could *potentially* lead to data loss (however
unlikely if followed correctly), put a big warning on top, for safety.

Signed-off-by: Christoph Heiss 
---
Tested both (GRUB on ext4, system-boot with ZFS-on-root) scenarios by
installing a clean PVE 8.0, upgrading, rebooting and then following the
instructions.

I will add an additional subsection about removing systemd-boot from the
system in the future. It is not something immediately needed, as it does
not have any impact on booting through Grub - it even acts as a nice
fallback. So it would really be just for "cleanliness" reasons.

 system-booting.adoc | 95 +
 1 file changed, 95 insertions(+)

diff --git a/system-booting.adoc b/system-booting.adoc
index 7c2b026..41f4a8d 100644
--- a/system-booting.adoc
+++ b/system-booting.adoc
@@ -391,3 +391,98 @@ automatically have all of the above packages included.

 More details about how Secure Boot works, and how to customize the setup, are
 available in https://pve.proxmox.com/wiki/Secure_Boot_Setup[our wiki].
+
+Switching an existing installation to Secure Boot
+^
+
+WARNING: This can lead to unbootable installation in some cases if not done
+correctly. Reinstalling the host will setup Secure Boot automatically if
+available, without any extra interactions. **Make sure you have a working and
+well-tested backup of your {pve} host!**
+
+An existing UEFI installation can be switched over to Secure Boot if desired,
+without having to reinstall {pve} from scratch.
+
+First, ensure all your system is up-to-date. Next, install all the required
+pre-signed packages as listed above. Grub automatically creates the needed EFI
+boot entry for booting via the default shim.
+
+.systemd-boot
+
+If `systemd-boot` is used as a bootloader (see
+xref:sysboot_determine_bootloader_used[Determine which Bootloader is used]),
+some additional setup is needed. This is only the case if {pve} was installed
+with ZFS-on-root.
+
+To check the latter, run:
+
+# findmnt /
+
+
+If the host is indeed running using ZFS as root filesystem, the `FSTYPE` column
+should contain `zfs`:
+
+TARGET SOURCE   FSTYPE OPTIONS
+/  rpool/ROOT/pve-1 zfsrw,relatime,xattr,noacl,casesensitive
+
+
+Next, a suitable potential ESP (EFI system partition) must be found. This can 
be
+done using the `lsblk` command as following:
+
+# lsblk -o +FSTYPE
+
+
+The output should look something like this:
+
+NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS FSTYPE
+sda  8:00   32G  0 disk
+├─sda1   8:10 1007K  0 part
+├─sda2   8:20  512M  0 part vfat
+└─sda3   8:30 31.5G  0 part zfs_member
+sdb  8:16   0   32G  0 disk
+├─sdb1   8:17   0 1007K  0 part
+├─sdb2   8:18   0  512M  0 part vfat
+└─sdb3   8:19   0 31.5G  0 part zfs_member
+
+
+In this case, the partitions `sda2` and `sdb2` are the targets. They can be
+identified by the their size of 512M and their `FSTYPE` being `vfat`, in this
+case on a ZFS RAID-1 installation.
+
+These partitions must be properly set up for booting through Grub using
+`proxmox-boot-tool`. This command (using `sda2` as an example) must be run
+separately for each individual ESP:
+
+# proxmox-boot-tool init /dev/sda2 grub
+
+
+Afterwards, you can sanity-check the setup by running the following command:
+
+# efibootmgr -v
+
+
+This list should contain an entry looking similar to this:
+
+[..]
+Boot0009* proxmox   
HD(2,GPT,..,0x800,0x10)/File(\EFI\proxmox\shimx64.efi)
+[..]
+
+
+NOTE: The old `systemd-boot` bootloader will be kept, but Grub will be
+preferred. This way, if booting using Grub in Secure Boot mode does not work 
for
+any reason, the system can still be booted using `systemd-boot` with Secure 
Boot
+turned off.
+
+Now the host can be rebooted and Secure Boot enabled in the UEFI firmware setup
+utility.
+
+On reboot, a new entry named `proxmox` should be selectable in the UEFI 
firmware
+boot menu, which boots using the pre-signed EFI shim.
+
+If, for any reason, no `proxmox` entry can be found in the UEFI boot menu, you
+can try adding it manually (if supported by the firmware), by adding the file
+`\EFI\proxmox\shimx64.efi` as a custom boot entry.
+
+TIP: To enroll custom keys, see the accompanying
+https://pve.proxmox.com/wiki/Secure_Boot_Setup#Setup_instructions_for_db_key_variant[Secure
+Boot wiki page].
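
Review bot: The section opens with "An existing UEFI installation can be switched over", but none of the added steps has the reader confirm that the host is actually booted in UEFI mode before running `proxmox-boot-tool init /dev/sda2 grub`; a one-line check up front would make that precondition explicit. Wording slips to fix while here: "ensure all your system is up-to-date" (drop "all"), "identified by the their size" (doubled article) and "as following" ("as follows").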
--
2.42.0





Re: [pve-devel] [PATCH i18n] update German translation

2023-11-22 Thread Alexander Zeidler
On Wed, 2023-11-22 at 16:27 +0100, Alexander Zeidler wrote:
> Signed-off-by: Alexander Zeidler 
> ---
>  de.po | 183

Hannes Duerr mentioned:

1. that my sent translation "Severität" for Severity/Severities is
maybe not as appropriate as "Schweregrad". "Schwere" is so far used
once in de.po

2. "Benachrichtigungsziele" could also be used instead of
"Benachrichtigungs-Endpunkte".




Re: [pve-devel] applied: [pbs-devel] [PATCH pve-network] sdn: validate dhcp-range in API

2023-11-22 Thread DERUMIER, Alexandre
Hi,
I think it could be improved by checking that
we don't have overlapping ranges in a subnet, like

range=start=192.168.0.10,end=192.168.0.20
range=start=192.168.0.15,end=192.168.0.25


I'm 100% sure it'll break with netbox ipam.



 Original message 
From: Thomas Lamprecht 
Reply-To: Proxmox VE development discussion 
To: Stefan Lendl , PVE development discussion 
Cc: Proxmox Backup Server development discussion 
Subject: [pve-devel] applied: [pbs-devel] [PATCH pve-network] sdn: validate dhcp-range in API
Date: 22/11/2023 14:39:20

On 22/11/2023 at 14:00, Stefan Lendl wrote:
> * start- and end-addresses must be valid IPs
> * must both be in the subnet's CIDR
> * and start needs to smaller (or equal) to end
> 
> Signed-off-by: Stefan Lendl 
> ---
>  src/PVE/Network/SDN/SubnetPlugin.pm | 28
> 
>  1 file changed, 28 insertions(+)
> 
> 

applied, thanks!
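
The three checks listed in the patch description, together with the overlap check suggested in the reply, as an added example in Python (not the project's Perl code in `SubnetPlugin.pm`). The function names and the `192.168.0.0/24` subnet are assumptions; the two sample ranges are the ones quoted in the reply.

```python
"""Validate DHCP ranges of a subnet: per-range checks plus overlap detection."""
import ipaddress


def parse_range(spec):
    """Parse 'start=<ip>,end=<ip>' into a (start, end) pair of address objects."""
    fields = dict(part.split("=", 1) for part in spec.split(","))
    if set(fields) != {"start", "end"}:
        raise ValueError("expected exactly start= and end=")
    # ip_address() raises ValueError for anything that is not a valid IP.
    return ipaddress.ip_address(fields["start"]), ipaddress.ip_address(fields["end"])


def validate_ranges(cidr, specs):
    """Return a list of error strings; an empty list means the ranges are acceptable."""
    subnet = ipaddress.ip_network(cidr, strict=True)
    errors, accepted = [], []
    for spec in specs:
        try:
            start, end = parse_range(spec)
        except ValueError as exc:
            errors.append(f"{spec}: invalid range ({exc})")
            continue
        if start.version != subnet.version or end.version != subnet.version:
            errors.append(f"{spec}: address family differs from {subnet}")
        elif start not in subnet or end not in subnet:
            errors.append(f"{spec}: not inside {subnet}")
        elif start > end:
            errors.append(f"{spec}: start is greater than end")
        else:
            accepted.append((start, end, spec))

    # Overlap check: walk the ranges by ascending start and remember the range
    # that reaches furthest. Comparing only neighbours would miss a small range
    # that lies inside an earlier, larger one.
    accepted.sort(key=lambda r: (int(r[0]), int(r[1])))
    reach = None  # (end address, spec) of the furthest-reaching range so far
    for start, end, spec in accepted:
        if reach is not None and start <= reach[0]:
            errors.append(f"{spec}: overlaps {reach[1]}")
        if reach is None or end > reach[0]:
            reach = (end, spec)
    return errors


if __name__ == "__main__":
    sample = [
        "start=192.168.0.10,end=192.168.0.20",
        "start=192.168.0.15,end=192.168.0.25",
    ]
    for problem in validate_ranges("192.168.0.0/24", sample):
        print(problem)
```
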




[pve-devel] [PATCH zfsonlinux 1/2] update submodule and patches for 2.2.1

2023-11-22 Thread Stoiko Ivanov
Signed-off-by: Stoiko Ivanov 
---
 ...-move-manpage-arcstat-1-to-arcstat-8.patch |   2 +-
 ...-guard-access-to-l2arc-MFU-MRU-stats.patch |   2 +-
 ...uncate_shares-without-etc-exports.d.patch} |   0
 ...ol-Remove-broken-blk-mq-optimization.patch |  99 -
 ...evert-zvol-Temporally-disable-blk-mq.patch | 123 ---
 ...ten-bounds-for-noalloc-stat-availab.patch} |   0
 ...und-UBSAN-errors-for-variable-arrays.patch |  72 ---
 ...g-between-unencrypted-and-encrypted-.patch |  44 
 ...Add-a-tunable-to-disable-BRT-support.patch | 201 --
 ...2.1-Disable-block-cloning-by-default.patch |  42 
 debian/patches/series |  10 +-
 upstream  |   2 +-
 12 files changed, 5 insertions(+), 592 deletions(-)
 rename 
debian/patches/{0012-Fix-nfs_truncate_shares-without-etc-exports.d.patch => 
0010-Fix-nfs_truncate_shares-without-etc-exports.d.patch} (100%)
 delete mode 100644 
debian/patches/0010-zvol-Remove-broken-blk-mq-optimization.patch
 delete mode 100644 
debian/patches/0011-Revert-zvol-Temporally-disable-blk-mq.patch
 rename 
debian/patches/{0014-zpool-status-tighten-bounds-for-noalloc-stat-availab.patch 
=> 0011-zpool-status-tighten-bounds-for-noalloc-stat-availab.patch} (100%)
 delete mode 100644 
debian/patches/0013-Workaround-UBSAN-errors-for-variable-arrays.patch
 delete mode 100644 
debian/patches/0015-Fix-block-cloning-between-unencrypted-and-encrypted-.patch
 delete mode 100644 
debian/patches/0016-Add-a-tunable-to-disable-BRT-support.patch
 delete mode 100644 
debian/patches/0017-zfs-2.2.1-Disable-block-cloning-by-default.patch

diff --git 
a/debian/patches/0008-Patch-move-manpage-arcstat-1-to-arcstat-8.patch 
b/debian/patches/0008-Patch-move-manpage-arcstat-1-to-arcstat-8.patch
index b21a301f..c11c1ae8 100644
--- a/debian/patches/0008-Patch-move-manpage-arcstat-1-to-arcstat-8.patch
+++ b/debian/patches/0008-Patch-move-manpage-arcstat-1-to-arcstat-8.patch
@@ -15,7 +15,7 @@ Signed-off-by: Thomas Lamprecht 
  rename man/{man1/arcstat.1 => man8/arcstat.8} (99%)
 
 diff --git a/man/Makefile.am b/man/Makefile.am
-index 36c1aede1..94fd96e58 100644
+index 45156571e..3713e9371 100644
 --- a/man/Makefile.am
 +++ b/man/Makefile.am
 @@ -2,7 +2,6 @@ dist_noinst_man_MANS = \
diff --git 
a/debian/patches/0009-arc-stat-summary-guard-access-to-l2arc-MFU-MRU-stats.patch
 
b/debian/patches/0009-arc-stat-summary-guard-access-to-l2arc-MFU-MRU-stats.patch
index fde0529a..f8cb3539 100644
--- 
a/debian/patches/0009-arc-stat-summary-guard-access-to-l2arc-MFU-MRU-stats.patch
+++ 
b/debian/patches/0009-arc-stat-summary-guard-access-to-l2arc-MFU-MRU-stats.patch
@@ -27,7 +27,7 @@ Signed-off-by: Thomas Lamprecht 
  2 files changed, 21 insertions(+), 21 deletions(-)
 
 diff --git a/cmd/arc_summary b/cmd/arc_summary
-index 426e02070..9de198150 100755
+index 9c69ec4f8..edf94ea2a 100755
 --- a/cmd/arc_summary
 +++ b/cmd/arc_summary
 @@ -655,13 +655,13 @@ def section_arc(kstats_dict):
diff --git 
a/debian/patches/0012-Fix-nfs_truncate_shares-without-etc-exports.d.patch 
b/debian/patches/0010-Fix-nfs_truncate_shares-without-etc-exports.d.patch
similarity index 100%
rename from 
debian/patches/0012-Fix-nfs_truncate_shares-without-etc-exports.d.patch
rename to 
debian/patches/0010-Fix-nfs_truncate_shares-without-etc-exports.d.patch
diff --git a/debian/patches/0010-zvol-Remove-broken-blk-mq-optimization.patch 
b/debian/patches/0010-zvol-Remove-broken-blk-mq-optimization.patch
deleted file mode 100644
index 178e68ee..
--- a/debian/patches/0010-zvol-Remove-broken-blk-mq-optimization.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From  Mon Sep 17 00:00:00 2001
-From: Tony Hutter 
-Date: Mon, 23 Oct 2023 14:45:06 -0700
-Subject: [PATCH] zvol: Remove broken blk-mq optimization
-
-This fix removes a dubious optimization in zfs_uiomove_bvec_rq()
-that saved the iterator contents of a rq_for_each_segment().  This
-optimization allowed restoring the "saved state" from a previous
-rq_for_each_segment() call on the same uio so that you wouldn't
-need to iterate though each bvec on every zfs_uiomove_bvec_rq() call.
-However, if the kernel is manipulating the requests/bios/bvecs under
-the covers between zfs_uiomove_bvec_rq() calls, then it could result
-in corruption from using the "saved state".  This optimization
-results in an unbootable system after installing an OS on a zvol
-with blk-mq enabled.
-
-Reviewed-by: Brian Behlendorf 
-Signed-off-by: Tony Hutter 
-Closes #15351
-(cherry picked from commit 7c9b6fed16ed5034fd1cdfdaedfad93dc97b1557)
-Signed-off-by: Stoiko Ivanov 

- include/os/linux/spl/sys/uio.h |  8 
- module/os/linux/zfs/zfs_uio.c  | 29 -
- 2 files changed, 37 deletions(-)
-
-diff --git a/include/os/linux/spl/sys/uio.h b/include/os/linux/spl/sys/uio.h
-index cce097e16..a4b64 100644
 a/include/os/linux/spl/sys/uio.h
-+++ b/include/os/linux/spl/sys/uio.h
-@@ -73,13

[pve-devel] [PATCH zfsonlinux 0/2] update to 2.2.1

2023-11-22 Thread Stoiko Ivanov
zfs-2.2.1 was released yesterday.
We've already picked all critical patches (potentially involving data loss)
and a few cosmetic ones.

quickly skimming through the changelog adds - nothing stands out that
sounds particularly scary w.r.t. regressions, but also nothing that we
missed until now. Some performance improvements are still missing in our
current version.

minimally tested on 2 VMs with a few containers with replication.

Stoiko Ivanov (2):
  update submodule and patches for 2.2.1
  d/zfsutils-linux.install: add zfs_prepare_disk and manpage

 ...-move-manpage-arcstat-1-to-arcstat-8.patch |   2 +-
 ...-guard-access-to-l2arc-MFU-MRU-stats.patch |   2 +-
 ...uncate_shares-without-etc-exports.d.patch} |   0
 ...ol-Remove-broken-blk-mq-optimization.patch |  99 -
 ...evert-zvol-Temporally-disable-blk-mq.patch | 123 ---
 ...ten-bounds-for-noalloc-stat-availab.patch} |   0
 ...und-UBSAN-errors-for-variable-arrays.patch |  72 ---
 ...g-between-unencrypted-and-encrypted-.patch |  44 
 ...Add-a-tunable-to-disable-BRT-support.patch | 201 --
 ...2.1-Disable-block-cloning-by-default.patch |  42 
 debian/patches/series |  10 +-
 debian/zfsutils-linux.install |   2 +
 upstream  |   2 +-
 13 files changed, 7 insertions(+), 592 deletions(-)
 rename 
debian/patches/{0012-Fix-nfs_truncate_shares-without-etc-exports.d.patch => 
0010-Fix-nfs_truncate_shares-without-etc-exports.d.patch} (100%)
 delete mode 100644 
debian/patches/0010-zvol-Remove-broken-blk-mq-optimization.patch
 delete mode 100644 
debian/patches/0011-Revert-zvol-Temporally-disable-blk-mq.patch
 rename 
debian/patches/{0014-zpool-status-tighten-bounds-for-noalloc-stat-availab.patch 
=> 0011-zpool-status-tighten-bounds-for-noalloc-stat-availab.patch} (100%)
 delete mode 100644 
debian/patches/0013-Workaround-UBSAN-errors-for-variable-arrays.patch
 delete mode 100644 
debian/patches/0015-Fix-block-cloning-between-unencrypted-and-encrypted-.patch
 delete mode 100644 
debian/patches/0016-Add-a-tunable-to-disable-BRT-support.patch
 delete mode 100644 
debian/patches/0017-zfs-2.2.1-Disable-block-cloning-by-default.patch

-- 
2.39.2






[pve-devel] [PATCH zfsonlinux 2/2] d/zfsutils-linux.install: add zfs_prepare_disk and manpage

2023-11-22 Thread Stoiko Ivanov
Signed-off-by: Stoiko Ivanov 
---
 debian/zfsutils-linux.install | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/debian/zfsutils-linux.install b/debian/zfsutils-linux.install
index e788e27c..2fd7aefe 100644
--- a/debian/zfsutils-linux.install
+++ b/debian/zfsutils-linux.install
@@ -35,6 +35,7 @@ sbin/zstreamdump
 usr/bin/zvol_wait
 usr/bin/zilstat
 usr/lib/modules-load.d/ lib/
+usr/lib/zfs-linux/zfs_prepare_disk
 usr/lib/zfs-linux/zpool.d/
 usr/lib/zfs-linux/zpool_influxdb
 usr/sbin/arc_summary
@@ -72,6 +73,7 @@ usr/share/man/man8/zfs-list.8
 usr/share/man/man8/zfs-load-key.8
 usr/share/man/man8/zfs-mount-generator.8
 usr/share/man/man8/zfs-mount.8
+usr/share/man/man8/zfs_prepare_disk.8
 usr/share/man/man8/zfs-program.8
 usr/share/man/man8/zfs-project.8
 usr/share/man/man8/zfs-projectspace.8
-- 
2.39.2






[pve-devel] [PATCH i18n] update German translation

2023-11-22 Thread Alexander Zeidler
Signed-off-by: Alexander Zeidler 
---
 de.po | 183 ++
 1 file changed, 81 insertions(+), 102 deletions(-)

diff --git a/de.po b/de.po
index 5bc5e42..ceadce6 100644
--- a/de.po
+++ b/de.po
@@ -8,7 +8,7 @@ msgstr ""
 "Project-Id-Version: proxmox translations\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: Tue Nov 21 21:17:40 2023\n"
-"PO-Revision-Date: 2022-11-21 11:54+0100\n"
+"PO-Revision-Date: 2023-11-22 16:10+0100\n"
 "Last-Translator: Proxmox Support Team \n"
 "Language-Team: German\n"
 "Language: de\n"
@@ -16,7 +16,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Poedit 2.4.2\n"
+"X-Generator: Poedit 3.2.2\n"
 
 #: pve-manager/www/manager6/qemu/Options.js:95
 msgid "(No boot device selected)"
@@ -60,6 +60,8 @@ msgid ""
 "A selected device is not in a separate IOMMU group, make sure this is "
 "intended."
 msgstr ""
+"Ein ausgewähltes Gerät befindet sich in keiner eigenen IOMMU-Gruppe, ist das "
+"so gewollt?"
 
 #: proxmox-widget-toolkit/src/window/AuthEditLDAP.js:361
 #: proxmox-widget-toolkit/src/window/SyncWindow.js:110
@@ -98,7 +100,6 @@ msgid "API Data"
 msgstr "API-Daten"
 
 #: pve-manager/www/manager6/sdn/dns/PowerdnsEdit.js:39
-#, fuzzy
 msgid "API Key"
 msgstr "API-Token"
 
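Review bot: dropping `#, fuzzy` from the `msgid "API Key"` entry (PowerdnsEdit.js:39) marks `msgstr "API-Token"` as reviewed, but a key and a token are different terms. If the field really takes a key, "API-Schlüssel" would match the source string; if "Token" is intended, say so in the commit message.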
@@ -367,7 +368,7 @@ msgstr "Yubico-OTP-Schlüssel hinzufügen"
 
 #: pve-manager/www/manager6/qemu/OSTypeEdit.js:157
 msgid "Add additional drive for VirtIO drivers"
-msgstr ""
+msgstr "Zusätzlichen Datenträger für VirtIO-Treiber hinzufügen"
 
 #: pve-manager/www/manager6/window/GuestDiskReassign.js:192
 msgid "Add as"
@@ -397,7 +398,7 @@ msgstr "Neues RBD Pool als Storage im Cluster hinzufügen."
 
 #: proxmox-widget-toolkit/src/panel/EmailRecipientPanel.js:70
 msgid "Additional Recipient(s)"
-msgstr ""
+msgstr "Zusätzliche Empfänger"
 
 #: pve-manager/www/manager6/ceph/CephInstallWizard.js:487
 msgid ""
@@ -439,9 +440,8 @@ msgid "Advanced"
 msgstr "Erweitert"
 
 #: pve-manager/www/manager6/sdn/zones/EvpnEdit.js:91
-#, fuzzy
 msgid "Advertise Subnets"
-msgstr "Subnetze bekanntmachen"
+msgstr "Subnetze propagieren"
 
 #: proxmox-backup/www/tape/DriveStatus.js:397
 msgid "Alert Flags"
@@ -523,7 +523,7 @@ msgstr "Alle fehlgeschlagen"
 
 #: proxmox-widget-toolkit/src/window/NotificationMatcherEdit.js:998
 msgid "All rules match"
-msgstr ""
+msgstr "alle Regeln zutreffen"
 
 #: pve-manager/www/manager6/node/ZFS.js:240 proxmox-backup/www/ZFSList.js:77
 msgid "Allocated"
@@ -578,11 +578,11 @@ msgstr "Anonyme Suche"
 
 #: proxmox-widget-toolkit/src/window/NotificationMatcherEdit.js:620
 msgid "Any"
-msgstr ""
+msgstr "Irgendeine"
 
 #: proxmox-widget-toolkit/src/window/NotificationMatcherEdit.js:999
 msgid "Any rule matches"
-msgstr ""
+msgstr "mindestens eine Regel zutrifft"
 
 #: pve-manager/www/manager6/dc/OptionView.js:465
 msgid "Applies to new edits"
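Review bot: "Irgendeine" for `msgid "Any"` fixes a feminine form, and "mindestens eine Regel zutrifft" for "Any rule matches" is a lower-case subordinate clause; both only read correctly if NotificationMatcherEdit.js places them after a fixed noun or lead-in, which the hunk does not show. Please confirm against the rendered UI, or use a standalone form.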
@@ -635,7 +635,7 @@ msgstr "Möchten Sie die Subskription wirklich entfernen?"
 #: pve-manager/www/manager6/lxc/Resources.js:231
 #: pve-manager/www/manager6/qemu/HardwareView.js:478
 msgid "Are you sure you want to detach entry {0}"
-msgstr "Möchten Sie Eintrag {0} wirklich aushängen?"
+msgstr "Möchten Sie den Eintrag {0} wirklich aushängen?"
 
 #: pmg-gui/js/PBSSnapshotView.js:224
 msgid "Are you sure you want to forget snapshot {0}"
@@ -663,9 +663,8 @@ msgid "Are you sure you want to remove '{0}' on '{1}' for 
'{2}'"
 msgstr "Möchten Sie wirklich '{0}' auf '{1}' aus '{2}' entfernen?"
 
 #: pve-manager/www/manager6/tree/DhcpTree.js:100
-#, fuzzy
 msgid "Are you sure you want to remove DHCP mapping {0}"
-msgstr "Möchten Sie Eintrag {0} wirklich entfernen?"
+msgstr "Soll das DHCP-Mapping {0} wirklich entfernt werden?"
 
 #: proxmox-widget-toolkit/src/button/Button.js:136 pmg-gui/js/RuleInfo.js:41
 #: pmg-gui/js/UserBlackWhiteList.js:178
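Review bot: the new `msgstr` for "Are you sure you want to remove DHCP mapping {0}" switches to the impersonal "Soll das DHCP-Mapping {0} wirklich entfernt werden?", while the neighbouring "Are you sure you want to remove" strings in this patch keep the "Möchten Sie ... wirklich entfernen?" form. Suggest "Möchten Sie das DHCP-Mapping {0} wirklich entfernen?" for consistency.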
@@ -677,7 +676,7 @@ msgstr "Möchten Sie Eintrag {0} wirklich entfernen?"
 #: pve-manager/www/manager6/qemu/HardwareView.js:476
 #: pve-manager/www/manager6/tree/SnapshotTree.js:290
 msgid "Are you sure you want to remove entry {0}"
-msgstr "Möchten Sie Eintrag {0} wirklich entfernen?"
+msgstr "Möchten Sie den Eintrag {0} wirklich entfernen?"
 
 #: proxmox-backup/www/datastore/Content.js:635
 msgid "Are you sure you want to remove snapshot {0}"
@@ -689,7 +688,7 @@ msgstr "Möchten Sie das {0} Zertifikat wirklich entfernen?"
 
 #: pmg-gui/js/PBSSnapshotView.js:152
 msgid "Are you sure you want to remove the schedule for {0}"
-msgstr "Möchten Sie Eintrag {0} wirklich entfernen?"
+msgstr "Möchten Sie den Zeitplan {0} wirklich entfernen?"
 
 #: pve-manager/www/manager6/node/Subscription.js:175
 #: proxmox-backup/www/Subscription.js:169
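Review bot: in the PBSSnapshotView.js:152 entry the source string is "remove the schedule for {0}", but the new `msgstr` "Möchten Sie den Zeitplan {0} wirklich entfernen?" drops the "for", so {0} reads as the schedule's own name rather than the object it belongs to. Suggest "Möchten Sie den Zeitplan für {0} wirklich entfernen?".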
@@ -729,9 +728,8 @@ msgid "Async IO"
 msgstr "Asynchrone IO"
 
 #: proxmox-widget-toolkit/src/window/NotificationMatcherEdit.js:1000
-#, fuzzy
 msgid "At least one rule does not match"
-msgstr "Kennwörter stimmen nicht überein"
+msgstr "mindestens eine Rege

[pve-devel] applied: [PATCH pve-network] sdn: allow deletion of empty subnet with gateway

2023-11-22 Thread Wolfgang Bumiller
applied, thanks





[pve-devel] applied: [PATCH pve-docs] pvesdn: Fix heading for NetBox IPAM plugin section

2023-11-22 Thread Thomas Lamprecht
On 22/11/2023 at 15:09, Christian Ebner wrote:
> Signed-off-by: Christian Ebner 
> ---
>  pvesdn.adoc | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
>

applied, thanks!





[pve-devel] applied: [PATCH pve-manager] ui: sdn: use all upper case for acronyms

2023-11-22 Thread Thomas Lamprecht
On 22/11/2023 at 15:22, Christian Ebner wrote:
> Signed-off-by: Christian Ebner 
> ---
>  www/manager6/sdn/ZoneView.js | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
>

applied, thanks!





[pve-devel] [PATCH pve-manager] ui: sdn: use all upper case for acronyms

2023-11-22 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 www/manager6/sdn/ZoneView.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/www/manager6/sdn/ZoneView.js b/www/manager6/sdn/ZoneView.js
index 71890dd3..67e86e16 100644
--- a/www/manager6/sdn/ZoneView.js
+++ b/www/manager6/sdn/ZoneView.js
@@ -137,7 +137,7 @@ Ext.define('PVE.sdn.ZoneView', {
},
},
{
-   header: 'Ipam',
+   header: 'IPAM',
flex: 3,
dataIndex: 'ipam',
renderer: function(value, metaData, rec) {
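Review bot: `header: 'IPAM'` stays a bare string here, while the two headers changed further down in this patch are wrapped, as in `header: gettext('DNS')`. Either wrap this one as well or drop `gettext()` from the acronym-only 'DNS' header, so the three columns are handled the same way.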
@@ -153,7 +153,7 @@ Ext.define('PVE.sdn.ZoneView', {
},
},
{
-   header: gettext('Dns'),
+   header: gettext('DNS'),
flex: 3,
dataIndex: 'dns',
renderer: function(value, metaData, rec) {
@@ -161,7 +161,7 @@ Ext.define('PVE.sdn.ZoneView', {
},
},
{
-   header: gettext('Reverse dns'),
+   header: gettext('Reverse DNS'),
flex: 3,
dataIndex: 'reversedns',
renderer: function(value, metaData, rec) {
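Review bot: changing the string passed to `gettext()` from 'Reverse dns' to 'Reverse DNS' (and from 'Dns' to 'DNS' in the previous hunk) changes the msgid, so translations keyed on the old strings no longer apply. Worth a line in the commit message that the i18n catalogs need a refresh after this.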
-- 
2.39.2






[pve-devel] [PATCH pve-docs] pvesdn: Fix heading for NetBox IPAM plugin section

2023-11-22 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 pvesdn.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pvesdn.adoc b/pvesdn.adoc
index f362da4..fdc6ea7 100644
--- a/pvesdn.adoc
+++ b/pvesdn.adoc
@@ -538,7 +538,7 @@ stack of the guest or rebooting it.
 
 [[pvesdn_ipam_plugin_netbox]]
 NetBox IPAM Plugin
-~
+~~
 
 link:https://github.com/netbox-community/netbox[NetBox] is an open-source IP
 Address Management (IPAM) and datacenter infrastructure management (DCIM) tool.
-- 
2.39.2






[pve-devel] applied: [PATCH pve-docs] pvesdn: remove double occurrence of 'external'

2023-11-22 Thread Thomas Lamprecht
On 22/11/2023 at 14:52, Christian Ebner wrote:
> Signed-off-by: Christian Ebner 
> ---
>  pvesdn.adoc | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
>

applied, thanks!





[pve-devel] [PATCH pve-docs] pvesdn: remove double occurrence of 'external'

2023-11-22 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 pvesdn.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pvesdn.adoc b/pvesdn.adoc
index 5d87d09..f362da4 100644
--- a/pvesdn.adoc
+++ b/pvesdn.adoc
@@ -423,7 +423,7 @@ Controllers
 ---
 
 Some zones implement a separated control and data plane that require an 
external
-external controller to manage the VNet's control plane.
+controller to manage the VNet's control plane.
 
 Currently, only the `EVPN` zone requires an external controller.
 
-- 
2.39.2






Re: [pve-devel] [PATCH pve-network] ipam: improve update / delete behavior

2023-11-22 Thread Stefan Lendl


I tested this with multiple Subnets:

It works if MAC is 1x in IPv4 subnet and 1x in IPv6 subnet.
- updating either IPv4 or IPv6
  - other one persists
- update IPv4 to be in another subnet
  - auto-selects the new subnet

Encountered issues:
- change IPv4 to IPv6 (and vice versa)
> can't find any subnet for ip at /usr/share/perl5/PVE/Network/SDN/Subnets.pm 
> line 114. (500)

- When manually creating a mapping, there is no way to set a VMID (but works)

- consecutive updating the mapping does not work
> vmid: type check ('integer') failed - got ''

- Updates to the IPAM mapping do not propagate to dnsmasq's ethers file
  - also not after Reload
  - In comparison `qm set 109 --net1 model=virtio,bridge=dhcpnat3` will
update ethers immediately





[pve-devel] applied: [PATCH v2 container 0/4] Bugfixes for DHCP

2023-11-22 Thread Thomas Lamprecht
On 20/11/2023 at 20:19, Stefan Hanreich wrote:
> When editing a NIC there was a possibility of duplicate IPAM entries being
> generated. This should be fixed with this patch series.
> 
> Additionally when creating vNICs for a container there were multiple warnings
> in the log due to the LXC module trying to use the QemuServer module for
> parsing net lines in the container configuration.
> 
> 
> 
> pve-container:
> 
> Stefan Hanreich (4):
>   hotplug network: Only change IPAM when MAC or bridge changes
>   network: Do not always reserve new IP in IPAM
>   config: Use LXC Config instead of QemuServer for parsing net
>   create: Do not call create_ifaces_ipams_ips
> 
>  src/PVE/API2/LXC.pm   |  1 -
>  src/PVE/LXC.pm| 28 +---
>  src/PVE/LXC/Config.pm |  6 --
>  3 files changed, 21 insertions(+), 14 deletions(-)
> 
> 
> Summary over all repositories:
>   3 files changed, 21 insertions(+), 14 deletions(-)
> 

for the record: these patches got already applied by Wolfgang:

https://git.proxmox.com/?p=pve-container.git;a=commit;h=32de2c46c892f08c81e3cf801835a2c136ea1103
https://git.proxmox.com/?p=pve-container.git;a=commit;h=89d74337349de9e7cd48b428360a9f7ad72edbba
https://git.proxmox.com/?p=pve-container.git;a=commit;h=0b06b9fbfbc85e4c921af24cf83cf3e5e54faac3
https://git.proxmox.com/?p=pve-container.git;a=commit;h=68a3a4257904be3f7e48490f659fd903385542a8





[pve-devel] applied: [pbs-devel] [PATCH pve-network] sdn: validate dhcp-range in API

2023-11-22 Thread Thomas Lamprecht
On 22/11/2023 at 14:00, Stefan Lendl wrote:
> * start- and end-addresses must be valid IPs
> * must both be in the subnet's CIDR
> * and start needs to be smaller (or equal) to end
> 
> Signed-off-by: Stefan Lendl 
> ---
>  src/PVE/Network/SDN/SubnetPlugin.pm | 28 
>  1 file changed, 28 insertions(+)
> 
>

applied, thanks!





[pve-devel] applied: [PATCH pve-manager] ipam: send ip to delete endpoint

2023-11-22 Thread Thomas Lamprecht
On 22/11/2023 at 13:29, Stefan Hanreich wrote:
> The ip parameter has been added to the delete endpoint, so only a
> specific mapping gets deleted instead of all mappings for that mac
> address. Reflect this change in the UI.
> 
> Signed-off-by: Stefan Hanreich 
> ---
>  www/manager6/tree/DhcpTree.js | 1 +
>  1 file changed, 1 insertion(+)
> 
>

applied, thanks!





[pve-devel] applied: [PATCH pve-network] ipam: improve update / delete behavior

2023-11-22 Thread Thomas Lamprecht
On 22/11/2023 at 14:22, Stefan Hanreich wrote:
>> is this really related?
> 
> somewhat. add_ip never added a cache entry in macs.db which didn't cause
> any issues when we added gateways via add_ip. But now that we use it in
> update as well we need to create the entries in this function as well
> since otherwise they won't get picked up by the DHCP server.

OK then, applied thanks!





[pve-devel] applied: [PATCH v2 qemu] add fix for vnc clipboard

2023-11-22 Thread Thomas Lamprecht
On 22/11/2023 at 13:41, Fiona Ebner wrote:
> This fixes the host->guest direction with noVNC as a client (and
> likely others).
> 
> Reported-by: Friedrich Weber 
> Signed-off-by: Fiona Ebner 
> ---
>  ...-ui-vnc-clipboard-fix-inflate_buffer.patch | 34 +++
>  debian/patches/series |  1 +
>  2 files changed, 35 insertions(+)
>  create mode 100644 
> debian/patches/extra/0010-ui-vnc-clipboard-fix-inflate_buffer.patch
> 

applied, with Friedrich's T-b, thanks!

> +diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
> +index c759be3438..124b6fbd9c 100644
> +--- a/ui/vnc-clipboard.c
>  b/ui/vnc-clipboard.c
> +@@ -69,6 +69,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t 
> in_len, uint32_t *size)
> + }
> + }
> + 

could be a bit nicer to have a "stream_end" label here that you goto
from the Z_STREAM_END case too, making it slightly clearer how those
two cases interact (i.e., are handled exactly the same). But not
much into QEMU code (style) currently, so let's upstream handle the
review on that one, it works in any case.

> ++*size = stream.total_out;
> ++inflateEnd(&stream);
> ++
> ++return out;






Re: [pve-devel] [PATCH pve-network] ipam: improve update / delete behavior

2023-11-22 Thread Thomas Lamprecht
On 22/11/2023 at 13:29, Stefan Hanreich wrote:
> Currently when updating or deleting a mapping in the IPAM we would
> delete all existing entries in the IPAM with that mac address. Now we
> only delete the specific entry we are updating / deleting.
> 
> Signed-off-by: Stefan Hanreich 
> ---
>  src/PVE/API2/Network/SDN/Ips.pm | 20 +---
>  src/PVE/Network/SDN/Subnets.pm  |  3 +++
>  2 files changed, 16 insertions(+), 7 deletions(-)
> 
> diff --git a/src/PVE/API2/Network/SDN/Ips.pm b/src/PVE/API2/Network/SDN/Ips.pm
> index 6989b9b..0003b2a 100644
> --- a/src/PVE/API2/Network/SDN/Ips.pm
> +++ b/src/PVE/API2/Network/SDN/Ips.pm
> @@ -28,6 +28,11 @@ __PACKAGE__->register_method ({
>   zone => get_standard_option('pve-sdn-zone-id'),
>   vnet => get_standard_option('pve-sdn-vnet-id'),
>   mac => get_standard_option('mac-addr'),
> + ip => {
> + type => 'string',
> + format => 'ip',
> + description => 'The IP address to delete',
> + },
>   },
>  },
>  returns => { type => 'null' },
> @@ -36,13 +41,12 @@ __PACKAGE__->register_method ({
>  
>   my $vnet = extract_param($param, 'vnet');
>   my $mac = extract_param($param, 'mac');
> + my $ip = extract_param($param, 'ip');
>  
>   eval {
> - PVE::Network::SDN::Vnets::del_ips_from_mac($vnet, $mac);
> + PVE::Network::SDN::Vnets::del_ip($vnet, $ip, '', $mac);
>   };
> - my $error = $@;
> -
> - die "$error\n" if $error;
> + die "$@\n" if $@;

why bother with the eval then? or does something set $@ manually in the
called method?

>  
>   return undef;
>  },
> @@ -117,7 +121,10 @@ __PACKAGE__->register_method ({
>   my $vmid = extract_param($param, 'vmid');
>   my $ip = extract_param($param, 'ip');
>  
> - my ($old_ip4, $old_ip6) = 
> PVE::Network::SDN::Vnets::del_ips_from_mac($vnet, $mac, '');
> + my ($old_ip4, $old_ip6) = 
> PVE::Network::SDN::Vnets::get_ips_from_mac($vnet, $mac);
> + my $old_ip = (Net::IP::ip_get_version($ip) == 4) ? $old_ip4 : $old_ip6;
> +
> + PVE::Network::SDN::Vnets::del_ip($vnet, $old_ip, '', $mac);
>  
>   eval {
>   PVE::Network::SDN::Vnets::add_ip($vnet, $ip, '', $mac, $vmid);
> @@ -125,8 +132,7 @@ __PACKAGE__->register_method ({
>   my $error = $@;
>  
>   if ($error) {
> - PVE::Network::SDN::Vnets::add_ip($vnet, $old_ip4, '', $mac, $vmid) 
> if $old_ip4;
> - PVE::Network::SDN::Vnets::add_ip($vnet, $old_ip6, '', $mac, $vmid) 
> if $old_ip6;
> + PVE::Network::SDN::Vnets::add_ip($vnet, $old_ip, '', $mac, $vmid);
>   }
>  
>   die "$error\n" if $error;
> diff --git a/src/PVE/Network/SDN/Subnets.pm b/src/PVE/Network/SDN/Subnets.pm
> index 8e2a6aa..8f113b4 100644
> --- a/src/PVE/Network/SDN/Subnets.pm
> +++ b/src/PVE/Network/SDN/Subnets.pm
> @@ -305,6 +305,9 @@ sub add_ip {
>   $plugin->add_ip($plugin_config, $subnetid, $subnet, $ip, $hostname, 
> $mac, $vmid, $is_gateway);
>   };
>   die $@ if $@;
> +
> + eval { PVE::Network::SDN::Ipams::add_cache_mac_ip($mac, $ip) if $mac; };
> + warn $@ if $@;

is this really related?

>  }
>  
>  eval {






[pve-devel] applied: [PATCH pve-network] subnets: only delete macs.db entries if mac is available

2023-11-22 Thread Wolfgang Bumiller
applied, thanks





Re: [pve-devel] [PATCH v2 qemu] add fix for vnc clipboard

2023-11-22 Thread Fiona Ebner
On 22.11.23 at 13:41, Fiona Ebner wrote:
> This fixes the host->guest direction with noVNC as a client (and
> likely others).
> 
> Reported-by: Friedrich Weber 
> Signed-off-by: Fiona Ebner 

Patch also sent upstream now:
https://lists.nongnu.org/archive/html/qemu-devel/2023-11/msg04845.html





Re: [pve-devel] [PATCH v2 qemu] add fix for vnc clipboard

2023-11-22 Thread Thomas Lamprecht
On 22/11/2023 at 13:45, Friedrich Weber wrote:
> Would be great if we could get this in, as the VNC clipboard is
> half-broken without it.

not configurable via the UI though, hmm..






Re: [pve-devel] [PATCH v2 qemu] add fix for vnc clipboard

2023-11-22 Thread Friedrich Weber
Installed a patched pve-qemu-kvm package provided by Fiona and can
confirm that the host->guest clipboard direction works now.

More specifically: Entering something in the noVNC clipboard textbox,
trying to paste in a text editor running inside a Debian Bullseye+XFCE
VM with spice-vdagent 0.20.0-2. Without the patch, the editor froze for
a few seconds and nothing was pasted. With the patch, pasting works again.

Would be great if we could get this in, as the VNC clipboard is
half-broken without it.

Tested-by: Friedrich Weber 

On 22/11/2023 13:41, Fiona Ebner wrote:
> This fixes the host->guest direction with noVNC as a client (and
> likely others).
> 
> Reported-by: Friedrich Weber 
> Signed-off-by: Fiona Ebner 
> ---
>  ...-ui-vnc-clipboard-fix-inflate_buffer.patch | 34 +++
>  debian/patches/series |  1 +
>  2 files changed, 35 insertions(+)
>  create mode 100644 
> debian/patches/extra/0010-ui-vnc-clipboard-fix-inflate_buffer.patch
> 
> diff --git 
> a/debian/patches/extra/0010-ui-vnc-clipboard-fix-inflate_buffer.patch 
> b/debian/patches/extra/0010-ui-vnc-clipboard-fix-inflate_buffer.patch
> new file mode 100644
> index 000..4711fa0
> --- /dev/null
> +++ b/debian/patches/extra/0010-ui-vnc-clipboard-fix-inflate_buffer.patch
> @@ -0,0 +1,34 @@
> +From  Mon Sep 17 00:00:00 2001
> +From: Fiona Ebner 
> +Date: Wed, 22 Nov 2023 13:17:25 +0100
> +Subject: [PATCH] ui/vnc-clipboard: fix inflate_buffer
> +
> +Commit d921fea338 ("ui/vnc-clipboard: fix infinite loop in
> +inflate_buffer (CVE-2023-3255)") removed this hunk, but it is still
> +required, because it can happen that stream.avail_in becomes zero
> +before coming across a return value of Z_STREAM_END.
> +
> +This fixes the host->guest direction with noNVC.
> +
> +Reported-by: Friedrich Weber 
> +Signed-off-by: Fiona Ebner 
> +---
> + ui/vnc-clipboard.c | 5 +
> + 1 file changed, 5 insertions(+)
> +
> +diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
> +index c759be3438..124b6fbd9c 100644
> +--- a/ui/vnc-clipboard.c
>  b/ui/vnc-clipboard.c
> +@@ -69,6 +69,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t 
> in_len, uint32_t *size)
> + }
> + }
> + 
> ++*size = stream.total_out;
> ++inflateEnd(&stream);
> ++
> ++return out;
> ++
> + err_end:
> + inflateEnd(&stream);
> + err:
> diff --git a/debian/patches/series b/debian/patches/series
> index 992299c..9938b8e 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -7,6 +7,7 @@ 
> extra/0006-Revert-Revert-graph-lock-Disable-locking-for-now.patch
>  extra/0007-migration-states-workaround-snapshot-performance-reg.patch
>  extra/0008-Revert-x86-acpi-workaround-Windows-not-handling-name.patch
>  extra/0009-hw-ide-ahci-fix-legacy-software-reset.patch
> +extra/0010-ui-vnc-clipboard-fix-inflate_buffer.patch
>  bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
>  bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
>  bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch





Re: [pve-devel] [PATCH qemu] add fix for vnc clipboard

2023-11-22 Thread Fiona Ebner
On 22.11.23 at 13:36, Fiona Ebner wrote:
> This fixes the host->guest direction with noVNC as a client (and
> likely others).
> 
> Signed-off-by: Fiona Ebner 

Sorry, completely forgot to add Friedrich's Reported-by's. Sent a v2.





[pve-devel] [PATCH v2 qemu] add fix for vnc clipboard

2023-11-22 Thread Fiona Ebner
This fixes the host->guest direction with noVNC as a client (and
likely others).

Reported-by: Friedrich Weber 
Signed-off-by: Fiona Ebner 
---
 ...-ui-vnc-clipboard-fix-inflate_buffer.patch | 34 +++
 debian/patches/series |  1 +
 2 files changed, 35 insertions(+)
 create mode 100644 
debian/patches/extra/0010-ui-vnc-clipboard-fix-inflate_buffer.patch

diff --git 
a/debian/patches/extra/0010-ui-vnc-clipboard-fix-inflate_buffer.patch 
b/debian/patches/extra/0010-ui-vnc-clipboard-fix-inflate_buffer.patch
new file mode 100644
index 000..4711fa0
--- /dev/null
+++ b/debian/patches/extra/0010-ui-vnc-clipboard-fix-inflate_buffer.patch
@@ -0,0 +1,34 @@
+From  Mon Sep 17 00:00:00 2001
+From: Fiona Ebner 
+Date: Wed, 22 Nov 2023 13:17:25 +0100
+Subject: [PATCH] ui/vnc-clipboard: fix inflate_buffer
+
+Commit d921fea338 ("ui/vnc-clipboard: fix infinite loop in
+inflate_buffer (CVE-2023-3255)") removed this hunk, but it is still
+required, because it can happen that stream.avail_in becomes zero
+before coming across a return value of Z_STREAM_END.
+
+This fixes the host->guest direction with noNVC.
+
+Reported-by: Friedrich Weber 
+Signed-off-by: Fiona Ebner 
+---
+ ui/vnc-clipboard.c | 5 +
+ 1 file changed, 5 insertions(+)
+
+diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
+index c759be3438..124b6fbd9c 100644
+--- a/ui/vnc-clipboard.c
 b/ui/vnc-clipboard.c
+@@ -69,6 +69,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t 
in_len, uint32_t *size)
+ }
+ }
+ 
++*size = stream.total_out;
++inflateEnd(&stream);
++
++return out;
++
+ err_end:
+ inflateEnd(&stream);
+ err:
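Review bot: the five lines re-added after the loop return `out` as success whenever the input runs out, which per the description is the case where `stream.avail_in` becomes zero without `Z_STREAM_END`; a truncated stream takes the same path, so the message should say whether partial clipboard data is acceptable to the caller. It would also help to state that only this return path is restored and the loop that d921fea338 changed for CVE-2023-3255 is left as it is. "noNVC" in the description should read "noVNC".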
diff --git a/debian/patches/series b/debian/patches/series
index 992299c..9938b8e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,6 +7,7 @@ 
extra/0006-Revert-Revert-graph-lock-Disable-locking-for-now.patch
 extra/0007-migration-states-workaround-snapshot-performance-reg.patch
 extra/0008-Revert-x86-acpi-workaround-Windows-not-handling-name.patch
 extra/0009-hw-ide-ahci-fix-legacy-software-reset.patch
+extra/0010-ui-vnc-clipboard-fix-inflate_buffer.patch
 bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
 bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
 bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
-- 
2.39.2
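The case the patch description refers to, input running out before zlib reports end of stream, modelled with Python's zlib module (a wrapper around the same library) as an added example; it is not QEMU's code and not part of the patch. The sample streams are constructed, and `expected_len` is a hypothetical stand-in for a length the surrounding protocol would supply.

```python
import zlib

MAX_OUT = 1 << 20  # constructed cap on decompressed size (1 MiB)

# Constructed sample payload; stands in for clipboard text.
PAYLOAD = b"clipboard text from the host, pasted into the guest\n" * 12


def make_streams(payload: bytes):
    """Build three constructed inputs carrying the same payload."""
    c = zlib.compressobj()
    # Stream closed with Z_FINISH: inflate reports end of stream.
    finished = c.compress(payload) + c.flush(zlib.Z_FINISH)
    c = zlib.compressobj()
    # All data flushed, but the stream is left open: no end-of-stream marker.
    flushed = c.compress(payload) + c.flush(zlib.Z_SYNC_FLUSH)
    # A finished stream cut off halfway, as after a short read.
    truncated = finished[: len(finished) // 2]
    return finished, flushed, truncated


def inflate(data: bytes, limit: int = MAX_OUT):
    """Inflate data and return (output, saw_stream_end).

    Raises ValueError on corrupt input or when the output exceeds limit.
    """
    d = zlib.decompressobj()
    try:
        # Request at most limit + 1 bytes, so an oversized stream is detected
        # without buffering more than that.
        out = d.decompress(data, limit + 1)
    except zlib.error as exc:
        raise ValueError(f"corrupt deflate stream: {exc}") from exc
    if len(out) > limit:
        raise ValueError("decompressed data exceeds limit")
    return out, d.eof


def decode_strict(data: bytes):
    """Succeed only when end of stream was seen."""
    out, ended = inflate(data)
    return out if ended else None


def decode_lenient(data: bytes):
    """Also succeed when the input simply ran out (the path the patch restores)."""
    out, _ = inflate(data)
    return out


def decode_checked(data: bytes, expected_len: int):
    """Lenient decode plus a length check; expected_len is a hypothetical
    value taken from the surrounding protocol, not something zlib provides."""
    out, _ = inflate(data)
    return out if len(out) == expected_len else None


def summarize():
    """Per input: does (strict, lenient, checked) recover the full payload?"""
    finished, flushed, truncated = make_streams(PAYLOAD)
    rows = {}
    for name, blob in (("finished", finished),
                       ("flushed", flushed),
                       ("truncated", truncated)):
        rows[name] = (
            decode_strict(blob) == PAYLOAD,
            decode_lenient(blob) == PAYLOAD,
            decode_checked(blob, len(PAYLOAD)) == PAYLOAD,
        )
    return rows


if __name__ == "__main__":
    for name, row in summarize().items():
        print(f"{name:10s} strict={row[0]} lenient={row[1]} checked={row[2]}")
```

The strict decoder rejects the flushed stream even though all data is there, while the lenient one cannot tell the flushed stream from the truncated one by return code alone; only an external length or integrity check separates the two.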






[pve-devel] [PATCH qemu] add fix for vnc clipboard

2023-11-22 Thread Fiona Ebner
This fixes the host->guest direction with noVNC as a client (and
likely others).

Signed-off-by: Fiona Ebner 
---
 ...-ui-vnc-clipboard-fix-inflate_buffer.patch | 33 +++
 debian/patches/series |  1 +
 2 files changed, 34 insertions(+)
 create mode 100644 
debian/patches/extra/0010-ui-vnc-clipboard-fix-inflate_buffer.patch

diff --git 
a/debian/patches/extra/0010-ui-vnc-clipboard-fix-inflate_buffer.patch 
b/debian/patches/extra/0010-ui-vnc-clipboard-fix-inflate_buffer.patch
new file mode 100644
index 000..1a361d5
--- /dev/null
+++ b/debian/patches/extra/0010-ui-vnc-clipboard-fix-inflate_buffer.patch
@@ -0,0 +1,33 @@
+From  Mon Sep 17 00:00:00 2001
+From: Fiona Ebner 
+Date: Wed, 22 Nov 2023 13:17:25 +0100
+Subject: [PATCH] ui/vnc-clipboard: fix inflate_buffer
+
+Commit d921fea338 ("ui/vnc-clipboard: fix infinite loop in
+inflate_buffer (CVE-2023-3255)") removed this hunk, but it is still
+required, because it can happen that stream.avail_in becomes zero
+before coming across a return value of Z_STREAM_END.
+
+This fixes the host->guest direction with noNVC.
+
+Signed-off-by: Fiona Ebner 
+---
+ ui/vnc-clipboard.c | 5 +
+ 1 file changed, 5 insertions(+)
+
+diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
+index c759be3438..124b6fbd9c 100644
+--- a/ui/vnc-clipboard.c
 b/ui/vnc-clipboard.c
+@@ -69,6 +69,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t 
in_len, uint32_t *size)
+ }
+ }
+ 
++*size = stream.total_out;
++inflateEnd(&stream);
++
++return out;
++
+ err_end:
+ inflateEnd(&stream);
+ err:
diff --git a/debian/patches/series b/debian/patches/series
index 992299c..9938b8e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,6 +7,7 @@ 
extra/0006-Revert-Revert-graph-lock-Disable-locking-for-now.patch
 extra/0007-migration-states-workaround-snapshot-performance-reg.patch
 extra/0008-Revert-x86-acpi-workaround-Windows-not-handling-name.patch
 extra/0009-hw-ide-ahci-fix-legacy-software-reset.patch
+extra/0010-ui-vnc-clipboard-fix-inflate_buffer.patch
 bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
 bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
 bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
-- 
2.39.2






[pve-devel] applied: [PATCH installer] grub: install all efi binaries in fallback/default dir

2023-11-22 Thread Thomas Lamprecht
On 22/11/2023 at 13:19, Fabian Grünbichler wrote:
> else this fails with secureboot, where the entry point must be shim and not
> grub.
> 
> Signed-off-by: Fabian Grünbichler 
> ---
> tested by using the "Hard Disk" boot option, instead of the (higher priority)
> 'proxmox' one when booting a freshly installed system using LVM and Secure 
> Boot
> 
>  Proxmox/Install.pm | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
>

applied, thanks!




[pve-devel] [PATCH pve-network] ipam: improve update / delete behavior

2023-11-22 Thread Stefan Hanreich
Currently when updating or deleting a mapping in the IPAM we would
delete all existing entries in the IPAM with that mac address. Now we
only delete the specific entry we are updating / deleting.

Signed-off-by: Stefan Hanreich 
---
 src/PVE/API2/Network/SDN/Ips.pm | 20 +---
 src/PVE/Network/SDN/Subnets.pm  |  3 +++
 2 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/src/PVE/API2/Network/SDN/Ips.pm b/src/PVE/API2/Network/SDN/Ips.pm
index 6989b9b..0003b2a 100644
--- a/src/PVE/API2/Network/SDN/Ips.pm
+++ b/src/PVE/API2/Network/SDN/Ips.pm
@@ -28,6 +28,11 @@ __PACKAGE__->register_method ({
zone => get_standard_option('pve-sdn-zone-id'),
vnet => get_standard_option('pve-sdn-vnet-id'),
mac => get_standard_option('mac-addr'),
+   ip => {
+   type => 'string',
+   format => 'ip',
+   description => 'The IP address to delete',
+   },
},
 },
 returns => { type => 'null' },
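Review bot: the new `ip` property in the parameter block is required as written (no `optional => 1`), so any existing caller of this delete endpoint that only sends zone, vnet and mac stops working. If the break is intended, say so in the commit message and make sure the UI change lands together with it; otherwise mark the parameter optional and define what a delete without `ip` does. The description could also state that the address has to belong to the given MAC.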
@@ -36,13 +41,12 @@ __PACKAGE__->register_method ({
 
my $vnet = extract_param($param, 'vnet');
my $mac = extract_param($param, 'mac');
+   my $ip = extract_param($param, 'ip');
 
eval {
-   PVE::Network::SDN::Vnets::del_ips_from_mac($vnet, $mac);
+   PVE::Network::SDN::Vnets::del_ip($vnet, $ip, '', $mac);
};
-   my $error = $@;
-
-   die "$error\n" if $error;
+   die "$@\n" if $@;
 
return undef;
 },
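Review bot: missing check in the `eval` block: `del_ip($vnet, $ip, '', $mac)` removes whatever address the caller passes, and nothing in this hunk verifies that `$ip` is currently mapped to `$mac` in this vnet. A mismatched pair would remove an IPAM entry that belongs to a different guest. Consider looking the mapping up first (for example with `get_ips_from_mac`, which the update path further down already uses) and raising a parameter error when the address does not match.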
@@ -117,7 +121,10 @@ __PACKAGE__->register_method ({
my $vmid = extract_param($param, 'vmid');
my $ip = extract_param($param, 'ip');
 
-   my ($old_ip4, $old_ip6) = 
PVE::Network::SDN::Vnets::del_ips_from_mac($vnet, $mac, '');
+   my ($old_ip4, $old_ip6) = 
PVE::Network::SDN::Vnets::get_ips_from_mac($vnet, $mac);
+   my $old_ip = (Net::IP::ip_get_version($ip) == 4) ? $old_ip4 : $old_ip6;
+
+   PVE::Network::SDN::Vnets::del_ip($vnet, $old_ip, '', $mac);
 
eval {
PVE::Network::SDN::Vnets::add_ip($vnet, $ip, '', $mac, $vmid);
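Review bot: `$old_ip` can be undef at the new `del_ip($vnet, $old_ip, '', $mac)` call when the MAC has no existing entry of the same address family as the new `$ip`, and the call is made unconditionally and outside the `eval`. Guard it with `if $old_ip` so an update that is really a first assignment for that family does not try to delete an undefined address.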
@@ -125,8 +132,7 @@ __PACKAGE__->register_method ({
my $error = $@;
 
if ($error) {
-   PVE::Network::SDN::Vnets::add_ip($vnet, $old_ip4, '', $mac, $vmid) 
if $old_ip4;
-   PVE::Network::SDN::Vnets::add_ip($vnet, $old_ip6, '', $mac, $vmid) 
if $old_ip6;
+   PVE::Network::SDN::Vnets::add_ip($vnet, $old_ip, '', $mac, $vmid);
}
 
die "$error\n" if $error;
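Review bot: the rollback `add_ip($vnet, $old_ip, '', $mac, $vmid)` lost the `if $old_ip4` / `if $old_ip6` guards the removed lines had, so when there was no previous address it tries to re-add an undefined IP. It also runs outside any `eval`, so if the rollback itself dies the original `$error` is never reported. Suggest keeping the guard (`... if $old_ip;`) and wrapping the rollback so its failure is warned about and the original error still reaches the caller.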
diff --git a/src/PVE/Network/SDN/Subnets.pm b/src/PVE/Network/SDN/Subnets.pm
index 8e2a6aa..8f113b4 100644
--- a/src/PVE/Network/SDN/Subnets.pm
+++ b/src/PVE/Network/SDN/Subnets.pm
@@ -305,6 +305,9 @@ sub add_ip {
$plugin->add_ip($plugin_config, $subnetid, $subnet, $ip, $hostname, 
$mac, $vmid, $is_gateway);
};
die $@ if $@;
+
+   eval { PVE::Network::SDN::Ipams::add_cache_mac_ip($mac, $ip) if $mac; };
+   warn $@ if $@;
 }
 
 eval {
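Review bot: a failure of `add_cache_mac_ip` is reduced to a bare `warn $@`, so the call succeeds while the cache has no entry for the address that was just added to the IPAM. Add a short comment saying why that is safe to ignore, and include the MAC and IP in the warning so the log line can be acted on.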
-- 
2.39.2





[pve-devel] [PATCH pve-manager] ipam: send ip to delete endpoint

2023-11-22 Thread Stefan Hanreich
The ip parameter has been added to the delete endpoint, so only a
specific mapping gets deleted instead of all mappings for that mac
address. Reflect this change in the UI.

Signed-off-by: Stefan Hanreich 
---
 www/manager6/tree/DhcpTree.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/manager6/tree/DhcpTree.js b/www/manager6/tree/DhcpTree.js
index b7baba606..b5fbafe03 100644
--- a/www/manager6/tree/DhcpTree.js
+++ b/www/manager6/tree/DhcpTree.js
@@ -108,6 +108,7 @@ Ext.define('PVE.sdn.DhcpTree', {
let params = {
zone: data.zone,
mac: data.mac,
+   ip: data.ip,
};
 
let encodedParams = Ext.Object.toQueryString(params);
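Review bot: `ip: data.ip` is added to `params` unconditionally. Worth confirming that every row this delete handler can run on carries an `ip` value, and, since the commit message ties this to a newly added backend parameter, that the dependency on the matching pve-network version is bumped alongside so the UI and backend cannot get out of step.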
-- 
2.39.2





[pve-devel] [PATCH pve-network] validation: add support for arrays to change tracking

2023-11-22 Thread Stefan Hanreich
This is needed so dhcp-ranges are properly displayed as changed in the
web UI.

Also took the chance to properly indent the encode_value function with
our indentation scheme.

Signed-off-by: Stefan Hanreich 
---
 src/PVE/Network/SDN.pm | 14 --
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/PVE/Network/SDN.pm b/src/PVE/Network/SDN.pm
index c306527..3af09b5 100644
--- a/src/PVE/Network/SDN.pm
+++ b/src/PVE/Network/SDN.pm
@@ -241,12 +241,14 @@ sub generate_dhcp_config {
 sub encode_value {
 my ($type, $key, $value) = @_;
 
-if ($key eq 'nodes' || $key eq 'exitnodes') {
-if(ref($value) eq 'HASH') {
-return join(',', sort keys(%$value));
-} else {
-return $value;
-}
+if ($key eq 'nodes' || $key eq 'exitnodes' || $key eq 'dhcp-range') {
+   if (ref($value) eq 'HASH') {
+   return join(',', sort keys(%$value));
+   } elsif (ref($value) eq 'ARRAY') {
+   return join(',', sort @$value);
+   } else {
+   return $value;
+   }
 }
 
 return $value;
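Review bot: the functional change (the `dhcp-range` key and the `ARRAY` branch) is mixed with a re-indent of the whole block, which hides the real diff; a separate whitespace-only commit would be easier to review. In the new branch, `join(',', sort @$value)` assumes the array holds plain strings; if elements can be references, the joined value would contain memory addresses and the entry would show up as changed every time. The inner `else { return $value; }` is also redundant with the `return $value;` that follows the block.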
-- 
2.39.2





[pve-devel] [PATCH pve-network] subnets: only delete macs.db entries if mac is available

2023-11-22 Thread Stefan Hanreich
When removing a gateway do not attempt to delete its entry from
macs.db since we do not have anything cached for the gateway anyway.

Reported-By: Wolfgang Bumiller 
Signed-off-by: Stefan Hanreich 
---
 src/PVE/Network/SDN/Subnets.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PVE/Network/SDN/Subnets.pm b/src/PVE/Network/SDN/Subnets.pm
index 8e2a6aa..05d2de2 100644
--- a/src/PVE/Network/SDN/Subnets.pm
+++ b/src/PVE/Network/SDN/Subnets.pm
@@ -399,7 +399,7 @@ sub del_ip {
my $plugin = 
PVE::Network::SDN::Ipams::Plugin->lookup($plugin_config->{type});
$plugin->del_ip($plugin_config, $subnetid, $subnet, $ip);
 
-   eval { PVE::Network::SDN::Ipams::del_cache_mac_ip($mac, $ip); };
+   eval { PVE::Network::SDN::Ipams::del_cache_mac_ip($mac, $ip) if $mac; };
warn $@ if $@;
 }
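Review bot: the reason `$mac` can be empty (gateway entries, per the commit message) is not recorded at the `del_cache_mac_ip($mac, $ip) if $mac` line itself. A one-line comment there would keep a later cleanup from dropping the guard again.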
 
-- 
2.39.2





Re: [pve-devel] applied-series: [PATCH network 0/7] PUT API endpoint changes

2023-11-22 Thread Stefan Hanreich



On 11/22/23 12:53, Wolfgang Bumiller wrote:
> This is a breaking API change for zones, vnets and subnets!
> 
> These previously expected the *complete* config, which is not how our
> usual SectionConfigs work.
> 
> Further, they advertised a 'delete' API parameter which was simply
> passed through as a config property which of course failed validation.
> 
> Instead, they now merge the provided changes the way we normally do, and
> handle the 'delete' parameter.

Will have to check now whether this affects the UI in any way. I fear it
does. Will try to provide respective pve-manager patches ASAP.





[pve-devel] [PATCH installer] grub: install all efi binaries in fallback/default dir

2023-11-22 Thread Fabian Grünbichler
else this fails with secureboot, where the entry point must be shim and not
grub.

Signed-off-by: Fabian Grünbichler 
---
tested by using the "Hard Disk" boot option, instead of the (higher priority)
'proxmox' one when booting a freshly installed system using LVM and Secure Boot

 Proxmox/Install.pm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Proxmox/Install.pm b/Proxmox/Install.pm
index 8825699..c99748c 100644
--- a/Proxmox/Install.pm
+++ b/Proxmox/Install.pm
@@ -605,8 +605,10 @@ sub prepare_grub_efi_boot_esp {
}
# also install fallback boot file (OVMF does not boot without)
mkdir("$targetdir/boot/efi/EFI/BOOT");
-   syscmd("cp $targetdir/boot/efi/EFI/proxmox/grubx64.efi 
$targetdir/boot/efi/EFI/BOOT/BOOTx64.EFI") == 0 ||
+   syscmd("cp $targetdir/boot/efi/EFI/proxmox/*.efi 
$targetdir/boot/efi/EFI/BOOT/") == 0 ||
die "unable to copy efi boot loader\n";
+   syscmd("mv $targetdir/boot/efi/EFI/BOOT/shimx64.efi 
$targetdir/boot/efi/EFI/BOOT/BOOTx64.efi") == 0 ||
+   die "unable to setup default efi boot loader\n";
 };
 my $err = $@;
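Review bot: the added `mv .../EFI/BOOT/shimx64.efi .../EFI/BOOT/BOOTx64.efi` runs unconditionally, so if the `*.efi` copy did not bring a `shimx64.efi` along, the installer now dies where it previously installed grub as the fallback loader. Either check for the file first and fall back to the old `grubx64.efi` copy, or state in the commit message that shim is always present on the target. The target name also changes case from `BOOTx64.EFI` to `BOOTx64.efi`, and the comment above the block still only mentions OVMF; it should say that the default entry has to be shim for Secure Boot.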
 
-- 
2.39.2





[pve-devel] applied: [PATCH docs] boot: add Secure Boot information

2023-11-22 Thread Thomas Lamprecht
Am 22/11/2023 um 09:54 schrieb Fabian Grünbichler:
> and refer to the (updated) wiki article for more in-depth explanations.
> 
> Signed-off-by: Fabian Grünbichler 
> ---
>  local-zfs.adoc  |  6 +-
>  system-booting.adoc | 42 +-
>  2 files changed, 42 insertions(+), 6 deletions(-)
> 
>

applied, thanks!




[pve-devel] applied: [PATCH pve-network] fix dhcpv6 router advertisement

2023-11-22 Thread Thomas Lamprecht
Am 22/11/2023 um 08:58 schrieb Alexandre Derumier:
> - don't listen to ip address, but use interface= instead
> - generate 1 config file by vnet instead 1 by subnet
> - enable-ra is global to server, enable it in default conf
> 
> Signed-off-by: Alexandre Derumier 
> ---
>  src/PVE/Network/SDN/Dhcp.pm | 33 +-
>  src/PVE/Network/SDN/Dhcp/Dnsmasq.pm | 36 +++--
>  src/PVE/Network/SDN/Dhcp/Plugin.pm  |  9 ++--
>  3 files changed, 48 insertions(+), 30 deletions(-)
> 
>

applied, thanks!





[pve-devel] [PATCH network 5/7] api: handle delete parameter when updating ipams

2023-11-22 Thread Wolfgang Bumiller
this is for completeness, currently no plugin has optional
properties...

Signed-off-by: Wolfgang Bumiller 
---
 src/PVE/API2/Network/SDN/Ipams.pm | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/src/PVE/API2/Network/SDN/Ipams.pm 
b/src/PVE/API2/Network/SDN/Ipams.pm
index d6e0bc8..27ead02 100644
--- a/src/PVE/API2/Network/SDN/Ipams.pm
+++ b/src/PVE/API2/Network/SDN/Ipams.pm
@@ -180,6 +180,7 @@ __PACKAGE__->register_method ({
 
my $id = extract_param($param, 'ipam');
my $digest = extract_param($param, 'digest');
+   my $delete = extract_param($param, 'delete');
 
 PVE::Network::SDN::lock_sdn_config(
 sub {
@@ -193,6 +194,12 @@ __PACKAGE__->register_method ({
my $plugin = 
PVE::Network::SDN::Ipams::Plugin->lookup($scfg->{type});
my $opts = $plugin->check_config($id, $param, 0, 1);
 
+   if ($delete) {
+   $delete = [ PVE::Tools::split_list($delete) ];
+   my $options = $plugin->private()->{options}->{$scfg->{type}};
+   PVE::SectionConfig::delete_from_config($scfg, $options, $opts, 
$delete);
+   }
+
foreach my $k (%$opts) {
$scfg->{$k} = $opts->{$k};
}
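Review bot: not introduced by this patch, but visible right below the new block: `foreach my $k (%$opts)` expands the hash in list context, so the loop runs over the values as well as the keys and uses values as config keys. The zones and vnets patches in this series use `for keys $opts->%*`; the same form should be used here while this function is being touched.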
-- 
2.39.2






[pve-devel] [PATCH network 6/7] api: handle delete parameter when updating dns entries

2023-11-22 Thread Wolfgang Bumiller
Signed-off-by: Wolfgang Bumiller 
---
 src/PVE/API2/Network/SDN/Dns.pm | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/src/PVE/API2/Network/SDN/Dns.pm b/src/PVE/API2/Network/SDN/Dns.pm
index 3d08552..826d111 100644
--- a/src/PVE/API2/Network/SDN/Dns.pm
+++ b/src/PVE/API2/Network/SDN/Dns.pm
@@ -173,6 +173,7 @@ __PACKAGE__->register_method ({
 
my $id = extract_param($param, 'dns');
my $digest = extract_param($param, 'digest');
+   my $delete = extract_param($param, 'delete');
 
 PVE::Network::SDN::lock_sdn_config(
 sub {
@@ -186,6 +187,12 @@ __PACKAGE__->register_method ({
my $plugin = PVE::Network::SDN::Dns::Plugin->lookup($scfg->{type});
my $opts = $plugin->check_config($id, $param, 0, 1);
 
+   if ($delete) {
+   $delete = [ PVE::Tools::split_list($delete) ];
+   my $options = $plugin->private()->{options}->{$scfg->{type}};
+   PVE::SectionConfig::delete_from_config($scfg, $options, $opts, 
$delete);
+   }
+
foreach my $k (%$opts) {
$scfg->{$k} = $opts->{$k};
}
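Review bot: this `if ($delete) { ... }` block is the same code that the ipams and controllers patches of this series add. A small shared helper would keep the three update paths from drifting apart. The commit message also has no body; one sentence on what `delete` means for a DNS entry would help.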
-- 
2.39.2






[pve-devel] [PATCH network 1/7] Revert "sdn: require ipam in simple plugin for dhcp"

2023-11-22 Thread Wolfgang Bumiller
This reverts commit 53ab1495621f46c8af4dc560905f7e501bee75a7.

This also affects the updateSchema which is not intentional, since the
update API calls are supposed to take changes, not full replacements.

Signed-off-by: Wolfgang Bumiller 
---
 src/PVE/Network/SDN/Zones/SimplePlugin.pm | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/PVE/Network/SDN/Zones/SimplePlugin.pm 
b/src/PVE/Network/SDN/Zones/SimplePlugin.pm
index 7cb65c2..c996bf3 100644
--- a/src/PVE/Network/SDN/Zones/SimplePlugin.pm
+++ b/src/PVE/Network/SDN/Zones/SimplePlugin.pm
@@ -32,7 +32,6 @@ sub properties {
description => 'Type of the DHCP backend for this zone',
type => 'string',
enum => PVE::Network::SDN::Dhcp::Plugin->lookup_types(),
-   requires => 'ipam',
},
 };
 }
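Review bot: with `requires => 'ipam'` dropped from this property, nothing in the hunk enforces the constraint any more, so a zone can be saved with a DHCP backend and no IPAM. The commit message explains why the schema-level check had to go; the check itself should move to a place that sees the merged config (for example the update path after the changes are applied), or the message should say that the constraint is intentionally gone.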
-- 
2.39.2






[pve-devel] [PATCH network 3/7] api: take partial configs for PUT /cluster/sdn/vnets/

2023-11-22 Thread Wolfgang Bumiller
Handle 'delete' parameter and partial updates.
See previous commit for explanation.

Cc: Alexandre Derumier 
Signed-off-by: Wolfgang Bumiller 
---
 src/PVE/API2/Network/SDN/Vnets.pm | 24 
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/src/PVE/API2/Network/SDN/Vnets.pm 
b/src/PVE/API2/Network/SDN/Vnets.pm
index a32df8c..57de295 100644
--- a/src/PVE/API2/Network/SDN/Vnets.pm
+++ b/src/PVE/API2/Network/SDN/Vnets.pm
@@ -244,21 +244,37 @@ __PACKAGE__->register_method ({
 
my $id = extract_param($param, 'vnet');
my $digest = extract_param($param, 'digest');
+   my $delete = extract_param($param, 'delete');
 
my $privs = [ 'SDN.Allocate' ];
&$check_vnet_access($id, $privs);
 
+   if ($delete) {
+   $delete = [ PVE::Tools::split_list($delete) ];
+   }
+
PVE::Network::SDN::lock_sdn_config(sub {
my $cfg = PVE::Network::SDN::Vnets::config();
 
PVE::SectionConfig::assert_if_modified($cfg, $digest);
 
my $opts = PVE::Network::SDN::VnetPlugin->check_config($id, $param, 
0, 1);
-   raise_param_exc({ zone => "missing zone"}) if !$opts->{zone};
-   my $subnets = PVE::Network::SDN::Vnets::get_subnets($id);
-   raise_param_exc({ zone => "can't change zone if subnets exists"}) 
if($subnets && $opts->{zone} ne $cfg->{ids}->{$id}->{zone});
 
-   $cfg->{ids}->{$id} = $opts;
+   my $data = $cfg->{ids}->{$id};
+   my $old_zone = $data->{zone};
+
+   if ($delete) {
+   my $options = 
PVE::Network::SDN::VnetPlugin->private()->{options}->{$data->{type}};
+   PVE::SectionConfig::delete_from_config($data, $options, $opts, 
$delete);
+   }
+
+   $data->{$_} = $opts->{$_} for keys $opts->%*;
+
+   my $new_zone = $data->{zone};
+   raise_param_exc({ zone => "cannot delete zone"}) if !$new_zone;
+   my $subnets = PVE::Network::SDN::Vnets::get_subnets($id);
+   raise_param_exc({ zone => "can't change zone if subnets exist"})
+   if $subnets && $old_zone ne $new_zone;
 
my $zone_cfg = PVE::Network::SDN::Zones::config();
my $zoneid = $cfg->{ids}->{$id}->{zone};
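Review bot: `my $data = $cfg->{ids}->{$id};` is dereferenced straight away (`$data->{zone}`, `$data->{type}`) without a check that the vnet exists. Unless an earlier check outside this hunk already rejects unknown IDs, `$data` is undef there and the later assignments go into a hash that is not attached to `$cfg`. An explicit existence check before `$old_zone` would give a clear error. The context line `my $zoneid = $cfg->{ids}->{$id}->{zone};` could then simply reuse `$new_zone`.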
-- 
2.39.2






[pve-devel] applied-series: [PATCH network 0/7] PUT API endpoint changes

2023-11-22 Thread Wolfgang Bumiller
This is a breaking API change for zones, vnets and subnets!

These previously expected the *complete* config, which is not how our
usual SectionConfigs work.

Further, they advertised a 'delete' API parameter which was simply
passed through as a config property which of course failed validation.

Instead, they now merge the provided changes the way we normally do, and
handle the 'delete' parameter.

This affects:
- /cluster/sdn/zones/
- /cluster/sdn/vnets/
- /cluster/sdn/vnets//subnets/

Additionally, these already took partial updates, but ignored the
'delete' parameter, which is fixed in this series:
- /cluster/sdn/ipams/
- /cluster/sdn/dns/
- /cluster/sdn/controllers/

Wolfgang Bumiller (7):
  Revert "sdn: require ipam in simple plugin for dhcp"
  api: take partial configs for PUT /cluster/sdn/zones/
  api: take partial configs for PUT /cluster/sdn/vnets/
  api: take partial configs for PUT /cluster/sdn/vnets//subnets/
  api: handle delete parameter when updating ipams
  api: handle delete parameter when updating dns entries
  api: handle delete parameter when updating controllers

 src/PVE/API2/Network/SDN/Controllers.pm   |  7 +++
 src/PVE/API2/Network/SDN/Dns.pm   |  7 +++
 src/PVE/API2/Network/SDN/Ipams.pm |  7 +++
 src/PVE/API2/Network/SDN/Subnets.pm   | 12 ++--
 src/PVE/API2/Network/SDN/Vnets.pm | 24 +++
 src/PVE/API2/Network/SDN/Zones.pm | 18 ++---
 src/PVE/Network/SDN/Zones/SimplePlugin.pm |  1 -
 7 files changed, 66 insertions(+), 10 deletions(-)

-- 
2.39.2





[pve-devel] [PATCH network 7/7] api: handle delete parameter when updating controllers

2023-11-22 Thread Wolfgang Bumiller
Signed-off-by: Wolfgang Bumiller 
---
 src/PVE/API2/Network/SDN/Controllers.pm | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/src/PVE/API2/Network/SDN/Controllers.pm 
b/src/PVE/API2/Network/SDN/Controllers.pm
index d8f18ab..0540a65 100644
--- a/src/PVE/API2/Network/SDN/Controllers.pm
+++ b/src/PVE/API2/Network/SDN/Controllers.pm
@@ -215,6 +215,7 @@ __PACKAGE__->register_method ({
 
my $id = extract_param($param, 'controller');
my $digest = extract_param($param, 'digest');
+   my $delete = extract_param($param, 'delete');
 
 PVE::Network::SDN::lock_sdn_config(
 sub {
@@ -228,6 +229,12 @@ __PACKAGE__->register_method ({
my $plugin = 
PVE::Network::SDN::Controllers::Plugin->lookup($scfg->{type});
my $opts = $plugin->check_config($id, $param, 0, 1);
 
+   if ($delete) {
+   $delete = [ PVE::Tools::split_list($delete) ];
+   my $options = $plugin->private()->{options}->{$scfg->{type}};
+   PVE::SectionConfig::delete_from_config($scfg, $options, $opts, 
$delete);
+   }
+
foreach my $k (%$opts) {
$scfg->{$k} = $opts->{$k};
}
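Review bot: `$delete` is split with `PVE::Tools::split_list` inside the locked closure here, while the zones and vnets patches of this series do it before taking the lock. Parsing the parameter outside the lock in all endpoints would be more consistent.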
-- 
2.39.2






[pve-devel] [PATCH network 4/7] api: take partial configs for PUT /cluster/sdn/vnets//subnets/

2023-11-22 Thread Wolfgang Bumiller
Handle 'delete' parameter and partial updates.
See 2 commits earlier for explanation.

Cc: Alexandre Derumier 
Signed-off-by: Wolfgang Bumiller 
---
 src/PVE/API2/Network/SDN/Subnets.pm | 12 ++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/PVE/API2/Network/SDN/Subnets.pm 
b/src/PVE/API2/Network/SDN/Subnets.pm
index c263cd5..7a4c331 100644
--- a/src/PVE/API2/Network/SDN/Subnets.pm
+++ b/src/PVE/API2/Network/SDN/Subnets.pm
@@ -247,6 +247,8 @@ __PACKAGE__->register_method ({
 
my $id = extract_param($param, 'subnet');
my $digest = extract_param($param, 'digest');
+   my $delete = extract_param($param, 'delete');
+
my $vnet = $param->{vnet};
 
my $privs = [ 'SDN.Allocate' ];
@@ -266,9 +268,15 @@ __PACKAGE__->register_method ({
PVE::SectionConfig::assert_if_modified($cfg, $digest);
 
my $opts = PVE::Network::SDN::SubnetPlugin->check_config($id, 
$param, 0, 1);
-   $cfg->{ids}->{$id} = $opts;
 
-   raise_param_exc({ ipam => "you can't change ipam"}) if 
$opts->{ipam} && $scfg->{ipam} && $opts->{ipam} ne $scfg->{ipam};
+   my $data = $cfg->{ids}->{$id};
+   if ($delete) {
+   $delete = [ PVE::Tools::split_list($delete) ];
+   my $options =
+   
PVE::Network::SDN::SubnetPlugin->private()->{options}->{$data->{type}};
+   PVE::SectionConfig::delete_from_config($data, $options, $opts, 
$delete);
+   }
+   $data->{$_} = $opts->{$_} for keys $opts->%*;
 
my $subnet = PVE::Network::SDN::Subnets::sdn_subnets_config($cfg, 
$id);
PVE::Network::SDN::SubnetPlugin->on_update_hook($zone, $id, 
$subnet, $scfg);
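Review bot: the removed `raise_param_exc({ ipam => "you can't change ipam"})` guard is not re-added anywhere in this hunk, so after the merge an update can change a subnet's `ipam`, and `delete` can remove it. If that is intended it belongs in the commit message; otherwise remember the old value before merging (as the vnets patch does with `$old_zone`) and compare it with `$data->{ipam}` afterwards.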
-- 
2.39.2






[pve-devel] [PATCH network 2/7] api: take partial configs for PUT /cluster/sdn/zones/

2023-11-22 Thread Wolfgang Bumiller
Zones previously expected a complete config, but the API schema
also contains a 'delete' parameter via the SectionConfig's
updateSchema() helper. This was not handled, and instead failed to
validate as part of the config.

The same is true for vnets and subnets, while ipams, dns and
controller entries followed our usual update procedures (but also
ignored the 'delete' parameter).

Since all of our SectionConfig based API endpoints are supposed to
take changes, rather than complete configs, this changes these
endpoints to not replace the full configuration anymore.

This is a major break for automation tools (the web UI already passed
the full config each time).

Cc: Alexandre Derumier 
Signed-off-by: Wolfgang Bumiller 
---
 src/PVE/API2/Network/SDN/Zones.pm | 18 +++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/PVE/API2/Network/SDN/Zones.pm 
b/src/PVE/API2/Network/SDN/Zones.pm
index 1c3356e..b09c9ad 100644
--- a/src/PVE/API2/Network/SDN/Zones.pm
+++ b/src/PVE/API2/Network/SDN/Zones.pm
@@ -261,6 +261,11 @@ __PACKAGE__->register_method ({
 
my $id = extract_param($param, 'zone');
my $digest = extract_param($param, 'digest');
+   my $delete = extract_param($param, 'delete');
+
+   if ($delete) {
+   $delete = [ PVE::Tools::split_list($delete) ];
+   }
 
PVE::Network::SDN::lock_sdn_config(sub {
my $zone_cfg = PVE::Network::SDN::Zones::config();
@@ -274,8 +279,17 @@ __PACKAGE__->register_method ({
my $plugin = 
PVE::Network::SDN::Zones::Plugin->lookup($scfg->{type});
my $opts = $plugin->check_config($id, $param, 0, 1);
 
-   if ($opts->{ipam} && !$scfg->{ipam} || $opts->{ipam} ne 
$scfg->{ipam}) {
+   my $old_ipam = $scfg->{ipam};
+
+   if ($delete) {
+   my $options = $plugin->private()->{options}->{$scfg->{type}};
+   PVE::SectionConfig::delete_from_config($scfg, $options, $opts, 
$delete);
+   }
 
+   $scfg->{$_} = $opts->{$_} for keys $opts->%*;
+
+   my $new_ipam = $scfg->{ipam};
+   if (!$new_ipam != !$old_ipam || (($new_ipam//'') ne 
($old_ipam//''))) {
# don't allow ipam change if subnet are defined for now, need 
to implement resync ipam content
my $subnets_cfg = PVE::Network::SDN::Subnets::config();
for my $subnetid (sort keys %{$subnets_cfg->{ids}}) {
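Review bot: in the new condition `!$new_ipam != !$old_ipam || (($new_ipam//'') ne ($old_ipam//''))`, the first half is already covered by the string comparison with the `// ''` defaults, so the test can be reduced to the second half. Separately, `$scfg` is modified before this check runs; that is only safe if an exception raised in the loop below keeps the config from being written, which deserves a short comment.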
@@ -285,8 +299,6 @@ __PACKAGE__->register_method ({
}
}
 
-   $zone_cfg->{ids}->{$id} = $opts;
-
my $dnsserver = $opts->{dns};
raise_param_exc({ dns => "$dnsserver don't exist"}) if $dnsserver 
&& !$dns_cfg->{ids}->{$dnsserver};
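Review bot: after this change `$opts` holds only the submitted changes, but the context line `my $dnsserver = $opts->{dns};` still reads from it. That validates `dns` only when it is part of the request, which is probably fine, but any later code that expects the full zone config has to read from `$scfg` instead. Please check the remaining uses of `$opts` in this function.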
 
-- 
2.39.2






Re: [pve-devel] [PATCH pve-network] fix dhcpv6 router advertisement

2023-11-22 Thread Stefan Lendl


Thank you for the update. This works now. I tested with IPv6 only and
dual stack.

- ping gateway
- ping VM
- hotplug NIC and get a new IP
- migration





[pve-devel] [PATCH docs] boot: add Secure Boot information

2023-11-22 Thread Fabian Grünbichler
and refer to the (updated) wiki article for more in-depth explanations.

Signed-off-by: Fabian Grünbichler 
---
 local-zfs.adoc  |  6 +-
 system-booting.adoc | 42 +-
 2 files changed, 42 insertions(+), 6 deletions(-)

diff --git a/local-zfs.adoc b/local-zfs.adoc
index b711f72..63de884 100644
--- a/local-zfs.adoc
+++ b/local-zfs.adoc
@@ -524,13 +524,17 @@ process of the new disk has progressed.
 
 
 # proxmox-boot-tool format 
-# proxmox-boot-tool init 
+# proxmox-boot-tool init  [grub]
 
 
 NOTE: `ESP` stands for EFI System Partition, which is setup as partition #2 on
 bootable disks setup by the {pve} installer since version 5.4. For details, see
 xref:sysboot_proxmox_boot_setup[Setting up a new partition for use as synced 
ESP].
 
+NOTE: make sure to pass 'grub' as mode to `proxmox-boot-tool init` if
+`proxmox-boot-tool status` indicates your current disks are using Grub,
+especially if Secure Boot is enabled!
+
 .With plain `grub`:
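Review bot: the added NOTE starts in lower case and quotes the mode as 'grub', while the rest of the section uses backticks for commands and arguments. Suggest starting with "Make sure to pass `grub` as mode" and adding what happens when the mode is omitted, so readers see why it matters with Secure Boot.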
 
 
diff --git a/system-booting.adoc b/system-booting.adoc
index 0b32810..7c2b026 100644
--- a/system-booting.adoc
+++ b/system-booting.adoc
@@ -9,8 +9,9 @@ endif::wiki[]
 selected in the installer.
 
 For EFI Systems installed with ZFS as the root filesystem `systemd-boot` is
-used. All other deployments use the standard `grub` bootloader (this usually
-also applies to systems which are installed on top of Debian).
+used, unless Secure Boot is enabled. All other deployments use the standard
+`grub` bootloader (this usually also applies to systems which are installed on
+top of Debian).
 
 
 [[sysboot_installer_part_scheme]]
@@ -30,9 +31,10 @@ The created partitions are:
 used for the chosen storage type
 
 Systems using ZFS as root filesystem are booted with a kernel and initrd image
-stored on the 512 MB EFI System Partition. For legacy BIOS systems, `grub` is
-used, for EFI systems `systemd-boot` is used. Both are installed and configured
-to point to the ESPs.
+stored on the 512 MB EFI System Partition. For legacy BIOS systems, and EFI
+systems with Secure Boot enabled, `grub` is used, for EFI systems without
+Secure Boot, `systemd-boot` is used. Both are installed and configured to point
+to the ESPs.
 
 `grub` in BIOS mode (`--target i386-pc`) is installed onto the BIOS Boot
 Partition of all selected disks on all systems booted with `grub`
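Review bot: the rewritten sentence joins its two cases with a comma, and "Both are installed and configured to point to the ESPs" is ambiguous now that the choice depends on Secure Boot. Splitting it into one sentence per case would read better.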
@@ -100,6 +102,15 @@ To setup an existing, unmounted ESP located on `/dev/sda2` 
for inclusion in
 # proxmox-boot-tool init /dev/sda2
 
 
+or
+
+
+# proxmox-boot-tool init /dev/sda2 grub
+
+
+to force initialization with Grub instead of systemd-boot, for example for
+Secure Boot support.
+
 Afterwards `/etc/kernel/proxmox-boot-uuids` should contain a new line with the
 UUID of the newly added partition. The `init` command will also automatically
 trigger a refresh of all configured ESPs.
@@ -359,3 +370,24 @@ systems if you call the tool interactively.
 
 # proxmox-boot-tool refresh
 
+
+[[sysboot_secure_boot]]
+Secure Boot
+~~~
+
+Since {pve} 8.1, Secure Boot is supported out of the box via signed packages
+and integration in `proxmox-boot-tool`.
+
+The following packages need to be installed for Secure Boot to be enabled:
+
+- shim-signed (shim bootloader signed by Microsoft)
+- shim-helpers-amd64-signed (fallback bootloader and MOKManager, signed by 
Proxmox)
+- grub-efi-amd64-signed (Grub EFI bootloader, signed by Proxmox)
+- proxmox-kernel-6.X.Y-Z-pve-signed (Kernel image, signed by Proxmox)
+
+Only Grub as bootloader is supported out of the box, since there are no other
+pre-signed bootloader packages available. Any new installation of {pve} will
+automatically have all of the above packages included.
+
+More details about how Secure Boot works, and how to customize the setup, are
+available in https://pve.proxmox.com/wiki/Secure_Boot_Setup[our wiki].
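Review bot: the new section lists the required packages but gives the reader no way to check the current state. A pointer to `proxmox-boot-tool status` (already mentioned in the local-zfs note of this patch) for the bootloader in use would make it self-contained. The name `proxmox-kernel-6.X.Y-Z-pve-signed` should be introduced as a version pattern, and "Grub" is spelled differently from the `grub` used elsewhere in this file.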
-- 
2.39.2





Re: [pve-devel] [TurnKey Linux] Looking to update our signing key... Advice?

2023-11-22 Thread Thomas Lamprecht
Hello!

Am 22/11/2023 um 05:50 schrieb Jeremy Davis:
> Apologies in advance if this is not the right place to post this. Please 
> redirect me to the appropriate forum if not. I'm also happy to discuss 
> off list if that is deemed more appropriate.

It's fine here, thanks for reaching out.

> My name is Jeremy and I work with TurnKey Linux.
> 
> As a housekeeping matter, we're looking to update our GPG signing key - 
> that we sign the index file we provide for downloading our LXC templates 
> via the PVE UI (which includes hashes of our templates).

That would be indeed great, we switched to generating a new key for
every new major release quite a bit ago.

> The current key recently expired (caught us a bit unawares). We updated 
> the expiry to keep it alive. And it doesn't seem to have caused any 
> issues (at least not in my local PVE servers).
> 
> However, the key is quite old and doesn't have current best practice 
> size (RSA-4098 AFAIK?). So I'd like to rotate it.

Yes, our release keys use RSA 4096 (not 6 not 8 at the end):

# sq inspect proxmox-release-bookworm.gpg   
proxmox-release-bookworm.gpg: OpenPGP Certificate.

Fingerprint: F4E136C67CDCE41AE6DE6FC81140AF8F639E0C39
Public-key algo: RSA
Public-key size: 4096 bits
  Creation time: 2022-11-27 13:26:52 UTC
Expiration time: 2032-11-24 13:26:52 UTC (creation time + P3650D)
  Key flags: certification, signing

 UserID: Proxmox Bookworm Release Key 

> I was hoping that someone with some authoritative knowledge of the 
> relevant PVE components would be willing to give me some guidance on the 
> process (not generating the key itself, just the PVE integration 
> specific bits). Hopefully that can ensure that key rotation causes 
> minimal disruptions to users.

Currently the public keys we use are tracked in the pve-manager repo,
inside the aplinfo directory:

https://git.proxmox.com/?p=pve-manager.git;a=tree;f=aplinfo;h=9dbe1f31f712bb537168bf11e052d5117c62e1f6;hb=ad1278fae8e6e678219a702eea960c746551c635

The build-system then concatenates all the trusted keys, i.e., our and
your current (old) one to a joined keyring that we use on checking the
appliance index.

So, you would just need to send us your new public key in a secure
manner and we'd add that key to the keyring.  Secure manner here would
be to have it available on a TLS secured domain of yours via HTTP and
send it to us via email with a signature from the old (current) key.

The one question is how you plan the upgrade, i.e., it might be nice to
not have a hard switch between index signed with old to index signed
with new key.

For example, since doing a new GPG key per-release we also use an index
that can be associated with the release, e.g. see:

http://download.proxmox.com/images/

For example, the plain & compressed indexes, and the signature of the
plain one, used for the Proxmox VE 8 series are:

aplinfo-pve-8.dat
aplinfo-pve-8.dat.asc
aplinfo-pve-8.dat.gz


It could be also good for TurnKey to provide the new templates under a
new index so that older installation can still use them.
Even if you want to consciously break support for systems using the old
key, it might be more pleasant to do a phased switch even then.
Especially as one could test the new index URL and signature without
impacting production systems, you could still drop the signature with
the ancient key in a few weeks or so.

Anyhow, I'm asking the latter because that might need some extra
adaption in our code, but not much, and if you give us the new URL to
the new index we could integrate that too. But if you want to send
patches, then we'd also be happy about that, most of the code is also in
pve-manager, in the PVE::APLInfo module (PVE/APLInfo.pm file).

For how to contribute patches to our project see:
https://pve.proxmox.com/wiki/Developer_Documentation

> Also if there are any specific PVE recommendations/requirements re the 
> new GPG keypair to generate, that would also be great.

Nothing technical, RSA 4096-bit key with an identity (mail email) that
matches your org would be the baseline. Having an expiry of about 10y
could be nice too, but no hard feelings there.

cheers,
 Thomas
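
The hand-over and phased switch described in the message above, as an added example that is not part of the original thread or of pve-manager's code: the new public key is signed with the old key, the recipient checks it against the keyring it already trusts, joins both keys, and indexes signed by either key then verify. It assumes GnuPG 2.x (`gpg`, `gpgv`, `gpgconf`) is installed; all key names, addresses, file names and index contents are constructed.

```shell
#!/bin/sh
# Constructed demo of a phased signing-key rotation. Key names, addresses and
# index contents are made up; this is not pve-manager or TurnKey tooling.

must() { "$@" || { echo "failed: $*" >&2; exit 1; }; }

# Verify a detached signature against one explicit keyring file, as a
# consumer with a fixed trusted keyring would. Prints "ok" or "rejected".
check() { # check <keyring> <signature> <data>
    if gpgv --keyring "$1" "$2" "$3" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

fpr_of() { # fingerprint of the key whose user ID contains $1
    gpg --batch --with-colons --list-keys "$1" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

sign() { # sign <signing key fingerprint> <file>  ->  <file>.asc
    must gpg --batch --local-user "$1" --armor --detach-sign \
        --output "$2.asc" "$2"
}

rotation_demo() (
    # The thread's baseline is RSA 4096 with about ten years of validity;
    # the algorithm is a parameter only so the demo can be run faster.
    algo=${1:-rsa4096}
    work=$(mktemp -d) || exit 1
    trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$work"' EXIT
    GNUPGHOME=$work/home; export GNUPGHOME
    must mkdir -m 700 "$GNUPGHOME"
    cd "$work" || exit 1

    # --- template vendor: the old (current) key and its replacement ---
    for who in old new; do
        must gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "Demo $who key <$who@example.invalid>" \
            "$algo" sign 10y
    done
    old=$(fpr_of old@example.invalid)
    new=$(fpr_of new@example.invalid)
    [ -n "$old" ] && [ -n "$new" ] || exit 1

    # Export both public keys and sign the new one with the old key, so the
    # recipient can tie it to a key that is already in its keyring.
    must gpg --batch --output old-key.gpg --export "$old"
    must gpg --batch --output new-key.gpg --export "$new"
    sign "$old" new-key.gpg

    # Transition period: the legacy index stays signed with the old key,
    # a separate new index is signed with the new key.
    printf 'constructed legacy index\n' > index-old.dat
    printf 'constructed new index\n' > index-new.dat
    sign "$old" index-old.dat
    sign "$new" index-new.dat

    # --- distributor: check the hand-over, then build the joined keyring ---
    echo "handover=$(check "$work/old-key.gpg" new-key.gpg.asc new-key.gpg)"
    cat old-key.gpg new-key.gpg > joined.gpg

    # --- consumers ---
    # An updated system trusts the joined keyring: both indexes verify.
    echo "old_index_joined=$(check "$work/joined.gpg" \
        index-old.dat.asc index-old.dat)"
    echo "new_index_joined=$(check "$work/joined.gpg" \
        index-new.dat.asc index-new.dat)"
    # A system that still has only the old key cannot verify the new index,
    # which is why a hard switch of the existing index would break it.
    echo "new_index_oldring=$(check "$work/old-key.gpg" \
        index-new.dat.asc index-new.dat)"
    # A modified index fails against its signature regardless of keyring.
    cp index-new.dat tampered.dat
    printf 'extra entry\n' >> tampered.dat
    echo "tampered=$(check "$work/joined.gpg" index-new.dat.asc tampered.dat)"
)
```

Source the file and call `rotation_demo` to print the five results; everything is created in a temporary directory that is removed on exit.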





Re: [pve-devel] [PATCH v4 cluster/network/manager/qemu-server/container/docs 00/33] Add support for DHCP servers to SDN

2023-11-22 Thread DERUMIER, Alexandre
Hi,
I just sent a patch to fix ipv6 RA.
(we need to remove listen-ip from config, and use interface=, to
get it to work)


I correctly see the packet sent now:

Nov 22 08:55:13 formationkvm3 dnsmasq-dhcp[1222769]: IPv6 router advertisement enabled
Nov 22 08:55:13 formationkvm3 dnsmasq[1222769]: cleared cache
Nov 22 08:55:13 formationkvm3 dnsmasq-dhcp[1222769]: read /etc/dnsmasq.d/simpve/ethers
Nov 22 08:55:14 formationkvm3 dnsmasq-dhcp[1222769]: RTR-ADVERT(vnetpve) 2a0a:1580:2000:6000::
Nov 22 08:55:26 formationkvm3 dnsmasq-dhcp[1222769]: RTR-ADVERT(vnetpve) 2a0a:1580:2000:6000::
Nov 22 08:55:38 formationkvm3 dnsmasq-dhcp[1222769]: RTR-ADVERT(vnetpve) 2a0a:1580:2000:6000::



testing with a vm,  got 2a0a:1580:2000:6000::11   (with /128 mask)

# ip addr
2: eth0@if409:  mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 12:45:e3:2e:f0:bf brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.2.14/24 brd 192.168.2.255 scope global eth0
   valid_lft forever preferred_lft forever
inet6 2a0a:1580:2000:6000::11/128 scope global 
   valid_lft forever preferred_lft forever
inet6 fe80::1045:e3ff:fe2e:f0bf/64 scope link 
   valid_lft forever preferred_lft forever

and default route from RA.  (via the local-link)


~# ip -6 route
::1 dev lo proto kernel metric 256 pref medium
2a0a:1580:2000:6000::11 dev eth0 proto kernel metric 256 pref medium
2a0a:1580:2000:6000::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::a0f5:fdff:feb3:f04a dev eth0 proto ra metric 1024 expires 1456sec hoplimit 64 pref medium
