[pve-devel] [PATCH common] zsh-completion: Add missing flag to compadd

2020-02-20 Thread Christian Ebner
This fixes an issue with zsh completion where certain words were not added to
the list of matches, but incorrectly interpreted as flags or options.

By passing the "--" flag, compadd is notified that all following arguments
should be considered for completion and not interpreted as flags or options
for compadd.

Details can be found in the compadd documentation:
http://zsh.sourceforge.net/Doc/Release/Completion-Widgets.html#Completion-Builtin-Commands

Signed-off-by: Christian Ebner 
---
 src/PVE/CLIHandler.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PVE/CLIHandler.pm b/src/PVE/CLIHandler.pm
index 249c7cc..763cd60 100644
--- a/src/PVE/CLIHandler.pm
+++ b/src/PVE/CLIHandler.pm
@@ -519,7 +519,7 @@ function _$exename() {
 cmd=\${words[1]}
 curr=\${words[cwords]}
 prev=\${words[cwords-1]}
-compadd \$(COMP_CWORD="\$cwords" COMP_LINE="\$line" COMP_POINT="\$point" \\
+compadd -- \$(COMP_CWORD="\$cwords" COMP_LINE="\$line" 
COMP_POINT="\$point" \\
$exename bashcomplete "\$cmd" "\$curr" "\$prev")
 }
 __EOD__
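
Review bot: the commit message names no completion candidate that reproduces the problem, which makes the change on the "compadd --" line hard to verify. The words passed to compadd come from the output of "$exename bashcomplete", so any candidate beginning with "-" was previously parsed as a compadd option; naming one such candidate in the message would let a reviewer test before and after.
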
-- 
2.20.1

___
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


[pve-devel] [PATCH firewall] logging: Add missing logmsg for inbound rules

2020-01-28 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 src/PVE/Firewall.pm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 255bb9a..d22b15a 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2491,6 +2491,7 @@ sub enable_host_firewall {
$rule->{iface_in} = $rule->{iface} if $rule->{iface};
 
eval {
+   $rule->{logmsg} = "$rule->{action}: ";
if ($rule->{type} eq 'group') {
ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 
'IN', $accept_action, $ipversion);
} elsif ($rule->{type} eq 'in') {
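
Review bot: the added assignment to $rule->{logmsg} at the top of the eval block is unconditional, so it overwrites any logmsg already present on the rule and applies to 'group' rules as well as 'in' rules. If that is intended, the commit message should say so and show a log line before and after; otherwise guard it, e.g. with //= instead of =.
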
-- 
2.20.1



[pve-devel] [PATCH firewall] macros: add macro for Proxmox Mail Gateway web interface

2020-01-21 Thread Christian Ebner
Macro to allow access to the PMG web interface when hosted on PVE.

Signed-off-by: Christian Ebner 
---
 src/PVE/Firewall.pm | 4 
 1 file changed, 4 insertions(+)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 4a534d0..255bb9a 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -394,6 +394,10 @@ my $pve_fw_macros = {
{ action => 'PARAM', proto => 'udp', dport => '5632' },
{ action => 'PARAM', proto => 'tcp', dport => '5631' },
 ],
+'PMG' => [
+   "Proxmox Mail Gateway web interface",
+   { action => 'PARAM', proto => 'tcp', dport => '8006' },
+],
 'POP3' => [
"POP3 traffic",
{ action => 'PARAM', proto => 'tcp', dport => '110' },
-- 
2.20.1



[pve-devel] [PATCH docs] firewall-doc: update list of default ports by range used for migration

2019-12-03 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 pve-firewall.adoc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pve-firewall.adoc b/pve-firewall.adoc
index 2bcdf6e..7c60330 100644
--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
@@ -426,6 +426,8 @@ following traffic is still allowed for all {pve} hosts in 
the cluster:
 * TCP traffic from management hosts to port 3128 for connections to the SPICE
   proxy
 * TCP traffic from management hosts to port 22 to allow ssh access
+* TCP traffic from management hosts to port range 6 to 60050 for migration
+  traffic
 * UDP traffic in the cluster network to port 5404 and 5405 for corosync
 * UDP multicast traffic in the cluster network
 * ICMP traffic type 3 (Destination Unreachable), 4 (congestion control) or 11
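
Review bot: the added bullet reads "port range 6 to 60050", which does not match the 60000:60050 range given in the subject of the corresponding firewall patch. For the documentation of a default allow rule the exact bounds matter, so the line should state the range the rule actually opens.
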
@@ -634,6 +636,7 @@ Ports used by {pve}
 * sshd (used for cluster actions): 22
 * rpcbind: 111
 * corosync multicast (if you run a cluster): 5404, 5405 UDP
+* some migration traffic: 6-60050 TCP
 
 
 ifdef::manvolnum[]
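
Review bot: "some migration traffic" in the added port list entry does not tell the reader which migrations use this range, and the range shown ("6-60050") needs the same check against the firewall patch subject (60000:60050) as the bullet in the first hunk. Naming the case would make the entry usable for writing external firewall rules.
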
-- 
2.20.1



[pve-devel] [PATCH firewall] rules: allow connections on port range 60000:60050 in management network for migration

2019-12-02 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 src/PVE/Firewall.pm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index db16e0f..ae67bcd 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2505,6 +2505,7 @@ sub enable_host_firewall {
 ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 5900:5999", 
"-j $accept_action");  # PVE VNC Console
 ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128", "-j 
$accept_action");  # SPICE Proxy
 ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22", "-j 
$accept_action");  # SSH
+ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 6:60050", 
"-j $accept_action");  # Migration
 
 # corosync inbound rules
 if (defined($corosync_conf)) {
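
Review bot: the added rule passes "--dport 6:60050", which accepts TCP from the management source on nearly every port, while the subject and the "# Migration" comment describe the range 60000:60050. The rule should read "--dport 60000:60050" so that only the migration range is opened; as written it also makes the VNC, SPICE and SSH rules directly above it redundant.
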
-- 
2.20.1



Re: [pve-devel] [PATCH common] cli-formatter: avoid warning when trying to sort on undefined key

2019-11-26 Thread Christian Ebner
Please do not apply, this breaks sorting!

> On November 21, 2019 3:21 PM Christian Ebner  wrote:
> 
>  
> Example:
> pvesh get /nodes/{node}/qemu/{vmid}/rrddata --timeframe day
> 
> If the sorting key is not defined in the dataset, e.g. when a VM was not
> running for some time within the given timeframe, this resulted in several
> ugly warnings.
> 
> Signed-off-by: Christian Ebner 
> ---
>  src/PVE/CLIFormatter.pm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/src/PVE/CLIFormatter.pm b/src/PVE/CLIFormatter.pm
> index 0e9cbe6..65802f8 100644
> --- a/src/PVE/CLIFormatter.pm
> +++ b/src/PVE/CLIFormatter.pm
> @@ -175,9 +175,9 @@ sub print_text_table {
>  if (defined($sort_key) && $sort_key ne 0) {
>   my $type = $returnprops->{$sort_key}->{type} // 'string';
>   if ($type eq 'integer' || $type eq 'number') {
> - @$data = sort { $a->{$sort_key} <=> $b->{$sort_key} } @$data;
> + @$data = sort { defined $a->{$sort_key} <=> defined $b->{$sort_key} 
> } @$data;
>   } else {
> - @$data = sort { $a->{$sort_key} cmp $b->{$sort_key} } @$data;
> + @$data = sort { defined $a->{$sort_key} cmp defined $b->{$sort_key} 
> } @$data;
>   }
>  }
>  
> -- 
> 2.20.1



[pve-devel] [PATCH v2 common] cli-formatter: avoid warning when trying to sort on undefined key

2019-11-26 Thread Christian Ebner
Example:
pvesh get /nodes/{node}/qemu/{vmid}/rrddata --timeframe day

If the sorting key is not defined in the dataset, e.g. when a VM was not running
for some time within the given timeframe, this resulted in several ugly
warnings.

Signed-off-by: Christian Ebner 
---

v2: Oops, v1 is nonsense and breaks sorting.

 src/PVE/CLIFormatter.pm | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/PVE/CLIFormatter.pm b/src/PVE/CLIFormatter.pm
index 0e9cbe6..21fa2df 100644
--- a/src/PVE/CLIFormatter.pm
+++ b/src/PVE/CLIFormatter.pm
@@ -175,9 +175,11 @@ sub print_text_table {
 if (defined($sort_key) && $sort_key ne 0) {
my $type = $returnprops->{$sort_key}->{type} // 'string';
if ($type eq 'integer' || $type eq 'number') {
-   @$data = sort { $a->{$sort_key} <=> $b->{$sort_key} } @$data;
+   @$data = sort { $a->{$sort_key} <=> $b->{$sort_key}
+   if defined $a->{$sort_key} && defined $b->{$sort_key} } @$data;
} else {
-   @$data = sort { $a->{$sort_key} cmp $b->{$sort_key} } @$data;
+   @$data = sort { $a->{$sort_key} cmp $b->{$sort_key}
+   if defined $a->{$sort_key} && defined $b->{$sort_key} } @$data;
}
 }
 
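
Review bot: in both added sort blocks the comparison is guarded by a trailing "if defined ... && defined ...", so when either value is undefined the block returns the false result of that condition and sort treats the pair as equal. An undefined entry then compares equal to every other entry while the defined entries still differ from each other, which is not a consistent ordering, and the position of rows around an undefined one is left to the sort algorithm. Give undefined values a fixed place instead: compare definedness first when it differs, return 0 when both are undefined, and compare the values only when both are defined.
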
-- 
2.20.1



[pve-devel] [PATCH common] cli-formatter: avoid warning when trying to sort on undefined key

2019-11-21 Thread Christian Ebner
Example:
pvesh get /nodes/{node}/qemu/{vmid}/rrddata --timeframe day

If the sorting key is not defined in the dataset, e.g. when a VM was not running
for some time within the given timeframe, this resulted in several ugly
warnings.

Signed-off-by: Christian Ebner 
---
 src/PVE/CLIFormatter.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PVE/CLIFormatter.pm b/src/PVE/CLIFormatter.pm
index 0e9cbe6..65802f8 100644
--- a/src/PVE/CLIFormatter.pm
+++ b/src/PVE/CLIFormatter.pm
@@ -175,9 +175,9 @@ sub print_text_table {
 if (defined($sort_key) && $sort_key ne 0) {
my $type = $returnprops->{$sort_key}->{type} // 'string';
if ($type eq 'integer' || $type eq 'number') {
-   @$data = sort { $a->{$sort_key} <=> $b->{$sort_key} } @$data;
+   @$data = sort { defined $a->{$sort_key} <=> defined $b->{$sort_key} 
} @$data;
} else {
-   @$data = sort { $a->{$sort_key} cmp $b->{$sort_key} } @$data;
+   @$data = sort { defined $a->{$sort_key} cmp defined $b->{$sort_key} 
} @$data;
}
 }
 
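
Review bot: both changed sort blocks now compare the results of defined, i.e. whether each value exists, and no longer compare the values themselves, so rows that all have the key are treated as equal and are no longer sorted by it. The warning goes away only because the values are never looked at; the undefined case needs to be handled separately from the value comparison.
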
-- 
2.20.1



[pve-devel] [PATCH docs] qm: fix typo: /ghen/When/

2019-11-06 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 qm.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/qm.adoc b/qm.adoc
index 9ee4460..429cff6 100644
--- a/qm.adoc
+++ b/qm.adoc
@@ -507,7 +507,7 @@ host.
 .Fixed Memory Allocation
 [thumbnail="screenshot/gui-create-vm-memory.png"]
 
-ghen setting memory and minimum memory to the same amount
+When setting memory and minimum memory to the same amount
 {pve} will simply allocate what you specify to your VM.
 
 Even when using a fixed memory size, the ballooning device gets added to the
-- 
2.20.1



[pve-devel] [PATCH v5 manager] fix #1291: add purge checkbox to VM/CT destroy dialog

2019-10-22 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
version 5:
   * only show checkbox for CT/VM destroy dialog (as suggested) 
   * added qtip to checkbox

 www/manager6/window/SafeDestroy.js | 22 ++
 1 file changed, 22 insertions(+)

diff --git a/www/manager6/window/SafeDestroy.js 
b/www/manager6/window/SafeDestroy.js
index eb3e6665..e1a03601 100644
--- a/www/manager6/window/SafeDestroy.js
+++ b/www/manager6/window/SafeDestroy.js
@@ -26,6 +26,10 @@ Ext.define('PVE.window.SafeDestroy', {
 
 getParams: function() {
var me = this;
+   var purgeCheckbox = me.lookupReference('purgeCheckbox');
+   if (purgeCheckbox.checked) {
+   me.params.purge = 1;
+   }
if (Ext.Object.isEmpty(me.params)) {
return '';
}
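
Review bot: in getParams, me.params.purge is set to 1 when the checkbox is ticked but never removed, so if getParams runs again after the box has been unticked the stored purge value is still sent. Build the parameter from the current checkbox state on each call, or delete me.params.purge in an else branch; because purge widens what a destroy removes, the request should carry it only when the box is checked at submit time.
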
@@ -121,6 +125,18 @@ Ext.define('PVE.window.SafeDestroy', {
labelWidth: 300,
hideTrigger: true,
allowBlank: false
+   },
+   {
+   xtype: 'proxmoxcheckbox',
+   name: 'purge',
+   reference: 'purgeCheckbox',
+   fieldLabel: gettext('Purge'),
+   labelWidth: 300,
+   checked: false,
+   autoEl: {
+   tag: 'div',
+   'data-qtip': gettext('Remove from replication and 
backup jobs')
+   }
}
]
}
@@ -165,6 +181,12 @@ Ext.define('PVE.window.SafeDestroy', {
 
messageCmp.setHtml(msg);
 
+   if (!(item.type === 'VM' || item.type === 'CT')) {
+   let purgeCheckbox = me.lookupReference('purgeCheckbox');
+   purgeCheckbox.setDisabled(true);
+   purgeCheckbox.setHidden(true);
+   }
+
var confirmField = me.lookupReference('confirmField');
msg = gettext('Please enter the ID to confirm') +
' (' + item.id + ')';
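
Review bot: let is used for purgeCheckbox in this block while the getParams hunk of the same patch uses var for the same lookup; pick one style for the file. The condition is also easier to read as item.type !== 'VM' && item.type !== 'CT'. Note that getParams reads purgeCheckbox.checked without looking at the disabled state, so for other item types this relies on the box starting unchecked.
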
-- 
2.20.1



[pve-devel] [PATCH v4 guest-common 2/2] fix #1291: implement remove_vmid_from_backup_jobs

2019-10-15 Thread Christian Ebner
remove_vmid_from_backup_jobs updates the vzdump.cron backup jobs,
excluding the given vmid.

Signed-off-by: Christian Ebner 
---
version 4:
* VZDump::Common cfs registers vzdump.cron instead of PVE::VZDump

 PVE/VZDump/Plugin.pm | 46 
 1 file changed, 46 insertions(+)

diff --git a/PVE/VZDump/Plugin.pm b/PVE/VZDump/Plugin.pm
index 9933ef6..73bbae1 100644
--- a/PVE/VZDump/Plugin.pm
+++ b/PVE/VZDump/Plugin.pm
@@ -7,6 +7,8 @@ use POSIX qw(strftime);
 
 use PVE::Tools;
 use PVE::SafeSyslog;
+use PVE::Cluster qw(cfs_read_file cfs_write_file cfs_lock_file);
+use PVE::VZDump::Common; # register parser/writer for vzdump.cron
 
 my $log_level = {
 err =>  'ERROR:',
@@ -168,4 +170,48 @@ sub cleanup {
 die "internal error"; # implement in subclass
 }
 
+sub remove_vmid_from_list {
+my ($list, $rm_vmid) = @_;
+# this removes the given vmid from the list, if present
+return join(',', grep { $_ ne $rm_vmid } PVE::Tools::split_list($list));
+}
+
+sub remove_vmid_from_jobs {
+my ($jobs, $exclude_vmid) = @_;
+
+my $updated_jobs = [];
+foreach my $job (@$jobs) {
+   if (defined $job->{vmid}) {
+   my $list = remove_vmid_from_list($job->{vmid}, $exclude_vmid);
+   if ($list) {
+   $job->{vmid} = $list;
+   push @$updated_jobs, $job;
+   }
+   } elsif (defined $job->{exclude}) {
+   my $list = remove_vmid_from_list($job->{exclude}, $exclude_vmid);
+   if ($list) {
+   $job->{exclude} = $list;
+   } else {
+   delete $job->{exclude};
+   }
+   push @$updated_jobs, $job;
+   } else {
+   push @$updated_jobs, $job;
+   }
+}
+return $updated_jobs;
+}
+
+sub remove_vmid_from_backup_jobs {
+my ($vmid) = @_;
+
+cfs_lock_file('vzdump.cron', undef, sub {
+   my $vzdump_jobs = cfs_read_file('vzdump.cron');
+   my $jobs = $vzdump_jobs->{jobs} || [];
+   $vzdump_jobs->{jobs} = remove_vmid_from_jobs($jobs, $vmid);
+   cfs_write_file('vzdump.cron', $vzdump_jobs);
+});
+die "$@" if ($@);
+}
+
 1;
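
Review bot: in remove_vmid_from_jobs, a job whose vmid list becomes empty is dropped from the returned list without any log entry, so a purge can silently delete a whole backup job from vzdump.cron. A syslog line at that point (PVE::SafeSyslog is already imported in this file) would leave a trace of what was removed and why. In remove_vmid_from_backup_jobs, die "$@" only stringifies the error; die $@ if $@; passes it on unchanged.
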
-- 
2.20.1



[pve-devel] [PATCH v4 manager 2/2] fix #1291: add purge checkbox to VM/CT destroy dialog

2019-10-15 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
version 4:
* no changes since v3

 www/manager6/window/SafeDestroy.js | 12 
 1 file changed, 12 insertions(+)

diff --git a/www/manager6/window/SafeDestroy.js 
b/www/manager6/window/SafeDestroy.js
index eb3e6665..ef867deb 100644
--- a/www/manager6/window/SafeDestroy.js
+++ b/www/manager6/window/SafeDestroy.js
@@ -26,6 +26,10 @@ Ext.define('PVE.window.SafeDestroy', {
 
 getParams: function() {
var me = this;
+   var purgeCheckbox = me.lookupReference('purgeCheckbox');
+   if (purgeCheckbox.checked) {
+   me.params.purge = 1;
+   }
if (Ext.Object.isEmpty(me.params)) {
return '';
}
@@ -121,6 +125,14 @@ Ext.define('PVE.window.SafeDestroy', {
labelWidth: 300,
hideTrigger: true,
allowBlank: false
+   },
+   {
+   xtype: 'proxmoxcheckbox',
+   name: 'purge',
+   reference: 'purgeCheckbox',
+   fieldLabel: gettext('Purge'),
+   labelWidth: 300,
+   checked: false
}
]
}
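
Review bot: the new checkbox carries only the label gettext('Purge') and nothing that tells the user what will be purged; since ticking it removes additional configuration on destroy, it needs a tooltip or a longer label. It is also added to the dialog unconditionally, so it appears for every item type the SafeDestroy window is used for, not only for VMs and CTs.
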
-- 
2.20.1



[pve-devel] [PATCH v4 pve-docs 1/1] gen vzdump: json_config_properties() moved from VZDump to VZDump::Common

2019-10-15 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
version 4:
* not present in v3

 gen-vzdump.conf.5-opts.pl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gen-vzdump.conf.5-opts.pl b/gen-vzdump.conf.5-opts.pl
index 4e013fb..dc1e0c5 100755
--- a/gen-vzdump.conf.5-opts.pl
+++ b/gen-vzdump.conf.5-opts.pl
@@ -4,9 +4,9 @@ use lib '.';
 use strict;
 use warnings;
 use PVE::RESTHandler;
-use PVE::VZDump;
+use PVE::VZDump::Common;
 
-my $prop = PVE::VZDump::json_config_properties();
+my $prop = PVE::VZDump::Common::json_config_properties();
 my $skip = {
 all => 1,
 exclude => 1,
-- 
2.20.1



[pve-devel] [patch v4 container 1/1] fix #1291: add option purge for destroy_vm api call

2019-10-15 Thread Christian Ebner
When destroying a CT, we intentionally did not remove all related configs such
as backup or replication jobs.
The intention of this flag is to allow the removal of such configs on destroy.

Signed-off-by: Christian Ebner 
---
version 4:
* no changes since v3

 src/PVE/API2/LXC.pm | 17 ++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
index 28c9047..5c22060 100644
--- a/src/PVE/API2/LXC.pm
+++ b/src/PVE/API2/LXC.pm
@@ -18,6 +18,7 @@ use PVE::LXC;
 use PVE::LXC::Create;
 use PVE::LXC::Migrate;
 use PVE::GuestHelpers;
+use PVE::VZDump::Plugin;
 use PVE::API2::LXC::Config;
 use PVE::API2::LXC::Status;
 use PVE::API2::LXC::Snapshot;
@@ -636,6 +637,11 @@ __PACKAGE__->register_method({
properties => {
node => get_standard_option('pve-node'),
vmid => get_standard_option('pve-vmid', { completion => 
\&PVE::LXC::complete_ctid_stopped }),
+   purge => {
+   type => 'boolean',
+   description => "Remove vmid from backup cron jobs.",
+   optional => 1,
+   },
},
 },
 returns => {
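
Review bot: the description of the new purge property says "Remove vmid from backup cron jobs.", but a later hunk of this patch also calls PVE::ReplicationConfig::remove_vmid_jobs when purge is set. The description should mention replication jobs as well, since this text is what API users will read.
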
@@ -656,9 +662,13 @@ __PACKAGE__->register_method({
die "unable to remove CT $vmid - used in HA resources\n"
if PVE::HA::Config::vm_is_ha_managed($vmid);
 
-   # do not allow destroy if there are replication jobs
-   my $repl_conf = PVE::ReplicationConfig->new();
-   $repl_conf->check_for_existing_jobs($vmid);
+   if ($param->{purge}) {
+   PVE::ReplicationConfig::remove_vmid_jobs($vmid);
+   } else {
+   # do not allow destroy if there are replication jobs
+   my $repl_conf = PVE::ReplicationConfig->new();
+   $repl_conf->check_for_existing_jobs($vmid);
+   }
 
my $running_error_msg = "unable to destroy CT $vmid - container is 
running\n";
 
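
Review bot: with purge set, PVE::ReplicationConfig::remove_vmid_jobs($vmid) runs here ahead of the running check that follows, so a destroy that is then refused because the container is running has already removed its replication jobs. Move the removal to a point where the destroy can no longer be rejected, for example next to the backup job removal in the locked code.
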
@@ -674,6 +684,7 @@ __PACKAGE__->register_method({
PVE::LXC::destroy_lxc_container($storage_cfg, $vmid, $conf);
PVE::AccessControl::remove_vm_access($vmid);
PVE::Firewall::remove_vmfw_conf($vmid);
+   PVE::VZDump::Plugin::remove_vmid_from_backup_jobs($vmid) if 
($param->{purge});
};
 
my $realcmd = sub { PVE::LXC::Config->lock_config($vmid, $code); };
-- 
2.20.1



[pve-devel] [PATCH v4 guest-common 1/2] vzdump: move registration of vzdump.cron from manager to guest-common to avoid cyclic dependency

2019-10-15 Thread Christian Ebner
The registration of the vzdump.cron file was handled in pve-manager.
By moving the relevant code to pve-guest-common, cyclic dependencies
for cfs registration are avoided.
This makes this patch of guest-common a build dependency for the other
packages touched in this patch series.

Signed-off-by: Christian Ebner 
---
version 4:
* not present in v3

 Makefile |   1 +
 PVE/VZDump/Common.pm | 391 +++
 2 files changed, 392 insertions(+)
 create mode 100644 PVE/VZDump/Common.pm

diff --git a/Makefile b/Makefile
index c5a5967..47ac8a6 100644
--- a/Makefile
+++ b/Makefile
@@ -41,6 +41,7 @@ install: PVE
install -m 0644 PVE/Replication.pm ${PERL5DIR}/PVE/
install -d ${PERL5DIR}/PVE/VZDump
install -m 0644 PVE/VZDump/Plugin.pm ${PERL5DIR}/PVE/VZDump/
+   install -m 0644 PVE/VZDump/Common.pm ${PERL5DIR}/PVE/VZDump/
 
 .PHONY: upload
 upload: ${DEB}
diff --git a/PVE/VZDump/Common.pm b/PVE/VZDump/Common.pm
new file mode 100644
index 000..4789a50
--- /dev/null
+++ b/PVE/VZDump/Common.pm
@@ -0,0 +1,391 @@
+package PVE::VZDump::Common;
+
+use strict;
+use warnings;
+use Digest::SHA;
+
+use PVE::Tools;
+use PVE::SafeSyslog qw(syslog);
+use PVE::Storage;
+use PVE::Cluster qw(cfs_register_file);
+use PVE::JSONSchema qw(get_standard_option);
+
+cfs_register_file('vzdump.cron',
+ \&parse_vzdump_cron_config,
+ \&write_vzdump_cron_config);
+
+my $dowhash_to_dow = sub {
+my ($d, $num) = @_;
+
+my @da = ();
+push @da, $num ? 1 : 'mon' if $d->{mon};
+push @da, $num ? 2 : 'tue' if $d->{tue};
+push @da, $num ? 3 : 'wed' if $d->{wed};
+push @da, $num ? 4 : 'thu' if $d->{thu};
+push @da, $num ? 5 : 'fri' if $d->{fri};
+push @da, $num ? 6 : 'sat' if $d->{sat};
+push @da, $num ? 7 : 'sun' if $d->{sun};
+
+return join ',', @da;
+};
+
+# parse crontab style day of week
+sub parse_dow {
+my ($dowstr, $noerr) = @_;
+
+my $dowmap = {mon => 1, tue => 2, wed => 3, thu => 4,
+ fri => 5, sat => 6, sun => 7};
+my $rdowmap = { '1' => 'mon', '2' => 'tue', '3' => 'wed', '4' => 'thu',
+   '5' => 'fri', '6' => 'sat', '7' => 'sun', '0' => 'sun'};
+
+my $res = {};
+
+$dowstr = '1,2,3,4,5,6,7' if $dowstr eq '*';
+
+foreach my $day (PVE::Tools::split_list($dowstr)) {
+   if ($day =~ 
m/^(mon|tue|wed|thu|fri|sat|sun)-(mon|tue|wed|thu|fri|sat|sun)$/i) {
+   for (my $i = $dowmap->{lc($1)}; $i <= $dowmap->{lc($2)}; $i++) {
+   my $r = $rdowmap->{$i};
+   $res->{$r} = 1;
+   }
+   } elsif ($day =~ m/^(mon|tue|wed|thu|fri|sat|sun|[0-7])$/i) {
+   $day = $rdowmap->{$day} if $day =~ m/\d/;
+   $res->{lc($day)} = 1;
+   } else {
+   return undef if $noerr;
+   die "unable to parse day of week '$dowstr'\n";
+   }
+}
+
+return $res;
+};
+
+my $confdesc = {
+vmid => {
+   type => 'string', format => 'pve-vmid-list',
+   description => "The ID of the guest system you want to backup.",
+   completion => \&PVE::Cluster::complete_local_vmid,
+   optional => 1,
+},
+node => get_standard_option('pve-node', {
+   description => "Only run if executed on this node.",
+   completion => \&PVE::Cluster::get_nodelist,
+   optional => 1,
+}),
+all => {
+   type => 'boolean',
+   description => "Backup all known guest systems on this host.",
+   optional => 1,
+   default => 0,
+},
+stdexcludes => {
+   type => 'boolean',
+   description => "Exclude temporary files and logs.",
+   optional => 1,
+   default => 1,
+},
+compress => {
+   type => 'string',
+   description => "Compress dump file.",
+   optional => 1,
+   enum => ['0', '1', 'gzip', 'lzo'],
+   default => '0',
+},
+pigz=> {
+   type => "integer",
+   description => "Use pigz instead of gzip when N>0.".
+   " N=1 uses half of cores, N>1 uses N as thread count.",
+   optional => 1,
+   default => 0,
+},
+quiet => {
+   type => 'boolean',
+   description => "Be quiet.",
+   optional => 1,
+   default => 0,
+},
+mode => {
+
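
Review bot: in parse_dow, a day range whose start is later in the week than its end (for example "sat-mon") matches the range pattern, but the for loop from $dowmap->{lc($1)} to $dowmap->{lc($2)} never runs, so the entry is silently dropped instead of being rejected with the "unable to parse day of week" error. Since the code is being moved anyway, this is a good moment to die for such ranges or handle the wrap, in a separate commit so that the move itself stays verbatim.
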

[pve-devel] [PATCH v4 manager 1/2] vzdump: move code needed for cfs register of vzdump.cron to guest-common

2019-10-15 Thread Christian Ebner
This removes the cfs register code for vzdump.cron, now located in
pve-guest-common.
It therefore relies on the corresponding patches in pve-guest-common
be6bd58a51f2bba931136595b93cb1ad41b0abdd
and pve-docs
82af9e5b9a7f620356e46c76f324c1a425964243
as build dependencies.

Signed-off-by: Christian Ebner 
---
version 4:
* not present in v3

 PVE/API2/Backup.pm | 169 +--
 PVE/API2/VZDump.pm |   5 +-
 PVE/VZDump.pm  | 213 +
 3 files changed, 9 insertions(+), 378 deletions(-)

diff --git a/PVE/API2/Backup.pm b/PVE/API2/Backup.pm
index 0b69cc62..86377c0a 100644
--- a/PVE/API2/Backup.pm
+++ b/PVE/API2/Backup.pm
@@ -6,20 +6,17 @@ use Digest::SHA;
 
 use PVE::SafeSyslog;
 use PVE::Tools qw(extract_param);
-use PVE::Cluster qw(cfs_register_file cfs_lock_file cfs_read_file 
cfs_write_file);
+use PVE::Cluster qw(cfs_lock_file cfs_read_file cfs_write_file);
 use PVE::RESTHandler;
 use PVE::RPCEnvironment;
 use PVE::JSONSchema;
 use PVE::Storage;
 use PVE::Exception qw(raise_param_exc);
 use PVE::VZDump;
+use PVE::VZDump::Common;
 
 use base qw(PVE::RESTHandler);
 
-cfs_register_file ('vzdump.cron',
-  \&parse_vzdump_cron_config,
-  \&write_vzdump_cron_config);
-
 PVE::JSONSchema::register_format('pve-day-of-week', \&verify_day_of_week);
 sub verify_day_of_week {
 my ($value, $noerr) = @_;
@@ -37,164 +34,6 @@ my $vzdump_job_id_prop = {
 maxLength => 50
 };
 
-my $dowhash_to_dow = sub {
-my ($d, $num) = @_;
-
-my @da = ();
-push @da, $num ? 1 : 'mon' if $d->{mon};
-push @da, $num ? 2 : 'tue' if $d->{tue};
-push @da, $num ? 3 : 'wed' if $d->{wed};
-push @da, $num ? 4 : 'thu' if $d->{thu};
-push @da, $num ? 5 : 'fri' if $d->{fri};
-push @da, $num ? 6 : 'sat' if $d->{sat};
-push @da, $num ? 7 : 'sun' if $d->{sun};
-
-return join ',', @da;
-};
-
-# parse crontab style day of week
-sub parse_dow {
-my ($dowstr, $noerr) = @_;
-
-my $dowmap = {mon => 1, tue => 2, wed => 3, thu => 4,
- fri => 5, sat => 6, sun => 7};
-my $rdowmap = { '1' => 'mon', '2' => 'tue', '3' => 'wed', '4' => 'thu',
-   '5' => 'fri', '6' => 'sat', '7' => 'sun', '0' => 'sun'};
-
-my $res = {};
-
-$dowstr = '1,2,3,4,5,6,7' if $dowstr eq '*';
-
-foreach my $day (PVE::Tools::split_list($dowstr)) {
-   if ($day =~ 
m/^(mon|tue|wed|thu|fri|sat|sun)-(mon|tue|wed|thu|fri|sat|sun)$/i) {
-   for (my $i = $dowmap->{lc($1)}; $i <= $dowmap->{lc($2)}; $i++) {
-   my $r = $rdowmap->{$i};
-   $res->{$r} = 1;
-   }
-   } elsif ($day =~ m/^(mon|tue|wed|thu|fri|sat|sun|[0-7])$/i) {
-   $day = $rdowmap->{$day} if $day =~ m/\d/;
-   $res->{lc($day)} = 1;
-   } else {
-   return undef if $noerr;
-   die "unable to parse day of week '$dowstr'\n";
-   }
-}
-
-return $res;
-};
-
-my $vzdump_properties = {
-additionalProperties => 0,
-properties => PVE::VZDump::json_config_properties({}),
-};
-
-sub parse_vzdump_cron_config {
-my ($filename, $raw) = @_;
-
-my $jobs = []; # correct jobs
-
-my $ejobs = []; # mailfomerd lines
-
-my $jid = 1; # we start at 1
-
-my $digest = Digest::SHA::sha1_hex(defined($raw) ? $raw : '');
-
-while ($raw && $raw =~ s/^(.*?)(\n|$)//) {
-   my $line = $1;
-
-   next if $line =~ m/^\#/;
-   next if $line =~ m/^\s*$/;
-   next if $line =~ m/^PATH\s*=/; # we always overwrite path
-
-   if ($line =~ 
m|^(\d+)\s+(\d+)\s+\*\s+\*\s+(\S+)\s+root\s+(/\S+/)?(#)?vzdump(\s+(.*))?$|) {
-   eval {
-   my $minute = int($1);
-   my $hour = int($2);
-   my $dow = $3;
-   my $param = $7;
-   my $enabled = $5;
-
-   my $dowhash = parse_dow($dow, 1);
-   die "unable to parse day of week '$dow' in '$filename'\n" if 
!$dowhash;
-
-   my $args = PVE::Tools::split_args($param);
-   my $opts = PVE::JSONSchema::get_options($vzdump_properties, 
$args, 'vmid');
-
-   $opts->{enabled} = !defined($enabled);
-   $opts->{id} = "$digest:$jid";
-   $jid++;
-   $opts->{starttime} = sprintf "%02d:%02d", $hour, $minute;
-   $opts->{dow} = &$dowhash_to_dow($dowhash);
-
-   push @$jobs, $opts;
-   };
-   my $err = $@;
-   if ($er

[pve-devel] [patch v4 qemu 1/1] fix #1291: add option purge for vm_destroy api call

2019-10-15 Thread Christian Ebner
When destroying a VM, we intentionally did not remove all related configs such
as backup or replication jobs.
The intention of this flag is to allow the removal of such configs on destroy.

Signed-off-by: Christian Ebner 
---
version 4:
* no changes since v3

 PVE/API2/Qemu.pm | 19 +++
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 267a08e..dcb2d52 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -28,6 +28,7 @@ use PVE::Network;
 use PVE::Firewall;
 use PVE::API2::Firewall::VM;
 use PVE::API2::Qemu::Agent;
+use PVE::VZDump::Plugin;
 
 BEGIN {
 if (!$ENV{PVE_GENERATING_DOCS}) {
@@ -1457,6 +1458,11 @@ __PACKAGE__->register_method({
node => get_standard_option('pve-node'),
vmid => get_standard_option('pve-vmid', { completion => 
\&PVE::QemuServer::complete_vmid_stopped }),
skiplock => get_standard_option('skiplock'),
+   purge => {
+   type => 'boolean',
+   description => "Remove vmid from backup cron jobs.",
+   optional => 1,
+   },
},
 },
 returns => {
@@ -1480,9 +1486,13 @@ __PACKAGE__->register_method({
die "unable to remove VM $vmid - used in HA resources\n"
if PVE::HA::Config::vm_is_ha_managed($vmid);
 
-   # do not allow destroy if there are replication jobs
-   my $repl_conf = PVE::ReplicationConfig->new();
-   $repl_conf->check_for_existing_jobs($vmid);
+   if ($param->{purge}) {
+   PVE::ReplicationConfig::remove_vmid_jobs($vmid);
+   } else {
+   # do not allow destroy if there are replication jobs
+   my $repl_conf = PVE::ReplicationConfig->new();
+   $repl_conf->check_for_existing_jobs($vmid);
+   }
 
# early tests (repeat after locking)
die "VM $vmid is running - destroy failed\n"
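
Review bot: the purge branch removes the replication jobs ahead of the "early tests" below it, so a request that fails with "VM $vmid is running - destroy failed" leaves the VM in place but without its replication jobs. The removal belongs after the checks that can abort the request, inside the locked section where the comment says the tests are repeated.
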
@@ -1494,7 +1504,8 @@ __PACKAGE__->register_method({
syslog('info', "destroy VM $vmid: $upid\n");
PVE::QemuServer::vm_destroy($storecfg, $vmid, $skiplock);
PVE::AccessControl::remove_vm_access($vmid);
-PVE::Firewall::remove_vmfw_conf($vmid);
+   PVE::Firewall::remove_vmfw_conf($vmid);
+   PVE::VZDump::Plugin::remove_vmid_from_backup_jobs($vmid) if 
($param->{purge});
};
 
return $rpcenv->fork_worker('qmdestroy', $vmid, $authuser, $realcmd);
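
Review bot: the remove_vmfw_conf line is removed and re-added with only its indentation changed; that whitespace fix should go into a separate commit so the functional change here is just the added remove_vmid_from_backup_jobs call. That call also runs after vm_destroy has already succeeded, so a failure while updating vzdump.cron is reported for a VM that is already gone; consider catching it and logging a warning instead.
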
-- 
2.20.1



[pve-devel] [PATCH v4 0/7] add purge option for VM/CT destroy

2019-10-15 Thread Christian Ebner
When destroying a VM/CT, we intentionally did not remove all related configs
such as backup or replication jobs.
The intention of this flag is to allow the removal of such configs on destroy.

This patch series implements this functionality and additionally moves the
cfs register code for vzdump.cron to pve-guest-common to avoid a cyclic
dependency.

Christian Ebner (2):
  vzdump: move registration of vzdump.cron from manager to guest-common
to avoid cyclic dependency
  fix #1291: implement remove_vmid_from_backup_jobs

 Makefile |   1 +
 PVE/VZDump/Common.pm | 391 +++
 PVE/VZDump/Plugin.pm |  46 +
 3 files changed, 438 insertions(+)
 create mode 100644 PVE/VZDump/Common.pm

Christian Ebner (1):
  gen vzdump: json_config_properties() moved from VZDump to
VZDump::Common

 gen-vzdump.conf.5-opts.pl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Christian Ebner (2):
  vzdump: move code needed for cfs register of vzdump.cron to
guest-common
  fix #1291: add purge checkbox to VM/CT destroy dialog

 PVE/API2/Backup.pm | 169 +--
 PVE/API2/VZDump.pm |   5 +-
 PVE/VZDump.pm  | 213 +
 www/manager6/window/SafeDestroy.js |  12 ++
 4 files changed, 21 insertions(+), 378 deletions(-)

Christian Ebner (1):
  fix #1291: add option purge for destroy_vm api call

 src/PVE/API2/LXC.pm | 17 ++---
 1 file changed, 14 insertions(+), 3 deletions(-)

Christian Ebner (1):
  fix #1291: add option purge for vm_destroy api call

 PVE/API2/Qemu.pm | 19 +++
 1 file changed, 15 insertions(+), 4 deletions(-)

-- 
2.20.1



Re: [pve-devel] [PATCH manager 3/4] spice: Add enhancements to VM Options panel

2019-09-16 Thread Christian Ebner


> On September 16, 2019 2:44 PM Stefan Reiter  wrote:
> 
>  
> On 9/13/19 3:16 PM, Aaron Lauterer wrote:
> > Signed-off-by: Aaron Lauterer 
> > ---
> >   www/manager6/Utils.js| 18 ++
> >   www/manager6/qemu/Options.js | 13 +
> >   2 files changed, 31 insertions(+)
> > 
> > diff --git a/www/manager6/Utils.js b/www/manager6/Utils.js
> > index 6a489e7e..139200c3 100644
> > --- a/www/manager6/Utils.js
> > +++ b/www/manager6/Utils.js
> > @@ -334,6 +334,24 @@ Ext.define('PVE.Utils', { utilities: {
> > }
> >   },
> >   
> > +render_spice_enhancements: function(value) {
> > +   if (!value) {
> > +   return Proxmox.Utils.disabledText;
> > +   }
> > +   var props = PVE.Parser.parsePropertyString(value);
> > +   if (Ext.Object.isEmpty(props)) {
> > +   return Proxmox.Utils.disabledText;
> > +   }
> > +   var ret = [];
> > +   if (props.foldersharing === "1") {
> 
> I don't think '=== "1"' catches all cases here, USBEdit.js for example 
> contains a check like this:
> 
>if (/^usb3=(1|on|true)$/.test(data[i])) {
>   ...
>}
> 
> while our JSONSchema parser even accepts "yes" in addition to the ones 
> above.
> 
> Maybe a common Regex/helper like "parse_boolean" in JSONSchema.pm would 
> be useful in JS too?

We have parseBoolean in Parser.js for that, which checks for 1|yes|on|true and
makes sure upper/lower case is taken into account too.

> 
> 
> > +   ret.push("Folder sharing enabled");
> 
> These...
> 
> > +   }
> > +   if (props.videostreaming === "all" || props.videostreaming === 
> > "filter") {
> > +   ret.push("Video Streaming: " + props.videostreaming);
> 
> ...need localization (gettext), since not language independent.
> 
> > +   } > +   return ret.join(", ");
> > +},
> > +
> >   // fixme: auto-generate this
> >   // for now, please keep in sync with PVE::Tools::kvmkeymaps
> >   kvm_keymaps: {
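Review bot: `props.foldersharing === "1"` in `render_spice_enhancements` matches only one of the accepted spellings of a true value, so a value stored as `on`, `yes` or `true` would be rendered as if folder sharing were off. Use the existing `PVE.Parser.parseBoolean` helper mentioned in this thread instead of the string comparison, and wrap the two strings passed to `ret.push(...)` in `gettext()` so the renderer output is translatable like the rest of the panel.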
> > diff --git a/www/manager6/qemu/Options.js b/www/manager6/qemu/Options.js
> > index e1580060..96eb0499 100644
> > --- a/www/manager6/qemu/Options.js
> > +++ b/www/manager6/qemu/Options.js
> > @@ -281,6 +281,19 @@ Ext.define('PVE.qemu.Options', {
> > }
> > } : undefined
> > },
> > +   spice_enhancements: {
> > +   header: gettext('Spice Enhancements'),
> > +   defaultValue: false,
> > +   renderer:  PVE.Utils.render_spice_enhancements,
> > +   editor: caps.vms['VM.Config.Options'] ? {
> > +   xtype: 'proxmoxWindowEdit',
> > +   subject: gettext('Spice Enhancements'),
> 
> Just as a note, SPICE enhancements currently don't have a documentation 
> available, but once they do, an "onlineHelp" would be useful here.
> 
> > +   items: {
> > +   xtype: 'pveSpiceEnhancementSelector',
> > +   name: 'spice_enhancements',
> > +   }
> > +   } : undefined
> > +   },
> 
> Maybe disable this if VGA is not QXL (see also my note in 4/4).
> 
> > hookscript: {
> > header: gettext('Hookscript')
> > }
> > 
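Review bot: the `items` object ends with a trailing comma after `name: 'spice_enhancements',` while the neighbouring literals in this hunk (for example `header: gettext('Hookscript')`) do not use one; drop it for consistency. The row is also offered regardless of the configured display, so consider disabling the editor when the VGA type is not QXL, as raised in the thread.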
> 



Re: [pve-devel] [PATCH v3 guest-common 1/2] fix #1291: implement remove_vmid_from_backup_jobs

2019-09-05 Thread Christian Ebner
Okay, sounds good to me, I will prepare a v4.
Thanks for the feedback!

> On September 5, 2019 10:01 AM Fabian Grünbichler wrote:
> 
>  
> On September 4, 2019 4:41 pm, Thomas Lamprecht wrote:
> > On 01.07.19 15:43, Christian Ebner wrote:
> >> remove_vmid_from_backup_jobs updates the vzdump.cron backup jobs,
> >> excluding the given vmid.
> >> 
> >> Signed-off-by: Christian Ebner 
> >> ---
> >>  PVE/VZDump/Plugin.pm | 46 
> >>  1 file changed, 46 insertions(+)
> >> 
> >> diff --git a/PVE/VZDump/Plugin.pm b/PVE/VZDump/Plugin.pm
> >> index 9933ef6..f415242 100644
> >> --- a/PVE/VZDump/Plugin.pm
> >> +++ b/PVE/VZDump/Plugin.pm
> >> @@ -7,6 +7,8 @@ use POSIX qw(strftime);
> >>  
> >>  use PVE::Tools;
> >>  use PVE::SafeSyslog;
> >> +use PVE::Cluster qw(cfs_read_file cfs_write_file cfs_lock_file);
> >> +use PVE::API2::Backup;
> >^
> > above won't fly, that's a module from pve-manager and thus would create a cyclic
> > build dependency.. And I'd rather reduce than increase them ;)
> > 
> > The use is for the vzdump cron parser/writer which are cfs_registered in that
> > file.. So either we move that out to a module here (or even higher up) or do
> > something else, avoiding use of modules which are lower in the dependency chain.
> > 
> 
> we want to use it from pve-container and qemu-server, so the only sane 
> choice is to move the cfs_register part to guest-common IMHO. polluting 
> pve-common or pve-cluster (or pve-access-control) is even worse, and 
> there's nothing else that fits the bill that we can access from 
> pve-container and qemu-server unless I am missing something..



Re: [pve-devel] [PATCH docs] pve-network: add short section explaining Open vSwitch

2019-08-29 Thread Christian Ebner
Okay, I can do that. Will dig a little bit deeper into Linux bridges and their 
current capabilities as well as OVS.

Thx for your feedback!

> On August 28, 2019 10:32 AM Thomas Lamprecht  wrote:
> 
>  
> On 28.08.19 10:10, Aaron Lauterer wrote:
> > 
> > 
> > On 8/28/19 9:42 AM, Thomas Lamprecht wrote:
> >> On 27.08.19 16:31, Aaron Lauterer wrote:
> >>> On 8/27/19 12:27 PM, Christian Ebner wrote:
> >>>> Signed-off-by: Christian Ebner 
> >>>
> >>>> +In contrast to Linux virtual bridges, OVS bridges can carry multiple 
> >>>> VLANs over
> >>>> +a sinlge bridge.
> >>>
> >>> # this is not true. by now Linux bridges can be set to VLAN aware and thus
> >>> reduce the use cases for the OVS quite a bit.
> >>
> >> With vlan-aware on you cannot do any VXLANs anymore, AFAIK, which OVS still can.
> >> But yes, in general that comment is not the full truth so maybe just omit it
> >> for now..
> >>
> > 
> > What if we put a subsection "Open vSwitch vs. Linux bridges" / "Comparison to
> > Linux bridges" at the beginning of the OVS section?
> > 
> > I think one or two paragraphs there could help people a lot to decide if they
> > even need OVS. Talking about the features and use cases. In which situations
> > the Linux Bridge is not enough anymore and OVS is needed.
> 
> Sounds good to me. Would then need to be updated from time to time, though, as
> Linux Bridges have seen quite some improvements over time I'd guess there's more
> to come in future kernel releases.



[pve-devel] [PATCH docs] pve-network: add short section explaining Open vSwitch

2019-08-27 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 pve-network.adoc | 140 ++-
 1 file changed, 139 insertions(+), 1 deletion(-)

diff --git a/pve-network.adoc b/pve-network.adoc
index b2dae97..e8f17af 100644
--- a/pve-network.adoc
+++ b/pve-network.adoc
@@ -489,7 +489,145 @@ iface vmbr0 inet manual
 
 
 
+Open vSwitch
+
+
+https://www.openvswitch.org/[Open vSwitch (OVS)] is a "multilayer virtual 
switch
+designed to enable network automation through programmatic extension, while 
still
+supporting standard management interfaces and protocols". It is specifically
+tailored to function with virtualized environments.
+OVS is an alternative to Linux native bridges, bonds and VLAN interfaces and
+should never be mixed with these as this can cause problems and loss of
+connectivity.
+
+Installation
+
+
+In order to use and configure Open vSwitch (OvS) in {pve}, the
+'openvswitch-switch' package from the Proxmox VE package repositories has to be
+installed:
+
+
+# apt-get install openvswitch-switch
+
+
+Configuration
+^
+
+OVS configuration is easily performed via the web interface of the node under
+`System -> Network`.
+From there it is possible to create OVS brides, OVS bonds or an OVS internal
+ports.
+Advanced configuration is performed by editing `/etc/network/interfaces`,
+see the https://pve.proxmox.com/wiki/Open_vSwitch[Open vSwitch wiki page] for
+further details.
+
+OVS Bridge
+^^
+
+Just like a Linux virtual bridge, this will create a new OVS virtual bridge,
+allowing to attach raw ethernet devices and virtual interfaces such as OVS 
bonds
+or OVS IntPorts.
+On creation, you can directly assing raw ethernet devices to attatch to the
+bridge ports and assing an IP address to the bridge.
+In contrast to Linux virtual bridges, OVS bridges can carry multiple VLANs over
+a sinlge bridge.
+
+.Example: A simple OVS bridge setup with a single interface
+
+allow-vmbr0 eth0
+iface eth0 inet manual
+ovs_type OVSPort
+ovs_bridge vmbr0
+
+auto vmbr0
+iface vmbr0 inet manual
+ovs_type OVSBridge
+ovs_ports eth0
+
+
+OVS Bond
+
+
+Bonds are used to join two or more network interfaces (slaves) to act as a 
single
+unit in order to increase data throughput and to provide redundancy in case one
+of the links fails. Bonds must refer to raw ethernet devices (for example eth0,
+eth1).
+
+The following bond modes can be set in the web interface:
+
+* active-backup: This will configure an active/standby failover mode. All of 
the
+traffic is send over the active interface as long as it is available, on 
failure
+the standby interface is used.
+
+* balance-slb: Source load balancing or SLB bonding will divide traffic based 
on
+the ethernet source address and VLAN tag. It assigns each source MAC+VLAN to a
+link.
+
+* LACP (balance-slb): This will configure balance-slb with LACP set to active.
+
+* LACP (balance-tcp): This will perform load balancing with layer 2 to layer 4
+data taken into consideration with LACP set to active.
+
+NOTE: The use of LACP for link aggregation is recommended when creating a 
bond, but
+requires the switch on the other end to support this.
+
+For further details refere to the
+http://docs.openvswitch.org/en/latest/topics/bonding/[corresponding section in
+the Open vSwitch documentation.]
+
+.Example: A simple OVS bond configuration
+
+allow-vmbr0 bond0
+iface bond0 inet manual
+ovs_bonds eth0 eth1
+ovs_type OVSBond
+ovs_bridge vmbr0
+ovs_options bond_mode=balance-tcp lacp=active
+
+auto vmbr0
+iface vmbr0 inet manual
+ovs_type OVSBridge
+ovs_ports bond0
+
+
+OVS IntPort
+^^^
+
+The creation of an OVS IntPort is neccessary in order for the host to connect 
to 
+a VLAN on the bridge.
+This creates a virtual interface for the specified VLAN to which then an IP
+address can be assigned.
+The so created ports must also show up in the corresponding bridge definition 
and
+have to be prefixed with the `allow-$bridge $iface`.
+
+.Example: A OVS IntPort with assigned IP address
+
+allow-vmbr0 bond0
+iface bond0 inet manual
+ovs_bonds eth0 eth1
+ovs_type OVSBond
+ovs_bridge vmbr0
+ovs_options tag=10 bond_mode=balance-tcp lacp=active
+
+allow-vmbr0 vlan10
+iface vlan10 inet static
+address 10.0.0.10
+netmask 24
+ovs_type OVSIntPort
+ovs_bridge vmbr0
+ovs_options tag=10
+
+auto vmbr0
+iface vmbr0 inet manual
+ovs_type OVSBridge
+ovs_ports bond0 vlan10
+
+
+For further details see http://docs.openvswitch.org/en/latest/[the Open 
vSwitch documentation] and 
+the https://pve.proxmox.com/wiki/Open_vSwitch[Open vSwitch wiki page].
+
 
 TODO: explain IPv6 support?
-TODO: explain OVS
+
 
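Review bot: in the IntPort example, `bond0` carries `ovs_options tag=10 bond_mode=balance-tcp lacp=active`, which makes the uplink bond itself an access port for VLAN 10 instead of a trunk; unless that is intended, drop `tag=10` from the bond stanza and keep it only on `vlan10`. The added text also needs a spelling pass ("brides", "assing", "attatch", "sinlge", "refere", "neccessary", "an OVS internal ports") and uses both "OVS" and "OvS". The sentence stating that, in contrast to Linux bridges, OVS bridges can carry multiple VLANs over a single bridge should be reworded or dropped, since Linux bridges can be set VLAN aware as noted in the replies.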
-- 
2.20.1



[pve-devel] [PATCH firewall] firewall macros: add new Ceph protocol v2 port while keeping v1 port

2019-07-12 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 src/PVE/Firewall.pm | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index c946040..0c34439 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -214,7 +214,10 @@ my $pve_fw_macros = {
 ],
 'Ceph' => [
 "Ceph Storage Cluster traffic (Ceph Monitors, OSD & MDS Deamons)",
+   # Legacy port for protocol v1
 { action => 'PARAM', proto => 'tcp', dport => '6789' },
+   # New port for protocol v2
+{ action => 'PARAM', proto => 'tcp', dport => '3300' },
 { action => 'PARAM', proto => 'tcp', dport => '6800:7300' },
 ],
 'CVS' => [
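Review bot: the two added comments say "protocol v1" and "protocol v2" but not which of the daemons named in the macro description listens on `6789` and `3300`; name the service in the comment so these entries can be told apart from the `6800:7300` range below them. The commit has no message body, so a sentence on why both ports stay in the macro would help later readers. The added comment lines also appear to be indented differently from the `{ action => 'PARAM', ... }` entries next to them.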
-- 
2.20.1



Re: [pve-devel] Wrong path for ipset

2019-07-12 Thread Christian Ebner
Thank you for testing and reporting!

We did notice this and fixed it with 
https://git.proxmox.com/?p=pve-firewall.git;a=commit;h=c1031ab16cda7208eb161c891eceac31976a74b9

Best regards,
Chris

> On July 12, 2019 12:33 PM Caspar Smit  wrote:
> 
>  
> Hi,
> 
> This commit changes the path for ipset from /sbin/ipset to /usr/sbin/ipset:
> 
> https://git.proxmox.com/?p=pve-firewall.git;a=commit;h=648cbd5ad0cdee2c0b4dd1e0b35da8760e8e0c27
> 
> But ipset is not available in /usr/sbin (the rest of the iptables tools are)
> 
> Kind regards,
> Caspar Smit



[pve-devel] [PATCH v3 qemu 5/7] Newline cleanup

2019-07-01 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 PVE/API2/Qemu.pm | 9 -
 1 file changed, 9 deletions(-)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index e2a63be..5bdd052 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -1436,7 +1436,6 @@ __PACKAGE__->register_method({
 }
 });
 
-
 __PACKAGE__->register_method({
 name => 'destroy_vm',
 path => '{vmid}',
@@ -1462,9 +1461,7 @@ __PACKAGE__->register_method({
my ($param) = @_;
 
my $rpcenv = PVE::RPCEnvironment::get();
-
my $authuser = $rpcenv->get_user();
-
my $vmid = $param->{vmid};
 
my $skiplock = $param->{skiplock};
@@ -1473,11 +1470,8 @@ __PACKAGE__->register_method({
 
# test if VM exists
my $conf = PVE::QemuConfig->load_config($vmid);
-
my $storecfg = PVE::Storage::config();
-
PVE::QemuConfig->check_protection($conf, "can't remove VM $vmid");
-
die "unable to remove VM $vmid - used in HA resources\n"
if PVE::HA::Config::vm_is_ha_managed($vmid);
 
@@ -1493,11 +1487,8 @@ __PACKAGE__->register_method({
my $upid = shift;
 
syslog('info', "destroy VM $vmid: $upid\n");
-
PVE::QemuServer::vm_destroy($storecfg, $vmid, $skiplock);
-
PVE::AccessControl::remove_vm_access($vmid);
-
 PVE::Firewall::remove_vmfw_conf($vmid);
};
 
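Review bot: in this last hunk, `PVE::Firewall::remove_vmfw_conf($vmid);` keeps its deviating indentation although this patch is the whitespace cleanup of the series; the line is then re-indented in 6/7 together with the functional change. Fix the indentation here so that 6/7 contains only the purge logic.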
-- 
2.20.1



[pve-devel] [PATCH v3 manager 7/7] fix #1291: add purge checkbox to VM/CT destroy dialog

2019-07-01 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 www/manager6/window/SafeDestroy.js | 12 
 1 file changed, 12 insertions(+)

diff --git a/www/manager6/window/SafeDestroy.js 
b/www/manager6/window/SafeDestroy.js
index eb3e6665..ef867deb 100644
--- a/www/manager6/window/SafeDestroy.js
+++ b/www/manager6/window/SafeDestroy.js
@@ -26,6 +26,10 @@ Ext.define('PVE.window.SafeDestroy', {
 
 getParams: function() {
var me = this;
+   var purgeCheckbox = me.lookupReference('purgeCheckbox');
+   if (purgeCheckbox.checked) {
+   me.params.purge = 1;
+   }
if (Ext.Object.isEmpty(me.params)) {
return '';
}
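Review bot: `me.params.purge = 1` is written before the `Ext.Object.isEmpty(me.params)` check, so it assumes `me.params` is always an object at this point, and it mutates the window's `me.params` instead of a local copy. Once set, `purge` stays in `me.params` even if the user unticks the box and `getParams` runs again. Build the parameter object locally and add `purge` only while `purgeCheckbox.checked` is true.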
@@ -121,6 +125,14 @@ Ext.define('PVE.window.SafeDestroy', {
labelWidth: 300,
hideTrigger: true,
allowBlank: false
+   },
+   {
+   xtype: 'proxmoxcheckbox',
+   name: 'purge',
+   reference: 'purgeCheckbox',
+   fieldLabel: gettext('Purge'),
+   labelWidth: 300,
+   checked: false
}
]
}
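Review bot: the field label `gettext('Purge')` gives no hint of what is removed. For an irreversible action the dialog should state that the guest is removed from backup and replication job configurations, either in the label itself or in an accompanying help text.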
-- 
2.20.1



[pve-devel] [PATCH v3 container 4/7] fix #1291: add option purge for destroy_vm api call

2019-07-01 Thread Christian Ebner
When destroying a CT, we intentionally did not remove all related configs such as
backup or replication jobs.
The intention of this flag is to allow the removal of such configs on destroy.

Signed-off-by: Christian Ebner 
---
 src/PVE/API2/LXC.pm | 17 ++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
index 1561cfe..0acb59e 100644
--- a/src/PVE/API2/LXC.pm
+++ b/src/PVE/API2/LXC.pm
@@ -18,6 +18,7 @@ use PVE::LXC;
 use PVE::LXC::Create;
 use PVE::LXC::Migrate;
 use PVE::GuestHelpers;
+use PVE::VZDump::Plugin;
 use PVE::API2::LXC::Config;
 use PVE::API2::LXC::Status;
 use PVE::API2::LXC::Snapshot;
@@ -627,6 +628,11 @@ __PACKAGE__->register_method({
properties => {
node => get_standard_option('pve-node'),
vmid => get_standard_option('pve-vmid', { completion => 
\&PVE::LXC::complete_ctid_stopped }),
+   purge => {
+   type => 'boolean',
+   description => "Remove vmid from backup cron jobs.",
+   optional => 1,
+   },
},
 },
 returns => {
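Review bot: the `description` of `purge` reads "Remove vmid from backup cron jobs.", but in this version the flag also deletes replication jobs through `PVE::ReplicationConfig::remove_vmid_jobs($vmid)`. Update the description so the generated API documentation covers both effects.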
@@ -647,9 +653,13 @@ __PACKAGE__->register_method({
die "unable to remove CT $vmid - used in HA resources\n"
if PVE::HA::Config::vm_is_ha_managed($vmid);
 
-   # do not allow destroy if there are replication jobs
-   my $repl_conf = PVE::ReplicationConfig->new();
-   $repl_conf->check_for_existing_jobs($vmid);
+   if ($param->{purge}) {
+   PVE::ReplicationConfig::remove_vmid_jobs($vmid);
+   } else {
+   # do not allow destroy if there are replication jobs
+   my $repl_conf = PVE::ReplicationConfig->new();
+   $repl_conf->check_for_existing_jobs($vmid);
+   }
 
my $running_error_msg = "unable to destroy CT $vmid - container is 
running\n";
 
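Review bot: with `purge` set, `PVE::ReplicationConfig::remove_vmid_jobs($vmid)` runs ahead of the `$code` block that performs the destroy and before `$running_error_msg` ("container is running") comes into play, so a request that is rejected afterwards has already deleted the replication jobs. Move the removal next to the other cleanup calls that run after `destroy_lxc_container`, and keep only the `check_for_existing_jobs` test for the non-purge case up front.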
@@ -665,6 +675,7 @@ __PACKAGE__->register_method({
PVE::LXC::destroy_lxc_container($storage_cfg, $vmid, $conf);
PVE::AccessControl::remove_vm_access($vmid);
PVE::Firewall::remove_vmfw_conf($vmid);
+   PVE::VZDump::Plugin::remove_vmid_from_backup_jobs($vmid) if 
($param->{purge});
};
 
my $realcmd = sub { PVE::LXC::Config->lock_config($vmid, $code); };
-- 
2.20.1



[pve-devel] [PATCH v3 qemu 6/7] fix #1291: add option purge for vm_destroy api call

2019-07-01 Thread Christian Ebner
When destroying a VM, we intentionally did not remove all related configs such as
backup or replication jobs.
The intention of this flag is to allow the removal of such configs on destroy.

Signed-off-by: Christian Ebner 
---
 PVE/API2/Qemu.pm | 19 +++
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 5bdd052..2f2a47b 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -28,6 +28,7 @@ use PVE::Network;
 use PVE::Firewall;
 use PVE::API2::Firewall::VM;
 use PVE::API2::Qemu::Agent;
+use PVE::VZDump::Plugin;
 
 BEGIN {
 if (!$ENV{PVE_GENERATING_DOCS}) {
@@ -1452,6 +1453,11 @@ __PACKAGE__->register_method({
node => get_standard_option('pve-node'),
vmid => get_standard_option('pve-vmid', { completion => 
\&PVE::QemuServer::complete_vmid_stopped }),
skiplock => get_standard_option('skiplock'),
+   purge => {
+   type => 'boolean',
+   description => "Remove vmid from backup cron jobs.",
+   optional => 1,
+   },
},
 },
 returns => {
@@ -1475,9 +1481,13 @@ __PACKAGE__->register_method({
die "unable to remove VM $vmid - used in HA resources\n"
if PVE::HA::Config::vm_is_ha_managed($vmid);
 
-   # do not allow destroy if there are replication jobs
-   my $repl_conf = PVE::ReplicationConfig->new();
-   $repl_conf->check_for_existing_jobs($vmid);
+   if ($param->{purge}) {
+   PVE::ReplicationConfig::remove_vmid_jobs($vmid);
+   } else {
+   # do not allow destroy if there are replication jobs
+   my $repl_conf = PVE::ReplicationConfig->new();
+   $repl_conf->check_for_existing_jobs($vmid);
+   }
 
# early tests (repeat after locking)
die "VM $vmid is running - destroy failed\n"
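Review bot: with `purge` set, the replication jobs are removed before the `# early tests (repeat after locking)` section, so a request that then dies with "VM $vmid is running - destroy failed" has already changed the replication config. Do the removal inside the worker after `vm_destroy` has succeeded, where the other cleanup calls live.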
@@ -1489,7 +1499,8 @@ __PACKAGE__->register_method({
syslog('info', "destroy VM $vmid: $upid\n");
PVE::QemuServer::vm_destroy($storecfg, $vmid, $skiplock);
PVE::AccessControl::remove_vm_access($vmid);
-PVE::Firewall::remove_vmfw_conf($vmid);
+   PVE::Firewall::remove_vmfw_conf($vmid);
+   PVE::VZDump::Plugin::remove_vmid_from_backup_jobs($vmid) if 
($param->{purge});
};
 
return $rpcenv->fork_worker('qmdestroy', $vmid, $authuser, $realcmd);
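Review bot: `remove_vmid_from_backup_jobs` is called unguarded as the last step of the worker, so if updating the backup jobs fails, the task ends with an error although the VM has already been destroyed. Wrap the call in `eval` and `warn` on failure so the task result reflects the destroy itself.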
-- 
2.20.1



[pve-devel] [PATCH v3 0/7] add purge option for VM/CT destroy

2019-07-01 Thread Christian Ebner
When destroying a VM/CT, we intentionally did not remove all related configs such
as backup or replication jobs.
The intention of this flag is to allow the removal of such configs on destroy.

Christian Ebner (2):
  fix #1291: implement remove_vmid_from_backup_jobs
  fix #1291: implement remove_vmid_jobs for ReplicationConfig

 PVE/ReplicationConfig.pm | 14 
 PVE/VZDump/Plugin.pm | 46 
 2 files changed, 60 insertions(+)

Christian Ebner (2):
  Newline cleanups
  fix #1291: add option purge for destroy_vm api call

 src/PVE/API2/LXC.pm | 21 ++---
 1 file changed, 14 insertions(+), 7 deletions(-)

Christian Ebner (2):
  Newline cleanup
  fix #1291: add option purge for vm_destroy api call

 PVE/API2/Qemu.pm | 28 +++-
 1 file changed, 15 insertions(+), 13 deletions(-)

Christian Ebner (1):
  fix #1291: add purge checkbox to VM/CT destroy dialog

 www/manager6/window/SafeDestroy.js | 12 
 1 file changed, 12 insertions(+)

-- 
2.20.1



[pve-devel] [PATCH v3 container 3/7] Newline cleanups

2019-07-01 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 src/PVE/API2/LXC.pm | 4 
 1 file changed, 4 deletions(-)

diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
index cf14d75..1561cfe 100644
--- a/src/PVE/API2/LXC.pm
+++ b/src/PVE/API2/LXC.pm
@@ -636,16 +636,12 @@ __PACKAGE__->register_method({
my ($param) = @_;
 
my $rpcenv = PVE::RPCEnvironment::get();
-
my $authuser = $rpcenv->get_user();
-
my $vmid = $param->{vmid};
 
# test if container exists
my $conf = PVE::LXC::Config->load_config($vmid);
-
my $storage_cfg = cfs_read_file("storage.cfg");
-
PVE::LXC::Config->check_protection($conf, "can't remove CT $vmid");
 
die "unable to remove CT $vmid - used in HA resources\n"
-- 
2.20.1



[pve-devel] [PATCH v3 guest-common 2/2] fix #1291: implement remove_vmid_jobs for ReplicationConfig

2019-07-01 Thread Christian Ebner
Allows removing replication jobs from the config based on the vmid.

Signed-off-by: Christian Ebner 
---
 PVE/ReplicationConfig.pm | 14 ++
 1 file changed, 14 insertions(+)

diff --git a/PVE/ReplicationConfig.pm b/PVE/ReplicationConfig.pm
index d597799..e58597e 100644
--- a/PVE/ReplicationConfig.pm
+++ b/PVE/ReplicationConfig.pm
@@ -258,6 +258,20 @@ sub delete_job {
 lock($code);
 }
 
+sub remove_vmid_jobs {
+my ($vmid) = @_;
+
+my $code = sub {
+   my $cfg = __PACKAGE__->new();
+   foreach my $id (keys %{$cfg->{ids}}) {
+   delete $cfg->{ids}->{$id} if ($cfg->{ids}->{$id}->{guest} == $vmid);
+   }
+   $cfg->write();
+};
+
+lock($code);
+}
+
 sub swap_source_target_nolock {
 my ($jobid) = @_;
 
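Review bot: in `remove_vmid_jobs`, `$cfg->write()` is called even when no job matched `$vmid`, so every purge rewrites the replication config; track whether anything was deleted and write only in that case. The comparison `$cfg->{ids}->{$id}->{guest} == $vmid` is numeric and will warn on an undefined or non-numeric `guest` value, so guard it with `defined` or compare with `eq`.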
-- 
2.20.1



[pve-devel] [PATCH v3 guest-common 1/2] fix #1291: implement remove_vmid_from_backup_jobs

2019-07-01 Thread Christian Ebner
remove_vmid_from_backup_jobs updates the vzdump.cron backup jobs,
excluding the given vmid.

Signed-off-by: Christian Ebner 
---
 PVE/VZDump/Plugin.pm | 46 
 1 file changed, 46 insertions(+)

diff --git a/PVE/VZDump/Plugin.pm b/PVE/VZDump/Plugin.pm
index 9933ef6..f415242 100644
--- a/PVE/VZDump/Plugin.pm
+++ b/PVE/VZDump/Plugin.pm
@@ -7,6 +7,8 @@ use POSIX qw(strftime);
 
 use PVE::Tools;
 use PVE::SafeSyslog;
+use PVE::Cluster qw(cfs_read_file cfs_write_file cfs_lock_file);
+use PVE::API2::Backup;
 
 my $log_level = {
 err =>  'ERROR:',
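Review bot: `use PVE::API2::Backup;` imports a pve-manager module into guest-common, which creates the cyclic build dependency pointed out in the review of this patch. The module is only needed so that the `vzdump.cron` parser and writer are registered with cfs; move that registration into a module available here and drop this `use` line.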
@@ -168,4 +170,48 @@ sub cleanup {
 die "internal error"; # implement in subclass
 }
 
+sub remove_vmid_from_list {
+my ($list, $rm_vmid) = @_;
+# this removes the given vmid from the list, if present
+return join(',', grep { $_ ne $rm_vmid } PVE::Tools::split_list($list));
+}
+
+sub remove_vmid_from_jobs {
+my ($jobs, $exclude_vmid) = @_;
+
+my $updated_jobs = [];
+foreach my $job (@$jobs) {
+   if (defined $job->{vmid}) {
+   my $list = remove_vmid_from_list($job->{vmid}, $exclude_vmid);
+   if ($list) {
+   $job->{vmid} = $list;
+   push @$updated_jobs, $job;
+   }
+   } elsif (defined $job->{exclude}) {
+   my $list = remove_vmid_from_list($job->{exclude}, $exclude_vmid);
+   if ($list) {
+   $job->{exclude} = $list;
+   } else {
+   delete $job->{exclude};
+   }
+   push @$updated_jobs, $job;
+   } else {
+   push @$updated_jobs, $job;
+   }
+}
+return $updated_jobs;
+}
+
+sub remove_vmid_from_backup_jobs {
+my ($vmid) = @_;
+
+cfs_lock_file('vzdump.cron', undef, sub {
+   my $vzdump_jobs = cfs_read_file('vzdump.cron');
+   my $jobs = $vzdump_jobs->{jobs} || [];
+   $vzdump_jobs->{jobs} = remove_vmid_from_jobs($jobs, $vmid);
+   cfs_write_file('vzdump.cron', $vzdump_jobs);
+});
+die "$@" if ($@);
+}
+
 1;
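Review bot: in `remove_vmid_from_jobs`, a job whose `vmid` list becomes empty is not pushed to `$updated_jobs` and therefore disappears from `vzdump.cron` without any trace. Log the removal (the module already loads `PVE::SafeSyslog`) so an administrator can see why a backup schedule is gone. A short comment stating that jobs with neither `vmid` nor `exclude` are passed through unchanged would also help.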
-- 
2.20.1



[pve-devel] [RFC v2 0/3] fix #1291: add purge option for VM/CT destroy

2019-06-26 Thread Christian Ebner
The purge flag allows removing the vmid from the vzdump.cron backup jobs on
VM/CT destruction.

Christian Ebner (1):
  fix #1291: implement remove_vmid_from_backup_jobs

 PVE/VZDump/Plugin.pm | 46 
 1 file changed, 46 insertions(+)

Christian Ebner (1):
  fix #1291: add purge option to vm_destroy api call

 PVE/API2/Qemu.pm | 18 --
 1 file changed, 8 insertions(+), 10 deletions(-)

Christian Ebner (1):
  fix #1291: add option purge for destroy_vm api call

 src/PVE/API2/LXC.pm | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

-- 
2.20.1



[pve-devel] [RFC v2 qemu 2/3] fix #1291: add purge option to vm_destroy api call

2019-06-26 Thread Christian Ebner
The purge flag allows removing the vmid from the vzdump.cron backup jobs.

Signed-off-by: Christian Ebner 
---
version 2:
* s/remove_vmid_from_cronjobs/remove_vmid_from_backup_jobs/

 PVE/API2/Qemu.pm | 18 --
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index a628a20..62da1d8 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -28,6 +28,7 @@ use PVE::Network;
 use PVE::Firewall;
 use PVE::API2::Firewall::VM;
 use PVE::API2::Qemu::Agent;
+use PVE::VZDump::Plugin;
 
 BEGIN {
 if (!$ENV{PVE_GENERATING_DOCS}) {
@@ -1436,7 +1437,6 @@ __PACKAGE__->register_method({
 }
 });
 
-
 __PACKAGE__->register_method({
 name => 'destroy_vm',
 path => '{vmid}',
@@ -1453,6 +1453,11 @@ __PACKAGE__->register_method({
node => get_standard_option('pve-node'),
vmid => get_standard_option('pve-vmid', { completion => 
\&PVE::QemuServer::complete_vmid_stopped }),
skiplock => get_standard_option('skiplock'),
+   purge => {
+   type => 'boolean',
+   description => "Remove vmid from backup cron jobs.",
+   optional => 1,
+   },
},
 },
 returns => {
@@ -1462,9 +1467,7 @@ __PACKAGE__->register_method({
my ($param) = @_;
 
my $rpcenv = PVE::RPCEnvironment::get();
-
my $authuser = $rpcenv->get_user();
-
my $vmid = $param->{vmid};
 
my $skiplock = $param->{skiplock};
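Review bot: the blank-line removals in this hunk and in the two that follow are unrelated to the `purge` option and make the functional change harder to spot. Move them into a separate cleanup patch and keep only the `use PVE::VZDump::Plugin;` line, the new parameter and the `remove_vmid_from_backup_jobs` call here.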
@@ -1473,11 +1476,8 @@ __PACKAGE__->register_method({
 
# test if VM exists
my $conf = PVE::QemuConfig->load_config($vmid);
-
my $storecfg = PVE::Storage::config();
-
PVE::QemuConfig->check_protection($conf, "can't remove VM $vmid");
-
die "unable to remove VM $vmid - used in HA resources\n"
if PVE::HA::Config::vm_is_ha_managed($vmid);
 
@@ -1493,12 +1493,10 @@ __PACKAGE__->register_method({
my $upid = shift;
 
syslog('info', "destroy VM $vmid: $upid\n");
-
PVE::QemuServer::vm_destroy($storecfg, $vmid, $skiplock);
-
PVE::AccessControl::remove_vm_access($vmid);
-
-PVE::Firewall::remove_vmfw_conf($vmid);
+   PVE::Firewall::remove_vmfw_conf($vmid);
+   PVE::VZDump::Plugin::remove_vmid_from_backup_jobs($vmid) if 
($param->{purge});
};
 
return $rpcenv->fork_worker('qmdestroy', $vmid, $authuser, $realcmd);
-- 
2.20.1



[pve-devel] [RFC v2 container 3/3] fix #1291: add option purge for destroy_vm api call

2019-06-26 Thread Christian Ebner
The purge option allows removing the vmid from the vzdump.cron jobs.

Signed-off-by: Christian Ebner 
---
version 2:
* s/remove_vmid_from_cronjobs/remove_vmid_from_backup_jobs/

 src/PVE/API2/LXC.pm | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
index cf14d75..299312a 100644
--- a/src/PVE/API2/LXC.pm
+++ b/src/PVE/API2/LXC.pm
@@ -18,6 +18,7 @@ use PVE::LXC;
 use PVE::LXC::Create;
 use PVE::LXC::Migrate;
 use PVE::GuestHelpers;
+use PVE::VZDump::Plugin;
 use PVE::API2::LXC::Config;
 use PVE::API2::LXC::Status;
 use PVE::API2::LXC::Snapshot;
@@ -627,6 +628,11 @@ __PACKAGE__->register_method({
properties => {
node => get_standard_option('pve-node'),
vmid => get_standard_option('pve-vmid', { completion => 
\&PVE::LXC::complete_ctid_stopped }),
+   purge => {
+   type => 'boolean',
+   description => "Remove vmid from backup cron jobs.",
+   optional => 1,
+   },
},
 },
 returns => {
@@ -636,16 +642,12 @@ __PACKAGE__->register_method({
my ($param) = @_;
 
my $rpcenv = PVE::RPCEnvironment::get();
-
my $authuser = $rpcenv->get_user();
-
my $vmid = $param->{vmid};
 
# test if container exists
my $conf = PVE::LXC::Config->load_config($vmid);
-
my $storage_cfg = cfs_read_file("storage.cfg");
-
PVE::LXC::Config->check_protection($conf, "can't remove CT $vmid");
 
die "unable to remove CT $vmid - used in HA resources\n"
@@ -669,6 +671,7 @@ __PACKAGE__->register_method({
PVE::LXC::destroy_lxc_container($storage_cfg, $vmid, $conf);
PVE::AccessControl::remove_vm_access($vmid);
PVE::Firewall::remove_vmfw_conf($vmid);
+   PVE::VZDump::Plugin::remove_vmid_from_backup_jobs($vmid) if 
($param->{purge});
};
 
my $realcmd = sub { PVE::LXC::Config->lock_config($vmid, $code); };
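Review bot: `remove_vmid_from_backup_jobs` is called inside `$code`, which runs under `PVE::LXC::Config->lock_config($vmid, $code)`, so the `vzdump.cron` lock is taken while the container config lock is still held and after the container has already been destroyed. If that step dies, the task fails although the container is gone; wrap it in `eval` and `warn`, or run it once the config lock has been released.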
-- 
2.20.1



[pve-devel] [RFC v2 guest-common 1/3] fix #1291: implement remove_vmid_from_backup_jobs

2019-06-26 Thread Christian Ebner
remove_vmid_from_backup_jobs updates the vzdump.cron backup jobs,
excluding the given vmid.

Signed-off-by: Christian Ebner 
---
version 2:
* refactored remove_vmid_from_list
* s/exclude/remove/
* s/cron_cfg/vzdump_jobs/
* refactored closure

 PVE/VZDump/Plugin.pm | 46 
 1 file changed, 46 insertions(+)

diff --git a/PVE/VZDump/Plugin.pm b/PVE/VZDump/Plugin.pm
index 9933ef6..f415242 100644
--- a/PVE/VZDump/Plugin.pm
+++ b/PVE/VZDump/Plugin.pm
@@ -7,6 +7,8 @@ use POSIX qw(strftime);
 
 use PVE::Tools;
 use PVE::SafeSyslog;
+use PVE::Cluster qw(cfs_read_file cfs_write_file cfs_lock_file);
+use PVE::API2::Backup;
 
 my $log_level = {
 err =>  'ERROR:',
@@ -168,4 +170,48 @@ sub cleanup {
 die "internal error"; # implement in subclass
 }
 
+sub remove_vmid_from_list {
+my ($list, $rm_vmid) = @_;
+# this removes the given vmid from the list, if present
+return join(',', grep { $_ ne $rm_vmid } PVE::Tools::split_list($list));
+}
+
+sub remove_vmid_from_jobs {
+my ($jobs, $exclude_vmid) = @_;
+
+my $updated_jobs = [];
+foreach my $job (@$jobs) {
+   if (defined $job->{vmid}) {
+   my $list = remove_vmid_from_list($job->{vmid}, $exclude_vmid);
+   if ($list) {
+   $job->{vmid} = $list;
+   push @$updated_jobs, $job;
+   }
+   } elsif (defined $job->{exclude}) {
+   my $list = remove_vmid_from_list($job->{exclude}, $exclude_vmid);
+   if ($list) {
+   $job->{exclude} = $list;
+   } else {
+   delete $job->{exclude};
+   }
+   push @$updated_jobs, $job;
+   } else {
+   push @$updated_jobs, $job;
+   }
+}
+return $updated_jobs;
+}
+
+sub remove_vmid_from_backup_jobs {
+my ($vmid) = @_;
+
+cfs_lock_file('vzdump.cron', undef, sub {
+   my $vzdump_jobs = cfs_read_file('vzdump.cron');
+   my $jobs = $vzdump_jobs->{jobs} || [];
+   $vzdump_jobs->{jobs} = remove_vmid_from_jobs($jobs, $vmid);
+   cfs_write_file('vzdump.cron', $vzdump_jobs);
+});
+die "$@" if ($@);
+}
+
 1;
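Review bot: the changelog lists `s/exclude/remove/`, but `remove_vmid_from_jobs` still names its parameter `$exclude_vmid`; rename it to `$rm_vmid` as in `remove_vmid_from_list`. At the end of `remove_vmid_from_backup_jobs`, `die "$@" if ($@);` stringifies the error, so use `die $@ if $@;` to pass an exception object through unchanged.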
-- 
2.20.1



[pve-devel] [RFC qemu 2/3] fix #1291: add purge option to vm_destroy api call

2019-06-25 Thread Christian Ebner
The purge flag allows removing the vmid from the vzdump.cron backup jobs.

Signed-off-by: Christian Ebner 
---
 PVE/API2/Qemu.pm | 18 --
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index a628a20..60b0f11 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -28,6 +28,7 @@ use PVE::Network;
 use PVE::Firewall;
 use PVE::API2::Firewall::VM;
 use PVE::API2::Qemu::Agent;
+use PVE::VZDump::Plugin;
 
 BEGIN {
 if (!$ENV{PVE_GENERATING_DOCS}) {
@@ -1436,7 +1437,6 @@ __PACKAGE__->register_method({
 }
 });
 
-
 __PACKAGE__->register_method({
 name => 'destroy_vm',
 path => '{vmid}',
@@ -1453,6 +1453,11 @@ __PACKAGE__->register_method({
node => get_standard_option('pve-node'),
vmid => get_standard_option('pve-vmid', { completion => 
\&PVE::QemuServer::complete_vmid_stopped }),
skiplock => get_standard_option('skiplock'),
+   purge => {
+   type => 'boolean',
+   description => "Remove vmid from backup cron jobs.",
+   optional => 1,
+   },
},
 },
 returns => {
@@ -1462,9 +1467,7 @@ __PACKAGE__->register_method({
my ($param) = @_;
 
my $rpcenv = PVE::RPCEnvironment::get();
-
my $authuser = $rpcenv->get_user();
-
my $vmid = $param->{vmid};
 
my $skiplock = $param->{skiplock};
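Review bot: the blank lines removed in this hunk, after the $rpcenv and $authuser assignments, are whitespace-only changes unrelated to the purge option, and the same applies to the following hunk around load_config and check_protection. Please move them to a separate cleanup patch so the functional change stays easy to review and to backport.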
@@ -1473,11 +1476,8 @@ __PACKAGE__->register_method({
 
# test if VM exists
my $conf = PVE::QemuConfig->load_config($vmid);
-
my $storecfg = PVE::Storage::config();
-
PVE::QemuConfig->check_protection($conf, "can't remove VM $vmid");
-
die "unable to remove VM $vmid - used in HA resources\n"
if PVE::HA::Config::vm_is_ha_managed($vmid);
 
@@ -1493,12 +1493,10 @@ __PACKAGE__->register_method({
my $upid = shift;
 
syslog('info', "destroy VM $vmid: $upid\n");
-
PVE::QemuServer::vm_destroy($storecfg, $vmid, $skiplock);
-
PVE::AccessControl::remove_vm_access($vmid);
-
-PVE::Firewall::remove_vmfw_conf($vmid);
+   PVE::Firewall::remove_vmfw_conf($vmid);
+   PVE::VZDump::Plugin::remove_vmid_from_cronjobs($vmid) if 
($param->{purge});
};
 
return $rpcenv->fork_worker('qmdestroy', $vmid, $authuser, $realcmd);
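Review bot: remove_vmid_from_cronjobs is called last in the worker with no error handling, after vm_destroy, remove_vm_access and remove_vmfw_conf have already run. Patch 1/3 of this series re-throws any cfs_lock_file error with die, so a failed lock on vzdump.cron would end the qmdestroy task with an error although the VM is already gone, and the vmid would remain in the backup jobs. Consider wrapping the call in eval and emitting a warning instead. The remove_vmfw_conf line also appears to be removed and re-added with only its indentation changed, which is noise in this hunk.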
-- 
2.11.0



[pve-devel] [RFC 0/3] fix #1291: add purge option for VM/CT destroy

2019-06-25 Thread Christian Ebner
The purge flag allows removing the vmid from the vzdump.cron backup jobs on
VM/CT destruction.

Christian Ebner (1):
  fix #1291: implement remove_vmid_from_cronjobs

 PVE/VZDump/Plugin.pm | 51 +++
 1 file changed, 51 insertions(+)

Christian Ebner (1):
  fix #1291: add purge option to vm_destroy api call

 PVE/API2/Qemu.pm | 18 --
 1 file changed, 8 insertions(+), 10 deletions(-)

Christian Ebner (1):
  fix #1291: add option purge for destroy_vm api call

 src/PVE/API2/LXC.pm | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

-- 
2.11.0



[pve-devel] [RFC guest-common 1/3] fix #1291: implement remove_vmid_from_cronjobs

2019-06-25 Thread Christian Ebner
remove_vmid_from_cronjobs updates the vzdump.cron backup jobs,
excluding the given vmid.

Signed-off-by: Christian Ebner 
---
 PVE/VZDump/Plugin.pm | 51 +++
 1 file changed, 51 insertions(+)

diff --git a/PVE/VZDump/Plugin.pm b/PVE/VZDump/Plugin.pm
index 9933ef6..28f018b 100644
--- a/PVE/VZDump/Plugin.pm
+++ b/PVE/VZDump/Plugin.pm
@@ -7,6 +7,8 @@ use POSIX qw(strftime);
 
 use PVE::Tools;
 use PVE::SafeSyslog;
+use PVE::Cluster qw(cfs_read_file cfs_write_file cfs_lock_file);
+use PVE::API2::Backup;
 
 my $log_level = {
 err =>  'ERROR:',
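Review bot: nothing in the subs added by this patch refers to PVE::API2::Backup by name, so it is unclear why the module is loaded here. If it is needed only for a side effect, such as making the vzdump.cron file known to cfs_read_file and cfs_write_file, say so in a comment next to the use line. Note also that this series tags Plugin.pm as guest-common while PVE/API2/Backup.pm is changed by a patch tagged manager, so this use line looks like a dependency in the wrong direction.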
@@ -168,4 +170,53 @@ sub cleanup {
 die "internal error"; # implement in subclass
 }
 
+sub exclude_vmid_from_list {
+my ($list, $exclude_vmid) = @_;
+
+my $updated_list = [];
+foreach my $vmid (PVE::Tools::split_list($list)) {
+   push @$updated_list, $vmid if $vmid ne $exclude_vmid;
+}
+return join ",", @$updated_list;
+}
+
+sub exclude_vmid_from_jobs {
+my ($jobs, $exclude_vmid) = @_;
+
+my $updated_jobs = [];
+foreach my $job (@$jobs) {
+   if (defined $job->{vmid}) {
+   my $list = exclude_vmid_from_list($job->{vmid}, $exclude_vmid);
+   if ($list) {
+   $job->{vmid} = $list;
+   push @$updated_jobs, $job;
+   }
+   } elsif (defined $job->{exclude}) {
+   my $list = exclude_vmid_from_list($job->{exclude}, $exclude_vmid);
+   if ($list) {
+   $job->{exclude} = $list;
+   } else {
+   delete $job->{exclude};
+   }
+   push @$updated_jobs, $job;
+   } else {
+   push @$updated_jobs, $job;
+   }
+}
+return $updated_jobs;
+}
+
+sub remove_vmid_from_cronjobs {
+my ($vmid) = @_;
+
+my $update_cron = sub {
+   my $cron_cfg = cfs_read_file('vzdump.cron');
+   my $jobs = $cron_cfg->{jobs} || [];
+   $cron_cfg->{jobs} = exclude_vmid_from_jobs($jobs, $vmid);
+   cfs_write_file('vzdump.cron', $cron_cfg);
+};
+cfs_lock_file('vzdump.cron', undef, $update_cron);
+die "$@" if ($@);
+}
+
 1;
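Review bot: remove_vmid_from_cronjobs calls cfs_write_file on every invocation, even when exclude_vmid_from_jobs changed nothing because the vmid appears in no job. Let exclude_vmid_from_jobs report whether it modified or dropped a job and skip the write otherwise, so destroying a guest that was never part of a backup job does not rewrite the cluster-wide vzdump.cron. Minor: the loop in exclude_vmid_from_list could be a single grep over PVE::Tools::split_list($list).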
-- 
2.11.0



[pve-devel] [RFC container 3/3] fix #1291: add option purge for destroy_vm api call

2019-06-25 Thread Christian Ebner
The purge option allows removing the vmid from the vzdump.cron jobs.

Signed-off-by: Christian Ebner 
---
 src/PVE/API2/LXC.pm | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
index cf14d75..563cfb9 100644
--- a/src/PVE/API2/LXC.pm
+++ b/src/PVE/API2/LXC.pm
@@ -18,6 +18,7 @@ use PVE::LXC;
 use PVE::LXC::Create;
 use PVE::LXC::Migrate;
 use PVE::GuestHelpers;
+use PVE::VZDump::Plugin;
 use PVE::API2::LXC::Config;
 use PVE::API2::LXC::Status;
 use PVE::API2::LXC::Snapshot;
@@ -627,6 +628,11 @@ __PACKAGE__->register_method({
properties => {
node => get_standard_option('pve-node'),
vmid => get_standard_option('pve-vmid', { completion => 
\&PVE::LXC::complete_ctid_stopped }),
+   purge => {
+   type => 'boolean',
+   description => "Remove vmid from backup cron jobs.",
+   optional => 1,
+   },
},
 },
 returns => {
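Review bot: the purge property added here is the same five-line block that the Qemu.pm patch in this series adds. Both files already use get_standard_option for node and vmid, so registering purge once as a standard option would keep its type and description from drifting apart. The description could also state that without the flag the backup jobs are left untouched.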
@@ -636,16 +642,12 @@ __PACKAGE__->register_method({
my ($param) = @_;
 
my $rpcenv = PVE::RPCEnvironment::get();
-
my $authuser = $rpcenv->get_user();
-
my $vmid = $param->{vmid};
 
# test if container exists
my $conf = PVE::LXC::Config->load_config($vmid);
-
my $storage_cfg = cfs_read_file("storage.cfg");
-
PVE::LXC::Config->check_protection($conf, "can't remove CT $vmid");
 
die "unable to remove CT $vmid - used in HA resources\n"
@@ -669,6 +671,7 @@ __PACKAGE__->register_method({
PVE::LXC::destroy_lxc_container($storage_cfg, $vmid, $conf);
PVE::AccessControl::remove_vm_access($vmid);
PVE::Firewall::remove_vmfw_conf($vmid);
+   PVE::VZDump::Plugin::remove_vmid_from_cronjobs($vmid) if 
($param->{purge});
};
 
my $realcmd = sub { PVE::LXC::Config->lock_config($vmid, $code); };
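Review bot: the added remove_vmid_from_cronjobs call sits in the closure that appears to be $code, which the following line runs under lock_config, so the cluster-wide vzdump.cron lock is requested while the container's config lock is still held. The backup job cleanup does not need the guest config; moving it out of $code, after lock_config returns, avoids nesting the two locks and keeps a slow or failed cron lock from being reported as a failure of the destroy itself.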
-- 
2.11.0



[pve-devel] [PATCH manager] backup jobs: Acquire lock before modifying vzdump.cron

2019-06-24 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 PVE/API2/Backup.pm | 108 +
 1 file changed, 59 insertions(+), 49 deletions(-)

diff --git a/PVE/API2/Backup.pm b/PVE/API2/Backup.pm
index 3dfe8a0d..141402b1 100644
--- a/PVE/API2/Backup.pm
+++ b/PVE/API2/Backup.pm
@@ -270,15 +270,19 @@ __PACKAGE__->register_method({
if defined($param->{$key}) && ($user ne 'root@pam');
}
 
-   my $data = cfs_read_file('vzdump.cron');
+   my $create_job = sub {
+   my $data = cfs_read_file('vzdump.cron');
 
-   $param->{dow} = 'mon,tue,wed,thu,fri,sat,sun' if 
!defined($param->{dow});
-   $param->{enabled} = 1 if !defined($param->{enabled});
-   PVE::VZDump::verify_vzdump_parameters($param, 1);
+   $param->{dow} = 'mon,tue,wed,thu,fri,sat,sun' if 
!defined($param->{dow});
+   $param->{enabled} = 1 if !defined($param->{enabled});
+   PVE::VZDump::verify_vzdump_parameters($param, 1);
 
-   push @{$data->{jobs}}, $param;
+   push @{$data->{jobs}}, $param;
 
-   cfs_write_file('vzdump.cron', $data);
+   cfs_write_file('vzdump.cron', $data);
+   };
+   cfs_lock_file('vzdump.cron', undef, $create_job);
+   die "$@" if ($@);
 
return undef;
 }});
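Review bot: the dow and enabled defaults and the verify_vzdump_parameters call now run inside $create_job, i.e. while the vzdump.cron lock is held, although none of them reads the file. Do them before cfs_lock_file so invalid parameters are rejected without taking the cluster lock and the locked section is reduced to read, push and write. The re-raise can also be written as die $@ if $@; without the quotes.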
@@ -348,25 +352,29 @@ __PACKAGE__->register_method({
my $rpcenv = PVE::RPCEnvironment::get();
my $user = $rpcenv->get_user();
 
-   my $data = cfs_read_file('vzdump.cron');
+   my $delete_job = sub {
+   my $data = cfs_read_file('vzdump.cron');
 
-   my $jobs = $data->{jobs} || [];
-   my $newjobs = [];
+   my $jobs = $data->{jobs} || [];
+   my $newjobs = [];
 
-   my $found;
-   foreach my $job (@$jobs) {
-   if ($job->{id} eq $param->{id}) {
-   $found = 1;
-   } else {
-   push @$newjobs, $job;
+   my $found;
+   foreach my $job (@$jobs) {
+   if ($job->{id} eq $param->{id}) {
+   $found = 1;
+   } else {
+   push @$newjobs, $job;
+   }
}
-   }
 
-   raise_param_exc({ id => "No such job '$param->{id}'" }) if !$found;
+   raise_param_exc({ id => "No such job '$param->{id}'" }) if !$found;
 
-   $data->{jobs} = $newjobs;
+   $data->{jobs} = $newjobs;
 
-   cfs_write_file('vzdump.cron', $data);
+   cfs_write_file('vzdump.cron', $data);
+   };
+   cfs_lock_file('vzdump.cron', undef, $delete_job);
+   die "$@" if ($@);
 
return undef;
 }});
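Review bot: raise_param_exc for an unknown job id is now thrown inside $delete_job, and the caller re-raises with die "$@", which interpolates the error into a plain string. If cfs_lock_file hands the exception object back in $@, the parameter error loses its structure on the way to the API client. Re-raise with die $@ if $@; and check that a request for a non-existent id still produces the same parameter error as before the change.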
@@ -419,50 +427,52 @@ __PACKAGE__->register_method({
my $rpcenv = PVE::RPCEnvironment::get();
my $user = $rpcenv->get_user();
 
-   my $data = cfs_read_file('vzdump.cron');
+   my $update_job = sub {
+   my $data = cfs_read_file('vzdump.cron');
 
-   my $jobs = $data->{jobs} || [];
+   my $jobs = $data->{jobs} || [];
 
-   die "no options specified\n" if !scalar(keys %$param);
+   die "no options specified\n" if !scalar(keys %$param);
 
-   PVE::VZDump::verify_vzdump_parameters($param);
+   PVE::VZDump::verify_vzdump_parameters($param);
 
-   my @delete = PVE::Tools::split_list(extract_param($param, 'delete'));
+   my @delete = PVE::Tools::split_list(extract_param($param, 
'delete'));
 
-   foreach my $job (@$jobs) {
-   if ($job->{id} eq $param->{id}) {
+   foreach my $job (@$jobs) {
+   if ($job->{id} eq $param->{id}) {
 
-   foreach my $k (@delete) {
-   if (!PVE::VZDump::option_exists($k)) {
-   raise_param_exc({ delete => "unknown option '$k'" });
-   }
+   foreach my $k (@delete) {
+   if (!PVE::VZDump::option_exists($k)) {
+   raise_param_exc({ delete => "unknown option '$k'" 
});
+   }
 
-   delete $job->{$k};
-   }
+   delete $job->{$k};
+   }
 
-   foreach my $k (keys %$param) {
-   $job->{$k} = $param->{$k};
-   }
+   foreach my $k (keys %$param) {
+   $job->{$k} = $param->{$k};
+   }
 
-   $job->{all} = 1 if defined($job->{exclude});
+   $job->{all} = 1 if defined($job->{exclude});
 
-   if (defined($param->{vmid})) {
-   delete $job

[pve-devel] [PATCH ha-manager] fix #2234: fix typo in service description

2019-06-12 Thread Christian Ebner
replace Ressource by Resource

Signed-off-by: Christian Ebner 
---
 debian/pve-ha-crm.service | 2 +-
 debian/pve-ha-lrm.service | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/debian/pve-ha-crm.service b/debian/pve-ha-crm.service
index 800ce9b..b54992f 100644
--- a/debian/pve-ha-crm.service
+++ b/debian/pve-ha-crm.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=PVE Cluster Ressource Manager Daemon
+Description=PVE Cluster Resource Manager Daemon
 ConditionPathExists=/usr/sbin/pve-ha-crm
 Wants=pve-cluster.service
 Wants=watchdog-mux.service
diff --git a/debian/pve-ha-lrm.service b/debian/pve-ha-lrm.service
index 024566b..b5a9108 100644
--- a/debian/pve-ha-lrm.service
+++ b/debian/pve-ha-lrm.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=PVE Local HA Ressource Manager Daemon
+Description=PVE Local HA Resource Manager Daemon
 ConditionPathExists=/usr/sbin/pve-ha-lrm
 Wants=pve-cluster.service
 Wants=watchdog-mux.service
-- 
2.11.0



[pve-devel] [PATCH v5 manager] fix #2190: Base64 encode SMBIOS value strings in order to allow more characters

2019-06-11 Thread Christian Ebner
On some occasions, e.g. license checking, the manufacturer string in the
SMBIOS settings edit has to allow characters such as whitespace.
https://forum.proxmox.com/threads/proxmox-and-windows-rok-license-for-dell.53236/
In principle SMBIOS allows passing any zero-terminated string to the
corresponding fields in the structure type 1 (System Information).

By base64 encoding the values, clashing of the config is avoided.

Relies on the corresponding patch to qemu-server to pass parameter verification
and correct parsing.

Signed-off-by: Christian Ebner 
---
Version 5:
* As discussed offline, allow multiline editing of the fields in the UI

 www/manager6/Parser.js   | 31 +
 www/manager6/qemu/Smbios1Edit.js | 42 
 2 files changed, 53 insertions(+), 20 deletions(-)

diff --git a/www/manager6/Parser.js b/www/manager6/Parser.js
index 958deae5..242965dd 100644
--- a/www/manager6/Parser.js
+++ b/www/manager6/Parser.js
@@ -528,12 +528,18 @@ Ext.define('PVE.Parser', { statics: {
 },
 
 parseQemuSmbios1: function(value) {
-   var res = {};
-
-   Ext.Array.each(value.split(','), function(p) {
-   var kva = p.split('=', 2);
-   res[kva[0]] = kva[1];
-   });
+   var res = value.split(',').reduce(function (accumulator, currentValue) {
+   var splitted = currentValue.split(new RegExp("=(.+)"));
+   accumulator[splitted[0]] = splitted[1];
+   return accumulator;
+   }, {});
+
+   if (PVE.Parser.parseBoolean(res.base64, false)) {
+   Ext.Object.each(res, function(key, value) {
+   if (key === 'uuid') { return; }
+   res[key] = Ext.util.Base64.decode(value);
+   });
+   }
 
return res;
 },
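Review bot: the decode loop in parseQemuSmbios1 skips only uuid, so the base64 key itself is also run through Ext.util.Base64.decode and res.base64 ends up holding decoded junk instead of the flag. Skip it as well, e.g. if (key === 'uuid' || key === 'base64') { return; }, or delete res.base64 before returning if callers should not see it.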
@@ -541,10 +547,19 @@ Ext.define('PVE.Parser', { statics: {
 printQemuSmbios1: function(data) {
 
var datastr = '';
-
+   var base64 = false;
Ext.Object.each(data, function(key, value) {
if (value === '') { return; }
-   datastr += (datastr !== '' ? ',' : '') + key + '=' + value;
+   if (key === 'uuid') {
+   datastr += (datastr !== '' ? ',' : '') + key + '=' + value;
+   } else {
+   // values should be base64 encoded from now on, mark config 
strings correspondingly
+   if (!base64) {
+   base64 = true;
+   datastr += (datastr !== '' ? ',' : '') + 'base64=1';
+   }
+   datastr += (datastr !== '' ? ',' : '') + key + '=' + 
Ext.util.Base64.encode(value);
+   }
});
 
return datastr;
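Review bot: the separator expression (datastr !== '' ? ',' : '') now appears three times in printQemuSmbios1. Collecting the key=value parts in an array and returning parts.join(',') would remove the repetition and make it obvious that base64=1 is emitted exactly once, before the first encoded value.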
diff --git a/www/manager6/qemu/Smbios1Edit.js b/www/manager6/qemu/Smbios1Edit.js
index fdb0d150..2184b918 100644
--- a/www/manager6/qemu/Smbios1Edit.js
+++ b/www/manager6/qemu/Smbios1Edit.js
@@ -36,39 +36,57 @@ Ext.define('PVE.qemu.Smbios1InputPanel', {
name: 'uuid'
},
{
-   xtype: 'textfield',
+   xtype: 'textareafield',
fieldLabel: gettext('Manufacturer'),
-   regex: /^\S+$/,
+   fieldStyle: {
+   height: '2em',
+   minHeight: '2em'
+   },
name: 'manufacturer'
},
{
-   xtype: 'textfield',
+   xtype: 'textareafield',
fieldLabel: gettext('Product'),
-   regex: /^\S+$/,
+   fieldStyle: {
+   height: '2em',
+   minHeight: '2em'
+   },
name: 'product'
},
{
-   xtype: 'textfield',
+   xtype: 'textareafield',
fieldLabel: gettext('Version'),
-   regex: /^\S+$/,
+   fieldStyle: {
+   height: '2em',
+   minHeight: '2em'
+   },
name: 'version'
},
{
-   xtype: 'textfield',
+   xtype: 'textareafield',
fieldLabel: gettext('Serial'),
-   regex: /^\S+$/,
+   fieldStyle: {
+   height: '2em',
+   minHeight: '2em'
+   },
name: 'serial'
},
{
-   xtype: 'textfield',
+   xtype: 'textareafield',
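Review bot: the fieldStyle block with height: '2em' and minHeight: '2em' is repeated verbatim for every field converted to textareafield in this hunk. Define it once in a shared variable and reference it from each item, so a later change to the field height is made in one place. With the regex lines removed, the hunk also leaves no client-side validation on these fields; if line breaks are meant to be accepted, a short comment saying so would help the next reader.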
  

[pve-devel] [PATCH v4 manager 2/2] fix #2190: Base64 encode SMBIOS value strings in order to allow more characters

2019-06-11 Thread Christian Ebner
On some occasions, e.g. license checking, the manufacturer string in the
SMBIOS settings edit has to allow characters such as whitespace.
https://forum.proxmox.com/threads/proxmox-and-windows-rok-license-for-dell.53236/
In principle SMBIOS allows passing any zero-terminated string to the
corresponding fields in the structure type 1 (System Information).

By base64 encoding the values, clashing of the config is avoided.

Relies on the corresponding patch to qemu-server to pass parameter verification
and correct parsing.

Signed-off-by: Christian Ebner 
---
Version 4:
* Cleaner code by the use of reduce() to parse the property string
* make sure the base64=1 is only appended if the string contains 
  base64 encoded values

 www/manager6/Parser.js   | 31 +++
 www/manager6/qemu/Smbios1Edit.js |  6 --
 2 files changed, 23 insertions(+), 14 deletions(-)

diff --git a/www/manager6/Parser.js b/www/manager6/Parser.js
index 958deae5..242965dd 100644
--- a/www/manager6/Parser.js
+++ b/www/manager6/Parser.js
@@ -528,12 +528,18 @@ Ext.define('PVE.Parser', { statics: {
 },
 
 parseQemuSmbios1: function(value) {
-   var res = {};
-
-   Ext.Array.each(value.split(','), function(p) {
-   var kva = p.split('=', 2);
-   res[kva[0]] = kva[1];
-   });
+   var res = value.split(',').reduce(function (accumulator, currentValue) {
+   var splitted = currentValue.split(new RegExp("=(.+)"));
+   accumulator[splitted[0]] = splitted[1];
+   return accumulator;
+   }, {});
+
+   if (PVE.Parser.parseBoolean(res.base64, false)) {
+   Ext.Object.each(res, function(key, value) {
+   if (key === 'uuid') { return; }
+   res[key] = Ext.util.Base64.decode(value);
+   });
+   }
 
return res;
 },
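Review bot: currentValue.split(new RegExp("=(.+)")) only splits when at least one character follows the first '=', so a segment such as sku= stays unsplit and is stored under the key 'sku=' with an undefined value, and a segment without '=' also yields undefined. With base64 set, those undefined values are then passed to Ext.util.Base64.decode. Guard against a missing splitted[1] before assigning, and hoist the RegExp out of the reduce callback so it is not rebuilt for every segment.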
@@ -541,10 +547,19 @@ Ext.define('PVE.Parser', { statics: {
 printQemuSmbios1: function(data) {
 
var datastr = '';
-
+   var base64 = false;
Ext.Object.each(data, function(key, value) {
if (value === '') { return; }
-   datastr += (datastr !== '' ? ',' : '') + key + '=' + value;
+   if (key === 'uuid') {
+   datastr += (datastr !== '' ? ',' : '') + key + '=' + value;
+   } else {
+   // values should be base64 encoded from now on, mark config 
strings correspondingly
+   if (!base64) {
+   base64 = true;
+   datastr += (datastr !== '' ? ',' : '') + 'base64=1';
+   }
+   datastr += (datastr !== '' ? ',' : '') + key + '=' + 
Ext.util.Base64.encode(value);
+   }
});
 
return datastr;
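Review bot: printQemuSmbios1 encodes every key other than uuid, so if data ever carries the base64 key that parseQemuSmbios1 leaves in its result, it would be written a second time as base64=<encoded text> next to the base64=1 marker. Return early for key === 'base64' in the each callback to make the round trip safe regardless of what the form passes in.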
diff --git a/www/manager6/qemu/Smbios1Edit.js b/www/manager6/qemu/Smbios1Edit.js
index fdb0d150..c0c43683 100644
--- a/www/manager6/qemu/Smbios1Edit.js
+++ b/www/manager6/qemu/Smbios1Edit.js
@@ -38,37 +38,31 @@ Ext.define('PVE.qemu.Smbios1InputPanel', {
{
xtype: 'textfield',
fieldLabel: gettext('Manufacturer'),
-   regex: /^\S+$/,
name: 'manufacturer'
},
{
xtype: 'textfield',
fieldLabel: gettext('Product'),
-   regex: /^\S+$/,
name: 'product'
},
{
xtype: 'textfield',
fieldLabel: gettext('Version'),
-   regex: /^\S+$/,
name: 'version'
},
{
xtype: 'textfield',
fieldLabel: gettext('Serial'),
-   regex: /^\S+$/,
name: 'serial'
},
{
xtype: 'textfield',
fieldLabel: 'SKU',
-   regex: /^\S+$/,
name: 'sku'
},
{
xtype: 'textfield',
fieldLabel: gettext('Family'),
-   regex: /^\S+$/,
name: 'family'
}
];
-- 
2.11.0



[pve-devel] [PATCH v4 qemu 1/2] fix #2190: Base64 encode SMBIOS value strings in order to allow more characters

2019-06-11 Thread Christian Ebner
On some occasions, e.g. license checking, the manufacturer string in the
SMBIOS settings edit has to allow characters such as whitespace.
https://forum.proxmox.com/threads/proxmox-and-windows-rok-license-for-dell.53236/
In principle SMBIOS allows passing any zero-terminated string to the
corresponding fields in the structure type 1 (System Information).

By base64 encoding the values, clashing of the config is avoided.

Relies on the corresponding patch to pve-manager to obtain base64 encoded values.

Signed-off-by: Christian Ebner 
---
Version 4:
* Improved regex for base64 encoded strings

 PVE/QemuServer.pm | 53 +++--
 1 file changed, 39 insertions(+), 14 deletions(-)

diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 1f27a0b..c6d95e5 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -21,6 +21,7 @@ use JSON;
 use Fcntl;
 use PVE::SafeSyslog;
 use Storable qw(dclone);
+use MIME::Base64;
 use PVE::Exception qw(raise raise_param_exc);
 use PVE::Storage;
 use PVE::Tools qw(run_command lock_file lock_file_full file_read_firstline 
dir_glob_foreach $IPV6RE);
@@ -2358,7 +2359,7 @@ sub vmconfig_cleanup_pending {
 return $changes;
 }
 
-# smbios: 
[manufacturer=str][,product=str][,version=str][,serial=str][,uuid=uuid][,sku=str][,family=str]
+# smbios: 
[manufacturer=str][,product=str][,version=str][,serial=str][,uuid=uuid][,sku=str][,family=str][,base64=bool]
 my $smbios1_fmt = {
 uuid => {
type => 'string',
@@ -2369,46 +2370,51 @@ my $smbios1_fmt = {
 },
 version => {
type => 'string',
-   pattern => '\S+',
-   format_description => 'string',
+   pattern => '[A-Za-z0-9+\/]+={0,2}',
+   format_description => 'Base64 encoded string',
 description => "Set SMBIOS1 version.",
optional => 1,
 },
 serial => {
type => 'string',
-   pattern => '\S+',
-   format_description => 'string',
+   pattern => '[A-Za-z0-9+\/]+={0,2}',
+   format_description => 'Base64 encoded string',
 description => "Set SMBIOS1 serial number.",
optional => 1,
 },
 manufacturer => {
type => 'string',
-   pattern => '\S+',
-   format_description => 'string',
+   pattern => '[A-Za-z0-9+\/]+={0,2}',
+   format_description => 'Base64 encoded string',
 description => "Set SMBIOS1 manufacturer.",
optional => 1,
 },
 product => {
type => 'string',
-   pattern => '\S+',
-   format_description => 'string',
+   pattern => '[A-Za-z0-9+\/]+={0,2}',
+   format_description => 'Base64 encoded string',
 description => "Set SMBIOS1 product ID.",
optional => 1,
 },
 sku => {
type => 'string',
-   pattern => '\S+',
-   format_description => 'string',
+   pattern => '[A-Za-z0-9+\/]+={0,2}',
+   format_description => 'Base64 encoded string',
 description => "Set SMBIOS1 SKU string.",
optional => 1,
 },
 family => {
type => 'string',
-   pattern => '\S+',
-   format_description => 'string',
+   pattern => '[A-Za-z0-9+\/]+={0,2}',
+   format_description => 'Base64 encoded string',
 description => "Set SMBIOS1 family string.",
optional => 1,
 },
+base64 => {
+   type => 'boolean',
+   description => 'Flag to indicate that the SMBIOS values are base64 
encoded',
+   optional => 1,
+},
 };
 
 sub parse_smbios1 {
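Review bot: the new pattern '[A-Za-z0-9+\/]+={0,2}' replaces '\S+' for all six string fields regardless of whether base64 is set. If the pattern is matched against the whole value, as the old '\S+' rule must have been in order to reject whitespace, an existing plain-text value containing characters such as '-', '.' or '_' no longer verifies, which conflicts with keeping old configs working. The check should depend on the base64 flag: keep '\S+' for unencoded values and apply the base64 pattern only when base64=1.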
@@ -3524,7 +3530,26 @@ sub config_to_command {
 push @$cmd, '-daemonize';
 
 if ($conf->{smbios1}) {
-   push @$cmd, '-smbios', "type=1,$conf->{smbios1}";
+   my $smbios_conf = parse_smbios1($conf->{smbios1});
+   if ($smbios_conf->{base64}) {
+   # Do not pass base64 flag to qemu
+   delete $smbios_conf->{base64};
+   my $smbios_string = "";
+   foreach my $key (keys %$smbios_conf) {
+   my $value;
+   if ($key eq "uuid") {
+   $value = $smbios_conf->{uuid}
+   } else {
+   $value = decode_base64($smbios_conf->{$key});
+   }
+   # qemu accepts any binary data, only commas need escaping by 
double comma
+   $value =~ s/,/,,/g;
+   $smbios_string .= "," . $key . "=" . $value if $value;
+   }
+   push @$cmd, '-smbios', "type=1" . $smbios_string;
+   } else {
+   push @$cmd, '-smbios', "type=1,$conf->{smbios1}";
+   }
 }
 
 if ($conf->{vmgenid}) {
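Review bot: the trailing if $value on the line that appends to $smbios_string tests truthiness, so a field whose decoded value is the string 0 is silently left out of the -smbios argument. Test length($value) instead. Since decode_base64 can return arbitrary bytes and the commit message describes the SMBIOS fields as zero terminated strings, it would also be worth rejecting decoded values that contain a NUL byte before they reach the command line.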
-- 
2.11.0



[pve-devel] [PATCH v4 0/2] fix #2190: Base64 encode SMBIOS value strings in order to allow more characters

2019-06-11 Thread Christian Ebner
On some occasions, e.g. license checking, the manufacturer string in the
SMBIOS settings edit has to allow characters such as whitespace.
https://forum.proxmox.com/threads/proxmox-and-windows-rok-license-for-dell.53236/
In principle SMBIOS allows passing any zero-terminated string to the
corresponding fields in the structure type 1 (System Information).

By base64 encoding the values, clashing of the config is avoided and backwards
compatibility is maintained.

Christian Ebner (1):
  fix #2190: Base64 encode SMBIOS value strings in order to allow more
characters

 PVE/QemuServer.pm | 53 +++--
 1 file changed, 39 insertions(+), 14 deletions(-)

Christian Ebner (1):
  fix #2190: Base64 encode SMBIOS value strings in order to allow more
characters

 www/manager6/Parser.js   | 31 +++
 www/manager6/qemu/Smbios1Edit.js |  6 --
 2 files changed, 23 insertions(+), 14 deletions(-)

-- 
2.11.0



[pve-devel] [PATCH qemu 1/2] fix #2190: Base64 encode SMBIOS value strings in order to allow more characters

2019-06-04 Thread Christian Ebner
On some occasions, e.g. license checking, the manufacturer string in the
SMBIOS settings edit has to allow characters such as whitespace.
https://forum.proxmox.com/threads/proxmox-and-windows-rok-license-for-dell.53236/
In principle SMBIOS allows passing any zero-terminated string to the
corresponding fields in the structure type 1 (System Information).

By base64 encoding the values, clashing of the config is avoided.

Relies on the corresponding patch to pve-manager to obtain base64 encoded values.

Signed-off-by: Christian Ebner 
---
Version 3:
* use base64 instead of URL encoding
* maintain backwards compatibility when reading old configs

 PVE/QemuServer.pm | 53 +++--
 1 file changed, 39 insertions(+), 14 deletions(-)

diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 1a22fb4..741081c 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -21,6 +21,7 @@ use JSON;
 use Fcntl;
 use PVE::SafeSyslog;
 use Storable qw(dclone);
+use MIME::Base64;
 use PVE::Exception qw(raise raise_param_exc);
 use PVE::Storage;
 use PVE::Tools qw(run_command lock_file lock_file_full file_read_firstline 
dir_glob_foreach $IPV6RE);
@@ -2358,7 +2359,7 @@ sub vmconfig_cleanup_pending {
 return $changes;
 }
 
-# smbios: 
[manufacturer=str][,product=str][,version=str][,serial=str][,uuid=uuid][,sku=str][,family=str]
+# smbios: 
[manufacturer=str][,product=str][,version=str][,serial=str][,uuid=uuid][,sku=str][,family=str][,base64=bool]
 my $smbios1_fmt = {
 uuid => {
type => 'string',
@@ -2369,46 +2370,51 @@ my $smbios1_fmt = {
 },
 version => {
type => 'string',
-   pattern => '\S+',
-   format_description => 'string',
+   pattern => '[A-Za-z0-9+\/=]+',
+   format_description => 'Base64 encoded string',
 description => "Set SMBIOS1 version.",
optional => 1,
 },
 serial => {
type => 'string',
-   pattern => '\S+',
-   format_description => 'string',
+   pattern => '[A-Za-z0-9+\/=]+',
+   format_description => 'Base64 encoded string',
 description => "Set SMBIOS1 serial number.",
optional => 1,
 },
 manufacturer => {
type => 'string',
-   pattern => '\S+',
-   format_description => 'string',
+   pattern => '[A-Za-z0-9+\/=]+',
+   format_description => 'Base64 encoded string',
 description => "Set SMBIOS1 manufacturer.",
optional => 1,
 },
 product => {
type => 'string',
-   pattern => '\S+',
-   format_description => 'string',
+   pattern => '[A-Za-z0-9+\/=]+',
+   format_description => 'Base64 encoded string',
 description => "Set SMBIOS1 product ID.",
optional => 1,
 },
 sku => {
type => 'string',
-   pattern => '\S+',
-   format_description => 'string',
+   pattern => '[A-Za-z0-9+\/=]+',
+   format_description => 'Base64 encoded string',
 description => "Set SMBIOS1 SKU string.",
optional => 1,
 },
 family => {
type => 'string',
-   pattern => '\S+',
-   format_description => 'string',
+   pattern => '[A-Za-z0-9+\/=]+',
+   format_description => 'Base64 encoded string',
 description => "Set SMBIOS1 family string.",
optional => 1,
 },
+base64 => {
+   type => 'boolean',
+   description => 'Flag to indicate that the SMBIOS values are base64 
encoded',
+   optional => 1,
+},
 };
 
 sub parse_smbios1 {
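Review bot: the character class in '[A-Za-z0-9+\/=]+' allows '=' at any position, so a value such as a=b=c is accepted as a "Base64 encoded string" although padding can only appear at the end. Move the padding out of the class, e.g. '[A-Za-z0-9+\/]+={0,2}', so malformed input is rejected at verification time rather than being handed to decode_base64.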
@@ -3524,7 +3530,26 @@ sub config_to_command {
 push @$cmd, '-daemonize';
 
 if ($conf->{smbios1}) {
-   push @$cmd, '-smbios', "type=1,$conf->{smbios1}";
+   my $smbios_conf = parse_smbios1($conf->{smbios1});
+   if ($smbios_conf->{base64}) {
+   # Do not pass base64 flag to qemu
+   delete $smbios_conf->{base64};
+   my $smbios_string = "";
+   foreach my $key (keys %$smbios_conf) {
+   my $value;
+   if ($key eq "uuid") {
+   $value = $smbios_conf->{uuid}
+   } else {
+   $value = decode_base64($smbios_conf->{$key});
+   }
+   # qemu accepts any binary data, only commas need escaping by 
double comma
+   $value =~ s/,/,,/g;
+   $smbios_string .= "," . $key . "=" . $value if $value;
+   }
+   push @$cmd, '-smbios', "type=1" . $smbios_string;
+   } else {
+   push @$cmd, '-smbios', "type=1,$conf->{smbios1}";
+   }
 }
 
 if ($conf->{vmgenid}) {
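Review bot: foreach my $key (keys %$smbios_conf) iterates in Perl's unspecified hash order, so the same config can produce a differently ordered -smbios argument on each start. Use sort keys %$smbios_conf to keep the generated command line stable, which also makes it comparable in tests and logs.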
-- 
2.11.0



[pve-devel] [PATCH manager 2/2] fix #2190: Base64 encode SMBIOS value strings in order to allow more characters

2019-06-04 Thread Christian Ebner
On some occasions, e.g. license checking, the manufacturer string in the
SMBIOS settings edit has to allow characters such as whitespace.
https://forum.proxmox.com/threads/proxmox-and-windows-rok-license-for-dell.53236/
In principle SMBIOS allows passing any zero-terminated string to the
corresponding fields in the structure type 1 (System Information).

By base64 encoding the values, clashing of the config is avoided.

Relies on the corresponding patch to qemu-server to pass parameter verification
and correct parsing.

Signed-off-by: Christian Ebner 
---
Version 3:
* use base64 encoding instead of URL encoding
* backwards compatible to old configs

 www/manager6/Parser.js   | 19 ---
 www/manager6/qemu/Smbios1Edit.js |  6 --
 2 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/www/manager6/Parser.js b/www/manager6/Parser.js
index 958deae5..d266a4f3 100644
--- a/www/manager6/Parser.js
+++ b/www/manager6/Parser.js
@@ -530,21 +530,34 @@ Ext.define('PVE.Parser', { statics: {
 parseQemuSmbios1: function(value) {
var res = {};
 
+   var regex = new RegExp("=(.+)");
Ext.Array.each(value.split(','), function(p) {
-   var kva = p.split('=', 2);
+   var kva = p.split(regex);
res[kva[0]] = kva[1];
});
 
+   if (PVE.Parser.parseBoolean(res.base64, false)) {
+   Ext.Object.each(res, function(key, value) {
+   if (key === 'uuid') { return; }
+   res[key] = Ext.util.Base64.decode(value);
+   });
+   }
+
return res;
 },
 
 printQemuSmbios1: function(data) {
 
-   var datastr = '';
+   // values should be base64 encoded from now on, mark config strings 
correspondingly
+   var datastr = 'base64=1';
 
Ext.Object.each(data, function(key, value) {
if (value === '') { return; }
-   datastr += (datastr !== '' ? ',' : '') + key + '=' + value;
+   if (key === 'uuid') {
+   datastr += ',' + key + '=' + value;
+   } else {
+   datastr += ',' + key + '=' + Ext.util.Base64.encode(value);
+   }
});
 
return datastr;
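Review bot: printQemuSmbios1 now initialises datastr to 'base64=1', so the function returns base64=1 even when data is empty or holds only a uuid, where it used to return an empty string or just the uuid. Add the marker only once the first encoded value is appended, so a form with no encoded fields does not write a flag into the config.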
diff --git a/www/manager6/qemu/Smbios1Edit.js b/www/manager6/qemu/Smbios1Edit.js
index fdb0d150..c0c43683 100644
--- a/www/manager6/qemu/Smbios1Edit.js
+++ b/www/manager6/qemu/Smbios1Edit.js
@@ -38,37 +38,31 @@ Ext.define('PVE.qemu.Smbios1InputPanel', {
{
xtype: 'textfield',
fieldLabel: gettext('Manufacturer'),
-   regex: /^\S+$/,
name: 'manufacturer'
},
{
xtype: 'textfield',
fieldLabel: gettext('Product'),
-   regex: /^\S+$/,
name: 'product'
},
{
xtype: 'textfield',
fieldLabel: gettext('Version'),
-   regex: /^\S+$/,
name: 'version'
},
{
xtype: 'textfield',
fieldLabel: gettext('Serial'),
-   regex: /^\S+$/,
name: 'serial'
},
{
xtype: 'textfield',
fieldLabel: 'SKU',
-   regex: /^\S+$/,
name: 'sku'
},
{
xtype: 'textfield',
fieldLabel: gettext('Family'),
-   regex: /^\S+$/,
name: 'family'
}
];
-- 
2.11.0



[pve-devel] [PATCH 0/2] fix #2190: Base64 encode SMBIOS value strings in order to allow more characters

2019-06-04 Thread Christian Ebner
On some occasions, e.g. license checking, the manufacturer string in the
SMBIOS settings edit has to allow characters such as whitespace.
https://forum.proxmox.com/threads/proxmox-and-windows-rok-license-for-dell.53236/
In principle SMBIOS allows passing any zero-terminated string to the
corresponding fields in the structure type 1 (System Information).

By base64 encoding the values, clashing of the config is avoided and backwards
compatibility is maintained.

Christian Ebner (1):
  fix #2190: Base64 encode SMBIOS value strings in order to allow more
characters

 PVE/QemuServer.pm | 53 +++--
 1 file changed, 39 insertions(+), 14 deletions(-)

Christian Ebner (1):
  fix #2190: Base64 encode SMBIOS value strings in order to allow more
characters

 www/manager6/Parser.js   | 19 ---
 www/manager6/qemu/Smbios1Edit.js |  6 --
 2 files changed, 16 insertions(+), 9 deletions(-)
-- 
2.11.0



[pve-devel] [PATCH firewall] Remove redundant logging of packets passing the tap chain.

2019-05-15 Thread Christian Ebner
Incoming and outgoing packets passing the firewall bridge were unnecessarily
logged, leading to double entries.
The first log entry occurred when passing the bridge, the second when the
packet's fate was decided (ACCEPT/DROP/REJECT).

Signed-off-by: Christian Ebner 
---
 src/PVE/Firewall.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index f84e6d9..abcc1e8 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2387,10 +2387,10 @@ sub generate_tap_rules_direction {
 # plug the tap chain to bridge chain
 if ($direction eq 'IN') {
ruleset_addrule($ruleset, "PVEFW-FWBR-IN",
-   "-m physdev --physdev-is-bridged --physdev-out $iface", 
"-j $tapchain", $loglevel, 'FWBR-IN: ', $vmid);
+   "-m physdev --physdev-is-bridged --physdev-out $iface", 
"-j $tapchain");
 } else {
ruleset_addrule($ruleset, "PVEFW-FWBR-OUT",
-   "-m physdev --physdev-is-bridged --physdev-in $iface", 
"-j $tapchain", $loglevel, 'FWBR-OUT: ', $vmid);
+   "-m physdev --physdev-is-bridged --physdev-in $iface", 
"-j $tapchain");
 }
 }
 
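Review bot: both `ruleset_addrule` calls lose `$loglevel`, the prefix and `$vmid` here, but nothing visible in this hunk shows whether `$loglevel` is still used elsewhere in `generate_tap_rules_direction`; if these were its only uses, drop the now-dead variable in the same patch. The commit message would also benefit from naming the commit that added these arguments, so the change in log volume can be traced.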
-- 
2.11.0



Re: [pve-devel] pve-firewall: default loglevel behaviour change

2019-05-15 Thread Christian Ebner
Hi Alexandre,

you are right, logging the packets passing the firewall bridge seems a bit 
overkill and redundant.

Will send a patch to fix this.

> On May 15, 2019 at 4:08 PM Alexandre DERUMIER  wrote:
> 
> 
> Hi,
> 
> since this commit
> 
> 
> https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff;f=src/PVE/Firewall.pm;h=ccc5d7ffb62f1ef4c4d59e363192f512c88742c9;hp=6ac303831a62f630d437ef0e0508decd2b72f5ac;hb=3489f8a2b9597201fe8e42fa5832507f96169619;hpb=33efd363ab32d3f8f6a9c49e481cb62a8da40b5d
> 
> @@ -2341,10 +2348,10 @@ sub generate_tap_rules_direction {
>  # plug the tap chain to bridge chain
>  if ($direction eq 'IN') {
> ruleset_addrule($ruleset, "PVEFW-FWBR-IN",
> -   "-m physdev --physdev-is-bridged --physdev-out 
> $iface", "-j $tapchain");
> +   "-m physdev --physdev-is-bridged --physdev-out 
> $iface", "-j $tapchain", $loglevel, 'FWBR-IN: ', $vmid);
>  } else {
> ruleset_addrule($ruleset, "PVEFW-FWBR-OUT",
> -   "-m physdev --physdev-is-bridged --physdev-in 
> $iface", "-j $tapchain");
> +   "-m physdev --physdev-is-bridged --physdev-in 
> $iface", "-j $tapchain", $loglevel, 'FWBR-OUT: ', $vmid);
>  }
>  }
> 
> 
> 
> The default loglevel of a vm is logging all packets coming to the tap chain
> ex:
> -A PVEFW-FWBR-IN -m physdev --physdev-out tap135i0 --physdev-is-bridged -m 
> limit --limit 1/sec -j NFLOG --nflog-prefix  ":135:6:PVEFW-FWBR-IN: FWBR-IN: "
> 
> Previously, it was only for the final DROP/REJECT/ACCEPT action
> 
> 
> Here is an example with a connection to port 53, with default action input/output
> policy = reject, loglevelin:info, and no rule to allow port
> [OPTIONS]
> 
> log_level_out: info
> macfilter: 1
> policy_out: REJECT
> enable: 1
> policy_in: REJECT
> dhcp: 0
> log_level_in: info
> 
> [RULES]
> 
> 
> 
> 
> 
> 135 6 PVEFW-FWBR-IN 15/May/2019:15:53:23 +0200 FWBR-IN: IN=fwbr135i0 
> OUT=fwbr135i0 PHYSIN=fwln135i0 PHYSOUT=tap135i0 
> MAC=56:af:a2:0d:53:9b:58:49:3b:80:fb:24:08:00 SRC=10.11.53.33 DST=10.3.95.29 
> LEN=283 TOS=0x00 PREC=0x00 TTL=127 ID=20498 PROTO=UDP SPT=54689 DPT=389 
> LEN=263
> 135 6 tap135i0-IN 15/May/2019:15:53:23 +0200 policy REJECT: IN=fwbr135i0 
> OUT=fwbr135i0 PHYSIN=fwln135i0 PHYSOUT=tap135i0 
> MAC=56:af:a2:0d:53:9b:58:49:3b:80:fb:24:08:00 SRC=10.11.53.33 DST=10.3.95.29 
> LEN=283 TOS=0x00 PREC=0x00 TTL=127 ID=20498 PROTO=UDP SPT=54689 DPT=389 
> LEN=263
> 
> 
> As you see, it's logged twice. (once when coming to tap chain, once when final
> action is reject)
> 
> Same if you make a rule in the vm, activating log on the rule, it's logged
> twice.
> 
> I would like to be able to remove this logging in FWBR-IN, and only log on
> rules or default input/output policy action.
> But currently, if I disable the loglevel=nolog, it's disabling too the log
> for default action.
> 
> 
> I'm not sure, but do we really need this log on FWBR-IN ? (I mean, we don't
> have any info if it's drop/accept/reject, so it's pretty useless, we only know
> that a packet is coming).
> Or maybe could we have a different loglevel option for default input/output 
> policy ?
> 
> ___
> pve-devel mailing list
> pve-devel@pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
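The double entries described in the quoted message can be found mechanically. The following is an added example, not part of the thread or of pve-firewall: it assumes the log line layout shown in the message (wrapped lines joined back into one), the helper names are hypothetical, and the third sample line is constructed.

```python
import re
from collections import defaultdict

# vmid, log level, chain, timestamp, message prefix, netfilter key=value part
LINE = re.compile(
    r"^(?P<vmid>\d+) (?P<level>\d+) (?P<chain>\S+) "
    r"(?P<ts>\S+ [+-]\d{4}) (?P<prefix>.*?): (?P<kv>IN=.*)$"
)
# Fields that together identify one packet within the log.
IDENTITY = ("SRC", "DST", "PROTO", "ID", "SPT", "DPT")

COMMON = ("IN=fwbr135i0 OUT=fwbr135i0 PHYSIN=fwln135i0 PHYSOUT=tap135i0 "
          "MAC=56:af:a2:0d:53:9b:58:49:3b:80:fb:24:08:00 "
          "SRC=10.11.53.33 DST=10.3.95.29 ")

# First two lines: the entries quoted in the message. Third line: constructed,
# a packet that only appears with its verdict.
SAMPLE = [
    "135 6 PVEFW-FWBR-IN 15/May/2019:15:53:23 +0200 FWBR-IN: " + COMMON +
    "LEN=283 TOS=0x00 PREC=0x00 TTL=127 ID=20498 PROTO=UDP SPT=54689 DPT=389 LEN=263",
    "135 6 tap135i0-IN 15/May/2019:15:53:23 +0200 policy REJECT: " + COMMON +
    "LEN=283 TOS=0x00 PREC=0x00 TTL=127 ID=20498 PROTO=UDP SPT=54689 DPT=389 LEN=263",
    "135 6 tap135i0-IN 15/May/2019:15:53:24 +0200 policy REJECT: " + COMMON +
    "LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=20499 PROTO=UDP SPT=54690 DPT=53 LEN=40",
]


def parse(line):
    """Split one log line into its header and its packet fields."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # LEN occurs twice (IP and UDP length); the later value wins, which is
    # fine because LEN is not part of the packet identity used below.
    rec["fields"] = dict(re.findall(r"(\w+)=(\S*)", rec.pop("kv")))
    return rec


def double_logged(lines):
    """Return packets that have a PVEFW-FWBR-* entry (packet entering the
    tap chain) in addition to an entry from another chain (the verdict)."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # not a firewall packet line
        key = (rec["vmid"], rec["ts"]) + tuple(
            rec["fields"].get(name) for name in IDENTITY
        )
        seen[key].append((rec["chain"], rec["prefix"]))
    hits = []
    for key, entries in seen.items():
        bridge = [e for e in entries if e[0].startswith("PVEFW-FWBR-")]
        verdict = [e for e in entries if not e[0].startswith("PVEFW-FWBR-")]
        if bridge and verdict:
            hits.append({"packet": key, "bridge": bridge, "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in double_logged(SAMPLE):
        print("logged twice:", hit["packet"], hit["bridge"], hit["verdict"])
```

Run over a log written after the bridge-chain logging is removed, `double_logged` should return an empty list.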



[pve-devel] [PATCH v2 0/2] URI encode SMBIOS value strings in order to allow more

2019-05-10 Thread Christian Ebner
On some occasions e.g. license checking, the manufacturer string in the
SMBIOS settings edit has to allow characters such as whitespaces.
https://forum.proxmox.com/threads/proxmox-and-windows-rok-license-for-dell.53236/

Use URI encoding for format string in order to allow for such cases.

Christian Ebner (1):
  fix #2190: URI encode SMBIOS value strings in order to allow more
characters

 PVE/QemuServer.pm | 32 +++-
 1 file changed, 19 insertions(+), 13 deletions(-)
 
Christian Ebner (1):
  fix #2190: URI encode SMBIOS value strings in order to allow more
characters

 www/manager6/Parser.js   |  4 ++--
 www/manager6/qemu/Smbios1Edit.js | 12 ++--
 2 files changed, 8 insertions(+), 8 deletions(-)

-- 
2.11.0



[pve-devel] [PATCH v2 qemu 1/1] fix #2190: URI encode SMBIOS value strings in order to allow more characters

2019-05-10 Thread Christian Ebner
On some occasions e.g. license checking, the manufacturer string in the
SMBIOS settings edit has to allow characters such as whitespaces.
https://forum.proxmox.com/threads/proxmox-and-windows-rok-license-for-dell.53236/

Use URI encoding for format string in order to allow for such cases.

Signed-off-by: Christian Ebner 
---
Version 2:
- Changed format verification to url encoded
 PVE/QemuServer.pm | 32 +++-
 1 file changed, 19 insertions(+), 13 deletions(-)

diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 9d560ec..8b2fd49 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -2369,43 +2369,43 @@ my $smbios1_fmt = {
 },
 version => {
type => 'string',
-   pattern => '\S+',
-   format_description => 'string',
+   format => 'urlencoded',
+   format_description => 'URI encoded string',
 description => "Set SMBIOS1 version.",
optional => 1,
 },
 serial => {
type => 'string',
-   pattern => '\S+',
-   format_description => 'string',
+   format => 'urlencoded',
+   format_description => 'URI encoded string',
 description => "Set SMBIOS1 serial number.",
optional => 1,
 },
 manufacturer => {
type => 'string',
-   pattern => '\S+',
-   format_description => 'string',
+   format => 'urlencoded',
+   format_description => 'URI encoded string',
 description => "Set SMBIOS1 manufacturer.",
optional => 1,
 },
 product => {
type => 'string',
-   pattern => '\S+',
-   format_description => 'string',
+   format => 'urlencoded',
+   format_description => 'URI encoded string',
 description => "Set SMBIOS1 product ID.",
optional => 1,
 },
 sku => {
type => 'string',
-   pattern => '\S+',
-   format_description => 'string',
+   format => 'urlencoded',
+   format_description => 'URI encoded string',
 description => "Set SMBIOS1 SKU string.",
optional => 1,
 },
 family => {
type => 'string',
-   pattern => '\S+',
-   format_description => 'string',
+   format => 'urlencoded',
+   format_description => 'URI encoded string',
 description => "Set SMBIOS1 family string.",
optional => 1,
 },
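Review bot: switching `version`, `serial`, `manufacturer`, `product`, `sku` and `family` from `pattern => '\S+'` to `format => 'urlencoded'` changes how values already stored in VM configs are read. A value that was valid under `\S+` and contains a literal `%` (for example `100%`) may no longer validate, or will be turned into a different string by the `uri_unescape` call the next hunk adds to `config_to_command`. Either migrate existing values or mark encoded values explicitly so that old configs keep their meaning.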
@@ -3524,7 +3524,13 @@ sub config_to_command {
 push @$cmd, '-daemonize';
 
 if ($conf->{smbios1}) {
-   push @$cmd, '-smbios', "type=1,$conf->{smbios1}";
+   my $smbios_conf = parse_smbios1($conf->{smbios1});
+   my $smbios_string = "";
+   foreach my $key (keys %$smbios_conf) {
+   my $value = uri_unescape($smbios_conf->{$key});
+   $smbios_string .= "," . $key . "=" . $value if $value;
+   }
+   push @$cmd, '-smbios', "type=1" . $smbios_string;
 }
 
 if ($conf->{vmgenid}) {
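Review bot: in the `foreach` loop the decoded `$value` is concatenated into the `-smbios` argument as-is, so a stored `%2C` decodes to a comma and QEMU parses what follows as another suboption. QEMU expects a literal comma inside an option value to be doubled, so apply `$value =~ s/,/,,/g` after `uri_unescape`. Two smaller points on the same lines: `if $value` silently drops a value of `0` (test `defined($value) && $value ne ''` instead), and iterating `keys %$smbios_conf` unsorted makes the generated command line differ between runs, which `sort keys` avoids.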
-- 
2.11.0



[pve-devel] [PATCH v2 manager 1/1] fix #2190: URI encode SMBIOS value strings in order to allow more characters

2019-05-10 Thread Christian Ebner
On some occasions e.g. license checking, the manufacturer string in the
SMBIOS settings edit has to allow characters such as whitespaces.
https://forum.proxmox.com/threads/proxmox-and-windows-rok-license-for-dell.53236/

Relies on the corresponding patch to qemu-server to pass parameter verification.

Signed-off-by: Christian Ebner 
---
Version 2:
- URI encode SMBIOS values

 www/manager6/Parser.js   |  4 ++--
 www/manager6/qemu/Smbios1Edit.js | 12 ++--
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/www/manager6/Parser.js b/www/manager6/Parser.js
index 958deae5..b95bfcf5 100644
--- a/www/manager6/Parser.js
+++ b/www/manager6/Parser.js
@@ -532,7 +532,7 @@ Ext.define('PVE.Parser', { statics: {
 
Ext.Array.each(value.split(','), function(p) {
var kva = p.split('=', 2);
-   res[kva[0]] = kva[1];
+   res[kva[0]] = decodeURIComponent(kva[1]);
});
 
return res;
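Review bot: `decodeURIComponent(kva[1])` throws a `URIError` on a malformed escape sequence, so a config written before this change whose value contains a lone `%` makes the whole parse fail in the GUI; wrap the call in try/catch and fall back to the raw value. `kva[1]` is also `undefined` when an element has no `=`, and `decodeURIComponent` turns that into the string `"undefined"`.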
@@ -544,7 +544,7 @@ Ext.define('PVE.Parser', { statics: {
 
Ext.Object.each(data, function(key, value) {
if (value === '') { return; }
-   datastr += (datastr !== '' ? ',' : '') + key + '=' + value;
+   datastr += (datastr !== '' ? ',' : '') + key + '=' + 
encodeURIComponent(value);
});
 
return datastr;
diff --git a/www/manager6/qemu/Smbios1Edit.js b/www/manager6/qemu/Smbios1Edit.js
index fdb0d150..17d3f9ec 100644
--- a/www/manager6/qemu/Smbios1Edit.js
+++ b/www/manager6/qemu/Smbios1Edit.js
@@ -38,37 +38,37 @@ Ext.define('PVE.qemu.Smbios1InputPanel', {
{
xtype: 'textfield',
fieldLabel: gettext('Manufacturer'),
-   regex: /^\S+$/,
+   regex: /^[^\n\r\f\v,=]+$/,
name: 'manufacturer'
},
{
xtype: 'textfield',
fieldLabel: gettext('Product'),
-   regex: /^\S+$/,
+   regex: /^[^\n\r\f\v,=]+$/,
name: 'product'
},
{
xtype: 'textfield',
fieldLabel: gettext('Version'),
-   regex: /^\S+$/,
+   regex: /^[^\n\r\f\v,=]+$/,
name: 'version'
},
{
xtype: 'textfield',
fieldLabel: gettext('Serial'),
-   regex: /^\S+$/,
+   regex: /^[^\n\r\f\v,=]+$/,
name: 'serial'
},
{
xtype: 'textfield',
fieldLabel: 'SKU',
-   regex: /^\S+$/,
+   regex: /^[^\n\r\f\v,=]+$/,
name: 'sku'
},
{
xtype: 'textfield',
fieldLabel: gettext('Family'),
-   regex: /^\S+$/,
+   regex: /^[^\n\r\f\v,=]+$/,
name: 'family'
}
];
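Review bot: `/^[^\n\r\f\v,=]+$/` keeps `,` and `=` out of the six fields only in the browser. The qemu-server patch replaces the schema pattern with `format => 'urlencoded'` and adds no equivalent restriction on the decoded value, so an API client can still submit `%2C` or `%3D`. Decide where the restriction belongs and enforce it in the backend as well. The class also still admits tabs and leading or trailing spaces, which is worth a deliberate choice.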
-- 
2.11.0



[pve-devel] [PATCH manager 2/2] fix #2190: allow multiple words separated by whitespaces in SMBIOS manufacturer string

2019-05-09 Thread Christian Ebner
On some occasions e.g. license checking, the manufacturer string in the
SMBIOS settings edit has to allow multiple words separated by whitespaces.
https://forum.proxmox.com/threads/proxmox-and-windows-rok-license-for-dell.53236/

Relies on the corresponding patch to qemu-server to pass parameter verification.

Signed-off-by: Christian Ebner 
---
 www/manager6/qemu/Smbios1Edit.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/manager6/qemu/Smbios1Edit.js b/www/manager6/qemu/Smbios1Edit.js
index fdb0d150..b482f90d 100644
--- a/www/manager6/qemu/Smbios1Edit.js
+++ b/www/manager6/qemu/Smbios1Edit.js
@@ -38,7 +38,7 @@ Ext.define('PVE.qemu.Smbios1InputPanel', {
{
xtype: 'textfield',
fieldLabel: gettext('Manufacturer'),
-   regex: /^\S+$/,
+   regex: /^\S+(\s+\S+)*$/,
name: 'manufacturer'
},
{
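Review bot: `\s` in `/^\S+(\s+\S+)*$/` is wider than the "words separated by whitespaces" of the commit message: in JavaScript it also matches tab, no-break space and the Unicode line separators, none of which are useful in a manufacturer string. A literal space, `/^\S+( \S+)*$/`, states the intent and keeps the GUI from accepting input that the qemu-server pattern then has to judge on its own.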
-- 
2.11.0



[pve-devel] [PATCH qemu 1/2] fix #2190: allow multiple words separated by whitespaces in SMBIOS manufacturer string

2019-05-09 Thread Christian Ebner
On some occasions, e.g. license checking, the manufacturer string for the
SMBIOS configuration has to allow for multiple words separated by whitespaces.
https://forum.proxmox.com/threads/proxmox-and-windows-rok-license-for-dell.53236/

Signed-off-by: Christian Ebner 
---
 PVE/QemuServer.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 2ca5f6e..56b9e50 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -2383,7 +2383,7 @@ my $smbios1_fmt = {
 },
 manufacturer => {
type => 'string',
-   pattern => '\S+',
+   pattern => '\S+(\s+\S+)*',
format_description => 'string',
 description => "Set SMBIOS1 manufacturer.",
optional => 1,
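Review bot: `'\S+(\s+\S+)*'` lets tab, carriage return and newline through, because Perl's `\s` covers them, and this value ends up in the `smbios1` property string of the VM config and later in the QEMU command line; a line break inside the value could split that config line. Restrict the separator to a literal space, `'\S+( \S+)*'`, unless other whitespace is really needed, and say in the description that spaces are allowed.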
-- 
2.11.0



[pve-devel] [PATCH 0/2] fix #2190: allow multiple words separated by whitespaces in SMBIOS manufacturer string

2019-05-09 Thread Christian Ebner
Christian Ebner (1):
  fix #2190: allow multiple words separated by whitespaces in SMBIOS
manufacturer string

 PVE/QemuServer.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Christian Ebner (1):
  fix: #2190 allow multiple words separated by whitespaces in SMBIOS
manufacturer string

 www/manager6/qemu/Smbios1Edit.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.11.0



[pve-devel] Bug #2193

2019-04-30 Thread Christian Ebner
It seems that the ARP filtering with ebtables introduced a bug:
https://bugzilla.proxmox.com/show_bug.cgi?id=2193

After some digging, it turned out that the problem is that ebtables masks the 
provided arp-ip-src address.
So while the provided rule looks like this:
-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.1/24 -j RETURN
the output of ebtables-save looks like this:
-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.0/24 -j RETURN
note the change from 1 to 0 for the IP address.

This leads to different hashes and therefore the firewall service spams the log 
with errors, because of seemingly not applied rules.

@Alexandre: Is the assumption correct that you simply want to allow only
the one source ip, here 10.0.0.1?
If so we should change the corresponding rule to one without CIDR suffix, e.g.
-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.1 -j RETURN
in which case ebtables does not mangle the rule and the hash should be
equal.
Also, note that the $pve_ebtables_chainname_regex must probably be updated to
include the -ARP suffix.
If you want I can provide a patch for this, if your intention was different
please let us know.

---

Best regards,
Christian Ebner
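The mismatch described in the message above, reproduced as an added example (not part of the original message or of pve-firewall). The masking model follows only what the message reports for a `/24` rule, and the SHA-1 digest and helper names are assumptions made for illustration.

```python
import hashlib
import ipaddress
import re

# Address argument of --arp-ip-src / --arp-ip-dst in an ebtables rule line.
ARP_IP = re.compile(r"(--arp-ip-(?:src|dst)\s+)(\S+)")


def as_saved(rule):
    """Model of what the message reports ebtables-save printing back:
    an address given with a CIDR suffix has its host bits cleared,
    an address without a suffix is left untouched."""
    def clear_host_bits(m):
        flag, addr = m.group(1), m.group(2)
        if "/" not in addr:
            return m.group(0)
        net = ipaddress.ip_network(addr, strict=False)
        return f"{flag}{net.network_address}/{net.prefixlen}"
    return ARP_IP.sub(clear_host_bits, rule)


def digest(rules):
    """Digest over a rule list. SHA-1 is an assumption for this example;
    the message only says that the hashes differ."""
    return hashlib.sha1("\n".join(rules).encode()).hexdigest()


def unstable_rules(rules):
    """Rules whose text changes on the way through ebtables, i.e. the ones
    that make the wanted and the applied ruleset hash differently."""
    return [(r, as_saved(r)) for r in rules if as_saved(r) != r]


def host_only(rule):
    """The fix proposed in the message: drop the CIDR suffix so a single
    source IP is matched and ebtables has nothing to mask."""
    return ARP_IP.sub(lambda m: m.group(1) + m.group(2).split("/")[0], rule)


# Rule text taken from the message.
WANTED = ["-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.1/24 -j RETURN"]

if __name__ == "__main__":
    applied = [as_saved(r) for r in WANTED]
    print("wanted :", digest(WANTED))
    print("applied:", digest(applied))
    for before, after in unstable_rules(WANTED):
        print("masked :", before, "->", after)
    fixed = [host_only(r) for r in WANTED]
    print("stable after fix:", unstable_rules(fixed) == [])
```

Running `unstable_rules` over a generated ruleset before it is applied shows which rules would keep the comparison from ever settling.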


Re: [pve-devel] [PATCH qemu] fix: #1075: Restore VM template to VM and try to convert to template.

2019-04-25 Thread Christian Ebner
If a vdisk_create_base fails because the storage backend does not support the 
base image creation, it leaves behind the original disk image, this is correct. 
This should not create further problems. For such templates, the user gets a 
warning stating it is not possible to create a linked clone, only full clones 
are possible.

So the code simply mimics the current behavior, where the user restores to VM 
and then manually converts to template. This leads to the same result.

> On April 24, 2019 at 7:56 PM Thomas Lamprecht  wrote:
> 
> 
> Am 4/19/19 um 12:06 PM schrieb Christian Ebner:
> > The restore of a backup from a VM template will first restore the VM and then
> > convert the restored VM back into a template.
> > This automatically performs the steps of the current behaviour, where the user
> > has to manually convert the restored VM back to a template.
> > 
> > Signed-off-by: Christian Ebner 
> > ---
> >  PVE/API2/Qemu.pm  | 11 +--
> >  PVE/QemuServer.pm |  1 -
> >  2 files changed, 9 insertions(+), 3 deletions(-)
> > 
> > diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
> > index 651f64f..f61e58e 100644
> > --- a/PVE/API2/Qemu.pm
> > +++ b/PVE/API2/Qemu.pm
> > @@ -556,14 +556,21 @@ __PACKAGE__->register_method({
> > PVE::QemuConfig->check_protection($conf, $emsg);
> >  
> > die "$emsg vm is running\n" if 
> > PVE::QemuServer::check_running($vmid);
> > -   die "$emsg vm is a template\n" if 
> > PVE::QemuConfig->is_template($conf);
> >  
> > my $realcmd = sub {
> > PVE::QemuServer::restore_archive($archive, $vmid, $authuser, {
> > storage => $storage,
> > pool => $pool,
> > unique => $unique,
> > -   bwlimit => $bwlimit, });
> > +   bwlimit => $bwlimit,
> > +   });
> > +   my $restored_conf = PVE::QemuConfig->load_config($vmid);
> > +   # Convert restored VM to template if backup was VM template
> > +   if (PVE::QemuConfig->is_template($restored_conf)) {
> > +   warn "Convert to template.\n";
> > +   eval { PVE::QemuServer::template_create($vmid, 
> > $restored_conf) };
> 
> hmm, at the moment we can only restore all disks to a single target
> storage, or? because the lack of cleanup inside template_create, if one
> vdisk_create_base fails, may then not be a real problem often here, but
> can still happen.. error handling is a bit hard to do arbitrary in this
> case, thus it was probably left out in the first place.
> 
> Commit bbd560974af465b2d4d55e6528001e93d4962e06 changed the "die" if a
> storage does not support templating to just ignore it, as it then needs
> to be full cloned, so yes your quite simple patch seems to do the right
> thing™, need to rethink this a bit, seems almost too easy for the fact that
> we actively didn't do it.. ^^
> 
> > +   warn $@ if $@;
> > +   }
> >  
> > PVE::AccessControl::add_vm_to_pool($vmid, $pool) if $pool;
> >  
> > diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
> > index cd86fec..2ca5f6e 100644
> > --- a/PVE/QemuServer.pm
> > +++ b/PVE/QemuServer.pm
> > @@ -5904,7 +5904,6 @@ sub restore_update_config_line {
> >  return if $line =~ m/^lock:/;
> >  return if $line =~ m/^unused\d+:/;
> >  return if $line =~ m/^parent:/;
> > -return if $line =~ m/^template:/; # restored VM is never a template
> >  
> >  my $dc = PVE::Cluster::cfs_read_file('datacenter.cfg');
> >  if (($line =~ m/^(vlan(\d+)):\s*(\S+)\s*$/)) {
> > 
>



[pve-devel] [PATCH qemu] fix: #1075: Restore VM template to VM and try to convert to template.

2019-04-19 Thread Christian Ebner
The restore of a backup from a VM template will first restore the VM and then
convert the restored VM back into a template.
This automatically performs the steps of the current behaviour, where the user
has to manually convert the restored VM back to a template.

Signed-off-by: Christian Ebner 
---
 PVE/API2/Qemu.pm  | 11 +--
 PVE/QemuServer.pm |  1 -
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 651f64f..f61e58e 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -556,14 +556,21 @@ __PACKAGE__->register_method({
PVE::QemuConfig->check_protection($conf, $emsg);
 
die "$emsg vm is running\n" if 
PVE::QemuServer::check_running($vmid);
-   die "$emsg vm is a template\n" if 
PVE::QemuConfig->is_template($conf);
 
my $realcmd = sub {
PVE::QemuServer::restore_archive($archive, $vmid, $authuser, {
storage => $storage,
pool => $pool,
unique => $unique,
-   bwlimit => $bwlimit, });
+   bwlimit => $bwlimit,
+   });
+   my $restored_conf = PVE::QemuConfig->load_config($vmid);
+   # Convert restored VM to template if backup was VM template
+   if (PVE::QemuConfig->is_template($restored_conf)) {
+   warn "Convert to template.\n";
+   eval { PVE::QemuServer::template_create($vmid, 
$restored_conf) };
+   warn $@ if $@;
+   }
 
PVE::AccessControl::add_vm_to_pool($vmid, $pool) if $pool;
 
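Review bot: removing the `die "$emsg vm is a template\n"` check also lifts the guard for the VM that already exists under `$vmid`: `$conf` is passed to `check_protection` before `restore_archive` runs, so it describes the existing guest, not the archive, and restoring over an existing template is now allowed. If overwriting a template should stay forbidden, keep the check and handle the archive's flag separately. In the new block, `eval { ... template_create ... }; warn $@ if $@;` lets the task finish as successful after a failed conversion, so the log should at least end with a clear statement of what the restored guest now is.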
diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index cd86fec..2ca5f6e 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -5904,7 +5904,6 @@ sub restore_update_config_line {
 return if $line =~ m/^lock:/;
 return if $line =~ m/^unused\d+:/;
 return if $line =~ m/^parent:/;
-return if $line =~ m/^template:/; # restored VM is never a template
 
 my $dc = PVE::Cluster::cfs_read_file('datacenter.cfg');
 if (($line =~ m/^(vlan(\d+)):\s*(\S+)\s*$/)) {
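Review bot: with `return if $line =~ m/^template:/;` gone, the restored config carries the `template:` line from the moment it is written, before `template_create` has run in Qemu.pm. If that call fails (the caller only warns), the guest stays flagged as a template although its disks were not converted. Unless that state is intended, keep stripping the line here and set the flag only after a successful conversion, or clear it in the failure path; the deleted comment "restored VM is never a template" also deserves a replacement that describes the new rule.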
-- 
2.11.0



[pve-devel] [PATCH v2 container] fix: #1075: Correctly restore CT templates from backup

2019-04-17 Thread Christian Ebner
Restoring a backup from a CT template wrongly resulted in a CT with the template
flag set in the config.
This makes sure the CT template backup gets restored to a CT and only if the
storage supports templates, the resulting CT is converted to a template.
Otherwise the backup restores simply to a CT.

Signed-off-by: Christian Ebner 
---

Version 2:
* Minor changes to improve code readability as suggested
* Refactor check if storage supports templates
* Omit unneeded call of PVE::LXC::update_lxc_config as the config does not
  exist after a restore anyway

 src/PVE/API2/LXC.pm   | 40 
 src/PVE/LXC/Create.pm |  4 +++-
 2 files changed, 35 insertions(+), 9 deletions(-)

diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
index 5a8a9c9..cf14d75 100644
--- a/src/PVE/API2/LXC.pm
+++ b/src/PVE/API2/LXC.pm
@@ -335,6 +335,7 @@ __PACKAGE__->register_method({
 
my $code = sub {
my $old_conf = PVE::LXC::Config->load_config($vmid);
+   my $was_template;
 
my $vollist = [];
eval {
@@ -344,6 +345,7 @@ __PACKAGE__->register_method({
if ($is_root && $archive ne '-') {
my $orig_conf;
($orig_conf, $orig_mp_param) = 
PVE::LXC::Create::recover_config($archive);
+   $was_template = delete $orig_conf->{template};
# When we're root call 'restore_configuration' with 
ristricted=0,
# causing it to restore the raw lxc entries, among 
which there may be
# 'lxc.idmap' entries. We need to make sure that the 
extracted contents
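Review bot: `$was_template = delete $orig_conf->{template};` sits inside `if ($is_root && $archive ne '-')`, so for a non-root restore or an archive read from stdin `$was_template` stays undefined and a template backup silently comes back as a plain container. If that is intended, say so in the commit message; otherwise record the flag outside this branch.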
@@ -423,6 +425,17 @@ __PACKAGE__->register_method({
foreach my $mp (keys %$delayed_mp_param) {
$conf->{$mp} = $delayed_mp_param->{$mp};
}
+   # If the template flag was set, we try to convert again to 
template after restore
+   if ($was_template) {
+   print STDERR "Convert restored container to template...\n";
+   if (my $err = check_storage_supports_templates($conf)) {
+   warn $err;
+   warn "Leave restored backup as container instead of 
converting to template.\n"
+   } else {
+   PVE::LXC::template_create($vmid, $conf);
+   $conf->{template} = 1;
+   }
+   }
PVE::LXC::Config->write_config($vmid, $conf);
};
if (my $err = $@) {
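Review bot: `print STDERR "Convert restored container to template...\n";` is emitted before `check_storage_supports_templates` runs, so the task log announces a conversion that the next lines may skip; move it into the `else` branch next to `template_create`. The second `warn` in the `if` branch also lacks its terminating semicolon, which only parses because it is the last statement of the block.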
@@ -443,6 +456,22 @@ __PACKAGE__->register_method({
return $rpcenv->fork_worker($workername, $vmid, $authuser, $realcmd);
 }});
 
+sub check_storage_supports_templates {
+my ($conf) = @_;
+
+my $scfg = PVE::Storage::config();
+eval {
+   PVE::LXC::Config->foreach_mountpoint($conf, sub {
+   my ($ms, $mp) = @_;
+
+   my ($sid) = PVE::Storage::parse_volume_id($mp->{volume}, 0);
+   die "Warning: Directory storage '$sid' does not support container 
templates!\n"
+   if $scfg->{ids}->{$sid}->{path};
+   });
+};
+return $@
+}
+
 __PACKAGE__->register_method({
 name => 'vmdiridx',
 path => '{vmid}',
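Review bot: `check_storage_supports_templates` bakes `Warning: ` into its message, but the template API call in the next hunk does `die $err`, so a hard failure is now reported to the user as a warning; return the plain message and let the restore path add the prefix. `return $@` is also missing its semicolon, and since the name reads like a predicate while the sub returns an error string (empty on success), a short comment above it would prevent a caller from inverting the test.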
@@ -1177,14 +1206,9 @@ __PACKAGE__->register_method({
die "you can't convert a CT to template if the CT is running\n"
if PVE::LXC::check_running($vmid);
 
-   my $scfg = PVE::Storage::config();
-   PVE::LXC::Config->foreach_mountpoint($conf, sub {
-   my ($ms, $mp) = @_;
-
-   my ($sid) =PVE::Storage::parse_volume_id($mp->{volume}, 0);
-   die "Directory storage '$sid' does not support container 
templates!\n"
-   if $scfg->{ids}->{$sid}->{path};
-   });
+   if (my $err = check_storage_supports_templates($conf)) {
+   die $err;
+   }
 
my $realcmd = sub {
PVE::LXC::template_create($vmid, $conf);
diff --git a/src/PVE/LXC/Create.pm b/src/PVE/LXC/Create.pm
index c0ef1d7..ed79611 100644
--- a/src/PVE/LXC/Create.pm
+++ b/src/PVE/LXC/Create.pm
@@ -139,7 +139,6 @@ sub recover_config {
$conf = PVE::LXC::Config::parse_pct_config("/lxc/0.conf" , $raw);
 
delete $conf->{snapshots};
-   delete $conf->{template}; # restored CT is never a template
 
PVE::LXC::Config->foreach_mountpoint($conf, sub {
my ($ms, $mountpoint) = @_;
@@ -174,6 +173,9 @@ sub restore_configuration {
next if $key eq 'digest' || $key eq 'rootfs' || $key eq 'snapshots' 
|| $key eq 'unprivileged' || $key eq 'parent';
next if $k

[pve-devel] [PATCH container] fix: #1075: Correctly restore CT templates from backup

2019-04-16 Thread Christian Ebner
Restoring a backup from a CT template wrongly resulted in a CT with the template
flag set in the config.
This makes sure the CT template backup gets restored to a CT and only if the
storage supports templates, the resulting CT is converted to a template.
Otherwise the backup restores simply to a CT.

Signed-off-by: Christian Ebner 
---
 src/PVE/API2/LXC.pm   | 28 
 src/PVE/LXC/Create.pm |  2 +-
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
index 5a8a9c9..42e11fb 100644
--- a/src/PVE/API2/LXC.pm
+++ b/src/PVE/API2/LXC.pm
@@ -335,6 +335,7 @@ __PACKAGE__->register_method({
 
my $code = sub {
my $old_conf = PVE::LXC::Config->load_config($vmid);
+   my $was_template;
 
my $vollist = [];
eval {
@@ -344,6 +345,10 @@ __PACKAGE__->register_method({
if ($is_root && $archive ne '-') {
my $orig_conf;
($orig_conf, $orig_mp_param) = 
PVE::LXC::Create::recover_config($archive);
+   if ($orig_conf->{template}) {
+   $was_template = $orig_conf->{template};
+   delete $orig_conf->{template};
+   }
# When we're root call 'restore_configuration' with 
ristricted=0,
# causing it to restore the raw lxc entries, among 
which there may be
# 'lxc.idmap' entries. We need to make sure that the 
extracted contents
@@ -424,6 +429,29 @@ __PACKAGE__->register_method({
$conf->{$mp} = $delayed_mp_param->{$mp};
}
PVE::LXC::Config->write_config($vmid, $conf);
+
+   # If the template flag was set, we try to convert again to 
template after restore
+   if ($was_template) {
+   print STDERR "Convert restored container to template...\n";
+   my $scfg = PVE::Storage::config();
+   eval {
+   PVE::LXC::Config->foreach_mountpoint($conf, sub {
+   my ($ms, $mp) = @_;
+
+   my ($sid) 
=PVE::Storage::parse_volume_id($mp->{volume}, 0);
+   die "Warning: Directory storage '$sid' does not 
support container templates!\nLeave restored backup as container instead\n"
+   if $scfg->{ids}->{$sid}->{path};
+   });
+   };
+   if (my $err = $@) {
+   warn $err;
+   } else {
+   PVE::LXC::template_create($vmid, $conf);
+   $conf->{template} = 1;
+   PVE::LXC::Config->write_config($vmid, $conf);
+   PVE::LXC::update_lxc_config($vmid, $conf);
+   }
+   }
};
if (my $err = $@) {
PVE::LXC::destroy_disks($storage_cfg, $vollist);
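Review bot: the conversion block is added inside the `eval` whose error handler calls `PVE::LXC::destroy_disks($storage_cfg, $vollist)`, and `PVE::LXC::template_create` is not wrapped on its own, so a failure while converting throws away a container that was already restored and saved with `write_config`. Catch conversion errors locally and leave the container as it is, the way the storage check just above already does. The two-line `die` text that doubles as the user-facing warning would also read better as a separate `warn`.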
diff --git a/src/PVE/LXC/Create.pm b/src/PVE/LXC/Create.pm
index c0ef1d7..4b527ff 100644
--- a/src/PVE/LXC/Create.pm
+++ b/src/PVE/LXC/Create.pm
@@ -139,7 +139,6 @@ sub recover_config {
$conf = PVE::LXC::Config::parse_pct_config("/lxc/0.conf" , $raw);
 
delete $conf->{snapshots};
-   delete $conf->{template}; # restored CT is never a template
 
PVE::LXC::Config->foreach_mountpoint($conf, sub {
my ($ms, $mountpoint) = @_;
@@ -174,6 +173,7 @@ sub restore_configuration {
next if $key eq 'digest' || $key eq 'rootfs' || $key eq 'snapshots' 
|| $key eq 'unprivileged' || $key eq 'parent';
next if $key =~ /^mp\d+$/; # don't recover mountpoints
next if $key =~ /^unused\d+$/; # don't recover unused disks
+   next if $key =~ /^template$/; # restored CT is never a template by 
default
if ($restricted && $key eq 'lxc') {
warn "skipping custom lxc options, restore manually as root:\n";
warn "\n";
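Review bot: `next if $key =~ /^template$/;` uses a regex for an exact string comparison while the first `next` in this hunk compares with `eq`; `next if $key eq 'template';` is consistent with it and avoids `$` also matching before a trailing newline. The comment says "by default", so it should mention that the flag is re-applied by the restore API call when the storage allows it.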
-- 
2.11.0



Re: [pve-devel] [RFC firewall 1/3] make verbose a global state

2019-04-12 Thread Christian Ebner
Looks fine, definitely an improvement in readability.
> On April 11, 2019 at 3:28 PM Thomas Lamprecht  wrote:
> 
> 
> This is part of the project 'stop the parameter rabbit hole madness'
> and tries to make reading the firewall code a little bit easier.
> 
> Here we remove passing $verbose from 44 method signatures, while it
> was used in 4 of those methods, a ratio of 1/11 is simply not
> acceptable for such a thing as a verbosity flag..
> 
> Remove it, and just make it a global variable with a setter for now.
> 
> Verbose is not modified in any API call, only in a Service
> environment callable by CLI, so we are safe to do so.
> 
> If we decide to add some sort of firewall instance (i.e., a blessed
> $self "object") with some state we could also move it there, but
> making it global now doesn't hurt.
> 
> Signed-off-by: Thomas Lamprecht 
> ---
>  src/PVE/Firewall.pm | 98 +
>  src/PVE/Service/pve_firewall.pm | 37 +++--
>  2 files changed, 71 insertions(+), 64 deletions(-)
> 
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> index 48e6300..92b02aa 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -131,7 +131,6 @@ my $nodename = PVE::INotify::nodename();
>  my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
>  
>  my $default_log_level = 'nolog'; # avoid logs by default
> -
>  my $global_log_ratelimit = '--limit 1/sec';
>  
>  my $log_level_hash = {
> @@ -145,6 +144,11 @@ my $log_level_hash = {
>  emerg => 0,
>  };
>  
> +my $verbose = 0;
> +sub set_verbose {
> +$verbose = shift;
> +}
> +
>  # %rule
>  #
>  # name => optional
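Review bot: `my $verbose` is now file-scoped state behind `set_verbose`, so in a long-running process a value set once stays in effect for every later call into this module. The commit message argues this is safe because only the CLI service sets it; that reasoning belongs in a comment above the sub so a later API caller does not start toggling it. `set_verbose` could also normalise its argument, for example `$verbose = $_[0] ? 1 : 0;`, since `shift` on an empty argument list leaves the flag `undef`.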
> @@ -2569,7 +2573,7 @@ sub get_mark_values {
>  }
>  
>  sub parse_fw_rule {
> -my ($prefix, $line, $cluster_conf, $fw_conf, $rule_env, $verbose) = @_;
> +my ($prefix, $line, $cluster_conf, $fw_conf, $rule_env) = @_;
>  
>  my $orig_line = $line;
>  
> @@ -2795,7 +2799,7 @@ sub parse_alias {
>  }
>  
>  sub generic_fw_config_parser {
> -my ($filename, $fh, $verbose, $cluster_conf, $empty_conf, $rule_env) = 
> @_;
> +my ($filename, $fh, $cluster_conf, $empty_conf, $rule_env) = @_;
>  
>  my $section;
>  my $group;
> @@ -2892,7 +2896,7 @@ sub generic_fw_config_parser {
>   warn "$prefix: $@" if $@;
>   } elsif ($section eq 'rules') {
>   my $rule;
> - eval { $rule = parse_fw_rule($prefix, $line, $cluster_conf, $res, 
> $rule_env, $verbose); };
> + eval { $rule = parse_fw_rule($prefix, $line, $cluster_conf, $res, 
> $rule_env); };
>   if (my $err = $@) {
>   warn "$prefix: $err";
>   next;
> @@ -2900,7 +2904,7 @@ sub generic_fw_config_parser {
>   push @{$res->{$section}}, $rule;
>   } elsif ($section eq 'groups') {
>   my $rule;
> - eval { $rule = parse_fw_rule($prefix, $line, $cluster_conf, undef, 
> 'group', $verbose); };
> + eval { $rule = parse_fw_rule($prefix, $line, $cluster_conf, undef, 
> 'group'); };
>   if (my $err = $@) {
>   warn "$prefix: $err";
>   next;
> @@ -2958,15 +2962,15 @@ sub generic_fw_config_parser {
>  }
>  
>  sub parse_hostfw_config {
> -my ($filename, $fh, $cluster_conf, $verbose) = @_;
> +my ($filename, $fh, $cluster_conf) = @_;
>  
>  my $empty_conf = { rules => [], options => {}};
>  
> -return generic_fw_config_parser($filename, $fh, $verbose, $cluster_conf, 
> $empty_conf, 'host');
> +return generic_fw_config_parser($filename, $fh, $cluster_conf, 
> $empty_conf, 'host');
>  }
>  
>  sub parse_vmfw_config {
> -my ($filename, $fh, $cluster_conf, $rule_env, $verbose) = @_;
> +my ($filename, $fh, $cluster_conf, $rule_env) = @_;
>  
>  my $empty_conf = {
>   rules => [],
> @@ -2976,11 +2980,11 @@ sub parse_vmfw_config {
>   ipset_comments => {},
>  };
>  
> -return generic_fw_config_parser($filename, $fh, $verbose, $cluster_conf, 
> $empty_conf, $rule_env);
> +return generic_fw_config_parser($filename, $fh, $cluster_conf, 
> $empty_conf, $rule_env);
>  }
>  
>  sub parse_clusterfw_config {
> -my ($filename, $fh, $verbose) = @_;
> +my ($filename, $fh) = @_;
>  
>  my $section;
>  my $group;
> @@ -2995,7 +2999,7 @@ sub parse_clusterfw_config {
>   ipset_comments => {},
>  };
>  
> -return generic_fw_config_parser($filename, $fh, $verbose, $empty_conf, 
> $empty_conf, 'cluster');
> +return generic_fw_config_parser($filename, $fh, $empty_conf, 
> $empty_conf, 'cluster');
>  }
>  
>  sub run_locked {
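Review bot: in the `generic_fw_config_parser(...)` call of `parse_clusterfw_config`, `$empty_conf` now sits in both the `$cluster_conf` and the `$empty_conf` position, which after dropping `$verbose` reads like a leftover argument. The old call did the same, so if it is intended, a one-line comment saying that the cluster config under construction is also the reference config would stop someone from "fixing" it later.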
> @@ -3047,7 +3051,7 @@ sub read_local_vm_config {
>  };
>  
>  sub load_vmfw_conf {
> -my ($cluster_conf, $rule_env, $vmid, $dir, $verbose) = @_;
> +my ($cluster_conf, $rule_env, $vmid, $dir) = @_;
>  
>  my $vmfw_conf = {};
>  
> @@ -3055,7 +3059,7 @@ sub load_vmfw_conf {
>  
>  my $filename = "$dir/$vmid.fw";
>  if (my $fh = IO::File->new($filename, O_RDONLY)) {
> - $vmfw_conf = parse_vmfw_config($filename, $fh,

[pve-devel] [PATCH firewall] fix: Check if VM firewall enabled before generating NICs tap rules

2019-04-11 Thread Christian Ebner
Only if the VM firewall is enabled, the tap rules for each of the NICs should be
generated, analogous to the current behaviour for CTs.

Signed-off-by: Christian Ebner 
---
 src/PVE/Firewall.pm | 24 +---
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 48e6300..91e21ed 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3572,17 +3572,19 @@ sub compile_iptables_filter {
my $vmfw_conf = $vmfw_configs->{$vmid};
return if !$vmfw_conf;
 
-   foreach my $netid (sort keys %$conf) {
-   next if $netid !~ m/^net(\d+)$/;
-   my $net = PVE::QemuServer::parse_net($conf->{$netid});
-   next if !$net->{firewall};
-   my $iface = "tap${vmid}i$1";
-
-   my $macaddr = $net->{macaddr};
-   generate_tap_rules_direction($ruleset, $cluster_conf, $iface, 
$netid, $macaddr,
-$vmfw_conf, $vmid, 'IN', 
$ipversion);
-   generate_tap_rules_direction($ruleset, $cluster_conf, $iface, 
$netid, $macaddr,
-$vmfw_conf, $vmid, 'OUT', 
$ipversion);
+if ($vmfw_conf->{options}->{enable}) {
+   foreach my $netid (sort keys %$conf) {
+   next if $netid !~ m/^net(\d+)$/;
+   my $net = PVE::QemuServer::parse_net($conf->{$netid});
+   next if !$net->{firewall};
+   my $iface = "tap${vmid}i$1";
+
+   my $macaddr = $net->{macaddr};
+   generate_tap_rules_direction($ruleset, $cluster_conf, 
$iface, $netid, $macaddr,
+$vmfw_conf, $vmid, 'IN', 
$ipversion);
+   generate_tap_rules_direction($ruleset, $cluster_conf, 
$iface, $netid, $macaddr,
+$vmfw_conf, $vmid, 'OUT', 
$ipversion);
+   }
}
};
warn $@ if $@; # just to be sure - should not happen
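Review bot: the new `if ($vmfw_conf->{options}->{enable})` wrapper re-indents the whole loop for a single guard; the line above already uses `return if !$vmfw_conf;`, so an early `return if !$vmfw_conf->{options}->{enable};` would express the same condition as a one-line change. The commit message should also state the visible effect: a NIC with `firewall` set on a VM whose firewall is disabled no longer gets any tap rules generated.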
-- 
2.11.0



[pve-devel] [PATCH storage] Status: Include command error in error message when storage activation fails

2019-04-10 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 PVE/API2/Storage/Status.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/PVE/API2/Storage/Status.pm b/PVE/API2/Storage/Status.pm
index 1b0486a..9a5a952 100644
--- a/PVE/API2/Storage/Status.pm
+++ b/PVE/API2/Storage/Status.pm
@@ -442,7 +442,7 @@ __PACKAGE__->register_method ({
PVE::Tools::run_command([@remcmd, '/usr/sbin/pvesm', 'status', 
 '--storage', $param->{storage}]); 
};
-   die "can't activate storage '$param->{storage}' on node '$node'\n" 
if $@;
+   die "can't activate storage '$param->{storage}' on node '$node': 
$@\n" if $@;
 
PVE::Tools::run_command([@remcmd, '/bin/mkdir', '-p', '--', 
PVE::Tools::shell_quote($dirname)],
errmsg => "mkdir failed");
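Review bot: in the changed `die`, `$@` is interpolated directly in front of the added `\n`; if the exception text already ends with a newline, the message gains a trailing blank line. Copy and trim it first (`my $err = $@; chomp $err;`) and interpolate `$err`. Since this string goes back to the API caller, also check that the error from the remote `pvesm status` call carries nothing that caller should not see.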
-- 
2.11.0



[pve-devel] [PATCH manager] ui: Restore.js: Fix error where the textfield did not default to next free VMID

2019-04-09 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 www/manager6/window/Restore.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/manager6/window/Restore.js b/www/manager6/window/Restore.js
index d7e1fb3d..870b0dde 100644
--- a/www/manager6/window/Restore.js
+++ b/www/manager6/window/Restore.js
@@ -38,7 +38,7 @@ Ext.define('PVE.window.Restore', {
IDfield = Ext.create('PVE.form.GuestIDSelector', {
name: 'vmid',
guestType: me.vmtype,
-   loadNextGuestID: true,
+   loadNextFreeID: true,
validateExists: false
});
}
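Review bot: the commit message has no body and the hunk only renames the config key `loadNextGuestID` to `loadNextFreeID`; please add a sentence naming where `PVE.form.GuestIDSelector` defines `loadNextFreeID`, so the fix can be verified from the log alone. The old key evidently raised no error and only left the field without its default, so a grep for other uses of `loadNextGuestID` in the tree is worth doing in the same patch.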
-- 
2.11.0



[pve-devel] [PATCH i18n] it: Improvements and additions to italian translation

2019-04-09 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 it.po | 50 +-
 1 file changed, 25 insertions(+), 25 deletions(-)

diff --git a/it.po b/it.po
index 8051363..8e86f29 100644
--- a/it.po
+++ b/it.po
@@ -63,7 +63,7 @@ msgstr ""
 
 #: pmg-gui/js/NavigationTree.js:22 pmg-gui/js/Utils.js:32
 msgid "Action Objects"
-msgstr "Elementi dell'Azione"
+msgstr "Elementi d'azione"
 
 #: proxmox-widget-toolkit/node/NetworkView.js:279 pmg-gui/js/RuleEditor.js:45
 #: pmg-gui/js/RuleInfo.js:256
@@ -143,7 +143,7 @@ msgstr "Amministratore"
 
 #: pmg-gui/js/SystemOptions.js:76
 msgid "Administrator EMail"
-msgstr "Amministratore delle E-Mail"
+msgstr "Amministratore E-Mail"
 
 #: proxmox-widget-toolkit/window/Edit.js:334
 #: pve-manager/www/manager6/window/Wizard.js:162
@@ -209,7 +209,7 @@ msgstr "Siete sicuro che volete distaccare l'elemento {0}"
 
 #: pve-manager/www/manager6/StateProvider.js:184
 msgid "Are you sure you want to navigate away from this page?"
-msgstr "Sicuro di volervi allontanare da questa pagina?"
+msgstr "Siete sicuro che volete allontanarvi da questa pagina?"
 
 #: proxmox-widget-toolkit/button/Button.js:127 pmg-gui/js/RuleInfo.js:44
 #: pmg-gui/js/UserBlackWhiteList.js:182
@@ -255,7 +255,7 @@ msgstr "Autenticazione"
 
 #: pmg-gui/js/SpamQuarantineOptions.js:34
 msgid "Authentication mode"
-msgstr "Metodo di Autenticazione"
+msgstr "Metodo di autenticazione"
 
 #: pve-manager/www/manager6/window/Restore.js:72
 msgid "Autogenerate unique properties, e.g., MAC addresses"
@@ -276,12 +276,12 @@ msgstr "Disponibile"
 
 #: pmg-gui/js/RuleInfo.js:328
 msgid "Available Objects"
-msgstr "elementi Disponibili"
+msgstr "Elementi disponibili"
 
 #: pmg-gui/js/GeneralMailStatistics.js:119
 #: pmg-gui/js/dashboard/MailProcessing.js:49
 msgid "Avg. Mail Processing Time"
-msgstr "Tempo Medio di Processo"
+msgstr "Tempo medio di gestione mail"
 
 #: pmg-gui/js/Utils.js:561
 msgid "BCC"
@@ -332,7 +332,7 @@ msgstr ""
 
 #: pmg-gui/js/LDAPConfig.js:139
 msgid "Base DN for Groups"
-msgstr "Base DN per Gruppi"
+msgstr "Base DN per gruppi"
 
 #: pve-manager/www/manager6/dc/AuthEdit.js:53
 msgid "Base Domain Name"
@@ -364,7 +364,7 @@ msgstr "Block Size"
 
 #: pmg-gui/js/VirusDetectorOptions.js:11
 msgid "Block encrypted archives"
-msgstr "Blocca Archivi Criptati"
+msgstr "Archivi criptati a blocchi"
 
 #: pmg-gui/js/Utils.js:515
 msgid "Body"
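Review bot: the new msgstr for "Block encrypted archives" changes the meaning. In `pmg-gui/js/VirusDetectorOptions.js` "Block" appears to be a verb (reject archives that are encrypted), which the old "Blocca Archivi Criptati" conveyed, while "Archivi criptati a blocchi" reads as "block-wise encrypted archives". Suggest keeping the verb and fixing only the capitalisation: "Blocca archivi criptati".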
@@ -407,7 +407,7 @@ msgstr "Bridge ports"
 
 #: pmg-gui/js/ClamAVDatabase.js:89
 msgid "Build time"
-msgstr "Tempo di Build"
+msgstr "Tempo di build"
 
 #: pve-manager/www/manager6/dc/RoleView.js:69
 msgid "Built-In"
@@ -521,7 +521,7 @@ msgstr "Capacità"
 
 #: pve-manager/www/manager6/ceph/CephInstallWizard.js:183
 msgid "Ceph cluster configuration"
-msgstr "Configurazione Ceph Server"
+msgstr "Configurazione server Ceph"
 
 #: pve-manager/www/manager6/ceph/FS.js:117
 msgid "CephFS"
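Review bot: the msgid is "Ceph cluster configuration", but both the old and the new msgstr say "server". Since this line is being touched anyway, "Configurazione cluster Ceph" would match the source string.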
@@ -534,7 +534,7 @@ msgstr "Certificato"
 
 #: pve-manager/www/manager6/node/Certificates.js:173
 msgid "Certificate Chain"
-msgstr ""
+msgstr "Catena certificati"
 
 #: pve-manager/www/manager6/node/Config.js:178
 msgid "Certificates"
@@ -584,7 +584,7 @@ msgstr "Limite del tasso di connessioni client"
 
 #: pmg-gui/js/MailProxyOptions.js:63
 msgid "Client Message Rate Limit"
-msgstr "Limite nel tasso di Messaggi Client"
+msgstr "Limite del tasso di messaggi client"
 
 #: proxmox-widget-toolkit/Utils.js:458 proxmox-widget-toolkit/Utils.js:476
 #: pve-manager/www/manager6/lxc/CmdMenu.js:120
@@ -796,7 +796,7 @@ msgstr "Modo console"
 #: pmg-gui/js/ContactStatistics.js:102 pmg-gui/js/ContactStatistics.js:149
 #: pmg-gui/js/ContactStatistics.js:209 pmg-gui/js/NavigationTree.js:184
 msgid "Contact"
-msgstr "contatto"
+msgstr "Contatto"
 
 #: pve-manager/www/manager6/Utils.js:450
 #: pve-manager/www/manager6/ha/ResourceEdit.js:186
@@ -1096,7 +1096,7 @@ msgstr "Consegna"
 
 #: pmg-gui/js/FetchmailEdit.js:77 pmg-gui/js/FetchmailView.js:113
 msgid "Deliver to"
-msgstr "Consegna a "
+msgstr "Consegna a"
 
 #: proxmox-widget-toolkit/node/APT.js:40
 #: proxmox-widget-toolkit/node/ServiceView.js:172
@@ -1148,7 +1148,7 @@ msgstr "Distruggi MDS"
 
 #: proxmox-widget-toolkit/Utils.js:505
 msgid "Destroy image from unknown guest"
-msgstr ""
+msgstr "Distruggere l'immagine di guest sconosciuto"
 
 #: pve-manager/www/manager6/q

[pve-devel] [PATCH manager] Allow to set the IP broadcast address used to send the WoL packet

2019-04-08 Thread Christian Ebner
In order to send the WoL packet to a specific broadcast domain, the user can
define the broadcast address in the config, as fallback 255.255.255.255 is used.
By this, the route and therefore the NIC is decided by the kernel.

Signed-off-by: Christian Ebner 
---
 PVE/API2/Nodes.pm| 25 -
 PVE/CLI/pvenode.pm   |  2 +-
 PVE/NodeConfig.pm|  6 ++
 www/manager6/node/CmdMenu.js |  3 ++-
 4 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/PVE/API2/Nodes.pm b/PVE/API2/Nodes.pm
index 8a2c2384..81596f25 100644
--- a/PVE/API2/Nodes.pm
+++ b/PVE/API2/Nodes.pm
@@ -490,9 +490,19 @@ __PACKAGE__->register_method({
},
 },
 returns => {
-   type => 'string',
-   format => 'mac-addr',
-   description => 'MAC address used to assemble the WoL magic packet.',
+   type => 'object',
+   properties => {
+   wakeonlan => {
+   type => 'string',
+   format => 'mac-addr',
+   description => 'MAC address used to assemble the WoL magic 
packet.',
+   },
+   wakeonlanaddr => {
+   type => 'string',
+   format => 'ip',
+   description => 'IP-Broadcast address used to send the WoL magic 
packet.',
+   },
+   },
 },
 code => sub {
my ($param) = @_;
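Review bot: changing `returns` from a plain `mac-addr` string to an object is a breaking change for existing consumers of this API call, and the commit message does not mention it; please note it there. Separately, `wakeonlanaddr` is described as a broadcast address but is validated only with `format => 'ip'`, so any unicast address is accepted as well; either tighten the check or reword the description.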
@@ -506,6 +516,9 @@ __PACKAGE__->register_method({
 
my $config = PVE::NodeConfig::load_config($node);
my $mac_addr = $config->{wakeonlan};
+   my $broadcast_addr = $config->{wakeonlanaddr};
+   $broadcast_addr = '255.255.255.255' if !defined $broadcast_addr;
+
if (!defined($mac_addr)) {
die "No wake on LAN MAC address defined for '$node'!\n";
}
@@ -513,7 +526,7 @@ __PACKAGE__->register_method({
$mac_addr =~ s/://g;
my $packet = chr(0xff) x 6 . pack('H*', $mac_addr) x 16;
 
-   my $addr = gethostbyname('255.255.255.255');
+   my $addr = gethostbyname($broadcast_addr);
my $port = getservbyname('discard', 'udp');
my $to = Socket::pack_sockaddr_in($port, $addr);
 
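Review bot: `gethostbyname($broadcast_addr)` sends the configured value through the resolver although the schema already restricts it to an IP literal, and the result goes unchecked into `Socket::pack_sockaddr_in`, which builds an IPv4 socket address. If the `ip` format also admits IPv6 addresses, this fails only at send time; consider `format => 'ipv4'` for the option and die with a clear message when `$addr` is undefined.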
@@ -527,7 +540,9 @@ __PACKAGE__->register_method({
 
close($sock);
 
-   return $config->{wakeonlan};
+   my $ret->{wakeonlan} = $config->{wakeonlan};
+   $ret->{wakeonlanaddr} = $broadcast_addr;
+   return $ret;
 }});
 
 __PACKAGE__->register_method({
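Review bot: `my $ret->{wakeonlan} = ...` declares the variable and autovivifies it as a hash reference in one statement, which is easy to misread. Returning the structure directly, `return { wakeonlan => $config->{wakeonlan}, wakeonlanaddr => $broadcast_addr };`, is clearer and drops the temporary.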
diff --git a/PVE/CLI/pvenode.pm b/PVE/CLI/pvenode.pm
index 1989e8b3..41120050 100644
--- a/PVE/CLI/pvenode.pm
+++ b/PVE/CLI/pvenode.pm
@@ -212,7 +212,7 @@ our $cmddef = {
 wakeonlan => [ 'PVE::API2::Nodes::Nodeinfo', 'wakeonlan', [ 'node' ], {}, 
sub {
my ($mac_addr) = @_;
 
-   print "Wake on LAN packet send for '$mac_addr'\n";
+   print "Wake on LAN packet send for '$mac_addr->{wakeonlan}' via 
'$mac_addr->{wakeonlanaddr}'\n";
} ],
 
 };
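Review bot: the callback parameter is still named `$mac_addr` although it now receives the hash with `wakeonlan` and `wakeonlanaddr`; rename it (for example `$res`) so that `$mac_addr->{wakeonlanaddr}` does not read like a lookup on a MAC address. While the string is being changed, "packet send" should be "packet sent".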
diff --git a/PVE/NodeConfig.pm b/PVE/NodeConfig.pm
index b52868e2..4f9df886 100644
--- a/PVE/NodeConfig.pm
+++ b/PVE/NodeConfig.pm
@@ -67,6 +67,12 @@ my $confdesc = {
format => 'mac-addr',
optional => 1,
 },
+wakeonlanaddr => {
+   type => 'string',
+   description => 'IP Broadcast address for wake on LAN',
+   format => 'ip',
+   optional => 1,
+},
 };
 
 my $acmedesc = {
diff --git a/www/manager6/node/CmdMenu.js b/www/manager6/node/CmdMenu.js
index f718f69a..9d266363 100644
--- a/www/manager6/node/CmdMenu.js
+++ b/www/manager6/node/CmdMenu.js
@@ -103,7 +103,8 @@ Ext.define('PVE.node.CmdMenu', {
Ext.Msg.show({
title: 'Success',
icon: Ext.Msg.INFO,
-   msg: Ext.String.format(gettext("Wake on LAN packet 
send for '{0}': '{1}'"), me.nodename, response.result.data)
+   msg: Ext.String.format(gettext("Wake on LAN packet 
send for '{0}': '{1}' via '{2}'"),
+   me.nodename, response.result.data.wakeonlan, 
response.result.data.wakeonlanaddr)
});
}
});
-- 
2.11.0



[pve-devel] [PATCH qemu-server] qm create: Set the NICs firewall to enabled by default on container creation

2019-04-03 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 PVE/API2/Qemu.pm | 4 
 1 file changed, 4 insertions(+)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 5469089..f9ce355 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -526,6 +526,10 @@ __PACKAGE__->register_method({
 
PVE::QemuServer::cleanup_drive_path($opt, $storecfg, 
$drive);
$param->{$opt} = PVE::QemuServer::print_drive($vmid, 
$drive);
+   } elsif ($opt =~ m/^net\d+/) {
+   my $net = PVE::QemuServer::parse_net($param->{$opt});
+   $net->{'firewall'} = 1 if !defined($net->{'firewall'});
+   $param->{$opt} = PVE::QemuServer::print_net($net);
}
}
 
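Review bot: the new branch matches `m/^net\d+/` without an end anchor, so it also catches any option name that merely starts with `netN`; anchor it as `m/^net\d+$/`. Defaulting `firewall` to 1 for API callers that omit the key is a behaviour change for existing clients and should be spelled out in the commit message, which currently has no body.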
-- 
2.11.0



[pve-devel] [PATCH container] pct create: Set the NICs firewall to enabled by default on container creation

2019-04-03 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 src/PVE/API2/LXC.pm | 4 
 1 file changed, 4 insertions(+)

diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
index 5a8a9c9..8234df4 100644
--- a/src/PVE/API2/LXC.pm
+++ b/src/PVE/API2/LXC.pm
@@ -296,6 +296,10 @@ __PACKAGE__->register_method({
} elsif ($opt =~ m/^unused\d+$/) {
warn "ignoring '$opt', cannot create/restore with unused 
volume\n";
delete $param->{$opt};
+   } elsif ($opt =~ m/^net\d+$/) {
+   my $net = PVE::LXC::Config->parse_lxc_network($param->{$opt});
+   $net->{'firewall'} = 1 if !defined($net->{'firewall'});
+   $no_disk_param->{$opt} = 
PVE::LXC::Config->print_lxc_network($net);
} else {
$no_disk_param->{$opt} = $value;
}
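Review bot: the added `net\d+` branch sets `firewall` to 1 whenever the caller leaves the key out, but the surrounding loop serves both create and restore (see the "cannot create/restore" warning just above), so a `netN` parameter passed on restore is rewritten as well. If that is intended, say so in the commit message; otherwise restrict the branch to the create path.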
-- 
2.11.0



[pve-devel] [PATCH manager] fix: #1218 Expose unique MAC address generation on restore of VMs and CTs in UI

2019-04-03 Thread Christian Ebner
Adds a checkbox to the restore window, allowing the user to avoid MAC address
collisions when restoring a VM/CT to a different vmid.
When restoring to the same vmid the checkbox is not visible.

Signed-off-by: Christian Ebner 
---
 www/manager6/window/Restore.js | 10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/www/manager6/window/Restore.js b/www/manager6/window/Restore.js
index ddea6a37..6d565f2d 100644
--- a/www/manager6/window/Restore.js
+++ b/www/manager6/window/Restore.js
@@ -28,6 +28,7 @@ Ext.define('PVE.window.Restore', {
});
 
var IDfield;
+   var unique;
if (me.vmid) {
IDfield = Ext.create('Ext.form.field.Display', {
name: 'vmid',
@@ -41,6 +42,11 @@ Ext.define('PVE.window.Restore', {
loadNextGuestID: true,
validateExists: false
});
+   unique = Ext.create('Proxmox.form.Checkbox', {
+   name: 'unique',
+   fieldLabel: gettext('Unique MAC address'),
+   checked: false
+   });
}
 
var items = [
@@ -61,7 +67,8 @@ Ext.define('PVE.window.Restore', {
tag: 'div',
'data-qtip': gettext("Use '0' to disable all bandwidth 
limits.")
}
-   }
+   },
+   unique
];
 
/*jslint confusion: true*/
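Review bot: `unique` is assigned only in the branch without `me.vmid`, yet it is appended to `items` unconditionally, so when restoring to the same vmid the array ends with an `undefined` entry. Add the checkbox conditionally (`if (unique) { items.push(unique); }`) rather than relying on the container to skip the empty slot.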
@@ -119,6 +126,7 @@ Ext.define('PVE.window.Restore', {
vmid: me.vmid || values.vmid,
force: me.vmid ? 1 : 0
};
+   if (values.unique) { params.unique = 1; }
 
if (values.bwlimit !== undefined) {
params.bwlimit = values.bwlimit * 1024;
-- 
2.11.0



[pve-devel] [PATCH manager] fix: #1145 enable CT/VM firewall by default on creation via WebUI

2019-04-03 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 www/manager6/lxc/Network.js   | 1 +
 www/manager6/qemu/HardwareView.js | 3 ++-
 www/manager6/qemu/NetworkEdit.js  | 6 --
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/www/manager6/lxc/Network.js b/www/manager6/lxc/Network.js
index 88c6e561..1e11539d 100644
--- a/www/manager6/lxc/Network.js
+++ b/www/manager6/lxc/Network.js
@@ -56,6 +56,7 @@ Ext.define('PVE.lxc.NetworkInputPanel', {
cdata.name = 'eth0';
me.dataCache = {};
}
+   cdata.firewall =  (me.insideWizard || me.isCreate);
 
if (!me.dataCache) {
throw "no dataCache specified";
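Review bot: `cdata.firewall =  (me.insideWizard || me.isCreate);` sits after the closing brace of the preceding block, so it also runs when an existing interface is edited and then sets `firewall` to a falsy value. Please confirm that the stored setting is applied to `cdata` after this point, or move the assignment into the create path; the doubled space after `=` can go at the same time.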
diff --git a/www/manager6/qemu/HardwareView.js 
b/www/manager6/qemu/HardwareView.js
index bfa06927..ba588e37 100644
--- a/www/manager6/qemu/HardwareView.js
+++ b/www/manager6/qemu/HardwareView.js
@@ -638,7 +638,8 @@ Ext.define('PVE.qemu.HardwareView', {
handler: function() {
var win = 
Ext.create('PVE.qemu.NetworkEdit', {
url: '/api2/extjs/' + baseurl,
-   pveSelNode: me.pveSelNode
+   pveSelNode: me.pveSelNode,
+   isCreate: true
});
win.on('destroy', reload);
win.show();
diff --git a/www/manager6/qemu/NetworkEdit.js b/www/manager6/qemu/NetworkEdit.js
index dd950d2b..abce4903 100644
--- a/www/manager6/qemu/NetworkEdit.js
+++ b/www/manager6/qemu/NetworkEdit.js
@@ -82,7 +82,8 @@ Ext.define('PVE.qemu.NetworkInputPanel', {
{
xtype: 'proxmoxcheckbox',
fieldLabel: gettext('Firewall'),
-   name: 'firewall'
+   name: 'firewall',
+   checked: (me.insideWizard || me.isCreate)
}
];
 
@@ -185,7 +186,8 @@ Ext.define('PVE.qemu.NetworkEdit', {
 
var ipanel = Ext.create('PVE.qemu.NetworkInputPanel', {
confid: me.confid,
-   nodename: nodename
+   nodename: nodename,
+   isCreate: me.isCreate
});
 
Ext.applyIf(me, {
-- 
2.11.0



[pve-devel] [PATCH container] fix: #1218 Add flag 'unique' to pct restore in order to set new MAC addresses to NICs

2019-04-01 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 src/PVE/API2/LXC.pm   | 9 -
 src/PVE/LXC/Create.pm | 9 -
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
index 6de121f..3d5460c 100644
--- a/src/PVE/API2/LXC.pm
+++ b/src/PVE/API2/LXC.pm
@@ -144,6 +144,12 @@ __PACKAGE__->register_method({
type => 'boolean',
description => "Mark this as restore task.",
},
+   unique => {
+   optional => 1,
+   type => 'boolean',
+   description => "Assign a unique random ethernet address.",
+   requires => 'restore',
+   },
pool => {
optional => 1,
type => 'string', format => 'pve-poolid',
@@ -197,6 +203,7 @@ __PACKAGE__->register_method({
# 'unprivileged' is read-only, so we can't pass it to update_pct_config
my $unprivileged = extract_param($param, 'unprivileged');
my $restore = extract_param($param, 'restore');
+   my $unique = extract_param($param, 'unique');
 
if ($restore) {
# fixme: limit allowed parameters
@@ -397,7 +404,7 @@ __PACKAGE__->register_method({
PVE::LXC::Create::restore_archive($archive, $rootdir, 
$conf, $ignore_unpack_errors, $bwlimit);
 
if ($restore) {
-   PVE::LXC::Create::restore_configuration($vmid, 
$rootdir, $conf, !$is_root);
+   PVE::LXC::Create::restore_configuration($vmid, 
$rootdir, $conf, !$is_root, $unique);
} else {
my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir); 
# detect OS
PVE::LXC::Config->write_config($vmid, $conf); # safe 
config (after OS detection)
diff --git a/src/PVE/LXC/Create.pm b/src/PVE/LXC/Create.pm
index 564d6db..39827a6 100644
--- a/src/PVE/LXC/Create.pm
+++ b/src/PVE/LXC/Create.pm
@@ -159,7 +159,7 @@ sub recover_config {
 }
 
 sub restore_configuration {
-my ($vmid, $rootdir, $conf, $restricted) = @_;
+my ($vmid, $rootdir, $conf, $restricted, $unique) = @_;
 
 # restore: try to extract configuration from archive
 
@@ -184,6 +184,13 @@ sub restore_configuration {
warn "\n";
next;
}
+   if (($unique && $key =~ /^net\d+/)) {
+   my $net = PVE::LXC::Config->parse_lxc_network($oldconf->{$key});
+   my $dc = PVE::Cluster::cfs_read_file('datacenter.cfg');
+   $net->{hwaddr} = 
PVE::Tools::random_ether_addr($dc->{mac_prefix});
+   $conf->{$key} = PVE::LXC::Config->print_lxc_network($net);
+   next;
+   }
$conf->{$key} = $oldconf->{$key} if !defined($conf->{$key});
}
unlink($pct_cfg_fn);
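Review bot: with `$unique` set, the new branch assigns `$conf->{$key}` from `$oldconf` and then calls `next`, bypassing the `if !defined($conf->{$key})` guard on the line below, so a `netN` value supplied by the caller for the restore is overwritten by the archived one. Either use the caller's value as the base for the new `hwaddr` or document the precedence. Also, `cfs_read_file('datacenter.cfg')` does not change between iterations and can be read once before the loop, the regex should be end-anchored (`/^net\d+$/`), and the doubled parentheses around the condition are not needed.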
-- 
2.11.0



[pve-devel] [PATCH manager v2] Allow to set the firewall log rate limit and burst from the UI

2019-04-01 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
Version 2:
* Values are retained in config while disable/enable
* Removed disabling of the textfield and combobox when unchecking enable
  in order to get the values instead of undefined.
* initComponent -> autoLoad: true

 www/manager6/Makefile  |  1 +
 www/manager6/grid/FirewallOptions.js   |  8 +++
 www/manager6/window/FirewallLograteEdit.js | 94 ++
 3 files changed, 103 insertions(+)
 create mode 100644 www/manager6/window/FirewallLograteEdit.js

diff --git a/www/manager6/Makefile b/www/manager6/Makefile
index 962a3f4d..5ad70933 100644
--- a/www/manager6/Makefile
+++ b/www/manager6/Makefile
@@ -85,6 +85,7 @@ JSSRC=
\
window/StartupEdit.js   \
window/CephInstall.js   \
window/FirewallEnableEdit.js\
+   window/FirewallLograteEdit.js   \
panel/NotesView.js  \
grid/ResourceGrid.js\
grid/PoolMembers.js \
diff --git a/www/manager6/grid/FirewallOptions.js 
b/www/manager6/grid/FirewallOptions.js
index 72fad34f..2952e854 100644
--- a/www/manager6/grid/FirewallOptions.js
+++ b/www/manager6/grid/FirewallOptions.js
@@ -103,6 +103,14 @@ Ext.define('PVE.FirewallOptions', {
} else if (me.fwtype === 'dc') {
add_boolean_row('enable', gettext('Firewall'), 0);
add_boolean_row('ebtables', 'ebtables', 1);
+   me.rows.log_ratelimit = {
+   header: gettext('Log rate limit'),
+   required: true,
+   defaultValue: 'enable=0',
+   editor: {
+   xtype: 'pveFirewallLograteEdit'
+   }
+   };
}
 
if (me.fwtype === 'dc' || me.fwtype === 'vm') {
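Review bot: `defaultValue: 'enable=0'` makes the grid show log rate limiting as off when the option is unset, but the firewall RFC on this list ("allow to enable/disable and modify cluster wide log ratelimits") gives `enable` a default of `1` and starts from `--limit 1/sec`. The UI default should mirror the backend default; otherwise an unset option is displayed as the opposite of what is enforced.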
diff --git a/www/manager6/window/FirewallLograteEdit.js 
b/www/manager6/window/FirewallLograteEdit.js
new file mode 100644
index ..c48be192
--- /dev/null
+++ b/www/manager6/window/FirewallLograteEdit.js
@@ -0,0 +1,94 @@
+/*jslint confusion: true*/
+Ext.define('PVE.FirewallLograteInputPanel', {
+extend: 'Proxmox.panel.InputPanel',
+xtype: 'pveFirewallLograteInputPanel',
+
+viewModel: {},
+
+items: [
+   {
+   xtype: 'proxmoxcheckbox',
+   name: 'enable',
+   reference: 'enable',
+   fieldLabel: gettext('Enable'),
+   value: false
+   },
+   {
+   layout: 'hbox',
+   border: false,
+   items: [
+   {
+   xtype: 'numberfield',
+   name: 'rate',
+   fieldLabel: gettext('Log rate limit'),
+   minValue: 1,
+   maxValue: 99,
+   allowBlank: false,
+   flex: 2,
+   value: 1
+   },
+   {
+   html: '/'
+   },
+   {
+   xtype: 'proxmoxKVComboBox',
+   name: 'unit',
+   comboItems: [['second', 'second'], ['minute', 'minute'],
+   ['hour', 'hour'], ['day', 'day']],
+   allowBlank: false,
+   flex: 1,
+   value: 'second'
+   }
+   ]
+   },
+   {
+   xtype: 'numberfield',
+   name: 'burst',
+   fieldLabel: gettext('Log burst limit'),
+   minValue: 1,
+   maxValue: 99,
+   value: 5
+   }
+],
+
+onGetValues: function(values) {
+   var me = this;
+
+   var vals = {};
+   vals.enable = values.enable !== undefined ? 1 : 0;
+   vals.rate = values.rate + '/' + values.unit;
+   vals.burst = values.burst;
+   var properties = PVE.Parser.printPropertyString(vals, undefined);
+   if (properties == '') {
+   return { 'delete': 'log_ratelimit' };
+   }
+   return { log_ratelimit: properties };
+},
+
+setValues: function(values) {
+   var me = this;
+
+   var properties = {};
+   if (values.log_ratelimit !== undefined) {
+   properties = PVE.Parser.parsePropertyString(values.log_ratelimit);
+   var matches = 
properties.rate.match(/^(\d+)\/(second|minute|hour|day)$/);
+   if (matches) {
+   properties.rate = matches[1];
+   properties.unit = matches[2];
+   }
+   }
+  
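Review bot: in `onGetValues`, `vals` always carries `enable` and `rate`, so `printPropertyString` cannot return an empty string and the `{ 'delete': 'log_ratelimit' }` branch is unreachable; drop it or decide when the option should actually be deleted. The `burst` field uses `minValue: 1` while the backend schema in the RFC allows `minimum => 0`, and `var me = this;` is unused in `onGetValues`.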

Re: [pve-devel] [RFC firewall] allow to enable/disable and modify cluster wide log ratelimits

2019-04-01 Thread Christian Ebner
Looks good! Acknowledged
> On March 21, 2019 at 7:59 AM Thomas Lamprecht  wrote:
> 
> 
> Signed-off-by: Thomas Lamprecht 
> Cc: Christian Ebner 
> ---
> 
> just a POC, but should all be working, @christian could you take a look at 
> this?
> 
>  src/PVE/Firewall.pm | 63 +++--
>  1 file changed, 61 insertions(+), 2 deletions(-)
> 
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> index f294d36..46dc787 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -132,6 +132,8 @@ my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
>  
>  my $default_log_level = 'nolog'; # avoid logs by default
>  
> +my $global_log_ratelimit = '--limit 1/sec';
> +
>  my $log_level_hash = {
>  debug => 7,
>  info => 6,
> @@ -1199,6 +1201,33 @@ our $cluster_option_properties = {
>   optional => 1,
>   enum => ['ACCEPT', 'REJECT', 'DROP'],
>  },
> +log_ratelimit => {
> + description => "Log ratelimiting settings",
> + type => 'string', format => {
> + enable => {
> + default_key => 1,
> + description => 'Enable or disable log rate limiting',
> + type => 'boolean',
> + default => '1',
> + },
> + rate => {
> + type => 'string',
> + description => 'Frequency with which the burst bucket gets 
> refilled',
> + optional => 1,
> + pattern => '[1-9][0-9]*\/(second|minute|hour|day)',
> + format_description => 'rate',
> + default => '1/second',
> + },
> + burst => {
> + type => 'integer',
> + minimum => 0,
> + optional => 1,
> + description => 'Inital burst of packages which will get logged',
> + default => 5,
> + },
> + },
> + optional => 1,
> +},
>  };
>  
>  our $host_option_properties = {
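Review bot: in the `burst` property, `minimum => 0` admits a value that the later `if (my $burst = $limit->{burst})` test treats as unset, so `burst=0` is silently ignored; use `minimum => 1` or test with `defined`. The description also has typos: "Inital burst of packages" should read "Initial burst of packets".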
> @@ -2103,10 +2132,14 @@ sub get_log_rule_base {
>  $vmid = 0 if !defined($vmid);
>  $msg = "" if !defined($msg);
>  
> +my $rlimit = '';
> +if (defined($global_log_ratelimit)) {
> + $rlimit = "-m limit $global_log_ratelimit ";
> +}
> +
>  # Note: we use special format for prefix to pass further
>  # info to log daemon (VMID, LOGLEVEL and CHAIN)
> -
> -return "-m limit --limit 1/sec -j NFLOG --nflog-prefix 
> \":$vmid:$loglevel:$chain: $msg\"";
> +return "${rlimit}-j NFLOG --nflog-prefix \":$vmid:$loglevel:$chain: 
> $msg\"";
>  }
>  
>  sub ruleset_add_chain_policy {
> @@ -2697,6 +2730,9 @@ sub parse_clusterfw_option {
>  } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
>   $opt = lc($1);
>   $value = uc($3);
> +} elsif ($line =~ m/^(log_ratelimit):\s*(\S+)\s*$/) {
> + $opt = lc($1);
> + $value = $2;
>  } else {
>   die "can't parse option '$line'\n"
>  }
> @@ -3332,6 +3368,27 @@ sub round_powerof2 {
>  return ++$int;
>  }
>  
> +my $set_global_log_ratelimit = sub {
> +my $cluster_opts = shift;
> +
> +$global_log_ratelimit = '--limit 1/sec';
> +if (defined(my $log_rlimit = $cluster_opts->{log_ratelimit})) {
> + my $ll_format = $cluster_option_properties->{log_ratelimit}->{format};
> + my $limit = PVE::JSONSchema::parse_property_string($ll_format, 
> $log_rlimit);
> +
> + if ($limit->{enable}) {
> + if (my $rate = $limit->{rate}) {
> + $global_log_ratelimit = "--limit $rate";
> + }
> + if (my $burst = $limit->{burst}) {
> + $global_log_ratelimit .= " --limit-burst $burst";
> + }
> + } else {
> + $global_log_ratelimit = undef;
> + }
> +}
> +};
> +
>  sub load_clusterfw_conf {
>  my ($filename, $verbose) = @_;
>  
> @@ -3340,6 +3397,8 @@ sub load_clusterfw_conf {
>  my $cluster_conf = {};
>  if (my $fh = IO::File->new($filename, O_RDONLY)) {
>   $cluster_conf = parse_clusterfw_config($filename, $fh, $verbose);
> +
> + $set_global_log_ratelimit->($cluster_conf->{options});
>  }
>  
>  return $cluster_conf;
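Review bot: `$set_global_log_ratelimit->(...)` is called only inside the `if (my $fh = IO::File->new(...))` block, so when the file cannot be opened the file-scoped `$global_log_ratelimit` keeps whatever an earlier load left there instead of returning to the default. Call the setter on that path as well, or pass the parsed limit along in `$cluster_conf` rather than through a global.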
> -- 
> 2.20.1
>



[pve-devel] [PATCH manager] Allow to set the firewall log rate limit and burst from the UI

2019-04-01 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 www/manager6/Makefile  |   1 +
 www/manager6/grid/FirewallOptions.js   |   8 +++
 www/manager6/window/FirewallLograteEdit.js | 105 +
 3 files changed, 114 insertions(+)
 create mode 100644 www/manager6/window/FirewallLograteEdit.js

diff --git a/www/manager6/Makefile b/www/manager6/Makefile
index 962a3f4d..5ad70933 100644
--- a/www/manager6/Makefile
+++ b/www/manager6/Makefile
@@ -85,6 +85,7 @@ JSSRC=
\
window/StartupEdit.js   \
window/CephInstall.js   \
window/FirewallEnableEdit.js\
+   window/FirewallLograteEdit.js   \
panel/NotesView.js  \
grid/ResourceGrid.js\
grid/PoolMembers.js \
diff --git a/www/manager6/grid/FirewallOptions.js 
b/www/manager6/grid/FirewallOptions.js
index 72fad34f..2952e854 100644
--- a/www/manager6/grid/FirewallOptions.js
+++ b/www/manager6/grid/FirewallOptions.js
@@ -103,6 +103,14 @@ Ext.define('PVE.FirewallOptions', {
} else if (me.fwtype === 'dc') {
add_boolean_row('enable', gettext('Firewall'), 0);
add_boolean_row('ebtables', 'ebtables', 1);
+   me.rows.log_ratelimit = {
+   header: gettext('Log rate limit'),
+   required: true,
+   defaultValue: 'enable=0',
+   editor: {
+   xtype: 'pveFirewallLograteEdit'
+   }
+   };
}
 
if (me.fwtype === 'dc' || me.fwtype === 'vm') {
diff --git a/www/manager6/window/FirewallLograteEdit.js 
b/www/manager6/window/FirewallLograteEdit.js
new file mode 100644
index ..dc754411
--- /dev/null
+++ b/www/manager6/window/FirewallLograteEdit.js
@@ -0,0 +1,105 @@
+/*jslint confusion: true*/
+Ext.define('PVE.FirewallLograteInputPanel', {
+extend: 'Proxmox.panel.InputPanel',
+xtype: 'pveFirewallLograteInputPanel',
+
+viewModel: {},
+
+items: [
+   {
+   xtype: 'proxmoxcheckbox',
+   name: 'enable',
+   reference: 'enable',
+   fieldLabel: gettext('Enable'),
+   value: false
+   },
+   {
+   layout: 'hbox',
+   border: false,
+   items: [
+   {
+   xtype: 'numberfield',
+   name: 'rate',
+   fieldLabel: gettext('Log rate limit'),
+   minValue: 1,
+   maxValue: 99,
+   allowBlank: false,
+   flex: 2,
+   value: 1,
+   bind: {
+   disabled: '{!enable.checked}'
+   }
+   },
+   {
+   html: '/'
+   },
+   {
+   xtype: 'proxmoxKVComboBox',
+   name: 'unit',
+   comboItems: [['second', 'second'], ['minute', 'minute'],
+   ['hour', 'hour'], ['day', 'day']],
+   allowBlank: false,
+   flex: 1,
+   value: 'second',
+   bind: {
+   disabled: '{!enable.checked}'
+   }
+   }
+   ]
+   },
+   {
+   xtype: 'numberfield',
+   name: 'burst',
+   fieldLabel: gettext('Log burst limit'),
+   minValue: 1,
+   maxValue: 99,
+   value: 5,
+   bind: {
+   disabled: '{!enable.checked}'
+   }
+   }
+],
+
+onGetValues: function(values) {
+   var me = this;
+   if (values.enable) {
+   values.rate += '/' + values.unit;
+   delete values.unit;
+   }
+   var properties = PVE.Parser.printPropertyString(values, undefined);
+   if (properties == '') {
+   return { 'delete': 'log_ratelimit' };
+   }
+   return { log_ratelimit: properties };
+},
+
+setValues: function(values) {
+   var me = this;
+
+   var properties = PVE.Parser.parsePropertyString(values.log_ratelimit);
+   var matches = 
properties.rate.match(/^(\d+)\/(second|minute|hour|day)$/);
+   if (matches) {
+   properties.rate = matches[1];
+   properties.unit = matches[2];
+   }
+   me.callParent([properties]);
+}
+});
+
+Ext.define('PVE.FirewallLograteEdit'
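Review bot: `setValues` calls `properties.rate.match(...)` without checking that `values.log_ratelimit` or its `rate` key exists, so opening the editor on the `enable=0` default set in FirewallOptions.js fails on an undefined `rate` before `callParent` runs; guard both lookups. In `onGetValues`, the unit suffix is appended only when `enable` is set, and the rate, unit and burst fields are bound to `disabled` when it is not, so switching the limit off loses the configured values.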

[pve-devel] [PATCH docs] Extending the firewall documentation regarding standard rules and logging

2019-03-25 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 pve-firewall.adoc | 123 --
 1 file changed, 110 insertions(+), 13 deletions(-)

diff --git a/pve-firewall.adoc b/pve-firewall.adoc
index 0781334..286c24b 100644
--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
@@ -404,28 +404,125 @@ If you want to see the generated iptables rules you can 
use:
 
  # iptables-save
 
+[[pve_firewall_default_rules]]
+Default firewall rules
+--
+
+The following traffic is filtered by the default firewall configuration:
+
+Datacenter incomming/outgoing DROP/REJECT
+~
+
+If the input/output policy for the firewall is set to DROP/REJECT, the 
following
+traffic is still allowed for the host:
+
+* traffic over the loopback interface
+* already established connections
+* traffic using the igmp protocol
+* tcp traffic from management hosts to port 8006 in order to allow access to
+the web interface
+* tcp traffic from management hosts to the port range 5900 to 5999 allowing
+traffic for the VNC web console
+* tcp traffic from management hosts to port 3128 for connections to the SPICE
+proxy
+* tcp traffic from management hosts to port 22 to allow ssh access
+* udp traffic in the cluster network to port 5404 and 5405 for corosync
+* udp multicast traffic in the cluster network
+* icmp traffic type 3,4 or 11
+
+The following traffic is dropped, but not logged even with logging enabled:
+
+* tcp connections with invalid connection state
+* Broad-, multi- and anycast traffic not related to corosync
+* tcp traffic to port 43
+* udp traffic to ports 135 and 445
+* udp traffic to the port range 137 to 139
+* udp traffic form source port 137 to port range 1024 to 65535
+* udp traffic to port 1900
+* tcp traffic to port 135, 139 and 445
+* udp traffic originating from source port 53
+
+The rest of the traffic is dropped/rejected and logged.
+This may vary depending on the additional options enabled in
+*Firewall* -> *Options*, such as NDP, SMURFS and TCP flag filtering.
+
+Please inspect the output of
+
+ # iptables-save
+
+to see the firewall chains and rules active on your system.
+
+VM/CT incomming/outgoing DROP/REJECT
+
+
+This drops/rejects all the traffic to the VMs, with some exceptions for DHCP, 
NDP,
+Router Advertisement, MAC and IP filtering depending on the set configuration.
+The same rules for dropping/rejecting packets are inherited from the 
datacenter,
+while the exceptions for accepted incomming/outgoing traffic of the host do not
+apply.
+
+Again, please inspect the output of
+
+ # iptables-save
+
+to see in detail the firewall chains and rules active for the VMs/CTs.
+
 Logging of firewall rules
 -
 
-By default, logging of traffic filtered by the firewall rules is disabled. To
-enable logging for the default firewall rules, the log-level for incommig and
-outgoing traffic has to be set in the firewall `Options` tab for the host 
and/or
-the VM/CT firewall.
-Logging of dropped packets is rate limited to 1 packet per second in order to
-reduce output to the log file.
-Further, only some dropped or rejected packets are logged for the standard 
rules.
+By default, all logging of traffic filtered by the firewall rules is disabled.
+To enable logging, the `loglevel` for incommig and/or outgoing traffic has to 
be
+set in *Firewall* -> *Options*. This can be done for the host as well as for 
the
+VM/CT firewall individually. By this, logging of {PVE}'s standard firewall 
rules
+is enabled and the output can be observed in *Firewall* -> *Log*.
+Further, only some dropped or rejected packets are logged for the standard 
rules
+(see xref:pve_firewall_default_rules[default firewall rules]).
+
+`loglevel` does not affect how much of the filtered traffic is logged. It
+changes a `LOGID` appended as prefix to the log output for easier filtering and
+post-processing.
+
+`loglevel` is one of the following flags:
+
+[[pve_firewall_log_levels]]
+[width="25%", options="header"]
+|===
+| loglevel | LOGID
+| nolog| no log
+| emerg| 0
+| alert| 1
+| crit | 2
+| err  | 3
+| warning  | 4
+| notice   | 5
+| info | 6
+| debug| 7
+|===
+
+A typical firewall log output looks like this:
+
+
+VMID LOGID CHAIN TIMESTAMP POLICY: PACKET_DETAILS
+
+
+In case of the host firewall, `VMID` is equal to 0.
 
-// TODO: describe standard/default rules and note which of them get logged
+
+Logging of user defined firewall rules
+~~
 
 In order to log packets filtered by user-defined firewall rules, it is possible
 to set a log-level parameter for each rule individually.
 This allows to log in a fine grained manner and independent of the log-level
-defined for the standard rules in the firewall `Options`.
+defined for the standard rules in *Firewall* -> *Options*.
+
+Whi
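
Review bot: The added text needs a spelling pass before it goes in: `incomming` appears in both new subsection titles and in the VM/CT paragraph, `incommig` in the loglevel paragraph, and `udp traffic form source port 137` should read `from`. The sentence that a `LOGID` is "appended as prefix" also contradicts itself, since a prefix is prepended; and the log format template would be easier to follow with one sample entry next to it.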

[pve-devel] [RFC v3 manager] fix: # 2123 Logging of user defined firewall rules

2019-03-19 Thread Christian Ebner
This patch relies on the corresponding patch to pve-firewall, adding the user
defined log levels for firewall rules.

By this, the user can select a per-rule log level for self defined rules. These
are independent of the global log level, which is defined in the firewall 
options.

Signed-off-by: Christian Ebner 
---

Version 3:
* fieldName -> fieldLabel
* set defaults for name and fieldLabel

 www/manager6/grid/FirewallOptions.js | 20 +++-
 www/manager6/grid/FirewallRules.js   | 17 +++--
 2 files changed, 30 insertions(+), 7 deletions(-)

diff --git a/www/manager6/grid/FirewallOptions.js 
b/www/manager6/grid/FirewallOptions.js
index 1d56ecc0..72fad34f 100644
--- a/www/manager6/grid/FirewallOptions.js
+++ b/www/manager6/grid/FirewallOptions.js
@@ -53,12 +53,9 @@ Ext.define('PVE.FirewallOptions', {
subject: name,
fieldDefaults: { labelWidth: labelWidth || 100 },
items: {
-   xtype: 'proxmoxKVComboBox',
+   xtype: 'pveFirewallLogLevels',
name: name,
-   fieldLabel: name,
-   comboItems: [['nolog', 'nolog'], ['info', 'info'], 
['err', 'err'],
-  ['warning', 'warning'], ['crit', 'crit'], 
['alert', 'alert'],
-  ['emerg', 'emerg'], ['debug', 'debug']]
+   fieldLabel: name
}
}
};
@@ -179,3 +176,16 @@ Ext.define('PVE.FirewallOptions', {
me.on('deactivate', me.rstore.stopUpdate);
 }
 });
+
+
+Ext.define('PVE.FirewallLogLevels', {
+extend: 'Proxmox.form.KVComboBox',
+alias: ['widget.pveFirewallLogLevels'],
+
+name: 'log',
+fieldLabel: gettext('Log level'),
+value: 'nolog',
+comboItems: [['nolog', 'nolog'], ['emerg', 'emerg'], ['alert', 'alert'],
+   ['crit', 'crit'], ['err', 'err'], ['warning', 'warning'],
+   ['notice', 'notice'], ['info', 'info'], ['debug', 'debug']]
+});
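
Review bot: The new `PVE.FirewallLogLevels` widget is defined at the bottom of FirewallOptions.js but is also consumed from FirewallRules.js, so it would be better placed in a file of its own than inside one of its two users. The combo list also gains `notice`, which the list removed in the first hunk did not offer; that is a behaviour change for the existing options editor and the commit message should mention it.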
diff --git a/www/manager6/grid/FirewallRules.js 
b/www/manager6/grid/FirewallRules.js
index 85b30371..1a6b2002 100644
--- a/www/manager6/grid/FirewallRules.js
+++ b/www/manager6/grid/FirewallRules.js
@@ -59,7 +59,7 @@ Ext.define('PVE.FirewallRulePanel', {
// hack: editable ComboGrid returns nothing when empty, so we need to 
set ''
// Also, disabled text fields return nothing, so we need to set ''
 
-   Ext.Array.each(['source', 'dest', 'macro', 'proto', 'sport', 'dport'], 
function(key) {
+   Ext.Array.each(['source', 'dest', 'macro', 'proto', 'sport', 'dport', 
'log'], function(key) {
if (values[key] === undefined) {
values[key] = '';
}
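
Review bot: Adding `'log'` to this list means an undefined value is submitted as `''`, but the comment above only explains that for the editable ComboGrid and for disabled text fields; the log field is a KVComboBox with a default of `nolog`. Either extend the comment to say when `log` can be undefined, or leave it out of the list.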
@@ -205,9 +205,14 @@ Ext.define('PVE.FirewallRulePanel', {
name: 'dport',
value: '',
fieldLabel: gettext('Dest. port')
+   },
+   {
+   xtype: 'pveFirewallLogLevels',
+   name: 'log',
+   fieldLabel: gettext('Log level')
}
];
-   
+
me.columnB = [
{
xtype: 'textfield',
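
Review bot: `name: 'log'` and `fieldLabel: gettext('Log level')` on the new `pveFirewallLogLevels` item repeat exactly the defaults this version sets in the `PVE.FirewallLogLevels` definition, so both can be dropped here. The `-`/`+` pair on the blank line before `me.columnB` is an unrelated trailing-whitespace change and would be cleaner as a separate cleanup.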
@@ -736,6 +741,14 @@ Ext.define('PVE.FirewallRules', {
width: 100
},
{
+   header: gettext('Log level'),
+   dataIndex: 'log',
+   renderer: function(value, metaData, record) {
+   return render_errors('log', value, metaData, record);
+   },
+   width: 100
+   },
+   {
header: gettext('Comment'),
dataIndex: 'comment',
flex: 1,
-- 
2.11.0



[pve-devel] [PATCH firewall] Remove hard coded rate limit of logged packets

2019-03-19 Thread Christian Ebner
As some users rely on logging of all packets dropped/rejected, this removes the
hard coded rate limit.

Signed-off-by: Christian Ebner 
---
 src/PVE/Firewall.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index f294d36..30e2b4b 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2106,7 +2106,7 @@ sub get_log_rule_base {
 # Note: we use special format for prefix to pass further
 # info to log daemon (VMID, LOGLEVEL and CHAIN)
 
-return "-m limit --limit 1/sec -j NFLOG --nflog-prefix 
\":$vmid:$loglevel:$chain: $msg\"";
+return "-j NFLOG --nflog-prefix \":$vmid:$loglevel:$chain: $msg\"";
 }
 
 sub ruleset_add_chain_policy {
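
Review bot: Dropping `-m limit --limit 1/sec` from get_log_rule_base removes the limit for every caller at once and leaves nothing in this sub that bounds log volume, so a logged rule now produces one NFLOG entry per matching packet. The commit message should state that consequence, and a parameter for rate and burst would serve both the users who need every packet and those who need a cap better than swapping one hard-coded behaviour for another.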
-- 
2.11.0



Re: [pve-devel] applied: [RFC v2 firewall 1/1] fix: #2123 Logging of user defined firewall rules

2019-03-19 Thread Christian Ebner
Okay, I will send a patch to remove the hard coded rate limit.
Maybe we might introduce a host / datacenter level option to set such a limit 
in the future.

Thanks for the feedback!

> On March 19, 2019 at 4:22 PM Alexandre DERUMIER  wrote:
> 
> 
> >>BTW, are you sure that it's only limiting logging? What happens on an 
> >>ACCEPT log for example?
> Sorry, responding to myself: it's only applied on -j LOG, so it's ok.
> 
> 
> 
> - Original message -
> From: "aderumier" 
> To: "pve-devel" 
> Sent: Tuesday, 19 March 2019 16:09:56
> Subject: Re: [pve-devel] applied: [RFC v2 firewall 1/1] fix: #2123 Logging of 
> user defined firewall rules
> 
> Hi, 
> 
> Nice work ! 
> 
> 
> Could we have an option to disable rate limit or configure it (host option 
> for example) 
> 
> The patch changes the current behaviour on default vm log action, where we 
> don't have limit currently. 
> 
> (and I really need to log all dropped/reject) 
> 
> 
> BTW, are you sure that it's only limiting logging? What happens on an 
> ACCEPT log for example? 
> 
> 
> Alexandre 
> 
> - Original message - 
> From: "Thomas Lamprecht"  
> To: "pve-devel" , "Christian Ebner" 
>  
> Sent: Tuesday, 19 March 2019 14:40:22 
> Subject: [pve-devel] applied: [RFC v2 firewall 1/1] fix: #2123 Logging of user 
> defined firewall rules 
> 
> On 3/18/19 5:05 PM, Christian Ebner wrote: 
> > This allows a user to log traffic filtered by a self defined firewall rule. 
> > Therefore the API is extended to include a 'log' option which allows specifying 
> > the log level for each rule individually. 
> > 
> > The 'log' option can also be specified in the fw config. In order to reduce 
> > the 
> > log amount, logging is limited to 1 entry per second. 
> > 
> > For now the rule has to be created or edited via the pvesh API call or via 
> > the 
> > firewall config in order to set the log level. 
> > 
> > Signed-off-by: Christian Ebner  
> > --- 
> > 
> > Version 2: 
> > * Added missing $logmsg to PVEFW-FWBRR-IN and PVEFW-FWBR-OUT rules 
> > * Added '--limit-burst 1' to rate limit NFLOG to 1 packet per second 
> > 
> > src/PVE/API2/Firewall/Rules.pm | 3 ++ 
> > src/PVE/Firewall.pm | 63 +- 
> > 2 files changed, 40 insertions(+), 26 deletions(-) 
> > 
> 
> applied, with a followup to change the burst limit back to the default of 5. 
> Thanks! 
> 
> 



[pve-devel] [PATCH docs] Fixed some typos and slight language improvements

2019-03-19 Thread Christian Ebner
Signed-off-by: Christian Ebner 
---
 pve-firewall.adoc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pve-firewall.adoc b/pve-firewall.adoc
index acaca95..3e417e8 100644
--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
@@ -35,7 +35,7 @@ containers. Features like firewall macros, security groups, 
IP sets
 and aliases help to make that task easier.
 
 While all configuration is stored on the cluster file system, the
-`iptables`-based firewall runs on each cluster node, and thus provides
+`iptables`-based firewall service runs on each cluster node, and thus provides
 full isolation between virtual machines. The distributed nature of
 this system also provides much higher bandwidth than a central
 firewall solution.
@@ -74,9 +74,9 @@ You can configure anything using the GUI (i.e. *Datacenter* 
-> *Firewall*,
 or on a *Node* -> *Firewall*), or you can edit the configuration files
 directly using your preferred editor.
 
-Firewall configuration files contains sections of key-value
+Firewall configuration files contain sections of key-value
 pairs. Lines beginning with a `#` and blank lines are considered
-comments. Sections starts with a header line containing the section
+comments. Sections start with a header line containing the section
 name enclosed in `[` and `]`.
 
 
-- 
2.11.0



[pve-devel] [RFC v2 manager 1/1] fix: # 2123 Logging of user defined firewall rules

2019-03-18 Thread Christian Ebner
This patch relies on the corresponding patch to pve-firewall, adding the user
defined log levels for firewall rules.

By this, the user can select a per-rule log level for self defined rules. These
are independent of the global log level, which is defined in the firewall 
options.

Signed-off-by: Christian Ebner 
---

Version 2:
* Introduced PVE.FirewallLogLevel to share it between FirewallOptions.js and
  FirewallRules.js
* Reordered elements of the array to be in order of the corresponding 
numeric
  value from the log_level_hash as defined in 
pve-firewall/src/PVE/Firewall.pm

 www/manager6/grid/FirewallOptions.js | 20 +++-
 www/manager6/grid/FirewallRules.js   | 17 +++--
 2 files changed, 30 insertions(+), 7 deletions(-)

diff --git a/www/manager6/grid/FirewallOptions.js 
b/www/manager6/grid/FirewallOptions.js
index 1d56ecc0..f2e65fbc 100644
--- a/www/manager6/grid/FirewallOptions.js
+++ b/www/manager6/grid/FirewallOptions.js
@@ -53,12 +53,9 @@ Ext.define('PVE.FirewallOptions', {
subject: name,
fieldDefaults: { labelWidth: labelWidth || 100 },
items: {
-   xtype: 'proxmoxKVComboBox',
+   xtype: 'pveFirewallLogLevels',
name: name,
-   fieldLabel: name,
-   comboItems: [['nolog', 'nolog'], ['info', 'info'], 
['err', 'err'],
-  ['warning', 'warning'], ['crit', 'crit'], 
['alert', 'alert'],
-  ['emerg', 'emerg'], ['debug', 'debug']]
+   fieldLabel: name
}
}
};
@@ -179,3 +176,16 @@ Ext.define('PVE.FirewallOptions', {
me.on('deactivate', me.rstore.stopUpdate);
 }
 });
+
+
+Ext.define('PVE.FirewallLogLevels', {
+extend: 'Proxmox.form.KVComboBox',
+alias: ['widget.pveFirewallLogLevels'],
+
+name: name,
+fieldName: name,
+value: 'nolog',
+comboItems: [['nolog', 'nolog'], ['emerg', 'emerg'], ['alert', 'alert'],
+   ['crit', 'crit'], ['err', 'err'], ['warning', 'warning'],
+   ['notice', 'notice'], ['info', 'info'], ['debug', 'debug']]
+});
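
Review bot: `name: name` and `fieldName: name` in the `PVE.FirewallLogLevels` definition refer to an identifier `name` that is not declared in this top-level scope, so they pick up whatever global of that name exists rather than a field name. `fieldName` is also not the config the rest of this patch uses for the label (`fieldLabel`); set literal defaults such as `name: 'log'` and `fieldLabel: gettext('Log level')`, or drop both lines and require callers to pass them.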
diff --git a/www/manager6/grid/FirewallRules.js 
b/www/manager6/grid/FirewallRules.js
index 85b30371..1a6b2002 100644
--- a/www/manager6/grid/FirewallRules.js
+++ b/www/manager6/grid/FirewallRules.js
@@ -59,7 +59,7 @@ Ext.define('PVE.FirewallRulePanel', {
// hack: editable ComboGrid returns nothing when empty, so we need to 
set ''
// Also, disabled text fields return nothing, so we need to set ''
 
-   Ext.Array.each(['source', 'dest', 'macro', 'proto', 'sport', 'dport'], 
function(key) {
+   Ext.Array.each(['source', 'dest', 'macro', 'proto', 'sport', 'dport', 
'log'], function(key) {
if (values[key] === undefined) {
values[key] = '';
}
@@ -205,9 +205,14 @@ Ext.define('PVE.FirewallRulePanel', {
name: 'dport',
value: '',
fieldLabel: gettext('Dest. port')
+   },
+   {
+   xtype: 'pveFirewallLogLevels',
+   name: 'log',
+   fieldLabel: gettext('Log level')
}
];
-   
+
me.columnB = [
{
xtype: 'textfield',
@@ -736,6 +741,14 @@ Ext.define('PVE.FirewallRules', {
width: 100
},
{
+   header: gettext('Log level'),
+   dataIndex: 'log',
+   renderer: function(value, metaData, record) {
+   return render_errors('log', value, metaData, record);
+   },
+   width: 100
+   },
+   {
header: gettext('Comment'),
dataIndex: 'comment',
flex: 1,
-- 
2.11.0



[pve-devel] [RFC docs 0/3] Add logging for user-defined firewall rules

2019-03-18 Thread Christian Ebner
These patches allow setting per rule log-levels for user-defined firewall rules.

pve-docs:
Christian Ebner (1):
  fix: #2123 Logging of user defined firewall rules

 pve-firewall.adoc | 43 +++
 1 file changed, 43 insertions(+)

pve-firewall:
Christian Ebner (1):
  fix: #2123 Logging of user defined firewall rules

 src/PVE/API2/Firewall/Rules.pm |  3 ++
 src/PVE/Firewall.pm| 63 +-
 2 files changed, 40 insertions(+), 26 deletions(-)

pve-manager:
Christian Ebner (1):
  fix: # 2123 Logging of user defined firewall rules

 www/manager6/grid/FirewallOptions.js | 20 +++-
 www/manager6/grid/FirewallRules.js   | 17 +++--
 2 files changed, 30 insertions(+), 7 deletions(-)

-- 
2.11.0



[pve-devel] [RFC docs 1/1] fix: #2123 Logging of user defined firewall rules

2019-03-18 Thread Christian Ebner
Extends the documentation to mention the additional option to define a per-rule
log level for user-defined rules.

Signed-off-by: Christian Ebner 
---
 pve-firewall.adoc | 43 +++
 1 file changed, 43 insertions(+)

diff --git a/pve-firewall.adoc b/pve-firewall.adoc
index acaca95..555e90e 100644
--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
@@ -404,6 +404,49 @@ If you want to see the generated iptables rules you can 
use:
 
  # iptables-save
 
+Logging of firewall rules
+-
+
+By default, logging of traffic filtered by the firewall rules is disabled. To
+enable logging for the default firewall rules, the log-level for incommig and
+outgoing traffic has to be set in the firewall `Options` tab for the host 
and/or
+the VM/CT firewall.
+Logging of dropped packets is rate limited to 1 packet per second in order to
+reduce output to the log file.
+Further, only some dropped or rejected packets are logged for the standard 
rules.
+
+In order to log packets filtered by user-defined firewall rules, it is possible
+to set a log-level parameter for each rule individually.
+This allows to log in a fine grained manner and independent of the log-level
+defined for the standard rules.
+In particular, each rule is logged independently from the log-level set for the
+standard rules in the firewall `Options`.
+
+The log level for the rule can also be set via the firewall configuration file 
by
+appending a `-log ` to the selected rule.
+Here, `` is one of the following flags, attached to the log output:
+`nolog, emerg, alert, crit, err, warning, notice, info, debug`
+
+For example:
+
+
+IN REJECT -p icmp -log nolog
+
+
+is the same as
+
+
+IN REJECT -p icmp
+
+
+whereas
+
+
+IN REJECT -p icmp -log debug
+
+
+produces a log output flagged with the `debug` level.
+
 
 Tips and Tricks
 ---
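
Review bot: The two paragraphs on user-defined rules say the same thing twice: "independent of the log-level defined for the standard rules" is restated by the sentence starting "In particular, each rule is logged independently", which can be dropped. `incommig` in the first paragraph is a typo, and the `-log ` syntax line shows no placeholder for the level, so the following sentence beginning "Here," has nothing to refer to.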
-- 
2.11.0



[pve-devel] [RFC v2 firewall 1/1] fix: #2123 Logging of user defined firewall rules

2019-03-18 Thread Christian Ebner
This allows a user to log traffic filtered by a self defined firewall rule.
Therefore the API is extended to include a 'log' option which allows specifying the
log level for each rule individually.

The 'log' option can also be specified in the fw config. In order to reduce the
log amount, logging is limited to 1 entry per second.

For now the rule has to be created or edited via the pvesh API call or via the
firewall config in order to set the log level.

Signed-off-by: Christian Ebner 
---

Version 2:
* Added missing $logmsg to PVEFW-FWBRR-IN and PVEFW-FWBR-OUT rules
* Added '--limit-burst 1' to rate limit NFLOG to 1 packet per second

 src/PVE/API2/Firewall/Rules.pm |  3 ++
 src/PVE/Firewall.pm| 63 +-
 2 files changed, 40 insertions(+), 26 deletions(-)

diff --git a/src/PVE/API2/Firewall/Rules.pm b/src/PVE/API2/Firewall/Rules.pm
index 1670986..f0bc562 100644
--- a/src/PVE/API2/Firewall/Rules.pm
+++ b/src/PVE/API2/Firewall/Rules.pm
@@ -141,6 +141,9 @@ sub register_get_rule {
type => 'integer',
optional => 1,
},
+   log => PVE::Firewall::get_standard_option('pve-fw-loglevel', {
+   description => 'Log level for firewall rule',
+   }),
iface => {
type => 'string',
optional => 1,
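
Review bot: The description string here is `'Log level for firewall rule'`, while the same option added to `$rule_properties` in Firewall.pm reads `"Log level for firewall rule."` with a trailing period. Keep the two identical, or define the option once and reuse it so the API schema and the config schema cannot drift apart.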
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 6ac3038..ccc5d7f 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1363,6 +1363,9 @@ my $rule_properties = {
minimum => 0,
optional => 1,
 },
+log => get_standard_option('pve-fw-loglevel', {
+   description => "Log level for firewall rule.",
+}),
 sport => {
description => "Restrict TCP/UDP source port. $port_descr",
type => 'string', format => 'pve-fw-sport-spec',
@@ -2008,8 +2011,10 @@ sub ipt_rule_to_cmds {
 }
 
 my @iptcmds;
-if (defined $rule->{log} && $rule->{log}) {
-   my $logaction = get_log_rule_base($chain, $vmid, $rule->{logmsg}, 
$rule->{log});
+if ($rule->{log} && $rule->{log} ne 'nolog') {
+   my $log = $rule->{log};
+   my $loglevel = $log_level_hash->{$log};
+   my $logaction = get_log_rule_base($chain, $vmid, $rule->{logmsg}, 
$loglevel);
push @iptcmds, "-A $chain $matchstr $logaction";
 }
 push @iptcmds, "-A $chain $matchstr $targetstr";
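
Review bot: `$log_level_hash->{$log}` is used without checking the result, so a `log` value that is not a key of the hash yields an undefined `$loglevel` and an NFLOG prefix with an empty level field. Die with a clear message, or skip the log rule, when the lookup fails.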
@@ -2017,7 +2022,7 @@ sub ipt_rule_to_cmds {
 }
 
 sub ruleset_generate_rule {
-my ($ruleset, $chain, $ipversion, $rule, $cluster_conf, $fw_conf) = @_;
+my ($ruleset, $chain, $ipversion, $rule, $cluster_conf, $fw_conf, $vmid) = 
@_;
 
 my $rules;
 
@@ -2030,7 +2035,7 @@ sub ruleset_generate_rule {
 # update all or nothing
 my @ipt_rule_cmds;
 foreach my $r (@$rules) {
-   push @ipt_rule_cmds, ipt_rule_to_cmds($r, $chain, $ipversion, 
$cluster_conf, $fw_conf);
+   push @ipt_rule_cmds, ipt_rule_to_cmds($r, $chain, $ipversion, 
$cluster_conf, $fw_conf, $vmid);
 }
 foreach my $c (@ipt_rule_cmds) {
ruleset_add_ipt_cmd($ruleset, $chain, $c);
@@ -2064,17 +2069,18 @@ sub ruleset_add_ipt_cmd {
 }
 
 sub ruleset_addrule {
-   my ($ruleset, $chain, $match, $action, $log, $logmsg, $vmid) = @_;
+my ($ruleset, $chain, $match, $action, $log, $logmsg, $vmid) = @_;
 
-   die "no such chain '$chain'\n" if !$ruleset->{$chain};
+die "no such chain '$chain'\n" if !$ruleset->{$chain};
 
-   if (defined($log) && $log) {
-   my $logaction = get_log_rule_base($chain, $vmid, $logmsg, $log);
+if ($log) {
+   my $loglevel = $log_level_hash->{$log};
+   my $logaction = get_log_rule_base($chain, $vmid, $logmsg, $loglevel);
push @{$ruleset->{$chain}}, "-A $chain $match $logaction";
-   }
-   # for stable ebtables digests avoid double-spaces to match ebtables-save 
output
-   $match .= ' ' if length($match);
-   push @{$ruleset->{$chain}}, "-A $chain ${match}$action";
+}
+# for stable ebtables digests avoid double-spaces to match ebtables-save 
output
+$match .= ' ' if length($match);
+push @{$ruleset->{$chain}}, "-A $chain ${match}$action";
 }
 
 sub ruleset_insertrule {
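
Review bot: `ruleset_addrule` now tests only `if ($log)`, whereas `ipt_rule_to_cmds` in the earlier hunk also excludes `'nolog'`; a caller passing `'nolog'` here would still get a log rule, with whatever `$log_level_hash->{nolog}` returns as level. Use the same condition in both places. The re-indentation of the whole sub is mixed into the functional change, which hides the two lines that actually differ; split the whitespace fix into its own patch.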
@@ -2094,7 +2100,7 @@ sub get_log_rule_base {
 # Note: we use special format for prefix to pass further
 # info to log daemon (VMID, LOGLEVEL and CHAIN)
 
-return "-j NFLOG --nflog-prefix \":$vmid:$loglevel:$chain: $msg\"";
+return "-m limit --limit 1/sec --limit-burst 1 -j NFLOG --nflog-prefix 
\":$vmid:$loglevel:$chain: $msg\"";
 }
 
 sub ruleset_add_chain_policy {
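
Review bot: `get_log_rule_base` is the common base for every log rule, so adding `-m limit --limit 1/sec --limit-burst 1` here also throttles logging that was unlimited before, not only the new per-rule `log` option. If the limit is meant for user-defined rules only, apply it at those call sites; in either case pass rate and burst in as parameters instead of literals.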
@@ -2

[pve-devel] [RFC manager] fix: # 2123 Logging of user defined firewall rules

2019-03-15 Thread Christian Ebner
This patch relies on the corresponding patch to pve-firewall, adding the user
defined log levels for firewall rules.

By this, the user can select a per rule log level for self defined rules. These
are independent of the global log level, which is defined in the firewall 
options.

Signed-off-by: Christian Ebner 
---
 www/manager6/grid/FirewallRules.js | 21 +++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/www/manager6/grid/FirewallRules.js 
b/www/manager6/grid/FirewallRules.js
index 85b30371..27795e96 100644
--- a/www/manager6/grid/FirewallRules.js
+++ b/www/manager6/grid/FirewallRules.js
@@ -59,7 +59,7 @@ Ext.define('PVE.FirewallRulePanel', {
// hack: editable ComboGrid returns nothing when empty, so we need to 
set ''
// Also, disabled text fields return nothing, so we need to set ''
 
-   Ext.Array.each(['source', 'dest', 'macro', 'proto', 'sport', 'dport'], 
function(key) {
+   Ext.Array.each(['source', 'dest', 'macro', 'proto', 'sport', 'dport', 
'log'], function(key) {
if (values[key] === undefined) {
values[key] = '';
}
@@ -205,9 +205,18 @@ Ext.define('PVE.FirewallRulePanel', {
name: 'dport',
value: '',
fieldLabel: gettext('Dest. port')
+   },
+   {
+   xtype: 'proxmoxKVComboBox',
+   name: 'log',
+   value: 'nolog',
+   fieldLabel: gettext('Log level'),
+   comboItems: [['nolog', 'nolog'], ['info', 'info'], ['err', 
'err'],
+   ['warning', 'warning'], ['crit', 'crit'], ['alert', 
'alert'],
+   ['emerg', 'emerg'], ['debug', 'debug']]
}
];
-   
+
me.columnB = [
{
xtype: 'textfield',
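
Review bot: The inline `comboItems` list omits `notice`, which the documentation patch for this series lists as a valid level, and it is not in severity order (`info`, `err`, `warning`, `crit`, `alert`, `emerg`, `debug`). Define the list once, ordered like the levels in the docs, and reuse it wherever a log level is selected.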
@@ -736,6 +745,14 @@ Ext.define('PVE.FirewallRules', {
width: 100
},
{
+   header: gettext('Log level'),
+   dataIndex: 'log',
+   renderer: function(value, metaData, record) {
+   return render_errors('log', value, metaData, record);
+   },
+   width: 100
+   },
+   {
header: gettext('Comment'),
dataIndex: 'comment',
flex: 1,
-- 
2.11.0



[pve-devel] [PATCH docs] Remove all mentions of sheepdog from the docs

2019-03-15 Thread Christian Ebner
As sheepdog is no longer actively maintained according to one of the developers,
it is planned to remove it for the upcoming version 6 of Proxmox VE.

This removes mentions of sheepdog from the docs.

Signed-off-by: Christian Ebner 
---
 api-viewer/apidata.js | 2 --
 pve-intro.adoc| 5 ++---
 pvesm.1-synopsis.adoc | 2 +-
 pvesm.adoc| 3 +--
 4 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/api-viewer/apidata.js b/api-viewer/apidata.js
index 13c1e2c..e9ec49f 100644
--- a/api-viewer/apidata.js
+++ b/api-viewer/apidata.js
@@ -33940,7 +33940,6 @@ var pveapi = [
 "lvmthin",
 "nfs",
 "rbd",
-"sheepdog",
 "zfs",
 "zfspool"
  ],
@@ -34306,7 +34305,6 @@ var pveapi = [
 "lvmthin",
 "nfs",
 "rbd",
-"sheepdog",
 "zfs",
 "zfspool"
  ],
diff --git a/pve-intro.adoc b/pve-intro.adoc
index f0b0d1e..0ced310 100644
--- a/pve-intro.adoc
+++ b/pve-intro.adoc
@@ -126,9 +126,8 @@ running Containers and KVM guests. It basically creates an 
archive of
 the VM or CT data which includes the VM/CT configuration files.
 
 KVM live backup works for all storage types including VM images on
-NFS, CIFS, iSCSI LUN, Ceph RBD or Sheepdog. The new backup format is
-optimized for storing VM backups fast and effective (sparse files, out
-of order data, minimized I/O).
+NFS, CIFS, iSCSI LUN, Ceph RBD. The new backup format is optimized for storing
+VM backups fast and effective (sparse files, out of order data, minimized I/O).
 
 
 High Availability Cluster
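
Review bot: After removing `or Sheepdog`, the list `NFS, CIFS, iSCSI LUN, Ceph RBD.` has no conjunction left; it should read `iSCSI LUN or Ceph RBD`. Re-wrapping the rest of the paragraph in the same hunk turns a one-word removal into a three-line change, so keeping the original line breaks would make the diff easier to review.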
diff --git a/pvesm.1-synopsis.adoc b/pvesm.1-synopsis.adoc
index 5a71906..5d265c7 100644
--- a/pvesm.1-synopsis.adoc
+++ b/pvesm.1-synopsis.adoc
@@ -4,7 +4,7 @@
 
 Create a new storage.
 
-``: `` ::
+``: `` ::
 
 Storage type.
 
diff --git a/pvesm.adoc b/pvesm.adoc
index 00f3d7a..5300f50 100644
--- a/pvesm.adoc
+++ b/pvesm.adoc
@@ -60,7 +60,7 @@ Block level storage::
 Allows to store large 'raw' images. It is usually not possible to store
 other files (ISO, backups, ..) on such storage types. Most modern
 block level storage implementations support snapshots and clones.
-RADOS, Sheepdog and GlusterFS are distributed systems, replicating storage
+RADOS and GlusterFS are distributed systems, replicating storage
 data to different nodes.
 
 
@@ -79,7 +79,6 @@ data to different nodes.
 |iSCSI/kernel   |iscsi   |block |yes   |no   |yes
 |iSCSI/libiscsi |iscsidirect |block |yes   |no   |yes
 |Ceph/RBD   |rbd |block |yes   |yes  |yes
-|Sheepdog   |sheepdog|block |yes   |yes  |beta
 |ZFS over iSCSI |zfs |block |yes   |yes  |yes
 |=
 
-- 
2.11.0



Re: [pve-devel] [RFC firewall] fix: #2123 Logging of user defined firewall rules

2019-03-14 Thread Christian Ebner
As I understand it, this matches the 5 packets from the burst and then only if the burst refilled.
See https://thelowedown.wordpress.com/2008/07/03/iptables-how-to-use-the-limits-module/

We could let the user decide the rate and burst limit, but that would probably be a bit overkill and add unwanted complexity.
Without rate limit there is the danger of spamming the logs...

I doubt that you will get any hints about unlogged packages as they simply 
won't match the rule for logging, although I still need to test this.

> On March 14, 2019 at 1:31 PM Thomas Lamprecht  wrote:
> 
> 
> On 3/14/19 1:06 PM, Christian Ebner wrote:
> > This allows a user to log traffic filtered by a self defined firewall rule.
> > Therefore the API is extended to include a 'log' option which allows specifying the
> > log level for each rule individually.
> > 
> > The 'log' option can also be specified in the fw config. In order to reduce 
> > the
> > log amount, logging is limited to 1 entry per second.
> 
> quick glance over the code looks not bad, but I'm not sure of the hard-coded 
> limit,
> maybe not even about the limit itself...
> 
> Also the docs state:
> > This module matches at a limited rate using a token bucket filter. A rule 
> > using
> > this extension will match until this limit is reached. It can be used in
> > combination with the LOG target to give limited logging, for example.
> > --limit rate[/second|/minute|/hour|/day]
> >   Maximum average matching rate: specified as a number, with an optional 
> > `/second',
> >   `/minute', `/hour', or `/day' suffix; the default is 3/hour. 
> > --limit-burst
> > ...
> -- http://ipset.netfilter.org/iptables-extensions.man.html
> 
> 
> So how does this log in reality, does it log a full second, or does it always
> log for the burst (default 5) and then only if the burst refilled?
> Does one see hints about "not logged packages", e.g., like systemd does, e.g.,
> IIRC something like "suppressed XYZ count of log messages from service foo" is
> done there.
> 
> Just not that we come again in a situation where the user thinks _all_ is logged,
> but in fact all is then _not_ logged.
> 
> > 
> > For now the rule has to be created or edited via the pvesh API call or via 
> > the
> > firewall config in order to set the log level.
> > 
> > Signed-off-by: Christian Ebner 
> > ---
> > 
> > This is a tentative patch in order to allow fine grained logging of packets
> > dropped by user defined rules.
> > Feedback is very much appreciated.
> > 
> >  src/PVE/API2/Firewall/Rules.pm |  3 +++
> >  src/PVE/Firewall.pm| 59 
> > +-
> >  2 files changed, 38 insertions(+), 24 deletions(-)
> > 
> > diff --git a/src/PVE/API2/Firewall/Rules.pm b/src/PVE/API2/Firewall/Rules.pm
> > index 1670986..f0bc562 100644
> > --- a/src/PVE/API2/Firewall/Rules.pm
> > +++ b/src/PVE/API2/Firewall/Rules.pm
> > @@ -141,6 +141,9 @@ sub register_get_rule {
> > type => 'integer',
> > optional => 1,
> > },
> > +   log => PVE::Firewall::get_standard_option('pve-fw-loglevel', {
> > +   description => 'Log level for firewall rule',
> > +   }),
> > iface => {
> > type => 'string',
> > optional => 1,
> > diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> > index 6ac3038..8bb7bb9 100644
> > --- a/src/PVE/Firewall.pm
> > +++ b/src/PVE/Firewall.pm
> > @@ -1363,6 +1363,9 @@ my $rule_properties = {
> > minimum => 0,
> > optional => 1,
> >  },
> > +log => get_standard_option('pve-fw-loglevel', {
> > +   description => "Log level for firewall rule.",
> > +}),
> >  sport => {
> > description => "Restrict TCP/UDP source port. $port_descr",
> > type => 'string', format => 'pve-fw-sport-spec',
> > @@ -2008,8 +2011,10 @@ sub ipt_rule_to_cmds {
> >  }
> >  
> >  my @iptcmds;
> > -if (defined $rule->{log} && $rule->{log}) {
> > -   my $logaction = get_log_rule_base($chain, $vmid, $rule->{logmsg}, 
> > $rule->{log});
> > +if ($rule->{log} && $rule->{log} ne 'nolog') {
> > +   my $log = $rule->{log};
> > +   my $loglevel = $log_level_hash->{$log};
> > +   my $l

[pve-devel] [RFC firewall] fix: #2123 Logging of user defined firewall rules

2019-03-14 Thread Christian Ebner
This allows a user to log traffic filtered by a self-defined firewall rule.
Therefore the API is extended to include a 'log' option that allows specifying
the log level for each rule individually.

The 'log' option can also be specified in the fw config. In order to reduce the
log amount, logging is limited to 1 entry per second.

For now the rule has to be created or edited via the pvesh API call or via the
firewall config in order to set the log level.

Signed-off-by: Christian Ebner 
---

This is a tentative patch in order to allow fine grained logging of packets
dropped by user defined rules.
Feedback is very much appreciated.

 src/PVE/API2/Firewall/Rules.pm |  3 +++
 src/PVE/Firewall.pm| 59 +-
 2 files changed, 38 insertions(+), 24 deletions(-)

diff --git a/src/PVE/API2/Firewall/Rules.pm b/src/PVE/API2/Firewall/Rules.pm
index 1670986..f0bc562 100644
--- a/src/PVE/API2/Firewall/Rules.pm
+++ b/src/PVE/API2/Firewall/Rules.pm
@@ -141,6 +141,9 @@ sub register_get_rule {
type => 'integer',
optional => 1,
},
+   log => PVE::Firewall::get_standard_option('pve-fw-loglevel', {
+   description => 'Log level for firewall rule',
+   }),
iface => {
type => 'string',
optional => 1,
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 6ac3038..8bb7bb9 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1363,6 +1363,9 @@ my $rule_properties = {
minimum => 0,
optional => 1,
 },
+log => get_standard_option('pve-fw-loglevel', {
+   description => "Log level for firewall rule.",
+}),
 sport => {
description => "Restrict TCP/UDP source port. $port_descr",
type => 'string', format => 'pve-fw-sport-spec',
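Review bot: The description on the new `log` property ("Log level for firewall rule.") does not say that log entries for the rule are rate limited, although the commit message states a limit of 1 entry per second; anyone reading the API schema will assume every matching packet is logged. Suggest documenting the limit in the description, and using the same wording and punctuation as the 'log' description added in Rules.pm, which currently lacks the trailing period.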
@@ -2008,8 +2011,10 @@ sub ipt_rule_to_cmds {
 }
 
 my @iptcmds;
-if (defined $rule->{log} && $rule->{log}) {
-   my $logaction = get_log_rule_base($chain, $vmid, $rule->{logmsg}, 
$rule->{log});
+if ($rule->{log} && $rule->{log} ne 'nolog') {
+   my $log = $rule->{log};
+   my $loglevel = $log_level_hash->{$log};
+   my $logaction = get_log_rule_base($chain, $vmid, $rule->{logmsg}, 
$loglevel);
push @iptcmds, "-A $chain $matchstr $logaction";
 }
 push @iptcmds, "-A $chain $matchstr $targetstr";
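Review bot: In ipt_rule_to_cmds the lookup `$log_level_hash->{$log}` is not checked, so a value of $rule->{log} that is neither 'nolog' nor a key of the hash yields an undefined $loglevel that is then interpolated into the NFLOG prefix. Suggest dying with a clear error (or skipping the log rule) when the lookup returns undef, even if the schema is expected to reject such values earlier.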
@@ -2017,7 +2022,7 @@ sub ipt_rule_to_cmds {
 }
 
 sub ruleset_generate_rule {
-my ($ruleset, $chain, $ipversion, $rule, $cluster_conf, $fw_conf) = @_;
+my ($ruleset, $chain, $ipversion, $rule, $cluster_conf, $fw_conf, $vmid) = 
@_;
 
 my $rules;
 
@@ -2030,7 +2035,7 @@ sub ruleset_generate_rule {
 # update all or nothing
 my @ipt_rule_cmds;
 foreach my $r (@$rules) {
-   push @ipt_rule_cmds, ipt_rule_to_cmds($r, $chain, $ipversion, 
$cluster_conf, $fw_conf);
+   push @ipt_rule_cmds, ipt_rule_to_cmds($r, $chain, $ipversion, 
$cluster_conf, $fw_conf, $vmid);
 }
 foreach my $c (@ipt_rule_cmds) {
ruleset_add_ipt_cmd($ruleset, $chain, $c);
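Review bot: $vmid reaches this call only as the new trailing positional argument of ruleset_generate_rule, so any caller that was not updated passes undef, and that undef ends up in the log prefix built as `:$vmid:$loglevel:$chain:`. Suggest checking `defined($vmid)` before a log rule is generated, or documenting which value host-level rules are expected to pass.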
@@ -2064,17 +2069,18 @@ sub ruleset_add_ipt_cmd {
 }
 
 sub ruleset_addrule {
-   my ($ruleset, $chain, $match, $action, $log, $logmsg, $vmid) = @_;
-
-   die "no such chain '$chain'\n" if !$ruleset->{$chain};
+my ($ruleset, $chain, $match, $action, $log, $logmsg, $vmid) = @_;
 
-   if (defined($log) && $log) {
-   my $logaction = get_log_rule_base($chain, $vmid, $logmsg, $log);
+die "no such chain '$chain'\n" if !$ruleset->{$chain};
+ 
+if ($log) {
+   my $loglevel = $log_level_hash->{$log};
+   my $logaction = get_log_rule_base($chain, $vmid, $logmsg, $loglevel);
push @{$ruleset->{$chain}}, "-A $chain $match $logaction";
-   }
-   # for stable ebtables digests avoid double-spaces to match ebtables-save 
output
-   $match .= ' ' if length($match);
-   push @{$ruleset->{$chain}}, "-A $chain ${match}$action";
+}
+# for stable ebtables digests avoid double-spaces to match ebtables-save 
output
+$match .= ' ' if length($match);
+push @{$ruleset->{$chain}}, "-A $chain ${match}$action";
 }
 
 sub ruleset_insertrule {
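Review bot: ruleset_addrule now tests only `if ($log)`, while ipt_rule_to_cmds in this same patch tests `$rule->{log} && $rule->{log} ne 'nolog'`; a caller passing 'nolog' here would still get a log rule built from `$log_level_hash->{nolog}`. Suggest using the same condition in both places. The hunk also mixes the re-indentation of the whole sub with the functional change and adds a line containing only whitespace after the `die`; moving the whitespace cleanup into its own patch would make the real change easier to see.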
@@ -2094,7 +2100,7 @@ sub get_log_rule_base {
 # Note: we use special format for prefix to pass further
 # info to log daemon (VMID, LOGLEVEL and CHAIN)
 
-return "-j NFLOG --nflog-prefix \":$vmid:$loglevel:$chain: $msg\"";
+return "-m limit --limit 1/sec -j NFLOG --nflog-prefix 
\":$vmid:$loglevel:$chain: $msg\"";
 }
 
 sub ruleset_add_chain_policy {
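Review bot: The `-m limit --limit 1/sec` match is added inside get_log_rule_base, so it applies to every log rule built through this helper, not only to the new per-rule logging, and the rate is hard-coded with no --limit-burst given. Packets beyond the limit are left out of the log without any marker, which is the concern raised in the reply on this thread. Suggest making the rate and burst configurable, or at least documenting them next to the log level option, and applying the limit only where it is wanted.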
@@ -2234,7 +2240,7 @@ sub rules
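What the `-m limit --limit 1/sec` match in this RFC means for log coverage, as an added example that is not part of the patch or of pve-firewall: a simplified token-bucket model of the iptables limit match at millisecond granularity, using the default burst of 5 mentioned in the thread. The names `LimitMatch`, `simulate` and `constant_rate` are hypothetical and the traffic is constructed.

```python
"""Simplified model of `-m limit --limit N/sec [--limit-burst B]` (added example)."""


class LimitMatch:
    """Token bucket: starts full, refills with elapsed time, one token per match."""

    def __init__(self, rate_per_sec=1, burst=5):
        # burst=5 is the iptables default when --limit-burst is not given.
        self.cost_ms = 1000 // rate_per_sec      # credit one match consumes
        self.cap_ms = self.cost_ms * burst       # credit never exceeds the burst
        self.credit_ms = self.cap_ms             # bucket starts full
        self.last_ms = 0

    def matches(self, now_ms):
        """Return True if a packet seen at now_ms would hit the LOG rule."""
        elapsed = now_ms - self.last_ms
        self.credit_ms = min(self.cap_ms, self.credit_ms + elapsed)
        self.last_ms = now_ms
        if self.credit_ms >= self.cost_ms:
            self.credit_ms -= self.cost_ms
            return True
        return False


def simulate(arrivals_ms, rate_per_sec=1, burst=5):
    """Return (timestamps that were logged, number of packets not logged)."""
    match = LimitMatch(rate_per_sec, burst)
    logged = [t for t in arrivals_ms if match.matches(t)]
    return logged, len(arrivals_ms) - len(logged)


def constant_rate(packets_per_sec, seconds):
    """Constructed traffic: evenly spaced packet arrival times in milliseconds."""
    total = packets_per_sec * seconds
    return [i * 1000 // packets_per_sec for i in range(total)]


if __name__ == "__main__":
    # Constructed scenarios: a quiet rule and a rule hit 100 times per second.
    for label, arrivals in (
        ("1 packet every 2 s", list(range(0, 20000, 2000))),
        ("100 packets/s for 10 s", constant_rate(100, 10)),
    ):
        logged, suppressed = simulate(arrivals)
        print(f"{label}: {len(logged)} logged, {suppressed} not logged")
        print(f"  first logged timestamps (ms): {logged[:7]}")
```

Under sustained traffic the first five packets are logged back to back and after that one per second; nothing in the log records how many packets were skipped in between.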

[pve-devel] [PATCH v6 manager] 1145 Warn if datacenter firewall is disabled

2019-03-13 Thread Christian Ebner
This warns the user that the datacenter firewall is disabled when editing the
host or the VM/CT firewall status.

Signed-off-by: Christian Ebner 
---
Version 6:
* moved FirewallEnableEdit from grid to window folder
* use cbind to set the checkbox
* use fixed width of 350 for the window
* Changed warning text

 www/manager6/Makefile |  1 +
 www/manager6/grid/FirewallOptions.js  | 23 --
 www/manager6/window/FirewallEnableEdit.js | 50 +++
 3 files changed, 71 insertions(+), 3 deletions(-)
 create mode 100644 www/manager6/window/FirewallEnableEdit.js

diff --git a/www/manager6/Makefile b/www/manager6/Makefile
index e75f0de6..922451b9 100644
--- a/www/manager6/Makefile
+++ b/www/manager6/Makefile
@@ -83,6 +83,7 @@ JSSRC=
\
window/BackupConfig.js  \
window/Settings.js  \
window/StartupEdit.js   \
+   window/FirewallEnableEdit.js\
panel/NotesView.js  \
grid/ResourceGrid.js\
grid/PoolMembers.js \
diff --git a/www/manager6/grid/FirewallOptions.js 
b/www/manager6/grid/FirewallOptions.js
index cddbdbbf..1d56ecc0 100644
--- a/www/manager6/grid/FirewallOptions.js
+++ b/www/manager6/grid/FirewallOptions.js
@@ -64,9 +64,17 @@ Ext.define('PVE.FirewallOptions', {
};
};
 
-
if (me.fwtype === 'node') {
-   add_boolean_row('enable', gettext('Firewall'), 1);
+   me.rows.enable = {
+   required: true,
+   defaultValue: 1,
+   header: gettext('Firewall'),
+   renderer: Proxmox.Utils.format_boolean,
+   editor: {
+   xtype: 'pveFirewallEnableEdit',
+   defaultValue: 1
+   }
+   };
add_boolean_row('nosmurfs', gettext('SMURFS filter'), 1);
add_boolean_row('tcpflags', gettext('TCP flags filter'), 0);
add_boolean_row('ndp', 'NDP', 1);
@@ -78,7 +86,16 @@ Ext.define('PVE.FirewallOptions', {
add_log_row('tcp_flags_log_level', 120);
add_log_row('smurf_log_level');
} else if (me.fwtype === 'vm') {
-   add_boolean_row('enable', gettext('Firewall'), 0);
+   me.rows.enable = {
+   required: true,
+   defaultValue: 0,
+   header: gettext('Firewall'),
+   renderer: Proxmox.Utils.format_boolean,
+   editor: {
+   xtype: 'pveFirewallEnableEdit',
+   defaultValue: 0
+   }
+   };
add_boolean_row('dhcp', 'DHCP', 1);
add_boolean_row('ndp', 'NDP', 1);
add_boolean_row('radv', gettext('Router Advertisement'), 0);
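Review bot: The `me.rows.enable` object is written out twice, here for 'vm' and in the previous hunk for 'node', and the two copies differ only in `defaultValue`. Suggest a small helper next to add_boolean_row that takes the default value, so the renderer and the editor xtype are defined once.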
diff --git a/www/manager6/window/FirewallEnableEdit.js 
b/www/manager6/window/FirewallEnableEdit.js
new file mode 100644
index ..075bc462
--- /dev/null
+++ b/www/manager6/window/FirewallEnableEdit.js
@@ -0,0 +1,50 @@
+/*jslint confusion: true*/
+Ext.define('PVE.FirewallEnableEdit', {
+extend: 'Proxmox.window.Edit',
+alias: ['widget.pveFirewallEnableEdit'],
+mixins: ['Proxmox.Mixin.CBind'],
+
+subject: gettext('Firewall'),
+cbindData: {
+   defaultValue: 0
+},
+width: 350,
+
+items: [
+   {
+   xtype: 'proxmoxcheckbox',
+   name: 'enable',
+   uncheckedValue: 0,
+   cbind: {
+   defaultValue: '{defaultValue}',
+   checked: '{defaultValue}'
+   },
+   deleteDefaultValue: false,
+   fieldLabel: gettext('Firewall')
+   },
+   {
+   xtype: 'displayfield',
+   name: 'warning',
+   userCls: 'pve-hint',
+   value: gettext('Warning: Firewall still disabled at datacenter 
level!'),
+   hidden: true
+   }
+],
+
+beforeShow: function() {
+   var me = this;
+
+   Proxmox.Utils.API2Request({
+   url: '/api2/extjs/cluster/firewall/options',
+   method: 'GET',
+   failure: function(response, opts) {
+   Ext.Msg.alert(gettext('Error'), response.htmlStatus);
+   },
+   success: function(response, opts) {
+   if (!response.result.data.enable) {
+   me.down('displayfield[name=warning]').setVisible(true);
+   }
+   }
+   });
+}
+});
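Review bot: In beforeShow the failure callback raises `Ext.Msg.alert(gettext('Error'), response.htmlStatus)` when the datacenter options request fails, although that request only feeds the advisory hint; if the lookup fails for a user who can otherwise edit this firewall, every edit starts with an error dialog. Suggest handling the failure quietly (leave the hint hidden, or show a neutral hint that the datacenter status is unknown) so the lookup cannot get in the way of the edit. The `/*jslint confusion: true*/` directive at the top also deserves a short comment on why it is needed.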
-- 
2.11.0



[pve-devel] [PATCH storage] fix #585: remove leftover disks/directory after VM creation failed

2019-03-04 Thread Christian Ebner
When trying to create a qcow2 disk image with a size larger than available on
the storage, this will fail.
As qemu-img does not clean up the disk afterwards, it needs to be deleted
explicitly. Further, the vmid folder is cleaned up once it is empty.

Signed-off-by: Christian Ebner 
---
 PVE/Storage/GlusterfsPlugin.pm | 7 ++-
 PVE/Storage/Plugin.pm  | 7 ++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/PVE/Storage/GlusterfsPlugin.pm b/PVE/Storage/GlusterfsPlugin.pm
index 1f9465f..b3e5553 100644
--- a/PVE/Storage/GlusterfsPlugin.pm
+++ b/PVE/Storage/GlusterfsPlugin.pm
@@ -274,7 +274,12 @@ sub alloc_image {
 
 push @$cmd, '-f', $fmt, $volumepath, "${size}K";
 
-run_command($cmd, errmsg => "unable to create image");
+eval { run_command($cmd, errmsg => "unable to create image"); };
+if ($@) {
+   unlink $path;
+   rmdir $imagedir;
+   die "$@";
+}
 
 return "$vmid/$name";
 }
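Review bot: The cleanup calls `unlink $path` while qemu-img was invoked on `$volumepath`; the hunk does not show that both refer to the same file, so please confirm that $path is the mounted location of the image that was just attempted. `rmdir $imagedir` relies on failing silently when the directory still holds other disks, which deserves a one-line comment.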
diff --git a/PVE/Storage/Plugin.pm b/PVE/Storage/Plugin.pm
index 10c2c73..7964441 100644
--- a/PVE/Storage/Plugin.pm
+++ b/PVE/Storage/Plugin.pm
@@ -665,7 +665,12 @@ sub alloc_image {

push @$cmd, '-f', $fmt, $path, "${size}K";
 
-   run_command($cmd, errmsg => "unable to create image");
+   eval { run_command($cmd, errmsg => "unable to create image"); };
+   if ($@) {
+   unlink $path;
+   rmdir $imagedir;
+   die "$@";
+   }
 }
 
 return "$vmid/$name";
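Review bot: `die "$@";` interpolates the error into a string, which flattens an exception object if run_command raised one, and $@ is only read again after unlink and rmdir have run. Suggest `my $err = $@;` right after the eval, then the cleanup, then `die $err;`. The return value of unlink is also ignored; a warn on failure would tell the admin that a leftover image remains.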
-- 
2.11.0



[pve-devel] [PATCH v5 manager] 1145 Warn if datacenter firewall is disabled

2019-03-04 Thread Christian Ebner
This warns the user that the datacenter firewall is disabled when editing the
host or the VM/CT firewall status.

Signed-off-by: Christian Ebner 
---

Version 5:
* Removed unneeded fieldDefaults
* Removed unneeded fwtype
* Put warning text into gettext()

 www/manager6/Makefile   |  1 +
 www/manager6/grid/FirewallEnableEdit.js | 49 +
 www/manager6/grid/FirewallOptions.js| 23 ++--
 3 files changed, 70 insertions(+), 3 deletions(-)
 create mode 100644 www/manager6/grid/FirewallEnableEdit.js

diff --git a/www/manager6/Makefile b/www/manager6/Makefile
index e75f0de6..951242d4 100644
--- a/www/manager6/Makefile
+++ b/www/manager6/Makefile
@@ -89,6 +89,7 @@ JSSRC=
\
grid/FirewallRules.js   \
grid/FirewallAliases.js \
grid/FirewallOptions.js \
+   grid/FirewallEnableEdit.js  \
tree/ResourceTree.js\
panel/IPSet.js  \
panel/ConfigPanel.js\
diff --git a/www/manager6/grid/FirewallEnableEdit.js 
b/www/manager6/grid/FirewallEnableEdit.js
new file mode 100644
index ..bbe60e43
--- /dev/null
+++ b/www/manager6/grid/FirewallEnableEdit.js
@@ -0,0 +1,49 @@
+Ext.define('PVE.FirewallEnableEdit', {
+extend: 'Proxmox.window.Edit',
+alias: ['widget.pveFirewallEnableEdit'],
+
+subject: gettext('Firewall'),
+
+items: [
+   {
+   xtype: 'proxmoxcheckbox',
+   name: 'enable',
+   itemId: 'enablecheckbox',
+   uncheckedValue: 0,
+   defaultValue: 0,
+   checked: false,
+   deleteDefaultValue: false,
+   labelWidth: 120,
+   fieldLabel: gettext('Firewall')
+   },
+   {
+   xtype: 'displayfield',
+   name: 'warning',
+   itemId: 'warning',
+   userCls: 'pve-hint',
+   value: gettext('Warning! Firewall disabled at datacenter level!'),
+   hidden: true
+   }
+],
+
+beforeShow: function() {
+   var me = this;
+
+   var checkbox = me.down('#enablecheckbox');
+   checkbox.defaultValue = me.defaultValue;
+   checkbox.checked = me.defaultValue ? true : false;
+
+   Proxmox.Utils.API2Request({
+   url: '/api2/extjs/cluster/firewall/options',
+   method: 'GET',
+   failure: function(response, opts) {
+   Ext.Msg.alert(gettext('Error'), response.htmlStatus);
+   },
+   success: function(response, opts) {
+   if (!response.result.data.enable) {
+   me.down('#warning').setVisible(true);
+   }
+   }
+   });
+}
+});
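Review bot: beforeShow sets `checkbox.defaultValue` and `checkbox.checked` by plain property assignment, which bypasses the field's own setters, so the displayed state depends on when the field is rendered. Suggest passing the default to the checkbox config declaratively or calling setValue(), and replacing `me.defaultValue ? true : false` with `!!me.defaultValue`.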
diff --git a/www/manager6/grid/FirewallOptions.js 
b/www/manager6/grid/FirewallOptions.js
index cddbdbbf..1d56ecc0 100644
--- a/www/manager6/grid/FirewallOptions.js
+++ b/www/manager6/grid/FirewallOptions.js
@@ -64,9 +64,17 @@ Ext.define('PVE.FirewallOptions', {
};
};
 
-
if (me.fwtype === 'node') {
-   add_boolean_row('enable', gettext('Firewall'), 1);
+   me.rows.enable = {
+   required: true,
+   defaultValue: 1,
+   header: gettext('Firewall'),
+   renderer: Proxmox.Utils.format_boolean,
+   editor: {
+   xtype: 'pveFirewallEnableEdit',
+   defaultValue: 1
+   }
+   };
add_boolean_row('nosmurfs', gettext('SMURFS filter'), 1);
add_boolean_row('tcpflags', gettext('TCP flags filter'), 0);
add_boolean_row('ndp', 'NDP', 1);
@@ -78,7 +86,16 @@ Ext.define('PVE.FirewallOptions', {
add_log_row('tcp_flags_log_level', 120);
add_log_row('smurf_log_level');
} else if (me.fwtype === 'vm') {
-   add_boolean_row('enable', gettext('Firewall'), 0);
+   me.rows.enable = {
+   required: true,
+   defaultValue: 0,
+   header: gettext('Firewall'),
+   renderer: Proxmox.Utils.format_boolean,
+   editor: {
+   xtype: 'pveFirewallEnableEdit',
+   defaultValue: 0
+   }
+   };
add_boolean_row('dhcp', 'DHCP', 1);
add_boolean_row('ndp', 'NDP', 1);
add_boolean_row('radv', gettext('Router Advertisement'), 0);
-- 
2.11.0



[pve-devel] [PATCH v4 manager] 1145 Warn if datacenter firewall is disabled

2019-03-04 Thread Christian Ebner
This warns the user that the datacenter firewall is disabled when editing the
host or the VM/CT firewall status.

Signed-off-by: Christian Ebner 
---

Version 4:
* Code refactored to be more declarative as suggested
* Removed warning about pve-firewall service not running
* Fixed logic of checkbox being checked/unchecked

 www/manager6/Makefile   |  1 +
 www/manager6/grid/FirewallEnableEdit.js | 52 +
 www/manager6/grid/FirewallOptions.js| 25 ++--
 3 files changed, 75 insertions(+), 3 deletions(-)
 create mode 100644 www/manager6/grid/FirewallEnableEdit.js

diff --git a/www/manager6/Makefile b/www/manager6/Makefile
index e75f0de6..951242d4 100644
--- a/www/manager6/Makefile
+++ b/www/manager6/Makefile
@@ -89,6 +89,7 @@ JSSRC=
\
grid/FirewallRules.js   \
grid/FirewallAliases.js \
grid/FirewallOptions.js \
+   grid/FirewallEnableEdit.js  \
tree/ResourceTree.js\
panel/IPSet.js  \
panel/ConfigPanel.js\
diff --git a/www/manager6/grid/FirewallEnableEdit.js 
b/www/manager6/grid/FirewallEnableEdit.js
new file mode 100644
index ..ff73f948
--- /dev/null
+++ b/www/manager6/grid/FirewallEnableEdit.js
@@ -0,0 +1,52 @@
+Ext.define('PVE.FirewallEnableEdit', {
+extend: 'Proxmox.window.Edit',
+alias: ['widget.pveFirewallEnableEdit'],
+
+subject: gettext('Firewall'),
+fieldDefaults: {
+   labelWidth: 100
+},
+
+items: [
+   {
+   xtype: 'proxmoxcheckbox',
+   name: 'enable',
+   itemId: 'enablecheckbox',
+   uncheckedValue: 0,
+   defaultValue: 0,
+   checked: false,
+   deleteDefaultValue: false,
+   labelWidth: 120,
+   fieldLabel: gettext('Firewall')
+   },
+   {
+   xtype: 'displayfield',
+   name: 'warning',
+   itemId: 'warning',
+   userCls: 'pve-hint',
+   value: 'Warning! Firewall disabled at datacenter level!',
+   hidden: true
+   }
+],
+
+beforeShow: function() {
+   var me = this;
+
+   var checkbox = me.down('#enablecheckbox');
+   checkbox.defaultValue = me.defaultValue;
+   checkbox.checked = me.defaultValue ? true : false;
+
+   Proxmox.Utils.API2Request({
+   url: '/api2/extjs/cluster/firewall/options',
+   method: 'GET',
+   failure: function(response, opts) {
+   Ext.Msg.alert(gettext('Error'), response.htmlStatus);
+   },
+   success: function(response, opts) {
+   if (!response.result.data.enable) {
+   me.down('#warning').setVisible(true);
+   }
+   }
+   });
+}
+});
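Review bot: The warning text `'Warning! Firewall disabled at datacenter level!'` is a bare string while the other user-visible labels in this file go through gettext(), so it cannot be translated. `fieldDefaults: { labelWidth: 100 }` is also overridden by `labelWidth: 120` on the only field that has a label; keep one of the two.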
diff --git a/www/manager6/grid/FirewallOptions.js 
b/www/manager6/grid/FirewallOptions.js
index cddbdbbf..bb83742f 100644
--- a/www/manager6/grid/FirewallOptions.js
+++ b/www/manager6/grid/FirewallOptions.js
@@ -64,9 +64,18 @@ Ext.define('PVE.FirewallOptions', {
};
};
 
-
if (me.fwtype === 'node') {
-   add_boolean_row('enable', gettext('Firewall'), 1);
+   me.rows.enable = {
+   required: true,
+   defaultValue: 1,
+   header: gettext('Firewall'),
+   renderer: Proxmox.Utils.format_boolean,
+   editor: {
+   xtype: 'pveFirewallEnableEdit',
+   fwtype: me.fwtype,
+   defaultValue: 1
+   }
+   };
add_boolean_row('nosmurfs', gettext('SMURFS filter'), 1);
add_boolean_row('tcpflags', gettext('TCP flags filter'), 0);
add_boolean_row('ndp', 'NDP', 1);
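Review bot: `fwtype: me.fwtype` is passed to the editor here and again in the 'vm' hunk below, but PVE.FirewallEnableEdit as added in this patch never reads fwtype. Suggest dropping it from both editor configs.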
@@ -78,7 +87,17 @@ Ext.define('PVE.FirewallOptions', {
add_log_row('tcp_flags_log_level', 120);
add_log_row('smurf_log_level');
} else if (me.fwtype === 'vm') {
-   add_boolean_row('enable', gettext('Firewall'), 0);
+   me.rows.enable = {
+   required: true,
+   defaultValue: 0,
+   header: gettext('Firewall'),
+   renderer: Proxmox.Utils.format_boolean,
+   editor: {
+   xtype: 'pveFirewallEnableEdit',
+   fwtype: me.fwtype,
+   defaultValue: 0
+   }
+   };
add_boolean_row('dhcp', 'DHCP', 1);
add_boolean_row('ndp', 'NDP', 1);
add_boolean_row('radv', gettext('Router Advertisement'), 0);
-- 
2.11.0



[pve-devel] [PATCH v3 manager] 1145 Warn if datacenter firewall or host firewall service is disabled

2019-02-28 Thread Christian Ebner
This shows a warning when the user edits the host firewall status or the VM/CT
firewall status, but the datacenter level firewall is disabled or the
pve-firewall service is not running on the host.

Signed-off-by: Christian Ebner 
---

Version 3:
* As discussed offline with Dominik and Thomas, we should keep this as
  simple as possible, only showing the warnings, no checkboxes for NIC etc.
* The code was completely refactored as compared to the previous version,
  the main functionality is now contained within FirewallEnableEdit.js

 www/manager6/Makefile   |  1 +
 www/manager6/grid/FirewallEnableEdit.js | 74 +
 www/manager6/grid/FirewallOptions.js| 25 +--
 www/manager6/lxc/Config.js  |  3 +-
 www/manager6/node/Config.js |  3 +-
 www/manager6/qemu/Config.js |  3 +-
 6 files changed, 103 insertions(+), 6 deletions(-)
 create mode 100644 www/manager6/grid/FirewallEnableEdit.js

diff --git a/www/manager6/Makefile b/www/manager6/Makefile
index e75f0de6..951242d4 100644
--- a/www/manager6/Makefile
+++ b/www/manager6/Makefile
@@ -89,6 +89,7 @@ JSSRC=
\
grid/FirewallRules.js   \
grid/FirewallAliases.js \
grid/FirewallOptions.js \
+   grid/FirewallEnableEdit.js  \
tree/ResourceTree.js\
panel/IPSet.js  \
panel/ConfigPanel.js\
diff --git a/www/manager6/grid/FirewallEnableEdit.js 
b/www/manager6/grid/FirewallEnableEdit.js
new file mode 100644
index ..b2ee0400
--- /dev/null
+++ b/www/manager6/grid/FirewallEnableEdit.js
@@ -0,0 +1,74 @@
+Ext.define('PVE.FirewallEnableEdit', {
+extend: 'Proxmox.window.Edit',
+alias: ['widget.pveFirewallEnableEdit'],
+
+initComponent : function() {
+   var me = this;
+
+   var dcFirewallDisabledHint = Ext.createWidget({
+   xtype: 'displayfield',
+   userCls: 'pve-hint',
+   value: 'Warning! Firewall disabled at datacenter level!',
+   hidden: true
+   });
+
+   var fwServiceDisabledHint = Ext.createWidget({
+   xtype: 'displayfield',
+   userCls: 'pve-hint',
+   value: 'Warning! Firewall service not running on node!',
+   hidden: true
+   });
+
+   Proxmox.Utils.API2Request({
+   url: '/api2/extjs/cluster/firewall/options',
+   method: 'GET',
+   failure: function(response, opts) {
+   Ext.Msg.alert(gettext('Error'), response.htmlStatus);
+   },
+   success: function(response, opts) {
+   if (!response.result.data.enable) {
+   dcFirewallDisabledHint.setVisible(true);
+   }
+   }
+   });
+
+   Proxmox.Utils.API2Request({
+   url: '/api2/extjs/nodes/' + me.nodename + 
'/services/pve-firewall/state',
+   method: 'GET',
+   failure: function(response, opts) {
+   Ext.Msg.alert(gettext('Error'), response.htmlStatus);
+   },
+   success: function(response, opts) {
+   var data = response.result.data;
+   if (data.state !== 'running') {
+   fwServiceDisabledHint.setVisible(true);
+   }
+   }
+   });
+
+   Ext.applyIf(me, {
+   subject: gettext('Firewall'),
+   fieldDefaults: {
+   labelWidth: 100
+   },
+   items: [
+   {
+   xtype: 'proxmoxcheckbox',
+   name: 'enable',
+   uncheckedValue: 0,
+   defaultValue: 0,
+   checked: true,
+   deleteDefaultValue: false,
+   labelWidth: Proxmox.Utils.compute_min_label_width(
+   gettext('Firewall'), 120),
+   fieldLabel: gettext('Firewall')
+   },
+   dcFirewallDisabledHint,
+   fwServiceDisabledHint
+   ]
+   });
+
+   me.callParent();
+   me.load();
+}
+});
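Review bot: The service state URL is built from `me.nodename` with no check that it is set; if the widget is created without a nodename the request goes to '/api2/extjs/nodes/undefined/services/pve-firewall/state' and the user only sees the generic error alert. Suggest failing early in initComponent when me.nodename is missing. Both requests are also sent before `me.callParent()` and each failure opens its own alert, so a single outage can produce two dialogs.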
diff --git a/www/manager6/grid/FirewallOptions.js 
b/www/manager6/grid/FirewallOptions.js
index cddbdbbf..0eb1e02c 100644
--- a/www/manager6/grid/FirewallOptions.js
+++ b/www/manager6/grid/FirewallOptions.js
@@ -64,9 +64,18 @@ Ext.define('PVE.FirewallOptions', {
};
};
 
-
if (me.fwtype === 'node') {
-   add_boolean_row('enable', gettext('Firewall'), 1);
+   me.rows.enable = {
+   required:

Re: [pve-devel] applied: [PATCH qemu-server] Fix 2097 allow to set and pass wwn parameter for ide, sata and scsi disks

2019-02-26 Thread Christian Ebner
Ah, yes sorry for that. Note to myself: include such info in future commit
messages.

Thx for the feedback!

> On February 26, 2019 at 7:58 AM Thomas Lamprecht wrote:
> 
> 
> On 2/25/19 5:30 PM, Christian Ebner wrote:
> > This allows to set the wwn parameter for ide, sata and scsi disks in the VM
> > config and passes it to the qemu command on execution.
> > 
> 
> Thanks, but missing about why you did not add it to %drivedesc_base, I can tell
> that VirtIO-Block does not support it, but it would be a nice info to have in
> the commit message, makes it easier and quicker to review and maybe others
> cannot tell at the first glance ;-) Anyway, applied with slightly enhanced
> commit message, thanks!
> 
> 
> > Signed-off-by: Christian Ebner 
> > ---
> >  PVE/QemuServer.pm | 16 
> >  1 file changed, 16 insertions(+)
> > 
> > diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
> > index 6dc68a4..2d3bf58 100644
> > --- a/PVE/QemuServer.pm
> > +++ b/PVE/QemuServer.pm
> > @@ -1052,6 +1052,16 @@ my %ssd_fmt = (
> >  },
> >  );
> >  
> > +my %wwn_fmt = (
> > +wwn => {
> > +   type => 'string',
> > +   pattern => qr/^(0x)[0-9a-fA-F]{16}/,
> > +   format_description => 'wwn',
> > +   description => "The drive's worldwide name, encoded as 16 bytes hex 
> > string, prefixed by '0x'.",
> > +   optional => 1,
> > +},
> > +);
> > +
> >  my $add_throttle_desc = sub {
> >  my ($key, $type, $what, $unit, $longunit, $minimum) = @_;
> >  my $d = {
> > @@ -1100,6 +1110,7 @@ my $ide_fmt = {
> >  %drivedesc_base,
> >  %model_fmt,
> >  %ssd_fmt,
> > +%wwn_fmt,
> >  };
> >  PVE::JSONSchema::register_format("pve-qm-ide", $ide_fmt);
> >  
> > @@ -1116,6 +1127,7 @@ my $scsi_fmt = {
> >  %queues_fmt,
> >  %scsiblock_fmt,
> >  %ssd_fmt,
> > +%wwn_fmt,
> >  };
> >  my $scsidesc = {
> >  optional => 1,
> > @@ -1127,6 +1139,7 @@ 
> > PVE::JSONSchema::register_standard_option("pve-qm-scsi", $scsidesc);
> >  my $sata_fmt = {
> >  %drivedesc_base,
> >  %ssd_fmt,
> > +%wwn_fmt,
> >  };
> >  my $satadesc = {
> >  optional => 1,
> > @@ -1153,6 +1166,7 @@ my $alldrive_fmt = {
> >  %queues_fmt,
> >  %scsiblock_fmt,
> >  %ssd_fmt,
> > +%wwn_fmt,
> >  };
> >  
> >  my $efidisk_fmt = {
> > @@ -1784,6 +1798,7 @@ sub print_drivedevice_full {
> > if ($drive->{ssd} && ($devicetype eq 'block' || $devicetype eq 'hd')) {
> > $device .= ",rotation_rate=1";
> > }
> > +   $device .= ",wwn=$drive->{wwn}" if $drive->{wwn};
> >  
> >  } elsif ($drive->{interface} eq 'ide' || $drive->{interface} eq 
> > 'sata') {
> > my $maxdev = ($drive->{interface} eq 'sata') ? $MAX_SATA_DISKS : 2;
> > @@ -1808,6 +1823,7 @@ sub print_drivedevice_full {
> > $device .= ",rotation_rate=1";
> > }
> > }
> > +   $device .= ",wwn=$drive->{wwn}" if $drive->{wwn};
> >  } elsif ($drive->{interface} eq 'usb') {
> > die "implement me";
> > #  -device ide-drive,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0
> > 
>



[pve-devel] [PATCH qemu-server] Fix 2097 allow to set and pass wwn parameter for ide, sata and scsi disks

2019-02-25 Thread Christian Ebner
This allows to set the wwn parameter for ide, sata and scsi disks in the VM
config and passes it to the qemu command on execution.

Signed-off-by: Christian Ebner 
---
 PVE/QemuServer.pm | 16 
 1 file changed, 16 insertions(+)

diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 6dc68a4..2d3bf58 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -1052,6 +1052,16 @@ my %ssd_fmt = (
 },
 );
 
+my %wwn_fmt = (
+wwn => {
+   type => 'string',
+   pattern => qr/^(0x)[0-9a-fA-F]{16}/,
+   format_description => 'wwn',
+   description => "The drive's worldwide name, encoded as 16 bytes hex 
string, prefixed by '0x'.",
+   optional => 1,
+},
+);
+
 my $add_throttle_desc = sub {
 my ($key, $type, $what, $unit, $longunit, $minimum) = @_;
 my $d = {
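Review bot: The description says the WWN is a "16 bytes hex string", but the pattern `qr/^(0x)[0-9a-fA-F]{16}/` accepts 16 hex digits, which is 8 bytes; please correct the wording. The pattern also has no end anchor, and the value is later interpolated into the device string as `,wwn=$drive->{wwn}`, so unless the schema checker anchors patterns itself, trailing characters after the 16 digits would pass validation. Adding `$` (and dropping the unused capture group around 0x) makes the check self-contained.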
@@ -1100,6 +1110,7 @@ my $ide_fmt = {
 %drivedesc_base,
 %model_fmt,
 %ssd_fmt,
+%wwn_fmt,
 };
 PVE::JSONSchema::register_format("pve-qm-ide", $ide_fmt);
 
@@ -1116,6 +1127,7 @@ my $scsi_fmt = {
 %queues_fmt,
 %scsiblock_fmt,
 %ssd_fmt,
+%wwn_fmt,
 };
 my $scsidesc = {
 optional => 1,
@@ -1127,6 +1139,7 @@ PVE::JSONSchema::register_standard_option("pve-qm-scsi", 
$scsidesc);
 my $sata_fmt = {
 %drivedesc_base,
 %ssd_fmt,
+%wwn_fmt,
 };
 my $satadesc = {
 optional => 1,
@@ -1153,6 +1166,7 @@ my $alldrive_fmt = {
 %queues_fmt,
 %scsiblock_fmt,
 %ssd_fmt,
+%wwn_fmt,
 };
 
 my $efidisk_fmt = {
@@ -1784,6 +1798,7 @@ sub print_drivedevice_full {
if ($drive->{ssd} && ($devicetype eq 'block' || $devicetype eq 'hd')) {
$device .= ",rotation_rate=1";
}
+   $device .= ",wwn=$drive->{wwn}" if $drive->{wwn};
 
 } elsif ($drive->{interface} eq 'ide' || $drive->{interface} eq 'sata') {
my $maxdev = ($drive->{interface} eq 'sata') ? $MAX_SATA_DISKS : 2;
@@ -1808,6 +1823,7 @@ sub print_drivedevice_full {
$device .= ",rotation_rate=1";
}
}
+   $device .= ",wwn=$drive->{wwn}" if $drive->{wwn};
 } elsif ($drive->{interface} eq 'usb') {
die "implement me";
#  -device ide-drive,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0
-- 
2.11.0



[pve-devel] [PATCH container 7/7] 1891 Add zsh command completion generation for pct

2019-02-21 Thread Christian Ebner
Generates the zsh command completion scripts for pct.

Signed-off-by: Christian Ebner 
---
 src/Makefile | 10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/Makefile b/src/Makefile
index f68eb5d..b0c30de 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -16,6 +16,7 @@ PODDIR=${DOCDIR}/pod
 MAN1DIR=${MANDIR}/man1/
 MAN5DIR=${MANDIR}/man5/
 BASHCOMPLDIR=${PREFIX}/share/bash-completion/completions/
+ZSHCOMPLDIR=${PREFIX}/share/zsh/vendor-completions/
 export PERLDIR=${PREFIX}/share/perl5
 
 # this require package pve-doc-generator
@@ -28,12 +29,17 @@ pct.bash-completion:
PVE_GENERATING_DOCS=1 perl -I. -T -e "use PVE::CLI::pct; 
PVE::CLI::pct->generate_bash_completions();" >$@.tmp
mv $@.tmp $@
 
+pct.zsh-completion:
+   PVE_GENERATING_DOCS=1 perl -I. -T -e "use PVE::CLI::pct; 
PVE::CLI::pct->generate_zsh_completions();" >$@.tmp
+   mv $@.tmp $@
+
 .PHONY: check
 check: test
make -C test
 
 .PHONY: install
-install: pct lxc-pve.conf lxc-pve-prestart-hook lxc-pve-autodev-hook 
lxc-pve-poststop-hook lxcnetaddbr pct.1 pct.conf.5 pct.bash-completion 
pve-userns.seccomp
+install: pct lxc-pve.conf lxc-pve-prestart-hook lxc-pve-autodev-hook 
lxc-pve-poststop-hook \
+   lxcnetaddbr pct.1 pct.conf.5 pct.bash-completion pct.zsh-completion 
pve-userns.seccomp
PVE_GENERATING_DOCS=1 perl -I. -T -e "use PVE::CLI::pct; 
PVE::CLI::pct->verify_api();"
install -d ${SBINDIR}
install -m 0755 pct ${SBINDIR}
@@ -52,6 +58,7 @@ install: pct lxc-pve.conf lxc-pve-prestart-hook 
lxc-pve-autodev-hook lxc-pve-pos
install -d ${LXC_COMMON_CONFIG_DIR}
install -m 0644 lxc-pve.conf ${LXC_COMMON_CONFIG_DIR}/01-pve.conf
install -m 0644 -D pct.bash-completion ${BASHCOMPLDIR}/pct
+   install -m 0644 -D pct.zsh-completion ${ZSHCOMPLDIR}/_pct
make -C PVE install
install -d ${MAN1DIR}
install -d ${MAN5DIR}
@@ -81,6 +88,7 @@ clean:
make -C test clean
make cleanup-docgen
rm -rf *.1 *.5 *.tmp *.bash-completion
+   rm -rf *.1 *.5 *.tmp *.zsh-completion
find . -name '*~' -exec rm {} ';'
 
 .PHONY: distclean
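Review bot: The added clean line `rm -rf *.1 *.5 *.tmp *.zsh-completion` repeats three globs that the line directly above it already removes. Suggest appending `*.zsh-completion` to the existing rm line instead of adding a second one.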
-- 
2.11.0



[pve-devel] [PATCH storage] 1891 Add zsh command completion for pvesm

2019-02-21 Thread Christian Ebner
This adds the zsh command completion generation for pvesm.

Signed-off-by: Christian Ebner 
---
 Makefile | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 8f27cd1..bece3f1 100644
--- a/Makefile
+++ b/Makefile
@@ -10,6 +10,7 @@ MANDIR=${PREFIX}/share/man
 DOCDIR=${PREFIX}/share/doc/${PACKAGE}
 MAN1DIR=${MANDIR}/man1/
 BASHCOMPLDIR=${PREFIX}/share/bash-completion/completions/
+ZSHCOMPLDIR=${PREFIX}/share/zsh/vendor-completions/
 
 export PERLDIR=${PREFIX}/share/perl5
 
@@ -34,8 +35,12 @@ pvesm.bash-completion:
perl -I. -T -e "use PVE::CLI::pvesm; 
PVE::CLI::pvesm->generate_bash_completions();" >$@.tmp
mv $@.tmp $@
 
+pvesm.zsh-completion:
+   perl -I. -T -e "use PVE::CLI::pvesm; 
PVE::CLI::pvesm->generate_zsh_completions();" >$@.tmp
+   mv $@.tmp $@
+
 .PHONY: install
-install: PVE pvesm.1 pvesm.bash-completion
+install: PVE pvesm.1 pvesm.bash-completion pvesm.zsh-completion
install -d ${DESTDIR}${SBINDIR}
install -m 0755 pvesm ${DESTDIR}${SBINDIR}
make -C PVE install
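Review bot: pvesm.zsh-completion is a new generated file, written via `>$@.tmp` and `mv $@.tmp $@`, but no hunk in this patch adds it to a clean rule, so the file (and a stale .tmp after a failed perl run) stays in the tree. Suggest removing `*.zsh-completion` in the clean target along with the other generated files.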
@@ -43,6 +48,7 @@ install: PVE pvesm.1 pvesm.bash-completion
install -m 0644 pvesm.1 ${DESTDIR}/usr/share/man/man1/
gzip -9 -n ${DESTDIR}/usr/share/man/man1/pvesm.1
install -m 0644 -D pvesm.bash-completion ${DESTDIR}${BASHCOMPLDIR}/pvesm
+   install -m 0644 -D pvesm.zsh-completion ${DESTDIR}${ZSHCOMPLDIR}/_pvesm
 
 .PHONY: deb
 deb: ${DEB}
-- 
2.11.0



[pve-devel] [PATCH qemu-server] 1891 Add zsh command completion for qm and qmrestore

2019-02-21 Thread Christian Ebner
This adds the zsh command completion for qm and qmrestore.

Signed-off-by: Christian Ebner 
---
 Makefile | 14 +-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 369e660..bdad719 100644
--- a/Makefile
+++ b/Makefile
@@ -20,6 +20,7 @@ MAN1DIR=${MANDIR}/man1/
 MAN5DIR=${MANDIR}/man5/
 MAN8DIR=${MANDIR}/man8/
 BASHCOMPLDIR=${PREFIX}/share/bash-completion/completions/
+ZSHCOMPLDIR=${PREFIX}/share/zsh/vendor-completions/
 export PERLDIR=${PREFIX}/share/perl5
 PERLINCDIR=${PERLDIR}/asm-x86_64
 
@@ -54,7 +55,16 @@ qmrestore.bash-completion:
PVE_GENERATING_DOCS=1 perl -I. -T -e "use PVE::CLI::qmrestore; 
PVE::CLI::qmrestore->generate_bash_completions();" >$@.tmp
mv $@.tmp $@
 
-PKGSOURCES=qm qm.1 qmrestore qmrestore.1 qmextract qm.conf.5 
qm.bash-completion qmrestore.bash-completion qmeventd qmeventd.8
+qm.zsh-completion:
+   PVE_GENERATING_DOCS=1 perl -I. -T -e "use PVE::CLI::qm; 
PVE::CLI::qm->generate_zsh_completions();" >$@.tmp
+   mv $@.tmp $@
+
+qmrestore.zsh-completion:
+   PVE_GENERATING_DOCS=1 perl -I. -T -e "use PVE::CLI::qmrestore; 
PVE::CLI::qmrestore->generate_zsh_completions();" >$@.tmp
+   mv $@.tmp $@
+
+PKGSOURCES=qm qm.1 qmrestore qmrestore.1 qmextract qm.conf.5 
qm.bash-completion qmrestore.bash-completion \
+   qm.zsh-completion qmrestore.zsh-completion qmeventd qmeventd.8
 
 .PHONY: install
 install: ${PKGSOURCES}
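Review bot: the `qm.zsh-completion` and `qmrestore.zsh-completion` rules are two copies of one recipe that differ only in the module name. A single pattern rule, as the cluster patch in this series does with `%.zsh-completion:`, would keep them from drifting apart, with the `PVE_GENERATING_DOCS=1` prefix moved into that rule. This patch also has no hunk for a clean target, so if that target names the bash-completion files explicitly, the two new generated files need to be added there.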
@@ -71,6 +81,8 @@ install: ${PKGSOURCES}
install -m 0644 pve-q35.cfg ${DESTDIR}/usr/share/${PACKAGE}
install -m 0644 -D qm.bash-completion ${DESTDIR}/${BASHCOMPLDIR}/qm
install -m 0644 -D qmrestore.bash-completion 
${DESTDIR}/${BASHCOMPLDIR}/qmrestore
+   install -m 0644 -D qm.zsh-completion ${DESTDIR}/${ZSHCOMPLDIR}/_qm
+   install -m 0644 -D qmrestore.zsh-completion 
${DESTDIR}/${ZSHCOMPLDIR}/_qmrestore
install -m 0644 -D bootsplash.jpg ${DESTDIR}/usr/share/${PACKAGE}
make -C PVE install
install -m 0755 qm ${DESTDIR}${SBINDIR}
-- 
2.11.0



[pve-devel] [PATCH cluster] 1891 Add zsh command completion for pvecm

2019-02-21 Thread Christian Ebner
This adds the generation of the zsh command completion scripts for
pvecm.

Signed-off-by: Christian Ebner 
---
 data/PVE/Makefile | 10 --
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/data/PVE/Makefile b/data/PVE/Makefile
index b87a0f8..509f0ea 100644
--- a/data/PVE/Makefile
+++ b/data/PVE/Makefile
@@ -3,6 +3,7 @@ PERL5DIR=${DESTDIR}/usr/share/perl5
 PVEDIR=${PERL5DIR}/PVE
 MAN=${DESTDIR}/usr/share/man
 BASHCOMPLETION=${DESTDIR}/usr/share/bash-completion/completions
+ZSHCOMPLETION=${DESTDIR}/usr/share/zsh/vendor-completions
 
 PERL_VENDORARCH=$(shell perl -MConfig -e 'print $$Config{vendorarch};')
 PVE_VENDORARCH=${DESTDIR}/${PERL_VENDORARCH}/auto/PVE/IPCC
@@ -15,7 +16,7 @@ SOURCES=IPCC.pm Cluster.pm Corosync.pm
 all:
 
 .PHONY: install
-install: pvecm ${SOURCES} IPCC.so pvecm.1 pvecm.bash-completion 
datacenter.cfg.5
+install: pvecm ${SOURCES} IPCC.so pvecm.1 pvecm.bash-completion 
pvecm.zsh-completion datacenter.cfg.5
install -D -m 0755 pvecm ${DESTDIR}/usr/bin/pvecm
install -d ${PVEDIR}
for f in ${SOURCES}; do install -m 0664 $$f ${PVEDIR}/$$f; done
@@ -23,12 +24,17 @@ install: pvecm ${SOURCES} IPCC.so pvecm.1 
pvecm.bash-completion datacenter.cfg.5
install -D pvecm.1 ${MAN}/man1/pvecm.1
install -D datacenter.cfg.5 ${MAN}/man5/datacenter.cfg.5
install -m 0644 -D pvecm.bash-completion ${BASHCOMPLETION}/pvecm
+   install -m 0644 -D pvecm.zsh-completion ${ZSHCOMPLETION}/_pvecm
for d in ${SUBDIRS}; do $(MAKE) -C $$d install; done
 
 %.bash-completion:
perl -I.. -T -e "use PVE::CLI::$*; 
PVE::CLI::$*->generate_bash_completions();" >$@.tmp
mv $@.tmp $@
 
+%.zsh-completion:
+   perl -I.. -T -e "use PVE::CLI::$*; 
PVE::CLI::$*->generate_zsh_completions();" >$@.tmp
+   mv $@.tmp $@
+
 Cluster/IPCConst.pm:
$(MAKE) -C Cluster IPCConst.pm
 
@@ -56,5 +62,5 @@ export NOVIEW=1
 .PHONY: clean
 clean:
$(MAKE) cleanup-docgen
-   rm -f IPCC.so IPCC.o IPCC.c pvecm.bash-completion
+   rm -f IPCC.so IPCC.o IPCC.c pvecm.bash-completion pvecm.zsh-completion
for d in ${SUBDIRS}; do $(MAKE) -C $$d clean; done
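Review bot: the `rm -f` line now removes pvecm.zsh-completion but not pvecm.zsh-completion.tmp, which the `%.zsh-completion` recipe leaves behind whenever perl fails, because the shell creates `$@.tmp` before perl runs and the `mv` is then never reached. Adding `*.tmp` (or the two .tmp names) to this line would cover the bash-completion recipe as well.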
-- 
2.11.0


