On April 29, 2020 11:58 am, Fabian Ebner wrote:
> The update_pct_config call leads to a write_config call and so the
> configuration file was created before it was intended to be created.
>
> When the CFS is updated in between the write_config call and the
> PVE::Cluster::check_vmid_unused call in
On April 29, 2020 4:24 pm, Thomas Lamprecht wrote:
> as the nbd server could have been stopped by something else.
> Further, it makes no sense to die and mark the migration thus as
> failed, just because of a NBD server stop issue.
>
> At this point the migration hand off to the target was done al
On 4/30/20 8:35 AM, Fabian Grünbichler wrote:
> On April 29, 2020 4:24 pm, Thomas Lamprecht wrote:
>> Signed-off-by: Thomas Lamprecht
>> ---
>>
>> This was rather quickly assembled to fix an obvious issue, some in depth look
>> at this would be nice, @Fabi or @Fabian :)
>
> LGTM!
>
It really sh
On April 29, 2020 4:24 pm, Thomas Lamprecht wrote:
> Signed-off-by: Thomas Lamprecht
> ---
>
> This was rather quickly assembled to fix an obvious issue, some in depth look
> at this would be nice, @Fabi or @Fabian :)
LGTM!
>
> PVE/QemuMigrate.pm | 5 -
> 1 file changed, 4 insertions(+),
On 4/29/20 4:50 PM, Thomas Lamprecht wrote:
On 4/29/20 2:32 PM, Dominik Csapak wrote:
opens a window with the parameters for the sync and two buttons:
'preview' and 'sync'
both open the taskviewer, but the 'preview' one sets the 'dry-run'
parameter so that it does not get written out to the
Signed-off-by: Andreas Steinel
---
pvesm.adoc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pvesm.adoc b/pvesm.adoc
index 5340c3d..b76ce87 100644
--- a/pvesm.adoc
+++ b/pvesm.adoc
@@ -84,8 +84,8 @@ data to different nodes.
^1^: On file based storages, snapshots are po
On 4/29/20 2:32 PM, Dominik Csapak wrote:
> opens a window with the parameters for the sync and two buttons:
> 'preview' and 'sync'
>
> both open the taskviewer, but the 'preview' one sets the 'dry-run'
> parameter so that it does not get written out to the user.cfg
>
> loads the realm config and
On 4/29/20 2:32 PM, Dominik Csapak wrote:
> opens a window with the parameters for the sync and two buttons:
> 'preview' and 'sync'
>
> both open the taskviewer, but the 'preview' one sets the 'dry-run'
> parameter so that it does not get written out to the user.cfg
>
> loads the realm config and
as the nbd server could have been stopped by something else.
Further, it makes no sense to die and mark the migration thus as
failed, just because of a NBD server stop issue.
At this point the migration hand off to the target was done already,
so normally we're good, if it fails we have other (fol
Signed-off-by: Thomas Lamprecht
---
This was rather quickly assembled to fix an obvious issue, some in depth look
at this would be nice, @Fabi or @Fabian :)
PVE/QemuMigrate.pm | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/PVE/QemuMigrate.pm b/PVE/QemuMigrate.pm
index 7
Currently icmp types are handled via 'dport'. This is not documented
anywhere except for a single line of comment in the code. To untangle
the icmp-type handling from the dport handling a new 'icmp-type'
parameter is introduced.
The valid 'icmp-type' values are limited to either the names
(icmp[v6
The combogrid contains all valid icmp types that iptables accepts. In
addition to the names, the Type[/Code] value is shown as well.
As the simple solution with setStore() does not work to change the store
for the combogrid and the values are only set on the first field with
the corresponding name
This has to be done in both icmp and icmpv6 cases. Currently if
'ipv6-icmp' is set via the GUI ('icmpv6' is not available there) there
is no icmp-type handling. As this is meant to fix the iptables-restore
failure if an icmp-type > 255 is specified, no ipv6-icmp handling is
introduced.
These error
This removes icmpv6-type 'any' as it is not supported by ip6tables. Also
introduced new icmpv6 types 'beyond-scope', 'failed-policy' and
'reject-route'. These values were taken from 'ip6tables -p icmpv6 -h'.
Signed-off-by: Mira Limbeck
---
src/PVE/Firewall.pm | 4 +++-
1 file changed, 3 insertio
Signed-off-by: Mira Limbeck
---
pve-firewall-rules-opts.adoc | 4
1 file changed, 4 insertions(+)
diff --git a/pve-firewall-rules-opts.adoc b/pve-firewall-rules-opts.adoc
index 13ec8d8..5e8c01e 100644
--- a/pve-firewall-rules-opts.adoc
+++ b/pve-firewall-rules-opts.adoc
@@ -6,6 +6,10 @@ Res
The first 2 pve-firewall patches contain the actual fix to #2645. As we
ignore warnings when pve-firewall is run as a daemon, we don't get any
information regarding invalid icmp-types in the logs. To get these
messages you have to run pve-firewall compile and look at the output.
Patch 3 introduces
opens a window with the parameters for the sync and two buttons:
'preview' and 'sync'
both open the taskviewer, but the 'preview' one sets the 'dry-run'
parameter so that it does not get written out to the user.cfg
loads the realm config and prefills the selection with values from
the config, and
On 4/29/20 1:34 PM, Fabian Ebner wrote:
> Signed-off-by: Fabian Ebner
> ---
>
> Follow-up for
> https://pve.proxmox.com/pipermail/pve-devel/2020-April/043041.html
>
> PVE/QemuServer.pm | 11 ++-
> 1 file changed, 2 insertions(+), 9 deletions(-)
>
> diff --git a/PVE/QemuServer.pm b/PVE
On 4/29/20 1:54 PM, Dominik Csapak wrote:
> copy/pasted the other mail to only write on answer:
>
> On 4/29/20 1:52 PM, Thomas Lamprecht wrote:
>> On 4/27/20 4:40 PM, Dominik Csapak wrote:
>>> opens a window with the parameters for the sync and two buttons:
>>> 'preview' and 'sync'
>>>
>>> both op
copy/pasted the other mail to only write on answer:
On 4/29/20 1:52 PM, Thomas Lamprecht wrote:
> On 4/27/20 4:40 PM, Dominik Csapak wrote:
>> opens a window with the parameters for the sync and two buttons:
>> 'preview' and 'sync'
>>
>> both open the taskviewer, but the 'preview' one sets the 'n
On 4/27/20 4:40 PM, Dominik Csapak wrote:
> opens a window with the parameters for the sync and two buttons:
> 'preview' and 'sync'
>
> both open the taskviewer, but the 'preview' one sets the 'no-write'
> parameter so that it does not get written out to the user.cfg
>
Oh, and maybe it's nicer i
On 4/27/20 4:40 PM, Dominik Csapak wrote:
> opens a window with the parameters for the sync and two buttons:
> 'preview' and 'sync'
>
> both open the taskviewer, but the 'preview' one sets the 'no-write'
> parameter so that it does not get written out to the user.cfg
>
> loads the realm config an
Signed-off-by: Fabian Ebner
---
Follow-up for https://pve.proxmox.com/pipermail/pve-devel/2020-April/043041.html
PVE/QemuServer.pm | 11 ++-
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 63b368f..efacc45 100644
--- a/PVE/QemuSe
On 4/16/20 2:54 PM, Fabian Ebner wrote:
> by excluding vmstate. It is referenced by snapshots, but
> is not a volume containing a snapshot.
>
> Signed-off-by: Fabian Ebner
> ---
> PVE/QemuMigrate.pm | 2 ++
> PVE/QemuServer.pm | 2 +-
> 2 files changed, 3 insertions(+), 1 deletion(-)
>
> diff
On 4/27/20 9:19 AM, Fabian Grünbichler wrote:
> this is only used for migration via 'qm mtunnel', regular users should
> never need to resume a VM that does not logically belong to the node it
> is running on
>
> Signed-off-by: Fabian Grünbichler
> ---
> PVE/API2/Qemu.pm | 2 ++
> 1 file changed
The update_pct_config call leads to a write_config call and so the
configuration file was created before it was intended to be created.
When the CFS is updated in between the write_config call and the
PVE::Cluster::check_vmid_unused call in create_and_lock_config,
the container file would already
On 4/29/20 10:52 AM, Fabian Grünbichler wrote:
> to allow some level of safe concurrent config modification, instead of
> the current free for all.
>
> Signed-off-by: Fabian Grünbichler
> ---
>
> Notes:
> require pve-cluster that provides cfs_lock_firewall, or switching to
> cfs_lock_dom
On 4/29/20 10:52 AM, Fabian Grünbichler wrote:
> so that API paths that raise an exception while holding a CFS lock
> properly propagate that exception to the client, instead of the
> stringified version with added noise about locks added to the front.
>
> Signed-off-by: Fabian Grünbichler
> ---
On 4/29/20 10:52 AM, Fabian Grünbichler wrote:
> Signed-off-by: Fabian Grünbichler
> ---
> alternatively we could re-use 'cfs_lock_domain', which is currently
> only used by HA and was intended as general-purpose cfs_lock wrapper..
> I'd shorten the firewall- prefix to fw- in that case though.
>
On 4/28/20 2:52 PM, Dominik Csapak wrote:
> when a backup includes a cloudinit disk on a non-existent storage,
> the restore fails with 'storage' does not exist
>
> this happens because we want to get the format of the disk, by
> checking the source storage
>
> we fix this by using the target sto
wherever we have a r-m-w cycle.
Signed-off-by: Fabian Grünbichler
---
Notes:
best viewed with -w
src/PVE/API2/Firewall/Aliases.pm | 80 +---
src/PVE/API2/Firewall/Cluster.pm | 36
src/PVE/API2/Firewall/Groups.pm | 52 ++-
src/PVE/API2/Firewall/Host.pm|
for example, the config parser drops a trailing /32 for IPv4, so we
should do the same here. otherwise we can have one entry for $IP and
one for $IP/32 with different properties until the next R-M-W cycle
drops one of them again.
Signed-off-by: Fabian Grünbichler
---
src/PVE/API2/Firewall/IPSet
for ipset, rules and alias API generation modules.
Signed-off-by: Fabian Grünbichler
---
Notes:
separated from using them for easier reviewing
src/PVE/API2/Firewall/Aliases.pm | 24
src/PVE/API2/Firewall/IPSet.pm | 48
src/PVE/API2/Firewa
instead of silently dropping them when writing the config out.
Signed-off-by: Fabian Grünbichler
---
src/PVE/Firewall.pm | 15 ++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 7b26ac5..4d86032 100644
--- a/src/PVE/Firew
while this was already handled properly (as empty rules), adding this as
error makes it much more visible (in the GUI as well).
Signed-off-by: Fabian Grünbichler
---
src/PVE/Firewall.pm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 4d86032.
so that API paths that raise an exception while holding a CFS lock
properly propagate that exception to the client, instead of the
stringified version with added noise about locks added to the front.
Signed-off-by: Fabian Grünbichler
---
Notes:
there seems to be nothing that matches on the p
Signed-off-by: Fabian Grünbichler
---
Notes:
best viewed with -w
src/PVE/Firewall.pm | 16 +---
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index eda39eb..7b26ac5 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.
to allow some level of safe concurrent config modification, instead of
the current free for all.
Signed-off-by: Fabian Grünbichler
---
Notes:
require pve-cluster that provides cfs_lock_firewall, or switching to
cfs_lock_domain as mentioned in pve-cluster#1
lock_hostfw_conf could
the second cluster patch is optional, but improves usability of
non-worker API calls that do
cfs_lock_foo(..., sub {
raise_foo
});
the last three firewall patches are unrelated bug fixes that I found
while testing.
pve-cluster:
Fabian Grünbichler (2):
cfs_lock: add firewall lock helper
Signed-off-by: Fabian Grünbichler
---
alternatively we could re-use 'cfs_lock_domain', which is currently
only used by HA and was intended as general-purpose cfs_lock wrapper..
I'd shorten the firewall- prefix to fw- in that case though.
domain-fw-host-$foo might be more confusing to end users th
On 4/9/20 1:28 PM, Wolfgang Bumiller wrote:
> v2 just has minor fixups to the previous series.
>
> Initial cover letter:
>
> There's probably more to come, and not all our settings are yet
> automatically converted to cgroupv2 in `update_lxc_config`, but the one
> most people probably run into is
41 matches
Mail list logo