On 15.07.2014 07:11, Alexandre Derumier wrote:
> Apply after my others ipv6 patches
to me it does not apply:
Applying: fix ip6tables for venet0 ips
error: patch failed: src/PVE/Firewall.pm:3163
error: src/PVE/Firewall.pm: patch does not apply
Patch failed at 0001 fix ip6tables for venet0 ips
to holiday on 17 July, so I'll try to send patches before.
>
>
> - Original Message -
>
> From: "Stefan Priebe - Profihost AG"
> To: "Alexandre DERUMIER"
> Cc: "pve-devel" , "Dietmar Maurer"
>
> Sent: Tuesday 8 July 20
Hi,
i was thinking to give some people in our office the ability to store
their own custom iso's for vm installation.
Is it correct that i have to add a NFS storage per user? So if i have 35
users i have to add 35 storages to PVE? Or is there another possibility
to give users the ability to uploa
On 08.07.2014 00:25, Alexandre DERUMIER wrote:
>>> Sure, but especially in this case i wouldn't go with nftables. Nobody
>>> knows how many bugs there are. How many crashes in kernel or userspace
>>> somebody has to expect. And even nobody knows when it will be declared
>>> stable.
>
> I sh
full
Now you should see the backtrace incl functions and values.
Stefan
>
>
>
> - Original Message -
>
> From: "Stefan Priebe - Profihost AG"
> To: "Alexandre DERUMIER"
> Cc: "pve-devel"
> Sent: Monday 7 July 2014 14:26:37
> 0040c647 sp 7fffb7178620 error 4 in nft[40+44000]
>
>
> So, maybe it's a bug in current rhel kernel.
> (I'll test with a 3.15 kernel)
segfaulting in nft looks more like a bug in nfs cmd tool. Have you tried
to attach with gdb and the debug libs?
Stefan
Hi,
On 07.07.2014 07:46, Alexandre DERUMIER wrote:
>>> My feeling is that we should use nft, else we will do all work twice.
>>>
> yes.
>
>>> But the current iptables implementation is a good start for the first
>>> release.
>
> I'll try to build a nftables rules sample manually to see wha
ebtables-restore (same format
>> than iptables),
>> but they are not provided by debian ebtables package.(debian remove them in
>> their patches).
>> do you think we can provide a pve-ebtables package ?
>
> Strange why do they delete it in their package
On 06.07.2014 at 05:32, Dietmar Maurer wrote:
>> BTW, I'll also rework my ipv6 patch.
>>
>> I thought about extending $ruleset, to something like
>>
>> $ruleset->{iptables}->{filter}
>> $ruleset->{iptables}->{nat}
>> $ruleset->{ip6tables}->{filter}
>> $ruleset->{ebtables}->{filter}
>>
>> Like t
p110i0-OUT -p IPV4 -s $macaddr -j ACCEPT
> -A tap110i0-OUT -p ARP -s $macaddr -j ACCEPT
> -A tap110i0-OUT -j DROP
looks great
Stefan
> - Original Message -
>
> From: "Stefan Priebe - Profihost AG"
> To: "Alexandre DERUMIER"
> Cc: "pve-devel"
On 04.07.2014 13:50, Stefan Priebe - Profihost AG wrote:
> On 04.07.2014 13:45, Alexandre DERUMIER wrote:
>>>> What about ARP traffic? Someone can claim he is another mac in ARP. Even
>>>> though ip traffic will then never reach the VM he still can tell via ar
t's dropped.
Stefan
> - Original Message -
>
> From: "Stefan Priebe - Profihost AG"
> To: "Alexandre DERUMIER"
> Cc: "pve-devel"
> Sent: Friday 4 July 2014 11:28:40
> Subject: Re: [pve-devel] firewall : cluster.fw [rules] secti
't check the
> mac address.
> (don't know if it can be a security problem)
Stefan
>
> - Original Message -
>
> From: "Stefan Priebe - Profihost AG"
> To: "Alexandre DERUMIER"
> Cc: "pve-devel"
> Sent: Friday 4 Ju
On 04.07.2014 11:07, Stefan Priebe - Profihost AG wrote:
> On 04.07.2014 11:03, Alexandre DERUMIER wrote:
>>>> Main problem is that iptables is only layer3. What about layer2 IP / mac
>>>> spoofing?
>>
>> yes, mac filtering need to be done like curr
h start.
> I wonder if we couldn't have something like:
>
> memory : memory,maxmem=...,dimmsize=...
>
> and compute the dimm devices from this.
>
>
> (But in this case we can't mix dimm size)
>
>
> - Original Message -
>
> From: "Ste
his?
Stefan
>
>
>
> ----- Original Message -
>
> From: "Stefan Priebe - Profihost AG"
> To: "Alexandre DERUMIER"
> Cc: pve-devel@pve.proxmox.com
> Sent: Friday 4 July 2014 10:53:24
> Subject: Re: [pve-devel] [PATCH 2/2] add memory/dimm hot
tefan
> - Original Message -
>
> From: "Stefan Priebe - Profihost AG"
> To: "Alexandre DERUMIER" , "pve-devel"
>
> Sent: Friday 4 July 2014 10:55:58
> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
>
> Am 1
On 19.06.2014 07:50, Alexandre DERUMIER wrote:
>>> But I don't see anywhere in the code where these rules are generated ?
>
> I think we could create a PVEFW-cluster-IN|OUT chain, and put it at same
> level that blacklist.
>
> (and maybe make blacklist ipset more generic, if we can create a r
On 04.07.2014 10:49, Alexandre DERUMIER wrote:
> Thanks for the patch, I think it's not too much different in qemu 2.1
>
> I see in your code :
> my $MAX_DIMMS = 10;
>
>
>
> and
>
> + push @$cmd, '-m',
> "size=".$memory.",slots=10,maxmem=".$conf->{maxmemory}."G";
>
>
> is "slots=10" = max
Hi,
wouldn't it make sense to also use ebtables for PVE?
So we can for example only allow:
arp traffic (matching the mac)
IPV4
IPV6
nothing else.
Stefan
___
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listi
Ok bad idea.
What I want to achieve is that even when all policies are set to enabled I
want to have a highly isolated network for the vms. No broadcast or multicast
should leave the vm. Only layer3 stuff.
Stefan
Excuse my typo sent from my mobile phone.
> On 04.07.2014 at 05:58, Diet
On 03.07.2014 12:00, Alexandre DERUMIER wrote:
> qemu 2.1 rc0 has been released
>
> interesting new features:
>
> - Support for memory hotplug using the new "pc-dimm" device and the QOM
> objects "memory-backend-ram" and "memory-backend-file".
I already have PVE code ready for memory hotplug
On 26.06.2014 at 07:44, Alexandre DERUMIER wrote:
>>> but Proxmox VE simply runs 'lvremove', so what 'client side' do you talk
>>> about?
>
> Maybe at the iscsi layer ? maybe multipathing ?
>
> Do you have more information about the problem ?
I would prefer a strace of the hanging lvm pro
On 25.06.2014 07:37, Dietmar Maurer wrote:
> I just switched to noVNC as default viewer:
>
>
>
> https://git.proxmox.com/?p=pve-manager.git;a=commitdiff;h=251f2f6bfcbac213607872fd991bba2cc4988f61
>
>
>
> The datacenter option ‘console’ can now have 3 values:
>
>
>
> * html5 (noVNC, de
On 23.06.2014 12:14, Dietmar Maurer wrote:
>> Should work on nearly any kernel; there are no changes in the veth driver.
>
> Again, what package do you want me to apply this patch (2.6.32 or 3.10.0
> kernel, or both)?
ah sorry 3.10
Stefan
On 23.06.2014 05:58, Dietmar Maurer wrote:
> This patch is for which kernel ?
Should work on nearly any kernel; there are no changes in the veth driver.
>> -Original Message-
>> From: pve-devel [mailto:pve-devel-boun...@pve.proxmox.com] On Behalf Of
>> Stefan Priebe
>> Sent: Saturday, 21.
On 19.06.2014 17:13, Stefan Priebe - Profihost AG wrote:
>
>
> On 19.06.2014 17:06, Dietmar Maurer wrote:
>>>> What kind of backup storage do you use?
>>>>
>>>
>>> plain mounted disk. So just a directory.
>>
>> Standard install
On 19.06.2014 17:05, Dietmar Maurer wrote:
>> is this a bug or a feature?
>
> Feature. It lists backups for all VMs you can backup/restore.
>
> I know, this is clumsy for admin account, because it lists all backups.
>
ah OK thanks - yes if you have around 24 backups per VM and you can't
find
On 19.06.2014 17:06, Dietmar Maurer wrote:
>>> What kind of backup storage do you use?
>>>
>>
>> plain mounted disk. So just a directory.
>
> Standard installation? Or modified something (kernel)?
>
OK, it works fine with compress lzo; it does not with compress 0.
Stefan
On 19.06.2014 17:02, Dietmar Maurer wrote:
>> ERROR: vma_queue_write: write error - Invalid argument
>
> What kind of backup storage do you use?
>
plain mounted disk. So just a directory.
Stefan
On 19.06.2014 17:06, Dietmar Maurer wrote:
>>> What kind of backup storage do you use?
>>>
>>
>> plain mounted disk. So just a directory.
>
> Standard installation? Or modified something (kernel)?
Standard with Vanilla 3.10.43 kernel. Do you think it is kernel related?
Stefan
e_write: write error - Invalid
argument
INFO: Backup job finished with errors
job errors
Stefan
On 19.06.2014 16:41, Stefan Priebe - Profihost AG wrote:
> Hello,
>
> on my test system i'm using lvm instead of ceph. I see pretty often that
> backups hang at 0%.
>
> Is this is k
Hello,
on my test system i'm using lvm instead of ceph. I see pretty often that
backups hang at 0%.
Is this a known bug?
Output of the backup task is:
-
INFO: starting new backup job: vzdump 200 --compress 0 --storage
pxebackups --node testnode
I
Hi,
is this a bug or a feature?
VM 101:
there are also backups listed for vm102, 103, ...
Stefan
On 18.06.2014 13:00, Dietmar Maurer wrote:
> I just added websocket support to PVE::HTTPServer.pm, and modified the
>
> noVNC console to use that new feature. See:
>
>
>
> https://git.proxmox.com/?p=qemu-server.git;a=commitdiff;h=3e7567e05e1df6b11c2d3c4dee86aec9c8f57a14
>
> https://git.prox
Hi,
is there any reason why VM firewall support is directly combined with
cluster firewall?
I mean it's nice if PVE brings its own firewall for the host nodes but
for people like me who already have their firewall concepts for the host
nodes it's a mess.
I really would like only to use the firewa
ize 64 maxelem 64
add PVEFW-0-management 10.255.0.0/24
create PVEFW-0-venet0 hash:net family inet hashsize 64 maxelem 64
> - Original Message -
>
> From: "Stefan Priebe - Profihost AG"
> To: "Alexandre DERUMIER"
> Cc: pve-devel@pve.proxmox.com
> Env
cloud3-1351 pve-firewall[7944]: status update error:
> command '/sbin/iptables-restore -n' failed: exit code 1
>
> Stefan
>
>> - Original Message -
>>
>> From: "Stefan Priebe - Profihost AG"
>> To: "Alexandre DERUMIER"
>>
> #pve-firewall compile
>
> to see generated rules ?
The output is very long! Do you need everything?
Stefan
> - Original Message -
>
> From: "Stefan Priebe - Profihost AG"
> To: "Alexandre DERUMIER"
> Cc: pve-devel@pve.proxmox.com
> Sent:
17 10:28:04 cloud3-1351 pve-firewall[7944]: status update error:
command '/sbin/iptables-restore -n' failed: exit code 1
On 17.06.2014 10:26, Stefan Priebe - Profihost AG wrote:
> OK adding an empty
> netpoll pdo controller to the veth device in the kernel fixes the problem.
>
t indeed we can improve that (I'll try to have a look at it)
>
>
>>> I just don't get why it works for vmbr1 but not for vmbr0.
>
> can you try to manually add
>
> #brctl addif fwln2004i0 fwbr2004i0
> #brctl addif fwpr2004p0 vmbr0
>
> ?
lling...
if i do a
rmmod netconsole
everything works fine.
So it's a kernel bug.
Stefan
> - Original Message -
>
> From: "Stefan Priebe - Profihost AG"
> To: "Alexandre DERUMIER"
> Cc: pve-devel@pve.proxmox.com
> Sent: Monday 16 June 201
netconsole device to log all kernel
messages and also pre boot messages to a custom server.
It seems the netconsole driver breaks this. I'll have a look at it.
Stefan
> - Original Message -
>
> From: "Stefan Priebe - Profihost AG"
> To: "Alexandre DERUMIER"
p0 works fine ?!?!
# brctl addif vmbr1 fwpr2004p0; echo $?
0
#
I don't get it.
Stefan
> - Original Message -
>
> From: "Stefan Priebe - Profihost AG"
> To: "Alexandre DERUMIER"
> Cc: pve-devel@pve.proxmox.com
> Sent: Monday 16 June 2014 11:40:5
2004p0 Link encap:Ethernet HWaddr b2:47:35:28:2c:de
I think this should get cleaned in that case?
Stefan
>
> ----- Original Message -
>
> From: "Stefan Priebe - Profihost AG"
> To: "Alexandre DERUMIER"
> Cc: pve-devel@pve.proxmox.com
> Sent: Monday
What is the difference between the normal tap device without firewall -
which works fine for me on vmbr0 and vmbr1 and the firewall tap one?
Stefan
On 16.06.2014 11:10, Stefan Priebe - Profihost AG wrote:
> Hi,
>
> i get the same problem with the official redhat PVE Kernel.
>
Hi,
i get the same problem with the official redhat PVE Kernel.
What i don't understand is that it works fine with vmbr1 but not with
vmbr0.
Interfaces file on host:
auto vmbr0
iface vmbr0 inet static
address XX.XX.XX.XX
netmask 255.255.255.128
gateway XX.XX.XX.XX
't support polling, aborting "
>
> do you use a custom kernel ?
Yes it's a custom 3.10.43 vanilla kernel. As I was using 3.10 already
for a year as I needed some feature not supported by the RHEL 5 kernel.
Will look into the kernel source code.
Stefan
> - Mail o
eys %$conf) {
> next if $netid !~ m/^net(\d+)$/;
> my $net = PVE::QemuServer::parse_net($conf->{$netid});
> next if !$net->{firewall}; >> skip if net firewall is
> disable
>
>
>
> but for openvz venet, we need t
Hello,
ok since i found the 3rd checkbox. It tries to enable the firewall.
But it fails.
PVE Output:
can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
can't add interface 'iface' to bridge 'vmbr0'
/var/lib/qemu-server/pve-bridge: could not launch network script
Kernel Output:
[1705113.081
copy_bridge_config($bridge, $newbridge) if $bridge ne $newbridge;
>
> $newbridge = &$create_firewall_bridge_linux($iface, $newbridge) if
> $firewall;
>
> &$bridge_add_interface($newbridge, $iface);
> } else {
> &$cleanup_firewall_br
On 16.06.2014 09:21, Stefan Priebe - Profihost AG wrote:
> On 13.06.2014 20:33, Dietmar Maurer wrote:
>>> i would like to have different levels of firewall. Something the USER / VM
>>> Owner
>>> can control and something the PVE Manage / Sysadmin can control.
On 13.06.2014 20:33, Dietmar Maurer wrote:
>> i would like to have different levels of firewall. Something the USER / VM
>> Owner
>> can control and something the PVE Manage / Sysadmin can control.
>>
>> So i can give the user the ability to use the new cool firewall code but i
>> can still
>>
brxx is plugged to vmbrx
> through a veth pair.
> So this is done online.
Seems like this one is never created:
[/etc/pve]# ip a l|grep fwbr
[/etc/pve]#
> - Original Message -----
>
> From: "Stefan Priebe - Profihost AG"
> To: "Alexandre DERUMIER" , "D
f the user disabled "his" firewall -
the datacenter admin still wants his ip filter and a mac filter set.
Stefan
> - Original Message -
>
> From: "Stefan Priebe - Profihost AG"
> To: "Dietmar Maurer" , "Alexandre DERUMIER"
>
> C
Message -
>
> From: "Dietmar Maurer"
> To: "Stefan Priebe - Profihost AG" , "Alexandre
> DERUMIER"
> Cc: pve-devel@pve.proxmox.com
> Sent: Friday 13 June 2014 14:54:32
> Subject: RE: [pve-devel] pve-firewall : add ipfilter protection
>
Hi,
i would like to have different levels of firewall. Something the USER /
VM Owner can control and something the PVE Manage / Sysadmin can control.
So i can give the user the ability to use the new cool firewall code but
i can still be sure that he doesn't use a DHCP Server, didn't disable
the
On 13.06.2014 14:54, Dietmar Maurer wrote:
>> OK seems my testing is wrong.
>>
>> What I did:
>>
>> /etc/pve/firewall/2004.fw:
>> [IPSET ipfilter-net0]
>> 10.10.28.5
>>
>> I then enabled the Firewall for this VM.
>
> Also enabled the firewall in cluster.fw?
>
>> The VM has now 10.10.28.4 on ne
> On 12.06.2014 10:41, Dietmar Maurer wrote:
>>
>>
>>> -Original Message-
>>> From: Alexandre DERUMIER [mailto:aderum...@odiso.com]
>>> Sent: Thursday, 12 June 2014 10:37
>>> To: Dietmar Maurer
>>> Cc: pve-devel@pve.proxmox.com; Stefan Priebe
>>> Subject: Re: [pve-devel] pve-firewall :
Hi,
OK my test setup is up and running.
I'm not really familiar with the current firewall code in PVE.
Are the global rules really global or just copied to each VM while
they're created?
Is it later possible to give a user the possibility to do its own
firewall stuff but not being allowed to ED
On 13.06.2014 12:07, Dietmar Maurer wrote:
>> I am still a bit unhappy with the qemu-server side. I will try to work on
>> that next
>> week.
>
> To test with your qemu-server patches you need to apply:
>
> diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
> index ebacc95..ab4ba00 100644
> ---
On 13.06.2014 09:41, Dietmar Maurer wrote:
> Hi Stefan,
>
>
>
> I just assembled a noVNC package:
>
>
>
> https://git.proxmox.com/?p=novnc-pve.git;a=summary
>
>
>
> Note: I use different paths, so that we do not conflict with upstream
> package.
Great. Anything to test?
Stefan
Hi,
On 12.06.2014 08:39, Dietmar Maurer wrote:
>> OK, I finally understand the problem. I guess I will implement the suggestion
>> from Alexandre:
>>
>> [ipset ipfilter-net0]
>> ...
>>
>>
>> I guess that will work for you?
>
> OK, Implemented - please can you test?
Sounds great! I'll hopefully
On 11.06.2014 at 17:26, Dietmar Maurer wrote:
>>> 192.168.0.1
>>> 10.0.0.0/8
>>>
>>
>> Thanks - will try that but how to bind this to mac addresses or network
>> interfaces? I mean a user can have multiple network interfaces.
>>
>> Maybe he is allowed to use IPA on net0 and IPB on net1
168.0.1
> 10.0.0.0/8
>
Thanks - will try that but how to bind this to mac addresses or network
interfaces? I mean a user can have multiple network interfaces.
Maybe he is allowed to use IPA on net0 and IPB on net1 but not IPB on net0.
Greets,
Stefan
> ----- Original Message -
On 11.06.2014 10:07, Dietmar Maurer wrote:
>> Would it make sense to also allow ip/mask notation so pve knows more about
>> the network? May be display user ip settings?
>>
>> Haven't tested, but I think it should work. I'll test that today.
>
> I just applied a simplified version of your
Hi,
it is correct that only root can do firewall stuff?
Is it planned to add custom access rights later?
Stefan
Would it make sense to also allow ip/mask notation so pve knows more about the
network? May be display user ip settings?
Stefan
Excuse my typo sent from my mobile phone.
> On 11.06.2014 at 04:03, Alexandre Derumier wrote:
>
> currently only for qemu.
>
> for openvz:
>
> -veth not yet imple
matnwfilter.html
Greets,
Stefan
> Alexandre
>
> - Original Message -
>
> From: "Alexandre DERUMIER"
> To: "Stefan Priebe - Profihost AG"
> Cc: pve-devel@pve.proxmox.com
> Sent: Thursday 5 June 2014 13:20:30
> Subject: Re: [pve-devel] pve-firewal
or several use cases. But if you
think of users having only 1 vm and only being allowed to use one ip it
is a lot of work to create pools for each.
I would prefer a solution which covers both.
Stefan
> - Original Message -
>
> From: "Stefan Priebe - Profihost AG"
>
wants to use and we still
want to have the above protection.
Stefan
> - Original Message -
>
> From: "Stefan Priebe - Profihost AG"
> To: "Alexandre DERUMIER" , "Dietmar Maurer"
>
> Cc: pve-devel@pve.proxmox.com
> Envoyé: Je
e able to change the allowed IP. Is this assumption correct?
Stefan
> - Original Message -
>
> From: "Dietmar Maurer"
> To: "Stefan Priebe - Profihost AG" , "Alexandre
> DERUMIER"
> Cc: pve-devel@pve.proxmox.com
> Sent: Wednesday 4 June 20
On 04.06.2014 17:24, Dietmar Maurer wrote:
> I am unable to apply this patch:
>
> error: patch failed: debian/patches/series:28
> error: debian/patches/series: patch does not apply
> Patch failed at 0001 fix another aio bug
> 0001-aio-fix-qemu_bh_schedule-bh-ctx-race-condition.patch
>
>
my f
On 04.06.2014 14:19, Dietmar Maurer wrote:
>> I'm just afraid about the current situation which has no security at all. So
>> everybody can configure any ip he wants and send packets with it.
>
> The 'allowed_ips' ipset idea is very easy to implement ...
>
OK so adding option IP to each netX.
On 04.06.2014 14:19, Dietmar Maurer wrote:
>>> The attacker is inside the VM.
>>>
>> inside the VM where your DHCP live?
>
> no, inside a VM which used dhcp.
That doesn't matter. Normally you don't accept DHCP replies from this VM
only requests.
>> Then he already has control over all your DHC
On 04.06.2014 14:13, Dietmar Maurer wrote:
>>> What happen in case of a malicious hacker, which send false dhcp response
>> over the network ?
>>
>> Where / at which point? Normally you have a trusted MAC and IP for DHCP
>> Server.
>>
>> Then on the switches itself you also use DHCP Snooping. So
?
I'm just afraid about the current situation which has no security at
all. So everybody can configure any ip he wants and send packets with it.
Stefan
> - Original Message -
>
> From: "Stefan Priebe - Profihost AG"
> To: "Alexandre DERUMIER"
> Cc:
>> I like this one ;) also, could be use when we'll implement dhcp server
>> inside proxmox.
>
> But dietmar correctly comments on how do we know the IP. Or just as a
> textfield set in the creation wizard? Does this make sense?
>
> What are the enable DHCP and M
0=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3
>>> It is then easy to implement such filter.
>
> also a good idea.
>
> Alexandre - any suggestions?
>
>
> On 04.06.2014 12:19, Stefan Priebe - Profihost AG wrote:
>> Am 04.06.2014 12:10, schri
>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3
>> It is then easy to implement such filter.
also a good idea.
Alexandre - any suggestions?
On 04.06.2014 12:19, Stefan Priebe - Profihost AG wrote:
> On 04.06.2014 12:10, Dietmar Maurer wrote:
>
On 04.06.2014 12:10, Dietmar Maurer wrote:
>> i'm starting to deploy the pve-firewall code on a test cluster.
>>
>> Something i really would like to have is dhcp snooping on the linux bridge
>> so that
>> VMs controlled by somebody else can't use fake / wrong ip addresses.
>>
>> Is something like
Hi,
i'm starting to deploy the pve-firewall code on a test cluster.
Something i really would like to have is dhcp snooping on the linux
bridge so that VMs controlled by somebody else can't use fake / wrong ip
addresses.
Is something like this possible with the current firewall code?
Stefan
On 04.06.2014 11:17, Dietmar Maurer wrote:
>>> Do you talk about add/remove a CDROM device, or changing/eject CDROM
>> media?
>>>
>>
>> add remove a cdrom device. Adding is possible but removing isn't.
>
> I think adding a device should not be possible?
>
It depends - i think adding a cdrom i
On 04.06.2014 11:13, Dietmar Maurer wrote:
>> currently adding a new CDROM is allowed if you have VM.Config.CDROM rights.
>> But you can't delete it with these rights.
>>
>> You get an exception regarding missing VM.Config.Disk rights.
>>
>> Is this correct?
>
> Do you talk about add/remove a CD
On 04.06.2014 11:07, Dietmar Maurer wrote:
>> so everything is forced to be encrypted otherwise the browser won't load it
>
> AFAIK we always encrypt anyways, so what is the advantage?
>
> Also, we use self-signed certificates by default.
>
Was just an idea - to be sure that everything is alw
On 04.06.2014 10:55, Dietmar Maurer wrote:
>> wouldn't it make sense if pveproxy generally set the
>> Strict-Transport-Security
>> Header?
>
> Why?
>
so everything is forced to be encrypted otherwise the browser won't load it
Hi,
wouldn't it make sense if pveproxy generally set the
Strict-Transport-Security Header?
--
Stefan
Hi,
currently adding a new CDROM is allowed if you have VM.Config.CDROM
rights. But you can't delete it with these rights.
You get an exception regarding missing VM.Config.Disk rights.
Is this correct?
Stefan
On 03.06.2014 11:02, Dietmar Maurer wrote:
As for self
signed certs wss needs to run on the SAME port as the webui. As no
browser supports accepting certs for WSS.
>>>
>>> Do we need the same port or the same cert?
>>
>> Sadly yes. All browsers save the acceptance of a cert for hos
On 03.06.2014 10:41, Dietmar Maurer wrote:
>>> Sure. But not for SPICE.
>>
>> yeah for WSS we would need a special proxy running inside pveproxy.
>
> pveproxy is wrong place for that. I think spiceproxy would work better
> (unencrypted).
>
>> As for self
>> signed certs wss needs to run on the
On 03.06.2014 10:32, Dietmar Maurer wrote:
>> OK it's the same for java. There we have ssh and vencrypt in RBD
>
> Sure. But not for SPICE.
yeah for WSS we would need a special proxy running inside pveproxy. As
for self signed certs wss needs to run on the SAME port as the webui. As
no browser
On 03.06.2014 10:23, Dietmar Maurer wrote:
>>> Anyways, this is not really important right now. Just want to show
>>> that the current approach is not really optional (useless encrypt/decrypt
>>> which
>> wastes CPU power).
>>
>> at which stage?
>
> HTTPS <==> SSH <==> kvm
>
> So I think we en
On 03.06.2014 10:14, Dietmar Maurer wrote:
>>> websocket
>>>Opens an additional TCP listening port dedicated to VNC
>>>Websocket connections. By definition the Websocket port is
>>>5700+display. If host is specified connections will only be
>>>
On 03.06.2014 09:58, Dietmar Maurer wrote:
>>> OK - but which advantage do we get
>>
>> You patch seem to break VNC when started via /etc/inetd.conf
>>
>> Also, simply using normal VNC features seems more correct to me.
>>
>>> beside we need to care about another
>>> patch while upgrading qemu ve
On 03.06.2014 05:46, Dietmar Maurer wrote:
>>> Also, It seems quite easy to support multiple auth. The server just
>>> needs to send all supported auth modes in
>>>
>>> ui/vnc.c method protocol_version()
>>>
>>> something like:
>>>
>>> } else {
>>> VNC_DEBUG("Telling client we supp
On 02.06.2014 at 17:06, Dietmar Maurer wrote:
is there a way to execute a monitor command on VM 100 running on 1
from server 2?
I need this to change the VNC parameters on a target VM.
>>>
>>> Maybe you can use ssh to execute a command on the other node.
>>
>> Yeah but th
On 02.06.2014 at 17:04, Dietmar Maurer wrote:
>> But it does not in qemu. It's an enum in the code supporting only one way. I
>> can't
>> change it.
>
> What is the problem exactly?
Qemu does not support multiple auth at once. It only supports changing auth
type with monitor command that'
On 02.06.2014 at 14:51, Dietmar Maurer wrote:
>> is there a way to execute a monitor command on VM 100 running on 1 from
>> server 2?
>>
>> I need this to change the VNC parameters on a target VM.
>
> Maybe you can use ssh to execute a command on the other node.
Yeah but there is no one line
On 02.06.2014 at 14:52, Dietmar Maurer wrote:
>> I need this to change the VNC parameters on a target VM.
>
> Besides, I don't really think this is the right way. VNC should simply
> support several auth types.
But it does not in qemu. It's an enum in the code supporting only one way. I
can
Hi,
is there a way to execute a monitor command on VM 100 running on 1 from
server 2?
I need this to change the VNC parameters on a target VM.
Stefan