[pve-devel] [PATCH installer] assistant: fix spelling and precise text in help usage output

2024-04-25 Thread Alexander Zeidler
Signed-off-by: Alexander Zeidler 
---
 proxmox-auto-install-assistant/src/main.rs | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/proxmox-auto-install-assistant/src/main.rs 
b/proxmox-auto-install-assistant/src/main.rs
index 9bc083e..0debd29 100644
--- a/proxmox-auto-install-assistant/src/main.rs
+++ b/proxmox-auto-install-assistant/src/main.rs
@@ -91,16 +91,16 @@ struct CommandValidateAnswer {
 
 /// Prepare an ISO for automated installation.
 ///
-/// The behavior of how to fetch an answer file must be set with the 
'--fetch-from', parameter. The
+/// The behavior of how to fetch an answer file must be set with the 
'--fetch-from' parameter. The
 /// answer file can be:{n}
 /// * integrated into the ISO itself ('iso'){n}
-/// * needs to be present in a partition / file-system with the label 
'PROXMOX-AIS' (Proxmox
+/// * present on a partition / file-system with the label 'PROXMOX-AIS' 
(Proxmox
 /// Automated Installer Source) ('partition'){n}
-/// * get requested via an HTTP Post request ('http').
+/// * requested via an HTTP Post request ('http').
 ///
 /// The URL for the HTTP mode can be defined for the ISO with the '--url' 
argument. If not present,
-/// it will try to get a URL from a DHCP option (250, TXT) or by querying a 
DNS TXT record at
-/// 'proxmox-auto-installer.{search domain}'.
+/// it will try to get a URL from a DHCP option (250, TXT) or by querying a 
DNS TXT record for the
+/// domain 'proxmox-auto-installer.{search domain}'.
 ///
 /// The TLS certificate fingerprint can either be defined via the 
'--cert-fingerprint' argument or
 /// alternatively via the custom DHCP option (251, TXT) or in a DNS TXT record 
located at
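Review bot: in the third bullet, "HTTP Post request" should read "HTTP POST request", since the method name is upper-case; while the line is being touched anyway, "The behavior of how to fetch an answer file must be set with the '--fetch-from' parameter" reads more naturally as "How the answer file is fetched is selected with the '--fetch-from' parameter".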
-- 
2.39.2



___
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel



[pve-devel] [PATCH installer] install module: getters: correctly use plural in error messages

2024-04-25 Thread Alexander Zeidler
Signed-off-by: Alexander Zeidler 
---
 Proxmox/Install.pm | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Proxmox/Install.pm b/Proxmox/Install.pm
index 6ad9d17..c0f8955 100644
--- a/Proxmox/Install.pm
+++ b/Proxmox/Install.pm
@@ -255,7 +255,7 @@ sub get_zfs_raid_setup {
$cmd .= " @$hd[1]";
}
 } elsif ($filesys eq 'zfs (RAID1)') {
-   die "zfs (RAID1) needs at least 2 device\n" if $diskcount < 2;
+   die "zfs (RAID1) needs at least 2 devices\n" if $diskcount < 2;
$cmd .= ' mirror ';
my $hd = @$devlist[0];
my $expected_size = @$hd[2]; # all disks need approximately same size
@@ -265,7 +265,7 @@ sub get_zfs_raid_setup {
$cmd .= " @$hd[1]";
}
 } elsif ($filesys eq 'zfs (RAID10)') {
-   die "zfs (RAID10) needs at least 4 device\n" if $diskcount < 4;
+   die "zfs (RAID10) needs at least 4 devices\n" if $diskcount < 4;
die "zfs (RAID10) needs an even number of devices\n" if $diskcount & 1;
 
for (my $i = 0; $i < $diskcount; $i+=2) {
@@ -329,10 +329,10 @@ sub get_btrfs_raid_setup {
if ($filesys eq 'btrfs (RAID0)') {
$mode = 'raid0';
} elsif ($filesys eq 'btrfs (RAID1)') {
-   die "btrfs (RAID1) needs at least 2 device\n" if $diskcount < 2;
+   die "btrfs (RAID1) needs at least 2 devices\n" if $diskcount < 2;
$mode = 'raid1';
} elsif ($filesys eq 'btrfs (RAID10)') {
-   die "btrfs (RAID10) needs at least 4 device\n" if $diskcount < 4;
+   die "btrfs (RAID10) needs at least 4 devices\n" if $diskcount < 4;
$mode = 'raid10';
} else {
die "unknown btrfs mode '$filesys'\n";
-- 
2.39.2






[pve-devel] [PATCH container] fix #5414: use proper percentages in `pct df`

2024-04-25 Thread Fabian Grünbichler
while some people write percentages as 0.XX, putting a % next to that is just
confusing. Also, combined with the format modifier this would be rather lossy,
and also not match regular `df` output.

Signed-off-by: Fabian Grünbichler 
---
 src/PVE/CLI/pct.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PVE/CLI/pct.pm b/src/PVE/CLI/pct.pm
index c48321d..4504b54 100755
--- a/src/PVE/CLI/pct.pm
+++ b/src/PVE/CLI/pct.pm
@@ -433,7 +433,7 @@ __PACKAGE__->register_method({
my $used = $format->($df->{used});
my $avail = $format->($df->{avail});
 
-   my $pc = sprintf('%.1f', $df->{used}/$df->{total});
+   my $pc = sprintf('%.1f', 100 * $df->{used} / $df->{total});
 
my $entry = [ $name, $mp->{volume}, $total, $used, $avail, 
$pc, $path ];
push @list, $entry;
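Review bot: the division still has no guard for `$df->{total}` being 0 (an empty or failed statfs result would give that), and a single such mount point would abort the whole listing with "Illegal division by zero". Suggest something like `my $pc = $df->{total} ? sprintf('%.1f', 100 * $df->{used} / $df->{total}) : '-';` so one bad entry does not hide the others.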
-- 
2.39.2





Re: [pve-devel] [PATCH qemu-server v8 1/3] add C program to get hardware capabilities from CPUID

2024-04-25 Thread Stefan Sterz
On Thu Apr 25, 2024 at 1:24 PM CEST, Markus Frank wrote:
> Implement a systemd service that runs a C program that extracts AMD
> SEV hardware information such as reduced-phys-bits and cbitpos from
> CPUID at boot time, looks if SEV, SEV-ES & SEV-SNP are enabled, and
> outputs these details as JSON to /run/qemu-server/hw-params.json.
>
> This program can also be used to read and save other hardware
> information at boot time.
>
> Signed-off-by: Markus Frank 
> Co-authored-by: Thomas Lamprecht 
> ---
> v8:
> * renamed query-machine-params to query-machine-capabilities
>
> v7:
> * renamed amd-sev-support to query-machine-params
> * mv /run/amd-sev-params to /run/qemu-server/hw-params.json
> * add "mkdir /run/qemu-server" to ensure that the directory exists
> * moved json content to amd-sev property inside a bigger json
>  so that other hardware parameters could also be read at boot time and
>  included in this json file.
>
>  Makefile  |  1 +
>  query-machine-capabilities/Makefile   | 21 +++
>  .../query-machine-capabilities.c  | 55 +++
>  .../query-machine-capabilities.service| 12 
>  4 files changed, 89 insertions(+)
>  create mode 100644 query-machine-capabilities/Makefile
>  create mode 100644 query-machine-capabilities/query-machine-capabilities.c
>  create mode 100644 
> query-machine-capabilities/query-machine-capabilities.service
>
> diff --git a/Makefile b/Makefile
> index 133468d..ed67fe0 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -65,6 +65,7 @@ install: $(PKGSOURCES)
>   install -m 0644 -D bootsplash.jpg $(DESTDIR)/usr/share/$(PACKAGE)
>   $(MAKE) -C PVE install
>   $(MAKE) -C qmeventd install
> + $(MAKE) -C query-machine-capabilities install
>   $(MAKE) -C qemu-configs install
>   $(MAKE) -C vm-network-scripts install
>   install -m 0755 qm $(DESTDIR)$(SBINDIR)
> diff --git a/query-machine-capabilities/Makefile 
> b/query-machine-capabilities/Makefile
> new file mode 100644
> index 000..c5f6348
> --- /dev/null
> +++ b/query-machine-capabilities/Makefile
> @@ -0,0 +1,21 @@
> +DESTDIR=
> +PREFIX=/usr
> +SBINDIR=${PREFIX}/libexec/qemu-server
> +SERVICEDIR=/lib/systemd/system
> +
> +CC ?= gcc
> +CFLAGS += -O2 -fanalyzer -Werror -Wall -Wextra -Wpedantic -Wtype-limits 
> -Wl,-z,relro -std=gnu11
> +
> +query-machine-capabilities: query-machine-capabilities.c
> + $(CC) $(CFLAGS) -o $@ $< $(LDFLAGS)
> +
> +.PHONY: install
> +install: query-machine-capabilities
> + install -d ${DESTDIR}/${SBINDIR}
> + install -d ${DESTDIR}${SERVICEDIR}
> + install -m 0644 query-machine-capabilities.service 
> ${DESTDIR}${SERVICEDIR}
> + install -m 0755 query-machine-capabilities ${DESTDIR}${SBINDIR}
> +
> +.PHONY: clean
> +clean:
> + rm -f query-machine-capabilities
> diff --git a/query-machine-capabilities/query-machine-capabilities.c 
> b/query-machine-capabilities/query-machine-capabilities.c
> new file mode 100644
> index 000..f4a9f9f
> --- /dev/null
> +++ b/query-machine-capabilities/query-machine-capabilities.c
> @@ -0,0 +1,55 @@
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +
> +int main() {
> +uint32_t eax, ebx, ecx, edx;
> +
> +// query Encrypted Memory Capabilities, see:
> +// 
> https://en.wikipedia.org/wiki/CPUID#EAX=801Fh:_Encrypted_Memory_Capabilities
> +uint32_t query_function = 0x801F;
> +asm volatile("cpuid"
> +  : "=a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx)
> +  : "0"(query_function)
> +);
> +
> +bool sev_support = (eax & (1<<1)) != 0;
> +bool sev_es_support = (eax & (1<<3)) != 0;
> +bool sev_snp_support = (eax & (1<<4)) != 0;
> +
> +uint8_t cbitpos = ebx & 0x3f;
> +uint8_t reduced_phys_bits = (ebx >> 6) & 0x3f;
> +
> +FILE *file;
> +char filename[] = "/run/qemu-server/host-hw-capabilities.json";
> +
> +mkdir("/run/qemu-server/", 0755);
> +

wouldn't it make sense to check whether this call succeeded too like you
do for the `fopen` below? also might be nice to use `strerror` and
handle `errno` in those cases too.

> +file = fopen(filename, "w");
> +if (file == NULL) {
> + perror("Error opening file");
> + return 1;
> +}
> +
> +fprintf(file,
> + "{"
> + " \"amd-sev\": {"
> + " \"cbitpos\": %u,"
> + " \"reduced-phys-bits\": %u,"
> + " \"sev-support\": %s,"
> + " \"sev-support-es\": %s,"
> + " \"sev-support-snp\": %s"
> + " }"
> + " }\n",
> + cbitpos,
> + reduced_phys_bits,
> + sev_support ? "true" : "false",
> + sev_es_support ? "true" : "false",
> + sev_snp_support ? "true" : "false"
> +);
> +
> +fclose(file);
> +return 0;
> +}
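Review bot: the Encrypted Memory Capabilities leaf passed as `query_function` is queried unconditionally. CPUID only defines that leaf when the CPU's highest extended function (returned in EAX by function 0x80000000) reaches it; on a CPU that lacks it (any Intel host, older AMD parts) the instruction returns the data of the highest basic leaf instead, so the `eax` bit tests can report SEV support that does not exist and the JSON would be wrong. Query 0x80000000 first, decode the capabilities leaf only when the returned EAX is large enough, and otherwise write all three support flags as false.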
> diff --git a/query-machine-capabilities/query-machine-capabilities.service 
> b/query-machine-capabilities/query-machine-capabilities.service
> new file mode 100644
> index 000..f926074
> --- /dev/null
> +++ 

[pve-devel] [PATCH docs v8 3/3] add AMD SEV documentation

2024-04-25 Thread Markus Frank
add documentation for the "[PATCH qemu-server] config: add AMD SEV
support" patch.

Signed-off-by: Markus Frank 
---
v8:
* adjust changed parameter names in examples

v5:
* removed NodeConfig part

v4:
* added text that SEV-ES is experimental

 qm.adoc | 103 
 1 file changed, 103 insertions(+)

diff --git a/qm.adoc b/qm.adoc
index 42c26db..2001bd4 100644
--- a/qm.adoc
+++ b/qm.adoc
@@ -715,6 +715,109 @@ systems.
 When allocating RAM to your VMs, a good rule of thumb is always to leave 1GB
 of RAM available to the host.
 
+[[qm_memory_encryption]]
+Memory Encryption
+~
+
+[[qm_memory_encryption_sev]]
+AMD SEV
+^^^
+
+SEV (Secure Encrypted Virtualization) enables memory encryption per VM using
+AES-128 encryption and the AMD Secure Processor.
+
+SEV-ES (Secure Encrypted Virtualization-Encrypted State) in addition encrypts
+all CPU register contents when a VM stops running, to prevent leakage of
+information to the hypervisor. This feature is very experimental.
+
+*Host Requirements:*
+
+* AMD EPYC CPU
+* SEV-ES is only supported on AMD EPYC 7xx2 and newer
+* configure AMD memory encryption in the BIOS settings of the host machine
+* add "kvm_amd.sev=1" to kernel parameters if not enabled by default
+* add "mem_encrypt=on" to kernel parameters if you want to encrypt memory on 
the
+host (SME) see 
https://www.kernel.org/doc/Documentation/x86/amd-memory-encryption.txt
+* maybe increase SWIOTLB see https://github.com/AMDESE/AMDSEV#faq-4
+
+To check if SEV is enabled on the host search for `sev` in dmesg and print out
+the SEV kernel parameter of kvm_amd:
+
+
+# dmesg | grep -i sev
+[...] ccp :45:00.1: sev enabled
+[...] ccp :45:00.1: SEV API: 
+[...] SEV supported:  ASIDs
+[...] SEV-ES supported:  ASIDs
+# cat /sys/module/kvm_amd/parameters/sev
+Y
+
+
+*Guest Requirements:*
+
+* edk2-OVMF
+* advisable to use Q35
+* The guest operating system must contain SEV-support.
+
+*Limitations:*
+
+* Because the memory is encrypted the memory usage on host is always wrong.
+* Operations that involve saving or restoring memory like snapshots
+& live migration do not work yet or are attackable.
+https://github.com/PSPReverse/amd-sev-migration-attack
+* PCI passthrough is not supported.
+* SEV-ES is very experimental.
+* QEMU & AMD-SEV documentation is very limited.
+
+Example Configuration:
+
+
+# qm set  -amd_sev type=std,no-debug=1,no-key-sharing=1,kernel-hashes=1
+
+
+The *type* defines the encryption technology ("type=" is not necessary).
+Available options are std & es.
+
+The QEMU *policy* parameter gets calculated with the *no-debug* and
+*no-key-sharing* parameters. These parameters correspond to policy-bit 0 and 1.
+If *type* is *es* the policy-bit 2 is set to 1 so that SEV-ES is enabled.
+Policy-bit 3 (nosend) is always set to 1 to prevent migration-attacks. For more
+information on how to calculate the policy see:
+https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf[AMD
 SEV API Specification Chapter 3]
+
+The *kernel-hashes* is per default off for backward compatibility with older
+OVMF images and guests that do not measure the kernel/initrd.
+See https://lists.gnu.org/archive/html/qemu-devel/2021-11/msg02598.html
+
+*Check if SEV is working on the guest*
+
+Method 1 - dmesg:
+
+Output should look like this.
+
+
+# dmesg | grep -i sev
+AMD Memory Encryption Features active: SEV
+
+
+Method 2 - MSR 0xc0010131 (MSR_AMD64_SEV):
+
+Output should be 1.
+
+
+# apt install msr-tools
+# modprobe msr
+# rdmsr -a 0xc0010131
+1
+
+
+Links:
+
+* https://developer.amd.com/sev/
+* https://github.com/AMDESE/AMDSEV
+* https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html
+* https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf
+* https://documentation.suse.com/sles/15-SP1/html/SLES-amd-sev/index.html
 
 [[qm_network_device]]
 Network Device
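Review bot: "Method 2" states the output of `rdmsr -a 0xc0010131` should be 1, but MSR_AMD64_SEV is a bit field (bit 0 = SEV enabled, bit 1 = SEV-ES enabled), so a guest started with `type=es` reads 3; phrase it as "bit 0 must be set: 1 for SEV, 3 for SEV-ES". In the limitations, "the memory usage on host is always wrong" would be clearer as "memory usage reported for the VM on the host is not meaningful, since the host cannot inspect encrypted pages", and the guest requirement "must contain SEV-support" as "must support SEV".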
-- 
2.39.2






[pve-devel] [PATCH qemu-server v8 1/3] add C program to get hardware capabilities from CPUID

2024-04-25 Thread Markus Frank
Implement a systemd service that runs a C program that extracts AMD
SEV hardware information such as reduced-phys-bits and cbitpos from
CPUID at boot time, looks if SEV, SEV-ES & SEV-SNP are enabled, and
outputs these details as JSON to /run/qemu-server/hw-params.json.

This program can also be used to read and save other hardware
information at boot time.

Signed-off-by: Markus Frank 
Co-authored-by: Thomas Lamprecht 
---
v8:
* renamed query-machine-params to query-machine-capabilities

v7:
* renamed amd-sev-support to query-machine-params
* mv /run/amd-sev-params to /run/qemu-server/hw-params.json
* add "mkdir /run/qemu-server" to ensure that the directory exists
* moved json content to amd-sev property inside a bigger json
 so that other hardware parameters could also be read at boot time and
 included in this json file.

 Makefile  |  1 +
 query-machine-capabilities/Makefile   | 21 +++
 .../query-machine-capabilities.c  | 55 +++
 .../query-machine-capabilities.service| 12 
 4 files changed, 89 insertions(+)
 create mode 100644 query-machine-capabilities/Makefile
 create mode 100644 query-machine-capabilities/query-machine-capabilities.c
 create mode 100644 
query-machine-capabilities/query-machine-capabilities.service

diff --git a/Makefile b/Makefile
index 133468d..ed67fe0 100644
--- a/Makefile
+++ b/Makefile
@@ -65,6 +65,7 @@ install: $(PKGSOURCES)
install -m 0644 -D bootsplash.jpg $(DESTDIR)/usr/share/$(PACKAGE)
$(MAKE) -C PVE install
$(MAKE) -C qmeventd install
+   $(MAKE) -C query-machine-capabilities install
$(MAKE) -C qemu-configs install
$(MAKE) -C vm-network-scripts install
install -m 0755 qm $(DESTDIR)$(SBINDIR)
diff --git a/query-machine-capabilities/Makefile 
b/query-machine-capabilities/Makefile
new file mode 100644
index 000..c5f6348
--- /dev/null
+++ b/query-machine-capabilities/Makefile
@@ -0,0 +1,21 @@
+DESTDIR=
+PREFIX=/usr
+SBINDIR=${PREFIX}/libexec/qemu-server
+SERVICEDIR=/lib/systemd/system
+
+CC ?= gcc
+CFLAGS += -O2 -fanalyzer -Werror -Wall -Wextra -Wpedantic -Wtype-limits 
-Wl,-z,relro -std=gnu11
+
+query-machine-capabilities: query-machine-capabilities.c
+   $(CC) $(CFLAGS) -o $@ $< $(LDFLAGS)
+
+.PHONY: install
+install: query-machine-capabilities
+   install -d ${DESTDIR}/${SBINDIR}
+   install -d ${DESTDIR}${SERVICEDIR}
+   install -m 0644 query-machine-capabilities.service 
${DESTDIR}${SERVICEDIR}
+   install -m 0755 query-machine-capabilities ${DESTDIR}${SBINDIR}
+
+.PHONY: clean
+clean:
+   rm -f query-machine-capabilities
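Review bot: `-Wl,-z,relro` in CFLAGS is a linker option and belongs in LDFLAGS; and since this binary runs as root on every boot, it is worth using the usual hardening set for such helpers, e.g. `-fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE` in CFLAGS and `-pie -Wl,-z,relro -Wl,-z,now` in LDFLAGS. Minor: `install -d ${DESTDIR}/${SBINDIR}` has an extra slash compared with the `${DESTDIR}${SBINDIR}` used two lines below; harmless, but inconsistent.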
diff --git a/query-machine-capabilities/query-machine-capabilities.c 
b/query-machine-capabilities/query-machine-capabilities.c
new file mode 100644
index 000..f4a9f9f
--- /dev/null
+++ b/query-machine-capabilities/query-machine-capabilities.c
@@ -0,0 +1,55 @@
+#include 
+#include 
+#include 
+#include 
+#include 
+
+int main() {
+uint32_t eax, ebx, ecx, edx;
+
+// query Encrypted Memory Capabilities, see:
+// 
https://en.wikipedia.org/wiki/CPUID#EAX=801Fh:_Encrypted_Memory_Capabilities
+uint32_t query_function = 0x801F;
+asm volatile("cpuid"
+: "=a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx)
+: "0"(query_function)
+);
+
+bool sev_support = (eax & (1<<1)) != 0;
+bool sev_es_support = (eax & (1<<3)) != 0;
+bool sev_snp_support = (eax & (1<<4)) != 0;
+
+uint8_t cbitpos = ebx & 0x3f;
+uint8_t reduced_phys_bits = (ebx >> 6) & 0x3f;
+
+FILE *file;
+char filename[] = "/run/qemu-server/host-hw-capabilities.json";
+
+mkdir("/run/qemu-server/", 0755);
+
+file = fopen(filename, "w");
+if (file == NULL) {
+   perror("Error opening file");
+   return 1;
+}
+
+fprintf(file,
+   "{"
+   " \"amd-sev\": {"
+   " \"cbitpos\": %u,"
+   " \"reduced-phys-bits\": %u,"
+   " \"sev-support\": %s,"
+   " \"sev-support-es\": %s,"
+   " \"sev-support-snp\": %s"
+   " }"
+   " }\n",
+   cbitpos,
+   reduced_phys_bits,
+   sev_support ? "true" : "false",
+   sev_es_support ? "true" : "false",
+   sev_snp_support ? "true" : "false"
+);
+
+fclose(file);
+return 0;
+}
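Review bot: the path written here, /run/qemu-server/host-hw-capabilities.json, differs from the /run/qemu-server/hw-params.json named in the commit message and in the v7 changelog; one of them needs updating. The file is also written in place with `fopen(filename, "w")`, so a consumer reading it while this program is still running (the unit only orders itself before pve-guests.service and pve-ha-lrm.service, not before a manual start) can see a truncated, unparseable JSON. Write to a temporary name in the same directory, check the return value of `fclose()`, then `rename()` over the final path. The results of `fprintf()` and `fclose()` are ignored at the moment, so a full or read-only /run would still exit 0.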
diff --git a/query-machine-capabilities/query-machine-capabilities.service 
b/query-machine-capabilities/query-machine-capabilities.service
new file mode 100644
index 000..f926074
--- /dev/null
+++ b/query-machine-capabilities/query-machine-capabilities.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=read AMD SEV parameters
+RequiresMountsFor=/run
+Before=pve-ha-lrm.service
+Before=pve-guests.service
+
+[Service]
+ExecStart=/usr/libexec/qemu-server/query-machine-capabilities
+Type=oneshot
+
+[Install]
+WantedBy=multi-user.target
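Review bot: `Description=read AMD SEV parameters` is stale now that the program and its JSON were generalised to host hardware capabilities in v7/v8. Since the unit runs as root and only needs to write one file below /run/qemu-server, it is a good candidate for systemd sandboxing, e.g. `NoNewPrivileges=yes`, `ProtectHome=yes` and `ProtectSystem=strict` with `ReadWritePaths=/run`.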
-- 
2.39.2




[pve-devel] [PATCH qemu-server v8 2/3] config: add AMD SEV support

2024-04-25 Thread Markus Frank
This patch is for enabling AMD SEV (Secure Encrypted Virtualization)
support in QEMU.

VM-Config-Examples:
amd_sev: type=std,no-debug=1,no-key-sharing=1
amd_sev: es,no-debug=1,kernel-hashes=1

kernel-hashes, reduced-phys-bits & cbitpos correspond to the
variables with the same name in QEMU.

kernel-hashes=1 adds kernel-hashes to enable measured linux kernel
launch since it is per default off for backward compatibility.

reduced-phys-bits and cbitpos are system specific and are read out by
the query-machine-capabilities.service on boot and saved to the
/run/qemu-server/host-hw-capabilities.json file. This file is parsed
and then used by qemu-server to correctly start an AMD SEV VM.

type=std stands for standard sev to differentiate it from sev-es (es)
or sev-snp (snp) when support is upstream.

QEMU's sev-guest policy gets calculated with the parameters nodbg
& noks. These parameters correspond to policy-bits 0 & 1. If type is
'es' then policy-bit 2 gets set to 1 to activate SEV-ES. Policy bit 3
(nosend) is always set to 1, because migration features for sev are
not upstream yet and are attackable.

SEV-ES is highly experimental since it could not be tested.

see coherent doc patch

Signed-off-by: Markus Frank 
---
v8:
* renamed "params" to "capabilities" or "caps"
* renamed "nodbg" to "no-debug" and "noks" to "no-key-sharing"
* untainted json_text as it prevented a SEV VM from starting via GUI

v7:
* adjustments for the changes made in the query-machine-params C program

v6:
* rebase on master
* removed unused $sev_node_fmt object

v5:
* parse /run/amd-sev-params for hardware parameters
* removed NodeConfig dependency
* only disallow live-migration and snapshots with vmstate
  -> allow offline migration and snapshots without vmstate

v4:
* reduced lines of code
* added text that SEV-ES is experimental

 PVE/API2/Qemu.pm   | 11 +++
 PVE/QemuMigrate.pm |  4 +++
 PVE/QemuServer.pm  | 79 ++
 3 files changed, 94 insertions(+)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 2a349c8..c29809d 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -4512,6 +4512,11 @@ __PACKAGE__->register_method({
push $local_resources->@*, "clipboard=vnc";
}
 
+   # do not allow live migration with AMD SEV enabled
+   if ($res->{running} && $vmconf->{amd_sev}) {
+   push $local_resources->@*, "amd_sev";
+   }
+
# if vm is not running, return target nodes where local storage/mapped 
devices are available
# for offline migration
if (!$res->{running}) {
@@ -5192,6 +5197,12 @@ __PACKAGE__->register_method({
die "unable to use snapshot name 'pending' (reserved name)\n"
if lc($snapname) eq 'pending';
 
+   my $conf = PVE::QemuConfig->load_config($vmid);
+   if ($param->{vmstate} && $conf->{amd_sev}) {
+   die "Snapshots that include memory are not supported while memory"
+   ." is encrypted by AMD SEV.\n"
+   }
+
my $realcmd = sub {
PVE::Cluster::log_msg('info', $authuser, "snapshot VM $vmid: 
$snapname");
PVE::QemuConfig->snapshot_create($vmid, $snapname, 
$param->{vmstate},
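Review bot: the `amd_sev` check runs on a config loaded outside the config lock, before `$realcmd`; a change that enables `amd_sev` between this check and `snapshot_create` would slip through. Doing the check inside the locked path, or in `snapshot_create` itself where the config is already at hand, closes that window and also covers other callers of the snapshot code.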
diff --git a/PVE/QemuMigrate.pm b/PVE/QemuMigrate.pm
index 8d9b35a..340402a 100644
--- a/PVE/QemuMigrate.pm
+++ b/PVE/QemuMigrate.pm
@@ -260,6 +260,10 @@ sub prepare {
die "VMs with 'clipboard' set to 'vnc' are not live migratable!\n";
 }
 
+if ($running && $conf->{'amd_sev'}) {
+   die "cannot live-migrate VM when AMD SEV is enabled.\n";
+}
+
 my $vollist = PVE::QemuServer::get_vm_volumes($conf);
 
 my $storages = {};
diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 82e7d6a..3417a86 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -177,6 +177,37 @@ my $agent_fmt = {
 },
 };
 
+my $sev_fmt = {
+type => {
+   description => "Enable standard SEV with type='std' or enable"
+   ." experimental SEV-ES with the 'es' option.",
+   type => 'string',
+   default_key => 1,
+   format_description => "sev-type",
+   enum => ['std', 'es'],
+   maxLength => 3,
+},
+'no-debug' => {
+   description => "Sets policy bit 0 to 1 to disallow debugging of guest",
+   type => 'boolean',
+   default => 0,
+   optional => 1,
+},
+'no-key-sharing' => {
+   description => "Sets policy bit 1 to 1 to disallow key sharing with 
other guests",
+   type => 'boolean',
+   default => 0,
+   optional => 1,
+},
+"kernel-hashes" => {
+   description => "Add kernel hashes to guest firmware for measured linux 
kernel launch",
+   type => 'boolean',
+   default => 0,
+   optional => 1,
+},
+};
+PVE::JSONSchema::register_format('pve-qemu-sev-fmt', $sev_fmt);
+
 my $vga_fmt = {
 type => {
description => "Select the VGA type.",
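Review bot: `no-debug` and `no-key-sharing` default to 0, so a plain `amd_sev: std` yields a policy that still permits debugging (bit 0 clear) and key sharing (bit 1 clear); for a feature whose purpose is to keep the hypervisor out of guest memory, the safer default would be 1 for both, or at minimum the descriptions should state what 0 means. `maxLength => 3` is redundant with the `enum`. Nits in the descriptions: "linux" should be "Linux" and "of guest" should be "of the guest".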
@@ -358,6 +389,12 @@ my $confdesc = {
description => "Memory properties.",
format => 

[pve-devel] [PATCH pve-network 1/1] vnets : add ports isolation

2024-04-25 Thread Alexandre Derumier via pve-devel
Add support for bridge ports isolation
https://github.com/torvalds/linux/commit/7d850abd5f4edb1b1ca4b4141a4453305736f564

This allows dropping traffic between all ports that have isolation enabled
on the local bridge, while still allowing traffic with non-isolated ports.

Here, we isolate traffic between VMs but allow traffic coming from outside.

The main usage is for layer 3 routed or NATed setups, but some users have requested it
for layer 2/bridge networks with proxy ARP.
So we can enable it at vnet level.

Signed-off-by: Alexandre Derumier 
---
 src/PVE/Network/SDN/VnetPlugin.pm   | 5 +
 src/PVE/Network/SDN/Zones/Plugin.pm | 1 +
 2 files changed, 6 insertions(+)

diff --git a/src/PVE/Network/SDN/VnetPlugin.pm 
b/src/PVE/Network/SDN/VnetPlugin.pm
index 062904c..58e177b 100644
--- a/src/PVE/Network/SDN/VnetPlugin.pm
+++ b/src/PVE/Network/SDN/VnetPlugin.pm
@@ -72,6 +72,10 @@ sub properties {
 maxLength => 256,
optional => 1,
 },
+   'ports-isolation' => {
+   type => 'boolean',
+   description => "Enable bridge ports isolation.",
+   }
 };
 }
 
@@ -81,6 +85,7 @@ sub options {
 tag => { optional => 1},
 alias => { optional => 1 },
 vlanaware => { optional => 1 },
+   'ports-isolation' => { optional => 1 },
 };
 }
 
diff --git a/src/PVE/Network/SDN/Zones/Plugin.pm 
b/src/PVE/Network/SDN/Zones/Plugin.pm
index 26cc0da..dce7e57 100644
--- a/src/PVE/Network/SDN/Zones/Plugin.pm
+++ b/src/PVE/Network/SDN/Zones/Plugin.pm
@@ -236,6 +236,7 @@ sub tap_plug {
 
 my $opts = {};
 $opts->{learning} = 0 if $plugin_config->{'bridge-disable-mac-learning'};
+$opts->{isolation} = 1 if $vnet->{'ports-isolation'};
 PVE::Network::tap_plug($iface, $vnetid, $tag, $firewall, $trunks, $rate, 
$opts);
 }
 
-- 
2.39.2




[pve-devel] [PATCH pve-common 1/1] tap_plug: add support for bridge port isolation

2024-04-25 Thread Alexandre Derumier via pve-devel
This allows blocking traffic between all ports on the bridge that have
isolation enabled (so between the VMs), while still allowing
incoming traffic from the uplink.

Signed-off-by: Alexandre Derumier 
---
 src/PVE/Network.pm | 14 --
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm
index a4f5ba9..6654ea1 100644
--- a/src/PVE/Network.pm
+++ b/src/PVE/Network.pm
@@ -218,6 +218,13 @@ sub disable_ipv6 {
 return;
 }
 
+my $bridge_enable_port_isolation = sub {
+   my ($iface) = @_;
+
+   eval { run_command(['/sbin/bridge', 'link', 'set', 'dev', $iface, 
'isolated', 'on']) };
+   die "unable to enable port isolation on interface $iface - $@\n" if $@;
+};
+
 my $bridge_disable_interface_learning = sub {
 my ($iface) = @_;
 
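Review bot: the helper only ever sets `isolated on`; there is no counterpart that turns isolation off again once the option is removed from a vnet, so a port that is re-plugged without `isolation` keeps the isolated state it received earlier. Suggest having the helper take the desired state (`on`/`off`) and letting tap_plug apply it unconditionally, the same way learning is explicitly enabled or disabled for every plug.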
@@ -394,7 +401,7 @@ sub veth_delete {
 }
 
 my $create_firewall_bridge_linux = sub {
-my ($iface, $bridge, $tag, $trunks, $no_learning) = @_;
+my ($iface, $bridge, $tag, $trunks, $no_learning, $isolation) = @_;
 
 my ($vmid, $devid) = &$parse_tap_device_name($iface);
 my ($fwbr, $vethfw, $vethfwpeer) = &$compute_fwbr_names($vmid, $devid);
@@ -409,6 +416,7 @@ my $create_firewall_bridge_linux = sub {
 
 &$bridge_add_interface($bridge, $vethfwpeer, $tag, $trunks);
 &$bridge_disable_interface_learning($vethfwpeer) if $no_learning;
+$bridge_enable_port_isolation->($vethfwpeer) if $isolation;
 &$bridge_add_interface($fwbr, $vethfw);
 
 &$bridge_add_interface($fwbr, $iface);
@@ -468,6 +476,7 @@ sub tap_plug {
$opts->{learning} = !($bridge && 
$bridge->{'bridge-disable-mac-learning'}); # default learning to on
 }
 my $no_learning = !$opts->{learning};
+my $isolation = $opts->{isolation};
 
 # cleanup old port config from any openvswitch bridge
 eval {
@@ -488,7 +497,7 @@ sub tap_plug {
}
 
if ($firewall) {
-   &$create_firewall_bridge_linux($iface, $bridge, $tag, $trunks, 
$no_learning);
+   &$create_firewall_bridge_linux($iface, $bridge, $tag, $trunks, 
$no_learning, $isolation);
} else {
&$bridge_add_interface($bridge, $iface, $tag, $trunks);
}
@@ -496,6 +505,7 @@ sub tap_plug {
$bridge_disable_interface_learning->($iface);
add_bridge_fdb($iface, $opts->{mac}) if defined($opts->{mac});
}
+   $bridge_enable_port_isolation->($iface) if $isolation;
 
 } else {
&$cleanup_firewall_bridge($iface); # remove stale devices
-- 
2.39.2




[pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation

2024-04-25 Thread Alexandre Derumier via pve-devel
This patch series adds support for SDN vnet bridge ports isolation


pve-network:

Alexandre Derumier (1):
  vnets : add ports isolation

 src/PVE/Network/SDN/VnetPlugin.pm   | 5 +
 src/PVE/Network/SDN/Zones/Plugin.pm | 1 +
 2 files changed, 6 insertions(+)

pve-common:

Alexandre Derumier (1):
  tap_plug: add support for bridge port isolation

 src/PVE/Network.pm | 14 --
 1 file changed, 12 insertions(+), 2 deletions(-)

pve-manager:

Alexandre Derumier (1):
  sdn: vnet: add ports-isolation option.

 www/manager6/sdn/VnetEdit.js | 12 
 1 file changed, 12 insertions(+)

-- 
2.39.2




[pve-devel] [PATCH pve-manager 1/1] sdn: vnet: add ports-isolation option.

2024-04-25 Thread Alexandre Derumier via pve-devel
Also move vlan-aware to the advanced section.

Signed-off-by: Alexandre Derumier 
---
 www/manager6/sdn/VnetEdit.js | 12 
 1 file changed, 12 insertions(+)

diff --git a/www/manager6/sdn/VnetEdit.js b/www/manager6/sdn/VnetEdit.js
index cdd83ed4..a00f83e6 100644
--- a/www/manager6/sdn/VnetEdit.js
+++ b/www/manager6/sdn/VnetEdit.js
@@ -52,6 +52,18 @@ Ext.define('PVE.sdn.VnetInputPanel', {
deleteEmpty: "{!isCreate}",
},
},
+],
+advancedItems: [
+   {
+   xtype: 'proxmoxcheckbox',
+   name: 'ports-isolation',
+   uncheckedValue: null,
+   checked: false,
+   fieldLabel: gettext('Ports Isolation'),
+   cbind: {
+   deleteEmpty: "{!isCreate}",
+   },
+   },
{
xtype: 'proxmoxcheckbox',
name: 'vlanaware',
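Review bot: `uncheckedValue: null` together with `deleteEmpty` means unchecking removes the key, which matches the backend treating an absent option as off; fine. The bare label "Ports Isolation" does not tell users what they are switching on, so a tooltip along the lines of "block traffic between VMs on this vnet while still allowing traffic to and from the uplink" would help, given that this is a security-relevant setting.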
-- 
2.39.2




[pve-devel] applied: [PATCH container] fix #5414: use proper percentages in `pct df`

2024-04-25 Thread Thomas Lamprecht
On 25/04/2024 at 09:40, Fabian Grünbichler wrote:
> while some people write percentages as 0.XX, putting a % next to that is just
> confusing. Also, combined with the format modifier this would be rather lossy,
> and also not match regular `df` output.
> 

Fixes: c6b5965 ("added 'pct df'")

(but I now forgot to amend it too...)

> Signed-off-by: Fabian Grünbichler 
> ---
>  src/PVE/CLI/pct.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
>

applied, thanks!




[pve-devel] [PATCH qemu 1/4] makefile: adapt firmware blob removal to changes for QEMU 8.2

2024-04-25 Thread Fiona Ebner
Namely, it's also necessary to remove .dts source files from the
meson.build file, because the .dtb file names are not directly listed
anymore since commit 6e0dc9d2a8 ("meson: compile bundled device
trees").

The same commit also introduced a "'.dtb'" in a line not just listing
a file name and removing that line would break the script. Be more
precise and require an alphanumeric character before the suffix.

Signed-off-by: Fiona Ebner 
---
 Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index c05c641..a719e43 100644
--- a/Makefile
+++ b/Makefile
@@ -31,7 +31,8 @@ PC_BIOS_FW_PURGE_LIST_IN = \
s390-ccw.img \
s390-netboot.img \
u-boot.e500 \
-   .*\.dtb \
+   .*[a-zA-Z0-9]\.dtb \
+   .*[a-zA-Z0-9]\.dts \
qemu_vga.ndrv \
slof.bin \
opensbi-riscv.*-generic-fw_dynamic.bin \
-- 
2.39.2






[pve-devel] applied-series: [PATCH installer] install module: getters: correctly use plural in error messages

2024-04-25 Thread Thomas Lamprecht
On 25/04/2024 at 10:40, Alexander Zeidler wrote:
> Signed-off-by: Alexander Zeidler 
> ---
>  Proxmox/Install.pm | 8 
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
>

applied both patches, thanks!





[pve-devel] [PATCH-SERIES qemu] update to QEMU 9.0.0

2024-04-25 Thread Fiona Ebner
QEMU 8.2.2 required many changes, in particular to the alloc-track
block driver. It should be the same as [0] just with backup fleecing
patches added in. See the patch for details.

The only bigger change in QEMU 9.0.0 is that the AioContext locking
was removed, and it just required dropping the calls to acquire and
release the lock. See the patch for details.

Did not see any outstanding important fixes on the qemu-stable mailing
list currently, so none picked up.

[0]: https://lists.proxmox.com/pipermail/pve-devel/2024-March/062422.html


Fiona Ebner (4):
  makefile: adapt firmware blob removal to changes for QEMU 8.2
  makefile: also filter 64-bit hppa ROM for QEMU 8.2
  update submodule and patches to QEMU 8.2.2
  update submodule and patches to QEMU 9.0.0

 Makefile  |   4 +-
 ...d-support-for-sync-bitmap-mode-never.patch |  88 ---
 ...-support-for-conditional-and-always-.patch |  14 +-
 ...check-for-bitmap-mode-without-bitmap.patch |   4 +-
 ...-to-bdrv_dirty_bitmap_merge_internal.patch |   8 +-
 .../0006-mirror-move-some-checks-to-qmp.patch |  14 +-
 ...race-with-clients-disconnecting-earl.patch |   6 +-
 ...as-Internal-cdbs-have-16-byte-length.patch |   2 +-
 ...ial-deadlock-when-draining-during-tr.patch |  10 +-
 ...orkaround-Windows-not-handling-name.patch} |   4 +-
 ...dirty-bitmap-fix-loading-bitmap-when.patch |  48 
 ...t-graph-lock-Disable-locking-for-now.patch | 140 --
 ...-workaround-snapshot-performance-reg.patch |  57 
 ...sgx_epc_get_section-stub-is-reachabl.patch |  34 ---
 ...k-type-as-not-available-when-there-i.patch |  86 ---
 ...ttach-event-vq-notifier-with-no_poll.patch |  65 -
 ...-Re-enable-notifications-after-drain.patch | 125 -
 ...-increase-NOFILE-soft-limit-on-POSIX.patch | 119 -
 ...-using-ioeventfd-state-in-irqfd-cond.patch |  61 -
 ...k-file-change-locking-default-to-off.patch |   2 +-
 ...djust-network-script-path-to-etc-kvm.patch |   4 +-
 ...he-CPU-model-to-kvm64-32-instead-of-.patch |   4 +-
 ...ui-spice-default-to-pve-certificates.patch |   4 +-
 ...erfs-no-default-logfile-if-daemonize.patch |   2 +-
 ...lock-rbd-disable-rbd_cache_writethro.patch |   2 +-
 ...PVE-Up-glusterfs-allow-partial-reads.patch |  10 +-
 ...return-success-on-info-without-snaps.patch |   4 +-
 ...dd-add-osize-and-read-from-to-stdin-.patch |  16 +-
 ...E-Up-qemu-img-dd-add-isize-parameter.patch |  14 +-
 ...PVE-Up-qemu-img-dd-add-n-skip_create.patch |  22 +-
 ...-add-l-option-for-loading-a-snapshot.patch |  22 +-
 ...virtio-balloon-improve-query-balloon.patch |  16 +-
 .../0014-PVE-qapi-modify-query-machines.patch |  10 +-
 .../0015-PVE-qapi-modify-spice-query.patch|   6 +-
 ...nnel-implementation-for-savevm-async.patch |  13 +-
 ...async-for-background-state-snapshots.patch | 110 
 ...add-optional-buffer-size-to-QEMUFile.patch |  63 ++---
 ...add-the-zeroinit-block-driver-filter.patch |  71 +++--
 ...-Add-dummy-id-command-line-parameter.patch |  20 +-
 ...t-target-i386-disable-LINT0-after-re.patch |   4 +-
 ...le-posix-make-locking-optiono-on-cre.patch |  33 ++-
 ...sed-balloon-qemu-4-0-config-size-fal.patch |   4 +-
 ...E-Allow-version-code-in-machine-type.patch |  32 +--
 ...e-bcs-bitmap-initialization-to-job-c.patch |   6 +-
 ...VE-Backup-add-vma-backup-format-code.patch |  54 ++--
 ...-Backup-add-backup-dump-block-driver.patch |  14 +-
 ...d-sequential-job-transaction-support.patch |  14 +-
 ...ckup-Proxmox-backup-patches-for-QEMU.patch |  87 ---
 ...estore-new-command-to-restore-from-p.patch |   8 +-
 ...k-driver-to-map-backup-archives-into.patch | 111 
 ...ct-stderr-to-journal-when-daemonized.patch |  29 ++-
 ...igrate-dirty-bitmap-state-via-savevm.patch |  22 +-
 ...dirty-bitmap-migrate-other-bitmaps-e.patch |   2 +-
 ...all-back-to-open-iscsi-initiatorname.patch |   4 +-
 ...PVE-block-stream-increase-chunk-size.patch |   2 +-
 ...> 0038-block-add-alloc-track-driver.patch} | 243 +++---
 ...accept-NULL-qiov-in-bdrv_pad_request.patch |  64 -
 ...rbd-workaround-for-ceph-issue-53784.patch} |   8 +-
 ...fix-handling-of-holes-in-.bdrv_co_b.patch} |   4 +-
 ...-rbd-implement-bdrv_co_block_status.patch} |   6 +-
 ...rror-out-when-auto-remove-is-not-set.patch |  43 
 ...d-seemingly-superfluous-child-permis.patch |  84 ++
 ...alloc-track-fix-deadlock-during-drop.patch | 154 ---
 ...ck-copy-before-write-fix-permission.patch} |   4 +-
 ...apshots-hold-the-BQL-during-setup-ca.patch | 191 --
 ...-write-support-unligned-snapshot-di.patch} |   4 +-
 ...vm-async-don-t-hold-BQL-during-setup.patch |  30 ---
 ...-write-create-block_copy-bitmap-in-.patch} |  12 +-
 ...backup-add-discard-source-parameter.patch} |  52 ++--
 ...-allow-specifying-minimum-cluster-s.patch} |  24 +-
 ...m-cluster-size-to-performance-optio.patch} |  18 +-
 ...0050-PVE-backup-add-fleecing-option.patch} |  62 +++--
 debian/patches/series |  39 +--
 qemu  

[pve-devel] [PATCH qemu 2/4] makefile: also filter 64-bit hppa ROM for QEMU 8.2

2024-04-25 Thread Fiona Ebner
Same rationale as 6facdf3 ("also exclude hppa-firmware.img ROM from
build"), not used by Proxmox VE and would cause a failure during
build.

Signed-off-by: Fiona Ebner 
---
 Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Makefile b/Makefile
index a719e43..f23b041 100644
--- a/Makefile
+++ b/Makefile
@@ -24,6 +24,7 @@ endif
 
 PC_BIOS_FW_PURGE_LIST_IN = \
hppa-firmware.img \
+   hppa-firmware64.img \
openbios-ppc \
openbios-sparc32 \
openbios-sparc64 \
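Review bot: the unescaped dot in `hppa-firmware64.img` matches any character, because the entries in PC_BIOS_FW_PURGE_LIST_IN are regular expressions (compare the escaped `\.dtb` and `\.dts` entries added in patch 1/4 of this series); it follows the style of the existing `hppa-firmware.img` line directly above, so no change is needed, but it is worth keeping in mind when adding entries with more generic names.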
-- 
2.39.2






[pve-devel] [PATCH proxmox-firewall] config: nftables: add support for icmp-type any

2024-04-25 Thread Stefan Hanreich
We support any as a wildcard for matching all icmp types. Implement
parsing logic for parsing the any value and support converting the any
value into an nftables expression.

Signed-off-by: Stefan Hanreich 
---
 proxmox-nftables/src/expression.rs |  2 ++
 proxmox-ve-config/src/firewall/types/rule_match.rs | 12 
 2 files changed, 14 insertions(+)

diff --git a/proxmox-nftables/src/expression.rs 
b/proxmox-nftables/src/expression.rs
index 20559e8..18b92d4 100644
--- a/proxmox-nftables/src/expression.rs
+++ b/proxmox-nftables/src/expression.rs
@@ -185,6 +185,7 @@ impl From<> for Expression {
 match value {
 IcmpType::Numeric(id) => Expression::from(*id),
 IcmpType::Named(name) => Expression::from(*name),
+IcmpType::Any => Expression::Range(Box::new((u8::MIN.into(), 
u8::MAX.into(,
 }
 }
 }
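Review bot: mapping `Any` to an explicit `0-255` range yields a valid match, but it makes the generated rule carry an `icmp type` expression that matches everything; if the caller can simply omit the type expression when `Any` is set, the resulting nftables rule is shorter and easier to audit. If the range is kept, this arm is duplicated verbatim for `Icmpv6Type` in the next hunk, so a small shared helper returning the full `u8` range would keep the two copies from drifting apart.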
@@ -205,6 +206,7 @@ impl From<> for Expression {
 match value {
 Icmpv6Type::Numeric(id) => Expression::from(*id),
 Icmpv6Type::Named(name) => Expression::from(*name),
+Icmpv6Type::Any => Expression::Range(Box::new((u8::MIN.into(), 
u8::MAX.into(,
 }
 }
 }
diff --git a/proxmox-ve-config/src/firewall/types/rule_match.rs 
b/proxmox-ve-config/src/firewall/types/rule_match.rs
index 948b426..94d8624 100644
--- a/proxmox-ve-config/src/firewall/types/rule_match.rs
+++ b/proxmox-ve-config/src/firewall/types/rule_match.rs
@@ -511,6 +511,7 @@ impl FromStr for Icmp {
 pub enum IcmpType {
 Numeric(u8),
 Named(&'static str),
+Any,
 }
 
 #[sortable]
@@ -536,6 +537,10 @@ impl std::str::FromStr for IcmpType {
 type Err = Error;
 
 fn from_str(s: ) -> Result {
+if s.eq_ignore_ascii_case("any") {
+return Ok(Self::Any);
+}
+
 if let Ok(ty) = s.trim().parse::() {
 return Ok(Self::Numeric(ty));
 }
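Review bot: the `any` check runs on the untrimmed `s`, while the numeric parse just below uses `s.trim()`, so `" any "` is rejected but `" 8 "` is accepted; compare `s.trim().eq_ignore_ascii_case("any")` for consistency (the same applies to the `Icmpv6Type` copy of this hunk further down). A test case for the new keyword, including mixed case such as `ANY`, next to the existing numeric and named cases would also be worth adding.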
@@ -553,6 +558,7 @@ impl fmt::Display for IcmpType {
 match self {
 IcmpType::Numeric(ty) => write!(f, "{ty}"),
 IcmpType::Named(ty) => write!(f, "{ty}"),
+IcmpType::Any => write!(f, "any"),
 }
 }
 }
@@ -664,6 +670,7 @@ impl FromStr for Icmpv6 {
 pub enum Icmpv6Type {
 Numeric(u8),
 Named(&'static str),
+Any,
 }
 
 #[sortable]
@@ -693,6 +700,10 @@ impl std::str::FromStr for Icmpv6Type {
 type Err = Error;
 
 fn from_str(s: ) -> Result {
+if s.eq_ignore_ascii_case("any") {
+return Ok(Self::Any);
+}
+
 if let Ok(ty) = s.trim().parse::() {
 return Ok(Self::Numeric(ty));
 }
@@ -710,6 +721,7 @@ impl fmt::Display for Icmpv6Type {
 match self {
 Icmpv6Type::Numeric(ty) => write!(f, "{ty}"),
 Icmpv6Type::Named(ty) => write!(f, "{ty}"),
+Icmpv6Type::Any => write!(f, "any"),
 }
 }
 }
-- 
2.39.2





[pve-devel] [PATCH proxmox-firewall] firewall: improve error handling of firewall

2024-04-25 Thread Stefan Hanreich
Error handling of the firewall binary should now be much more robust
on configuration errors. Instead of panicking in some cases it should
now log an error.

Signed-off-by: Stefan Hanreich 
---
 proxmox-firewall/src/bin/proxmox-firewall.rs |   7 +-
 proxmox-firewall/src/config.rs   | 239 +--
 proxmox-firewall/src/firewall.rs |   7 +-
 proxmox-firewall/tests/integration_tests.rs  |  51 ++--
 4 files changed, 155 insertions(+), 149 deletions(-)

diff --git a/proxmox-firewall/src/bin/proxmox-firewall.rs 
b/proxmox-firewall/src/bin/proxmox-firewall.rs
index 4e07993..b61007d 100644
--- a/proxmox-firewall/src/bin/proxmox-firewall.rs
+++ b/proxmox-firewall/src/bin/proxmox-firewall.rs
@@ -5,6 +5,7 @@ use std::time::{Duration, Instant};
 
 use anyhow::{Context, Error};
 
+use proxmox_firewall::config::{FirewallConfig, PveFirewallConfigLoader, 
PveNftConfigLoader};
 use proxmox_firewall::firewall::Firewall;
 use proxmox_nftables::{client::NftError, NftClient};
 
@@ -24,7 +25,9 @@ fn remove_firewall() -> Result<(), std::io::Error> {
 }
 
 fn handle_firewall() -> Result<(), Error> {
-let firewall = Firewall::new();
+let config = FirewallConfig::new(::new(), 
::new())?;
+
+let firewall = Firewall::new(config);
 
 if !firewall.is_enabled() {
 return remove_firewall().with_context(|| "could not remove firewall 
tables".to_string());
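Review bot: with the `?` on `FirewallConfig::new(...)`, a load or parse failure now returns before `is_enabled()` is consulted, so `main` only logs the error and leaves whatever ruleset is currently loaded in place. That is the sensible fail-safe choice (stale rules rather than no rules), but it deserves a comment here or a sentence in the commit message, since it also means a configuration that cannot be parsed keeps the previously applied rules active until the file is fixed.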
@@ -84,7 +87,7 @@ fn main() -> Result<(), std::io::Error> {
 let start = Instant::now();
 
 if let Err(error) = handle_firewall() {
-log::error!("error creating firewall rules: {error}");
+log::error!("error updating firewall rules: {error}");
 }
 
 let duration = start.elapsed();
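Review bot: "error updating firewall rules" now covers both configuration loading and rule application failures; consider attaching context at the call site in `handle_firewall` (for example `.context("loading firewall config")` on the `FirewallConfig::new` result, since `Context` is already imported there) so the single log line tells the operator which stage failed.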
diff --git a/proxmox-firewall/src/config.rs b/proxmox-firewall/src/config.rs
index 2cf3e39..5bd2512 100644
--- a/proxmox-firewall/src/config.rs
+++ b/proxmox-firewall/src/config.rs
@@ -2,9 +2,8 @@ use std::collections::BTreeMap;
 use std::default::Default;
 use std::fs::File;
 use std::io::{self, BufReader};
-use std::sync::OnceLock;
 
-use anyhow::Error;
+use anyhow::{format_err, Context, Error};
 
 use proxmox_ve_config::firewall::cluster::Config as ClusterConfig;
 use proxmox_ve_config::firewall::guest::Config as GuestConfig;
@@ -19,15 +18,19 @@ use proxmox_nftables::types::ListChain;
 use proxmox_nftables::NftClient;
 
 pub trait FirewallConfigLoader {
-fn cluster() -> Option>;
-fn host() -> Option>;
-fn guest_list() -> GuestMap;
-fn guest_config(, vmid: , guest: ) -> Option>;
-fn guest_firewall_config(, vmid: ) -> Option>;
+fn cluster() -> Result>, Error>;
+fn host() -> Result>, Error>;
+fn guest_list() -> Result;
+fn guest_config(
+,
+vmid: ,
+guest: ,
+) -> Result>, Error>;
+fn guest_firewall_config(, vmid: ) -> Result>, Error>;
 }
 
 #[derive(Default)]
-struct PveFirewallConfigLoader {}
+pub struct PveFirewallConfigLoader {}
 
 impl PveFirewallConfigLoader {
 pub fn new() -> Self {
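Review bot: now that every loader method returns a `Result`, the trait is the right place to document the contract: `Ok(None)` for a configuration file that does not exist versus `Err` for one that exists but cannot be read or parsed. A doc comment on each method would make that explicit for the test loader in `integration_tests.rs`, which has to follow the same convention for the tests to mean anything.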
@@ -56,69 +59,70 @@ const CLUSTER_CONFIG_PATH:  = 
"/etc/pve/firewall/cluster.fw";
 const HOST_CONFIG_PATH:  = "/etc/pve/local/host.fw";
 
 impl FirewallConfigLoader for PveFirewallConfigLoader {
-fn cluster() -> Option> {
+fn cluster() -> Result>, Error> {
 log::info!("loading cluster config");
 
-let fd =
-open_config_file(CLUSTER_CONFIG_PATH).expect("able to read cluster 
firewall config");
+let fd = open_config_file(CLUSTER_CONFIG_PATH)?;
 
 if let Some(file) = fd {
 let buf_reader = Box::new(BufReader::new(file)) as Box;
-return Some(buf_reader);
+return Ok(Some(buf_reader));
 }
 
-None
+Ok(None)
 }
 
-fn host() -> Option> {
+fn host() -> Result>, Error> {
 log::info!("loading host config");
 
-let fd = open_config_file(HOST_CONFIG_PATH).expect("able to read host 
firewall config");
+let fd = open_config_file(HOST_CONFIG_PATH)?;
 
 if let Some(file) = fd {
 let buf_reader = Box::new(BufReader::new(file)) as Box;
-return Some(buf_reader);
+return Ok(Some(buf_reader));
 }
 
-None
+Ok(None)
 }
 
-fn guest_list() -> GuestMap {
+fn guest_list() -> Result {
 log::info!("loading vmlist");
-GuestMap::new().expect("able to read vmlist")
+GuestMap::new()
 }
 
-fn guest_config(, vmid: , entry: ) -> Option> {
+fn guest_config(
+,
+vmid: ,
+entry: ,
+) -> Result>, Error> {
 log::info!("loading guest #{vmid} config");
 
-let fd = open_config_file(::config_path(vmid, entry))
-.expect("able to read guest config");
+let fd = open_config_file(::config_path(vmid, entry))?;
 
 if let Some(file) = fd {
 let buf_reader = Box::new(BufReader::new(file)) as Box;
-return Some(buf_reader);
+return 
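Review bot: replacing `.expect(...)` with `?` drops the only text that named which file was being read; since `Context` is now imported, wrapping each call along the lines of `open_config_file(HOST_CONFIG_PATH).with_context(|| format!("reading {HOST_CONFIG_PATH}"))?` keeps that information in the logged error (the same applies to the cluster and guest config calls in this hunk). The `log::info!` lines still run before the open, so a failed load shows up as "loading host config" followed by the error, which is fine as is.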

[pve-devel] [PATCH proxmox-firewall] config: macros: add SPICEproxy macro

2024-04-25 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich 
---
 proxmox-ve-config/resources/macros.json | 9 +
 1 file changed, 9 insertions(+)

diff --git a/proxmox-ve-config/resources/macros.json 
b/proxmox-ve-config/resources/macros.json
index 67e1d89..2fcc0fb 100644
--- a/proxmox-ve-config/resources/macros.json
+++ b/proxmox-ve-config/resources/macros.json
@@ -735,6 +735,15 @@
 ],
 "desc": "Spam Assassin SPAMD traffic"
   },
+  "SPICEproxy": {
+"code": [
+  {
+"dport": "3128",
+"proto": "tcp"
+  }
+],
+"desc": "Proxmox VE SPICE display proxy traffic"
+  },
   "SSH": {
 "code": [
   {
-- 
2.39.2





[pve-devel] applied: [PATCH proxmox-firewall] config: nftables: add support for icmp-type any

2024-04-25 Thread Thomas Lamprecht
On 25/04/2024 at 19:16, Stefan Hanreich wrote:
> We support any as a wildcard for matching all icmp types. Implement
> parsing logic for parsing the any value and support converting the any
> value into an nftables expression.
> 
> Signed-off-by: Stefan Hanreich 
> ---
>  proxmox-nftables/src/expression.rs |  2 ++
>  proxmox-ve-config/src/firewall/types/rule_match.rs | 12 
>  2 files changed, 14 insertions(+)
> 
>

applied, thanks!





[pve-devel] applied: [PATCH proxmox-firewall] firewall: improve error handling of firewall

2024-04-25 Thread Thomas Lamprecht
On 25/04/2024 at 19:23, Stefan Hanreich wrote:
> Error handling of the firewall binary should now be much more robust
> on configuration errors. Instead of panicking in some cases it should
> now log an error.
> 
> Signed-off-by: Stefan Hanreich 
> ---
>  proxmox-firewall/src/bin/proxmox-firewall.rs |   7 +-
>  proxmox-firewall/src/config.rs   | 239 +--
>  proxmox-firewall/src/firewall.rs |   7 +-
>  proxmox-firewall/tests/integration_tests.rs  |  51 ++--
>  4 files changed, 155 insertions(+), 149 deletions(-)
> 
>

applied, thanks!





[pve-devel] applied: [PATCH proxmox-firewall] config: macros: add SPICEproxy macro

2024-04-25 Thread Thomas Lamprecht
On 25/04/2024 at 19:16, Stefan Hanreich wrote:
> Signed-off-by: Stefan Hanreich 
> ---
>  proxmox-ve-config/resources/macros.json | 9 +
>  1 file changed, 9 insertions(+)
> 
>

applied, thanks!

