with the size and dir parts addressed, and the small nit I noted inline
with patch #1, consider this
Reviewed-by: Fabian Grünbichler
unless somebody comes up with a symlink-related attack scenario that
would be exploitable on a regular PVE setup which I missed, of course ;)
> parts of the test
On June 15, 2023 2:03 pm, Noel Ullreich wrote:
> This patch allows `get_subdir_files` to recursively call itself, so that
> subdirectories of set depth can be searched. We allow searching for
> isos, vztmpl and snippets but not backups.
>
> As a security measure, when parsing a given path, parent
it's not returned anymore by the corresponding backends, since fetching
changelogs is now fully delegated to `apt`.
Signed-off-by: Fabian Grünbichler
---
Notes:
could benefit from a Breaks on old versions of pve-manager/pmg-api ,
but not strictly required, it will simply
support for it got added to Proxmox repositories, so there is no need to use
custom logic and manual fetching for this anymore.
Signed-off-by: Fabian Grünbichler
---
Notes:
requires versioned depends on proxmox-widget-toolkit.
pbs-api-types/src/lib.rs | 2 -
src/api2/node/apt.rs | 85
support for it got added to Proxmox repositories, so there is no need to use
custom logic and manual fetching for this anymore.
Signed-off-by: Fabian Grünbichler
---
Notes:
requires versioned depends on proxmox-widget-toolkit.
PVE/API2/APT.pm | 101
support for it got added to Proxmox repositories, so there is no need to use
custom logic and manual fetching for this anymore.
Signed-off-by: Fabian Grünbichler
---
Notes:
requires versioned depends on proxmox-widget-toolkit.
src/PMG/API2/APT.pm | 108
this series switches all apt changelog fetching to `apt changelog`,
dropping our own custom logic in turn.
(opted to send the whole series to pve-devel to avoid noise, obviously the
PMG/PBS patches are for PMG/PBS ;))
pmg-api:
Fabian Grünbichler (1):
apt: use `apt changelog` for changelog
pinned in this context and verified against the cache of pinned fingerprints.
Reported-by: Roland Kletzing
Signed-off-by: Fabian Grünbichler
---
Notes:
CA cert access was verified using strace
src/PVE/APIServer/AnyEvent.pm | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/PVE
these are backed up directly with proxmox-backup-client, and the invocation was
lacking the key parameters.
Signed-off-by: Fabian Grünbichler
---
Should possibly be cherry-picked for stable-7 (no changes required)
PVE/VZDump/QemuServer.pm | 18 ++
1 file changed, 18 insertions
else mirroring bookworm-security will skip *all* components..
Signed-off-by: Fabian Grünbichler
---
Reported on the forum:
https://forum.proxmox.com/threads/proxmox-offline-mirror-released.115219/page-3#post-568763
and fix verified by recompiling proxmox-offline-mirror with patched
librust
On June 16, 2023 1:33 pm, Fiona Ebner wrote:
> Increases flexibility/user-friendliness.
>
> Suggested-by: Thomas Lamprecht
> Signed-off-by: Fiona Ebner
> ---
>
> (Build-)dependency bump for libpve-cluster-perl needed.
>
> Dependency bump for ha-manager needed (to have the runtime dir exist
> a
to allow early checking of the merged config, if the backup archive passed in
is a proper volume where extraction is possible.
Signed-off-by: Fabian Grünbichler
---
Notes:
this check needs to be inside the worker since we don't know how long
extracting the config takes..
to avoid duplicate work, always set 'volid' to the backup volume's volid, if it
was successfully parsed as such.
Signed-off-by: Fabian Grünbichler
---
PVE/API2/Qemu.pm | 16
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/PVE/API2/Qemu.pm b/PVE/API
On June 14, 2023 10:46 am, Dominik Csapak wrote:
> this series is the remaining part to add a cluster-wide device mapping for
> pci and usb
> devices. so that an admin can configure a device to be available for
> migration and configuring for uses that are non-root
> (the existing pattern can be co
On June 14, 2023 10:46 am, Dominik Csapak wrote:
> this adds the typical section config crud API calls for
> USB and PCI resource mapping to /cluster/resource/{TYPE}
>
> the only special thing that this series does is the list call
> for both has a special 'check-node' parameter that uses the
> 'p
On June 14, 2023 10:46 am, Dominik Csapak wrote:
> this patch allows configuring pci devices that are mapped via cluster
> resource mapping when the user has 'Resource.Use' on the ACL path
> '/mapping/pci/{ID}' (in addition to the usual required vm config
> privileges)
>
> When given multiple map
On June 14, 2023 10:46 am, Dominik Csapak wrote:
> this patch allows configuring usb devices that are mapped via
> cluster resource mapping when the user has 'Resource.Use' on the ACL
> path '/resource/usb/{ID}' (in addition to the usual required vm config
> privileges)
>
> for now, this is only v
adapt to recent changes:
- PVESDNUser role, SDN.Use privilege
- Permissions.Modify no longer part of PVESysAdmin and PVEAdmin
- PVE reserved prefix for builtin roles
and add some notes and warnings about dangerous aspects of permission
management, and missing parts.
Signed-off-by: Fabian
k for $param->{cmd}) previous to this commit, it was just not
exposed via our web UI, since the corresponding button/wizard was only enabled
for root@pam.
Signed-off-by: Fabian Grünbichler
---
Notes:
RFC because for a nice UX we probably want to somehow display or inject the
command tha
non-login commands are still restricted to root@pam if they were before.
Signed-off-by: Fabian Grünbichler
---
PVE/API2/Nodes.pm | 10 +-
1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/PVE/API2/Nodes.pm b/PVE/API2/Nodes.pm
index 81c7f3788..649735115 100644
--- a/PVE/API2
the last patch is RFC since we likely want to add another change to improve the
UX, but there are several options which are all a bit meh.
Fabian Grünbichler (3):
node console: restrict all non-login commands to root@pam
node console: allow usage for non-pam realms
node console: lift root
: Fabian Grünbichler
---
PVE/API2/Nodes.pm | 10 +-
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/PVE/API2/Nodes.pm b/PVE/API2/Nodes.pm
index 9269694d6..81c7f3788 100644
--- a/PVE/API2/Nodes.pm
+++ b/PVE/API2/Nodes.pm
@@ -949,7 +949,7 @@ __PACKAGE__->register_met
next patch adds acl-related checks
Signed-off-by: Fabian Grünbichler
---
PVE/CLI/pve7to8.pm | 20 ++--
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/PVE/CLI/pve7to8.pm b/PVE/CLI/pve7to8.pm
index 6b51e98eb..7dc66499a 100644
--- a/PVE/CLI/pve7to8.pm
+++ b/PVE/CLI
as a warning only - depending on desired privileges, no action might be
necessary.
Signed-off-by: Fabian Grünbichler
---
PVE/CLI/pve7to8.pm | 10 +-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/PVE/CLI/pve7to8.pm b/PVE/CLI/pve7to8.pm
index 7dc66499a..82441b0f8 100644
On June 13, 2023 1:21 pm, Fabian Grünbichler wrote:
> On June 12, 2023 7:43 pm, Alexandre Derumier wrote:
>> if vnet has not been generated (this should never happen)
>> warn the user to check if "source /etc/network/interfaces.d/sdn'
>> exist
>>
On June 12, 2023 7:43 pm, Alexandre Derumier wrote:
> if vnet has not been generated (this should never happen)
> warn the user to check if "source /etc/network/interfaces.d/sdn'
> exist
>
> Signed-off-by: Alexandre Derumier
> ---
> src/PVE/Network/SDN/Zones.pm | 6 +-
> 1 file changed, 5 i
On June 12, 2023 7:43 pm, Alexandre Derumier wrote:
> Vnets were wrongly displayed in the main tree because of this,
> and error was not set on zone
>
> Signed-off-by: Alexandre Derumier
> ---
> src/PVE/Network/SDN/Zones.pm | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git
On June 12, 2023 5:29 pm, DERUMIER, Alexandre wrote:
> On Monday, 12 June 2023 at 16:36 +0200, Fabian Grünbichler wrote:
>> one more thing I realized while testing that might be worthy of a
>> follow
>> up - if you configure SDN, but for some reason, your
>> /etc/networ
applied the pve-manager and pve-network patches (and your pve-network
follow-up, plus some fixes of my own).
some more things that might be worthy of a follow-up:
- for the ACL panel of a zone, also displaying the vnet + vlan ACLs
might be nice
- for the ACL panel for a vnet, also displaying zone
one more thing I realized while testing that might be worthy of a follow
up - if you configure SDN, but for some reason, your
/etc/network/interfaces is missing the "source .." line, the error
handling behaviour is very strange:
- vnets are displayed in the resource tree next to zones
- no proper i
From: Alexandre Derumier
Signed-off-by: Alexandre Derumier
FG: add missing /sdn/zones path
Signed-off-by: Fabian Grünbichler
backport: drop removal of /sdn/vnet/.. path
(cherry picked from commit 4d5b0937a3497282aae4d3e8fafbe519c9ef4ea2)
Signed-off-by: Fabian Grünbichler
---
src/PVE
From: Alexandre Derumier
Signed-off-by: Alexandre Derumier
FG: fix test
Signed-off-by: Fabian Grünbichler
drop test changes, not needed for stable-7
(cherry picked from commit a62d78db3398417b302249b3593e75a783d9a4e3)
Signed-off-by: Fabian Grünbichler
---
src/PVE/AccessControl.pm | 3
when creating a new container
when restoring a backup
when cloning a container
and obviously, when changing the nics of an existing container
Signed-off-by: Fabian Grünbichler
---
src/PVE/API2/LXC.pm | 12 +++-
src/PVE/LXC.pm| 17 -
src/PVE/LXC/Create.pm | 5
pve-network requires more work:
- there is a lot of /sdn/vnets/.. permission checks leftover (all of the
vnet/subnet code!)
- there are /sdn/vnets/../subnets/.. ACL paths that need to be dropped,
or they clash with /sdn/zones//[/]
- the GUI seems to be broken when "Advanced" is not ticked
I st
Reviewed-by: Fabian Grünbichler
but this might require a follow-up, see below.
On June 7, 2023 2:03 pm, Alexandre Derumier wrote:
> Signed-off-by: Alexandre Derumier
> ---
> PVE/API2/Qemu.pm | 33 +
> 1 file changed, 29 insertions(+), 4 deletions(
applied with a small fixup, I'll write the corresponding pve-container
patch on Friday.
On June 7, 2023 2:03 pm, Alexandre Derumier wrote:
> if a tag is defined, test if user has specific access to the vlan (or
> propagate from full bridge acl or zone)
> if trunks is defined, we check permissi
applied this one with a bit of followups to make it more readable, but
no semantic changes intended.
On June 7, 2023 2:03 pm, Alexandre Derumier wrote:
> always check permissions, also when not filtered
>
> Signed-off-by: Alexandre Derumier
> ---
> PVE/API2/Network.pm | 25 +++--
I had the following fixup for this locally:
```
diff --git a/PVE/API2/Cluster.pm b/PVE/API2/Cluster.pm
index a7224d7f3..07e5261f2 100644
--- a/PVE/API2/Cluster.pm
+++ b/PVE/API2/Cluster.pm
@@ -474,23 +474,22 @@ __PACKAGE__->register_method({
}
}
- #add default "localnet
applied this one with a bit of follow-ups, please check them out!
On June 7, 2023 2:03 pm, Alexandre Derumier wrote:
> check if user has access to 1 vlan of the bridge
> or the bridge itself
>
> Signed-off-by: Alexandre Derumier
> ---
> src/PVE/RPCEnvironment.pm | 18 ++
> 1 fi
applied this one as well (with a small fixup for a test case)
On June 7, 2023 2:03 pm, Alexandre Derumier wrote:
> Signed-off-by: Alexandre Derumier
> ---
> src/PVE/AccessControl.pm | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
>
applied this one, with a small fixup..
On June 7, 2023 2:03 pm, Alexandre Derumier wrote:
> Signed-off-by: Alexandre Derumier
> ---
> src/PVE/AccessControl.pm | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
> index 8
On June 6, 2023 2:15 pm, DERUMIER, Alexandre wrote:
>> > + # check propagate on bridge itself
>> > + return 1 if $self->check_any($username, $path, $privs,
>> > $noerr);
>>
>> this doesn't actually check propagation though? for that you could
>> either:
>> - use $self->permissions (it
> Benjamin via pve-devel wrote on 06.06.2023 09:55
> CEST:
> Hey there!
>
> So, a while ago I emailed about my MooseFS plugin for Proxmox -
> https://github.com/Zorlin/pve-moosefs
>
> It was in pretty rough shape and didn't work yet. It works now, and allows
> you to mount MooseFS and
On June 6, 2023 8:54 am, DERUMIER, Alexandre wrote:
> On Tuesday, 06 June 2023 at 05:32 +, DERUMIER, Alexandre wrote:
>> > to have at least the local bridge ACL path (for the zone, or for
>> > the
>> > zone and the bridges?) in the regular ACL selectors in 7.x as well,
>> > if
>> > we pull in so
On June 6, 2023 7:32 am, DERUMIER, Alexandre wrote:
> On Monday, 05 June 2023 at 12:13 +0200, Fabian Grünbichler wrote:
>> On June 5, 2023 1:37 am, Alexandre Derumier wrote:
>> > add vnet/localbridge permissions management
>> >
>> > Hi,
>> > as we
to reduce the chances of accidentally handing out privilege modification
privileges. the old default setup of having Permissions.Modify in PVESysAdmin
and PVEAdmin weakened the distinction between those roles and Administrator.
Signed-off-by: Fabian Grünbichler
---
Notes:
this is obviously
VEVMAdmin to create ACLs for other
users/tokens with PVEVMUser (on '/vm/XXX'), but not with Administrator or
PVEPermAdmin.
Signed-off-by: Fabian Grünbichler
---
Notes:
this one is also a breaking change, but a bit more niche -> IMHO a callout
in the release notes is sufficient.
On June 5, 2023 1:37 am, Alexandre Derumier wrote:
> add vnet/localbridge permissions management
>
> Hi,
> as we discussed some weeks ago,
> this patch series introduces management of acl for vnets && local bridges
>
> I have reused the current sdn permissions path, to have common paths
>
> /sdn/vn
On June 5, 2023 1:37 am, Alexandre Derumier wrote:
> check if user has access to 1 vlan of the bridge
> or the bridge itself
>
> Signed-off-by: Alexandre Derumier
> ---
> src/PVE/RPCEnvironment.pm | 17 +
> 1 file changed, 17 insertions(+)
>
> diff --git a/src/PVE/RPCEnvironmen
On June 5, 2023 1:37 am, Alexandre Derumier wrote:
> test first if user has access to the full zone (any bridge/vlan)
> if a tag is defined, test if user has specific access to the vlan (or
> propagate from full bridge acl)
> if no tag, test if user has access to full bridge. (if trunks are d
On June 2, 2023 2:12 pm, DERUMIER, Alexandre wrote:
> On Friday, 02 June 2023 at 13:43 +0200, Fabian Grünbichler wrote:
>> a few more places that come to my mind that might warrant further
>> thinking or discussion:
>> - restoring a backup
> doesn't it also
On May 26, 2023 9:33 am, Alexandre Derumier wrote:
> For proxmox 8, following the pve-manager patch series
> https://lists.proxmox.com/pipermail/pve-devel/2023-May/056970.html
>
> This patch series adds checks of permissions for bridge/vnets access
> (currently only at vm create/update, I'm not surei
a few more places that come to my mind that might warrant further
thinking or discussion:
- restoring a backup
- cloning a VM
On May 26, 2023 9:33 am, Alexandre Derumier wrote:
> Signed-off-by: Alexandre Derumier
> ---
> PVE/API2/Qemu.pm | 37 -
> 1 file chang
On May 26, 2023 9:27 am, Alexandre Derumier wrote:
> We need to display the bridge if the user has a permission
> on any vlan on the bridge.
>
> to avoid checking permissions on 4096 vlans for each bridge
> (could be slow with a lot of bridges),
> we first list vlans where acls are defined.
>
>
On May 26, 2023 9:27 am, Alexandre Derumier wrote:
> Signed-off-by: Alexandre Derumier
> ---
> PVE/API2/Network.pm | 12 +---
> 1 file changed, 5 insertions(+), 7 deletions(-)
>
> diff --git a/PVE/API2/Network.pm b/PVE/API2/Network.pm
> index b3faba1a..ba3b3e0e 100644
> --- a/PVE/API2/Ne
On May 26, 2023 9:27 am, Alexandre Derumier wrote:
> add a default virtual zone called 'local' in the resource tree,
> and handle permissions like a true sdn zone
>
> Signed-off-by: Alexandre Derumier
> ---
> PVE/API2/Cluster.pm | 12
> PVE/API2/Network.pm
On May 16, 2023 3:07 pm, Konstantin wrote:
> Hello,
>
> > most tools have ways to exclude certain paths ;)
>
> Yeah - and every time when this "need to be excluded datasets"
> list/names changed we need to update exclude options for this tools as
> well. It seems that just make this datasets n
On May 17, 2023 9:02 am, Alexandre Derumier wrote:
> Hi,
>
> we used kvm64 as default cpumodel since the beginning of proxmox. (basically,
> it's like a pentium4 cpu flags).
>
> New distros like rhel9 are compiled to use more modern cpu flags.
> (and windows already use new flags since year, and we
these were not entirely consistent and sometimes the checks were repeated.
Signed-off-by: Fabian Grünbichler
---
src/PVE/Firewall.pm | 17 -
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index a16c035..5fa264a 100644
r messages are a lot more informative as well.
Signed-off-by: Fabian Grünbichler
---
Notes:
without this patch, it's possible to set such a rule over the GUI and the
pve-firewall just logs:
status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or
'iptab
> Konstantin wrote on 11.05.2023 13:56 CEST:
>
>
> Hello,
> > nit: for single patches, there is no need to add a coverletter. also,
> > please include relevant information in the commit message!
> I'm new here, so sorry - will follow rules in future.
no worries! check out https://pve
> As we know, ProxMox have only three possible "categories" of mount points:
> ProxMox storage provider supplied, block device and bind mount. I've prepared
> a little patch for pve-container package which adds a fourth "category" named
> "zfs" - so with this patch it's possible to add such ZFS
On May 10, 2023 10:18 am, Dominik Csapak wrote:
> enables section configs in the style of:
>
>
> type: id
> property value
> property value2
> property value3
>
>
> can be combined with property strings
>
> the provided createSchema just uses the name of the property but th
> Jorge Ventura via pve-devel wrote on 06.05.2023
> 22:44 CEST:
> I sent a patch recently that is working properly but later I detected
> a warning from the Perl interpreter.
>
> How should I proceed?
> 1) Send a single [PATCH 1/1] completely fixed ?
this option, but mark the PATCH
On April 25, 2023 12:21 pm, Markus Frank wrote:
> adds support for sharing directories with a guest vm
>
> virtio-9p can be simply started with qemu
9p is not really maintained anymore upstream AFAIK (only "Odd Fixes"),
and had security issues in the past. Is there a good reason for
supporting it
On April 25, 2023 12:21 pm, Markus Frank wrote:
> Signed-off-by: Markus Frank
> ---
> src/PVE/API2/Directory.pm | 68 +++
this part seems to be included by accident? ;)
> src/PVE/AccessControl.pm | 16 +
> src/PVE/RPCEnvironment.pm | 12 ++-
> 3
see cover letter for high level aspects!
On April 25, 2023 12:21 pm, Markus Frank wrote:
> and made an API Endpoint for getting, adding and removing
> directories to the config.
>
> Signed-off-by: Markus Frank
> ---
> PVE/API2/DirConfig.pm | 129 +++
> PVE/API2/M
thanks for working on this! it's a long-standing feature request and
implementing it will make quite a few people happy. also sorry for not
getting back at you in v2/3 already. there's some high level stuff that
I'll reply with here, and then some more concrete feedback on individual
patches.
ther
On May 2, 2023 3:17 pm, Aaron Lauterer wrote:
> Scan the VM config and store the volid and full path for each storage.
> Do the same when we scan each storage. Then we can have these
> scenarios:
> * multiple storage configurations might point to the same storage
> The result is, that when scannin
On May 2, 2023 3:17 pm, Aaron Lauterer wrote:
> Scan the VM config and store the volid and full path for each storage.
> Do the same when we scan each storage. Then we can have these
> scenarios:
> * multiple storage configurations might point to the same storage
> The result is, that when scannin
the cloudinit options except for ipconfig are all modifiable with just
"VM.Config.Cloudinit".
Signed-off-by: Fabian Grünbichler
---
www/manager6/qemu/CloudInit.js | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/www/manager6/qemu/CloudInit.js b/www/man
guest.
pve-manager
Fabian Grünbichler (2):
ui: cloudinit: match backend privilege checks
ui: cloudinit: also allow ipconfig with VM.Config.Cloudinit
www/manager6/qemu/CloudInit.js | 10 +-
1 file changed, 5 insertions(+), 5 deletions(-)
qemu-server
Fabian Grünbichler (1):
upda
).
Signed-off-by: Fabian Grünbichler
---
https://forum.proxmox.com/threads/role-vm-config-networking-prevent-cloud-init-networking.126719
and https://bugzilla.proxmox.com/show_bug.cgi?id=2741 for some prior
discussions..
PVE/API2/Qemu.pm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff
Signed-off-by: Fabian Grünbichler
---
Notes:
only if the qemu-server patch gets applied, and then it can be folded into
the
previous commit
www/manager6/qemu/CloudInit.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/www/manager6/qemu/CloudInit.js b/www/manager6
On April 29, 2023 9:57 am, Thomas Lamprecht wrote:
> On 28/04/2023 at 11:12, Fabian Grünbichler wrote:
>>> It was more about "offline" term, because we don't offline the source
>>> vm until the disk migration is finished. (to reduce downtime)
>>
On April 28, 2023 11:33 am, Thomas Lamprecht wrote:
> On 28/04/2023 at 09:15, DERUMIER, Alexandre wrote:
>> We had discussed about it last year, but I would like to implement
>> permissions on vmbrX && sdn vnets, as it's a breaking change.
>> https://git.proxmox.com/?p=pve-manager.git;a=commit;h=a37
On April 28, 2023 8:43 am, DERUMIER, Alexandre wrote:
>> >
>>> And currently we don't support yet offline storage migration. (BTW,
>>> This is also breaking migration with unused disk).
>>> I don't know if we can send send|receive transfer through the
> tunnel ?
>>> (I never tested it)
>
>> we do
On April 27, 2023 7:50 am, DERUMIER, Alexandre wrote:
> Hi,
>
> On Wednesday, 26 April 2023 at 15:14 +0200, Fabian Grünbichler wrote:
>> On April 25, 2023 6:52 pm, Alexandre Derumier wrote:
>> > This patch adds support for remote migration when target
>> > cpu m
On April 25, 2023 6:52 pm, Alexandre Derumier wrote:
> This patch adds support for remote migration when target
> cpu model is different.
>
> The target vm is restarted after the migration
so this effectively introduces a new "hybrid" migration mode ;) the
changes are a bit smaller than I expected (
On April 24, 2023 10:01 am, DERUMIER, Alexandre wrote:
> I think it could be done with some kind of new naming for this kind of
> disk,
>
> like "template-." in the storage
>
> to match current lxc behaviour.
>
>
> I don't think we need to vm template itself inside this, only the disk.
>
thanks! (and sorry for the delay)
On March 31, 2023 6:12 pm, Mira Limbeck wrote:
> According to rfc2986 the only valid version is 0. No newer rfc changed
> that.
> See section 4.1:
> https://www.rfc-editor.org/rfc/rfc2986#section-4.1
>
> Manually verifying the CSR with openssl results in the foll
to make it a bit easier to configure access to the enterprise repositories.
Signed-off-by: Fabian Grünbichler
---
docs/offline-keys.rst | 3 +-
src/bin/proxmox-offline-mirror.rs | 102 ++
.../subscription.rs | 2
and reference the key part of the documentation.
Signed-off-by: Fabian Grünbichler
---
docs/offline-keys.rst | 2 ++
docs/offline-mirror.rst | 5 +
2 files changed, 7 insertions(+)
diff --git a/docs/offline-keys.rst b/docs/offline-keys.rst
index 91971e5..0f228eb 100644
--- a/docs/offline
it causes severe slow downs on fast disks, and we still have other rsyncable
compressors available.
it was originally added based on wrong documentation that made the performance
impact look a lot smaller than it actually is.
Signed-off-by: Fabian Grünbichler
---
Notes:
IMHO, we can always
'/var/lib/apt/lists/'.
Other suite values with a trailing or leading '/' are rejected with an error by
APT:
E: Malformed entry 1 in sources file /etc/apt/sources.list.d/test.list
(absolute Suite Component)
E: The list of sources could not be read.
so this should be
APT will not store the InRelease file in some cases, and some repositories
might not even have one in the first place.
Signed-off-by: Fabian Grünbichler
---
src/repositories/repository.rs | 19 ---
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/src/repositories
On April 6, 2023 1:23 pm, Thomas Lamprecht wrote:
> On 04/04/2023 at 09:48, Fabian Grünbichler wrote:
>> there are still repositories out there that are using things like
>> DSA/RSA-1024
>> and SHA1, so let's allow POM users to opt into accepting those insecure
>>
a Path(Buf)'s Debug formatting already contains double quotes, no need to quote
it a second time..
Signed-off-by: Fabian Grünbichler
---
src/pool.rs | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/pool.rs b/src/pool.rs
index 7a67087..3da8c08 100644
--- a/src/po
by making the --id parameter optional, and structuring the output accordingly.
since pools are per base-dir, GC only needs to run once per base-dir instead of
for each mirror entry.
Signed-off-by: Fabian Grünbichler
---
src/bin/proxmox_offline_mirror_cmds/mirror.rs | 52 +--
1
there are still repositories out there that are using things like DSA/RSA-1024
and SHA1, so let's allow POM users to opt into accepting those insecure
cryptographic parameters, but keep the default settings secure.
Signed-off-by: Fabian Grünbichler
---
src/bin/proxmox-offline-mirr
the
(default and currently only) policy doesn't allow that (anymore).
the output is also improved in case the Release file is signed multiple times
and none of the signatures are accepted.
Signed-off-by: Fabian Grünbichler
---
src/helpers/verifier.rs | 35 ++-
1 file
this patch series improves the error messages when encountering an issue with
GPG verification, and offers an (opt-in) escape hatch for allowing weak
cryptographic algorithms if a repository still needs those.
Fabian Grünbichler (2):
improve GPG error messages
fix #4632: allow escape hatches
On March 3, 2023 3:50 pm, Noel Ullreich wrote:
> change the regex in `parse_volname` and `get_subdir_files` to allow
> subdirectories.
>
> Signed-off-by: Noel Ullreich
> ---
> PVE/Storage/Plugin.pm | 14 +++---
> 1 file changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/PVE/Stora
On March 3, 2023 3:50 pm, Noel Ullreich wrote:
> iterate through subdirs to find all the isos/container
> templates/snippets.
might be worth it to call out that this patch is broken without the second one,
unless you have appropriate "middle dirs" to make the unmodified REs in
get_subdir_files mat
with Stefan's R-b
On December 15, 2022 3:20 pm, Noel Ullreich wrote:
> updated the tags doc with slight rephrasing, corrected grammar,
> and fixed typos.
>
> Signed-off-by: Noel Ullreich
> ---
> changes since v1:
> * removed changes in datacenter.cfg.5-opts.adoc since it is an
> autogenerated fi
where applicable, or expand/replace where it's not a good fit or automatic
expansion doesn't work.
there are a few more in generated files, those need to be cleaned up
separately.
Signed-off-by: Fabian Grünbichler
---
Notes:
specifically, HA resources has \{pve\}, where the p
> Thomas Lamprecht wrote on 27.03.2023 10:15 CEST:
> On 27/03/2023 at 09:58, Fabian Grünbichler wrote:
> >
> >> Thomas Lamprecht wrote on 26.03.2023 16:51 CEST:
> > Also, Provides/virtual packages are not really a good fit fo
> Thomas Lamprecht wrote on 26.03.2023 16:51 CEST:
>
> In widget-toolkit we do not depend on any i18n package as widget-toolkit is
> also used in more than one project; adding an OR'd `pve-i18n | pmg-i18n |
> pbs-i18n` could work but is a bit of a PITA as some tools will use the fi
ck schedule '*/15' makes the spurious warning go away.
Signed-off-by: Fabian Grünbichler
---
PVE/API2/Replication.pm | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/PVE/API2/Replication.pm b/PVE/API2/Replication.pm
index af77d2f4..d70b4607 100644
--- a/PVE/A
; raw (returns the ceph.conf file as is)
> * configdb -> db (returns the ceph config db contents)
>
> The old paths are still available and need to be dropped at some point.
>
> Signed-off-by: Aaron Lauterer
other than the nit below, patches 1 & 2:
Acked-by: F
401 - 500 of 1004 matches