[pve-devel] [PATCH pve-network] add vnet vlan-aware option
Some users would like to be able to defined vlans at vm level, or allow trunks, on top of already tagged vnet. (including vlan on top of vxlan tunnel) Allow it on all layer2 plugins, and add a warn for evpn layer3 plugin. Signed-off-by: Alexandre Derumier --- PVE/Network/SDN/VnetPlugin.pm| 5 + PVE/Network/SDN/Zones.pm | 14 + PVE/Network/SDN/Zones/EvpnPlugin.pm | 1 + PVE/Network/SDN/Zones/Plugin.pm | 31 +--- PVE/Network/SDN/Zones/QinQPlugin.pm | 4 PVE/Network/SDN/Zones/VlanPlugin.pm | 4 PVE/Network/SDN/Zones/VxlanPlugin.pm | 4 7 files changed, 24 insertions(+), 39 deletions(-) diff --git a/PVE/Network/SDN/VnetPlugin.pm b/PVE/Network/SDN/VnetPlugin.pm index 179bfa4..2433013 100644 --- a/PVE/Network/SDN/VnetPlugin.pm +++ b/PVE/Network/SDN/VnetPlugin.pm @@ -58,6 +58,10 @@ sub properties { type => 'integer', description => "vlan or vxlan id", }, + vlanaware => { + type => 'boolean', + description => 'Allow vm VLANs to pass through this vnet.', + }, alias => { type => 'string', description => "alias name of the vnet", @@ -89,6 +93,7 @@ sub options { ipv4 => { optional => 1 }, ipv6 => { optional => 1 }, mac => { optional => 1 }, +vlanaware => { optional => 1 }, }; } diff --git a/PVE/Network/SDN/Zones.pm b/PVE/Network/SDN/Zones.pm index 436b103..b8dc54c 100644 --- a/PVE/Network/SDN/Zones.pm +++ b/PVE/Network/SDN/Zones.pm @@ -214,18 +214,6 @@ sub status { return($zone_status, $vnet_status); } -sub get_bridge_vlan { -my ($vnetid) = @_; - -my $vnet = PVE::Network::SDN::Vnets::get_vnet($vnetid); - -return ($vnetid, undef) if !$vnet; # fallback for classic bridge - -my $plugin_config = get_plugin_config($vnet); -my $plugin = PVE::Network::SDN::Zones::Plugin->lookup($plugin_config->{type}); -return $plugin->get_bridge_vlan($plugin_config, $vnetid, $vnet->{tag}); -} - sub tap_create { my ($iface, $bridge) = @_; 
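Review bot: The new `vlanaware` schema entry in VnetPlugin.pm does not say what enabling it permits, and this flag is effectively a security boundary: once it is set, guests attached to the vnet may choose their own VLAN tag and trunks on the vnet bridge (that is what the `tap_plug` check later in this series gates on). Suggest spelling that out in the schema text, e.g. `description => 'Allow VMs to set their own VLAN tag/trunks on interfaces attached to this vnet.'`. No default is declared, so an absent key counts as off, which is the safe direction and worth one sentence in the commit message.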
@@ -270,7 +258,7 @@ sub tap_plug { if $plugin_config->{nodes} && !defined($plugin_config->{nodes}->{$nodename}); my $plugin = PVE::Network::SDN::Zones::Plugin->lookup($plugin_config->{type}); -$plugin->tap_plug($plugin_config, $vnet, $iface, $bridge, $firewall, $rate); +$plugin->tap_plug($plugin_config, $vnet, $tag, $iface, $bridge, $firewall, $trunks, $rate); } 1; diff --git a/PVE/Network/SDN/Zones/EvpnPlugin.pm b/PVE/Network/SDN/Zones/EvpnPlugin.pm index 973e8e0..95fbb64 100644 --- a/PVE/Network/SDN/Zones/EvpnPlugin.pm +++ b/PVE/Network/SDN/Zones/EvpnPlugin.pm @@ -50,6 +50,7 @@ sub generate_sdn_config { my $vrfvxlan = $plugin_config->{'vrf-vxlan'}; die "missing vxlan tag" if !$tag; +warn "vlan-aware vnet can't be enabled with evpn plugin" if $vnet->{vlanaware}; my @peers = split(',', $controller->{'peers'}); my ($ifaceip, $iface) = PVE::Network::SDN::Zones::Plugin::find_local_ip_interface_peers(\@peers); diff --git a/PVE/Network/SDN/Zones/Plugin.pm b/PVE/Network/SDN/Zones/Plugin.pm index 9ea7a50..0633b78 100644 --- a/PVE/Network/SDN/Zones/Plugin.pm +++ b/PVE/Network/SDN/Zones/Plugin.pm 
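Review bot: The new call `$plugin->tap_plug($plugin_config, $vnet, $tag, $iface, $bridge, $firewall, $trunks, $rate)` in Zones.pm uses `$tag` and `$trunks`, neither of which is declared inside the hunk; the enclosing `sub tap_plug` starts before the hunk, so presumably its argument list was extended there. That widens the public `PVE::Network::SDN::Zones::tap_plug` interface, so every caller (qemu-server, pve-container) has to be updated in lockstep or could end up passing arguments in the old positions. Please state the new argument order in the commit message and add a short comment above the call, e.g. `# $tag/$trunks are the guest NIC's own VLAN settings; the zone plugin decides whether they are allowed`.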
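Review bot: `warn "vlan-aware vnet can't be enabled with evpn plugin" if $vnet->{vlanaware};` in EvpnPlugin.pm only logs at config-generation time and then continues, so an EVPN vnet can still be saved and applied with `vlanaware` set; a guest that then configures a tag presumably fails later in the base plugin's `tap_plug` with an unrelated "vm vlans are not allowed" message. If the combination is unsupported it should be rejected where the vnet is created or the zone is verified (not visible here), or at minimum fail here with `die "vlan-aware vnet can't be enabled with evpn plugin\n" if $vnet->{vlanaware};` rather than warn. The enclosing `generate_sdn_config` starts before the hunk.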
@@ -205,44 +205,23 @@ sub status { } -sub get_bridge_vlan { -my ($class, $plugin_config, $vnetid, $tag) = @_; - -my $bridge = $vnetid; -$tag = undef; - -die "bridge $bridge is missing" if !-d "/sys/class/net/$bridge/"; - -return ($bridge, $tag); -} - sub tap_create { my ($class, $plugin_config, $vnet, $iface, $vnetid) = @_; -my $tag = $vnet->{tag}; -my ($bridge, undef) = $class->get_bridge_vlan($plugin_config, $vnetid, $tag); -die "unable to get bridge setting\n" if !$bridge; - -PVE::Network::tap_create($iface, $bridge); +PVE::Network::tap_create($iface, $vnetid); } sub veth_create { my ($class, $plugin_config, $vnet, $veth, $vethpeer, $vnetid, $hwaddr) = @_; -my $tag = $vnet->{tag}; -my ($bridge, undef) = $class->get_bridge_vlan($plugin_config, $vnetid, $tag); -die "unable to get bridge setting\n" if !$bridge; - -PVE::Network::veth_create($veth, $vethpeer, $bridge, $hwaddr); +PVE::Network::veth_create($veth, $vethpeer, $vnetid, $hwaddr); } sub tap_plug { -my ($class, $plugin_config, $vnet, $iface, $vnetid, $firewall, $rate) = @_; - -my $tag = $vnet->{tag}; +my ($class, $plugin_config, $vnet, $tag, $iface, $vnetid, $firewall, $trunks, $rate) = @_; -($vnetid, $tag) = $class->get_bridge_vlan($plugin_config, $vnetid, $tag); -my $trunks = undef; +my $vlan_aware = PVE::Tools::file_read_firstline("/sys/class/net/$vnetid/bridge/vlan_filtering"); +die "vm vlans are not allowed on vnet $vnetid" if !$vlan_aware && ($tag || $trunks); PVE::Network::tap_plug($iface, $vnetid, $tag, $firewall, $trunks, $rate); } diff --git a/PVE/Network/SDN/Zones/QinQPlugin.pm
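Review bot: The removed `get_bridge_vlan` carried the `-d "/sys/class/net/$bridge/"` existence check and nothing in the new `tap_plug` replaces it: `file_read_firstline` on a missing bridge presumably returns undef, so a VM with a tag or trunks now fails with the misleading `vm vlans are not allowed on vnet $vnetid`, and one without them falls through to `PVE::Network::tap_plug` on a bridge that does not exist (tap_create and veth_create in the same hunk lose the same check). Suggest restoring it ahead of the sysfs read, `die "bridge $vnetid is missing\n" if !-d "/sys/class/net/$vnetid/";`, and adding a trailing `\n` to the new die so the user-facing message has no file/line suffix. Note also that the gate is the bridge's runtime `vlan_filtering` flag rather than the vnet's configured `vlanaware` property; the runtime flag is what actually enforces isolation, so checking it is right, but a config/runtime mismatch (vnet edited but not yet applied) will surface only as this error, which a comment such as `# check the live bridge, not the vnet config: only vlan_filtering actually isolates guest tags` would make clear.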
[pve-devel] [PATCH v2 container] fix #2655: don't forget to setup securetty for centos >= 7
in template_fixup we only call this method for version < 7, but greater versions also need to allow lxc/tty[N] as secure. Signed-off-by: Oguz Bektas --- v1->v2: * call setup_securetty unconditionally src/PVE/LXC/Setup/CentOS.pm | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/PVE/LXC/Setup/CentOS.pm b/src/PVE/LXC/Setup/CentOS.pm index 1e6894b..3721ca7 100644 --- a/src/PVE/LXC/Setup/CentOS.pm +++ b/src/PVE/LXC/Setup/CentOS.pm @@ -109,10 +109,9 @@ sub template_fixup { my $data = $self->ct_file_get_contents($filename); $data =~ s!^(/sbin/start_udev.*)$!#$1!gm; $self->ct_file_set_contents($filename, $data); - - # edit /etc/securetty (enable login on console) - $self->setup_securetty($conf); } +# edit /etc/securetty (enable login on console) +$self->setup_securetty($conf); } sub setup_init { -- 2.20.1 ___ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
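Review bot: Calling `$self->setup_securetty($conf);` unconditionally changes behaviour on templates that ship no `/etc/securetty` at all (the thread notes CentOS 8 is such a case, where root login is currently unrestricted): if `setup_securetty`, defined outside this hunk, creates the file when it is absent, root would afterwards be permitted only on the ttys it lists, a tightening that should be deliberate and tested on both privileged and unprivileged containers. If it only edits an existing file, a comment saying so would spare the next reader the same question, e.g. `# only adds lxc/tty[N] to an existing /etc/securetty; templates without one stay unrestricted`. The enclosing `template_fixup` starts before the hunk.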
Re: [pve-devel] [PATCH container] fix #2655: don't forget to setup securetty for centos >= 7
On Mon, May 25, 2020 at 02:24:34PM +0200, Thomas Lamprecht wrote: > On 5/25/20 2:15 PM, Oguz Bektas wrote: > > in template_fixup we only call this method for version < 7, but greater > > versions also need to allow lxc/tty[N] as secure. > > > > Signed-off-by: Oguz Bektas > > --- > > src/PVE/LXC/Setup/CentOS.pm | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/src/PVE/LXC/Setup/CentOS.pm b/src/PVE/LXC/Setup/CentOS.pm > > index 1e6894b..757bc63 100644 > > --- a/src/PVE/LXC/Setup/CentOS.pm > > +++ b/src/PVE/LXC/Setup/CentOS.pm > > @@ -109,9 +109,10 @@ sub template_fixup { > > my $data = $self->ct_file_get_contents($filename); > > $data =~ s!^(/sbin/start_udev.*)$!#$1!gm; > > $self->ct_file_set_contents($filename, $data); > > - > > # edit /etc/securetty (enable login on console) > > $self->setup_securetty($conf); > > +} else { > > + $self->setup_securetty($conf); > > } > > so a if-else both ending in the same statement.. Why not move it out and > do that unconditionally after the if? okay > > And it doesn't regresses for other CentOS versions and un/privileged combos? worked fine after the patch, seems to fix the warnings and the login problems for privileged containers (centos 7). unprivileged containers work fine as before. centos 8 template doesn't have /etc/securetty at all, so root login is allowed by default. > > > } > > > > > ___ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] [PATCH container] fix #2655: don't forget to setup securetty for centos >= 7
On 5/25/20 2:15 PM, Oguz Bektas wrote: > in template_fixup we only call this method for version < 7, but greater > versions also need to allow lxc/tty[N] as secure. > > Signed-off-by: Oguz Bektas > --- > src/PVE/LXC/Setup/CentOS.pm | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/src/PVE/LXC/Setup/CentOS.pm b/src/PVE/LXC/Setup/CentOS.pm > index 1e6894b..757bc63 100644 > --- a/src/PVE/LXC/Setup/CentOS.pm > +++ b/src/PVE/LXC/Setup/CentOS.pm > @@ -109,9 +109,10 @@ sub template_fixup { > my $data = $self->ct_file_get_contents($filename); > $data =~ s!^(/sbin/start_udev.*)$!#$1!gm; > $self->ct_file_set_contents($filename, $data); > - > # edit /etc/securetty (enable login on console) > $self->setup_securetty($conf); > +} else { > + $self->setup_securetty($conf); > } so a if-else both ending in the same statement.. Why not move it out and do that unconditionally after the if? And it doesn't regresses for other CentOS versions and un/privileged combos? > } > > ___ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
[pve-devel] [PATCH container] fix #2655: don't forget to setup securetty for centos >= 7
in template_fixup we only call this method for version < 7, but greater versions also need to allow lxc/tty[N] as secure. Signed-off-by: Oguz Bektas --- src/PVE/LXC/Setup/CentOS.pm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/PVE/LXC/Setup/CentOS.pm b/src/PVE/LXC/Setup/CentOS.pm index 1e6894b..757bc63 100644 --- a/src/PVE/LXC/Setup/CentOS.pm +++ b/src/PVE/LXC/Setup/CentOS.pm @@ -109,9 +109,10 @@ sub template_fixup { my $data = $self->ct_file_get_contents($filename); $data =~ s!^(/sbin/start_udev.*)$!#$1!gm; $self->ct_file_set_contents($filename, $data); - # edit /etc/securetty (enable login on console) $self->setup_securetty($conf); +} else { + $self->setup_securetty($conf); } } -- 2.20.1 ___ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
[pve-devel] applied: Re: [PATCH widget-toolkit] return cookie again in authOK
On 5/25/20 1:46 PM, Dominik Csapak wrote: > the calling code did require that authOK returns the cookie if > there is a valid one > > make it now very explicit that the cookie gets returned instead > of using implicit short-circuit behaviour > > Signed-off-by: Dominik Csapak > --- > Utils.js | 6 +- > 1 file changed, 5 insertions(+), 1 deletion(-) > > applied, thanks! Shortly thought about complaining regarding returning two different falsy values, undefined on Proxmox.LoggedOut, false on that cookie/tfa check but it was the behavior before, so OK I guess ^^ ___ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
[pve-devel] [PATCH widget-toolkit] return cookie again in authOK
the calling code did require that authOK returns the cookie if there is a valid one make it now very explicit that the cookie gets returned instead of using implicit short-circuit behaviour Signed-off-by: Dominik Csapak --- Utils.js | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Utils.js b/Utils.js index cae25b2..402349a 100644 --- a/Utils.js +++ b/Utils.js @@ -208,7 +208,11 @@ Ext.define('Proxmox.Utils', { utilities: { return undefined; } let cookie = Ext.util.Cookies.get(Proxmox.Setup.auth_cookie_name); - return (Proxmox.UserName !== '') && (cookie && !cookie.startsWith("PVE:tfa!")); + if (Proxmox.UserName !== '' && cookie && !cookie.startsWith("PVE:tfa!")) { + return cookie; + } else { + return false; + } }, authClear: function() { -- 2.20.1 ___ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
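Review bot: `authOK` now has a three-valued return contract — `undefined` when `Proxmox.LoggedOut`, `false` when the user name is empty or the cookie is missing or is a `PVE:tfa!` ticket, and the raw cookie string otherwise — and the commit message says callers depend on getting the cookie back, but nothing in the code states that. A JSDoc block above the function should spell out those three return values and note that the prefix check is a UI-side convenience only, with the server still responsible for rejecting a `PVE:tfa!` ticket on non-TFA endpoints. The function's signature line is just above the hunk.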
[pve-devel] [PATCH pve-common] network: vlan-aware bridge: fix pvid when trunks is defined
Currently, when a trunks is defined, the vlan tag is not used for pvid with vlan-aware bridge. (It's ok with ovs switch) example: net0: e1000=BA:90:68:B8:CF:F5,bridge=vmbr1,tag=2,trunks=2-11 before -- tap100i0 2-11 after - tap100i0 2 PVID Egress Untagged 3-11 No regression for other configurations: net0: e1000=BA:90:68:B8:CF:F5,bridge=vmbr1 before -- tap100i0 1 PVID Egress Untagged 2-4094 after - tap100i0 1 PVID Egress Untagged 2-4094 net0: e1000=BA:90:68:B8:CF:F5,bridge=vmbr1,tag=2 before -- tap100i0 2 PVID Egress Untagged after - tap100i0 2 PVID Egress Untagged net0: e1000=BA:90:68:B8:CF:F5,bridge=vmbr1,trunks=2-11 before -- tap100i0 1 PVID Egress Untagged 2-11 after - tap100i0 1 PVID Egress Untagged 2-11 Signed-off-by: Alexandre Derumier --- src/PVE/Network.pm | 36 +--- 1 file changed, 17 insertions(+), 19 deletions(-) diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm index b5d3777..12536c7 100644 --- a/src/PVE/Network.pm +++ b/src/PVE/Network.pm 
@@ -216,26 +216,24 @@ my $bridge_add_interface = sub { my $vlan_aware = PVE::Tools::file_read_firstline("/sys/class/net/$bridge/bridge/vlan_filtering"); if ($vlan_aware) { - if ($tag) { - eval { run_command(['/sbin/bridge', 'vlan', 'del', 'dev', $iface, 'vid', '1-4094']) }; - die "failed to remove default vlan tags of $iface - $@\n" if $@; - eval { run_command(['/sbin/bridge', 'vlan', 'add', 'dev', $iface, 'vid', $tag, 'pvid', 'untagged']) }; - die "unable to add vlan $tag to interface $iface - $@\n" if $@; - - warn "Caution: Setting VLAN ID 1 on a VLAN aware bridge may be dangerous\n" if $tag == 1; - } elsif (!$trunks) { - eval { run_command(['/sbin/bridge', 'vlan', 'add', 'dev', $iface, 'vid', '2-4094']) }; - die "unable to add default vlan tags to interface $iface - $@\n" if $@; - } - - if ($trunks) { - my @trunks_array = split /;/, $trunks; - foreach my $trunk (@trunks_array) { - eval { run_command(['/sbin/bridge', 'vlan', 'add', 'dev', $iface, 'vid', $trunk]) }; - die "unable to add vlan $trunk to interface $iface - $@\n" if $@; - } - } +eval { run_command(['/sbin/bridge', 'vlan', 'del', 'dev', $iface, 'vid', '1-4094']) }; +die "failed to remove default vlan tags of $iface - $@\n" if $@; + +if ($trunks) { +my @trunks_array = split /;/, $trunks; +foreach my $trunk (@trunks_array) { +eval { run_command(['/sbin/bridge', 'vlan', 'add', 'dev', $iface, 'vid', $trunk]) }; +die "unable to add vlan $trunk to interface $iface - $@\n" if $@; +} +} elsif (!$tag) { +eval { run_command(['/sbin/bridge', 'vlan', 'add', 'dev', $iface, 'vid', '2-4094']) }; +die "unable to add default vlan tags to interface $iface - $@\n" if $@; +} + +$tag = 1 if !$tag; +eval { run_command(['/sbin/bridge', 'vlan', 'add', 'dev', $iface, 'vid', $tag, 'pvid', 'untagged']) }; +die "unable to add vlan $tag to interface $iface - $@\n" if $@; } }; -- 2.20.1 ___ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
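Review bot: The old block's `warn "Caution: Setting VLAN ID 1 on a VLAN aware bridge may be dangerous\n" if $tag == 1;` has no equivalent in the new code: an explicit `tag=1` now silently reaches the final `bridge vlan add ... vid 1 pvid untagged`, indistinguishable from the untagged default, so the operator loses that hint. Restore it ahead of the defaulting line, e.g. `warn "Caution: Setting VLAN ID 1 on a VLAN aware bridge may be dangerous\n" if $tag && $tag == 1;` immediately before `$tag = 1 if !$tag;`. That defaulting line also deserves a comment, since the ordering is what keeps the before/after tables in the commit message identical: `# after the unconditional 'del 1-4094', re-create the kernel default (vid 1 pvid untagged) for untagged ports`. The enclosing `$bridge_add_interface` sub starts before the hunk.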
[pve-devel] applied: Re: [PATCH widget-toolkit] fix #2758: reject 'tfa' cookies
On 5/25/20 10:35 AM, Dominik Csapak wrote: > return false on authOK when the ticket is a tfa ticket > (starts with PVE:tfa!) > > when a user now loads the page with only a tfa ticket, it shows the > login window again > > Signed-off-by: Dominik Csapak > --- > Utils.js | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > applied, thanks! ___ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
[pve-devel] [PATCH widget-toolkit] fix #2758: reject 'tfa' cookies
return false on authOK when the ticket is a tfa ticket (starts with PVE:tfa!) when a user now loads the page with only a tfa ticket, it shows the login window again Signed-off-by: Dominik Csapak --- Utils.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Utils.js b/Utils.js index 22eddd2..cae25b2 100644 --- a/Utils.js +++ b/Utils.js @@ -207,7 +207,8 @@ Ext.define('Proxmox.Utils', { utilities: { if (Proxmox.LoggedOut) { return undefined; } - return (Proxmox.UserName !== '') && Ext.util.Cookies.get(Proxmox.Setup.auth_cookie_name); + let cookie = Ext.util.Cookies.get(Proxmox.Setup.auth_cookie_name); + return (Proxmox.UserName !== '') && (cookie && !cookie.startsWith("PVE:tfa!")); }, authClear: function() { -- 2.20.1 ___ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
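Review bot: The ticket prefix `"PVE:tfa!"` is a hard-coded literal in `authOK`, while the cookie name on the line above is already taken from `Proxmox.Setup.auth_cookie_name`; since this is the product-shared widget toolkit, the prefix is presumably product-specific and belongs in the same setup object (e.g. `Proxmox.Setup.tfa_cookie_prefix`, falling back to the literal) or at least in a named constant. A comment should also make clear that this is a UI-side gate only, `// a TFA-pending ticket is not a login; the server must still reject it on non-TFA endpoints`, so nobody later mistakes it for the enforcement point. The enclosing `authOK` function starts before the hunk.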
[pve-devel] [PATCH storage] Fix 2763: Revert "storage_migrate: check if target storage supports content type"
This reverts commit 95015dbbf24b710011965805e689c03923fb830c. parse_volname always gives 'images' and not 'rootdir'. In most cases the volume name alone does not contain the needed information, e.g. vm-123-disk-0 can be both a VM volume or a container volume. Signed-off-by: Fabian Ebner --- For this reason, we need to have the callers of storage_migrate check if the correct content type is available. No further changes are needed, because replication and container migration do not change storages, and for VM migration, the check is already there. PVE/Storage.pm | 5 - 1 file changed, 5 deletions(-) diff --git a/PVE/Storage.pm b/PVE/Storage.pm index f1e3b19..f523f20 100755 --- a/PVE/Storage.pm +++ b/PVE/Storage.pm @@ -619,11 +619,6 @@ sub storage_migrate { my $tcfg = storage_config($cfg, $target_storeid); -my $vtype = (parse_volname($cfg, $volid))[0]; - -die "content type '$vtype' is not available on storage '$target_storeid'\n" - if !$tcfg->{content}->{$vtype}; - my $target_volname; if ($opts->{target_volname}) { $target_volname = $opts->{target_volname}; -- 2.20.1 ___ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel