[pve-devel] [PATCH pve-network] add vnet vlan-aware option

2020-05-25 Thread Alexandre Derumier
Some users would like to be able to define VLANs at
VM level, or allow trunks, on top of an already
tagged vnet (including VLANs on top of a VXLAN tunnel).

Allow it on all layer 2 plugins, and add a warning
for the evpn layer 3 plugin.

Signed-off-by: Alexandre Derumier 
---
 PVE/Network/SDN/VnetPlugin.pm|  5 +
 PVE/Network/SDN/Zones.pm | 14 +
 PVE/Network/SDN/Zones/EvpnPlugin.pm  |  1 +
 PVE/Network/SDN/Zones/Plugin.pm  | 31 +---
 PVE/Network/SDN/Zones/QinQPlugin.pm  |  4 
 PVE/Network/SDN/Zones/VlanPlugin.pm  |  4 
 PVE/Network/SDN/Zones/VxlanPlugin.pm |  4 
 7 files changed, 24 insertions(+), 39 deletions(-)

diff --git a/PVE/Network/SDN/VnetPlugin.pm b/PVE/Network/SDN/VnetPlugin.pm
index 179bfa4..2433013 100644
--- a/PVE/Network/SDN/VnetPlugin.pm
+++ b/PVE/Network/SDN/VnetPlugin.pm
@@ -58,6 +58,10 @@ sub properties {
 type => 'integer',
 description => "vlan or vxlan id",
},
+   vlanaware => {
+   type => 'boolean',
+   description => 'Allow vm VLANs to pass through this vnet.',
+   },
 alias => {
 type => 'string',
 description => "alias name of the vnet",
@@ -89,6 +93,7 @@ sub options {
 ipv4 => { optional => 1 },
 ipv6 => { optional => 1 },
 mac => { optional => 1 },
+vlanaware => { optional => 1 },
 };
 }
 
diff --git a/PVE/Network/SDN/Zones.pm b/PVE/Network/SDN/Zones.pm
index 436b103..b8dc54c 100644
--- a/PVE/Network/SDN/Zones.pm
+++ b/PVE/Network/SDN/Zones.pm
@@ -214,18 +214,6 @@ sub status {
 return($zone_status, $vnet_status);
 }
 
-sub get_bridge_vlan {
-my ($vnetid) = @_;
-
-my $vnet = PVE::Network::SDN::Vnets::get_vnet($vnetid);
-
-return ($vnetid, undef) if !$vnet; # fallback for classic bridge
-
-my $plugin_config = get_plugin_config($vnet);
-my $plugin = 
PVE::Network::SDN::Zones::Plugin->lookup($plugin_config->{type});
-return $plugin->get_bridge_vlan($plugin_config, $vnetid, $vnet->{tag});
-}
-
 sub tap_create {
 my ($iface, $bridge) = @_;
 
@@ -270,7 +258,7 @@ sub tap_plug {
if $plugin_config->{nodes} && 
!defined($plugin_config->{nodes}->{$nodename});
 
 my $plugin = 
PVE::Network::SDN::Zones::Plugin->lookup($plugin_config->{type});
-$plugin->tap_plug($plugin_config, $vnet, $iface, $bridge, $firewall, 
$rate);
+$plugin->tap_plug($plugin_config, $vnet, $tag, $iface, $bridge, $firewall, 
$trunks, $rate);
 }
 
 1;
diff --git a/PVE/Network/SDN/Zones/EvpnPlugin.pm 
b/PVE/Network/SDN/Zones/EvpnPlugin.pm
index 973e8e0..95fbb64 100644
--- a/PVE/Network/SDN/Zones/EvpnPlugin.pm
+++ b/PVE/Network/SDN/Zones/EvpnPlugin.pm
@@ -50,6 +50,7 @@ sub generate_sdn_config {
 my $vrfvxlan = $plugin_config->{'vrf-vxlan'};
 
 die "missing vxlan tag" if !$tag;
+warn "vlan-aware vnet can't be enabled with evpn plugin" if 
$vnet->{vlanaware};
 
 my @peers = split(',', $controller->{'peers'});
 my ($ifaceip, $iface) = 
PVE::Network::SDN::Zones::Plugin::find_local_ip_interface_peers(\@peers);
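Review bot: The new warn only fires when the SDN config is regenerated, so a user who sets vlanaware on a vnet inside an evpn zone gets no feedback at configuration time and the unsupported option silently stays in the config; if the combination is really not supported, rejecting it wherever the vnet/zone options are validated would be more useful than a log line. Independently of that, the message should end with "\n" so perl does not append the source file and line to an operator-facing warning: `warn "vlan-aware vnet can't be enabled with evpn plugin\n" if $vnet->{vlanaware};`. generate_sdn_config starts and ends outside the hunk.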
diff --git a/PVE/Network/SDN/Zones/Plugin.pm b/PVE/Network/SDN/Zones/Plugin.pm
index 9ea7a50..0633b78 100644
--- a/PVE/Network/SDN/Zones/Plugin.pm
+++ b/PVE/Network/SDN/Zones/Plugin.pm
@@ -205,44 +205,23 @@ sub status {
 }
 
 
-sub get_bridge_vlan {
-my ($class, $plugin_config, $vnetid, $tag) = @_;
-
-my $bridge = $vnetid;
-$tag = undef;
-
-die "bridge $bridge is missing" if !-d "/sys/class/net/$bridge/";
-
-return ($bridge, $tag);
-}
-
 sub tap_create {
 my ($class, $plugin_config, $vnet, $iface, $vnetid) = @_;
 
-my $tag = $vnet->{tag};
-my ($bridge, undef) = $class->get_bridge_vlan($plugin_config, $vnetid, 
$tag);
-die "unable to get bridge setting\n" if !$bridge;
-
-PVE::Network::tap_create($iface, $bridge);
+PVE::Network::tap_create($iface, $vnetid);
 }
 
 sub veth_create {
 my ($class, $plugin_config, $vnet, $veth, $vethpeer, $vnetid, $hwaddr) = 
@_;
 
-my $tag = $vnet->{tag};
-my ($bridge, undef) = $class->get_bridge_vlan($plugin_config, $vnetid, 
$tag);
-die "unable to get bridge setting\n" if !$bridge;
-
-PVE::Network::veth_create($veth, $vethpeer, $bridge, $hwaddr);
+PVE::Network::veth_create($veth, $vethpeer, $vnetid, $hwaddr);
 }
 
 sub tap_plug {
-my ($class, $plugin_config, $vnet, $iface, $vnetid, $firewall, $rate) = @_;
-
-my $tag = $vnet->{tag};
+my ($class, $plugin_config, $vnet, $tag, $iface, $vnetid, $firewall, 
$trunks, $rate) = @_;
 
-($vnetid, $tag) = $class->get_bridge_vlan($plugin_config, $vnetid, $tag);
-my $trunks = undef;
+my $vlan_aware = 
PVE::Tools::file_read_firstline("/sys/class/net/$vnetid/bridge/vlan_filtering");
+die "vm vlans are not allowed on vnet $vnetid" if !$vlan_aware && ($tag || 
$trunks);
 
 PVE::Network::tap_plug($iface, $vnetid, $tag, $firewall, $trunks, $rate);
 }
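Review bot: The rewritten tap_plug reads /sys/class/net/$vnetid/bridge/vlan_filtering without first checking that the bridge exists, whereas the removed get_bridge_vlan died with "bridge ... is missing" when the sysfs directory was absent; tap_create and veth_create in the same hunk lose that check as well. If PVE::Tools::file_read_firstline returns undef for an unreadable path (it is not visible here), a missing bridge now surfaces either as the misleading "vm vlans are not allowed on vnet" error or as a less specific failure further down in PVE::Network. Keeping the explicit check ahead of the sysfs read, `die "bridge $vnetid is missing\n" if !-d "/sys/class/net/$vnetid/";`, preserves the clear error, and the same line fits in tap_create and veth_create. The new die message should also end with "\n" so the file/line suffix is not appended to a user-facing error.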
diff --git a/PVE/Network/SDN/Zones/QinQPlugin.pm 

[pve-devel] [PATCH v2 container] fix #2655: don't forget to setup securetty for centos >= 7

2020-05-25 Thread Oguz Bektas
in template_fixup we only call this method for versions < 7, but later
versions also need lxc/tty[N] to be allowed as secure.

Signed-off-by: Oguz Bektas 
---

v1->v2:
* call setup_securetty unconditionally

 src/PVE/LXC/Setup/CentOS.pm | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/PVE/LXC/Setup/CentOS.pm b/src/PVE/LXC/Setup/CentOS.pm
index 1e6894b..3721ca7 100644
--- a/src/PVE/LXC/Setup/CentOS.pm
+++ b/src/PVE/LXC/Setup/CentOS.pm
@@ -109,10 +109,9 @@ sub template_fixup {
my $data = $self->ct_file_get_contents($filename);
$data =~ s!^(/sbin/start_udev.*)$!#$1!gm;
$self->ct_file_set_contents($filename, $data);
-   
-   # edit /etc/securetty (enable login on console)
-   $self->setup_securetty($conf);
 }
+# edit /etc/securetty (enable login on console)
+$self->setup_securetty($conf);
 }
 
 sub setup_init {
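Review bot: setup_securetty now runs for every CentOS version, including templates that ship without /etc/securetty at all (the thread names CentOS 8 as such a case), and whether that is harmless depends on the helper skipping a missing file rather than creating one: a newly created securetty would restrict root console login where it was previously unrestricted. setup_securetty is not in the hunk, so this is worth confirming; if it does create the file, either guarding the call with an existence check or making the helper return early when the file is absent keeps today's behaviour for those templates. template_fixup starts outside the hunk.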
-- 
2.20.1



Re: [pve-devel] [PATCH container] fix #2655: don't forget to setup securetty for centos >= 7

2020-05-25 Thread Oguz Bektas
On Mon, May 25, 2020 at 02:24:34PM +0200, Thomas Lamprecht wrote:
> On 5/25/20 2:15 PM, Oguz Bektas wrote:
> > in template_fixup we only call this method for version < 7, but greater
> > versions also need to allow lxc/tty[N] as secure.
> > 
> > Signed-off-by: Oguz Bektas 
> > ---
> >  src/PVE/LXC/Setup/CentOS.pm | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/src/PVE/LXC/Setup/CentOS.pm b/src/PVE/LXC/Setup/CentOS.pm
> > index 1e6894b..757bc63 100644
> > --- a/src/PVE/LXC/Setup/CentOS.pm
> > +++ b/src/PVE/LXC/Setup/CentOS.pm
> > @@ -109,9 +109,10 @@ sub template_fixup {
> > my $data = $self->ct_file_get_contents($filename);
> > $data =~ s!^(/sbin/start_udev.*)$!#$1!gm;
> > $self->ct_file_set_contents($filename, $data);
> > -   
> > # edit /etc/securetty (enable login on console)
> > $self->setup_securetty($conf);
> > +} else {
> > +   $self->setup_securetty($conf);
> >  }
> 
> so a if-else both ending in the same statement.. Why not move it out and
> do that unconditionally after the if?
okay
> 
> And it doesn't regresses for other CentOS versions and un/privileged combos?
worked fine after the patch, seems to fix the warnings and the
login problems for privileged containers (centos 7). unprivileged
containers work fine as before.

centos 8 template doesn't have /etc/securetty at all, so root login is
allowed by default.
> 
> >  }
> >  
> > 
> 



Re: [pve-devel] [PATCH container] fix #2655: don't forget to setup securetty for centos >= 7

2020-05-25 Thread Thomas Lamprecht
On 5/25/20 2:15 PM, Oguz Bektas wrote:
> in template_fixup we only call this method for version < 7, but greater
> versions also need to allow lxc/tty[N] as secure.
> 
> Signed-off-by: Oguz Bektas 
> ---
>  src/PVE/LXC/Setup/CentOS.pm | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/src/PVE/LXC/Setup/CentOS.pm b/src/PVE/LXC/Setup/CentOS.pm
> index 1e6894b..757bc63 100644
> --- a/src/PVE/LXC/Setup/CentOS.pm
> +++ b/src/PVE/LXC/Setup/CentOS.pm
> @@ -109,9 +109,10 @@ sub template_fixup {
>   my $data = $self->ct_file_get_contents($filename);
>   $data =~ s!^(/sbin/start_udev.*)$!#$1!gm;
>   $self->ct_file_set_contents($filename, $data);
> - 
>   # edit /etc/securetty (enable login on console)
>   $self->setup_securetty($conf);
> +} else {
> + $self->setup_securetty($conf);
>  }

so an if-else where both branches end in the same statement.. Why not move it
out and do that unconditionally after the if?

And does it not regress for other CentOS versions and un/privileged combos?

>  }
>  
> 




[pve-devel] [PATCH container] fix #2655: don't forget to setup securetty for centos >= 7

2020-05-25 Thread Oguz Bektas
in template_fixup we only call this method for versions < 7, but later
versions also need lxc/tty[N] to be allowed as secure.

Signed-off-by: Oguz Bektas 
---
 src/PVE/LXC/Setup/CentOS.pm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/PVE/LXC/Setup/CentOS.pm b/src/PVE/LXC/Setup/CentOS.pm
index 1e6894b..757bc63 100644
--- a/src/PVE/LXC/Setup/CentOS.pm
+++ b/src/PVE/LXC/Setup/CentOS.pm
@@ -109,9 +109,10 @@ sub template_fixup {
my $data = $self->ct_file_get_contents($filename);
$data =~ s!^(/sbin/start_udev.*)$!#$1!gm;
$self->ct_file_set_contents($filename, $data);
-   
# edit /etc/securetty (enable login on console)
$self->setup_securetty($conf);
+} else {
+   $self->setup_securetty($conf);
 }
 }
 
-- 
2.20.1



[pve-devel] applied: Re: [PATCH widget-toolkit] return cookie again in authOK

2020-05-25 Thread Thomas Lamprecht
On 5/25/20 1:46 PM, Dominik Csapak wrote:
> the calling code did require that authOK returns the cookie if
> there is a valid one
> 
> make it now very explicit that the cookie gets returned instead
> of using implicit short-circuit behaviour
> 
> Signed-off-by: Dominik Csapak 
> ---
>  Utils.js | 6 +-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
>

applied, thanks! I briefly thought about complaining about returning two
different falsy values (undefined on Proxmox.LoggedOut, false on that cookie/tfa
check), but that was the behaviour before, so OK I guess ^^



[pve-devel] [PATCH widget-toolkit] return cookie again in authOK

2020-05-25 Thread Dominik Csapak
the calling code requires that authOK returns the cookie if
there is a valid one

make it explicit that the cookie gets returned, instead
of relying on implicit short-circuit behaviour

Signed-off-by: Dominik Csapak 
---
 Utils.js | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/Utils.js b/Utils.js
index cae25b2..402349a 100644
--- a/Utils.js
+++ b/Utils.js
@@ -208,7 +208,11 @@ Ext.define('Proxmox.Utils', { utilities: {
return undefined;
}
let cookie = Ext.util.Cookies.get(Proxmox.Setup.auth_cookie_name);
-   return (Proxmox.UserName !== '') && (cookie && 
!cookie.startsWith("PVE:tfa!"));
+   if (Proxmox.UserName !== '' && cookie && 
!cookie.startsWith("PVE:tfa!")) {
+   return cookie;
+   } else {
+   return false;
+   }
 },
 
 authClear: function() {
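Review bot: The `else` after `return cookie;` is redundant; `return false;` can follow the `if` block directly, which matches the early `return undefined;` for Proxmox.LoggedOut just above it. Callers that depend on the cookie being returned (the commit message says some do) have nothing in the code telling them what to expect, so a one-line comment above the `if`, `// returns the auth cookie when a full ticket is present, false otherwise`, would document the contract this commit restores. authOK's header is outside the hunk.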
-- 
2.20.1




[pve-devel] [PATCH pve-common] network: vlan-aware bridge: fix pvid when trunks is defined

2020-05-25 Thread Alexandre Derumier
Currently, when trunks are defined, the VLAN tag is not used
as the PVID on a VLAN-aware bridge. (It works correctly with an OVS switch.)

example:

net0: e1000=BA:90:68:B8:CF:F5,bridge=vmbr1,tag=2,trunks=2-11

before
--
tap100i0 2-11

after
-
tap100i0 2 PVID Egress Untagged
 3-11

No regression for other configurations:

net0: e1000=BA:90:68:B8:CF:F5,bridge=vmbr1

before
--
tap100i0 1 PVID Egress Untagged
 2-4094

after
-
tap100i0 1 PVID Egress Untagged
 2-4094

net0: e1000=BA:90:68:B8:CF:F5,bridge=vmbr1,tag=2

before
--
tap100i0 2 PVID Egress Untagged

after
-
tap100i0 2 PVID Egress Untagged

net0: e1000=BA:90:68:B8:CF:F5,bridge=vmbr1,trunks=2-11

before
--
tap100i0 1 PVID Egress Untagged
 2-11

after
-
tap100i0 1 PVID Egress Untagged
 2-11

Signed-off-by: Alexandre Derumier 
---
 src/PVE/Network.pm | 36 +---
 1 file changed, 17 insertions(+), 19 deletions(-)

diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm
index b5d3777..12536c7 100644
--- a/src/PVE/Network.pm
+++ b/src/PVE/Network.pm
@@ -216,26 +216,24 @@ my $bridge_add_interface = sub {
my $vlan_aware = 
PVE::Tools::file_read_firstline("/sys/class/net/$bridge/bridge/vlan_filtering");
 
if ($vlan_aware) {
-   if ($tag) {
-   eval { run_command(['/sbin/bridge', 'vlan', 'del', 'dev', $iface, 
'vid', '1-4094']) };
-   die "failed to remove default vlan tags of $iface - $@\n" if $@;
 
-   eval { run_command(['/sbin/bridge', 'vlan', 'add', 'dev', $iface, 
'vid', $tag, 'pvid', 'untagged']) };
-   die "unable to add vlan $tag to interface $iface - $@\n" if $@;
-
-   warn "Caution: Setting VLAN ID 1 on a VLAN aware bridge may be 
dangerous\n" if $tag == 1;
-   } elsif (!$trunks) {
-   eval { run_command(['/sbin/bridge', 'vlan', 'add', 'dev', $iface, 
'vid', '2-4094']) };
-   die "unable to add default vlan tags to interface $iface - $@\n" if 
$@;
-   }
-
-   if ($trunks) {
-   my @trunks_array = split /;/, $trunks;
-   foreach my $trunk (@trunks_array) {
-   eval { run_command(['/sbin/bridge', 'vlan', 'add', 'dev', 
$iface, 'vid', $trunk]) };
-   die "unable to add vlan $trunk to interface $iface - $@\n" if 
$@;
-   }
-   }
+eval { run_command(['/sbin/bridge', 'vlan', 'del', 'dev', $iface, 
'vid', '1-4094']) };
+die "failed to remove default vlan tags of $iface - $@\n" if $@;
+
+if ($trunks) {
+my @trunks_array = split /;/, $trunks;
+foreach my $trunk (@trunks_array) {
+eval { run_command(['/sbin/bridge', 'vlan', 'add', 'dev', 
$iface, 'vid', $trunk]) };
+die "unable to add vlan $trunk to interface $iface - $@\n" if 
$@;
+}
+} elsif (!$tag) {
+eval { run_command(['/sbin/bridge', 'vlan', 'add', 'dev', $iface, 
'vid', '2-4094']) };
+die "unable to add default vlan tags to interface $iface - $@\n" 
if $@;
+}
+
+$tag = 1 if !$tag;
+eval { run_command(['/sbin/bridge', 'vlan', 'add', 'dev', $iface, 
'vid', $tag, 'pvid', 'untagged']) };
+die "unable to add vlan $tag to interface $iface - $@\n" if $@;
}
 };
 
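Review bot: The rewrite drops the "Caution: Setting VLAN ID 1 on a VLAN aware bridge may be dangerous" warning for an explicitly configured tag of 1; because `$tag = 1 if !$tag;` now makes VID 1 the default PVID, the old check could not stay after that line unchanged, but the explicit case can still be flagged by emitting it just before the defaulting: `warn "Caution: Setting VLAN ID 1 on a VLAN aware bridge may be dangerous\n" if $tag && $tag == 1;`. Also, `vlan del ... 1-4094` now runs for every interface on a vlan-aware bridge, including the plain untagged one that ends up with PVID 1 and 2-4094 again, so there is a short window with no VLAN membership between the del and the subsequent adds; tagged ports already had that window before, so it is probably acceptable, but a comment saying this is deliberate would help the next reader. The enclosing `$bridge_add_interface` sub starts outside the hunk.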
-- 
2.20.1



[pve-devel] applied: Re: [PATCH widget-toolkit] fix #2758: reject 'tfa' cookies

2020-05-25 Thread Thomas Lamprecht
On 5/25/20 10:35 AM, Dominik Csapak wrote:
> return false on authOK when the ticket is a tfa ticket
> (starts with PVE:tfa!)
> 
> when a user now loads the page with only a tfa ticket, it shows the
> login window again
> 
> Signed-off-by: Dominik Csapak 
> ---
>  Utils.js | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
>

applied, thanks!



[pve-devel] [PATCH widget-toolkit] fix #2758: reject 'tfa' cookies

2020-05-25 Thread Dominik Csapak
return false from authOK when the ticket is a tfa ticket
(one that starts with PVE:tfa!)

when a user now loads the page with only a tfa ticket, the
login window is shown again

Signed-off-by: Dominik Csapak 
---
 Utils.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Utils.js b/Utils.js
index 22eddd2..cae25b2 100644
--- a/Utils.js
+++ b/Utils.js
@@ -207,7 +207,8 @@ Ext.define('Proxmox.Utils', { utilities: {
if (Proxmox.LoggedOut) {
return undefined;
}
-   return (Proxmox.UserName !== '') && 
Ext.util.Cookies.get(Proxmox.Setup.auth_cookie_name);
+   let cookie = Ext.util.Cookies.get(Proxmox.Setup.auth_cookie_name);
+   return (Proxmox.UserName !== '') && (cookie && 
!cookie.startsWith("PVE:tfa!"));
 },
 
 authClear: function() {
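Review bot: Nothing in the code says why a ticket starting with "PVE:tfa!" must not count as logged in; the commit message explains it is the ticket of a login whose second factor has not been completed yet, and that belongs next to the check so the magic prefix is not mistaken for a cosmetic filter, e.g. `// a "PVE:tfa!" ticket only covers the first step of a TFA login, not a usable session` above the `let cookie` line. authOK's header is outside the hunk.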
-- 
2.20.1




[pve-devel] [PATCH storage] Fix 2763: Revert "storage_migrate: check if target storage supports content type"

2020-05-25 Thread Fabian Ebner
This reverts commit 95015dbbf24b710011965805e689c03923fb830c.

parse_volname always returns 'images', never 'rootdir'. In most
cases the volume name alone does not contain the needed information,
e.g. vm-123-disk-0 can be either a VM volume or a container volume.

Signed-off-by: Fabian Ebner 
---

For this reason, we need to have the callers of storage_migrate check
if the correct content type is available. No further changes are
needed, because replication and container migration do not
change storages, and for VM migration, the check is already there.

 PVE/Storage.pm | 5 -
 1 file changed, 5 deletions(-)

diff --git a/PVE/Storage.pm b/PVE/Storage.pm
index f1e3b19..f523f20 100755
--- a/PVE/Storage.pm
+++ b/PVE/Storage.pm
@@ -619,11 +619,6 @@ sub storage_migrate {
 
 my $tcfg = storage_config($cfg, $target_storeid);
 
-my $vtype = (parse_volname($cfg, $volid))[0];
-
-die "content type '$vtype' is not available on storage '$target_storeid'\n"
-   if !$tcfg->{content}->{$vtype};
-
 my $target_volname;
 if ($opts->{target_volname}) {
$target_volname = $opts->{target_volname};
-- 
2.20.1

