Currently, if bridge receive an unknown dest mac (network bug/attack/..),
we are flooding packets to all bridge ports.
This can waste cpu time, even more with firewall enabled.
Also, if firewall is used with reject action, the src mac of RST
packet is the original unknown dest mac.
(This can block the server at Hetzner for example)
So, we can disable learning && unicast_flood on tap|veth|fwln port interface.
Then mac address need to be add statically in bridge fdb.
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
The fallback had a "typo" in the realm and used 'root@pve' (pve vs.
pam) since initial import from SVN, but off-list talks with Dietmar
suggest that 'root@pam' was always the intended fallback value.
Call sites without a defined user parameter (found only push_file and
pull_file from pve-container) were logging the task-owner user as
'root@pve' which isn't a default one, so it wouldn't exist in most
setups.
For clarity, add a comment that this is only used for the task logs.
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
[ T: Reword/add to commit message slightly ]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
currently these are used by qemu-server for mapping source and target
storages, but this mechanism will be extended to network bridge maps and
re-used in pve-container as well, so let's put it next to the schema
definitions/helpers.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
not available on PMG and other places we use this lib (infra stuff)..
the perlmod stuff needs to be either more conditionally included, the
perlmod move to a more generic library (proxmox-rs?) or duplicated to
at least pmg-rs (albeit that wouldn't solve the infra pain points)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
by replacing the parsing code and 'compute_next_event' by their
PVE::RS::CalendarEvent equivalent
adapt the tests, since we do not have access to the internal structure
(and even if we had, it would be different) and the error messages
are different
the 'compute_next_event' and parsing tests still pass though
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
for re-use in qemu-server/pve-container, which already have this option
duplicated. the '-pair' is needed for remote migration, but can also be
a nice addition to regular intra-cluster migration to lift the
restriction of having identically named bridges.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Reviewed-by: Fabian Ebner <f.ebner@proxmox.com>
more consistent with the other options/formats like pve-storage-id
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Reviewed-by: Fabian Ebner <f.ebner@proxmox.com>
'wbytes' is for writes, but we accidentally added the value to 'diskread'
which left 'diskwrite' statistics always zero
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
The CFS period µs value for cgroup v1 needs to be >= 1 µs and <= 1 s,
so resetting it to -1 (like we cab do for the quota) cannot work.
So, when the period is passed as undefined it should be set to 100ms,
i.e., the actual default value:
> - cpu.cfs_quota_us: the total available run-time within a period (in microseconds)
> - cpu.cfs_period_us: the length of a period (in microseconds)
> - cpu.stat: exports throttling statistics [explained further below]
>
> The default values are:
> cpu.cfs_period_us=100ms
> cpu.cfs_quota=-1
-- https://www.kernel.org/doc/html/v5.14/scheduler/sched-bwc.html
This issue was there since initial addition in its original repo,
pve-container commit 26b645e2.
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
[ Thomas: add more information, adapt commit subject to reduce
redundancy, link to new RsT based doc page with a fixed version ]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
The path is not /that/ relevant privacy wise as we try to use
`O_TMPFILE` anyway and defaulting to /run generates trouble for calls
from non-root processes.
Try the user session run dir first, then /run if root or /tmp else.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Reduce by a few lines in general and move out checking the address to
avoid to much (repeated) inline noise..
no semantic change intended.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
- Two-argument "open" used at line 462, column 3. See page 207 of
PBP. (Severity: 5)
- Subroutine "new" called using indirect syntax at line 487, column
15. See page 349 of PBP. (Severity: 5)
- Bareword file handle opened at line 1533, column 5. See pages 202,
204 of PBP. (Severity: 5)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
commit c86cfb8bbd dropped allow-hotplug
from the primary interfaces file completely on write, but that breaks
setups that come from plain Debian.
Instead, as stop-gap measurement, transform "allow-hotplug" to auto
in the PVE controlled config.
That avoids conflict and improves installing PVE on top of plain
Debian, as the interface still comes up after the first reboot.
But it is not ideal auto is not the same as hotplug, so we need to
also track that difference in the future, but that needs some
adaptions in the API too (change autostart from boolean to
string+enum or so=
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
With the merger the shop got moved from shop.maurer-it to
shop.proxmox.com, while we transparently redirect we also want to
stop doing that in a few years, so use new domain.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
