which returns a list of challenge api types with the schema of their
required data (if it exists)
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
[ Thomas: adapt to my changes from proxmox-acme schema def and change
path from challengeschema to challenge-schema ]
As proxmox-acme has now a default delay for DNS challenge plugins,
which is the important one. Those are just for not overloading the
acme servers with a lot of requests, but once the challenge was
propagate they have it verified pretty quickly, so reduce delay for
checking validation after first requesting it down to 10 seconds
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
re-loading it always would mean that we could potentially switch the
config to something completely different, and the mix of the previous
and the old could result in total bogus actions.
Better to use the same one for one full order, even if it may get
"outdated" it was still valid in the past and most important
coherent.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Drop various leftovers from the storage content API module this was
based on, e.g., ACME plugins have no fixed options and the like.
Also, the descriptions shouldn't mention "storage".
Further, drop the "update_config" "helper" with its operations
effectively only increasing code complexity and adding another rabbit
hole to jump into.
IF, this should have been factoring out the lock+read+write cycle
only, living the rest to a passed CODE-ref, but honestly that saves
only really the read and write config lines, and at this point
nothing is really gained, so just let it be.
Should have been actually three or so separate patches, but to deep
into this rabbit hole to care..
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
for now mostly due to the "nice" property of the acmedomains which
do not use their property key as index but actually the doamain.
Without this one could set up duplicated domain entries just fine,
but once using them -> error.
This is not nice UX, so verify node config before writing an updated
one out, to catch those issues.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
add checks, encoding of loaded data files, update API path, proper inclusion into API tree
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
instead of relying that the authorization URLs and the ordered
identifiers are sorted the same way for already validated
authorizations.
on the contrary, RFC 8555 even says:
"The authorizations required are dictated by server policy; there may
not be a 1:1 relationship between the order identifiers and the
authorizations required."
authorizations MUST always include a single identifier, no matter which
state they are in.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
mixed bag of improvements:
- return hash based on domain
- check for duplicate domains, allow overlap between main and additional
keys otherwise
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
With this configuration it is possible to use many different plugins
with different providers and users.
Signed-off-by: Wolfgang Link <w.link@proxmox.com>
The public_addr option for creating a new MON is only valid for manual
startup (since Ceph Jewel) and is just ignored by ceph-mon during setup.
As the MON is started after the creation through systemd without an IP
specified. It is trying to auto-select an IP.
Before this patch the public_addr was only explicitly written to the
ceph.conf if no public_network was set. The mon_address is only needed
in the config on the first start of the MON.
The ceph-mon itself tries to select an IP on the following conditions.
- no public_network or public_addr is in the ceph.conf
* startup fails
- public_network is in the ceph.conf
* with a single network, take the first available IP
* on multiple networks, walk through the list orderly and start on
the first network where an IP is found
Signed-off-by: Alwin Antreich <a.antreich@proxmox.com>
so that we can choose to only include the versions and not all metadata
this is done to avoid having a seperate 'versions' api call
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
instead of having multiple regexes in various places for the name,
define a 'SERVICE_REGEX' in PVE::Ceph::Services, and use that
everywhere in the api where we need it
additionally limit new sevices to 200 characters, since
systemd units have a limit of 256 characters[0] (including suffix), and
200 seems to be enough.
users can now create ceph services on machines with hostnames
longer than 32 characters
0: https://www.freedesktop.org/software/systemd/man/systemd.unit.html
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
the network and the cluster network are optional in the ceph config
and with 'pveceph init', so only check if we have an ip address
from those networks if it is actually configured
otherwise, the createosd call dies with an 'ip' error message
even if it would work
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
To (re)start and stop Ceph services the API calls systemd units using the
function ceph_service_cmd. If unspecified, this function assumes the type
".target" for a unit. By making the unit type suffix in the API optional, it
can make use of this assumption.
Signed-off-by: Dominic Jäger <d.jaeger@proxmox.com>
We need a recent version *and* our patches on top of the vanilla
ifupdown2:
0001-don-t-remove-tap-veth-fwpr-interfaces-from-bridge-on.patch
0004-don-t-remove-bridge-is-tap-veth-are-still-plugged.patch
So check for at least 1.2.8 and the pve string in the version output.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
It's possible to have a situation where the cluster network (used for
inter-OSD traffic) is not configured on a node. The OSD can still be
created but can't communicate.
This check will abort the creation if there is no IP within the subnet
of the cluster network present on the node. If there is no dedicated
cluster network the public network is used as a failsafe even though
this situation should not occur.
Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
Ceph MGR fails to start when installed on a node without existing
symlink to /etc/pve/ceph.conf.
Signed-off-by: Alwin Antreich <a.antreich@proxmox.com>
To make it backward compaitble. NBo real harm without this, but lots
of ugly undefiend $val warnings...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Just because OVS is installed it doesn't mean that OVS interface
(changes) are configured - so check for that.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
the code returns undef in case there is no 'tos', and the code
calling this api call handles a non-existing tos already, but
fails in that case becasue of the failing return value verification
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
It's a bit hard to figure out the exact constellation required for
this to happen, but we saw it in live systems when one node was dead
in a three node cluster.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
include the version as string and as parts, as we do the split
already. Also include the build commit, so if we re-release a ceph
version, we can differ here too.
Use node as key, to make the new entry a bit more general, could be
easily expanded with other infos, if required.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Removed in commit fcb8022169 as we
wanted to re-use Debian Busters upstream version, but we re-uploaded
our own again. And besides that, this version would be still
interesting if it was not uploaded by us..
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This moves the cfs register code for vzdump.cron to the
pve-guest-common package. Therefore, it relies on the corresponding
patches in pve-guest-common and pve-docs as build dependencies.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
commit 2d2ed7ab53 had a valid cause but
unnecessarily used the static PVE::AccessControl::check_permissions.
As the RPCEnvironment based check method has a "$noerr" parameter and
we already have a rpcenv instance readily available, we can use that
one just fine.
this is the last caller of PVE::AccessControl::check_permissions(),
which is the last caller of PVE::AccessControl::permission(). both can
thus be dropped altogether.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
It was intended that for partitioned disks, we create one and use it.
Instead the code died always when the disk was used and not of type 'LVM'
We now check correctly the 2 cases:
* used for partitions and has gpt
* used and lvm
The remaining api call handles those two cases correctly
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
If you updated a job in "exclude" mode with some VMIDs specified to "pool" mode,
the backup job would retain the "exclude" section and thus not back up all VMs.
The GUI misrepresents this, showing that all VMs will be backed up or
straight up break and show "exclude" mode again, with the backend still
being on "pool" - to prevent this, we always delete a jobs "exclude" list
when it's switched to "pool".
Co-authored-by: Tim Marx <t.marx@proxmox.com>
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
This was previously gated to CLI only, but it causes a vzdump job
started with the newly introduced "Run Now" button to fail if it
includes VMIDs on other nodes.
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
use PUT for setting or unsetting, as POST/DELETE (like the old node
specific API used) makes no sense. One does not creates or deletes
the flag, they are always here. One just updates their value
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Add a new private helper which just does that for us, to avoid having
the same, or multiple implementations doing the same thing.
Allow to pass the $rados for sharing the same connection but also
just create it else for convenience
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
this api call can set multiple flags at once, but does this in a
worker since this can take quiet some time
also we only set/unset flags that are not already set/unset (respectively)
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
we want a GET api call where we return all available flags with
description, but the GET 'flags' api call already returns a string
and not an array, so we cannot use that
instead, we add a new api call that returns that feature and
with e.g. pve 7 we can remove the 'flags' api call and
rename 'flags2' to 'flags'
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
this is used to generate the paramters for the set/unset api call
and will be used for the parameters of the upcoming 'set multiple flags' call
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
we want to improve the version hints in the osd tree gui and need
the version at the host nodes
we could (and want to) workaround it in the gui to have that
info for both versions of the api call
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
commit 970f96fdbb did not account for
getting the correct size parameter from the api call, so we ignored
it always resulting in uses not be able to set an explicit db/wal
size
Originally-fixed-by: Dominik Csapak <d.csapak@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
instead of silently ignoring them. since we are in a task worker here
this is especially important - otherwise the task status/result is also
wrong!
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
nautilus puts non running monitors also in the monmap, so only show
as running when it has quorum
this is also not 100% correct, but the only 'correct' alternative is
to try and get/parse the systemd status of the units and broadcast it
to the pmxcfs
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
this fixes an issue where only one monitor is in mon_host, which is
offline, prevents a client connection
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
if auth is 'none' there is no client keyring, so do not generate it and
do not write it into the config
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
ms_bind_ipv4 is default true and osds look for both
ipv6 and ipv4 addresses in cluster network/public network
since we only allow for one network each (which must be either
ipv4 or ipv6) we disallow ipv4 if ipv6 is detected
this fixes not starting osds on an ipv6 enabled, newly-setup cluster
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
when there is no 'public_network' in the config, the monitor
can only find an ip if it is given explicitly, either via commandline
(not possible with systemd) or via the ceph.conf
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
a 'mon remove' does this already for us, so do not stop it
this lead to a race where we could stop the next to the last monitor
before it was removed from the cluster, leading to a state
where two monitor were needed for quorum, but only one did exist
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
we need to remove an ip, ip:port or a ipvector from monhost
so use multiple regex search and replaces for this
this looks not really nice, but due to the strange format
of the line (e.g. ',' is a seperator inside and outside of a vector,
also ipv6 adresses may be surrounded with [] but so are vectors),
i found no better way
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
otherwise it is possible that multiple users create monitors at the same
time, resulting in a wrong ceph.conf and probably worse
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
in nautilus, the default msgr protocol is v2, but it has to be
explicitely given to monmaptool, also we don't want to use the
monitor sections anymore so only update mon_host
ceph can cope with mixed mon_host and monitor sections, so this is
not a problem
also the ceph-create-keys part is not necessary anymore since
this is done by the monitor itself now
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
by using our new 'get_services_info'
this already checks for nautilus+ style 'mon_host' key in the ceph.conf
for the ip address
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
it makes no sense to have the mon key inside the client.admin.keyring
also the order and operations did not make much sense
also create the client admin keyring when creating the config
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
if we already have a monitor, we can try to get the public_network via
the ceph configuration database
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
in a case where we cannot connect to any monitor, we did not get
any info even if we have them via the pmxcfs
so get the RADOS object in an eval, and get the info we have from the
config/pmxcfs, and set the state to unknown if we cannot query via RADOS
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
since we do not support creating filestore osds anymore, drop
the journal size from the config
and move the keyring from global to client
this makes it possible to omit the osd keyring path
(which was the default but got overwritten from the global section)
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
ifupdown2 reload can't work with openswitch until we implement
ovs.
I don't think that too much users are mixing ovs && bridge anyway.
It's possible to use ifupdown2 with ovs for ifup/down with ifupdown script,
but config need to be changed, and I don't have tested too much.
(maybe add a conflict in ifupdown2 package with openvswitch package for now)
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
This was for vxlan interfaces and fixed in ifupdown2 with my last patches.
simply reload network, and if we still have errors, we can use ifquery to check them later
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
using the new get_guest_config_property helper from pve-cluster,
which allows us to get this info with relatively low overhead.
With a somewhat realistic setup of 303 guest configurations here my
API call timing changes from ~ 24 to 26 ms without this to 26 to 28
ms with this patch applied, which seems reasonable.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
ceph luminous does not use the 'name' property in the metadata
everywhere, so fall back to 'id'
this makes the ceph dashboard usable while having still luminous
(relevant for upgrading)
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
