This patch fixes a regression for hosts disabling ipv6 via kernel
commandline ('ipv6.disable=1') introduced in commit
e224b7d2e6
(disabling IPv6 via sysctl did not exhibit these problems)
by hardcoding the address to '::', pveproxy and spiceproxy failed to
start with:
'unable to create socket - Address family not supported by protocol'
This patch depends on the commit in pve-common, which tries first
binding to '::' and then falling back to '0.0.0.0', and needs a
versioned dependency bump on libpve-common-perl.
With this patch the listening addresses are (`ss -tlnp |grep 8006` output)
* ipv6 disabled via kernel cmdline: '0.0.0.0:8006'
* sysctl net.ipv6.conf.all.disable_ipv6=1: '*:8006'
* sysctl net.ipv6.bindv6only=1: '[::]:8006'
* else: '*:8006'
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
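
The bind order described in the commit message above (first '::', then '0.0.0.0'), as an added Perl example. It is not code from pve-common or pve-manager; the helper name create_wildcard_listener and the use of port 0 for the demo are assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from pve-common or pve-manager.
use strict;
use warnings;
use IO::Socket::IP;
use Socket qw(PF_INET PF_INET6 SOMAXCONN);

# Hypothetical helper: bind the wildcard address, preferring '::' and falling
# back to '0.0.0.0' when the IPv6 socket cannot be created, for example when
# the kernel was booted with ipv6.disable=1.
sub create_wildcard_listener {
    my ($port) = @_;
    my @errors;
    for my $try (['::', PF_INET6], ['0.0.0.0', PF_INET]) {
        my ($host, $family) = @$try;
        my $sock = IO::Socket::IP->new(
            LocalHost => $host,
            LocalPort => $port,
            Family    => $family,
            Proto     => 'tcp',
            Listen    => SOMAXCONN,
            ReuseAddr => 1,
        );
        return $sock if $sock;
        # Keep the reason so a total failure names both attempts.
        push @errors, "$host: $@";
    }
    die "unable to create socket - " . join('; ', @errors) . "\n";
}

# Port 0 lets the kernel pick a free port, so the demo never collides with
# a running service.
my $sock = create_wildcard_listener(0);
printf "listening on %s port %d\n", $sock->sockhost, $sock->sockport;
```

Which address family the listener ends up on decides where the API port is reachable, so it is worth confirming with `ss -tlnp` after changing any IPv6 setting.
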
The $host variable is set to "::0" by default to listen on wildcard
(with 'Domain' => PF_INET6).
If 'LISTEN_IP' is defined in /etc/default/pveproxy, that IP will be used
instead.
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
Since pve-container commit
c48a25452dccca37b3915e49b7618f6880aeafb1
the code to get the cpuset controller path lives in pve-common's PVE::CGroup.
Use that and improve the logging in case some error happens in the future.
Such an error will only be logged once per pvestatd run,
so it does not spam the log.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
This uses the newly introduced PVE::LXC::CGroup's
cpuset_controller_path() method to find the controller path,
so we need to depend on the newer pve-container package.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
pvestatd will check if the KVM version has changed using
kvm_user_version (which automatically clears its cache if QEMU/KVM
updates), and if it has, query supported CPU flags and broadcast them as
key-value pairs to the cluster.
If detection fails, we clear the kv-store and set up a delay (120s), to not
try again too quickly.
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
Commit 0dd73a7fec (statd: refactor update_node_status) changed $target
in pvestatd's auto_balloning sub into a variable:
    my $target = int($res->{$vmid});
but then uses it in a string as a parameter to the $log function:
    $log->("BALLOON $vmid to $target (%d)\n", $target - $current);
This surprisingly causes the variable to be incorrectly converted into a
JSON string by perl's to_json (called in QMPClient after mon_cmd):
    {"value":"1234"}
instead of
    {"value":1234}
which causes QEMU to report the parameter as invalid:
    "Invalid parameter type for 'value', expected: integer"
This behaviour is made even trickier, since $target internally is still
considered more of an 'int' (although that's a weak claim in perl
anyway), showing up without quotes in Dumper et al. - but the perldoc
for to_json sheds some light:
    simple scalars
    Simple Perl scalars (any scalar that is not a reference) are the
    most difficult objects to encode: this module will encode undefined
    scalars as JSON "null" values, scalars that have last been used in a
    string context before encoding as JSON strings, and anything else as
    number value
So coerce to_json to treat $target as an integer by using it as one and
everything is fine again.
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
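
The scalar-typing behaviour described in the commit message above, as an added Perl example. It is not code from pve-manager or QMPClient; it uses the core JSON::PP module in place of to_json, the helpers encodes_as_number and as_json_int are hypothetical, and the VMID and target values are constructed. What the second encode prints can depend on the Perl and JSON module versions installed, which is why the script checks the result instead of assuming it.

```perl
#!/usr/bin/perl
# Added example, not code from pve-manager.
use strict;
use warnings;
use JSON::PP;    # core module, stands in for the to_json call in QMPClient

my $json = JSON::PP->new->canonical;

# Hypothetical helper: true if the encoder emits $value as a bare JSON number
# (no quotes anywhere in the encoded one-element array).
sub encodes_as_number {
    my ($value) = @_;
    return $json->encode([$value]) !~ /"/;
}

# Hypothetical helper: validate a value bound for an integer field and return
# a fresh numeric scalar, regardless of how the original was used before.
sub as_json_int {
    my ($value) = @_;
    die "not an integer: " . ($value // 'undef') . "\n"
        if !defined($value) || $value !~ /^-?\d+$/;
    return int($value);
}

# Constructed sample values.
my $vmid   = 100;
my $target = int("1234");

printf "fresh int:           %s\n", $json->encode({ value => $target });

# String context, as in the $log call quoted in the commit message.
my $line = "BALLOON $vmid to $target\n";

printf "after interpolation: %s\n", $json->encode({ value => $target });
printf "coerced with int():  %s\n",
    $json->encode({ value => as_json_int($target) });

# A check like this in a test suite catches the regression before QEMU does.
warn "\$target would be sent as a JSON string\n"
    unless encodes_as_number($target);
die "coercion failed\n"
    unless encodes_as_number(as_json_int($target));
```
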
it seems that we have a reference leak or the like somewhere in the
(graphite?) status plugin, while the recent transaction based update
mechanism made it slightly better, it's still bad with a lot of VMs..
Until we can track that down, or abandon perl for good, avoid too
frequent restarts by allowing statd to grow 15 MB of memory usage
after initial calibration (its memory usage at the 10th cycle)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
For now it only handles the plugin registration and the two recently
integrated helpers.
But, this is a preparation to move the external metrics server
update mechanic from a stateless always-newly-connect-send-disconnect
to a stateful transaction based mechanism; see later patches
keep the PVE::Status::Plugin use in pvestatd, as we read the cfs
hosted status.cfg there, and the parser is defined by the common
status plugin base module.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
include the version as string and as parts, as we do the split
already. Also include the build commit, so if we re-release a ceph
version, we can differ here too.
Use node as key, to make the new entry a bit more general, could be
easily expanded with other infos, if required.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Avoids the need to stop the current pveproxy and restart it in debug
mode, if one wants to get the debug un-minified sources for ExtJS,
for example.
For a local PVE instance the following URL would ensure you load the
debug sources:
https://localhost:8006/?debug#v1:0:18:4:25:19::8:20:28
For convenience allow to omit the parameter's value, and default to
true, iow, ?debug and ?debug=1 are the same, one could force it off -
even if the server was started in debug mode - by using ?debug=0
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
and use the broadcast when a service is added/removed
we will use 'get_cluster_service' in the future when we generate a list
of services of a specific type
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
With commit a74ba607d4 we switched over
to using the dpkg-dev provided helpers to set package version,
architecture and such in the buildsystem.
But unlike other repositories we used the version also for giving it
back over the API through the during build generated PVE::pvecfg
module, which wasn't fully updated to the new style.
This patch does that, and also cleans up semantics a bit, the
following two changed:
* release is now the Debian release, instead of the "package release"
  (i.e., the -X part of a full package version).
* version is now simply the full (pve-manager) version, e.g., 6.0-1 or
  the currently for testing used 6.0-0+1
This allows to do everything we used this information for even in a
slightly easier way (no string concat needed anymore), and fits also
with the terminology we often used in our public channels (mailing
lists, forum, website)
Remove some cruft as we touch things.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
read_proxy_conf was moved to the new PVE::ApiServer::Utils so that it
can be reused by other apiservers (e.g., PMG one). Use that one, so
that we can remove it here later
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
disabling http compression is considered good practice and certain TLS-testing
scripts/sites lower the security rating if it's enabled.
compression is still on by default for the potential speed/performance gain.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
fix #2069 (the report includes rationale and also information on test-cases).
Tested by:
* running testssl.sh [0]
* enabling this setting (our default cipherlist prefers AES256,
chromium on stretch AES128)
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
The default CIPHERS allowed for a fair amount of not really considered
secure anymore connections. This updated cipher list is taken from
mozilla: https://wiki.mozilla.org/Security/Server_Side_TLS
Signed-off-by: Rhonda D'Vine <rhonda@proxmox.com>
if we do not have a language cookie, try to read
the language from the datacenter.cfg and fall back to 'en'
also set it into the 'Proxmox' object, so that the gui can show it
in the LoginWindow
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
allows us to remove the external loading of extjs from the cloudflare
cdn in pve-docs easier with having the external hosted version in
mind.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
we will use components from proxmox-widget-toolkit rather than
directly from pve-manager
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
we do not set an Expire header for our js files, and certain browsers
do not even make the request then (on which we would answer
with a correct 304 not modified)
so to force the browser to load a new version of the gui when we change
something, we add the package version as a get parameter
when doing this, the browsers still cache the file, until the get
parameter changes, which is exactly what we want
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
instead of having font-awesome copied into the repository,
depend on the debian package 'fonts-font-awesome', which provides all we
need
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
We're already limiting CPUs to lxc/cpuset.effective_cpus,
so let's use the highest cpuid from that set as a maximum to
initialize the container count array.