Stefan Hanreich [Mon, 10 Mar 2025 08:50:56 +0000 (09:50 +0100)]
ipam: netbox: factor out common api methods and unify error handling
Create a helper method that abstracts the common code used in making
netbox requests. Move all api_request incovations over to using the
helper method. This saves us from writing lots of repeated code.
This also updates the helpers and introduces error checking there.
Helpers didn't catch any errors and the invoking methods didn't as
well. This meant that functions with $noerr set to 1 would still error
out. We now pass $noerr to the helper functions and they behave the
same as the parent methods. This requires some additional checks in
the call sites of the helpers.
Also canonicalize all URLs, since Netbox does that and it saves us a
redirect.
d/control: break the circular build-dependency with pve-firewall, and more
Currently pve-network has a (versioned) build-dep of pve-firewall, which has
a (versioned) runtime dependency of a newer version of libpve-network-perl,
which is not available because it has not been built. It turns out that
pve-firewall is only needed in testing, so let's only pull it in if
we don't use the "nocheck" build profile so that we can actually build
pve-network from source.
perl is a build-essential so no need to add it in build-deps.
dns: powerdns: correctly handle different records types (A / AAAA)
This fixes an issue with dual stacking, when using a zone with both a
IPv4 and IPv6 subnet and the same DNS suffix, pve-network will try to
set both DNS records (type A and AAAA) in the same powerdns rrset,
causing an API error, and effectively causing no forward DNS records
being created.
This change edits the `get_zone_rrset` function so that it takes the
DNS record type into account.
Signed-off-by: Matthieu Pignolet <m@mpgn.dev> Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
[TL: wrap commit message] Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Hannes Duerr [Mon, 10 Feb 2025 14:19:31 +0000 (15:19 +0100)]
dns: powerdns integration: add fingerprint option to api requests
Signed-off-by: Hannes Duerr <h.duerr@proxmox.com> Tested-by: Stefan Hanreich <s.hanreich@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Hannes Duerr [Mon, 10 Feb 2025 14:19:30 +0000 (15:19 +0100)]
ipam: dns base plugin: add fingerprint to available properties
Signed-off-by: Hannes Duerr <h.duerr@proxmox.com> Tested-by: Stefan Hanreich <s.hanreich@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Hannes Duerr [Mon, 10 Feb 2025 14:19:29 +0000 (15:19 +0100)]
ipam: netbox integration: add fingerprint option to api requests
Signed-off-by: Hannes Duerr <h.duerr@proxmox.com> Tested-by: Stefan Hanreich <s.hanreich@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Hannes Duerr [Mon, 10 Feb 2025 14:19:28 +0000 (15:19 +0100)]
ipam: phpIPAM integration: add fingerprint option to api requests
Signed-off-by: Hannes Duerr <h.duerr@proxmox.com> Tested-by: Stefan Hanreich <s.hanreich@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Hannes Duerr [Mon, 10 Feb 2025 14:19:26 +0000 (15:19 +0100)]
ipam: base plugin: add fingerprint to available properties
Signed-off-by: Hannes Duerr <h.duerr@proxmox.com> Tested-by: Stefan Hanreich <s.hanreich@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Hannes Duerr [Mon, 10 Feb 2025 14:19:25 +0000 (15:19 +0100)]
api request helper: enforce TLS cert-check and add cert-fingerprint option
Currently, we do not verify the TLS certificate for API requests
external IPAM and DNS integration. This could allow man-in-the-middle
attacks, albeit most IPAM infrastructure is on controlled and isolated
LANs, so it's not something that should frequently happen; and
technically our IPAM integration is still marked as tech-preview,
which had its reasons.
Enforce verification, and allow users to pass a cert SHA256
fingerprint to ensure a certificates validity if it's not trusted by
the system trust store, as it's, e.g., the case for self-signed certs.
The code was adapted from the one in pve-apiclient, which we cannot
reuse directly as it is only implemented for requests against PVE
nodes, not as a generic HTTP client request helper.
Add the new dependency `libio-socket-ssl-perl` required to get the
verify callback for the TLS certificate used for cert-fingerprint
checking.
Signed-off-by: Hannes Duerr <h.duerr@proxmox.com> Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
[TL: return valid for non-leaf certs and rewrite commit message] Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Hannes Duerr [Mon, 10 Feb 2025 14:19:24 +0000 (15:19 +0100)]
api request helper: use builtin method to check success of requests
Avoid using a regex if we have a builtin function ready to use.
Signed-off-by: Hannes Duerr <h.duerr@proxmox.com> Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
[TL: touch up commit message] Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Hannes Duerr [Mon, 10 Feb 2025 14:19:27 +0000 (15:19 +0100)]
ipam: phpIPAM: remove unused variables
Signed-off-by: Hannes Duerr <h.duerr@proxmox.com> Tested-by: Stefan Hanreich <s.hanreich@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Signed-off-by: Hannes Duerr <h.duerr@proxmox.com>
[TL: drop all other unused Dumper use statements] Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stefan Hanreich [Fri, 7 Feb 2025 13:40:37 +0000 (14:40 +0100)]
sdn: fix comparison of pending configuration values
The conditional assignment caused falsy values to be converted to
undef when comparing them. This led to the behavior that configuration
values that are interpreted by perl as falsy would get wrongly
compared and always show up as pending changes.
As an example the 'bgp-multipath-as-path-relax' or 'ebgp' keys of the
bgp controller configuration are booleans and get stored as 0 in the
controller configuration when they're turned off. They always showed
up as a pending change, because of the behavior described above.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Stoiko Ivanov [Wed, 20 Nov 2024 14:13:34 +0000 (15:13 +0100)]
d/postinst: do not break, if ipam-file moves fail
failing a package-install does not help repairing the situation - so
inform the user about the issue instead of erroring out. The copy
could fail if a node is not quorate, so writes in /etc/pve are a bit
more likely to fail
adapts the change introduced in d0628df ("debian: migrate legacy mac/ipam cache/state files")
Stefan Hanreich [Tue, 19 Nov 2024 13:30:56 +0000 (14:30 +0100)]
debian: migrate legacy mac/ipam cache/state files
We opted for a simple copy of the legacy file to the new location,
since any other migration path would be too strenuous. The worst-case
scenario of failures with this approach is losing IPAM / MAC entries
that are created during the update window in the legacy files by nodes
that are not yet updated to the new version. Those can be fixed by a
simple start / stop of the affected VMs, triggering a rewrite of the
IPAM database.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
[ TL: output message if files get moved and add todo-comment ] Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stoiko Ivanov [Mon, 18 Nov 2024 20:55:37 +0000 (21:55 +0100)]
ipam: move mac-cache.db to unprivileged sdn/ subdirectory
follows commit: 0f48bc6 ("ipam: move state file of PVE plugin over to common sdn directory")
as far as reasoning goes, and also closely code-wise (if only to make
the clean-up with PVE 9.0 a bit more straight-forward):
files in priv/ are sensitive in the sense that access there can be
used to hijack (external systems) - the mac-cache can be kept next to
the remaining sdn-config.
minimally tested on my machine.
depends on the pve-cluster commit sent with this.
Thomas Lamprecht [Mon, 18 Nov 2024 17:17:18 +0000 (18:17 +0100)]
split into implementation and API endpoint packages
To better handle the case where firewall requires to parse the SDN
config and this package here would like to mount some vnet specific
firewall endpoints, without a split we got a cyclic dependency here,
and those are painful, especially on bootstrapping.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This allow to drop traffic between all ports having isolation enabled
on the local bridge, but allow traffic with non isolated ports.
Here,we isolate traffic between vms but allow traffic coming from outside.
Main usage is for layer3 routed or natted setup, but some users have requested it
for layer2/bridge network with proxy arp.
So we can enable it at vnet level.
Signed-off-by: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com>
[ SH: improve option naming and description slightly ] Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Thomas Lamprecht [Mon, 18 Nov 2024 15:34:37 +0000 (16:34 +0100)]
ipam: move state file of PVE plugin over to common sdn directory
This does not contain data that needs to be protected to avoid
hijacking (external) systems, like our credentials for certain storage
types or encryption keys, so placing it in the strictly root-only
'priv/' folder was always a bit overkill.
Now we want to make the firewall more SDN aware and thus need also to
parse the SDN config there. This means having to also read the IPAM
statefile here, and as of now we would need to move over quite a few
API endpoints to be proxied to the privileged pvedaemon running as
root, as otherwise they would fail to read the full SDN config & state
required.
That is not a big problem, but it's also not really nice, we got the
privilege separation for a reason after all. Thus, move the backing
file for the PVE IPAM plugin state over to the general /etc/pve/sdn
path, where www-data (and thus pveproxy) can read it, but still not
write it. Fallback to the old location for backward compatibility.
This way the file will be automatically written to the new place on
the first change. This is not fool-proof, but there's only so much we
can do here to support a sane upgrade path, so fall back to a base
requirement of all cluster nodes using the same package versions.
FWIW, Stefan Hanreich tested a very similar diff I sent to him
off-list, but it was not close enough to add a T-b now.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stefan Lendl [Fri, 5 Apr 2024 13:18:05 +0000 (15:18 +0200)]
tests: remove old Vnets tests
The did not work and were primarily testing against internal state.
Signed-off-by: Stefan Lendl <s.lendl@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com> Tested-by: Max Carrara <m.carrara@proxmox.com> Reviewed-by: Stefan Hanreich <s.hanreich@proxmox.com> Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Lendl [Fri, 5 Apr 2024 13:18:04 +0000 (15:18 +0200)]
tests: test VNets functionality as a blackbox
Add several tests for Vnets in test_vnets_blackbox. State setup as well
as testing results is done only via the API to test on the API
boundaries not not against the internal state. Internal state is mocked
to avoid requiring access to system files or pmxcfs.
Mocking is done by reading and writing to a hash that holds the entire
state of SDN. The state is reset after every test run.
Testing is done via helper functions: nic_join and nic_start.
When a nic joins a Vnet, currently it always - and only - calls
add_next_free_cidr(). The same is true if a nic starts on Vnet, which
only calles add_dhcp_mapping.
These test functions homogenize the parameter list in contrast to the
current calls to the current functions. The intention for the functions
is that they can be moved to Vnets.pm to be called from QemuServer and
LXC!
The tests are composed of a test function which can be parameterized. To
call the test function, the run_test function takes the function pointer
and passes the rest of the arguments to the test functions. It also
takes care of resetting the test state.
This allows fine-grained parameterization per-test directly in the code
instead of separated files that require the entire state to be passed
in.
The tests setup the SDN by creating a simple zone and a simple vnet. The
nic_join and nic_start function is called with different subnet
configuration wiht and without a dhcp-range configured and with or
without an already present IP in the IPAM.
Signed-off-by: Stefan Lendl <s.lendl@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com> Tested-by: Max Carrara <m.carrara@proxmox.com> Reviewed-by: Stefan Hanreich <s.hanreich@proxmox.com> Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Lendl [Fri, 5 Apr 2024 13:18:03 +0000 (15:18 +0200)]
debian: blackbox tests depend on libpve-access-control at build
For mocking RPCEnvironment in sbuild.
Signed-off-by: Stefan Lendl <s.lendl@proxmox.com> Reviewed-by: Stefan Hanreich <s.hanreich@proxmox.com> Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Lendl [Fri, 5 Apr 2024 13:18:02 +0000 (15:18 +0200)]
sdn: api: extract function that creates the sdn directory.
create_etc_interfaces_sdn_dir creates the /etc/pve/sdn directory.
This allows mocking in tests to prevent system fs access in tests
Signed-off-by: Stefan Lendl <s.lendl@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com> Tested-by: Max Carrara <m.carrara@proxmox.com> Reviewed-by: Stefan Hanreich <s.hanreich@proxmox.com> Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Lendl [Fri, 5 Apr 2024 13:18:01 +0000 (15:18 +0200)]
sdn: dnsmasq: extract function that updates dnsmasq lease via dbus
Extract the dbus based interactions with dnsmasq so that it can be
mocked in tests.
Signed-off-by: Stefan Lendl <s.lendl@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com> Tested-by: Max Carrara <m.carrara@proxmox.com> Reviewed-by: Stefan Hanreich <s.hanreich@proxmox.com> Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Lendl [Fri, 5 Apr 2024 13:18:00 +0000 (15:18 +0200)]
sdn: dnsmasq: extract function that generates the ethers file path
Extracted to a function so it can be mocked in tests.
Signed-off-by: Stefan Lendl <s.lendl@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com> Tested-by: Max Carrara <m.carrara@proxmox.com> Reviewed-by: Stefan Hanreich <s.hanreich@proxmox.com> Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Lendl [Fri, 5 Apr 2024 13:17:59 +0000 (15:17 +0200)]
dns: dnsmasq: extract function to systemctl command.
systemctl_service() is a wrapper around PVE::Tools::run_command to allow
mocking the systemctl interactions in tests.
Signed-off-by: Stefan Lendl <s.lendl@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com> Tested-by: Max Carrara <m.carrara@proxmox.com> Reviewed-by: Stefan Hanreich <s.hanreich@proxmox.com> Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Lendl [Fri, 5 Apr 2024 13:17:58 +0000 (15:17 +0200)]
sdn: zones: extract function that reads datacenter config
The datacenter_config() functions in SDN::Zones::Plugin is a simple
wrapper that reads datacenter.cfg via cfs.
This allows mocking datacenter.cfg in tests.
Signed-off-by: Stefan Lendl <s.lendl@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com> Tested-by: Max Carrara <m.carrara@proxmox.com> Reviewed-by: Stefan Hanreich <s.hanreich@proxmox.com> Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Hanreich [Fri, 5 Apr 2024 13:17:57 +0000 (15:17 +0200)]
sdn: dhcp: rollback allocated ips on failure
If DHCP is configured for IPv4 and IPv6, failing to obtain an IPv6 IP
does not roll back the allocation made for IPv4. This patch rolls back
any changes made in case of failure, so that IP allocation is actually
atomic.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Reviewed-by: Stefan Lendl <s.lendl@proxmox.com> Tested-by: Stefan Lendl <s.lendl@proxmox.com> Signed-off-by: Stefan Lendl <s.lendl@proxmox.com>
Stefan Hanreich [Fri, 5 Apr 2024 13:17:56 +0000 (15:17 +0200)]
sdn: dhcp: only consider subnets that have dhcp-range configured
If DHCP is enabled on a zone with subnets, but no subnet has a
dhcp-range configured, then starting a VM will fail because no IP can
be allocated. This patch fixes this by only considering subnets that
have a dhcp-range configured and only failing if there is at least one
subnet with a dhcp-range configured.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Reviewed-by: Stefan Lendl <s.lendl@proxmox.com> Tested-by: Stefan Lendl <s.lendl@proxmox.com> Signed-off-by: Stefan Lendl <s.lendl@proxmox.com>
Stefan Lendl [Fri, 5 Apr 2024 13:17:55 +0000 (15:17 +0200)]
sdn: dhcp: request both IPv4 and IPv6 addresses on VM start
If previously an IP was allocated in the IPAM, but a new subnet added
for the other IP version, we need to allocate an IP in the new subnet.
Signed-off-by: Stefan Lendl <s.lendl@proxmox.com> Reviewed-by: Stefan Hanreich <s.hanreich@proxmox.com> Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Lendl [Fri, 5 Apr 2024 13:17:54 +0000 (15:17 +0200)]
sdn: dhcp: get next free ip for a specific IP version
Specify the IP version (4|6) for which an IP shall be requested from the IPAM.
Signed-off-by: Stefan Lendl <s.lendl@proxmox.com> Reviewed-by: Stefan Hanreich <s.hanreich@proxmox.com> Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Lendl [Tue, 2 Apr 2024 11:07:41 +0000 (13:07 +0200)]
tests: run tests in sbuild
Signed-off-by: Stefan Lendl <s.lendl@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com> Tested-by: Max Carrara <m.carrara@proxmox.com> Tested-By: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Lendl [Tue, 2 Apr 2024 11:07:40 +0000 (13:07 +0200)]
tests: mocking more functions to avoid system access
previously extracted functions are now mocked in the zone tests
Signed-off-by: Stefan Lendl <s.lendl@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com> Tested-by: Max Carrara <m.carrara@proxmox.com> Tested-By: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Lendl [Tue, 2 Apr 2024 11:07:39 +0000 (13:07 +0200)]
evpn: extract read_local_frr_config
to allow mocking local fs access
Signed-off-by: Stefan Lendl <s.lendl@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com> Tested-by: Max Carrara <m.carrara@proxmox.com> Tested-By: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Lendl [Tue, 2 Apr 2024 11:07:38 +0000 (13:07 +0200)]
controllers: extract read_etc_network_interfaces
to allow mocking local fs access
Signed-off-by: Stefan Lendl <s.lendl@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com> Tested-by: Max Carrara <m.carrara@proxmox.com> Tested-By: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Hanreich [Mon, 4 Mar 2024 14:11:28 +0000 (15:11 +0100)]
fix #5275: remove priority field from powerdns
Since v3.4.2 the priority field has been removed and since v4.9 they
are actively rejected by PowerDNS. Stop sending this field in order to
make the PowerDNS plugin work with versions >= 4.9 again. [1]
sdn: prefer proxy from datacenter.cfg for api calls
We only setup proxies from the environment previously, but also check
the one configured in the cluster-wide datacenter.cfg and prefer that
over anything else.
controllers: evpn: bugfix: use prefix-list in route-map instead evpn match
"match evpn" in route-map is broken since 8.5.0
https://github.com/FRRouting/frr/issues/14419
the patch
https://github.com/FRRouting/frr/commit/272c6d5db128ff7450fe9fcd16c046160594deb3
is converting type-2 && type-5 evpn routes to prefix-prefix.
(fixing prefix-list not working previously, but breaking "match evpn")
So, simply use prefix-list now, as "match epvn" was a workaround anyway.
reported on the forum, where user have routing loop between the 2 exit-nodes:
https://forum.proxmox.com/threads/sdn-with-evpn-controller-routing-loop-when-using-multiple-exit-nodes.137362/
Thomas Lamprecht [Mon, 22 Jan 2024 10:51:42 +0000 (11:51 +0100)]
buildsys: add explicit default target
Currently the dinstall was the default target due to being the first
one listed, that's rather unusual compared to all of our other repos,
so align this one to our unwritten norm of using the `deb` one as
default target.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 29 Nov 2023 10:37:05 +0000 (11:37 +0100)]
controllers: fix interfacing with read_etc_network_interfaces
While not used currently in the parser, passing 1 as file name still
makes no sense, and we might want to rework that in general, as why
does this have to use the non-inotify read path and manually open the
file.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stefan Hanreich [Tue, 28 Nov 2023 08:58:57 +0000 (09:58 +0100)]
dhcp: dnsmasq: untaint when deleting configuration files
The current invocation is quite unsafe and triggers the taint mode of
Perl that is enabled for our API daemons, but not pvesh used on
cluster-wide apply.
Replacing it with dir_glob_foreach solves those issues.
Reported-By: Friedrich Weber <f.weber@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
projects / matthieu / pve-network.git / log