From: Stefan Hanreich
To: pve-devel@lists.proxmox.com
Cc: Thomas Lamprecht
Date: Fri, 18 Jul 2025 18:26:24 +0200
Message-Id: <20250718162638.444705-5-s.hanreich@proxmox.com>
In-Reply-To: <20250718162638.444705-1-s.hanreich@proxmox.com>
References: <20250718162638.444705-1-s.hanreich@proxmox.com>
Subject: [pve-devel] [PATCH pve-manager v2 02/16] services: add pvesdncommit and pvefirewallcommit

Changes to /etc/network/interfaces already get automatically applied by pvenetcommit. In order to support automatically applying all configuration files generated by proxmox-network-interface-pinning, add two additional services that apply the SDN and the firewall configuration respectively.

If the network configuration gets automatically applied, it makes sense that the SDN configuration should also get re-applied, since it relies on the current network configuration for some features (e.g. SNAT output interface, IS-IS interface, ...).

For the firewall, the configuration file that gets automatically applied is currently only generated by proxmox-network-interface-pinning, so anyone not using that tool should see no effect at all.
They are split into their own one-shot services, since pvenetcommit needs to run before the network configuration gets loaded and applied by ifupdown2, but pvesdncommit requires the new network configuration to be already applied in order to work properly. pvefirewallcommit requires at least pmxcfs to be up and running, since it reads / writes configuration files there. Signed-off-by: Stefan Hanreich Link: https://lore.proxmox.com/20250716151815.348161-9-s.hanreich@proxmox.com Signed-off-by: Thomas Lamprecht --- bin/Makefile | 4 +++- bin/pvefirewallcommit | 14 ++++++++++++++ bin/pvesdncommit | 14 ++++++++++++++ debian/postinst | 2 +- services/Makefile | 4 +++- services/pvefirewallcommit.service | 13 +++++++++++++ services/pvesdncommit.service | 13 +++++++++++++ 7 files changed, 61 insertions(+), 3 deletions(-) create mode 100644 bin/pvefirewallcommit create mode 100644 bin/pvesdncommit create mode 100644 services/pvefirewallcommit.service create mode 100644 services/pvesdncommit.service diff --git a/bin/Makefile b/bin/Makefile index c36ac3398..2d5e6f3c5 100644 --- a/bin/Makefile +++ b/bin/Makefile @@ -29,7 +29,9 @@ SCRIPTS = \ HELPERS = \ pve-startall-delay \ - pve-init-ceph-crash + pve-init-ceph-crash \ + pvefirewallcommit \ + pvesdncommit MIGRATIONS = \ pve-lvm-disable-autoactivation diff --git a/bin/pvefirewallcommit b/bin/pvefirewallcommit new file mode 100644 index 000000000..ebcf9812d --- /dev/null +++ b/bin/pvefirewallcommit @@ -0,0 +1,14 @@ +#!/usr/bin/perl + +use strict; +use warnings; + +use PVE::INotify; + +my $local_node = PVE::INotify::nodename(); +my $current_fw_config_file = "/etc/pve/nodes/$local_node/host.fw"; +my $new_fw_config_file = "/etc/pve/nodes/$local_node/host.fw.new"; + +rename($new_fw_config_file, $current_fw_config_file) if -e $new_fw_config_file; + +exit 0; diff --git a/bin/pvesdncommit b/bin/pvesdncommit new file mode 100644 index 000000000..2654e17ed --- /dev/null +++ b/bin/pvesdncommit 
@@ -0,0 +1,14 @@ +#!/usr/bin/perl + +use strict; +use warnings; + +use PVE::Network::SDN; + +PVE::Network::SDN::commit_config(); + +PVE::Network::SDN::generate_zone_config(); +PVE::Network::SDN::generate_dhcp_config(); +PVE::Network::SDN::generate_controller_config(1); + +exit 0; diff --git a/debian/postinst b/debian/postinst index aba399045..dac40c3d8 100755 --- a/debian/postinst +++ b/debian/postinst @@ -170,7 +170,7 @@ case "$1" in # same as dh_systemd_enable (code copied) UNITS="pvedaemon.service pveproxy.service spiceproxy.service pvestatd.service pvebanner.service pvescheduler.service pve-daily-update.timer" - NO_RESTART_UNITS="pvenetcommit.service pve-guests.service" + NO_RESTART_UNITS="pvenetcommit.service pve-guests.service pvesdncommit.service pvefirewallcommit.service" for unit in ${UNITS} ${NO_RESTART_UNITS}; do deb-systemd-helper unmask "$unit" >/dev/null || true diff --git a/services/Makefile b/services/Makefile index 8a60fa9bb..b056c7c4d 100644 --- a/services/Makefile +++ b/services/Makefile @@ -13,7 +13,9 @@ SERVICES= \ pve-storage.target \ pve-daily-update.service\ pve-daily-update.timer \ - pvescheduler.service + pvescheduler.service \ + pvesdncommit.service \ + pvefirewallcommit.service .PHONY: install install: $(SERVICES) diff --git a/services/pvefirewallcommit.service b/services/pvefirewallcommit.service new file mode 100644 index 000000000..1c9a70e74 --- /dev/null +++ b/services/pvefirewallcommit.service @@ -0,0 +1,13 @@ +[Unit] +Description=Commit Proxmox VE Firewall changes +DefaultDependencies=no +Wants=pve-cluster.service +After=pve-cluster.service + +[Service] +ExecStart=/usr/share/pve-manager/helpers/pvefirewallcommit +Type=oneshot +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target diff --git a/services/pvesdncommit.service b/services/pvesdncommit.service new file mode 100644 index 000000000..b8b8c781f --- /dev/null +++ b/services/pvesdncommit.service 
@@ -0,0 +1,13 @@ +[Unit] +Description=Commit Proxmox VE SDN changes +DefaultDependencies=no +Wants=pve-cluster.service network.target +After=frr.service network.target pve-cluster.service + +[Service] +ExecStart=/usr/share/pve-manager/helpers/pvesdncommit +Type=oneshot +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target -- 2.39.5
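Review bot: In bin/pvefirewallcommit the return value of rename() is ignored and the script unconditionally ends with `exit 0;`, so a failed commit (permission problem, pmxcfs not writable) leaves host.fw.new in place while the unit still reports success and, being oneshot with RemainAfterExit=yes, is never retried. Suggest `rename($new_fw_config_file, $current_fw_config_file) or die "failed to commit firewall config: $!\n";` so the failure shows up in the unit status and the journal. Checking `-e` and then calling rename() is also a small check-then-act window; testing the rename result instead (and treating ENOENT as the nothing-to-do case) covers it without the pre-check.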
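Review bot: In bin/pvesdncommit the call `PVE::Network::SDN::generate_controller_config(1);` passes a bare `1` with no comment on what that flag means, while the two neighbouring generate_* calls take no argument; a short comment naming the parameter would help the next reader, as would one line stating why commit_config() has to run before the generate_* calls (the commit message explains the ordering against the network, the script itself does not). There is also no error handling around commit_config(); letting a die fail the oneshot unit is a reasonable choice, but a comment saying that this is the intended failure mode would make it clear it is deliberate.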
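Review bot: services/pvefirewallcommit.service sets DefaultDependencies=no but adds no `Conflicts=shutdown.target` / `Before=shutdown.target`, so the implicit shutdown ordering that systemd normally provides is lost; unless the unit is meant to run during shutdown, add those two lines (the same applies to pvesdncommit.service). The unit also orders only `After=pve-cluster.service` and declares no Before= against whatever consumes host.fw, so the firewall daemon may build its first ruleset from the old file and only pick up the committed one on its next config reload; if that window is acceptable, a comment in the unit saying so would document the intent.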
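Review bot: services/pvesdncommit.service lists frr.service in After= but not in Wants=, which is fine for an optional controller daemon, but the commit message says this unit needs the new network configuration to be already applied by ifupdown2, and `After=network.target` alone does not spell that out since network.target only marks network management as started; a comment noting that ifupdown2's networking.service orders itself before network.target, which is what this After= relies on, would make the dependency explicit. There is also no ordering against pvenetcommit.service, which the commit message names as the unit that must run first; an explicit `After=pvenetcommit.service` would make the intended sequence visible in the unit itself rather than only implied through network.target.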