From: David Riley
To: pve-devel@lists.proxmox.com
Subject: [PATCH access-control/cluster/common/manager/network/proxmox-widget-toolkit/qemu-server v2 00/10] fix #7294: pool: add SDN VNets as pool members
Date: Fri, 26 Jun 2026 15:10:25 +0200

This series implements support for adding SDN VNets to resource pools,
resolving #7294 [0]. This series depends on the v4 'fix #7520: sdn: prune
orphaned ACLs and handle VNet migrations' [1].

It does not, however, add zones as pool members as requested in #7294. Zones
currently share ACL paths for managing the zone itself and allocating VNets
within it. This makes self-service VNet management without also granting zone
management (and its associated side-effects) difficult.

This patch series extends the pool section in the user.cfg and introduces a
new network property to the pool configuration which will hold VNet entries:

* vnet//
* vnet///

The type prefix allows future extension to other network resource types.

To prevent potential data loss from overwriting newly added VNets, a
cluster-version check is added which ensures all nodes are running a version
that supports this feature.

Note: The hardcoded version guard should be updated to match the final target
release when being applied.

The existing version check helpers were moved from `qemu-server` to a new
module within `pve-cluster` to make them available for this implementation,
and any future developments that require gatekeeping. Appropriate attribution
has been included for the relocated code.
Please let me know if this organizational move aligns with current design
preferences or if additional adjustments are needed.

---

Thanks @Gabriel, @Daniel K. and @Jakob for the feedback.

Differences from v1:
- Access: Fix permissions propagation. Pool ACL paths are set up without
  propagation, therefore checking /sdn/zones/// fails even if the user has
  the permission for the base path /sdn/zones//. To allow this, the roles of
  the base VNet path are looked up if the exact tagged path is not found in
  the pool (see patch 5/9).
- API: Add a unified property string format for VNets (zone=,vnet=,tag=]),
  ensuring that zone and vnet are strictly required and coupled.
- API CLI: Add typetext to the vnet format for better error messages in the
  CLI
- API: The registered format validation for VNets and Zones now also checks
  the length.
- API: Add membership checks for network resources during add/delete
  operations (matching storage/VM behavior).
- Relocated version helpers from PVE::Cluster to PVE::Tools
- UI: Fix light mode. The icons are now light grey to match the storage and
  vm icons.
- Series is now based on v4 instead of v3 of [1]
- Minor refactors

[0] https://bugzilla.proxmox.com/show_bug.cgi?id=7294
[1] https://lore.proxmox.com/pve-devel/20260626105258.56914-1-d.riley@proxmox.com/


pve-manager:

David Riley (3):
  ui: replace var with let to match style guide for variable declaration
  fix #7294: api: pool: add SDN VNets as pool members
  fix #7294: ui: pool: add SDN VNets as pool members

 PVE/API2/Pool.pm                 | 135 +++++++++++++++++++++++++--
 www/css/ext6-pve.css             |  15 +++
 www/manager6/Utils.js            |   1 +
 www/manager6/grid/PoolMembers.js | 151 ++++++++++++++++++++++++++++---
 4 files changed, 282 insertions(+), 20 deletions(-)


proxmox-widget-toolkit:

David Riley (1):
  fix #7294: css: theme: add opacity override for pool VNet icon

 src/proxmox-dark/scss/other/_icons.scss | 12 ++++++++++++
 1 file changed, 12 insertions(+)


pve-access-control:

David Riley (1):
  fix #7294: acl: pool: add SDN VNets as pool members

 src/PVE/AccessControl.pm  | 93 ++++++++++++++++++++++++++++++++++++---
 src/PVE/RPCEnvironment.pm | 68 ++++++++++++++++++++++++++--
 src/test/parser_writer.pl | 53 ++++++++++++++++++----
 3 files changed, 198 insertions(+), 16 deletions(-)


pve-network:

David Riley (2):
  fix #7294: sdn: register api formats for zones and vnets
  fix #7294: sdn: vnet: update pool members on vnet migration and deletion

 src/PVE/Network/SDN.pm              | 15 +++++++++++++++
 src/PVE/Network/SDN/VnetPlugin.pm   | 25 ++++++++++++++++++++++---
 src/PVE/Network/SDN/Zones/Plugin.pm | 25 ++++++++++++++++++++++---
 3 files changed, 59 insertions(+), 6 deletions(-)


pve-common:

David Riley (1):
  tools: add helpers for version comparison

 src/PVE/Tools.pm | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)


pve-cluster:

David Riley (1):
  fix #7294: cluster: helpers: add cluster-wide version assertion

 src/PVE/Cluster.pm | 43 +++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 41 insertions(+), 2 deletions(-)


qemu-server:

David Riley (1):
  fix #7294: helpers: use cluster-wide version helper

 src/PVE/QemuMigrate.pm        |  3 ++-
 src/PVE/QemuServer/Helpers.pm | 42 ++---------------------------------
 2 files changed, 4 insertions(+), 41 deletions(-)


Summary over all repositories:
  15 files changed, 637 insertions(+), 85 deletions(-)

--
Generated by murpp 0.11.0
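
The base-path fallback described under "Access: Fix permissions propagation", as an added example that is not code from this series. The helper name, the data layout, the member form vnet/ZONE/VNET with an optional /TAG, and all sample values are assumptions made for illustration.

```perl
use strict;
use warnings;

# Constructed sample data, not taken from the patches. Pool members are
# "vnet/<zone>/<vnet>" with an optional "/<tag>"; roles are per user and pool.
my $pools = {
    dev => { network => { 'vnet/zone1/vnetA' => 1, 'vnet/zone1/vnetB/100' => 1 } },
};
my $pool_roles = { 'alice@pve' => { dev => ['PVESDNUser'] } };

# Hypothetical helper: roles a user gets on an SDN ACL path via pool membership.
# Pool-derived ACL entries do not propagate, so a tagged request would miss a
# pool that only lists the base VNet unless the base is checked as a fallback.
sub pool_roles_for_sdn_path {
    my ($user, $path) = @_;

    # Only /sdn/zones/<zone>/<vnet> with an optional numeric tag is handled.
    my ($zone, $vnet, $tag) = $path =~ m!^/sdn/zones/([^/]+)/([^/]+)(?:/([0-9]+))?\z!
        or return [];

    my $base = "vnet/$zone/$vnet";
    my $exact = defined($tag) ? "$base/$tag" : $base;

    my %roles;
    for my $pool (sort keys %$pools) {
        my $members = $pools->{$pool}->{network} // {};
        # Exact entry first; the base VNet only serves tagged requests.
        next if !($members->{$exact} || (defined($tag) && $members->{$base}));
        my $granted = ($pool_roles->{$user} // {})->{$pool} // [];
        $roles{$_} = 1 for @$granted;
    }
    return [sort keys %roles];
}

for my $path (
    '/sdn/zones/zone1/vnetA/42',     # base VNet is a member: fallback applies
    '/sdn/zones/zone1/vnetB/100',    # exact tagged member
    '/sdn/zones/zone1/vnetB/200',    # other tag, base not a member: no roles
    '/sdn/zones/zone1/vnetB',        # tagged member does not cover the base
) {
    my $roles = pool_roles_for_sdn_path('alice@pve', $path);
    printf "%-28s %s\n", $path, @$roles ? join(',', @$roles) : '(none)';
}
```

The last two cases are the ones to watch when reviewing such a fallback: it should widen a base-VNet membership to its tags, never widen a single tagged membership to the base VNet or to sibling tags.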