From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] superseded: [RFC common/firewall/manager/network/proxmox{-ve-rs, -firewall} 0/7] NIC renaming mitigations
Date: Wed, 16 Jul 2025 17:19:14 +0200
Message-ID: <6dd07fe9-a1a0-46b8-a73b-b277f6cf0a83@proxmox.com>
In-Reply-To: <20250709194526.560709-1-s.hanreich@proxmox.com>
https://lore.proxmox.com/pve-devel/20250716151815.348161-1-s.hanreich@proxmox.com/
On 7/9/25 21:45, Stefan Hanreich wrote:
> This patch series contains the following features:
> * transparent altname support for {pve, proxmox}-firewall and pve-network
> * pveeth tool for pinning NIC names
>
> Both are features aimed at mitigating the fallout caused from changing network
> interface names. Sending it as an RFC, since I will be gone for a few days and
> wanted to publish my current state to start some discussion on the approaches
> I've taken with the tools and possible additions / changes. Nothing in here is
> final or particularly polished.
>
> Both patch series only received rudimentary testing and are work in progress, so
> use at your own risk, I am not responsible for any broken hosts / VMs.
>
> For more information on the pveeth tool, see the respective commit.
>
> TODO:
> * possibly change wakeonlan setting in node config
> * decide on how to handle host.fw / cluster.fw:
>
> cluster.fw cannot be automatically updated, since the generated mapping might
> differ from the one generated on other nodes. One possibility would be to
> generate the mapping for the NICs one-by-one on each host, thus ensuring a
> consistent name on all nodes. Then add a flag that overwrites cluster.fw.
>
> cluster/host.fw is the only configuration file that gets applied immediately
> when updating it, since the firewall continuously polls this file and applies the
> settings. We could add the new name as altname via ip link, ensuring that the
> firewall rules still work before *and* after reboot. Shouldn't be too hard to
> add (possibly with a flag). This is possible because of the new altname support
> in {pve, proxmox}-firewall.
>
> * update detection of physical NICs
>
> We currently rely on the PHYSICAL_NIC_RE to detect physical network interfaces.
> We could instead use the ip link output for determining whether an interface is
> physical or not. This works in every case, except for PullMetric.pm. For this we
> could introduce another variable and fall back on the old logic depending on its
> existence. Maybe someone with more knowledge on the metrics system can chime in
> here. I have patches for this on my staff repo in case you are interested:
>
> pve-manager:physical-nic-re
> pve-common:physical-nic-re
>
> pve-common:
>
> Stefan Hanreich (2):
> network: add ip link and altname helpers
> network: add nic prefix to physical nic regex
>
> src/PVE/Network.pm | 47 +++++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 46 insertions(+), 1 deletion(-)
>
>
> proxmox-ve-rs:
>
> Stefan Hanreich (1):
> config: ip link struct
>
> proxmox-ve-config/src/host/mod.rs | 1 +
> proxmox-ve-config/src/host/network.rs | 35 +++++++++++++++++++++++++++
> 2 files changed, 36 insertions(+)
> create mode 100644 proxmox-ve-config/src/host/network.rs
>
>
> proxmox-firewall:
>
> Stefan Hanreich (1):
> firewall: add altname support for firewall rules
>
> proxmox-firewall/src/config.rs | 29 +++++++++++++++++++++
> proxmox-firewall/src/rule.rs | 6 ++++-
> proxmox-firewall/tests/integration_tests.rs | 7 +++++
> 3 files changed, 41 insertions(+), 1 deletion(-)
>
>
> pve-firewall:
>
> Stefan Hanreich (1):
> firewall: add altname support
>
> src/PVE/Firewall.pm | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
>
> pve-network:
>
> Stefan Hanreich (1):
> controllers: isis: add altname support
>
> src/PVE/Network/SDN/Controllers/IsisPlugin.pm | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
>
> pve-manager:
>
> Stefan Hanreich (1):
> cli: add pveeth
>
> PVE/CLI/Makefile | 1 +
> PVE/CLI/pveeth.pm | 538 ++++++++++++++++++++++++++++++++++++++++++++++
> bin/Makefile | 5 +
> bin/pveeth | 8 +
> 4 files changed, 552 insertions(+)
> create mode 100644 PVE/CLI/pveeth.pm
> create mode 100644 bin/pveeth
>
>
> Summary over all repositories:
> 12 files changed, 684 insertions(+), 5 deletions(-)
>
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
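
The cover letter quoted above proposes resolving interface names in firewall rules through altnames so that rules keep matching after a NIC is renamed. The following is an added example, not code from the patch series: it builds a name index from `ip -json link show` output and flags rules whose interface name no link carries. The sample link data, the `(rule id, interface)` rule format and the function names are constructed for illustration.

```python
import json

# Constructed sample of `ip -json link show` output (not from the original post).
# Assumption: iproute2 lists alternative names under the "altnames" key.
SAMPLE_IP_LINK = json.dumps([
    {"ifindex": 1, "ifname": "lo", "link_type": "loopback"},
    {"ifindex": 2, "ifname": "nic0", "link_type": "ether",
     "altnames": ["enp1s0", "eno1"]},
    {"ifindex": 3, "ifname": "enp2s0f0", "link_type": "ether"},
])

# Constructed (rule id, interface) pairs standing in for iface-bound firewall rules.
SAMPLE_RULES = [("r1", "eno1"), ("r2", "enp2s0f0"), ("r3", "ens18"), ("r4", "nic0")]


def build_name_index(ip_link_json):
    """Map every primary name and altname to the link's primary ifname."""
    index = {}
    for link in json.loads(ip_link_json):
        primary = link["ifname"]
        for name in [primary, *link.get("altnames", [])]:
            # A name claimed by two links would make rule matching ambiguous.
            if index.setdefault(name, primary) != primary:
                raise ValueError(f"{name!r} maps to {index[name]!r} and {primary!r}")
    return index


def audit_rules(rules, index):
    """Split rules into resolved (rule, primary ifname) and unresolved ones."""
    resolved, unresolved = [], []
    for rule_id, iface in rules:
        if iface in index:
            resolved.append((rule_id, index[iface]))
        else:
            # Rule references a name no link carries: it would match nothing.
            unresolved.append((rule_id, iface))
    return resolved, unresolved


if __name__ == "__main__":
    ok, stale = audit_rules(SAMPLE_RULES, build_name_index(SAMPLE_IP_LINK))
    print("resolved:", ok)
    print("stale   :", stale)
```

Running such an audit before and after a rename shows which interface-bound rules would stop matching, which is the failure the altname fallback is meant to prevent.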