Re: [pdm-devel] [RFC datacenter-manager 3/3] api: add subscription endpoints

From: Dominik Csapak <d.csapak@proxmox.com>
To: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>,
	pdm-devel@lists.proxmox.com
Subject: Re: [pdm-devel] [RFC datacenter-manager 3/3] api: add subscription endpoints
Date: Mon, 1 Dec 2025 13:42:14 +0100	[thread overview]
Message-ID: <ec96f8d7-8fa0-4dbb-a883-9315e7970267@proxmox.com> (raw)
In-Reply-To: <20251201113917.518311-4-f.gruenbichler@proxmox.com>

some comments inline

rest LGTM

On 12/1/25 12:38 PM, Fabian Grünbichler wrote:
> for the PDM system itself, by proxy of how many of the remote nodes have valid
> subscriptions above a certain level.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
> the thresholds here are rather arbitrary of course, as is the refresh
> interval for cached subscription information..
> 
>   server/src/api/nodes/mod.rs          |   2 +
>   server/src/api/nodes/subscription.rs | 191 +++++++++++++++++++++++++++
>   server/src/api/resources.rs          |   2 +-
>   3 files changed, 194 insertions(+), 1 deletion(-)
>   create mode 100644 server/src/api/nodes/subscription.rs
> 
> diff --git a/server/src/api/nodes/mod.rs b/server/src/api/nodes/mod.rs
> index a0fe14a..3a795d6 100644
> --- a/server/src/api/nodes/mod.rs
> +++ b/server/src/api/nodes/mod.rs
> @@ -11,6 +11,7 @@ pub mod journal;
>   pub mod network;
>   pub mod rrddata;
>   pub mod status;
> +pub mod subscription;
>   pub mod syslog;
>   pub mod tasks;
>   pub mod termproxy;
> @@ -45,6 +46,7 @@ pub const SUBDIRS: SubdirMap = &sorted!([
>       ("journal", &journal::ROUTER),
>       ("network", &network::ROUTER),
>       ("rrdata", &rrddata::ROUTER),
> +    ("subscription", &subscription::ROUTER),
>       ("status", &status::ROUTER),
>       ("syslog", &syslog::ROUTER),
>       ("tasks", &tasks::ROUTER),
> diff --git a/server/src/api/nodes/subscription.rs b/server/src/api/nodes/subscription.rs
> new file mode 100644
> index 0000000..343a2c8
> --- /dev/null
> +++ b/server/src/api/nodes/subscription.rs
> @@ -0,0 +1,191 @@
> +use std::collections::HashMap;
> +
> +use anyhow::{bail, Error};
> +
> +use proxmox_router::{Permission, Router};
> +use proxmox_schema::api;
> +use proxmox_schema::api_types::NODE_SCHEMA;
> +use proxmox_subscription::files::update_apt_auth;
> +use proxmox_subscription::{SubscriptionInfo, SubscriptionStatus};
> +use proxmox_sys::fs::CreateOptions;
> +
> +use pdm_api_types::remotes::RemoteType;
> +use pdm_api_types::subscription::{
> +    NodeSubscriptionInfo, SubscriptionLevel, SubscriptionStatistics,
> +};
> +use pdm_api_types::PRIV_SYS_MODIFY;
> +
> +use crate::api::resources::get_subscription_info_for_remote;
> +
> +const PRODUCT_URL: &str = "https://www.proxmox.com/en/proxmox-datacenter-maanger/pricing";

typo:

s/maanger/manager/

> +const APT_AUTH_FN: &str = "/etc/apt/auth.conf.d/pdm.conf";
> +const APT_AUTH_URL: &str = "enterprise.proxmox.com/debian/pdm";
> +
> +// minimum ratio of nodes with active subscriptions
> +const SUBSCRIPTION_THRESHOLD: f64 = 0.9;
> +// max ratio of nodes with community subscriptions, among nodes with subscriptions
> +const COMMUNITY_THRESHOLD: f64 = 0.4;
> +
> +fn apt_auth_file_opts() -> CreateOptions {
> +    let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
> +    CreateOptions::new().perm(mode).owner(nix::unistd::ROOT)
> +}
> +
> +async fn get_all_subscription_infos(
> +) -> Result<HashMap<String, (RemoteType, HashMap<String, Option<NodeSubscriptionInfo>>)>, Error> {
> +    let (remotes_config, _digest) = pdm_config::remotes::config()?;
> +
> +    let mut subscription_info = HashMap::new();
> +    for (remote_name, remote) in remotes_config.iter() {
> +        match get_subscription_info_for_remote(remote, 24 * 60 * 60).await {
> +            Ok(info) => {
> +                subscription_info.insert(remote_name.to_string(), (remote.ty, info));
> +            }
> +            Err(err) => {
> +                log::debug!("Failed to get subscription info for remote {remote_name} - {err}");
> +                subscription_info.insert(remote_name.to_string(), (remote.ty, HashMap::new()));
> +            }
> +        }
> +    }
> +    Ok(subscription_info)
> +}
> +
> +fn count_subscriptions(
> +    subscription_infos: &HashMap<
> +        String,
> +        (RemoteType, HashMap<String, Option<NodeSubscriptionInfo>>),
> +    >,
> +) -> SubscriptionStatistics {
> +    let mut stats = SubscriptionStatistics::default();
> +    for (_remote, (_remote_type, remote_infos)) in subscription_infos.iter() {
> +        if remote_infos.is_empty() {
> +            // count remotes without info as at least one node
> +            stats.total_nodes += 1;
> +            continue;

this would count an unreachable remote as one not subscribed node, or?

> +        }
> +        for (_node, node_info) in remote_infos.iter() {
> +            stats.total_nodes += 1;
> +            if let Some(info) = node_info {
> +                if info.status == SubscriptionStatus::Active {
> +                    stats.active_subscriptions += 1;
> +                    if info.level == SubscriptionLevel::Community {
> +                        stats.community += 1;
> +                    }
> +                }
> +            }
> +        }
> +    }
> +    stats
> +}
> +
> +fn check_counts(stats: SubscriptionStatistics) -> Result<(), Error> {
> +    let subscribed_ratio = stats.active_subscriptions as f64 / stats.total_nodes as f64;
> +    let community_ratio = stats.community as f64 / stats.active_subscriptions as f64;
> +
> +    if subscribed_ratio > SUBSCRIPTION_THRESHOLD {
> +        if community_ratio < COMMUNITY_THRESHOLD {
> +            return Ok(());
> +        } else {
> +            bail!("Too many remote nodes with community level subscription!");
> +        }
> +    } else {
> +        bail!("Too many remote nodes without active subscription!");
> +    }
> +}
> +
> +#[api(
> +    access: { permission: &Permission::Anybody, },
> +    input: {
> +        properties: {
> +            node: {
> +                schema: NODE_SCHEMA,
> +            },
> +        },
> +    },
> +    returns: {
> +        type: SubscriptionInfo,
> +    }
> +)]
> +/// Return subscription status
> +pub async fn get_subscription() -> Result<SubscriptionInfo, Error> {
> +    let infos = get_all_subscription_infos().await?;
> +
> +    let stats = count_subscriptions(&infos);
> +
> +    if let Err(err) = check_counts(stats) {
> +        Ok(SubscriptionInfo {
> +            status: SubscriptionStatus::Invalid,
> +            message: Some(format!("{err}")),
> +            serverid: None,
> +            url: Some(PRODUCT_URL.into()),
> +            ..Default::default()
> +        })
> +    } else {
> +        Ok(SubscriptionInfo {
> +            status: SubscriptionStatus::Active,
> +            url: Some(PRODUCT_URL.into()),
> +            ..Default::default()
> +        })
> +    }
> +}
> +
> +#[api(
> +    input: {
> +        properties: {
> +            node: {
> +                schema: NODE_SCHEMA,
> +            },
> +        },
> +    },
> +    protected: true,
> +    access: {
> +        permission: &Permission::Privilege(&["system"], PRIV_SYS_MODIFY, false),
> +    },
> +)]
> +/// Update subscription information
> +pub async fn check_subscription() -> Result<(), Error> {
> +    let infos = get_all_subscription_infos().await?;
> +    let stats = count_subscriptions(&infos);
> +
> +    if let Err(err) = check_counts(stats) {
> +        update_apt_auth(APT_AUTH_FN, apt_auth_file_opts(), APT_AUTH_URL, None, None)?;
> +        return Err(err);
> +    }
> +
> +    let mut found = false;
> +    'outer: for (remote, (remote_type, remote_info)) in infos.iter() {
> +        if *remote_type != RemoteType::Pve {
> +            continue;
> +        }
> +        for (node, node_info) in remote_info.iter() {
> +            if let Some(info) = node_info {
> +                if info.status == SubscriptionStatus::Active
> +                    && info.key.is_some()
> +                    && info.serverid.is_some()
> +                {
> +                    log::info!("Using subscription of node '{node}' of remote '{remote}' for enterprise repository access");
> +                    update_apt_auth(
> +                        APT_AUTH_FN,
> +                        apt_auth_file_opts(),
> +                        APT_AUTH_URL,
> +                        info.key.clone(),
> +                        info.serverid.clone(),
> +                    )?;
> +                    found = true;
> +                    break 'outer;
> +                }
> +            }
> +        }
> +    }
> +
> +    if !found {
> +        log::warn!("No valid subscription found for configuring enterprise repository access..");
> +        update_apt_auth(APT_AUTH_FN, apt_auth_file_opts(), APT_AUTH_URL, None, None)?;
> +    }
> +
> +    Ok(())
> +}
> +
> +pub const ROUTER: Router = Router::new()
> +    .get(&API_METHOD_GET_SUBSCRIPTION)
> +    .post(&API_METHOD_CHECK_SUBSCRIPTION);
> diff --git a/server/src/api/resources.rs b/server/src/api/resources.rs
> index 4beaa54..adab021 100644
> --- a/server/src/api/resources.rs
> +++ b/server/src/api/resources.rs
> @@ -767,7 +767,7 @@ static SUBSCRIPTION_CACHE: LazyLock<RwLock<HashMap<String, CachedSubscriptionSta
>   ///
>   /// If recent enough cached data is available, it is returned
>   /// instead of calling out to the remote.
> -async fn get_subscription_info_for_remote(
> +pub async fn get_subscription_info_for_remote(
>       remote: &Remote,
>       max_age: u64,
>   ) -> Result<HashMap<String, Option<NodeSubscriptionInfo>>, Error> {

_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel