From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: <pve-devel-bounces@lists.proxmox.com> Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 2AB1B1FF164 for <inbox@lore.proxmox.com>; Fri, 20 Jun 2025 16:35:16 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 32966E8C3; Fri, 20 Jun 2025 16:32:48 +0200 (CEST) From: Daniel Kral <d.kral@proxmox.com> To: pve-devel@lists.proxmox.com Date: Fri, 20 Jun 2025 16:31:37 +0200 Message-Id: <20250620143148.218469-30-d.kral@proxmox.com> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250620143148.218469-1-d.kral@proxmox.com> References: <20250620143148.218469-1-d.kral@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.011 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [PATCH ha-manager v2 25/26] api: groups, services: assert use-location-rules feature flag X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com> List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe> List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/> List-Post: <mailto:pve-devel@lists.proxmox.com> List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help> List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe> Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com> Assert whether certain properties are allowed to be passed for the HA groups and HA services API endpoints depending on whether the use-location-rules feature flag is enabled or disabled. Signed-off-by: Daniel Kral <d.kral@proxmox.com> --- changes since v1: - NEW! src/PVE/API2/HA/Groups.pm | 20 ++++++++++++++++++++ src/PVE/API2/HA/Resources.pm | 30 ++++++++++++++++++++++++++---- src/PVE/API2/HA/Status.pm | 6 +++++- 3 files changed, 51 insertions(+), 5 deletions(-) diff --git a/src/PVE/API2/HA/Groups.pm b/src/PVE/API2/HA/Groups.pm index 32350df..4dcb458 100644 --- a/src/PVE/API2/HA/Groups.pm +++ b/src/PVE/API2/HA/Groups.pm 
@@ -32,6 +32,15 @@ my $api_copy_config = sub { return $group_cfg; }; +my $verify_group_api_call_is_allowed = sub { + my ($noerr) = @_; + + return 1 if !PVE::HA::Config::is_ha_location_enabled(); + + die "ha groups are not allowed because location rules are enabled\n" if !$noerr; + return 0; +}; + __PACKAGE__->register_method({ name => 'index', path => '', @@ -55,6 +64,9 @@ __PACKAGE__->register_method({ code => sub { my ($param) = @_; + # return empty list instead of errors + return [] if !$verify_group_api_call_is_allowed->(1); + my $cfg = PVE::HA::Config::read_group_config(); my $res = []; @@ -89,6 +101,8 @@ __PACKAGE__->register_method({ code => sub { my ($param) = @_; + $verify_group_api_call_is_allowed->(); + my $cfg = PVE::HA::Config::read_group_config(); return &$api_copy_config($cfg, $param->{group}); @@ -109,6 +123,8 @@ __PACKAGE__->register_method({ code => sub { my ($param) = @_; + $verify_group_api_call_is_allowed->(); + # create /etc/pve/ha directory PVE::Cluster::check_cfs_quorum(); mkdir("/etc/pve/ha"); @@ -160,6 +176,8 @@ __PACKAGE__->register_method({ code => sub { my ($param) = @_; + $verify_group_api_call_is_allowed->(); + my $digest = extract_param($param, 'digest'); my $delete = extract_param($param, 'delete'); @@ -233,6 +251,8 @@ __PACKAGE__->register_method({ code => sub { my ($param) = @_; + $verify_group_api_call_is_allowed->(); + my $group = extract_param($param, 'group'); PVE::HA::Config::lock_ha_domain( diff --git a/src/PVE/API2/HA/Resources.pm b/src/PVE/API2/HA/Resources.pm index 5916204..f41fa2f 100644 --- a/src/PVE/API2/HA/Resources.pm +++ b/src/PVE/API2/HA/Resources.pm @@ -5,7 +5,7 @@ use warnings; use PVE::SafeSyslog; use PVE::Tools qw(extract_param); -use PVE::Cluster; +use PVE::Cluster qw(cfs_read_file); use PVE::HA::Config; use PVE::HA::Resources; use HTTP::Status qw(:constants); 
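Review bot: `$verify_group_api_call_is_allowed` has no comment stating its contract, and its failure path is a plain string `die`. Callers of the read, create, update and delete handlers below therefore probably receive a generic server error rather than a client-side rejection (inferred; the REST handler's error mapping is not visible here). A header such as `# returns 1 if HA groups may be used; with $noerr set, returns 0 instead of dying when location rules are enabled` would document the two modes. If the module has an exception helper that carries an HTTP status, using it here would let API clients and audit logs tell a disabled feature apart from an internal failure.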
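Review bot: In the delete handler the feature-flag check `$verify_group_api_call_is_allowed->();` runs before `PVE::HA::Config::lock_ha_domain(` is entered, so the decision is taken outside the lock that guards the write. The same ordering is visible in the create handler of Resources.pm (`$assert_service_params_are_allowed->($param);` just ahead of `lock_ha_domain(`), and it likely applies to the group create and update handlers, whose locking lies outside their hunks. If the flag is switched while a request waits for the lock, the change is still written under the old decision. Repeating the check as the first statement inside the locked sub would narrow that window; whether datacenter config changes are serialized against this lock is not visible here. The handler body continues beyond the hunk.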
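Review bot: `use PVE::Cluster qw(cfs_read_file);` imports a function that none of the added lines in this file's hunks call; the new code reads the flag through `PVE::HA::Config::is_ha_location_enabled()` instead. Unless a later patch in the series needs it, keep the line as `use PVE::Cluster;` so the import list reflects what the module actually uses.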
@@ -22,7 +22,7 @@ use base qw(PVE::RESTHandler); my $resource_type_enum = PVE::HA::Resources->lookup_types(); my $api_copy_config = sub { - my ($cfg, $sid) = @_; + my ($cfg, $sid, $remove_group) = @_; die "no such resource '$sid'\n" if !$cfg->{ids}->{$sid}; @@ -30,9 +30,23 @@ my $api_copy_config = sub { $scfg->{sid} = $sid; $scfg->{digest} = $cfg->{digest}; + delete $scfg->{group} if $remove_group; + return $scfg; }; +my $assert_service_params_are_allowed = sub { + my ($param) = @_; + + my $use_location_rules = PVE::HA::Config::is_ha_location_enabled(); + + die "'group' is not allowed because location rules are enabled in datacenter config\n" + if defined($param->{group}) && $use_location_rules; + + die "'failback' is not allowed because location rules are disabled in datacenter config\n", + if defined($param->{failback}) && !$use_location_rules; +}; + sub check_service_state { my ($sid, $req_state) = @_; @@ -78,9 +92,11 @@ __PACKAGE__->register_method({ my $cfg = PVE::HA::Config::read_resources_config(); my $groups = PVE::HA::Config::read_group_config(); + my $use_location_rules = PVE::HA::Config::is_ha_location_enabled(); + my $res = []; foreach my $sid (keys %{ $cfg->{ids} }) { - my $scfg = &$api_copy_config($cfg, $sid); + my $scfg = &$api_copy_config($cfg, $sid, $use_location_rules); next if $param->{type} && $param->{type} ne $scfg->{type}; if ($scfg->{group} && !$groups->{ids}->{ $scfg->{group} }) { $scfg->{errors}->{group} = "group '$scfg->{group}' does not exist"; @@ -154,7 +170,9 @@ __PACKAGE__->register_method({ my $sid = PVE::HA::Config::parse_sid($param->{sid}); - return &$api_copy_config($cfg, $sid); + my $use_location_rules = PVE::HA::Config::is_ha_location_enabled(); + + return &$api_copy_config($cfg, $sid, $use_location_rules); }, }); @@ -188,6 +206,8 @@ __PACKAGE__->register_method({ $plugin->exists($name); + $assert_service_params_are_allowed->($param); + my $opts = $plugin->check_config($sid, $param, 1, 1); PVE::HA::Config::lock_ha_domain( 
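Review bot: The new `$remove_group` argument makes this helper delete a key from `$scfg`, but the statement that creates `$scfg` lies between this hunk and the next and is not shown. If it aliases `$cfg->{ids}->{$sid}` rather than copying it, `delete $scfg->{group}` would also strip the group from the parsed config hash that the caller keeps using in the same request. Worth confirming it is a copy and saying so next to the delete, e.g. `# $scfg is a private copy, so stripping 'group' does not touch $cfg`.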
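Review bot: The second `die` in `$assert_service_params_are_allowed` ends its message with a trailing comma before the statement modifier (`... in datacenter config\n", if defined($param->{failback}) && !$use_location_rules;`), unlike the first `die`. It looks accidental; drop the comma so both statements have the same shape. The helper would also benefit from a one-line comment such as `# 'group' is only valid without location rules, 'failback' only with them`, since the two conditions are mirror images and easy to misread.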
@@ -235,6 +255,8 @@ __PACKAGE__->register_method({ die "types does not match\n" if $param_type ne $type; } + $assert_service_params_are_allowed->($param); + if (my $group = $param->{group}) { my $group_cfg = PVE::HA::Config::read_group_config(); diff --git a/src/PVE/API2/HA/Status.pm b/src/PVE/API2/HA/Status.pm index 1547e0e..eba3876 100644 --- a/src/PVE/API2/HA/Status.pm +++ b/src/PVE/API2/HA/Status.pm @@ -241,6 +241,8 @@ __PACKAGE__->register_method({ } } + my $use_location_rules = PVE::HA::Config::is_ha_location_enabled(); + my $add_service = sub { my ($sid, $sc, $ss) = @_; @@ -260,7 +262,9 @@ __PACKAGE__->register_method({ # also return common resource attributes if (defined($sc)) { $data->{request_state} = $sc->{state}; - foreach my $key (qw(group max_restart max_relocate comment)) { + my @attributes = qw(max_restart max_relocate comment); + push @attributes, 'group' if !$use_location_rules; + foreach my $key (@attributes) { $data->{$key} = $sc->{$key} if defined($sc->{$key}); } } -- 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
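Review bot: `$assert_service_params_are_allowed->($param);` only looks at `$param->{group}` and `$param->{failback}` as values being set. If this update handler accepts a `delete` list the way the group update handler in Groups.pm does (`extract_param($param, 'delete')`), property names passed there are not covered by the check. That is probably harmless for removal, but the intent should be stated in a comment, e.g. `# removing group/failback is always allowed; only setting them is gated by the feature flag`. The handler starts and ends outside the hunk.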