From: "Daniel Kral" <d.kral@proxmox.com>
To: "David Riley" <d.riley@proxmox.com>, <pve-devel@lists.proxmox.com>
Subject: Re: [PATCH pve-manager 2/9] fix #7294: api: pool: add SDN VNets as pool members
Date: Mon, 22 Jun 2026 13:20:15 +0200 [thread overview]
Message-ID: <DJFJDGPU7X2X.1GWPRLWEA6W6H@proxmox.com> (raw)
In-Reply-To: <20260611145935.147788-3-d.riley@proxmox.com>
Some comments inline
On Thu Jun 11, 2026 at 4:59 PM CEST, David Riley wrote:
> Extend the pool API to accept SDN VNets and optional VLAN tags. Group
> VNets under the new 'network' property type in the pool configuration.
>
> Unlike VMs or containers which strictly belong to a single pool, VNets
> are shared similar to storage. A single VNet can be assigned to
> multiple pools simultaneously, allowing cross-team usage without
> management conflicts.
>
> Enforce a cluster-wide version check before allowing network
> assignments. This prevents older nodes from accidentally overwriting
> the newly structured pool configurations.
>
> Link: https://bugzilla.proxmox.com/show_bug.cgi?id=7294
> Signed-off-by: David Riley <d.riley@proxmox.com>
> ---
> PVE/API2/Pool.pm | 137 ++++++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 135 insertions(+), 2 deletions(-)
>
> diff --git a/PVE/API2/Pool.pm b/PVE/API2/Pool.pm
> index 63aff5bb..f1eb6eb3 100644
> --- a/PVE/API2/Pool.pm
> +++ b/PVE/API2/Pool.pm
> @@ -5,8 +5,10 @@ use warnings;
>
> use PVE::AccessControl;
> use PVE::Cluster qw (cfs_read_file cfs_write_file);
> +use PVE::Cluster::Helpers qw(assert_min_cluster_version);
> use PVE::Exception qw(raise_param_exc);
> use PVE::INotify;
> +use PVE::Network;
> use PVE::Storage;
>
> use PVE::SafeSyslog;
> @@ -61,7 +63,7 @@ __PACKAGE__->register_method({
> properties => {
> type => {
> type => 'string',
> - enum => ['qemu', 'lxc', 'openvz', 'storage'],
> + enum => ['qemu', 'lxc', 'openvz', 'storage', 'network'],
> },
> id => {
> type => 'string',
> @@ -77,6 +79,10 @@ __PACKAGE__->register_method({
> type => 'string',
> optional => 1,
> },
> + vnet => {
> + type => 'string',
> + optional => 1,
> + },
> },
> },
> },
> @@ -135,6 +141,29 @@ __PACKAGE__->register_method({
> }
> }
>
> + if (!defined($param->{type}) || $param->{type} eq 'network') {
> + if ($pool_config->{network}) {
> + for my $net_key (sort keys %{ $pool_config->{network} }) {
nit: `$pool_config->{network}->%*` might be more readable
> + my ($type, @path) = split('/', $net_key);
> +
> + if ($type eq 'vnet') {
> + my ($zoneid, $vnet, $vlan) = @path;
> +
> + my $description = "$vnet ($zoneid)";
> + $description = "$vnet.$vlan ($zoneid)" if defined($vlan);
> +
> + push @$members,
> + {
> + type => 'network',
> + id => $net_key,
> + text => $description,
> + 'network-type' => $type,
> + };
> + }
> + }
> + }
> + }
> +
> my $pool_info = {
> members => $members,
> };
> @@ -243,6 +272,25 @@ __PACKAGE__->register_method({
> format => 'pve-storage-id-list',
> optional => 1,
> },
> + zone => {
> + description => 'SDN Zone',
> + type => 'string',
> + format => 'pve-sdn-zone-id',
> + optional => 1,
> + },
> + vnet => {
> + description => 'VNet to add or remove from this pool.',
> + type => 'string',
> + format => 'pve-sdn-vnet-id',
> + optional => 1,
> + },
The other parameters like 'vms' and 'storage' allow specifying a list of
them to be added or removed at a single time, would that also make sense
with VNets?
Either way, is there some way to make zone, vnetid and tag a single
property so it's clear that zone and vnet are required to add a VNet and
tag is optional?
> + tag => {
> + description => "Specify a VLAN tag",
> + optional => 1,
> + type => 'integer',
> + minimum => 1,
> + maximum => 4094,
> + },
> 'allow-move' => {
> description => 'Allow adding a guest even if already in another pool.'
> . ' The guest will be removed from its current pool and added to this one.',
> @@ -295,6 +343,25 @@ __PACKAGE__->register_method({
> format => 'pve-storage-id-list',
> optional => 1,
> },
> + zone => {
> + description => 'SDN Zone',
> + type => 'string',
> + format => 'pve-sdn-zone-id',
> + optional => 1,
> + },
> + vnet => {
> + description => 'VNet to add or remove from this pool.',
> + type => 'string',
> + format => 'pve-sdn-vnet-id',
> + optional => 1,
> + },
> + tag => {
> + description => "Specify a VLAN tag",
> + optional => 1,
> + type => 'integer',
> + minimum => 1,
> + maximum => 4094,
> + },
> 'allow-move' => {
> description => 'Allow adding a guest even if already in another pool.'
> . ' The guest will be removed from its current pool and added to this one.',
> @@ -304,7 +371,7 @@ __PACKAGE__->register_method({
> },
> delete => {
> description =>
> - 'Remove the passed VMIDs and/or storage IDs instead of adding them.',
> + 'Remove the passed VMIDs, storage IDs and/or VNets instead of adding them.',
> type => 'boolean',
> optional => 1,
> default => 0,
> @@ -373,6 +440,56 @@ __PACKAGE__->register_method({
> }
> }
>
> + if (defined($param->{vnet}) && defined($param->{zone})) {
AFAICT there's no error that e.g. zone is missing and it will do nothing
even though a user might have expected the VNet to be added without
specifying the zone.
nit: might be nice to destructure them through a tuple:
my ($zone, $vnetid, $tag) = $param->@{qw(zone vnet tag)};
> + # gatekeep vnet as pool members
> + assert_min_cluster_version(9, 2, 3);
nit: might be nicer to prefix it with the full module path here so that
it's clear that it's not a local subroutine (is usually fine for
more well-known helpers), but no hard feelings.
> +
> + my $zones_cfg = PVE::Network::SDN::Zones::config();
> + my $zone = $param->{zone};
> +
> + if (!$zones_cfg->{ids}->{$zone}) {
> + die "SDN Zone '$zone' does not exist\n";
> + }
> +
> + my $vnets_cfg = PVE::Network::SDN::Vnets::config();
> + my $tag = $param->{tag};
> +
> + my $vnetid = $param->{vnet};
> + my $vnet_data = $vnets_cfg->{ids}->{$vnetid}
> + or die "VNet '$vnetid' does not exist\n";
> +
> + my $vnet_zone = $vnet_data->{zone};
> + if ($zone ne $vnet_zone) {
> + die "VNet '$vnetid' does not belong to zone '$zone' (it belongs to"
> + . " '$vnet_zone')\n";
> + }
nit: might be nice to make this a single
die "VNet ...\n" if $zone ne $vnet_data->{zone};
to not have two variables with essentially the same content after this?
> +
> + my $has_tag = defined($tag) && $tag ne '';
When is $tag eq '' true? Shouldn't the API verification already catch
that $tag is a string even though it should be an integer?
> + if ($has_tag) {
> + my $native_tag = $vnet_data->{tag};
> + if (!defined($native_tag) || $tag != $native_tag) {
> + die
> + "VNet '$vnetid' is not VLAN-aware, cannot assign a specific tag\n"
> + if !$vnet_data->{vlanaware};
> + }
> + }
> +
> + my $network_key = "vnet/$vnet_zone/$vnetid";
> + $network_key .= "/$tag" if $has_tag;
nit: not sure about this, but could also be put in the previous if
block, but I see the point that this should probably be tightly put
together so it's easy to see the possible contents of $network_key
> +
> + $rpcenv->check_perm_modify(
> + $authuser,
> + "/sdn/zones/$vnet_zone/$vnetid",
> + ['SDN.Allocate'],
> + );
> +
> + if ($param->{delete}) {
> + delete $pool_config->{network}->{$network_key};
> + } else {
> + $pool_config->{network}->{$network_key} = 1;
> + }
> + }
> +
> cfs_write_file("user.cfg", $usercfg);
> },
> "update pools failed",
> @@ -437,6 +554,14 @@ __PACKAGE__->register_method({
> type => 'string',
> optional => 1,
> },
> + zone => {
> + type => 'string',
> + optional => 1,
> + },
> + vnet => {
> + type => 'string',
> + optional => 1,
> + },
> },
> },
> },
> @@ -524,6 +649,14 @@ __PACKAGE__->register_method({
> die "pool '$pool' is not empty (contains storage '$storeid')\n";
> }
>
> + for my $netid (sort keys %{ $pool_config->{network} }) {
nit: `$pool_config->{network}->%*` might be more readable
> + my ($type, $id) = split('/', $netid, 2);
> + $type //= 'network';
> + $id //= $netid;
> +
> + die "pool '$pool' is not empty (contains $type '$id')\n";
> + }
> +
> delete($usercfg->{pools}->{$pool});
> PVE::AccessControl::delete_pool_acl($pool, $usercfg);
>
next prev parent reply other threads:[~2026-06-22 11:20 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-11 14:59 [PATCH access-control/cluster/manager/network/qemu-server 0/9] fix #7294: pool: add SDN VNets as pool members David Riley
2026-06-11 14:59 ` [PATCH pve-manager 1/9] ui: replace var with let to match style guide for variable declaration David Riley
2026-06-11 14:59 ` [PATCH pve-manager 2/9] fix #7294: api: pool: add SDN VNets as pool members David Riley
2026-06-22 11:20 ` Daniel Kral [this message]
2026-06-22 13:37 ` David Riley
2026-06-24 7:32 ` Daniel Kral
2026-06-11 14:59 ` [PATCH pve-manager 3/9] fix #7294: ui: " David Riley
2026-06-11 14:59 ` [PATCH pve-access-control 4/9] fix #7294: acl: " David Riley
2026-06-11 14:59 ` [PATCH pve-network 5/9] fix #7294: sdn: register api formats for zones and vnets David Riley
2026-06-12 12:18 ` Gabriel Goller
2026-06-12 12:51 ` David Riley
2026-06-12 13:46 ` Gabriel Goller
2026-06-12 14:17 ` David Riley
2026-06-11 14:59 ` [PATCH pve-network 6/9] fix #7294: sdn: vnet: update pool members on vnet migration and deletion David Riley
2026-06-11 16:21 ` Gabriel Goller
2026-06-12 6:37 ` David Riley
2026-06-12 8:41 ` Gabriel Goller
2026-06-11 14:59 ` [PATCH pve-cluster 7/9] cluster: add helpers module with version comparison functions David Riley
2026-06-22 9:31 ` Daniel Kral
2026-06-22 11:44 ` David Riley
2026-06-11 14:59 ` [PATCH pve-cluster 8/9] fix #7294: cluster: helpers: add cluster-wide version assertion David Riley
2026-06-22 9:42 ` Daniel Kral
2026-06-22 11:53 ` David Riley
2026-06-11 14:59 ` [PATCH qemu-server 9/9] fix #7294: helpers: use cluster-wide version helper David Riley
2026-06-19 10:01 ` [PATCH access-control/cluster/manager/network/qemu-server 0/9] fix #7294: pool: add SDN VNets as pool members Jakob Klocker
2026-06-19 11:12 ` David Riley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJFJDGPU7X2X.1GWPRLWEA6W6H@proxmox.com \
--to=d.kral@proxmox.com \
--cc=d.riley@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox