From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id 7301B1FF15F
	for <inbox@lore.proxmox.com>; Mon, 18 Nov 2024 10:02:17 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id CA944AB0E;
	Mon, 18 Nov 2024 10:02:20 +0100 (CET)
Message-ID: <cabba697-8b98-414f-844e-42003631cf59@proxmox.com>
Date: Mon, 18 Nov 2024 10:02:17 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Thomas Lamprecht <t.lamprecht@proxmox.com>,
 Proxmox VE development discussion <pve-devel@lists.proxmox.com>
References: <20241115120937.169342-1-s.hanreich@proxmox.com>
 <20241115120937.169342-7-s.hanreich@proxmox.com>
 <cfd24b51-431c-401b-a116-eb0c683807b1@proxmox.com>
Content-Language: en-US
From: Stefan Hanreich <s.hanreich@proxmox.com>
In-Reply-To: <cfd24b51-431c-401b-a116-eb0c683807b1@proxmox.com>
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.659 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: Re: [pve-devel] [PATCH pve-firewall v4 6/9] api: load sdn ipsets
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>

On 11/17/24 15:30, Thomas Lamprecht wrote:
> Am 15.11.24 um 13:09 schrieb Stefan Hanreich:
>> Since the SDN configuration reads the IPAM config file, which resides
> 
> does that mean the earlier patches already require this? They load
> the SDN config already FWICT; and if so, it would be great to either
> have that change in those patches or upfront as separate patches, this
> has rather reaching consequences after all...

That's indeed an oversight on my part, the default behavior of
load_clusterfw_conf changed to loading the SDN configuration in v4 so
that patch is actually required if they are not all applied at the same
time. If we stick with /etc/pve/priv (see below) I'll reorder the
commits accordingly.

>> in /etc/pve/priv we need to add the protected flag to several
>> endpoints.
> 
> That's wrong, the general IPAM config resides in /etc/pve/sdn/ipams.cfg,
> the ipam.db from the PVE IPAM Plugin does indeed reside in the private
> directory.
> 
> But, why's that? The commits adding it weren't really telling, but there
> are no secrets in there, so why does it have to be priv? We could move
> them over to /etc/pve/sdn/pve-ipam.db with some backward compat handling
> (either in pmxcfs directly or in the backend site of things). Just tell
> me if that would be fine in general, or what the original reason for having
> this file only visible for root, and I can help you here.

Depends on if you consider a database of all assigned IPs inside the
cluster as sensitive information, iirc we erred on the side of caution
in this case and stored it in /etc/pve/priv.


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel