As proxmox-acme has now a default delay for DNS challenge plugins,
which is the important one. Those are just for not overloading the
acme servers with a lot of requests, but once the challenge was
propagated they have it verified pretty quickly, so reduce delay for
checking validation after first requesting it down to 10 seconds
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
re-loading it always would mean that we could potentially switch the
config to something completely different, and the mix of the previous
and the old could result in total bogus actions.
Better to use the same one for one full order, even if it may get
"outdated" it was still valid in the past and most important
coherent.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
api: acme plugins: we're not the storage content API endpoint
Drop various leftovers from the storage content API module this was
based on, e.g., ACME plugins have no fixed options and the like.
Also, the descriptions shouldn't mention "storage".
Further, drop the "update_config" "helper" with its operations
effectively only increasing code complexity and adding another rabbit
hole to jump into.
IF, this should have been factoring out the lock+read+write cycle
only, leaving the rest to a passed CODE-ref, but honestly that saves
only really the read and write config lines, and at this point
nothing is really gained, so just let it be.
Should have been actually three or so separate patches, but too deep
into this rabbit hole to care..
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
NodeConfig: ensure locked context has current view
similar to the recent changes for pve-guest-common - we start each API
call with a cfs_update, but while we were waiting for the flock another
R-M-W cycle might have happened, so we need to refresh after obtaining
the lock.
for now mostly due to the "nice" property of the acmedomains which
do not use their property key as index but actually the domain.
Without this one could set up duplicated domain entries just fine,
but once using them -> error.
This is not nice UX, so verify node config before writing an updated
one out, to catch those issues.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
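The two messages above (refresh the view after taking the lock, verify before writing) combined into one read-modify-write cycle, as an added example that is not pve-manager code. The "key: value" file format, the `.lock`/`.tmp` file names and all function names are assumptions made for the illustration.

```python
import fcntl
import os
import tempfile

def parse(text):
    # Simplified "key: value" format, assumed for this example.
    return dict(line.split(": ", 1) for line in text.splitlines() if line)

def verify(conf):
    """Reject two acmedomainN entries that name the same domain."""
    seen = {}
    for key, value in conf.items():
        if key.startswith("acmedomain"):
            domain = value.split(",")[0].split("=")[-1].lower()
            if domain in seen:
                raise ValueError(f"duplicate domain {domain}: {seen[domain]}, {key}")
            seen[domain] = key

def locked_update(path, modify):
    with open(path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)  # may wait for another writer
        with open(path) as f:             # read only once the lock is held
            conf = parse(f.read())
        modify(conf)
        verify(conf)                      # fail before anything is written
        with open(path + ".tmp", "w") as f:
            f.writelines(f"{k}: {v}\n" for k, v in conf.items())
        os.replace(path + ".tmp", path)
        return conf

def demo():
    path = os.path.join(tempfile.mkdtemp(), "node.conf")
    with open(path, "w") as f:
        f.write("description: constructed sample\n")
    with open(path) as f:
        stale = parse(f.read())           # view taken before any lock
    # Another writer completes a full cycle in the meantime.
    locked_update(path, lambda c: c.update(acmedomain0="pve.example.test,plugin=dns1"))
    # A different domain is merged into the current file, not the stale view.
    merged = locked_update(path, lambda c: c.update(acmedomain1="alt.example.test"))
    # The same domain under a new key is refused and the file is unchanged.
    try:
        locked_update(path, lambda c: c.update(acmedomain2="domain=PVE.example.test"))
    except ValueError as err:
        with open(path) as f:
            return stale, merged, str(err), parse(f.read())
```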
instead of relying that the authorization URLs and the ordered
identifiers are sorted the same way for already validated
authorizations.
on the contrary, RFC 8555 even says:
"The authorizations required are dictated by server policy; there may
not be a 1:1 relationship between the order identifiers and the
authorizations required."
authorizations MUST always include a single identifier, no matter which
state they are in.
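Matching each authorization to its ordered identifier by the identifier the authorization object carries, rather than by list position, shown as an added example (not code from pve-manager or proxmox-acme). The order, URLs, authorization objects and function names are constructed; the wildcard handling follows the `wildcard` field of RFC 8555 authorization objects.

```python
# Constructed order object: the client asked for these identifiers.
ORDER = {
    "identifiers": [
        {"type": "dns", "value": "pve1.example.test"},
        {"type": "dns", "value": "*.example.test"},
        {"type": "dns", "value": "pve2.example.test"},
    ],
    # The server lists authorization URLs in an order of its own choosing.
    "authorizations": [
        "https://acme.example.test/authz/3",
        "https://acme.example.test/authz/1",
        "https://acme.example.test/authz/2",
    ],
}
BASE = "https://acme.example.test/authz/"
# Constructed authorization objects; AUTHZ.__getitem__ stands in for the
# POST-as-GET fetch of each URL.
AUTHZ = {
    BASE + "1": {"status": "valid",
                 "identifier": {"type": "dns", "value": "pve1.example.test"}},
    BASE + "2": {"status": "pending", "wildcard": True,
                 "identifier": {"type": "dns", "value": "example.test"}},
    BASE + "3": {"status": "pending",
                 "identifier": {"type": "dns", "value": "pve2.example.test"}},
}

def ordered_name(authz):
    """Name as it appears in the order: RFC 8555 authorizations carry the
    base domain plus "wildcard": true instead of a "*." prefix."""
    ident = authz["identifier"]
    name = ident["value"].lower()
    return (ident["type"], "*." + name if authz.get("wildcard") else name)

def match_authorizations(order, fetch):
    """Map each ordered identifier to its authorization by content."""
    wanted = {(i["type"], i["value"].lower()) for i in order["identifiers"]}
    matched = {}
    for url in order["authorizations"]:
        authz = fetch(url)
        key = ordered_name(authz)
        if key not in wanted:  # never validate a name that was not ordered
            raise ValueError(f"{url}: unexpected identifier {key[1]}")
        matched[key[1]] = {"url": url, "status": authz["status"]}
    return matched

def pending_domains(order, fetch):
    """Domains that still need a challenge; 'valid' ones are skipped."""
    found = match_authorizations(order, fetch)
    return sorted(d for d, a in found.items() if a["status"] != "valid")
```

With positional pairing the already valid `pve1.example.test` would be paired with `authz/3` and treated as pending, while `pve2.example.test` would be skipped as valid.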
exact same thing commit 67cb91e4d7c98ab8cf4d8047af5e3789932bb52c
already did for the old location of this, but indentation error was
introduced again when moving it (fix y'all editors..)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
ui: don't block offline migration due non-referenced disk in the config
All local disks can/will be migrated if not for a reason we don't
know about yet at this stage. The disks we get from the API call as
'local_disks' are either referenced by the config or by snapshots in
the config (which was not checked for and the reason one could run
into the 'else if' branch).
Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
if our self-signed certificate expires in more than 825 days, but was
created after July 2019 it won't be accepted by modern Apple devices. we
fixed the issuance to generate shorter-lived certificates in November
2019, this cleans up the existing ones to fix this and similar future
issues.
two years / 730 days as cut-off was chosen since it's our new maximum
self-signed certificate lifetime, and should thus catch all old-style
certificates.
another positive side-effect is that we can now phase out support for
older certificates faster, e.g. if we want to move to bigger keys,
different signature algorithms, or anything else in that direction.
this modifies AuthEditBase so that if there is a sync inputpanel specified,
we display it in a second tab (we need to modify the bodyPadding here,
else the whole window has too much padding)
we use the same panel for both ldap/ad, since most options behave
the same (except for user_attribute, but the default for AD is
sAMAccount which I think is good enough for now, users can still
override it in the cli)
ui: Utils: delete_if_default: add values by correct type
if 'delete' is an Array, we want to push into it, not append a string
this could be an issue when we use an edit window with multiple inputpanels
and deleteEmpty set on some fields
Thomas Lamprecht [Sun, 26 Apr 2020 10:29:24 +0000 (12:29 +0200)]
ui: drop login-user fixed token edit due to multi window/z-index issues
We normally do not stack windows and it breaks/allows some funky
stuff.. As this isn't really required and can be done just fine over
the DC -> Token panel, especially as we prefill the username to
the logged in one for new tokens now..
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Alwin Antreich [Wed, 11 Mar 2020 15:22:36 +0000 (16:22 +0100)]
Fix: ceph: mon_address not considered by new MON
The public_addr option for creating a new MON is only valid for manual
startup (since Ceph Jewel) and is just ignored by ceph-mon during setup.
As the MON is started after the creation through systemd without an IP
specified, it is trying to auto-select an IP.
Before this patch the public_addr was only explicitly written to the
ceph.conf if no public_network was set. The mon_address is only needed
in the config on the first start of the MON.
The ceph-mon itself tries to select an IP on the following conditions.
- no public_network or public_addr is in the ceph.conf
  * startup fails
- public_network is in the ceph.conf
  * with a single network, take the first available IP
  * on multiple networks, walk through the list orderly and start on
    the first network where an IP is found
ui: node: lower statusStore interval outside of summary panel
We normally only use that information for the node's power management
buttons, only the Summary panel profits from more frequent updates
(due to the uptime, and resource usage graphs).
So use 5s interval in general and switch to 1s for the summary panel
only.
This also fixes a bug where the node-config panel owned store got
stopped by mistake if the summary panel, which shared the use of that
store, was "destroyed" (left).
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This uses the newly introduced PVE::LXC::CGroup's
cpuset_controller_path() method to find the controller path,
so we need to depend on the newer pve-container package.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
on the view destroy we have to stop the updatestore again,
they do not get cleaned up by a destroy because until they are stopped
they have a reference on themselves, which prevents a garbage collection
Thomas Lamprecht [Thu, 26 Mar 2020 14:17:10 +0000 (15:17 +0100)]
followup sdn: move a bit below and fix showing on initial load
if the webinterface got loaded the api call to check if SDN is
available had not yet returned, so we could show it by accident -
even if libpve-network-perl wasn't installed.
Fix that by hiding it (once) in the failure callback of the API call.
also move menu entries below, before Firewall, this fits better to
networking.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>