Dominik Csapak [Thu, 16 Feb 2017 08:24:18 +0000 (09:24 +0100)]
(maybe) fixes #1229: fix port reservation
when reserving ports, we use lock_file to lock the
reservation file, but then use file_set_content which
writes a new file and renames it, making the lock invalid
and different processes waiting for the lock get inconsistent
data
instead we use a designated lock file for the lock, so that we don't
lose the lock when writing the reservation file
this should fix the problem that sometimes multiple vms get the
same vnc/spice port
We shouldn't mix different tool sets on the one hand, and on
the other hand net-tools is an optional package in stretch
and there's no real need for us to depend on it.
When a container stops or hotplug changes are applied we
do a veth_delete() which does not cleanup the firewall
bridges or OVS ports. This is problematic at the next
startup. When creating a network device we usually want to
copy the MTU of the bridge we intend to put it on, however,
with OVS still having the old port lying around the
recreated device gets associated with the bridge before we
read its MTU, potentially reducing it to that of the newly
created device.
This cleanup also gets rid of stale fwbr/fwln devices from
stopped containers.
unless we are in cleanup mode from a failed snapshot_create,
in which case the config already has a 'snapshot' lock.
this is necessary to prevent concurrent starting of or other
actions on the guest in the windows inbetween holding the
flock, e.g. when removing the volume snapshot (which can
take a bit of time).
JSONSchema: named formats in parse_property_string
While our code currently passes the format hashes directly,
some code gets them via the format property of a
configuration description which verifies successfully via
check_format() for named property string formats, so this
should be allowed.
Thomas Lamprecht [Fri, 28 Oct 2016 09:53:24 +0000 (11:53 +0200)]
add get_local_ip_from_cidr
The get_local_ip_from_cidr method can be used to determine addresses
configured on interfaces from the callers node which are located
in the subnet. The subnet can be passed in CIDR notation.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
SectionConfig: always write out explicitly set booleans
Because when only writing the ones which are true we're
breaking the ones which default to true (like the mkdir
option on directory storages, where we need a false value
to be written out explicitly).
Many interfaces used to get an ipv6 link-local address which
was usually unusable and therefore pointless.
In order to ensure consistency this is called in various
places:
* $bridge_add_interface() and $ovs_bridge_add_port() because
it's generally a good choice for bridge ports.
* tap_create() and veth_create() because the activate the
interfaces and we want to avoid the link local address to
exist temporarily between bringing the interface up and
adding it to a bridge.
* create_firewall_bridge_*() because firewall bridges aren't
meant to have addresses either.
* activate_bridge_vlan() - if vlan_filtering is disabled we
create vlan-bridges and neither them nor their physical
ports should have link local addresses.
The 'pattern' property has type string and format regex, so
it makes sense to allow Regexp objects to be used for it.
While check_type() doesn't know the format, Regexp objects
can be treated like strings anyway, including compared via
'eq' or matched via '=~', so we allow strings to generally
come from a Regexp object.
Commit de9a267 introduced vec() to optimize the generation
by using binary operations instead of converting back and
forth between hex and strings, but forgot to switch over to
the binary sha1 method. This resulted in only the first 6
hex digits of the output string making up the address.
Fix #132: hold a lock while setting up vlan bridges
It's possible for two simultaneous VM starts to try to
create vlan bridges on non-vlan-aware bridges
simultaneously, which causes one of them to fail with the
error "can't add bridge ...".
This essentially performas the task of systemd-run while
also waiting for the job to finish.
With the systemd-run version in jessie we run into a race
condition where the executed process can start forking child
processes before the systemd daemon is done setting up the
scope's cgroups, causing the children to NOT be included in
the cgroups. This means the child processes (in our case
qemu) will not adhere to the limits we want to apply to it
via cgroups.
enter_systemd_scope() performs the setup task of systemd-run
and waits for the job to finish, after this we can spawn the
qemu process without systemd-run.
Since we already allow this for container IP addresses it is
reasonable to assume the host might be using such a setup as
well. (You can use an additional route to reach the gateway
and then simply have no "LAN".) Some people seem to want
this...
Thomas Lamprecht [Wed, 25 May 2016 09:03:10 +0000 (11:03 +0200)]
run_cli_handler: add no_rpcenv parameter
This can be used if a CLIHandler child class does not needs or wants
RPCEnv. E.g. this is the case with pve-cluster, as it's a dependency
of the package where RPCEnv resides (access-control), so this can be
set to avoid a implicit circular build dependency.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>