]> git.proxmox.com Git - pve-manager.git/blob - PVE/API2/Network.pm
projects / pve-manager.git / blob
? search:


00d964a79fa834a3cd41ccf7013d4224443f7597
[pve-manager.git] / PVE / API2 / Network.pm
1 package PVE::API2::Network;
2
3 use strict;
4 use warnings;
5
6 use Net::IP qw(:PROC);
7 use PVE::Tools qw(extract_param dir_glob_regex);
8 use PVE::SafeSyslog;
9 use PVE::INotify;
10 use PVE::Exception qw(raise_param_exc);
11 use PVE::RESTHandler;
12 use PVE::RPCEnvironment;
13 use PVE::JSONSchema qw(get_standard_option);
14 use PVE::AccessControl;
15 use IO::File;
16
17 use base qw(PVE::RESTHandler);
18
19 my $have_sdn;
20 eval {
21 require PVE::Network::SDN;
22 $have_sdn = 1;
23 };
24
25 my $iflockfn = "/etc/network/.pve-interfaces.lock";
26
27 my $bond_mode_enum = [
28 'balance-rr',
29 'active-backup', # OVS and Linux
30 'balance-xor',
31 'broadcast',
32 '802.3ad',
33 'balance-tlb',
34 'balance-alb',
35 'balance-slb', # OVS
36 'lacp-balance-slb', # OVS
37 'lacp-balance-tcp', # OVS
38 ];
39
40 my $network_type_enum = ['bridge', 'bond', 'eth', 'alias', 'vlan',
41 'OVSBridge', 'OVSBond', 'OVSPort', 'OVSIntPort'];
42
43 my $confdesc = {
44 type => {
45 description => "Network interface type",
46 type => 'string',
47 enum => [@$network_type_enum, 'unknown'],
48 },
49 comments => {
50 description => "Comments",
51 type => 'string',
52 optional => 1,
53 },
54 comments6 => {
55 description => "Comments",
56 type => 'string',
57 optional => 1,
58 },
59 autostart => {
60 description => "Automatically start interface on boot.",
61 type => 'boolean',
62 optional => 1,
63 },
64 bridge_vlan_aware => {
65 description => "Enable bridge vlan support.",
66 type => 'boolean',
67 optional => 1,
68 },
69 bridge_ports => {
70 description => "Specify the interfaces you want to add to your bridge.",
71 optional => 1,
72 type => 'string', format => 'pve-iface-list',
73 },
74 ovs_ports => {
75 description => "Specify the interfaces you want to add to your bridge.",
76 optional => 1,
77 type => 'string', format => 'pve-iface-list',
78 },
79 ovs_tag => {
80 description => "Specify a VLan tag (used by OVSPort, OVSIntPort, OVSBond)",
81 optional => 1,
82 type => 'integer',
83 minimum => 1,
84 maximum => 4094,
85 },
86 ovs_options => {
87 description => "OVS interface options.",
88 optional => 1,
89 type => 'string',
90 maxLength => 1024,
91 },
92 ovs_bridge => {
93 description => "The OVS bridge associated with a OVS port. This is required when you create an OVS port.",
94 optional => 1,
95 type => 'string', format => 'pve-iface',
96 },
97 slaves => {
98 description => "Specify the interfaces used by the bonding device.",
99 optional => 1,
100 type => 'string', format => 'pve-iface-list',
101 },
102 ovs_bonds => {
103 description => "Specify the interfaces used by the bonding device.",
104 optional => 1,
105 type => 'string', format => 'pve-iface-list',
106 },
107 bond_mode => {
108 description => "Bonding mode.",
109 optional => 1,
110 type => 'string', enum => $bond_mode_enum,
111 },
112 'bond-primary' => {
113 description => "Specify the primary interface for active-backup bond.",
114 optional => 1,
115 type => 'string', format => 'pve-iface',
116 },
117 bond_xmit_hash_policy => {
118 description => "Selects the transmit hash policy to use for slave selection in balance-xor and 802.3ad modes.",
119 optional => 1,
120 type => 'string',
121 enum => ['layer2', 'layer2+3', 'layer3+4' ],
122 },
123 'vlan-raw-device' => {
124 description => "Specify the raw interface for the vlan interface.",
125 optional => 1,
126 type => 'string', format => 'pve-iface',
127 },
128 'vlan-id' => {
129 description => "vlan-id for a custom named vlan interface (ifupdown2 only).",
130 optional => 1,
131 type => 'integer',
132 minimum => 1,
133 maximum => 4094,
134 },
135 gateway => {
136 description => 'Default gateway address.',
137 type => 'string', format => 'ipv4',
138 optional => 1,
139 },
140 netmask => {
141 description => 'Network mask.',
142 type => 'string', format => 'ipv4mask',
143 optional => 1,
144 requires => 'address',
145 },
146 address => {
147 description => 'IP address.',
148 type => 'string', format => 'ipv4',
149 optional => 1,
150 requires => 'netmask',
151 },
152 cidr => {
153 description => 'IPv4 CIDR.',
154 type => 'string', format => 'CIDRv4',
155 optional => 1,
156 },
157 mtu => {
158 description => 'MTU.',
159 optional => 1,
160 type => 'integer',
161 minimum => 1280,
162 maximum => 65520,
163 },
164 gateway6 => {
165 description => 'Default ipv6 gateway address.',
166 type => 'string', format => 'ipv6',
167 optional => 1,
168 },
169 netmask6 => {
170 description => 'Network mask.',
171 type => 'integer', minimum => 0, maximum => 128,
172 optional => 1,
173 requires => 'address6',
174 },
175 address6 => {
176 description => 'IP address.',
177 type => 'string', format => 'ipv6',
178 optional => 1,
179 requires => 'netmask6',
180 },
181 cidr6 => {
182 description => 'IPv6 CIDR.',
183 type => 'string', format => 'CIDRv6',
184 optional => 1,
185 },
186 };
187
188 sub json_config_properties {
189 my $prop = shift;
190
191 foreach my $opt (keys %$confdesc) {
192 $prop->{$opt} = $confdesc->{$opt};
193 }
194
195 return $prop;
196 }
197
198 __PACKAGE__->register_method({
199 name => 'index',
200 path => '',
201 method => 'GET',
202 permissions => { user => 'all' },
203 description => "List available networks",
204 proxyto => 'node',
205 parameters => {
206 additionalProperties => 0,
207 properties => {
208 node => get_standard_option('pve-node'),
209 type => {
210 description => "Only list specific interface types.",
211 type => 'string',
212 enum => [ @$network_type_enum, 'any_bridge', 'any_local_bridge' ],
213 optional => 1,
214 },
215 },
216 },
217 returns => {
218 type => "array",
219 items => {
220 type => "object",
221 properties => {},
222 },
223 links => [ { rel => 'child', href => "{iface}" } ],
224 },
225 code => sub {
226 my ($param) = @_;
227
228 my $rpcenv = PVE::RPCEnvironment::get();
229 my $authuser = $rpcenv->get_user();
230
231 my $tmp = PVE::INotify::read_file('interfaces', 1);
232 my $config = $tmp->{data};
233 my $changes = $tmp->{changes};
234
235 $rpcenv->set_result_attrib('changes', $changes) if $changes;
236
237 my $ifaces = $config->{ifaces};
238
239 delete $ifaces->{lo}; # do not list the loopback device
240
241 if (my $tfilter = $param->{type}) {
242 my $vnets;
243
244 if ($have_sdn && $tfilter eq 'any_bridge') {
245 $vnets = PVE::Network::SDN::get_local_vnets(); # returns already access-filtered
246 }
247
248 for my $k (sort keys $ifaces->%*) {
249 my $type = $ifaces->{$k}->{type};
250 my $is_bridge = $type eq 'bridge' || $type eq 'OVSBridge';
251 my $bridge_match = $is_bridge && $tfilter =~ /^any(_local)?_bridge$/;
252 my $match = $tfilter eq $type || $bridge_match;
253 delete $ifaces->{$k} if !$match;
254 }
255
256 if (defined($vnets)) {
257 $ifaces->{$_} = $vnets->{$_} for keys $vnets->%*
258 }
259 }
260
261 #always check bridge access
262 my $can_access_vnet = sub {
263 return 1 if $authuser eq 'root@pam';
264 return 1 if $rpcenv->check_sdn_bridge($authuser, "localnetwork", $_[0], ['SDN.Audit', 'SDN.Use'], 1);
265 };
266 for my $k (sort keys $ifaces->%*) {
267 my $type = $ifaces->{$k}->{type};
268 delete $ifaces->{$k} if ($type eq 'bridge' || $type eq 'OVSBridge') && !$can_access_vnet->($k);
269 }
270
271 return PVE::RESTHandler::hash_to_array($ifaces, 'iface');
272 }});
273
274 __PACKAGE__->register_method({
275 name => 'revert_network_changes',
276 path => '',
277 method => 'DELETE',
278 permissions => {
279 check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
280 },
281 protected => 1,
282 description => "Revert network configuration changes.",
283 proxyto => 'node',
284 parameters => {
285 additionalProperties => 0,
286 properties => {
287 node => get_standard_option('pve-node'),
288 },
289 },
290 returns => { type => "null" },
291 code => sub {
292 my ($param) = @_;
293
294 unlink "/etc/network/interfaces.new";
295
296 return undef;
297 }});
298
299 my $check_duplicate = sub {
300 my ($config, $newiface, $key, $name) = @_;
301
302 foreach my $iface (keys %$config) {
303 raise_param_exc({ $key => "$name already exists on interface '$iface'." })
304 if ($newiface ne $iface) && $config->{$iface}->{$key};
305 }
306 };
307
308 my $check_duplicate_gateway = sub {
309 my ($config, $newiface) = @_;
310 return &$check_duplicate($config, $newiface, 'gateway', 'Default gateway');
311 };
312
313 my $check_duplicate_gateway6 = sub {
314 my ($config, $newiface) = @_;
315 return &$check_duplicate($config, $newiface, 'gateway6', 'Default ipv6 gateway');
316 };
317
318 my $check_duplicate_ports = sub {
319 my ($config, $newiface, $newparam) = @_;
320
321 my $param_name;
322 my $get_portlist = sub {
323 my ($param) = @_;
324 my $ports = '';
325 for my $k (qw(bridge_ports ovs_ports slaves ovs_bonds)) {
326 if ($param->{$k}) {
327 $ports .= " $param->{$k}";
328 $param_name //= $k;
329 }
330 }
331 return PVE::Tools::split_list($ports);
332 };
333
334 my $new_ports = {};
335 for my $p ($get_portlist->($newparam)) {
336 $new_ports->{$p} = 1;
337 }
338 return if !(keys %$new_ports);
339
340 for my $iface (keys %$config) {
341 next if $iface eq $newiface;
342
343 my $d = $config->{$iface};
344 for my $p ($get_portlist->($d)) {
345 raise_param_exc({ $param_name => "$p is already used on interface '$iface'." })
346 if $new_ports->{$p};
347 }
348 }
349 };
350
351 sub ipv6_tobin {
352 return Net::IP::ip_iptobin(Net::IP::ip_expand_address(shift, 6), 6);
353 }
354
355 my $check_ipv6_settings = sub {
356 my ($address, $netmask) = @_;
357
358 raise_param_exc({ netmask => "$netmask is not a valid subnet length for ipv6" })
359 if $netmask < 0 || $netmask > 128;
360
361 raise_param_exc({ address => "$address is not a valid host IPv6 address." })
362 if !Net::IP::ip_is_ipv6($address);
363
364 my $binip = ipv6_tobin($address);
365 my $binmask = Net::IP::ip_get_mask($netmask, 6);
366
367 my $type = ($binip eq $binmask) ? 'ANYCAST' : Net::IP::ip_iptypev6($binip);
368
369 if (defined($type) && $type !~ /^(?:(?:GLOBAL|(?:UNIQUE|LINK)-LOCAL)-UNICAST)$/) {
370 raise_param_exc({ address => "$address with type '$type', cannot be used as host IPv6 address." });
371 }
372 };
373
374 my $map_cidr_to_address_netmask = sub {
375 my ($param) = @_;
376
377 if ($param->{cidr}) {
378 raise_param_exc({ address => "address conflicts with cidr" })
379 if $param->{address};
380 raise_param_exc({ netmask => "netmask conflicts with cidr" })
381 if $param->{netmask};
382
383 my ($address, $netmask) = $param->{cidr} =~ m!^(.*)/(\d+)$!;
384 $param->{address} = $address;
385 $param->{netmask} = $netmask;
386 delete $param->{cidr};
387 }
388
389 if ($param->{cidr6}) {
390 raise_param_exc({ address6 => "address6 conflicts with cidr6" })
391 if $param->{address6};
392 raise_param_exc({ netmask6 => "netmask6 conflicts with cidr6" })
393 if $param->{netmask6};
394
395 my ($address, $netmask) = $param->{cidr6} =~ m!^(.*)/(\d+)$!;
396 $param->{address6} = $address;
397 $param->{netmask6} = $netmask;
398 delete $param->{cidr6};
399 }
400 };
401
402 __PACKAGE__->register_method({
403 name => 'create_network',
404 path => '',
405 method => 'POST',
406 permissions => {
407 check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
408 },
409 description => "Create network device configuration",
410 protected => 1,
411 proxyto => 'node',
412 parameters => {
413 additionalProperties => 0,
414 properties => json_config_properties({
415 node => get_standard_option('pve-node'),
416 iface => get_standard_option('pve-iface')}),
417 },
418 returns => { type => 'null' },
419 code => sub {
420 my ($param) = @_;
421
422 my $node = extract_param($param, 'node');
423 my $iface = extract_param($param, 'iface');
424
425 my $code = sub {
426 my $config = PVE::INotify::read_file('interfaces');
427 my $ifaces = $config->{ifaces};
428
429 raise_param_exc({ iface => "interface already exists" })
430 if $ifaces->{$iface};
431
432 &$check_duplicate_gateway($ifaces, $iface)
433 if $param->{gateway};
434 &$check_duplicate_gateway6($ifaces, $iface)
435 if $param->{gateway6};
436
437 $check_duplicate_ports->($ifaces, $iface, $param);
438
439 $map_cidr_to_address_netmask->($param);
440
441 &$check_ipv6_settings($param->{address6}, int($param->{netmask6}))
442 if $param->{address6};
443
444 my $families = $param->{families} = [];
445 push @$families, 'inet'
446 if $param->{address} && !grep(/^inet$/, @$families);
447 push @$families, 'inet6'
448 if $param->{address6} && !grep(/^inet6$/, @$families);
449 @$families = ('inet') if !scalar(@$families);
450
451 $param->{method} = $param->{address} ? 'static' : 'manual';
452 $param->{method6} = $param->{address6} ? 'static' : 'manual';
453
454 if ($param->{type} =~ m/^OVS/) {
455 -x '/usr/bin/ovs-vsctl' ||
456 die "Open VSwitch is not installed (need package 'openvswitch-switch')\n";
457 }
458
459 if ($param->{type} eq 'OVSIntPort' || $param->{type} eq 'OVSBond') {
460 my $brname = $param->{ovs_bridge};
461 raise_param_exc({ ovs_bridge => "parameter is required" }) if !$brname;
462 my $br = $ifaces->{$brname};
463 raise_param_exc({ ovs_bridge => "bridge '$brname' does not exist" }) if !$br;
464 raise_param_exc({ ovs_bridge => "interface '$brname' is no OVS bridge" })
465 if $br->{type} ne 'OVSBridge';
466
467 my @ports = split (/\s+/, $br->{ovs_ports} || '');
468 $br->{ovs_ports} = join(' ', @ports, $iface)
469 if ! grep { $_ eq $iface } @ports;
470 }
471
472 $ifaces->{$iface} = $param;
473
474 PVE::INotify::write_file('interfaces', $config);
475 };
476
477 PVE::Tools::lock_file($iflockfn, 10, $code);
478 die $@ if $@;
479
480 return undef;
481 }});
482
483 __PACKAGE__->register_method({
484 name => 'update_network',
485 path => '{iface}',
486 method => 'PUT',
487 permissions => {
488 check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
489 },
490 description => "Update network device configuration",
491 protected => 1,
492 proxyto => 'node',
493 parameters => {
494 additionalProperties => 0,
495 properties => json_config_properties({
496 node => get_standard_option('pve-node'),
497 iface => get_standard_option('pve-iface'),
498 delete => {
499 type => 'string', format => 'pve-configid-list',
500 description => "A list of settings you want to delete.",
501 optional => 1,
502 }}),
503 },
504 returns => { type => 'null' },
505 code => sub {
506 my ($param) = @_;
507
508 my $node = extract_param($param, 'node');
509 my $iface = extract_param($param, 'iface');
510 my $delete = extract_param($param, 'delete');
511
512 my $code = sub {
513 my $config = PVE::INotify::read_file('interfaces');
514 my $ifaces = $config->{ifaces};
515
516 raise_param_exc({ iface => "interface does not exist" })
517 if !$ifaces->{$iface};
518
519 my $families = ($param->{families} ||= []);
520 foreach my $k (PVE::Tools::split_list($delete)) {
521 delete $ifaces->{$iface}->{$k};
522 @$families = grep(!/^inet$/, @$families) if $k eq 'address';
523 @$families = grep(!/^inet6$/, @$families) if $k eq 'address6';
524 if ($k eq 'cidr') {
525 delete $ifaces->{$iface}->{netmask};
526 delete $ifaces->{$iface}->{address};
527 } elsif ($k eq 'cidr6') {
528 delete $ifaces->{$iface}->{netmask6};
529 delete $ifaces->{$iface}->{address6};
530 }
531 }
532
533 $map_cidr_to_address_netmask->($param);
534
535 &$check_duplicate_gateway($ifaces, $iface)
536 if $param->{gateway};
537 &$check_duplicate_gateway6($ifaces, $iface)
538 if $param->{gateway6};
539
540 $check_duplicate_ports->($ifaces, $iface, $param);
541
542 if ($param->{address}) {
543 push @$families, 'inet' if !grep(/^inet$/, @$families);
544 } else {
545 @$families = grep(!/^inet$/, @$families);
546 }
547 if ($param->{address6}) {
548 &$check_ipv6_settings($param->{address6}, int($param->{netmask6}));
549 push @$families, 'inet6' if !grep(/^inet6$/, @$families);
550 } else {
551 @$families = grep(!/^inet6$/, @$families);
552 }
553 @$families = ('inet') if !scalar(@$families);
554
555 $param->{method} = $param->{address} ? 'static' : 'manual';
556 $param->{method6} = $param->{address6} ? 'static' : 'manual';
557
558 foreach my $k (keys %$param) {
559 $ifaces->{$iface}->{$k} = $param->{$k};
560 }
561
562 PVE::INotify::write_file('interfaces', $config);
563 };
564
565 PVE::Tools::lock_file($iflockfn, 10, $code);
566 die $@ if $@;
567
568 return undef;
569 }});
570
571 __PACKAGE__->register_method({
572 name => 'network_config',
573 path => '{iface}',
574 method => 'GET',
575 permissions => {
576 check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
577 },
578 description => "Read network device configuration",
579 proxyto => 'node',
580 parameters => {
581 additionalProperties => 0,
582 properties => {
583 node => get_standard_option('pve-node'),
584 iface => get_standard_option('pve-iface'),
585 },
586 },
587 returns => {
588 type => "object",
589 properties => {
590 type => {
591 type => 'string',
592 },
593 method => {
594 type => 'string',
595 },
596 },
597 },
598 code => sub {
599 my ($param) = @_;
600
601 my $config = PVE::INotify::read_file('interfaces');
602 my $ifaces = $config->{ifaces};
603
604 raise_param_exc({ iface => "interface does not exist" })
605 if !$ifaces->{$param->{iface}};
606
607 return $ifaces->{$param->{iface}};
608 }});
609
610 sub ifupdown2_version {
611 my $v;
612 PVE::Tools::run_command(['ifreload', '-V'], outfunc => sub { $v //= shift });
613 return if !defined($v) || $v !~ /^\s*ifupdown2:(\S+)\s*$/;
614 $v = $1;
615 my ($major, $minor, $extra, $pve) = split(/\.|-/, $v);
616 my $is_pve = defined($pve) && $pve =~ /(pve|pmx|proxmox)/;
617
618 return ($major * 100000 + $minor * 1000 + $extra * 10, $is_pve, $v);
619 }
620 sub assert_ifupdown2_installed {
621 die "you need ifupdown2 to reload network configuration\n" if ! -e '/usr/share/ifupdown2';
622 my ($v, $pve, $v_str) = ifupdown2_version();
623 die "incompatible 'ifupdown2' package version '$v_str'! Did you installed from Proxmox repositories?\n"
624 if $v < (1*100000 + 2*1000 + 8*10) || !$pve;
625 }
626
627 __PACKAGE__->register_method({
628 name => 'reload_network_config',
629 path => '',
630 method => 'PUT',
631 permissions => {
632 check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
633 },
634 description => "Reload network configuration",
635 protected => 1,
636 proxyto => 'node',
637 parameters => {
638 additionalProperties => 0,
639 properties => {
640 node => get_standard_option('pve-node'),
641 },
642 },
643 returns => { type => 'string' },
644 code => sub {
645
646 my ($param) = @_;
647
648 my $rpcenv = PVE::RPCEnvironment::get();
649
650 my $authuser = $rpcenv->get_user();
651
652 my $current_config_file = "/etc/network/interfaces";
653 my $new_config_file = "/etc/network/interfaces.new";
654
655 assert_ifupdown2_installed();
656
657 my $worker = sub {
658
659 rename($new_config_file, $current_config_file) if -e $new_config_file;
660
661 if ($have_sdn) {
662 PVE::Network::SDN::generate_zone_config();
663 }
664
665 my $err = sub {
666 my $line = shift;
667 if ($line =~ /(warning|error): (\S+):/) {
668 print "$2 : $line \n";
669 }
670 };
671 PVE::Tools::run_command(['ifreload', '-a'], errfunc => $err);
672
673 if ($have_sdn) {
674 PVE::Network::SDN::generate_controller_config(1);
675 }
676 };
677 return $rpcenv->fork_worker('srvreload', 'networking', $authuser, $worker);
678 }});
679
680 __PACKAGE__->register_method({
681 name => 'delete_network',
682 path => '{iface}',
683 method => 'DELETE',
684 permissions => {
685 check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
686 },
687 description => "Delete network device configuration",
688 protected => 1,
689 proxyto => 'node',
690 parameters => {
691 additionalProperties => 0,
692 properties => {
693 node => get_standard_option('pve-node'),
694 iface => get_standard_option('pve-iface'),
695 },
696 },
697 returns => { type => 'null' },
698 code => sub {
699 my ($param) = @_;
700
701 my $code = sub {
702 my $config = PVE::INotify::read_file('interfaces');
703 my $ifaces = $config->{ifaces};
704
705 raise_param_exc({ iface => "interface does not exist" })
706 if !$ifaces->{$param->{iface}};
707
708 my $d = $ifaces->{$param->{iface}};
709 if ($d->{type} eq 'OVSIntPort' || $d->{type} eq 'OVSBond') {
710 if (my $brname = $d->{ovs_bridge}) {
711 if (my $br = $ifaces->{$brname}) {
712 if ($br->{ovs_ports}) {
713 my @ports = split (/\s+/, $br->{ovs_ports});
714 my @new = grep { $_ ne $param->{iface} } @ports;
715 $br->{ovs_ports} = join(' ', @new);
716 }
717 }
718 }
719 }
720
721 delete $ifaces->{$param->{iface}};
722
723 PVE::INotify::write_file('interfaces', $config);
724 };
725
726 PVE::Tools::lock_file($iflockfn, 10, $code);
727 die $@ if $@;
728
729 return undef;
730 }});
The Proxmox VE Management API and Web UI