we don't have a mandatory Ceph major version upgrade this time around,
so this check does not make sense. instead, we want noout until the full
cluster is upgraded. let's use the simple approach and just flip the
switch to "turn off noout if all of Ceph is a single version" in the PVE
7.x branch.
these were mostly relevant for the Luminous -> Nautilus upgrade, and we
don't need to list all the default passing states that our tooling sets
up anyway.
the old one is not available post-upgrade, let's use a single codepath
for this.
the new API only allows querying user-settable flags, but the only flags
we check besides 'noout' are not relevant for an upgrade of PVE 6.x to
7.x (PVE 6.x only supports Nautilus+ which requires these flags to be
set in order to work) so we can just drop those outdated checks instead
of extending/refactoring the API.
pve6to7: check for containers not supporting pure cgroupv2
Helpers copied from pve-container to avoid versioned bumps.
Early returns when no containers are running, or the containers don't
use systemd, as well as returning after finding the first affected
container to minimize impact and resource usage.
Checking running containers first since following /proc/<pid>/root is
cheaper than mounting all volumes for a container
ui: node status: prioritize non-production and fix ok case
Non-production repositories will always pull in their newer software,
so even if enterprise+subscription is OK we should mark it with
priority if, e.g., pvetest is enabled.
There was also a bug regarding the all OK state
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stefan Reiter [Mon, 5 Jul 2021 10:15:28 +0000 (12:15 +0200)]
ui: dc/guests: remove 'line-height' from default style
Firefox doesn't correctly break to the next line if the line-height
is set as is (with certain fonts, including the default on debian it
seems). Simply remove it, as it isn't necessary.
Suggested-by: Dominik Csapak <d.csapak@proxmox.com>
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
The nvme-cli package is recommended by (our) Ceph packages, but here
--no-install-recommends is used to avoid pulling in too much.
The issue with not installing nvme-cli is that a "security
information" mail notification is triggered by sudo each time Ceph
tries to get the device health metrics. While there is a sudoers
rule for /usr/sbin/nvme, Ceph uses 'sudo nvme ...', so it does not
apply when the package is not installed.
This didn't seem to happen with sudo in buster.
It's about 1 MiB of additional packages (nvme-cli + uuid-runtime).
As both the whole panel's body and the actual items all had their own
padding, it added up quite a bit.
Some padding is good to avoid elements being "glued" to the parent
borders, but that can also be done with ~15 px vs. 30 px on each
side, so no need to waste that much extra space we can use in some
languages to render content
Added benefit, the status panel now is more in sync with the RRD
panels regarding content start/end.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
the icon on the left side looks a bit weird here, as the lines
directly above had none and the actual status which the icon tried to
emphasize is on the right anyway.
Rework also the output.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
We had done so already in PBS and PMG since a bit without seeing
anything broken due to it, which makes sense as this was enabled for
*during* the step-by-step upgrade from ExtJS 4 to 5 (and then
directly 6).
Re-enabling could help with some accessibility issues we have some
tangential reports[0].
ui: rework global searchfield, drop cruft, improve readability
Single letter variable names really do not help understanding what's
going on, as do overly general names like fields for the split up
words we actually search+filter for.
Using a switch block as map is often also not ideal (way more syntax
noise and style hacks like break on the same line to keep it
compact), rather just use an actual object map.
Some of the improvements were not possible when this was
implemented, as then we ensured < es5 compat for IE 10 support.
With for-of and nullish-chaining a few things get nicer to
express.
While at it also fix comment text width making them look less like
haikus and improve match calculation comment to avoid implying that
match is either 0, 1 or 2, it can be higher too (if multiple columns
match).
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
d/postinst: actively remove pvetest repository (add for beta) again
in theory we'd need to be more cautious but this was added only during
beta, which is when we do not really provide any stability
guarantee, further, it's rather unlikely that one added very
important repos that, when removed, break something (again *during*
beta).
The new APT repo management makes it also easy to see when one does
not get any PVE updates, and one can add the pvetest repo there
again easily too.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
ui: download do not clear meta info on certValidity change
Makes no sense, as the URL is the same so the info, if any at all, is
still valid - not counting the rather rare case where in the exact
moment one disables cert checking a MITM interception goes live ;-)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
fix #1710: ui: storage: add download from url button
uses the common function PVE::Tools::download_file_from_url to
download an iso image or container template.
note: Only users with permissions `Sys.Audit` and `Sys.Modify` on
`/` are permitted to use the api endpoints due to security reasons.
(it is possible to download files from internal networks which would
not be visible/accessible from outside)
Due to the ability of this api endpoint to request files on internal
networks (which would not be visible/accessible from outside) it is
restricted to users with permissions `Sys.Audit` and `Sys.Modify` on
`/`. Users with these permissions are able to alter node (network)
config anyway, so this should not create any further security risk.
ui: Workspace: use domains info to hide password/tfa items
in the user menu
we have to make an additional api call here, since it is the only
place (currently) where we can get the realm type
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
[ Thomas: adapt to move of parse_userid to widget-toolkit ]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dietmar Maurer [Thu, 24 Jun 2021 08:17:59 +0000 (10:17 +0200)]
ui: implement OpenId login
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
[ Thomas: amended the following changes:
- factor out openid_login_param to widget-toolkit as
getOpenIDRedirectionAuthorization and use it
- use camel case to match our JS style guide and our framework (and
basically the rest of the JS world)
- minor cleanups like moving variable definition into the single if
branch they're used
]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
these were mostly relevant for upgrading from Corosync 2.x to 3.x - so
keep the warnings/errors, but reduce the noise a bit by skipping lots of
PASS output.
api: cluster/backupinfo: rework bogus index endpoint
This had a myriad of issues:
* marked as protected, thus forwarded to the privileged daemon even
if it just returned static information
* did not return directory index but a "stub" string, which does not
make sense.
* not named index
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 29 Jun 2021 15:51:55 +0000 (17:51 +0200)]
d/postinst: regenerate machine-id also for 4.0 beta ISOs
With some poking around I got hold of more released ISO files,
while beta it seems that we have some loyal installations setup with
a 4.0 beta and updated to 7.0 beta[0] (cool stuff!)
Fabian Ebner [Wed, 30 Jun 2021 09:16:18 +0000 (11:16 +0200)]
pve6to7: more fine-grained detection of misconfigured guest volumes
If neither 'rootdir' nor 'images' are configured on a storage, but
there are guest images, just log the number of volumes found. If they
are relevant for migration, the check for unreferenced volumes will
catch them later.
Also detect content type mismatch for all volumes of existing guests,
which also covers the case of a VM image on a storage with only
'rootdir' and vice versa. To catch all such unreferenced volumes too,
it is necessary to scan all storages that do not have both content
types configured.
Change the message from 'will not work' to 'might not work'. If a
volume only referenced by a snapshot is misconfigured, it doesn't mean
that the guest doesn't work at all. Or it might be an ISO on a
misconfigured storage.
Hannes Laimer [Mon, 28 Jun 2021 10:40:34 +0000 (12:40 +0200)]
api: cluster/resources: add 'name' property to return schema
VM names are returned by the endpoint anyway, therefore it makes sense
to add it to the endpoint specification so it also appears in the API
docs and is visible when using pvesh with text output.
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>