On 11/17/24 15:30, Thomas Lamprecht wrote:
> On 15.11.24 at 13:09, Stefan Hanreich wrote:
>> Since the SDN configuration reads the IPAM config file, which resides
>
> does that mean the earlier patches already require this? They load
> the SDN config already FWICT; and if so, it would be great to either
> have that change in those patches or upfront as separate patches, this
> has rather reaching consequences after all...

That's indeed an oversight on my part, the default behavior of
load_clusterfw_conf changed to loading the SDN configuration in v4 so
that patch is actually required if they are not all applied at the same
time. If we stick with /etc/pve/priv (see below) I'll reorder the
commits accordingly.

>> in /etc/pve/priv we need to add the protected flag to several
>> endpoints.
>
> That's wrong, the general IPAM config resides in /etc/pve/sdn/ipams.cfg,
> the ipam.db from the PVE IPAM Plugin does indeed reside in the private
> directory.
>
> But, why's that? The commits adding it weren't really telling, but there
> are no secrets in there, so why does it have to be priv? We could move
> them over to /etc/pve/sdn/pve-ipam.db with some backward compat handling
> (either in pmxcfs directly or in the backend side of things). Just tell
> me if that would be fine in general, or what the original reason for having
> this file only visible for root, and I can help you here.

Depends on if you consider a database of all assigned IPs inside the
cluster as sensitive information, iirc we erred on the side of caution
in this case and stored it in /etc/pve/priv.