[pve-devel] [pve-network 1/1] ipam: move mac-cache.db to unprivileged sdn/ subdirectory

Mon, 18 Nov 2024 12:56:07 -0800 

follows commit:
0f48bc6 ("ipam: move state file of PVE plugin over to common sdn directory")
as far as reasoning goes, and also closely code-wise (if only to make
the clean-up with PVE 9.0 a bit more straight-forward):
files in priv/ are sensitive in the sense that access there can be
used to hijack (external systems) - the mac-cache can be kept next to
the remaining sdn-config.

minimally tested on my machine.
depends on the pve-cluster commit sent with this.

Signed-off-by: Stoiko Ivanov <s.iva...@proxmox.com>
---
 src/PVE/Network/SDN/Ipams.pm | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Network/SDN/Ipams.pm b/src/PVE/Network/SDN/Ipams.pm
index 926df90..c689b8f 100644
--- a/src/PVE/Network/SDN/Ipams.pm
+++ b/src/PVE/Network/SDN/Ipams.pm
@@ -20,9 +20,34 @@ PVE::Network::SDN::Ipams::NetboxPlugin->register();
 PVE::Network::SDN::Ipams::PhpIpamPlugin->register();
 PVE::Network::SDN::Ipams::Plugin->init();
 
-my $macdb_filename = 'priv/macs.db';
+my $macdb_filename = "sdn/mac-cache.json";
+my $macdb_filename_legacy = 'priv/macs.db';
+
+cfs_register_file(
+    $macdb_filename,
+    sub {
+       my ($filename , $data) = @_;
+       if (defined($data)) {
+           return json_reader($filename, $data);
+       } else {
+           # TODO: remove legacy cache file handling with PVE 9+ after 
ensuring all call sites got
+           # switched over.
+           return cfs_read_file($macdb_filename_legacy);
+       }
+    },
+    sub {
+       my ($filename , $data) = @_;
+       # TODO: remove below with PVE 9+, add a pve8to9 check to allow doing so.
+       if (-e $macdb_filename_legacy && -e $macdb_filename) {
+           # only clean-up if we succeeded to write the new path at least once
+           unlink $macdb_filename_legacy or $!{ENOENT} or warn "failed to 
unlink legacy MAC cache - $!\n";
+       }
+       return json_writer->($filename, $data);
+    }
+);
 
-cfs_register_file($macdb_filename, \&json_reader, \&json_writer);
+# drop reading $macdb_filename_legacy with PVE 9+ - for now do not write it 
anymore.
+cfs_register_file($macdb_filename_legacy, \&json_reader, undef);
 
 sub json_reader {
     my ($filename, $data) = @_;
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Reply via email to