[pve-devel] [PATCH pve-network v2 8/8] partial fix #5496: subnet: ipam: add update_subnet hook

Stefan Hanreich Tue, 11 Mar 2025 12:29:25 -0700

Because of how the Netbox IPAM plugin works (utilizing IP ranges to
represent DHCP ranges), we need a hook in the IPAM plugin that runs on
updates to the subnet because DHCP ranges can be edited. The update
hook in Netbox checks which DHCP ranges got added and which got
deleted and then performs the respective changes in the Netbox IPAM.
This operates under the assumption that DHCP ranges do not overlap
(which is not supported by Netbox anyway).


Only Netbox needs to do work on update, so we can leave this as noop
in phpIPAM and the PVE IPAM, because they have no notion of IP ranges
or similar entities. phpIPAM doesn't support DHCP ranges at all and
PVE IPAM simply uses DHCP ranges as a constraint when allocating an
IP.

I decided on this approach over just creating IP ranges on demand when
assigning IPs, because this keeps Netbox clean and in sync with the
PVE state. It doesn't leave remnants of IP ranges in the Netbox
database, which can lead to errors when trying to create IP ranges
that overlap with IP ranges that already existed in an SDN subnet.

This method tries to check for any possible errors before editing the
entities. There is still a small window where external changes can
occur that lead to errors. We are touching multiple entities here, so
in case of errors users have to fix their Netbox instance manually.

Signed-off-by: Stefan Hanreich <s.hanre...@proxmox.com>
---
 src/PVE/Network/SDN/Ipams/NetboxPlugin.pm  | 54 ++++++++++++++++++++++
 src/PVE/Network/SDN/Ipams/PVEPlugin.pm     |  5 ++
 src/PVE/Network/SDN/Ipams/PhpIpamPlugin.pm |  5 ++
 src/PVE/Network/SDN/Ipams/Plugin.pm        |  6 +++
 src/PVE/Network/SDN/SubnetPlugin.pm        |  6 ++-
 src/PVE/Network/SDN/Subnets.pm             | 12 +++++
 6 files changed, 87 insertions(+), 1 deletion(-)

diff --git a/src/PVE/Network/SDN/Ipams/NetboxPlugin.pm 
b/src/PVE/Network/SDN/Ipams/NetboxPlugin.pm
index af9be25..a691323 100644
--- a/src/PVE/Network/SDN/Ipams/NetboxPlugin.pm
+++ b/src/PVE/Network/SDN/Ipams/NetboxPlugin.pm
@@ -96,6 +96,60 @@ sub add_subnet {
     }
 }
 
+sub update_subnet {
+    my ($class, $plugin_config, $subnetid, $subnet, $old_subnet, $noerr) = @_;
+
+    # old subnet in SubnetPlugin hook has already parsed dhcp-ranges
+    # new subnet doesn't
+    my $old_dhcp_ranges = $old_subnet->{'dhcp-range'};
+    my $new_dhcp_ranges = PVE::Network::SDN::Subnets::get_dhcp_ranges($subnet);
+
+    my $hash_range = sub {
+       my ($dhcp_range) = @_;
+       "$dhcp_range->{'start-address'} - $dhcp_range->{'end-address'}"
+    };
+
+    my $old_lookup = {};
+    for my $dhcp_range (@$old_dhcp_ranges) {
+       my $hash = $hash_range->($dhcp_range);
+       $old_lookup->{$hash} = undef;
+    }
+
+    my $new_lookup = {};
+    for my $dhcp_range (@$new_dhcp_ranges) {
+       my $hash = $hash_range->($dhcp_range);
+       $new_lookup->{$hash} = undef;
+    }
+
+    my $to_delete_ids = ();
+
+    # delete first so we don't get errors with overlapping ranges
+    for my $dhcp_range (@$old_dhcp_ranges) {
+       my $hash = $hash_range->($dhcp_range);
+
+       if (exists($new_lookup->{$hash})) {
+           next;
+       }
+
+       my $internalid = get_iprange_id($plugin_config, $dhcp_range, $noerr);
+
+       # definedness check, because ID could be 0
+       if (!defined($internalid)) {
+           warn "could not find id for ip range 
$dhcp_range->{'start-address'}:$dhcp_range->{'end-address'}";
+           next;
+       }
+
+       del_dhcp_range($plugin_config, $internalid, $noerr);
+    }
+
+    for my $dhcp_range (@$new_dhcp_ranges) {
+       my $hash = $hash_range->($dhcp_range);
+
+       add_dhcp_range($plugin_config, $dhcp_range, $noerr)
+           if !exists($old_lookup->{$hash});
+    }
+}
+
 sub del_subnet {
     my ($class, $plugin_config, $subnetid, $subnet, $noerr) = @_;
 
diff --git a/src/PVE/Network/SDN/Ipams/PVEPlugin.pm 
b/src/PVE/Network/SDN/Ipams/PVEPlugin.pm
index 742f1b1..59ad4ea 100644
--- a/src/PVE/Network/SDN/Ipams/PVEPlugin.pm
+++ b/src/PVE/Network/SDN/Ipams/PVEPlugin.pm
@@ -82,6 +82,11 @@ sub add_subnet {
     die "$@" if $@;
 }
 
+sub update_subnet {
+    my ($class, $plugin_config, $subnetid, $subnet, $old_subnet, $noerr) = @_;
+    # we don't need to do anything on update
+}
+
 sub only_gateway_remains {
     my ($ips) = @_;
 
diff --git a/src/PVE/Network/SDN/Ipams/PhpIpamPlugin.pm 
b/src/PVE/Network/SDN/Ipams/PhpIpamPlugin.pm
index df5048d..8ee430a 100644
--- a/src/PVE/Network/SDN/Ipams/PhpIpamPlugin.pm
+++ b/src/PVE/Network/SDN/Ipams/PhpIpamPlugin.pm
@@ -67,6 +67,11 @@ sub add_subnet {
     }
 }
 
+sub update_subnet {
+    my ($class, $plugin_config, $subnetid, $subnet, $old_subnet, $noerr) = @_;
+    # we don't need to do anything on update
+}
+
 sub del_subnet {
     my ($class, $plugin_config, $subnetid, $subnet, $noerr) = @_;
 
diff --git a/src/PVE/Network/SDN/Ipams/Plugin.pm 
b/src/PVE/Network/SDN/Ipams/Plugin.pm
index ab4cae8..6190c24 100644
--- a/src/PVE/Network/SDN/Ipams/Plugin.pm
+++ b/src/PVE/Network/SDN/Ipams/Plugin.pm
@@ -75,6 +75,12 @@ sub add_subnet {
     die "please implement inside plugin";
 }
 
+sub update_subnet {
+    my ($class, $plugin_config, $subnetid, $subnet, $old_subnet, $noerr) = @_;
+
+    die "please implement inside plugin";
+}
+
 sub del_subnet {
     my ($class, $plugin_config, $subnetid, $subnet, $noerr) = @_;
 
diff --git a/src/PVE/Network/SDN/SubnetPlugin.pm 
b/src/PVE/Network/SDN/SubnetPlugin.pm
index b911d69..8a79eae 100644
--- a/src/PVE/Network/SDN/SubnetPlugin.pm
+++ b/src/PVE/Network/SDN/SubnetPlugin.pm
@@ -201,7 +201,11 @@ sub on_update_hook {
     validate_dhcp_ranges($subnet);
 
     if ($ipam) {
-       PVE::Network::SDN::Subnets::add_subnet($zone, $subnetid, $subnet);
+       if ($old_subnet) {
+           PVE::Network::SDN::Subnets::update_subnet($zone, $subnetid, 
$subnet, $old_subnet);
+       } else {
+           PVE::Network::SDN::Subnets::add_subnet($zone, $subnetid, $subnet);
+       }
 
        #don't register gateway for pointopoint
        return if $pointopoint;
diff --git a/src/PVE/Network/SDN/Subnets.pm b/src/PVE/Network/SDN/Subnets.pm
index e2c8c9c..18847c2 100644
--- a/src/PVE/Network/SDN/Subnets.pm
+++ b/src/PVE/Network/SDN/Subnets.pm
@@ -194,6 +194,18 @@ sub add_subnet {
     $plugin->add_subnet($plugin_config, $subnetid, $subnet);
 }
 
+sub update_subnet {
+    my ($zone, $subnetid, $subnet, $old_subnet) = @_;
+
+    my $ipam = $zone->{ipam};
+    return if !$ipam;
+
+    my $ipam_cfg = PVE::Network::SDN::Ipams::config();
+    my $plugin_config = $ipam_cfg->{ids}->{$ipam};
+    my $plugin = 
PVE::Network::SDN::Ipams::Plugin->lookup($plugin_config->{type});
+    $plugin->update_subnet($plugin_config, $subnetid, $subnet, $old_subnet);
+}
+
 sub del_subnet {
     my ($zone, $subnetid, $subnet) = @_;
 
-- 
2.39.5


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH pve-network v2 8/8] partial fix #5496: subnet: ipam: add update_subnet hook

Reply via email to