[pve-devel] [PATCH manager 2/2] api2: use JSONSchema to validate commands for "nodes/{node}/execute"

2022-07-27 Thread Stefan Sterz
this also makes it more explicit what the different values should be Signed-off-by: Stefan Sterz --- not sure how sensible this is because most of the information here won't show up in the api viewer. i couldn't figure out how to make it show up and not make breaking changes to the endpoint or ch

[pve-devel] [PATCH manager 1/2] fix: api2: add return type to nodes/{node}/execute endpoint

2022-07-27 Thread Stefan Sterz
since this was missing a proper return type definition the api viewer couldn't display the endpoint (`retinfs.items` was undefined). also the `pvesh` command would complain that it cannot properly format the return type because the variable `$item_type` in `CLIFormatter.pm` was not defined. Signed

[pve-devel] [PATCH qemu-server] cleanup pci devices in more situations

2022-07-27 Thread Dominik Csapak
if the preparing of pci devices or the start of the vm fails, we need to cleanup the pci devices (reservations *and* mdevs), or else it might happen that there are leftovers which must be manually removed. to include also mdevs now, refactor the cleanup code from 'vm_stop_cleanup' into its own fu

[pve-devel] [PATCH firewall] fix #4175: ignore non-filter ebtables tables

2022-07-27 Thread Fabian Grünbichler
we only ever add rules to the filter table, without this we'd add all rules from other tables (which might have been manually filled by the admin) to the filter table as well - adding another copy on every iteration of the firewall update cycle! note that ebtables-restore seems to flush tables con

Re: [pve-devel] [PATCH-SERIES v2 manager/guest-common] replication: improve removal of stale snapshots/volumes

2022-07-27 Thread Fiona Ebner
On 13.06.22 at 12:29, Fabian Ebner wrote: > In certain scenarios, see manager 2/2 and guest-common 3/4, replicated > volumes could end up orphaned. This series attempts to fix those, as > well as making removal of stale replication snapshots a bit more > robust. Also includes some slight documenta

Re: [pve-devel] [PATCH v7 qemu-server 00/10] cloudinit pending behaviour change

2022-07-27 Thread Fiona Ebner
On 22.06.22 at 13:51, Alexandre Derumier wrote: > Hi, > > This is an attempt to cleanup current behaviour of cloudinit online changes. > > Currently, we setup cloudinit options as pending, until we generate the > config drive. > > This is not 100% true, because some option like vm name, nic ma

Re: [pve-devel] [PATCH V3 pve-manager 1/2] fix #2822: add lvm, lvmthin & zfs storage for all cluster nodes

2022-07-27 Thread Fiona Ebner
On 19.07.22 at 13:57, Stefan Hrdlicka wrote: > This adds a dropdown box for LVM, LVMThin & ZFS storage options where a > cluster node needs to be chosen. As default the current node is > selected. It restricts the storage to be only available on the > selected node. > > Signed-off-by: Stefan H

Re: [pve-devel] [PATCH v4 access-control++ 00/18] SuperUser privilege

2022-07-27 Thread Fabian Grünbichler
On June 2, 2022 9:24 am, Oguz Bektas wrote: > big thanks to Fabian G. for the earlier reviews :) > > v3 was not reviewed but i thought i should rebase it to make it easier. > i also noticed some things that weren't addressed or were > incorrect, so those are hopefully fixed now. sorry for the lon

Re: [pve-devel] [PATCH v4 docs 18/18] pveum: add SU privilege and SA role

2022-07-27 Thread Fabian Grünbichler
On June 2, 2022 9:24 am, Oguz Bektas wrote: > with some warnings about imposed restrictions and the danger of giving > this role/privilege to untrusted users. this should probably have a warning about giving whole groups SuperUser privileges, since anybody able to add users to that group (which d

Re: [pve-devel] [PATCH v4 qemu-server 08/18] api: allow superusers to use 'skiplock' option

2022-07-27 Thread Fabian Grünbichler
On June 2, 2022 9:24 am, Oguz Bektas wrote: > also mark the intentionally root-only migration related options > in param descriptions and leave a reminder comment. how are these changes related? please split them up into two patches (or merge the comment part into the other patch that adds similar

Re: [pve-devel] [PATCH v4 manager 15/18] ui: adapt sensible 'root@pam' checks to SU

2022-07-27 Thread Fabian Grünbichler
On June 2, 2022 9:24 am, Oguz Bektas wrote: > Signed-off-by: Oguz Bektas > --- > * left off ceph since we drop to a /bin/login shell anyways > > www/manager6/lxc/Resources.js | 6 +++--- > www/manager6/window/Migrate.js | 4 ++-- > 2 files changed, 5 insertions(+), 5 deletions(-) > > diff --gi

Re: [pve-devel] [PATCH v4 qemu-server 06/18] api: allow SU privileged users to edit root-only options for VM configs

2022-07-27 Thread Fabian Grünbichler
On June 2, 2022 9:24 am, Oguz Bektas wrote: > we now allow users with SU privilege to edit real device configurations > for VMs. > > they still need the required privilege to edit the corresponding > configuration options (e.g. `VM.Config.HWType`), as well as the SU > privilege. > > Co-authored-b

Re: [pve-devel] [PATCH v4 access-control 05/18] api: allow superusers to edit tfa and password settings

2022-07-27 Thread Fabian Grünbichler
On June 2, 2022 9:24 am, Oguz Bektas wrote: > - prevent non-SU to change SU passwords > - warning messages on raise_perm_exc() > - log who did the password change > - has_superuser_anywhere helper > > Suggested-by: Fabian Grünbichler > Signed-off-by: Oguz Bektas > --- > src/PVE/API2/AccessContr

Re: [pve-devel] [PATCH v4 access-control 03/18] api: acl: only allow granting SU privilege if user already has it

2022-07-27 Thread Fabian Grünbichler
On June 2, 2022 9:24 am, Oguz Bektas wrote: > also check for 'propagate' bit on the target path to verify if the > user can grant SU privileges on there. > > Co-authored-by: Fabian Grünbichler > Signed-off-by: Oguz Bektas > --- > src/PVE/API2/ACL.pm | 16 > 1 file changed, 16 i