[pve-devel] [PATCH manager] pveproxy: add LISTEN variable to /etc/default/pveproxy
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Nov 21 10:06:16 CET 2017
meta: a pve-docs patch adding the new parameter(s) and appropriate
warnings would be nice.
bin/pvebanner also does not honor these settings..
On Wed, Nov 15, 2017 at 02:10:36PM +0100, Wolfgang Bumiller wrote:
> That way one can explicitly set the listen address.
> Useful for single nodes to limit the GUI to 127.0.0.1, or in
> clusters to limit it to a private cluster network.
>
> (Note that proxied cluster requests use the hostname so it
> should usually contain either nothing, the hostname, or the
> first IP the hostname resolves to, otherwise proxied
> requests will either hang a little, or simply not work.)
>
> Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
> ---
> Also note that this is NOT a good way to choose between IPv4 and IPv6.
> The default logic was chosen to make it hard to break cluster
> communication. If the hostname resolves to IPv6 first and you
> specifically listen on IPv4, other cluster nodes will first try
> IPv6 and fail.
> So personally I recommend using the actual $hostname, or some fixed
> ip for single nodes, and nothing else.
>
> PVE/API2Tools.pm | 9 +++++++++
> PVE/Service/pveproxy.pm | 7 +++++--
> 2 files changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/PVE/API2Tools.pm b/PVE/API2Tools.pm
> index f1df2384..47cce416 100644
> --- a/PVE/API2Tools.pm
> +++ b/PVE/API2Tools.pm
> @@ -230,6 +230,7 @@ sub read_proxy_config {
> $shcmd .= 'echo \"POLICY:\$POLICY\";';
> $shcmd .= 'echo \"CIPHERS:\$CIPHERS\";';
> $shcmd .= 'echo \"DHPARAMS:\$DHPARAMS\";';
> + $shcmd .= 'echo \"LISTEN:\$LISTEN\";';
>
> my $data = -f $conffile ? `bash -c "$shcmd"` : '';
>
> @@ -252,6 +253,14 @@ sub read_proxy_config {
> $res->{$key} = $value;
> } elsif ($key eq 'DHPARAMS') {
> $res->{$key} = $value;
> + } elsif ($key eq 'LISTEN') {
> + die "invalid listen address: '$value'\n"
> + if $value !~ /^([^:]+)(?::(\d+))?$/;
breaks IPv6 ;)
I wonder if we really need the port though? it's only useful in the
current state for single-node-clusters, because for all others proxying
requests would break when switching ports..
> + my ($host, $port) = ($1, int($2));
> + die "invalid port: '$port'\n"
> + if $port > 0xFFFF;
> + $res->{LISTEN_HOST} = $host;
> + $res->{LISTEN_PORT} = $port;
> } else {
> # silently skip everythin else?
> }
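Review bot: the check on the `if $value !~ /^([^:]+)(?::(\d+))?$/` line rejects every IPv6 literal (`::1`, `[fd00::1]:8006`) because the host group forbids colons, and when the port is omitted `int($2)` is `int(undef)`, so every config read stores `LISTEN_PORT => 0` and, under `use warnings`, logs an uninitialized-value warning. Suggest capturing the port only when present (`my $port = defined $2 ? int($2) : undef;`), rejecting `0` explicitly alongside the `> 0xFFFF` check (a stored 0 is later indistinguishable from "unset"), and validating `$host` as a hostname or address rather than merely "contains no colon", since it is passed straight to the socket setup.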
> diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
> index 7d39900a..15783daa 100755
> --- a/PVE/Service/pveproxy.pm
> +++ b/PVE/Service/pveproxy.pm
> @@ -64,8 +64,11 @@ sub init {
> my $lockfh = IO::File->new(">>${accept_lock_fn}") ||
> die "unable to open lock file '${accept_lock_fn}' - $!\n";
>
> - my $family = PVE::Tools::get_host_address_family($self->{nodename});
> - my $socket = $self->create_reusable_socket(8006, undef, $family);
> + my $host = $proxyconf->{LISTEN_HOST} || $self->{nodename};
> + my $port = $proxyconf->{LISTEN_PORT} || 8006;
> + my $family = PVE::Tools::get_host_address_family($host);
> +
> + my $socket = $self->create_reusable_socket($port, $host, $family);
>
> my $dirs = {};
>
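Review bot: `$proxyconf` does not appear in the visible context of `init`; confirm it holds the result of `read_proxy_config`, otherwise `$proxyconf->{LISTEN_HOST}` autovivifies an empty hash and the defaults are silently used. The `|| 8006` fallback also means a configured `LISTEN_PORT` of 0 is treated as unset. Since `PVE::Tools::get_host_address_family($host)` is now fed an arbitrary value from /etc/default/pveproxy, check how it behaves for a name that does not resolve and make the failure name the `LISTEN` setting, and consider logging a warning when `$host` differs from `$self->{nodename}`, as the commit message's caveat about proxied cluster requests is otherwise enforced nowhere.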
> --
> 2.11.0
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
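As an added example (not code from the patch or from pve-manager), here is the stricter parsing the "breaks IPv6" remark asks for: a standalone function that accepts `host`, `host:port`, IPv4 literals, bracketed `[v6]:port` and bare IPv6 literals, and rejects port 0 so a configured value can never be mistaken for "unset" by a later `|| 8006` fallback. The function name `parse_listen` and the sample inputs are the example's own; the `LISTEN_HOST`/`LISTEN_PORT` keys follow the patch.

```perl
#!/usr/bin/perl
# Added example, not part of the pve-manager patch: a LISTEN parser that also
# handles IPv6 literals. parse_listen() is a hypothetical name; the result
# keys LISTEN_HOST/LISTEN_PORT mirror the patch under review.
use strict;
use warnings;
use Socket qw(inet_pton AF_INET AF_INET6);

# Returns { LISTEN_HOST => ..., LISTEN_PORT => ... } or dies with a message
# suitable for the config reader. LISTEN_PORT is undef when no port was given.
sub parse_listen {
    my ($value) = @_;
    my ($host, $port);

    if ($value =~ /^\[([^\]]+)\](?::(\d+))?$/) {
        # bracketed IPv6 literal with optional port, e.g. [fd00::1]:8006
        ($host, $port) = ($1, $2);
        die "invalid IPv6 address: '$host'\n"
            unless defined inet_pton(AF_INET6, $host);
    } elsif ($value =~ /^([^:]+)(?::(\d+))?$/) {
        # hostname or IPv4 literal with optional port
        ($host, $port) = ($1, $2);
        if ($host =~ /^\d+\.\d+\.\d+\.\d+$/) {
            die "invalid IPv4 address: '$host'\n"
                unless defined inet_pton(AF_INET, $host);
        } elsif ($host !~ /^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$/) {
            die "invalid hostname: '$host'\n";
        }
    } elsif (defined inet_pton(AF_INET6, $value)) {
        # bare IPv6 literal without a port, e.g. ::1
        $host = $value;
    } else {
        die "invalid listen address: '$value'\n";
    }

    # The port is optional; when present it must be 1..65535. Port 0 is
    # rejected here because a stored 0 would be read as "unset" downstream.
    if (defined $port) {
        die "invalid port: '$port'\n" if $port < 1 || $port > 0xFFFF;
        $port = int($port);
    }

    return { LISTEN_HOST => $host, LISTEN_PORT => $port };
}

# Constructed sample values exercising each branch.
for my $v ('pve1', 'pve1:8443', '10.0.0.5', '[fd00::1]:8006', '::1',
           '10.0.0.5:70000', 'bad host', '[zz]', 'pve1:0') {
    my $r = eval { parse_listen($v) };
    if ($@) { print "$v => rejected: $@"; next; }
    printf "%s => host=%s port=%s\n", $v, $r->{LISTEN_HOST},
        defined $r->{LISTEN_PORT} ? $r->{LISTEN_PORT} : '(default)';
}
```

Leaving `LISTEN_PORT` undefined when no port was configured lets the caller keep a plain `// 8006` default without the ambiguity a stored 0 introduces, and validating the host up front turns a typo in /etc/default/pveproxy into a config error that names the bad value rather than a bind failure at service start.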