[pve-devel] [PATCH v2 0/1] do not allow multicast MAC-addresses

Stoiko Ivanov s.ivanov at proxmox.com
Mon Mar 11 22:50:12 CET 2019

As discussed on the list [0], setting a multicast mac-address breaks starting
containers. This is most evident if you set a mac_prefix for your cluster that
leads to multicast macs (odd second hex digit of the first byte).

The proposed idea of 'die'ing in 'PVE::Tools::random_ether_addr' did not seem
the best idea (if the original patch had been applied on pve-cluster,
the check in random_ether_addr would never lead to the desired error-message).

During my quick tests I noticed that setting a multicast mac breaks most/all
use-cases (LXC refuses to start and seemingly does so since 2010 [1], and Qemu
happily starts, but the link of the nic cannot be set to up (the guest kernel
refuses)) - so I went ahead and enforced unicast mac addresses in the
JSON-Schema for qemu-server and pve-container.

The fourth patch (for proxmox-widget-toolkit) just provides visual feedback for
users trying to set such a mac_prefix.

I assume the potential for regression not to be too high, because a user would
need to have set a multicast mac_prefix, and in that case they would not get
a link with/could not start their guests.

Changes from v1:
* put the new regex enforcing uni-cast macs into pve-container/qemu-server's
  JSONSchema, to provide direct feedback to users while doing any operation
  with such a guest
* adapted proxmox-widget-toolkit to provide feedback in the GUI

[0] https://pve.proxmox.com/pipermail/pve-devel/2019-March/035996.html
[1] https://lists.linuxcontainers.org/pipermail/lxc-users/2010-August/000783.html

Stoiko Ivanov (1):
  mac_prefix: do not allow multicast prefixes

 data/PVE/Cluster.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Stoiko Ivanov (1):
  enforce unicast MAC for netconfig

 src/PVE/LXC/Config.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Stoiko Ivanov (1):
  enforce unicast MAC for $net_fmt

 PVE/QemuServer.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Stoiko Ivanov (1):
  MacPrefix: prevent multicast MacPrefixes

 Toolkit.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
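
The rule the cover letter relies on (a multicast MAC has an odd second hex digit in its first byte), as an added example that is not part of the original message or of the Proxmox patches; it goes one step further and also fills a validated prefix up to a full address. The function names, both regexes and the sample prefixes are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not code from the Proxmox repositories.
// A prefix is 1 to 6 colon-separated hex octets, e.g. "02:AB" or a full MAC.
const PREFIX_SHAPE = /^[0-9a-f]{2}(?::[0-9a-f]{2}){0,5}$/i;
// Same shape, but the second hex digit of the first octet must be even,
// i.e. the I/G (multicast) bit is clear. Usable as a schema or GUI pattern.
const UNICAST_PREFIX = /^[0-9a-f][02468ace](?::[0-9a-f]{2}){0,5}$/i;

function checkMacPrefix(prefix) {
  if (typeof prefix !== 'string' || !PREFIX_SHAPE.test(prefix)) {
    return { ok: false, reason: 'malformed' };
  }
  const first = parseInt(prefix.slice(0, 2), 16);
  if (first & 0x01) {
    // Least significant bit of the first octet set: group (multicast) address.
    return { ok: false, reason: 'multicast' };
  }
  // Bit 0x02 set marks a locally administered address (informational only).
  return { ok: true, reason: null, locallyAdministered: (first & 0x02) !== 0 };
}

// Fill a validated prefix up to six octets. randomByte is injectable for tests;
// a MAC is an identifier, not a secret, so Math.random is sufficient here.
function randomUnicastMac(prefix, randomByte = () => Math.floor(Math.random() * 256)) {
  const octets = prefix ? prefix.split(':') : [];
  if (prefix) {
    const res = checkMacPrefix(prefix);
    if (!res.ok) throw new Error(`refusing ${res.reason} mac_prefix '${prefix}'`);
  }
  while (octets.length < 6) {
    let b = randomByte() & 0xff;
    // With no prefix, force unicast + locally administered on the first octet.
    if (octets.length === 0) b = (b & 0xfe) | 0x02;
    octets.push(b.toString(16).padStart(2, '0'));
  }
  return octets.join(':').toUpperCase();
}

// Constructed sample prefixes (not taken from the thread).
for (const p of ['02:AB:CD', '03:AB:CD', 'BC:24:11', '01', '2:AB', 'ff:ff:ff:ff:ff:ff']) {
  const r = checkMacPrefix(p);
  console.log(p.padEnd(18), r.ok ? 'unicast' : r.reason, UNICAST_PREFIX.test(p));
}
```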

