[pve-devel] [PATCH v2 0/1] do not allow multicast MAC-addresses
Thomas Lamprecht
t.lamprecht at proxmox.com
Tue Mar 12 06:23:04 CET 2019
On 3/11/19 10:50 PM, Stoiko Ivanov wrote:
> As discussed on the list [0] setting a multicast mac-address breaks starting
> containers. This is most evident if you set a mac_prefix for your cluster,
> leading to multicast macs (odd second hexdigit of the first byte).
>
> The proposed idea of 'die'ing in 'PVE::Tools::random_ether_addr' did not seem
> the best idea (if the original patch would have been applied on pve-cluster,
> the check in random_ether_addr would never lead to the desired error-message).
>
> During my quick tests I noticed that setting a multicast mac breaks most/all
> use-cases (LXC refuses to start and seemingly does so since 2010 [1], and Qemu
> happily starts, but the link of the nic cannot be set to up (the guest kernel
> refuses)) - so I went ahead and enforced unicast mac addresses in the
> JSON-Schema for qemu-server and pve-container.

Why not move all those to the newly registered 'mac-addr' format [0] from JSON
schema and return a sane error message, so that a user immediately understands
why this address may not really be ideal? As a plus we also get rid of the 5
MAC regexes sprinkled all over the place.

[0]: https://git.proxmox.com/?p=pve-common.git;a=commit;h=14324ea8744ccca64453bea72a746a758a5cd9b9

>
> The fourth patch (for proxmox-widget-toolkit) just provides visual feedback for
> users trying to set such a mac_prefix.
>
> I assume the potential for regression not to be too high, because a user would
> need to have set a multicast mac_prefix, and in that case they would not get
> a link with/could not start their guests.
>
> Changes from v1:
> * put the new regex enforcing uni-cast macs into pve-container/qemu-server's
> JSONSchema, to provide direct feedback to users while doing any operation
> with such a guest
> * adapted proxmox-widget-toolkit to provide feedback in the GUI
>
> [0] https://pve.proxmox.com/pipermail/pve-devel/2019-March/035996.html
> [1] https://lists.linuxcontainers.org/pipermail/lxc-users/2010-August/000783.html
>
> pve-cluster:
> Stoiko Ivanov (1):
> mac_prefix: do not allow multicast prefixes
>
> data/PVE/Cluster.pm | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> pve-container:
> Stoiko Ivanov (1):
> enforce unicast MAC for netconfig
>
> src/PVE/LXC/Config.pm | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> qemu-server:
> Stoiko Ivanov (1):
> enforce unicast MAC for $net_fmt
>
> PVE/QemuServer.pm | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> proxmox-widget-toolkit:
> Stoiko Ivanov (1):
> MacPrefix: prevent multicast MacPrefixes
>
> Toolkit.js | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>
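
The check this thread discusses, as an added example (not code from the patches, pve-common or proxmox-widget-toolkit): one validator shared by full MAC addresses and a mac_prefix that rejects values with the multicast bit set and says why. Function names, error texts and the one-to-three-octet prefix length are assumptions.

```javascript
// Added example; not code from pve-common, qemu-server, pve-container or
// proxmox-widget-toolkit. All names and messages here are hypothetical.

// Parse colon-separated hex octets; returns an array of numbers or null.
function parseOctets(value, minOctets, maxOctets) {
    if (typeof value !== 'string') return null;
    const parts = value.split(':');
    if (parts.length < minOctets || parts.length > maxOctets) return null;
    if (!parts.every((p) => /^[0-9a-fA-F]{2}$/.test(p))) return null;
    return parts.map((p) => parseInt(p, 16));
}

// The I/G bit is the least significant bit of the first octet:
// 0 = individual (unicast), 1 = group (multicast, including broadcast).
function isGroupAddress(octets) {
    return (octets[0] & 0x01) === 1;
}

// Shared check so that addresses and prefixes fail with the same wording.
function checkUnicast(value, kind, minOctets, maxOctets) {
    const octets = parseOctets(value, minOctets, maxOctets);
    if (octets === null) {
        return { ok: false, error: `'${value}' is not a valid ${kind}` };
    }
    if (isGroupAddress(octets)) {
        return {
            ok: false,
            error: `${kind} '${value}' has the multicast (group) bit set: the ` +
                `second hex digit of the first octet must be even (0 2 4 6 8 A C E)`,
        };
    }
    return { ok: true, error: null };
}

// Full interface address: exactly six octets.
function checkMacAddr(value) {
    return checkUnicast(value, 'MAC address', 6, 6);
}

// Cluster-wide prefix; a length of one to three octets is an assumption.
function checkMacPrefix(value) {
    return checkUnicast(value, 'MAC prefix', 1, 3);
}
```
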