[pve-devel] [PATCH pve-firewall v4 6/9] api: load sdn ipsets
Stefan Hanreich
s.hanreich at proxmox.com
Mon Nov 18 10:02:17 CET 2024
On 11/17/24 15:30, Thomas Lamprecht wrote:
> On 15.11.24 at 13:09, Stefan Hanreich wrote:
>> Since the SDN configuration reads the IPAM config file, which resides
>
> does that mean the earlier patches already require this? They load
> the SDN config already FWICT; and if so, it would be great to either
> have that change in those patches or upfront as separate patches, this
> has rather reaching consequences after all...
That's indeed an oversight on my part; the default behavior of
load_clusterfw_conf changed to loading the SDN configuration in v4, so
that patch is actually required if they are not all applied at the same
time. If we stick with /etc/pve/priv (see below), I'll reorder the
commits accordingly.
>> in /etc/pve/priv we need to add the protected flag to several
>> endpoints.
>
> That's wrong, the general IPAM config resides in /etc/pve/sdn/ipams.cfg,
> the ipam.db from the PVE IPAM Plugin does indeed reside in the private
> directory.
>
> But, why's that? The commits adding it weren't really telling, but there
> are no secrets in there, so why does it have to be priv? We could move
> them over to /etc/pve/sdn/pve-ipam.db with some backward compat handling
> (either in pmxcfs directly or on the backend side of things). Just tell
> me if that would be fine in general, or what the original reason was for having
> this file only visible for root, and I can help you here.
Depends on whether you consider a database of all assigned IPs inside the
cluster as sensitive information; IIRC we erred on the side of caution
in this case and stored it in /etc/pve/priv.