[pve-devel] [RFC common/firewall/manager/network/proxmox{-ve-rs, -firewall} 0/7] NIC renaming mitigations

Stefan Hanreich s.hanreich at proxmox.com
Wed Jul 9 21:45:19 CEST 2025


This patch series contains the following features:
* transparent altname support for {pve, proxmox}-firewall and pve-network
* pveeth tool for pinning NIC names

Both are features aimed at mitigating the fallout caused by changing network
interface names. Sending it as an RFC, since I will be gone for a few days and
wanted to publish my current state to start some discussion on the approaches
I've taken with the tools and possible additions / changes. Nothing in here is
final or particularly polished.

Both patch series only received rudimentary testing and are work in progress, so
use at your own risk, I am not responsible for any broken hosts / VMs.

For more information on the pveeth tool, see the respective commit.

TODO:
* possibly change wakeonlan setting in node config
* decide on how to handle host.fw / cluster.fw:

cluster.fw cannot be automatically updated, since the generated mapping might
differ from the one generated on other nodes. One possibility would be to
generate the mapping for the NICs one-by-one on each host, thus ensuring a
consistent name on all nodes. Then add a flag that overwrites cluster.fw.

cluster/host.fw is the only configuration file that gets applied immediately
when updating it, since the firewall continuously polls this file and applies the
settings. We could add the new name as altname via ip link, ensuring that the
firewall rules still work before *and* after reboot. Shouldn't be too hard to
add (possibly with a flag). This is possible because of the new altname support
in {pve, proxmox}-firewall.

* update detection of physical NICs

We currently rely on the PHYSICAL_NIC_RE to detect physical network interfaces.
We could instead use the ip link output for determining whether an interface is
physical or not. This works in every case, except for PullMetric.pm. For this we
could introduce another variable and fall back on the old logic depending on its
existence. Maybe someone with more knowledge on the metrics system can chime in
here. I have patches for this on my staff repo in case you are interested:

pve-manager:physical-nic-re
pve-common:physical-nic-re

pve-common:

Stefan Hanreich (2):
  network: add ip link and altname helpers
  network: add nic prefix to physical nic regex

 src/PVE/Network.pm | 47 +++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)


proxmox-ve-rs:

Stefan Hanreich (1):
  config: ip link struct

 proxmox-ve-config/src/host/mod.rs     |  1 +
 proxmox-ve-config/src/host/network.rs | 35 +++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 proxmox-ve-config/src/host/network.rs


proxmox-firewall:

Stefan Hanreich (1):
  firewall: add altname support for firewall rules

 proxmox-firewall/src/config.rs              | 29 +++++++++++++++++++++
 proxmox-firewall/src/rule.rs                |  6 ++++-
 proxmox-firewall/tests/integration_tests.rs |  7 +++++
 3 files changed, 41 insertions(+), 1 deletion(-)


pve-firewall:

Stefan Hanreich (1):
  firewall: add altname support

 src/PVE/Firewall.pm | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)


pve-network:

Stefan Hanreich (1):
  controllers: isis: add altname support

 src/PVE/Network/SDN/Controllers/IsisPlugin.pm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)


pve-manager:

Stefan Hanreich (1):
  cli: add pveeth

 PVE/CLI/Makefile  |   1 +
 PVE/CLI/pveeth.pm | 538 ++++++++++++++++++++++++++++++++++++++++++++++
 bin/Makefile      |   5 +
 bin/pveeth        |   8 +
 4 files changed, 552 insertions(+)
 create mode 100644 PVE/CLI/pveeth.pm
 create mode 100644 bin/pveeth


Summary over all repositories:
  12 files changed, 684 insertions(+), 5 deletions(-)

-- 
Generated by git-murpp 0.8.0
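
Added example, not part of the original mail or of the patch series: a sketch of why altname resolution keeps firewall rules effective across a NIC rename, by mapping the interface name written in a rule to the interface's current primary name. The `IpLink` and `AltnameMap` types, the interface names and the assumption that rules are applied against the primary name are all hypothetical.

```rust
use std::collections::HashMap;

// Hypothetical model of one `ip link` entry: primary name plus altnames.
// Illustration only, not the struct from the proxmox-ve-config patch.
pub struct IpLink {
    pub ifname: String,
    pub altnames: Vec<String>,
}

/// Maps every primary name and every altname to the current primary name.
pub struct AltnameMap(HashMap<String, String>);
impl AltnameMap {
    pub fn new(links: &[IpLink]) -> Self {
        let mut map = HashMap::new();
        // Primary names first, so an altname can never shadow a real interface.
        for l in links {
            map.insert(l.ifname.clone(), l.ifname.clone());
        }
        for l in links {
            for alt in &l.altnames {
                map.entry(alt.clone()).or_insert_with(|| l.ifname.clone());
            }
        }
        AltnameMap(map)
    }

    /// Current primary name for a rule's interface, or None if nothing carries it.
    pub fn resolve(&self, rule_iface: &str) -> Option<&str> {
        self.0.get(rule_iface).map(String::as_str)
    }
}

// Constructed sample: the NIC once named enp1s0 is now nic0 and keeps the old name as altname.
pub fn sample_links() -> Vec<IpLink> {
    vec![
        IpLink { ifname: "nic0".into(), altnames: vec!["enp1s0".into(), "enx001122334455".into()] },
        IpLink { ifname: "nic1".into(), altnames: vec![] },
    ]
}

fn main() {
    let map = AltnameMap::new(&sample_links());
    for name in ["enp1s0", "nic1", "eno1"] {
        match map.resolve(name) {
            Some(cur) => println!("rule iface {name} -> {cur}"),
            None => println!("rule iface {name} -> no such interface, rule would not match"),
        }
    }
}
```

A `None` result is the case worth surfacing to the operator: a rule naming an interface that no longer exists under any name would silently stop matching traffic.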


