mirror of
git://git.proxmox.com/git/pve-network.git
synced 2025-01-03 05:17:58 +03:00
0f48bc6561
This does not contain data that needs to be protected to avoid hijacking (external) systems, like our credentials for certain storage types or encryption keys, so placing it in the strictly root-only 'priv/' folder was always a bit overkill. Now we want to make the firewall more SDN aware and thus need also to parse the SDN config there. This means having to also read the IPAM statefile here, and as of now we would need to move over quite a few API endpoints to be proxied to the privileged pvedaemon running as root, as otherwise they would fail to read the full SDN config & state required. That is not a big problem, but it's also not really nice, we got the privilege separation for a reason after all. Thus, move the backing file for the PVE IPAM plugin state over to the general /etc/pve/sdn path, where www-data (and thus pveproxy) can read it, but still not write it. Fallback to the old location for backward compatibility. This way the file will be automatically written to the new place on the first change. This is not fool-proof, but there's only so much we can do here to support a sane upgrade path, so fall back to a base requirement of all cluster nodes using the same package versions. FWIW, Stefan Hanreich tested a very similar diff I sent to him off-list, but it was not close enough to add a T-b now. Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> |
||
|---|---|---|
| debian | ||
| src | ||
| .gitignore | ||
| Makefile | ||