New packages in pvetest! Firewall, Html5 Console, Two-factor authentication

[spirit]

Hi,

I have just played around with the new amazing firewall features. But it looks like currently only IPv4 is supported. I guess you're planning IPv6 as well?

Thanks, Martin

yes, it's planned
Prelimary patches are already done, but timeframe was too short for the first release.

 

[snowman66]

Html5 Console (noVNC) for Shell, Containers and Virtual Machines

will be there support for clipboard (copy/paste)?


And firewall does not like security groups names with minus symbol (for example: "pve-admin" you'll get error: status update error: unable to apply firewall changes).

thanks.

 

[ivensiya]

Which port is used for HTML5?

 

[spirit]

Which port is used for HTML5?

It's use port 8006 (websocket proxy), same than proxmox web interface.

(like this, no problem for https websockets certicates).

 

[vonline]

Hi all,


I'm new for Proxmox, i installed spice-html5 ( http://www.spice-space.org/page/Html5 ), and i have a problem:
In linux: everything is ok.
In Windows: remote pointer not the same client local pointer, it's hard to use .


So everybody tell me how to fix, or tell me new version Html5 Console have fixed it yet ?


Sorry my english's not good.

 

[tom]

Hi all,


I'm new for Proxmox, i installed spice-html5 ( http://www.spice-space.org/page/Html5 ), and i have a problem:
In linux: everything is ok.
In Windows: remote pointer not the same client local pointer, it's hard to use .


So everybody tell me how to fix, or tell me new version Html5 Console have fixed it yet ?


Sorry my english's not good.

We do not use spice-html5 here, so you do not have to install this.

 

[vonline]

We do not use spice-html5 here, so you do not have to install this.

Thanks for fast reply

So html5 console is just noVNC, no spice, client windows do not install libvirt to access console ?
Thanks guys

 

[tom]

yes, we use noVNC a html5 console client - a modern browser like Firefox or Chrome is enough to access.

just to note, libvirt is not used on Proxmox VE.

if you want to use spice, you need to install virt-viewer on your desktop, see http://pve.proxmox.com/wiki/SPICE

 

[kobuki]

I had a look at the new firewall functionality in the test PVE release. It looks great, but I seem to have trouble activating rules. I globally activated the fw, but after adding rules to a vm for example, I see nothing changing in the output of eg. iptables-save so no rules are actually added. Is it just a tech preview to see how it will work or am I missing something trivial? Maybe I need to check/enable things by hand in the text config file under /etc/pve?

 

[tom]

did you enable the firewall on the virtual nic? see VM hardware config.

 

[kobuki]

No, I didn't. Now I fixed that but still no dice:

root@pvetest1:/etc/pve# cat firewall/100.fw
[OPTIONS]

enable: 1

[RULES]

IN DROP -source 1.1.1.1

root@pvetest1:/etc/pve# cat local/host.fw
[RULES]

IN ACCEPT -source 2.2.2.2

root@pvetest1:/etc/pve# iptables-save
# Generated by iptables-save v1.4.14 on Wed Aug  6 13:42:09 2014
*mangle
:PREROUTING ACCEPT [3066:1126641]
:INPUT ACCEPT [3047:1125042]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2030:1860838]
:POSTROUTING ACCEPT [2030:1860838]
COMMIT
# Completed on Wed Aug  6 13:42:09 2014
# Generated by iptables-save v1.4.14 on Wed Aug  6 13:42:09 2014
*filter
:INPUT ACCEPT [3047:1125042]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2030:1860838]
COMMIT
# Completed on Wed Aug  6 13:42:09 2014

EDIT: I realised I haven't enabled the FW in /etc/pve/firewall/cluster.fw - now I did and all looks nice and dandy.

Could this be put somewhere on the web GUI? It would be very convenient, then would be no need to create files for the FW on the host by hand at all.

 

[dietmar]

No, I didn't. Now I fixed that but still no dice:

You enabled firewall in /etc/pve/firewall/cluster.fw?

 

[kobuki]

Yeah, now I did and this solved the problem, thanks, see my edit too. Could this maybe put in Datacenter/Options in the future, on the GUI? It looks to a be global setting in the cluster.

 

[dietmar]

Yeah, now I did and this solved the problem, thanks, see my edit too. Could this maybe put in Datacenter/Options in the future, on the GUI? It looks to a be global setting in the cluster.

It is already on the GUI, see Datacenter/Firewall/Options

 

[kobuki]

Ah, indeed it is. It seems I was a little too hasty, looking at other places, but it's on the pages represented by the bottom tab row.

 

[kobuki]

It appears that the features mentioned in this thread are already integrated in the newest packages in tne no-subscription repo. Is it just me or I've missed an announcement? I'm glad nevertheless, the NoVNC console is a true blessing affter all the clowning around with Java applets during the last years (not the PVE team's mistake of course)...

 

[dietmar]

Is it just me or I've missed an announcement?

We do not announce package updates in pve-no-subscription.

 

[mir]

I have also had the chance to try it out in a test installation. Can't wait to see it in enterprise repo

 

[kobuki]

We do not announce package updates in pve-no-subscription.

You announce dot releases so I had the impression that such large and important changes such as these are worth mentioning the shift. Anyway I'm glad they're in.

 

[macday]

I have a problem with changing UUID Hardware ID´s with the change qemu.kvm 1.7 to 2.1...is there a change in the vitual bios?...i had to reactivate some windows machines.