New packages in pvetest! Firewall, Html5 Console, Two-factor authentication

martin

martin

Proxmox Staff Member
Staff member
Apr 28, 2005
754
1,740
223
We just uploaded a lot of packages for testing (pvetest repository), containing new features and improvements but also countless bug fixes.

The most important feature: Proxmox VE Firewall for the cluster, the host and also for container and virtual machines. Of course, fully integrated into the GUI.

All highlights

  • Proxmox VE Firewall
  • Html5 Console (noVNC) for Shell, Containers and Virtual Machines
  • Two-factor authentication
  • QEMU 2.1
  • New 3.10 Kernel (based on RHEL7, for now without OpenVZ support)
  • Latest stable 2.6.32 kernel
  • Countless updates, including corosync and fence-agents
A big Thank-you to our active community for all feedback, testing, bug reporting and patch submissions. For complete release notes see the change logs of each package.

Package repositories
http://pve.proxmox.com/wiki/Package_repositories

Everybody is encouraged to test and give feedback!
__________________
Best regards,

Martin Maurer
Proxmox VE project leader
 
Hmmmm,

reboot,
deleted browser cache
no changes in the webgui?!

:-D

root@proxmox:~# pveversion -vproxmox-ve-2.6.32: 3.2-129 (running kernel: 2.6.32-30-pve)
pve-manager: 3.2-4 (running version: 3.2-4/e24a91c1)
pve-kernel-2.6.32-28-pve: 2.6.32-124
pve-kernel-2.6.32-30-pve: 2.6.32-130
pve-kernel-2.6.32-29-pve: 2.6.32-126
lvm2: 2.02.98-pve4
clvm: 2.02.98-pve4
corosync-pve: 1.4.5-1
openais-pve: 1.1.4-3
libqb0: 0.11.1-2
redhat-cluster-pve: 3.2.0-2
resource-agents-pve: 3.9.2-4
fence-agents-pve: 4.0.5-1
pve-cluster: 3.0-12
qemu-server: 3.1-16
pve-firmware: 1.1-3
libpve-common-perl: 3.0-18
libpve-access-control: 3.0-11
libpve-storage-perl: 3.0-19
pve-libspice-server1: 0.12.4-3
vncterm: 1.1-6
vzctl: 4.0-1pve5
vzprocps: 2.0.11-2
vzquota: 3.1-2
pve-qemu-kvm: 1.7-8
ksm-control-daemon: 1.1-1
glusterfs-client: 3.4.2-1
Click to expand...

Edit:

everything is fine... there was a problem in the repository settings :D
 
Last edited:
martin said:
We just uploaded a lot of packages for testing (pvetest repository), containing new features and improvements but also countless bug fixes.

The most important feature: Proxmox VE Firewall for the cluster, the host and also for container and virtual machines. Of course, fully integrated into the GUI.

All highlights

  • Proxmox VE Firewall
  • Html5 Console (noVNC) for Shell, Containers and Virtual Machines
  • Two-factor authentication
  • QEMU 2.1
  • New 3.10 Kernel (based on RHEL7, for now without OpenVZ support)
  • Latest stable 2.6.32 kernel
  • Countless updates, including corosync and fence-agents
A big Thank-you to our active community for all feedback, testing, bug reporting and patch submissions. For complete release notes see the change logs of each package.

Package repositories
http://pve.proxmox.com/wiki/Package_repositories

Everybody is encouraged to test and give feedback!
__________________
Best regards,

Martin Maurer
Proxmox VE project leader
Click to expand...


Ok, did the update... and there is a issue with pci passthrough (in this case passthrough of a LSI SAS OnBoard Controller Card)!

My host shows:

errorpve31.jpg

And the VM (Openmediavault) stucks after GRUB. But i can see that the Controller BIOS works in the VM cause it's updating the Adapter-List.

Host isn't reachable after this error.

Hmmmmm, if i choose the pve-30 at boot i got the same error - but it worked before :/ Is there a undo option? o_O

PCI-Passthrough looks like "hostpci0: 02:00.0" in the conf file of the VM - are there more options needed now?
 
Last edited:
AFAIR there are some changes for pci passthrough, try 3.10.3 kernel, maybe this helps here.

in order to downgrade, you need to manually download and install the older packages with dpkg -i packagename.deb
 
tom said:
AFAIR there are some changes for pci passthrough, try 3.10.3 kernel, maybe this helps here.

in order to downgrade, you need to manually download and install the older packages with dpkg -i packagename.deb
Click to expand...

Thanks for your fast reply and sorry for my "noob"-question: how can i install the new kernel and were can i download the older qemu (version 1.7-8) deb package?

thank you!
 
Last edited:
> apt-get install pve-kernel-3.10.0.3-pve

please note, there is no openvz support in this kernel.
 
looks like i have to reactivate IOMMU in the new kernel... lets have a look :-D

hmm, it is activated

root@proxmox:/boot/grub# cat /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.10.0-3-pve root=/dev/mapper/pve-root ro quiet intel_iommu=on pci-stub.ids=1002:683d,1002:aab0,1000:0086
Click to expand...

If i start the VM i get:

kvm: -device pci-assign,host=02:00.0,id=hostpci0,bus=pci.0,addr=0x10: No IOMMU found. Unable to assign device "hostpci0"
kvm: -device pci-assign,host=02:00.0,id=hostpci0,bus=pci.0,addr=0x10: Device initialization failed.
kvm: -device pci-assign,host=02:00.0,id=hostpci0,bus=pci.0,addr=0x10: Device 'kvm-pci-assign' could not be initialized
TASK ERROR: start failed: command '/usr/bin/kvm -id 102 -chardev 'socket,id=qmp,path=/var/run/qemu-server/102.qmp,server,nowait' -mon 'chardev=qmp,mode=control' -vnc unix:/var/run/qemu-server/102.vnc,x509,password -pidfile /var/run/qemu-server/102.pid -daemonize -name omv -smp 'sockets=1,cores=2' -nodefaults -boot 'menu=on' -vga cirrus -cpu host,+x2apic -k de -m 4096 -device 'piix3-usb-uhci,id=uhci,bus=pci.0,addr=0x1.0x2' -device 'usb-tablet,id=tablet,bus=uhci.0,port=1' -device 'pci-assign,host=02:00.0,id=hostpci0,bus=pci.0,addr=0x10' -device 'virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3' -iscsi 'initiator-name=iqn.1993-08.org.debian:01:88c1f1f0d733' -drive 'file=/var/lib/vz/images/102/vm-102-disk-1.raw,if=none,id=drive-virtio0,format=raw,aio=native,cache=none' -device 'virtio-blk-pci,drive=drive-virtio0,id=virtio0,bus=pci.0,addr=0xa,bootindex=100' -drive 'file=/mnt/proxmox_share1/template/iso/gparted-live-0.16.2-11-i486.iso,if=none,id=drive-ide0,media=cdrom,aio=native' -device 'ide-cd,bus=ide.0,unit=0,drive=drive-ide0,id=ide0' -netdev 'type=tap,id=net0,ifname=tap102i0,script=/var/lib/qemu-server/pve-bridge,downscript=/var/lib/qemu-server/pve-bridgedown,vhost=on' -device 'virtio-net-pci,romfile=,mac=D2:73:C0:03:6D:F8,netdev=net0,bus=pci.0,addr=0x12,id=net0'' failed: exit code 1
Click to expand...

:confused:
 
Last edited:
Great news and very cool features!

Maybe you can enhance the two factor authentication a litte bit to support my c200 token. To get it working I need to patch /usr/share/perl5/PVE/AccessControl.pm like this:
Code: 
diff -u /usr/share/perl5/PVE/AccessControl.pm  /usr/share/perl5/PVE/AccessControl.pm.c200
--- /usr/share/perl5/PVE/AccessControl.pm       2014-07-18 11:31:03.000000000 +0200
+++ /usr/share/perl5/PVE/AccessControl.pm.c200  2014-07-22 16:17:47.802987188 +0200
@@ -1234,7 +1234,7 @@
     die "oath: missing password\n" if !defined($otp);
     die "oath: no associated oath keys\n" if $keys =~ m/^\s+$/;

-    my $step = 30;
+    my $step = 60;

     my $found;

@@ -1250,7 +1250,7 @@
     foreach my $k (PVE::Tools::split_list($keys)) {
        # Note: we generate 3 values to allow small time drift
        my $now = localtime(time() - $step);
-       my $cmd = ['oathtool', '--totp', '-N', $now, '-s', $step, '-w', '2', '-b', $k];
+       my $cmd = ['oathtool', '--totp', '-N', $now, '-s', $step, '-w', '5', '-b', $k];
        eval { run_command($cmd, outfunc => $parser, errfunc => sub {}); };
        last if $found;
     }

This is just a quick hack but I'm pretty sure the GUI could be enhanced to allow such configurations easily. The c200 token just needs a 60s step and for whatevery reason the token I currently use is a way ahead in time so I need a wider window. I've check that my host is sync with NTP.
 
mcflym said:
looks like i have to reactivate IOMMU in the new kernel... lets have a look :-D

hmm, it is activated



If i start the VM i get:



:confused:
Click to expand...


Well here is what i did and it worked:

Edit:
Not necessary: (added "pcie_acs_override=downstream" to cmdline:

cat /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.10.0-3-pve root=/dev/mapper/pve-root ro quiet pcie_acs_override=downstream intel_iommu=on
Click to expand...

--> is this really needed?)

and in the .conf file of the VM i added the driver for passthrough ",driver=vfio":

hostpci0: 02:00.0,driver=vfio
Click to expand...

related to this thread:

http://forum.proxmox.com/threads/17495-Issues-with-iommu-with-3-10-kernel-in-pvetest-repo
 
Last edited:
And it seems to be that USB3.0 mapping still isn't supported (even in kernel 3.10.3)?
 
Absolutely love the HTml5 Console. I can finally use my on the go Chromebook to manage things!
 
html5 concole is nice :)

after updating i am missing the /etc/pve/firewall/....
in the gui its available.
source & destination is a empty list...
 
mcflym said:
Edit:
Not necessary: (added "pcie_acs_override=downstream" to cmdline:
Click to expand...
pcie_acs_override isn't part of the default kernel (additional patch necessary). This is a quirk which is needed for some special hardware.
 
linum said:
Maybe you can enhance the two factor authentication a litte bit to support my c200 token.
Click to expand...

I just uploaded new packages with support for OATH 'step' and 'digit' options. Seems c200 produced 8digit tokens, so you also
need to set that.
 
Hello Dietmar,

good job, my token worked nearly out of the box. I still need to make the windows (the -w switch) bigger. I don't know how common such a "running ahead token" but the OTP provider for apache uses the last successful login time to adjust such tokens. I think you will need more real life experience is somewhat like this is needed. Maybe you could make the -w switch configurable (with a big warning) as well. I will try some other tokens ASAP.

Maybe I miss a point but it seems that you can configure only one OTP token type. Maybe using something like this https://code.google.com/p/mod-authn-otp/wiki/UsersFile to setup the token configuration would be better since you can add as many different tokens as you like. So instead of simply adding the seed as a base32 string you could write:

Code: 
HOTP/T60/D6/W5/hexseed=54fccc418a4d8acbddef6db4cc2f85ce99321d64
HOTP/T30/D8/b32seed=KT6MYQMKJWFMXXPPNW2MYL4FZ2MTEHLE

PS: The HTML5 console is awesome, I really love this!
 
Thank you for the new update, it rocks.
Is it possible to "assign IP address" to the KVM VM with new firewall feature ?
For example, VM network interface tap101 is allowed to use only 8.8.8.8 address or maybe there is already other options to prevent IP spoofing/stealing ?
 
RONIS said:
Thank you for the new update, it rocks.
Is it possible to "assign IP address" to the KVM VM with new firewall feature ?
For example, VM network interface tap101 is allowed to use only 8.8.8.8 address or maybe there is already other options to prevent IP spoofing/stealing ?
Click to expand...

Yes, you can defined an ipset "ipfilter" in vmid.fw, and defined authorized ipaddress by interfaces

I have updated the wiki:
https://pve.proxmox.com/wiki/Proxmox_VE_Firewall#IP_Sets
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back