bump version to 9.0.11

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

Makefile

@@ -19,6 +19,7 @@ all: $(SUBDIRS)
 tidy:
 	git ls-files ':*.p[ml]'| xargs -n4 -P0 proxmox-perltidy
 	$(MAKE) -C bin tidy
+	$(MAKE) -C www tidy
 
 .PHONY: check
 check: bin test www
@@ -74,7 +75,7 @@ distclean: clean
 .PHONY: clean
 clean:
 	set -e && for i in $(SUBDIRS); do $(MAKE) -C $$i $@; done
-	rm -f $(PACKAGE)*.tar* country.dat *.deb *.dsc *.build *.buildinfo *.changes
+	rm -f $(PACKAGE)*.tar* *.deb *.dsc *.build *.buildinfo *.changes
 	rm -rf dest $(PACKAGE)-[0-9]*/
 
 .PHONY: dinstall

PVE/API2/ACMEPlugin.pm

@@ -50,6 +50,8 @@ my $modify_cfg_for_api = sub {
     return $plugin_cfg;
 };
 
+my $acme_challenge_api_create_and_return_schema = PVE::ACME::Challenge->createSchema();
+
 __PACKAGE__->register_method({
     name => 'index',
     path => '',
@@ -72,12 +74,7 @@ __PACKAGE__->register_method({
     },
     returns => {
         type => 'array',
-        items => {
-            type => "object",
-            properties => {
-                plugin => get_standard_option('pve-acme-pluginid'),
-            },
-        },
+        items => $acme_challenge_api_create_and_return_schema,
         links => [{ rel => 'child', href => "{plugin}" }],
     },
     code => sub {
@@ -111,9 +108,7 @@ __PACKAGE__->register_method({
             id => get_standard_option('pve-acme-pluginid'),
         },
     },
-    returns => {
-        type => 'object',
-    },
+    returns => $acme_challenge_api_create_and_return_schema,
     code => sub {
         my ($param) = @_;
 
@@ -131,7 +126,7 @@ __PACKAGE__->register_method({
         check => ['perm', '/', ['Sys.Modify']],
     },
     protected => 1,
-    parameters => PVE::ACME::Challenge->createSchema(),
+    parameters => $acme_challenge_api_create_and_return_schema,
     returns => {
         type => "null",
     },

PVE/API2/APT.pm

@@ -7,6 +7,7 @@ use POSIX;
 use File::stat ();
 use IO::File;
 use File::Basename;
+use Encode qw(decode);
 
 use LWP::UserAgent;
 
@@ -199,6 +200,52 @@ my $update_pve_pkgstatus = sub {
     return $pkglist;
 };
 
+my $apt_package_return_props = {
+    Arch => {
+        type => 'string',
+        description => 'Package Architecture.',
+        enum => [qw(armhf arm64 amd64 ppc64el risc64 s390x)],
+    },
+    Description => {
+        type => 'string',
+        description => 'Package description.',
+    },
+    NotifyStatus => {
+        type => 'string',
+        description => 'Version for which PVE has already sent an update notification for.',
+        optional => 1,
+    },
+    OldVersion => {
+        type => 'string',
+        description => 'Old version currently installed.',
+        optional => 1,
+    },
+    Origin => {
+        type => 'string',
+        description => "Package origin, e.g., 'Proxmox' or 'Debian'.",
+    },
+    Package => {
+        type => 'string',
+        description => 'Package name.',
+    },
+    Priority => {
+        type => 'string',
+        description => 'Package priority.',
+    },
+    Section => {
+        type => 'string',
+        description => 'Package section.',
+    },
+    Title => {
+        type => 'string',
+        description => 'Package title.',
+    },
+    Version => {
+        type => 'string',
+        description => 'New version to be updated to.',
+    },
+};
+
 __PACKAGE__->register_method({
     name => 'list_updates',
     path => 'update',
@@ -219,7 +266,7 @@ __PACKAGE__->register_method({
         type => "array",
         items => {
             type => "object",
-            properties => {},
+            properties => $apt_package_return_props,
         },
     },
     code => sub {
@@ -418,7 +465,7 @@ __PACKAGE__->register_method({
             timeout => 10,
             logfunc => sub {
                 my $line = shift;
-                $output .= "$line\n";
+                $output .= decode('UTF-8', $line) . "\n";
             },
             noerr => 1,
         );
@@ -743,7 +790,27 @@ __PACKAGE__->register_method({
         type => "array",
         items => {
             type => "object",
-            properties => {},
+            properties => {
+                $apt_package_return_props->%*,
+                CurrentState => {
+                    type => 'string',
+                    description => 'Current state of the package installed on the system.',
+                    # Possible CurrentState variants according to AptPkg::Cache
+                    enum => [
+                        qw(Installed NotInstalled UnPacked HalfConfigured HalfInstalled ConfigFiles)
+                    ],
+                },
+                RunningKernel => {
+                    type => 'string',
+                    description => "Kernel release, only for package 'proxmox-ve'.",
+                    optional => 1,
+                },
+                ManagerVersion => {
+                    type => 'string',
+                    description => "Version of the currently running pve-manager API server.",
+                    optional => 1,
+                },
+            },
         },
     },
     code => sub {
@@ -795,7 +862,6 @@ __PACKAGE__->register_method({
         my @pkgs = qw(
             ceph-fuse
             corosync
-            glusterfs-client
             libjs-extjs
             libknet1
             libproxmox-acme-perl

PVE/API2/Backup.pm

@@ -667,7 +667,6 @@ __PACKAGE__->register_method({
         my $vzconf = cfs_read_file('vzdump.cron');
         my $all_jobs = $vzconf->{jobs} || [];
         my $job;
-        my $rrd = PVE::Cluster::rrd_dump();
 
         for my $j (@$all_jobs) {
             if ($j->{id} eq $param->{id}) {

PVE/API2/Capabilities.pm

@@ -6,7 +6,9 @@ use warnings;
 use PVE::JSONSchema qw(get_standard_option);
 use PVE::RESTHandler;
 
+use PVE::API2::Qemu::CPU;
 use PVE::API2::Qemu::Machine;
+use PVE::API2::NodeCapabilities::Qemu::Migration;
 
 use base qw(PVE::RESTHandler);
 
@@ -20,11 +22,17 @@ __PACKAGE__->register_method({
     path => 'qemu/machines',
 });
 
+__PACKAGE__->register_method({
+    subclass => 'PVE::API2::NodeCapabilities::Qemu::Migration',
+    path => 'qemu/migration',
+});
+
 __PACKAGE__->register_method({
     name => 'index',
     path => '',
     method => 'GET',
     permissions => { user => 'all' },
+    proxyto => 'node',
     description => "Node capabilities index.",
     parameters => {
         additionalProperties => 0,
@@ -56,6 +64,7 @@ __PACKAGE__->register_method({
     path => 'qemu',
     method => 'GET',
     permissions => { user => 'all' },
+    proxyto => 'node',
     description => "QEMU capabilities index.",
     parameters => {
         additionalProperties => 0,
@@ -75,7 +84,7 @@ __PACKAGE__->register_method({
         my ($param) = @_;
 
         my $result = [
-            { name => 'cpu' }, { name => 'machines' },
+            { name => 'cpu' }, { name => 'machines' }, { name => 'migration' },
         ];
 
         return $result;

PVE/API2/Ceph/MDS.pm

@@ -37,6 +37,7 @@ __PACKAGE__->register_method({
             properties => {
                 name => {
                     description => "The name (ID) for the MDS",
+                    type => 'string',
                 },
                 addr => {
                     type => 'string',

PVE/API2/Ceph/MGR.pm

@@ -38,6 +38,7 @@ __PACKAGE__->register_method({
             properties => {
                 name => {
                     description => "The name (ID) for the MGR",
+                    type => 'string',
                 },
                 addr => {
                     type => 'string',

PVE/API2/Ceph/OSD.pm

@@ -423,6 +423,29 @@ __PACKAGE__->register_method({
         # See FIXME below
         my @udev_trigger_devs = ();
 
+        # $size is in kibibytes
+        my $osd_lvcreate = sub {
+            my ($vg, $lv, $size) = @_;
+
+            my $cmd = [
+                '/sbin/lvcreate',
+                '-aly',
+                '-Wy',
+                '--yes',
+                '--size',
+                $size . "k",
+                '--name',
+                $lv,
+                # explicitly enable autoactivation, because Ceph never explicitly
+                # activates LVs by itself
+                '--setautoactivation',
+                'y',
+                $vg,
+            ];
+
+            run_command($cmd, errmsg => "lvcreate '$vg/$lv' error");
+        };
+
         my $create_part_or_lv = sub {
             my ($dev, $size, $type) = @_;
 
@@ -443,7 +466,7 @@ __PACKAGE__->register_method({
                 my $lv = $type . "-" . UUID::uuid();
 
                 PVE::Storage::LVMPlugin::lvm_create_volume_group($dev->{devpath}, $vg);
-                PVE::Storage::LVMPlugin::lvcreate($vg, $lv, "${size}k");
+                $osd_lvcreate->($vg, $lv, $size);
 
                 if (PVE::Diskmanage::is_partition($dev->{devpath})) {
                     eval { PVE::Diskmanage::change_parttype($dev->{devpath}, '8E00'); };
@@ -475,7 +498,7 @@ __PACKAGE__->register_method({
 
                 my $lv = $type . "-" . UUID::uuid();
 
-                PVE::Storage::LVMPlugin::lvcreate($vg, $lv, "${size}k");
+                $osd_lvcreate->($vg, $lv, $size);
 
                 return "$vg/$lv";
 

PVE/API2/Ceph/Pool.pm

@@ -108,6 +108,7 @@ __PACKAGE__->register_method({
                 bytes_used => {
                     type => 'integer',
                     title => 'Used',
+                    renderer => 'bytes',
                 },
                 target_size => {
                     type => 'integer',

PVE/API2/Cluster.pm

@@ -178,7 +178,10 @@ __PACKAGE__->register_method({
     path => 'log',
     method => 'GET',
     description => "Read cluster log",
-    permissions => { user => 'all' },
+    permissions => {
+        description => "The user needs 'Sys.Syslog' on '/' in order to get all logs.",
+        user => 'all',
+    },
     parameters => {
         additionalProperties => 0,
         properties => {
@@ -301,6 +304,14 @@ __PACKAGE__->register_method({
                     renderer => 'bytes',
                     minimum => 0,
                 },
+                memhost => {
+                    description =>
+                        "Used memory in bytes from the point of view of the host (for types 'qemu').",
+                    type => 'integer',
+                    optional => 1,
+                    renderer => 'bytes',
+                    minimum => 0,
+                },
                 maxmem => {
                     description => "Number of available memory in bytes"
                         . " (for types 'node', 'qemu' and 'lxc').",
@@ -364,7 +375,7 @@ __PACKAGE__->register_method({
                 },
                 diskread => {
                     description =>
-                        "The amount of bytes the guest read from its block devices since"
+                        "The number of bytes the guest read from its block devices since"
                         . " the guest was started. This info is not available for all storage types."
                         . " (for types 'qemu' and 'lxc')",
                     type => 'integer',
@@ -373,7 +384,7 @@ __PACKAGE__->register_method({
                 },
                 diskwrite => {
                     description =>
-                        "The amount of bytes the guest wrote to its block devices since"
+                        "The number of bytes the guest wrote to its block devices since"
                         . " the guest was started. This info is not available for all storage types."
                         . " (for types 'qemu' and 'lxc')",
                     type => 'integer',
@@ -403,6 +414,11 @@ __PACKAGE__->register_method({
                     type => 'integer',
                     optional => 1,
                 },
+                sdn => {
+                    description => "The name of an SDN entity (for type 'sdn')",
+                    type => "string",
+                    optional => 1,
+                },
                 tags => {
                     description => "The guest's tags (for types 'qemu' and 'lxc')",
                     type => "string",

PVE/API2/Cluster/MetricServer.pm

@@ -3,16 +3,16 @@ package PVE::API2::Cluster::MetricServer;
 use warnings;
 use strict;
 
-use PVE::Tools qw(extract_param extract_sensitive_params);
-use PVE::Exception qw(raise_perm_exc raise_param_exc);
-use PVE::JSONSchema qw(get_standard_option);
+use PVE::APIClient::LWP;
+use PVE::AccessControl;
+use PVE::Cluster;
 use PVE::INotify;
 use PVE::RPCEnvironment;
+use PVE::SafeSyslog;
+use PVE::Tools qw(extract_param extract_sensitive_params);
+
 use PVE::ExtMetric;
 use PVE::PullMetric;
-use PVE::SafeSyslog;
-
-use PVE::RESTHandler;
 
 use base qw(PVE::RESTHandler);
 
@@ -325,6 +325,11 @@ __PACKAGE__->register_method({
                 optional => 1,
                 default => 0,
             },
+            'node-list' => {
+                type => 'string',
+                description => 'Only return metrics from nodes passed as comma-separated list',
+                optional => 1,
+            },
             'start-time' => {
                 type => 'integer',
                 description => 'Only include metrics with a timestamp > start-time.',
@@ -404,21 +409,36 @@ __PACKAGE__->register_method({
             $generations = 0;
         }
 
-        my @metrics = @{ PVE::PullMetric::get_local_metrics($generations) };
-
-        if (defined($start)) {
-            @metrics = grep {
-                $_->{timestamp} > ($start)
-            } @metrics;
-        }
+        my @node_list =
+            $param->{'node-list'} ? PVE::Tools::split_list($param->{'node-list'}) : ();
 
         my $nodename = PVE::INotify::nodename();
+        my $include_local_metrics =
+            !$param->{'node-list'} || grep { $nodename eq $_ } @node_list;
+
+        my @metrics;
+        if ($include_local_metrics) {
+            @metrics = @{ PVE::PullMetric::get_local_metrics($generations) };
+
+            if (defined($start)) {
+                @metrics = grep {
+                    $_->{timestamp} > ($start)
+                } @metrics;
+            }
+        }
 
         # Fan out to cluster members
         # Do NOT remove this check
-        if (!$local_only) {
+        if (!$local_only || @node_list) {
             my $members = PVE::Cluster::get_members();
 
+            @node_list = keys $members->%* if !@node_list;
+
+            if (my @unknown_nodes = grep { !exists($members->{$_}) } @node_list) {
+                die "Requested node-list contains unknown nodes - "
+                    . join(', ', @unknown_nodes) . "\n";
+            }
+
             my $rpcenv = PVE::RPCEnvironment::get();
             my $authuser = $rpcenv->get_user();
 
@@ -435,7 +455,7 @@ __PACKAGE__->register_method({
                 $ticket = PVE::AccessControl::assemble_ticket($authuser);
             }
 
-            for my $name (keys %$members) {
+            for my $name (@node_list) {
                 if ($name eq $nodename) {
                     # Skip own node, for that one we already have the metrics
                     next;
@@ -454,7 +474,7 @@ __PACKAGE__->register_method({
                         host => $ip,
                         port => 8006,
                         ticket => $ticket,
-                        timeout => 5,
+                        timeout => 20,
                     };
 
                     $conn_args->{cached_fingerprints} = { $fingerprint => 1 };

PVE/API2/HAConfig.pm

@@ -12,6 +12,7 @@ use PVE::JSONSchema qw(get_standard_option);
 use PVE::Exception qw(raise_param_exc);
 use PVE::API2::HA::Resources;
 use PVE::API2::HA::Groups;
+use PVE::API2::HA::Rules;
 use PVE::API2::HA::Status;
 
 use base qw(PVE::RESTHandler);
@@ -26,6 +27,11 @@ __PACKAGE__->register_method({
     path => 'groups',
 });
 
+__PACKAGE__->register_method({
+    subclass => "PVE::API2::HA::Rules",
+    path => 'rules',
+});
+
 __PACKAGE__->register_method({
     subclass => "PVE::API2::HA::Status",
     path => 'status',
@@ -57,7 +63,7 @@ __PACKAGE__->register_method({
         my ($param) = @_;
 
         my $res = [
-            { id => 'status' }, { id => 'resources' }, { id => 'groups' },
+            { id => 'status' }, { id => 'resources' }, { id => 'groups' }, { id => 'rules' },
         ];
 
         return $res;

PVE/API2/Network.pm

@@ -12,6 +12,7 @@ use PVE::RESTHandler;
 use PVE::RPCEnvironment;
 use PVE::JSONSchema qw(get_standard_option);
 use PVE::AccessControl;
+use PVE::Network;
 use IO::File;
 
 use base qw(PVE::RESTHandler);
@@ -43,6 +44,7 @@ my $network_type_enum = [
     'eth',
     'alias',
     'vlan',
+    'fabric',
     'OVSBridge',
     'OVSBond',
     'OVSPort',
@@ -231,6 +233,32 @@ sub json_config_properties {
     return $prop;
 }
 
+sub extract_altnames {
+    my ($iface, $altnames) = @_;
+
+    $altnames = PVE::Network::altname_mapping() if !defined($altnames);
+
+    my $iface_altnames = [];
+    my $original_iface;
+
+    # when we get an altname, first extract the legacy iface name
+    if (my $legacy_iface = $altnames->{$iface}) {
+        push $iface_altnames->@*, $legacy_iface;
+        $original_iface = $iface;
+        $iface = $legacy_iface;
+    }
+
+    for my $altname (keys $altnames->%*) {
+        next if defined($original_iface) && $original_iface eq $altname;
+        if ($altnames->{$altname} eq $iface) {
+            push $iface_altnames->@*, $altname;
+        }
+    }
+
+    return [sort $iface_altnames->@*] if scalar($iface_altnames->@*) > 0;
+    return undef;
+}
+
 __PACKAGE__->register_method({
     name => 'index',
     path => '',
@@ -245,7 +273,7 @@ __PACKAGE__->register_method({
             type => {
                 description => "Only list specific interface types.",
                 type => 'string',
-                enum => [@$network_type_enum, 'any_bridge', 'any_local_bridge'],
+                enum => [@$network_type_enum, 'any_bridge', 'any_local_bridge', 'include_sdn'],
                 optional => 1,
             },
         },
@@ -390,26 +418,52 @@ __PACKAGE__->register_method({
 
         my $ifaces = $config->{ifaces};
 
+        my $altnames = PVE::Network::altname_mapping();
+
         delete $ifaces->{lo}; # do not list the loopback device
 
         if (my $tfilter = $param->{type}) {
             my $vnets;
+            my $fabrics;
 
-            if ($have_sdn && $tfilter eq 'any_bridge') {
+            if ($have_sdn && $tfilter =~ /^(any_bridge|include_sdn|vnet)$/) {
                 $vnets = PVE::Network::SDN::get_local_vnets(); # returns already access-filtered
             }
 
-            for my $k (sort keys $ifaces->%*) {
-                my $type = $ifaces->{$k}->{type};
-                my $is_bridge = $type eq 'bridge' || $type eq 'OVSBridge';
-                my $bridge_match = $is_bridge && $tfilter =~ /^any(_local)?_bridge$/;
-                my $match = $tfilter eq $type || $bridge_match;
-                delete $ifaces->{$k} if !$match;
+            if ($have_sdn && $tfilter =~ /^(include_sdn|fabric)$/) {
+                my $local_node = PVE::INotify::nodename();
+
+                $fabrics =
+                    PVE::Network::SDN::Fabrics::config(1)->get_interfaces_for_node($local_node);
+            }
+
+            if ($tfilter ne 'include_sdn') {
+                for my $k (sort keys $ifaces->%*) {
+                    my $type = $ifaces->{$k}->{type};
+                    my $is_bridge = $type eq 'bridge' || $type eq 'OVSBridge';
+                    my $bridge_match = $is_bridge && $tfilter =~ /^any(_local)?_bridge$/;
+                    my $match = $tfilter eq $type || $bridge_match;
+                    delete $ifaces->{$k} if !$match;
+                }
             }
 
             if (defined($vnets)) {
                 $ifaces->{$_} = $vnets->{$_} for keys $vnets->%*;
             }
+
+            if (defined($fabrics)) {
+                for my $fabric_id (keys %$fabrics) {
+                    next
+                        if !$rpcenv->check_any(
+                            $authuser,
+                            "/sdn/fabrics/$fabric_id",
+                            ['SDN.Audit', 'SDN.Use', 'SDN.Allocate'],
+                            1,
+                        );
+
+                    $ifaces->{$fabric_id} = $fabrics->{$fabric_id};
+                }
+            }
         }
 
         #always check bridge access
@@ -424,6 +478,9 @@ __PACKAGE__->register_method({
             my $type = $ifaces->{$k}->{type};
             delete $ifaces->{$k}
                 if ($type eq 'bridge' || $type eq 'OVSBridge') && !$can_access_vnet->($k);
+
+            my $iface_altnames = extract_altnames($k, $altnames);
+            $ifaces->{$k}->{altnames} = $iface_altnames if defined($iface_altnames);
         }
 
         return PVE::RESTHandler::hash_to_array($ifaces, 'iface');
@@ -789,10 +846,15 @@ __PACKAGE__->register_method({
         my $config = PVE::INotify::read_file('interfaces');
         my $ifaces = $config->{ifaces};
 
-        raise_param_exc({ iface => "interface does not exist" })
-            if !$ifaces->{ $param->{iface} };
+        my $iface = $param->{iface};
 
-        return $ifaces->{ $param->{iface} };
+        raise_param_exc({ iface => "interface does not exist" })
+            if !$ifaces->{$iface};
+
+        my $altnames = extract_altnames($iface);
+        $ifaces->{$iface}->{altnames} = $altnames if defined($altnames);
+
+        return $ifaces->{$iface};
     },
 });
 
@@ -811,7 +873,7 @@ sub assert_ifupdown2_installed {
     die "you need ifupdown2 to reload network configuration\n" if !-e '/usr/share/ifupdown2';
     my ($v, $pve, $v_str) = ifupdown2_version();
     die
-        "incompatible 'ifupdown2' package version '$v_str'! Did you installed from Proxmox repositories?\n"
+        "incompatible 'ifupdown2' package version '$v_str'! Did you install from Proxmox repositories?\n"
         if $v < (1 * 100000 + 2 * 1000 + 8 * 10) || !$pve;
 }
 
@@ -829,6 +891,12 @@ __PACKAGE__->register_method({
         additionalProperties => 0,
         properties => {
             node => get_standard_option('pve-node'),
+            'regenerate-frr' => {
+                type => 'boolean',
+                description => 'Whether FRR config generation should get skipped or not.',
+                optional => 1,
+                default => 0,
+            },
         },
     },
     returns => { type => 'string' },
@@ -843,6 +911,8 @@ __PACKAGE__->register_method({
         my $current_config_file = "/etc/network/interfaces";
         my $new_config_file = "/etc/network/interfaces.new";
 
+        my $regenerate_frr = extract_param($param, 'regenerate-frr');
+
         assert_ifupdown2_installed();
 
         my $worker = sub {
@@ -850,7 +920,7 @@ __PACKAGE__->register_method({
             rename($new_config_file, $current_config_file) if -e $new_config_file;
 
             if ($have_sdn) {
-                PVE::Network::SDN::generate_zone_config();
+                PVE::Network::SDN::generate_etc_network_config();
                 PVE::Network::SDN::generate_dhcp_config();
             }
 
@@ -862,8 +932,15 @@ __PACKAGE__->register_method({
             };
             PVE::Tools::run_command(['ifreload', '-a'], errfunc => $err);
 
-            if ($have_sdn) {
-                PVE::Network::SDN::generate_controller_config(1);
+            if (defined($regenerate_frr)) {
+                # SDN (or a manual invocation) is requesting a
+                # specific behavior, so we abide by the parameter set.
+                PVE::Network::SDN::generate_frr_config(1) if $regenerate_frr;
+            } elsif (PVE::Network::SDN::running_config_has_frr()) {
+                # Reload is coming from the Web UI (or a manual
+                # invocation requesting no specific behavior), so we
+                # reload if there are FRR entities in the SDN config.
+                PVE::Network::SDN::generate_frr_config(1);
             }
         };
         return $rpcenv->fork_worker('srvreload', 'networking', $authuser, $worker);
@@ -922,3 +999,5 @@ __PACKAGE__->register_method({
         return undef;
     },
 });
+
+1;

PVE/API2/Nodes.pm

@@ -283,7 +283,7 @@ __PACKAGE__->register_method({
             { name => 'replication' },
             { name => 'report' },
             { name => 'rrd' }, # fixme: remove?
-            { name => 'rrddata' }, # fixme: remove?
+            { name => 'rrddata' },
             { name => 'scan' },
             { name => 'services' },
             { name => 'spiceshell' },
@@ -483,6 +483,10 @@ __PACKAGE__->register_method({
                         type => "integer",
                         description => "The free memory in bytes.",
                     },
+                    available => {
+                        type => "integer",
+                        description => "The available memory in bytes.",
+                    },
                     total => {
                         type => "integer",
                         description => "The total memory in bytes.",
@@ -550,6 +554,7 @@ __PACKAGE__->register_method({
         $res->{memory} = {
             free => $meminfo->{memfree},
             total => $meminfo->{memtotal},
+            available => $meminfo->{memavailable},
             used => $meminfo->{memused},
         };
 
@@ -836,7 +841,7 @@ __PACKAGE__->register_method({
             timeframe => {
                 description => "Specify the time frame you are interested in.",
                 type => 'string',
-                enum => ['hour', 'day', 'week', 'month', 'year'],
+                enum => ['hour', 'day', 'week', 'month', 'year', 'decade'],
             },
             ds => {
                 description => "The list of datasources you want to display.",
@@ -860,9 +865,10 @@ __PACKAGE__->register_method({
     code => sub {
         my ($param) = @_;
 
-        return PVE::RRD::create_rrd_graph(
-            "pve2-node/$param->{node}", $param->{timeframe}, $param->{ds}, $param->{cf},
-        );
+        my $path = "pve-node-9.0/$param->{node}";
+        $path = "pve2-node/$param->{node}" if !-e "/var/lib/rrdcached/db/${path}";
+        return PVE::RRD::create_rrd_graph($path, $param->{timeframe},
+            $param->{ds}, $param->{cf});
 
     },
 });
@@ -883,7 +889,7 @@ __PACKAGE__->register_method({
             timeframe => {
                 description => "Specify the time frame you are interested in.",
                 type => 'string',
-                enum => ['hour', 'day', 'week', 'month', 'year'],
+                enum => ['hour', 'day', 'week', 'month', 'year', 'decade'],
             },
             cf => {
                 description => "The RRD consolidation function",
@@ -903,8 +909,9 @@ __PACKAGE__->register_method({
     code => sub {
         my ($param) = @_;
 
-        return PVE::RRD::create_rrd_data("pve2-node/$param->{node}", $param->{timeframe},
-            $param->{cf});
+        my $path = "pve-node-9.0/$param->{node}";
+        $path = "pve2-node/$param->{node}" if !-e "/var/lib/rrdcached/db/${path}";
+        return PVE::RRD::create_rrd_data($path, $param->{timeframe}, $param->{cf});
     },
 });
 
@@ -1096,17 +1103,46 @@ my $shell_cmd_map = {
     },
 };
 
+my %shell_cmd_params = (
+    cmd => {
+        type => 'string',
+        description => "Run specific command or default to login (requires 'root\@pam')",
+        enum => [sort keys %$shell_cmd_map],
+        optional => 1,
+        default => 'login',
+    },
+    'cmd-opts' => {
+        type => 'string',
+        description => "Add parameters to a command. Encoded as null terminated strings.",
+        requires => 'cmd',
+        optional => 1,
+        default => '',
+    },
+);
+
 sub get_shell_command {
-    my ($user, $shellcmd, $args) = @_;
+    my ($user, $shellcmd, $args, $tunnel_cmd) = @_;
+
+    my $is_ssh_tunneling = defined($tunnel_cmd) && scalar(@$tunnel_cmd);
 
     my $cmd;
     if ($user eq 'root@pam') {
         if (defined($shellcmd) && exists($shell_cmd_map->{$shellcmd})) {
             my $def = $shell_cmd_map->{$shellcmd};
-            $cmd = [@{ $def->{cmd} }]; # clone
+
+            if ($is_ssh_tunneling && $cmd eq 'login') {
+                # stop-gap to avoid running into a racy bug with nested login, i.e. first from SSH
+                # second would be this command here, likely related to vhangup.
+                $cmd = [];
+            } else {
+                $cmd = [$def->{cmd}->@*]; # clone
+            }
+
             if (defined($args) && $def->{allow_args}) {
                 push @$cmd, split("\0", $args);
             }
+        } elsif ($is_ssh_tunneling) {
+            $cmd = []; # SSH logs us already in as root, and we must not nest login (vhangup).
         } else {
             $cmd = ['/bin/login', '-f', 'root'];
         }
@@ -1114,7 +1150,8 @@ sub get_shell_command {
         # non-root must always login for now, we do not have a superuser role!
         $cmd = ['/bin/login'];
     }
-    return $cmd;
+
+    return $is_ssh_tunneling ? [$tunnel_cmd->@*, $cmd->@*] : $cmd;
 }
 
 my $get_vnc_connection_info = sub {
@@ -1149,22 +1186,7 @@ __PACKAGE__->register_method({
         additionalProperties => 0,
         properties => {
             node => get_standard_option('pve-node'),
-            cmd => {
-                type => 'string',
-                description =>
-                    "Run specific command or default to login (requires 'root\@pam')",
-                enum => [keys %$shell_cmd_map],
-                optional => 1,
-                default => 'login',
-            },
-            'cmd-opts' => {
-                type => 'string',
-                description =>
-                    "Add parameters to a command. Encoded as null terminated strings.",
-                requires => 'cmd',
-                optional => 1,
-                default => '',
-            },
+            %shell_cmd_params,
             websocket => {
                 optional => 1,
                 type => 'boolean',
@@ -1214,9 +1236,9 @@ __PACKAGE__->register_method({
         $sslcert = PVE::Tools::file_get_contents("/etc/pve/pve-root-ca.pem", 8192)
             if !$sslcert;
 
-        my ($port, $remcmd) = $get_vnc_connection_info->($node);
+        my ($port, $tunnel_cmd) = $get_vnc_connection_info->($node);
 
-        my $shcmd = get_shell_command($user, $param->{cmd}, $param->{'cmd-opts'});
+        my $shcmd = get_shell_command($user, $param->{cmd}, $param->{'cmd-opts'}, $tunnel_cmd);
 
         my $timeout = 10;
 
@@ -1240,7 +1262,7 @@ __PACKAGE__->register_method({
             push @$cmd, '-notls', '-listen', 'localhost';
         }
 
-        push @$cmd, '-c', @$remcmd, @$shcmd;
+        push @$cmd, '-c', @$shcmd;
 
         my $realcmd = sub {
             my $upid = shift;
@@ -1300,22 +1322,7 @@ __PACKAGE__->register_method({
         additionalProperties => 0,
         properties => {
             node => get_standard_option('pve-node'),
-            cmd => {
-                type => 'string',
-                description =>
-                    "Run specific command or default to login (requires 'root\@pam')",
-                enum => [keys %$shell_cmd_map],
-                optional => 1,
-                default => 'login',
-            },
-            'cmd-opts' => {
-                type => 'string',
-                description =>
-                    "Add parameters to a command. Encoded as null terminated strings.",
-                requires => 'cmd',
-                optional => 1,
-                default => '',
-            },
+            %shell_cmd_params,
         },
     },
     returns => {
@@ -1337,9 +1344,9 @@ __PACKAGE__->register_method({
         my $authpath = "/nodes/$node";
         my $ticket = PVE::AccessControl::assemble_vnc_ticket($user, $authpath);
 
-        my ($port, $remcmd) = $get_vnc_connection_info->($node);
+        my ($port, $tunnel_cmd) = $get_vnc_connection_info->($node);
 
-        my $shcmd = get_shell_command($user, $param->{cmd}, $param->{'cmd-opts'});
+        my $shcmd = get_shell_command($user, $param->{cmd}, $param->{'cmd-opts'}, $tunnel_cmd);
 
         my $realcmd = sub {
             my $upid = shift;
@@ -1349,7 +1356,7 @@ __PACKAGE__->register_method({
             my $cmd = [
                 '/usr/bin/termproxy', $port, '--path', $authpath, '--perm', 'Sys.Console', '--',
             ];
-            push @$cmd, @$remcmd, @$shcmd;
+            push @$cmd, @$shcmd;
 
             PVE::Tools::run_command($cmd);
         };
@@ -1430,22 +1437,7 @@ __PACKAGE__->register_method({
         properties => {
             node => get_standard_option('pve-node'),
             proxy => get_standard_option('spice-proxy', { optional => 1 }),
-            cmd => {
-                type => 'string',
-                description =>
-                    "Run specific command or default to login (requires 'root\@pam')",
-                enum => [keys %$shell_cmd_map],
-                optional => 1,
-                default => 'login',
-            },
-            'cmd-opts' => {
-                type => 'string',
-                description =>
-                    "Add parameters to a command. Encoded as null terminated strings.",
-                requires => 'cmd',
-                optional => 1,
-                default => '',
-            },
+            %shell_cmd_params,
         },
     },
     returns => get_standard_option('remote-viewer-config'),

PVE/API2/Pool.pm

@@ -189,10 +189,13 @@ __PACKAGE__->register_method({
                 my $pool = $param->{poolid};
 
                 die "pool '$pool' already exists\n" if $usercfg->{pools}->{$pool};
-                if ($pool =~ m!^(.*)/[^/]+$!) {
-                    my $parent = $1;
+                if ($pool =~ m!^(.*)/([^/]+)$!) {
+                    my ($parent, $leaf) = ($1, $2);
                     die "parent '$parent' of pool '$pool' does not exist\n"
                         if !defined($usercfg->{pools}->{$parent});
+                    die "pool name must start with a letter\n" if $leaf !~ m!^[A-Za-z]!;
+                } else {
+                    die "pool name must start with a letter\n" if $pool !~ m!^[A-Za-z]!;
                 }
 
                 $usercfg->{pools}->{$pool} = {

PVE/API2/Replication.pm

@@ -3,21 +3,23 @@ package PVE::API2::Replication;
 use warnings;
 use strict;
 
-use PVE::JSONSchema qw(get_standard_option);
-use PVE::RPCEnvironment;
+use PVE::Cluster;
+use PVE::Exception qw(raise_perm_exc);
 use PVE::Format qw(render_timestamp);
-use PVE::ProcFSTools;
-
-use PVE::ReplicationConfig;
-use PVE::ReplicationState;
-use PVE::Replication;
-use PVE::QemuConfig;
-use PVE::QemuServer;
+use PVE::INotify;
+use PVE::JSONSchema qw(get_standard_option);
 use PVE::LXC::Config;
 use PVE::LXC;
 use PVE::Notify;
-
+use PVE::ProcFSTools;
+use PVE::QemuConfig;
+use PVE::QemuServer;
+use PVE::ReplicationConfig;
+use PVE::ReplicationState;
+use PVE::Replication;
 use PVE::RESTHandler;
+use PVE::RPCEnvironment;
+use PVE::Tools;
 
 use base qw(PVE::RESTHandler);
 
@@ -234,7 +236,7 @@ __PACKAGE__->register_method({
             my $data = $extract_job_status->($jobs->{$id}, $id);
             my $guest = $data->{guest};
             next if defined($param->{guest}) && $guest != $param->{guest};
-            next if !$rpcenv->check($authuser, "/vms/$guest", ['VM.Audit']);
+            next if !$rpcenv->check($authuser, "/vms/$guest", ['VM.Audit'], 1);
             push @$res, $data;
         }
 
@@ -309,7 +311,7 @@ __PACKAGE__->register_method({
         my $data = $extract_job_status->($jobcfg, $jobid);
         my $guest = $data->{guest};
 
-        raise_perm_exc() if !$rpcenv->check($authuser, "/vms/$guest", ['VM.Audit']);
+        $rpcenv->check($authuser, "/vms/$guest", ['VM.Audit']);
 
         return $data;
     },
@@ -379,8 +381,8 @@ __PACKAGE__->register_method({
         my $vmid = $data->{guest};
         raise_perm_exc()
             if (!(
-                $rpcenv->check($authuser, "/vms/$vmid", ['VM.Audit'])
-                || $rpcenv->check($authuser, "/nodes/$node", ['Sys.Audit'])
+                $rpcenv->check($authuser, "/vms/$vmid", ['VM.Audit'], 1)
+                || $rpcenv->check($authuser, "/nodes/$node", ['Sys.Audit'], 1)
             ));
 
         my ($count, $lines) =
@@ -400,7 +402,8 @@ __PACKAGE__->register_method({
     proxyto => 'node',
     protected => 1,
     permissions => {
-        check => ['perm', '/storage', ['Datastore.Allocate']],
+        description => "Requires the VM.Replicate permission on /vms/<vmid>.",
+        user => 'all',
     },
     parameters => {
         additionalProperties => 0,
@@ -415,7 +418,12 @@ __PACKAGE__->register_method({
     code => sub {
         my ($param) = @_;
 
+        my $rpcenv = PVE::RPCEnvironment::get();
+        my $authuser = $rpcenv->get_user();
+
         my $jobid = $param->{id};
+        my ($vmid) = PVE::ReplicationConfig::parse_replication_job_id($jobid);
+        $rpcenv->check($authuser, "/vms/$vmid", ['VM.Replicate']);
 
         my $cfg = PVE::ReplicationConfig->new();
         my $jobcfg = $cfg->{ids}->{$jobid};

PVE/API2/ReplicationConfig.pm

@@ -3,17 +3,32 @@ package PVE::API2::ReplicationConfig;
 use warnings;
 use strict;
 
-use PVE::Tools qw(extract_param);
-use PVE::Exception qw(raise_perm_exc raise_param_exc);
-use PVE::JSONSchema qw(get_standard_option);
-use PVE::RPCEnvironment;
-use PVE::ReplicationConfig;
 use PVE::Cluster;
-
+use PVE::Exception qw(raise_param_exc);
+use PVE::JSONSchema qw(get_standard_option);
+use PVE::ReplicationConfig;
 use PVE::RESTHandler;
+use PVE::RPCEnvironment;
+use PVE::SectionConfig;
+use PVE::Storage;
+use PVE::Tools qw(extract_param);
+
+use PVE::API2::Replication;
 
 use base qw(PVE::RESTHandler);
 
+my $replication_api_return_props = {
+    PVE::ReplicationConfig->createSchema()->{properties}->%*,
+    guest => {
+        type => 'integer',
+        description => 'Guest ID.',
+    },
+    jobnum => {
+        type => 'integer',
+        description => 'Unique, sequential ID assigned to each job.',
+    },
+};
+
 __PACKAGE__->register_method({
     name => 'index',
     path => '',
@@ -32,7 +47,7 @@ __PACKAGE__->register_method({
         type => 'array',
         items => {
             type => "object",
-            properties => {},
+            properties => $replication_api_return_props,
         },
         links => [{ rel => 'child', href => "{id}" }],
     },
@@ -72,7 +87,13 @@ __PACKAGE__->register_method({
             id => get_standard_option('pve-replication-id'),
         },
     },
-    returns => { type => 'object' },
+    returns => {
+        type => 'object',
+        properties => {
+            $replication_api_return_props->%*,
+            digest => get_standard_option('pve-config-digest'),
+        },
+    },
     code => sub {
         my ($param) = @_;
 
@@ -87,7 +108,7 @@ __PACKAGE__->register_method({
 
         my $vmid = $data->{guest};
 
-        raise_perm_exc() if !$rpcenv->check($authuser, "/vms/$vmid", ['VM.Audit']);
+        $rpcenv->check($authuser, "/vms/$vmid", ['VM.Audit']);
 
         $data->{id} = $param->{id};
 
@@ -104,19 +125,24 @@ __PACKAGE__->register_method({
     method => 'POST',
     description => "Create a new replication job",
     permissions => {
-        check => ['perm', '/storage', ['Datastore.Allocate']],
+        description => "Requires the VM.Replicate permission on /vms/<vmid>.",
+        user => 'all',
     },
     parameters => PVE::ReplicationConfig->createSchema(),
     returns => { type => 'null' },
     code => sub {
         my ($param) = @_;
 
+        my $rpcenv = PVE::RPCEnvironment::get();
+        my $authuser = $rpcenv->get_user();
+
         my $type = extract_param($param, 'type');
         my $plugin = PVE::ReplicationConfig->lookup($type);
         my $id = extract_param($param, 'id');
 
         # extract guest ID from job ID
         my ($guest) = PVE::ReplicationConfig::parse_replication_job_id($id);
+        $rpcenv->check($authuser, "/vms/$guest", ['VM.Replicate']);
 
         my $nodelist = PVE::Cluster::get_members();
         my $vmlist = PVE::Cluster::get_vmlist();
@@ -173,17 +199,24 @@ __PACKAGE__->register_method({
     method => 'PUT',
     description => "Update replication job configuration.",
     permissions => {
-        check => ['perm', '/storage', ['Datastore.Allocate']],
+        description => "Requires the VM.Replicate permission on /vms/<vmid>.",
+        user => 'all',
     },
     parameters => PVE::ReplicationConfig->updateSchema(),
     returns => { type => 'null' },
     code => sub {
         my ($param) = @_;
 
+        my $rpcenv = PVE::RPCEnvironment::get();
+        my $authuser = $rpcenv->get_user();
+
         my $id = extract_param($param, 'id');
         my $digest = extract_param($param, 'digest');
         my $delete = extract_param($param, 'delete');
 
+        my ($vmid) = PVE::ReplicationConfig::parse_replication_job_id($id);
+        $rpcenv->check($authuser, "/vms/$vmid", ['VM.Replicate']);
+
         my $code = sub {
             my $cfg = PVE::ReplicationConfig->new();
 
@@ -228,7 +261,8 @@ __PACKAGE__->register_method({
     method => 'DELETE',
     description => "Mark replication job for removal.",
     permissions => {
-        check => ['perm', '/storage', ['Datastore.Allocate']],
+        description => "Requires the VM.Replicate permission on /vms/<vmid>.",
+        user => 'all',
     },
     parameters => {
         additionalProperties => 0,
@@ -253,11 +287,15 @@ __PACKAGE__->register_method({
         my ($param) = @_;
 
         my $rpcenv = PVE::RPCEnvironment::get();
+        my $authuser = $rpcenv->get_user();
+
+        my $id = extract_param($param, 'id');
+        my ($vmid) = PVE::ReplicationConfig::parse_replication_job_id($id);
+        $rpcenv->check($authuser, "/vms/$vmid", ['VM.Replicate']);
 
         my $code = sub {
             my $cfg = PVE::ReplicationConfig->new();
 
-            my $id = $param->{id};
             if ($param->{force}) {
                 raise_param_exc({ 'keep' => "conflicts with parameter 'force'" })
                     if $param->{keep};

PVE/API2/Services.pm

@@ -50,15 +50,14 @@ my $essential_services = {
 # since postfix package 3.1.0-3.1 the postfix unit is only here to
 # manage subinstances, of which the  default is called "-".
 # This is where we look for the daemon status
-my $unit_extra_names = {
-    postfix => 'postfix@-',
-};
+my $unit_extra_names = {};
 
 my $get_full_service_state = sub {
     my ($service) = @_;
-    $service = $unit_extra_names->{$service} if $unit_extra_names->{$service};
-    my $res;
 
+    $service = $unit_extra_names->{$service} if $unit_extra_names->{$service};
+
+    my $res;
     my $parser = sub {
         my $line = shift;
         if ($line =~ m/^([^=\s]+)=(.*)$/) {
@@ -138,6 +137,82 @@ my $service_state = sub {
     return $res;
 };
 
+my $service_state_api_return_schema = {
+    'active-state' => {
+        type => 'string',
+        enum => [
+            qw(active inactive failed activating deactivating maintenance reloading refreshing unknown)
+        ],
+        description => 'Current state of the service process (systemd ActiveState).',
+    },
+    'desc' => {
+        type => 'string',
+        description => 'Description of the service.',
+    },
+    'name' => {
+        type => 'string',
+        description => 'Short identifier for the service (e.g., "pveproxy").',
+    },
+    'service' => {
+        type => 'string',
+        description => 'Systemd unit name (e.g., pveproxy).',
+    },
+    'state' => {
+        type => 'string',
+        # all systemd service unit substates
+        enum => [qw(
+            dead
+            condition
+            start-pre
+            start
+            start-post
+            running
+            exited
+            reload
+            reload-signal
+            reload-notify
+            mounting
+            stop
+            stop-watchdog
+            stop-sigterm
+            stop-sigkill
+            stop-post
+            final-watchdog
+            final-sigterm
+            final-sigkill
+            failed
+            dead-before-auto-restart
+            failed-before-auto-restart
+            dead-resources-pinned
+            auto-restart
+            auto-restart-queued
+            cleaning
+            unknown
+        )],
+        description => 'Execution status of the service (systemd SubState).',
+    },
+    'unit-state' => {
+        type => 'string',
+        enum => [qw(
+            enabled
+            enabled-runtime
+            linked
+            linked-runtime
+            alias
+            masked
+            masked-runtime
+            static
+            disabled
+            indirect
+            generated
+            transient
+            bad not-found
+            unknown
+        )],
+        description => 'Whether the service is enabled (systemd UnitFileState).',
+    },
+};
+
 __PACKAGE__->register_method({
     name => 'index',
     path => '',
@@ -158,7 +233,7 @@ __PACKAGE__->register_method({
         type => 'array',
         items => {
             type => "object",
-            properties => {},
+            properties => $service_state_api_return_schema,
         },
         links => [{ rel => 'child', href => "{service}" }],
     },
@@ -242,7 +317,7 @@ __PACKAGE__->register_method({
     },
     returns => {
         type => "object",
-        properties => {},
+        properties => $service_state_api_return_schema,
     },
     code => sub {
         my ($param) = @_;

PVE/API2/Tasks.pm

@@ -63,7 +63,7 @@ __PACKAGE__->register_method({
                 minimum => 0,
                 default => 50,
                 optional => 1,
-                description => "Only list this amount of tasks.",
+                description => "Only list this number of tasks.",
             },
             userfilter => {
                 type => 'string',
@@ -358,7 +358,7 @@ __PACKAGE__->register_method({
                 minimum => 0,
                 default => 50,
                 optional => 1,
-                description => "The amount of lines to read from the tasklog.",
+                description => "The number of lines to read from the tasklog.",
             },
             download => {
                 type => 'boolean',

PVE/API2/VZDump.pm

@@ -27,7 +27,7 @@ my sub assert_param_permission_vzdump {
 
     PVE::API2::Backup::assert_param_permission_common($rpcenv, $user, $param);
 
-    if (defined($param->{maxfiles}) || defined($param->{'prune-backups'})) {
+    if (defined($param->{'prune-backups'})) {
         if (my $storeid = PVE::VZDump::get_storage_param($param)) {
             $rpcenv->check($user, "/storage/$storeid", ['Datastore.Allocate']);
         }
@@ -40,12 +40,12 @@ __PACKAGE__->register_method({
     method => 'POST',
     description => "Create backup.",
     permissions => {
-        description => "The user needs 'VM.Backup' permissions on any VM, and "
-            . "'Datastore.AllocateSpace' on the backup storage (and fleecing storage when fleecing "
-            . "is used). The 'tmpdir', 'dumpdir', 'script' and 'job-id' parameters are restricted "
-            . "to the 'root\@pam' user. The 'maxfiles' and 'prune-backups' settings require "
-            . "'Datastore.Allocate' on the backup storage. The 'bwlimit', 'performance' and "
-            . "'ionice' parameters require 'Sys.Modify' on '/'.",
+        description => "The user needs 'VM.Backup' permissions on any VM, and"
+            . " 'Datastore.AllocateSpace' on the backup storage (and fleecing storage when fleecing"
+            . " is used). The 'tmpdir', 'dumpdir', 'script' and 'job-id' parameters are restricted"
+            . " to the 'root\@pam' user. The 'prune-backups' setting requires 'Datastore.Allocate'"
+            . " on the backup storage. The 'bwlimit', 'performance' and 'ionice' parameters require"
+            . " 'Sys.Modify' on '/'.",
         user => 'all',
     },
     protected => 1,

PVE/API2Tools.pm

@@ -41,6 +41,23 @@ sub get_hwaddress {
     return $hwaddress;
 }
 
+# each rrd key for a resource will only exist once. The key format might be different though. Therefore return on first hit
+sub get_rrd_key {
+    my ($rrd, $type, $id) = @_;
+
+    # check for old formats: pve2-{type}/{id}. For VMs and CTs the version number is different than for nodes and storages
+    if ($type ne "vm" && exists $rrd->{"pve2-${type}/${id}"}) {
+        return "pve2-${type}/${id}";
+    } elsif ($type eq "vm" && exists $rrd->{"pve2.3-${type}/${id}"}) {
+        return "pve2.3-${type}/${id}";
+    }
+
+    my $key = "pve-${type}-9.0/${id}";
+    if (defined($rrd->{$key})) {
+        return $key;
+    }
+}
+
 sub extract_node_stats {
     my ($node, $members, $rrd, $exclude_stats) = @_;
 
@@ -51,8 +68,8 @@ sub extract_node_stats {
         status => 'unknown',
     };
 
-    if (my $d = $rrd->{"pve2-node/$node"}) {
-
+    my $key = get_rrd_key($rrd, "node", $node);
+    if (my $d = $rrd->{$key}) {
         if (
             !$members || # no cluster
             ($members->{$node} && $members->{$node}->{online})
@@ -96,24 +113,9 @@ sub extract_vm_stats {
     };
 
     my $d;
+    my $key = get_rrd_key($rrd, "vm", $vmid);
 
-    if ($d = $rrd->{"pve2-vm/$vmid"}) {
-
-        $entry->{uptime} = ($d->[0] || 0) + 0;
-        $entry->{name} = $d->[1];
-        $entry->{status} = $entry->{uptime} ? 'running' : 'stopped';
-        $entry->{maxcpu} = ($d->[3] || 0) + 0;
-        $entry->{cpu} = ($d->[4] || 0) + 0;
-        $entry->{maxmem} = ($d->[5] || 0) + 0;
-        $entry->{mem} = ($d->[6] || 0) + 0;
-        $entry->{maxdisk} = ($d->[7] || 0) + 0;
-        $entry->{disk} = ($d->[8] || 0) + 0;
-        $entry->{netin} = ($d->[9] || 0) + 0;
-        $entry->{netout} = ($d->[10] || 0) + 0;
-        $entry->{diskread} = ($d->[11] || 0) + 0;
-        $entry->{diskwrite} = ($d->[12] || 0) + 0;
-
-    } elsif ($d = $rrd->{"pve2.3-vm/$vmid"}) {
+    if (my $d = $rrd->{$key}) {
 
         $entry->{uptime} = ($d->[0] || 0) + 0;
         $entry->{name} = $d->[1];
@@ -130,6 +132,10 @@ sub extract_vm_stats {
         $entry->{netout} = ($d->[12] || 0) + 0;
         $entry->{diskread} = ($d->[13] || 0) + 0;
         $entry->{diskwrite} = ($d->[14] || 0) + 0;
+
+        if ($key =~ /^pve-vm-/) {
+            $entry->{memhost} = ($d->[15] || 0) + 0;
+        }
     }
 
     return $entry;
@@ -151,7 +157,8 @@ sub extract_storage_stats {
         content => $content,
     };
 
-    if (my $d = $rrd->{"pve2-storage/$node/$storeid"}) {
+    my $key = get_rrd_key($rrd, "storage", "${node}/${storeid}");
+    if (my $d = $rrd->{$key}) {
         $entry->{maxdisk} = ($d->[1] || 0) + 0;
         $entry->{disk} = ($d->[2] || 0) + 0;
         $entry->{status} = 'available';

PVE/APLInfo.pm

@@ -171,7 +171,7 @@ sub download_aplinfo {
 
         # verify signature
         my $trustedkeyring = "/usr/share/doc/pve-manager/trustedkeys.gpg";
-        my $cmd = "/usr/bin/gpgv -q --keyring $trustedkeyring $sigfn $tmp";
+        my $cmd = "/usr/bin/sqv --keyring $trustedkeyring $sigfn $tmp";
 
         my $logfunc = sub { logmsg($logfd, "signature verification: $_[0]"); };
         eval { run_command($cmd, outfunc => $logfunc, errfunc => $logfunc); };

PVE/CLI/Makefile

@@ -8,8 +8,8 @@ SOURCES = \
 	pvesr.pm \
 	pvenode.pm \
 	pvesh.pm \
-	pve7to8.pm \
 	pve8to9.pm \
+	pve_network_interface_pinning.pm \
 
 all:
 

PVE/CLI/pve_network_interface_pinning.pm

@@ -0,0 +1,494 @@
+package PVE::CLI::pve_network_interface_pinning;
+
+use v5.36;
+
+use File::Copy;
+use POSIX qw(:errno_h);
+use Storable qw(dclone);
+
+use PVE::Firewall;
+use PVE::INotify;
+use PVE::Network;
+use PVE::Network::SDN;
+use PVE::Network::SDN::Controllers;
+use PVE::Network::SDN::Fabrics;
+use PVE::RPCEnvironment;
+use PVE::SectionConfig;
+use PVE::Tools;
+
+use PVE::CLIHandler;
+use base qw(PVE::CLIHandler);
+
+my $PVEETH_LOCK = "/run/lock/proxmox-network-interface-pinning.lck";
+
+sub setup_environment {
+    PVE::RPCEnvironment->setup_default_cli_env();
+}
+
+my sub update_sdn_fabrics {
+    my ($mapping) = @_;
+
+    print "Updating /etc/pve/sdn/fabrics.cfg\n";
+
+    my $code = sub {
+        my $local_node = PVE::INotify::nodename();
+
+        my $config = PVE::Network::SDN::Fabrics::config();
+        $config->map_interfaces($local_node, $mapping);
+        PVE::Network::SDN::Fabrics::write_config($config);
+    };
+
+    PVE::Network::SDN::lock_sdn_config($code);
+}
+
+my sub update_sdn_controllers {
+    my ($mapping) = @_;
+
+    print "Updating /etc/pve/sdn/controllers.cfg\n";
+
+    my $code = sub {
+        my $controllers = PVE::Network::SDN::Controllers::config();
+
+        my $local_node = PVE::INotify::nodename();
+
+        for my $controller (values $controllers->{ids}->%*) {
+            next
+                if ($controller->{node} && $local_node ne $controller->{node})
+                || $controller->{type} ne 'isis';
+
+            $controller->{'isis-ifaces'} = $mapping->list($controller->{'isis-ifaces'});
+        }
+
+        PVE::Network::SDN::Controllers::write_config($controllers);
+    };
+
+    PVE::Network::SDN::lock_sdn_config($code);
+}
+
+my sub update_etc_network_interfaces {
+    my ($mapping, $existing_pins) = @_;
+
+    print "Updating /etc/network/interfaces.new\n";
+
+    my $code = sub {
+        my $config = dclone(PVE::INotify::read_file('interfaces'));
+
+        my $old_ifaces = $config->{ifaces};
+        my $new_ifaces = {};
+
+        for my $iface_name (keys $old_ifaces->%*) {
+            my $iface = $old_ifaces->{$iface_name};
+
+            if ($existing_pins->{$iface_name} && $existing_pins->{$iface_name} ne $iface_name) {
+                # reading the interfaces file adds active interfaces to the
+                # configuration - we do not want to include already pinned
+                # interfaces in the new configuration when writing the new
+                # interface file multiple times, so we skip the interface here
+                # if there already exists a pin for it.
+                next;
+            }
+
+            if ($iface->{type} =~ m/^(eth|OVSPort|alias)$/) {
+                $iface_name = $mapping->name($iface_name);
+            } elsif ($iface->{type} eq 'vlan') {
+                $iface_name = $mapping->name($iface_name);
+                $iface->{'vlan-raw-device'} = $mapping->name($iface->{'vlan-raw-device'});
+            } elsif ($iface->{type} eq 'bond') {
+                $iface->{'bond-primary'} = $mapping->name($iface->{'bond-primary'});
+                $iface->{slaves} = $mapping->list($iface->{slaves});
+            } elsif ($iface->{type} eq 'bridge') {
+                $iface->{bridge_ports} = $mapping->list($iface->{bridge_ports});
+            } elsif ($iface->{type} eq 'OVSBridge') {
+                $iface->{ovs_ports} = $mapping->list($iface->{ovs_ports});
+            } elsif ($iface->{type} eq 'OVSBond') {
+                $iface->{ovs_bonds} = $mapping->list($iface->{ovs_bonds});
+            }
+
+            $new_ifaces->{$iface_name} = $iface;
+        }
+
+        $config->{ifaces} = $new_ifaces;
+        PVE::INotify::write_file('interfaces', $config, 1);
+    };
+
+    PVE::Tools::lock_file("/etc/network/.pve-interfaces.lock", 10, $code);
+    die $@ if $@;
+}
+
+my sub update_host_fw_config {
+    my ($mapping) = @_;
+
+    my $local_node = PVE::INotify::nodename();
+    print "Updating /etc/pve/nodes/$local_node/host.fw.new\n";
+
+    my $code = sub {
+        my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+
+        my $temp_fw_file = "/etc/pve/nodes/$local_node/host.fw.new";
+
+        my $host_fw_file = (-e $temp_fw_file) ? $temp_fw_file : undef;
+        my $host_conf = PVE::Firewall::load_hostfw_conf($cluster_conf, $host_fw_file);
+
+        for my $rule ($cluster_conf->{rules}->@*) {
+            next if !$rule->{iface};
+
+            warn "found reference to iface $rule->{iface} in cluster config - not updating."
+                if $mapping->{ $rule->{iface} };
+        }
+
+        for my $rule ($host_conf->{rules}->@*) {
+            next if !$rule->{iface};
+            $rule->{iface} = $mapping->name($rule->{iface});
+        }
+
+        PVE::Firewall::save_hostfw_conf($host_conf, "/etc/pve/nodes/$local_node/host.fw.new");
+    };
+
+    PVE::Firewall::run_locked($code);
+}
+
+my sub parse_link_file {
+    my ($file_name) = @_;
+
+    my $content = PVE::Tools::file_get_contents($file_name);
+    my @lines = split(/\n/, $content);
+
+    my $section;
+    my $data = {};
+
+    for my $line (@lines) {
+        next if $line =~ m/^\s*$/;
+
+        if ($line =~ m/^\[(Match|Link)\]$/) {
+            $section = $1;
+            $data->{$section} = {};
+        } elsif ($line =~ m/^([a-zA-Z]+)=(.+)$/) {
+            die "key-value pair before section at line: $line\n" if !$section;
+            $data->{$section}->{$1} = $2;
+        } else {
+            die "unrecognized line: $line\n";
+        }
+    }
+
+    return $data;
+}
+
+my $LINK_DIRECTORY = "/usr/local/lib/systemd/network/";
+
+sub ensure_link_directory_exists {
+    mkdir '/usr/local/lib/systemd' if !-d '/usr/local/lib/systemd';
+    mkdir $LINK_DIRECTORY if !-d $LINK_DIRECTORY;
+}
+
+my sub get_pinned {
+    my $link_files = {};
+
+    ensure_link_directory_exists();
+
+    PVE::Tools::dir_glob_foreach(
+        $LINK_DIRECTORY,
+        qr/^50-pve-(.+)\.link$/,
+        sub {
+            my $parsed = parse_link_file($LINK_DIRECTORY . $_[0]);
+            $link_files->{ $parsed->{'Match'}->{'MACAddress'} } = $parsed->{'Link'}->{'Name'};
+        },
+    );
+
+    return $link_files;
+}
+
+my $LINK_FILE_TEMPLATE = <<EOF;
+[Match]
+MACAddress=%s
+Type=ether
+
+[Link]
+Name=%s
+EOF
+
+my sub link_file_name {
+    my ($iface_name) = @_;
+    return "50-pve-$iface_name.link";
+}
+
+my sub delete_link_files {
+    my ($pinned) = @_;
+
+    ensure_link_directory_exists();
+
+    for my $iface_name (values %$pinned) {
+        my $link_file = $LINK_DIRECTORY . link_file_name($iface_name);
+
+        if (!unlink $link_file) {
+            return if $! == ENOENT;
+            warn "failed to delete $link_file";
+        }
+    }
+}
+
+my sub generate_link_files {
+    my ($ip_links, $mapping) = @_;
+
+    print "Generating link files\n";
+
+    ensure_link_directory_exists();
+
+    for my $ip_link (values $ip_links->%*) {
+        my $mapped_name = $mapping->name($ip_link->{ifname});
+        my $link_file_content =
+            sprintf($LINK_FILE_TEMPLATE, get_ip_link_mac($ip_link), $mapped_name);
+
+        PVE::Tools::file_set_contents(
+            $LINK_DIRECTORY . link_file_name($mapped_name),
+            $link_file_content,
+        );
+    }
+}
+
+package PVE::CLI::pve_network_interface_pinning::InterfaceMapping {
+    use PVE::CLI::pve_network_interface_pinning;
+    use PVE::Tools;
+
+    sub new {
+        my ($class, $mapping) = @_;
+        bless $mapping, $class;
+    }
+
+    sub generate {
+        my ($class, $ip_links, $pinned, $prefix) = @_;
+
+        my $index = 0;
+        my $mapping = {};
+
+        my %existing_names = map { $_ => 1 } values $pinned->%*;
+
+        my @sorted_links = sort {
+            $ip_links->{$a}->{ifindex} <=> $ip_links->{$b}->{ifindex};
+        } keys $ip_links->%*;
+
+        for my $ifname (@sorted_links) {
+            my $ip_link = $ip_links->{$ifname};
+            my $generated_name;
+
+            do {
+                $generated_name = $prefix . $index++;
+            } while ($existing_names{$generated_name});
+
+            $mapping->{$ifname} = $generated_name;
+
+            for my $altname ($ip_link->{altnames}->@*) {
+                $mapping->{$altname} = $generated_name;
+            }
+        }
+
+        bless $mapping, $class;
+    }
+
+    sub name {
+        my ($self, $iface_name) = @_;
+
+        if ($iface_name =~ m/^([a-zA-Z0-9_]+)([:\.]\d+)$/) {
+            my $mapped_name = $self->{$1} // $1;
+            my $suffix = $2;
+
+            return "$mapped_name$suffix";
+        }
+
+        return $self->{$iface_name} // $iface_name;
+    }
+
+    sub list {
+        my ($self, $list) = @_;
+
+        my @mapped_list = map { $self->name($_) } PVE::Tools::split_list($list);
+        return join(' ', @mapped_list);
+    }
+}
+
+sub get_ip_link_mac {
+    my ($ip_link) = @_;
+
+    # members of bonds can have a different MAC than the physical interface, so
+    # we need to check if they're enslaved
+    return $ip_link->{linkinfo}->{info_slave_data}->{perm_hwaddr} // $ip_link->{address};
+}
+
+sub iface_is_vf {
+    my ($iface_name) = @_;
+
+    return -l "/sys/class/net/$iface_name/device/physfn";
+}
+
+sub get_ip_links {
+    my $ip_links = PVE::Network::ip_link_details();
+
+    for my $iface_name (keys $ip_links->%*) {
+        delete $ip_links->{$iface_name}
+            if !PVE::Network::ip_link_is_physical($ip_links->{$iface_name})
+            || iface_is_vf($iface_name);
+    }
+
+    return $ip_links;
+}
+
+sub resolve_pinned {
+    my ($ip_links, $pinned) = @_;
+
+    my %mac_lookup = map { get_ip_link_mac($_) => $_->{ifname} } values $ip_links->%*;
+
+    my $resolved = {};
+
+    for my $mac (keys $pinned->%*) {
+        if (!$mac_lookup{$mac}) {
+            warn "could not resolve $mac to an existing interface";
+            next;
+        }
+
+        $resolved->{ $mac_lookup{$mac} } = $pinned->{$mac};
+    }
+
+    return $resolved;
+}
+
+__PACKAGE__->register_method({
+    name => 'generate',
+    path => 'generate',
+    method => 'POST',
+    description => 'Generate systemd.link files to pin the names of one or more network'
+        . ' interfaces and update all network-related configuration files.',
+    parameters => {
+        additionalProperties => 0,
+        properties => {
+            interface => {
+                description => 'Only pin a specific interface.',
+                type => 'string',
+                format => 'pve-iface',
+                default => '<all>', # just for the docs.
+                optional => 1,
+            },
+            prefix => {
+                description =>
+                    'Use a specific prefix for automatically choosing the pinned name.',
+                type => 'string',
+                pattern => '^[a-zA-Z][a-zA-Z0-9-_]{0,7}$',
+                default => 'nic', # just for the docs.
+                optional => 1,
+            },
+            'target-name' => {
+                description => 'Pin the interface to a specific name.',
+                type => 'string',
+                format => 'pve-iface',
+                optional => 1,
+                requires => 'interface',
+            },
+        },
+    },
+    returns => {
+        type => 'null',
+    },
+    code => sub {
+        my ($params) = @_;
+
+        my $iface = $params->{interface}; # undef means all.
+        my $target_name = $params->{'target-name'};
+
+        if (-t STDOUT) {
+            my $target = defined($iface) ? "the interface '$iface'" : 'all interfaces';
+            say "This will generate name pinning configuration for $target - continue (y/N)? ";
+
+            my $answer = <STDIN>;
+            my $continue = defined($answer) && $answer =~ m/^\s*y(?:es)?\s*$/i;
+
+            die "Aborting pinning as requested\n" if !$continue;
+        }
+
+        my $code = sub {
+            my $prefix = $params->{prefix} // 'nic';
+
+            my $ip_links = get_ip_links();
+            my $pinned = get_pinned();
+            my $existing_pins = resolve_pinned($ip_links, $pinned);
+
+            if ($iface) {
+                die "Could not find link with name '$iface'\n" if !$ip_links->{$iface};
+
+                die "There already exists a pin for NIC '$iface' - aborting.\n"
+                    if $existing_pins->{$iface};
+
+                $ip_links = { $iface => $ip_links->{$iface} };
+            } else {
+                for my $iface_name (keys $existing_pins->%*) {
+                    delete $ip_links->{$iface_name};
+                }
+            }
+
+            my $mapping;
+
+            if ($target_name) {
+                die "target-name already exists as link or pin!\n"
+                    if $ip_links->{$target_name} || grep { $target_name eq $_ } values $pinned->%*;
+
+                $mapping = PVE::CLI::pve_network_interface_pinning::InterfaceMapping->new({
+                    $iface => $target_name,
+                });
+            } else {
+                $mapping = PVE::CLI::pve_network_interface_pinning::InterfaceMapping->generate(
+                    $ip_links,
+                    $pinned,
+                    $prefix,
+                );
+            }
+
+            if (!$mapping->%*) {
+                print "Nothing to do, aborting.\n";
+                exit 0;
+            }
+
+            my $altnames = PVE::Network::altname_mapping($ip_links);
+
+            my @sorted_links = sort {
+                my $a_name = $altnames->{$a} // $a;
+                my $b_name = $altnames->{$b} // $b;
+
+                $ip_links->{$a_name}->{ifindex} <=> $ip_links->{$b_name}->{ifindex};
+            } grep {
+                $ip_links->{$_}
+            } keys $mapping->%*;
+
+            for my $old_name (@sorted_links) {
+                my $altname_string = '';
+
+                if (my $interface_altnames = $ip_links->{$old_name}->{altnames}) {
+                    $altname_string = join(', ', $interface_altnames->@*);
+                }
+
+                print "Name for link '$old_name' ";
+                print "($altname_string) " if $altname_string;
+                print "will change to '$mapping->{$old_name}'\n";
+
+            }
+
+            generate_link_files($ip_links, $mapping);
+            print "Successfully generated .link files in '/usr/local/lib/systemd/network/'\n";
+
+            update_host_fw_config($mapping);
+            update_etc_network_interfaces($mapping, $existing_pins);
+            update_sdn_controllers($mapping);
+            update_sdn_fabrics($mapping);
+
+            print "Successfully updated Proxmox VE configuration files.\n";
+            print "\nPlease reboot to apply the changes to your configuration\n\n";
+        };
+
+        PVE::Tools::lock_file($PVEETH_LOCK, 10, $code);
+        die $@ if $@;
+
+        return;
+    },
+});
+
+our $cmddef = {
+    generate => [__PACKAGE__, 'generate', [], {}],
+};
+
+1;

PVE/CLI/pveceph.pm

@@ -3,6 +3,7 @@ package PVE::CLI::pveceph;
 use strict;
 use warnings;
 
+use AptPkg::Cache;
 use Data::Dumper;
 use Fcntl ':flock';
 use File::Path;
@@ -136,9 +137,13 @@ __PACKAGE__->register_method({
             },
             repository => {
                 type => 'string',
-                enum => ['enterprise', 'no-subscription', 'test'],
+                enum => ['enterprise', 'no-subscription', 'test', 'manual'],
                 default => 'enterprise',
-                description => "Ceph repository to use.",
+                description => "Ceph repository to use. The 'manual' option will not configure"
+                    . " any repositories. Use it if the host cannot access the public repositories,"
+                    . " for example if Proxmox Offline Mirror is used. A repository that contains"
+                    . " the Ceph packages for the version needs to be manually configured before"
+                    . " starting the installation!",
                 optional => 1,
             },
             'allow-experimental' => {
@@ -161,19 +166,23 @@ __PACKAGE__->register_method({
             $enterprise_repo ? 'https://enterprise.proxmox.com' : 'http://download.proxmox.com';
 
         if (has_valid_subscription()) {
-            warn
-                "\nNOTE: The node has an active subscription but a non-production Ceph repository selected.\n\n"
-                if !$enterprise_repo;
+            if (!$enterprise_repo) {
+                warn "\nNOTE: The node has an active subscription but a non-production Ceph"
+                    . " repository selected.\n\n";
+            }
         } elsif ($enterprise_repo) {
             warn "\nWARN: Enterprise repository selected, but no active subscription!\n\n";
         } elsif ($repo eq 'no-subscription') {
-            warn
-                "\nHINT: The no-subscription repository is not the best choice for production setups.\n"
+            warn "\nHINT: The no-subscription repository is not the best choice for production"
+                . " setups.\n"
                 . "Proxmox recommends using the enterprise repository with a valid subscription.\n";
+        } elsif ($repo eq 'manual') {
+            warn "\nHINT: The manual repository option expects that the Ceph repository is"
+                . " already correctly configured. For example, when used in combination with"
+                . " Proxmox Offline Mirror.\n";
         } else {
-            warn
-                "\nWARN: The test repository should only be used for test setups or after consulting"
-                . " the official Proxmox support!\n\n";
+            warn "\nWARN: The test repository should only be used for test setups or after"
+                . " consulting the official Proxmox support!\n\n";
         }
 
         my $available_ceph_releases = PVE::Ceph::Releases::get_all_available_ceph_releases();
@@ -199,22 +208,24 @@ EOF
             die "Aborting installation as requested\n" if !$continue;
         }
 
-        PVE::Tools::file_set_contents("/etc/apt/sources.list.d/ceph.sources", $repo_source);
+        if ($repo ne "manual") {
+            PVE::Tools::file_set_contents("/etc/apt/sources.list.d/ceph.sources", $repo_source);
 
-        if ($available_ceph_releases->{$cephver}->{unsupported}) {
-            if ($param->{'allow-experimental'}) {
-                warn
-                    "NOTE: installing experimental/tech-preview Ceph release ${rendered_release}!\n";
-            } elsif (-t STDOUT) {
-                print
-                    "Ceph ${rendered_release} is currently considered a technology preview for Proxmox VE - continue (y/N)? ";
-                my $answer = <STDIN>;
-                my $continue = defined($answer) && $answer =~ m/^\s*y(?:es)?\s*$/i;
+            if ($available_ceph_releases->{$cephver}->{unsupported}) {
+                if ($param->{'allow-experimental'}) {
+                    warn
+                        "NOTE: installing experimental/tech-preview Ceph release ${rendered_release}!\n";
+                } elsif (-t STDOUT) {
+                    print "Ceph ${rendered_release} is currently considered a technology"
+                        . " preview for Proxmox VE - continue (y/N)? ";
+                    my $answer = <STDIN>;
+                    my $continue = defined($answer) && $answer =~ m/^\s*y(?:es)?\s*$/i;
 
-                die "Aborting installation as requested\n" if !$continue;
-            } else {
-                die
-                    "refusing to install tech-preview Ceph release ${rendered_release} without 'allow-experimental' parameter!\n";
+                    die "Aborting installation as requested\n" if !$continue;
+                } else {
+                    die "Refusing to install tech-preview Ceph release ${rendered_release}"
+                        . " without 'allow-experimental' parameter!\n";
+                }
             }
         }
 
@@ -228,6 +239,25 @@ EOF
             );
         };
 
+        if ($repo eq "manual") {
+            my $apt_cache = AptPkg::Cache->new() || die "unable to initialize AptPkg::Cache\n";
+            my @ceph_versions = $apt_cache->{'ceph-common:amd64'}->{'VersionList'}->@*;
+            my $latest_available = $ceph_versions[0]->{'VerStr'};
+            my $selected_version =
+                PVE::Ceph::Releases::get_ceph_release_info($cephver)->{'release'};
+
+            if ($latest_available !~ "^$selected_version") {
+                die "Selected Ceph version '${selected_version}' does not match the available"
+                    . " version in the repository '${latest_available}' \n";
+            }
+
+            my $pkg_infos = $ceph_versions[0]->{'FileList'}->[0]->{'File'};
+            print "\nUsing the following manual repository:\n"
+                . "Site:\t\t $pkg_infos->{'Site'}\n"
+                . "Component:\t $pkg_infos->{'Component'}\n\n";
+
+        }
+
         my @apt_install =
             qw(apt-get --no-install-recommends -o Dpkg::Options::=--force-confnew install --);
         my @ceph_packages = qw(

PVE/ExtMetric.pm

@@ -6,9 +6,11 @@ use warnings;
 use PVE::Status::Plugin;
 use PVE::Status::Graphite;
 use PVE::Status::InfluxDB;
+use PVE::Status::OpenTelemetry;
 
 PVE::Status::Graphite->register();
 PVE::Status::InfluxDB->register();
+PVE::Status::OpenTelemetry->register();
 PVE::Status::Plugin->init();
 
 sub foreach_plug($&) {

PVE/PullMetric.pm

@@ -5,6 +5,7 @@ use warnings;
 use Proxmox::RS::SharedCache;
 use PVE::Network;
 
+# with the pvestatd 10s update intervall this covers 30 minutes of data.
 use constant OLD_GENERATIONS => 180;
 use constant LOCK_TIMEOUT => 2;
 
@@ -91,9 +92,18 @@ my sub get_node_metrics {
     push @$metrics, gauge($id, $timestamp, "uptime", $data->{uptime});
 
     my ($netin, $netout) = (0, 0);
-    for my $dev (grep { /^$PVE::Network::PHYSICAL_NIC_RE$/ } keys $data->{nics}->%*) {
-        $netin += $data->{nics}->{$dev}->{receive};
-        $netout += $data->{nics}->{$dev}->{transmit};
+
+    for my $dev (keys $data->{nics}->%*) {
+        my $nic_data = $data->{nics}->{$dev};
+
+        if ($nic_data->{type}) {
+            next if $nic_data->{type} ne 'physical';
+        } else {
+            next if $dev !~ /^$PVE::Network::PHYSICAL_NIC_RE$/;
+        }
+
+        $netin += $nic_data->{receive};
+        $netout += $nic_data->{transmit};
     }
     push @$metrics, derive($id, $timestamp, "net_in", $netin);
     push @$metrics, derive($id, $timestamp, "net_out", $netout);

PVE/Service/pvedaemon.pm

@@ -15,7 +15,7 @@ use base qw(PVE::Daemon);
 my $cmdline = [$0, @ARGV];
 
 my %daemon_options = (
-    max_workers => 3,
+    max_workers => 3, # may be overridden in init
     restart_on_error => 5,
     stop_wait_time => 15,
     leave_children_open_on_reload => 1,
@@ -26,6 +26,10 @@ my $daemon = __PACKAGE__->new('pvedaemon', $cmdline, %daemon_options);
 sub init {
     my ($self) = @_;
 
+    # all options other than MAX_WORKERS are ignored
+    my $proxyconf = PVE::APIServer::Utils::read_proxy_config($self->{name});
+    $self->{max_workers} = $proxyconf->{MAX_WORKERS} if $proxyconf->{MAX_WORKERS};
+
     my $accept_lock_fn = "/var/lock/pvedaemon.lck";
 
     my $lockfh = IO::File->new(">>${accept_lock_fn}")

PVE/Service/pveproxy.pm

@@ -29,7 +29,7 @@ use base qw(PVE::Daemon);
 my $cmdline = [$0, @ARGV];
 
 my %daemon_options = (
-    max_workers => 3,
+    max_workers => 3, # may be overridden in init
     restart_on_error => 5,
     stop_wait_time => 15,
     leave_children_open_on_reload => 1,
@@ -54,7 +54,8 @@ my $basedirs = {
     i18n => '/usr/share/pve-i18n',
     manager => '/usr/share/pve-manager',
     novnc => '/usr/share/novnc-pve',
-    sencha_touch => '/usr/share/javascript/sencha-touch',
+    yew_mobile => '/usr/share/pve-yew-mobile-gui',
+    i18n_yew => '/usr/share/pve-yew-mobile-i18n',
     widgettoolkit => '/usr/share/javascript/proxmox-widget-toolkit',
     xtermjs => '/usr/share/pve-xtermjs',
 };
@@ -64,6 +65,7 @@ sub init {
 
     # we use same ALLOW/DENY/POLICY as pveproxy
     my $proxyconf = PVE::APIServer::Utils::read_proxy_config($self->{name});
+    $self->{max_workers} = $proxyconf->{MAX_WORKERS} if $proxyconf->{MAX_WORKERS};
 
     my $accept_lock_fn = "/var/lock/pveproxy.lck";
 
@@ -86,12 +88,12 @@ sub init {
     add_dirs($dirs, '/pve2/images/' => "$basedirs->{manager}/images/");
     add_dirs($dirs, '/pve2/js/' => "$basedirs->{manager}/js/");
     add_dirs($dirs, '/pve2/locale/', "$basedirs->{i18n}/");
-    add_dirs($dirs, '/pve2/sencha-touch/', "$basedirs->{sencha_touch}/");
-    add_dirs($dirs, '/pve2/touch/', "$basedirs->{manager}/touch/");
     add_dirs($dirs, '/pwt/css/' => "$basedirs->{widgettoolkit}/css/");
     add_dirs($dirs, '/pwt/images/' => "$basedirs->{widgettoolkit}/images/");
     add_dirs($dirs, '/pwt/themes/' => "$basedirs->{widgettoolkit}/themes/");
     add_dirs($dirs, '/xtermjs/' => "$basedirs->{xtermjs}/");
+    add_dirs($dirs, '/yew-mobile/', "$basedirs->{yew_mobile}/");
+    add_dirs($dirs, '/yew-mobile/i18n/', "$basedirs->{i18n_yew}/");
 
     $self->{server_config} = {
         title => 'Proxmox VE API',
@@ -183,7 +185,7 @@ sub is_phone {
 
     return 1 if $ua =~ m/(iPhone|iPod|Windows Phone)/;
 
-    if ($ua =~ m/Mobile(\/|\s)/) {
+    if ($ua =~ m/Mobile\b/) {
         return 1 if $ua =~ m/(BlackBerry|BB)/;
         return 1 if ($ua =~ m/(Android)/) && ($ua !~ m/(Silk)/);
     }
@@ -191,9 +193,16 @@ sub is_phone {
     return 0;
 }
 
-# NOTE: Requests to those pages are not authenticated
-# so we must be very careful here
+my sub get_path_mtime {
+    my ($path) = @_;
 
+    my @stat_res = stat($path) or $!{ENOENT} or die "failed to stat '$path' - $!\n";
+    my $mtime = $stat_res[9];
+
+    return $mtime;
+}
+
+# NOTE: Requests to those pages are not authenticated so we must be very careful here
 sub get_index {
     my ($nodename, $server, $r, $args) = @_;
 
@@ -248,6 +257,13 @@ sub get_index {
     my $wtversionraw = PVE::Tools::file_read_firstline("$basedirs->{widgettoolkit}/proxmoxlib.js");
     my $wtversion = $wtversionraw =~ m|^// (.*)$| ? $1 : '';
 
+    # while we could use the actual pkg version (e.g., shipped as pkg-version file in each
+    # respective package's /usr/share/<pkg> folder, this way it should also work when using make
+    # install to directly install to local root filesystem.
+    my $i18n_js_mtime = get_path_mtime('/usr/share/pve-i18n');
+    my $i18n_yew_mtime = get_path_mtime('/usr/share/pve-yew-mobile-i18n');
+    my $ui_yew_mtime = get_path_mtime('/usr/share/pve-yew-mobile-gui');
+
     my $debug = $server->{debug};
     if (exists $args->{debug}) {
         $debug = !defined($args->{debug}) || $args->{debug};
@@ -265,6 +281,10 @@ sub get_index {
         wtversion => $wtversion,
         theme => $theme,
         consenttext => $consent_text,
+        i18n_js_mtime => $i18n_js_mtime,
+        i18n_yew_mobile_mtime => $i18n_yew_mtime,
+        yew_mobile_mtime => $ui_yew_mtime,
+        yew_mobile_base_path => '/yew-mobile',
     };
 
     # by default, load the normal index
@@ -275,7 +295,7 @@ sub get_index {
     } elsif ($xtermjs) {
         $dir = $basedirs->{xtermjs};
     } elsif ($mobile) {
-        $dir = "$basedirs->{manager}/touch";
+        $dir = "$basedirs->{yew_mobile}";
     }
 
     my $page = '';

PVE/Service/pvestatd.pm

@@ -82,6 +82,12 @@ my $cached_kvm_version = '';
 my $next_flag_update_time;
 my $failed_flag_update_delay_sec = 120;
 
+# Checks if RRD files exist in the specified location.
+my $rrd_dir_exists = sub {
+    my ($location) = @_;
+    return -d "/var/lib/rrdcached/db/${location}";
+};
+
 sub update_supported_cpuflags {
     my $kvm_version = PVE::QemuServer::kvm_user_version();
 
@@ -155,6 +161,9 @@ my sub broadcast_static_node_info {
     }
 }
 
+my ($cached_ip_links, $cached_ip_link_last_update) = (undef, 0);
+my $MAX_IP_LINK_CACHE_AGE_SECONDS = 15 * 60; # every 15 minutes
+
 sub update_node_status {
     my ($status_cfg, $pull_txn) = @_;
 
@@ -171,41 +180,94 @@ sub update_node_status {
     my $sublevel = $subinfo->{level} || '';
 
     my $netdev = PVE::ProcFSTools::read_proc_net_dev();
+
+    my $ctime = time();
+    if (
+        !defined($cached_ip_links)
+        || ($ctime - $cached_ip_link_last_update) > $MAX_IP_LINK_CACHE_AGE_SECONDS
+    ) {
+        $cached_ip_links = PVE::Network::ip_link_details();
+        $cached_ip_link_last_update = $ctime;
+    }
+
     # traffic from/to physical interface cards
     my ($netin, $netout) = (0, 0);
-    for my $dev (grep { /^$PVE::Network::PHYSICAL_NIC_RE$/ } keys %$netdev) {
+    for my $dev (keys %$netdev) {
+        my $ip_link = $cached_ip_links->{$dev};
+
+        if ($ip_link && PVE::Network::ip_link_is_physical($ip_link)) {
+            $netdev->{$dev}->{type} = 'physical';
+        } else {
+            $netdev->{$dev}->{type} = 'virtual';
+            next;
+        }
+
         $netin += $netdev->{$dev}->{receive};
         $netout += $netdev->{$dev}->{transmit};
     }
 
     my $meminfo = PVE::ProcFSTools::read_meminfo();
 
+    my $pressures = PVE::ProcFSTools::read_pressure();
+
     my $dinfo = df('/', 1); # output is bytes
     # everything not free is considered to be used
     my $dused = $dinfo->{blocks} - $dinfo->{bfree};
 
-    my $ctime = time();
+    $ctime = time(); # df can need a long time, so requery time.
 
-    my $data = $generate_rrd_string->(
-        [
-            $uptime,
-            $sublevel,
-            $ctime,
-            $avg1,
-            $maxcpu,
-            $stat->{cpu},
-            $stat->{wait},
-            $meminfo->{memtotal},
-            $meminfo->{memused},
-            $meminfo->{swaptotal},
-            $meminfo->{swapused},
-            $dinfo->{blocks},
-            $dused,
-            $netin,
-            $netout,
-        ],
-    );
-    PVE::Cluster::broadcast_rrd("pve2-node/$nodename", $data);
+    my $data;
+    # TODO: drop old pve2- schema with PVE 10
+    if ($rrd_dir_exists->("pve-node-9.0")) {
+        $data = $generate_rrd_string->(
+            [
+                $uptime,
+                $sublevel,
+                $ctime,
+                $avg1,
+                $maxcpu,
+                $stat->{cpu},
+                $stat->{wait},
+                $meminfo->{memtotal},
+                $meminfo->{memused},
+                $meminfo->{swaptotal},
+                $meminfo->{swapused},
+                $dinfo->{blocks},
+                $dused,
+                $netin,
+                $netout,
+                $meminfo->{memavailable},
+                $meminfo->{arcsize},
+                $pressures->{cpu}->{some}->{avg10},
+                $pressures->{io}->{some}->{avg10},
+                $pressures->{io}->{full}->{avg10},
+                $pressures->{memory}->{some}->{avg10},
+                $pressures->{memory}->{full}->{avg10},
+            ],
+        );
+        PVE::Cluster::broadcast_rrd("pve-node-9.0/$nodename", $data);
+    } else {
+        $data = $generate_rrd_string->(
+            [
+                $uptime,
+                $sublevel,
+                $ctime,
+                $avg1,
+                $maxcpu,
+                $stat->{cpu},
+                $stat->{wait},
+                $meminfo->{memtotal},
+                $meminfo->{memused},
+                $meminfo->{swaptotal},
+                $meminfo->{swapused},
+                $dinfo->{blocks},
+                $dused,
+                $netin,
+                $netout,
+            ],
+        );
+        PVE::Cluster::broadcast_rrd("pve2-node/$nodename", $data);
+    }
 
     my $node_metric = {
         uptime => $uptime,
@@ -273,44 +335,101 @@ sub update_qemu_status {
         my $data;
         my $status = $d->{qmpstatus} || $d->{status} || 'stopped';
         my $template = $d->{template} ? $d->{template} : "0";
-        if ($d->{pid}) { # running
-            $data = $generate_rrd_string->([
-                $d->{uptime},
-                $d->{name},
-                $status,
-                $template,
-                $ctime,
-                $d->{cpus},
-                $d->{cpu},
-                $d->{maxmem},
-                $d->{mem},
-                $d->{maxdisk},
-                $d->{disk},
-                $d->{netin},
-                $d->{netout},
-                $d->{diskread},
-                $d->{diskwrite},
-            ]);
+
+        # TODO: drop old pve2.3- schema with PVE 10
+        if ($rrd_dir_exists->("pve-vm-9.0")) {
+            if ($d->{pid}) { # running
+                $data = $generate_rrd_string->([
+                    $d->{uptime},
+                    $d->{name},
+                    $status,
+                    $template,
+                    $ctime,
+                    $d->{cpus},
+                    $d->{cpu},
+                    $d->{maxmem},
+                    $d->{mem},
+                    $d->{maxdisk},
+                    $d->{disk},
+                    $d->{netin},
+                    $d->{netout},
+                    $d->{diskread},
+                    $d->{diskwrite},
+                    $d->{memhost},
+                    $d->{pressurecpusome},
+                    $d->{pressurecpufull},
+                    $d->{pressureiosome},
+                    $d->{pressureiofull},
+                    $d->{pressurememorysome},
+                    $d->{pressurememoryfull},
+                ]);
+            } else {
+                $data = $generate_rrd_string->([
+                    0,
+                    $d->{name},
+                    $status,
+                    $template,
+                    $ctime,
+                    $d->{cpus},
+                    undef,
+                    $d->{maxmem},
+                    undef,
+                    $d->{maxdisk},
+                    $d->{disk},
+                    undef,
+                    undef,
+                    undef,
+                    undef,
+                    undef,
+                    undef,
+                    undef,
+                    undef,
+                    undef,
+                    undef,
+                    undef,
+                ]);
+            }
+            PVE::Cluster::broadcast_rrd("pve-vm-9.0/$vmid", $data);
         } else {
-            $data = $generate_rrd_string->([
-                0,
-                $d->{name},
-                $status,
-                $template,
-                $ctime,
-                $d->{cpus},
-                undef,
-                $d->{maxmem},
-                undef,
-                $d->{maxdisk},
-                $d->{disk},
-                undef,
-                undef,
-                undef,
-                undef,
-            ]);
+            if ($d->{pid}) { # running
+                $data = $generate_rrd_string->([
+                    $d->{uptime},
+                    $d->{name},
+                    $status,
+                    $template,
+                    $ctime,
+                    $d->{cpus},
+                    $d->{cpu},
+                    $d->{maxmem},
+                    $d->{mem},
+                    $d->{maxdisk},
+                    $d->{disk},
+                    $d->{netin},
+                    $d->{netout},
+                    $d->{diskread},
+                    $d->{diskwrite},
+                ]);
+            } else {
+                $data = $generate_rrd_string->([
+                    0,
+                    $d->{name},
+                    $status,
+                    $template,
+                    $ctime,
+                    $d->{cpus},
+                    undef,
+                    $d->{maxmem},
+                    undef,
+                    $d->{maxdisk},
+                    $d->{disk},
+                    undef,
+                    undef,
+                    undef,
+                    undef,
+                ]);
+            }
+            PVE::Cluster::broadcast_rrd("pve2.3-vm/$vmid", $data);
         }
-        PVE::Cluster::broadcast_rrd("pve2.3-vm/$vmid", $data);
 
         PVE::ExtMetric::update_all($transactions, 'qemu', $vmid, $d, $ctime, $nodename);
     }
@@ -506,44 +625,100 @@ sub update_lxc_status {
         my $d = $vmstatus->{$vmid};
         my $template = $d->{template} ? $d->{template} : "0";
         my $data;
-        if ($d->{status} eq 'running') { # running
-            $data = $generate_rrd_string->([
-                $d->{uptime},
-                $d->{name},
-                $d->{status},
-                $template,
-                $ctime,
-                $d->{cpus},
-                $d->{cpu},
-                $d->{maxmem},
-                $d->{mem},
-                $d->{maxdisk},
-                $d->{disk},
-                $d->{netin},
-                $d->{netout},
-                $d->{diskread},
-                $d->{diskwrite},
-            ]);
+        # TODO: drop old pve2.3-vm schema with PVE 10
+        if ($rrd_dir_exists->("pve-vm-9.0")) {
+            if ($d->{pid}) { # running
+                $data = $generate_rrd_string->([
+                    $d->{uptime},
+                    $d->{name},
+                    $d->{status},
+                    $template,
+                    $ctime,
+                    $d->{cpus},
+                    $d->{cpu},
+                    $d->{maxmem},
+                    $d->{mem},
+                    $d->{maxdisk},
+                    $d->{disk},
+                    $d->{netin},
+                    $d->{netout},
+                    $d->{diskread},
+                    $d->{diskwrite},
+                    undef,
+                    $d->{pressurecpusome},
+                    $d->{pressurecpufull},
+                    $d->{pressureiosome},
+                    $d->{pressureiofull},
+                    $d->{pressurememorysome},
+                    $d->{pressurememoryfull},
+                ]);
+            } else {
+                $data = $generate_rrd_string->([
+                    0,
+                    $d->{name},
+                    $d->{status},
+                    $template,
+                    $ctime,
+                    $d->{cpus},
+                    undef,
+                    $d->{maxmem},
+                    undef,
+                    $d->{maxdisk},
+                    $d->{disk},
+                    undef,
+                    undef,
+                    undef,
+                    undef,
+                    undef,
+                    undef,
+                    undef,
+                    undef,
+                    undef,
+                    undef,
+                    undef,
+                ]);
+            }
+            PVE::Cluster::broadcast_rrd("pve-vm-9.0/$vmid", $data);
         } else {
-            $data = $generate_rrd_string->([
-                0,
-                $d->{name},
-                $d->{status},
-                $template,
-                $ctime,
-                $d->{cpus},
-                undef,
-                $d->{maxmem},
-                undef,
-                $d->{maxdisk},
-                $d->{disk},
-                undef,
-                undef,
-                undef,
-                undef,
-            ]);
+            if ($d->{status} eq 'running') { # running
+                $data = $generate_rrd_string->([
+                    $d->{uptime},
+                    $d->{name},
+                    $d->{status},
+                    $template,
+                    $ctime,
+                    $d->{cpus},
+                    $d->{cpu},
+                    $d->{maxmem},
+                    $d->{mem},
+                    $d->{maxdisk},
+                    $d->{disk},
+                    $d->{netin},
+                    $d->{netout},
+                    $d->{diskread},
+                    $d->{diskwrite},
+                ]);
+            } else {
+                $data = $generate_rrd_string->([
+                    0,
+                    $d->{name},
+                    $d->{status},
+                    $template,
+                    $ctime,
+                    $d->{cpus},
+                    undef,
+                    $d->{maxmem},
+                    undef,
+                    $d->{maxdisk},
+                    $d->{disk},
+                    undef,
+                    undef,
+                    undef,
+                    undef,
+                ]);
+            }
+            PVE::Cluster::broadcast_rrd("pve2.3-vm/$vmid", $data);
         }
-        PVE::Cluster::broadcast_rrd("pve2.3-vm/$vmid", $data);
 
         PVE::ExtMetric::update_all($transactions, 'lxc', $vmid, $d, $ctime, $nodename);
     }
@@ -568,6 +743,7 @@ sub update_storage_status {
         my $data = $generate_rrd_string->([$ctime, $d->{total}, $d->{used}]);
 
         my $key = "pve2-storage/${nodename}/$storeid";
+        $key = "pve-storage-9.0/${nodename}/$storeid" if $rrd_dir_exists->("pve-storage-9.0");
         PVE::Cluster::broadcast_rrd($key, $data);
 
         PVE::ExtMetric::update_all($transactions, 'storage', $nodename, $storeid, $d, $ctime);
@@ -601,7 +777,10 @@ sub update_sdn_status {
 
 my $broadcast_version_info_done = 0;
 my sub broadcast_version_info : prototype() {
-    if (!$broadcast_version_info_done) {
+    if (
+        !$broadcast_version_info_done
+        || !scalar(keys PVE::Cluster::get_node_kv('version-info', $nodename)->%*)
+    ) {
         PVE::Cluster::broadcast_node_kv(
             'version-info', encode_json(PVE::pvecfg::version_info()),
         );

PVE/Status/InfluxDB.pm

@@ -6,6 +6,7 @@ use warnings;
 use POSIX qw(isnan isinf);
 use Scalar::Util 'looks_like_number';
 use IO::Socket::IP;
+use IO::Socket::SSL qw(SSL_VERIFY_NONE);
 use LWP::UserAgent;
 use HTTP::Request;
 
@@ -92,7 +93,7 @@ my $set_ssl_opts = sub {
     if (!$cert_verify) {
         $ua->ssl_opts(
             verify_hostname => 0,
-            SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE,
+            SSL_verify_mode => SSL_VERIFY_NONE,
         );
     }
 

PVE/Status/Makefile

@@ -3,6 +3,7 @@ include ../../defines.mk
 PERLSOURCE = 			\
 	Graphite.pm		\
 	InfluxDB.pm		\
+	OpenTelemetry.pm	\
 	Plugin.pm
 
 all:

PVE/Status/OpenTelemetry.pm

@@ -0,0 +1,712 @@
+package PVE::Status::OpenTelemetry;
+
+use strict;
+use warnings;
+
+use Compress::Zlib;
+use Encode;
+use HTTP::Request;
+use JSON;
+use LWP::UserAgent;
+use MIME::Base64 qw(decode_base64);
+
+use PVE::Cluster;
+use PVE::Status::Plugin;
+use PVE::Tools qw(extract_param);
+
+use base qw(PVE::Status::Plugin);
+
+sub type {
+    return 'opentelemetry';
+}
+
+sub properties {
+    return {
+        'otel-protocol' => {
+            type => 'string',
+            enum => ['http', 'https'],
+            description => 'HTTP protocol',
+            default => 'https',
+        },
+        'otel-path' => {
+            type => 'string',
+            description => 'OTLP endpoint path',
+            default => '/v1/metrics',
+            optional => 1,
+        },
+        'otel-timeout' => {
+            type => 'integer',
+            description => 'HTTP request timeout in seconds',
+            default => 5,
+            minimum => 1,
+            maximum => 10,
+        },
+        'otel-headers' => {
+            type => 'string',
+            description => 'Custom HTTP headers (JSON format, base64 encoded)',
+            optional => 1,
+            maxLength => 1024,
+        },
+        'otel-verify-ssl' => {
+            type => 'boolean',
+            description => 'Verify SSL certificates',
+            default => 1,
+        },
+        'otel-max-body-size' => {
+            type => 'integer',
+            description => 'Maximum request body size in bytes',
+            default => 10_000_000,
+            minimum => 1024,
+        },
+        'otel-resource-attributes' => {
+            type => 'string',
+            description => 'Additional resource attributes as JSON, base64 encoded',
+            optional => 1,
+            maxLength => 1024,
+        },
+        'otel-compression' => {
+            type => 'string',
+            enum => ['none', 'gzip'],
+            description => 'Compression algorithm for requests',
+            default => 'gzip',
+            optional => 1,
+        },
+    };
+}
+
+sub options {
+    return {
+        server => { optional => 0 },
+        port => { optional => 1 },
+        disable => { optional => 1 },
+        'otel-protocol' => { optional => 1 },
+        'otel-path' => { optional => 1 },
+        'otel-timeout' => { optional => 1 },
+        'otel-headers' => { optional => 1 },
+        'otel-verify-ssl' => { optional => 1 },
+        'otel-max-body-size' => { optional => 1 },
+        'otel-resource-attributes' => { optional => 1 },
+        'otel-compression' => { optional => 1 },
+    };
+}
+
+sub _connect {
+    my ($class, $cfg, $id) = @_;
+
+    my $connection = {
+        id => $id,
+        cfg => $cfg,
+        metrics => [],
+        stats => {
+            total_metrics => 0,
+            successful_batches => 0,
+            failed_batches => 0,
+        },
+    };
+
+    return $connection;
+}
+
+sub _disconnect {
+    my ($class, $connection) = @_;
+    # No persistent connection to cleanup
+}
+
+sub _get_otlp_url {
+    my ($class, $cfg) = @_;
+    my $proto = $cfg->{'otel-protocol'} || 'https';
+    my $port = $cfg->{port} || ($proto eq 'https' ? 4318 : 4317);
+    my $path = $cfg->{'otel-path'} || '/v1/metrics';
+
+    return "${proto}://$cfg->{server}:${port}${path}";
+}
+
+sub _decode_base64_json {
+    my ($class, $encoded_str) = @_;
+    return '' unless defined $encoded_str && $encoded_str ne '';
+
+    my $decoded_str = decode_base64($encoded_str);
+    die "base64 decode failed" if !defined $decoded_str;
+
+    return $decoded_str;
+}
+
+sub _parse_headers {
+    my ($class, $headers_str) = @_;
+    return {} unless defined $headers_str && $headers_str ne '';
+
+    my $decoded_str = $class->_decode_base64_json($headers_str);
+
+    my $headers = {};
+    eval {
+        my $json = JSON->new->decode($decoded_str);
+        die "headers must be a JSON hash" if ref($json) ne 'HASH';
+        $headers = $json;
+    };
+    if ($@) {
+        warn "Failed to parse headers '$headers_str' - $@";
+    }
+    return $headers;
+}
+
+sub _parse_resource_attributes {
+    my ($class, $json_str) = @_;
+    return [] unless defined $json_str && $json_str ne '';
+
+    my $decoded_str = $class->_decode_base64_json($json_str);
+
+    my $attributes = [];
+    eval {
+        # Ensure the JSON string is properly decoded as UTF-8
+        my $utf8_json =
+            utf8::is_utf8($decoded_str)
+            ? $decoded_str
+            : Encode::decode('utf-8', $decoded_str);
+        my $parsed = JSON->new->utf8(0)->decode($utf8_json);
+        die "resource attributes must be a JSON hash" if ref($parsed) ne 'HASH';
+        for my $key (keys %$parsed) {
+            push @$attributes,
+                {
+                    key => $key,
+                    value => { stringValue => $parsed->{$key} },
+                };
+        }
+    };
+    if ($@) {
+        warn "Failed to parse resource attributes '$json_str' - $@";
+    }
+    return $attributes;
+}
+
+sub _compress_json {
+    my ($class, $data) = @_;
+
+    my $json_str = JSON->new->utf8->encode($data);
+    my $compressed = Compress::Zlib::memGzip($json_str);
+
+    die "gzip compression failed: $Compress::Zlib::gzerrno" if !defined $compressed;
+
+    return $compressed;
+}
+
+sub _build_otlp_metrics {
+    my ($class, $metrics_data, $cfg) = @_;
+
+    my $cluster_name = 'single-node';
+    eval {
+        my $clinfo = PVE::Cluster::get_clinfo();
+        if ($clinfo && $clinfo->{cluster} && $clinfo->{cluster}->{name}) {
+            $cluster_name = $clinfo->{cluster}->{name};
+        }
+    };
+    # If reading fails, use default cluster name
+
+    my $node_name = PVE::INotify::nodename();
+    my $pve_version = PVE::pvecfg::version_text();
+
+    return {
+        resourceMetrics => [{
+            resource => {
+                attributes => [
+                    {
+                        key => 'service.name',
+                        value => { stringValue => 'proxmox-ve' },
+                    },
+                    {
+                        key => 'service.version',
+                        value => { stringValue => $pve_version },
+                    },
+                    {
+                        key => 'proxmox.cluster',
+                        value => { stringValue => $cluster_name },
+                    },
+                    {
+                        key => 'proxmox.node',
+                        value => { stringValue => $node_name },
+                    },
+                    @{ $class->_parse_resource_attributes($cfg->{'otel-resource-attributes'}) },
+                ],
+            },
+            scopeMetrics => [{
+                scope => {},
+                metrics => $metrics_data,
+            }],
+        }],
+    };
+}
+
+# Classify metric type (counter vs gauge) and determine suffix
+sub _classify_metric_type {
+    my ($class, $key, $metric_prefix) = @_;
+
+    # Counter type (cumulative values) - need _total suffix
+    if (
+        $key =~ /^(transmit|receive|netin|netout|diskread|diskwrite)$/
+        || $key =~ /_operations$/
+        || $key =~ /_merged$/
+        || $key =~ /^(rd_|wr_|read|write|sent|recv|tx|rx|packets|errors|dropped|collisions)/
+        || ($metric_prefix =~ /_cpustat$/
+            && $key =~ /^(user|system|idle|nice|steal|guest|irq|softirq|iowait|wait)$/)
+        || $metric_prefix =~ /_network$/
+    ) {
+        return ('counter', '_total');
+    }
+
+    # Gauge type (instantaneous values) - no suffix
+    return ('gauge', '');
+}
+
+sub _convert_node_metrics_recursive {
+    my ($class, $data, $ctime, $metric_prefix, $attributes) = @_;
+
+    my @metrics = ();
+
+    # Skip non-metric fields
+    my $skip_fields = {
+        name => 1,
+        tags => 1,
+        vmid => 1,
+        type => 1,
+        status => 1,
+        template => 1,
+        pid => 1,
+        agent => 1,
+        serial => 1,
+        ctime => 1,
+        nics => 1, # Skip nics - handled separately with device labels
+        storages => 1, # Skip storages - handled separately with storage labels
+    };
+
+    # Unit mapping for common metrics
+    my $unit_mapping = {
+        # Memory and storage (bytes)
+        mem => 'bytes',
+        memory => 'bytes',
+        swap => 'bytes',
+        disk => 'bytes',
+        size => 'bytes',
+        used => 'bytes',
+        free => 'bytes',
+        total => 'bytes',
+        avail => 'bytes',
+        available => 'bytes',
+        arcsize => 'bytes',
+        blocks => 'bytes',
+        bavail => 'bytes',
+        bfree => 'bytes',
+
+        # Network (bytes)
+        net => 'bytes',
+        receive => 'bytes',
+        transmit => 'bytes',
+        netin => 'bytes',
+        netout => 'bytes',
+        diskread => 'bytes',
+        diskwrite => 'bytes',
+
+        # CPU and time
+        cpu => 'percent',
+        wait => 'seconds',
+        iowait => 'seconds',
+        user => 'seconds',
+        system => 'seconds',
+        idle => 'seconds',
+        nice => 'seconds',
+        steal => 'seconds',
+        guest => 'seconds',
+        irq => 'seconds',
+        softirq => 'seconds',
+        uptime => 'seconds',
+
+        # Time measurements (nanoseconds)
+        time_ns => 'seconds',
+        total_time_ns => 'seconds',
+
+        # Load average (dimensionless)
+        avg => '1',
+        avg1 => '1',
+        avg5 => '1',
+        avg15 => '1',
+
+        # Counters and ratios (dimensionless)
+        cpus => '1',
+        operations => '1',
+        merged => '1',
+        ratio => '1',
+        count => '1',
+
+        # File system (files are counted, not sized)
+        files => '1',
+        ffree => '1',
+        fused => '1',
+        favail => '1',
+
+        # Percentages (dimensionless 0-100 scale)
+        per => 'percent',
+        fper => 'percent',
+        percent => 'percent',
+
+        # Boolean-like flags (dimensionless)
+        enabled => '1',
+        shared => '1',
+        active => '1',
+    };
+
+    for my $key (sort keys %$data) {
+        next if $skip_fields->{$key};
+        my $value = $data->{$key};
+        next if !defined($value);
+
+        # Classify metric type and get suffix
+        my ($metric_type, $suffix) = $class->_classify_metric_type($key, $metric_prefix);
+        my $metric_name = "${metric_prefix}_${key}${suffix}";
+
+        if (ref($value) eq 'HASH') {
+            # Recursive call for nested hashes
+            push @metrics,
+                $class->_convert_node_metrics_recursive(
+                    $value, $ctime, "${metric_prefix}_${key}", $attributes,
+                );
+        } elsif (
+            !ref($value)
+            && $value ne ''
+            && $value =~ /^[+-]?[0-9]*\.?[0-9]+([eE][+-]?[0-9]+)?$/
+        ) {
+            # Numeric value - create metric
+            my $unit = '1'; # default unit
+
+            # Try to determine unit based on key name
+            for my $pattern (keys %$unit_mapping) {
+                if ($key =~ /\Q$pattern\E/) {
+                    $unit = $unit_mapping->{$pattern};
+                    last;
+                }
+            }
+
+            # Determine if it's an integer or double
+            my $data_point = {
+                timeUnixNano => $ctime * 1_000_000_000,
+                attributes => $attributes,
+            };
+
+            if ($value =~ /\./ || $value =~ /[eE]/) {
+                $data_point->{asDouble} = $value + 0; # Convert to number
+            } else {
+                $data_point->{asInt} = int($value);
+            }
+
+            # Create metric with appropriate type
+            my $metric = {
+                name => $metric_name,
+                unit => $unit,
+            };
+
+            if ($metric_type eq 'counter') {
+                $metric->{sum} = {
+                    dataPoints => [$data_point],
+                    aggregationTemporality => 2, # AGGREGATION_TEMPORALITY_CUMULATIVE
+                    isMonotonic => \1 # JSON boolean true
+                };
+            } else {
+                $metric->{gauge} = { dataPoints => [$data_point] };
+            }
+
+            push @metrics, $metric;
+        }
+    }
+
+    return @metrics;
+}
+
+sub update_node_status {
+    my ($class, $txn, $node, $data, $ctime) = @_;
+
+    my @metrics = ();
+    my $base_attributes = [{ key => 'node', value => { stringValue => $node } }];
+
+    # Convert all node metrics recursively
+    push @metrics,
+        $class->_convert_node_metrics_recursive($data, $ctime, 'proxmox_node', $base_attributes);
+
+    # Handle special cases that need different attributes
+    # Network metrics with device labels
+    if (defined $data->{nics}) {
+        for my $iface (keys %{ $data->{nics} }) {
+            my $nic_attributes = [
+                { key => 'node', value => { stringValue => $node } },
+                { key => 'device', value => { stringValue => $iface } },
+            ];
+
+            # Use recursive processing for network metrics with device-specific attributes
+            push @metrics,
+                $class->_convert_node_metrics_recursive(
+                    $data->{nics}->{$iface},
+                    $ctime,
+                    'proxmox_node_network',
+                    $nic_attributes,
+                );
+        }
+    }
+
+    # Storage metrics with storage labels
+    if (defined $data->{storages}) {
+        for my $storage (keys %{ $data->{storages} }) {
+            my $storage_attributes = [
+                { key => 'node', value => { stringValue => $node } },
+                { key => 'storage', value => { stringValue => $storage } },
+            ];
+
+            # Use recursive processing for storage metrics with storage-specific attributes
+            push @metrics,
+                $class->_convert_node_metrics_recursive(
+                    $data->{storages}->{$storage},
+                    $ctime,
+                    'proxmox_node_storage',
+                    $storage_attributes,
+                );
+        }
+    }
+
+    push @{ $txn->{metrics} }, @metrics;
+}
+
+sub update_qemu_status {
+    my ($class, $txn, $vmid, $data, $ctime, $nodename) = @_;
+
+    my @metrics = ();
+    my $vm_attributes = [
+        { key => 'vmid', value => { stringValue => $vmid } },
+        { key => 'node', value => { stringValue => $nodename } },
+        { key => 'name', value => { stringValue => $data->{name} || '' } },
+        { key => 'type', value => { stringValue => 'qemu' } },
+    ];
+
+    # Use recursive processing for all VM metrics
+    push @metrics,
+        $class->_convert_node_metrics_recursive($data, $ctime, 'proxmox_vm', $vm_attributes);
+
+    push @{ $txn->{metrics} }, @metrics;
+}
+
+sub update_lxc_status {
+    my ($class, $txn, $vmid, $data, $ctime, $nodename) = @_;
+
+    my @metrics = ();
+    my $vm_attributes = [
+        { key => 'vmid', value => { stringValue => $vmid } },
+        { key => 'node', value => { stringValue => $nodename } },
+        { key => 'name', value => { stringValue => $data->{name} || '' } },
+        { key => 'type', value => { stringValue => 'lxc' } },
+    ];
+
+    # Use recursive processing for all LXC metrics
+    push @metrics,
+        $class->_convert_node_metrics_recursive($data, $ctime, 'proxmox_vm', $vm_attributes);
+
+    push @{ $txn->{metrics} }, @metrics;
+}
+
+sub update_storage_status {
+    my ($class, $txn, $nodename, $storeid, $data, $ctime) = @_;
+
+    my @metrics = ();
+    my $storage_attributes = [
+        { key => 'node', value => { stringValue => $nodename } },
+        { key => 'storage', value => { stringValue => $storeid } },
+    ];
+
+    # Use recursive processing for all storage metrics
+    push @metrics,
+        $class->_convert_node_metrics_recursive(
+            $data, $ctime, 'proxmox_storage', $storage_attributes,
+        );
+
+    push @{ $txn->{metrics} }, @metrics;
+}
+
+sub flush_data {
+    my ($class, $txn) = @_;
+
+    return if !$txn->{connection};
+    return if !$txn->{metrics} || !@{ $txn->{metrics} };
+
+    my $metrics = delete $txn->{metrics};
+    $txn->{metrics} = [];
+
+    eval {
+        $class->_send_metrics_batched($txn->{connection}, $metrics, $txn->{cfg});
+        $txn->{stats}->{successful_batches}++;
+    };
+
+    if (my $err = $@) {
+        $txn->{stats}->{failed_batches}++;
+        die "OpenTelemetry export failed '$txn->{id}': $err";
+    }
+}
+
+sub _send_metrics_batched {
+    my ($class, $connection, $metrics, $cfg) = @_;
+
+    my $max_body_size = $cfg->{'otel-max-body-size'} || 10_000_000;
+    my $total_metrics = @$metrics;
+
+    # Estimate metrics per batch based on size heuristics
+    my $estimated_batch_size = $class->_estimate_batch_size($metrics, $max_body_size, $cfg);
+
+    # If estimated batch size covers all metrics, try sending everything at once
+    if ($estimated_batch_size >= $total_metrics) {
+        my $otlp_data = $class->_build_otlp_metrics($metrics, $cfg);
+        my $serialized_size = $class->_get_serialized_size($otlp_data, $cfg);
+
+        if ($serialized_size <= $max_body_size) {
+            $class->send($connection, $otlp_data, $cfg);
+            return;
+        }
+        # If estimation was wrong, fall through to batching
+    }
+
+    # Send in batches
+    for (my $i = 0; $i < $total_metrics; $i += $estimated_batch_size) {
+        my $end_idx = $i + $estimated_batch_size - 1;
+        $end_idx = $total_metrics - 1 if $end_idx >= $total_metrics;
+
+        my @batch_metrics = @$metrics[$i .. $end_idx];
+        my $batch_otlp = $class->_build_otlp_metrics(\@batch_metrics, $cfg);
+
+        # Verify batch size is within limits
+        my $batch_size_bytes = $class->_get_serialized_size($batch_otlp, $cfg);
+        if ($batch_size_bytes > $max_body_size) {
+            # Fallback: send metrics one by one
+            for my $single_metric (@batch_metrics) {
+                my $single_otlp = $class->_build_otlp_metrics([$single_metric], $cfg);
+                $class->send($connection, $single_otlp, $cfg);
+            }
+        } else {
+            $class->send($connection, $batch_otlp, $cfg);
+        }
+    }
+}
+
+sub _estimate_batch_size {
+    my ($class, $metrics, $max_body_size, $cfg) = @_;
+
+    return 1 if @$metrics == 0;
+
+    # Sample first few metrics to estimate size per metric
+    my $sample_size = @$metrics > 10 ? 10 : @$metrics;
+    my @sample_metrics = @$metrics[0 .. $sample_size - 1];
+
+    my $sample_otlp = $class->_build_otlp_metrics(\@sample_metrics, $cfg);
+    my $sample_bytes = $class->_get_serialized_size($sample_otlp, $cfg);
+
+    # Calculate average bytes per metric with overhead
+    my $bytes_per_metric = $sample_bytes / $sample_size;
+
+    # Add 20% safety margin for OTLP structure overhead
+    $bytes_per_metric *= 1.2;
+
+    # Calculate how many metrics fit in max_body_size
+    my $estimated_count = int($max_body_size / $bytes_per_metric);
+
+    # Ensure at least 1 metric per batch, and cap at total metrics
+    $estimated_count = 1 if $estimated_count < 1;
+    $estimated_count = @$metrics if $estimated_count > @$metrics;
+
+    return $estimated_count;
+}
+
+sub _get_serialized_size {
+    my ($class, $data, $cfg) = @_;
+
+    my $serialized;
+    if (($cfg->{'otel-compression'} // 'gzip') eq 'gzip') {
+        $serialized = $class->_compress_json($data);
+    } else {
+        $serialized = JSON->new->utf8->encode($data);
+    }
+
+    return length($serialized);
+}
+
+sub send {
+    my ($class, $connection, $data, $cfg) = @_;
+
+    my $ua = LWP::UserAgent->new(
+        timeout => $cfg->{'otel-timeout'} || 5,
+        ssl_opts => { verify_hostname => $cfg->{'otel-verify-ssl'} // 1 },
+    );
+
+    my $url = $class->_get_otlp_url($cfg);
+
+    my $request_data;
+    my %headers = (
+        'Content-Type' => 'application/json',
+    );
+
+    # Safely add parsed headers
+    my $parsed_headers = $class->_parse_headers($cfg->{'otel-headers'});
+    if ($parsed_headers && ref($parsed_headers) eq 'HASH') {
+        %headers = (%headers, %$parsed_headers);
+    }
+
+    if (($cfg->{'otel-compression'} // 'gzip') eq 'gzip') {
+        $request_data = $class->_compress_json($data);
+        $headers{'Content-Encoding'} = 'gzip';
+    } else {
+        $request_data = JSON->new->utf8->encode($data);
+    }
+
+    my $req = HTTP::Request->new('POST', $url, [%headers], $request_data);
+
+    my $response = $ua->request($req);
+    die "OTLP request failed: " . $response->status_line unless $response->is_success;
+}
+
+sub test_connection {
+    my ($class, $cfg) = @_;
+
+    my $ua = LWP::UserAgent->new(
+        timeout => $cfg->{'otel-timeout'} || 5,
+        ssl_opts => { verify_hostname => $cfg->{'otel-verify-ssl'} // 1 },
+    );
+
+    my $url = $class->_get_otlp_url($cfg);
+
+    # Send empty metrics payload for testing
+    my $test_data = {
+        resourceMetrics => [{
+            resource => { attributes => [] },
+            scopeMetrics => [{
+                scope => {},
+                metrics => [],
+            }],
+        }],
+    };
+
+    my $request_data;
+    my %headers = (
+        'Content-Type' => 'application/json',
+    );
+
+    # Safely add parsed headers
+    my $parsed_headers = $class->_parse_headers($cfg->{'otel-headers'});
+    if ($parsed_headers && ref($parsed_headers) eq 'HASH') {
+        %headers = (%headers, %$parsed_headers);
+    }
+
+    if (($cfg->{'otel-compression'} // 'gzip') eq 'gzip') {
+        $request_data = $class->_compress_json($test_data);
+        $headers{'Content-Encoding'} = 'gzip';
+    } else {
+        $request_data = JSON->new->utf8->encode($test_data);
+    }
+
+    my $req = HTTP::Request->new('POST', $url, [%headers], $request_data);
+
+    my $response = $ua->request($req);
+    die "Connection test failed: " . $response->status_line unless $response->is_success;
+
+    return 1;
+}
+
+1;

PVE/VZDump.pm

@@ -177,28 +177,16 @@ my sub merge_performance {
     return $res;
 }
 
-my $parse_prune_backups_maxfiles = sub {
+my $parse_prune_backups = sub {
     my ($param, $kind) = @_;
 
-    my $maxfiles = delete $param->{maxfiles};
     my $prune_backups = $param->{'prune-backups'};
 
-    debugmsg(
-        'warn',
-        "both 'maxfiles' and 'prune-backups' defined as ${kind} - ignoring 'maxfiles'",
-    ) if defined($maxfiles) && defined($prune_backups);
-
     if (defined($prune_backups)) {
         return $prune_backups if ref($prune_backups) eq 'HASH'; # already parsed
         $param->{'prune-backups'} = PVE::JSONSchema::parse_property_string(
             'prune-backups', $prune_backups,
         );
-    } elsif (defined($maxfiles)) {
-        if ($maxfiles) {
-            $param->{'prune-backups'} = { 'keep-last' => $maxfiles };
-        } else {
-            $param->{'prune-backups'} = { 'keep-all' => 1 };
-        }
     }
 
     return $param->{'prune-backups'};
@@ -335,7 +323,7 @@ sub read_vzdump_defaults {
             defined($default) ? ($_ => $default) : ()
         } keys $fleecing_fmt->%*
     };
-    $parse_prune_backups_maxfiles->($defaults, "defaults in VZDump schema");
+    $parse_prune_backups->($defaults, "defaults in VZDump schema");
 
     my $raw;
     eval { $raw = PVE::Tools::file_get_contents($fn); };
@@ -360,7 +348,7 @@ sub read_vzdump_defaults {
         my @mailto = split_list($res->{mailto});
         $res->{mailto} = [@mailto];
     }
-    $parse_prune_backups_maxfiles->($res, "options in '$fn'");
+    $parse_prune_backups->($res, "options in '$fn'");
     parse_fleecing($res);
     parse_performance($res);
 
@@ -1548,10 +1536,7 @@ sub verify_vzdump_parameters {
     raise_param_exc({ pool => "option conflicts with option 'vmid'" })
         if $param->{pool} && $param->{vmid};
 
-    raise_param_exc({ 'prune-backups' => "option conflicts with option 'maxfiles'" })
-        if defined($param->{'prune-backups'}) && defined($param->{maxfiles});
-
-    $parse_prune_backups_maxfiles->($param, 'CLI parameters');
+    $parse_prune_backups->($param, 'CLI parameters');
     parse_fleecing($param);
     parse_performance($param);
 

aplinfo/Makefile

@@ -20,7 +20,9 @@ update:
 	mv aplinfo.dat.tmp aplinfo.dat
 
 trustedkeys.gpg: $(TRUSTED_KEYS)
-	sq keyring merge --output $@.tmp $(TRUSTED_KEYS)
+	sq keyring merge --output $(basename $@).asc.tmp $(TRUSTED_KEYS)
+	sq packet dearmor $(basename $@).asc.tmp --output $@.tmp
+	rm $(basename $@).asc.tmp
 	mv $@.tmp $@
 
 .PHONY: clean

aplinfo/aplinfo.dat

@@ -4,6 +4,19 @@ Description: News displayed on the admin interface
   For more information please visit our homepage at
   <a href='https://www.proxmox.com' target='_blank'>www.proxmox.com</a>
 
+Package: almalinux-10-default
+Version: 20250930
+Type: lxc
+OS: almalinux
+Section: system
+Maintainer: Proxmox Support Team <support@proxmox.com>
+Architecture: amd64
+Location: system/almalinux-10-default_20250930_amd64.tar.xz
+md5sum: 15112c6ccd019b93fb5ab9d91f3f92fc
+sha512sum: ba26baea9b73188f1ec308f27a3c3e4efcd7fc8bfca976dc2dfffc89c5681df4ac3a96e136f841d769a8b6a04c6cf0db97ffef70def853a0c3486c90a30e3418
+Infopage: https://linuxcontainers.org
+Description: LXC default image for almalinux 10 (20250930)
+
 Package: almalinux-9-default
 Version: 20240911
 Type: lxc
@@ -44,18 +57,32 @@ Infopage: https://linuxcontainers.org
 Description: LXC default image for centos 9-stream (20240828)
 
 Package: debian-12-standard
-Version: 12.7-1
+Version: 12.12-1
 Type: lxc
 OS: debian-12
 Section: system
 Maintainer: Proxmox Support Team <support@proxmox.com>
 Architecture: amd64
-Location: system/debian-12-standard_12.7-1_amd64.tar.zst
-md5sum: 0b6959720ebd506b5ddb2fbf8780ca6c
-sha512sum: 39f6d06e082d6a418438483da4f76092ebd0370a91bad30b82ab6d0f442234d63fe27a15569895e34d6d1e5ca50319f62637f7fb96b98dbde4f6103cf05bff6d
+Location: system/debian-12-standard_12.12-1_amd64.tar.zst
+md5sum: 4e5a0a7183b6c8ca6867489820961e88
+sha512sum: 50c85eaaece677a3ebe01cc909b83872e9da2a22c29ae652838afce71e83222fdf40f6accecd7d52b180e912fc1f85ecdf7b3fc4d3027da4d865e509a9e76597
 Infopage: https://pve.proxmox.com/wiki/Linux_Container#pct_supported_distributions
 Description: Debian 12 Bookworm (standard)
- A small Debian Bullseye system including all standard packages.
+ A small Debian Bookworm system including all standard packages.
+
+Package: debian-13-standard
+Version: 13.1-2
+Type: lxc
+OS: debian-13
+Section: system
+Maintainer: Proxmox Support Team <support@proxmox.com>
+Architecture: amd64
+Location: system/debian-13-standard_13.1-2_amd64.tar.zst
+md5sum: 5ee736fbc37d2068ca6695d7686b7d62
+sha512sum: 5aec4ab2ac5c16c7c8ecb87bfeeb10213abe96db6b85e2463585cea492fc861d7c390b3f9c95629bf690b95e9dfe1037207fc69c0912429605f208d5cb2621f8
+Infopage: https://pve.proxmox.com/wiki/Linux_Container#pct_supported_distributions
+Description: Debian 13 Trixie (standard)
+ A small Debian Trixie system including all standard packages.
 
 Package: devuan-5.0-standard
 Version: 5.0
@@ -97,19 +124,6 @@ sha512sum: 50495e3c066aa4f4a8886d8eebbb30ecf662bb7bf7209677fa9edfb82ce2d00172ad2
 Infopage: https://linuxcontainers.org
 Description: LXC openrc image for gentoo current (20250508)
 
-Package: openeuler-24.03-default
-Version: 20250507
-Type: lxc
-OS: openeuler
-Section: system
-Maintainer: Proxmox Support Team <support@proxmox.com>
-Architecture: amd64
-Location: system/openeuler-24.03-default_20250507_amd64.tar.xz
-md5sum: db93408ef4ac38193ef25ffb0bfc52db
-sha512sum: e0267c22e6e9401dac8ce8a6f572c51e23131b0d6b77743385a59a63fedcac36d401e818db3d0e98bac98d020e37926aade5a17de6995015733ade97bdd605be
-Infopage: https://linuxcontainers.org
-Description: LXC default image for openeuler 24.03 (20250507)
-
 Package: openeuler-25.03-default
 Version: 20250507
 Type: lxc
@@ -150,6 +164,33 @@ Infopage: https://www.proxmox.com/en/proxmox-mail-gateway/overview
 Description: Proxmox Mail Gateway 8.2
  A full featured mail proxy for spam and virus filtering, optimized for container environment.
 
+Package: proxmox-mail-gateway-9.0-standard
+Version: 9.0-1
+Type: lxc
+OS: debian-13
+Section: mail
+Maintainer: Proxmox Support Team <support@proxmox.com>
+Architecture: amd64
+Location: mail/proxmox-mail-gateway-9.0-standard_9.0-1_amd64.tar.zst
+md5sum: 2346458e2947248b25ebbe3484086e5c
+sha512sum: 8c20d93aa5af8a94526ecedb6b1a18e45ea2dd80d48d1ca9c413fffcd93cccaf4f6767e6326d9fe12e737388a9fbe328ef16e677f7442d7da29b75c5eb9f5b01
+Infopage: https://www.proxmox.com/en/proxmox-mail-gateway/overview
+Description: Proxmox Mail Gateway 9.0
+ A full featured mail proxy for spam and virus filtering, optimized for container environment.
+
+Package: rockylinux-10-default
+Version: 20251001
+Type: lxc
+OS: rockylinux
+Section: system
+Maintainer: Proxmox Support Team <support@proxmox.com>
+Architecture: amd64
+Location: system/rockylinux-10-default_20251001_amd64.tar.xz
+md5sum: 13ef16830a3f62727b8641b041529497
+sha512sum: 025d346a9aa9b27b90c28147cece917659cb320508cf248f59c776a00fd3a7009a9e1e0812217c990398588bb11b5a38abca82c0991a161ba3f27e1c6ee190ac
+Infopage: https://linuxcontainers.org
+Description: LXC default image for rockylinux 10 (20251001)
+
 Package: rockylinux-9-default
 Version: 20240912
 Type: lxc

bin/Makefile

@@ -12,9 +12,11 @@ CLITOOLS = \
 	pvesr \
 	pvenode \
 	pvesh \
-	pve7to8 \
 	pve8to9 \
 
+LIBEXECCLITOOLS = \
+	pve-network-interface-pinning \
+
 
 SCRIPTS =  			\
 	$(SERVICES)		\
@@ -28,15 +30,19 @@ SCRIPTS =  			\
 
 HELPERS =			\
 	pve-startall-delay	\
-	pve-init-ceph-crash
+	pve-init-ceph-crash	\
+	pve-firewall-commit	\
+	pve-sdn-commit
 
 MIGRATIONS =			\
-	pve-lvm-disable-autoactivation
+	pve-lvm-disable-autoactivation		\
+	pve-rbd-storage-configure-keyring
 
 SERVICE_MANS = $(addsuffix .8, $(SERVICES))
 
 CLI_MANS = 				\
 	$(addsuffix .1, $(CLITOOLS))	\
+	$(addsuffix .1, $(LIBEXECCLITOOLS))	\
 	pveversion.1			\
 	pveupgrade.1			\
 	pveperf.1			\
@@ -45,10 +51,12 @@ CLI_MANS = 				\
 BASH_COMPLETIONS = 						\
 	$(addsuffix .service-bash-completion, $(SERVICES)) 	\
 	$(addsuffix .bash-completion, $(CLITOOLS)) 		\
+	$(addsuffix .bash-completion, $(LIBEXECCLITOOLS)) 		\
 
 ZSH_COMPLETIONS =						\
 	$(addsuffix .service-zsh-completion, $(SERVICES)) 	\
 	$(addsuffix .zsh-completion, $(CLITOOLS))		\
+	$(addsuffix .zsh-completion, $(LIBEXECCLITOOLS))		\
 
 all: $(SERVICE_MANS) $(CLI_MANS)
 
@@ -61,13 +69,23 @@ all: $(SERVICE_MANS) $(CLI_MANS)
 	podselect $* > $@.tmp
 	mv $@.tmp $@
 
-pve7to8.1:
-	printf ".TH PVE7TO8 1\n.SH NAME\npve7to8 \- Proxmox VE upgrade checker script for 7.4+ to current 8.x\n" > $@.tmp
-	printf ".SH DESCRIPTION\nThis tool will help you to detect common pitfalls and misconfguration\
-	 before, and during the upgrade of a Proxmox VE system\n" >> $@.tmp
-	printf "Any failure must be addressed before the upgrade, and any warning must be addressed, \
-	 or at least carefully evaluated, if a false-positive is suspected\n" >> $@.tmp
-	printf ".SH SYNOPSIS\npve7to8 [--full]\n" >> $@.tmp
+pve-network-interface-pinning.1:
+	printf "pve-network-interface-pinning" > $@.tmp
+	printf ".TH PVE-NETWORK-INTERFACE-PINNING 1\n.SH NAME\npve-network-interface-pinning \- Assisted interface name pinning.\n" > $@.tmp
+	printf ".SH DESCRIPTION\nThis tool helps you to configure a network interface name pinning \
+	 and adapting all relevant Proxmox VE config files.\n" >> $@.tmp
+	mv $@.tmp $@
+
+pve-network-interface-pinning.api-verified:
+	perl ${PERL_DOC_INC} -T -e "use PVE::CLI::pve_network_interface_pinning; PVE::CLI::pve_network_interface_pinning->verify_api();"
+	touch 'pve-network-interface-pinning.service-api-verified'
+
+pve-network-interface-pinning.zsh-completion:
+	perl ${PERL_DOC_INC} -T -e "use PVE::CLI::pve_network_interface_pinning; PVE::CLI::pve_network_interface_pinning->generate_zsh_completions();" >$@.tmp
+	mv $@.tmp $@
+
+pve-network-interface-pinning.bash-completion:
+	perl ${PERL_DOC_INC} -T -e "use PVE::CLI::pve_network_interface_pinning; PVE::CLI::pve_network_interface_pinning->generate_bash_completions();" >$@.tmp
 	mv $@.tmp $@
 
 pve8to9.1:
@@ -86,16 +104,18 @@ pvereport.1.pod: pvereport
 
 .PHONY: tidy
 tidy:
-	echo $(SCRIPTS) $(HELPERS) $(MIGRATIONS) | xargs -n4 -P0 proxmox-perltidy
+	echo $(SCRIPTS) $(HELPERS) $(MIGRATIONS) $(LIBEXECCLITOOLS) | xargs -n4 -P0 proxmox-perltidy
 
 .PHONY: check
-check: $(addsuffix .service-api-verified, $(SERVICES)) $(addsuffix .api-verified, $(CLITOOLS))
+check: $(addsuffix .service-api-verified, $(SERVICES)) $(addsuffix .api-verified, $(CLITOOLS)) $(addsuffix .api-verified, $(LIBEXECCLITOOLS))
 	rm -f *.service-api-verified *.api-verified
 
 .PHONY: install
-install: $(SCRIPTS) $(CLI_MANS) $(SERVICE_MANS) $(BASH_COMPLETIONS) $(ZSH_COMPLETIONS)
+install: $(SCRIPTS) $(LIBEXECCLITOOLS) $(CLI_MANS) $(SERVICE_MANS) $(BASH_COMPLETIONS) $(ZSH_COMPLETIONS)
 	install -d $(BINDIR)
 	install -m 0755 $(SCRIPTS) $(BINDIR)
+	install -d $(LIBEXECDIR)
+	install -m 0755 $(LIBEXECCLITOOLS) $(LIBEXECDIR)
 	install -d $(USRSHARE)/helpers
 	install -m 0755 $(HELPERS) $(USRSHARE)/helpers
 	install -d $(USRSHARE)/migrations
@@ -105,8 +125,10 @@ install: $(SCRIPTS) $(CLI_MANS) $(SERVICE_MANS) $(BASH_COMPLETIONS) $(ZSH_COMPLE
 	install -d $(MAN8DIR)
 	install -m 0644 $(SERVICE_MANS) $(MAN8DIR)
 	for i in $(CLITOOLS); do install -m 0644 -D $$i.bash-completion $(BASHCOMPLDIR)/$$i; done
+	for i in $(LIBEXECCLITOOLS); do install -m 0644 -D $$i.bash-completion $(BASHCOMPLDIR)/$$i; done
 	for i in $(SERVICES); do install -m 0644 -D $$i.service-bash-completion $(BASHCOMPLDIR)/$$i; done
 	for i in $(CLITOOLS); do install -m 0644 -D $$i.zsh-completion $(ZSHCOMPLDIR)/_$$i; done
+	for i in $(LIBEXECCLITOOLS); do install -m 0644 -D $$i.zsh-completion $(ZSHCOMPLDIR)/_$$i; done
 	for i in $(SERVICES); do install -m 0644 -D $$i.service-zsh-completion $(ZSHCOMPLDIR)/_$$i; done
 
 .PHONY: clean

bin/pve-firewall-commit

@@ -0,0 +1,27 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use Time::HiRes qw(usleep);
+
+use PVE::Cluster;
+use PVE::INotify;
+
+for (my $i = 0; !PVE::Cluster::check_cfs_quorum(1); $i++) {
+    print "waiting for pmxcfs mount to appear and get quorate...\n"
+        if $i % 50 == 0;
+
+    usleep(100 * 1000);
+}
+
+my $local_node = PVE::INotify::nodename();
+my $current_fw_config_file = "/etc/pve/nodes/$local_node/host.fw";
+my $new_fw_config_file = "/etc/pve/nodes/$local_node/host.fw.new";
+
+if (-e $new_fw_config_file) {
+    rename($new_fw_config_file, $current_fw_config_file)
+        or die "failed to commit new local node firewall config '$new_fw_config_file' - $!\n";
+}
+
+exit 0;

bin/pve-network-interface-pinning

@@ -0,0 +1,8 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use PVE::CLI::pve_network_interface_pinning;
+
+PVE::CLI::pve_network_interface_pinning->run_cli_handler();

bin/pve-rbd-storage-configure-keyring

@@ -0,0 +1,23 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use PVE::RPCEnvironment;
+use PVE::Storage;
+
+use PVE::CLI::pve8to9;
+
+sub main {
+    PVE::RPCEnvironment->setup_default_cli_env();
+
+    my $cfg = PVE::Storage::config();
+
+    print "INFO: Starting with PVE 9, externally managed RBD storages require that the 'keyring'"
+        . " option is configured in the storage's Ceph configuration. This script creates and"
+        . " updates the storage's Ceph configurations.\n";
+
+    PVE::CLI::pve8to9::check_rbd_storage_keyring($cfg, 0);
+}
+
+main();

bin/pve-sdn-commit

@@ -0,0 +1,102 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use Time::HiRes qw(usleep);
+
+use PVE::Cluster;
+use PVE::Network::SDN;
+use PVE::Network::SDN::Zones;
+use PVE::Network::SDN::Vnets;
+use PVE::Network::SDN::Subnets;
+use PVE::Network::SDN::Controllers;
+use PVE::Network::SDN::Fabrics;
+use PVE::Tools;
+
+for (my $i = 0; !PVE::Cluster::check_cfs_quorum(1); $i++) {
+    print "waiting for pmxcfs mount to appear and get quorate...\n"
+        if $i % 50 == 0;
+
+    usleep(100 * 1000);
+}
+
+sub has_pending_changes {
+    my ($pending_config) = @_;
+
+    for my $entity (values $pending_config->{ids}->%*) {
+        return 1 if $entity->{state};
+    }
+
+    return 0;
+}
+
+sub fabrics_changed {
+    my $current_config = PVE::Network::SDN::Fabrics::config();
+    my $running_config = PVE::Network::SDN::Fabrics::config(1);
+
+    my ($running_fabrics, $running_nodes) = $running_config->list_all();
+    my ($current_fabrics, $current_nodes) = $current_config->list_all();
+
+    my $pending_fabrics = PVE::Network::SDN::pending_config(
+        { fabrics => { ids => $running_fabrics } },
+        { ids => $current_fabrics },
+        'fabrics',
+    );
+
+    my $pending_nodes = PVE::Network::SDN::pending_config(
+        { nodes => { ids => $running_nodes } },
+        { ids => $current_nodes },
+        'nodes',
+    );
+
+    return has_pending_changes($pending_fabrics) || has_pending_changes($pending_nodes);
+}
+
+sub sdn_changed {
+    my $running_config = PVE::Network::SDN::running_config();
+
+    my $configs = {
+        zones => PVE::Network::SDN::Zones::config(),
+        vnets => PVE::Network::SDN::Vnets::config(),
+        subnets => PVE::Network::SDN::Subnets::config(),
+        controllers => PVE::Network::SDN::Controllers::config(),
+    };
+
+    for my $type (keys $configs->%*) {
+        my $pending_config = PVE::Network::SDN::pending_config(
+            $running_config, $configs->{$type}, $type,
+        );
+
+        return 1 if has_pending_changes($pending_config);
+    }
+
+    return fabrics_changed();
+}
+
+if (!sdn_changed()) {
+    print "No changes to SDN configuration detected, skipping reload\n";
+    exit 0;
+}
+
+my $previous_config_has_frr = PVE::Network::SDN::running_config_has_frr();
+PVE::Network::SDN::commit_config();
+
+my $new_config_has_frr = PVE::Network::SDN::running_config_has_frr();
+my $regenerate_frr = ($previous_config_has_frr || $new_config_has_frr);
+
+PVE::Network::SDN::generate_etc_network_config();
+PVE::Network::SDN::generate_dhcp_config();
+
+my $err = sub {
+    my $line = shift;
+    if ($line =~ /(warning|error): (\S+):/) {
+        print "$2 : $line \n";
+    }
+};
+
+PVE::Tools::run_command(['ifreload', '-a'], errfunc => $err);
+
+PVE::Network::SDN::generate_frr_config(1) if $regenerate_frr;
+
+exit 0;

bin/pve7to8

@@ -1,8 +0,0 @@
-#!/usr/bin/perl
-
-use strict;
-use warnings;
-
-use PVE::CLI::pve7to8;
-
-PVE::CLI::pve7to8->run_cli_handler();

configs/Makefile

@@ -1,19 +1,16 @@
 include ../defines.mk
 
-all: country.dat
-
-country.dat: country.pl
-	./country.pl > country.dat
+all:
 
 .PHONY: install
-install: country.dat vzdump.conf pve-sources.sources pve-initramfs.conf pve-blacklist.conf pve.logrotate
+install: vzdump.conf pve-sources.sources pve-initramfs.conf pve-blacklist.conf pve.logrotate virtual-function-pinning.rules virtual-function-pinning-helper
 	install -D -m 0644 pve.logrotate $(DESTDIR)/etc/logrotate.d/pve
 	install -D -m 0644 pve-sources.sources $(DESTDIR)/etc/apt/sources.list.d/pve-enterprise.sources
 	install -D -m 0644 pve-blacklist.conf $(DESTDIR)/etc/modprobe.d/pve-blacklist.conf
 	install -D -m 0644 vzdump.conf $(DESTDIR)/etc/vzdump.conf
 	install -D -m 0644 pve-initramfs.conf $(DESTDIR)/etc/initramfs-tools/conf.d/pve-initramfs.conf
-	install -D -m 0644 country.dat $(DESTDIR)/usr/share/$(PACKAGE)/country.dat
 	install -D -m 0644 proxmox-ve-default.link $(DESTDIR)/usr/lib/systemd/network/99-default.link.d/proxmox-mac-address-policy.conf
+	install -D -m 0644 virtual-function-pinning.rules $(DESTDIR)/usr/lib/udev/rules.d/70-virtual-function-pinning.rules
+	install -D -m 0755 virtual-function-pinning-helper $(DESTDIR)/usr/lib/udev/virtual-function-naming-helper
 
 clean:
-	rm -f country.dat

configs/country.pl

@@ -1,81 +0,0 @@
-#!/usr/bin/perl -w
-
-use strict;
-use PVE::Tools;
-
-# see also: http://en.wikipedia.org/wiki/Keyboard_layout
-#
-# country codes from: /usr/share/zoneinfo/iso3166.tab
-# timezones from: /usr/share/zoneinfo/zone.tab
-# keymaps: find /usr/share/keymaps/i386/ -type f -name '*.kmap.gz'
-# x11 layouts: /usr/share/X11/xkb/rules/xorg.lst
-
-my $country = {};
-
-my $line;
-open(TMP, "</usr/share/zoneinfo/iso3166.tab");
-while (defined($line = <TMP>)) {
-    if ($line =~ m/^([A-Z][A-Z])\s+(.*\S)\s*$/) {
-        $country->{ lc($1) } = $2;
-    }
-}
-close(TMP);
-
-# we need mappings for X11, console, and kvm vnc
-
-# LC(-LC)? => [DESC, kvm, console, X11, X11variant]
-my $keymaps = PVE::Tools::kvmkeymaps();
-
-foreach my $km (sort keys %$keymaps) {
-    my ($desc, $kvm, $console, $x11, $x11var) = @{ $keymaps->{$km} };
-
-    if ($km =~ m/^([a-z][a-z])-([a-z][a-z])$/i) {
-        defined($country->{$2}) || die "undefined country code '$2'";
-    } else {
-        defined($country->{$km}) || die "undefined country code '$km'";
-    }
-
-    $x11var = '' if !defined($x11var);
-    print "map:$km:$desc:$kvm:$console:$x11:$x11var:\n";
-}
-
-my $defmap = {
-    'us' => 'en-us',
-    'be' => 'fr-be',
-    'br' => 'pt-br',
-    'ca' => 'en-us',
-    'dk' => 'dk',
-    'nl' => 'en-us', # most Dutch people us US layout
-    'fi' => 'fi',
-    'fr' => 'fr',
-    'de' => 'de',
-    'at' => 'de',
-    'hu' => 'hu',
-    'is' => 'is',
-    'it' => 'it',
-    'va' => 'it',
-    'jp' => 'jp',
-    'lt' => 'lt',
-    'mk' => 'mk',
-    'no' => 'no',
-    'pl' => 'pl',
-    'pt' => 'pt',
-    'si' => 'si',
-    'es' => 'es',
-    'gi' => 'es',
-    'ch' => 'de-ch',
-    'gb' => 'en-gb',
-    'lu' => 'fr-ch',
-    'li' => 'de-ch',
-};
-
-my $mirrors = PVE::Tools::debmirrors();
-foreach my $cc (keys %$mirrors) {
-    die "undefined country code '$cc'" if !defined($country->{$cc});
-}
-
-foreach my $cc (sort keys %$country) {
-    my $map = $defmap->{$cc} || '';
-    my $mir = $mirrors->{$cc} || '';
-    print "$cc:$country->{$cc}:$map:$mir:\n";
-}

configs/virtual-function-pinning-helper

@@ -0,0 +1,37 @@
+#!/bin/sh
+set -eu
+
+DEVICE_SYSFS_PCI_PATH=$(realpath "/sys${DEVPATH}/../..");
+
+if [ ! -L "$DEVICE_SYSFS_PCI_PATH/physfn" ]; then
+    exit;
+fi
+
+PHYSFN_SYSFS_PCI_PATH=$(realpath "${DEVICE_SYSFS_PCI_PATH}/physfn");
+PHYSFN_IFACE_NAME=$(ls "${PHYSFN_SYSFS_PCI_PATH}/net")
+
+# interface is not pinned
+if [ ! -f "/usr/local/lib/systemd/network/50-pve-${PHYSFN_IFACE_NAME}.link" ]; then
+    exit;
+fi
+
+# pin is not applied - or interface doesn't exist
+if ! ip link show "$PHYSFN_IFACE_NAME" > /dev/null 2>&1 ; then
+    exit;
+fi
+
+DEVICE_PCI_ID=$(basename "$DEVICE_SYSFS_PCI_PATH");
+
+for file in $(find "${PHYSFN_SYSFS_PCI_PATH=$}/" -maxdepth 1 -type l -name 'virtfn*' ); do
+    VF_PCI_ID=$(basename "$(realpath "$file")");
+
+    if [ "$DEVICE_PCI_ID" = "$VF_PCI_ID" ]; then
+        VF_INDEX=$(basename "$file" | grep -Eo '[[:digit:]]+$' -);
+        echo "${PHYSFN_IFACE_NAME}v${VF_INDEX}";
+        exit;
+    fi
+done
+
+echo "interface seems to be a VF of ${PHYSFN_IFACE_NAME}, but could not find the VF index" 1>&2;
+exit;
+

configs/virtual-function-pinning.rules

@@ -0,0 +1 @@
+SUBSYSTEM=="net", ACTION=="add", PROGRAM=="/usr/lib/udev/virtual-function-naming-helper", NAME="%c"

debian/changelog

@@ -1,3 +1,527 @@
+pve-manager (9.0.11) trixie; urgency=medium
+
+  * close #4248: ui: Add Reset button to right click context menu of virtual
+    machines, like available in the resource tree or the global search result.
+
+  * ui: guest snapshot: remove excess '}' at the end of window title
+
+  * fix #5244 pveceph: install: add new 'manual' repository option, which, for
+    example, can be useful for offline installation
+
+  * ui: ceph install wizard: add option and hint for 'manual' repository for,
+    e.g., offline installation through a Proxmox Offline Mirror managed
+    repository.
+
+  * fix typo in ifupdown2 version error message.
+
+  * update shipped appliance info index.
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 06 Oct 2025 19:03:25 +0200
+
+pve-manager (9.0.10) trixie; urgency=medium
+
+  * ui: datacenter notes: fix visibility of top toolbar to allow editing the
+    notes again.
+
+  * api: node xterm.js and VNC shells: avoid nested login for already logged
+    in root@pam when tunneling to another node. This should avoid a race where
+    the shell hangs on load that seems to very rarely happen in Proxmox VE 9,
+    but currently the fix only covers the root@pam users. While this makes
+    this just a partial fix, as the issue is hard to reproduce it should not
+    only benefit some of the affected users, it will also help in confirming
+    the underlying root cause.
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 12 Sep 2025 18:05:12 +0200
+
+pve-manager (9.0.9) trixie; urgency=medium
+
+  * ui: cluster dashboard: use higher warning thresholds for memory gauge and
+    the memory widget-column in the node overview table.
+
+  * cluster: resources: add sdn property to cluster resources return JSON
+    schema.
+
+  * ui: resource pool: never submit value of filter field when adding guests
+    to a pool.
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 10 Sep 2025 12:52:03 +0200
+
+pve-manager (9.0.8) trixie; urgency=medium
+
+  * api: apt list updates: complete JSON return schema to be used in the API
+    viewer and API clients like PDM.
+
+  * api: cluster resource: fix performance regression causing O(n²) lookups
+    slowing the API response, and thus also the initial load of the web UI,
+    significantly down on setups with more than a few hundred, or even
+    thousands of virtual guests.
+
+  * ui: resource tree: various performance improvement for the main resource
+    tree, making initial load, updates and scrolling significantly more
+    responsive on setups with thousands of virtual guests.
+
+  * ui: VM cpu: recognize kebab-cased properties like while parsing to avoid
+    loosing the value of such a manually set option on edit.
+
+  * api: apt: ensure change log entries are encoded as valid UTF-8.
+
+  * ui: storage summary: set 'bytes' as unit for metrics graph.
+
+  * cli: pveceph: set use bytes renderer when listing a pool's content.
+
+  * ui: SDN: ensure fabrics property gets correctly removed when editing a
+    EVPN controller or a VXLAN zone.
+
+  * ui: pool: add members: make virtual guest window bigger and resizeable.
+
+  * ui: pool members: add filter for name, node or vmid when adding guests.
+
+  * update shipped appliance info index.
+
+  * api: cluster: metric server: increase timeout when fetching other nodes
+    metrics from 5s to 20s.
+
+  * api: cluster metrics export: support requesting the metrics from a
+    specific set of nodes through a new 'node-list' parameter.
+
+  * ui: node and virtual guest status: increase warning/critical threshold
+    percentage for memory usage from 75% to 90% and 90% to 97.5% percent,
+    respectively, as leveraging most of the memory installed is fine and often
+    even wanted.
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Sep 2025 22:57:43 +0200
+
+pve-manager (9.0.7) trixie; urgency=medium
+
+  * pve8to9: rework systemd-boot checks
+
+  * configs: drop unused country.dat file from install
+
+  * fix #6599: ui: use font-awesome hdd icon instead of png
+
+  * ui: icons: use svg versions where possible
+
+  * ui: properly center ceph icon
+
+  * api: ceph: add missing type to api schema
+
+  * fix #6747: ceph: osd: swap vg and lv arguments when creating an OSD
+
+  * fix #6385: ui: pool: members: fix store reload on add/remove
+
+  * ha: rule edit: fix enabling ha rules which are disabled
+
+  * api: use 'number' instead of 'amount' for countable nouns
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 02 Sep 2025 14:26:43 +0200
+
+pve-manager (9.0.6) trixie; urgency=medium
+
+  * fix #6652: ceph: osd: enable autoactivation for OSD LVs on creation
+
+  * pve8to9: only allow systemd-boot when it is actually used before upgrade
+
+  * ui: ha: rules: fix edit button
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 20 Aug 2025 14:22:52 +0200
+
+pve-manager (9.0.5) trixie; urgency=medium
+
+  * fix #6657: pveproxy: detect mobile firefox better
+
+  * ui: storage edit: warn about disabling snapshot-as-volume-chain on LVM
+
+  * ui: make sure more datacenter option renderers are html encoded
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 13 Aug 2025 13:00:02 +0200
+
+pve-manager (9.0.4) trixie; urgency=medium
+
+  * 8to9 upgrade checks (pve8to9):
+    - skip check for running guests if already upgraded
+    - use check for unified cgroup v2 support via pve-container
+    - rework systemd-boot checks
+    - add check for removable GRUB entry
+    - support single-line repo entries with bracket options
+    - lvm config: check that --clear-needs-check-flag is set if there is a
+      thin_check_options override
+
+  * d/postinst: lvm config: check that --clear-needs-check-flag is set if there
+    is a thin_check_options override
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 08 Aug 2025 16:40:26 +0200
+
+pve-manager (9.0.3) trixie; urgency=medium
+
+  * d/postinst: add snippet to manage systemd-tmpfiles configurations to
+    ensure they are updated on package upgrade.
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 05 Aug 2025 12:36:45 +0200
+
+pve-manager (9.0.2) trixie; urgency=medium
+
+  * fix permission regression for '/run/pve' directory, which is now managed
+    by systemd's tmpfile mechanism. Ensure it's created with root:www-data
+    user:group.
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 05 Aug 2025 12:15:38 +0200
+
+pve-manager (9.0.1) trixie; urgency=medium
+
+  * network-interface-pinning: move to libexec and rename but add symlink to
+    pve-network-pinning-tool into usr/bin.
+
+  * ui: node memory RRD: change ZFS ARC color to a blue shade and available
+    memory to a green shade for more visual difference.
+
+  * pveproxy service: use heuristic to trigger initial appliance update on
+    first boot.
+
+  * network: improve reloading logic for FFR config, trust flag if set, else
+    reload only if there is a FRR controller configured.
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 05 Aug 2025 12:07:04 +0200
+
+pve-manager (9.0.0) trixie; urgency=medium
+
+  * bump for final Proxmox VE 9.0 release.
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 04 Aug 2025 23:13:26 +0200
+
+pve-manager (9.0.0~22) trixie; urgency=medium
+
+  * sync over 8 to 9 upgrade checks from stable-8 branch.
+
+  * api: backup: remove unneeded call of rrd_dump method.
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 04 Aug 2025 21:43:25 +0200
+
+pve-manager (9.0.0~21) trixie; urgency=medium
+
+  * ui: migration pre-conditions: make lack of support for conntrack state
+    migration only a info-level severity.
+
+  * sync over 8 to 9 upgrade checks from stable-8 branch.
+
+  * api: network: default to not regenerating the frr configuration using new
+    parameter from SDN stack.
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 04 Aug 2025 18:30:55 +0200
+
+pve-manager (9.0.0~20) trixie; urgency=medium
+
+  * api: node status: add the available memory to return value.
+
+  * ui: avoid stacked graphs for memory usage, can easily lead to confusion as
+    y-axis does not match the values anymore.
+
+  * ui: node memory RRD: add 'Available' graph.
+
+  * ui: ignore backend 501 error for migration precondition checks, most
+    likely stems from using a new web UI version operating on an older node,
+    e.g., when during the major upgrade.
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 04 Aug 2025 16:58:46 +0200
+
+pve-manager (9.0.0~19) trixie; urgency=medium
+
+  * ui: ha affinity rules: use single data store and mirror it to child grids,
+    this avoids loading the data twice which then also ensures that they both
+    show the same consistent view of the ruleset.
+
+  * ui: ha affinity rules: various small UX polishing:
+    - give resource rule some more vertical space.
+    - add ID column but hide by default for now.
+    - give resource rules some more vertical space.
+
+  * ui: guest migrate: adapt HA migration checks to new property name also for
+    Containers.
+
+ -- Proxmox Support Team <support@proxmox.com>  Sat, 02 Aug 2025 19:42:57 +0200
+
+pve-manager (9.0.0~18) trixie; urgency=medium
+
+  * sync over 8 to 9 upgrade checks from stable-8 branch.
+
+  * ui: RRD graphs: display PSI as percent again
+
+  * ui: guest migrate: fix logging unexpected errors to developer
+    console.
+
+  * ui: guest migrate: adapt HA migration checks to altered property name
+
+  * ui: sdn: allow sorting the IPAM and DHCP view by guest ID.
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 01 Aug 2025 18:41:47 +0200
+
+pve-manager (9.0.0~17) trixie; urgency=medium
+
+  * make Yew based mobile UI package a required dependency and completely drop
+    legacy sencha-touch based mobile UI.
+
+  * ui: ha affinity rules: add CRUD ui for resource-to-resource rules.
+
+  * ui: VM & CT migration: display precondition messages for HA resource
+    affinity blockers.
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 31 Jul 2025 11:46:10 +0200
+
+pve-manager (9.0.0~16) trixie; urgency=medium
+
+  * ui: replace HA Groups CRUD with new HA Affinity Rules CRUD.
+
+  * api: route new ha affinity rules endpoints.
+
+  * ui: ha: support new per-resources failback flag.
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 31 Jul 2025 09:10:41 +0200
+
+pve-manager (9.0.0~15) trixie; urgency=medium
+
+  * pvestatd: collect and distribute new pve-{type}-9.0 metrics, with new
+    columns (pressure stall information, ZFS ARC, ...) and higher
+    time granularity.
+
+  * ui: node summary: use stacked memory graph with zfs arc.
+
+  * ui: add pressure stall information graphs to node and guest summary views.
+
+  * fix #6068: ui: qemu RRD metrics: improve calculation of actual on-host
+    memory usage by using the sum of the proportional set sizes for all
+    processes inside a VMs resource cgroup slice.
+
+  * post-installation: run promox-rrd-migration-tool to automatically migrate
+    existing data from previous format to new one.
+
+  * 8 to 9 upgrade: add checks for RRD metrics migration and increased on-disk
+    space usage needs.
+
+  * ui: RRD graphs: use title-case for titles.
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 31 Jul 2025 06:01:44 +0200
+
+pve-manager (9.0.0~14) trixie; urgency=medium
+
+  * http server: drop legacy yew mobile paths and fix yew mtime path.
+
+  * ui: lxc create wizard: always submit unprivileged field.
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 31 Jul 2025 01:11:57 +0200
+
+pve-manager (9.0.0~13) trixie; urgency=medium
+
+  * debian: add tpmfiles.d config to create /run/pve directory.
+
+  * pvestatd: prevent warnings for non-existing network devices.
+
+  * close #2809: replication: use new VM.Replicate privilege.
+
+  * backup: drop 'maxfiles' parameter, it was replaced by the more flexible
+    keep-X prune settings in PVE 7.0 already.
+
+  * api: expose new qemu migration capabilities endpoint.
+
+  * ui: migrate window: add checkbox for migrating VM conntrack state.
+
+  * http server: fix caching of i18n translation files, use mtime.
+
+  * http server: rework location for yew-mobile UI and provide mtimes.
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 31 Jul 2025 00:27:24 +0200
+
+pve-manager (9.0.0~12) trixie; urgency=medium
+
+  * 8to9 upgrade checks: sync over version from PVE 8.4 stable branch.
+
+  * external metric server: add support for OpenTelemetry.
+
+  * network-interface-pinning:
+    - use ifindex as order for pinning.
+    - improve printing mapping.
+    - add 'target-name' parameter.
+    - allow arbitrary target name and prefixes.
+
+  * fix #6534: ui: keep displaying help button in backup edit dialog.
+
+  * replace sencha touch mobile web UI by default with new Yew based one
+    written in rust. The new pve-yew-mobile-gui package can still be removed
+    to get the old package back, but it's planned to drop the outdated sencha
+    touch based mobile UI completely soon.
+
+  * pvestatd: pull metric: use ip link to detect physical interfaces, but
+    cache the data and update it only every 15 minutes to avoid frequent
+    polling, physical interfaces are not likely to change frequently.
+
+  * fix #5392: pveproxy, pvedaemon: make maximum number of worker configurable.
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Jul 2025 21:17:14 +0200
+
+pve-manager (9.0.0~11) trixie; urgency=medium
+
+  * 8to9 upgrade checks: machine version: place VMIDs in dedicated line.
+
+  * fix #6537: api: system services: system unit for postfix is again a normal
+    service in Trixie.
+
+  * ui: base storage: fix outdated wording in tech-preview hint.
+
+  * fix #6539: apl: use sqv instead of gpgv to verify signatures.
+
+  * network-interface-pinning: do not generate link files for virtual
+    functions (VFs).
+
+  * network-interface-pinning: fix pinning for bond members.
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 22 Jul 2025 23:33:37 +0200
+
+pve-manager (9.0.0~10) trixie; urgency=medium
+
+  * d/postinst: only set-up pve-test repos for beta on fresh
+    installation as upgrades must have a valid repo already anyway, otherwise
+    they could not upgrade in the first place.
+
+  * 8to9 upgrade checks: fix calling the method for parsing network defices
+    from a VM config, it got moved in Proxmox VE 9 into a dedicated module.
+
+ -- Proxmox Support Team <support@proxmox.com>  Sat, 19 Jul 2025 20:56:45 +0200
+
+pve-manager (9.0.0~9) trixie; urgency=medium
+
+  * guest metrics: drop support for ancient RRD schema from before Proxmox VE
+    2.3 from 2013.
+
+  * guest metrics: support and prefer new pve-{type}-9.0 RRD files.
+
+  * network-interface-pinning: fix subsequent invocations.
+
+  * network-interface-pinning: early exit if nothing to do.
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 18 Jul 2025 20:48:14 +0200
+
+pve-manager (9.0.0~8) trixie; urgency=medium
+
+  * ui: add beta text with link to bug tracker
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 18 Jul 2025 15:39:55 +0200
+
+pve-manager (9.0.0~7) trixie; urgency=medium
+
+  * d/postinst: setup pve-test repo for updates during the beta phase.
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 18 Jul 2025 15:24:25 +0200
+
+pve-manager (9.0.0~6) trixie; urgency=medium
+
+  * ui: dc/options: allow one to edit cluster wide replication settings.
+
+  * ui: disk storage selector: fix check for disabling format selector.
+
+  * 8to9 upgrade checks: fix duplicate variable name in same scope.
+
+  * fabrics: add max-length to fabric name to improve error message.
+
+  * ui: adapt to dropped VM.Monitor privilege.
+
+  * network-interface-pinning: avoid comparing undefined string.
+
+  * sdn-commit, firewall-commit: wait for cluster quorum.
+
+  * sdn-commit: only reload ifupdown if sdn configuration changed.
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 18 Jul 2025 14:39:57 +0200
+
+pve-manager (9.0.0~5) trixie; urgency=medium
+
+  * pve8to9: sync upgrade checks from stable branch.
+
+  * api: apt versions: drop glusterfs-client from package list.
+
+  * ui: storage edit: only LVM supports changing ext. snapshots for existing
+    storages.
+
+   * ui: storage base: rename label to "Allow Snapshots as Volume-Chain".
+
+   * ui: qemu: network: adjust MTU emptyText to match new default behavior.
+
+   * fabric: increase width of fabric edit/add window and add empty text
+     attributes to some input fields.
+
+   * pve-sdn-commit: fix reloading logic.
+
+   * proxmox-network-interface-pinning: add fabrics support.
+
+   * api: capabilities: proxy index endpoints to respective nodes.
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 17 Jul 2025 23:35:02 +0200
+
+pve-manager (9.0.0~4) trixie; urgency=medium
+
+  * ui: backup job edit: move notification related settings to separate tab.
+
+  * ui: one-shot backup: remove 'auto' notification mode for clarity.
+
+  * ui: oneshot backup: stop shifting UI when selecting 'legacy-sendmail'.
+
+  * pvescheduler: move PID file from aliased /var/run legacy path into the
+    underlying /run directory.
+
+  * cli: add proxmox-network-interface-pinning tool.
+
+  * services: add pve-sdn-commit and pve-firewall-commit for applying pending
+    changes on boot.
+
+  * ui: drop support for adding native GlusterFS storage, like it was done
+    already for QEMU and the pve-storage library.
+
+  * ui: base storage: add checkbox for storage-managed (external) snapshots
+    for supported storage types.
+
+  * api: use new SDN config generation functions.
+
+  * ui: add SDN fabrics management.
+
+  * api/ui: show/return alternative interface names for node network
+    interfaces.
+
+  * ui: login: display error messages and status on failure.
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 17 Jul 2025 02:33:52 +0200
+
+pve-manager (9.0.0~3) trixie; urgency=medium
+
+  * pve8to9: sync checks from stable branch.
+
+  * ui: enable online helplinks for VM audio edit panel and TPM panel.
+
+  * ui: enable online helplinks for tag config view.
+
+  * api: node services: track lxcfs, proxmox-firewall, pve-lxc-syscalld,
+    qmeventd units.
+
+  * ui: ceph: drop releases that are not available on PVE 9.
+
+  * pveceph: switch repo sources to modern deb822 format.
+
+  * ui: remove handling of obsolete notification-policy/target settings.
+
+  * ui: backup job details: show notification-mode instead of legacy keys.
+
+  * ui: guest importer: use modern 4MB EFI-type for imported VMs that use EFI
+    as firmware.
+
+  * ui: qemu disk edit: allow importing a disk from the import storage.
+
+  * ui: vm create wizard: allow importing disks directly from an import
+    storage.
+
+  * ui: import storage content: allow importing disks to existing VM disk
+    images from an import storage.
+
+  * fix #5894: pvestatd: always re-broadcast of node version-info if we cannot
+    find any information for our node.
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 16 Jul 2025 02:48:30 +0200
+
 pve-manager (9.0.0~2) trixie; urgency=medium
 
   * d/control: run all binary tragets under (fake)root to ensure dpkg-deb

debian/control

@@ -11,7 +11,7 @@ Build-Depends: debhelper-compat (= 13),
                libpve-access-control (>= 8.0.7),
                libpve-cluster-api-perl,
                libpve-cluster-perl (>= 6.1-6),
-               libpve-common-perl (>= 8.2.3),
+               libpve-common-perl (>= 9.0.4),
                libpve-guest-common-perl (>= 5.1.1),
                libpve-http-server-perl (>= 2.0-12),
                libpve-notify-perl,
@@ -24,8 +24,8 @@ Build-Depends: debhelper-compat (= 13),
                proxmox-widget-toolkit (>= 4.1.4),
                pve-cluster,
                pve-container,
-               pve-doc-generator (>= 8.3.2),
-               qemu-server (>= 8.0~~),
+               pve-doc-generator (>= 9.0.5),
+               qemu-server (>= 9.0.10~~),
                sq,
                unzip,
 Rules-Requires-Root: binary-targets
@@ -51,24 +51,23 @@ Depends: apt (>= 1.5~),
          libfilesys-df-perl,
          libjs-extjs (>= 7.0.0),
          libjs-qrcodejs (>= 1.20201119),
-         libjs-sencha-touch,
          libjson-perl,
          liblwp-protocol-https-perl,
          libnet-dns-perl,
          libproxmox-acme-perl,
          libproxmox-acme-plugins,
-         libproxmox-rs-perl (>= 0.3.4),
-         libpve-access-control (>= 8.2.0),
+         libproxmox-rs-perl (>= 0.4~),
+         libpve-access-control (>= 9.0.3),
          libpve-cluster-api-perl (>= 7.0-5),
          libpve-cluster-perl (>= 8.1.0),
-         libpve-common-perl (>= 8.2.6),
+         libpve-common-perl (>= 9.0.8),
          libpve-guest-common-perl (>= 5.1.4),
-         libpve-http-server-perl (>= 5.1.1),
-         libpve-network-api-perl (>= 0.9.9~),
-         libpve-network-perl (>= 0.9~),
+         libpve-http-server-perl (>= 6.0.3),
+         libpve-network-api-perl (>= 1.1~),
+         libpve-network-perl (>= 1.1~),
          libpve-notify-perl (>= 8.1.0),
-         libpve-rs-perl (>= 0.8.12),
-         libpve-storage-perl (>= 8.3.6),
+         libpve-rs-perl (>= 0.10.4),
+         libpve-storage-perl (>= 9.0.5),
          librados2-perl (>= 1.3-1),
          libtemplate-perl,
          libterm-readline-gnu-perl,
@@ -83,17 +82,20 @@ Depends: apt (>= 1.5~),
          postfix | mail-transport-agent,
          proxmox-mail-forward,
          proxmox-mini-journalreader (>= 1.3-1),
-         proxmox-widget-toolkit (>= 4.3.5),
-         pve-cluster (>= 8.0.5),
+         proxmox-rrd-migration-tool (>= 1.0.0),
+         proxmox-widget-toolkit (>= 5.0.2),
+         pve-cluster (>= 9.0.1),
          pve-container (>= 5.2.5),
-         pve-docs (>= 8.2.4),
+         pve-docs (>= 9.0.5),
          pve-firewall,
-         pve-ha-manager,
+         pve-ha-manager (>= 5.0.3),
          pve-i18n (>= 3.2.0~),
          pve-xtermjs (>= 4.7.0-1),
-         qemu-server (>= 8.3.11),
+         pve-yew-mobile-gui (>= 0.5.1),
+         qemu-server (>= 9.0.10),
          rsync,
          spiceterm,
+         sqv,
          systemd,
          vncterm,
          wget,

debian/copyright

@@ -1,4 +1,4 @@
-Copyright (C) 2010-2024 Proxmox Server Solutions GmbH
+Copyright (C) 2010-2025 Proxmox Server Solutions GmbH
 
 This software is written by Proxmox Server Solutions GmbH <support@proxmox.com>
 
@@ -41,29 +41,3 @@ open source applications that are distributed under a license other than GPL.
 * Open Source License Exception for Development
 
   http://www.sencha.com/products/ux-exception.php
-
-------------------------------
-
-Bootstrap html framework:
-
-The MIT License (MIT)
-
-Copyright (c) 2011-2014 Twitter, Inc
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.

debian/links

@@ -0,0 +1,2 @@
+usr/libexec/proxmox/pve-network-interface-pinning usr/bin/pve-network-interface-pinning
+

debian/postinst

@@ -9,9 +9,15 @@ set -e
 # installed and configured.
 
 set_lvm_conf() {
+    # shellcheck disable=SC3043
     local FORCE="$1"
     LVM_CONF_MARKER="# added by pve-manager to avoid scanning"
 
+    if [ ! -e /etc/lvm/lvm.conf ]; then
+        echo "No /etc/lvm/lvm.conf found - skipping checking the global_filter."
+        return
+    fi
+
     # keep user changes afterwards provided marker is still there..
     if grep -qLF "$LVM_CONF_MARKER" /etc/lvm/lvm.conf && test -z "$FORCE"; then
         return 0 # only do these changes once
@@ -46,16 +52,21 @@ set_lvm_conf() {
         echo "Backing up lvm.conf before setting pve-manager specific settings.."
         cp -vb /etc/lvm/lvm.conf /etc/lvm/lvm.conf.bak
     fi
+    NEW_MARKER="$LVM_CONF_MARKER ZFS zvols and Ceph rbds"
     if test -n "$SET_FILTER"; then
         echo "Setting 'global_filter' in /etc/lvm/lvm.conf to prevent zvols and rbds from being scanned:"
         echo "$OLD_VALUE => $NEW_VALUE"
         if test -n "$OLD_VALUE"; then
-            sed -i -e "s/$LVM_CONF_MARKER ZFS zvols/$LVM_CONF_MARKER ZFS zvols and Ceph rbds/" /etc/lvm/lvm.conf
-            sed -i -e "s!^\([[:space:]]*\)\(global_filter[[:space:]]*=.*\)\$!\1# \2\n\1$NEW_VALUE!" /etc/lvm/lvm.conf
+            if grep -qLF "$LVM_CONF_MARKER" /etc/lvm/lvm.conf; then
+                sed -i -e "s/$LVM_CONF_MARKER ZFS zvols/$NEW_MARKER/" /etc/lvm/lvm.conf
+                sed -i -e 's!^\([[:space:]]*\)\(global_filter[[:space:]]*=.*\)$!\1# \2\n\1'"$NEW_VALUE"'!' /etc/lvm/lvm.conf
+            else
+                sed -i -e 's!^\([[:space:]]*\)\(global_filter[[:space:]]*=.*\)$!\1# \2\n\1'"$NEW_MARKER"'\n\1'"$NEW_VALUE"'!' /etc/lvm/lvm.conf
+            fi
         else
             cat >> /etc/lvm/lvm.conf <<EOF
 devices {
-     $LVM_CONF_MARKER ZFS zvols and Ceph rbds
+     $NEW_MARKER
      $NEW_VALUE
 }
 EOF
@@ -122,6 +133,13 @@ migrate_apt_auth_conf() {
     fi
 }
 
+# Copied from dh_installtmpfiles/13.24.2
+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
+       if [ -x "$(command -v systemd-tmpfiles)" ]; then
+               systemd-tmpfiles ${DPKG_ROOT:+--root="$DPKG_ROOT"} --create pve-manager.conf || true
+       fi
+fi
+
 case "$1" in
   triggered)
     # We don't print a status message here, as dpkg already said
@@ -155,22 +173,12 @@ case "$1" in
         pveam update || true
     fi
 
-    # Always try to clean old entry, even when proxmox-mail-forward entry is already present.
-    # This ensures it will still be cleaned after an upgrade following a downgrade.
-    if test -f /root/.forward; then
-        sed -i '\!|/usr/bin/pvemailforward!d' /root/.forward
-    fi
-
-    if ! test -f /root/.forward || ! grep -q '|/usr/bin/proxmox-mail-forward' /root/.forward; then
-        echo '|/usr/bin/proxmox-mail-forward' >>/root/.forward
-    fi
-
     systemctl --system daemon-reload >/dev/null || true
 
     # same as dh_systemd_enable (code copied)
 
     UNITS="pvedaemon.service pveproxy.service spiceproxy.service pvestatd.service pvebanner.service pvescheduler.service pve-daily-update.timer"
-    NO_RESTART_UNITS="pvenetcommit.service pve-guests.service"
+    NO_RESTART_UNITS="pvenetcommit.service pve-guests.service pve-sdn-commit.service pve-firewall-commit.service"
 
     for unit in ${UNITS} ${NO_RESTART_UNITS}; do
         deb-systemd-helper unmask "$unit" >/dev/null || true
@@ -187,21 +195,20 @@ case "$1" in
         fi
     done
 
-    # FIXME: remove after beta is over and add hunk to actively remove the repo
-    BETA_SOURCES="/etc/apt/sources.list.d/pvetest-for-beta.list"
-    if test -f "$BETA_SOURCES" && dpkg --compare-versions "$2" 'lt' '8.0.2' && dpkg --compare-versions "$2" 'gt' '8.0~'; then
-        echo "Removing the during beta added pvetest repository file again"
+    BETA_SOURCES="/etc/apt/sources.list.d/pve-test-for-beta.sources"
+    if test -f "$BETA_SOURCES" && dpkg --compare-versions "$2" 'lt' '9.0.1' && dpkg --compare-versions "$2" 'gt' '9.0~~'; then
+        printf "\nNOTE: Remove the pve-test repository, which was added during the beta phase.\nYou can (re-)add repositories on the web UI (Node -> Repositories)\n\n"
         rm -v "$BETA_SOURCES" || true
     fi
 
     if test ! -e /proxmox_install_mode && test -n "$2" && dpkg --compare-versions "$2" 'lt' '8.1.4~'; then
-        if test -e /etc/lvm/lvm.conf ; then
-            set_lvm_conf 1
-        fi
+        # TODO: remove with PVE 10
+        # pass FORCE as we want to ensure the filter for RBDs gets added to our existing one.
+        set_lvm_conf 1
+    else
+        set_lvm_conf
     fi
 
-    set_lvm_conf
-
     if test -n "$2" && dpkg --compare-versions "$2" 'lt' '8.1.11'; then
         update_ceph_conf
     fi
@@ -225,6 +232,20 @@ case "$1" in
             migrate_apt_auth_conf
         fi
     fi
+
+    if test -n "$2" && dpkg --compare-versions "$2" 'lt' '9.0.0~15'; then
+        printf '\n\nNOTE: Migrating existing RRD metrics data from nodes, storages and virtual guests to new PVE format version - this can take some time!\n\n'
+        /usr/libexec/proxmox/proxmox-rrd-migration-tool --migrate || \
+            echo "migration failed, see output above for errors and try to migrate existing data manually by running '/usr/libexec/proxmox/proxmox-rrd-migration-tool --migrate'"
+    fi
+
+    if test -n "$2" && dpkg --compare-versions "$2" 'lt' '9.0.4'; then
+        if test -e /etc/lvm/lvm.conf && grep "^\s*thin_check_options" /etc/lvm/lvm.conf | grep -qv -- "--clear-needs-check-flag"; then
+            printf '\nNOTE: Detected override for 'thin_check_options' without '--clear-needs-check-flag' option in /etc/lvm/lvm.conf\n'
+            printf 'Add the option to the override or thin pools with minor issues might not automatically activate anymore!\n\n'
+        fi
+    fi
+
     ;;
 
   abort-upgrade|abort-remove|abort-deconfigure)

debian/tmpfiles

@@ -0,0 +1,2 @@
+#Type Path     Mode User Group     Age Argument
+d     /run/pve 0750 root www-data  -   -

defines.mk

@@ -1,6 +1,7 @@
 PACKAGE=pve-manager
 
 BINDIR=$(DESTDIR)/usr/bin
+LIBEXECDIR=$(DESTDIR)/usr/libexec/proxmox
 PERLLIBDIR=$(DESTDIR)/usr/share/perl5
 MAN1DIR=$(DESTDIR)/usr/share/man/man1
 MAN8DIR=$(DESTDIR)/usr/share/man/man8

services/Makefile

@@ -13,7 +13,9 @@ SERVICES=			\
 	pve-storage.target	\
 	pve-daily-update.service\
 	pve-daily-update.timer	\
-	pvescheduler.service
+	pvescheduler.service	\
+	pve-sdn-commit.service	\
+	pve-firewall-commit.service
 
 .PHONY: install
 install: $(SERVICES)

services/pve-firewall-commit.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Commit Proxmox VE Firewall changes
+DefaultDependencies=no
+Wants=pve-cluster.service
+After=corosync.service
+
+[Service]
+ExecStart=/usr/share/pve-manager/helpers/pve-firewall-commit
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

services/pve-sdn-commit.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Commit Proxmox VE SDN changes
+DefaultDependencies=no
+Wants=pve-cluster.service network.target
+After=frr.service network.target corosync.service
+
+[Service]
+ExecStart=/usr/share/pve-manager/helpers/pve-sdn-commit
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

services/pveproxy.service

@@ -13,6 +13,7 @@ After=ssh.service
 [Service]
 ExecStartPre=-/usr/bin/pvecm updatecerts --silent
 ExecStart=/usr/bin/pveproxy start
+ExecStartPost=-sh -c '[ ! -e /var/log/pveam.log ] && /usr/bin/pveupdate'
 ExecStop=/usr/bin/pveproxy stop
 ExecReload=/usr/bin/pveproxy restart
 PIDFile=/run/pveproxy/pveproxy.pid

services/pvescheduler.service

@@ -10,7 +10,7 @@ After=pve-storage.target
 ExecStart=/usr/bin/pvescheduler start
 ExecStop=/usr/bin/pvescheduler stop
 ExecReload=/usr/bin/pvescheduler restart
-PIDFile=/var/run/pvescheduler.pid
+PIDFile=/run/pvescheduler.pid
 KillMode=process
 Type=forking
 

services/pvestatd.service

@@ -2,7 +2,7 @@
 Description=PVE Status Daemon
 ConditionPathExists=/usr/bin/pvestatd
 Wants=pve-cluster.service
-After=pve-cluster.service
+After=pve-cluster.service pvenetcommit.service
 
 [Service]
 ExecStart=/usr/bin/pvestatd start

test/vzdump_new_test.pl

@@ -105,78 +105,6 @@ my @tests = (
         },
     },
     # TODO make parse error critical?
-    {
-        description => 'maxfiles vzdump 1',
-        vzdump_param => {
-            maxfiles => 0,
-        },
-        expected => {
-            'prune-backups' => {
-                'keep-all' => 1,
-            },
-            remove => 0,
-        },
-    },
-    {
-        description => 'maxfiles vzdump 2',
-        vzdump_param => {
-            maxfiles => 7,
-        },
-        expected => {
-            'prune-backups' => {
-                'keep-last' => 7,
-            },
-            remove => 1,
-        },
-    },
-    {
-        description => 'maxfiles storage 1',
-        storage_param => {
-            maxfiles => 0,
-        },
-        expected => {
-            'prune-backups' => {
-                'keep-all' => 1,
-            },
-            remove => 0,
-        },
-    },
-    {
-        description => 'maxfiles storage 2',
-        storage_param => {
-            maxfiles => 7,
-        },
-        expected => {
-            'prune-backups' => {
-                'keep-last' => 7,
-            },
-            remove => 1,
-        },
-    },
-    {
-        description => 'maxfiles CLI 1',
-        cli_param => {
-            maxfiles => 0,
-        },
-        expected => {
-            'prune-backups' => {
-                'keep-all' => 1,
-            },
-            remove => 0,
-        },
-    },
-    {
-        description => 'maxfiles CLI 2',
-        cli_param => {
-            maxfiles => 7,
-        },
-        expected => {
-            'prune-backups' => {
-                'keep-last' => 7,
-            },
-            remove => 1,
-        },
-    },
     {
         description => 'prune-backups vzdump 1',
         vzdump_param => {
@@ -219,19 +147,6 @@ my @tests = (
             remove => 0,
         },
     },
-    {
-        description => 'both vzdump 1',
-        vzdump_param => {
-            'prune-backups' => 'keep-all=1',
-            maxfiles => 7,
-        },
-        expected => {
-            'prune-backups' => {
-                'keep-all' => 1,
-            },
-            remove => 0,
-        },
-    },
     {
         description => 'prune-backups storage 1',
         storage_param => {
@@ -275,21 +190,6 @@ my @tests = (
             remove => 0,
         },
     },
-    {
-        description => 'both storage 1',
-        storage_param => {
-            'prune-backups' => 'keep-hourly=1,keep-monthly=2,keep-yearly=3',
-            maxfiles => 0,
-        },
-        expected => {
-            'prune-backups' => {
-                'keep-hourly' => 1,
-                'keep-monthly' => 2,
-                'keep-yearly' => 3,
-            },
-            remove => 1,
-        },
-    },
     {
         description => 'prune-backups CLI 1',
         cli_param => {
@@ -329,19 +229,10 @@ my @tests = (
         expected => "format error\n"
             . "foo: property is not defined in schema and the schema does not allow additional properties\n",
     },
-    {
-        description => 'both CLI 1',
-        cli_param => {
-            'prune-backups' => 'keep-hourly=1,keep-monthly=2,keep-yearly=3',
-            maxfiles => 4,
-        },
-        expected => "400 Parameter verification failed.\n"
-            . "prune-backups: option conflicts with option 'maxfiles'\n",
-    },
     {
         description => 'mixed 1',
         vzdump_param => {
-            maxfiles => 7,
+            'prune-backups' => 'keep-last=7',
         },
         storage_param => {
             'prune-backups' => 'keep-hourly=24',
@@ -357,7 +248,7 @@ my @tests = (
     {
         description => 'mixed 2',
         vzdump_param => {
-            maxfiles => 7,
+            'prune-backups' => 'keep-last=7',
         },
         storage_param => {
             'prune-backups' => 'keephourly=24',
@@ -372,7 +263,7 @@ my @tests = (
     {
         description => 'mixed 3',
         vzdump_param => {
-            maxfiles => 7,
+            'prune-backups' => 'keep-last=7',
         },
         cli_param => {
             'prune-backups' => 'keep-all=1',
@@ -387,7 +278,7 @@ my @tests = (
     {
         description => 'mixed 4',
         vzdump_param => {
-            maxfiles => 7,
+            'prune-backups' => 'keep-last=7',
         },
         storage_param => {
             'prune-backups' => 'keep-all=0,keep-last=10',
@@ -405,7 +296,7 @@ my @tests = (
     {
         description => 'mixed 5',
         vzdump_param => {
-            maxfiles => 7,
+            'prune-backups' => 'keep-last=7',
         },
         storage_param => {
             'prune-backups' => 'keep-all=0,keep-last=10',
@@ -650,7 +541,6 @@ foreach my $test (@tests) {
         my $vzdump = PVE::VZDump->new('fake cmdline', $test->{cli_param}, undef);
 
         my $opts = $vzdump->{opts} or die "did not get options\n";
-        die "maxfiles is defined" if defined($opts->{maxfiles});
 
         my $res = {};
         foreach my $opt (@{$tested_options}) {

www/Makefile

@@ -1,5 +1,5 @@
 include ../defines.mk
-SUBDIRS = images css manager6 mobile
+SUBDIRS = images css manager6
 
 all:
 
@@ -14,6 +14,10 @@ install:
 check:
 	$(MAKE) -C manager6 $@
 
+.PHONY: tidy
+tidy:
+	$(MAKE) -C manager6 $@
+
 .PHONY: clean
 clean:
 	set -e && for i in $(SUBDIRS); do $(MAKE) -C $$i $@; done

www/css/ext6-pve.css

@@ -92,13 +92,7 @@
 /* loading in task list */
 .x-grid-row-loading {
     background: no-repeat center center;
-    background-image: url(../ext6/theme-crisp/resources/images/loadmask/loading.gif);
-}
-
-/* console icon in task list */
-.x-grid-row-console {
-    background: no-repeat center center;
-    background-image: url(../images/icon-display.png);
+    background-image: url(../images/spinner.svg);
 }
 
 /* for font-awesome colors */
@@ -256,7 +250,7 @@
 .pve-itype-treelist-item-icon-cdrom {
     top: 50%;
     transform: translateY(-50%);
-    content: url(../images/icon-cd.png);
+    content: url(../images/icon-cd-drive.svg);
 }
 
 /* the lxc template */
@@ -296,27 +290,15 @@
 }
 
 .pve-itype-icon-virt-viewer,
-.pve-itype-icon-tigervnc,
 .pve-itype-icon-novnc,
 .pve-itype-icon-xtermjs,
-.pve-itype-icon-display,
-.pve-itype-icon-network,
-.pve-itype-icon-network-server,
-.pve-itype-icon-keyboard,
 .pve-itype-icon-cdrom,
-.pve-itype-icon-qemu,
 .pve-itype-icon-qemu-template,
 .pve-itype-icon-qemu-running,
-.pve-itype-icon-lxc,
 .pve-itype-icon-lxc-template,
-.pve-itype-icon-lxc-running,
-.pve-itype-icon-swap,
 .pve-itype-icon-node,
 .pve-itype-icon-node-running,
-.pve-itype-icon-storage,
 .pve-itype-icon-pool,
-.pve-itype-icon-itype,
-.pve-itype-icon-usb,
 .pve-itype-icon-serial,
 .pve-itype-icon-cloud,
 .pve-itype-icon-pci,
@@ -342,84 +324,24 @@
     font-size: 14px;
 }
 
-.pve-itype-icon-qemu,
-.x-tree-node-computer,
-.x-grid-tree-node-expanded .x-tree-node-computer {
-    background-image: url(../images/icon-display.png);
-}
-
-.pve-itype-icon-lxc,
-.x-tree-node-lxc,
-.x-grid-tree-node-expanded .x-tree-node-lxc {
-    background-image: url(../images/lxc-off.png);
-}
-
-.pve-itype-icon-swap,
-.x-tree-node-lxc-swap,
-.x-grid-tree-node-expanded .x-tree-lxc-swap {
-    background-image: url(../images/icon-swap.png);
-}
-
-.pve-itype-icon-lxc-running,
-.x-tree-node-lxc-running,
-.x-grid-tree-node-expanded .x-tree-node-lxc-running {
-    background-image: url(../images/lxc-on.png);
-}
-
-.pve-itype-icon-storage,
-.x-tree-node-harddisk,
-.x-grid-tree-node-expanded .x-tree-node-harddisk {
-    background-image: url(../images/icon-harddisk.png);
-}
-
-.x-tree-node-snapshot,
-.x-grid-tree-node-expanded .x-tree-node-snapshot {
-    background-image: url(../images/snapshot.png);
-}
-
-.pve-itype-icon-itype {
-    background-image: url(../ext6/theme-classic/resources/images/tree/folder.gif);
-}
-
-.pve-itype-icon-network-server {
-    background-image: url(../images/network-server.png);
-}
-
-.pve-itype-icon-network {
-    background-image: url(../images/icon-network.png);
-}
-
-.pve-itype-icon-keyboard {
-    background-image: url(../images/icon-keyboard.png);
-}
-
 .pve-itype-icon-cdrom {
     background-size: 16px;
     background-image: url(../images/icon-cd-drive.svg);
 }
 
-.pve-itype-icon-display {
-    background-image: url(../images/icon-display.png);
-}
-
-.pve-itype-icon-tigervnc {
-    background-image: url(../images/tigervnc.png);
-}
-
 .pve-itype-icon-novnc {
-    background-image: url(../images/novnc.png);
+    background-size: 16px;
+    background-image: url(../images/novnc.svg);
 }
 
 .pve-itype-icon-virt-viewer {
-    background-image: url(../images/virt-viewer.png);
+    background-size: 16px;
+    background-image: url(../images/virt-viewer.svg);
 }
 
 .pve-itype-icon-xtermjs {
-    background-image: url(../images/xtermjs.png);
-}
-
-.pve-itype-icon-usb {
-    background-image: url(../images/icon-usb.png);
+    background-size: 16px;
+    background-image: url(../images/xtermjs.svg);
 }
 
 .pve-itype-icon-pci {
@@ -522,8 +444,8 @@ div.right-aligned {
     height: 14px;
     position: absolute;
     left: 1px;
-    top: 4px;
-    background-image: url(../images/logo-ceph.png);
+    top: 5px;
+    background-image: url(../images/logo-ceph.svg);
     background-size: 14px 14px;
     content: " ";
 }

www/images/Makefile

@@ -2,93 +2,50 @@ include ../../defines.mk
 
 all:
 
-# start.png /usr/share/icons/gnome/16x16/actions/media-playback-start.png
-# stop.png /usr/share/icons/gnome/16x16/actions/media-playback-stop.png
-# computer-template.png /usr/share/icons/gnome/16x16/mimetypes/gnome-mime-application-vnd.sun.xml.calc.template.png
+# virt-viewer.svg copied from virt-viewer source (and reformatted):
+# https://github.com/webrulon/virt-viewer/blob/master/icons/virt-viewer.svg
+#
+# novnc.svg copied from the noVnc source:
+# https://github.com/novnc/noVNC/blob/master/app/images/icons/novnc-icon-sm.svg
 
-# virt-viewer.png copied from virt-viewer sources
-# tigervnc.png converted from tigervnc sources
-# (tigervnc.org/media/tigervnc_16.svg)
-
-# checked.png converted from extjs examples/ux/css/images/checked.gif
-# unchecked.png converted from extjs examples/ux/css/images/unchecked.gif
-# swap.png downloaded from https://www.iconfinder.com/icons/17009/arrows_exchange_interact_refresh_reload_swap_sync_update_icon#size=16
-
-# icon-cd, icon-pci
+# icon-cd-drive and icon-pci
 # are self made (sources as .xcf)
-# icon-swap, icon-display, icon-harddisk, icon-keyboard, icon-network, icon-usb, icon-cloud
-# come from fontawesome (respective fa-refresh, fa-desktop, fa-hdd-o, fa-keyboard-o, fa-exchange, fa-usb, fa-ellipsis-h, fa-cloud)
+# icon-cloud
+# come from fontawesome (respective fa-cloud)
 
 # icon-serial is a modified version of
 # https://commons.wikimedia.org/wiki/File:DE9_Diagram.svg
 # (public domain)
 
-# ceph logos are from
-#  http://ceph.com/logos/
+# logo-ceph is adapted and reformatted from Ceph_Logo.svg:
+# https://github.com/ceph/ceph/blob/main/src/pybind/mgr/dashboard/frontend/src/assets/Ceph_Logo.svg
 
-# xtermjs.png is a cropped version of the logo found on
-# https://github.com/xtermjs/xterm.js
+# xtermjs.svg was copied from the xtermjs-branding sources:
+# https://github.com/xtermjs/xtermjs-branding/blob/master/logo.svg
 
-GNOME_IMAGES = 			\
-	checked.png		\
-	unchecked.png 		\
-	start.png		\
-	stop.png		\
-	gtk-stop.png		\
-	forward.png		\
-	display.png		\
-	keyboard.png		\
-	cdrom.png		\
-	network.png		\
-	drive-harddisk.png	\
-	network-server.png	\
-	connect_established.png	\
-	computer-template.png   \
-	computer.png
-
-IMAGES = $(GNOME_IMAGES)	\
-	virt-viewer.png		\
-	tigervnc.png		\
-	novnc.png		\
-	xtermjs.png		\
+IMAGES =			\
+	virt-viewer.svg		\
+	novnc.svg		\
+	xtermjs.svg		\
 	favicon.ico		\
-	snapshot.png		\
-	computer-on.png		\
-	memory.png		\
-	processor.png		\
 	proxmox_logo.png	\
-	network-server-on.png	\
-	network-server-off.png	\
-	lxc-on.png		\
-	lxc-off.png		\
-	openvz-on.png		\
-	openvz-off.png		\
-	blank.gif		\
-	swap.png		\
-	icon-swap.png		\
-	icon-cd.png		\
-	icon-network.png	\
-	icon-display.png	\
-	icon-harddisk.png	\
-	icon-keyboard.png	\
-	logo-ceph.png		\
+	logo-ceph.svg		\
 	logo-128.png		\
 	icon-serial.svg		\
 	icon-cloud.svg		\
 	icon-pci.svg		\
-	icon-usb.png 		\
 	icon-die.svg		\
 	icon-sdn.svg		\
 	icon-fa-network-wired.svg\
 	icon-cpu.svg		\
 	icon-memory.svg		\
 	icon-cd-drive.svg	\
-
+	spinner.svg		\
 
 icon-sdn.svg: icon-sdn.dot
 	fdp -Tsvg $< > $@
 
-.PHONY: install 
+.PHONY: install
 install: $(IMAGES)
 	install -d $(WWWIMAGEDIR)
 	install -m 0644 $(IMAGES) $(WWWIMAGEDIR)

www/images/logo-ceph.svg

@@ -0,0 +1,129 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   sodipodi:docname="Ceph_Logo.svg"
+   inkscape:version="1.0 (4035a4fb49, 2020-05-01)"
+   id="svg27"
+   version="1.1"
+   viewBox="0 0 22.93428 22.4424"
+   height="22.4424mm"
+   width="22.93428mm">
+  <defs
+     id="defs21">
+    <color-profile
+       xlink:href="file:///usr/share/color/icc/krita/sRGB-elle-V2-g10.icc"
+       name="sRGB-elle-V2-g10.icc"
+       id="color-profile35" />
+  </defs>
+  <sodipodi:namedview
+     inkscape:window-maximized="1"
+     inkscape:window-y="1080"
+     inkscape:window-x="3840"
+     inkscape:window-height="1051"
+     inkscape:window-width="1920"
+     fit-margin-bottom="0"
+     fit-margin-right="0"
+     fit-margin-left="0"
+     fit-margin-top="0"
+     showgrid="false"
+     inkscape:document-rotation="0"
+     inkscape:current-layer="layer1"
+     inkscape:document-units="mm"
+     inkscape:cy="39.499381"
+     inkscape:cx="29.58201"
+     inkscape:zoom="5.6"
+     inkscape:pageshadow="2"
+     inkscape:pageopacity="0"
+     borderopacity="1.0"
+     bordercolor="#666666"
+     pagecolor="#ffffff"
+     id="base" />
+  <metadata
+     id="metadata24">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title></dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     transform="translate(-111.75311,-212.54075)"
+     id="layer1"
+     inkscape:groupmode="layer"
+     inkscape:label="Ebene 1">
+    <path
+       style="fill:#000;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:0.264583"
+       d="m 123.18096,212.54075 c -1.54244,0 -3.03889,0.30198 -4.44866,0.89818
+        -1.36085,0.57588 -2.58333,1.3995 -3.63198,2.44903 -1.04982,1.04891
+        -1.87352,2.27125 -2.44969,3.63166 -0.59614,1.41006 -0.89752,2.90769
+        -0.89752,4.44931 0,0.88089 0.0998,1.75881 0.29917,2.60975 0.19372,0.82789
+        0.48107,1.63557 0.85432,2.40026 0.68819,1.40905 1.80379,2.81384
+        3.06538,3.86536 0.82281,-0.4498 1.28965,-0.94572 1.38884,-1.47622
+        0.0956,-0.50956 -0.12815,-1.05842 -0.7044,-1.72565 -1.36741,-1.56892
+        -2.12041,-3.58324 -2.12041,-5.6735 0,-4.76667 3.87763,-8.6456
+        8.64495,-8.6456 0.008,0 0.0393,6.6e-4 0.0393,6.6e-4 0,0 0.0305,-6.6e-4
+        0.0383,-6.6e-4 4.76715,0 8.64527,3.87893 8.64527,8.6456 0,2.09026
+        -0.75283,4.1046 -2.11975,5.67284 -0.57201,0.66284 -0.80153,1.23499
+        -0.70211,1.74922 0.10311,0.53107 0.56896,1.02002 1.38458,1.45397
+        1.26331,-1.05177 2.3782,-2.4564 3.06637,-3.86602 0.37372,-0.76469
+        0.66107,-1.57237 0.85464,-2.40026 0.1988,-0.85094 0.29983,-1.72886
+        0.29983,-2.60975 0,-1.54162 -0.30231,-3.03925 -0.89851,-4.44931
+        -0.57588,-1.36041 -1.40013,-2.58275 -2.44904,-3.63166 -1.04913,-1.04953
+        -2.27155,-1.87315 -3.63198,-2.44903 -1.40995,-0.5962 -2.90688,-0.89818
+        -4.44931,-0.89818 h -0.0393 z m -0.004,4.62214 c -0.32192,0 -0.64417,0.0219
+        -0.95873,0.0671 -0.92883,0.1324 -1.8401,0.46397 -2.63525,0.96004
+        -0.75897,0.47323 -1.43426,1.1087 -1.95215,1.83792 -0.53535,0.75374
+        -0.91954,1.62985 -1.10963,2.53316 -0.20655,0.97977 -0.19361,2.01224
+        0.0376,2.98552 0.21276,0.89514 0.61602,1.75703 1.16626,2.49191
+        0.14746,0.19797 0.31251,0.37855 0.48673,0.56987 0.058,0.063 0.11717,0.12782
+        0.17675,0.19411 0.002,0.002 0.003,0.003 0.005,0.005 0.007,0.007
+        0.0162,0.0158 0.0252,0.0265 0.60646,0.70473 0.91421,1.46388 0.91421,2.25525
+        0,1.19597 -0.66414,2.29315 -1.70895,2.85525 0.60776,0.33731 1.24734,0.61904
+        1.90404,0.83925 0.21816,0.0731 0.44001,0.13985 0.6625,0.19934
+        0.13296,-0.0835 0.58624,-0.42093 1.02943,-1.03369 0.42381,-0.58551
+        0.92331,-1.55674 0.89687,-2.85753 -0.0155,-0.78287 -0.17316,-1.54536
+        -0.46709,-2.26507 -0.29199,-0.71355 -0.71021,-1.36743 -1.24449,-1.94268 l
+        -0.002,-0.004 c -0.04,-0.0456 -0.0786,-0.0911 -0.11816,-0.13613
+        -0.20138,-0.23358 -0.40932,-0.47459 -0.57609,-0.75677 -0.20417,-0.34691
+        -0.35302,-0.71154 -0.44123,-1.08442 -0.13724,-0.57588 -0.1445,-1.18703
+        -0.0229,-1.76689 0.1135,-0.53315 0.3392,-1.04985 0.65563,-1.49522
+        0.30638,-0.43154 0.70637,-0.80806 1.15578,-1.08835 0.46898,-0.29265
+        1.00724,-0.48855 1.55511,-0.56627 0.18502,-0.0266 0.37651,-0.0403
+        0.56824,-0.0403 h 0.0409 0.0412 c 0.19212,0 0.38328,0.0137 0.56889,0.0403
+        0.54819,0.0777 1.08631,0.27362 1.55479,0.56627 0.44949,0.28029
+        0.84882,0.65681 1.15545,1.08835 0.31651,0.44537 0.54311,0.96207
+        0.65563,1.49522 0.12194,0.57986 0.11399,1.19101 -0.0222,1.76689
+        -0.0886,0.37288 -0.23731,0.73751 -0.44189,1.08442 -0.16594,0.28218
+        -0.37412,0.52319 -0.57544,0.75677 -0.0397,0.045 -0.0786,0.0905
+        -0.11783,0.13617 l -0.003,0.004 c -0.53338,0.57525 -0.9522,1.22913
+        -1.24416,1.94267 -0.29412,0.71971 -0.45106,1.4822 -0.46742,2.26507
+        -0.0261,1.30079 0.47323,2.27202 0.89753,2.85754 0.44229,0.61275
+        0.89596,0.95014 1.02877,1.03369 0.22233,-0.0595 0.44541,-0.12627
+        0.66349,-0.19934 0.6567,-0.22022 1.29635,-0.50194 1.90436,-0.83926
+        -1.04596,-0.5621 -1.70993,-1.65928 -1.70993,-2.85524 0,-0.78066
+        0.29884,-1.5183 0.91356,-2.25395 0.008,-0.0117 0.0182,-0.0208 0.0252,-0.0278
+        0.002,-0.002 0.004,-0.003 0.006,-0.005 0.0597,-0.0663 0.1185,-0.1311
+        0.17577,-0.19411 0.17488,-0.19132 0.33935,-0.3719 0.48706,-0.56987
+        0.55097,-0.73488 0.95359,-1.59677 1.16691,-2.49191 0.2306,-0.97328
+        0.24377,-2.00575 0.038,-2.98552 -0.19086,-0.90335 -0.57496,-1.77946
+        -1.10998,-2.5332 -0.51797,-0.72922 -1.19318,-1.36469 -1.95215,-1.83792
+        -0.79523,-0.49606 -1.70641,-0.82764 -2.63561,-0.96004 -0.31415,-0.0452
+        -0.63706,-0.0671 -0.95906,-0.0671 h -0.0409 -0.0452 z m 0.0429,4.65814 c
+        -1.24383,0 -2.25624,1.01222 -2.25624,2.25657 0,1.24414 1.01241,2.25624
+        2.25624,2.25624 1.24382,0 2.25591,-1.0121 2.25591,-2.25624 0,-1.24435
+        -1.01209,-2.25657 -2.25591,-2.25657 z"
+       id="path3043-5"
+       inkscape:connector-curvature="0" />
+  </g>
+</svg>

www/images/novnc.svg

@@ -0,0 +1,163 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   width="16"
+   height="16"
+   viewBox="0 0 16 16"
+   id="svg2"
+   version="1.1"
+   inkscape:version="0.91 r13725"
+   sodipodi:docname="novnc-icon-sm.svg">
+  <defs
+     id="defs4" />
+  <sodipodi:namedview
+     id="base"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageopacity="0.0"
+     inkscape:pageshadow="2"
+     inkscape:zoom="45.254834"
+     inkscape:cx="9.722703"
+     inkscape:cy="5.5311896"
+     inkscape:document-units="px"
+     inkscape:current-layer="layer1"
+     showgrid="false"
+     units="px"
+     inkscape:object-nodes="true"
+     inkscape:snap-smooth-nodes="true"
+     inkscape:snap-midpoints="true"
+     inkscape:window-width="1920"
+     inkscape:window-height="1136"
+     inkscape:window-x="1920"
+     inkscape:window-y="27"
+     inkscape:window-maximized="1">
+    <inkscape:grid
+       type="xygrid"
+       id="grid4169" />
+  </sodipodi:namedview>
+  <metadata
+     id="metadata7">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title></dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     inkscape:label="Layer 1"
+     inkscape:groupmode="layer"
+     id="layer1"
+     transform="translate(0,-1036.3621)">
+    <rect
+       style="opacity:1;fill:#494949;fill-opacity:1;stroke:none;stroke-width:1;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
+       id="rect4167"
+       width="16"
+       height="15.999992"
+       x="0"
+       y="1036.3622"
+       ry="2.6666584" />
+    <path
+       style="opacity:1;fill:#313131;fill-opacity:1;stroke:none;stroke-width:1;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
+       d="M 2.6666667,1036.3621 C 1.1893373,1036.3621 0,1037.5515 0,1039.0288 l 0,10.6666 c 0,1.4774 1.1893373,2.6667 2.6666667,2.6667 l 4,0 C 11.837333,1052.3621 16,1046.7128 16,1039.6955 l 0,-0.6667 c 0,-1.4773 -1.189337,-2.6667 -2.666667,-2.6667 l -10.6666663,0 z"
+       id="rect4173"
+       inkscape:connector-curvature="0" />
+    <g
+       id="g4381">
+      <g
+         transform="translate(0.25,0.25)"
+         style="fill:#000000;fill-opacity:1"
+         id="g4365">
+        <g
+           style="fill:#000000;fill-opacity:1"
+           id="g4367">
+          <path
+             inkscape:connector-curvature="0"
+             id="path4369"
+             style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:medium;line-height:125%;font-family:Orbitron;-inkscape-font-specification:'Orbitron Bold';text-align:start;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+             d="m 4.3289754,1039.3621 c 0.1846149,0 0.3419956,0.071 0.4716623,0.2121 C 4.933546,1039.7121 5,1039.8793 5,1040.0759 l 0,3.2862 -1,0 0,-2.964 c 0,-0.024 -0.011592,-0.036 -0.034038,-0.036 l -1.931924,0 C 2.011349,1040.3621 2,1040.3741 2,1040.3981 l 0,2.964 -1,0 0,-4 z"
+             sodipodi:nodetypes="scsccsssscccs" />
+          <path
+             inkscape:connector-curvature="0"
+             id="path4371"
+             style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:medium;line-height:125%;font-family:Orbitron;-inkscape-font-specification:'Orbitron Bold';text-align:start;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+             d="m 6.6710244,1039.3621 2.6579513,0 c 0.184775,0 0.3419957,0.071 0.471662,0.2121 C 9.933546,1039.7121 10,1039.8793 10,1040.0759 l 0,2.5724 c 0,0.1966 -0.066454,0.3655 -0.1993623,0.5069 -0.1296663,0.1379 -0.286887,0.2069 -0.471662,0.2069 l -2.6579513,0 c -0.184775,0 -0.3436164,-0.069 -0.4765247,-0.2069 C 6.0648334,1043.0138 6,1042.8449 6,1042.6483 l 0,-2.5724 c 0,-0.1966 0.064833,-0.3638 0.1944997,-0.5017 0.1329083,-0.1414 0.2917497,-0.2121 0.4765247,-0.2121 z m 2.2949386,1 -1.931926,0 C 7.011344,1040.3621 7,1040.3741 7,1040.3981 l 0,1.928 c 0,0.024 0.011347,0.036 0.034037,0.036 l 1.931926,0 c 0.02269,0 0.034037,-0.012 0.034037,-0.036 l 0,-1.928 c 0,-0.024 -0.011347,-0.036 -0.034037,-0.036 z"
+             sodipodi:nodetypes="sscsscsscsscssssssssss" />
+        </g>
+        <g
+           style="fill:#000000;fill-opacity:1"
+           id="g4373">
+          <path
+             inkscape:connector-curvature="0"
+             id="path4375"
+             style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:medium;line-height:125%;font-family:Orbitron;-inkscape-font-specification:'Orbitron Bold';text-align:start;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+             d="m 3,1047.1121 1,-2.75 1,0 -1.5,4 -1,0 -1.5,-4 1,0 z"
+             sodipodi:nodetypes="cccccccc" />
+          <path
+             inkscape:connector-curvature="0"
+             id="path4377"
+             style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:medium;line-height:125%;font-family:Orbitron;-inkscape-font-specification:'Orbitron Bold';text-align:start;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+             d="m 9,1046.8621 0,-2.5 1,0 0,4 -1,0 -2,-2.5 0,2.5 -1,0 0,-4 1,0 z"
+             sodipodi:nodetypes="ccccccccccc" />
+          <path
+             inkscape:connector-curvature="0"
+             id="path4379"
+             style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:medium;line-height:125%;font-family:Orbitron;-inkscape-font-specification:'Orbitron Bold';text-align:start;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+             d="m 15,1045.3621 -2.96596,0 c -0.02269,0 -0.03404,0.012 -0.03404,0.036 l 0,1.928 c 0,0.024 0.01135,0.036 0.03404,0.036 l 2.96596,0 0,1 -3.324113,0 c -0.188017,0 -0.348479,-0.068 -0.481388,-0.2037 C 11.064833,1048.0192 11,1047.8511 11,1047.6542 l 0,-2.5842 c 0,-0.1969 0.06483,-0.3633 0.194499,-0.4991 0.132909,-0.1392 0.293371,-0.2088 0.481388,-0.2088 l 3.324113,0 z"
+             sodipodi:nodetypes="cssssccscsscscc" />
+        </g>
+      </g>
+      <g
+         id="g4356">
+        <g
+           id="g4347">
+          <path
+             sodipodi:nodetypes="scsccsssscccs"
+             d="m 4.3289754,1039.3621 c 0.1846149,0 0.3419956,0.071 0.4716623,0.2121 C 4.933546,1039.7121 5,1039.8793 5,1040.0759 l 0,3.2862 -1,0 0,-2.964 c 0,-0.024 -0.011592,-0.036 -0.034038,-0.036 l -1.931924,0 c -0.022689,0 -0.034038,0.012 -0.034038,0.036 l 0,2.964 -1,0 0,-4 z"
+             style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:medium;line-height:125%;font-family:Orbitron;-inkscape-font-specification:'Orbitron Bold';text-align:start;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#008000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+             id="path4143"
+             inkscape:connector-curvature="0" />
+          <path
+             sodipodi:nodetypes="sscsscsscsscssssssssss"
+             d="m 6.6710244,1039.3621 2.6579513,0 c 0.184775,0 0.3419957,0.071 0.471662,0.2121 C 9.933546,1039.7121 10,1039.8793 10,1040.0759 l 0,2.5724 c 0,0.1966 -0.066454,0.3655 -0.1993623,0.5069 -0.1296663,0.1379 -0.286887,0.2069 -0.471662,0.2069 l -2.6579513,0 c -0.184775,0 -0.3436164,-0.069 -0.4765247,-0.2069 C 6.0648334,1043.0138 6,1042.8449 6,1042.6483 l 0,-2.5724 c 0,-0.1966 0.064833,-0.3638 0.1944997,-0.5017 0.1329083,-0.1414 0.2917497,-0.2121 0.4765247,-0.2121 z m 2.2949386,1 -1.931926,0 C 7.011344,1040.3621 7,1040.3741 7,1040.3981 l 0,1.928 c 0,0.024 0.011347,0.036 0.034037,0.036 l 1.931926,0 c 0.02269,0 0.034037,-0.012 0.034037,-0.036 l 0,-1.928 c 0,-0.024 -0.011347,-0.036 -0.034037,-0.036 z"
+             style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:medium;line-height:125%;font-family:Orbitron;-inkscape-font-specification:'Orbitron Bold';text-align:start;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#008000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+             id="path4145"
+             inkscape:connector-curvature="0" />
+        </g>
+        <g
+           id="g4351">
+          <path
+             sodipodi:nodetypes="cccccccc"
+             d="m 3,1047.1121 1,-2.75 1,0 -1.5,4 -1,0 -1.5,-4 1,0 z"
+             style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:medium;line-height:125%;font-family:Orbitron;-inkscape-font-specification:'Orbitron Bold';text-align:start;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#ffff00;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+             id="path4147"
+             inkscape:connector-curvature="0" />
+          <path
+             sodipodi:nodetypes="ccccccccccc"
+             d="m 9,1046.8621 0,-2.5 1,0 0,4 -1,0 -2,-2.5 0,2.5 -1,0 0,-4 1,0 z"
+             style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:medium;line-height:125%;font-family:Orbitron;-inkscape-font-specification:'Orbitron Bold';text-align:start;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#ffff00;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+             id="path4149"
+             inkscape:connector-curvature="0" />
+          <path
+             sodipodi:nodetypes="cssssccscsscscc"
+             d="m 15,1045.3621 -2.96596,0 c -0.02269,0 -0.03404,0.012 -0.03404,0.036 l 0,1.928 c 0,0.024 0.01135,0.036 0.03404,0.036 l 2.96596,0 0,1 -3.324113,0 c -0.188017,0 -0.348479,-0.068 -0.481388,-0.2037 C 11.064833,1048.0192 11,1047.8511 11,1047.6542 l 0,-2.5842 c 0,-0.1969 0.06483,-0.3633 0.194499,-0.4991 0.132909,-0.1392 0.293371,-0.2088 0.481388,-0.2088 l 3.324113,0 z"
+             style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:medium;line-height:125%;font-family:Orbitron;-inkscape-font-specification:'Orbitron Bold';text-align:start;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#ffff00;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+             id="path4151"
+             inkscape:connector-curvature="0" />
+        </g>
+      </g>
+    </g>
+  </g>
+</svg>