]>
Commit | Line | Data |
---|---|---|
f76a2828 DM |
1 | package PVE::API2::LXC; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
0e0958a5 FG |
6 | use Socket qw(SOCK_STREAM); |
7 | ||
f76a2828 DM |
8 | use PVE::SafeSyslog; |
9 | use PVE::Tools qw(extract_param run_command); | |
0620edda | 10 | use PVE::Exception qw(raise raise_param_exc raise_perm_exc); |
f76a2828 | 11 | use PVE::INotify; |
9c2d4ce9 | 12 | use PVE::Cluster qw(cfs_read_file); |
d949527f | 13 | use PVE::RRD; |
8b076579 | 14 | use PVE::DataCenterConfig; |
f76a2828 | 15 | use PVE::AccessControl; |
2f9b5ead | 16 | use PVE::Firewall; |
f76a2828 DM |
17 | use PVE::Storage; |
18 | use PVE::RESTHandler; | |
19 | use PVE::RPCEnvironment; | |
c5a8e04f | 20 | use PVE::ReplicationConfig; |
f76a2828 | 21 | use PVE::LXC; |
7af97ad5 | 22 | use PVE::LXC::Create; |
6f42807e | 23 | use PVE::LXC::Migrate; |
56462053 | 24 | use PVE::GuestHelpers; |
c5a09704 | 25 | use PVE::VZDump::Plugin; |
52389a07 DM |
26 | use PVE::API2::LXC::Config; |
27 | use PVE::API2::LXC::Status; | |
28 | use PVE::API2::LXC::Snapshot; | |
f76a2828 DM |
29 | use PVE::JSONSchema qw(get_standard_option); |
30 | use base qw(PVE::RESTHandler); | |
31 | ||
6c2e9377 WB |
32 | BEGIN { |
33 | if (!$ENV{PVE_GENERATING_DOCS}) { | |
34 | require PVE::HA::Env::PVE2; | |
35 | import PVE::HA::Env::PVE2; | |
36 | require PVE::HA::Config; | |
37 | import PVE::HA::Config; | |
38 | } | |
39 | } | |
f76a2828 | 40 | |
e90ddc4c FG |
41 | my $check_storage_access_migrate = sub { |
42 | my ($rpcenv, $authuser, $storecfg, $storage, $node) = @_; | |
43 | ||
44 | PVE::Storage::storage_check_enabled($storecfg, $storage, $node); | |
45 | ||
46 | $rpcenv->check($authuser, "/storage/$storage", ['Datastore.AllocateSpace']); | |
47 | ||
48 | my $scfg = PVE::Storage::storage_config($storecfg, $storage); | |
49 | die "storage '$storage' does not support CT rootdirs\n" | |
50 | if !$scfg->{content}->{rootdir}; | |
51 | }; | |
52 | ||
52389a07 DM |
53 | __PACKAGE__->register_method ({ |
54 | subclass => "PVE::API2::LXC::Config", | |
fa91e46f | 55 | path => '{vmid}/config', |
52389a07 | 56 | }); |
f76a2828 | 57 | |
52389a07 DM |
58 | __PACKAGE__->register_method ({ |
59 | subclass => "PVE::API2::LXC::Status", | |
60 | path => '{vmid}/status', | |
61 | }); | |
f76a2828 | 62 | |
52389a07 DM |
63 | __PACKAGE__->register_method ({ |
64 | subclass => "PVE::API2::LXC::Snapshot", | |
65 | path => '{vmid}/snapshot', | |
66 | }); | |
f76a2828 | 67 | |
52389a07 DM |
68 | __PACKAGE__->register_method ({ |
69 | subclass => "PVE::API2::Firewall::CT", | |
70 | path => '{vmid}/firewall', | |
71 | }); | |
1e6c8d5b | 72 | |
f76a2828 | 73 | __PACKAGE__->register_method({ |
5c752bbf DM |
74 | name => 'vmlist', |
75 | path => '', | |
f76a2828 DM |
76 | method => 'GET', |
77 | description => "LXC container index (per node).", | |
78 | permissions => { | |
79 | description => "Only list CTs where you have VM.Audit permissons on /vms/<vmid>.", | |
80 | user => 'all', | |
81 | }, | |
82 | proxyto => 'node', | |
83 | protected => 1, # /proc files are only readable by root | |
84 | parameters => { | |
85 | additionalProperties => 0, | |
86 | properties => { | |
87 | node => get_standard_option('pve-node'), | |
88 | }, | |
89 | }, | |
90 | returns => { | |
91 | type => 'array', | |
92 | items => { | |
93 | type => "object", | |
8233d33d | 94 | properties => $PVE::LXC::vmstatus_return_properties, |
f76a2828 DM |
95 | }, |
96 | links => [ { rel => 'child', href => "{vmid}" } ], | |
97 | }, | |
98 | code => sub { | |
99 | my ($param) = @_; | |
100 | ||
101 | my $rpcenv = PVE::RPCEnvironment::get(); | |
102 | my $authuser = $rpcenv->get_user(); | |
103 | ||
104 | my $vmstatus = PVE::LXC::vmstatus(); | |
105 | ||
106 | my $res = []; | |
107 | foreach my $vmid (keys %$vmstatus) { | |
108 | next if !$rpcenv->check($authuser, "/vms/$vmid", [ 'VM.Audit' ], 1); | |
109 | ||
110 | my $data = $vmstatus->{$vmid}; | |
f76a2828 DM |
111 | push @$res, $data; |
112 | } | |
113 | ||
114 | return $res; | |
5c752bbf | 115 | |
f76a2828 DM |
116 | }}); |
117 | ||
9c2d4ce9 | 118 | __PACKAGE__->register_method({ |
5c752bbf DM |
119 | name => 'create_vm', |
120 | path => '', | |
9c2d4ce9 DM |
121 | method => 'POST', |
122 | description => "Create or restore a container.", | |
123 | permissions => { | |
124 | user => 'all', # check inside | |
125 | description => "You need 'VM.Allocate' permissions on /vms/{vmid} or on the VM pool /pool/{pool}. " . | |
126 | "For restore, it is enough if the user has 'VM.Backup' permission and the VM already exists. " . | |
127 | "You also need 'Datastore.AllocateSpace' permissions on the storage.", | |
128 | }, | |
129 | protected => 1, | |
130 | proxyto => 'node', | |
131 | parameters => { | |
132 | additionalProperties => 0, | |
1b4cf758 | 133 | properties => PVE::LXC::Config->json_config_properties({ |
9c2d4ce9 | 134 | node => get_standard_option('pve-node'), |
781e26b2 | 135 | vmid => get_standard_option('pve-vmid', { completion => \&PVE::Cluster::complete_next_vmid }), |
9c2d4ce9 DM |
136 | ostemplate => { |
137 | description => "The OS template or backup file.", | |
5c752bbf | 138 | type => 'string', |
9c2d4ce9 | 139 | maxLength => 255, |
68e8f3c5 | 140 | completion => \&PVE::LXC::complete_os_templates, |
9c2d4ce9 | 141 | }, |
5c752bbf DM |
142 | password => { |
143 | optional => 1, | |
9c2d4ce9 DM |
144 | type => 'string', |
145 | description => "Sets root password inside container.", | |
168d6b07 | 146 | minLength => 5, |
9c2d4ce9 DM |
147 | }, |
148 | storage => get_standard_option('pve-storage-id', { | |
eb35f9c0 | 149 | description => "Default Storage.", |
9c2d4ce9 DM |
150 | default => 'local', |
151 | optional => 1, | |
c5362cda | 152 | completion => \&PVE::Storage::complete_storage_enabled, |
9c2d4ce9 DM |
153 | }), |
154 | force => { | |
5c752bbf | 155 | optional => 1, |
9c2d4ce9 DM |
156 | type => 'boolean', |
157 | description => "Allow to overwrite existing container.", | |
158 | }, | |
159 | restore => { | |
5c752bbf | 160 | optional => 1, |
9c2d4ce9 DM |
161 | type => 'boolean', |
162 | description => "Mark this as restore task.", | |
163 | }, | |
43912111 CE |
164 | unique => { |
165 | optional => 1, | |
166 | type => 'boolean', | |
167 | description => "Assign a unique random ethernet address.", | |
168 | requires => 'restore', | |
169 | }, | |
5c752bbf | 170 | pool => { |
9c2d4ce9 DM |
171 | optional => 1, |
172 | type => 'string', format => 'pve-poolid', | |
173 | description => "Add the VM to the specified pool.", | |
174 | }, | |
7c78b6cc WB |
175 | 'ignore-unpack-errors' => { |
176 | optional => 1, | |
177 | type => 'boolean', | |
178 | description => "Ignore errors when extracting the template.", | |
179 | }, | |
34ddbf08 FG |
180 | 'ssh-public-keys' => { |
181 | optional => 1, | |
182 | type => 'string', | |
183 | description => "Setup public SSH keys (one key per line, " . | |
184 | "OpenSSH format).", | |
185 | }, | |
f9b4407e | 186 | bwlimit => { |
8ead60ef | 187 | description => "Override I/O bandwidth limit (in KiB/s).", |
f9b4407e WB |
188 | optional => 1, |
189 | type => 'number', | |
190 | minimum => '0', | |
41e9b65c | 191 | default => 'restore limit from datacenter or storage config', |
f9b4407e | 192 | }, |
9d0225fb TL |
193 | start => { |
194 | optional => 1, | |
195 | type => 'boolean', | |
196 | default => 0, | |
197 | description => "Start the CT after its creation finished successfully.", | |
198 | }, | |
9c2d4ce9 DM |
199 | }), |
200 | }, | |
5c752bbf | 201 | returns => { |
9c2d4ce9 DM |
202 | type => 'string', |
203 | }, | |
204 | code => sub { | |
205 | my ($param) = @_; | |
206 | ||
61783321 TL |
207 | PVE::Cluster::check_cfs_quorum(); |
208 | ||
9c2d4ce9 | 209 | my $rpcenv = PVE::RPCEnvironment::get(); |
9c2d4ce9 DM |
210 | my $authuser = $rpcenv->get_user(); |
211 | ||
212 | my $node = extract_param($param, 'node'); | |
9c2d4ce9 | 213 | my $vmid = extract_param($param, 'vmid'); |
7c78b6cc | 214 | my $ignore_unpack_errors = extract_param($param, 'ignore-unpack-errors'); |
f9b4407e | 215 | my $bwlimit = extract_param($param, 'bwlimit'); |
9d0225fb TL |
216 | my $start_after_create = extract_param($param, 'start'); |
217 | ||
67afe46e | 218 | my $basecfg_fn = PVE::LXC::Config->config_file($vmid); |
9c2d4ce9 DM |
219 | my $same_container_exists = -f $basecfg_fn; |
220 | ||
425b62cb WB |
221 | # 'unprivileged' is read-only, so we can't pass it to update_pct_config |
222 | my $unprivileged = extract_param($param, 'unprivileged'); | |
9c2d4ce9 | 223 | my $restore = extract_param($param, 'restore'); |
43912111 | 224 | my $unique = extract_param($param, 'unique'); |
9c2d4ce9 | 225 | |
8fe13f0c FE |
226 | $param->{cpuunits} = PVE::CGroup::clamp_cpu_shares($param->{cpuunits}) |
227 | if defined($param->{cpuunits}); # clamp value depending on cgroup version | |
228 | ||
39170644 FG |
229 | # used to skip firewall config restore if user lacks permission |
230 | my $skip_fw_config_restore = 0; | |
231 | ||
148d1cb4 DM |
232 | if ($restore) { |
233 | # fixme: limit allowed parameters | |
148d1cb4 | 234 | } |
351bc0c4 | 235 | |
9c2d4ce9 DM |
236 | my $force = extract_param($param, 'force'); |
237 | ||
238 | if (!($same_container_exists && $restore && $force)) { | |
239 | PVE::Cluster::check_vmid_unused($vmid); | |
e22af68f | 240 | } else { |
61783321 | 241 | die "can't overwrite running container\n" if PVE::LXC::check_running($vmid); |
67afe46e FG |
242 | my $conf = PVE::LXC::Config->load_config($vmid); |
243 | PVE::LXC::Config->check_protection($conf, "unable to restore CT $vmid"); | |
9c2d4ce9 | 244 | } |
5c752bbf | 245 | |
9c2d4ce9 | 246 | my $password = extract_param($param, 'password'); |
34ddbf08 | 247 | my $ssh_keys = extract_param($param, 'ssh-public-keys'); |
2130286f | 248 | PVE::Tools::validate_ssh_public_keys($ssh_keys) if defined($ssh_keys); |
34ddbf08 | 249 | |
27916659 | 250 | my $pool = extract_param($param, 'pool'); |
f4b4443d | 251 | $rpcenv->check_pool_exist($pool) if defined($pool); |
9c2d4ce9 DM |
252 | |
253 | if ($rpcenv->check($authuser, "/vms/$vmid", ['VM.Allocate'], 1)) { | |
254 | # OK | |
255 | } elsif ($pool && $rpcenv->check($authuser, "/pool/$pool", ['VM.Allocate'], 1)) { | |
256 | # OK | |
257 | } elsif ($restore && $force && $same_container_exists && | |
258 | $rpcenv->check($authuser, "/vms/$vmid", ['VM.Backup'], 1)) { | |
259 | # OK: user has VM.Backup permissions, and want to restore an existing VM | |
39170644 FG |
260 | |
261 | # we don't want to restore a container-provided FW conf in this case | |
262 | # since the user is lacking permission to configure the container's FW | |
263 | $skip_fw_config_restore = 1; | |
b9623ef8 DC |
264 | |
265 | # error out if a user tries to change from unprivileged to privileged | |
266 | # explicit change is checked here, implicit is checked down below or happening in root-only paths | |
267 | my $conf = PVE::LXC::Config->load_config($vmid); | |
268 | if ($conf->{unprivileged} && defined($unprivileged) && !$unprivileged) { | |
269 | raise_perm_exc("cannot change from unprivileged to privileged without VM.Allocate"); | |
270 | } | |
9c2d4ce9 DM |
271 | } else { |
272 | raise_perm_exc(); | |
273 | } | |
274 | ||
9eb69152 | 275 | my $ostemplate = extract_param($param, 'ostemplate'); |
bb6afcb0 DM |
276 | my $storage = extract_param($param, 'storage') // 'local'; |
277 | ||
de41bced | 278 | PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, $pool, undef, $param, [], $unprivileged); |
9eb69152 | 279 | |
bb6afcb0 | 280 | my $storage_cfg = cfs_read_file("storage.cfg"); |
9c2d4ce9 | 281 | |
9c2d4ce9 | 282 | my $archive; |
9c2d4ce9 | 283 | if ($ostemplate eq '-') { |
351bc0c4 TM |
284 | die "pipe requires cli environment\n" |
285 | if $rpcenv->{type} ne 'cli'; | |
286 | die "pipe can only be used with restore tasks\n" | |
148d1cb4 DM |
287 | if !$restore; |
288 | $archive = '-'; | |
b51a98d4 | 289 | die "restore from pipe requires rootfs parameter\n" if !defined($param->{rootfs}); |
9c2d4ce9 | 290 | } else { |
d387c0be FE |
291 | my $content_type = $restore ? 'backup' : 'vztmpl'; |
292 | PVE::Storage::check_volume_access( | |
293 | $rpcenv, | |
294 | $authuser, | |
295 | $storage_cfg, | |
296 | $vmid, | |
297 | $ostemplate, | |
298 | $content_type, | |
299 | ); | |
99a0bcb0 | 300 | $archive = $ostemplate; |
9c2d4ce9 DM |
301 | } |
302 | ||
f9b4407e | 303 | my %used_storages; |
bb6afcb0 DM |
304 | my $check_and_activate_storage = sub { |
305 | my ($sid) = @_; | |
306 | ||
a1c27f86 | 307 | my $scfg = PVE::Storage::storage_check_enabled($storage_cfg, $sid, $node); |
bb6afcb0 DM |
308 | |
309 | raise_param_exc({ storage => "storage '$sid' does not support container directories"}) | |
310 | if !$scfg->{content}->{rootdir}; | |
311 | ||
312 | $rpcenv->check($authuser, "/storage/$sid", ['Datastore.AllocateSpace']); | |
313 | ||
314 | PVE::Storage::activate_storage($storage_cfg, $sid); | |
f9b4407e | 315 | $used_storages{$sid} = 1; |
bb6afcb0 DM |
316 | }; |
317 | ||
9c2d4ce9 | 318 | my $conf = {}; |
5b4657d0 | 319 | |
99132ce0 WB |
320 | my $is_root = $authuser eq 'root@pam'; |
321 | ||
b51a98d4 | 322 | my $no_disk_param = {}; |
db18c1e4 FG |
323 | my $mp_param = {}; |
324 | my $storage_only_mode = 1; | |
b51a98d4 | 325 | foreach my $opt (keys %$param) { |
78ccc99b DM |
326 | my $value = $param->{$opt}; |
327 | if ($opt eq 'rootfs' || $opt =~ m/^mp\d+$/) { | |
328 | # allow to use simple numbers (add default storage in that case) | |
db18c1e4 FG |
329 | if ($value =~ m/^\d+(\.\d+)?$/) { |
330 | $mp_param->{$opt} = "$storage:$value"; | |
331 | } else { | |
332 | $mp_param->{$opt} = $value; | |
333 | } | |
334 | $storage_only_mode = 0; | |
a9dd8015 FG |
335 | } elsif ($opt =~ m/^unused\d+$/) { |
336 | warn "ignoring '$opt', cannot create/restore with unused volume\n"; | |
337 | delete $param->{$opt}; | |
78ccc99b DM |
338 | } else { |
339 | $no_disk_param->{$opt} = $value; | |
340 | } | |
b51a98d4 | 341 | } |
bb6afcb0 | 342 | |
235dbdf3 | 343 | die "mount points configured, but 'rootfs' not set - aborting\n" |
db18c1e4 FG |
344 | if !$storage_only_mode && !defined($mp_param->{rootfs}); |
345 | ||
bb6afcb0 | 346 | # check storage access, activate storage |
db18c1e4 | 347 | my $delayed_mp_param = {}; |
015740e6 | 348 | PVE::LXC::Config->foreach_volume($mp_param, sub { |
bb6afcb0 DM |
349 | my ($ms, $mountpoint) = @_; |
350 | ||
351 | my $volid = $mountpoint->{volume}; | |
352 | my $mp = $mountpoint->{mp}; | |
353 | ||
e2007ac2 DM |
354 | if ($mountpoint->{type} ne 'volume') { # bind or device |
355 | die "Only root can pass arbitrary filesystem paths.\n" | |
99132ce0 | 356 | if !$is_root; |
e2007ac2 DM |
357 | } else { |
358 | my ($sid, $volname) = PVE::Storage::parse_volume_id($volid); | |
359 | &$check_and_activate_storage($sid); | |
360 | } | |
bb6afcb0 DM |
361 | }); |
362 | ||
363 | # check/activate default storage | |
db18c1e4 | 364 | &$check_and_activate_storage($storage) if !defined($mp_param->{rootfs}); |
bb6afcb0 | 365 | |
1b4cf758 | 366 | PVE::LXC::Config->update_pct_config($vmid, $conf, 0, $no_disk_param); |
9c2d4ce9 | 367 | |
425b62cb WB |
368 | $conf->{unprivileged} = 1 if $unprivileged; |
369 | ||
61783321 | 370 | my $emsg = $restore ? "unable to restore CT $vmid -" : "unable to create CT $vmid -"; |
bccaa371 | 371 | |
61783321 TL |
372 | eval { PVE::LXC::Config->create_and_lock_config($vmid, $force) }; |
373 | die "$emsg $@" if $@; | |
bccaa371 | 374 | |
0730b005 | 375 | my $destroy_config_on_error = !$same_container_exists; |
b9623ef8 | 376 | |
61783321 TL |
377 | my $code = sub { |
378 | my $old_conf = PVE::LXC::Config->load_config($vmid); | |
a2d3e5c3 | 379 | my $was_template; |
bccaa371 | 380 | |
0730b005 | 381 | my $vollist = []; |
27916659 | 382 | eval { |
5a7a51d0 WB |
383 | my $orig_mp_param; # only used if $restore |
384 | if ($restore) { | |
61783321 | 385 | die "can't overwrite running container\n" if PVE::LXC::check_running($vmid); |
32e56bed | 386 | if ($archive ne '-') { |
a48e5562 | 387 | my $orig_conf; |
bc871ffb | 388 | print "recovering backed-up configuration from '$archive'\n"; |
12aec1d2 | 389 | ($orig_conf, $orig_mp_param) = PVE::LXC::Create::recover_config($storage_cfg, $archive, $vmid); |
6597f369 | 390 | |
ee81952f FG |
391 | for my $opt (keys %$orig_conf) { |
392 | # early check before disks are created | |
393 | # the "real" check is in later on when actually merging the configs | |
394 | if ($opt =~ /^net\d+$/ && !defined($param->{$opt})) { | |
395 | PVE::LXC::check_bridge_access($rpcenv, $authuser, $orig_conf->{$opt}); | |
396 | } | |
397 | } | |
398 | ||
a2d3e5c3 | 399 | $was_template = delete $orig_conf->{template}; |
6597f369 | 400 | |
a67908f1 | 401 | # When we're root call 'restore_configuration' with restricted=0, |
5a7a51d0 WB |
402 | # causing it to restore the raw lxc entries, among which there may be |
403 | # 'lxc.idmap' entries. We need to make sure that the extracted contents | |
404 | # of the container match up with the restored configuration afterwards: | |
32e56bed | 405 | $conf->{lxc} = $orig_conf->{lxc} if $is_root; |
8ffdc116 OB |
406 | |
407 | $conf->{unprivileged} = $orig_conf->{unprivileged} | |
408 | if !defined($unprivileged) && defined($orig_conf->{unprivileged}); | |
b9623ef8 DC |
409 | |
410 | # implicit privileged change is checked here | |
411 | if ($old_conf->{unprivileged} && !$conf->{unprivileged}) { | |
412 | $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Allocate']); | |
413 | } | |
5a7a51d0 | 414 | } |
f360d7f1 | 415 | } |
db18c1e4 | 416 | if ($storage_only_mode) { |
b51a98d4 | 417 | if ($restore) { |
a48e5562 | 418 | if (!defined($orig_mp_param)) { |
bc871ffb | 419 | print "recovering backed-up configuration from '$archive'\n"; |
12aec1d2 | 420 | (undef, $orig_mp_param) = PVE::LXC::Create::recover_config($storage_cfg, $archive, $vmid); |
a5246958 | 421 | } |
f360d7f1 | 422 | $mp_param = $orig_mp_param; |
db18c1e4 FG |
423 | die "rootfs configuration could not be recovered, please check and specify manually!\n" |
424 | if !defined($mp_param->{rootfs}); | |
015740e6 | 425 | PVE::LXC::Config->foreach_volume($mp_param, sub { |
db18c1e4 FG |
426 | my ($ms, $mountpoint) = @_; |
427 | my $type = $mountpoint->{type}; | |
428 | if ($type eq 'volume') { | |
429 | die "unable to detect disk size - please specify $ms (size)\n" | |
430 | if !defined($mountpoint->{size}); | |
431 | my $disksize = $mountpoint->{size} / (1024 * 1024 * 1024); # create_disks expects GB as unit size | |
432 | delete $mountpoint->{size}; | |
433 | $mountpoint->{volume} = "$storage:$disksize"; | |
434 | $mp_param->{$ms} = PVE::LXC::Config->print_ct_mountpoint($mountpoint, $ms eq 'rootfs'); | |
435 | } else { | |
15e4d443 | 436 | my $type = $mountpoint->{type}; |
7e0e7f38 FG |
437 | die "restoring rootfs to $type mount is only possible by specifying -rootfs manually!\n" |
438 | if ($ms eq 'rootfs'); | |
20f9339d | 439 | die "restoring '$ms' to $type mount is only possible for root\n" |
99132ce0 | 440 | if !$is_root; |
7e0e7f38 | 441 | |
15e4d443 FG |
442 | if ($mountpoint->{backup}) { |
443 | warn "WARNING - unsupported configuration!\n"; | |
235dbdf3 FG |
444 | warn "backup was enabled for $type mount point $ms ('$mountpoint->{mp}')\n"; |
445 | warn "mount point configuration will be restored after archive extraction!\n"; | |
15e4d443 FG |
446 | warn "contained files will be restored to wrong directory!\n"; |
447 | } | |
136040f4 | 448 | delete $mp_param->{$ms}; # actually delay bind/dev mps |
db18c1e4 FG |
449 | $delayed_mp_param->{$ms} = PVE::LXC::Config->print_ct_mountpoint($mountpoint, $ms eq 'rootfs'); |
450 | } | |
451 | }); | |
b51a98d4 | 452 | } else { |
db18c1e4 | 453 | $mp_param->{rootfs} = "$storage:4"; # defaults to 4GB |
b51a98d4 DM |
454 | } |
455 | } | |
b9623ef8 | 456 | |
0730b005 DT |
457 | # up until here we did not modify the container, besides the lock |
458 | $destroy_config_on_error = 1; | |
b51a98d4 | 459 | |
db18c1e4 FG |
460 | $vollist = PVE::LXC::create_disks($storage_cfg, $vmid, $mp_param, $conf); |
461 | ||
61783321 TL |
462 | # we always have the 'create' lock so check for more than 1 entry |
463 | if (scalar(keys %$old_conf) > 1) { | |
51665c2d | 464 | # destroy old container volumes |
61783321 | 465 | PVE::LXC::destroy_lxc_container($storage_cfg, $vmid, $old_conf, { lock => 'create' }); |
51665c2d | 466 | } |
51665c2d FG |
467 | |
468 | eval { | |
469 | my $rootdir = PVE::LXC::mount_all($vmid, $storage_cfg, $conf, 1); | |
f9b4407e | 470 | $bwlimit = PVE::Storage::get_bandwidth_limit('restore', [keys %used_storages], $bwlimit); |
bc871ffb FG |
471 | print "restoring '$archive' now..\n" |
472 | if $restore && $archive ne '-'; | |
99a0bcb0 | 473 | PVE::LXC::Create::restore_archive($storage_cfg, $archive, $rootdir, $conf, $ignore_unpack_errors, $bwlimit); |
51665c2d FG |
474 | |
475 | if ($restore) { | |
bc871ffb | 476 | print "merging backed-up and given configuration..\n"; |
99a0bcb0 | 477 | PVE::LXC::Create::restore_configuration($vmid, $storage_cfg, $archive, $rootdir, $conf, !$is_root, $unique, $skip_fw_config_restore); |
9fd103b2 | 478 | PVE::LXC::create_ifaces_ipams_ips($conf, $vmid) if $unique; |
4b4bbe55 OB |
479 | my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir); |
480 | $lxc_setup->template_fixup($conf); | |
51665c2d | 481 | } else { |
9fd103b2 | 482 | PVE::LXC::create_ifaces_ipams_ips($conf, $vmid); |
51665c2d FG |
483 | my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir); # detect OS |
484 | PVE::LXC::Config->write_config($vmid, $conf); # safe config (after OS detection) | |
485 | $lxc_setup->post_create_hook($password, $ssh_keys); | |
486 | } | |
487 | }; | |
488 | my $err = $@; | |
489 | PVE::LXC::umount_all($vmid, $storage_cfg, $conf, $err ? 1 : 0); | |
490 | PVE::Storage::deactivate_volumes($storage_cfg, PVE::LXC::Config->get_vm_volumes($conf)); | |
491 | die $err if $err; | |
27916659 DM |
492 | # set some defaults |
493 | $conf->{hostname} ||= "CT$vmid"; | |
494 | $conf->{memory} ||= 512; | |
495 | $conf->{swap} //= 512; | |
db18c1e4 FG |
496 | foreach my $mp (keys %$delayed_mp_param) { |
497 | $conf->{$mp} = $delayed_mp_param->{$mp}; | |
498 | } | |
a2d3e5c3 CE |
499 | # If the template flag was set, we try to convert again to template after restore |
500 | if ($was_template) { | |
501 | print STDERR "Convert restored container to template...\n"; | |
4c64d0db FE |
502 | PVE::LXC::template_create($vmid, $conf); |
503 | $conf->{template} = 1; | |
a2d3e5c3 | 504 | } |
67afe46e | 505 | PVE::LXC::Config->write_config($vmid, $conf); |
27916659 DM |
506 | }; |
507 | if (my $err = $@) { | |
9fd103b2 AD |
508 | eval { PVE::LXC::delete_ifaces_ipams_ips($conf, $vmid) }; |
509 | warn $@ if $@; | |
6c871c36 | 510 | PVE::LXC::destroy_disks($storage_cfg, $vollist); |
0730b005 DT |
511 | if ($destroy_config_on_error) { |
512 | eval { PVE::LXC::Config->destroy_config($vmid) }; | |
513 | warn $@ if $@; | |
62a991db DT |
514 | |
515 | if (!$skip_fw_config_restore) { # Only if user has permission to change the fw | |
516 | PVE::Firewall::remove_vmfw_conf($vmid); | |
517 | warn $@ if $@; | |
518 | } | |
0730b005 | 519 | } |
61783321 | 520 | die "$emsg $err"; |
6d098bf4 | 521 | } |
87273b2b | 522 | PVE::AccessControl::add_vm_to_pool($vmid, $pool) if $pool; |
9d0225fb TL |
523 | |
524 | PVE::API2::LXC::Status->vm_start({ vmid => $vmid, node => $node }) | |
525 | if $start_after_create; | |
9c2d4ce9 | 526 | }; |
5c752bbf | 527 | |
8a6fc617 | 528 | my $workername = $restore ? 'vzrestore' : 'vzcreate'; |
b9623ef8 DC |
529 | my $realcmd = sub { |
530 | eval { | |
531 | PVE::LXC::Config->lock_config($vmid, $code); | |
532 | }; | |
533 | if (my $err = $@) { | |
534 | # if we aborted before changing the container, we must remove the create lock | |
0730b005 | 535 | if (!$destroy_config_on_error) { |
b9623ef8 DC |
536 | PVE::LXC::Config->remove_lock($vmid, 'create'); |
537 | } | |
538 | die $err; | |
539 | } | |
540 | }; | |
9c2d4ce9 | 541 | |
8a6fc617 | 542 | return $rpcenv->fork_worker($workername, $vmid, $authuser, $realcmd); |
9c2d4ce9 DM |
543 | }}); |
544 | ||
f76a2828 DM |
545 | __PACKAGE__->register_method({ |
546 | name => 'vmdiridx', | |
5c752bbf | 547 | path => '{vmid}', |
f76a2828 DM |
548 | method => 'GET', |
549 | proxyto => 'node', | |
550 | description => "Directory index", | |
551 | permissions => { | |
552 | user => 'all', | |
553 | }, | |
554 | parameters => { | |
555 | additionalProperties => 0, | |
556 | properties => { | |
557 | node => get_standard_option('pve-node'), | |
558 | vmid => get_standard_option('pve-vmid'), | |
559 | }, | |
560 | }, | |
561 | returns => { | |
562 | type => 'array', | |
563 | items => { | |
564 | type => "object", | |
565 | properties => { | |
566 | subdir => { type => 'string' }, | |
567 | }, | |
568 | }, | |
569 | links => [ { rel => 'child', href => "{subdir}" } ], | |
570 | }, | |
571 | code => sub { | |
572 | my ($param) = @_; | |
573 | ||
574 | # test if VM exists | |
67afe46e | 575 | my $conf = PVE::LXC::Config->load_config($param->{vmid}); |
f76a2828 DM |
576 | |
577 | my $res = [ | |
578 | { subdir => 'config' }, | |
37c2dba8 | 579 | { subdir => 'pending' }, |
fff3a342 DM |
580 | { subdir => 'status' }, |
581 | { subdir => 'vncproxy' }, | |
a0226a00 | 582 | { subdir => 'termproxy' }, |
fff3a342 DM |
583 | { subdir => 'vncwebsocket' }, |
584 | { subdir => 'spiceproxy' }, | |
585 | { subdir => 'migrate' }, | |
c4a33727 | 586 | { subdir => 'clone' }, |
f76a2828 DM |
587 | # { subdir => 'initlog' }, |
588 | { subdir => 'rrd' }, | |
589 | { subdir => 'rrddata' }, | |
590 | { subdir => 'firewall' }, | |
cc5392c8 | 591 | { subdir => 'snapshot' }, |
985b18ed | 592 | { subdir => 'resize' }, |
f76a2828 | 593 | ]; |
5c752bbf | 594 | |
f76a2828 DM |
595 | return $res; |
596 | }}); | |
597 | ||
c4a33727 | 598 | |
f76a2828 | 599 | __PACKAGE__->register_method({ |
5c752bbf DM |
600 | name => 'rrd', |
601 | path => '{vmid}/rrd', | |
f76a2828 DM |
602 | method => 'GET', |
603 | protected => 1, # fixme: can we avoid that? | |
604 | permissions => { | |
605 | check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]], | |
606 | }, | |
607 | description => "Read VM RRD statistics (returns PNG)", | |
608 | parameters => { | |
609 | additionalProperties => 0, | |
610 | properties => { | |
611 | node => get_standard_option('pve-node'), | |
612 | vmid => get_standard_option('pve-vmid'), | |
613 | timeframe => { | |
614 | description => "Specify the time frame you are interested in.", | |
615 | type => 'string', | |
616 | enum => [ 'hour', 'day', 'week', 'month', 'year' ], | |
617 | }, | |
618 | ds => { | |
619 | description => "The list of datasources you want to display.", | |
620 | type => 'string', format => 'pve-configid-list', | |
621 | }, | |
622 | cf => { | |
623 | description => "The RRD consolidation function", | |
624 | type => 'string', | |
625 | enum => [ 'AVERAGE', 'MAX' ], | |
626 | optional => 1, | |
627 | }, | |
628 | }, | |
629 | }, | |
630 | returns => { | |
631 | type => "object", | |
632 | properties => { | |
633 | filename => { type => 'string' }, | |
634 | }, | |
635 | }, | |
636 | code => sub { | |
637 | my ($param) = @_; | |
638 | ||
d949527f | 639 | return PVE::RRD::create_rrd_graph( |
5c752bbf | 640 | "pve2-vm/$param->{vmid}", $param->{timeframe}, |
f76a2828 | 641 | $param->{ds}, $param->{cf}); |
5c752bbf | 642 | |
f76a2828 DM |
643 | }}); |
644 | ||
645 | __PACKAGE__->register_method({ | |
5c752bbf DM |
646 | name => 'rrddata', |
647 | path => '{vmid}/rrddata', | |
f76a2828 DM |
648 | method => 'GET', |
649 | protected => 1, # fixme: can we avoid that? | |
650 | permissions => { | |
651 | check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]], | |
652 | }, | |
653 | description => "Read VM RRD statistics", | |
654 | parameters => { | |
655 | additionalProperties => 0, | |
656 | properties => { | |
657 | node => get_standard_option('pve-node'), | |
658 | vmid => get_standard_option('pve-vmid'), | |
659 | timeframe => { | |
660 | description => "Specify the time frame you are interested in.", | |
661 | type => 'string', | |
662 | enum => [ 'hour', 'day', 'week', 'month', 'year' ], | |
663 | }, | |
664 | cf => { | |
665 | description => "The RRD consolidation function", | |
666 | type => 'string', | |
667 | enum => [ 'AVERAGE', 'MAX' ], | |
668 | optional => 1, | |
669 | }, | |
670 | }, | |
671 | }, | |
672 | returns => { | |
673 | type => "array", | |
674 | items => { | |
675 | type => "object", | |
676 | properties => {}, | |
677 | }, | |
678 | }, | |
679 | code => sub { | |
680 | my ($param) = @_; | |
681 | ||
d949527f | 682 | return PVE::RRD::create_rrd_data( |
f76a2828 DM |
683 | "pve2-vm/$param->{vmid}", $param->{timeframe}, $param->{cf}); |
684 | }}); | |
685 | ||
f76a2828 | 686 | __PACKAGE__->register_method({ |
5c752bbf DM |
687 | name => 'destroy_vm', |
688 | path => '{vmid}', | |
f76a2828 DM |
689 | method => 'DELETE', |
690 | protected => 1, | |
691 | proxyto => 'node', | |
692 | description => "Destroy the container (also delete all uses files).", | |
693 | permissions => { | |
694 | check => [ 'perm', '/vms/{vmid}', ['VM.Allocate']], | |
695 | }, | |
696 | parameters => { | |
697 | additionalProperties => 0, | |
698 | properties => { | |
699 | node => get_standard_option('pve-node'), | |
68e8f3c5 | 700 | vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid_stopped }), |
d51b84ff TL |
701 | force => { |
702 | type => 'boolean', | |
703 | description => "Force destroy, even if running.", | |
704 | default => 0, | |
705 | optional => 1, | |
706 | }, | |
c5a09704 CE |
707 | purge => { |
708 | type => 'boolean', | |
796e8eee TL |
709 | description => "Remove container from all related configurations." |
710 | ." For example, backup jobs, replication jobs or HA." | |
711 | ." Related ACLs and Firewall entries will *always* be removed.", | |
712 | default => 0, | |
c5a09704 CE |
713 | optional => 1, |
714 | }, | |
3b1c0970 TL |
715 | 'destroy-unreferenced-disks' => { |
716 | type => 'boolean', | |
717 | description => "If set, destroy additionally all disks with the VMID from all" | |
718 | ." enabled storages which are not referenced in the config.", | |
719 | optional => 1, | |
720 | }, | |
f76a2828 DM |
721 | }, |
722 | }, | |
5c752bbf | 723 | returns => { |
f76a2828 DM |
724 | type => 'string', |
725 | }, | |
726 | code => sub { | |
727 | my ($param) = @_; | |
728 | ||
729 | my $rpcenv = PVE::RPCEnvironment::get(); | |
f76a2828 | 730 | my $authuser = $rpcenv->get_user(); |
f76a2828 DM |
731 | my $vmid = $param->{vmid}; |
732 | ||
733 | # test if container exists | |
0512c360 | 734 | |
67afe46e | 735 | my $conf = PVE::LXC::Config->load_config($vmid); |
0512c360 FG |
736 | my $early_checks = sub { |
737 | my ($conf) = @_; | |
738 | PVE::LXC::Config->check_protection($conf, "can't remove CT $vmid"); | |
739 | PVE::LXC::Config->check_lock($conf); | |
7e806596 | 740 | |
0512c360 | 741 | my $ha_managed = PVE::HA::Config::service_is_configured("ct:$vmid"); |
b6e0b774 | 742 | |
0512c360 FG |
743 | if (!$param->{purge}) { |
744 | die "unable to remove CT $vmid - used in HA resources and purge parameter not set.\n" | |
745 | if $ha_managed; | |
3207b81a | 746 | |
0512c360 FG |
747 | # do not allow destroy if there are replication jobs without purge |
748 | my $repl_conf = PVE::ReplicationConfig->new(); | |
749 | $repl_conf->check_for_existing_jobs($vmid); | |
750 | } | |
751 | ||
752 | return $ha_managed; | |
753 | }; | |
754 | ||
755 | $early_checks->($conf); | |
c5a8e04f | 756 | |
d607c17d | 757 | my $running_error_msg = "unable to destroy CT $vmid - container is running\n"; |
d51b84ff | 758 | die $running_error_msg if !$param->{force} && PVE::LXC::check_running($vmid); # check early |
d607c17d | 759 | |
611fe3aa | 760 | my $code = sub { |
673cf209 | 761 | # reload config after lock |
67afe46e | 762 | $conf = PVE::LXC::Config->load_config($vmid); |
0512c360 | 763 | my $ha_managed = $early_checks->($conf); |
673cf209 | 764 | |
d51b84ff TL |
765 | if (PVE::LXC::check_running($vmid)) { |
766 | die $running_error_msg if !$param->{force}; | |
767 | warn "forced to stop CT $vmid before destroying!\n"; | |
768 | if (!$ha_managed) { | |
769 | PVE::LXC::vm_stop($vmid, 1); | |
770 | } else { | |
771 | run_command(['ha-manager', 'crm-command', 'stop', "ct:$vmid", '120']); | |
772 | } | |
773 | } | |
d607c17d | 774 | |
0512c360 | 775 | my $storage_cfg = cfs_read_file("storage.cfg"); |
3b1c0970 TL |
776 | PVE::LXC::destroy_lxc_container( |
777 | $storage_cfg, | |
778 | $vmid, | |
779 | $conf, | |
780 | { lock => 'destroyed' }, | |
781 | $param->{'destroy-unreferenced-disks'}, | |
782 | ); | |
7fc1d9eb | 783 | |
be5fc936 | 784 | PVE::AccessControl::remove_vm_access($vmid); |
2f9b5ead | 785 | PVE::Firewall::remove_vmfw_conf($vmid); |
c5a09704 | 786 | if ($param->{purge}) { |
3207b81a | 787 | print "purging CT $vmid from related configurations..\n"; |
c5a09704 CE |
788 | PVE::ReplicationConfig::remove_vmid_jobs($vmid); |
789 | PVE::VZDump::Plugin::remove_vmid_from_backup_jobs($vmid); | |
3207b81a TL |
790 | |
791 | if ($ha_managed) { | |
792 | PVE::HA::Config::delete_service_from_config("ct:$vmid"); | |
793 | print "NOTE: removed CT $vmid from HA resource configuration.\n"; | |
794 | } | |
c5a09704 | 795 | } |
7fc1d9eb TL |
796 | |
797 | # only now remove the zombie config, else we can have reuse race | |
798 | PVE::LXC::Config->destroy_config($vmid); | |
f76a2828 DM |
799 | }; |
800 | ||
67afe46e | 801 | my $realcmd = sub { PVE::LXC::Config->lock_config($vmid, $code); }; |
351bc0c4 | 802 | |
f76a2828 DM |
803 | return $rpcenv->fork_worker('vzdestroy', $vmid, $authuser, $realcmd); |
804 | }}); | |
805 | ||
fff3a342 DM |
806 | my $sslcert; |
807 | ||
808 | __PACKAGE__->register_method ({ | |
5b4657d0 DM |
809 | name => 'vncproxy', |
810 | path => '{vmid}/vncproxy', | |
fff3a342 DM |
811 | method => 'POST', |
812 | protected => 1, | |
813 | permissions => { | |
814 | check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]], | |
815 | }, | |
816 | description => "Creates a TCP VNC proxy connections.", | |
817 | parameters => { | |
818 | additionalProperties => 0, | |
819 | properties => { | |
820 | node => get_standard_option('pve-node'), | |
821 | vmid => get_standard_option('pve-vmid'), | |
822 | websocket => { | |
823 | optional => 1, | |
824 | type => 'boolean', | |
825 | description => "use websocket instead of standard VNC.", | |
826 | }, | |
bd0f4d6d DC |
827 | width => { |
828 | optional => 1, | |
829 | description => "sets the width of the console in pixels.", | |
830 | type => 'integer', | |
831 | minimum => 16, | |
832 | maximum => 4096, | |
833 | }, | |
834 | height => { | |
835 | optional => 1, | |
836 | description => "sets the height of the console in pixels.", | |
837 | type => 'integer', | |
838 | minimum => 16, | |
839 | maximum => 2160, | |
840 | }, | |
fff3a342 DM |
841 | }, |
842 | }, | |
5b4657d0 | 843 | returns => { |
fff3a342 DM |
844 | additionalProperties => 0, |
845 | properties => { | |
846 | user => { type => 'string' }, | |
847 | ticket => { type => 'string' }, | |
848 | cert => { type => 'string' }, | |
849 | port => { type => 'integer' }, | |
850 | upid => { type => 'string' }, | |
851 | }, | |
852 | }, | |
853 | code => sub { | |
854 | my ($param) = @_; | |
855 | ||
856 | my $rpcenv = PVE::RPCEnvironment::get(); | |
857 | ||
858 | my $authuser = $rpcenv->get_user(); | |
859 | ||
860 | my $vmid = $param->{vmid}; | |
861 | my $node = $param->{node}; | |
862 | ||
863 | my $authpath = "/vms/$vmid"; | |
864 | ||
865 | my $ticket = PVE::AccessControl::assemble_vnc_ticket($authuser, $authpath); | |
866 | ||
867 | $sslcert = PVE::Tools::file_get_contents("/etc/pve/pve-root-ca.pem", 8192) | |
868 | if !$sslcert; | |
869 | ||
ec2c57eb | 870 | my ($remip, $family); |
5b4657d0 | 871 | |
fff3a342 | 872 | if ($node ne PVE::INotify::nodename()) { |
85ae6211 | 873 | ($remip, $family) = PVE::Cluster::remote_node_ip($node); |
ec2c57eb WB |
874 | } else { |
875 | $family = PVE::Tools::get_host_address_family($node); | |
fff3a342 DM |
876 | } |
877 | ||
ec2c57eb WB |
878 | my $port = PVE::Tools::next_vnc_port($family); |
879 | ||
fff3a342 DM |
880 | # NOTE: vncterm VNC traffic is already TLS encrypted, |
881 | # so we select the fastest chipher here (or 'none'?) | |
5b4657d0 | 882 | my $remcmd = $remip ? |
806eae70 | 883 | ['/usr/bin/ssh', '-e', 'none', '-t', $remip] : []; |
fff3a342 | 884 | |
67afe46e | 885 | my $conf = PVE::LXC::Config->load_config($vmid, $node); |
65213b67 | 886 | my $concmd = PVE::LXC::get_console_command($vmid, $conf, -1); |
aca816ad | 887 | |
5b4657d0 DM |
888 | my $shcmd = [ '/usr/bin/dtach', '-A', |
889 | "/var/run/dtach/vzctlconsole$vmid", | |
aca816ad | 890 | '-r', 'winch', '-z', @$concmd]; |
fff3a342 DM |
891 | |
892 | my $realcmd = sub { | |
893 | my $upid = shift; | |
894 | ||
5b4657d0 | 895 | syslog ('info', "starting lxc vnc proxy $upid\n"); |
fff3a342 | 896 | |
5b4657d0 | 897 | my $timeout = 10; |
fff3a342 DM |
898 | |
899 | my $cmd = ['/usr/bin/vncterm', '-rfbport', $port, | |
5b4657d0 | 900 | '-timeout', $timeout, '-authpath', $authpath, |
fff3a342 DM |
901 | '-perm', 'VM.Console']; |
902 | ||
bd0f4d6d DC |
903 | if ($param->{width}) { |
904 | push @$cmd, '-width', $param->{width}; | |
905 | } | |
906 | ||
907 | if ($param->{height}) { | |
908 | push @$cmd, '-height', $param->{height}; | |
909 | } | |
910 | ||
fff3a342 | 911 | if ($param->{websocket}) { |
5b4657d0 | 912 | $ENV{PVE_VNC_TICKET} = $ticket; # pass ticket to vncterm |
fff3a342 DM |
913 | push @$cmd, '-notls', '-listen', 'localhost'; |
914 | } | |
915 | ||
916 | push @$cmd, '-c', @$remcmd, @$shcmd; | |
917 | ||
37634d3d | 918 | run_command($cmd, keeplocale => 1); |
fff3a342 DM |
919 | |
920 | return; | |
921 | }; | |
922 | ||
923 | my $upid = $rpcenv->fork_worker('vncproxy', $vmid, $authuser, $realcmd); | |
924 | ||
925 | PVE::Tools::wait_for_vnc_port($port); | |
926 | ||
927 | return { | |
928 | user => $authuser, | |
929 | ticket => $ticket, | |
5b4657d0 DM |
930 | port => $port, |
931 | upid => $upid, | |
932 | cert => $sslcert, | |
fff3a342 DM |
933 | }; |
934 | }}); | |
935 | ||
a0226a00 DC |
936 | __PACKAGE__->register_method ({ |
937 | name => 'termproxy', | |
938 | path => '{vmid}/termproxy', | |
939 | method => 'POST', | |
940 | protected => 1, | |
941 | permissions => { | |
942 | check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]], | |
943 | }, | |
944 | description => "Creates a TCP proxy connection.", | |
945 | parameters => { | |
946 | additionalProperties => 0, | |
947 | properties => { | |
948 | node => get_standard_option('pve-node'), | |
949 | vmid => get_standard_option('pve-vmid'), | |
950 | }, | |
951 | }, | |
952 | returns => { | |
953 | additionalProperties => 0, | |
954 | properties => { | |
955 | user => { type => 'string' }, | |
956 | ticket => { type => 'string' }, | |
957 | port => { type => 'integer' }, | |
958 | upid => { type => 'string' }, | |
959 | }, | |
960 | }, | |
961 | code => sub { | |
962 | my ($param) = @_; | |
963 | ||
964 | my $rpcenv = PVE::RPCEnvironment::get(); | |
965 | ||
966 | my $authuser = $rpcenv->get_user(); | |
967 | ||
968 | my $vmid = $param->{vmid}; | |
969 | my $node = $param->{node}; | |
970 | ||
971 | my $authpath = "/vms/$vmid"; | |
972 | ||
973 | my $ticket = PVE::AccessControl::assemble_vnc_ticket($authuser, $authpath); | |
974 | ||
975 | my ($remip, $family); | |
976 | ||
977 | if ($node ne 'localhost' && $node ne PVE::INotify::nodename()) { | |
978 | ($remip, $family) = PVE::Cluster::remote_node_ip($node); | |
979 | } else { | |
980 | $family = PVE::Tools::get_host_address_family($node); | |
981 | } | |
982 | ||
983 | my $port = PVE::Tools::next_vnc_port($family); | |
984 | ||
985 | my $remcmd = $remip ? | |
986 | ['/usr/bin/ssh', '-e', 'none', '-t', $remip, '--'] : []; | |
987 | ||
988 | my $conf = PVE::LXC::Config->load_config($vmid, $node); | |
65213b67 | 989 | my $concmd = PVE::LXC::get_console_command($vmid, $conf, -1); |
a0226a00 DC |
990 | |
991 | my $shcmd = [ '/usr/bin/dtach', '-A', | |
992 | "/var/run/dtach/vzctlconsole$vmid", | |
993 | '-r', 'winch', '-z', @$concmd]; | |
994 | ||
995 | my $realcmd = sub { | |
996 | my $upid = shift; | |
997 | ||
998 | syslog ('info', "starting lxc termproxy $upid\n"); | |
999 | ||
1000 | my $cmd = ['/usr/bin/termproxy', $port, '--path', $authpath, | |
1001 | '--perm', 'VM.Console', '--']; | |
1002 | push @$cmd, @$remcmd, @$shcmd; | |
1003 | ||
1004 | PVE::Tools::run_command($cmd); | |
1005 | }; | |
1006 | ||
1007 | my $upid = $rpcenv->fork_worker('vncproxy', $vmid, $authuser, $realcmd, 1); | |
1008 | ||
1009 | PVE::Tools::wait_for_vnc_port($port); | |
1010 | ||
1011 | return { | |
1012 | user => $authuser, | |
1013 | ticket => $ticket, | |
1014 | port => $port, | |
1015 | upid => $upid, | |
1016 | }; | |
1017 | }}); | |
1018 | ||
fff3a342 DM |
1019 | __PACKAGE__->register_method({ |
1020 | name => 'vncwebsocket', | |
1021 | path => '{vmid}/vncwebsocket', | |
1022 | method => 'GET', | |
5b4657d0 | 1023 | permissions => { |
fff3a342 DM |
1024 | description => "You also need to pass a valid ticket (vncticket).", |
1025 | check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]], | |
1026 | }, | |
1027 | description => "Opens a weksocket for VNC traffic.", | |
1028 | parameters => { | |
1029 | additionalProperties => 0, | |
1030 | properties => { | |
1031 | node => get_standard_option('pve-node'), | |
1032 | vmid => get_standard_option('pve-vmid'), | |
1033 | vncticket => { | |
1034 | description => "Ticket from previous call to vncproxy.", | |
1035 | type => 'string', | |
1036 | maxLength => 512, | |
1037 | }, | |
1038 | port => { | |
1039 | description => "Port number returned by previous vncproxy call.", | |
1040 | type => 'integer', | |
1041 | minimum => 5900, | |
1042 | maximum => 5999, | |
1043 | }, | |
1044 | }, | |
1045 | }, | |
1046 | returns => { | |
1047 | type => "object", | |
1048 | properties => { | |
1049 | port => { type => 'string' }, | |
1050 | }, | |
1051 | }, | |
1052 | code => sub { | |
1053 | my ($param) = @_; | |
1054 | ||
1055 | my $rpcenv = PVE::RPCEnvironment::get(); | |
1056 | ||
1057 | my $authuser = $rpcenv->get_user(); | |
1058 | ||
1059 | my $authpath = "/vms/$param->{vmid}"; | |
1060 | ||
1061 | PVE::AccessControl::verify_vnc_ticket($param->{vncticket}, $authuser, $authpath); | |
1062 | ||
1063 | my $port = $param->{port}; | |
5b4657d0 | 1064 | |
fff3a342 DM |
1065 | return { port => $port }; |
1066 | }}); | |
1067 | ||
1068 | __PACKAGE__->register_method ({ | |
5b4657d0 DM |
1069 | name => 'spiceproxy', |
1070 | path => '{vmid}/spiceproxy', | |
fff3a342 DM |
1071 | method => 'POST', |
1072 | protected => 1, | |
1073 | proxyto => 'node', | |
1074 | permissions => { | |
1075 | check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]], | |
1076 | }, | |
1077 | description => "Returns a SPICE configuration to connect to the CT.", | |
1078 | parameters => { | |
1079 | additionalProperties => 0, | |
1080 | properties => { | |
1081 | node => get_standard_option('pve-node'), | |
1082 | vmid => get_standard_option('pve-vmid'), | |
1083 | proxy => get_standard_option('spice-proxy', { optional => 1 }), | |
1084 | }, | |
1085 | }, | |
1086 | returns => get_standard_option('remote-viewer-config'), | |
1087 | code => sub { | |
1088 | my ($param) = @_; | |
1089 | ||
1090 | my $vmid = $param->{vmid}; | |
1091 | my $node = $param->{node}; | |
1092 | my $proxy = $param->{proxy}; | |
1093 | ||
1094 | my $authpath = "/vms/$vmid"; | |
1095 | my $permissions = 'VM.Console'; | |
1096 | ||
67afe46e | 1097 | my $conf = PVE::LXC::Config->load_config($vmid); |
da4db334 TL |
1098 | |
1099 | die "CT $vmid not running\n" if !PVE::LXC::check_running($vmid); | |
1100 | ||
aca816ad DM |
1101 | my $concmd = PVE::LXC::get_console_command($vmid, $conf); |
1102 | ||
5b4657d0 DM |
1103 | my $shcmd = ['/usr/bin/dtach', '-A', |
1104 | "/var/run/dtach/vzctlconsole$vmid", | |
aca816ad | 1105 | '-r', 'winch', '-z', @$concmd]; |
fff3a342 DM |
1106 | |
1107 | my $title = "CT $vmid"; | |
1108 | ||
1109 | return PVE::API2Tools::run_spiceterm($authpath, $permissions, $vmid, $node, $proxy, $title, $shcmd); | |
1110 | }}); | |
5c752bbf | 1111 | |
5c752bbf | 1112 | |
0e0958a5 FG |
1113 | __PACKAGE__->register_method({ |
1114 | name => 'remote_migrate_vm', | |
1115 | path => '{vmid}/remote_migrate', | |
1116 | method => 'POST', | |
1117 | protected => 1, | |
1118 | proxyto => 'node', | |
1119 | description => "Migrate the container to another cluster. Creates a new migration task. EXPERIMENTAL feature!", | |
1120 | permissions => { | |
1121 | check => ['perm', '/vms/{vmid}', [ 'VM.Migrate' ]], | |
1122 | }, | |
1123 | parameters => { | |
1124 | additionalProperties => 0, | |
1125 | properties => { | |
1126 | node => get_standard_option('pve-node'), | |
1127 | vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }), | |
1128 | 'target-vmid' => get_standard_option('pve-vmid', { optional => 1 }), | |
1129 | 'target-endpoint' => get_standard_option('proxmox-remote', { | |
1130 | description => "Remote target endpoint", | |
1131 | }), | |
1132 | online => { | |
1133 | type => 'boolean', | |
1134 | description => "Use online/live migration.", | |
1135 | optional => 1, | |
1136 | }, | |
1137 | restart => { | |
1138 | type => 'boolean', | |
1139 | description => "Use restart migration", | |
1140 | optional => 1, | |
1141 | }, | |
1142 | timeout => { | |
1143 | type => 'integer', | |
1144 | description => "Timeout in seconds for shutdown for restart migration", | |
1145 | optional => 1, | |
1146 | default => 180, | |
1147 | }, | |
1148 | delete => { | |
1149 | type => 'boolean', | |
1150 | description => "Delete the original CT and related data after successful migration. By default the original CT is kept on the source cluster in a stopped state.", | |
1151 | optional => 1, | |
1152 | default => 0, | |
1153 | }, | |
1154 | 'target-storage' => get_standard_option('pve-targetstorage', { | |
1155 | optional => 0, | |
1156 | }), | |
1157 | 'target-bridge' => { | |
1158 | type => 'string', | |
1159 | description => "Mapping from source to target bridges. Providing only a single bridge ID maps all source bridges to that bridge. Providing the special value '1' will map each source bridge to itself.", | |
1160 | format => 'bridge-pair-list', | |
1161 | }, | |
1162 | bwlimit => { | |
1163 | description => "Override I/O bandwidth limit (in KiB/s).", | |
1164 | optional => 1, | |
1165 | type => 'number', | |
1166 | minimum => '0', | |
1167 | default => 'migrate limit from datacenter or storage config', | |
1168 | }, | |
1169 | }, | |
1170 | }, | |
1171 | returns => { | |
1172 | type => 'string', | |
1173 | description => "the task ID.", | |
1174 | }, | |
1175 | code => sub { | |
1176 | my ($param) = @_; | |
1177 | ||
1178 | my $rpcenv = PVE::RPCEnvironment::get(); | |
1179 | my $authuser = $rpcenv->get_user(); | |
1180 | ||
1181 | my $source_vmid = extract_param($param, 'vmid'); | |
1182 | my $target_endpoint = extract_param($param, 'target-endpoint'); | |
1183 | my $target_vmid = extract_param($param, 'target-vmid') // $source_vmid; | |
1184 | ||
1185 | my $delete = extract_param($param, 'delete') // 0; | |
1186 | ||
1187 | PVE::Cluster::check_cfs_quorum(); | |
1188 | ||
1189 | # test if CT exists | |
1190 | my $conf = PVE::LXC::Config->load_config($source_vmid); | |
1191 | PVE::LXC::Config->check_lock($conf); | |
1192 | ||
1193 | # try to detect errors early | |
1194 | if (PVE::LXC::check_running($source_vmid)) { | |
1195 | die "can't migrate running container without --online or --restart\n" | |
1196 | if !$param->{online} && !$param->{restart}; | |
1197 | } | |
1198 | ||
1199 | raise_param_exc({ vmid => "cannot migrate HA-managed CT to remote cluster" }) | |
1200 | if PVE::HA::Config::vm_is_ha_managed($source_vmid); | |
1201 | ||
1202 | my $remote = PVE::JSONSchema::parse_property_string('proxmox-remote', $target_endpoint); | |
1203 | ||
1204 | # TODO: move this as helper somewhere appropriate? | |
1205 | my $conn_args = { | |
1206 | protocol => 'https', | |
1207 | host => $remote->{host}, | |
1208 | port => $remote->{port} // 8006, | |
1209 | apitoken => $remote->{apitoken}, | |
1210 | }; | |
1211 | ||
1212 | my $fp; | |
1213 | if ($fp = $remote->{fingerprint}) { | |
1214 | $conn_args->{cached_fingerprints} = { uc($fp) => 1 }; | |
1215 | } | |
1216 | ||
1217 | print "Establishing API connection with remote at '$remote->{host}'\n"; | |
1218 | ||
1219 | my $api_client = PVE::APIClient::LWP->new(%$conn_args); | |
1220 | ||
1221 | if (!defined($fp)) { | |
1222 | my $cert_info = $api_client->get("/nodes/localhost/certificates/info"); | |
1223 | foreach my $cert (@$cert_info) { | |
1224 | my $filename = $cert->{filename}; | |
1225 | next if $filename ne 'pveproxy-ssl.pem' && $filename ne 'pve-ssl.pem'; | |
1226 | $fp = $cert->{fingerprint} if !$fp || $filename eq 'pveproxy-ssl.pem'; | |
1227 | } | |
1228 | $conn_args->{cached_fingerprints} = { uc($fp) => 1 } | |
1229 | if defined($fp); | |
1230 | } | |
1231 | ||
1232 | my $storecfg = PVE::Storage::config(); | |
1233 | my $target_storage = extract_param($param, 'target-storage'); | |
1234 | my $storagemap = eval { PVE::JSONSchema::parse_idmap($target_storage, 'pve-storage-id') }; | |
1235 | raise_param_exc({ 'target-storage' => "failed to parse storage map: $@" }) | |
1236 | if $@; | |
1237 | ||
1238 | my $target_bridge = extract_param($param, 'target-bridge'); | |
1239 | my $bridgemap = eval { PVE::JSONSchema::parse_idmap($target_bridge, 'pve-bridge-id') }; | |
1240 | raise_param_exc({ 'target-bridge' => "failed to parse bridge map: $@" }) | |
1241 | if $@; | |
1242 | ||
1243 | die "remote migration requires explicit storage mapping!\n" | |
1244 | if $storagemap->{identity}; | |
1245 | ||
1246 | $param->{storagemap} = $storagemap; | |
1247 | $param->{bridgemap} = $bridgemap; | |
1248 | $param->{remote} = { | |
1249 | conn => $conn_args, # re-use fingerprint for tunnel | |
1250 | client => $api_client, | |
1251 | vmid => $target_vmid, | |
1252 | }; | |
1253 | $param->{migration_type} = 'websocket'; | |
1254 | $param->{delete} = $delete if $delete; | |
1255 | ||
1256 | my $cluster_status = $api_client->get("/cluster/status"); | |
1257 | my $target_node; | |
1258 | foreach my $entry (@$cluster_status) { | |
1259 | next if $entry->{type} ne 'node'; | |
1260 | if ($entry->{local}) { | |
1261 | $target_node = $entry->{name}; | |
1262 | last; | |
1263 | } | |
1264 | } | |
1265 | ||
1266 | die "couldn't determine endpoint's node name\n" | |
1267 | if !defined($target_node); | |
1268 | ||
1269 | my $realcmd = sub { | |
1270 | PVE::LXC::Migrate->migrate($target_node, $remote->{host}, $source_vmid, $param); | |
1271 | }; | |
1272 | ||
1273 | my $worker = sub { | |
1274 | return PVE::GuestHelpers::guest_migration_lock($source_vmid, 10, $realcmd); | |
1275 | }; | |
1276 | ||
1277 | return $rpcenv->fork_worker('vzmigrate', $source_vmid, $authuser, $worker); | |
1278 | }}); | |
1279 | ||
1280 | ||
5c752bbf | 1281 | __PACKAGE__->register_method({ |
52389a07 DM |
1282 | name => 'migrate_vm', |
1283 | path => '{vmid}/migrate', | |
5c752bbf DM |
1284 | method => 'POST', |
1285 | protected => 1, | |
1286 | proxyto => 'node', | |
52389a07 | 1287 | description => "Migrate the container to another node. Creates a new migration task.", |
5c752bbf | 1288 | permissions => { |
52389a07 | 1289 | check => ['perm', '/vms/{vmid}', [ 'VM.Migrate' ]], |
5c752bbf DM |
1290 | }, |
1291 | parameters => { | |
1292 | additionalProperties => 0, | |
1293 | properties => { | |
1294 | node => get_standard_option('pve-node'), | |
68e8f3c5 DM |
1295 | vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }), |
1296 | target => get_standard_option('pve-node', { | |
1297 | description => "Target node.", | |
39bb88df | 1298 | completion => \&PVE::Cluster::complete_migration_target, |
68e8f3c5 | 1299 | }), |
e90ddc4c | 1300 | 'target-storage' => get_standard_option('pve-targetstorage'), |
52389a07 DM |
1301 | online => { |
1302 | type => 'boolean', | |
1303 | description => "Use online/live migration.", | |
1304 | optional => 1, | |
1305 | }, | |
00d8cdc0 DC |
1306 | restart => { |
1307 | type => 'boolean', | |
1308 | description => "Use restart migration", | |
1309 | optional => 1, | |
1310 | }, | |
1311 | timeout => { | |
1312 | type => 'integer', | |
1313 | description => "Timeout in seconds for shutdown for restart migration", | |
1314 | optional => 1, | |
1315 | default => 180, | |
1316 | }, | |
8ead60ef SI |
1317 | bwlimit => { |
1318 | description => "Override I/O bandwidth limit (in KiB/s).", | |
1319 | optional => 1, | |
1320 | type => 'number', | |
1321 | minimum => '0', | |
41e9b65c | 1322 | default => 'migrate limit from datacenter or storage config', |
8ead60ef | 1323 | }, |
5c752bbf DM |
1324 | }, |
1325 | }, | |
1326 | returns => { | |
1327 | type => 'string', | |
52389a07 | 1328 | description => "the task ID.", |
5c752bbf DM |
1329 | }, |
1330 | code => sub { | |
1331 | my ($param) = @_; | |
1332 | ||
1333 | my $rpcenv = PVE::RPCEnvironment::get(); | |
1334 | ||
1335 | my $authuser = $rpcenv->get_user(); | |
1336 | ||
52389a07 | 1337 | my $target = extract_param($param, 'target'); |
bb1ac2de | 1338 | |
52389a07 DM |
1339 | my $localnode = PVE::INotify::nodename(); |
1340 | raise_param_exc({ target => "target is local node."}) if $target eq $localnode; | |
bb1ac2de | 1341 | |
52389a07 | 1342 | PVE::Cluster::check_cfs_quorum(); |
5c752bbf | 1343 | |
52389a07 | 1344 | PVE::Cluster::check_node_exists($target); |
27916659 | 1345 | |
52389a07 | 1346 | my $targetip = PVE::Cluster::remote_node_ip($target); |
5c752bbf | 1347 | |
52389a07 | 1348 | my $vmid = extract_param($param, 'vmid'); |
5c752bbf | 1349 | |
52389a07 | 1350 | # test if VM exists |
67afe46e | 1351 | PVE::LXC::Config->load_config($vmid); |
5c752bbf | 1352 | |
52389a07 DM |
1353 | # try to detect errors early |
1354 | if (PVE::LXC::check_running($vmid)) { | |
00d8cdc0 DC |
1355 | die "can't migrate running container without --online or --restart\n" |
1356 | if !$param->{online} && !$param->{restart}; | |
5c752bbf | 1357 | } |
5c752bbf | 1358 | |
e90ddc4c FG |
1359 | if (my $targetstorage = delete $param->{'target-storage'}) { |
1360 | my $storecfg = PVE::Storage::config(); | |
1361 | my $storagemap = eval { PVE::JSONSchema::parse_idmap($targetstorage, 'pve-storage-id') }; | |
26115ef2 | 1362 | raise_param_exc({ 'target-storage' => "failed to parse storage map: $@" }) |
e90ddc4c FG |
1363 | if $@; |
1364 | ||
1365 | $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Disk']) | |
1366 | if !defined($storagemap->{identity}); | |
1367 | ||
1368 | foreach my $target_sid (values %{$storagemap->{entries}}) { | |
1369 | $check_storage_access_migrate->($rpcenv, $authuser, $storecfg, $target_sid, $target); | |
1370 | } | |
1371 | ||
1372 | $check_storage_access_migrate->($rpcenv, $authuser, $storecfg, $storagemap->{default}, $target) | |
1373 | if $storagemap->{default}; | |
1374 | ||
1375 | $param->{storagemap} = $storagemap; | |
1376 | } | |
1377 | ||
5c752bbf DM |
1378 | if (PVE::HA::Config::vm_is_ha_managed($vmid) && $rpcenv->{type} ne 'ha') { |
1379 | ||
1380 | my $hacmd = sub { | |
1381 | my $upid = shift; | |
1382 | ||
1383 | my $service = "ct:$vmid"; | |
1384 | ||
52389a07 | 1385 | my $cmd = ['ha-manager', 'migrate', $service, $target]; |
5c752bbf | 1386 | |
545dd4e1 | 1387 | print "Requesting HA migration for CT $vmid to node $target\n"; |
5c752bbf DM |
1388 | |
1389 | PVE::Tools::run_command($cmd); | |
1390 | ||
1391 | return; | |
1392 | }; | |
1393 | ||
52389a07 | 1394 | return $rpcenv->fork_worker('hamigrate', $vmid, $authuser, $hacmd); |
5c752bbf DM |
1395 | |
1396 | } else { | |
1397 | ||
22557519 DM |
1398 | my $realcmd = sub { |
1399 | PVE::LXC::Migrate->migrate($target, $targetip, $vmid, $param); | |
1400 | }; | |
56462053 | 1401 | |
22557519 DM |
1402 | my $worker = sub { |
1403 | return PVE::GuestHelpers::guest_migration_lock($vmid, 10, $realcmd); | |
5c752bbf DM |
1404 | }; |
1405 | ||
22557519 | 1406 | return $rpcenv->fork_worker('vzmigrate', $vmid, $authuser, $worker); |
5c752bbf DM |
1407 | } |
1408 | }}); | |
1409 | ||
cc5392c8 WL |
1410 | __PACKAGE__->register_method({ |
1411 | name => 'vm_feature', | |
1412 | path => '{vmid}/feature', | |
1413 | method => 'GET', | |
1414 | proxyto => 'node', | |
1415 | protected => 1, | |
1416 | description => "Check if feature for virtual machine is available.", | |
1417 | permissions => { | |
1418 | check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]], | |
1419 | }, | |
1420 | parameters => { | |
1421 | additionalProperties => 0, | |
1422 | properties => { | |
1423 | node => get_standard_option('pve-node'), | |
1424 | vmid => get_standard_option('pve-vmid'), | |
1425 | feature => { | |
1426 | description => "Feature to check.", | |
1427 | type => 'string', | |
d53e5c58 | 1428 | enum => [ 'snapshot', 'clone', 'copy' ], |
cc5392c8 | 1429 | }, |
5ec3949c | 1430 | snapname => get_standard_option('pve-snapshot-name', { |
cc5392c8 WL |
1431 | optional => 1, |
1432 | }), | |
1433 | }, | |
1434 | }, | |
1435 | returns => { | |
1436 | type => "object", | |
1437 | properties => { | |
1438 | hasFeature => { type => 'boolean' }, | |
1439 | #nodes => { | |
1440 | #type => 'array', | |
1441 | #items => { type => 'string' }, | |
1442 | #} | |
1443 | }, | |
1444 | }, | |
1445 | code => sub { | |
1446 | my ($param) = @_; | |
1447 | ||
1448 | my $node = extract_param($param, 'node'); | |
1449 | ||
1450 | my $vmid = extract_param($param, 'vmid'); | |
1451 | ||
1452 | my $snapname = extract_param($param, 'snapname'); | |
1453 | ||
1454 | my $feature = extract_param($param, 'feature'); | |
1455 | ||
67afe46e | 1456 | my $conf = PVE::LXC::Config->load_config($vmid); |
cc5392c8 WL |
1457 | |
1458 | if($snapname){ | |
1459 | my $snap = $conf->{snapshots}->{$snapname}; | |
1460 | die "snapshot '$snapname' does not exist\n" if !defined($snap); | |
1461 | $conf = $snap; | |
1462 | } | |
ef241384 | 1463 | my $storage_cfg = PVE::Storage::config(); |
cc5392c8 | 1464 | #Maybe include later |
ef241384 | 1465 | #my $nodelist = PVE::LXC::shared_nodes($conf, $storage_cfg); |
4518000b | 1466 | my $hasFeature = PVE::LXC::Config->has_feature($feature, $conf, $storage_cfg, $snapname); |
cc5392c8 WL |
1467 | |
1468 | return { | |
1469 | hasFeature => $hasFeature, | |
1470 | #nodes => [ keys %$nodelist ], | |
1471 | }; | |
1472 | }}); | |
bb1ac2de DM |
1473 | |
1474 | __PACKAGE__->register_method({ | |
1475 | name => 'template', | |
1476 | path => '{vmid}/template', | |
1477 | method => 'POST', | |
1478 | protected => 1, | |
1479 | proxyto => 'node', | |
1480 | description => "Create a Template.", | |
1481 | permissions => { | |
1482 | description => "You need 'VM.Allocate' permissions on /vms/{vmid}", | |
1483 | check => [ 'perm', '/vms/{vmid}', ['VM.Allocate']], | |
1484 | }, | |
1485 | parameters => { | |
1486 | additionalProperties => 0, | |
1487 | properties => { | |
1488 | node => get_standard_option('pve-node'), | |
68e8f3c5 | 1489 | vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid_stopped }), |
bb1ac2de DM |
1490 | }, |
1491 | }, | |
1492 | returns => { type => 'null'}, | |
1493 | code => sub { | |
1494 | my ($param) = @_; | |
1495 | ||
1496 | my $rpcenv = PVE::RPCEnvironment::get(); | |
1497 | ||
1498 | my $authuser = $rpcenv->get_user(); | |
1499 | ||
1500 | my $node = extract_param($param, 'node'); | |
1501 | ||
1502 | my $vmid = extract_param($param, 'vmid'); | |
1503 | ||
1504 | my $updatefn = sub { | |
1505 | ||
67afe46e FG |
1506 | my $conf = PVE::LXC::Config->load_config($vmid); |
1507 | PVE::LXC::Config->check_lock($conf); | |
bb1ac2de DM |
1508 | |
1509 | die "unable to create template, because CT contains snapshots\n" | |
1510 | if $conf->{snapshots} && scalar(keys %{$conf->{snapshots}}); | |
1511 | ||
1512 | die "you can't convert a template to a template\n" | |
67afe46e | 1513 | if PVE::LXC::Config->is_template($conf); |
bb1ac2de DM |
1514 | |
1515 | die "you can't convert a CT to template if the CT is running\n" | |
1516 | if PVE::LXC::check_running($vmid); | |
1517 | ||
1518 | my $realcmd = sub { | |
1519 | PVE::LXC::template_create($vmid, $conf); | |
bb1ac2de | 1520 | |
c2182c49 | 1521 | $conf->{template} = 1; |
bb1ac2de | 1522 | |
c2182c49 WL |
1523 | PVE::LXC::Config->write_config($vmid, $conf); |
1524 | # and remove lxc config | |
1525 | PVE::LXC::update_lxc_config($vmid, $conf); | |
1526 | }; | |
bb1ac2de DM |
1527 | |
1528 | return $rpcenv->fork_worker('vztemplate', $vmid, $authuser, $realcmd); | |
1529 | }; | |
1530 | ||
67afe46e | 1531 | PVE::LXC::Config->lock_config($vmid, $updatefn); |
bb1ac2de DM |
1532 | |
1533 | return undef; | |
1534 | }}); | |
1535 | ||
c4a33727 DM |
1536 | __PACKAGE__->register_method({ |
1537 | name => 'clone_vm', | |
1538 | path => '{vmid}/clone', | |
1539 | method => 'POST', | |
1540 | protected => 1, | |
1541 | proxyto => 'node', | |
1542 | description => "Create a container clone/copy", | |
1543 | permissions => { | |
1544 | description => "You need 'VM.Clone' permissions on /vms/{vmid}, " . | |
1545 | "and 'VM.Allocate' permissions " . | |
1546 | "on /vms/{newid} (or on the VM pool /pool/{pool}). You also need " . | |
ee81952f | 1547 | "'Datastore.AllocateSpace' on any used storage, and 'SDN.Use' on any bridge.", |
c4a33727 DM |
1548 | check => |
1549 | [ 'and', | |
1550 | ['perm', '/vms/{vmid}', [ 'VM.Clone' ]], | |
1551 | [ 'or', | |
1552 | [ 'perm', '/vms/{newid}', ['VM.Allocate']], | |
1553 | [ 'perm', '/pool/{pool}', ['VM.Allocate'], require_param => 'pool'], | |
1554 | ], | |
1555 | ] | |
1556 | }, | |
1557 | parameters => { | |
1558 | additionalProperties => 0, | |
1559 | properties => { | |
1560 | node => get_standard_option('pve-node'), | |
1561 | vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }), | |
1562 | newid => get_standard_option('pve-vmid', { | |
1563 | completion => \&PVE::Cluster::complete_next_vmid, | |
1564 | description => 'VMID for the clone.' }), | |
1565 | hostname => { | |
1566 | optional => 1, | |
1567 | type => 'string', format => 'dns-name', | |
1568 | description => "Set a hostname for the new CT.", | |
1569 | }, | |
1570 | description => { | |
1571 | optional => 1, | |
1572 | type => 'string', | |
1573 | description => "Description for the new CT.", | |
1574 | }, | |
1575 | pool => { | |
1576 | optional => 1, | |
1577 | type => 'string', format => 'pve-poolid', | |
1578 | description => "Add the new CT to the specified pool.", | |
1579 | }, | |
5ec3949c | 1580 | snapname => get_standard_option('pve-snapshot-name', { |
c4a33727 DM |
1581 | optional => 1, |
1582 | }), | |
1583 | storage => get_standard_option('pve-storage-id', { | |
1584 | description => "Target storage for full clone.", | |
c4a33727 DM |
1585 | optional => 1, |
1586 | }), | |
1587 | full => { | |
1588 | optional => 1, | |
1589 | type => 'boolean', | |
c4b4cb83 | 1590 | description => "Create a full copy of all disks. This is always done when " . |
c4a33727 | 1591 | "you clone a normal CT. For CT templates, we try to create a linked clone by default.", |
c4a33727 | 1592 | }, |
411ae12c DM |
1593 | target => get_standard_option('pve-node', { |
1594 | description => "Target node. Only allowed if the original VM is on shared storage.", | |
1595 | optional => 1, | |
1596 | }), | |
8ead60ef SI |
1597 | bwlimit => { |
1598 | description => "Override I/O bandwidth limit (in KiB/s).", | |
1599 | optional => 1, | |
1600 | type => 'number', | |
1601 | minimum => '0', | |
41e9b65c | 1602 | default => 'clone limit from datacenter or storage config', |
8ead60ef | 1603 | }, |
c4a33727 DM |
1604 | }, |
1605 | }, | |
1606 | returns => { | |
1607 | type => 'string', | |
1608 | }, | |
1609 | code => sub { | |
1610 | my ($param) = @_; | |
1611 | ||
1612 | my $rpcenv = PVE::RPCEnvironment::get(); | |
59b0ce55 | 1613 | my $authuser = $rpcenv->get_user(); |
c4a33727 DM |
1614 | |
1615 | my $node = extract_param($param, 'node'); | |
c4a33727 | 1616 | my $vmid = extract_param($param, 'vmid'); |
c4a33727 | 1617 | my $newid = extract_param($param, 'newid'); |
c4a33727 | 1618 | my $pool = extract_param($param, 'pool'); |
c4a33727 DM |
1619 | if (defined($pool)) { |
1620 | $rpcenv->check_pool_exist($pool); | |
1621 | } | |
c4a33727 | 1622 | my $snapname = extract_param($param, 'snapname'); |
c4a33727 | 1623 | my $storage = extract_param($param, 'storage'); |
411ae12c | 1624 | my $target = extract_param($param, 'target'); |
c4a33727 DM |
1625 | my $localnode = PVE::INotify::nodename(); |
1626 | ||
59b0ce55 | 1627 | undef $target if $target && ($target eq $localnode || $target eq 'localhost'); |
411ae12c DM |
1628 | |
1629 | PVE::Cluster::check_node_exists($target) if $target; | |
1630 | ||
c4a33727 DM |
1631 | my $storecfg = PVE::Storage::config(); |
1632 | ||
1633 | if ($storage) { | |
1634 | # check if storage is enabled on local node | |
1635 | PVE::Storage::storage_check_enabled($storecfg, $storage); | |
411ae12c DM |
1636 | if ($target) { |
1637 | # check if storage is available on target node | |
a1c27f86 | 1638 | PVE::Storage::storage_check_enabled($storecfg, $storage, $target); |
411ae12c DM |
1639 | # clone only works if target storage is shared |
1640 | my $scfg = PVE::Storage::storage_config($storecfg, $storage); | |
1641 | die "can't clone to non-shared storage '$storage'\n" if !$scfg->{shared}; | |
1642 | } | |
c4a33727 DM |
1643 | } |
1644 | ||
1645 | PVE::Cluster::check_cfs_quorum(); | |
1646 | ||
db01d674 WB |
1647 | my $newconf = {}; |
1648 | my $mountpoints = {}; | |
1649 | my $fullclone = {}; | |
1650 | my $vollist = []; | |
411ae12c | 1651 | my $running; |
c4a33727 | 1652 | |
b062187a FG |
1653 | my $lock_and_reload = sub { |
1654 | my ($vmid, $code) = @_; | |
1655 | return PVE::LXC::Config->lock_config($vmid, sub { | |
1656 | my $conf = PVE::LXC::Config->load_config($vmid); | |
1657 | die "Lost 'create' config lock, aborting.\n" | |
1658 | if !PVE::LXC::Config->has_lock($conf, 'create'); | |
1659 | ||
1660 | return $code->($conf); | |
1661 | }); | |
1662 | }; | |
e7d553c7 | 1663 | |
cc1ffe7e | 1664 | my $src_conf = PVE::LXC::Config->set_lock($vmid, 'disk'); |
411ae12c | 1665 | |
becea45d DT |
1666 | eval { |
1667 | PVE::LXC::Config->create_and_lock_config($newid, 0); | |
1668 | }; | |
1669 | if (my $err = $@) { | |
1670 | eval { PVE::LXC::Config->remove_lock($vmid, 'disk') }; | |
1671 | warn "Failed to remove source CT config lock - $@\n" if $@; | |
e7d553c7 | 1672 | |
becea45d | 1673 | die $err; |
cc1ffe7e | 1674 | } |
c4a33727 | 1675 | |
cc1ffe7e | 1676 | eval { |
becea45d DT |
1677 | $running = PVE::LXC::check_running($vmid) || 0; |
1678 | ||
1679 | my $full = extract_param($param, 'full'); | |
1680 | if (!defined($full)) { | |
1681 | $full = !PVE::LXC::Config->is_template($src_conf); | |
1682 | } | |
1683 | ||
1684 | PVE::Firewall::clone_vmfw_conf($vmid, $newid); | |
1685 | ||
5da8f412 FG |
1686 | die "parameter 'storage' not allowed for linked clones\n" |
1687 | if defined($storage) && !$full; | |
1688 | ||
cc1ffe7e FG |
1689 | die "snapshot '$snapname' does not exist\n" |
1690 | if $snapname && !defined($src_conf->{snapshots}->{$snapname}); | |
c4a33727 | 1691 | |
cc1ffe7e | 1692 | my $src_conf = $snapname ? $src_conf->{snapshots}->{$snapname} : $src_conf; |
c4a33727 | 1693 | |
cc1ffe7e FG |
1694 | my $sharedvm = 1; |
1695 | for my $opt (sort keys %$src_conf) { | |
1696 | next if $opt =~ m/^unused\d+$/; | |
c4a33727 | 1697 | |
cc1ffe7e | 1698 | my $value = $src_conf->{$opt}; |
c4a33727 | 1699 | |
cc1ffe7e FG |
1700 | if (($opt eq 'rootfs') || ($opt =~ m/^mp\d+$/)) { |
1701 | my $mp = PVE::LXC::Config->parse_volume($opt, $value); | |
09687674 | 1702 | |
cc1ffe7e FG |
1703 | if ($mp->{type} eq 'volume') { |
1704 | my $volid = $mp->{volume}; | |
09687674 | 1705 | |
cc1ffe7e FG |
1706 | my ($sid, $volname) = PVE::Storage::parse_volume_id($volid); |
1707 | $sid = $storage if defined($storage); | |
1708 | my $scfg = PVE::Storage::storage_config($storecfg, $sid); | |
1709 | if (!$scfg->{shared}) { | |
1710 | $sharedvm = 0; | |
1711 | warn "found non-shared volume: $volid\n" if $target; | |
1712 | } | |
c4a33727 | 1713 | |
cc1ffe7e | 1714 | $rpcenv->check($authuser, "/storage/$sid", ['Datastore.AllocateSpace']); |
c4a33727 | 1715 | |
cc1ffe7e FG |
1716 | if ($full) { |
1717 | die "Cannot do full clones on a running container without snapshots\n" | |
1718 | if $running && !defined($snapname); | |
1719 | $fullclone->{$opt} = 1; | |
c4a33727 | 1720 | } else { |
cc1ffe7e FG |
1721 | # not full means clone instead of copy |
1722 | die "Linked clone feature for '$volid' is not available\n" | |
1723 | if !PVE::Storage::volume_has_feature($storecfg, 'clone', $volid, $snapname, $running, {'valid_target_formats' => ['raw', 'subvol']}); | |
c4a33727 | 1724 | } |
cc1ffe7e FG |
1725 | |
1726 | $mountpoints->{$opt} = $mp; | |
1727 | push @$vollist, $volid; | |
1728 | ||
c4a33727 | 1729 | } else { |
cc1ffe7e FG |
1730 | # TODO: allow bind mounts? |
1731 | die "unable to clone mountpoint '$opt' (type $mp->{type})\n"; | |
c4a33727 | 1732 | } |
cc1ffe7e FG |
1733 | } elsif ($opt =~ m/^net(\d+)$/) { |
1734 | # always change MAC! address | |
1735 | my $dc = PVE::Cluster::cfs_read_file('datacenter.cfg'); | |
1736 | my $net = PVE::LXC::Config->parse_lxc_network($value); | |
1737 | $net->{hwaddr} = PVE::Tools::random_ether_addr($dc->{mac_prefix}); | |
1738 | $newconf->{$opt} = PVE::LXC::Config->print_lxc_network($net); | |
ee81952f FG |
1739 | |
1740 | PVE::LXC::check_bridge_access($rpcenv, $authuser, $newconf->{$opt}); | |
cc1ffe7e FG |
1741 | } else { |
1742 | # copy everything else | |
1743 | $newconf->{$opt} = $value; | |
db01d674 | 1744 | } |
cc1ffe7e FG |
1745 | } |
1746 | die "can't clone CT to node '$target' (CT uses local storage)\n" | |
1747 | if $target && !$sharedvm; | |
c4a33727 | 1748 | |
cc1ffe7e FG |
1749 | # Replace the 'disk' lock with a 'create' lock. |
1750 | $newconf->{lock} = 'create'; | |
db01d674 | 1751 | |
04a34c56 | 1752 | # delete all snapshot related config options |
a0167a5c | 1753 | delete $newconf->@{qw(snapshots parent snaptime snapstate)}; |
04a34c56 | 1754 | |
cc1ffe7e FG |
1755 | delete $newconf->{pending}; |
1756 | delete $newconf->{template}; | |
c4a33727 | 1757 | |
a0167a5c TL |
1758 | $newconf->{hostname} = $param->{hostname} if $param->{hostname}; |
1759 | $newconf->{description} = $param->{description} if $param->{description}; | |
c4a33727 | 1760 | |
b062187a | 1761 | $lock_and_reload->($newid, sub { |
cc1ffe7e FG |
1762 | PVE::LXC::Config->write_config($newid, $newconf); |
1763 | }); | |
1764 | }; | |
1765 | if (my $err = $@) { | |
1766 | eval { PVE::LXC::Config->remove_lock($vmid, 'disk') }; | |
1767 | warn "Failed to remove source CT config lock - $@\n" if $@; | |
1768 | ||
1769 | eval { | |
b062187a | 1770 | $lock_and_reload->($newid, sub { |
cc1ffe7e | 1771 | PVE::LXC::Config->destroy_config($newid); |
5eacc654 | 1772 | PVE::Firewall::remove_vmfw_conf($newid); |
7b290bf3 | 1773 | }); |
db01d674 | 1774 | }; |
cc1ffe7e | 1775 | warn "Failed to remove target CT config - $@\n" if $@; |
52d287d9 | 1776 | |
cc1ffe7e FG |
1777 | die $err; |
1778 | } | |
c4a33727 | 1779 | |
db01d674 WB |
1780 | my $update_conf = sub { |
1781 | my ($key, $value) = @_; | |
b062187a FG |
1782 | return $lock_and_reload->($newid, sub { |
1783 | my $conf = shift; | |
db01d674 WB |
1784 | $conf->{$key} = $value; |
1785 | PVE::LXC::Config->write_config($newid, $conf); | |
1786 | }); | |
1787 | }; | |
c4a33727 | 1788 | |
db01d674 WB |
1789 | my $realcmd = sub { |
1790 | my ($upid) = @_; | |
c4a33727 | 1791 | |
db01d674 | 1792 | my $newvollist = []; |
c4a33727 | 1793 | |
411ae12c DM |
1794 | my $verify_running = PVE::LXC::check_running($vmid) || 0; |
1795 | die "unexpected state change\n" if $verify_running != $running; | |
1796 | ||
db01d674 WB |
1797 | eval { |
1798 | local $SIG{INT} = | |
1799 | local $SIG{TERM} = | |
1800 | local $SIG{QUIT} = | |
1801 | local $SIG{HUP} = sub { die "interrupted by signal\n"; }; | |
c4a33727 | 1802 | |
db01d674 | 1803 | PVE::Storage::activate_volumes($storecfg, $vollist, $snapname); |
8ead60ef | 1804 | my $bwlimit = extract_param($param, 'bwlimit'); |
c4a33727 | 1805 | |
db01d674 WB |
1806 | foreach my $opt (keys %$mountpoints) { |
1807 | my $mp = $mountpoints->{$opt}; | |
1808 | my $volid = $mp->{volume}; | |
c4a33727 | 1809 | |
db01d674 WB |
1810 | my $newvolid; |
1811 | if ($fullclone->{$opt}) { | |
1812 | print "create full clone of mountpoint $opt ($volid)\n"; | |
8ead60ef SI |
1813 | my $source_storage = PVE::Storage::parse_volume_id($volid); |
1814 | my $target_storage = $storage // $source_storage; | |
1815 | my $clonelimit = PVE::Storage::get_bandwidth_limit('clone', [$source_storage, $target_storage], $bwlimit); | |
1816 | $newvolid = PVE::LXC::copy_volume($mp, $newid, $target_storage, $storecfg, $newconf, $snapname, $clonelimit); | |
db01d674 WB |
1817 | } else { |
1818 | print "create linked clone of mount point $opt ($volid)\n"; | |
1819 | $newvolid = PVE::Storage::vdisk_clone($storecfg, $volid, $newid, $snapname); | |
c4a33727 DM |
1820 | } |
1821 | ||
db01d674 WB |
1822 | push @$newvollist, $newvolid; |
1823 | $mp->{volume} = $newvolid; | |
c4a33727 | 1824 | |
db01d674 | 1825 | $update_conf->($opt, PVE::LXC::Config->print_ct_mountpoint($mp, $opt eq 'rootfs')); |
c4a33727 DM |
1826 | } |
1827 | ||
db01d674 | 1828 | PVE::AccessControl::add_vm_to_pool($newid, $pool) if $pool; |
8e08cd17 | 1829 | |
b062187a FG |
1830 | $lock_and_reload->($newid, sub { |
1831 | my $conf = shift; | |
1832 | my $rootdir = PVE::LXC::mount_all($newid, $storecfg, $conf, 1); | |
1833 | eval { | |
1834 | my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir); | |
1835 | $lxc_setup->post_clone_hook($conf); | |
1836 | }; | |
1837 | my $err = $@; | |
1838 | eval { PVE::LXC::umount_all($newid, $storecfg, $conf, 1); }; | |
1839 | if ($err) { | |
1840 | warn "$@\n" if $@; | |
1841 | die $err; | |
1842 | } else { | |
1843 | die $@ if $@; | |
7b290bf3 OB |
1844 | } |
1845 | }); | |
c4a33727 | 1846 | }; |
db01d674 | 1847 | my $err = $@; |
db01d674 WB |
1848 | # Unlock the source config in any case: |
1849 | eval { PVE::LXC::Config->remove_lock($vmid, 'disk') }; | |
1850 | warn $@ if $@; | |
c4a33727 | 1851 | |
db01d674 WB |
1852 | if ($err) { |
1853 | # Now cleanup the config & disks: | |
db01d674 WB |
1854 | sleep 1; # some storages like rbd need to wait before release volume - really? |
1855 | ||
1856 | foreach my $volid (@$newvollist) { | |
1857 | eval { PVE::Storage::vdisk_free($storecfg, $volid); }; | |
1858 | warn $@ if $@; | |
1859 | } | |
52d287d9 FG |
1860 | |
1861 | eval { | |
b062187a | 1862 | $lock_and_reload->($newid, sub { |
52d287d9 | 1863 | PVE::LXC::Config->destroy_config($newid); |
5eacc654 | 1864 | PVE::Firewall::remove_vmfw_conf($newid); |
52d287d9 FG |
1865 | }); |
1866 | }; | |
1867 | warn "Failed to remove target CT config - $@\n" if $@; | |
1868 | ||
db01d674 WB |
1869 | die "clone failed: $err"; |
1870 | } | |
1871 | ||
b062187a FG |
1872 | $lock_and_reload->($newid, sub { |
1873 | PVE::LXC::Config->remove_lock($newid, 'create'); | |
1874 | ||
1875 | if ($target) { | |
1876 | # always deactivate volumes - avoid lvm LVs to be active on several nodes | |
1877 | PVE::Storage::deactivate_volumes($storecfg, $vollist, $snapname) if !$running; | |
1878 | PVE::Storage::deactivate_volumes($storecfg, $newvollist); | |
1879 | ||
1880 | PVE::LXC::Config->move_config_to_node($newid, $target); | |
1881 | } | |
1882 | }); | |
1883 | ||
db01d674 | 1884 | return; |
c4a33727 DM |
1885 | }; |
1886 | ||
db01d674 | 1887 | return $rpcenv->fork_worker('vzclone', $vmid, $authuser, $realcmd); |
c4a33727 DM |
1888 | }}); |
1889 | ||
1890 | ||
985b18ed WL |
1891 | __PACKAGE__->register_method({ |
1892 | name => 'resize_vm', | |
1893 | path => '{vmid}/resize', | |
1894 | method => 'PUT', | |
1895 | protected => 1, | |
1896 | proxyto => 'node', | |
235dbdf3 | 1897 | description => "Resize a container mount point.", |
985b18ed WL |
1898 | permissions => { |
1899 | check => ['perm', '/vms/{vmid}', ['VM.Config.Disk'], any => 1], | |
1900 | }, | |
1901 | parameters => { | |
1902 | additionalProperties => 0, | |
b8c5a95f WB |
1903 | properties => { |
1904 | node => get_standard_option('pve-node'), | |
1905 | vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }), | |
1906 | disk => { | |
1907 | type => 'string', | |
1908 | description => "The disk you want to resize.", | |
5e5d76cf | 1909 | enum => [PVE::LXC::Config->valid_volume_keys()], |
b8c5a95f WB |
1910 | }, |
1911 | size => { | |
1912 | type => 'string', | |
1913 | pattern => '\+?\d+(\.\d+)?[KMGT]?', | |
1914 | description => "The new size. With the '+' sign the value is added to the actual size of the volume and without it, the value is taken as an absolute one. Shrinking disk size is not supported.", | |
1915 | }, | |
1916 | digest => { | |
1917 | type => 'string', | |
1918 | description => 'Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.', | |
1919 | maxLength => 40, | |
1920 | optional => 1, | |
1921 | } | |
1922 | }, | |
985b18ed | 1923 | }, |
9f3f7963 WL |
1924 | returns => { |
1925 | type => 'string', | |
1926 | description => "the task ID.", | |
1927 | }, | |
985b18ed WL |
1928 | code => sub { |
1929 | my ($param) = @_; | |
1930 | ||
1931 | my $rpcenv = PVE::RPCEnvironment::get(); | |
1932 | ||
1933 | my $authuser = $rpcenv->get_user(); | |
1934 | ||
1935 | my $node = extract_param($param, 'node'); | |
1936 | ||
1937 | my $vmid = extract_param($param, 'vmid'); | |
1938 | ||
1939 | my $digest = extract_param($param, 'digest'); | |
1940 | ||
1941 | my $sizestr = extract_param($param, 'size'); | |
1942 | my $ext = ($sizestr =~ s/^\+//); | |
f0595e61 FE |
1943 | my $request_size = PVE::JSONSchema::parse_size($sizestr); |
1944 | die "invalid size string" if !defined($request_size); | |
985b18ed WL |
1945 | |
1946 | die "no options specified\n" if !scalar(keys %$param); | |
1947 | ||
985b18ed WL |
1948 | my $storage_cfg = cfs_read_file("storage.cfg"); |
1949 | ||
f0595e61 | 1950 | my $load_and_check = sub { |
67afe46e FG |
1951 | my $conf = PVE::LXC::Config->load_config($vmid); |
1952 | PVE::LXC::Config->check_lock($conf); | |
985b18ed | 1953 | |
de41bced DC |
1954 | PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $conf, $param, [], $conf->{unprivileged}); |
1955 | ||
985b18ed WL |
1956 | PVE::Tools::assert_if_modified($digest, $conf->{digest}); |
1957 | ||
985b18ed | 1958 | my $disk = $param->{disk}; |
e4034859 | 1959 | my $mp = PVE::LXC::Config->parse_volume($disk, $conf->{$disk}); |
44a9face | 1960 | |
985b18ed WL |
1961 | my $volid = $mp->{volume}; |
1962 | ||
1963 | my (undef, undef, $owner, undef, undef, undef, $format) = | |
1964 | PVE::Storage::parse_volname($storage_cfg, $volid); | |
1965 | ||
235dbdf3 | 1966 | die "can't resize mount point owned by another container ($owner)" |
985b18ed WL |
1967 | if $vmid != $owner; |
1968 | ||
985b18ed WL |
1969 | my ($storeid, $volname) = PVE::Storage::parse_volume_id($volid); |
1970 | ||
1971 | $rpcenv->check($authuser, "/storage/$storeid", ['Datastore.AllocateSpace']); | |
1972 | ||
4e1e1791 WB |
1973 | PVE::Storage::activate_volumes($storage_cfg, [$volid]); |
1974 | ||
985b18ed | 1975 | my $size = PVE::Storage::volume_size_info($storage_cfg, $volid, 5); |
2e8bcfef | 1976 | |
16f6c7c6 | 1977 | die "Could not determine current size of volume '$volid'\n" if !defined($size); |
2e8bcfef | 1978 | |
f0595e61 | 1979 | my $newsize = $ext ? $size + $request_size : $request_size; |
985b18ed WL |
1980 | $newsize = int($newsize); |
1981 | ||
1982 | die "unable to shrink disk size\n" if $newsize < $size; | |
1983 | ||
5c36822a | 1984 | die "disk is already at specified size\n" if $size == $newsize; |
985b18ed | 1985 | |
f0595e61 FE |
1986 | return ($conf, $disk, $mp, $volid, $format, $newsize); |
1987 | }; | |
1988 | ||
1989 | my $code = sub { | |
1990 | my ($conf, $disk, $mp, $volid, $format, $newsize) = $load_and_check->(); | |
1991 | ||
1992 | my $running = PVE::LXC::check_running($vmid); | |
1993 | ||
985b18ed | 1994 | PVE::Cluster::log_msg('info', $authuser, "update CT $vmid: resize --disk $disk --size $sizestr"); |
9f3f7963 | 1995 | |
f0595e61 FE |
1996 | # Note: PVE::Storage::volume_resize doesn't do anything if $running=1, so |
1997 | # we pass 0 here (parameter only makes sense for qemu) | |
1998 | PVE::Storage::volume_resize($storage_cfg, $volid, $newsize, 0); | |
9f3f7963 | 1999 | |
f0595e61 FE |
2000 | $mp->{size} = $newsize; |
2001 | $conf->{$disk} = PVE::LXC::Config->print_ct_mountpoint($mp, $disk eq 'rootfs'); | |
9f3f7963 | 2002 | |
f0595e61 FE |
2003 | PVE::LXC::Config->write_config($vmid, $conf); |
2004 | ||
2005 | if ($format eq 'raw') { | |
2006 | # we need to ensure that the volume is mapped, if not needed this is a NOP | |
2007 | my $path = PVE::Storage::map_volume($storage_cfg, $volid); | |
2008 | $path = PVE::Storage::path($storage_cfg, $volid) if !defined($path); | |
2009 | if ($running) { | |
2010 | ||
2011 | $mp->{mp} = '/'; | |
2012 | my $use_loopdev = (PVE::LXC::mountpoint_mount_path($mp, $storage_cfg))[1]; | |
2013 | $path = PVE::LXC::query_loopdev($path) if $use_loopdev; | |
2014 | die "internal error: CT running but mount point not attached to a loop device" | |
2015 | if !$path; | |
2016 | PVE::Tools::run_command(['losetup', '--set-capacity', $path]) if $use_loopdev; | |
2017 | ||
2018 | # In order for resize2fs to know that we need online-resizing a mountpoint needs | |
2019 | # to be visible to it in its namespace. | |
2020 | # To not interfere with the rest of the system we unshare the current mount namespace, | |
2021 | # mount over /tmp and then run resize2fs. | |
2022 | ||
2023 | # interestingly we don't need to e2fsck on mounted systems... | |
2024 | my $quoted = PVE::Tools::shellquote($path); | |
2025 | my $cmd = "mount --make-rprivate / && mount $quoted /tmp && resize2fs $quoted"; | |
2026 | eval { | |
2027 | PVE::Tools::run_command(['unshare', '-m', '--', 'sh', '-c', $cmd]); | |
2028 | }; | |
2029 | warn "Failed to update the container's filesystem: $@\n" if $@; | |
2030 | } else { | |
2031 | eval { | |
2032 | PVE::Tools::run_command(['e2fsck', '-f', '-y', $path]); | |
2033 | PVE::Tools::run_command(['resize2fs', $path]); | |
2034 | }; | |
2035 | warn "Failed to update the container's filesystem: $@\n" if $@; | |
2036 | ||
2037 | # always un-map if not running, this is a NOP if not needed | |
2038 | PVE::Storage::unmap_volume($storage_cfg, $volid); | |
985b18ed | 2039 | } |
f0595e61 FE |
2040 | } |
2041 | }; | |
985b18ed | 2042 | |
f0595e61 FE |
2043 | my $worker = sub { |
2044 | PVE::LXC::Config->lock_config($vmid, $code);; | |
9f3f7963 | 2045 | }; |
985b18ed | 2046 | |
f0595e61 FE |
2047 | $load_and_check->(); # early checks before forking+locking |
2048 | ||
2049 | return $rpcenv->fork_worker('resize', $vmid, $authuser, $worker); | |
985b18ed WL |
2050 | }}); |
2051 | ||
3c0f6806 WB |
2052 | __PACKAGE__->register_method({ |
2053 | name => 'move_volume', | |
2054 | path => '{vmid}/move_volume', | |
2055 | method => 'POST', | |
2056 | protected => 1, | |
2057 | proxyto => 'node', | |
a337a832 | 2058 | description => "Move a rootfs-/mp-volume to a different storage or to a different container.", |
3c0f6806 WB |
2059 | permissions => { |
2060 | description => "You need 'VM.Config.Disk' permissions on /vms/{vmid}, " . | |
a337a832 AL |
2061 | "and 'Datastore.AllocateSpace' permissions on the storage. To move ". |
2062 | "a volume to another container, you need the permissions on the ". | |
2063 | "target container as well.", | |
d568e8db | 2064 | check => ['perm', '/vms/{vmid}', [ 'VM.Config.Disk' ]], |
3c0f6806 WB |
2065 | }, |
2066 | parameters => { | |
2067 | additionalProperties => 0, | |
2068 | properties => { | |
2069 | node => get_standard_option('pve-node'), | |
2070 | vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }), | |
a337a832 AL |
2071 | 'target-vmid' => get_standard_option('pve-vmid', { |
2072 | completion => \&PVE::LXC::complete_ctid, | |
2073 | optional => 1, | |
2074 | }), | |
3c0f6806 WB |
2075 | volume => { |
2076 | type => 'string', | |
a337a832 AL |
2077 | #TODO: check how to handle unused mount points as the mp parameter is not configured |
2078 | enum => [ PVE::LXC::Config->valid_volume_keys_with_unused() ], | |
3c0f6806 WB |
2079 | description => "Volume which will be moved.", |
2080 | }, | |
2081 | storage => get_standard_option('pve-storage-id', { | |
2082 | description => "Target Storage.", | |
2083 | completion => \&PVE::Storage::complete_storage_enabled, | |
a337a832 | 2084 | optional => 1, |
3c0f6806 WB |
2085 | }), |
2086 | delete => { | |
2087 | type => 'boolean', | |
d2f08c5a AL |
2088 | description => "Delete the original volume after successful copy. By default the " . |
2089 | "original is kept as an unused volume entry.", | |
3c0f6806 WB |
2090 | optional => 1, |
2091 | default => 0, | |
2092 | }, | |
2093 | digest => { | |
2094 | type => 'string', | |
d2f08c5a AL |
2095 | description => 'Prevent changes if current configuration file has different SHA1 " . |
2096 | "digest. This can be used to prevent concurrent modifications.', | |
3c0f6806 WB |
2097 | maxLength => 40, |
2098 | optional => 1, | |
8ead60ef SI |
2099 | }, |
2100 | bwlimit => { | |
2101 | description => "Override I/O bandwidth limit (in KiB/s).", | |
2102 | optional => 1, | |
2103 | type => 'number', | |
2104 | minimum => '0', | |
41e9b65c | 2105 | default => 'clone limit from datacenter or storage config', |
8ead60ef | 2106 | }, |
a337a832 AL |
2107 | 'target-volume' => { |
2108 | type => 'string', | |
2109 | description => "The config key the volume will be moved to. Default is the " . | |
2110 | "source volume key.", | |
2111 | enum => [PVE::LXC::Config->valid_volume_keys_with_unused()], | |
2112 | optional => 1, | |
2113 | }, | |
2114 | 'target-digest' => { | |
2115 | type => 'string', | |
2116 | description => 'Prevent changes if current configuration file of the target " . | |
2117 | "container has a different SHA1 digest. This can be used to prevent " . | |
2118 | "concurrent modifications.', | |
2119 | maxLength => 40, | |
2120 | optional => 1, | |
2121 | }, | |
3c0f6806 WB |
2122 | }, |
2123 | }, | |
2124 | returns => { | |
2125 | type => 'string', | |
2126 | }, | |
2127 | code => sub { | |
2128 | my ($param) = @_; | |
2129 | ||
2130 | my $rpcenv = PVE::RPCEnvironment::get(); | |
2131 | ||
2132 | my $authuser = $rpcenv->get_user(); | |
2133 | ||
2134 | my $vmid = extract_param($param, 'vmid'); | |
2135 | ||
a337a832 AL |
2136 | my $target_vmid = extract_param($param, 'target-vmid'); |
2137 | ||
3c0f6806 WB |
2138 | my $storage = extract_param($param, 'storage'); |
2139 | ||
2140 | my $mpkey = extract_param($param, 'volume'); | |
2141 | ||
a337a832 AL |
2142 | my $target_mpkey = extract_param($param, 'target-volume') // $mpkey; |
2143 | ||
2144 | my $digest = extract_param($param, 'digest'); | |
2145 | ||
2146 | my $target_digest = extract_param($param, 'target-digest'); | |
2147 | ||
3c0f6806 WB |
2148 | my $lockname = 'disk'; |
2149 | ||
2150 | my ($mpdata, $old_volid); | |
2151 | ||
a337a832 AL |
2152 | die "either set storage or target-vmid, but not both\n" |
2153 | if $storage && $target_vmid; | |
3c0f6806 | 2154 | |
a337a832 | 2155 | my $storecfg = PVE::Storage::config(); |
3c0f6806 | 2156 | |
a337a832 AL |
2157 | my $move_to_storage_checks = sub { |
2158 | PVE::LXC::Config->lock_config($vmid, sub { | |
2159 | my $conf = PVE::LXC::Config->load_config($vmid); | |
2160 | PVE::LXC::Config->check_lock($conf); | |
3c0f6806 | 2161 | |
a337a832 AL |
2162 | die "cannot move volumes of a running container\n" |
2163 | if PVE::LXC::check_running($vmid); | |
3c0f6806 | 2164 | |
a337a832 AL |
2165 | if ($mpkey =~ m/^unused\d+$/) { |
2166 | die "cannot move volume '$mpkey', only configured volumes can be moved to ". | |
2167 | "another storage\n"; | |
2168 | } | |
3c0f6806 | 2169 | |
a337a832 AL |
2170 | $mpdata = PVE::LXC::Config->parse_volume($mpkey, $conf->{$mpkey}); |
2171 | $old_volid = $mpdata->{volume}; | |
3c0f6806 | 2172 | |
a337a832 AL |
2173 | die "you can't move a volume with snapshots and delete the source\n" |
2174 | if $param->{delete} && PVE::LXC::Config->is_volume_in_use_by_snapshots($conf, $old_volid); | |
2175 | ||
2176 | PVE::Tools::assert_if_modified($digest, $conf->{digest}); | |
2177 | ||
2178 | PVE::LXC::Config->set_lock($vmid, $lockname); | |
2179 | }); | |
2180 | }; | |
2181 | ||
2182 | my $storage_realcmd = sub { | |
3c0f6806 | 2183 | eval { |
d2f08c5a AL |
2184 | PVE::Cluster::log_msg( |
2185 | 'info', | |
2186 | $authuser, | |
2187 | "move volume CT $vmid: move --volume $mpkey --storage $storage" | |
2188 | ); | |
3c0f6806 WB |
2189 | |
2190 | my $conf = PVE::LXC::Config->load_config($vmid); | |
2191 | my $storage_cfg = PVE::Storage::config(); | |
2192 | ||
2193 | my $new_volid; | |
2194 | ||
2195 | eval { | |
2196 | PVE::Storage::activate_volumes($storage_cfg, [ $old_volid ]); | |
8ead60ef SI |
2197 | my $bwlimit = extract_param($param, 'bwlimit'); |
2198 | my $source_storage = PVE::Storage::parse_volume_id($old_volid); | |
d2f08c5a AL |
2199 | my $movelimit = PVE::Storage::get_bandwidth_limit( |
2200 | 'move', | |
2201 | [$source_storage, $storage], | |
2202 | $bwlimit | |
2203 | ); | |
2204 | $new_volid = PVE::LXC::copy_volume( | |
2205 | $mpdata, | |
2206 | $vmid, | |
2207 | $storage, | |
2208 | $storage_cfg, | |
2209 | $conf, | |
2210 | undef, | |
2211 | $movelimit | |
2212 | ); | |
3bfbd900 FE |
2213 | if (PVE::LXC::Config->is_template($conf)) { |
2214 | PVE::Storage::activate_volumes($storage_cfg, [ $new_volid ]); | |
2215 | my $template_volid = PVE::Storage::vdisk_create_base($storage_cfg, $new_volid); | |
2216 | $mpdata->{volume} = $template_volid; | |
2217 | } else { | |
2218 | $mpdata->{volume} = $new_volid; | |
2219 | } | |
3c0f6806 WB |
2220 | |
2221 | PVE::LXC::Config->lock_config($vmid, sub { | |
2222 | my $digest = $conf->{digest}; | |
2223 | $conf = PVE::LXC::Config->load_config($vmid); | |
2224 | PVE::Tools::assert_if_modified($digest, $conf->{digest}); | |
2225 | ||
d2f08c5a AL |
2226 | $conf->{$mpkey} = PVE::LXC::Config->print_ct_mountpoint( |
2227 | $mpdata, | |
2228 | $mpkey eq 'rootfs' | |
2229 | ); | |
3c0f6806 WB |
2230 | |
2231 | PVE::LXC::Config->add_unused_volume($conf, $old_volid) if !$param->{delete}; | |
2232 | ||
2233 | PVE::LXC::Config->write_config($vmid, $conf); | |
2234 | }); | |
2235 | ||
2236 | eval { | |
2237 | # try to deactivate volumes - avoid lvm LVs to be active on several nodes | |
2238 | PVE::Storage::deactivate_volumes($storage_cfg, [ $new_volid ]) | |
2239 | }; | |
2240 | warn $@ if $@; | |
2241 | }; | |
2242 | if (my $err = $@) { | |
2243 | eval { | |
2244 | PVE::Storage::vdisk_free($storage_cfg, $new_volid) | |
2245 | if defined($new_volid); | |
2246 | }; | |
2247 | warn $@ if $@; | |
2248 | die $err; | |
2249 | } | |
2250 | ||
4be329cb DC |
2251 | my $deactivated = 0; |
2252 | eval { | |
2253 | PVE::Storage::deactivate_volumes($storage_cfg, [ $old_volid ]); | |
2254 | $deactivated = 1; | |
2255 | }; | |
2256 | warn $@ if $@; | |
2257 | ||
3c0f6806 | 2258 | if ($param->{delete}) { |
4be329cb DC |
2259 | my $removed = 0; |
2260 | if ($deactivated) { | |
2261 | eval { | |
2262 | PVE::Storage::vdisk_free($storage_cfg, $old_volid); | |
2263 | $removed = 1; | |
2264 | }; | |
2265 | warn $@ if $@; | |
2266 | } | |
2267 | if (!$removed) { | |
9abb0f8a FE |
2268 | PVE::LXC::Config->lock_config($vmid, sub { |
2269 | my $conf = PVE::LXC::Config->load_config($vmid); | |
2270 | PVE::LXC::Config->add_unused_volume($conf, $old_volid); | |
2271 | PVE::LXC::Config->write_config($vmid, $conf); | |
2272 | }); | |
2273 | } | |
3c0f6806 WB |
2274 | } |
2275 | }; | |
2276 | my $err = $@; | |
2277 | eval { PVE::LXC::Config->remove_lock($vmid, $lockname) }; | |
2278 | warn $@ if $@; | |
2279 | die $err if $err; | |
2280 | }; | |
a337a832 AL |
2281 | |
2282 | my $load_and_check_reassign_configs = sub { | |
2283 | my $vmlist = PVE::Cluster::get_vmlist()->{ids}; | |
2284 | ||
2285 | die "Cannot move to/from 'rootfs'\n" if $mpkey eq "rootfs" || $target_mpkey eq "rootfs"; | |
2286 | ||
2287 | if ($mpkey =~ m/^unused\d+$/ && $target_mpkey !~ m/^unused\d+$/) { | |
2288 | die "Moving an unused volume to a used one is not possible\n"; | |
2289 | } | |
2290 | die "could not find CT ${vmid}\n" if !exists($vmlist->{$vmid}); | |
27e28f79 | 2291 | die "could not find CT ${target_vmid}\n" if !exists($vmlist->{$target_vmid}); |
a337a832 | 2292 | |
27e28f79 FG |
2293 | my $source_node = $vmlist->{$vmid}->{node}; |
2294 | my $target_node = $vmlist->{$target_vmid}->{node}; | |
2295 | ||
2296 | die "Both containers need to be on the same node ($source_node != $target_node)\n" | |
2297 | if $source_node ne $target_node; | |
a337a832 AL |
2298 | |
2299 | my $source_conf = PVE::LXC::Config->load_config($vmid); | |
2300 | PVE::LXC::Config->check_lock($source_conf); | |
1e5a3948 TL |
2301 | my $target_conf; |
2302 | if ($target_vmid eq $vmid) { | |
2303 | $target_conf = $source_conf; | |
2304 | } else { | |
2305 | $target_conf = PVE::LXC::Config->load_config($target_vmid); | |
2306 | PVE::LXC::Config->check_lock($target_conf); | |
2307 | } | |
a337a832 | 2308 | |
27e28f79 | 2309 | die "Can't move volumes from or to template CT\n" |
a337a832 AL |
2310 | if ($source_conf->{template} || $target_conf->{template}); |
2311 | ||
2312 | if ($digest) { | |
2313 | eval { PVE::Tools::assert_if_modified($digest, $source_conf->{digest}) }; | |
2314 | die "Container ${vmid}: $@" if $@; | |
2315 | } | |
2316 | ||
2317 | if ($target_digest) { | |
2318 | eval { PVE::Tools::assert_if_modified($target_digest, $target_conf->{digest}) }; | |
2319 | die "Container ${target_vmid}: $@" if $@; | |
2320 | } | |
2321 | ||
2322 | die "volume '${mpkey}' for container '$vmid' does not exist\n" | |
2323 | if !defined($source_conf->{$mpkey}); | |
2324 | ||
2325 | die "Target volume key '${target_mpkey}' is already in use for container '$target_vmid'\n" | |
2326 | if exists $target_conf->{$target_mpkey}; | |
2327 | ||
3785fe32 TL |
2328 | my $drive = PVE::LXC::Config->parse_volume($mpkey, $source_conf->{$mpkey}); |
2329 | my $source_volid = $drive->{volume} or die "Volume '${mpkey}' has no associated image\n"; | |
a337a832 AL |
2330 | die "Cannot move volume used by a snapshot to another container\n" |
2331 | if PVE::LXC::Config->is_volume_in_use_by_snapshots($source_conf, $source_volid); | |
2332 | die "Storage does not support moving of this disk to another container\n" | |
2333 | if !PVE::Storage::volume_has_feature($storecfg, 'rename', $source_volid); | |
27e28f79 | 2334 | die "Cannot move a bindmount or device mount to another container\n" |
a337a832 | 2335 | if $drive->{type} ne "volume"; |
3785fe32 | 2336 | die "Cannot move in-use volume while the source CT is running - detach or shutdown first\n" |
a337a832 AL |
2337 | if PVE::LXC::check_running($vmid) && $mpkey !~ m/^unused\d+$/; |
2338 | ||
2339 | my $repl_conf = PVE::ReplicationConfig->new(); | |
27e28f79 FG |
2340 | if ($repl_conf->check_for_existing_jobs($target_vmid, 1)) { |
2341 | my ($storeid, undef) = PVE::Storage::parse_volume_id($source_volid); | |
2342 | my $format = (PVE::Storage::parse_volname($storecfg, $source_volid))[6]; | |
2343 | ||
2344 | die "Cannot move volume on storage '$storeid' to a replicated container - missing replication support\n" | |
2345 | if !PVE::Storage::storage_can_replicate($storecfg, $storeid, $format); | |
a337a832 | 2346 | } |
27e28f79 FG |
2347 | |
2348 | return ($source_conf, $target_conf, $drive); | |
3c0f6806 | 2349 | }; |
a337a832 | 2350 | |
3785fe32 | 2351 | my $logfunc = sub { print STDERR "$_[0]\n"; }; |
a337a832 AL |
2352 | |
2353 | my $volume_reassignfn = sub { | |
2354 | return PVE::LXC::Config->lock_config($vmid, sub { | |
2355 | return PVE::LXC::Config->lock_config($target_vmid, sub { | |
3785fe32 | 2356 | my ($source_conf, $target_conf, $drive) = $load_and_check_reassign_configs->(); |
27e28f79 | 2357 | my $source_volid = $drive->{volume}; |
a337a832 AL |
2358 | |
2359 | my $target_unused = $target_mpkey =~ m/^unused\d+$/; | |
2360 | ||
a337a832 | 2361 | print "moving volume '$mpkey' from container '$vmid' to '$target_vmid'\n"; |
27e28f79 | 2362 | |
a337a832 AL |
2363 | my ($storage, $source_volname) = PVE::Storage::parse_volume_id($source_volid); |
2364 | ||
2365 | my $fmt = (PVE::Storage::parse_volname($storecfg, $source_volid))[6]; | |
2366 | ||
2367 | my $new_volid = PVE::Storage::rename_volume( | |
2368 | $storecfg, | |
2369 | $source_volid, | |
2370 | $target_vmid, | |
2371 | ); | |
2372 | ||
27e28f79 | 2373 | $drive->{volume} = $new_volid; |
a337a832 AL |
2374 | |
2375 | delete $source_conf->{$mpkey}; | |
2376 | print "removing volume '${mpkey}' from container '${vmid}' config\n"; | |
2377 | PVE::LXC::Config->write_config($vmid, $source_conf); | |
2378 | ||
2379 | my $drive_string; | |
a337a832 AL |
2380 | if ($target_unused) { |
2381 | $drive_string = $new_volid; | |
2382 | } else { | |
27e28f79 | 2383 | $drive_string = PVE::LXC::Config->print_volume($target_mpkey, $drive); |
a337a832 AL |
2384 | } |
2385 | ||
2386 | if ($target_unused) { | |
2387 | $target_conf->{$target_mpkey} = $drive_string; | |
2388 | } else { | |
2389 | my $running = PVE::LXC::check_running($target_vmid); | |
2390 | my $param = { $target_mpkey => $drive_string }; | |
2391 | my $errors = PVE::LXC::Config->update_pct_config( | |
2392 | $target_vmid, | |
2393 | $target_conf, | |
2394 | $running, | |
2395 | $param | |
2396 | ); | |
3785fe32 | 2397 | $rpcenv->warn($errors->{$_}) for keys $errors->%*; |
a337a832 AL |
2398 | } |
2399 | ||
2400 | PVE::LXC::Config->write_config($target_vmid, $target_conf); | |
2401 | $target_conf = PVE::LXC::Config->load_config($target_vmid); | |
2402 | ||
2403 | PVE::LXC::update_lxc_config($target_vmid, $target_conf) if !$target_unused; | |
2404 | print "target container '$target_vmid' updated with '$target_mpkey'\n"; | |
2405 | ||
2406 | # remove possible replication snapshots | |
2407 | if (PVE::Storage::volume_has_feature($storecfg,'replicate', $source_volid)) { | |
2408 | eval { | |
2409 | PVE::Replication::prepare( | |
2410 | $storecfg, | |
2411 | [$new_volid], | |
2412 | undef, | |
2413 | 1, | |
2414 | undef, | |
2415 | $logfunc, | |
2416 | ) | |
2417 | }; | |
2418 | if (my $err = $@) { | |
2419 | $rpcenv->warn("Failed to remove replication snapshots on volume ". | |
2420 | "'${target_mpkey}'. Manual cleanup could be necessary. " . | |
2421 | "Error: ${err}\n"); | |
2422 | } | |
2423 | } | |
2424 | }); | |
2425 | }); | |
2426 | }; | |
2427 | ||
27e28f79 FG |
2428 | if ($target_vmid && $storage) { |
2429 | my $msg = "either set 'storage' or 'target-vmid', but not both"; | |
2430 | raise_param_exc({ 'target-vmid' => $msg, 'storage' => $msg }); | |
2431 | } elsif ($target_vmid) { | |
a337a832 AL |
2432 | $rpcenv->check_vm_perm($authuser, $target_vmid, undef, ['VM.Config.Disk']) |
2433 | if $authuser ne 'root@pam'; | |
2434 | ||
3785fe32 | 2435 | my (undef, undef, $drive) = $load_and_check_reassign_configs->(); |
d568e8db FG |
2436 | my $storeid = PVE::Storage::parse_volume_id($drive->{volume}); |
2437 | $rpcenv->check($authuser, "/storage/$storeid", ['Datastore.AllocateSpace']); | |
a337a832 AL |
2438 | return $rpcenv->fork_worker( |
2439 | 'move_volume', | |
2440 | "${vmid}-${mpkey}>${target_vmid}-${target_mpkey}", | |
2441 | $authuser, | |
2442 | $volume_reassignfn | |
2443 | ); | |
2444 | } elsif ($storage) { | |
d568e8db | 2445 | $rpcenv->check($authuser, "/storage/$storage", ['Datastore.AllocateSpace']); |
a337a832 AL |
2446 | &$move_to_storage_checks(); |
2447 | my $task = eval { | |
2448 | $rpcenv->fork_worker('move_volume', $vmid, $authuser, $storage_realcmd); | |
2449 | }; | |
2450 | if (my $err = $@) { | |
2451 | eval { PVE::LXC::Config->remove_lock($vmid, $lockname) }; | |
2452 | warn $@ if $@; | |
2453 | die $err; | |
2454 | } | |
2455 | return $task; | |
2456 | } else { | |
27e28f79 FG |
2457 | my $msg = "both 'storage' and 'target-vmid' missing, either needs to be set"; |
2458 | raise_param_exc({ 'target-vmid' => $msg, 'storage' => $msg }); | |
3c0f6806 | 2459 | } |
3c0f6806 WB |
2460 | }}); |
2461 | ||
37c2dba8 OB |
2462 | __PACKAGE__->register_method({ |
2463 | name => 'vm_pending', | |
2464 | path => '{vmid}/pending', | |
2465 | method => 'GET', | |
2466 | proxyto => 'node', | |
2467 | description => 'Get container configuration, including pending changes.', | |
2468 | permissions => { | |
2469 | check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]], | |
2470 | }, | |
2471 | parameters => { | |
2472 | additionalProperties => 0, | |
2473 | properties => { | |
2474 | node => get_standard_option('pve-node'), | |
2475 | vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }), | |
2476 | }, | |
2477 | }, | |
2478 | returns => { | |
2479 | type => "array", | |
2480 | items => { | |
2481 | type => "object", | |
2482 | properties => { | |
2483 | key => { | |
2484 | description => 'Configuration option name.', | |
2485 | type => 'string', | |
2486 | }, | |
2487 | value => { | |
2488 | description => 'Current value.', | |
2489 | type => 'string', | |
2490 | optional => 1, | |
2491 | }, | |
2492 | pending => { | |
2493 | description => 'Pending value.', | |
2494 | type => 'string', | |
2495 | optional => 1, | |
2496 | }, | |
2497 | delete => { | |
2498 | description => "Indicates a pending delete request if present and not 0.", | |
2499 | type => 'integer', | |
2500 | minimum => 0, | |
2501 | maximum => 2, | |
2502 | optional => 1, | |
2503 | }, | |
2504 | }, | |
2505 | }, | |
2506 | }, | |
2507 | code => sub { | |
2508 | my ($param) = @_; | |
2509 | ||
2510 | my $conf = PVE::LXC::Config->load_config($param->{vmid}); | |
2511 | ||
2512 | my $pending_delete_hash = PVE::LXC::Config->parse_pending_delete($conf->{pending}->{delete}); | |
2513 | ||
f622e7dc | 2514 | return PVE::GuestHelpers::config_with_pending_array($conf, $pending_delete_hash); |
37c2dba8 OB |
2515 | }}); |
2516 | ||
3d56c9c0 LN |
2517 | __PACKAGE__->register_method({ |
2518 | name => 'ip', | |
2519 | path => '{vmid}/interfaces', | |
2520 | method => 'GET', | |
2521 | protected => 1, | |
2522 | permissions => { | |
2523 | check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]], | |
2524 | }, | |
2525 | description => 'Get IP addresses of the specified container interface.', | |
2526 | parameters => { | |
2527 | additionalProperties => 0, | |
2528 | properties => { | |
2529 | node => get_standard_option('pve-node'), | |
2530 | vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }), | |
2531 | }, | |
2532 | }, | |
2533 | returns => { | |
2534 | type => "array", | |
2535 | items => { | |
2536 | type => 'object', | |
2537 | properties => { | |
2538 | name => { | |
2539 | type => 'string', | |
2540 | description => 'The name of the interface', | |
2541 | optional => 0, | |
2542 | }, | |
2543 | hwaddr => { | |
2544 | type => 'string', | |
2545 | description => 'The MAC address of the interface', | |
2546 | optional => 0, | |
2547 | }, | |
2548 | inet => { | |
2549 | type => 'string', | |
2550 | description => 'The IPv4 address of the interface', | |
2551 | optional => 1, | |
2552 | }, | |
2553 | inet6 => { | |
2554 | type => 'string', | |
2555 | description => 'The IPv6 address of the interface', | |
2556 | optional => 1, | |
2557 | }, | |
2558 | } | |
2559 | }, | |
2560 | }, | |
2561 | code => sub { | |
2562 | my ($param) = @_; | |
2563 | ||
2564 | return PVE::LXC::get_interfaces($param->{vmid}); | |
2565 | }}); | |
2566 | ||
0e0958a5 FG |
2567 | __PACKAGE__->register_method({ |
2568 | name => 'mtunnel', | |
2569 | path => '{vmid}/mtunnel', | |
2570 | method => 'POST', | |
2571 | protected => 1, | |
2572 | description => 'Migration tunnel endpoint - only for internal use by CT migration.', | |
2573 | permissions => { | |
2574 | check => | |
2575 | [ 'and', | |
2576 | ['perm', '/vms/{vmid}', [ 'VM.Allocate' ]], | |
2577 | ['perm', '/', [ 'Sys.Incoming' ]], | |
2578 | ], | |
2579 | description => "You need 'VM.Allocate' permissions on '/vms/{vmid}' and Sys.Incoming" . | |
2580 | " on '/'. Further permission checks happen during the actual migration.", | |
2581 | }, | |
2582 | parameters => { | |
2583 | additionalProperties => 0, | |
2584 | properties => { | |
2585 | node => get_standard_option('pve-node'), | |
2586 | vmid => get_standard_option('pve-vmid'), | |
2587 | storages => { | |
2588 | type => 'string', | |
2589 | format => 'pve-storage-id-list', | |
2590 | optional => 1, | |
2591 | description => 'List of storages to check permission and availability. Will be checked again for all actually used storages during migration.', | |
2592 | }, | |
2593 | bridges => { | |
2594 | type => 'string', | |
2595 | format => 'pve-bridge-id-list', | |
2596 | optional => 1, | |
2597 | description => 'List of network bridges to check availability. Will be checked again for actually used bridges during migration.', | |
2598 | }, | |
2599 | }, | |
2600 | }, | |
2601 | returns => { | |
2602 | additionalProperties => 0, | |
2603 | properties => { | |
2604 | upid => { type => 'string' }, | |
2605 | ticket => { type => 'string' }, | |
2606 | socket => { type => 'string' }, | |
2607 | }, | |
2608 | }, | |
2609 | code => sub { | |
2610 | my ($param) = @_; | |
2611 | ||
2612 | my $rpcenv = PVE::RPCEnvironment::get(); | |
2613 | my $authuser = $rpcenv->get_user(); | |
2614 | ||
2615 | my $node = extract_param($param, 'node'); | |
2616 | my $vmid = extract_param($param, 'vmid'); | |
2617 | ||
2618 | my $storages = extract_param($param, 'storages'); | |
2619 | my $bridges = extract_param($param, 'bridges'); | |
2620 | ||
2621 | my $nodename = PVE::INotify::nodename(); | |
2622 | ||
2623 | raise_param_exc({ node => "node needs to be 'localhost' or local hostname '$nodename'" }) | |
2624 | if $node ne 'localhost' && $node ne $nodename; | |
2625 | ||
2626 | $node = $nodename; | |
2627 | ||
2628 | my $storecfg = PVE::Storage::config(); | |
2629 | foreach my $storeid (PVE::Tools::split_list($storages)) { | |
2630 | $check_storage_access_migrate->($rpcenv, $authuser, $storecfg, $storeid, $node); | |
2631 | } | |
2632 | ||
2633 | foreach my $bridge (PVE::Tools::split_list($bridges)) { | |
2634 | PVE::Network::read_bridge_mtu($bridge); | |
2635 | } | |
2636 | ||
2637 | PVE::Cluster::check_cfs_quorum(); | |
2638 | ||
2639 | my $socket_addr = "/run/pve/ct-$vmid.mtunnel"; | |
2640 | ||
2641 | my $lock = 'create'; | |
2642 | eval { PVE::LXC::Config->create_and_lock_config($vmid, 0, $lock); }; | |
2643 | ||
2644 | raise_param_exc({ vmid => "unable to create empty CT config - $@"}) | |
2645 | if $@; | |
2646 | ||
2647 | my $realcmd = sub { | |
2648 | my $state = { | |
2649 | storecfg => PVE::Storage::config(), | |
2650 | lock => $lock, | |
2651 | vmid => $vmid, | |
2652 | }; | |
2653 | ||
2654 | my $run_locked = sub { | |
2655 | my ($code, $params) = @_; | |
2656 | return PVE::LXC::Config->lock_config($state->{vmid}, sub { | |
2657 | my $conf = PVE::LXC::Config->load_config($state->{vmid}); | |
2658 | ||
2659 | $state->{conf} = $conf; | |
2660 | ||
2661 | die "Encountered wrong lock - aborting mtunnel command handling.\n" | |
2662 | if $state->{lock} && !PVE::LXC::Config->has_lock($conf, $state->{lock}); | |
2663 | ||
2664 | return $code->($params); | |
2665 | }); | |
2666 | }; | |
2667 | ||
2668 | my $cmd_desc = { | |
2669 | config => { | |
2670 | conf => { | |
2671 | type => 'string', | |
2672 | description => 'Full CT config, adapted for target cluster/node', | |
2673 | }, | |
2674 | 'firewall-config' => { | |
2675 | type => 'string', | |
2676 | description => 'CT firewall config', | |
2677 | optional => 1, | |
2678 | }, | |
2679 | }, | |
2680 | ticket => { | |
2681 | path => { | |
2682 | type => 'string', | |
2683 | description => 'socket path for which the ticket should be valid. must be known to current mtunnel instance.', | |
2684 | }, | |
2685 | }, | |
2686 | quit => { | |
2687 | cleanup => { | |
2688 | type => 'boolean', | |
2689 | description => 'remove CT config and volumes, aborting migration', | |
2690 | default => 0, | |
2691 | }, | |
2692 | }, | |
2693 | 'disk-import' => $PVE::StorageTunnel::cmd_schema->{'disk-import'}, | |
2694 | 'query-disk-import' => $PVE::StorageTunnel::cmd_schema->{'query-disk-import'}, | |
2695 | bwlimit => $PVE::StorageTunnel::cmd_schema->{bwlimit}, | |
2696 | }; | |
2697 | ||
2698 | my $cmd_handlers = { | |
2699 | 'version' => sub { | |
2700 | # compared against other end's version | |
2701 | # bump/reset for breaking changes | |
2702 | # bump/bump for opt-in changes | |
2703 | return { | |
2704 | api => $PVE::LXC::Migrate::WS_TUNNEL_VERSION, | |
2705 | age => 0, | |
2706 | }; | |
2707 | }, | |
2708 | 'config' => sub { | |
2709 | my ($params) = @_; | |
2710 | ||
2711 | # parse and write out VM FW config if given | |
2712 | if (my $fw_conf = $params->{'firewall-config'}) { | |
2713 | my ($path, $fh) = PVE::Tools::tempfile_contents($fw_conf, 700); | |
2714 | ||
2715 | my $empty_conf = { | |
2716 | rules => [], | |
2717 | options => {}, | |
2718 | aliases => {}, | |
2719 | ipset => {} , | |
2720 | ipset_comments => {}, | |
2721 | }; | |
2722 | my $cluster_fw_conf = PVE::Firewall::load_clusterfw_conf(); | |
2723 | ||
2724 | # TODO: add flag for strict parsing? | |
2725 | # TODO: add import sub that does all this given raw content? | |
2726 | my $vmfw_conf = PVE::Firewall::generic_fw_config_parser($path, $cluster_fw_conf, $empty_conf, 'vm'); | |
2727 | $vmfw_conf->{vmid} = $state->{vmid}; | |
2728 | PVE::Firewall::save_vmfw_conf($state->{vmid}, $vmfw_conf); | |
2729 | ||
2730 | $state->{cleanup}->{fw} = 1; | |
2731 | } | |
2732 | ||
2733 | my $conf_fn = "incoming/lxc/$state->{vmid}.conf"; | |
2734 | my $new_conf = PVE::LXC::Config::parse_pct_config($conf_fn, $params->{conf}, 1); | |
2735 | delete $new_conf->{lock}; | |
2736 | delete $new_conf->{digest}; | |
2737 | ||
2738 | my $unprivileged = delete $new_conf->{unprivileged}; | |
2739 | my $arch = delete $new_conf->{arch}; | |
2740 | ||
2741 | # TODO handle properly? | |
2742 | delete $new_conf->{snapshots}; | |
2743 | delete $new_conf->{parent}; | |
2744 | delete $new_conf->{pending}; | |
2745 | delete $new_conf->{lxc}; | |
2746 | ||
2747 | PVE::LXC::Config->remove_lock($state->{vmid}, 'create'); | |
2748 | ||
2749 | eval { | |
2750 | my $conf = { | |
2751 | unprivileged => $unprivileged, | |
2752 | arch => $arch, | |
2753 | }; | |
2754 | PVE::LXC::check_ct_modify_config_perm( | |
2755 | $rpcenv, | |
2756 | $authuser, | |
2757 | $state->{vmid}, | |
2758 | undef, | |
2759 | $conf, | |
2760 | $new_conf, | |
2761 | undef, | |
2762 | $unprivileged, | |
2763 | ); | |
2764 | my $errors = PVE::LXC::Config->update_pct_config( | |
2765 | $state->{vmid}, | |
2766 | $conf, | |
2767 | 0, | |
2768 | $new_conf, | |
2769 | [], | |
2770 | [], | |
2771 | ); | |
2772 | raise_param_exc($errors) if scalar(keys %$errors); | |
2773 | PVE::LXC::Config->write_config($state->{vmid}, $conf); | |
2774 | PVE::LXC::update_lxc_config($vmid, $conf); | |
2775 | }; | |
2776 | if (my $err = $@) { | |
2777 | # revert to locked previous config | |
2778 | my $conf = PVE::LXC::Config->load_config($state->{vmid}); | |
2779 | $conf->{lock} = 'create'; | |
2780 | PVE::LXC::Config->write_config($state->{vmid}, $conf); | |
2781 | ||
2782 | die $err; | |
2783 | } | |
2784 | ||
2785 | my $conf = PVE::LXC::Config->load_config($state->{vmid}); | |
2786 | $conf->{lock} = 'migrate'; | |
2787 | PVE::LXC::Config->write_config($state->{vmid}, $conf); | |
2788 | ||
2789 | $state->{lock} = 'migrate'; | |
2790 | ||
2791 | return; | |
2792 | }, | |
2793 | 'bwlimit' => sub { | |
2794 | my ($params) = @_; | |
2795 | return PVE::StorageTunnel::handle_bwlimit($params); | |
2796 | }, | |
2797 | 'disk-import' => sub { | |
2798 | my ($params) = @_; | |
2799 | ||
2800 | $check_storage_access_migrate->( | |
2801 | $rpcenv, | |
2802 | $authuser, | |
2803 | $state->{storecfg}, | |
2804 | $params->{storage}, | |
2805 | $node | |
2806 | ); | |
2807 | ||
2808 | $params->{unix} = "/run/pve/ct-$state->{vmid}.storage"; | |
2809 | ||
2810 | return PVE::StorageTunnel::handle_disk_import($state, $params); | |
2811 | }, | |
2812 | 'query-disk-import' => sub { | |
2813 | my ($params) = @_; | |
2814 | ||
2815 | return PVE::StorageTunnel::handle_query_disk_import($state, $params); | |
2816 | }, | |
2817 | 'unlock' => sub { | |
2818 | PVE::LXC::Config->remove_lock($state->{vmid}, $state->{lock}); | |
2819 | delete $state->{lock}; | |
2820 | return; | |
2821 | }, | |
2822 | 'start' => sub { | |
2823 | PVE::LXC::vm_start( | |
2824 | $state->{vmid}, | |
2825 | $state->{conf}, | |
2826 | 0 | |
2827 | ); | |
2828 | ||
2829 | return; | |
2830 | }, | |
2831 | 'stop' => sub { | |
2832 | PVE::LXC::vm_stop($state->{vmid}, 1, 10, 1); | |
2833 | return; | |
2834 | }, | |
2835 | 'ticket' => sub { | |
2836 | my ($params) = @_; | |
2837 | ||
2838 | my $path = $params->{path}; | |
2839 | ||
2840 | die "Not allowed to generate ticket for unknown socket '$path'\n" | |
2841 | if !defined($state->{sockets}->{$path}); | |
2842 | ||
2843 | return { ticket => PVE::AccessControl::assemble_tunnel_ticket($authuser, "/socket/$path") }; | |
2844 | }, | |
2845 | 'quit' => sub { | |
2846 | my ($params) = @_; | |
2847 | ||
2848 | if ($params->{cleanup}) { | |
2849 | if ($state->{cleanup}->{fw}) { | |
2850 | PVE::Firewall::remove_vmfw_conf($state->{vmid}); | |
2851 | } | |
2852 | ||
2853 | for my $volid (keys $state->{cleanup}->{volumes}->%*) { | |
2854 | print "freeing volume '$volid' as part of cleanup\n"; | |
2855 | eval { PVE::Storage::vdisk_free($state->{storecfg}, $volid) }; | |
2856 | warn $@ if $@; | |
2857 | } | |
2858 | ||
2859 | PVE::LXC::destroy_lxc_container( | |
2860 | $state->{storecfg}, | |
2861 | $state->{vmid}, | |
2862 | $state->{conf}, | |
2863 | undef, | |
2864 | 0, | |
2865 | ); | |
2866 | } | |
2867 | ||
2868 | print "switching to exit-mode, waiting for client to disconnect\n"; | |
2869 | $state->{exit} = 1; | |
2870 | return; | |
2871 | }, | |
2872 | }; | |
2873 | ||
2874 | $run_locked->(sub { | |
2875 | my $socket_addr = "/run/pve/ct-$state->{vmid}.mtunnel"; | |
2876 | unlink $socket_addr; | |
2877 | ||
2878 | $state->{socket} = IO::Socket::UNIX->new( | |
2879 | Type => SOCK_STREAM(), | |
2880 | Local => $socket_addr, | |
2881 | Listen => 1, | |
2882 | ); | |
2883 | ||
2884 | $state->{socket_uid} = getpwnam('www-data') | |
2885 | or die "Failed to resolve user 'www-data' to numeric UID\n"; | |
2886 | chown $state->{socket_uid}, -1, $socket_addr; | |
2887 | }); | |
2888 | ||
2889 | print "mtunnel started\n"; | |
2890 | ||
2891 | my $conn = eval { PVE::Tools::run_with_timeout(300, sub { $state->{socket}->accept() }) }; | |
2892 | if ($@) { | |
2893 | warn "Failed to accept tunnel connection - $@\n"; | |
2894 | ||
2895 | warn "Removing tunnel socket..\n"; | |
2896 | unlink $state->{socket}; | |
2897 | ||
2898 | warn "Removing temporary VM config..\n"; | |
2899 | $run_locked->(sub { | |
2900 | PVE::LXC::destroy_config($state->{vmid}); | |
2901 | }); | |
2902 | ||
2903 | die "Exiting mtunnel\n"; | |
2904 | } | |
2905 | ||
2906 | $state->{conn} = $conn; | |
2907 | ||
2908 | my $reply_err = sub { | |
2909 | my ($msg) = @_; | |
2910 | ||
2911 | my $reply = JSON::encode_json({ | |
2912 | success => JSON::false, | |
2913 | msg => $msg, | |
2914 | }); | |
2915 | $conn->print("$reply\n"); | |
2916 | $conn->flush(); | |
2917 | }; | |
2918 | ||
2919 | my $reply_ok = sub { | |
2920 | my ($res) = @_; | |
2921 | ||
2922 | $res->{success} = JSON::true; | |
2923 | my $reply = JSON::encode_json($res); | |
2924 | $conn->print("$reply\n"); | |
2925 | $conn->flush(); | |
2926 | }; | |
2927 | ||
2928 | while (my $line = <$conn>) { | |
2929 | chomp $line; | |
2930 | ||
2931 | # untaint, we validate below if needed | |
2932 | ($line) = $line =~ /^(.*)$/; | |
2933 | my $parsed = eval { JSON::decode_json($line) }; | |
2934 | if ($@) { | |
2935 | $reply_err->("failed to parse command - $@"); | |
2936 | next; | |
2937 | } | |
2938 | ||
2939 | my $cmd = delete $parsed->{cmd}; | |
2940 | if (!defined($cmd)) { | |
2941 | $reply_err->("'cmd' missing"); | |
2942 | } elsif ($state->{exit}) { | |
2943 | $reply_err->("tunnel is in exit-mode, processing '$cmd' cmd not possible"); | |
2944 | next; | |
2945 | } elsif (my $handler = $cmd_handlers->{$cmd}) { | |
2946 | print "received command '$cmd'\n"; | |
2947 | eval { | |
2948 | if ($cmd_desc->{$cmd}) { | |
2949 | PVE::JSONSchema::validate($parsed, $cmd_desc->{$cmd}); | |
2950 | } else { | |
2951 | $parsed = {}; | |
2952 | } | |
2953 | my $res = $run_locked->($handler, $parsed); | |
2954 | $reply_ok->($res); | |
2955 | }; | |
2956 | $reply_err->("failed to handle '$cmd' command - $@") | |
2957 | if $@; | |
2958 | } else { | |
2959 | $reply_err->("unknown command '$cmd' given"); | |
2960 | } | |
2961 | } | |
2962 | ||
2963 | if ($state->{exit}) { | |
2964 | print "mtunnel exited\n"; | |
2965 | } else { | |
2966 | die "mtunnel exited unexpectedly\n"; | |
2967 | } | |
2968 | }; | |
2969 | ||
2970 | my $ticket = PVE::AccessControl::assemble_tunnel_ticket($authuser, "/socket/$socket_addr"); | |
2971 | my $upid = $rpcenv->fork_worker('vzmtunnel', $vmid, $authuser, $realcmd); | |
2972 | ||
2973 | return { | |
2974 | ticket => $ticket, | |
2975 | upid => $upid, | |
2976 | socket => $socket_addr, | |
2977 | }; | |
2978 | }}); | |
2979 | ||
2980 | __PACKAGE__->register_method({ | |
2981 | name => 'mtunnelwebsocket', | |
2982 | path => '{vmid}/mtunnelwebsocket', | |
2983 | method => 'GET', | |
2984 | permissions => { | |
2985 | description => "You need to pass a ticket valid for the selected socket. Tickets can be created via the mtunnel API call, which will check permissions accordingly.", | |
2986 | user => 'all', # check inside | |
2987 | }, | |
2988 | description => 'Migration tunnel endpoint for websocket upgrade - only for internal use by VM migration.', | |
2989 | parameters => { | |
2990 | additionalProperties => 0, | |
2991 | properties => { | |
2992 | node => get_standard_option('pve-node'), | |
2993 | vmid => get_standard_option('pve-vmid'), | |
2994 | socket => { | |
2995 | type => "string", | |
2996 | description => "unix socket to forward to", | |
2997 | }, | |
2998 | ticket => { | |
2999 | type => "string", | |
3000 | description => "ticket return by initial 'mtunnel' API call, or retrieved via 'ticket' tunnel command", | |
3001 | }, | |
3002 | }, | |
3003 | }, | |
3004 | returns => { | |
3005 | type => "object", | |
3006 | properties => { | |
3007 | port => { type => 'string', optional => 1 }, | |
3008 | socket => { type => 'string', optional => 1 }, | |
3009 | }, | |
3010 | }, | |
3011 | code => sub { | |
3012 | my ($param) = @_; | |
3013 | ||
3014 | my $rpcenv = PVE::RPCEnvironment::get(); | |
3015 | my $authuser = $rpcenv->get_user(); | |
3016 | ||
3017 | my $nodename = PVE::INotify::nodename(); | |
3018 | my $node = extract_param($param, 'node'); | |
3019 | ||
3020 | raise_param_exc({ node => "node needs to be 'localhost' or local hostname '$nodename'" }) | |
3021 | if $node ne 'localhost' && $node ne $nodename; | |
3022 | ||
3023 | my $vmid = $param->{vmid}; | |
3024 | # check VM exists | |
3025 | PVE::LXC::Config->load_config($vmid); | |
3026 | ||
3027 | my $socket = $param->{socket}; | |
3028 | PVE::AccessControl::verify_tunnel_ticket($param->{ticket}, $authuser, "/socket/$socket"); | |
3029 | ||
3030 | return { socket => $socket }; | |
3031 | }}); | |
f76a2828 | 3032 | 1; |