[pve-container.git] / src / PVE / LXC / Setup.pm

package PVE::LXC::Setup;

use strict;
use warnings;

use POSIX;
use Cwd 'abs_path';

use PVE::Tools;

use PVE::LXC::Setup::Alpine;
use PVE::LXC::Setup::ArchLinux;
use PVE::LXC::Setup::CentOS;
use PVE::LXC::Setup::Debian;
use PVE::LXC::Setup::Devuan;
use PVE::LXC::Setup::Fedora;
use PVE::LXC::Setup::Gentoo;
use PVE::LXC::Setup::SUSE;
use PVE::LXC::Setup::Ubuntu;

my $plugins = {
    alpine    => 'PVE::LXC::Setup::Alpine',
    archlinux => 'PVE::LXC::Setup::ArchLinux',
    centos    => 'PVE::LXC::Setup::CentOS',
    debian    => 'PVE::LXC::Setup::Debian',
    devuan    => 'PVE::LXC::Setup::Devuan',
    fedora    => 'PVE::LXC::Setup::Fedora',
    gentoo    => 'PVE::LXC::Setup::Gentoo',
    opensuse  => 'PVE::LXC::Setup::SUSE',
    ubuntu    => 'PVE::LXC::Setup::Ubuntu',
};

# a map to allow supporting related distro flavours
my $plugin_alias = {
    'opensuse-leap' => 'opensuse',
    'opensuse-tumbleweed' => 'opensuse',
    arch => 'archlinux',
    sles => 'opensuse',
};

my $autodetect_type = sub {
    my ($self, $rootdir, $os_release) = @_;

    if (my $id = $os_release->{ID}) {
	return $id if $plugins->{$id};
	return $plugin_alias->{$id} if $plugin_alias->{$id};
	warn "unknown ID '$id' in /etc/os-release file, trying fallback detection\n";
    }

    # fallback compatibility checks

    my $lsb_fn = "$rootdir/etc/lsb-release";
    if (-f $lsb_fn) {
	my $data =  PVE::Tools::file_get_contents($lsb_fn);
	if ($data =~ m/^DISTRIB_ID=Ubuntu$/im) {
	    return 'ubuntu';
	}
    }

    if (-f "$rootdir/etc/debian_version") {
	return "debian";
    } elsif (-f "$rootdir/etc/devuan_version") {
	return "devuan";
    } elsif (-f  "$rootdir/etc/SuSE-brand" || -f "$rootdir/etc/SuSE-release") {
	return "opensuse";
    } elsif (-f  "$rootdir/etc/fedora-release") {
	return "fedora";
    } elsif (-f  "$rootdir/etc/centos-release" || -f "$rootdir/etc/redhat-release") {
	return "centos";
    } elsif (-f  "$rootdir/etc/arch-release") {
	return "archlinux";
    } elsif (-f  "$rootdir/etc/alpine-release") {
	return "alpine";
    } elsif (-f  "$rootdir/etc/gentoo-release") {
	return "gentoo";
    } elsif (-f "$rootdir/etc/os-release") {
	die "unable to detect OS distribution\n";
    } else {
	warn "/etc/os-release file not found and autodetection failed, falling back to 'unmanaged'\n";
	return "unmanaged";
    }
};

sub new {
    my ($class, $conf, $rootdir, $type) = @_;

    die "no root directory\n" if !$rootdir || $rootdir eq '/';

    my $self = bless { conf => $conf, rootdir => $rootdir}, $class;

    my $os_release = $self->get_ct_os_release();

    if ($conf->{ostype} && $conf->{ostype} eq 'unmanaged') {
	return $self;
    } elsif (!defined($type)) {
	# try to autodetect type
	$type = &$autodetect_type($self, $rootdir, $os_release);
	my $expected_type = $conf->{ostype} || $type;

	if ($type ne $expected_type) {
	    warn "WARNING: /etc not present in CT, is the rootfs mounted?\n"
		if ! -e "$rootdir/etc";
	    warn "got unexpected ostype ($type != $expected_type)\n"
	}
    }

    if ($type eq 'unmanaged') {
	$conf->{ostype} = $type;
	return $self;
    }

    my $plugin_class = $plugins->{$type} || die "no such OS type '$type'\n";

    my $plugin = $plugin_class->new($conf, $rootdir, $os_release);
    $self->{plugin} = $plugin;
    $self->{in_chroot} = 0;

    # Cache some host files we need access to:
    $plugin->{host_resolv_conf} = PVE::INotify::read_file('resolvconf');
    $plugin->{host_localtime} = abs_path('/etc/localtime');

    # pass on user namespace information:
    my ($id_map, $rootuid, $rootgid) = PVE::LXC::parse_id_maps($conf);
    if (@$id_map) {
	$plugin->{id_map} = $id_map;
	$plugin->{rootuid} = $rootuid;
	$plugin->{rootgid} = $rootgid;
    }

    return $self;
}

# Forks into a chroot and executes $sub
sub protected_call {
    my ($self, $sub) = @_;

    # avoid recursion:
    return $sub->() if $self->{in_chroot};

    pipe(my $res_in, my $res_out) or die "pipe failed: $!\n";

    my $child = fork();
    die "fork failed: $!\n" if !defined($child);

    if (!$child) {
	close($res_in);
	# avoid recursive forks
	$self->{in_chroot} = 1;
	eval {
	    my $rootdir = $self->{rootdir};
	    chroot($rootdir) or die "failed to change root to: $rootdir: $!\n";
	    chdir('/') or die "failed to change to root directory\n";
	    my $res = $sub->();
	    if (defined($res)) {
		print {$res_out} "$res";
		$res_out->flush();
	    }
	};
	if (my $err = $@) {
	    warn $err;
	    POSIX::_exit(1);
	}
	POSIX::_exit(0);
    }
    close($res_out);
    my $result = do { local $/ = undef; <$res_in> };
    while (waitpid($child, 0) != $child) {}
    if ($? != 0) {
	my $method = (caller(1))[3];
	die "error in setup task $method\n";
    }
    return $result;
}

sub template_fixup {
    my ($self) = @_;

    return if !$self->{plugin}; # unmanaged

    $self->protected_call(sub { $self->{plugin}->template_fixup($self->{conf}) });
}
 
sub setup_network {
    my ($self) = @_;

    return if !$self->{plugin}; # unmanaged

    $self->protected_call(sub { $self->{plugin}->setup_network($self->{conf}) });
}

sub set_hostname {
    my ($self) = @_;

    return if !$self->{plugin}; # unmanaged

    $self->protected_call(sub { $self->{plugin}->set_hostname($self->{conf}) });
}

sub set_dns {
    my ($self) = @_;

    return if !$self->{plugin}; # unmanaged

    $self->protected_call(sub { $self->{plugin}->set_dns($self->{conf}) });
}

sub set_timezone {
    my ($self) = @_;

    return if !$self->{plugin}; # unmanaged

    $self->protected_call(sub { $self->{plugin}->set_timezone($self->{conf}) });
}

sub setup_init {
    my ($self) = @_;

    return if !$self->{plugin}; # unmanaged

    $self->protected_call(sub { $self->{plugin}->setup_init($self->{conf}) });
}

sub set_user_password {
    my ($self, $user, $pw) = @_;

    return if !$self->{plugin}; # unmanaged

    $self->protected_call(sub { $self->{plugin}->set_user_password($self->{conf}, $user, $pw) });
}

my sub generate_ssh_key { # create temporary key in hosts' /run, then read and unlink
    my ($type, $comment) = @_;

    my $key_id = '';
    my $keygen_outfunc = sub {
	if ($_[0] =~ m/^((?:[0-9a-f]{2}:)+[0-9a-f]{2}|SHA256:[0-9a-z+\/]{43})\s+\Q$comment\E$/i) {
	    $key_id = $_[0];
	}
    };
    my $file = "/run/pve/.tmp$$.$type";
    PVE::Tools::run_command(
	['ssh-keygen', '-f', $file, '-t', $type, '-N', '', '-E', 'sha256', '-C', $comment],
	outfunc => $keygen_outfunc,
    );
    my ($private) = (PVE::Tools::file_get_contents($file) =~ /^(.*)$/sg); # untaint
    my ($public) = (PVE::Tools::file_get_contents("$file.pub") =~ /^(.*)$/sg); # untaint
    unlink $file, "$file.pub";

    return ($key_id, $private, $public);
}

sub rewrite_ssh_host_keys {
    my ($self) = @_;

    return if !$self->{plugin}; # unmanaged

    my $plugin = $self->{plugin};

    return if ! -d "$self->{rootdir}/etc/ssh";

    my $keynames = {
	rsa => 'ssh_host_rsa_key',
	dsa => 'ssh_host_dsa_key',
	ecdsa => 'ssh_host_ecdsa_key',
	ed25519 => 'ssh_host_ed25519_key',
    };

    my $hostname = $self->{conf}->{hostname} || 'localhost';
    $hostname =~ s/\..*$//;

    my $keyfiles = [];
    for my $keytype (keys $keynames->%*) {
	my $basename = $keynames->{$keytype};
	print "Creating SSH host key '$basename' - this may take some time ...\n";
	my ($id, $private, $public) = generate_ssh_key($keytype, "root\@$hostname");
	print "done: $id\n";

	push $keyfiles->@*, ["/etc/ssh/$basename", $private, 0600], ["/etc/ssh/$basename.pub", $public, 0644];
    }

    $self->protected_call(sub { # write them now all to the CTs rootfs at once
	for my $file ($keyfiles->@*) {
	    $plugin->ct_file_set_contents($file->@*);
	}
    });
}

my $container_emulator_path = {
    'amd64' => '/usr/bin/qemu-x86_64-static',
    'arm64' => '/usr/bin/qemu-aarch64-static',
};

sub pre_start_hook {
    my ($self) = @_;

    return if !$self->{plugin}; # unmanaged

    my $host_arch = PVE::Tools::get_host_arch();

    # containers use different architecture names
    if ($host_arch eq 'x86_64') {
	$host_arch = 'amd64';
    } elsif ($host_arch eq 'aarch64') {
	$host_arch = 'arm64';
    } else {
	die "unsupported host architecture '$host_arch'\n";
    }

    my $container_arch = $self->{conf}->{arch};

    $container_arch = 'amd64' if $container_arch eq 'i386'; # always use 64 bit version
    $container_arch = 'arm64' if $container_arch eq 'armhf'; # always use 64 bit version

    my $emul;
    my $emul_data;

    if ($host_arch ne $container_arch) {
	if ($emul = $container_emulator_path->{$container_arch}) {
	    $emul_data = PVE::Tools::file_get_contents($emul, 10*1024*1024) if -f $emul;
	}
    }

    my $code = sub {
	if ($emul && $emul_data) {
	    $self->{plugin}->ct_file_set_contents($emul, $emul_data, 0755);
	}

	$self->{plugin}->pre_start_hook($self->{conf});
    };
    $self->protected_call($code);
}

sub post_clone_hook {
    my ($self, $conf) = @_;

    $self->protected_call(sub { $self->{plugin}->post_clone_hook($conf) });
}

sub post_create_hook {
    my ($self, $root_password, $ssh_keys) = @_;

    return if !$self->{plugin}; # unmanaged

    $self->protected_call(sub {
	$self->{plugin}->post_create_hook($self->{conf}, $root_password, $ssh_keys);
    });
    $self->rewrite_ssh_host_keys();
}

sub unified_cgroupv2_support {
    my ($self) = @_;

    $self->protected_call(sub { $self->{plugin}->unified_cgroupv2_support() });
}

# os-release(5):
#   (...) a newline-separated list of environment-like shell-compatible
#   variable assignments. (...) beyond mere variable assignments, no shell
#   features are supported (this means variable expansion is explicitly not
#   supported) (...). Variable assignment values must be enclosed in double or
#   single quotes *if* they include spaces, semicolons or other special
#   characters outside of A-Z, a-z, 0-9. Shell special characters ("$", quotes,
#   backslash, backtick) must be escaped with backslashes (...). All strings
#   should be in UTF-8 format, and non-printable characters should not be used.
#   It is not supported to concatenate multiple individually quoted strings.
#   Lines beginning with "#" shall be ignored as comments.
my $parse_os_release = sub {
    my ($data) = @_;
    my $variables = {};
    while (defined($data) && $data =~ /^(.+)$/gm) {
	next if $1 !~ /^\s*([a-zA-Z_][a-zA-Z0-9_]*)=(.*)$/;
	my ($var, $content) = ($1, $2);
	chomp $content;

	if ($content =~ /^'([^']*)'/) {
	    $variables->{$var} = $1;
	} elsif ($content =~ /^"((?:[^"\\]|\\.)*)"/) {
	    my $s = $1;
	    $s =~ s/(\\["'`nt\$\\])/"\"$1\""/eeg;
	    $variables->{$var} = $s;
	} elsif ($content =~ /^([A-Za-z0-9]*)/) {
	    $variables->{$var} = $1;
	}
    }
    return $variables;
};

sub get_ct_os_release {
    my ($self) = @_;

    my $data = $self->protected_call(sub {
	if (-f '/etc/os-release') {
	    return PVE::Tools::file_get_contents('/etc/os-release');
	} elsif (-f '/usr/lib/os-release') {
	    return PVE::Tools::file_get_contents('/usr/lib/os-release');
	}
	return undef;
    });

    return &$parse_os_release($data);
}

1;
Commit	Line	Data
7af97ad5	1	package PVE::LXC::Setup;
1c7f4f65 DM	2
	3	use strict;
	4	use warnings;
	5
21ec7304	6	use POSIX;
e6e308ae OB	7	use Cwd 'abs_path';
e6e308ae OB	8
21ec7304 TL	9	use PVE::Tools;
	10
	11	use PVE::LXC::Setup::Alpine;
	12	use PVE::LXC::Setup::ArchLinux;
81a6ec3f	13	use PVE::LXC::Setup::CentOS;
21ec7304 TL	14	use PVE::LXC::Setup::Debian;
21ec7304 TL	15	use PVE::LXC::Setup::Devuan;
b0143ab1	16	use PVE::LXC::Setup::Fedora;
ed027b58	17	use PVE::LXC::Setup::Gentoo;
21ec7304 TL	18	use PVE::LXC::Setup::SUSE;
21ec7304 TL	19	use PVE::LXC::Setup::Ubuntu;
1c7f4f65 DM	20
1c7f4f65 DM	21	my $plugins = {
21ec7304 TL	22	alpine => 'PVE::LXC::Setup::Alpine',
	23	archlinux => 'PVE::LXC::Setup::ArchLinux',
	24	centos => 'PVE::LXC::Setup::CentOS',
7af97ad5	25	debian => 'PVE::LXC::Setup::Debian',
151c5b73	26	devuan => 'PVE::LXC::Setup::Devuan',
b0143ab1	27	fedora => 'PVE::LXC::Setup::Fedora',
ed027b58	28	gentoo => 'PVE::LXC::Setup::Gentoo',
21ec7304 TL	29	opensuse => 'PVE::LXC::Setup::SUSE',
21ec7304 TL	30	ubuntu => 'PVE::LXC::Setup::Ubuntu',
1c7f4f65 DM	31	};
1c7f4f65 DM	32
934a30b0 TL	33	# a map to allow supporting related distro flavours
934a30b0 TL	34	my $plugin_alias = {
47447841	35	'opensuse-leap' => 'opensuse',
005e72bd	36	'opensuse-tumbleweed' => 'opensuse',
21ec7304 TL	37	arch => 'archlinux',
21ec7304 TL	38	sles => 'opensuse',
934a30b0 TL	39	};
934a30b0 TL	40
bdd4194c	41	my $autodetect_type = sub {
153747ff WB	42	my ($self, $rootdir, $os_release) = @_;
	43
	44	if (my $id = $os_release->{ID}) {
934a30b0 TL	45	return $id if $plugins->{$id};
934a30b0 TL	46	return $plugin_alias->{$id} if $plugin_alias->{$id};
5c81c821	47	warn "unknown ID '$id' in /etc/os-release file, trying fallback detection\n";
153747ff WB	48	}
	49
	50	# fallback compatibility checks
a8e58e9c DM	51
	52	my $lsb_fn = "$rootdir/etc/lsb-release";
	53	if (-f $lsb_fn) {
	54	my $data = PVE::Tools::file_get_contents($lsb_fn);
	55	if ($data =~ m/^DISTRIB_ID=Ubuntu$/im) {
	56	return 'ubuntu';
	57	}
75c7928e DM	58	}
	59
	60	if (-f "$rootdir/etc/debian_version") {
bdd4194c	61	return "debian";
151c5b73 TL	62	} elsif (-f "$rootdir/etc/devuan_version") {
151c5b73 TL	63	return "devuan";
fa7cb12b WB	64	} elsif (-f "$rootdir/etc/SuSE-brand" \|\| -f "$rootdir/etc/SuSE-release") {
fa7cb12b WB	65	return "opensuse";
b0143ab1 WB	66	} elsif (-f "$rootdir/etc/fedora-release") {
b0143ab1 WB	67	return "fedora";
81a6ec3f WB	68	} elsif (-f "$rootdir/etc/centos-release" \|\| -f "$rootdir/etc/redhat-release") {
81a6ec3f WB	69	return "centos";
c1d32b55 WB	70	} elsif (-f "$rootdir/etc/arch-release") {
c1d32b55 WB	71	return "archlinux";
a8700492 JV	72	} elsif (-f "$rootdir/etc/alpine-release") {
a8700492 JV	73	return "alpine";
ed027b58 WB	74	} elsif (-f "$rootdir/etc/gentoo-release") {
ed027b58 WB	75	return "gentoo";
5f94d5e5 AE	76	} elsif (-f "$rootdir/etc/os-release") {
	77	die "unable to detect OS distribution\n";
	78	} else {
	79	warn "/etc/os-release file not found and autodetection failed, falling back to 'unmanaged'\n";
	80	return "unmanaged";
bdd4194c	81	}
bdd4194c DM	82	};
bdd4194c DM	83
1c7f4f65	84	sub new {
5b4657d0	85	my ($class, $conf, $rootdir, $type) = @_;
1c7f4f65	86
5b4657d0 DM	87	die "no root directory\n" if !$rootdir \|\| $rootdir eq '/';
5b4657d0 DM	88
250b158c	89	my $self = bless { conf => $conf, rootdir => $rootdir}, $class;
1c7f4f65	90
153747ff WB	91	my $os_release = $self->get_ct_os_release();
153747ff WB	92
238b7e3e DM	93	if ($conf->{ostype} && $conf->{ostype} eq 'unmanaged') {
	94	return $self;
	95	} elsif (!defined($type)) {
bdd4194c	96	# try to autodetect type
153747ff	97	$type = &$autodetect_type($self, $rootdir, $os_release);
238b7e3e DM	98	my $expected_type = $conf->{ostype} \|\| $type;
238b7e3e DM	99
f9955be7 TL	100	if ($type ne $expected_type) {
	101	warn "WARNING: /etc not present in CT, is the rootfs mounted?\n"
	102	if ! -e "$rootdir/etc";
	103	warn "got unexpected ostype ($type != $expected_type)\n"
	104	}
bdd4194c	105	}
238b7e3e	106
5f94d5e5 AE	107	if ($type eq 'unmanaged') {
	108	$conf->{ostype} = $type;
	109	return $self;
	110	}
	111
1db602d0	112	my $plugin_class = $plugins->{$type} \|\| die "no such OS type '$type'\n";
1c7f4f65	113
153747ff	114	my $plugin = $plugin_class->new($conf, $rootdir, $os_release);
23d928a1	115	$self->{plugin} = $plugin;
f08b2779	116	$self->{in_chroot} = 0;
23d928a1 WB	117
	118	# Cache some host files we need access to:
	119	$plugin->{host_resolv_conf} = PVE::INotify::read_file('resolvconf');
e6e308ae	120	$plugin->{host_localtime} = abs_path('/etc/localtime');
c6a605f9 WB	121
	122	# pass on user namespace information:
	123	my ($id_map, $rootuid, $rootgid) = PVE::LXC::parse_id_maps($conf);
	124	if (@$id_map) {
	125	$plugin->{id_map} = $id_map;
	126	$plugin->{rootuid} = $rootuid;
	127	$plugin->{rootgid} = $rootgid;
	128	}
1db602d0	129
1c7f4f65 DM	130	return $self;
	131	}
	132
9ba0e0b5	133	# Forks into a chroot and executes $sub
f08b2779 WB	134	sub protected_call {
	135	my ($self, $sub) = @_;
	136
	137	# avoid recursion:
	138	return $sub->() if $self->{in_chroot};
	139
9ba0e0b5 WB	140	pipe(my $res_in, my $res_out) or die "pipe failed: $!\n";
9ba0e0b5 WB	141
f08b2779 WB	142	my $child = fork();
	143	die "fork failed: $!\n" if !defined($child);
	144
	145	if (!$child) {
9ba0e0b5	146	close($res_in);
f08b2779 WB	147	# avoid recursive forks
f08b2779 WB	148	$self->{in_chroot} = 1;
f08b2779	149	eval {
229ab7fa	150	my $rootdir = $self->{rootdir};
f08b2779 WB	151	chroot($rootdir) or die "failed to change root to: $rootdir: $!\n";
f08b2779 WB	152	chdir('/') or die "failed to change to root directory\n";
9ba0e0b5 WB	153	my $res = $sub->();
	154	if (defined($res)) {
	155	print {$res_out} "$res";
	156	$res_out->flush();
	157	}
f08b2779 WB	158	};
f08b2779 WB	159	if (my $err = $@) {
797e12e8	160	warn $err;
f08b2779 WB	161	POSIX::_exit(1);
	162	}
	163	POSIX::_exit(0);
	164	}
9ba0e0b5 WB	165	close($res_out);
9ba0e0b5 WB	166	my $result = do { local $/ = undef; <$res_in> };
f08b2779	167	while (waitpid($child, 0) != $child) {}
952de558 WB	168	if ($? != 0) {
	169	my $method = (caller(1))[3];
	170	die "error in setup task $method\n";
	171	}
9ba0e0b5	172	return $result;
f08b2779 WB	173	}
f08b2779 WB	174
142444d5 DM	175	sub template_fixup {
	176	my ($self) = @_;
	177
238b7e3e DM	178	return if !$self->{plugin}; # unmanaged
238b7e3e DM	179
1db602d0	180	$self->protected_call(sub { $self->{plugin}->template_fixup($self->{conf}) });
142444d5 DM	181	}
142444d5 DM	182
1c7f4f65	183	sub setup_network {
55fa4e09	184	my ($self) = @_;
1c7f4f65	185
238b7e3e DM	186	return if !$self->{plugin}; # unmanaged
238b7e3e DM	187
1db602d0	188	$self->protected_call(sub { $self->{plugin}->setup_network($self->{conf}) });
1c7f4f65 DM	189	}
	190
	191	sub set_hostname {
	192	my ($self) = @_;
	193
238b7e3e DM	194	return if !$self->{plugin}; # unmanaged
238b7e3e DM	195
1db602d0	196	$self->protected_call(sub { $self->{plugin}->set_hostname($self->{conf}) });
1c7f4f65 DM	197	}
1c7f4f65 DM	198
c325b32f DM	199	sub set_dns {
	200	my ($self) = @_;
	201
238b7e3e DM	202	return if !$self->{plugin}; # unmanaged
238b7e3e DM	203
1db602d0	204	$self->protected_call(sub { $self->{plugin}->set_dns($self->{conf}) });
c325b32f DM	205	}
c325b32f DM	206
e6e308ae OB	207	sub set_timezone {
	208	my ($self) = @_;
	209
	210	return if !$self->{plugin}; # unmanaged
1db602d0 TL	211
1db602d0 TL	212	$self->protected_call(sub { $self->{plugin}->set_timezone($self->{conf}) });
e6e308ae OB	213	}
e6e308ae OB	214
d66768a2 DM	215	sub setup_init {
	216	my ($self) = @_;
	217
238b7e3e DM	218	return if !$self->{plugin}; # unmanaged
238b7e3e DM	219
1db602d0	220	$self->protected_call(sub { $self->{plugin}->setup_init($self->{conf}) });
d66768a2 DM	221	}
d66768a2 DM	222
168d6b07 DM	223	sub set_user_password {
168d6b07 DM	224	my ($self, $user, $pw) = @_;
238b7e3e DM	225
	226	return if !$self->{plugin}; # unmanaged
	227
1db602d0	228	$self->protected_call(sub { $self->{plugin}->set_user_password($self->{conf}, $user, $pw) });
1c7f4f65 DM	229	}
1c7f4f65 DM	230
6d9173c3 TL	231	my sub generate_ssh_key { # create temporary key in hosts' /run, then read and unlink
	232	my ($type, $comment) = @_;
	233
	234	my $key_id = '';
	235	my $keygen_outfunc = sub {
	236	if ($_[0] =~ m/^((?:[0-9a-f]{2}:)+[0-9a-f]{2}\|SHA256:[0-9a-z+\/]{43})\s+\Q$comment\E$/i) {
	237	$key_id = $_[0];
	238	}
	239	};
	240	my $file = "/run/pve/.tmp$$.$type";
	241	PVE::Tools::run_command(
	242	['ssh-keygen', '-f', $file, '-t', $type, '-N', '', '-E', 'sha256', '-C', $comment],
	243	outfunc => $keygen_outfunc,
	244	);
	245	my ($private) = (PVE::Tools::file_get_contents($file) =~ /^(.*)$/sg); # untaint
	246	my ($public) = (PVE::Tools::file_get_contents("$file.pub") =~ /^(.*)$/sg); # untaint
	247	unlink $file, "$file.pub";
	248
	249	return ($key_id, $private, $public);
	250	}
	251
7ee31468 DM	252	sub rewrite_ssh_host_keys {
	253	my ($self) = @_;
	254
238b7e3e DM	255	return if !$self->{plugin}; # unmanaged
238b7e3e DM	256
797e12e8	257	my $plugin = $self->{plugin};
797e12e8	258
9cc77d55	259	return if ! -d "$self->{rootdir}/etc/ssh";
797e12e8 WB	260
797e12e8 WB	261	my $keynames = {
797e12e8 WB	262	rsa => 'ssh_host_rsa_key',
797e12e8 WB	263	dsa => 'ssh_host_dsa_key',
30e7205e	264	ecdsa => 'ssh_host_ecdsa_key',
797e12e8 WB	265	ed25519 => 'ssh_host_ed25519_key',
	266	};
	267
9cc77d55	268	my $hostname = $self->{conf}->{hostname} \|\| 'localhost';
797e12e8 WB	269	$hostname =~ s/\..*$//;
797e12e8 WB	270
6d9173c3 TL	271	my $keyfiles = [];
6d9173c3 TL	272	for my $keytype (keys $keynames->%*) {
797e12e8	273	my $basename = $keynames->{$keytype};
797e12e8	274	print "Creating SSH host key '$basename' - this may take some time ...\n";
6d9173c3 TL	275	my ($id, $private, $public) = generate_ssh_key($keytype, "root\@$hostname");
	276	print "done: $id\n";
	277
	278	push $keyfiles->@*, ["/etc/ssh/$basename", $private, 0600], ["/etc/ssh/$basename.pub", $public, 0644];
797e12e8 WB	279	}
797e12e8 WB	280
6d9173c3 TL	281	$self->protected_call(sub { # write them now all to the CTs rootfs at once
	282	for my $file ($keyfiles->@*) {
	283	$plugin->ct_file_set_contents($file->@*);
797e12e8	284	}
30e7205e	285	});
1db602d0	286	}
7ee31468	287
0c59b609 DM	288	my $container_emulator_path = {
	289	'amd64' => '/usr/bin/qemu-x86_64-static',
	290	'arm64' => '/usr/bin/qemu-aarch64-static',
	291	};
	292
d66768a2 DM	293	sub pre_start_hook {
	294	my ($self) = @_;
	295
238b7e3e DM	296	return if !$self->{plugin}; # unmanaged
238b7e3e DM	297
a0745b47	298	my $host_arch = PVE::Tools::get_host_arch();
0c59b609	299
11e1612f SR	300	# containers use different architecture names
	301	if ($host_arch eq 'x86_64') {
	302	$host_arch = 'amd64';
	303	} elsif ($host_arch eq 'aarch64') {
	304	$host_arch = 'arm64';
	305	} else {
	306	die "unsupported host architecture '$host_arch'\n";
	307	}
	308
0c59b609 DM	309	my $container_arch = $self->{conf}->{arch};
	310
	311	$container_arch = 'amd64' if $container_arch eq 'i386'; # always use 64 bit version
	312	$container_arch = 'arm64' if $container_arch eq 'armhf'; # always use 64 bit version
	313
	314	my $emul;
	315	my $emul_data;
	316
	317	if ($host_arch ne $container_arch) {
	318	if ($emul = $container_emulator_path->{$container_arch}) {
	319	$emul_data = PVE::Tools::file_get_contents($emul, 1010241024) if -f $emul;
	320	}
	321	}
	322
f08b2779	323	my $code = sub {
0c59b609 DM	324	if ($emul && $emul_data) {
	325	$self->{plugin}->ct_file_set_contents($emul, $emul_data, 0755);
	326	}
2988dbbc	327
f08b2779 WB	328	$self->{plugin}->pre_start_hook($self->{conf});
	329	};
	330	$self->protected_call($code);
d66768a2 DM	331	}
d66768a2 DM	332
64d4c144 OB	333	sub post_clone_hook {
	334	my ($self, $conf) = @_;
	335
1db602d0	336	$self->protected_call(sub { $self->{plugin}->post_clone_hook($conf) });
64d4c144 OB	337	}
64d4c144 OB	338
d66768a2	339	sub post_create_hook {
f36ce482	340	my ($self, $root_password, $ssh_keys) = @_;
1c7f4f65	341
238b7e3e DM	342	return if !$self->{plugin}; # unmanaged
238b7e3e DM	343
1db602d0	344	$self->protected_call(sub {
f36ce482	345	$self->{plugin}->post_create_hook($self->{conf}, $root_password, $ssh_keys);
1db602d0	346	});
797e12e8	347	$self->rewrite_ssh_host_keys();
1c7f4f65 DM	348	}
1c7f4f65 DM	349
42216b6b TL	350	sub unified_cgroupv2_support {
	351	my ($self) = @_;
	352
	353	$self->protected_call(sub { $self->{plugin}->unified_cgroupv2_support() });
	354	}
	355
153747ff WB	356	# os-release(5):
	357	# (...) a newline-separated list of environment-like shell-compatible
	358	# variable assignments. (...) beyond mere variable assignments, no shell
	359	# features are supported (this means variable expansion is explicitly not
	360	# supported) (...). Variable assignment values must be enclosed in double or
	361	# single quotes if they include spaces, semicolons or other special
	362	# characters outside of A-Z, a-z, 0-9. Shell special characters ("$", quotes,
	363	# backslash, backtick) must be escaped with backslashes (...). All strings
	364	# should be in UTF-8 format, and non-printable characters should not be used.
	365	# It is not supported to concatenate multiple individually quoted strings.
	366	# Lines beginning with "#" shall be ignored as comments.
	367	my $parse_os_release = sub {
	368	my ($data) = @_;
	369	my $variables = {};
	370	while (defined($data) && $data =~ /^(.+)$/gm) {
	371	next if $1 !~ /^\s([a-zA-Z_][a-zA-Z0-9_])=(.*)$/;
	372	my ($var, $content) = ($1, $2);
	373	chomp $content;
	374
	375	if ($content =~ /^'([^']*)'/) {
	376	$variables->{$var} = $1;
	377	} elsif ($content =~ /^"((?:[^"\\]\|\\.)*)"/) {
	378	my $s = $1;
	379	$s =~ s/(\\["'`nt\$\\])/"\"$1\""/eeg;
	380	$variables->{$var} = $s;
	381	} elsif ($content =~ /^([A-Za-z0-9]*)/) {
	382	$variables->{$var} = $1;
	383	}
	384	}
	385	return $variables;
	386	};
	387
	388	sub get_ct_os_release {
	389	my ($self) = @_;
	390
1db602d0	391	my $data = $self->protected_call(sub {
153747ff WB	392	if (-f '/etc/os-release') {
	393	return PVE::Tools::file_get_contents('/etc/os-release');
	394	} elsif (-f '/usr/lib/os-release') {
	395	return PVE::Tools::file_get_contents('/usr/lib/os-release');
	396	}
	397	return undef;
1db602d0	398	});
153747ff WB	399
	400	return &$parse_os_release($data);
	401	}
	402
1c7f4f65	403	1;