]>
Commit | Line | Data |
---|---|---|
1 | package PVE::Storage::PBSPlugin; | |
2 | ||
3 | # Plugin to access Proxmox Backup Server | |
4 | ||
5 | use strict; | |
6 | use warnings; | |
7 | ||
8 | use Fcntl qw(F_GETFD F_SETFD FD_CLOEXEC); | |
9 | use IO::File; | |
10 | use JSON; | |
11 | use MIME::Base64 qw(decode_base64); | |
12 | use POSIX qw(mktime strftime ENOENT); | |
13 | use POSIX::strptime; | |
14 | ||
15 | use PVE::APIClient::LWP; | |
16 | use PVE::JSONSchema qw(get_standard_option); | |
17 | use PVE::Network; | |
18 | use PVE::PBSClient; | |
19 | use PVE::Storage::Plugin; | |
20 | use PVE::Tools qw(run_command file_read_firstline trim dir_glob_regex dir_glob_foreach $IPV6RE); | |
21 | ||
22 | use base qw(PVE::Storage::Plugin); | |
23 | ||
24 | # Configuration | |
25 | ||
26 | sub type { | |
27 | return 'pbs'; | |
28 | } | |
29 | ||
30 | sub plugindata { | |
31 | return { | |
32 | content => [ {backup => 1, none => 1}, { backup => 1 }], | |
33 | }; | |
34 | } | |
35 | ||
36 | sub properties { | |
37 | return { | |
38 | datastore => { | |
39 | description => "Proxmox Backup Server datastore name.", | |
40 | type => 'string', | |
41 | }, | |
42 | # openssl s_client -connect <host>:8007 2>&1 |openssl x509 -fingerprint -sha256 | |
43 | fingerprint => get_standard_option('fingerprint-sha256'), | |
44 | 'encryption-key' => { | |
45 | description => "Encryption key. Use 'autogen' to generate one automatically without passphrase.", | |
46 | type => 'string', | |
47 | }, | |
48 | 'master-pubkey' => { | |
49 | description => "Base64-encoded, PEM-formatted public RSA key. Used to encrypt a copy of the encryption-key which will be added to each encrypted backup.", | |
50 | type => 'string', | |
51 | }, | |
52 | port => { | |
53 | description => "For non default port.", | |
54 | type => 'integer', | |
55 | minimum => 1, | |
56 | maximum => 65535, | |
57 | default => 8007, | |
58 | }, | |
59 | }; | |
60 | } | |
61 | ||
62 | sub options { | |
63 | return { | |
64 | server => { fixed => 1 }, | |
65 | datastore => { fixed => 1 }, | |
66 | namespace => { optional => 1 }, | |
67 | port => { optional => 1 }, | |
68 | nodes => { optional => 1}, | |
69 | disable => { optional => 1}, | |
70 | content => { optional => 1}, | |
71 | username => { optional => 1 }, | |
72 | password => { optional => 1 }, | |
73 | 'encryption-key' => { optional => 1 }, | |
74 | 'master-pubkey' => { optional => 1 }, | |
75 | maxfiles => { optional => 1 }, | |
76 | 'prune-backups' => { optional => 1 }, | |
77 | 'max-protected-backups' => { optional => 1 }, | |
78 | fingerprint => { optional => 1 }, | |
79 | }; | |
80 | } | |
81 | ||
82 | # Helpers | |
83 | ||
84 | sub pbs_password_file_name { | |
85 | my ($scfg, $storeid) = @_; | |
86 | ||
87 | return "/etc/pve/priv/storage/${storeid}.pw"; | |
88 | } | |
89 | ||
90 | sub pbs_set_password { | |
91 | my ($scfg, $storeid, $password) = @_; | |
92 | ||
93 | my $pwfile = pbs_password_file_name($scfg, $storeid); | |
94 | mkdir "/etc/pve/priv/storage"; | |
95 | ||
96 | PVE::Tools::file_set_contents($pwfile, "$password\n"); | |
97 | } | |
98 | ||
99 | sub pbs_delete_password { | |
100 | my ($scfg, $storeid) = @_; | |
101 | ||
102 | my $pwfile = pbs_password_file_name($scfg, $storeid); | |
103 | ||
104 | unlink $pwfile; | |
105 | } | |
106 | ||
107 | sub pbs_get_password { | |
108 | my ($scfg, $storeid) = @_; | |
109 | ||
110 | my $pwfile = pbs_password_file_name($scfg, $storeid); | |
111 | ||
112 | return PVE::Tools::file_read_firstline($pwfile); | |
113 | } | |
114 | ||
115 | sub pbs_encryption_key_file_name { | |
116 | my ($scfg, $storeid) = @_; | |
117 | ||
118 | return "/etc/pve/priv/storage/${storeid}.enc"; | |
119 | } | |
120 | ||
121 | sub pbs_set_encryption_key { | |
122 | my ($scfg, $storeid, $key) = @_; | |
123 | ||
124 | my $pwfile = pbs_encryption_key_file_name($scfg, $storeid); | |
125 | mkdir "/etc/pve/priv/storage"; | |
126 | ||
127 | PVE::Tools::file_set_contents($pwfile, "$key\n"); | |
128 | } | |
129 | ||
130 | sub pbs_delete_encryption_key { | |
131 | my ($scfg, $storeid) = @_; | |
132 | ||
133 | my $pwfile = pbs_encryption_key_file_name($scfg, $storeid); | |
134 | ||
135 | if (!unlink $pwfile) { | |
136 | return if $! == ENOENT; | |
137 | die "failed to delete encryption key! $!\n"; | |
138 | } | |
139 | delete $scfg->{'encryption-key'}; | |
140 | } | |
141 | ||
142 | sub pbs_get_encryption_key { | |
143 | my ($scfg, $storeid) = @_; | |
144 | ||
145 | my $pwfile = pbs_encryption_key_file_name($scfg, $storeid); | |
146 | ||
147 | return PVE::Tools::file_get_contents($pwfile); | |
148 | } | |
149 | ||
150 | # Returns a file handle if there is an encryption key, or `undef` if there is not. Dies on error. | |
151 | sub pbs_open_encryption_key { | |
152 | my ($scfg, $storeid) = @_; | |
153 | ||
154 | my $encryption_key_file = pbs_encryption_key_file_name($scfg, $storeid); | |
155 | ||
156 | my $keyfd; | |
157 | if (!open($keyfd, '<', $encryption_key_file)) { | |
158 | if ($! == ENOENT) { | |
159 | my $encryption_fp = $scfg->{'encryption-key'}; | |
160 | die "encryption configured ('$encryption_fp') but no encryption key file found!\n" | |
161 | if $encryption_fp; | |
162 | return undef; | |
163 | } | |
164 | die "failed to open encryption key: $encryption_key_file: $!\n"; | |
165 | } | |
166 | ||
167 | return $keyfd; | |
168 | } | |
169 | ||
170 | sub pbs_master_pubkey_file_name { | |
171 | my ($scfg, $storeid) = @_; | |
172 | ||
173 | return "/etc/pve/priv/storage/${storeid}.master.pem"; | |
174 | } | |
175 | ||
176 | sub pbs_set_master_pubkey { | |
177 | my ($scfg, $storeid, $key) = @_; | |
178 | ||
179 | my $pwfile = pbs_master_pubkey_file_name($scfg, $storeid); | |
180 | mkdir "/etc/pve/priv/storage"; | |
181 | ||
182 | PVE::Tools::file_set_contents($pwfile, "$key\n"); | |
183 | } | |
184 | ||
185 | sub pbs_delete_master_pubkey { | |
186 | my ($scfg, $storeid) = @_; | |
187 | ||
188 | my $pwfile = pbs_master_pubkey_file_name($scfg, $storeid); | |
189 | ||
190 | if (!unlink $pwfile) { | |
191 | return if $! == ENOENT; | |
192 | die "failed to delete master public key! $!\n"; | |
193 | } | |
194 | delete $scfg->{'master-pubkey'}; | |
195 | } | |
196 | ||
197 | sub pbs_get_master_pubkey { | |
198 | my ($scfg, $storeid) = @_; | |
199 | ||
200 | my $pwfile = pbs_master_pubkey_file_name($scfg, $storeid); | |
201 | ||
202 | return PVE::Tools::file_get_contents($pwfile); | |
203 | } | |
204 | ||
205 | # Returns a file handle if there is a master key, or `undef` if there is not. Dies on error. | |
206 | sub pbs_open_master_pubkey { | |
207 | my ($scfg, $storeid) = @_; | |
208 | ||
209 | my $master_pubkey_file = pbs_master_pubkey_file_name($scfg, $storeid); | |
210 | ||
211 | my $keyfd; | |
212 | if (!open($keyfd, '<', $master_pubkey_file)) { | |
213 | if ($! == ENOENT) { | |
214 | die "master public key configured but no key file found!\n" | |
215 | if $scfg->{'master-pubkey'}; | |
216 | return undef; | |
217 | } | |
218 | die "failed to open master public key: $master_pubkey_file: $!\n"; | |
219 | } | |
220 | ||
221 | return $keyfd; | |
222 | } | |
223 | ||
224 | sub print_volid { | |
225 | my ($storeid, $btype, $bid, $btime) = @_; | |
226 | ||
227 | my $time_str = strftime("%FT%TZ", gmtime($btime)); | |
228 | my $volname = "backup/${btype}/${bid}/${time_str}"; | |
229 | ||
230 | return "${storeid}:${volname}"; | |
231 | } | |
232 | ||
233 | my sub ns : prototype($$) { | |
234 | my ($scfg, $name) = @_; | |
235 | my $ns = $scfg->{namespace}; | |
236 | return defined($ns) ? ($name, $ns) : (); | |
237 | } | |
238 | ||
239 | # essentially the inverse of print_volid | |
240 | my sub api_param_from_volname : prototype($$$) { | |
241 | my ($class, $scfg, $volname) = @_; | |
242 | ||
243 | my $name = ($class->parse_volname($volname))[1]; | |
244 | ||
245 | my ($btype, $bid, $timestr) = split('/', $name); | |
246 | ||
247 | my @tm = (POSIX::strptime($timestr, "%FT%TZ")); | |
248 | # expect sec, min, hour, mday, mon, year | |
249 | die "error parsing time from '$volname'" if grep { !defined($_) } @tm[0..5]; | |
250 | ||
251 | my $btime; | |
252 | { | |
253 | local $ENV{TZ} = 'UTC'; # $timestr is UTC | |
254 | ||
255 | # Fill in isdst to avoid undef warning. No daylight saving time for UTC. | |
256 | $tm[8] //= 0; | |
257 | ||
258 | my $since_epoch = mktime(@tm) or die "error converting time from '$volname'\n"; | |
259 | $btime = int($since_epoch); | |
260 | } | |
261 | ||
262 | return { | |
263 | (ns($scfg, 'ns')), | |
264 | 'backup-type' => $btype, | |
265 | 'backup-id' => $bid, | |
266 | 'backup-time' => $btime, | |
267 | }; | |
268 | } | |
269 | ||
270 | my $USE_CRYPT_PARAMS = { | |
271 | backup => 1, | |
272 | restore => 1, | |
273 | 'upload-log' => 1, | |
274 | }; | |
275 | ||
276 | my $USE_MASTER_KEY = { | |
277 | backup => 1, | |
278 | }; | |
279 | ||
280 | my sub do_raw_client_cmd { | |
281 | my ($scfg, $storeid, $client_cmd, $param, %opts) = @_; | |
282 | ||
283 | my $use_crypto = $USE_CRYPT_PARAMS->{$client_cmd}; | |
284 | my $use_master = $USE_MASTER_KEY->{$client_cmd}; | |
285 | ||
286 | my $client_exe = '/usr/bin/proxmox-backup-client'; | |
287 | die "executable not found '$client_exe'! Proxmox backup client not installed?\n" | |
288 | if ! -x $client_exe; | |
289 | ||
290 | my $repo = PVE::PBSClient::get_repository($scfg); | |
291 | ||
292 | my $userns_cmd = delete $opts{userns_cmd}; | |
293 | ||
294 | my $cmd = []; | |
295 | ||
296 | push @$cmd, @$userns_cmd if defined($userns_cmd); | |
297 | ||
298 | push @$cmd, $client_exe, $client_cmd; | |
299 | ||
300 | # This must live in the top scope to not get closed before the `run_command` | |
301 | my ($keyfd, $master_fd); | |
302 | if ($use_crypto) { | |
303 | if (defined($keyfd = pbs_open_encryption_key($scfg, $storeid))) { | |
304 | my $flags = fcntl($keyfd, F_GETFD, 0) | |
305 | // die "failed to get file descriptor flags: $!\n"; | |
306 | fcntl($keyfd, F_SETFD, $flags & ~FD_CLOEXEC) | |
307 | or die "failed to remove FD_CLOEXEC from encryption key file descriptor\n"; | |
308 | push @$cmd, '--crypt-mode=encrypt', '--keyfd='.fileno($keyfd); | |
309 | if ($use_master && defined($master_fd = pbs_open_master_pubkey($scfg, $storeid))) { | |
310 | my $flags = fcntl($master_fd, F_GETFD, 0) | |
311 | // die "failed to get file descriptor flags: $!\n"; | |
312 | fcntl($master_fd, F_SETFD, $flags & ~FD_CLOEXEC) | |
313 | or die "failed to remove FD_CLOEXEC from master public key file descriptor\n"; | |
314 | push @$cmd, '--master-pubkey-fd='.fileno($master_fd); | |
315 | } | |
316 | } else { | |
317 | push @$cmd, '--crypt-mode=none'; | |
318 | } | |
319 | } | |
320 | ||
321 | push @$cmd, @$param if defined($param); | |
322 | ||
323 | push @$cmd, "--repository", $repo; | |
324 | if ($client_cmd ne 'status' && defined(my $ns = $scfg->{namespace})) { | |
325 | push @$cmd, '--ns', $ns; | |
326 | } | |
327 | ||
328 | local $ENV{PBS_PASSWORD} = pbs_get_password($scfg, $storeid); | |
329 | ||
330 | local $ENV{PBS_FINGERPRINT} = $scfg->{fingerprint}; | |
331 | ||
332 | # no ascii-art on task logs | |
333 | local $ENV{PROXMOX_OUTPUT_NO_BORDER} = 1; | |
334 | local $ENV{PROXMOX_OUTPUT_NO_HEADER} = 1; | |
335 | ||
336 | if (my $logfunc = $opts{logfunc}) { | |
337 | $logfunc->("run: " . join(' ', @$cmd)); | |
338 | } | |
339 | ||
340 | run_command($cmd, %opts); | |
341 | } | |
342 | ||
343 | # FIXME: External perl code should NOT have access to this. | |
344 | # | |
345 | # There should be separate functions to | |
346 | # - make backups | |
347 | # - restore backups | |
348 | # - restore files | |
349 | # with a sane API | |
350 | sub run_raw_client_cmd { | |
351 | my ($scfg, $storeid, $client_cmd, $param, %opts) = @_; | |
352 | return do_raw_client_cmd($scfg, $storeid, $client_cmd, $param, %opts); | |
353 | } | |
354 | ||
355 | sub run_client_cmd { | |
356 | my ($scfg, $storeid, $client_cmd, $param, $no_output) = @_; | |
357 | ||
358 | my $json_str = ''; | |
359 | my $outfunc = sub { $json_str .= "$_[0]\n" }; | |
360 | ||
361 | $param = [] if !defined($param); | |
362 | $param = [ $param ] if !ref($param); | |
363 | ||
364 | $param = [@$param, '--output-format=json'] if !$no_output; | |
365 | ||
366 | do_raw_client_cmd($scfg, $storeid, $client_cmd, $param, | |
367 | outfunc => $outfunc, errmsg => 'proxmox-backup-client failed'); | |
368 | ||
369 | return undef if $no_output; | |
370 | ||
371 | my $res = decode_json($json_str); | |
372 | ||
373 | return $res; | |
374 | } | |
375 | ||
376 | # Storage implementation | |
377 | ||
378 | sub extract_vzdump_config { | |
379 | my ($class, $scfg, $volname, $storeid) = @_; | |
380 | ||
381 | my ($vtype, $name, $vmid, undef, undef, undef, $format) = $class->parse_volname($volname); | |
382 | ||
383 | my $config = ''; | |
384 | my $outfunc = sub { $config .= "$_[0]\n" }; | |
385 | ||
386 | my $config_name; | |
387 | if ($format eq 'pbs-vm') { | |
388 | $config_name = 'qemu-server.conf'; | |
389 | } elsif ($format eq 'pbs-ct') { | |
390 | $config_name = 'pct.conf'; | |
391 | } else { | |
392 | die "unable to extract configuration for backup format '$format'\n"; | |
393 | } | |
394 | ||
395 | do_raw_client_cmd($scfg, $storeid, 'restore', [ $name, $config_name, '-' ], | |
396 | outfunc => $outfunc, errmsg => 'proxmox-backup-client failed'); | |
397 | ||
398 | return $config; | |
399 | } | |
400 | ||
401 | sub prune_backups { | |
402 | my ($class, $scfg, $storeid, $keep, $vmid, $type, $dryrun, $logfunc) = @_; | |
403 | ||
404 | $logfunc //= sub { print "$_[1]\n" }; | |
405 | ||
406 | $type = 'vm' if defined($type) && $type eq 'qemu'; | |
407 | $type = 'ct' if defined($type) && $type eq 'lxc'; | |
408 | ||
409 | my $backup_groups = {}; | |
410 | ||
411 | if (defined($vmid) && defined($type)) { | |
412 | # no need to get the list of volumes, we only got a single backup group anyway | |
413 | $backup_groups->{"$type/$vmid"} = 1; | |
414 | } else { | |
415 | my $backups = eval { $class->list_volumes($storeid, $scfg, $vmid, ['backup']) }; | |
416 | die "failed to get list of all backups to prune - $@" if $@; | |
417 | ||
418 | foreach my $backup (@{$backups}) { | |
419 | (my $backup_type = $backup->{format}) =~ s/^pbs-//; | |
420 | next if defined($type) && $backup_type ne $type; | |
421 | ||
422 | my $backup_group = "$backup_type/$backup->{vmid}"; | |
423 | $backup_groups->{$backup_group} = 1; | |
424 | } | |
425 | } | |
426 | ||
427 | my @param; | |
428 | ||
429 | my $keep_all = delete $keep->{'keep-all'}; | |
430 | ||
431 | if (!$keep_all) { | |
432 | foreach my $opt (keys %{$keep}) { | |
433 | next if $keep->{$opt} == 0; | |
434 | push @param, "--$opt"; | |
435 | push @param, "$keep->{$opt}"; | |
436 | } | |
437 | } else { # no need to pass anything to PBS | |
438 | $keep = { 'keep-all' => 1 }; | |
439 | } | |
440 | ||
441 | push @param, '--dry-run' if $dryrun; | |
442 | ||
443 | my $prune_list = []; | |
444 | my $failed; | |
445 | ||
446 | foreach my $backup_group (keys %{$backup_groups}) { | |
447 | $logfunc->('info', "running 'proxmox-backup-client prune' for '$backup_group'") | |
448 | if !$dryrun; | |
449 | eval { | |
450 | my $res = run_client_cmd($scfg, $storeid, 'prune', [ $backup_group, @param ]); | |
451 | ||
452 | foreach my $backup (@{$res}) { | |
453 | die "result from proxmox-backup-client is not as expected\n" | |
454 | if !defined($backup->{'backup-time'}) | |
455 | || !defined($backup->{'backup-type'}) | |
456 | || !defined($backup->{'backup-id'}) | |
457 | || !defined($backup->{'keep'}); | |
458 | ||
459 | my $ctime = $backup->{'backup-time'}; | |
460 | my $type = $backup->{'backup-type'}; | |
461 | my $vmid = $backup->{'backup-id'}; | |
462 | my $volid = print_volid($storeid, $type, $vmid, $ctime); | |
463 | ||
464 | my $mark = $backup->{keep} ? 'keep' : 'remove'; | |
465 | $mark = 'protected' if $backup->{protected}; | |
466 | ||
467 | push @{$prune_list}, { | |
468 | ctime => $ctime, | |
469 | mark => $mark, | |
470 | type => $type eq 'vm' ? 'qemu' : 'lxc', | |
471 | vmid => $vmid, | |
472 | volid => $volid, | |
473 | }; | |
474 | } | |
475 | }; | |
476 | if (my $err = $@) { | |
477 | $logfunc->('err', "prune '$backup_group': $err\n"); | |
478 | $failed = 1; | |
479 | } | |
480 | } | |
481 | die "error pruning backups - check log\n" if $failed; | |
482 | ||
483 | return $prune_list; | |
484 | } | |
485 | ||
486 | my $autogen_encryption_key = sub { | |
487 | my ($scfg, $storeid) = @_; | |
488 | my $encfile = pbs_encryption_key_file_name($scfg, $storeid); | |
489 | if (-f $encfile) { | |
490 | rename $encfile, "$encfile.old"; | |
491 | } | |
492 | my $cmd = ['proxmox-backup-client', 'key', 'create', '--kdf', 'none', $encfile]; | |
493 | run_command($cmd, errmsg => 'failed to create encryption key'); | |
494 | return PVE::Tools::file_get_contents($encfile); | |
495 | }; | |
496 | ||
497 | sub on_add_hook { | |
498 | my ($class, $storeid, $scfg, %param) = @_; | |
499 | ||
500 | my $res = {}; | |
501 | ||
502 | if (defined(my $password = $param{password})) { | |
503 | pbs_set_password($scfg, $storeid, $password); | |
504 | } else { | |
505 | pbs_delete_password($scfg, $storeid); | |
506 | } | |
507 | ||
508 | if (defined(my $encryption_key = $param{'encryption-key'})) { | |
509 | my $decoded_key; | |
510 | if ($encryption_key eq 'autogen') { | |
511 | $res->{'encryption-key'} = $autogen_encryption_key->($scfg, $storeid); | |
512 | $decoded_key = decode_json($res->{'encryption-key'}); | |
513 | } else { | |
514 | $decoded_key = eval { decode_json($encryption_key) }; | |
515 | if ($@ || !exists($decoded_key->{data})) { | |
516 | die "Value does not seems like a valid, JSON formatted encryption key!\n"; | |
517 | } | |
518 | pbs_set_encryption_key($scfg, $storeid, $encryption_key); | |
519 | $res->{'encryption-key'} = $encryption_key; | |
520 | } | |
521 | $scfg->{'encryption-key'} = $decoded_key->{fingerprint} || 1; | |
522 | } else { | |
523 | pbs_delete_encryption_key($scfg, $storeid); | |
524 | } | |
525 | ||
526 | if (defined(my $master_key = delete $param{'master-pubkey'})) { | |
527 | die "'master-pubkey' can only be used together with 'encryption-key'\n" | |
528 | if !defined($scfg->{'encryption-key'}); | |
529 | ||
530 | my $decoded = decode_base64($master_key); | |
531 | pbs_set_master_pubkey($scfg, $storeid, $decoded); | |
532 | $scfg->{'master-pubkey'} = 1; | |
533 | } else { | |
534 | pbs_delete_master_pubkey($scfg, $storeid); | |
535 | } | |
536 | ||
537 | return $res; | |
538 | } | |
539 | ||
540 | sub on_update_hook { | |
541 | my ($class, $storeid, $scfg, %param) = @_; | |
542 | ||
543 | my $res = {}; | |
544 | ||
545 | if (exists($param{password})) { | |
546 | if (defined($param{password})) { | |
547 | pbs_set_password($scfg, $storeid, $param{password}); | |
548 | } else { | |
549 | pbs_delete_password($scfg, $storeid); | |
550 | } | |
551 | } | |
552 | ||
553 | if (exists($param{'encryption-key'})) { | |
554 | if (defined(my $encryption_key = delete($param{'encryption-key'}))) { | |
555 | my $decoded_key; | |
556 | if ($encryption_key eq 'autogen') { | |
557 | $res->{'encryption-key'} = $autogen_encryption_key->($scfg, $storeid); | |
558 | $decoded_key = decode_json($res->{'encryption-key'}); | |
559 | } else { | |
560 | $decoded_key = eval { decode_json($encryption_key) }; | |
561 | if ($@ || !exists($decoded_key->{data})) { | |
562 | die "Value does not seems like a valid, JSON formatted encryption key!\n"; | |
563 | } | |
564 | pbs_set_encryption_key($scfg, $storeid, $encryption_key); | |
565 | $res->{'encryption-key'} = $encryption_key; | |
566 | } | |
567 | $scfg->{'encryption-key'} = $decoded_key->{fingerprint} || 1; | |
568 | } else { | |
569 | pbs_delete_encryption_key($scfg, $storeid); | |
570 | delete $scfg->{'encryption-key'}; | |
571 | } | |
572 | } | |
573 | ||
574 | if (exists($param{'master-pubkey'})) { | |
575 | if (defined(my $master_key = delete($param{'master-pubkey'}))) { | |
576 | my $decoded = decode_base64($master_key); | |
577 | ||
578 | pbs_set_master_pubkey($scfg, $storeid, $decoded); | |
579 | $scfg->{'master-pubkey'} = 1; | |
580 | } else { | |
581 | pbs_delete_master_pubkey($scfg, $storeid); | |
582 | } | |
583 | } | |
584 | ||
585 | return $res; | |
586 | } | |
587 | ||
588 | sub on_delete_hook { | |
589 | my ($class, $storeid, $scfg) = @_; | |
590 | ||
591 | pbs_delete_password($scfg, $storeid); | |
592 | pbs_delete_encryption_key($scfg, $storeid); | |
593 | pbs_delete_master_pubkey($scfg, $storeid); | |
594 | ||
595 | return; | |
596 | } | |
597 | ||
598 | sub parse_volname { | |
599 | my ($class, $volname) = @_; | |
600 | ||
601 | if ($volname =~ m!^backup/([^\s_]+)/([^\s_]+)/([0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z)$!) { | |
602 | my $btype = $1; | |
603 | my $bid = $2; | |
604 | my $btime = $3; | |
605 | my $format = "pbs-$btype"; | |
606 | ||
607 | my $name = "$btype/$bid/$btime"; | |
608 | ||
609 | if ($bid =~ m/^\d+$/) { | |
610 | return ('backup', $name, $bid, undef, undef, undef, $format); | |
611 | } else { | |
612 | return ('backup', $name, undef, undef, undef, undef, $format); | |
613 | } | |
614 | } | |
615 | ||
616 | die "unable to parse PBS volume name '$volname'\n"; | |
617 | } | |
618 | ||
619 | sub path { | |
620 | my ($class, $scfg, $volname, $storeid, $snapname) = @_; | |
621 | ||
622 | die "volume snapshot is not possible on pbs storage" | |
623 | if defined($snapname); | |
624 | ||
625 | my ($vtype, $name, $vmid) = $class->parse_volname($volname); | |
626 | ||
627 | my $repo = PVE::PBSClient::get_repository($scfg); | |
628 | ||
629 | # artificial url - we currently do not use that anywhere | |
630 | my $path = "pbs://$repo/$name"; | |
631 | if (defined(my $ns = $scfg->{namespace})) { | |
632 | $ns =~ s|/|%2f|g; # other characters to escape aren't allowed in the namespace schema | |
633 | $path .= "?ns=$ns"; | |
634 | } | |
635 | ||
636 | return ($path, $vmid, $vtype); | |
637 | } | |
638 | ||
639 | sub create_base { | |
640 | my ($class, $storeid, $scfg, $volname) = @_; | |
641 | ||
642 | die "can't create base images in pbs storage\n"; | |
643 | } | |
644 | ||
645 | sub clone_image { | |
646 | my ($class, $scfg, $storeid, $volname, $vmid, $snap) = @_; | |
647 | ||
648 | die "can't clone images in pbs storage\n"; | |
649 | } | |
650 | ||
651 | sub alloc_image { | |
652 | my ($class, $storeid, $scfg, $vmid, $fmt, $name, $size) = @_; | |
653 | ||
654 | die "can't allocate space in pbs storage\n"; | |
655 | } | |
656 | ||
657 | sub free_image { | |
658 | my ($class, $storeid, $scfg, $volname, $isBase) = @_; | |
659 | ||
660 | my ($vtype, $name, $vmid) = $class->parse_volname($volname); | |
661 | ||
662 | run_client_cmd($scfg, $storeid, "forget", [ $name ], 1); | |
663 | ||
664 | return; | |
665 | } | |
666 | ||
667 | ||
668 | sub list_images { | |
669 | my ($class, $storeid, $scfg, $vmid, $vollist, $cache) = @_; | |
670 | ||
671 | my $res = []; | |
672 | ||
673 | return $res; | |
674 | } | |
675 | ||
676 | my sub snapshot_files_encrypted { | |
677 | my ($files) = @_; | |
678 | return 0 if !$files; | |
679 | ||
680 | my $any; | |
681 | my $all = 1; | |
682 | for my $file (@$files) { | |
683 | my $fn = $file->{filename}; | |
684 | next if $fn eq 'client.log.blob' || $fn eq 'index.json.blob'; | |
685 | ||
686 | my $crypt = $file->{'crypt-mode'}; | |
687 | ||
688 | $all = 0 if !$crypt || $crypt ne 'encrypt'; | |
689 | $any ||= defined($crypt) && $crypt eq 'encrypt'; | |
690 | } | |
691 | return $any && $all; | |
692 | } | |
693 | ||
694 | # TODO: use a client with native rust/proxmox-backup bindings to profit from | |
695 | # API schema checks and types | |
696 | my sub pbs_api_connect { | |
697 | my ($scfg, $password, $timeout) = @_; | |
698 | ||
699 | my $params = {}; | |
700 | ||
701 | my $user = $scfg->{username} // 'root@pam'; | |
702 | ||
703 | if (my $tokenid = PVE::AccessControl::pve_verify_tokenid($user, 1)) { | |
704 | $params->{apitoken} = "PBSAPIToken=${tokenid}:${password}"; | |
705 | } else { | |
706 | $params->{password} = $password; | |
707 | $params->{username} = $user; | |
708 | } | |
709 | ||
710 | if (my $fp = $scfg->{fingerprint}) { | |
711 | $params->{cached_fingerprints}->{uc($fp)} = 1; | |
712 | } | |
713 | ||
714 | my $conn = PVE::APIClient::LWP->new( | |
715 | %$params, | |
716 | host => $scfg->{server}, | |
717 | port => $scfg->{port} // 8007, | |
718 | timeout => ($timeout // 7), # cope with a 401 (3s api delay) and high latency | |
719 | cookie_name => 'PBSAuthCookie', | |
720 | ); | |
721 | ||
722 | return $conn; | |
723 | } | |
724 | ||
725 | sub list_volumes { | |
726 | my ($class, $storeid, $scfg, $vmid, $content_types) = @_; | |
727 | ||
728 | my $res = []; | |
729 | ||
730 | return $res if !grep { $_ eq 'backup' } @$content_types; | |
731 | ||
732 | my $password = pbs_get_password($scfg, $storeid); | |
733 | my $conn = pbs_api_connect($scfg, $password, 120); | |
734 | my $datastore = $scfg->{datastore}; | |
735 | ||
736 | my $param = {}; | |
737 | $param->{'backup-id'} = "$vmid" if defined($vmid); | |
738 | $param->{'ns'} = "$scfg->{namespace}" if defined($scfg->{namespace}); | |
739 | my $data = eval { $conn->get("/api2/json/admin/datastore/$datastore/snapshots", $param); }; | |
740 | die "error listing snapshots - $@" if $@; | |
741 | ||
742 | foreach my $item (@$data) { | |
743 | my $btype = $item->{"backup-type"}; | |
744 | my $bid = $item->{"backup-id"}; | |
745 | my $epoch = $item->{"backup-time"}; | |
746 | my $size = $item->{size} // 1; | |
747 | ||
748 | next if !($btype eq 'vm' || $btype eq 'ct'); | |
749 | next if $bid !~ m/^\d+$/; | |
750 | next if defined($vmid) && $bid ne $vmid; | |
751 | ||
752 | my $volid = print_volid($storeid, $btype, $bid, $epoch); | |
753 | ||
754 | my $info = { | |
755 | volid => $volid, | |
756 | format => "pbs-$btype", | |
757 | size => $size, | |
758 | content => 'backup', | |
759 | vmid => int($bid), | |
760 | ctime => $epoch, | |
761 | subtype => $btype eq 'vm' ? 'qemu' : 'lxc', # convert to PVE backup type | |
762 | }; | |
763 | ||
764 | $info->{verification} = $item->{verification} if defined($item->{verification}); | |
765 | $info->{notes} = $item->{comment} if defined($item->{comment}); | |
766 | $info->{protected} = 1 if $item->{protected}; | |
767 | if (defined($item->{fingerprint})) { | |
768 | $info->{encrypted} = $item->{fingerprint}; | |
769 | } elsif (snapshot_files_encrypted($item->{files})) { | |
770 | $info->{encrypted} = '1'; | |
771 | } | |
772 | ||
773 | push @$res, $info; | |
774 | } | |
775 | ||
776 | return $res; | |
777 | } | |
778 | ||
779 | sub status { | |
780 | my ($class, $storeid, $scfg, $cache) = @_; | |
781 | ||
782 | my $total = 0; | |
783 | my $free = 0; | |
784 | my $used = 0; | |
785 | my $active = 0; | |
786 | ||
787 | eval { | |
788 | my $res = run_client_cmd($scfg, $storeid, "status"); | |
789 | ||
790 | $active = 1; | |
791 | $total = $res->{total}; | |
792 | $used = $res->{used}; | |
793 | $free = $res->{avail}; | |
794 | }; | |
795 | if (my $err = $@) { | |
796 | warn $err; | |
797 | } | |
798 | ||
799 | return ($total, $free, $used, $active); | |
800 | } | |
801 | ||
802 | # can also be used for not (yet) added storages, pass $scfg with | |
803 | # { | |
804 | # server | |
805 | # user | |
806 | # port (optional default to 8007) | |
807 | # fingerprint (optional for trusted certs) | |
808 | # } | |
809 | sub scan_datastores { | |
810 | my ($scfg, $password) = @_; | |
811 | ||
812 | my $conn = pbs_api_connect($scfg, $password); | |
813 | ||
814 | my $response = eval { $conn->get('/api2/json/admin/datastore', {}) }; | |
815 | die "error fetching datastores - $@" if $@; | |
816 | ||
817 | return $response; | |
818 | } | |
819 | ||
820 | sub activate_storage { | |
821 | my ($class, $storeid, $scfg, $cache) = @_; | |
822 | ||
823 | my $password = pbs_get_password($scfg, $storeid); | |
824 | ||
825 | my $datastores = eval { scan_datastores($scfg, $password) }; | |
826 | die "$storeid: $@" if $@; | |
827 | ||
828 | my $datastore = $scfg->{datastore}; | |
829 | ||
830 | for my $ds (@$datastores) { | |
831 | if ($ds->{store} eq $datastore) { | |
832 | return 1; | |
833 | } | |
834 | } | |
835 | ||
836 | die "$storeid: Cannot find datastore '$datastore', check permissions and existence!\n"; | |
837 | } | |
838 | ||
839 | sub deactivate_storage { | |
840 | my ($class, $storeid, $scfg, $cache) = @_; | |
841 | return 1; | |
842 | } | |
843 | ||
844 | sub activate_volume { | |
845 | my ($class, $storeid, $scfg, $volname, $snapname, $cache) = @_; | |
846 | ||
847 | die "volume snapshot is not possible on pbs device" if $snapname; | |
848 | ||
849 | return 1; | |
850 | } | |
851 | ||
852 | sub deactivate_volume { | |
853 | my ($class, $storeid, $scfg, $volname, $snapname, $cache) = @_; | |
854 | ||
855 | die "volume snapshot is not possible on pbs device" if $snapname; | |
856 | ||
857 | return 1; | |
858 | } | |
859 | ||
860 | # FIXME remove on the next APIAGE reset. | |
861 | # Deprecated, use get_volume_attribute instead. | |
862 | sub get_volume_notes { | |
863 | my ($class, $scfg, $storeid, $volname, $timeout) = @_; | |
864 | ||
865 | my (undef, $name, undef, undef, undef, undef, $format) = $class->parse_volname($volname); | |
866 | ||
867 | my $data = run_client_cmd($scfg, $storeid, "snapshot", [ "notes", "show", $name ]); | |
868 | ||
869 | return $data->{notes}; | |
870 | } | |
871 | ||
872 | # FIXME remove on the next APIAGE reset. | |
873 | # Deprecated, use update_volume_attribute instead. | |
874 | sub update_volume_notes { | |
875 | my ($class, $scfg, $storeid, $volname, $notes, $timeout) = @_; | |
876 | ||
877 | my (undef, $name, undef, undef, undef, undef, $format) = $class->parse_volname($volname); | |
878 | ||
879 | run_client_cmd($scfg, $storeid, "snapshot", [ "notes", "update", $name, $notes ], 1); | |
880 | ||
881 | return undef; | |
882 | } | |
883 | ||
884 | sub get_volume_attribute { | |
885 | my ($class, $scfg, $storeid, $volname, $attribute) = @_; | |
886 | ||
887 | if ($attribute eq 'notes') { | |
888 | return $class->get_volume_notes($scfg, $storeid, $volname); | |
889 | } | |
890 | ||
891 | if ($attribute eq 'protected') { | |
892 | my $param = api_param_from_volname($class, $scfg, $volname); | |
893 | ||
894 | my $password = pbs_get_password($scfg, $storeid); | |
895 | my $conn = pbs_api_connect($scfg, $password); | |
896 | my $datastore = $scfg->{datastore}; | |
897 | ||
898 | my $res = eval { $conn->get("/api2/json/admin/datastore/$datastore/$attribute", $param); }; | |
899 | if (my $err = $@) { | |
900 | return if $err->{code} == 404; # not supported | |
901 | die $err; | |
902 | } | |
903 | return $res; | |
904 | } | |
905 | ||
906 | return; | |
907 | } | |
908 | ||
909 | sub update_volume_attribute { | |
910 | my ($class, $scfg, $storeid, $volname, $attribute, $value) = @_; | |
911 | ||
912 | if ($attribute eq 'notes') { | |
913 | return $class->update_volume_notes($scfg, $storeid, $volname, $value); | |
914 | } | |
915 | ||
916 | if ($attribute eq 'protected') { | |
917 | my $param = api_param_from_volname($class, $scfg, $volname); | |
918 | $param->{$attribute} = $value; | |
919 | ||
920 | my $password = pbs_get_password($scfg, $storeid); | |
921 | my $conn = pbs_api_connect($scfg, $password); | |
922 | my $datastore = $scfg->{datastore}; | |
923 | ||
924 | eval { $conn->put("/api2/json/admin/datastore/$datastore/$attribute", $param); }; | |
925 | if (my $err = $@) { | |
926 | die "Server is not recent enough to support feature '$attribute'\n" | |
927 | if $err->{code} == 404; | |
928 | die $err; | |
929 | } | |
930 | return; | |
931 | } | |
932 | ||
933 | die "attribute '$attribute' is not supported for storage type '$scfg->{type}'\n"; | |
934 | } | |
935 | ||
936 | sub volume_size_info { | |
937 | my ($class, $scfg, $storeid, $volname, $timeout) = @_; | |
938 | ||
939 | my ($vtype, $name, undef, undef, undef, undef, $format) = $class->parse_volname($volname); | |
940 | ||
941 | my $data = run_client_cmd($scfg, $storeid, "files", [ $name ]); | |
942 | ||
943 | my $size = 0; | |
944 | foreach my $info (@$data) { | |
945 | if ($info->{size} && $info->{size} =~ /^(\d+)$/) { # untaints | |
946 | $size += $1; | |
947 | } | |
948 | } | |
949 | ||
950 | my $used = $size; | |
951 | ||
952 | return wantarray ? ($size, $format, $used, undef) : $size; | |
953 | } | |
954 | ||
955 | sub volume_resize { | |
956 | my ($class, $scfg, $storeid, $volname, $size, $running) = @_; | |
957 | die "volume resize is not possible on pbs device"; | |
958 | } | |
959 | ||
960 | sub volume_snapshot { | |
961 | my ($class, $scfg, $storeid, $volname, $snap) = @_; | |
962 | die "volume snapshot is not possible on pbs device"; | |
963 | } | |
964 | ||
965 | sub volume_snapshot_rollback { | |
966 | my ($class, $scfg, $storeid, $volname, $snap) = @_; | |
967 | die "volume snapshot rollback is not possible on pbs device"; | |
968 | } | |
969 | ||
970 | sub volume_snapshot_delete { | |
971 | my ($class, $scfg, $storeid, $volname, $snap) = @_; | |
972 | die "volume snapshot delete is not possible on pbs device"; | |
973 | } | |
974 | ||
975 | sub volume_has_feature { | |
976 | my ($class, $scfg, $feature, $storeid, $volname, $snapname, $running) = @_; | |
977 | ||
978 | return undef; | |
979 | } | |
980 | ||
981 | 1; |