]> git.proxmox.com Git - pve-container.git/blob - src/PVE/API2/LXC.pm
projects / pve-container.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Expose ssh_keys feature over API
[pve-container.git] / src / PVE / API2 / LXC.pm
1 package PVE::API2::LXC;
2
3 use strict;
4 use warnings;
5
6 use PVE::SafeSyslog;
7 use PVE::Tools qw(extract_param run_command);
8 use PVE::Exception qw(raise raise_param_exc);
9 use PVE::INotify;
10 use PVE::Cluster qw(cfs_read_file);
11 use PVE::AccessControl;
12 use PVE::Firewall;
13 use PVE::Storage;
14 use PVE::RESTHandler;
15 use PVE::RPCEnvironment;
16 use PVE::LXC;
17 use PVE::LXC::Create;
18 use PVE::LXC::Migrate;
19 use PVE::API2::LXC::Config;
20 use PVE::API2::LXC::Status;
21 use PVE::API2::LXC::Snapshot;
22 use PVE::HA::Env::PVE2;
23 use PVE::HA::Config;
24 use PVE::JSONSchema qw(get_standard_option);
25 use base qw(PVE::RESTHandler);
26
27 use Data::Dumper; # fixme: remove
28
29 __PACKAGE__->register_method ({
30 subclass => "PVE::API2::LXC::Config",
31 path => '{vmid}/config',
32 });
33
34 __PACKAGE__->register_method ({
35 subclass => "PVE::API2::LXC::Status",
36 path => '{vmid}/status',
37 });
38
39 __PACKAGE__->register_method ({
40 subclass => "PVE::API2::LXC::Snapshot",
41 path => '{vmid}/snapshot',
42 });
43
44 __PACKAGE__->register_method ({
45 subclass => "PVE::API2::Firewall::CT",
46 path => '{vmid}/firewall',
47 });
48
49 __PACKAGE__->register_method({
50 name => 'vmlist',
51 path => '',
52 method => 'GET',
53 description => "LXC container index (per node).",
54 permissions => {
55 description => "Only list CTs where you have VM.Audit permissons on /vms/<vmid>.",
56 user => 'all',
57 },
58 proxyto => 'node',
59 protected => 1, # /proc files are only readable by root
60 parameters => {
61 additionalProperties => 0,
62 properties => {
63 node => get_standard_option('pve-node'),
64 },
65 },
66 returns => {
67 type => 'array',
68 items => {
69 type => "object",
70 properties => {},
71 },
72 links => [ { rel => 'child', href => "{vmid}" } ],
73 },
74 code => sub {
75 my ($param) = @_;
76
77 my $rpcenv = PVE::RPCEnvironment::get();
78 my $authuser = $rpcenv->get_user();
79
80 my $vmstatus = PVE::LXC::vmstatus();
81
82 my $res = [];
83 foreach my $vmid (keys %$vmstatus) {
84 next if !$rpcenv->check($authuser, "/vms/$vmid", [ 'VM.Audit' ], 1);
85
86 my $data = $vmstatus->{$vmid};
87 $data->{vmid} = $vmid;
88 push @$res, $data;
89 }
90
91 return $res;
92
93 }});
94
95 __PACKAGE__->register_method({
96 name => 'create_vm',
97 path => '',
98 method => 'POST',
99 description => "Create or restore a container.",
100 permissions => {
101 user => 'all', # check inside
102 description => "You need 'VM.Allocate' permissions on /vms/{vmid} or on the VM pool /pool/{pool}. " .
103 "For restore, it is enough if the user has 'VM.Backup' permission and the VM already exists. " .
104 "You also need 'Datastore.AllocateSpace' permissions on the storage.",
105 },
106 protected => 1,
107 proxyto => 'node',
108 parameters => {
109 additionalProperties => 0,
110 properties => PVE::LXC::Config->json_config_properties({
111 node => get_standard_option('pve-node'),
112 vmid => get_standard_option('pve-vmid', { completion => \&PVE::Cluster::complete_next_vmid }),
113 ostemplate => {
114 description => "The OS template or backup file.",
115 type => 'string',
116 maxLength => 255,
117 completion => \&PVE::LXC::complete_os_templates,
118 },
119 password => {
120 optional => 1,
121 type => 'string',
122 description => "Sets root password inside container.",
123 minLength => 5,
124 },
125 storage => get_standard_option('pve-storage-id', {
126 description => "Default Storage.",
127 default => 'local',
128 optional => 1,
129 completion => \&PVE::Storage::complete_storage_enabled,
130 }),
131 force => {
132 optional => 1,
133 type => 'boolean',
134 description => "Allow to overwrite existing container.",
135 },
136 restore => {
137 optional => 1,
138 type => 'boolean',
139 description => "Mark this as restore task.",
140 },
141 pool => {
142 optional => 1,
143 type => 'string', format => 'pve-poolid',
144 description => "Add the VM to the specified pool.",
145 },
146 'ignore-unpack-errors' => {
147 optional => 1,
148 type => 'boolean',
149 description => "Ignore errors when extracting the template.",
150 },
151 'ssh-public-keys' => {
152 optional => 1,
153 type => 'string',
154 description => "Setup public SSH keys (one key per line, " .
155 "OpenSSH format).",
156 },
157 }),
158 },
159 returns => {
160 type => 'string',
161 },
162 code => sub {
163 my ($param) = @_;
164
165 my $rpcenv = PVE::RPCEnvironment::get();
166
167 my $authuser = $rpcenv->get_user();
168
169 my $node = extract_param($param, 'node');
170
171 my $vmid = extract_param($param, 'vmid');
172
173 my $ignore_unpack_errors = extract_param($param, 'ignore-unpack-errors');
174
175 my $basecfg_fn = PVE::LXC::Config->config_file($vmid);
176
177 my $same_container_exists = -f $basecfg_fn;
178
179 # 'unprivileged' is read-only, so we can't pass it to update_pct_config
180 my $unprivileged = extract_param($param, 'unprivileged');
181
182 my $restore = extract_param($param, 'restore');
183
184 if ($restore) {
185 # fixme: limit allowed parameters
186
187 }
188
189 my $force = extract_param($param, 'force');
190
191 if (!($same_container_exists && $restore && $force)) {
192 PVE::Cluster::check_vmid_unused($vmid);
193 } else {
194 my $conf = PVE::LXC::Config->load_config($vmid);
195 PVE::LXC::Config->check_protection($conf, "unable to restore CT $vmid");
196 }
197
198 my $password = extract_param($param, 'password');
199
200 my $ssh_keys = extract_param($param, 'ssh-public-keys');
201 PVE::Tools::validate_ssh_public_keys($ssh_keys);
202
203 my $pool = extract_param($param, 'pool');
204
205 if (defined($pool)) {
206 $rpcenv->check_pool_exist($pool);
207 $rpcenv->check_perm_modify($authuser, "/pool/$pool");
208 }
209
210 if ($rpcenv->check($authuser, "/vms/$vmid", ['VM.Allocate'], 1)) {
211 # OK
212 } elsif ($pool && $rpcenv->check($authuser, "/pool/$pool", ['VM.Allocate'], 1)) {
213 # OK
214 } elsif ($restore && $force && $same_container_exists &&
215 $rpcenv->check($authuser, "/vms/$vmid", ['VM.Backup'], 1)) {
216 # OK: user has VM.Backup permissions, and want to restore an existing VM
217 } else {
218 raise_perm_exc();
219 }
220
221 PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, $pool, $param, []);
222
223 my $storage = extract_param($param, 'storage') // 'local';
224
225 my $storage_cfg = cfs_read_file("storage.cfg");
226
227 my $ostemplate = extract_param($param, 'ostemplate');
228
229 my $archive;
230
231 if ($ostemplate eq '-') {
232 die "pipe requires cli environment\n"
233 if $rpcenv->{type} ne 'cli';
234 die "pipe can only be used with restore tasks\n"
235 if !$restore;
236 $archive = '-';
237 die "restore from pipe requires rootfs parameter\n" if !defined($param->{rootfs});
238 } else {
239 $rpcenv->check_volume_access($authuser, $storage_cfg, $vmid, $ostemplate);
240 $archive = PVE::Storage::abs_filesystem_path($storage_cfg, $ostemplate);
241 }
242
243 my $check_and_activate_storage = sub {
244 my ($sid) = @_;
245
246 my $scfg = PVE::Storage::storage_check_node($storage_cfg, $sid, $node);
247
248 raise_param_exc({ storage => "storage '$sid' does not support container directories"})
249 if !$scfg->{content}->{rootdir};
250
251 $rpcenv->check($authuser, "/storage/$sid", ['Datastore.AllocateSpace']);
252
253 PVE::Storage::activate_storage($storage_cfg, $sid);
254 };
255
256 my $conf = {};
257
258 my $no_disk_param = {};
259 foreach my $opt (keys %$param) {
260 my $value = $param->{$opt};
261 if ($opt eq 'rootfs' || $opt =~ m/^mp\d+$/) {
262 # allow to use simple numbers (add default storage in that case)
263 $param->{$opt} = "$storage:$value" if $value =~ m/^\d+(\.\d+)?$/;
264 } else {
265 $no_disk_param->{$opt} = $value;
266 }
267 }
268
269 # check storage access, activate storage
270 PVE::LXC::Config->foreach_mountpoint($param, sub {
271 my ($ms, $mountpoint) = @_;
272
273 my $volid = $mountpoint->{volume};
274 my $mp = $mountpoint->{mp};
275
276 if ($mountpoint->{type} ne 'volume') { # bind or device
277 die "Only root can pass arbitrary filesystem paths.\n"
278 if $authuser ne 'root@pam';
279 } else {
280 my ($sid, $volname) = PVE::Storage::parse_volume_id($volid);
281 &$check_and_activate_storage($sid);
282 }
283 });
284
285 # check/activate default storage
286 &$check_and_activate_storage($storage) if !defined($param->{rootfs});
287
288 PVE::LXC::Config->update_pct_config($vmid, $conf, 0, $no_disk_param);
289
290 $conf->{unprivileged} = 1 if $unprivileged;
291
292 my $check_vmid_usage = sub {
293 if ($force) {
294 die "can't overwrite running container\n"
295 if PVE::LXC::check_running($vmid);
296 } else {
297 PVE::Cluster::check_vmid_unused($vmid);
298 }
299 };
300
301 my $code = sub {
302 &$check_vmid_usage(); # final check after locking
303
304 PVE::Cluster::check_cfs_quorum();
305 my $vollist = [];
306
307 eval {
308 if (!defined($param->{rootfs})) {
309 if ($restore) {
310 my (undef, $disksize) = PVE::LXC::Create::recover_config($archive);
311 die "unable to detect disk size - please specify rootfs (size)\n"
312 if !$disksize;
313 $disksize /= 1024 * 1024 * 1024; # create_disks expects GB as unit size
314 $param->{rootfs} = "$storage:$disksize";
315 } else {
316 $param->{rootfs} = "$storage:4"; # defaults to 4GB
317 }
318 }
319
320 $vollist = PVE::LXC::create_disks($storage_cfg, $vmid, $param, $conf);
321
322 PVE::LXC::Create::create_rootfs($storage_cfg, $vmid, $conf,
323 $archive, $password, $restore,
324 $ignore_unpack_errors, $ssh_keys);
325 # set some defaults
326 $conf->{hostname} ||= "CT$vmid";
327 $conf->{memory} ||= 512;
328 $conf->{swap} //= 512;
329 PVE::LXC::Config->write_config($vmid, $conf);
330 };
331 if (my $err = $@) {
332 PVE::LXC::destroy_disks($storage_cfg, $vollist);
333 PVE::LXC::destroy_config($vmid);
334 die $err;
335 }
336 PVE::AccessControl::add_vm_to_pool($vmid, $pool) if $pool;
337 };
338
339 my $realcmd = sub { PVE::LXC::Config->lock_config($vmid, $code); };
340
341 &$check_vmid_usage(); # first check before locking
342
343 return $rpcenv->fork_worker($restore ? 'vzrestore' : 'vzcreate',
344 $vmid, $authuser, $realcmd);
345
346 }});
347
348 __PACKAGE__->register_method({
349 name => 'vmdiridx',
350 path => '{vmid}',
351 method => 'GET',
352 proxyto => 'node',
353 description => "Directory index",
354 permissions => {
355 user => 'all',
356 },
357 parameters => {
358 additionalProperties => 0,
359 properties => {
360 node => get_standard_option('pve-node'),
361 vmid => get_standard_option('pve-vmid'),
362 },
363 },
364 returns => {
365 type => 'array',
366 items => {
367 type => "object",
368 properties => {
369 subdir => { type => 'string' },
370 },
371 },
372 links => [ { rel => 'child', href => "{subdir}" } ],
373 },
374 code => sub {
375 my ($param) = @_;
376
377 # test if VM exists
378 my $conf = PVE::LXC::Config->load_config($param->{vmid});
379
380 my $res = [
381 { subdir => 'config' },
382 { subdir => 'status' },
383 { subdir => 'vncproxy' },
384 { subdir => 'vncwebsocket' },
385 { subdir => 'spiceproxy' },
386 { subdir => 'migrate' },
387 { subdir => 'clone' },
388 # { subdir => 'initlog' },
389 { subdir => 'rrd' },
390 { subdir => 'rrddata' },
391 { subdir => 'firewall' },
392 { subdir => 'snapshot' },
393 { subdir => 'resize' },
394 ];
395
396 return $res;
397 }});
398
399
400 __PACKAGE__->register_method({
401 name => 'rrd',
402 path => '{vmid}/rrd',
403 method => 'GET',
404 protected => 1, # fixme: can we avoid that?
405 permissions => {
406 check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
407 },
408 description => "Read VM RRD statistics (returns PNG)",
409 parameters => {
410 additionalProperties => 0,
411 properties => {
412 node => get_standard_option('pve-node'),
413 vmid => get_standard_option('pve-vmid'),
414 timeframe => {
415 description => "Specify the time frame you are interested in.",
416 type => 'string',
417 enum => [ 'hour', 'day', 'week', 'month', 'year' ],
418 },
419 ds => {
420 description => "The list of datasources you want to display.",
421 type => 'string', format => 'pve-configid-list',
422 },
423 cf => {
424 description => "The RRD consolidation function",
425 type => 'string',
426 enum => [ 'AVERAGE', 'MAX' ],
427 optional => 1,
428 },
429 },
430 },
431 returns => {
432 type => "object",
433 properties => {
434 filename => { type => 'string' },
435 },
436 },
437 code => sub {
438 my ($param) = @_;
439
440 return PVE::Cluster::create_rrd_graph(
441 "pve2-vm/$param->{vmid}", $param->{timeframe},
442 $param->{ds}, $param->{cf});
443
444 }});
445
446 __PACKAGE__->register_method({
447 name => 'rrddata',
448 path => '{vmid}/rrddata',
449 method => 'GET',
450 protected => 1, # fixme: can we avoid that?
451 permissions => {
452 check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
453 },
454 description => "Read VM RRD statistics",
455 parameters => {
456 additionalProperties => 0,
457 properties => {
458 node => get_standard_option('pve-node'),
459 vmid => get_standard_option('pve-vmid'),
460 timeframe => {
461 description => "Specify the time frame you are interested in.",
462 type => 'string',
463 enum => [ 'hour', 'day', 'week', 'month', 'year' ],
464 },
465 cf => {
466 description => "The RRD consolidation function",
467 type => 'string',
468 enum => [ 'AVERAGE', 'MAX' ],
469 optional => 1,
470 },
471 },
472 },
473 returns => {
474 type => "array",
475 items => {
476 type => "object",
477 properties => {},
478 },
479 },
480 code => sub {
481 my ($param) = @_;
482
483 return PVE::Cluster::create_rrd_data(
484 "pve2-vm/$param->{vmid}", $param->{timeframe}, $param->{cf});
485 }});
486
487 __PACKAGE__->register_method({
488 name => 'destroy_vm',
489 path => '{vmid}',
490 method => 'DELETE',
491 protected => 1,
492 proxyto => 'node',
493 description => "Destroy the container (also delete all uses files).",
494 permissions => {
495 check => [ 'perm', '/vms/{vmid}', ['VM.Allocate']],
496 },
497 parameters => {
498 additionalProperties => 0,
499 properties => {
500 node => get_standard_option('pve-node'),
501 vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid_stopped }),
502 },
503 },
504 returns => {
505 type => 'string',
506 },
507 code => sub {
508 my ($param) = @_;
509
510 my $rpcenv = PVE::RPCEnvironment::get();
511
512 my $authuser = $rpcenv->get_user();
513
514 my $vmid = $param->{vmid};
515
516 # test if container exists
517 my $conf = PVE::LXC::Config->load_config($vmid);
518
519 my $storage_cfg = cfs_read_file("storage.cfg");
520
521 PVE::LXC::Config->check_protection($conf, "can't remove CT $vmid");
522
523 die "unable to remove CT $vmid - used in HA resources\n"
524 if PVE::HA::Config::vm_is_ha_managed($vmid);
525
526 my $running_error_msg = "unable to destroy CT $vmid - container is running\n";
527
528 die $running_error_msg if PVE::LXC::check_running($vmid); # check early
529
530 my $code = sub {
531 # reload config after lock
532 $conf = PVE::LXC::Config->load_config($vmid);
533 PVE::LXC::Config->check_lock($conf);
534
535 die $running_error_msg if PVE::LXC::check_running($vmid);
536
537 PVE::LXC::destroy_lxc_container($storage_cfg, $vmid, $conf);
538 PVE::AccessControl::remove_vm_access($vmid);
539 PVE::Firewall::remove_vmfw_conf($vmid);
540 };
541
542 my $realcmd = sub { PVE::LXC::Config->lock_config($vmid, $code); };
543
544 return $rpcenv->fork_worker('vzdestroy', $vmid, $authuser, $realcmd);
545 }});
546
547 my $sslcert;
548
549 __PACKAGE__->register_method ({
550 name => 'vncproxy',
551 path => '{vmid}/vncproxy',
552 method => 'POST',
553 protected => 1,
554 permissions => {
555 check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
556 },
557 description => "Creates a TCP VNC proxy connections.",
558 parameters => {
559 additionalProperties => 0,
560 properties => {
561 node => get_standard_option('pve-node'),
562 vmid => get_standard_option('pve-vmid'),
563 websocket => {
564 optional => 1,
565 type => 'boolean',
566 description => "use websocket instead of standard VNC.",
567 },
568 },
569 },
570 returns => {
571 additionalProperties => 0,
572 properties => {
573 user => { type => 'string' },
574 ticket => { type => 'string' },
575 cert => { type => 'string' },
576 port => { type => 'integer' },
577 upid => { type => 'string' },
578 },
579 },
580 code => sub {
581 my ($param) = @_;
582
583 my $rpcenv = PVE::RPCEnvironment::get();
584
585 my $authuser = $rpcenv->get_user();
586
587 my $vmid = $param->{vmid};
588 my $node = $param->{node};
589
590 my $authpath = "/vms/$vmid";
591
592 my $ticket = PVE::AccessControl::assemble_vnc_ticket($authuser, $authpath);
593
594 $sslcert = PVE::Tools::file_get_contents("/etc/pve/pve-root-ca.pem", 8192)
595 if !$sslcert;
596
597 my ($remip, $family);
598
599 if ($node ne PVE::INotify::nodename()) {
600 ($remip, $family) = PVE::Cluster::remote_node_ip($node);
601 } else {
602 $family = PVE::Tools::get_host_address_family($node);
603 }
604
605 my $port = PVE::Tools::next_vnc_port($family);
606
607 # NOTE: vncterm VNC traffic is already TLS encrypted,
608 # so we select the fastest chipher here (or 'none'?)
609 my $remcmd = $remip ?
610 ['/usr/bin/ssh', '-t', $remip] : [];
611
612 my $conf = PVE::LXC::Config->load_config($vmid, $node);
613 my $concmd = PVE::LXC::get_console_command($vmid, $conf);
614
615 my $shcmd = [ '/usr/bin/dtach', '-A',
616 "/var/run/dtach/vzctlconsole$vmid",
617 '-r', 'winch', '-z', @$concmd];
618
619 my $realcmd = sub {
620 my $upid = shift;
621
622 syslog ('info', "starting lxc vnc proxy $upid\n");
623
624 my $timeout = 10;
625
626 my $cmd = ['/usr/bin/vncterm', '-rfbport', $port,
627 '-timeout', $timeout, '-authpath', $authpath,
628 '-perm', 'VM.Console'];
629
630 if ($param->{websocket}) {
631 $ENV{PVE_VNC_TICKET} = $ticket; # pass ticket to vncterm
632 push @$cmd, '-notls', '-listen', 'localhost';
633 }
634
635 push @$cmd, '-c', @$remcmd, @$shcmd;
636
637 run_command($cmd);
638
639 return;
640 };
641
642 my $upid = $rpcenv->fork_worker('vncproxy', $vmid, $authuser, $realcmd);
643
644 PVE::Tools::wait_for_vnc_port($port);
645
646 return {
647 user => $authuser,
648 ticket => $ticket,
649 port => $port,
650 upid => $upid,
651 cert => $sslcert,
652 };
653 }});
654
655 __PACKAGE__->register_method({
656 name => 'vncwebsocket',
657 path => '{vmid}/vncwebsocket',
658 method => 'GET',
659 permissions => {
660 description => "You also need to pass a valid ticket (vncticket).",
661 check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
662 },
663 description => "Opens a weksocket for VNC traffic.",
664 parameters => {
665 additionalProperties => 0,
666 properties => {
667 node => get_standard_option('pve-node'),
668 vmid => get_standard_option('pve-vmid'),
669 vncticket => {
670 description => "Ticket from previous call to vncproxy.",
671 type => 'string',
672 maxLength => 512,
673 },
674 port => {
675 description => "Port number returned by previous vncproxy call.",
676 type => 'integer',
677 minimum => 5900,
678 maximum => 5999,
679 },
680 },
681 },
682 returns => {
683 type => "object",
684 properties => {
685 port => { type => 'string' },
686 },
687 },
688 code => sub {
689 my ($param) = @_;
690
691 my $rpcenv = PVE::RPCEnvironment::get();
692
693 my $authuser = $rpcenv->get_user();
694
695 my $authpath = "/vms/$param->{vmid}";
696
697 PVE::AccessControl::verify_vnc_ticket($param->{vncticket}, $authuser, $authpath);
698
699 my $port = $param->{port};
700
701 return { port => $port };
702 }});
703
704 __PACKAGE__->register_method ({
705 name => 'spiceproxy',
706 path => '{vmid}/spiceproxy',
707 method => 'POST',
708 protected => 1,
709 proxyto => 'node',
710 permissions => {
711 check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
712 },
713 description => "Returns a SPICE configuration to connect to the CT.",
714 parameters => {
715 additionalProperties => 0,
716 properties => {
717 node => get_standard_option('pve-node'),
718 vmid => get_standard_option('pve-vmid'),
719 proxy => get_standard_option('spice-proxy', { optional => 1 }),
720 },
721 },
722 returns => get_standard_option('remote-viewer-config'),
723 code => sub {
724 my ($param) = @_;
725
726 my $vmid = $param->{vmid};
727 my $node = $param->{node};
728 my $proxy = $param->{proxy};
729
730 my $authpath = "/vms/$vmid";
731 my $permissions = 'VM.Console';
732
733 my $conf = PVE::LXC::Config->load_config($vmid);
734
735 die "CT $vmid not running\n" if !PVE::LXC::check_running($vmid);
736
737 my $concmd = PVE::LXC::get_console_command($vmid, $conf);
738
739 my $shcmd = ['/usr/bin/dtach', '-A',
740 "/var/run/dtach/vzctlconsole$vmid",
741 '-r', 'winch', '-z', @$concmd];
742
743 my $title = "CT $vmid";
744
745 return PVE::API2Tools::run_spiceterm($authpath, $permissions, $vmid, $node, $proxy, $title, $shcmd);
746 }});
747
748
749 __PACKAGE__->register_method({
750 name => 'migrate_vm',
751 path => '{vmid}/migrate',
752 method => 'POST',
753 protected => 1,
754 proxyto => 'node',
755 description => "Migrate the container to another node. Creates a new migration task.",
756 permissions => {
757 check => ['perm', '/vms/{vmid}', [ 'VM.Migrate' ]],
758 },
759 parameters => {
760 additionalProperties => 0,
761 properties => {
762 node => get_standard_option('pve-node'),
763 vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }),
764 target => get_standard_option('pve-node', {
765 description => "Target node.",
766 completion => \&PVE::Cluster::complete_migration_target,
767 }),
768 online => {
769 type => 'boolean',
770 description => "Use online/live migration.",
771 optional => 1,
772 },
773 force => {
774 type => 'boolean',
775 description => "Force migration despite local bind / device" .
776 " mounts. WARNING: identical bind / device mounts need to ".
777 " be available on the target node.",
778 optional => 1,
779 },
780 },
781 },
782 returns => {
783 type => 'string',
784 description => "the task ID.",
785 },
786 code => sub {
787 my ($param) = @_;
788
789 my $rpcenv = PVE::RPCEnvironment::get();
790
791 my $authuser = $rpcenv->get_user();
792
793 my $target = extract_param($param, 'target');
794
795 my $localnode = PVE::INotify::nodename();
796 raise_param_exc({ target => "target is local node."}) if $target eq $localnode;
797
798 PVE::Cluster::check_cfs_quorum();
799
800 PVE::Cluster::check_node_exists($target);
801
802 my $targetip = PVE::Cluster::remote_node_ip($target);
803
804 my $vmid = extract_param($param, 'vmid');
805
806 # test if VM exists
807 PVE::LXC::Config->load_config($vmid);
808
809 # try to detect errors early
810 if (PVE::LXC::check_running($vmid)) {
811 die "can't migrate running container without --online\n"
812 if !$param->{online};
813 }
814
815 if (PVE::HA::Config::vm_is_ha_managed($vmid) && $rpcenv->{type} ne 'ha') {
816
817 my $hacmd = sub {
818 my $upid = shift;
819
820 my $service = "ct:$vmid";
821
822 my $cmd = ['ha-manager', 'migrate', $service, $target];
823
824 print "Executing HA migrate for CT $vmid to node $target\n";
825
826 PVE::Tools::run_command($cmd);
827
828 return;
829 };
830
831 return $rpcenv->fork_worker('hamigrate', $vmid, $authuser, $hacmd);
832
833 } else {
834
835 my $realcmd = sub {
836 my $upid = shift;
837
838 PVE::LXC::Migrate->migrate($target, $targetip, $vmid, $param);
839
840 return;
841 };
842
843 return $rpcenv->fork_worker('vzmigrate', $vmid, $authuser, $realcmd);
844 }
845 }});
846
847 __PACKAGE__->register_method({
848 name => 'vm_feature',
849 path => '{vmid}/feature',
850 method => 'GET',
851 proxyto => 'node',
852 protected => 1,
853 description => "Check if feature for virtual machine is available.",
854 permissions => {
855 check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
856 },
857 parameters => {
858 additionalProperties => 0,
859 properties => {
860 node => get_standard_option('pve-node'),
861 vmid => get_standard_option('pve-vmid'),
862 feature => {
863 description => "Feature to check.",
864 type => 'string',
865 enum => [ 'snapshot' ],
866 },
867 snapname => get_standard_option('pve-lxc-snapshot-name', {
868 optional => 1,
869 }),
870 },
871 },
872 returns => {
873 type => "object",
874 properties => {
875 hasFeature => { type => 'boolean' },
876 #nodes => {
877 #type => 'array',
878 #items => { type => 'string' },
879 #}
880 },
881 },
882 code => sub {
883 my ($param) = @_;
884
885 my $node = extract_param($param, 'node');
886
887 my $vmid = extract_param($param, 'vmid');
888
889 my $snapname = extract_param($param, 'snapname');
890
891 my $feature = extract_param($param, 'feature');
892
893 my $conf = PVE::LXC::Config->load_config($vmid);
894
895 if($snapname){
896 my $snap = $conf->{snapshots}->{$snapname};
897 die "snapshot '$snapname' does not exist\n" if !defined($snap);
898 $conf = $snap;
899 }
900 my $storage_cfg = PVE::Storage::config();
901 #Maybe include later
902 #my $nodelist = PVE::LXC::shared_nodes($conf, $storage_cfg);
903 my $hasFeature = PVE::LXC::Config->has_feature($feature, $conf, $storage_cfg, $snapname);
904
905 return {
906 hasFeature => $hasFeature,
907 #nodes => [ keys %$nodelist ],
908 };
909 }});
910
911 __PACKAGE__->register_method({
912 name => 'template',
913 path => '{vmid}/template',
914 method => 'POST',
915 protected => 1,
916 proxyto => 'node',
917 description => "Create a Template.",
918 permissions => {
919 description => "You need 'VM.Allocate' permissions on /vms/{vmid}",
920 check => [ 'perm', '/vms/{vmid}', ['VM.Allocate']],
921 },
922 parameters => {
923 additionalProperties => 0,
924 properties => {
925 node => get_standard_option('pve-node'),
926 vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid_stopped }),
927 experimental => {
928 type => 'boolean',
929 description => "The template feature is experimental, set this " .
930 "flag if you know what you are doing.",
931 default => 0,
932 },
933 },
934 },
935 returns => { type => 'null'},
936 code => sub {
937 my ($param) = @_;
938
939 my $rpcenv = PVE::RPCEnvironment::get();
940
941 my $authuser = $rpcenv->get_user();
942
943 my $node = extract_param($param, 'node');
944
945 my $vmid = extract_param($param, 'vmid');
946
947 my $updatefn = sub {
948
949 my $conf = PVE::LXC::Config->load_config($vmid);
950 PVE::LXC::Config->check_lock($conf);
951
952 die "unable to create template, because CT contains snapshots\n"
953 if $conf->{snapshots} && scalar(keys %{$conf->{snapshots}});
954
955 die "you can't convert a template to a template\n"
956 if PVE::LXC::Config->is_template($conf);
957
958 die "you can't convert a CT to template if the CT is running\n"
959 if PVE::LXC::check_running($vmid);
960
961 my $realcmd = sub {
962 PVE::LXC::template_create($vmid, $conf);
963 };
964
965 $conf->{template} = 1;
966
967 PVE::LXC::Config->write_config($vmid, $conf);
968 # and remove lxc config
969 PVE::LXC::update_lxc_config(undef, $vmid, $conf);
970
971 return $rpcenv->fork_worker('vztemplate', $vmid, $authuser, $realcmd);
972 };
973
974 PVE::LXC::Config->lock_config($vmid, $updatefn);
975
976 return undef;
977 }});
978
979 __PACKAGE__->register_method({
980 name => 'clone_vm',
981 path => '{vmid}/clone',
982 method => 'POST',
983 protected => 1,
984 proxyto => 'node',
985 description => "Create a container clone/copy",
986 permissions => {
987 description => "You need 'VM.Clone' permissions on /vms/{vmid}, " .
988 "and 'VM.Allocate' permissions " .
989 "on /vms/{newid} (or on the VM pool /pool/{pool}). You also need " .
990 "'Datastore.AllocateSpace' on any used storage.",
991 check =>
992 [ 'and',
993 ['perm', '/vms/{vmid}', [ 'VM.Clone' ]],
994 [ 'or',
995 [ 'perm', '/vms/{newid}', ['VM.Allocate']],
996 [ 'perm', '/pool/{pool}', ['VM.Allocate'], require_param => 'pool'],
997 ],
998 ]
999 },
1000 parameters => {
1001 additionalProperties => 0,
1002 properties => {
1003 node => get_standard_option('pve-node'),
1004 vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }),
1005 newid => get_standard_option('pve-vmid', {
1006 completion => \&PVE::Cluster::complete_next_vmid,
1007 description => 'VMID for the clone.' }),
1008 hostname => {
1009 optional => 1,
1010 type => 'string', format => 'dns-name',
1011 description => "Set a hostname for the new CT.",
1012 },
1013 description => {
1014 optional => 1,
1015 type => 'string',
1016 description => "Description for the new CT.",
1017 },
1018 pool => {
1019 optional => 1,
1020 type => 'string', format => 'pve-poolid',
1021 description => "Add the new CT to the specified pool.",
1022 },
1023 snapname => get_standard_option('pve-lxc-snapshot-name', {
1024 optional => 1,
1025 }),
1026 storage => get_standard_option('pve-storage-id', {
1027 description => "Target storage for full clone.",
1028 requires => 'full',
1029 optional => 1,
1030 }),
1031 full => {
1032 optional => 1,
1033 type => 'boolean',
1034 description => "Create a full copy of all disk. This is always done when " .
1035 "you clone a normal CT. For CT templates, we try to create a linked clone by default.",
1036 default => 0,
1037 },
1038 experimental => {
1039 type => 'boolean',
1040 description => "The clone feature is experimental, set this " .
1041 "flag if you know what you are doing.",
1042 default => 0,
1043 },
1044 # target => get_standard_option('pve-node', {
1045 # description => "Target node. Only allowed if the original VM is on shared storage.",
1046 # optional => 1,
1047 # }),
1048 },
1049 },
1050 returns => {
1051 type => 'string',
1052 },
1053 code => sub {
1054 my ($param) = @_;
1055
1056 my $rpcenv = PVE::RPCEnvironment::get();
1057
1058 my $authuser = $rpcenv->get_user();
1059
1060 my $node = extract_param($param, 'node');
1061
1062 my $vmid = extract_param($param, 'vmid');
1063
1064 my $newid = extract_param($param, 'newid');
1065
1066 my $pool = extract_param($param, 'pool');
1067
1068 if (defined($pool)) {
1069 $rpcenv->check_pool_exist($pool);
1070 }
1071
1072 my $snapname = extract_param($param, 'snapname');
1073
1074 my $storage = extract_param($param, 'storage');
1075
1076 my $localnode = PVE::INotify::nodename();
1077
1078 my $storecfg = PVE::Storage::config();
1079
1080 if ($storage) {
1081 # check if storage is enabled on local node
1082 PVE::Storage::storage_check_enabled($storecfg, $storage);
1083 }
1084
1085 PVE::Cluster::check_cfs_quorum();
1086
1087 my $running = PVE::LXC::check_running($vmid) || 0;
1088
1089 my $clonefn = sub {
1090
1091 # do all tests after lock
1092 # we also try to do all tests before we fork the worker
1093 my $conf = PVE::LXC::Config->load_config($vmid);
1094
1095 PVE::LXC::Config->check_lock($conf);
1096
1097 my $verify_running = PVE::LXC::check_running($vmid) || 0;
1098
1099 die "unexpected state change\n" if $verify_running != $running;
1100
1101 die "snapshot '$snapname' does not exist\n"
1102 if $snapname && !defined( $conf->{snapshots}->{$snapname});
1103
1104 my $oldconf = $snapname ? $conf->{snapshots}->{$snapname} : $conf;
1105
1106 my $conffile = PVE::LXC::Config->config_file($newid);
1107 die "unable to create CT $newid: config file already exists\n"
1108 if -f $conffile;
1109
1110 my $newconf = { lock => 'clone' };
1111 my $mountpoints = {};
1112 my $fullclone = {};
1113 my $vollist = [];
1114
1115 foreach my $opt (keys %$oldconf) {
1116 my $value = $oldconf->{$opt};
1117
1118 # no need to copy unused images, because VMID(owner) changes anyways
1119 next if $opt =~ m/^unused\d+$/;
1120
1121 if (($opt eq 'rootfs') || ($opt =~ m/^mp\d+$/)) {
1122 my $mp = $opt eq 'rootfs' ?
1123 PVE::LXC::Config->parse_ct_rootfs($value) :
1124 PVE::LXC::Config->parse_ct_mountpoint($value);
1125
1126 if ($mp->{type} eq 'volume') {
1127 my $volid = $mp->{volume};
1128 if ($param->{full}) {
1129 die "fixme: full clone not implemented";
1130
1131 die "Full clone feature for '$volid' is not available\n"
1132 if !PVE::Storage::volume_has_feature($storecfg, 'copy', $volid, $snapname, $running);
1133 $fullclone->{$opt} = 1;
1134 } else {
1135 # not full means clone instead of copy
1136 die "Linked clone feature for '$volid' is not available\n"
1137 if !PVE::Storage::volume_has_feature($storecfg, 'clone', $volid, $snapname, $running);
1138 }
1139
1140 $mountpoints->{$opt} = $mp;
1141 push @$vollist, $volid;
1142
1143 } else {
1144 # TODO: allow bind mounts?
1145 die "unable to clone mountpint '$opt' (type $mp->{type})\n";
1146 }
1147
1148 } else {
1149 # copy everything else
1150 $newconf->{$opt} = $value;
1151 }
1152 }
1153
1154 delete $newconf->{template};
1155 if ($param->{hostname}) {
1156 $newconf->{hostname} = $param->{hostname};
1157 }
1158
1159 if ($param->{description}) {
1160 $newconf->{description} = $param->{description};
1161 }
1162
1163 # create empty/temp config - this fails if CT already exists on other node
1164 PVE::Tools::file_set_contents($conffile, "# ctclone temporary file\nlock: clone\n");
1165
1166 my $realcmd = sub {
1167 my $upid = shift;
1168
1169 my $newvollist = [];
1170
1171 eval {
1172 local $SIG{INT} = $SIG{TERM} = $SIG{QUIT} = $SIG{HUP} = sub { die "interrupted by signal\n"; };
1173
1174 PVE::Storage::activate_volumes($storecfg, $vollist, $snapname);
1175
1176 foreach my $opt (keys %$mountpoints) {
1177 my $mp = $mountpoints->{$opt};
1178 my $volid = $mp->{volume};
1179
1180 if ($fullclone->{$opt}) {
1181 die "fixme: full clone not implemented\n";
1182 } else {
1183 print "create linked clone of mountpoint $opt ($volid)\n";
1184 my $newvolid = PVE::Storage::vdisk_clone($storecfg, $volid, $newid, $snapname);
1185 push @$newvollist, $newvolid;
1186 $mp->{volume} = $newvolid;
1187
1188 $newconf->{$opt} = PVE::LXC::Config->print_ct_mountpoint($mp, $opt eq 'rootfs');
1189 PVE::LXC::Config->write_config($newid, $newconf);
1190 }
1191 }
1192
1193 delete $newconf->{lock};
1194 PVE::LXC::Config->write_config($newid, $newconf);
1195
1196 PVE::AccessControl::add_vm_to_pool($newid, $pool) if $pool;
1197 };
1198 if (my $err = $@) {
1199 unlink $conffile;
1200
1201 sleep 1; # some storage like rbd need to wait before release volume - really?
1202
1203 foreach my $volid (@$newvollist) {
1204 eval { PVE::Storage::vdisk_free($storecfg, $volid); };
1205 warn $@ if $@;
1206 }
1207 die "clone failed: $err";
1208 }
1209
1210 return;
1211 };
1212
1213 PVE::Firewall::clone_vmfw_conf($vmid, $newid);
1214
1215 return $rpcenv->fork_worker('vzclone', $vmid, $authuser, $realcmd);
1216
1217 };
1218
1219 return PVE::LXC::Config->lock_config($vmid, $clonefn);
1220 }});
1221
1222
1223 __PACKAGE__->register_method({
1224 name => 'resize_vm',
1225 path => '{vmid}/resize',
1226 method => 'PUT',
1227 protected => 1,
1228 proxyto => 'node',
1229 description => "Resize a container mountpoint.",
1230 permissions => {
1231 check => ['perm', '/vms/{vmid}', ['VM.Config.Disk'], any => 1],
1232 },
1233 parameters => {
1234 additionalProperties => 0,
1235 properties => {
1236 node => get_standard_option('pve-node'),
1237 vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }),
1238 disk => {
1239 type => 'string',
1240 description => "The disk you want to resize.",
1241 enum => [PVE::LXC::Config->mountpoint_names()],
1242 },
1243 size => {
1244 type => 'string',
1245 pattern => '\+?\d+(\.\d+)?[KMGT]?',
1246 description => "The new size. With the '+' sign the value is added to the actual size of the volume and without it, the value is taken as an absolute one. Shrinking disk size is not supported.",
1247 },
1248 digest => {
1249 type => 'string',
1250 description => 'Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.',
1251 maxLength => 40,
1252 optional => 1,
1253 }
1254 },
1255 },
1256 returns => {
1257 type => 'string',
1258 description => "the task ID.",
1259 },
1260 code => sub {
1261 my ($param) = @_;
1262
1263 my $rpcenv = PVE::RPCEnvironment::get();
1264
1265 my $authuser = $rpcenv->get_user();
1266
1267 my $node = extract_param($param, 'node');
1268
1269 my $vmid = extract_param($param, 'vmid');
1270
1271 my $digest = extract_param($param, 'digest');
1272
1273 my $sizestr = extract_param($param, 'size');
1274 my $ext = ($sizestr =~ s/^\+//);
1275 my $newsize = PVE::JSONSchema::parse_size($sizestr);
1276 die "invalid size string" if !defined($newsize);
1277
1278 die "no options specified\n" if !scalar(keys %$param);
1279
1280 PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $param, []);
1281
1282 my $storage_cfg = cfs_read_file("storage.cfg");
1283
1284 my $code = sub {
1285
1286 my $conf = PVE::LXC::Config->load_config($vmid);
1287 PVE::LXC::Config->check_lock($conf);
1288
1289 PVE::Tools::assert_if_modified($digest, $conf->{digest});
1290
1291 my $running = PVE::LXC::check_running($vmid);
1292
1293 my $disk = $param->{disk};
1294 my $mp = $disk eq 'rootfs' ? PVE::LXC::Config->parse_ct_rootfs($conf->{$disk}) :
1295 PVE::LXC::Config->parse_ct_mountpoint($conf->{$disk});
1296
1297 my $volid = $mp->{volume};
1298
1299 my (undef, undef, $owner, undef, undef, undef, $format) =
1300 PVE::Storage::parse_volname($storage_cfg, $volid);
1301
1302 die "can't resize mountpoint owned by another container ($owner)"
1303 if $vmid != $owner;
1304
1305 die "can't resize volume: $disk if snapshot exists\n"
1306 if %{$conf->{snapshots}} && $format eq 'qcow2';
1307
1308 my ($storeid, $volname) = PVE::Storage::parse_volume_id($volid);
1309
1310 $rpcenv->check($authuser, "/storage/$storeid", ['Datastore.AllocateSpace']);
1311
1312 PVE::Storage::activate_volumes($storage_cfg, [$volid]);
1313
1314 my $size = PVE::Storage::volume_size_info($storage_cfg, $volid, 5);
1315 $newsize += $size if $ext;
1316 $newsize = int($newsize);
1317
1318 die "unable to shrink disk size\n" if $newsize < $size;
1319
1320 return if $size == $newsize;
1321
1322 PVE::Cluster::log_msg('info', $authuser, "update CT $vmid: resize --disk $disk --size $sizestr");
1323 my $realcmd = sub {
1324 # Note: PVE::Storage::volume_resize doesn't do anything if $running=1, so
1325 # we pass 0 here (parameter only makes sense for qemu)
1326 PVE::Storage::volume_resize($storage_cfg, $volid, $newsize, 0);
1327
1328 $mp->{size} = $newsize;
1329 $conf->{$disk} = PVE::LXC::Config->print_ct_mountpoint($mp, $disk eq 'rootfs');
1330
1331 PVE::LXC::Config->write_config($vmid, $conf);
1332
1333 if ($format eq 'raw') {
1334 my $path = PVE::Storage::path($storage_cfg, $volid, undef);
1335 if ($running) {
1336
1337 $mp->{mp} = '/';
1338 my $use_loopdev = (PVE::LXC::mountpoint_mount_path($mp, $storage_cfg))[1];
1339 $path = PVE::LXC::query_loopdev($path) if $use_loopdev;
1340 die "internal error: CT running but mountpoint not attached to a loop device"
1341 if !$path;
1342 PVE::Tools::run_command(['losetup', '--set-capacity', $path]) if $use_loopdev;
1343
1344 # In order for resize2fs to know that we need online-resizing a mountpoint needs
1345 # to be visible to it in its namespace.
1346 # To not interfere with the rest of the system we unshare the current mount namespace,
1347 # mount over /tmp and then run resize2fs.
1348
1349 # interestingly we don't need to e2fsck on mounted systems...
1350 my $quoted = PVE::Tools::shellquote($path);
1351 my $cmd = "mount --make-rprivate / && mount $quoted /tmp && resize2fs $quoted";
1352 eval {
1353 PVE::Tools::run_command(['unshare', '-m', '--', 'sh', '-c', $cmd]);
1354 };
1355 warn "Failed to update the container's filesystem: $@\n" if $@;
1356 } else {
1357 eval {
1358 PVE::Tools::run_command(['e2fsck', '-f', '-y', $path]);
1359 PVE::Tools::run_command(['resize2fs', $path]);
1360 };
1361 warn "Failed to update the container's filesystem: $@\n" if $@;
1362 }
1363 }
1364 };
1365
1366 return $rpcenv->fork_worker('resize', $vmid, $authuser, $realcmd);
1367 };
1368
1369 return PVE::LXC::Config->lock_config($vmid, $code);;
1370 }});
1371
1372 1;
PVE Container Toolkit