1 package PVE
::LXC
::Config
;
6 use PVE
::AbstractConfig
;
7 use PVE
::Cluster
qw(cfs_register_file);
9 use PVE
::JSONSchema
qw(get_standard_option);
12 use base
qw(PVE::AbstractConfig);
14 my $nodename = PVE
::INotify
::nodename
();
15 my $lock_handles = {};
16 my $lockdir = "/run/lock/lxc";
18 mkdir "/etc/pve/nodes/$nodename/lxc";
19 my $MAX_MOUNT_POINTS = 256;
20 my $MAX_UNUSED_DISKS = $MAX_MOUNT_POINTS;
22 # BEGIN implemented abstract methods from PVE::AbstractConfig
28 sub __config_max_unused_disks
{
31 return $MAX_UNUSED_DISKS;
34 sub config_file_lock
{
35 my ($class, $vmid) = @_;
37 return "$lockdir/pve-config-${vmid}.lock";
41 my ($class, $vmid, $node) = @_;
43 $node = $nodename if !$node;
44 return "nodes/$node/lxc/$vmid.conf";
47 sub mountpoint_backup_enabled
{
48 my ($class, $mp_key, $mountpoint) = @_;
50 return 1 if $mp_key eq 'rootfs';
52 return 0 if $mountpoint->{type
} ne 'volume';
54 return 1 if $mountpoint->{backup
};
60 my ($class, $feature, $conf, $storecfg, $snapname, $running, $backup_only) = @_;
63 $class->foreach_mountpoint($conf, sub {
64 my ($ms, $mountpoint) = @_;
66 return if $err; # skip further test
67 return if $backup_only && !$class->mountpoint_backup_enabled($ms, $mountpoint);
70 if !PVE
::Storage
::volume_has_feature
($storecfg, $feature,
71 $mountpoint->{volume
},
78 sub __snapshot_save_vmstate
{
79 my ($class, $vmid, $conf, $snapname, $storecfg) = @_;
80 die "implement me - snapshot_save_vmstate\n";
83 sub __snapshot_check_running
{
84 my ($class, $vmid) = @_;
85 return PVE
::LXC
::check_running
($vmid);
88 sub __snapshot_check_freeze_needed
{
89 my ($class, $vmid, $config, $save_vmstate) = @_;
91 my $ret = $class->__snapshot_check_running($vmid);
95 sub __snapshot_freeze
{
96 my ($class, $vmid, $unfreeze) = @_;
99 eval { PVE
::Tools
::run_command
(['/usr/bin/lxc-unfreeze', '-n', $vmid]); };
102 PVE
::Tools
::run_command
(['/usr/bin/lxc-freeze', '-n', $vmid]);
103 PVE
::LXC
::sync_container_namespace
($vmid);
107 sub __snapshot_create_vol_snapshot
{
108 my ($class, $vmid, $ms, $mountpoint, $snapname) = @_;
110 my $storecfg = PVE
::Storage
::config
();
112 return if $snapname eq 'vzdump' &&
113 !$class->mountpoint_backup_enabled($ms, $mountpoint);
115 PVE
::Storage
::volume_snapshot
($storecfg, $mountpoint->{volume
}, $snapname);
118 sub __snapshot_delete_remove_drive
{
119 my ($class, $snap, $remove_drive) = @_;
121 if ($remove_drive eq 'vmstate') {
122 die "implement me - saving vmstate\n";
124 my $value = $snap->{$remove_drive};
125 my $mountpoint = $remove_drive eq 'rootfs' ?
$class->parse_ct_rootfs($value, 1) : $class->parse_ct_mountpoint($value, 1);
126 delete $snap->{$remove_drive};
128 $class->add_unused_volume($snap, $mountpoint->{volume
})
129 if ($mountpoint->{type
} eq 'volume');
133 sub __snapshot_delete_vmstate_file
{
134 my ($class, $snap, $force) = @_;
136 die "implement me - saving vmstate\n";
139 sub __snapshot_delete_vol_snapshot
{
140 my ($class, $vmid, $ms, $mountpoint, $snapname, $unused) = @_;
142 return if $snapname eq 'vzdump' &&
143 !$class->mountpoint_backup_enabled($ms, $mountpoint);
145 my $storecfg = PVE
::Storage
::config
();
146 PVE
::Storage
::volume_snapshot_delete
($storecfg, $mountpoint->{volume
}, $snapname);
147 push @$unused, $mountpoint->{volume
};
150 sub __snapshot_rollback_vol_possible
{
151 my ($class, $mountpoint, $snapname) = @_;
153 my $storecfg = PVE
::Storage
::config
();
154 PVE
::Storage
::volume_rollback_is_possible
($storecfg, $mountpoint->{volume
}, $snapname);
157 sub __snapshot_rollback_vol_rollback
{
158 my ($class, $mountpoint, $snapname) = @_;
160 my $storecfg = PVE
::Storage
::config
();
161 PVE
::Storage
::volume_snapshot_rollback
($storecfg, $mountpoint->{volume
}, $snapname);
164 sub __snapshot_rollback_vm_stop
{
165 my ($class, $vmid) = @_;
167 PVE
::LXC
::vm_stop
($vmid, 1)
168 if $class->__snapshot_check_running($vmid);
171 sub __snapshot_rollback_vm_start
{
172 my ($class, $vmid, $vmstate, $data);
174 die "implement me - save vmstate\n";
177 sub __snapshot_rollback_get_unused
{
178 my ($class, $conf, $snap) = @_;
182 $class->__snapshot_foreach_volume($conf, sub {
183 my ($vs, $volume) = @_;
185 return if $volume->{type
} ne 'volume';
188 my $volid = $volume->{volume
};
190 $class->__snapshot_foreach_volume($snap, sub {
191 my ($ms, $mountpoint) = @_;
194 return if ($mountpoint->{type
} ne 'volume');
197 if ($mountpoint->{volume
} && $mountpoint->{volume
} eq $volid);
200 push @$unused, $volid if !$found;
206 sub __snapshot_foreach_volume
{
207 my ($class, $conf, $func) = @_;
209 $class->foreach_mountpoint($conf, $func);
212 # END implemented abstract methods from PVE::AbstractConfig
214 # BEGIN JSON config code
216 cfs_register_file
('/lxc/', \
&parse_pct_config
, \
&write_pct_config
);
222 format
=> 'pve-lxc-mp-string',
223 format_description
=> 'volume',
224 description
=> 'Volume, device or directory to mount into the container.',
228 format
=> 'disk-size',
229 format_description
=> 'DiskSize',
230 description
=> 'Volume size (read only value).',
235 description
=> 'Explicitly enable or disable ACL support.',
240 description
=> 'Read-only mount point',
245 description
=> 'Enable user quotas inside the container (not supported with zfs subvolumes)',
250 description
=> 'Will include this volume to a storage replica job.',
256 description
=> 'Mark this non-volume mount point as available on multiple nodes (see \'nodes\')',
257 verbose_description
=> "Mark this non-volume mount point as available on all nodes.\n\nWARNING: This option does not share the mount point automatically, it assumes it is shared already!",
263 PVE
::JSONSchema
::register_standard_option
('pve-ct-rootfs', {
264 type
=> 'string', format
=> $rootfs_desc,
265 description
=> "Use volume as container root.",
269 PVE
::JSONSchema
::register_standard_option
('pve-lxc-snapshot-name', {
270 description
=> "The name of the snapshot.",
271 type
=> 'string', format
=> 'pve-configid',
275 my $features_desc = {
279 description
=> "Allow mounting file systems of specific types."
280 ." This should be a list of file system types as used with the mount command."
281 ." Note that this can have negative effects on the container's security."
282 ." With access to a loop device, mounting a file can circumvent the mknod"
283 ." permission of the devices cgroup, mounting an NFS file system can"
284 ." block the host's I/O completely and prevent it from rebooting, etc.",
285 format_description
=> 'fstype;fstype;...',
286 pattern
=> qr/[a-zA-Z0-9; ]+/,
292 description
=> "Allow nesting."
293 ." Best used with unprivileged containers with additional id mapping."
294 ." Note that this will expose procfs and sysfs contents of the host"
301 description
=> "For unprivileged containers only: Allow the use of the keyctl() system call."
302 ." This is required to use docker inside a container."
303 ." By default unprivileged containers will see this system call as non-existent."
304 ." This is mostly a workaround for systemd-networkd, as it will treat it as a fatal"
305 ." error when some keyctl() operations are denied by the kernel due to lacking permissions."
306 ." Essentially, you can choose between running systemd-networkd or docker.",
312 description
=> "Allow using 'fuse' file systems in a container."
313 ." Note that interactions between fuse and the freezer cgroup can potentially cause I/O deadlocks.",
321 description
=> "Lock/unlock the VM.",
322 enum
=> [qw(backup disk migrate mounted rollback snapshot snapshot-delete)],
327 description
=> "Specifies whether a VM will be started during system bootup.",
330 startup
=> get_standard_option
('pve-startup-order'),
334 description
=> "Enable/disable Template.",
340 enum
=> ['amd64', 'i386', 'arm64', 'armhf'],
341 description
=> "OS architecture type.",
347 enum
=> [qw(debian ubuntu centos fedora opensuse archlinux alpine gentoo unmanaged)],
348 description
=> "OS type. This is used to setup configuration inside the container, and corresponds to lxc setup scripts in /usr/share/lxc/config/<ostype>.common.conf. Value 'unmanaged' can be used to skip and OS specific setup.",
353 description
=> "Attach a console device (/dev/console) to the container.",
359 description
=> "Specify the number of tty available to the container",
367 description
=> "The number of cores assigned to the container. A container can use all available cores by default.",
374 description
=> "Limit of CPU usage.\n\nNOTE: If the computer has 2 CPUs, it has a total of '2' CPU time. Value '0' indicates no CPU limit.",
382 description
=> "CPU weight for a VM. Argument is used in the kernel fair scheduler. The larger the number is, the more CPU time this VM gets. Number is relative to the weights of all the other running VMs.\n\nNOTE: You can disable fair-scheduler configuration by setting this to 0.",
390 description
=> "Amount of RAM for the VM in MB.",
397 description
=> "Amount of SWAP for the VM in MB.",
403 description
=> "Set a host name for the container.",
404 type
=> 'string', format
=> 'dns-name',
410 description
=> "Container description. Only used on the configuration web interface.",
414 type
=> 'string', format
=> 'dns-name-list',
415 description
=> "Sets DNS search domains for a container. Create will automatically use the setting from the host if you neither set searchdomain nor nameserver.",
419 type
=> 'string', format
=> 'address-list',
420 description
=> "Sets DNS server IP address for a container. Create will automatically use the setting from the host if you neither set searchdomain nor nameserver.",
422 rootfs
=> get_standard_option
('pve-ct-rootfs'),
425 type
=> 'string', format
=> 'pve-configid',
427 description
=> "Parent snapshot name. This is used internally, and should not be modified.",
431 description
=> "Timestamp for snapshots.",
437 description
=> "Console mode. By default, the console command tries to open a connection to one of the available tty devices. By setting cmode to 'console' it tries to attach to /dev/console instead. If you set cmode to 'shell', it simply invokes a shell inside the container (no login).",
439 enum
=> ['shell', 'console', 'tty'],
445 description
=> "Sets the protection flag of the container. This will prevent the CT or CT's disk remove/update operation.",
451 description
=> "Makes the container run as unprivileged user. (Should not be modified manually.)",
457 format
=> $features_desc,
458 description
=> "Allow containers access to advanced features.",
462 my $valid_lxc_conf_keys = {
463 'lxc.apparmor.profile' => 1,
464 'lxc.apparmor.allow_incomplete' => 1,
465 'lxc.apparmor.allow_nesting' => 1,
466 'lxc.apparmor.raw' => 1,
467 'lxc.selinux.context' => 1,
471 'lxc.signal.halt' => 1,
472 'lxc.signal.reboot' => 1,
473 'lxc.signal.stop' => 1,
476 'lxc.console.logfile' => 1,
477 'lxc.console.path' => 1,
479 'lxc.devtty.dir' => 1,
480 'lxc.hook.autodev' => 1,
483 'lxc.mount.fstab' => 1,
484 'lxc.mount.entry' => 1,
485 'lxc.mount.auto' => 1,
486 'lxc.rootfs.path' => 'lxc.rootfs.path is auto generated from rootfs',
487 'lxc.rootfs.mount' => 1,
488 'lxc.rootfs.options' => 'lxc.rootfs.options is not supported' .
489 ', please use mount point options in the "rootfs" key',
495 'lxc.seccomp.profile' => 1,
497 'lxc.hook.pre-start' => 1,
498 'lxc.hook.pre-mount' => 1,
499 'lxc.hook.mount' => 1,
500 'lxc.hook.start' => 1,
501 'lxc.hook.stop' => 1,
502 'lxc.hook.post-stop' => 1,
503 'lxc.hook.clone' => 1,
504 'lxc.hook.destroy' => 1,
505 'lxc.log.level' => 1,
507 'lxc.start.auto' => 1,
508 'lxc.start.delay' => 1,
509 'lxc.start.order' => 1,
511 'lxc.environment' => 1,
513 # All these are namespaced via CLONE_NEWIPC (see namespaces(7)).
514 'lxc.sysctl.fs.mqueue' => 1,
515 'lxc.sysctl.kernel.msgmax' => 1,
516 'lxc.sysctl.kernel.msgmnb' => 1,
517 'lxc.sysctl.kernel.msgmni' => 1,
518 'lxc.sysctl.kernel.sem' => 1,
519 'lxc.sysctl.kernel.shmall' => 1,
520 'lxc.sysctl.kernel.shmmax' => 1,
521 'lxc.sysctl.kernel.shmmni' => 1,
522 'lxc.sysctl.kernel.shm_rmid_forced' => 1,
525 my $deprecated_lxc_conf_keys = {
526 # Deprecated (removed with lxc 3.0):
527 'lxc.aa_profile' => 'lxc.apparmor.profile',
528 'lxc.aa_allow_incomplete' => 'lxc.apparmor.allow_incomplete',
529 'lxc.console' => 'lxc.console.path',
530 'lxc.devttydir' => 'lxc.tty.dir',
531 'lxc.haltsignal' => 'lxc.signal.halt',
532 'lxc.rebootsignal' => 'lxc.signal.reboot',
533 'lxc.stopsignal' => 'lxc.signal.stop',
534 'lxc.id_map' => 'lxc.idmap',
535 'lxc.init_cmd' => 'lxc.init.cmd',
536 'lxc.loglevel' => 'lxc.log.level',
537 'lxc.logfile' => 'lxc.log.file',
538 'lxc.mount' => 'lxc.mount.fstab',
539 'lxc.network.type' => 'lxc.net.INDEX.type',
540 'lxc.network.flags' => 'lxc.net.INDEX.flags',
541 'lxc.network.link' => 'lxc.net.INDEX.link',
542 'lxc.network.mtu' => 'lxc.net.INDEX.mtu',
543 'lxc.network.name' => 'lxc.net.INDEX.name',
544 'lxc.network.hwaddr' => 'lxc.net.INDEX.hwaddr',
545 'lxc.network.ipv4' => 'lxc.net.INDEX.ipv4.address',
546 'lxc.network.ipv4.gateway' => 'lxc.net.INDEX.ipv4.gateway',
547 'lxc.network.ipv6' => 'lxc.net.INDEX.ipv6.address',
548 'lxc.network.ipv6.gateway' => 'lxc.net.INDEX.ipv6.gateway',
549 'lxc.network.script.up' => 'lxc.net.INDEX.script.up',
550 'lxc.network.script.down' => 'lxc.net.INDEX.script.down',
551 'lxc.pts' => 'lxc.pty.max',
552 'lxc.se_context' => 'lxc.selinux.context',
553 'lxc.seccomp' => 'lxc.seccomp.profile',
554 'lxc.tty' => 'lxc.tty.max',
555 'lxc.utsname' => 'lxc.uts.name',
558 sub is_valid_lxc_conf_key
{
559 my ($vmid, $key) = @_;
560 if ($key =~ /^lxc\.limit\./) {
561 warn "vm $vmid - $key: lxc.limit.* was renamed to lxc.prlimit.*\n";
564 if (defined(my $new_name = $deprecated_lxc_conf_keys->{$key})) {
565 warn "vm $vmid - $key is deprecated and was renamed to $new_name\n";
568 my $validity = $valid_lxc_conf_keys->{$key};
569 return $validity if defined($validity);
570 return 1 if $key =~ /^lxc\.cgroup\./ # allow all cgroup values
571 || $key =~ /^lxc\.prlimit\./ # allow all prlimits
572 || $key =~ /^lxc\.net\./; # allow custom network definitions
576 our $netconf_desc = {
580 description
=> "Network interface type.",
585 format_description
=> 'string',
586 description
=> 'Name of the network device as seen from inside the container. (lxc.network.name)',
587 pattern
=> '[-_.\w\d]+',
591 format_description
=> 'bridge',
592 description
=> 'Bridge to attach the network device to.',
593 pattern
=> '[-_.\w\d]+',
598 format_description
=> "XX:XX:XX:XX:XX:XX",
599 description
=> 'The interface MAC address. This is dynamically allocated by default, but you can set that statically if needed, for example to always have the same link-local IPv6 address. (lxc.network.hwaddr)',
600 pattern
=> qr/(?:[a-f0-9]{2}:){5}[a-f0-9]{2}/i,
605 description
=> 'Maximum transfer unit of the interface. (lxc.network.mtu)',
606 minimum
=> 64, # minimum ethernet frame is 64 bytes
611 format
=> 'pve-ipv4-config',
612 format_description
=> '(IPv4/CIDR|dhcp|manual)',
613 description
=> 'IPv4 address in CIDR format.',
619 format_description
=> 'GatewayIPv4',
620 description
=> 'Default gateway for IPv4 traffic.',
625 format
=> 'pve-ipv6-config',
626 format_description
=> '(IPv6/CIDR|auto|dhcp|manual)',
627 description
=> 'IPv6 address in CIDR format.',
633 format_description
=> 'GatewayIPv6',
634 description
=> 'Default gateway for IPv6 traffic.',
639 description
=> "Controls whether this interface's firewall rules should be used.",
646 description
=> "VLAN tag for this interface.",
651 pattern
=> qr/\d+(?:;\d+)*/,
652 format_description
=> 'vlanid[;vlanid...]',
653 description
=> "VLAN ids to pass through the interface",
658 format_description
=> 'mbps',
659 description
=> "Apply rate limiting to the interface",
663 PVE
::JSONSchema
::register_format
('pve-lxc-network', $netconf_desc);
665 my $MAX_LXC_NETWORKS = 10;
666 for (my $i = 0; $i < $MAX_LXC_NETWORKS; $i++) {
667 $confdesc->{"net$i"} = {
669 type
=> 'string', format
=> $netconf_desc,
670 description
=> "Specifies network interfaces for the container.",
674 PVE
::JSONSchema
::register_format
('pve-lxc-mp-string', \
&verify_lxc_mp_string
);
675 sub verify_lxc_mp_string
{
676 my ($mp, $noerr) = @_;
680 # /. or /.. at the end
681 # ../ at the beginning
683 if($mp =~ m
@/\.\
.?
/@ ||
686 return undef if $noerr;
687 die "$mp contains illegal character sequences\n";
696 description
=> 'Whether to include the mount point in backups.',
697 verbose_description
=> 'Whether to include the mount point in backups '.
698 '(only used for volume mount points).',
703 format
=> 'pve-lxc-mp-string',
704 format_description
=> 'Path',
705 description
=> 'Path to the mount point as seen from inside the container '.
706 '(must not contain symlinks).',
707 verbose_description
=> "Path to the mount point as seen from inside the container.\n\n".
708 "NOTE: Must not contain any symlinks for security reasons."
711 PVE
::JSONSchema
::register_format
('pve-ct-mountpoint', $mp_desc);
715 type
=> 'string', format
=> 'pve-volume-id',
716 description
=> "Reference to unused volumes. This is used internally, and should not be modified manually.",
719 for (my $i = 0; $i < $MAX_MOUNT_POINTS; $i++) {
720 $confdesc->{"mp$i"} = {
722 type
=> 'string', format
=> $mp_desc,
723 description
=> "Use volume as container mount point.",
728 for (my $i = 0; $i < $MAX_MOUNT_POINTS; $i++) {
729 $confdesc->{"unused$i"} = $unuseddesc;
732 sub parse_pct_config
{
733 my ($filename, $raw) = @_;
735 return undef if !defined($raw);
738 digest
=> Digest
::SHA
::sha1_hex
($raw),
742 $filename =~ m
|/lxc/(\d
+).conf
$|
743 || die "got strange filename '$filename'";
751 my @lines = split(/\n/, $raw);
752 foreach my $line (@lines) {
753 next if $line =~ m/^\s*$/;
755 if ($line =~ m/^\[([a-z][a-z0-9_\-]+)\]\s*$/i) {
757 $conf->{description
} = $descr if $descr;
759 $conf = $res->{snapshots
}->{$section} = {};
763 if ($line =~ m/^\#(.*)\s*$/) {
764 $descr .= PVE
::Tools
::decode_text
($1) . "\n";
768 if ($line =~ m/^(lxc\.[a-z0-9_\-\.]+)(:|\s*=)\s*(.*?)\s*$/) {
771 my $validity = is_valid_lxc_conf_key
($vmid, $key);
772 if ($validity eq 1) {
773 push @{$conf->{lxc
}}, [$key, $value];
774 } elsif (my $errmsg = $validity) {
775 warn "vm $vmid - $key: $errmsg\n";
777 warn "vm $vmid - unable to parse config: $line\n";
779 } elsif ($line =~ m/^(description):\s*(.*\S)\s*$/) {
780 $descr .= PVE
::Tools
::decode_text
($2);
781 } elsif ($line =~ m/snapstate:\s*(prepare|delete)\s*$/) {
782 $conf->{snapstate
} = $1;
783 } elsif ($line =~ m/^([a-z][a-z_]*\d*):\s*(\S.*)\s*$/) {
786 eval { $value = PVE
::LXC
::Config-
>check_type($key, $value); };
787 warn "vm $vmid - unable to parse value of '$key' - $@" if $@;
788 $conf->{$key} = $value;
790 warn "vm $vmid - unable to parse config: $line\n";
794 $conf->{description
} = $descr if $descr;
796 delete $res->{snapstate
}; # just to be sure
801 sub write_pct_config
{
802 my ($filename, $conf) = @_;
804 delete $conf->{snapstate
}; # just to be sure
806 my $volidlist = PVE
::LXC
::Config-
>get_vm_volumes($conf);
807 my $used_volids = {};
808 foreach my $vid (@$volidlist) {
809 $used_volids->{$vid} = 1;
812 # remove 'unusedX' settings if the volume is still used
813 foreach my $key (keys %$conf) {
814 my $value = $conf->{$key};
815 if ($key =~ m/^unused/ && $used_volids->{$value}) {
816 delete $conf->{$key};
820 my $generate_raw_config = sub {
825 # add description as comment to top of file
826 my $descr = $conf->{description
} || '';
827 foreach my $cl (split(/\n/, $descr)) {
828 $raw .= '#' . PVE
::Tools
::encode_text
($cl) . "\n";
831 foreach my $key (sort keys %$conf) {
832 next if $key eq 'digest' || $key eq 'description' ||
833 $key eq 'pending' || $key eq 'snapshots' ||
834 $key eq 'snapname' || $key eq 'lxc';
835 my $value = $conf->{$key};
836 die "detected invalid newline inside property '$key'\n"
838 $raw .= "$key: $value\n";
841 if (my $lxcconf = $conf->{lxc
}) {
842 foreach my $entry (@$lxcconf) {
843 my ($k, $v) = @$entry;
851 my $raw = &$generate_raw_config($conf);
853 foreach my $snapname (sort keys %{$conf->{snapshots
}}) {
854 $raw .= "\n[$snapname]\n";
855 $raw .= &$generate_raw_config($conf->{snapshots
}->{$snapname});
861 sub update_pct_config
{
862 my ($class, $vmid, $conf, $running, $param, $delete) = @_;
871 my $pid = PVE
::LXC
::find_lxc_pid
($vmid);
872 $rootdir = "/proc/$pid/root";
875 my $hotplug_error = sub {
884 if (defined($delete)) {
885 foreach my $opt (@$delete) {
886 if (!exists($conf->{$opt})) {
891 if ($opt eq 'memory' || $opt eq 'rootfs') {
892 die "unable to delete required option '$opt'\n";
893 } elsif ($opt eq 'hostname') {
894 delete $conf->{$opt};
895 } elsif ($opt eq 'swap') {
896 delete $conf->{$opt};
897 PVE
::LXC
::write_cgroup_value
("memory", $vmid,
898 "memory.memsw.limit_in_bytes", -1);
899 } elsif ($opt eq 'description' || $opt eq 'onboot' || $opt eq 'startup') {
900 delete $conf->{$opt};
901 } elsif ($opt eq 'nameserver' || $opt eq 'searchdomain' ||
902 $opt eq 'tty' || $opt eq 'console' || $opt eq 'cmode') {
903 next if $hotplug_error->($opt);
904 delete $conf->{$opt};
905 } elsif ($opt eq 'cores') {
906 delete $conf->{$opt}; # rest is handled by pvestatd
907 } elsif ($opt eq 'cpulimit') {
908 PVE
::LXC
::write_cgroup_value
("cpu", $vmid, "cpu.cfs_quota_us", -1);
909 delete $conf->{$opt};
910 } elsif ($opt eq 'cpuunits') {
911 PVE
::LXC
::write_cgroup_value
("cpu", $vmid, "cpu.shares", $confdesc->{cpuunits
}->{default});
912 delete $conf->{$opt};
913 } elsif ($opt =~ m/^net(\d)$/) {
914 delete $conf->{$opt};
917 PVE
::Network
::veth_delete
("veth${vmid}i$netid");
918 } elsif ($opt eq 'protection') {
919 delete $conf->{$opt};
920 } elsif ($opt =~ m/^unused(\d+)$/) {
921 next if $hotplug_error->($opt);
922 PVE
::LXC
::Config-
>check_protection($conf, "can't remove CT $vmid drive '$opt'");
923 push @deleted_volumes, $conf->{$opt};
924 delete $conf->{$opt};
925 } elsif ($opt =~ m/^mp(\d+)$/) {
926 next if $hotplug_error->($opt);
927 PVE
::LXC
::Config-
>check_protection($conf, "can't remove CT $vmid drive '$opt'");
928 my $mp = PVE
::LXC
::Config-
>parse_ct_mountpoint($conf->{$opt});
929 delete $conf->{$opt};
930 if ($mp->{type
} eq 'volume') {
931 PVE
::LXC
::Config-
>add_unused_volume($conf, $mp->{volume
});
933 } elsif ($opt eq 'unprivileged') {
934 die "unable to delete read-only option: '$opt'\n";
935 } elsif ($opt eq 'features') {
936 next if $hotplug_error->($opt);
937 delete $conf->{$opt};
939 die "implement me (delete: $opt)"
941 PVE
::LXC
::Config-
>write_config($vmid, $conf) if $running;
945 # There's no separate swap size to configure, there's memory and "total"
946 # memory (iow. memory+swap). This means we have to change them together.
947 my $wanted_memory = PVE
::Tools
::extract_param
($param, 'memory');
948 my $wanted_swap = PVE
::Tools
::extract_param
($param, 'swap');
949 if (defined($wanted_memory) || defined($wanted_swap)) {
951 my $old_memory = ($conf->{memory
} || 512);
952 my $old_swap = ($conf->{swap
} || 0);
954 $wanted_memory //= $old_memory;
955 $wanted_swap //= $old_swap;
957 my $total = $wanted_memory + $wanted_swap;
959 my $old_total = $old_memory + $old_swap;
960 if ($total > $old_total) {
961 PVE
::LXC
::write_cgroup_value
("memory", $vmid,
962 "memory.memsw.limit_in_bytes",
963 int($total*1024*1024));
964 PVE
::LXC
::write_cgroup_value
("memory", $vmid,
965 "memory.limit_in_bytes",
966 int($wanted_memory*1024*1024));
968 PVE
::LXC
::write_cgroup_value
("memory", $vmid,
969 "memory.limit_in_bytes",
970 int($wanted_memory*1024*1024));
971 PVE
::LXC
::write_cgroup_value
("memory", $vmid,
972 "memory.memsw.limit_in_bytes",
973 int($total*1024*1024));
976 $conf->{memory
} = $wanted_memory;
977 $conf->{swap
} = $wanted_swap;
979 PVE
::LXC
::Config-
>write_config($vmid, $conf) if $running;
982 my $storecfg = PVE
::Storage
::config
();
984 my $used_volids = {};
985 my $check_content_type = sub {
987 my $sid = PVE
::Storage
::parse_volume_id
($mp->{volume
});
988 my $storage_config = PVE
::Storage
::storage_config
($storecfg, $sid);
989 die "storage '$sid' does not allow content type 'rootdir' (Container)\n"
990 if !$storage_config->{content
}->{rootdir
};
993 my $rescan_volume = sub {
996 $mp->{size
} = PVE
::Storage
::volume_size_info
($storecfg, $mp->{volume
}, 5)
997 if !defined($mp->{size
});
999 warn "Could not rescan volume size - $@\n" if $@;
1002 foreach my $opt (keys %$param) {
1003 my $value = $param->{$opt};
1004 my $check_protection_msg = "can't update CT $vmid drive '$opt'";
1005 if ($opt eq 'hostname' || $opt eq 'arch') {
1006 $conf->{$opt} = $value;
1007 } elsif ($opt eq 'onboot') {
1008 $conf->{$opt} = $value ?
1 : 0;
1009 } elsif ($opt eq 'startup') {
1010 $conf->{$opt} = $value;
1011 } elsif ($opt eq 'tty' || $opt eq 'console' || $opt eq 'cmode') {
1012 next if $hotplug_error->($opt);
1013 $conf->{$opt} = $value;
1014 } elsif ($opt eq 'nameserver') {
1015 next if $hotplug_error->($opt);
1016 my $list = PVE
::LXC
::verify_nameserver_list
($value);
1017 $conf->{$opt} = $list;
1018 } elsif ($opt eq 'searchdomain') {
1019 next if $hotplug_error->($opt);
1020 my $list = PVE
::LXC
::verify_searchdomain_list
($value);
1021 $conf->{$opt} = $list;
1022 } elsif ($opt eq 'cores') {
1023 $conf->{$opt} = $value;# rest is handled by pvestatd
1024 } elsif ($opt eq 'cpulimit') {
1026 PVE
::LXC
::write_cgroup_value
("cpu", $vmid, "cpu.cfs_quota_us", -1);
1028 PVE
::LXC
::write_cgroup_value
("cpu", $vmid, "cpu.cfs_quota_us", int(100000*$value));
1030 $conf->{$opt} = $value;
1031 } elsif ($opt eq 'cpuunits') {
1032 $conf->{$opt} = $value;
1033 PVE
::LXC
::write_cgroup_value
("cpu", $vmid, "cpu.shares", $value);
1034 } elsif ($opt eq 'description') {
1035 $conf->{$opt} = $value;
1036 } elsif ($opt =~ m/^net(\d+)$/) {
1038 my $net = PVE
::LXC
::Config-
>parse_lxc_network($value);
1040 $conf->{$opt} = PVE
::LXC
::Config-
>print_lxc_network($net);
1042 PVE
::LXC
::update_net
($vmid, $conf, $opt, $net, $netid, $rootdir);
1044 } elsif ($opt eq 'protection') {
1045 $conf->{$opt} = $value ?
1 : 0;
1046 } elsif ($opt =~ m/^mp(\d+)$/) {
1047 next if $hotplug_error->($opt);
1048 PVE
::LXC
::Config-
>check_protection($conf, $check_protection_msg);
1049 my $old = $conf->{$opt};
1050 my $mp = PVE
::LXC
::Config-
>parse_ct_mountpoint($value);
1051 if ($mp->{type
} eq 'volume') {
1052 &$check_content_type($mp);
1053 $used_volids->{$mp->{volume
}} = 1;
1054 &$rescan_volume($mp);
1055 $conf->{$opt} = PVE
::LXC
::Config-
>print_ct_mountpoint($mp);
1057 $conf->{$opt} = $value;
1059 if (defined($old)) {
1060 my $mp = PVE
::LXC
::Config-
>parse_ct_mountpoint($old);
1061 if ($mp->{type
} eq 'volume') {
1062 PVE
::LXC
::Config-
>add_unused_volume($conf, $mp->{volume
});
1066 } elsif ($opt eq 'rootfs') {
1067 next if $hotplug_error->($opt);
1068 PVE
::LXC
::Config-
>check_protection($conf, $check_protection_msg);
1069 my $old = $conf->{$opt};
1070 my $mp = PVE
::LXC
::Config-
>parse_ct_rootfs($value);
1071 if ($mp->{type
} eq 'volume') {
1072 &$check_content_type($mp);
1073 $used_volids->{$mp->{volume
}} = 1;
1074 &$rescan_volume($mp);
1075 $conf->{$opt} = PVE
::LXC
::Config-
>print_ct_mountpoint($mp, 1);
1077 $conf->{$opt} = $value;
1079 if (defined($old)) {
1080 my $mp = PVE
::LXC
::Config-
>parse_ct_rootfs($old);
1081 if ($mp->{type
} eq 'volume') {
1082 PVE
::LXC
::Config-
>add_unused_volume($conf, $mp->{volume
});
1086 } elsif ($opt eq 'unprivileged') {
1087 die "unable to modify read-only option: '$opt'\n";
1088 } elsif ($opt eq 'ostype') {
1089 next if $hotplug_error->($opt);
1090 $conf->{$opt} = $value;
1091 } elsif ($opt eq 'features') {
1092 next if $hotplug_error->($opt);
1093 $conf->{$opt} = $value;
1095 die "implement me: $opt";
1098 PVE
::LXC
::Config-
>write_config($vmid, $conf) if $running;
1101 # Apply deletions and creations of new volumes
1102 if (@deleted_volumes) {
1103 my $storage_cfg = PVE
::Storage
::config
();
1104 foreach my $volume (@deleted_volumes) {
1105 next if $used_volids->{$volume}; # could have been re-added, too
1106 # also check for references in snapshots
1107 next if $class->is_volume_in_use($conf, $volume, 1);
1108 PVE
::LXC
::delete_mountpoint_volume
($storage_cfg, $vmid, $volume);
1113 my $storage_cfg = PVE
::Storage
::config
();
1114 PVE
::LXC
::create_disks
($storage_cfg, $vmid, $conf, $conf);
1117 # This should be the last thing we do here
1118 if ($running && scalar(@nohotplug)) {
1119 die "unable to modify " . join(',', @nohotplug) . " while container is running\n";
1124 my ($class, $key, $value) = @_;
1126 die "unknown setting '$key'\n" if !$confdesc->{$key};
1128 my $type = $confdesc->{$key}->{type
};
1130 if (!defined($value)) {
1131 die "got undefined value\n";
1134 if ($value =~ m/[\n\r]/) {
1135 die "property contains a line feed\n";
1138 if ($type eq 'boolean') {
1139 return 1 if ($value eq '1') || ($value =~ m/^(on|yes|true)$/i);
1140 return 0 if ($value eq '0') || ($value =~ m/^(off|no|false)$/i);
1141 die "type check ('boolean') failed - got '$value'\n";
1142 } elsif ($type eq 'integer') {
1143 return int($1) if $value =~ m/^(\d+)$/;
1144 die "type check ('integer') failed - got '$value'\n";
1145 } elsif ($type eq 'number') {
1146 return $value if $value =~ m/^(\d+)(\.\d+)?$/;
1147 die "type check ('number') failed - got '$value'\n";
1148 } elsif ($type eq 'string') {
1149 if (my $fmt = $confdesc->{$key}->{format
}) {
1150 PVE
::JSONSchema
::check_format
($fmt, $value);
1155 die "internal error"
1160 # add JSON properties for create and set function
1161 sub json_config_properties
{
1162 my ($class, $prop) = @_;
1164 foreach my $opt (keys %$confdesc) {
1165 next if $opt eq 'parent' || $opt eq 'snaptime';
1166 next if $prop->{$opt};
1167 $prop->{$opt} = $confdesc->{$opt};
1173 sub __parse_ct_mountpoint_full
{
1174 my ($class, $desc, $data, $noerr) = @_;
1179 eval { $res = PVE
::JSONSchema
::parse_property_string
($desc, $data) };
1181 return undef if $noerr;
1185 if (defined(my $size = $res->{size
})) {
1186 $size = PVE
::JSONSchema
::parse_size
($size);
1187 if (!defined($size)) {
1188 return undef if $noerr;
1189 die "invalid size: $size\n";
1191 $res->{size
} = $size;
1194 $res->{type
} = $class->classify_mountpoint($res->{volume
});
1199 sub parse_ct_rootfs
{
1200 my ($class, $data, $noerr) = @_;
1202 my $res = $class->__parse_ct_mountpoint_full($rootfs_desc, $data, $noerr);
1204 $res->{mp
} = '/' if defined($res);
1209 sub parse_ct_mountpoint
{
1210 my ($class, $data, $noerr) = @_;
1212 return $class->__parse_ct_mountpoint_full($mp_desc, $data, $noerr);
1215 sub print_ct_mountpoint
{
1216 my ($class, $info, $nomp) = @_;
1217 my $skip = [ 'type' ];
1218 push @$skip, 'mp' if $nomp;
1219 return PVE
::JSONSchema
::print_property_string
($info, $mp_desc, $skip);
1222 sub print_lxc_network
{
1223 my ($class, $net) = @_;
1224 return PVE
::JSONSchema
::print_property_string
($net, $netconf_desc);
1227 sub parse_lxc_network
{
1228 my ($class, $data) = @_;
1232 return $res if !$data;
1234 $res = PVE
::JSONSchema
::parse_property_string
($netconf_desc, $data);
1236 $res->{type
} = 'veth';
1237 if (!$res->{hwaddr
}) {
1238 my $dc = PVE
::Cluster
::cfs_read_file
('datacenter.cfg');
1239 $res->{hwaddr
} = PVE
::Tools
::random_ether_addr
($dc->{mac_prefix
});
1245 sub parse_features
{
1246 my ($class, $data) = @_;
1247 return {} if !$data;
1248 return PVE
::JSONSchema
::parse_property_string
($features_desc, $data);
1252 my ($class, $name) = @_;
1254 return defined($confdesc->{$name});
1256 # END JSON config code
1258 sub classify_mountpoint
{
1259 my ($class, $vol) = @_;
1260 if ($vol =~ m!^/!) {
1261 return 'device' if $vol =~ m!^/dev/!;
1267 my $is_volume_in_use = sub {
1268 my ($class, $config, $volid) = @_;
1271 $class->foreach_mountpoint($config, sub {
1272 my ($ms, $mountpoint) = @_;
1274 $used = $mountpoint->{type
} eq 'volume' && $mountpoint->{volume
} eq $volid;
1280 sub is_volume_in_use_by_snapshots
{
1281 my ($class, $config, $volid) = @_;
1283 if (my $snapshots = $config->{snapshots
}) {
1284 foreach my $snap (keys %$snapshots) {
1285 return 1 if $is_volume_in_use->($class, $snapshots->{$snap}, $volid);
1292 sub is_volume_in_use
{
1293 my ($class, $config, $volid, $include_snapshots) = @_;
1294 return 1 if $is_volume_in_use->($class, $config, $volid);
1295 return 1 if $include_snapshots && $class->is_volume_in_use_by_snapshots($config, $volid);
1299 sub has_dev_console
{
1300 my ($class, $conf) = @_;
1302 return !(defined($conf->{console
}) && !$conf->{console
});
1306 my ($class, $conf, $keyname) = @_;
1308 if (my $lxcconf = $conf->{lxc
}) {
1309 foreach my $entry (@$lxcconf) {
1310 my ($key, undef) = @$entry;
1311 return 1 if $key eq $keyname;
1319 my ($class, $conf) = @_;
1321 return $conf->{tty
} // $confdesc->{tty
}->{default};
1325 my ($class, $conf) = @_;
1327 return $conf->{cmode
} // $confdesc->{cmode
}->{default};
1330 sub mountpoint_names
{
1331 my ($class, $reverse) = @_;
1333 my @names = ('rootfs');
1335 for (my $i = 0; $i < $MAX_MOUNT_POINTS; $i++) {
1336 push @names, "mp$i";
1339 return $reverse ?
reverse @names : @names;
1342 sub foreach_mountpoint_full
{
1343 my ($class, $conf, $reverse, $func, @param) = @_;
1345 my $mps = [ grep { defined($conf->{$_}) } $class->mountpoint_names($reverse) ];
1346 foreach my $key (@$mps) {
1347 my $value = $conf->{$key};
1348 my $mountpoint = $key eq 'rootfs' ?
$class->parse_ct_rootfs($value, 1) : $class->parse_ct_mountpoint($value, 1);
1349 next if !defined($mountpoint);
1351 &$func($key, $mountpoint, @param);
1355 sub foreach_mountpoint
{
1356 my ($class, $conf, $func, @param) = @_;
1358 $class->foreach_mountpoint_full($conf, 0, $func, @param);
1361 sub foreach_mountpoint_reverse
{
1362 my ($class, $conf, $func, @param) = @_;
1364 $class->foreach_mountpoint_full($conf, 1, $func, @param);
1367 sub get_vm_volumes
{
1368 my ($class, $conf, $excludes) = @_;
1372 $class->foreach_mountpoint($conf, sub {
1373 my ($ms, $mountpoint) = @_;
1375 return if $excludes && $ms eq $excludes;
1377 my $volid = $mountpoint->{volume
};
1378 return if !$volid || $mountpoint->{type
} ne 'volume';
1380 my ($sid, $volname) = PVE
::Storage
::parse_volume_id
($volid, 1);
1383 push @$vollist, $volid;
1389 sub get_replicatable_volumes
{
1390 my ($class, $storecfg, $vmid, $conf, $cleanup, $noerr) = @_;
1394 my $test_volid = sub {
1395 my ($volid, $mountpoint) = @_;
1399 my $mptype = $mountpoint->{type
};
1400 my $replicate = $mountpoint->{replicate
} // 1;
1402 if ($mptype ne 'volume') {
1403 # skip bindmounts if replicate = 0 even for cleanup,
1404 # since bind mounts could not have been replicated ever
1405 return if !$replicate;
1406 die "unable to replicate mountpoint type '$mptype'\n";
1409 my ($storeid, $volname) = PVE
::Storage
::parse_volume_id
($volid, $noerr);
1410 return if !$storeid;
1412 my $scfg = PVE
::Storage
::storage_config
($storecfg, $storeid);
1413 return if $scfg->{shared
};
1415 my ($path, $owner, $vtype) = PVE
::Storage
::path
($storecfg, $volid);
1416 return if !$owner || ($owner != $vmid);
1418 die "unable to replicate volume '$volid', type '$vtype'\n" if $vtype ne 'images';
1420 return if !$cleanup && !$replicate;
1422 if (!PVE
::Storage
::volume_has_feature
($storecfg, 'replicate', $volid)) {
1423 return if $cleanup || $noerr;
1424 die "missing replicate feature on volume '$volid'\n";
1427 $volhash->{$volid} = 1;
1430 $class->foreach_mountpoint($conf, sub {
1431 my ($ms, $mountpoint) = @_;
1432 $test_volid->($mountpoint->{volume
}, $mountpoint);
1435 foreach my $snapname (keys %{$conf->{snapshots
}}) {
1436 my $snap = $conf->{snapshots
}->{$snapname};
1437 $class->foreach_mountpoint($snap, sub {
1438 my ($ms, $mountpoint) = @_;
1439 $test_volid->($mountpoint->{volume
}, $mountpoint);
1443 # add 'unusedX' volumes to volhash
1444 foreach my $key (keys %$conf) {
1445 if ($key =~ m/^unused/) {
1446 $test_volid->($conf->{$key}, { type
=> 'volume', replicate
=> 1 });