use warnings;
use Fcntl qw(F_GETFD F_SETFD FD_CLOEXEC);
-use HTTP::Request;
use IO::File;
use JSON;
-use LWP::UserAgent;
-use POSIX qw(strftime ENOENT);
+use MIME::Base64 qw(decode_base64);
+use POSIX qw(mktime strftime ENOENT);
+use POSIX::strptime;
+use PVE::APIClient::LWP;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Network;
+use PVE::PBSClient;
use PVE::Storage::Plugin;
use PVE::Tools qw(run_command file_read_firstline trim dir_glob_regex dir_glob_foreach $IPV6RE);
description => "Encryption key. Use 'autogen' to generate one automatically without passphrase.",
type => 'string',
},
+ 'master-pubkey' => {
+ description => "Base64-encoded, PEM-formatted public RSA key. Used to encrypt a copy of the encryption-key which will be added to each encrypted backup.",
+ type => 'string',
+ },
port => {
description => "For non default port.",
type => 'integer',
minimum => 1,
maximum => 65535,
default => 8007,
- }
+ },
};
}
return {
server => { fixed => 1 },
datastore => { fixed => 1 },
+ namespace => { optional => 1 },
port => { optional => 1 },
nodes => { optional => 1},
disable => { optional => 1},
username => { optional => 1 },
password => { optional => 1 },
'encryption-key' => { optional => 1 },
+ 'master-pubkey' => { optional => 1 },
maxfiles => { optional => 1 },
'prune-backups' => { optional => 1 },
+ 'max-protected-backups' => { optional => 1 },
fingerprint => { optional => 1 },
};
}
my $keyfd;
if (!open($keyfd, '<', $encryption_key_file)) {
- return undef if $! == ENOENT;
+ if ($! == ENOENT) {
+ my $encryption_fp = $scfg->{'encryption-key'};
+ die "encryption configured ('$encryption_fp') but no encryption key file found!\n"
+ if $encryption_fp;
+ return undef;
+ }
die "failed to open encryption key: $encryption_key_file: $!\n";
}
return $keyfd;
}
+sub pbs_master_pubkey_file_name {
+ my ($scfg, $storeid) = @_;
+
+ return "/etc/pve/priv/storage/${storeid}.master.pem";
+}
+
+sub pbs_set_master_pubkey {
+ my ($scfg, $storeid, $key) = @_;
+
+ my $pwfile = pbs_master_pubkey_file_name($scfg, $storeid);
+ mkdir "/etc/pve/priv/storage";
+
+ PVE::Tools::file_set_contents($pwfile, "$key\n");
+}
+
+sub pbs_delete_master_pubkey {
+ my ($scfg, $storeid) = @_;
+
+ my $pwfile = pbs_master_pubkey_file_name($scfg, $storeid);
+
+ if (!unlink $pwfile) {
+ return if $! == ENOENT;
+ die "failed to delete master public key! $!\n";
+ }
+ delete $scfg->{'master-pubkey'};
+}
+
+sub pbs_get_master_pubkey {
+ my ($scfg, $storeid) = @_;
+
+ my $pwfile = pbs_master_pubkey_file_name($scfg, $storeid);
+
+ return PVE::Tools::file_get_contents($pwfile);
+}
+
+# Returns a file handle if there is a master key, or `undef` if there is not. Dies on error.
+sub pbs_open_master_pubkey {
+ my ($scfg, $storeid) = @_;
+
+ my $master_pubkey_file = pbs_master_pubkey_file_name($scfg, $storeid);
+
+ my $keyfd;
+ if (!open($keyfd, '<', $master_pubkey_file)) {
+ if ($! == ENOENT) {
+ die "master public key configured but no key file found!\n"
+ if $scfg->{'master-pubkey'};
+ return undef;
+ }
+ die "failed to open master public key: $master_pubkey_file: $!\n";
+ }
+
+ return $keyfd;
+}
+
sub print_volid {
my ($storeid, $btype, $bid, $btime) = @_;
return "${storeid}:${volname}";
}
-my sub get_server_with_port {
- my ($scfg) = @_;
+my sub ns : prototype($$) {
+ my ($scfg, $name) = @_;
+ my $ns = $scfg->{namespace};
+ return defined($ns) ? ($name, $ns) : ();
+}
+
+# essentially the inverse of print_volid
+my sub api_param_from_volname : prototype($$$) {
+ my ($class, $scfg, $volname) = @_;
+
+ my $name = ($class->parse_volname($volname))[1];
+
+ my ($btype, $bid, $timestr) = split('/', $name);
+
+ my @tm = (POSIX::strptime($timestr, "%FT%TZ"));
+ # expect sec, min, hour, mday, mon, year
+ die "error parsing time from '$volname'" if grep { !defined($_) } @tm[0..5];
- my $server = $scfg->{server};
- $server = "[$server]" if $server =~ /^$IPV6RE$/;
+ my $btime;
+ {
+ local $ENV{TZ} = 'UTC'; # $timestr is UTC
- if (my $port = $scfg->{port}) {
- $server .= ":$port" if $port != 8007;
+ # Fill in isdst to avoid undef warning. No daylight saving time for UTC.
+ $tm[8] //= 0;
+
+ my $since_epoch = mktime(@tm) or die "error converting time from '$volname'\n";
+ $btime = int($since_epoch);
}
- return $server;
+
+ return {
+ (ns($scfg, 'ns')),
+ 'backup-type' => $btype,
+ 'backup-id' => $bid,
+ 'backup-time' => $btime,
+ };
}
my $USE_CRYPT_PARAMS = {
'upload-log' => 1,
};
+my $USE_MASTER_KEY = {
+ backup => 1,
+};
+
my sub do_raw_client_cmd {
my ($scfg, $storeid, $client_cmd, $param, %opts) = @_;
my $use_crypto = $USE_CRYPT_PARAMS->{$client_cmd};
+ my $use_master = $USE_MASTER_KEY->{$client_cmd};
my $client_exe = '/usr/bin/proxmox-backup-client';
die "executable not found '$client_exe'! Proxmox backup client not installed?\n"
if ! -x $client_exe;
- my $server = get_server_with_port($scfg);
- my $datastore = $scfg->{datastore};
- my $username = $scfg->{username} // 'root@pam';
+ my $repo = PVE::PBSClient::get_repository($scfg);
my $userns_cmd = delete $opts{userns_cmd};
push @$cmd, $client_exe, $client_cmd;
# This must live in the top scope to not get closed before the `run_command`
- my $keyfd;
+ my ($keyfd, $master_fd);
if ($use_crypto) {
if (defined($keyfd = pbs_open_encryption_key($scfg, $storeid))) {
my $flags = fcntl($keyfd, F_GETFD, 0)
fcntl($keyfd, F_SETFD, $flags & ~FD_CLOEXEC)
or die "failed to remove FD_CLOEXEC from encryption key file descriptor\n";
push @$cmd, '--crypt-mode=encrypt', '--keyfd='.fileno($keyfd);
+ if ($use_master && defined($master_fd = pbs_open_master_pubkey($scfg, $storeid))) {
+ my $flags = fcntl($master_fd, F_GETFD, 0)
+ // die "failed to get file descriptor flags: $!\n";
+ fcntl($master_fd, F_SETFD, $flags & ~FD_CLOEXEC)
+ or die "failed to remove FD_CLOEXEC from master public key file descriptor\n";
+ push @$cmd, '--master-pubkey-fd='.fileno($master_fd);
+ }
} else {
push @$cmd, '--crypt-mode=none';
}
push @$cmd, @$param if defined($param);
- push @$cmd, "--repository", "$username\@$server:$datastore";
+ push @$cmd, "--repository", $repo;
+ if ($client_cmd ne 'status' && defined(my $ns = $scfg->{namespace})) {
+ push @$cmd, '--ns', $ns;
+ }
local $ENV{PBS_PASSWORD} = pbs_get_password($scfg, $storeid);
}
my @param;
- foreach my $opt (keys %{$keep}) {
- push @param, "--$opt";
- push @param, "$keep->{$opt}";
+
+ my $keep_all = delete $keep->{'keep-all'};
+
+ if (!$keep_all) {
+ foreach my $opt (keys %{$keep}) {
+ next if $keep->{$opt} == 0;
+ push @param, "--$opt";
+ push @param, "$keep->{$opt}";
+ }
+ } else { # no need to pass anything to PBS
+ $keep = { 'keep-all' => 1 };
}
push @param, '--dry-run' if $dryrun;
my $vmid = $backup->{'backup-id'};
my $volid = print_volid($storeid, $type, $vmid, $ctime);
+ my $mark = $backup->{keep} ? 'keep' : 'remove';
+ $mark = 'protected' if $backup->{protected};
+
push @{$prune_list}, {
ctime => $ctime,
- mark => $backup->{keep} ? 'keep' : 'remove',
+ mark => $mark,
type => $type eq 'vm' ? 'qemu' : 'lxc',
vmid => $vmid,
volid => $volid,
my $autogen_encryption_key = sub {
my ($scfg, $storeid) = @_;
my $encfile = pbs_encryption_key_file_name($scfg, $storeid);
+ if (-f $encfile) {
+ rename $encfile, "$encfile.old";
+ }
my $cmd = ['proxmox-backup-client', 'key', 'create', '--kdf', 'none', $encfile];
run_command($cmd, errmsg => 'failed to create encryption key');
return PVE::Tools::file_get_contents($encfile);
}
if (defined(my $encryption_key = $param{'encryption-key'})) {
+ my $decoded_key;
if ($encryption_key eq 'autogen') {
$res->{'encryption-key'} = $autogen_encryption_key->($scfg, $storeid);
+ $decoded_key = decode_json($res->{'encryption-key'});
} else {
+ $decoded_key = eval { decode_json($encryption_key) };
+ if ($@ || !exists($decoded_key->{data})) {
+ die "Value does not seems like a valid, JSON formatted encryption key!\n";
+ }
pbs_set_encryption_key($scfg, $storeid, $encryption_key);
$res->{'encryption-key'} = $encryption_key;
}
- $scfg->{'encryption-key'} = 1;
+ $scfg->{'encryption-key'} = $decoded_key->{fingerprint} || 1;
} else {
pbs_delete_encryption_key($scfg, $storeid);
}
+ if (defined(my $master_key = delete $param{'master-pubkey'})) {
+ die "'master-pubkey' can only be used together with 'encryption-key'\n"
+ if !defined($scfg->{'encryption-key'});
+
+ my $decoded = decode_base64($master_key);
+ pbs_set_master_pubkey($scfg, $storeid, $decoded);
+ $scfg->{'master-pubkey'} = 1;
+ } else {
+ pbs_delete_master_pubkey($scfg, $storeid);
+ }
+
return $res;
}
if (exists($param{'encryption-key'})) {
if (defined(my $encryption_key = delete($param{'encryption-key'}))) {
+ my $decoded_key;
if ($encryption_key eq 'autogen') {
$res->{'encryption-key'} = $autogen_encryption_key->($scfg, $storeid);
+ $decoded_key = decode_json($res->{'encryption-key'});
} else {
+ $decoded_key = eval { decode_json($encryption_key) };
+ if ($@ || !exists($decoded_key->{data})) {
+ die "Value does not seems like a valid, JSON formatted encryption key!\n";
+ }
pbs_set_encryption_key($scfg, $storeid, $encryption_key);
$res->{'encryption-key'} = $encryption_key;
}
- $scfg->{'encryption-key'} = 1;
+ $scfg->{'encryption-key'} = $decoded_key->{fingerprint} || 1;
} else {
pbs_delete_encryption_key($scfg, $storeid);
+ delete $scfg->{'encryption-key'};
+ }
+ }
+
+ if (exists($param{'master-pubkey'})) {
+ if (defined(my $master_key = delete($param{'master-pubkey'}))) {
+ my $decoded = decode_base64($master_key);
+
+ pbs_set_master_pubkey($scfg, $storeid, $decoded);
+ $scfg->{'master-pubkey'} = 1;
+ } else {
+ pbs_delete_master_pubkey($scfg, $storeid);
}
}
pbs_delete_password($scfg, $storeid);
pbs_delete_encryption_key($scfg, $storeid);
+ pbs_delete_master_pubkey($scfg, $storeid);
+
+ return;
}
sub parse_volname {
my ($vtype, $name, $vmid) = $class->parse_volname($volname);
- my $server = get_server_with_port($scfg);
- my $datastore = $scfg->{datastore};
- my $username = $scfg->{username} // 'root@pam';
+ my $repo = PVE::PBSClient::get_repository($scfg);
- # artifical url - we currently do not use that anywhere
- my $path = "pbs://$username\@$server:$datastore/$name";
+ # artificial url - we currently do not use that anywhere
+ my $path = "pbs://$repo/$name";
+ if (defined(my $ns = $scfg->{namespace})) {
+ $ns =~ s|/|%2f|g; # other characters to escape aren't allowed in the namespace schema
+ $path .= "?ns=$ns";
+ }
return ($path, $vmid, $vtype);
}
my ($vtype, $name, $vmid) = $class->parse_volname($volname);
run_client_cmd($scfg, $storeid, "forget", [ $name ], 1);
+
+ return;
}
return $res;
}
+my sub snapshot_files_encrypted {
+ my ($files) = @_;
+ return 0 if !$files;
+
+ my $any;
+ my $all = 1;
+ for my $file (@$files) {
+ my $fn = $file->{filename};
+ next if $fn eq 'client.log.blob' || $fn eq 'index.json.blob';
+
+ my $crypt = $file->{'crypt-mode'};
+
+ $all = 0 if !$crypt || $crypt ne 'encrypt';
+ $any ||= defined($crypt) && $crypt eq 'encrypt';
+ }
+ return $any && $all;
+}
+
+# TODO: use a client with native rust/proxmox-backup bindings to profit from
+# API schema checks and types
+my sub pbs_api_connect {
+ my ($scfg, $password) = @_;
+
+ my $params = {};
+
+ my $user = $scfg->{username} // 'root@pam';
+
+ if (my $tokenid = PVE::AccessControl::pve_verify_tokenid($user, 1)) {
+ $params->{apitoken} = "PBSAPIToken=${tokenid}:${password}";
+ } else {
+ $params->{password} = $password;
+ $params->{username} = $user;
+ }
+
+ if (my $fp = $scfg->{fingerprint}) {
+ $params->{cached_fingerprints}->{uc($fp)} = 1;
+ }
+
+ my $conn = PVE::APIClient::LWP->new(
+ %$params,
+ host => $scfg->{server},
+ port => $scfg->{port} // 8007,
+ timeout => 7, # cope with a 401 (3s api delay) and high latency
+ cookie_name => 'PBSAuthCookie',
+ );
+
+ return $conn;
+}
+
sub list_volumes {
my ($class, $storeid, $scfg, $vmid, $content_types) = @_;
return $res if !grep { $_ eq 'backup' } @$content_types;
- my $data = run_client_cmd($scfg, $storeid, "snapshots");
+ my $password = pbs_get_password($scfg, $storeid);
+ my $conn = pbs_api_connect($scfg, $password);
+ my $datastore = $scfg->{datastore};
+
+ my $param = {};
+ $param->{'backup-id'} = "$vmid" if defined($vmid);
+ $param->{'ns'} = "$scfg->{namespace}" if defined($scfg->{namespace});
+ my $data = eval { $conn->get("/api2/json/admin/datastore/$datastore/snapshots", $param); };
+ die "error listing snapshots - $@" if $@;
foreach my $item (@$data) {
my $btype = $item->{"backup-type"};
content => 'backup',
vmid => int($bid),
ctime => $epoch,
+ subtype => $btype eq 'vm' ? 'qemu' : 'lxc', # convert to PVE backup type
};
$info->{verification} = $item->{verification} if defined($item->{verification});
- $info->{comment} = $item->{comment} if defined($item->{comment});
+ $info->{notes} = $item->{comment} if defined($item->{comment});
+ $info->{protected} = 1 if $item->{protected};
+ if (defined($item->{fingerprint})) {
+ $info->{encrypted} = $item->{fingerprint};
+ } elsif (snapshot_files_encrypted($item->{files})) {
+ $info->{encrypted} = '1';
+ }
push @$res, $info;
}
return ($total, $free, $used, $active);
}
+# can also be used for not (yet) added storages, pass $scfg with
+# {
+# server
+# user
+# port (optional default to 8007)
+# fingerprint (optional for trusted certs)
+# }
+sub scan_datastores {
+ my ($scfg, $password) = @_;
+
+ my $conn = pbs_api_connect($scfg, $password);
+
+ my $response = eval { $conn->get('/api2/json/admin/datastore', {}) };
+ die "error fetching datastores - $@" if $@;
+
+ return $response;
+}
+
sub activate_storage {
my ($class, $storeid, $scfg, $cache) = @_;
- # a 'status' client command is to expensive here
- # TODO: use a dummy ping API call to ensure the PBS API daemon is available for real
- my $server = $scfg->{server};
- my $port = $scfg->{port} // 8007;
- PVE::Network::tcp_ping($server, $port, 2);
+ my $password = pbs_get_password($scfg, $storeid);
- return 1;
+ my $datastores = eval { scan_datastores($scfg, $password) };
+ die "$storeid: $@" if $@;
+
+ my $datastore = $scfg->{datastore};
+
+ for my $ds (@$datastores) {
+ if ($ds->{store} eq $datastore) {
+ return 1;
+ }
+ }
+
+ die "$storeid: Cannot find datastore '$datastore', check permissions and existence!\n";
}
sub deactivate_storage {
return 1;
}
+# FIXME remove on the next APIAGE reset.
+# Deprecated, use get_volume_attribute instead.
+sub get_volume_notes {
+ my ($class, $scfg, $storeid, $volname, $timeout) = @_;
+
+ my (undef, $name, undef, undef, undef, undef, $format) = $class->parse_volname($volname);
+
+ my $data = run_client_cmd($scfg, $storeid, "snapshot", [ "notes", "show", $name ]);
+
+ return $data->{notes};
+}
+
+# FIXME remove on the next APIAGE reset.
+# Deprecated, use update_volume_attribute instead.
+sub update_volume_notes {
+ my ($class, $scfg, $storeid, $volname, $notes, $timeout) = @_;
+
+ my (undef, $name, undef, undef, undef, undef, $format) = $class->parse_volname($volname);
+
+ run_client_cmd($scfg, $storeid, "snapshot", [ "notes", "update", $name, $notes ], 1);
+
+ return undef;
+}
+
+sub get_volume_attribute {
+ my ($class, $scfg, $storeid, $volname, $attribute) = @_;
+
+ if ($attribute eq 'notes') {
+ return $class->get_volume_notes($scfg, $storeid, $volname);
+ }
+
+ if ($attribute eq 'protected') {
+ my $param = api_param_from_volname($class, $scfg, $volname);
+
+ my $password = pbs_get_password($scfg, $storeid);
+ my $conn = pbs_api_connect($scfg, $password);
+ my $datastore = $scfg->{datastore};
+
+ my $res = eval { $conn->get("/api2/json/admin/datastore/$datastore/$attribute", $param); };
+ if (my $err = $@) {
+ return if $err->{code} == 404; # not supported
+ die $err;
+ }
+ return $res;
+ }
+
+ return;
+}
+
+sub update_volume_attribute {
+ my ($class, $scfg, $storeid, $volname, $attribute, $value) = @_;
+
+ if ($attribute eq 'notes') {
+ return $class->update_volume_notes($scfg, $storeid, $volname, $value);
+ }
+
+ if ($attribute eq 'protected') {
+ my $param = api_param_from_volname($class, $scfg, $volname);
+ $param->{$attribute} = $value;
+
+ my $password = pbs_get_password($scfg, $storeid);
+ my $conn = pbs_api_connect($scfg, $password);
+ my $datastore = $scfg->{datastore};
+
+ eval { $conn->put("/api2/json/admin/datastore/$datastore/$attribute", $param); };
+ if (my $err = $@) {
+ die "Server is not recent enough to support feature '$attribute'\n"
+ if $err->{code} == 404;
+ die $err;
+ }
+ return;
+ }
+
+ die "attribute '$attribute' is not supported for storage type '$scfg->{type}'\n";
+}
+
sub volume_size_info {
my ($class, $scfg, $storeid, $volname, $timeout) = @_;
my $size = 0;
foreach my $info (@$data) {
- $size += $info->{size} if $info->{size};
+ if ($info->{size} && $info->{size} =~ /^(\d+)$/) { # untaints
+ $size += $1;
+ }
}
my $used = $size;
projects / pve-storage.git / blobdiff