use strict;
use warnings;
-use POSIX qw(strftime);
-use IO::File;
+use Fcntl qw(F_GETFD F_SETFD FD_CLOEXEC);
use HTTP::Request;
-use LWP::UserAgent;
+use IO::File;
use JSON;
-use Data::Dumper; # fixme: remove
+use LWP::UserAgent;
+use POSIX qw(strftime ENOENT);
use PVE::Tools qw(run_command file_read_firstline trim dir_glob_regex dir_glob_foreach);
use PVE::Storage::Plugin;
},
# openssl s_client -connect <host>:8007 2>&1 |openssl x509 -fingerprint -sha256
fingerprint => get_standard_option('fingerprint-sha256'),
+ 'encryption-key' => {
+ description => "Encryption key. Use 'autogen' to generate one automatically without passphrase.",
+ type => 'string',
+ },
};
}
disable => { optional => 1},
content => { optional => 1},
username => { optional => 1 },
- password => { optional => 1},
+ password => { optional => 1 },
+ 'encryption-key' => { optional => 1 },
maxfiles => { optional => 1 },
fingerprint => { optional => 1 },
};
sub pbs_password_file_name {
my ($scfg, $storeid) = @_;
- return "/etc/pve/priv/${storeid}.pw";
+ return "/etc/pve/priv/storage/${storeid}.pw";
}
sub pbs_set_password {
my ($scfg, $storeid, $password) = @_;
my $pwfile = pbs_password_file_name($scfg, $storeid);
+ mkdir "/etc/pve/priv/storage";
PVE::Tools::file_set_contents($pwfile, "$password\n");
}
return PVE::Tools::file_read_firstline($pwfile);
}
+sub pbs_encryption_key_file_name {
+ my ($scfg, $storeid) = @_;
-sub run_raw_client_cmd {
- my ($scfg, $storeid, $client_cmd, $param, %opts) = @_;
+ return "/etc/pve/priv/storage/${storeid}.enc";
+}
+
+sub pbs_set_encryption_key {
+ my ($scfg, $storeid, $key) = @_;
+
+ my $pwfile = pbs_encryption_key_file_name($scfg, $storeid);
+ mkdir "/etc/pve/priv/storage";
+
+ PVE::Tools::file_set_contents($pwfile, "$key\n");
+}
+
+sub pbs_delete_encryption_key {
+ my ($scfg, $storeid) = @_;
+
+ my $pwfile = pbs_encryption_key_file_name($scfg, $storeid);
+
+ unlink $pwfile;
+}
+
+sub pbs_get_encryption_key {
+ my ($scfg, $storeid) = @_;
+
+ my $pwfile = pbs_encryption_key_file_name($scfg, $storeid);
+
+ return PVE::Tools::file_get_contents($pwfile);
+}
+
+# Returns a file handle if there is an encryption key, or `undef` if there is not. Dies on error.
+sub pbs_open_encryption_key {
+ my ($scfg, $storeid) = @_;
+
+ my $encryption_key_file = pbs_encryption_key_file_name($scfg, $storeid);
+
+ my $keyfd;
+ if (!open($keyfd, '<', $encryption_key_file)) {
+ return undef if $! == ENOENT;
+ die "failed to open encryption key: $encryption_key_file: $!\n";
+ }
+
+ return $keyfd;
+}
+
+sub print_volid {
+ my ($storeid, $btype, $bid, $btime) = @_;
+
+ my $time_str = strftime("%FT%TZ", gmtime($btime));
+ my $volname = "backup/${btype}/${bid}/${time_str}";
+
+ return "${storeid}:${volname}";
+}
+
+my sub do_raw_client_cmd {
+ my ($scfg, $storeid, $client_cmd, $param, $can_encrypt, %opts) = @_;
+
+ my $client_exe = '/usr/bin/proxmox-backup-client';
+ die "executable not found '$client_exe'! Proxmox backup client not installed?\n"
+ if ! -x $client_exe;
my $server = $scfg->{server};
my $datastore = $scfg->{datastore};
push @$cmd, @$userns_cmd if defined($userns_cmd);
- push @$cmd, "/usr/bin/proxmox-backup-client", $client_cmd;
+ push @$cmd, $client_exe, $client_cmd;
+
+ # This must live in the top scope to not get closed before the `run_command`
+ my $keyfd;
+ if ($can_encrypt) {
+ if (defined($keyfd = pbs_open_encryption_key($scfg, $storeid))) {
+ my $flags = fcntl($keyfd, F_GETFD, 0)
+ // die "failed to get file descriptor flags: $!\n";
+ fcntl($keyfd, F_SETFD, $flags & ~FD_CLOEXEC)
+ or die "failed to remove FD_CLOEXEC from encryption key file descriptor\n";
+ push @$cmd, '--crypt-mode=encrypt', '--keyfd='.fileno($keyfd);
+ } else {
+ push @$cmd, '--crypt-mode=none';
+ }
+ }
push @$cmd, @$param if defined($param);
local $ENV{PBS_FINGERPRINT} = $scfg->{fingerprint};
+ # no ascii-art on task logs
+ local $ENV{PROXMOX_OUTPUT_NO_BORDER} = 1;
+ local $ENV{PROXMOX_OUTPUT_NO_HEADER} = 1;
+
if (my $logfunc = $opts{logfunc}) {
- $logfunc->("run bps command: " . join(' ', @$cmd));
+ $logfunc->("run: " . join(' ', @$cmd));
}
run_command($cmd, %opts);
}
+# FIXME: External perl code should NOT have access to this.
+#
+# There should be separate functions to
+# - make backups
+# - restore backups
+# - restore files
+# with a sane API
+sub run_raw_client_cmd{
+ my ($scfg, $storeid, $client_cmd, $param, %opts) = @_;
+ return do_raw_client_cmd($scfg, $storeid, $client_cmd, $param, 1, %opts);
+}
+
sub run_client_cmd {
my ($scfg, $storeid, $client_cmd, $param, $no_output) = @_;
$param = [@$param, '--output-format=json'] if !$no_output;
- run_raw_client_cmd($scfg, $storeid, $client_cmd, $param,
- outfunc => $outfunc, errmsg => 'proxmox-backup-client failed');
+ do_raw_client_cmd($scfg, $storeid, $client_cmd, $param, 0,
+ outfunc => $outfunc, errmsg => 'proxmox-backup-client failed');
return undef if $no_output;
die "unable to extract configuration for backup format '$format'\n";
}
- run_raw_client_cmd(undef, $scfg, $storeid, 'restore', [ $name, $config_name, '-' ],
- outfunc => $outfunc, errmsg => 'proxmox-backup-client failed');
+ do_raw_client_cmd($scfg, $storeid, 'restore', [ $name, $config_name, '-' ], 0,
+ outfunc => $outfunc, errmsg => 'proxmox-backup-client failed');
return $config;
}
+my $autogen_encryption_key = sub {
+ my ($scfg, $storeid) = @_;
+ my $encfile = pbs_encryption_key_file_name($scfg, $storeid);
+ run_command(['proxmox-backup-client', 'key', 'create', '--kdf', 'none', $encfile]);
+};
+
sub on_add_hook {
my ($class, $storeid, $scfg, %param) = @_;
- if (my $password = $param{password}) {
+ if (defined(my $password = $param{password})) {
pbs_set_password($scfg, $storeid, $password);
+ } else {
+ pbs_delete_password($scfg, $storeid);
+ }
+
+ if (defined(my $encryption_key = $param{'encryption-key'})) {
+ if ($encryption_key eq 'autogen') {
+ $autogen_encryption_key->($scfg, $storeid);
+ } else {
+ pbs_set_encryption_key($scfg, $storeid, $encryption_key);
+ }
+ } else {
+ pbs_delete_encryption_key($scfg, $storeid);
+ }
+}
+
+sub on_update_hook {
+ my ($class, $storeid, $scfg, %param) = @_;
+
+ if (exists($param{password})) {
+ if (defined($param{password})) {
+ pbs_set_password($scfg, $storeid, $param{password});
+ } else {
+ pbs_delete_password($scfg, $storeid);
+ }
+ }
+
+ if (exists($param{'encryption-key'})) {
+ if (defined(my $encryption_key = delete($param{'encryption-key'}))) {
+ if ($encryption_key eq 'autogen') {
+ $autogen_encryption_key->($scfg, $storeid);
+ } else {
+ pbs_set_encryption_key($scfg, $storeid, $encryption_key);
+ }
+ } else {
+ pbs_delete_encryption_key($scfg, $storeid);
+ }
}
}
my ($class, $storeid, $scfg) = @_;
pbs_delete_password($scfg, $storeid);
+ pbs_delete_encryption_key($scfg, $storeid);
}
sub parse_volname {
foreach my $item (@$data) {
my $btype = $item->{"backup-type"};
my $bid = $item->{"backup-id"};
- my $btime = $item->{"backup-time"};
+ my $epoch = $item->{"backup-time"};
my $size = $item->{size} // 1;
next if !($btype eq 'vm' || $btype eq 'ct');
next if $bid !~ m/^\d+$/;
+ next if defined($vmid) && $bid ne $vmid;
- $btime = strftime("%FT%TZ", gmtime($btime));
- my $volname = "backup/${btype}/${bid}/${btime}";
-
- my $volid = "$storeid:$volname";
+ my $volid = print_volid($storeid, $btype, $bid, $epoch);
- my $info = { volid => $volid , format => "pbs-$btype", size => $size, content => 'backup', vmid => int($bid) };
+ my $info = {
+ volid => $volid,
+ format => "pbs-$btype",
+ size => $size,
+ content => 'backup',
+ vmid => int($bid),
+ ctime => $epoch,
+ };
push @$res, $info;
}
sub activate_storage {
my ($class, $storeid, $scfg, $cache) = @_;
+
+ run_client_cmd($scfg, $storeid, "status");
+
return 1;
}