use strict;
use warnings;
+
use Fcntl qw(F_GETFD F_SETFD FD_CLOEXEC);
-use HTTP::Request;
use IO::File;
use JSON;
-use LWP::UserAgent;
use POSIX qw(strftime ENOENT);
-use PVE::Tools qw(run_command file_read_firstline trim dir_glob_regex dir_glob_foreach);
-use PVE::Storage::Plugin;
+use PVE::APIClient::LWP;
use PVE::JSONSchema qw(get_standard_option);
+use PVE::Network;
+use PVE::Storage::Plugin;
+use PVE::Tools qw(run_command file_read_firstline trim dir_glob_regex dir_glob_foreach $IPV6RE);
use base qw(PVE::Storage::Plugin);
sub properties {
return {
datastore => {
- description => "Proxmox backup server datastore name.",
+ description => "Proxmox Backup Server datastore name.",
type => 'string',
},
# openssl s_client -connect <host>:8007 2>&1 |openssl x509 -fingerprint -sha256
description => "Encryption key. Use 'autogen' to generate one automatically without passphrase.",
type => 'string',
},
+ port => {
+ description => "For non default port.",
+ type => 'integer',
+ minimum => 1,
+ maximum => 65535,
+ default => 8007,
+ },
};
}
return {
server => { fixed => 1 },
datastore => { fixed => 1 },
+ port => { optional => 1 },
nodes => { optional => 1},
disable => { optional => 1},
content => { optional => 1},
my $pwfile = pbs_encryption_key_file_name($scfg, $storeid);
- unlink $pwfile;
+ if (!unlink $pwfile) {
+ return if $! == ENOENT;
+ die "failed to delete encryption key! $!\n";
+ }
delete $scfg->{'encryption-key'};
}
return "${storeid}:${volname}";
}
+my sub get_server_with_port {
+ my ($scfg) = @_;
+
+ my $server = $scfg->{server};
+ $server = "[$server]" if $server =~ /^$IPV6RE$/;
+
+ if (my $port = $scfg->{port}) {
+ $server .= ":$port" if $port != 8007;
+ }
+ return $server;
+}
+
my $USE_CRYPT_PARAMS = {
backup => 1,
restore => 1,
die "executable not found '$client_exe'! Proxmox backup client not installed?\n"
if ! -x $client_exe;
- my $server = $scfg->{server};
+ my $server = get_server_with_port($scfg);
my $datastore = $scfg->{datastore};
my $username = $scfg->{username} // 'root@pam';
}
my @param;
- foreach my $opt (keys %{$keep}) {
- push @param, "--$opt";
- push @param, "$keep->{$opt}";
+
+ my $keep_all = delete $keep->{'keep-all'};
+
+ if (!$keep_all) {
+ foreach my $opt (keys %{$keep}) {
+ next if $keep->{$opt} == 0;
+ push @param, "--$opt";
+ push @param, "$keep->{$opt}";
+ }
+ } else { # no need to pass anything to PBS
+ $keep = { 'keep-all' => 1 };
}
push @param, '--dry-run' if $dryrun;
my $autogen_encryption_key = sub {
my ($scfg, $storeid) = @_;
my $encfile = pbs_encryption_key_file_name($scfg, $storeid);
- run_command(['proxmox-backup-client', 'key', 'create', '--kdf', 'none', $encfile]);
+ if (-f $encfile) {
+ rename $encfile, "$encfile.old";
+ }
+ my $cmd = ['proxmox-backup-client', 'key', 'create', '--kdf', 'none', $encfile];
+ run_command($cmd, errmsg => 'failed to create encryption key');
+ return PVE::Tools::file_get_contents($encfile);
};
sub on_add_hook {
my ($class, $storeid, $scfg, %param) = @_;
+ my $res = {};
+
if (defined(my $password = $param{password})) {
pbs_set_password($scfg, $storeid, $password);
} else {
}
if (defined(my $encryption_key = $param{'encryption-key'})) {
+ my $decoded_key;
if ($encryption_key eq 'autogen') {
- $autogen_encryption_key->($scfg, $storeid);
+ $res->{'encryption-key'} = $autogen_encryption_key->($scfg, $storeid);
+ $decoded_key = decode_json($res->{'encryption-key'});
} else {
+ $decoded_key = eval { decode_json($encryption_key) };
+ if ($@ || !exists($decoded_key->{data})) {
+ die "Value does not seems like a valid, JSON formatted encryption key!\n";
+ }
pbs_set_encryption_key($scfg, $storeid, $encryption_key);
+ $res->{'encryption-key'} = $encryption_key;
}
- $scfg->{'encryption-key'} = 1;
+ $scfg->{'encryption-key'} = $decoded_key->{fingerprint} || 1;
} else {
pbs_delete_encryption_key($scfg, $storeid);
}
+
+ return $res;
}
sub on_update_hook {
my ($class, $storeid, $scfg, %param) = @_;
+ my $res = {};
+
if (exists($param{password})) {
if (defined($param{password})) {
pbs_set_password($scfg, $storeid, $param{password});
if (exists($param{'encryption-key'})) {
if (defined(my $encryption_key = delete($param{'encryption-key'}))) {
+ my $decoded_key;
if ($encryption_key eq 'autogen') {
- $autogen_encryption_key->($scfg, $storeid);
+ $res->{'encryption-key'} = $autogen_encryption_key->($scfg, $storeid);
+ $decoded_key = decode_json($res->{'encryption-key'});
} else {
+ $decoded_key = eval { decode_json($encryption_key) };
+ if ($@ || !exists($decoded_key->{data})) {
+ die "Value does not seems like a valid, JSON formatted encryption key!\n";
+ }
pbs_set_encryption_key($scfg, $storeid, $encryption_key);
+ $res->{'encryption-key'} = $encryption_key;
}
- $scfg->{'encryption-key'} = 1;
+ $scfg->{'encryption-key'} = $decoded_key->{fingerprint} || 1;
} else {
pbs_delete_encryption_key($scfg, $storeid);
}
}
+
+ return $res;
}
sub on_delete_hook {
pbs_delete_password($scfg, $storeid);
pbs_delete_encryption_key($scfg, $storeid);
+
+ return;
}
sub parse_volname {
my ($vtype, $name, $vmid) = $class->parse_volname($volname);
- my $server = $scfg->{server};
+ my $server = get_server_with_port($scfg);
my $datastore = $scfg->{datastore};
my $username = $scfg->{username} // 'root@pam';
return $res;
}
+my sub snapshot_files_encrypted {
+ my ($files) = @_;
+ return 0 if !$files;
+
+ my $any;
+ my $all = 1;
+ for my $file (@$files) {
+ my $fn = $file->{filename};
+ next if $fn eq 'client.log.blob' || $fn eq 'index.json.blob';
+
+ my $crypt = $file->{'crypt-mode'};
+
+ $all = 0 if !$crypt || $crypt ne 'encrypt';
+ $any ||= $crypt eq 'encrypt';
+ }
+ return $any && $all;
+}
+
sub list_volumes {
my ($class, $storeid, $scfg, $vmid, $content_types) = @_;
ctime => $epoch,
};
+ $info->{verification} = $item->{verification} if defined($item->{verification});
+ $info->{notes} = $item->{comment} if defined($item->{comment});
+ if (defined($item->{fingerprint})) {
+ $info->{encrypted} = $item->{fingerprint};
+ } elsif (snapshot_files_encrypted($item->{files})) {
+ $info->{encrypted} = '1';
+ }
+
push @$res, $info;
}
return ($total, $free, $used, $active);
}
+# TODO: use a client with native rust/proxmox-backup bindings to profit from
+# API schema checks and types
+my sub pbs_api_connect {
+ my ($scfg, $password) = @_;
+
+ my $params = {};
+
+ my $user = $scfg->{username} // 'root@pam';
+
+ if (my $tokenid = PVE::AccessControl::pve_verify_tokenid($user, 1)) {
+ $params->{apitoken} = "PBSAPIToken=${tokenid}=${password}";
+ } else {
+ $params->{password} = $password;
+ $params->{username} = $user;
+ }
+
+ if (my $fp = $scfg->{fingerprint}) {
+ $params->{cached_fingerprints}->{uc($fp)} = 1;
+ }
+
+ my $conn = PVE::APIClient::LWP->new(
+ %$params,
+ host => $scfg->{server},
+ port => $scfg->{port} // 8007,
+ timeout => 7, # cope with a 401 (3s api delay) and high latency
+ cookie_name => 'PBSAuthCookie',
+ );
+
+ return $conn;
+}
+
+# can also be used for not (yet) added storages, pass $scfg with
+# {
+# server
+# user
+# port (optional default to 8007)
+# fingerprint (optional for trusted certs)
+# }
+sub scan_datastores {
+ my ($scfg, $password) = @_;
+
+ my $conn = pbs_api_connect($scfg, $password);
+
+ my $response = eval { $conn->get('/api2/json/admin/datastore', {}) };
+ die "error fetching datastores - $@" if $@;
+
+ return $response;
+}
+
sub activate_storage {
my ($class, $storeid, $scfg, $cache) = @_;
- run_client_cmd($scfg, $storeid, "status");
+ # a 'status' client command is to expensive here
+ # TODO: use a dummy ping API call to ensure the PBS API daemon is available for real
+ my $server = $scfg->{server};
+ my $port = $scfg->{port} // 8007;
+ PVE::Network::tcp_ping($server, $port, 2);
return 1;
}
return 1;
}
+sub get_volume_notes {
+ my ($class, $scfg, $storeid, $volname, $timeout) = @_;
+
+ my (undef, $name, undef, undef, undef, undef, $format) = $class->parse_volname($volname);
+
+ my $data = run_client_cmd($scfg, $storeid, "snapshot", [ "notes", "show", $name ]);
+
+ return $data->{notes};
+}
+
+sub update_volume_notes {
+ my ($class, $scfg, $storeid, $volname, $notes, $timeout) = @_;
+
+ my (undef, $name, undef, undef, undef, undef, $format) = $class->parse_volname($volname);
+
+ run_client_cmd($scfg, $storeid, "snapshot", [ "notes", "update", $name, $notes ], 1);
+
+ return undef;
+}
+
sub volume_size_info {
my ($class, $scfg, $storeid, $volname, $timeout) = @_;
projects / pve-storage.git / blobdiff