use strict;
use warnings;
+use POSIX;
+use Fcntl;
+use File::Copy 'copy';
+use Term::ReadLine;
+
use PVE::SafeSyslog;
use PVE::Tools qw(extract_param);
use PVE::Cluster;
exit($status eq 'OK' ? 0 : -1);
};
+sub read_password {
+ my $term = new Term::ReadLine ('pct');
+ my $attribs = $term->Attribs;
+ $attribs->{redisplay_function} = $attribs->{shadow_redisplay};
+ my $input = $term->readline('Enter password: ');
+ my $conf = $term->readline('Retype password: ');
+ die "Passwords do not match.\n" if ($input ne $conf);
+ return $input;
+}
+
+sub string_param_file_mapping {
+ my ($name) = @_;
+
+ my $mapping = {
+ 'create_vm' => ['ssh-public-keys'],
+ };
+
+ return defined($mapping->{$name}) ? $mapping->{$name} : [];
+}
+
__PACKAGE__->register_method ({
name => 'unlock',
path => 'unlock',
my $vmid = $param->{vmid};
- PVE::LXC::lock_config($vmid, sub {
- my $conf = PVE::LXC::load_config($vmid);
- delete $conf->{lock};
- PVE::LXC::write_config($vmid, $conf);
- });
+ PVE::LXC::Config->remove_lock($vmid);
return undef;
}});
my ($param) = @_;
# test if container exists on this node
- my $conf = PVE::LXC::load_config($param->{vmid});
+ my $conf = PVE::LXC::Config->load_config($param->{vmid});
my $cmd = PVE::LXC::get_console_command($param->{vmid}, $conf);
exec(@$cmd);
code => sub {
my ($param) = @_;
+ my $vmid = $param->{vmid};
+
# test if container exists on this node
- PVE::LXC::load_config($param->{vmid});
+ PVE::LXC::Config->load_config($vmid);
+
+ die "Error: container '$vmid' not running!\n" if !PVE::LXC::check_running($vmid);
- exec('lxc-attach', '-n', $param->{vmid});
+ exec('lxc-attach', '-n', $vmid);
}});
__PACKAGE__->register_method ({
my ($param) = @_;
# test if container exists on this node
- PVE::LXC::load_config($param->{vmid});
+ PVE::LXC::Config->load_config($param->{vmid});
if (!@{$param->{'extra-args'}}) {
die "missing command";
optional => 1,
type => 'string',
description => "A volume on which to run the filesystem check",
- enum => [PVE::LXC::mountpoint_names()],
+ enum => [PVE::LXC::Config->mountpoint_names()],
},
},
},
# critical path: all of this will be done while the container is locked
my $do_fsck = sub {
- my $conf = PVE::LXC::load_config($vmid);
+ my $conf = PVE::LXC::Config->load_config($vmid);
my $storage_cfg = PVE::Storage::config();
defined($conf->{$device}) || die "cannot run command on unexisting mountpoint $device\n";
- my $mount_point = $device eq 'rootfs' ? PVE::LXC::parse_ct_rootfs($conf->{$device}) :
- PVE::LXC::parse_ct_mountpoint($conf->{$device});
+ my $mount_point = $device eq 'rootfs' ? PVE::LXC::Config->parse_ct_rootfs($conf->{$device}) :
+ PVE::LXC::Config->parse_ct_mountpoint($conf->{$device});
my $volid = $mount_point->{volume};
PVE::Tools::run_command($command);
};
- PVE::LXC::lock_config($vmid, $do_fsck);
+ PVE::LXC::Config->lock_config($vmid, $do_fsck);
+ return undef;
+ }});
+
+__PACKAGE__->register_method({
+ name => 'mount',
+ path => 'mount',
+ method => 'POST',
+ description => "Mount the container's filesystem on the host. " .
+ "This will hold a lock on the container and is meant for emergency maintenance only " .
+ "as it will prevent further operations on the container other than start and stop.",
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }),
+ },
+ },
+ returns => { type => 'null' },
+ code => sub {
+ my ($param) = @_;
+
+ my $rpcenv = PVE::RPCEnvironment::get();
+
+ my $vmid = extract_param($param, 'vmid');
+ my $storecfg = PVE::Storage::config();
+ PVE::LXC::Config->lock_config($vmid, sub {
+ my $conf = PVE::LXC::Config->set_lock($vmid, 'mounted');
+ PVE::LXC::mount_all($vmid, $storecfg, $conf);
+ });
+ return undef;
+ }});
+
+__PACKAGE__->register_method({
+ name => 'unmount',
+ path => 'unmount',
+ method => 'POST',
+ description => "Unmount the container's filesystem.",
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }),
+ },
+ },
+ returns => { type => 'null' },
+ code => sub {
+ my ($param) = @_;
+
+ my $rpcenv = PVE::RPCEnvironment::get();
+
+ my $vmid = extract_param($param, 'vmid');
+ my $storecfg = PVE::Storage::config();
+ PVE::LXC::Config->lock_config($vmid, sub {
+ my $conf = PVE::LXC::Config->load_config($vmid);
+ PVE::LXC::umount_all($vmid, $storecfg, $conf, 0);
+ PVE::LXC::Config->remove_lock($vmid, 'mounted');
+ });
return undef;
}});
+# File creation with specified ownership and permissions.
+# User and group can be names or decimal numbers.
+# Permissions are explicit (not affected by umask) and can be numeric with the
+# usual 0/0x prefixes for octal/hex.
+sub create_file {
+ my ($path, $perms, $user, $group) = @_;
+ my ($uid, $gid);
+ if (defined($user)) {
+ if ($user =~ /^\d+$/) {
+ $uid = int($user);
+ } else {
+ $uid = getpwnam($user) or die "failed to get uid for: $user\n"
+ }
+ }
+ if (defined($group)) {
+ if ($group =~ /^\d+$/) {
+ $gid = int($group);
+ } else {
+ $gid = getgrnam($group) or die "failed to get gid for: $group\n"
+ }
+ }
+
+ if (defined($perms)) {
+ $! = 0;
+ my ($mode, $unparsed) = POSIX::strtoul($perms, 0);
+ die "invalid mode: '$perms'\n" if $perms eq '' || $unparsed > 0 || $!;
+ $perms = $mode;
+ }
+
+ my $fd;
+ if (sysopen($fd, $path, O_WRONLY | O_CREAT | O_EXCL, 0)) {
+ $perms = 0666 & ~umask if !defined($perms);
+ } else {
+ # If the path previously existed then we do not care about left-over
+ # file descriptors even if the permissions/ownership is changed.
+ sysopen($fd, $path, O_WRONLY | O_CREAT | O_TRUNC)
+ or die "failed to create file: $path: $!\n";
+ }
+
+ my $trunc = 0;
+
+ if (defined($perms)) {
+ $trunc = 1;
+ chmod($perms, $fd);
+ }
+
+ if (defined($uid) || defined($gid)) {
+ $trunc = 1;
+ my ($fuid, $fgid) = (stat($fd))[4,5] if !defined($uid) || !defined($gid);
+ $uid = $fuid if !defined($uid);
+ $gid = $fgid if !defined($gid);
+ chown($uid, $gid, $fd)
+ or die "failed to change file owner: $!\n";
+ }
+ return $fd;
+}
+
+__PACKAGE__->register_method({
+ name => 'pull',
+ path => 'pull',
+ method => 'PUT',
+ description => "Copy a file from the container to the local system.",
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }),
+ path => {
+ type => 'string',
+ description => "Path to a file inside the container to pull.",
+ },
+ destination => {
+ type => 'string',
+ description => "Destination",
+ },
+ user => {
+ type => 'string',
+ description => 'Owner user name or id.',
+ optional => 1,
+ },
+ group => {
+ type => 'string',
+ description => 'Owner group name or id.',
+ optional => 1,
+ },
+ perms => {
+ type => 'string',
+ description => "File permissions to use (octal by default, prefix with '0x' for hexadecimal).",
+ optional => 1,
+ },
+ },
+ },
+ returns => {
+ type => 'string',
+ description => "the task ID.",
+ },
+ code => sub {
+ my ($param) = @_;
+
+ my $rpcenv = PVE::RPCEnvironment::get();
+
+ my $vmid = extract_param($param, 'vmid');
+ my $path = extract_param($param, 'path');
+ my $dest = extract_param($param, 'destination');
+
+ my $perms = extract_param($param, 'perms');
+ $perms = '0'.$perms if defined($perms) && $perms !~m/^0/;
+ my $user = extract_param($param, 'user');
+ my $group = extract_param($param, 'group');
+
+ my $code = sub {
+ my $running = PVE::LXC::check_running($vmid);
+ die "can only pull files from a running VM" if !$running;
+
+ my $realcmd = sub {
+ my $pid = PVE::LXC::find_lxc_pid($vmid);
+ # Avoid symlink issues by opening the files from inside the
+ # corresponding namespaces.
+ my $destfd = create_file($dest, $perms, $user, $group);
+
+ sysopen my $mntnsfd, "/proc/$pid/ns/mnt", O_RDONLY
+ or die "failed to open the container's mount namespace\n";
+ PVE::Tools::setns(fileno($mntnsfd), PVE::Tools::CLONE_NEWNS)
+ or die "failed to enter the container's mount namespace\n";
+ close($mntnsfd);
+ chdir('/') or die "failed to change to container root directory\n";
+
+ open my $srcfd, '<', $path
+ or die "failed to open $path: $!\n";
+
+ copy($srcfd, $destfd);
+ };
+
+ # This avoids having to setns() back to our namespace.
+ return $rpcenv->fork_worker('pull_file', $vmid, undef, $realcmd);
+ };
+
+ return PVE::LXC::Config->lock_config($vmid, $code);
+ }});
+
+__PACKAGE__->register_method({
+ name => 'push',
+ path => 'push',
+ method => 'PUT',
+ description => "Copy a local file to the container.",
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }),
+ file => {
+ type => 'string',
+ description => "Path to a local file.",
+ },
+ destination => {
+ type => 'string',
+ description => "Destination inside the container to write to.",
+ },
+ user => {
+ type => 'string',
+ description => 'Owner user name or id. When using a name it must exist inside the container.',
+ optional => 1,
+ },
+ group => {
+ type => 'string',
+ description => 'Owner group name or id. When using a name it must exist inside the container.',
+ optional => 1,
+ },
+ perms => {
+ type => 'string',
+ description => "File permissions to use (octal by default, prefix with '0x' for hexadecimal).",
+ optional => 1,
+ },
+ },
+ },
+ returns => {
+ type => 'string',
+ description => "the task ID.",
+ },
+ code => sub {
+ my ($param) = @_;
+
+ my $rpcenv = PVE::RPCEnvironment::get();
+
+ my $vmid = extract_param($param, 'vmid');
+ my $file = extract_param($param, 'file');
+ my $dest = extract_param($param, 'destination');
+
+ my $perms = extract_param($param, 'perms');
+ $perms = '0'.$perms if defined($perms) && $perms !~m/^0/;
+ my $user = extract_param($param, 'user');
+ my $group = extract_param($param, 'group');
+
+ my $code = sub {
+ my $running = PVE::LXC::check_running($vmid);
+ die "can only push files to a running VM" if !$running;
+
+ my $conf = PVE::LXC::Config->load_config($vmid);
+ my $unprivileged = $conf->{unprivileged};
+
+ my $realcmd = sub {
+ my $pid = PVE::LXC::find_lxc_pid($vmid);
+ # We open the file then enter the container's mount - and for
+ # unprivileged containers - user namespace and then create the
+ # file. This avoids symlink attacks as a symlink cannot point
+ # outside the namespace and our own access is equivalent to the
+ # container-local's root user. Also the user-passed -user and
+ # -group parameters will use the container-local's user and
+ # group names.
+ sysopen my $srcfd, $file, O_RDONLY
+ or die "failed to open $file for reading\n";
+
+ sysopen my $mntnsfd, "/proc/$pid/ns/mnt", O_RDONLY
+ or die "failed to open the container's mount namespace\n";
+ my $usernsfd;
+ if ($unprivileged) {
+ sysopen $usernsfd, "/proc/$pid/ns/user", O_RDONLY
+ or die "failed to open the container's user namespace\n";
+ }
+
+ PVE::Tools::setns(fileno($mntnsfd), PVE::Tools::CLONE_NEWNS)
+ or die "failed to enter the container's mount namespace\n";
+ close($mntnsfd);
+ chdir('/') or die "failed to change to container root directory\n";
+
+ if ($unprivileged) {
+ PVE::Tools::setns(fileno($usernsfd), PVE::Tools::CLONE_NEWUSER)
+ or die "failed to enter the container's user namespace\n";
+ close($usernsfd);
+ POSIX::setgid(0) or die "setgid failed: $!\n";
+ POSIX::setuid(0) or die "setuid failed: $!\n";
+ }
+
+ my $destfd = create_file($dest, $perms, $user, $group);
+ copy($srcfd, $destfd);
+ };
+
+ # This avoids having to setns() back to our namespace.
+ return $rpcenv->fork_worker('push_file', $vmid, undef, $realcmd);
+ };
+
+ return PVE::LXC::Config->lock_config($vmid, $code);
+ }});
+
our $cmddef = {
list=> [ 'PVE::API2::LXC', 'vmlist', [], { node => $nodename }, sub {
my $res = shift;
return if !scalar(@$res);
- my $format = "%-10s %-10s %-20s\n";
- printf($format, 'VMID', 'Status', 'Name');
+ my $format = "%-10s %-10s %-12s %-20s\n";
+ printf($format, 'VMID', 'Status', 'Lock', 'Name');
foreach my $d (sort {$a->{vmid} <=> $b->{vmid} } @$res) {
- printf($format, $d->{vmid}, $d->{status}, $d->{name});
+ printf($format, $d->{vmid}, $d->{status}, $d->{lock}, $d->{name});
}
}],
config => [ "PVE::API2::LXC::Config", 'vm_config', ['vmid'],
unlock => [ __PACKAGE__, 'unlock', ['vmid']],
exec => [ __PACKAGE__, 'exec', ['vmid', 'extra-args']],
fsck => [ __PACKAGE__, 'fsck', ['vmid']],
+
+ mount => [ __PACKAGE__, 'mount', ['vmid']],
+ unmount => [ __PACKAGE__, 'unmount', ['vmid']],
+ push => [ __PACKAGE__, 'push', ['vmid', 'file', 'destination']],
+ pull => [ __PACKAGE__, 'pull', ['vmid', 'path', 'destination']],
destroy => [ 'PVE::API2::LXC', 'destroy_vm', ['vmid'],
{ node => $nodename }, $upid_exit ],