X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=src%2FPVE%2FTools.pm;h=9046b4f2c4ef7953b60581024b1d3b1f4a42398a;hb=f52ecff957867ae699e4b1be4059a3af0b436e42;hp=406aa2aa7834bba3af1bd6796b196ab90408c385;hpb=9867ff7a8327fc2847de299caa05e94211859b12;p=pve-common.git diff --git a/src/PVE/Tools.pm b/src/PVE/Tools.pm index 406aa2a..9046b4f 100644 --- a/src/PVE/Tools.pm +++ b/src/PVE/Tools.pm @@ -2,29 +2,33 @@ package PVE::Tools; use strict; use warnings; -use POSIX qw(EINTR EEXIST EOPNOTSUPP); -use IO::Socket::IP; -use Socket qw(AF_INET AF_INET6 AI_ALL AI_V4MAPPED); -use IO::Select; + +use Date::Format qw(time2str); +use Digest::MD5; +use Digest::SHA; +use Encode; +use Fcntl qw(:DEFAULT :flock); use File::Basename; use File::Path qw(make_path); use Filesys::Df (); # don't overwrite our df() -use IO::Pipe; -use IO::File; use IO::Dir; +use IO::File; use IO::Handle; +use IO::Pipe; +use IO::Select; +use IO::Socket::IP; use IPC::Open3; -use Fcntl qw(:DEFAULT :flock); -use base 'Exporter'; -use URI::Escape; -use Encode; -use Digest::SHA; -use Text::ParseWords; +use JSON; +use POSIX qw(EINTR EEXIST EOPNOTSUPP); +use Scalar::Util 'weaken'; +use Socket qw(AF_INET AF_INET6 AI_ALL AI_V4MAPPED AI_CANONNAME SOCK_DGRAM IPPROTO_TCP); use String::ShellQuote; +use Text::ParseWords; use Time::HiRes qw(usleep gettimeofday tv_interval alarm); -use Net::DBus qw(dbus_uint32 dbus_uint64); -use Net::DBus::Callback; -use Net::DBus::Reactor; +use URI::Escape; +use base 'Exporter'; + +use PVE::Syscall; # avoid warning when parsing long hex values with hex() no warnings 'portable'; # Support for 64-bit ints required @@ -45,9 +49,19 @@ template_replace safe_print trim extract_param +extract_sensitive_params file_copy +get_host_arch O_PATH O_TMPFILE +AT_EMPTY_PATH +AT_FDCWD +CLONE_NEWNS +CLONE_NEWUTS +CLONE_NEWIPC +CLONE_NEWUSER +CLONE_NEWPID +CLONE_NEWNET ); my $pvelogdir = "/var/log/pve"; @@ -74,6 +88,9 @@ our $IPV6RE = "(?:" . our $IPRE = "(?:$IPV4RE|$IPV6RE)"; +our $EMAIL_USER_RE = qr/[\w\+\-\~]+(\.[\w\+\-\~]+)*/; +our $EMAIL_RE = qr/$EMAIL_USER_RE@[a-zA-Z0-9\-]+(\.[a-zA-Z0-9\-]+)*/; + use constant {CLONE_NEWNS => 0x00020000, CLONE_NEWUTS => 0x04000000, CLONE_NEWIPC => 0x08000000, @@ -82,8 +99,17 @@ use constant {CLONE_NEWNS => 0x00020000, CLONE_NEWNET => 0x40000000}; use constant {O_PATH => 0x00200000, + O_CLOEXEC => 0x00080000, O_TMPFILE => 0x00410000}; # This includes O_DIRECTORY +use constant {AT_EMPTY_PATH => 0x1000, + AT_FDCWD => -100}; + +# from +use constant {RENAME_NOREPLACE => (1 << 0), + RENAME_EXCHANGE => (1 << 1), + RENAME_WHITEOUT => (1 << 2)}; + sub run_with_timeout { my ($timeout, $code, @param) = @_; @@ -122,7 +148,12 @@ sub run_with_timeout { } # flock: we use one file handle per process, so lock file -# can be called multiple times and succeeds for the same process. +# can be nested multiple times and succeeds for the same process. +# +# Since this is the only way we lock now and we don't have the old +# 'lock(); code(); unlock();' pattern anymore we do not actually need to +# count how deep we're nesting. Therefore this hash now stores a weak reference +# to a boolean telling us whether we already have a lock. my $lock_handles = {}; @@ -133,58 +164,67 @@ sub lock_file_full { my $mode = $shared ? LOCK_SH : LOCK_EX; - my $lock_func = sub { - if (!$lock_handles->{$$}->{$filename}) { - my $fh = new IO::File(">>$filename") || - die "can't open file - $!\n"; - $lock_handles->{$$}->{$filename} = { fh => $fh, refcount => 0}; - } + my $lockhash = ($lock_handles->{$$} //= {}); - if (!flock($lock_handles->{$$}->{$filename}->{fh}, $mode|LOCK_NB)) { - print STDERR "trying to acquire lock..."; + # Returns a locked file handle. + my $get_locked_file = sub { + my $fh = IO::File->new(">>$filename") + or die "can't open file - $!\n"; + + if (!flock($fh, $mode|LOCK_NB)) { + print STDERR "trying to acquire lock...\n"; my $success; while(1) { - $success = flock($lock_handles->{$$}->{$filename}->{fh}, $mode); + $success = flock($fh, $mode); # try again on EINTR (see bug #273) if ($success || ($! != EINTR)) { last; } } - if (!$success) { - print STDERR " failed\n"; - die "can't acquire lock '$filename' - $!\n"; - } - print STDERR " OK\n"; - } - $lock_handles->{$$}->{$filename}->{refcount}++; + if (!$success) { + print STDERR " failed\n"; + die "can't acquire lock '$filename' - $!\n"; + } + print STDERR " OK\n"; + } + + return $fh; }; my $res; - - eval { run_with_timeout($timeout, $lock_func); }; - my $err = $@; - if ($err) { - $err = "can't lock file '$filename' - $err"; - } else { - eval { $res = &$code(@param) }; - $err = $@; - } - - if (my $fh = $lock_handles->{$$}->{$filename}->{fh}) { - my $refcount = --$lock_handles->{$$}->{$filename}->{refcount}; - if ($refcount <= 0) { - $lock_handles->{$$}->{$filename} = undef; - close ($fh); + my $checkptr = $lockhash->{$filename}; + my $check = 0; # This must not go out of scope before running the code. + my $local_fh; # This must stay local + if (!$checkptr || !$$checkptr) { + # We cannot create a weak reference in a single atomic step, so we first + # create a false-value, then create a reference to it, then weaken it, + # and after successfully locking the file we change the boolean value. + # + # The reason for this is that if an outer SIGALRM throws an exception + # between creating the reference and weakening it, a subsequent call to + # lock_file_full() will see a leftover full reference to a valid + # variable. This variable must be 0 in order for said call to attempt to + # lock the file anew. + # + # An externally triggered exception elsewhere in the code will cause the + # weak reference to become 'undef', and since the file handle is only + # stored in the local scope in $local_fh, the file will be closed by + # perl's cleanup routines as well. + # + # This still assumes that an IO::File handle can properly deal with such + # exceptions thrown during its own destruction, but that's up to perls + # guts now. + $lockhash->{$filename} = \$check; + weaken $lockhash->{$filename}; + $local_fh = eval { run_with_timeout($timeout, $get_locked_file) }; + if ($@) { + $@ = "can't lock file '$filename' - $@"; + return undef; } + $check = 1; } - - if ($err) { - $@ = $err; - return undef; - } - - $@ = undef; - + $res = eval { &$code(@param); }; + return undef if $@; return $res; } @@ -261,7 +301,8 @@ sub file_read_firstline { sub safe_read_from { my ($fh, $max, $oneline, $filename) = @_; - $max = 32768 if !$max; + # pmxcfs file size limit + $max = 512*1024 if !$max; my $subject = defined($filename) ? "file '$filename'" : 'input'; @@ -341,7 +382,7 @@ sub run_command { my $timeout; my $oldtimeout; my $pid; - my $exitcode; + my $exitcode = -1; my $outfunc; my $errfunc; @@ -351,6 +392,7 @@ sub run_command { my $afterfork; my $noerr; my $keeplocale; + my $quiet; eval { @@ -377,6 +419,8 @@ sub run_command { $noerr = $param{$p}; } elsif ($p eq 'keeplocale') { $keeplocale = $param{$p}; + } elsif ($p eq 'quiet') { + $quiet = $param{$p}; } else { die "got unknown parameter '$p' for run_command\n"; } @@ -466,12 +510,13 @@ sub run_command { if ($h eq $reader) { if ($outfunc || $logfunc) { eval { - $outlog .= $buf; - while ($outlog =~ s/^([^\010\r\n]*)(\r|\n|(\010)+|\r\n)//s) { - my $line = $1; + while ($buf =~ s/^([^\010\r\n]*)(?:\n|(?:\010)+|\r\n?)//) { + my $line = $outlog . $1; + $outlog = ''; &$outfunc($line) if $outfunc; &$logfunc($line) if $logfunc; } + $outlog .= $buf; }; my $err = $@; if ($err) { @@ -479,19 +524,20 @@ sub run_command { waitpid ($pid, 0); die $err; } - } else { + } elsif (!$quiet) { print $buf; *STDOUT->flush(); } } elsif ($h eq $error) { if ($errfunc || $logfunc) { eval { - $errlog .= $buf; - while ($errlog =~ s/^([^\010\r\n]*)(\r|\n|(\010)+|\r\n)//s) { - my $line = $1; + while ($buf =~ s/^([^\010\r\n]*)(?:\n|(?:\010)+|\r\n?)//) { + my $line = $errlog . $1; + $errlog = ''; &$errfunc($line) if $errfunc; &$logfunc($line) if $logfunc; } + $errlog .= $buf; }; my $err = $@; if ($err) { @@ -499,7 +545,7 @@ sub run_command { waitpid ($pid, 0); die $err; } - } else { + } elsif (!$quiet) { print STDERR $buf; *STDERR->flush(); } @@ -563,8 +609,66 @@ sub run_command { return $exitcode; } +# Run a command with a tcp socket as standard input. +sub pipe_socket_to_command { + my ($cmd, $ip, $port) = @_; + + my $params = { + Listen => 1, + ReuseAddr => 1, + Proto => &Socket::IPPROTO_TCP, + GetAddrInfoFlags => 0, + LocalAddr => $ip, + LocalPort => $port, + }; + my $socket = IO::Socket::IP->new(%$params) or die "failed to open socket: $!\n"; + + print "$ip\n$port\n"; # tell remote where to connect + *STDOUT->flush(); + + alarm 0; + local $SIG{ALRM} = sub { die "timed out waiting for client\n" }; + alarm 30; + my $client = $socket->accept; # Wait for a client + alarm 0; + close($socket); + + # We want that the command talks over the TCP socket and takes + # ownership of it, so that when it closes it the connection is + # terminated, so we need to be able to close the socket. So we + # can't really use PVE::Tools::run_command(). + my $pid = fork() // die "fork failed: $!\n"; + if (!$pid) { + POSIX::dup2(fileno($client), 0); + POSIX::dup2(fileno($client), 1); + close($client); + exec {$cmd->[0]} @$cmd or do { + warn "exec failed: $!\n"; + POSIX::_exit(1); + }; + } + + close($client); + if (waitpid($pid, 0) != $pid) { + kill(15 => $pid); # if we got interrupted terminate the child + my $count = 0; + while (waitpid($pid, POSIX::WNOHANG) != $pid) { + usleep(100000); + $count++; + kill(9 => $pid), last if $count > 300; # 30 second timeout + } + } + if (my $sig = ($? & 127)) { + die "got signal $sig\n"; + } elsif (my $exitcode = ($? >> 8)) { + die "exit code $exitcode\n"; + } + + return undef; +} + sub split_list { - my $listtxt = shift || ''; + my $listtxt = shift // ''; return split (/\0/, $listtxt) if $listtxt =~ m/\0/; @@ -594,7 +698,7 @@ sub template_replace { return $tmpl if !$tmpl; my $res = ''; - while ($tmpl =~ m/([^{]+)?({([^}]+)})?/g) { + while ($tmpl =~ m/([^{]+)?(\{([^}]+)\})?/g) { $res .= $1 if $1; $res .= ($data->{$3} || '-') if $2; } @@ -684,7 +788,7 @@ my $keymaphash = { 'pl' => ['Polish', 'pl', 'qwerty/pl.kmap.gz', 'pl', undef], 'pt' => ['Portuguese', 'pt', 'qwerty/pt-latin1.kmap.gz', 'pt', 'nodeadkeys'], 'pt-br' => ['Brazil-Portuguese', 'pt-br', 'qwerty/br-latin1.kmap.gz', 'br', 'nodeadkeys'], - #'ru' => ['Russian', 'ru', 'qwerty/ru.kmap.gz', 'ru', undef], # dont know? + #'ru' => ['Russian', 'ru', 'qwerty/ru.kmap.gz', 'ru', undef], # don't know? 'si' => ['Slovenian', 'sl', 'qwertz/slovene.kmap.gz', 'si', undef], 'se' => ['Swedish', 'sv', 'qwerty/se-latin1.kmap.gz', 'se', 'nodeadkeys'], #'th' => [], @@ -713,36 +817,59 @@ sub extract_param { return $res; } +# For extracting sensitive keys (e.g. password), to avoid writing them to www-data owned configs +sub extract_sensitive_params :prototype($$$) { + my ($param, $sensitive_list, $delete_list) = @_; + + my %delete = map { $_ => 1 } ($delete_list || [])->@*; + + my $sensitive = {}; + for my $opt (@$sensitive_list) { + # handle deletions as explicitly setting `undef`, so subs which only have $param but not + # $delete_list available can recognize them. Afterwards new values may override. + if (exists($delete{$opt})) { + $sensitive->{$opt} = undef; + } + + if (defined(my $value = extract_param($param, $opt))) { + $sensitive->{$opt} = $value; + } + } + + return $sensitive; +} + # Note: we use this to wait until vncterm/spiceterm is ready sub wait_for_vnc_port { - my ($port, $timeout) = @_; + my ($port, $family, $timeout) = @_; $timeout = 5 if !$timeout; my $sleeptime = 0; my $starttime = [gettimeofday]; my $elapsed; + my $cmd = ['/bin/ss', '-Htln', "sport = :$port"]; + push @$cmd, $family == AF_INET6 ? '-6' : '-4' if defined($family); + + my $found; while (($elapsed = tv_interval($starttime)) < $timeout) { - if (my $fh = IO::File->new ("/proc/net/tcp", "r")) { - while (defined (my $line = <$fh>)) { - if ($line =~ m/^\s*\d+:\s+([0-9A-Fa-f]{8}):([0-9A-Fa-f]{4})\s/) { - if ($port == hex($2)) { - close($fh); - return 1; - } - } + # -Htln = don't print header, tcp, listening sockets only, numeric ports + run_command($cmd, outfunc => sub { + my $line = shift; + if ($line =~ m/^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s/) { + $found = 1 if ($port == $1); } - close($fh); - } + }); + return 1 if $found; $sleeptime += 100000 if $sleeptime < 1000000; usleep($sleeptime); } - return undef; + die "Timeout while waiting for port '$port' to get ready!\n"; } sub next_unused_port { - my ($range_start, $range_end, $family) = @_; + my ($range_start, $range_end, $family, $address) = @_; # We use a file to register allocated ports. # Those registrations expires after $expiretime. @@ -770,16 +897,18 @@ sub next_unused_port { } my $newport; + my %sockargs = (Listen => 5, + ReuseAddr => 1, + Family => $family, + Proto => IPPROTO_TCP, + GetAddrInfoFlags => 0); + $sockargs{LocalAddr} = $address if defined($address); for (my $p = $range_start; $p < $range_end; $p++) { next if $ports->{$p}; # reserved - my $sock = IO::Socket::IP->new(Listen => 5, - LocalPort => $p, - ReuseAddr => 1, - Family => $family, - Proto => 0, - GetAddrInfoFlags => 0); + $sockargs{LocalPort} = $p; + my $sock = IO::Socket::IP->new(%sockargs); if ($sock) { close($sock); @@ -808,71 +937,149 @@ sub next_unused_port { } sub next_migrate_port { - my ($family) = @_; - return next_unused_port(60000, 60050, $family); + my ($family, $address) = @_; + return next_unused_port(60000, 60050, $family, $address); } sub next_vnc_port { - my ($family) = @_; - return next_unused_port(5900, 6000, $family); + my ($family, $address) = @_; + return next_unused_port(5900, 6000, $family, $address); +} + +sub spice_port_range { + return (61000, 61999); } sub next_spice_port { - my ($family) = @_; - return next_unused_port(61000, 61099, $family); + my ($family, $address) = @_; + return next_unused_port(spice_port_range(), $family, $address); } -# NOTE: NFS syscall can't be interrupted, so alarm does -# not work to provide timeouts. -# from 'man nfs': "Only SIGKILL can interrupt a pending NFS operation" -# So fork() before using Filesys::Df -sub df { - my ($path, $timeout) = @_; +sub must_stringify { + my ($value) = @_; + eval { $value = "$value" }; + return "error turning value into a string: $@" if $@; + return $value; +} - my $res = { - total => 0, - used => 0, - avail => 0, - }; +# sigkill after $timeout a $sub running in a fork if it can't write a pipe +# the $sub has to return a single scalar +sub run_fork_with_timeout { + my ($timeout, $sub) = @_; + + my $res; + my $error; + my $pipe_out = IO::Pipe->new(); + + # disable pending alarms, save their remaining time + my $prev_alarm = alarm 0; + + # avoid leaving a zombie if the parent gets interrupted + my $sig_received; - my $pipe = IO::Pipe->new(); my $child = fork(); if (!defined($child)) { - warn "fork failed: $!\n"; + die "fork failed: $!\n"; return $res; } if (!$child) { - $pipe->writer(); + $pipe_out->writer(); + eval { - my $df = Filesys::Df::df($path, 1); - print {$pipe} "$df->{blocks}\n$df->{used}\n$df->{bavail}\n"; - $pipe->close(); + $res = $sub->(); + print {$pipe_out} encode_json({ result => $res }); + $pipe_out->flush(); }; if (my $err = $@) { - warn $err; + print {$pipe_out} encode_json({ error => must_stringify($err) }); + $pipe_out->flush(); POSIX::_exit(1); } POSIX::_exit(0); } - $pipe->reader(); + local $SIG{INT} = sub { $sig_received++; }; + local $SIG{TERM} = sub { + $error //= "interrupted by unexpected signal\n"; + kill('TERM', $child); + }; + + $pipe_out->reader(); my $readvalues = sub { - $res->{total} = int((<$pipe> =~ /^(\d*)$/)[0]); - $res->{used} = int((<$pipe> =~ /^(\d*)$/)[0]); - $res->{avail} = int((<$pipe> =~ /^(\d*)$/)[0]); + local $/ = undef; + my $child_res = decode_json(readline_nointr($pipe_out)); + $res = $child_res->{result}; + $error = $child_res->{error}; }; eval { - run_with_timeout($timeout, $readvalues); + if (defined($timeout)) { + run_with_timeout($timeout, $readvalues); + } else { + $readvalues->(); + } }; warn $@ if $@; - $pipe->close(); + $pipe_out->close(); kill('KILL', $child); waitpid($child, 0); + + alarm $prev_alarm; + die "interrupted by unexpected signal\n" if $sig_received; + + die $error if $error; return $res; } +sub run_fork { + my ($code) = @_; + return run_fork_with_timeout(undef, $code); +} + +# NOTE: NFS syscall can't be interrupted, so alarm does +# not work to provide timeouts. +# from 'man nfs': "Only SIGKILL can interrupt a pending NFS operation" +# So fork() before using Filesys::Df +sub df { + my ($path, $timeout) = @_; + + my $df = sub { return Filesys::Df::df($path, 1) }; + + my $res = eval { run_fork_with_timeout($timeout, $df) } // {}; + warn $@ if $@; + + # untaint, but be flexible: PB usage can result in scientific notation + my ($blocks, $used, $bavail) = map { defined($_) ? (/^([\d\.e\-+]+)$/) : 0 } + $res->@{qw(blocks used bavail)}; + + return { + total => $blocks, + used => $used, + avail => $bavail, + }; +} + +sub du { + my ($path, $timeout) = @_; + + my $size; + + $timeout //= 10; + + my $parser = sub { + my $line = shift; + + if ($line =~ m/^(\d+)\s+total$/) { + $size = $1; + } + }; + + run_command(['du', '-scb', $path], outfunc => $parser, timeout => $timeout); + + return $size; +} + # UPID helper # We use this to uniquely identify a process. # An 'Unique Process ID' has the following format: @@ -955,6 +1162,8 @@ sub upid_read_status { return 'OK'; } elsif ($line =~ m/^TASK ERROR: (.+)$/) { return $1; + } elsif ($line =~ m/^TASK (WARNINGS: \d+)$/) { + return $1; } else { return "unexpected status"; } @@ -977,6 +1186,8 @@ sub decode_text { return Encode::decode("utf8", uri_unescape($data)); } +# depreciated - do not use! +# we now decode all parameters by default sub decode_utf8_parameters { my ($param) = @_; @@ -1081,7 +1292,7 @@ sub dump_logfile { } sub dump_journal { - my ($start, $limit, $since, $until) = @_; + my ($start, $limit, $since, $until, $service) = @_; my $lines = []; my $count = 0; @@ -1100,6 +1311,7 @@ sub dump_journal { my $cmd = ['journalctl', '-o', 'short', '--no-pager']; + push @$cmd, '--unit', $service if $service; push @$cmd, '--since', $since if $since; push @$cmd, '--until', $until if $until; run_command($cmd, outfunc => $parser); @@ -1184,8 +1396,10 @@ sub unpack_sockaddr_in46 { sub getaddrinfo_all { my ($hostname, @opts) = @_; - my %hints = ( flags => AI_V4MAPPED | AI_ALL, - @opts ); + my %hints = ( + flags => AI_V4MAPPED | AI_ALL, + @opts, + ); my ($err, @res) = Socket::getaddrinfo($hostname, '0', \%hints); die "failed to get address info for: $hostname: $err\n" if $err; return @res; @@ -1197,6 +1411,24 @@ sub get_host_address_family { return $res[0]->{family}; } +# get the fully qualified domain name of a host +# same logic as hostname(1): The FQDN is the name getaddrinfo(3) returns, +# given a nodename as a parameter +sub get_fqdn { + my ($nodename) = @_; + + my $hints = { + flags => AI_CANONNAME, + socktype => SOCK_DGRAM + }; + + my ($err, @addrs) = Socket::getaddrinfo($nodename, undef, $hints); + + die "getaddrinfo: $err" if $err; + + return $addrs[0]->{canonname}; +} + # Parses any sane kind of host, or host+port pair: # The port is always optional and thus may be undef. sub parse_host_and_port { @@ -1210,70 +1442,103 @@ sub parse_host_and_port { return; # nothing } +sub setresuid($$$) { + my ($ruid, $euid, $suid) = @_; + return 0 == syscall(PVE::Syscall::setresuid, $ruid, $euid, $suid); +} + sub unshare($) { my ($flags) = @_; - return 0 == syscall(272, $flags); + return 0 == syscall(PVE::Syscall::unshare, $flags); } sub setns($$) { my ($fileno, $nstype) = @_; - return 0 == syscall(308, $fileno, $nstype); + return 0 == syscall(PVE::Syscall::setns, $fileno, $nstype); } sub syncfs($) { my ($fileno) = @_; - return 0 == syscall(306, $fileno); + return 0 == syscall(PVE::Syscall::syncfs, $fileno); +} + +sub fsync($) { + my ($fileno) = @_; + return 0 == syscall(PVE::Syscall::fsync, $fileno); +} + +sub renameat2($$$$$) { + my ($olddirfd, $oldpath, $newdirfd, $newpath, $flags) = @_; + return 0 == syscall(PVE::Syscall::renameat2, $olddirfd, $oldpath, $newdirfd, $newpath, $flags); } sub sync_mountpoint { my ($path) = @_; - sysopen my $fd, $path, O_PATH or die "failed to open $path: $!\n"; - my $result = syncfs(fileno($fd)); + sysopen my $fd, $path, O_RDONLY|O_CLOEXEC or die "failed to open $path: $!\n"; + my $syncfs_err; + if (!syncfs(fileno($fd))) { + $syncfs_err = "$!"; + } close($fd); - return $result; + die "syncfs '$path' failed - $syncfs_err\n" if defined $syncfs_err; } # support sending multi-part mail messages with a text and or a HTML part # mailto may be a single email string or an array of receivers sub sendmail { my ($mailto, $subject, $text, $html, $mailfrom, $author) = @_; - my $mail_re = qr/[^-a-zA-Z0-9+._@]/; $mailto = [ $mailto ] if !ref($mailto); - foreach (@$mailto) { - die "illegal character in mailto address\n" - if ($_ =~ $mail_re); + my $mailto_quoted = []; + for my $to (@$mailto) { + die "mailto does not look like a valid email address or username\n" + if $to !~ /^$EMAIL_RE$/ && $to !~ /^$EMAIL_USER_RE$/; + push @$mailto_quoted, shellquote($to); } my $rcvrtxt = join (', ', @$mailto); $mailfrom = $mailfrom || "root"; - die "illegal character in mailfrom address\n" - if $mailfrom =~ $mail_re; + die "mailfrom does not look like a valid email address or username\n" + if $mailfrom !~ /^$EMAIL_RE$/ && $mailfrom !~ /^$EMAIL_USER_RE$/; + my $mailfrom_quoted = shellquote($mailfrom); + + $author = $author // 'Proxmox VE'; + + open (MAIL, "|-", "sendmail", "-B", "8BITMIME", "-f", $mailfrom_quoted, + "--", @$mailto_quoted) || die "unable to open 'sendmail' - $!"; - $author = $author || 'Proxmox VE'; + my $date = time2str('%a, %d %b %Y %H:%M:%S %z', time()); - open (MAIL, "|-", "sendmail", "-B", "8BITMIME", "-f", $mailfrom, @$mailto) || - die "unable to open 'sendmail' - $!"; + my $is_multipart = $text && $html; # multipart spec see https://www.ietf.org/rfc/rfc1521.txt my $boundary = "----_=_NextPart_001_".int(time).$$; - print MAIL "Content-Type: multipart/alternative;\n"; - print MAIL "\tboundary=\"$boundary\"\n"; - print MAIL "MIME-Version: 1.0\n"; + if ($subject =~ /[^[:ascii:]]/) { + $subject = Encode::encode('MIME-Header', $subject); + } - print MAIL "FROM: $author <$mailfrom>\n"; - print MAIL "TO: $rcvrtxt\n"; - print MAIL "SUBJECT: $subject\n"; - print MAIL "\n"; - print MAIL "This is a multi-part message in MIME format.\n\n"; - print MAIL "--$boundary\n"; + if ($subject =~ /[^[:ascii:]]/ || $is_multipart) { + print MAIL "MIME-Version: 1.0\n"; + } + print MAIL "From: $author <$mailfrom>\n"; + print MAIL "To: $rcvrtxt\n"; + print MAIL "Date: $date\n"; + print MAIL "Subject: $subject\n"; + + if ($is_multipart) { + print MAIL "Content-Type: multipart/alternative;\n"; + print MAIL "\tboundary=\"$boundary\"\n"; + print MAIL "\n"; + print MAIL "This is a multi-part message in MIME format.\n\n"; + print MAIL "--$boundary\n"; + } if (defined($text)) { print MAIL "Content-Type: text/plain;\n"; - print MAIL "\tcharset=\"UTF8\"\n"; + print MAIL "\tcharset=\"UTF-8\"\n"; print MAIL "Content-Transfer-Encoding: 8bit\n"; print MAIL "\n"; @@ -1283,18 +1548,18 @@ sub sendmail { print MAIL $text; - print MAIL "\n--$boundary\n"; + print MAIL "\n--$boundary\n" if $is_multipart; } if (defined($html)) { print MAIL "Content-Type: text/html;\n"; - print MAIL "\tcharset=\"UTF8\"\n"; + print MAIL "\tcharset=\"UTF-8\"\n"; print MAIL "Content-Transfer-Encoding: 8bit\n"; print MAIL "\n"; print MAIL $html; - print MAIL "\n--$boundary--\n"; + print MAIL "\n--$boundary--\n" if $is_multipart; } close(MAIL); @@ -1354,7 +1619,7 @@ sub validate_ssh_public_keys { sub openat($$$;$) { my ($dirfd, $pathname, $flags, $mode) = @_; - my $fd = syscall(257, $dirfd, $pathname, $flags, $mode//0); + my $fd = syscall(PVE::Syscall::openat, $dirfd, $pathname, $flags, $mode//0); return undef if $fd < 0; # sysopen() doesn't deal with numeric file descriptors apparently # so we need to convert to a mode string for IO::Handle->new_from_fd @@ -1362,85 +1627,19 @@ sub openat($$$;$) { my $handle = IO::Handle->new_from_fd($fd, $flagstr); return $handle if $handle; my $err = $!; # save error before closing the raw fd - syscall(3, $fd); # close + syscall(PVE::Syscall::close, $fd); # close $! = $err; return undef; } sub mkdirat($$$) { my ($dirfd, $name, $mode) = @_; - return syscall(258, $dirfd, $name, $mode) == 0; + return syscall(PVE::Syscall::mkdirat, $dirfd, $name, $mode) == 0; } -# NOTE: This calls the dbus main loop and must not be used when another dbus -# main loop is being used as we need to wait for the JobRemoved signal. -# Polling the job status instead doesn't work because this doesn't give us the -# distinction between success and failure. -# -# Note that the description is mandatory for security reasons. -sub enter_systemd_scope { - my ($unit, $description, %extra) = @_; - die "missing description\n" if !defined($description); - - my $timeout = delete $extra{timeout}; - - $unit .= '.scope'; - my $properties = [ [PIDs => [dbus_uint32($$)]] ]; - - foreach my $key (keys %extra) { - if ($key eq 'Slice' || $key eq 'KillMode') { - push @$properties, [$key, $extra{$key}]; - } elsif ($key eq 'CPUShares') { - push @$properties, [$key, dbus_uint64($extra{$key})]; - } elsif ($key eq 'CPUQuota') { - push @$properties, ['CPUQuotaPerSecUSec', - dbus_uint64($extra{$key} * 10000)]; - } else { - die "Don't know how to encode $key for systemd scope\n"; - } - } - - my $job; - my $done = 0; - - my $bus = Net::DBus->system(); - my $reactor = Net::DBus::Reactor->main(); - - my $service = $bus->get_service('org.freedesktop.systemd1'); - my $if = $service->get_object('/org/freedesktop/systemd1', 'org.freedesktop.systemd1.Manager'); - # Connect to the JobRemoved signal since we want to wait for it to finish - my $sigid; - my $timer; - my $cleanup = sub { - my ($no_shutdown) = @_; - $if->disconnect_from_signal('JobRemoved', $sigid) if defined($if); - $if = undef; - $sigid = undef; - $reactor->remove_timeout($timer) if defined($timer); - $timer = undef; - return if $no_shutdown; - $reactor->shutdown(); - }; - - $sigid = $if->connect_to_signal('JobRemoved', sub { - my ($id, $removed_job, $signaled_unit, $result) = @_; - return if $signaled_unit ne $unit || $removed_job ne $job; - $cleanup->(0); - die "systemd job failed\n" if $result ne 'done'; - $done = 1; - }); - - my $on_timeout = sub { - $cleanup->(0); - die "systemd job timed out\n"; - }; - - $timer = $reactor->add_timeout($timeout * 1000, Net::DBus::Callback->new(method => $on_timeout)) - if defined($timeout); - $job = $if->StartTransientUnit($unit, 'fail', $properties, []); - $reactor->run(); - $cleanup->(1); - die "systemd job never completed\n" if !$done; +sub fchownat($$$$$) { + my ($dirfd, $pathname, $owner, $group, $flags) = @_; + return syscall(PVE::Syscall::fchownat, $dirfd, $pathname, $owner, $group, $flags) == 0; } my $salt_starter = time(); @@ -1457,4 +1656,294 @@ sub encrypt_pw { return crypt(encode("utf8", $pw), "\$5\$$salt\$"); } +# intended usage: convert_size($val, "kb" => "gb") +# we round up to the next integer by default +# E.g. `convert_size(1023, "b" => "kb")` returns 1 +# use $no_round_up to switch this off, above example would then return 0 +# this is also true for converting down e.g. 0.0005 gb to mb returns 1 +# (0 if $no_round_up is true) +# allowed formats for value: +# 1234 +# 1234. +# 1234.1234 +# .1234 +sub convert_size { + my ($value, $from, $to, $no_round_up) = @_; + + my $units = { + b => 0, + kb => 1, + mb => 2, + gb => 3, + tb => 4, + pb => 5, + }; + + die "no value given" + if !defined($value) || $value eq ""; + + $from = lc($from // ''); $to = lc($to // ''); + die "unknown 'from' and/or 'to' units ($from => $to)" + if !defined($units->{$from}) || !defined($units->{$to}); + + die "value '$value' is not a valid, positive number" + if $value !~ m/^(?:[0-9]+\.?[0-9]*|[0-9]*\.[0-9]+)$/; + + my $shift_amount = ($units->{$from} - $units->{$to}) * 10; + + $value *= 2**$shift_amount; + $value++ if !$no_round_up && ($value - int($value)) > 0.0; + + return int($value); +} + +# uninterruptible readline +# retries on EINTR +sub readline_nointr { + my ($fh) = @_; + my $line; + while (1) { + $line = <$fh>; + last if defined($line) || ($! != EINTR); + } + return $line; +} + +my $host_arch; +sub get_host_arch { + $host_arch = (POSIX::uname())[4] if !$host_arch; + return $host_arch; +} + +# Devices are: [ (12 bits minor) (12 bits major) (8 bits minor) ] +sub dev_t_major($) { + my ($dev_t) = @_; + return (int($dev_t) & 0xfff00) >> 8; +} + +sub dev_t_minor($) { + my ($dev_t) = @_; + $dev_t = int($dev_t); + return (($dev_t >> 12) & 0xfff00) | ($dev_t & 0xff); +} + +# Given an array of array refs [ \[a b c], \[a b b], \[e b a] ] +# Returns the intersection of elements as a single array [a b] +sub array_intersect { + my ($arrays) = @_; + + if (!ref($arrays->[0])) { + $arrays = [ grep { ref($_) eq 'ARRAY' } @_ ]; + } + + return [] if scalar(@$arrays) == 0; + return $arrays->[0] if scalar(@$arrays) == 1; + + my $array_unique = sub { + my %seen = (); + return grep { ! $seen{ $_ }++ } @_; + }; + + # base idea is to get all unique members from the first array, then + # check the common elements with the next (uniquely made) one, only keep + # those. Repeat for every array and at the end we only have those left + # which exist in all arrays + my $return_arr = [ $array_unique->(@{$arrays->[0]}) ]; + for my $i (1 .. $#$arrays) { + my %count = (); + # $return_arr is already unique, explicit at before the loop, implicit below. + foreach my $element (@$return_arr, $array_unique->(@{$arrays->[$i]})) { + $count{$element}++; + } + $return_arr = []; + foreach my $element (keys %count) { + push @$return_arr, $element if $count{$element} > 1; + } + last if scalar(@$return_arr) == 0; # empty intersection, early exit + } + + return $return_arr; +} + +sub open_tree($$$) { + my ($dfd, $pathname, $flags) = @_; + return PVE::Syscall::file_handle_result(syscall( + &PVE::Syscall::open_tree, + $dfd, + $pathname, + $flags, + )); +} + +sub move_mount($$$$$) { + my ($from_dirfd, $from_pathname, $to_dirfd, $to_pathname, $flags) = @_; + return 0 == syscall( + &PVE::Syscall::move_mount, + $from_dirfd, + $from_pathname, + $to_dirfd, + $to_pathname, + $flags, + ); +} + +sub fsopen($$) { + my ($fsname, $flags) = @_; + return PVE::Syscall::file_handle_result(syscall(&PVE::Syscall::fsopen, $fsname, $flags)); +} + +sub fsmount($$$) { + my ($fd, $flags, $mount_attrs) = @_; + return PVE::Syscall::file_handle_result(syscall( + &PVE::Syscall::fsmount, + $fd, + $flags, + $mount_attrs, + )); +} + +sub fspick($$$) { + my ($dirfd, $pathname, $flags) = @_; + return PVE::Syscall::file_handle_result(syscall( + &PVE::Syscall::fspick, + $dirfd, + $pathname, + $flags, + )); +} + +sub fsconfig($$$$$) { + my ($fd, $command, $key, $value, $aux) = @_; + return 0 == syscall(&PVE::Syscall::fsconfig, $fd, $command, $key, $value, $aux); +} + +# "raw" mount, old api, not for generic use (as it does not invoke any helpers). +# use for lower level stuff such as bind/remount/... or simple tmpfs mounts +sub mount($$$$$) { + my ($source, $target, $filesystemtype, $mountflags, $data) = @_; + return 0 == syscall( + &PVE::Syscall::mount, + $source, + $target, + $filesystemtype, + $mountflags, + $data, + ); +} + +sub safe_compare { + my ($left, $right, $cmp) = @_; + + return 0 if !defined($left) && !defined($right); + return -1 if !defined($left); + return 1 if !defined($right); + return $cmp->($left, $right); +} + + +# opts is a hash ref with the following known properties +# hash_required - if 1, at least one checksum has to be specified otherwise an error will be thrown +# http_proxy +# https_proxy +# verify_certificates - if 0 (false) we tell wget to ignore untrusted TLS certs. Default to true +# md5sum|sha(1|224|256|384|512)sum - the respective expected checksum string +sub download_file_from_url { + my ($dest, $url, $opts) = @_; + + my ($checksum_algorithm, $checksum_expected); + for ('sha512', 'sha384', 'sha256', 'sha224', 'sha1', 'md5') { + if (defined($opts->{"${_}sum"})) { + $checksum_algorithm = $_; + $checksum_expected = $opts->{"${_}sum"}; + last; + } + } + die "checksum required but not specified\n" if ($opts->{hash_required} && !$checksum_algorithm); + + print "downloading $url to $dest\n"; + + if (-f $dest && $checksum_algorithm) { + print "calculating checksum of existing file..."; + my $checksum_got = get_file_hash($checksum_algorithm, $dest); + + if (lc($checksum_got) eq lc($checksum_expected)) { + print "OK, got correct file already, no need to download\n"; + return; + } else { + # we could re-download, but may not be safe so just abort for now.. + print "\n"; # the front end expects the error to reside at the last line without any noise + die "checksum mismatch: got '$checksum_got' != expect '$checksum_expected', aborting\n"; + } + } + + my $tmpdest = "$dest.tmp.$$"; + eval { + local $SIG{INT} = sub { + unlink $tmpdest or warn "could not cleanup temporary file: $!"; + die "got interrupted by signal\n"; + }; + + { # limit the scope of the ENV change + local %ENV; + if ($opts->{http_proxy}) { + $ENV{http_proxy} = $opts->{http_proxy}; + } + if ($opts->{https_proxy}) { + $ENV{https_proxy} = $opts->{https_proxy}; + } + + my $cmd = ['wget', '--progress=dot:giga', '-O', $tmpdest, $url]; + + if (!($opts->{verify_certificates} // 1)) { # default to true + push @$cmd, '--no-check-certificate'; + } + + run_command($cmd, errmsg => "download failed"); + } + + if ($checksum_algorithm) { + print "calculating checksum..."; + + my $checksum_got = get_file_hash($checksum_algorithm, $tmpdest); + + if (lc($checksum_got) eq lc($checksum_expected)) { + print "OK, checksum verified\n"; + } else { + print "\n"; # the front end expects the error to reside at the last line without any noise + die "checksum mismatch: got '$checksum_got' != expect '$checksum_expected'\n"; + } + } + + rename($tmpdest, $dest) or die "unable to rename temporary file: $!\n"; + }; + if (my $err = $@) { + unlink $tmpdest or warn "could not cleanup temporary file: $!"; + die $err; + } + + print "download of '$url' to '$dest' finished\n"; +} + +sub get_file_hash { + my ($algorithm, $filename) = @_; + + my $algorithm_map = { + 'md5' => sub { Digest::MD5->new }, + 'sha1' => sub { Digest::SHA->new(1) }, + 'sha224' => sub { Digest::SHA->new(224) }, + 'sha256' => sub { Digest::SHA->new(256) }, + 'sha384' => sub { Digest::SHA->new(384) }, + 'sha512' => sub { Digest::SHA->new(512) }, + }; + + my $digester = $algorithm_map->{$algorithm}->() or die "unknown algorithm '$algorithm'\n"; + + open(my $fh, '<', $filename) or die "unable to open '$filename': $!\n"; + binmode($fh); + + my $digest = $digester->addfile($fh)->hexdigest; + + return lc($digest); +} + 1;