use std::sync::Arc;
use std::path::{Path, PathBuf};
+use std::pin::Pin;
use std::os::unix::io::AsRawFd;
use anyhow::{bail, format_err, Error};
use futures::*;
-use hyper;
+
use openssl::ssl::{SslMethod, SslAcceptor, SslFiletype};
use tokio_stream::wrappers::ReceiverStream;
+use serde_json::Value;
use proxmox::try_block;
use proxmox::api::RpcEnvironmentType;
use proxmox_backup::{
backup::DataStore,
server::{
+ auth::default_api_auth,
WorkerTask,
ApiConfig,
rest::*,
disks::{
DiskManage,
zfs_pool_stats,
+ get_pool_from_dataset,
},
logrotate::LogRotate,
socket::{
};
use proxmox_backup::api2::pull::do_sync_job;
+use proxmox_backup::api2::tape::backup::do_tape_backup_job;
use proxmox_backup::server::do_verification_job;
use proxmox_backup::server::do_prune_job;
let _ = csrf_secret(); // load with lazy_static
let mut config = ApiConfig::new(
- buildcfg::JS_DIR, &proxmox_backup::api2::ROUTER, RpcEnvironmentType::PUBLIC)?;
+ buildcfg::JS_DIR,
+ &proxmox_backup::api2::ROUTER,
+ RpcEnvironmentType::PUBLIC,
+ default_api_auth(),
+ )?;
config.add_alias("novnc", "/usr/share/novnc-pve");
config.add_alias("extjs", "/usr/share/javascript/extjs");
let rest_server = RestServer::new(config);
//openssl req -x509 -newkey rsa:4096 -keyout /etc/proxmox-backup/proxy.key -out /etc/proxmox-backup/proxy.pem -nodes
- let key_path = configdir!("/proxy.key");
- let cert_path = configdir!("/proxy.pem");
- let mut acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap();
- acceptor.set_private_key_file(key_path, SslFiletype::PEM)
- .map_err(|err| format_err!("unable to read proxy key {} - {}", key_path, err))?;
- acceptor.set_certificate_chain_file(cert_path)
- .map_err(|err| format_err!("unable to read proxy cert {} - {}", cert_path, err))?;
- acceptor.check_private_key().unwrap();
-
- let acceptor = Arc::new(acceptor.build());
+ // we build the initial acceptor here as we cannot start if this fails - certificate reloads
+ // will be handled inside the accept loop and simply log an error if we cannot load the new
+ // certificate!
+ let acceptor = make_tls_acceptor()?;
+
+ // to renew the acceptor we just let a command-socket handler trigger a Notify:
+ let notify_tls_cert_reload = Arc::new(tokio::sync::Notify::new());
+ commando_sock.register_command(
+ "reload-certificate".to_string(),
+ {
+ let notify_tls_cert_reload = Arc::clone(¬ify_tls_cert_reload);
+ move |_value| -> Result<_, Error> {
+ notify_tls_cert_reload.notify_one();
+ Ok(Value::Null)
+ }
+ },
+ )?;
let server = daemon::create_daemon(
([0,0,0,0,0,0,0,0], 8007).into(),
- |listener, ready| {
+ move |listener, ready| {
- let connections = accept_connections(listener, acceptor, debug);
+ let connections = accept_connections(listener, acceptor, debug, notify_tls_cert_reload);
let connections = hyper::server::accept::from_stream(ReceiverStream::new(connections));
Ok(ready
Ok(())
}
+fn make_tls_acceptor() -> Result<Arc<SslAcceptor>, Error> {
+ let key_path = configdir!("/proxy.key");
+ let cert_path = configdir!("/proxy.pem");
+
+ let mut acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap();
+ acceptor.set_private_key_file(key_path, SslFiletype::PEM)
+ .map_err(|err| format_err!("unable to read proxy key {} - {}", key_path, err))?;
+ acceptor.set_certificate_chain_file(cert_path)
+ .map_err(|err| format_err!("unable to read proxy cert {} - {}", cert_path, err))?;
+ acceptor.check_private_key().unwrap();
+
+ Ok(Arc::new(acceptor.build()))
+}
+
+type ClientStreamResult =
+ Result<std::pin::Pin<Box<tokio_openssl::SslStream<tokio::net::TcpStream>>>, Error>;
+const MAX_PENDING_ACCEPTS: usize = 1024;
+
fn accept_connections(
listener: tokio::net::TcpListener,
acceptor: Arc<openssl::ssl::SslAcceptor>,
debug: bool,
-) -> tokio::sync::mpsc::Receiver<Result<std::pin::Pin<Box<tokio_openssl::SslStream<tokio::net::TcpStream>>>, Error>> {
-
- const MAX_PENDING_ACCEPTS: usize = 1024;
+ notify_tls_cert_reload: Arc<tokio::sync::Notify>,
+) -> tokio::sync::mpsc::Receiver<ClientStreamResult> {
let (sender, receiver) = tokio::sync::mpsc::channel(MAX_PENDING_ACCEPTS);
+ tokio::spawn(accept_connection(listener, acceptor, debug, sender, notify_tls_cert_reload));
+
+ receiver
+}
+
+async fn accept_connection(
+ listener: tokio::net::TcpListener,
+ mut acceptor: Arc<openssl::ssl::SslAcceptor>,
+ debug: bool,
+ sender: tokio::sync::mpsc::Sender<ClientStreamResult>,
+ notify_tls_cert_reload: Arc<tokio::sync::Notify>,
+) {
let accept_counter = Arc::new(());
- tokio::spawn(async move {
- loop {
- match listener.accept().await {
+ // Note that these must not be moved out/modified directly, they get pinned in the loop and
+ // "rearmed" after waking up:
+ let mut reload_tls = notify_tls_cert_reload.notified();
+ let mut accept = listener.accept();
+
+ loop {
+ let sock;
+
+ // normally we'd use `tokio::pin!()` but we need this to happen outside the loop and we
+ // need to be able to "rearm" the futures:
+ let reload_tls_pin = unsafe { Pin::new_unchecked(&mut reload_tls) };
+ let accept_pin = unsafe { Pin::new_unchecked(&mut accept) };
+ tokio::select! {
+ _ = reload_tls_pin => {
+ // rearm the notification:
+ reload_tls = notify_tls_cert_reload.notified();
+
+ log::info!("reloading certificate");
+ match make_tls_acceptor() {
+ Err(err) => eprintln!("error reloading certificate: {}", err),
+ Ok(new_acceptor) => acceptor = new_acceptor,
+ }
+ continue;
+ }
+ res = accept_pin => match res {
Err(err) => {
eprintln!("error accepting tcp connection: {}", err);
+ continue;
}
- Ok((sock, _addr)) => {
- sock.set_nodelay(true).unwrap();
- let _ = set_tcp_keepalive(sock.as_raw_fd(), PROXMOX_BACKUP_TCP_KEEPALIVE_TIME);
- let acceptor = Arc::clone(&acceptor);
-
- let ssl = match openssl::ssl::Ssl::new(acceptor.context()) {
- Ok(ssl) => ssl,
- Err(err) => {
- eprintln!("failed to create Ssl object from Acceptor context - {}", err);
- continue;
- },
- };
- let stream = match tokio_openssl::SslStream::new(ssl, sock) {
- Ok(stream) => stream,
- Err(err) => {
- eprintln!("failed to create SslStream using ssl and connection socket - {}", err);
- continue;
- },
- };
-
- let mut stream = Box::pin(stream);
- let sender = sender.clone();
-
- if Arc::strong_count(&accept_counter) > MAX_PENDING_ACCEPTS {
- eprintln!("connection rejected - to many open connections");
- continue;
- }
+ Ok((new_sock, _addr)) => {
+ // rearm the accept future:
+ accept = listener.accept();
- let accept_counter = accept_counter.clone();
- tokio::spawn(async move {
- let accept_future = tokio::time::timeout(
- Duration::new(10, 0), stream.as_mut().accept());
-
- let result = accept_future.await;
-
- match result {
- Ok(Ok(())) => {
- if sender.send(Ok(stream)).await.is_err() && debug {
- eprintln!("detect closed connection channel");
- }
- }
- Ok(Err(err)) => {
- if debug {
- eprintln!("https handshake failed - {}", err);
- }
- }
- Err(_) => {
- if debug {
- eprintln!("https handshake timeout");
- }
- }
- }
-
- drop(accept_counter); // decrease reference count
- });
+ sock = new_sock;
}
}
+ };
+
+ sock.set_nodelay(true).unwrap();
+ let _ = set_tcp_keepalive(sock.as_raw_fd(), PROXMOX_BACKUP_TCP_KEEPALIVE_TIME);
+ let acceptor = Arc::clone(&acceptor);
+
+ let ssl = match openssl::ssl::Ssl::new(acceptor.context()) {
+ Ok(ssl) => ssl,
+ Err(err) => {
+ eprintln!("failed to create Ssl object from Acceptor context - {}", err);
+ continue;
+ },
+ };
+ let stream = match tokio_openssl::SslStream::new(ssl, sock) {
+ Ok(stream) => stream,
+ Err(err) => {
+ eprintln!("failed to create SslStream using ssl and connection socket - {}", err);
+ continue;
+ },
+ };
+
+ let mut stream = Box::pin(stream);
+ let sender = sender.clone();
+
+ if Arc::strong_count(&accept_counter) > MAX_PENDING_ACCEPTS {
+ eprintln!("connection rejected - to many open connections");
+ continue;
}
- });
- receiver
+ let accept_counter = Arc::clone(&accept_counter);
+ tokio::spawn(async move {
+ let accept_future = tokio::time::timeout(
+ Duration::new(10, 0), stream.as_mut().accept());
+
+ let result = accept_future.await;
+
+ match result {
+ Ok(Ok(())) => {
+ if sender.send(Ok(stream)).await.is_err() && debug {
+ eprintln!("detect closed connection channel");
+ }
+ }
+ Ok(Err(err)) => {
+ if debug {
+ eprintln!("https handshake failed - {}", err);
+ }
+ }
+ Err(_) => {
+ if debug {
+ eprintln!("https handshake timeout");
+ }
+ }
+ }
+
+ drop(accept_counter); // decrease reference count
+ });
+ }
}
fn start_stat_generator() {
schedule_datastore_prune().await;
schedule_datastore_sync_jobs().await;
schedule_datastore_verify_jobs().await;
+ schedule_tape_backup_jobs().await;
schedule_task_log_rotate().await;
Ok(())
}
}
+async fn schedule_tape_backup_jobs() {
+
+ use proxmox_backup::config::tape_job::{
+ self,
+ TapeBackupJobConfig,
+ };
+
+ let config = match tape_job::config() {
+ Err(err) => {
+ eprintln!("unable to read tape job config - {}", err);
+ return;
+ }
+ Ok((config, _digest)) => config,
+ };
+ for (job_id, (_, job_config)) in config.sections {
+ let job_config: TapeBackupJobConfig = match serde_json::from_value(job_config) {
+ Ok(c) => c,
+ Err(err) => {
+ eprintln!("tape backup job config from_value failed - {}", err);
+ continue;
+ }
+ };
+ let event_str = match job_config.schedule {
+ Some(ref event_str) => event_str.clone(),
+ None => continue,
+ };
+
+ let worker_type = "tape-backup-job";
+ let auth_id = Authid::root_auth_id().clone();
+ if check_schedule(worker_type, &event_str, &job_id) {
+ let job = match Job::new(&worker_type, &job_id) {
+ Ok(job) => job,
+ Err(_) => continue, // could not get lock
+ };
+ if let Err(err) = do_tape_backup_job(job, job_config.setup, &auth_id, Some(event_str)) {
+ eprintln!("unable to start tape backup job {} - {}", &job_id, err);
+ }
+ };
+ }
+}
+
+
async fn schedule_task_log_rotate() {
let worker_type = "logrotate";
// only care about the most recent daemon instance for each, proxy & api, as other older ones
// should not respond to new requests anyway, but only finish their current one and then exit.
let sock = server::our_ctrl_sock();
- let f1 = server::send_command(sock, serde_json::json!({
- "command": "api-access-log-reopen",
- }));
+ let f1 = server::send_command(sock, "{\"command\":\"api-access-log-reopen\"}\n");
let pid = server::read_pid(buildcfg::PROXMOX_BACKUP_API_PID_FN)?;
let sock = server::ctrl_sock_from_pid(pid);
- let f2 = server::send_command(sock, serde_json::json!({
- "command": "api-access-log-reopen",
- }));
+ let f2 = server::send_command(sock, "{\"command\":\"api-access-log-reopen\"}\n");
match futures::join!(f1, f2) {
(Err(e1), Err(e2)) => Err(format_err!("reopen commands failed, proxy: {}; api: {}", e1, e2)),
match datastore::config() {
Ok((config, _)) => {
let datastore_list: Vec<datastore::DataStoreConfig> =
- config.convert_to_typed_array("datastore").unwrap_or(Vec::new());
+ config.convert_to_typed_array("datastore").unwrap_or_default();
for config in datastore_list {
let mut device_stat = None;
match fs_type.as_str() {
"zfs" => {
- if let Some(pool) = source {
- match zfs_pool_stats(&pool) {
+ if let Some(source) = source {
+ let pool = get_pool_from_dataset(&source).unwrap_or(&source);
+ match zfs_pool_stats(pool) {
Ok(stat) => device_stat = stat,
Err(err) => eprintln!("zfs_pool_stats({:?}) failed - {}", pool, err),
}
projects / proxmox-backup.git / blobdiff