[pve-common.git] / src / PVE / PBSClient.pm

package PVE::PBSClient;
# utility functions for interaction with Proxmox Backup client CLI executable

use strict;
use warnings;

use Fcntl qw(F_GETFD F_SETFD FD_CLOEXEC);
use IO::File;
use JSON;
use POSIX qw(strftime ENOENT);

use PVE::JSONSchema qw(get_standard_option);
use PVE::Tools qw(run_command file_set_contents file_get_contents file_read_firstline);

sub new {
    my ($class, $scfg, $storeid, $sdir) = @_;

    die "no section config provided\n" if ref($scfg) eq '';
    die "undefined store id\n" if !defined($storeid);

    my $secret_dir = $sdir // '/etc/pve/priv/storage';

    my $self = bless {
	scfg => $scfg,
	storeid => $storeid,
	secret_dir => $secret_dir
    }, $class;
    return $self;
}

my sub password_file_name {
    my ($self) = @_;

    return "$self->{secret_dir}/$self->{storeid}.pw";
}

sub set_password {
    my ($self, $password) = @_;

    my $pwfile = password_file_name($self);
    mkdir $self->{secret_dir};

    PVE::Tools::file_set_contents($pwfile, "$password\n", 0600);
};

sub delete_password {
    my ($self) = @_;

    my $pwfile = password_file_name($self);

    unlink $pwfile or die "deleting password file failed - $!\n";
};

sub get_password {
    my ($self) = @_;

    my $pwfile = password_file_name($self);

    return PVE::Tools::file_read_firstline($pwfile);
}

sub encryption_key_file_name {
    my ($self) = @_;

    return "$self->{secret_dir}/$self->{storeid}.enc";
};

sub set_encryption_key {
    my ($self, $key) = @_;

    my $encfile = $self->encryption_key_file_name();
    mkdir $self->{secret_dir};

    PVE::Tools::file_set_contents($encfile, "$key\n", 0600);
};

sub delete_encryption_key {
    my ($self) = @_;

    my $encfile = $self->encryption_key_file_name();

    if (!unlink $encfile) {
	return if $! == ENOENT;
	die "failed to delete encryption key! $!\n";
    }
};

# Returns a file handle if there is an encryption key, or `undef` if there is not. Dies on error.
my sub open_encryption_key {
    my ($self) = @_;

    my $encryption_key_file = $self->encryption_key_file_name();

    my $keyfd;
    if (!open($keyfd, '<', $encryption_key_file)) {
	return undef if $! == ENOENT;
	die "failed to open encryption key: $encryption_key_file: $!\n";
    }

    return $keyfd;
}

my $USE_CRYPT_PARAMS = {
    backup => 1,
    restore => 1,
    'upload-log' => 1,
};

my sub do_raw_client_cmd {
    my ($self, $client_cmd, $param, %opts) = @_;

    my $use_crypto = $USE_CRYPT_PARAMS->{$client_cmd};

    my $client_exe = '/usr/bin/proxmox-backup-client';
    die "executable not found '$client_exe'! Proxmox backup client not installed?\n"
	if ! -x $client_exe;

    my $scfg = $self->{scfg};
    my $server = $scfg->{server};
    my $datastore = $scfg->{datastore};
    my $username = $scfg->{username} // 'root@pam';

    my $userns_cmd = delete $opts{userns_cmd};

    my $cmd = [];

    push @$cmd, @$userns_cmd if defined($userns_cmd);

    push @$cmd, $client_exe, $client_cmd;

    # This must live in the top scope to not get closed before the `run_command`
    my $keyfd;
    if ($use_crypto) {
	if (defined($keyfd = open_encryption_key($self))) {
	    my $flags = fcntl($keyfd, F_GETFD, 0)
		// die "failed to get file descriptor flags: $!\n";
	    fcntl($keyfd, F_SETFD, $flags & ~FD_CLOEXEC)
		or die "failed to remove FD_CLOEXEC from encryption key file descriptor\n";
	    push @$cmd, '--crypt-mode=encrypt', '--keyfd='.fileno($keyfd);
	} else {
	    push @$cmd, '--crypt-mode=none';
	}
    }

    push @$cmd, @$param if defined($param);

    push @$cmd, "--repository", "$username\@$server:$datastore";

    local $ENV{PBS_PASSWORD} = $self->get_password();

    local $ENV{PBS_FINGERPRINT} = $scfg->{fingerprint};

    # no ascii-art on task logs
    local $ENV{PROXMOX_OUTPUT_NO_BORDER} = 1;
    local $ENV{PROXMOX_OUTPUT_NO_HEADER} = 1;

    if (my $logfunc = $opts{logfunc}) {
	$logfunc->("run: " . join(' ', @$cmd));
    }

    run_command($cmd, %opts);
}

my sub run_raw_client_cmd {
    my ($self, $client_cmd, $param, %opts) = @_;
    return do_raw_client_cmd($self, $client_cmd, $param, %opts);
}

my sub run_client_cmd {
    my ($self, $client_cmd, $param, $no_output) = @_;

    my $json_str = '';
    my $outfunc = sub { $json_str .= "$_[0]\n" };

    $param = [] if !defined($param);
    $param = [ $param ] if !ref($param);

    $param = [@$param, '--output-format=json'] if !$no_output;

    do_raw_client_cmd(
        $self,
        $client_cmd,
        $param,
        outfunc => $outfunc,
        errmsg => 'proxmox-backup-client failed'
    );

    return undef if $no_output;

    my $res = decode_json($json_str);

    return $res;
}

sub autogen_encryption_key {
    my ($self) = @_;
    my $encfile = $self->encryption_key_file_name();
    run_command(
        ['proxmox-backup-client', 'key', 'create', '--kdf', 'none', $encfile],
        errmsg => 'failed to create encryption key'
    );
    return file_get_contents($encfile);
};

# lists all snapshots, optionally limited to a specific group
sub get_snapshots {
    my ($self, $group) = @_;

    my $param = [];
    push @$param, $group if defined($group);

    return run_client_cmd($self, "snapshots", $param);
};

sub backup_tree {
    my ($self, $opts) = @_;

    my $type = delete $opts->{type};
    die "backup-type not provided\n" if !defined($type);
    my $id = delete $opts->{id};
    die "backup-id not provided\n" if !defined($id);
    my $root = delete $opts->{root};
    die "root dir not provided\n" if !defined($root);
    my $pxarname = delete $opts->{pxarname};
    die "archive name not provided\n" if !defined($pxarname);
    my $time = delete $opts->{time};

    my $param = [
	"$pxarname.pxar:$root",
	'--backup-type', $type,
	'--backup-id', $id,
    ];
    push @$param, '--backup-time', $time if defined($time);

    return run_raw_client_cmd($self, 'backup', $param, %$opts);
};

sub restore_pxar {
    my ($self, $snapshot, $pxarname, $target, $cmd_opts) = @_;

    die "snapshot not provided\n" if !defined($snapshot);
    die "archive name not provided\n" if !defined($pxarname);
    die "restore-target not provided\n" if !defined($target);

    my $param = [
	"$snapshot",
	"$pxarname.pxar",
	"$target",
	"--allow-existing-dirs", 0,
    ];
    $cmd_opts //= {};

    return run_raw_client_cmd($self, 'restore', $param, %$cmd_opts);
};

sub forget_snapshot {
    my ($self, $snapshot) = @_;

    die "snapshot not provided\n" if !defined($snapshot);

    return run_raw_client_cmd($self, 'forget', ["$snapshot"]);
};

sub prune_group {
    my ($self, $opts, $prune_opts, $group) = @_;

    die "group not provided\n" if !defined($group);

    # do nothing if no keep options specified for remote
    return [] if scalar(keys %$prune_opts) == 0;

    my $param = [];

    push @$param, "--quiet";

    if (defined($opts->{'dry-run'}) && $opts->{'dry-run'}) {
	push @$param, "--dry-run", $opts->{'dry-run'};
    }

    foreach my $keep_opt (keys %$prune_opts) {
	push @$param, "--$keep_opt", $prune_opts->{$keep_opt};
    }
    push @$param, "$group";

    return run_client_cmd($self, 'prune', $param);
};

sub status {
    my ($self) = @_;

    my $total = 0;
    my $free = 0;
    my $used = 0;
    my $active = 0;

    eval {
	my $res = run_client_cmd($self, "status");

	$active = 1;
	$total = $res->{total};
	$used = $res->{used};
	$free = $res->{avail};
    };
    if (my $err = $@) {
	warn $err;
    }

    return ($total, $free, $used, $active);
};

1;
Commit	Line	Data
0904f388	1	package PVE::PBSClient;
243568ca	2	# utility functions for interaction with Proxmox Backup client CLI executable
0904f388 SI	3
	4	use strict;
	5	use warnings;
243568ca	6
0904f388 SI	7	use Fcntl qw(F_GETFD F_SETFD FD_CLOEXEC);
	8	use IO::File;
	9	use JSON;
	10	use POSIX qw(strftime ENOENT);
	11
0904f388	12	use PVE::JSONSchema qw(get_standard_option);
243568ca	13	use PVE::Tools qw(run_command file_set_contents file_get_contents file_read_firstline);
0904f388 SI	14
	15	sub new {
	16	my ($class, $scfg, $storeid, $sdir) = @_;
	17
	18	die "no section config provided\n" if ref($scfg) eq '';
	19	die "undefined store id\n" if !defined($storeid);
	20
	21	my $secret_dir = $sdir // '/etc/pve/priv/storage';
	22
243568ca TL	23	my $self = bless {
	24	scfg => $scfg,
	25	storeid => $storeid,
	26	secret_dir => $secret_dir
	27	}, $class;
	28	return $self;
0904f388 SI	29	}
	30
	31	my sub password_file_name {
	32	my ($self) = @_;
	33
	34	return "$self->{secret_dir}/$self->{storeid}.pw";
	35	}
	36
	37	sub set_password {
	38	my ($self, $password) = @_;
	39
69a3a585	40	my $pwfile = password_file_name($self);
0904f388 SI	41	mkdir $self->{secret_dir};
	42
	43	PVE::Tools::file_set_contents($pwfile, "$password\n", 0600);
	44	};
	45
	46	sub delete_password {
	47	my ($self) = @_;
	48
69a3a585	49	my $pwfile = password_file_name($self);
0904f388	50
69a3a585	51	unlink $pwfile or die "deleting password file failed - $!\n";
0904f388 SI	52	};
	53
	54	sub get_password {
	55	my ($self) = @_;
	56
69a3a585	57	my $pwfile = password_file_name($self);
0904f388 SI	58
	59	return PVE::Tools::file_read_firstline($pwfile);
	60	}
	61
	62	sub encryption_key_file_name {
	63	my ($self) = @_;
	64
	65	return "$self->{secret_dir}/$self->{storeid}.enc";
	66	};
	67
	68	sub set_encryption_key {
	69	my ($self, $key) = @_;
	70
243568ca	71	my $encfile = $self->encryption_key_file_name();
0904f388 SI	72	mkdir $self->{secret_dir};
	73
	74	PVE::Tools::file_set_contents($encfile, "$key\n", 0600);
	75	};
	76
	77	sub delete_encryption_key {
	78	my ($self) = @_;
	79
243568ca	80	my $encfile = $self->encryption_key_file_name();
0904f388 SI	81
	82	if (!unlink $encfile) {
	83	return if $! == ENOENT;
	84	die "failed to delete encryption key! $!\n";
	85	}
	86	};
	87
	88	# Returns a file handle if there is an encryption key, or `undef` if there is not. Dies on error.
	89	my sub open_encryption_key {
	90	my ($self) = @_;
	91
243568ca	92	my $encryption_key_file = $self->encryption_key_file_name();
0904f388 SI	93
	94	my $keyfd;
	95	if (!open($keyfd, '<', $encryption_key_file)) {
	96	return undef if $! == ENOENT;
	97	die "failed to open encryption key: $encryption_key_file: $!\n";
	98	}
	99
	100	return $keyfd;
	101	}
	102
	103	my $USE_CRYPT_PARAMS = {
	104	backup => 1,
	105	restore => 1,
	106	'upload-log' => 1,
	107	};
	108
	109	my sub do_raw_client_cmd {
	110	my ($self, $client_cmd, $param, %opts) = @_;
	111
	112	my $use_crypto = $USE_CRYPT_PARAMS->{$client_cmd};
	113
	114	my $client_exe = '/usr/bin/proxmox-backup-client';
	115	die "executable not found '$client_exe'! Proxmox backup client not installed?\n"
	116	if ! -x $client_exe;
	117
	118	my $scfg = $self->{scfg};
	119	my $server = $scfg->{server};
	120	my $datastore = $scfg->{datastore};
	121	my $username = $scfg->{username} // 'root@pam';
	122
	123	my $userns_cmd = delete $opts{userns_cmd};
	124
	125	my $cmd = [];
	126
	127	push @$cmd, @$userns_cmd if defined($userns_cmd);
	128
	129	push @$cmd, $client_exe, $client_cmd;
	130
	131	# This must live in the top scope to not get closed before the `run_command`
	132	my $keyfd;
	133	if ($use_crypto) {
69a3a585	134	if (defined($keyfd = open_encryption_key($self))) {
0904f388 SI	135	my $flags = fcntl($keyfd, F_GETFD, 0)
	136	// die "failed to get file descriptor flags: $!\n";
	137	fcntl($keyfd, F_SETFD, $flags & ~FD_CLOEXEC)
	138	or die "failed to remove FD_CLOEXEC from encryption key file descriptor\n";
	139	push @$cmd, '--crypt-mode=encrypt', '--keyfd='.fileno($keyfd);
	140	} else {
	141	push @$cmd, '--crypt-mode=none';
	142	}
	143	}
	144
	145	push @$cmd, @$param if defined($param);
	146
	147	push @$cmd, "--repository", "$username\@$server:$datastore";
	148
243568ca	149	local $ENV{PBS_PASSWORD} = $self->get_password();
0904f388 SI	150
	151	local $ENV{PBS_FINGERPRINT} = $scfg->{fingerprint};
	152
	153	# no ascii-art on task logs
	154	local $ENV{PROXMOX_OUTPUT_NO_BORDER} = 1;
	155	local $ENV{PROXMOX_OUTPUT_NO_HEADER} = 1;
	156
	157	if (my $logfunc = $opts{logfunc}) {
	158	$logfunc->("run: " . join(' ', @$cmd));
	159	}
	160
	161	run_command($cmd, %opts);
	162	}
	163
	164	my sub run_raw_client_cmd {
	165	my ($self, $client_cmd, $param, %opts) = @_;
69a3a585	166	return do_raw_client_cmd($self, $client_cmd, $param, %opts);
0904f388 SI	167	}
	168
	169	my sub run_client_cmd {
	170	my ($self, $client_cmd, $param, $no_output) = @_;
	171
	172	my $json_str = '';
	173	my $outfunc = sub { $json_str .= "$_[0]\n" };
	174
	175	$param = [] if !defined($param);
	176	$param = [ $param ] if !ref($param);
	177
	178	$param = [@$param, '--output-format=json'] if !$no_output;
	179
69a3a585 TL	180	do_raw_client_cmd(
69a3a585 TL	181	$self,
243568ca TL	182	$client_cmd,
	183	$param,
	184	outfunc => $outfunc,
	185	errmsg => 'proxmox-backup-client failed'
	186	);
0904f388 SI	187
	188	return undef if $no_output;
	189
	190	my $res = decode_json($json_str);
	191
	192	return $res;
	193	}
	194
	195	sub autogen_encryption_key {
	196	my ($self) = @_;
243568ca	197	my $encfile = $self->encryption_key_file_name();
0cc6c7e0 TL	198	run_command(
	199	['proxmox-backup-client', 'key', 'create', '--kdf', 'none', $encfile],
	200	errmsg => 'failed to create encryption key'
	201	);
	202	return file_get_contents($encfile);
0904f388 SI	203	};
0904f388 SI	204
2113c7e8	205	# lists all snapshots, optionally limited to a specific group
0904f388	206	sub get_snapshots {
2113c7e8	207	my ($self, $group) = @_;
0904f388 SI	208
0904f388 SI	209	my $param = [];
2113c7e8	210	push @$param, $group if defined($group);
0904f388	211
69a3a585	212	return run_client_cmd($self, "snapshots", $param);
0904f388 SI	213	};
	214
	215	sub backup_tree {
	216	my ($self, $opts) = @_;
	217
	218	my $type = delete $opts->{type};
	219	die "backup-type not provided\n" if !defined($type);
	220	my $id = delete $opts->{id};
	221	die "backup-id not provided\n" if !defined($id);
	222	my $root = delete $opts->{root};
	223	die "root dir not provided\n" if !defined($root);
	224	my $pxarname = delete $opts->{pxarname};
	225	die "archive name not provided\n" if !defined($pxarname);
	226	my $time = delete $opts->{time};
	227
ad6b3237 TL	228	my $param = [
	229	"$pxarname.pxar:$root",
	230	'--backup-type', $type,
	231	'--backup-id', $id,
	232	];
0904f388 SI	233	push @$param, '--backup-time', $time if defined($time);
0904f388 SI	234
69a3a585	235	return run_raw_client_cmd($self, 'backup', $param, %$opts);
0904f388 SI	236	};
	237
	238	sub restore_pxar {
8b88b2f6	239	my ($self, $snapshot, $pxarname, $target, $cmd_opts) = @_;
0904f388	240
0904f388	241	die "snapshot not provided\n" if !defined($snapshot);
0904f388	242	die "archive name not provided\n" if !defined($pxarname);
0904f388	243	die "restore-target not provided\n" if !defined($target);
0904f388	244
ad6b3237 TL	245	my $param = [
	246	"$snapshot",
	247	"$pxarname.pxar",
	248	"$target",
	249	"--allow-existing-dirs", 0,
	250	];
8b88b2f6	251	$cmd_opts //= {};
0904f388	252
69a3a585	253	return run_raw_client_cmd($self, 'restore', $param, %$cmd_opts);
0904f388 SI	254	};
	255
	256	sub forget_snapshot {
	257	my ($self, $snapshot) = @_;
	258
	259	die "snapshot not provided\n" if !defined($snapshot);
	260
69a3a585	261	return run_raw_client_cmd($self, 'forget', ["$snapshot"]);
0904f388 SI	262	};
	263
	264	sub prune_group {
	265	my ($self, $opts, $prune_opts, $group) = @_;
	266
	267	die "group not provided\n" if !defined($group);
	268
	269	# do nothing if no keep options specified for remote
	270	return [] if scalar(keys %$prune_opts) == 0;
	271
	272	my $param = [];
	273
	274	push @$param, "--quiet";
	275
	276	if (defined($opts->{'dry-run'}) && $opts->{'dry-run'}) {
	277	push @$param, "--dry-run", $opts->{'dry-run'};
	278	}
	279
	280	foreach my $keep_opt (keys %$prune_opts) {
	281	push @$param, "--$keep_opt", $prune_opts->{$keep_opt};
	282	}
	283	push @$param, "$group";
	284
69a3a585	285	return run_client_cmd($self, 'prune', $param);
0904f388 SI	286	};
	287
	288	sub status {
	289	my ($self) = @_;
	290
	291	my $total = 0;
	292	my $free = 0;
	293	my $used = 0;
	294	my $active = 0;
	295
	296	eval {
69a3a585	297	my $res = run_client_cmd($self, "status");
0904f388 SI	298
	299	$active = 1;
	300	$total = $res->{total};
	301	$used = $res->{used};
	302	$free = $res->{avail};
	303	};
	304	if (my $err = $@) {
	305	warn $err;
	306	}
	307
	308	return ($total, $free, $used, $active);
	309	};
	310
	311	1;