[pve-common.git] / src / PVE / PBSClient.pm

package PVE::PBSClient;
# utility functions for interaction with Proxmox Backup client CLI executable

use strict;
use warnings;

use Fcntl qw(F_GETFD F_SETFD FD_CLOEXEC);
use IO::File;
use JSON;
use POSIX qw(strftime ENOENT);

use PVE::JSONSchema qw(get_standard_option);
use PVE::Tools qw(run_command file_set_contents file_get_contents file_read_firstline $IPV6RE);

# returns a repository string suitable for proxmox-backup-client, pbs-restore, etc.
# $scfg must have the following structure:
# {
#     datastore
#     server
#     port        (optional defaults to 8007)
#     username    (optional defaults to 'root@pam')
# }
sub get_repository {
    my ($scfg) = @_;

    my $server = $scfg->{server};
    die "no server given\n" if !defined($server);

    $server = "[$server]" if $server =~ /^$IPV6RE$/;

    if (my $port = $scfg->{port}) {
	$server .= ":$port" if $port != 8007;
    }

    my $datastore = $scfg->{datastore};
    die "no datastore given\n" if !defined($datastore);

    my $username = $scfg->{username} // 'root@pam';

    return "$username\@$server:$datastore";
}

sub new {
    my ($class, $scfg, $storeid, $sdir) = @_;

    die "no section config provided\n" if ref($scfg) eq '';
    die "undefined store id\n" if !defined($storeid);

    my $secret_dir = $sdir // '/etc/pve/priv/storage';

    my $self = bless {
	scfg => $scfg,
	storeid => $storeid,
	secret_dir => $secret_dir
    }, $class;
    return $self;
}

my sub password_file_name {
    my ($self) = @_;

    return "$self->{secret_dir}/$self->{storeid}.pw";
}

sub set_password {
    my ($self, $password) = @_;

    my $pwfile = password_file_name($self);
    mkdir $self->{secret_dir};

    PVE::Tools::file_set_contents($pwfile, "$password\n", 0600);
};

sub delete_password {
    my ($self) = @_;

    my $pwfile = password_file_name($self);

    unlink $pwfile or die "deleting password file failed - $!\n";
};

sub get_password {
    my ($self) = @_;

    my $pwfile = password_file_name($self);

    return PVE::Tools::file_read_firstline($pwfile);
}

sub encryption_key_file_name {
    my ($self) = @_;

    return "$self->{secret_dir}/$self->{storeid}.enc";
};

sub set_encryption_key {
    my ($self, $key) = @_;

    my $encfile = $self->encryption_key_file_name();
    mkdir $self->{secret_dir};

    PVE::Tools::file_set_contents($encfile, "$key\n", 0600);
};

sub delete_encryption_key {
    my ($self) = @_;

    my $encfile = $self->encryption_key_file_name();

    if (!unlink $encfile) {
	return if $! == ENOENT;
	die "failed to delete encryption key! $!\n";
    }
};

# Returns a file handle if there is an encryption key, or `undef` if there is not. Dies on error.
my sub open_encryption_key {
    my ($self) = @_;

    my $encryption_key_file = $self->encryption_key_file_name();

    my $keyfd;
    if (!open($keyfd, '<', $encryption_key_file)) {
	return undef if $! == ENOENT;
	die "failed to open encryption key: $encryption_key_file: $!\n";
    }

    return $keyfd;
}

my $USE_CRYPT_PARAMS = {
    backup => 1,
    restore => 1,
    'upload-log' => 1,
};

my sub do_raw_client_cmd {
    my ($self, $client_cmd, $param, %opts) = @_;

    my $use_crypto = $USE_CRYPT_PARAMS->{$client_cmd};

    my $client_exe = (delete $opts{binary}) || 'proxmox-backup-client';
    $client_exe = "/usr/bin/$client_exe";
    die "executable not found '$client_exe'! proxmox-backup-client or proxmox-backup-file-restore not installed?\n"
	if ! -x $client_exe;

    my $scfg = $self->{scfg};
    my $repo = get_repository($scfg);

    my $userns_cmd = delete $opts{userns_cmd};

    my $cmd = [];

    push @$cmd, @$userns_cmd if defined($userns_cmd);

    push @$cmd, $client_exe, $client_cmd;

    # This must live in the top scope to not get closed before the `run_command`
    my $keyfd;
    if ($use_crypto) {
	if (defined($keyfd = open_encryption_key($self))) {
	    my $flags = fcntl($keyfd, F_GETFD, 0)
		// die "failed to get file descriptor flags: $!\n";
	    fcntl($keyfd, F_SETFD, $flags & ~FD_CLOEXEC)
		or die "failed to remove FD_CLOEXEC from encryption key file descriptor\n";
	    push @$cmd, '--crypt-mode=encrypt', '--keyfd='.fileno($keyfd);
	} else {
	    push @$cmd, '--crypt-mode=none';
	}
    }

    push @$cmd, @$param if defined($param);

    push @$cmd, "--repository", $repo;

    local $ENV{PBS_PASSWORD} = $self->get_password();

    local $ENV{PBS_FINGERPRINT} = $scfg->{fingerprint};

    # no ascii-art on task logs
    local $ENV{PROXMOX_OUTPUT_NO_BORDER} = 1;
    local $ENV{PROXMOX_OUTPUT_NO_HEADER} = 1;

    if (my $logfunc = $opts{logfunc}) {
	$logfunc->("run: " . join(' ', @$cmd));
    }

    run_command($cmd, %opts);
}

my sub run_raw_client_cmd {
    my ($self, $client_cmd, $param, %opts) = @_;
    return do_raw_client_cmd($self, $client_cmd, $param, %opts);
}

my sub run_client_cmd {
    my ($self, $client_cmd, $param, $no_output, $binary) = @_;

    my $json_str = '';
    my $outfunc = sub { $json_str .= "$_[0]\n" };

    $binary //= 'proxmox-backup-client';

    $param = [] if !defined($param);
    $param = [ $param ] if !ref($param);

    $param = [@$param, '--output-format=json'] if !$no_output;

    do_raw_client_cmd(
	$self,
	$client_cmd,
	$param,
	outfunc => $outfunc,
	errmsg => "$binary failed",
	binary => $binary,
    );

    return undef if $no_output;

    my $res = decode_json($json_str);

    return $res;
}

sub autogen_encryption_key {
    my ($self) = @_;
    my $encfile = $self->encryption_key_file_name();
    run_command(
        ['proxmox-backup-client', 'key', 'create', '--kdf', 'none', $encfile],
        errmsg => 'failed to create encryption key'
    );
    return file_get_contents($encfile);
};

# lists all snapshots, optionally limited to a specific group
sub get_snapshots {
    my ($self, $group) = @_;

    my $param = [];
    push @$param, $group if defined($group);

    return run_client_cmd($self, "snapshots", $param);
};

# create a new PXAR backup of a FS directory tree - doesn't cross FS boundary
# by default.
sub backup_fs_tree {
    my ($self, $root, $id, $pxarname, $cmd_opts) = @_;

    die "backup-id not provided\n" if !defined($id);
    die "backup root dir not provided\n" if !defined($root);
    die "archive name not provided\n" if !defined($pxarname);

    my $param = [
	"$pxarname.pxar:$root",
	'--backup-type', 'host',
	'--backup-id', $id,
    ];

    $cmd_opts //= {};

    return run_raw_client_cmd($self, 'backup', $param, %$cmd_opts);
};

sub restore_pxar {
    my ($self, $snapshot, $pxarname, $target, $cmd_opts) = @_;

    die "snapshot not provided\n" if !defined($snapshot);
    die "archive name not provided\n" if !defined($pxarname);
    die "restore-target not provided\n" if !defined($target);

    my $param = [
	"$snapshot",
	"$pxarname.pxar",
	"$target",
	"--allow-existing-dirs", 0,
    ];
    $cmd_opts //= {};

    return run_raw_client_cmd($self, 'restore', $param, %$cmd_opts);
};

sub forget_snapshot {
    my ($self, $snapshot) = @_;

    die "snapshot not provided\n" if !defined($snapshot);

    return run_raw_client_cmd($self, 'forget', ["$snapshot"]);
};

sub prune_group {
    my ($self, $opts, $prune_opts, $group) = @_;

    die "group not provided\n" if !defined($group);

    # do nothing if no keep options specified for remote
    return [] if scalar(keys %$prune_opts) == 0;

    my $param = [];

    push @$param, "--quiet";

    if (defined($opts->{'dry-run'}) && $opts->{'dry-run'}) {
	push @$param, "--dry-run", $opts->{'dry-run'};
    }

    foreach my $keep_opt (keys %$prune_opts) {
	push @$param, "--$keep_opt", $prune_opts->{$keep_opt};
    }
    push @$param, "$group";

    return run_client_cmd($self, 'prune', $param);
};

sub status {
    my ($self) = @_;

    my $total = 0;
    my $free = 0;
    my $used = 0;
    my $active = 0;

    eval {
	my $res = run_client_cmd($self, "status");

	$active = 1;
	$total = $res->{total};
	$used = $res->{used};
	$free = $res->{avail};
    };
    if (my $err = $@) {
	warn $err;
    }

    return ($total, $free, $used, $active);
};

1;
Commit	Line	Data
0904f388	1	package PVE::PBSClient;
243568ca	2	# utility functions for interaction with Proxmox Backup client CLI executable
0904f388 SI	3
	4	use strict;
	5	use warnings;
243568ca	6
0904f388 SI	7	use Fcntl qw(F_GETFD F_SETFD FD_CLOEXEC);
	8	use IO::File;
	9	use JSON;
	10	use POSIX qw(strftime ENOENT);
	11
0904f388	12	use PVE::JSONSchema qw(get_standard_option);
5640c3db DC	13	use PVE::Tools qw(run_command file_set_contents file_get_contents file_read_firstline $IPV6RE);
	14
	15	# returns a repository string suitable for proxmox-backup-client, pbs-restore, etc.
	16	# $scfg must have the following structure:
	17	# {
	18	# datastore
	19	# server
	20	# port (optional defaults to 8007)
	21	# username (optional defaults to 'root@pam')
	22	# }
	23	sub get_repository {
	24	my ($scfg) = @_;
	25
	26	my $server = $scfg->{server};
	27	die "no server given\n" if !defined($server);
	28
	29	$server = "[$server]" if $server =~ /^$IPV6RE$/;
	30
	31	if (my $port = $scfg->{port}) {
	32	$server .= ":$port" if $port != 8007;
	33	}
	34
	35	my $datastore = $scfg->{datastore};
	36	die "no datastore given\n" if !defined($datastore);
	37
	38	my $username = $scfg->{username} // 'root@pam';
	39
	40	return "$username\@$server:$datastore";
	41	}
0904f388 SI	42
	43	sub new {
	44	my ($class, $scfg, $storeid, $sdir) = @_;
	45
	46	die "no section config provided\n" if ref($scfg) eq '';
	47	die "undefined store id\n" if !defined($storeid);
	48
	49	my $secret_dir = $sdir // '/etc/pve/priv/storage';
	50
243568ca TL	51	my $self = bless {
	52	scfg => $scfg,
	53	storeid => $storeid,
	54	secret_dir => $secret_dir
	55	}, $class;
	56	return $self;
0904f388 SI	57	}
	58
	59	my sub password_file_name {
	60	my ($self) = @_;
	61
	62	return "$self->{secret_dir}/$self->{storeid}.pw";
	63	}
	64
	65	sub set_password {
	66	my ($self, $password) = @_;
	67
69a3a585	68	my $pwfile = password_file_name($self);
0904f388 SI	69	mkdir $self->{secret_dir};
	70
	71	PVE::Tools::file_set_contents($pwfile, "$password\n", 0600);
	72	};
	73
	74	sub delete_password {
	75	my ($self) = @_;
	76
69a3a585	77	my $pwfile = password_file_name($self);
0904f388	78
69a3a585	79	unlink $pwfile or die "deleting password file failed - $!\n";
0904f388 SI	80	};
	81
	82	sub get_password {
	83	my ($self) = @_;
	84
69a3a585	85	my $pwfile = password_file_name($self);
0904f388 SI	86
	87	return PVE::Tools::file_read_firstline($pwfile);
	88	}
	89
	90	sub encryption_key_file_name {
	91	my ($self) = @_;
	92
	93	return "$self->{secret_dir}/$self->{storeid}.enc";
	94	};
	95
	96	sub set_encryption_key {
	97	my ($self, $key) = @_;
	98
243568ca	99	my $encfile = $self->encryption_key_file_name();
0904f388 SI	100	mkdir $self->{secret_dir};
	101
	102	PVE::Tools::file_set_contents($encfile, "$key\n", 0600);
	103	};
	104
	105	sub delete_encryption_key {
	106	my ($self) = @_;
	107
243568ca	108	my $encfile = $self->encryption_key_file_name();
0904f388 SI	109
	110	if (!unlink $encfile) {
	111	return if $! == ENOENT;
	112	die "failed to delete encryption key! $!\n";
	113	}
	114	};
	115
	116	# Returns a file handle if there is an encryption key, or `undef` if there is not. Dies on error.
	117	my sub open_encryption_key {
	118	my ($self) = @_;
	119
243568ca	120	my $encryption_key_file = $self->encryption_key_file_name();
0904f388 SI	121
	122	my $keyfd;
	123	if (!open($keyfd, '<', $encryption_key_file)) {
	124	return undef if $! == ENOENT;
	125	die "failed to open encryption key: $encryption_key_file: $!\n";
	126	}
	127
	128	return $keyfd;
	129	}
	130
	131	my $USE_CRYPT_PARAMS = {
	132	backup => 1,
	133	restore => 1,
	134	'upload-log' => 1,
	135	};
	136
	137	my sub do_raw_client_cmd {
	138	my ($self, $client_cmd, $param, %opts) = @_;
	139
	140	my $use_crypto = $USE_CRYPT_PARAMS->{$client_cmd};
	141
b15abdfe SR	142	my $client_exe = (delete $opts{binary}) \|\| 'proxmox-backup-client';
b15abdfe SR	143	$client_exe = "/usr/bin/$client_exe";
9f727e55	144	die "executable not found '$client_exe'! proxmox-backup-client or proxmox-backup-file-restore not installed?\n"
0904f388 SI	145	if ! -x $client_exe;
	146
	147	my $scfg = $self->{scfg};
5640c3db	148	my $repo = get_repository($scfg);
0904f388 SI	149
	150	my $userns_cmd = delete $opts{userns_cmd};
	151
	152	my $cmd = [];
	153
	154	push @$cmd, @$userns_cmd if defined($userns_cmd);
	155
	156	push @$cmd, $client_exe, $client_cmd;
	157
	158	# This must live in the top scope to not get closed before the `run_command`
	159	my $keyfd;
	160	if ($use_crypto) {
69a3a585	161	if (defined($keyfd = open_encryption_key($self))) {
0904f388 SI	162	my $flags = fcntl($keyfd, F_GETFD, 0)
	163	// die "failed to get file descriptor flags: $!\n";
	164	fcntl($keyfd, F_SETFD, $flags & ~FD_CLOEXEC)
	165	or die "failed to remove FD_CLOEXEC from encryption key file descriptor\n";
	166	push @$cmd, '--crypt-mode=encrypt', '--keyfd='.fileno($keyfd);
	167	} else {
	168	push @$cmd, '--crypt-mode=none';
	169	}
	170	}
	171
	172	push @$cmd, @$param if defined($param);
	173
5640c3db	174	push @$cmd, "--repository", $repo;
0904f388	175
243568ca	176	local $ENV{PBS_PASSWORD} = $self->get_password();
0904f388 SI	177
	178	local $ENV{PBS_FINGERPRINT} = $scfg->{fingerprint};
	179
	180	# no ascii-art on task logs
	181	local $ENV{PROXMOX_OUTPUT_NO_BORDER} = 1;
	182	local $ENV{PROXMOX_OUTPUT_NO_HEADER} = 1;
	183
	184	if (my $logfunc = $opts{logfunc}) {
	185	$logfunc->("run: " . join(' ', @$cmd));
	186	}
	187
	188	run_command($cmd, %opts);
	189	}
	190
	191	my sub run_raw_client_cmd {
	192	my ($self, $client_cmd, $param, %opts) = @_;
69a3a585	193	return do_raw_client_cmd($self, $client_cmd, $param, %opts);
0904f388 SI	194	}
	195
	196	my sub run_client_cmd {
b15abdfe	197	my ($self, $client_cmd, $param, $no_output, $binary) = @_;
0904f388 SI	198
	199	my $json_str = '';
	200	my $outfunc = sub { $json_str .= "$_[0]\n" };
	201
b15abdfe SR	202	$binary //= 'proxmox-backup-client';
b15abdfe SR	203
0904f388 SI	204	$param = [] if !defined($param);
	205	$param = [ $param ] if !ref($param);
	206
	207	$param = [@$param, '--output-format=json'] if !$no_output;
	208
69a3a585	209	do_raw_client_cmd(
b15abdfe SR	210	$self,
	211	$client_cmd,
	212	$param,
	213	outfunc => $outfunc,
	214	errmsg => "$binary failed",
	215	binary => $binary,
243568ca	216	);
0904f388 SI	217
	218	return undef if $no_output;
	219
	220	my $res = decode_json($json_str);
	221
	222	return $res;
	223	}
	224
	225	sub autogen_encryption_key {
	226	my ($self) = @_;
243568ca	227	my $encfile = $self->encryption_key_file_name();
0cc6c7e0 TL	228	run_command(
	229	['proxmox-backup-client', 'key', 'create', '--kdf', 'none', $encfile],
	230	errmsg => 'failed to create encryption key'
	231	);
	232	return file_get_contents($encfile);
0904f388 SI	233	};
0904f388 SI	234
2113c7e8	235	# lists all snapshots, optionally limited to a specific group
0904f388	236	sub get_snapshots {
2113c7e8	237	my ($self, $group) = @_;
0904f388 SI	238
0904f388 SI	239	my $param = [];
2113c7e8	240	push @$param, $group if defined($group);
0904f388	241
69a3a585	242	return run_client_cmd($self, "snapshots", $param);
0904f388 SI	243	};
0904f388 SI	244
6674eb1e TL	245	# create a new PXAR backup of a FS directory tree - doesn't cross FS boundary
	246	# by default.
	247	sub backup_fs_tree {
	248	my ($self, $root, $id, $pxarname, $cmd_opts) = @_;
0904f388	249
0904f388	250	die "backup-id not provided\n" if !defined($id);
6674eb1e	251	die "backup root dir not provided\n" if !defined($root);
0904f388	252	die "archive name not provided\n" if !defined($pxarname);
0904f388	253
ad6b3237 TL	254	my $param = [
ad6b3237 TL	255	"$pxarname.pxar:$root",
6674eb1e	256	'--backup-type', 'host',
ad6b3237 TL	257	'--backup-id', $id,
ad6b3237 TL	258	];
0904f388	259
6674eb1e TL	260	$cmd_opts //= {};
	261
	262	return run_raw_client_cmd($self, 'backup', $param, %$cmd_opts);
0904f388 SI	263	};
	264
	265	sub restore_pxar {
8b88b2f6	266	my ($self, $snapshot, $pxarname, $target, $cmd_opts) = @_;
0904f388	267
0904f388	268	die "snapshot not provided\n" if !defined($snapshot);
0904f388	269	die "archive name not provided\n" if !defined($pxarname);
0904f388	270	die "restore-target not provided\n" if !defined($target);
0904f388	271
ad6b3237 TL	272	my $param = [
	273	"$snapshot",
	274	"$pxarname.pxar",
	275	"$target",
	276	"--allow-existing-dirs", 0,
	277	];
8b88b2f6	278	$cmd_opts //= {};
0904f388	279
69a3a585	280	return run_raw_client_cmd($self, 'restore', $param, %$cmd_opts);
0904f388 SI	281	};
	282
	283	sub forget_snapshot {
	284	my ($self, $snapshot) = @_;
	285
	286	die "snapshot not provided\n" if !defined($snapshot);
	287
69a3a585	288	return run_raw_client_cmd($self, 'forget', ["$snapshot"]);
0904f388 SI	289	};
	290
	291	sub prune_group {
	292	my ($self, $opts, $prune_opts, $group) = @_;
	293
	294	die "group not provided\n" if !defined($group);
	295
	296	# do nothing if no keep options specified for remote
	297	return [] if scalar(keys %$prune_opts) == 0;
	298
	299	my $param = [];
	300
	301	push @$param, "--quiet";
	302
	303	if (defined($opts->{'dry-run'}) && $opts->{'dry-run'}) {
	304	push @$param, "--dry-run", $opts->{'dry-run'};
	305	}
	306
	307	foreach my $keep_opt (keys %$prune_opts) {
	308	push @$param, "--$keep_opt", $prune_opts->{$keep_opt};
	309	}
	310	push @$param, "$group";
	311
69a3a585	312	return run_client_cmd($self, 'prune', $param);
0904f388 SI	313	};
	314
	315	sub status {
	316	my ($self) = @_;
	317
	318	my $total = 0;
	319	my $free = 0;
	320	my $used = 0;
	321	my $active = 0;
	322
	323	eval {
69a3a585	324	my $res = run_client_cmd($self, "status");
0904f388 SI	325
	326	$active = 1;
	327	$total = $res->{total};
	328	$used = $res->{used};
	329	$free = $res->{avail};
	330	};
	331	if (my $err = $@) {
	332	warn $err;
	333	}
	334
	335	return ($total, $free, $used, $active);
	336	};
	337
	338	1;