+sub validate_ssh_public_keys {
+ my ($raw) = @_;
+ my @lines = split(/\n/, $raw);
+
+ foreach my $line (@lines) {
+ next if $line =~ m/^\s*$/;
+ eval {
+ my ($filename, $handle) = tempfile_contents($line);
+ run_command(["ssh-keygen", "-l", "-f", $filename],
+ outfunc => sub {}, errfunc => sub {});
+ };
+ die "SSH public key validation error\n" if $@;
+ }
+}
+
+sub openat($$$;$) {
+ my ($dirfd, $pathname, $flags, $mode) = @_;
+ my $fd = syscall(PVE::Syscall::openat, $dirfd, $pathname, $flags, $mode//0);
+ return undef if $fd < 0;
+ # sysopen() doesn't deal with numeric file descriptors apparently
+ # so we need to convert to a mode string for IO::Handle->new_from_fd
+ my $flagstr = ($flags & O_RDWR) ? 'rw' : ($flags & O_WRONLY) ? 'w' : 'r';
+ my $handle = IO::Handle->new_from_fd($fd, $flagstr);
+ return $handle if $handle;
+ my $err = $!; # save error before closing the raw fd
+ syscall(PVE::Syscall::close, $fd); # close
+ $! = $err;
+ return undef;
+}
+
+sub mkdirat($$$) {
+ my ($dirfd, $name, $mode) = @_;
+ return syscall(PVE::Syscall::mkdirat, $dirfd, $name, $mode) == 0;
+}
+
+# NOTE: This calls the dbus main loop and must not be used when another dbus
+# main loop is being used as we need to wait for the JobRemoved signal.
+# Polling the job status instead doesn't work because this doesn't give us the
+# distinction between success and failure.
+#
+# Note that the description is mandatory for security reasons.
+sub enter_systemd_scope {
+ my ($unit, $description, %extra) = @_;
+ die "missing description\n" if !defined($description);
+
+ my $timeout = delete $extra{timeout};
+
+ $unit .= '.scope';
+ my $properties = [ [PIDs => [dbus_uint32($$)]] ];
+
+ foreach my $key (keys %extra) {
+ if ($key eq 'Slice' || $key eq 'KillMode') {
+ push @$properties, [$key, $extra{$key}];
+ } elsif ($key eq 'CPUShares') {
+ push @$properties, [$key, dbus_uint64($extra{$key})];
+ } elsif ($key eq 'CPUQuota') {
+ push @$properties, ['CPUQuotaPerSecUSec',
+ dbus_uint64($extra{$key} * 10000)];
+ } else {
+ die "Don't know how to encode $key for systemd scope\n";
+ }
+ }
+
+ my $job;
+ my $done = 0;
+
+ my $bus = Net::DBus->system();
+ my $reactor = Net::DBus::Reactor->main();
+
+ my $service = $bus->get_service('org.freedesktop.systemd1');
+ my $if = $service->get_object('/org/freedesktop/systemd1', 'org.freedesktop.systemd1.Manager');
+ # Connect to the JobRemoved signal since we want to wait for it to finish
+ my $sigid;
+ my $timer;
+ my $cleanup = sub {
+ my ($no_shutdown) = @_;
+ $if->disconnect_from_signal('JobRemoved', $sigid) if defined($if);
+ $if = undef;
+ $sigid = undef;
+ $reactor->remove_timeout($timer) if defined($timer);
+ $timer = undef;
+ return if $no_shutdown;
+ $reactor->shutdown();
+ };
+
+ $sigid = $if->connect_to_signal('JobRemoved', sub {
+ my ($id, $removed_job, $signaled_unit, $result) = @_;
+ return if $signaled_unit ne $unit || $removed_job ne $job;
+ $cleanup->(0);
+ die "systemd job failed\n" if $result ne 'done';
+ $done = 1;
+ });
+
+ my $on_timeout = sub {
+ $cleanup->(0);
+ die "systemd job timed out\n";
+ };
+
+ $timer = $reactor->add_timeout($timeout * 1000, Net::DBus::Callback->new(method => $on_timeout))
+ if defined($timeout);
+ $job = $if->StartTransientUnit($unit, 'fail', $properties, []);
+ $reactor->run();
+ $cleanup->(1);
+ die "systemd job never completed\n" if !$done;
+}
+
+my $salt_starter = time();
+
+sub encrypt_pw {
+ my ($pw) = @_;
+
+ $salt_starter++;
+ my $salt = substr(Digest::SHA::sha1_base64(time() + $salt_starter + $$), 0, 8);
+
+ # crypt does not want '+' in salt (see 'man crypt')
+ $salt =~ s/\+/X/g;
+
+ return crypt(encode("utf8", $pw), "\$5\$$salt\$");
+}
+
+# intended usage: convert_size($val, "kb" => "gb")
+# on reduction (converting to a bigger unit) we round up by default if
+# information got lost. E.g. `convert_size(1023, "b" => "kb")` returns 1
+# use $no_round_up to switch this off, above example would then return 0
+sub convert_size {
+ my ($value, $from, $to, $no_round_up) = @_;
+
+ my $units = {
+ b => 0,
+ kb => 1,
+ mb => 2,
+ gb => 3,
+ tb => 4,
+ pb => 5,
+ };
+
+ $from = lc($from); $to = lc($to);
+ die "unknown 'from' and/or 'to' units ($from => $to)"
+ if !(defined($units->{$from}) && defined($units->{$to}));
+
+ my $shift_amount = $units->{$from} - $units->{$to};
+
+ if ($shift_amount > 0) {
+ $value <<= ($shift_amount * 10);
+ } elsif ($shift_amount < 0) {
+ my $remainder = ($value & (1 << abs($shift_amount)*10) - 1);
+ $value >>= abs($shift_amount) * 10;
+ $value++ if $remainder && !$no_round_up;
+ }
+
+ return $value;
+}
+