]> git.proxmox.com Git - pve-container.git/blob - src/PVE/API2/LXC.pm
projects / pve-container.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
only recover id mapping on restore
[pve-container.git] / src / PVE / API2 / LXC.pm
1 package PVE::API2::LXC;
2
3 use strict;
4 use warnings;
5
6 use PVE::SafeSyslog;
7 use PVE::Tools qw(extract_param run_command);
8 use PVE::Exception qw(raise raise_param_exc raise_perm_exc);
9 use PVE::INotify;
10 use PVE::Cluster qw(cfs_read_file);
11 use PVE::AccessControl;
12 use PVE::Firewall;
13 use PVE::Storage;
14 use PVE::RESTHandler;
15 use PVE::RPCEnvironment;
16 use PVE::ReplicationConfig;
17 use PVE::LXC;
18 use PVE::LXC::Create;
19 use PVE::LXC::Migrate;
20 use PVE::GuestHelpers;
21 use PVE::API2::LXC::Config;
22 use PVE::API2::LXC::Status;
23 use PVE::API2::LXC::Snapshot;
24 use PVE::JSONSchema qw(get_standard_option);
25 use base qw(PVE::RESTHandler);
26
27 BEGIN {
28 if (!$ENV{PVE_GENERATING_DOCS}) {
29 require PVE::HA::Env::PVE2;
30 import PVE::HA::Env::PVE2;
31 require PVE::HA::Config;
32 import PVE::HA::Config;
33 }
34 }
35
36 __PACKAGE__->register_method ({
37 subclass => "PVE::API2::LXC::Config",
38 path => '{vmid}/config',
39 });
40
41 __PACKAGE__->register_method ({
42 subclass => "PVE::API2::LXC::Status",
43 path => '{vmid}/status',
44 });
45
46 __PACKAGE__->register_method ({
47 subclass => "PVE::API2::LXC::Snapshot",
48 path => '{vmid}/snapshot',
49 });
50
51 __PACKAGE__->register_method ({
52 subclass => "PVE::API2::Firewall::CT",
53 path => '{vmid}/firewall',
54 });
55
56 __PACKAGE__->register_method({
57 name => 'vmlist',
58 path => '',
59 method => 'GET',
60 description => "LXC container index (per node).",
61 permissions => {
62 description => "Only list CTs where you have VM.Audit permissons on /vms/<vmid>.",
63 user => 'all',
64 },
65 proxyto => 'node',
66 protected => 1, # /proc files are only readable by root
67 parameters => {
68 additionalProperties => 0,
69 properties => {
70 node => get_standard_option('pve-node'),
71 },
72 },
73 returns => {
74 type => 'array',
75 items => {
76 type => "object",
77 properties => $PVE::LXC::vmstatus_return_properties,
78 },
79 links => [ { rel => 'child', href => "{vmid}" } ],
80 },
81 code => sub {
82 my ($param) = @_;
83
84 my $rpcenv = PVE::RPCEnvironment::get();
85 my $authuser = $rpcenv->get_user();
86
87 my $vmstatus = PVE::LXC::vmstatus();
88
89 my $res = [];
90 foreach my $vmid (keys %$vmstatus) {
91 next if !$rpcenv->check($authuser, "/vms/$vmid", [ 'VM.Audit' ], 1);
92
93 my $data = $vmstatus->{$vmid};
94 push @$res, $data;
95 }
96
97 return $res;
98
99 }});
100
101 __PACKAGE__->register_method({
102 name => 'create_vm',
103 path => '',
104 method => 'POST',
105 description => "Create or restore a container.",
106 permissions => {
107 user => 'all', # check inside
108 description => "You need 'VM.Allocate' permissions on /vms/{vmid} or on the VM pool /pool/{pool}. " .
109 "For restore, it is enough if the user has 'VM.Backup' permission and the VM already exists. " .
110 "You also need 'Datastore.AllocateSpace' permissions on the storage.",
111 },
112 protected => 1,
113 proxyto => 'node',
114 parameters => {
115 additionalProperties => 0,
116 properties => PVE::LXC::Config->json_config_properties({
117 node => get_standard_option('pve-node'),
118 vmid => get_standard_option('pve-vmid', { completion => \&PVE::Cluster::complete_next_vmid }),
119 ostemplate => {
120 description => "The OS template or backup file.",
121 type => 'string',
122 maxLength => 255,
123 completion => \&PVE::LXC::complete_os_templates,
124 },
125 password => {
126 optional => 1,
127 type => 'string',
128 description => "Sets root password inside container.",
129 minLength => 5,
130 },
131 storage => get_standard_option('pve-storage-id', {
132 description => "Default Storage.",
133 default => 'local',
134 optional => 1,
135 completion => \&PVE::Storage::complete_storage_enabled,
136 }),
137 force => {
138 optional => 1,
139 type => 'boolean',
140 description => "Allow to overwrite existing container.",
141 },
142 restore => {
143 optional => 1,
144 type => 'boolean',
145 description => "Mark this as restore task.",
146 },
147 pool => {
148 optional => 1,
149 type => 'string', format => 'pve-poolid',
150 description => "Add the VM to the specified pool.",
151 },
152 'ignore-unpack-errors' => {
153 optional => 1,
154 type => 'boolean',
155 description => "Ignore errors when extracting the template.",
156 },
157 'ssh-public-keys' => {
158 optional => 1,
159 type => 'string',
160 description => "Setup public SSH keys (one key per line, " .
161 "OpenSSH format).",
162 },
163 bwlimit => {
164 description => "Override i/o bandwidth limit (in KiB/s).",
165 optional => 1,
166 type => 'number',
167 minimum => '0',
168 },
169 start => {
170 optional => 1,
171 type => 'boolean',
172 default => 0,
173 description => "Start the CT after its creation finished successfully.",
174 },
175 }),
176 },
177 returns => {
178 type => 'string',
179 },
180 code => sub {
181 my ($param) = @_;
182
183 my $rpcenv = PVE::RPCEnvironment::get();
184
185 my $authuser = $rpcenv->get_user();
186
187 my $node = extract_param($param, 'node');
188
189 my $vmid = extract_param($param, 'vmid');
190
191 my $ignore_unpack_errors = extract_param($param, 'ignore-unpack-errors');
192
193 my $bwlimit = extract_param($param, 'bwlimit');
194
195 my $start_after_create = extract_param($param, 'start');
196
197 my $basecfg_fn = PVE::LXC::Config->config_file($vmid);
198
199 my $same_container_exists = -f $basecfg_fn;
200
201 # 'unprivileged' is read-only, so we can't pass it to update_pct_config
202 my $unprivileged = extract_param($param, 'unprivileged');
203
204 my $restore = extract_param($param, 'restore');
205
206 if ($restore) {
207 # fixme: limit allowed parameters
208
209 }
210
211 my $force = extract_param($param, 'force');
212
213 if (!($same_container_exists && $restore && $force)) {
214 PVE::Cluster::check_vmid_unused($vmid);
215 } else {
216 my $conf = PVE::LXC::Config->load_config($vmid);
217 PVE::LXC::Config->check_protection($conf, "unable to restore CT $vmid");
218 }
219
220 my $password = extract_param($param, 'password');
221
222 my $ssh_keys = extract_param($param, 'ssh-public-keys');
223 PVE::Tools::validate_ssh_public_keys($ssh_keys) if defined($ssh_keys);
224
225 my $pool = extract_param($param, 'pool');
226
227 if (defined($pool)) {
228 $rpcenv->check_pool_exist($pool);
229 $rpcenv->check_perm_modify($authuser, "/pool/$pool");
230 }
231
232 if ($rpcenv->check($authuser, "/vms/$vmid", ['VM.Allocate'], 1)) {
233 # OK
234 } elsif ($pool && $rpcenv->check($authuser, "/pool/$pool", ['VM.Allocate'], 1)) {
235 # OK
236 } elsif ($restore && $force && $same_container_exists &&
237 $rpcenv->check($authuser, "/vms/$vmid", ['VM.Backup'], 1)) {
238 # OK: user has VM.Backup permissions, and want to restore an existing VM
239 } else {
240 raise_perm_exc();
241 }
242
243 my $ostemplate = extract_param($param, 'ostemplate');
244 my $storage = extract_param($param, 'storage') // 'local';
245
246 PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, $pool, $param, []);
247
248 my $storage_cfg = cfs_read_file("storage.cfg");
249
250
251 my $archive;
252
253 if ($ostemplate eq '-') {
254 die "pipe requires cli environment\n"
255 if $rpcenv->{type} ne 'cli';
256 die "pipe can only be used with restore tasks\n"
257 if !$restore;
258 $archive = '-';
259 die "restore from pipe requires rootfs parameter\n" if !defined($param->{rootfs});
260 } else {
261 PVE::Storage::check_volume_access($rpcenv, $authuser, $storage_cfg, $vmid, $ostemplate);
262 $archive = PVE::Storage::abs_filesystem_path($storage_cfg, $ostemplate);
263 }
264
265 my %used_storages;
266 my $check_and_activate_storage = sub {
267 my ($sid) = @_;
268
269 my $scfg = PVE::Storage::storage_check_node($storage_cfg, $sid, $node);
270
271 raise_param_exc({ storage => "storage '$sid' does not support container directories"})
272 if !$scfg->{content}->{rootdir};
273
274 $rpcenv->check($authuser, "/storage/$sid", ['Datastore.AllocateSpace']);
275
276 PVE::Storage::activate_storage($storage_cfg, $sid);
277
278 $used_storages{$sid} = 1;
279 };
280
281 my $conf = {};
282
283 my $is_root = $authuser eq 'root@pam';
284
285 my $no_disk_param = {};
286 my $mp_param = {};
287 my $storage_only_mode = 1;
288 foreach my $opt (keys %$param) {
289 my $value = $param->{$opt};
290 if ($opt eq 'rootfs' || $opt =~ m/^mp\d+$/) {
291 # allow to use simple numbers (add default storage in that case)
292 if ($value =~ m/^\d+(\.\d+)?$/) {
293 $mp_param->{$opt} = "$storage:$value";
294 } else {
295 $mp_param->{$opt} = $value;
296 }
297 $storage_only_mode = 0;
298 } elsif ($opt =~ m/^unused\d+$/) {
299 warn "ignoring '$opt', cannot create/restore with unused volume\n";
300 delete $param->{$opt};
301 } else {
302 $no_disk_param->{$opt} = $value;
303 }
304 }
305
306 die "mount points configured, but 'rootfs' not set - aborting\n"
307 if !$storage_only_mode && !defined($mp_param->{rootfs});
308
309 # check storage access, activate storage
310 my $delayed_mp_param = {};
311 PVE::LXC::Config->foreach_mountpoint($mp_param, sub {
312 my ($ms, $mountpoint) = @_;
313
314 my $volid = $mountpoint->{volume};
315 my $mp = $mountpoint->{mp};
316
317 if ($mountpoint->{type} ne 'volume') { # bind or device
318 die "Only root can pass arbitrary filesystem paths.\n"
319 if !$is_root;
320 } else {
321 my ($sid, $volname) = PVE::Storage::parse_volume_id($volid);
322 &$check_and_activate_storage($sid);
323 }
324 });
325
326 # check/activate default storage
327 &$check_and_activate_storage($storage) if !defined($mp_param->{rootfs});
328
329 PVE::LXC::Config->update_pct_config($vmid, $conf, 0, $no_disk_param);
330
331 $conf->{unprivileged} = 1 if $unprivileged;
332
333 my $check_vmid_usage = sub {
334 if ($force) {
335 die "can't overwrite running container\n"
336 if PVE::LXC::check_running($vmid);
337 } else {
338 PVE::Cluster::check_vmid_unused($vmid);
339 }
340 };
341
342 my $code = sub {
343 &$check_vmid_usage(); # final check after locking
344 my $old_conf;
345
346 my $config_fn = PVE::LXC::Config->config_file($vmid);
347 if (-f $config_fn) {
348 die "container exists" if !$restore; # just to be sure
349 $old_conf = PVE::LXC::Config->load_config($vmid);
350 } else {
351 eval {
352 # try to create empty config on local node, we have an flock
353 PVE::LXC::Config->write_config($vmid, {});
354 };
355
356 # another node was faster, abort
357 die "Could not reserve ID $vmid, already taken\n" if $@;
358 }
359
360 PVE::Cluster::check_cfs_quorum();
361 my $vollist = [];
362 eval {
363 my $orig_mp_param; # only used if $restore
364 if ($restore) {
365 (my $orig_conf, $orig_mp_param) = PVE::LXC::Create::recover_config($archive);
366 if ($is_root) {
367 # When we're root call 'restore_configuration' with ristricted=0,
368 # causing it to restore the raw lxc entries, among which there may be
369 # 'lxc.idmap' entries. We need to make sure that the extracted contents
370 # of the container match up with the restored configuration afterwards:
371 $conf->{lxc} = [grep { $_->[0] eq 'lxc.idmap' } @{$orig_conf->{lxc}}];
372 }
373 }
374 if ($storage_only_mode) {
375 if ($restore) {
376 $mp_param = $orig_mp_param;
377 die "rootfs configuration could not be recovered, please check and specify manually!\n"
378 if !defined($mp_param->{rootfs});
379 PVE::LXC::Config->foreach_mountpoint($mp_param, sub {
380 my ($ms, $mountpoint) = @_;
381 my $type = $mountpoint->{type};
382 if ($type eq 'volume') {
383 die "unable to detect disk size - please specify $ms (size)\n"
384 if !defined($mountpoint->{size});
385 my $disksize = $mountpoint->{size} / (1024 * 1024 * 1024); # create_disks expects GB as unit size
386 delete $mountpoint->{size};
387 $mountpoint->{volume} = "$storage:$disksize";
388 $mp_param->{$ms} = PVE::LXC::Config->print_ct_mountpoint($mountpoint, $ms eq 'rootfs');
389 } else {
390 my $type = $mountpoint->{type};
391 die "restoring rootfs to $type mount is only possible by specifying -rootfs manually!\n"
392 if ($ms eq 'rootfs');
393 die "restoring '$ms' to $type mount is only possible for root\n"
394 if !$is_root;
395
396 if ($mountpoint->{backup}) {
397 warn "WARNING - unsupported configuration!\n";
398 warn "backup was enabled for $type mount point $ms ('$mountpoint->{mp}')\n";
399 warn "mount point configuration will be restored after archive extraction!\n";
400 warn "contained files will be restored to wrong directory!\n";
401 }
402 delete $mp_param->{$ms}; # actually delay bind/dev mps
403 $delayed_mp_param->{$ms} = PVE::LXC::Config->print_ct_mountpoint($mountpoint, $ms eq 'rootfs');
404 }
405 });
406 } else {
407 $mp_param->{rootfs} = "$storage:4"; # defaults to 4GB
408 }
409 }
410
411 $vollist = PVE::LXC::create_disks($storage_cfg, $vmid, $mp_param, $conf);
412
413 if (defined($old_conf)) {
414 # destroy old container volumes
415 PVE::LXC::destroy_lxc_container($storage_cfg, $vmid, $old_conf, {});
416 }
417
418 eval {
419 my $rootdir = PVE::LXC::mount_all($vmid, $storage_cfg, $conf, 1);
420 $bwlimit = PVE::Storage::get_bandwidth_limit('restore', [keys %used_storages], $bwlimit);
421 PVE::LXC::Create::restore_archive($archive, $rootdir, $conf, $ignore_unpack_errors, $bwlimit);
422
423 if ($restore) {
424 PVE::LXC::Create::restore_configuration($vmid, $rootdir, $conf, !$is_root);
425 } else {
426 my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir); # detect OS
427 PVE::LXC::Config->write_config($vmid, $conf); # safe config (after OS detection)
428 $lxc_setup->post_create_hook($password, $ssh_keys);
429 }
430 };
431 my $err = $@;
432 PVE::LXC::umount_all($vmid, $storage_cfg, $conf, $err ? 1 : 0);
433 PVE::Storage::deactivate_volumes($storage_cfg, PVE::LXC::Config->get_vm_volumes($conf));
434 die $err if $err;
435 # set some defaults
436 $conf->{hostname} ||= "CT$vmid";
437 $conf->{memory} ||= 512;
438 $conf->{swap} //= 512;
439 foreach my $mp (keys %$delayed_mp_param) {
440 $conf->{$mp} = $delayed_mp_param->{$mp};
441 }
442 PVE::LXC::Config->write_config($vmid, $conf);
443 };
444 if (my $err = $@) {
445 PVE::LXC::destroy_disks($storage_cfg, $vollist);
446 PVE::LXC::destroy_config($vmid);
447 die $err;
448 }
449 PVE::AccessControl::add_vm_to_pool($vmid, $pool) if $pool;
450
451 PVE::API2::LXC::Status->vm_start({ vmid => $vmid, node => $node })
452 if $start_after_create;
453 };
454
455 my $realcmd = sub { PVE::LXC::Config->lock_config($vmid, $code); };
456
457 &$check_vmid_usage(); # first check before locking
458
459 return $rpcenv->fork_worker($restore ? 'vzrestore' : 'vzcreate',
460 $vmid, $authuser, $realcmd);
461
462 }});
463
464 __PACKAGE__->register_method({
465 name => 'vmdiridx',
466 path => '{vmid}',
467 method => 'GET',
468 proxyto => 'node',
469 description => "Directory index",
470 permissions => {
471 user => 'all',
472 },
473 parameters => {
474 additionalProperties => 0,
475 properties => {
476 node => get_standard_option('pve-node'),
477 vmid => get_standard_option('pve-vmid'),
478 },
479 },
480 returns => {
481 type => 'array',
482 items => {
483 type => "object",
484 properties => {
485 subdir => { type => 'string' },
486 },
487 },
488 links => [ { rel => 'child', href => "{subdir}" } ],
489 },
490 code => sub {
491 my ($param) = @_;
492
493 # test if VM exists
494 my $conf = PVE::LXC::Config->load_config($param->{vmid});
495
496 my $res = [
497 { subdir => 'config' },
498 { subdir => 'status' },
499 { subdir => 'vncproxy' },
500 { subdir => 'termproxy' },
501 { subdir => 'vncwebsocket' },
502 { subdir => 'spiceproxy' },
503 { subdir => 'migrate' },
504 { subdir => 'clone' },
505 # { subdir => 'initlog' },
506 { subdir => 'rrd' },
507 { subdir => 'rrddata' },
508 { subdir => 'firewall' },
509 { subdir => 'snapshot' },
510 { subdir => 'resize' },
511 ];
512
513 return $res;
514 }});
515
516
517 __PACKAGE__->register_method({
518 name => 'rrd',
519 path => '{vmid}/rrd',
520 method => 'GET',
521 protected => 1, # fixme: can we avoid that?
522 permissions => {
523 check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
524 },
525 description => "Read VM RRD statistics (returns PNG)",
526 parameters => {
527 additionalProperties => 0,
528 properties => {
529 node => get_standard_option('pve-node'),
530 vmid => get_standard_option('pve-vmid'),
531 timeframe => {
532 description => "Specify the time frame you are interested in.",
533 type => 'string',
534 enum => [ 'hour', 'day', 'week', 'month', 'year' ],
535 },
536 ds => {
537 description => "The list of datasources you want to display.",
538 type => 'string', format => 'pve-configid-list',
539 },
540 cf => {
541 description => "The RRD consolidation function",
542 type => 'string',
543 enum => [ 'AVERAGE', 'MAX' ],
544 optional => 1,
545 },
546 },
547 },
548 returns => {
549 type => "object",
550 properties => {
551 filename => { type => 'string' },
552 },
553 },
554 code => sub {
555 my ($param) = @_;
556
557 return PVE::Cluster::create_rrd_graph(
558 "pve2-vm/$param->{vmid}", $param->{timeframe},
559 $param->{ds}, $param->{cf});
560
561 }});
562
563 __PACKAGE__->register_method({
564 name => 'rrddata',
565 path => '{vmid}/rrddata',
566 method => 'GET',
567 protected => 1, # fixme: can we avoid that?
568 permissions => {
569 check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
570 },
571 description => "Read VM RRD statistics",
572 parameters => {
573 additionalProperties => 0,
574 properties => {
575 node => get_standard_option('pve-node'),
576 vmid => get_standard_option('pve-vmid'),
577 timeframe => {
578 description => "Specify the time frame you are interested in.",
579 type => 'string',
580 enum => [ 'hour', 'day', 'week', 'month', 'year' ],
581 },
582 cf => {
583 description => "The RRD consolidation function",
584 type => 'string',
585 enum => [ 'AVERAGE', 'MAX' ],
586 optional => 1,
587 },
588 },
589 },
590 returns => {
591 type => "array",
592 items => {
593 type => "object",
594 properties => {},
595 },
596 },
597 code => sub {
598 my ($param) = @_;
599
600 return PVE::Cluster::create_rrd_data(
601 "pve2-vm/$param->{vmid}", $param->{timeframe}, $param->{cf});
602 }});
603
604 __PACKAGE__->register_method({
605 name => 'destroy_vm',
606 path => '{vmid}',
607 method => 'DELETE',
608 protected => 1,
609 proxyto => 'node',
610 description => "Destroy the container (also delete all uses files).",
611 permissions => {
612 check => [ 'perm', '/vms/{vmid}', ['VM.Allocate']],
613 },
614 parameters => {
615 additionalProperties => 0,
616 properties => {
617 node => get_standard_option('pve-node'),
618 vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid_stopped }),
619 },
620 },
621 returns => {
622 type => 'string',
623 },
624 code => sub {
625 my ($param) = @_;
626
627 my $rpcenv = PVE::RPCEnvironment::get();
628
629 my $authuser = $rpcenv->get_user();
630
631 my $vmid = $param->{vmid};
632
633 # test if container exists
634 my $conf = PVE::LXC::Config->load_config($vmid);
635
636 my $storage_cfg = cfs_read_file("storage.cfg");
637
638 PVE::LXC::Config->check_protection($conf, "can't remove CT $vmid");
639
640 die "unable to remove CT $vmid - used in HA resources\n"
641 if PVE::HA::Config::vm_is_ha_managed($vmid);
642
643 # do not allow destroy if there are replication jobs
644 my $repl_conf = PVE::ReplicationConfig->new();
645 $repl_conf->check_for_existing_jobs($vmid);
646
647 my $running_error_msg = "unable to destroy CT $vmid - container is running\n";
648
649 die $running_error_msg if PVE::LXC::check_running($vmid); # check early
650
651 my $code = sub {
652 # reload config after lock
653 $conf = PVE::LXC::Config->load_config($vmid);
654 PVE::LXC::Config->check_lock($conf);
655
656 die $running_error_msg if PVE::LXC::check_running($vmid);
657
658 PVE::LXC::destroy_lxc_container($storage_cfg, $vmid, $conf);
659 PVE::AccessControl::remove_vm_access($vmid);
660 PVE::Firewall::remove_vmfw_conf($vmid);
661 };
662
663 my $realcmd = sub { PVE::LXC::Config->lock_config($vmid, $code); };
664
665 return $rpcenv->fork_worker('vzdestroy', $vmid, $authuser, $realcmd);
666 }});
667
668 my $sslcert;
669
670 __PACKAGE__->register_method ({
671 name => 'vncproxy',
672 path => '{vmid}/vncproxy',
673 method => 'POST',
674 protected => 1,
675 permissions => {
676 check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
677 },
678 description => "Creates a TCP VNC proxy connections.",
679 parameters => {
680 additionalProperties => 0,
681 properties => {
682 node => get_standard_option('pve-node'),
683 vmid => get_standard_option('pve-vmid'),
684 websocket => {
685 optional => 1,
686 type => 'boolean',
687 description => "use websocket instead of standard VNC.",
688 },
689 width => {
690 optional => 1,
691 description => "sets the width of the console in pixels.",
692 type => 'integer',
693 minimum => 16,
694 maximum => 4096,
695 },
696 height => {
697 optional => 1,
698 description => "sets the height of the console in pixels.",
699 type => 'integer',
700 minimum => 16,
701 maximum => 2160,
702 },
703 },
704 },
705 returns => {
706 additionalProperties => 0,
707 properties => {
708 user => { type => 'string' },
709 ticket => { type => 'string' },
710 cert => { type => 'string' },
711 port => { type => 'integer' },
712 upid => { type => 'string' },
713 },
714 },
715 code => sub {
716 my ($param) = @_;
717
718 my $rpcenv = PVE::RPCEnvironment::get();
719
720 my $authuser = $rpcenv->get_user();
721
722 my $vmid = $param->{vmid};
723 my $node = $param->{node};
724
725 my $authpath = "/vms/$vmid";
726
727 my $ticket = PVE::AccessControl::assemble_vnc_ticket($authuser, $authpath);
728
729 $sslcert = PVE::Tools::file_get_contents("/etc/pve/pve-root-ca.pem", 8192)
730 if !$sslcert;
731
732 my ($remip, $family);
733
734 if ($node ne PVE::INotify::nodename()) {
735 ($remip, $family) = PVE::Cluster::remote_node_ip($node);
736 } else {
737 $family = PVE::Tools::get_host_address_family($node);
738 }
739
740 my $port = PVE::Tools::next_vnc_port($family);
741
742 # NOTE: vncterm VNC traffic is already TLS encrypted,
743 # so we select the fastest chipher here (or 'none'?)
744 my $remcmd = $remip ?
745 ['/usr/bin/ssh', '-e', 'none', '-t', $remip] : [];
746
747 my $conf = PVE::LXC::Config->load_config($vmid, $node);
748 my $concmd = PVE::LXC::get_console_command($vmid, $conf, -1);
749
750 my $shcmd = [ '/usr/bin/dtach', '-A',
751 "/var/run/dtach/vzctlconsole$vmid",
752 '-r', 'winch', '-z', @$concmd];
753
754 my $realcmd = sub {
755 my $upid = shift;
756
757 syslog ('info', "starting lxc vnc proxy $upid\n");
758
759 my $timeout = 10;
760
761 my $cmd = ['/usr/bin/vncterm', '-rfbport', $port,
762 '-timeout', $timeout, '-authpath', $authpath,
763 '-perm', 'VM.Console'];
764
765 if ($param->{width}) {
766 push @$cmd, '-width', $param->{width};
767 }
768
769 if ($param->{height}) {
770 push @$cmd, '-height', $param->{height};
771 }
772
773 if ($param->{websocket}) {
774 $ENV{PVE_VNC_TICKET} = $ticket; # pass ticket to vncterm
775 push @$cmd, '-notls', '-listen', 'localhost';
776 }
777
778 push @$cmd, '-c', @$remcmd, @$shcmd;
779
780 run_command($cmd, keeplocale => 1);
781
782 return;
783 };
784
785 my $upid = $rpcenv->fork_worker('vncproxy', $vmid, $authuser, $realcmd);
786
787 PVE::Tools::wait_for_vnc_port($port);
788
789 return {
790 user => $authuser,
791 ticket => $ticket,
792 port => $port,
793 upid => $upid,
794 cert => $sslcert,
795 };
796 }});
797
798 __PACKAGE__->register_method ({
799 name => 'termproxy',
800 path => '{vmid}/termproxy',
801 method => 'POST',
802 protected => 1,
803 permissions => {
804 check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
805 },
806 description => "Creates a TCP proxy connection.",
807 parameters => {
808 additionalProperties => 0,
809 properties => {
810 node => get_standard_option('pve-node'),
811 vmid => get_standard_option('pve-vmid'),
812 },
813 },
814 returns => {
815 additionalProperties => 0,
816 properties => {
817 user => { type => 'string' },
818 ticket => { type => 'string' },
819 port => { type => 'integer' },
820 upid => { type => 'string' },
821 },
822 },
823 code => sub {
824 my ($param) = @_;
825
826 my $rpcenv = PVE::RPCEnvironment::get();
827
828 my $authuser = $rpcenv->get_user();
829
830 my $vmid = $param->{vmid};
831 my $node = $param->{node};
832
833 my $authpath = "/vms/$vmid";
834
835 my $ticket = PVE::AccessControl::assemble_vnc_ticket($authuser, $authpath);
836
837 my ($remip, $family);
838
839 if ($node ne 'localhost' && $node ne PVE::INotify::nodename()) {
840 ($remip, $family) = PVE::Cluster::remote_node_ip($node);
841 } else {
842 $family = PVE::Tools::get_host_address_family($node);
843 }
844
845 my $port = PVE::Tools::next_vnc_port($family);
846
847 my $remcmd = $remip ?
848 ['/usr/bin/ssh', '-e', 'none', '-t', $remip, '--'] : [];
849
850 my $conf = PVE::LXC::Config->load_config($vmid, $node);
851 my $concmd = PVE::LXC::get_console_command($vmid, $conf, -1);
852
853 my $shcmd = [ '/usr/bin/dtach', '-A',
854 "/var/run/dtach/vzctlconsole$vmid",
855 '-r', 'winch', '-z', @$concmd];
856
857 my $realcmd = sub {
858 my $upid = shift;
859
860 syslog ('info', "starting lxc termproxy $upid\n");
861
862 my $cmd = ['/usr/bin/termproxy', $port, '--path', $authpath,
863 '--perm', 'VM.Console', '--'];
864 push @$cmd, @$remcmd, @$shcmd;
865
866 PVE::Tools::run_command($cmd);
867 };
868
869 my $upid = $rpcenv->fork_worker('vncproxy', $vmid, $authuser, $realcmd, 1);
870
871 PVE::Tools::wait_for_vnc_port($port);
872
873 return {
874 user => $authuser,
875 ticket => $ticket,
876 port => $port,
877 upid => $upid,
878 };
879 }});
880
881 __PACKAGE__->register_method({
882 name => 'vncwebsocket',
883 path => '{vmid}/vncwebsocket',
884 method => 'GET',
885 permissions => {
886 description => "You also need to pass a valid ticket (vncticket).",
887 check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
888 },
889 description => "Opens a weksocket for VNC traffic.",
890 parameters => {
891 additionalProperties => 0,
892 properties => {
893 node => get_standard_option('pve-node'),
894 vmid => get_standard_option('pve-vmid'),
895 vncticket => {
896 description => "Ticket from previous call to vncproxy.",
897 type => 'string',
898 maxLength => 512,
899 },
900 port => {
901 description => "Port number returned by previous vncproxy call.",
902 type => 'integer',
903 minimum => 5900,
904 maximum => 5999,
905 },
906 },
907 },
908 returns => {
909 type => "object",
910 properties => {
911 port => { type => 'string' },
912 },
913 },
914 code => sub {
915 my ($param) = @_;
916
917 my $rpcenv = PVE::RPCEnvironment::get();
918
919 my $authuser = $rpcenv->get_user();
920
921 my $authpath = "/vms/$param->{vmid}";
922
923 PVE::AccessControl::verify_vnc_ticket($param->{vncticket}, $authuser, $authpath);
924
925 my $port = $param->{port};
926
927 return { port => $port };
928 }});
929
930 __PACKAGE__->register_method ({
931 name => 'spiceproxy',
932 path => '{vmid}/spiceproxy',
933 method => 'POST',
934 protected => 1,
935 proxyto => 'node',
936 permissions => {
937 check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
938 },
939 description => "Returns a SPICE configuration to connect to the CT.",
940 parameters => {
941 additionalProperties => 0,
942 properties => {
943 node => get_standard_option('pve-node'),
944 vmid => get_standard_option('pve-vmid'),
945 proxy => get_standard_option('spice-proxy', { optional => 1 }),
946 },
947 },
948 returns => get_standard_option('remote-viewer-config'),
949 code => sub {
950 my ($param) = @_;
951
952 my $vmid = $param->{vmid};
953 my $node = $param->{node};
954 my $proxy = $param->{proxy};
955
956 my $authpath = "/vms/$vmid";
957 my $permissions = 'VM.Console';
958
959 my $conf = PVE::LXC::Config->load_config($vmid);
960
961 die "CT $vmid not running\n" if !PVE::LXC::check_running($vmid);
962
963 my $concmd = PVE::LXC::get_console_command($vmid, $conf);
964
965 my $shcmd = ['/usr/bin/dtach', '-A',
966 "/var/run/dtach/vzctlconsole$vmid",
967 '-r', 'winch', '-z', @$concmd];
968
969 my $title = "CT $vmid";
970
971 return PVE::API2Tools::run_spiceterm($authpath, $permissions, $vmid, $node, $proxy, $title, $shcmd);
972 }});
973
974
975 __PACKAGE__->register_method({
976 name => 'migrate_vm',
977 path => '{vmid}/migrate',
978 method => 'POST',
979 protected => 1,
980 proxyto => 'node',
981 description => "Migrate the container to another node. Creates a new migration task.",
982 permissions => {
983 check => ['perm', '/vms/{vmid}', [ 'VM.Migrate' ]],
984 },
985 parameters => {
986 additionalProperties => 0,
987 properties => {
988 node => get_standard_option('pve-node'),
989 vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }),
990 target => get_standard_option('pve-node', {
991 description => "Target node.",
992 completion => \&PVE::Cluster::complete_migration_target,
993 }),
994 online => {
995 type => 'boolean',
996 description => "Use online/live migration.",
997 optional => 1,
998 },
999 restart => {
1000 type => 'boolean',
1001 description => "Use restart migration",
1002 optional => 1,
1003 },
1004 timeout => {
1005 type => 'integer',
1006 description => "Timeout in seconds for shutdown for restart migration",
1007 optional => 1,
1008 default => 180,
1009 },
1010 force => {
1011 type => 'boolean',
1012 description => "Force migration despite local bind / device" .
1013 " mounts. NOTE: deprecated, use 'shared' property of mount point instead.",
1014 optional => 1,
1015 },
1016 },
1017 },
1018 returns => {
1019 type => 'string',
1020 description => "the task ID.",
1021 },
1022 code => sub {
1023 my ($param) = @_;
1024
1025 my $rpcenv = PVE::RPCEnvironment::get();
1026
1027 my $authuser = $rpcenv->get_user();
1028
1029 my $target = extract_param($param, 'target');
1030
1031 my $localnode = PVE::INotify::nodename();
1032 raise_param_exc({ target => "target is local node."}) if $target eq $localnode;
1033
1034 PVE::Cluster::check_cfs_quorum();
1035
1036 PVE::Cluster::check_node_exists($target);
1037
1038 my $targetip = PVE::Cluster::remote_node_ip($target);
1039
1040 my $vmid = extract_param($param, 'vmid');
1041
1042 # test if VM exists
1043 PVE::LXC::Config->load_config($vmid);
1044
1045 # try to detect errors early
1046 if (PVE::LXC::check_running($vmid)) {
1047 die "can't migrate running container without --online or --restart\n"
1048 if !$param->{online} && !$param->{restart};
1049 }
1050
1051 if (PVE::HA::Config::vm_is_ha_managed($vmid) && $rpcenv->{type} ne 'ha') {
1052
1053 my $hacmd = sub {
1054 my $upid = shift;
1055
1056 my $service = "ct:$vmid";
1057
1058 my $cmd = ['ha-manager', 'migrate', $service, $target];
1059
1060 print "Requesting HA migration for CT $vmid to node $target\n";
1061
1062 PVE::Tools::run_command($cmd);
1063
1064 return;
1065 };
1066
1067 return $rpcenv->fork_worker('hamigrate', $vmid, $authuser, $hacmd);
1068
1069 } else {
1070
1071 my $realcmd = sub {
1072 PVE::LXC::Migrate->migrate($target, $targetip, $vmid, $param);
1073 };
1074
1075 my $worker = sub {
1076 return PVE::GuestHelpers::guest_migration_lock($vmid, 10, $realcmd);
1077 };
1078
1079 return $rpcenv->fork_worker('vzmigrate', $vmid, $authuser, $worker);
1080 }
1081 }});
1082
1083 __PACKAGE__->register_method({
1084 name => 'vm_feature',
1085 path => '{vmid}/feature',
1086 method => 'GET',
1087 proxyto => 'node',
1088 protected => 1,
1089 description => "Check if feature for virtual machine is available.",
1090 permissions => {
1091 check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
1092 },
1093 parameters => {
1094 additionalProperties => 0,
1095 properties => {
1096 node => get_standard_option('pve-node'),
1097 vmid => get_standard_option('pve-vmid'),
1098 feature => {
1099 description => "Feature to check.",
1100 type => 'string',
1101 enum => [ 'snapshot', 'clone', 'copy' ],
1102 },
1103 snapname => get_standard_option('pve-lxc-snapshot-name', {
1104 optional => 1,
1105 }),
1106 },
1107 },
1108 returns => {
1109 type => "object",
1110 properties => {
1111 hasFeature => { type => 'boolean' },
1112 #nodes => {
1113 #type => 'array',
1114 #items => { type => 'string' },
1115 #}
1116 },
1117 },
1118 code => sub {
1119 my ($param) = @_;
1120
1121 my $node = extract_param($param, 'node');
1122
1123 my $vmid = extract_param($param, 'vmid');
1124
1125 my $snapname = extract_param($param, 'snapname');
1126
1127 my $feature = extract_param($param, 'feature');
1128
1129 my $conf = PVE::LXC::Config->load_config($vmid);
1130
1131 if($snapname){
1132 my $snap = $conf->{snapshots}->{$snapname};
1133 die "snapshot '$snapname' does not exist\n" if !defined($snap);
1134 $conf = $snap;
1135 }
1136 my $storage_cfg = PVE::Storage::config();
1137 #Maybe include later
1138 #my $nodelist = PVE::LXC::shared_nodes($conf, $storage_cfg);
1139 my $hasFeature = PVE::LXC::Config->has_feature($feature, $conf, $storage_cfg, $snapname);
1140
1141 return {
1142 hasFeature => $hasFeature,
1143 #nodes => [ keys %$nodelist ],
1144 };
1145 }});
1146
1147 __PACKAGE__->register_method({
1148 name => 'template',
1149 path => '{vmid}/template',
1150 method => 'POST',
1151 protected => 1,
1152 proxyto => 'node',
1153 description => "Create a Template.",
1154 permissions => {
1155 description => "You need 'VM.Allocate' permissions on /vms/{vmid}",
1156 check => [ 'perm', '/vms/{vmid}', ['VM.Allocate']],
1157 },
1158 parameters => {
1159 additionalProperties => 0,
1160 properties => {
1161 node => get_standard_option('pve-node'),
1162 vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid_stopped }),
1163 },
1164 },
1165 returns => { type => 'null'},
1166 code => sub {
1167 my ($param) = @_;
1168
1169 my $rpcenv = PVE::RPCEnvironment::get();
1170
1171 my $authuser = $rpcenv->get_user();
1172
1173 my $node = extract_param($param, 'node');
1174
1175 my $vmid = extract_param($param, 'vmid');
1176
1177 my $updatefn = sub {
1178
1179 my $conf = PVE::LXC::Config->load_config($vmid);
1180 PVE::LXC::Config->check_lock($conf);
1181
1182 die "unable to create template, because CT contains snapshots\n"
1183 if $conf->{snapshots} && scalar(keys %{$conf->{snapshots}});
1184
1185 die "you can't convert a template to a template\n"
1186 if PVE::LXC::Config->is_template($conf);
1187
1188 die "you can't convert a CT to template if the CT is running\n"
1189 if PVE::LXC::check_running($vmid);
1190
1191 my $scfg = PVE::Storage::config();
1192 PVE::LXC::Config->foreach_mountpoint($conf, sub {
1193 my ($ms, $mp) = @_;
1194
1195 my ($sid) =PVE::Storage::parse_volume_id($mp->{volume}, 0);
1196 die "Directory storage '$sid' does not support container templates!\n"
1197 if $scfg->{ids}->{$sid}->{path};
1198 });
1199
1200 my $realcmd = sub {
1201 PVE::LXC::template_create($vmid, $conf);
1202
1203 $conf->{template} = 1;
1204
1205 PVE::LXC::Config->write_config($vmid, $conf);
1206 # and remove lxc config
1207 PVE::LXC::update_lxc_config($vmid, $conf);
1208 };
1209
1210 return $rpcenv->fork_worker('vztemplate', $vmid, $authuser, $realcmd);
1211 };
1212
1213 PVE::LXC::Config->lock_config($vmid, $updatefn);
1214
1215 return undef;
1216 }});
1217
1218 __PACKAGE__->register_method({
1219 name => 'clone_vm',
1220 path => '{vmid}/clone',
1221 method => 'POST',
1222 protected => 1,
1223 proxyto => 'node',
1224 description => "Create a container clone/copy",
1225 permissions => {
1226 description => "You need 'VM.Clone' permissions on /vms/{vmid}, " .
1227 "and 'VM.Allocate' permissions " .
1228 "on /vms/{newid} (or on the VM pool /pool/{pool}). You also need " .
1229 "'Datastore.AllocateSpace' on any used storage.",
1230 check =>
1231 [ 'and',
1232 ['perm', '/vms/{vmid}', [ 'VM.Clone' ]],
1233 [ 'or',
1234 [ 'perm', '/vms/{newid}', ['VM.Allocate']],
1235 [ 'perm', '/pool/{pool}', ['VM.Allocate'], require_param => 'pool'],
1236 ],
1237 ]
1238 },
1239 parameters => {
1240 additionalProperties => 0,
1241 properties => {
1242 node => get_standard_option('pve-node'),
1243 vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }),
1244 newid => get_standard_option('pve-vmid', {
1245 completion => \&PVE::Cluster::complete_next_vmid,
1246 description => 'VMID for the clone.' }),
1247 hostname => {
1248 optional => 1,
1249 type => 'string', format => 'dns-name',
1250 description => "Set a hostname for the new CT.",
1251 },
1252 description => {
1253 optional => 1,
1254 type => 'string',
1255 description => "Description for the new CT.",
1256 },
1257 pool => {
1258 optional => 1,
1259 type => 'string', format => 'pve-poolid',
1260 description => "Add the new CT to the specified pool.",
1261 },
1262 snapname => get_standard_option('pve-lxc-snapshot-name', {
1263 optional => 1,
1264 }),
1265 storage => get_standard_option('pve-storage-id', {
1266 description => "Target storage for full clone.",
1267 optional => 1,
1268 }),
1269 full => {
1270 optional => 1,
1271 type => 'boolean',
1272 description => "Create a full copy of all disks. This is always done when " .
1273 "you clone a normal CT. For CT templates, we try to create a linked clone by default.",
1274 },
1275 target => get_standard_option('pve-node', {
1276 description => "Target node. Only allowed if the original VM is on shared storage.",
1277 optional => 1,
1278 }),
1279 },
1280 },
1281 returns => {
1282 type => 'string',
1283 },
1284 code => sub {
1285 my ($param) = @_;
1286
1287 my $rpcenv = PVE::RPCEnvironment::get();
1288
1289 my $authuser = $rpcenv->get_user();
1290
1291 my $node = extract_param($param, 'node');
1292
1293 my $vmid = extract_param($param, 'vmid');
1294
1295 my $newid = extract_param($param, 'newid');
1296
1297 my $pool = extract_param($param, 'pool');
1298
1299 if (defined($pool)) {
1300 $rpcenv->check_pool_exist($pool);
1301 }
1302
1303 my $snapname = extract_param($param, 'snapname');
1304
1305 my $storage = extract_param($param, 'storage');
1306
1307 my $target = extract_param($param, 'target');
1308
1309 my $localnode = PVE::INotify::nodename();
1310
1311 undef $target if $target && ($target eq $localnode || $target eq 'localhost');
1312
1313 PVE::Cluster::check_node_exists($target) if $target;
1314
1315 my $storecfg = PVE::Storage::config();
1316
1317 if ($storage) {
1318 # check if storage is enabled on local node
1319 PVE::Storage::storage_check_enabled($storecfg, $storage);
1320 if ($target) {
1321 # check if storage is available on target node
1322 PVE::Storage::storage_check_node($storecfg, $storage, $target);
1323 # clone only works if target storage is shared
1324 my $scfg = PVE::Storage::storage_config($storecfg, $storage);
1325 die "can't clone to non-shared storage '$storage'\n" if !$scfg->{shared};
1326 }
1327 }
1328
1329 PVE::Cluster::check_cfs_quorum();
1330
1331 my $conffile;
1332 my $newconf = {};
1333 my $mountpoints = {};
1334 my $fullclone = {};
1335 my $vollist = [];
1336 my $running;
1337
1338 PVE::LXC::Config->lock_config($vmid, sub {
1339 my $src_conf = PVE::LXC::Config->set_lock($vmid, 'disk');
1340
1341 $running = PVE::LXC::check_running($vmid) || 0;
1342
1343 my $full = extract_param($param, 'full');
1344 if (!defined($full)) {
1345 $full = !PVE::LXC::Config->is_template($src_conf);
1346 }
1347 die "parameter 'storage' not allowed for linked clones\n" if defined($storage) && !$full;
1348
1349 eval {
1350 die "snapshot '$snapname' does not exist\n"
1351 if $snapname && !defined($src_conf->{snapshots}->{$snapname});
1352
1353
1354 my $src_conf = $snapname ? $src_conf->{snapshots}->{$snapname} : $src_conf;
1355
1356 $conffile = PVE::LXC::Config->config_file($newid);
1357 die "unable to create CT $newid: config file already exists\n"
1358 if -f $conffile;
1359
1360 my $sharedvm = 1;
1361 foreach my $opt (keys %$src_conf) {
1362 next if $opt =~ m/^unused\d+$/;
1363
1364 my $value = $src_conf->{$opt};
1365
1366 if (($opt eq 'rootfs') || ($opt =~ m/^mp\d+$/)) {
1367 my $mp = $opt eq 'rootfs' ?
1368 PVE::LXC::Config->parse_ct_rootfs($value) :
1369 PVE::LXC::Config->parse_ct_mountpoint($value);
1370
1371 if ($mp->{type} eq 'volume') {
1372 my $volid = $mp->{volume};
1373
1374 my ($sid, $volname) = PVE::Storage::parse_volume_id($volid);
1375 $sid = $storage if defined($storage);
1376 my $scfg = PVE::Storage::storage_config($storecfg, $sid);
1377 if (!$scfg->{shared}) {
1378 $sharedvm = 0;
1379 warn "found non-shared volume: $volid\n" if $target;
1380 }
1381
1382 $rpcenv->check($authuser, "/storage/$sid", ['Datastore.AllocateSpace']);
1383
1384 if ($full) {
1385 die "Cannot do full clones on a running container without snapshots\n"
1386 if $running && !defined($snapname);
1387 $fullclone->{$opt} = 1;
1388 } else {
1389 # not full means clone instead of copy
1390 die "Linked clone feature for '$volid' is not available\n"
1391 if !PVE::Storage::volume_has_feature($storecfg, 'clone', $volid, $snapname, $running);
1392 }
1393
1394 $mountpoints->{$opt} = $mp;
1395 push @$vollist, $volid;
1396
1397 } else {
1398 # TODO: allow bind mounts?
1399 die "unable to clone mountpint '$opt' (type $mp->{type})\n";
1400 }
1401 } elsif ($opt =~ m/^net(\d+)$/) {
1402 # always change MAC! address
1403 my $dc = PVE::Cluster::cfs_read_file('datacenter.cfg');
1404 my $net = PVE::LXC::Config->parse_lxc_network($value);
1405 $net->{hwaddr} = PVE::Tools::random_ether_addr($dc->{mac_prefix});
1406 $newconf->{$opt} = PVE::LXC::Config->print_lxc_network($net);
1407 } else {
1408 # copy everything else
1409 $newconf->{$opt} = $value;
1410 }
1411 }
1412 die "can't clone CT to node '$target' (CT uses local storage)\n"
1413 if $target && !$sharedvm;
1414
1415 # Replace the 'disk' lock with a 'create' lock.
1416 $newconf->{lock} = 'create';
1417
1418 delete $newconf->{template};
1419 if ($param->{hostname}) {
1420 $newconf->{hostname} = $param->{hostname};
1421 }
1422
1423 if ($param->{description}) {
1424 $newconf->{description} = $param->{description};
1425 }
1426
1427 # create empty/temp config - this fails if CT already exists on other node
1428 PVE::LXC::Config->write_config($newid, $newconf);
1429 };
1430 if (my $err = $@) {
1431 eval { PVE::LXC::Config->remove_lock($vmid, 'disk') };
1432 warn $@ if $@;
1433 die $err;
1434 }
1435 });
1436
1437 my $update_conf = sub {
1438 my ($key, $value) = @_;
1439 return PVE::LXC::Config->lock_config($newid, sub {
1440 my $conf = PVE::LXC::Config->load_config($newid);
1441 die "Lost 'create' config lock, aborting.\n"
1442 if !PVE::LXC::Config->has_lock($conf, 'create');
1443 $conf->{$key} = $value;
1444 PVE::LXC::Config->write_config($newid, $conf);
1445 });
1446 };
1447
1448 my $realcmd = sub {
1449 my ($upid) = @_;
1450
1451 my $newvollist = [];
1452
1453 my $verify_running = PVE::LXC::check_running($vmid) || 0;
1454 die "unexpected state change\n" if $verify_running != $running;
1455
1456 eval {
1457 local $SIG{INT} =
1458 local $SIG{TERM} =
1459 local $SIG{QUIT} =
1460 local $SIG{HUP} = sub { die "interrupted by signal\n"; };
1461
1462 PVE::Storage::activate_volumes($storecfg, $vollist, $snapname);
1463
1464 foreach my $opt (keys %$mountpoints) {
1465 my $mp = $mountpoints->{$opt};
1466 my $volid = $mp->{volume};
1467
1468 my $newvolid;
1469 if ($fullclone->{$opt}) {
1470 print "create full clone of mountpoint $opt ($volid)\n";
1471 my $target_storage = $storage // PVE::Storage::parse_volume_id($volid);
1472 $newvolid = PVE::LXC::copy_volume($mp, $newid, $target_storage, $storecfg, $newconf, $snapname);
1473 } else {
1474 print "create linked clone of mount point $opt ($volid)\n";
1475 $newvolid = PVE::Storage::vdisk_clone($storecfg, $volid, $newid, $snapname);
1476 }
1477
1478 push @$newvollist, $newvolid;
1479 $mp->{volume} = $newvolid;
1480
1481 $update_conf->($opt, PVE::LXC::Config->print_ct_mountpoint($mp, $opt eq 'rootfs'));
1482 }
1483
1484 PVE::AccessControl::add_vm_to_pool($newid, $pool) if $pool;
1485 PVE::LXC::Config->remove_lock($newid, 'create');
1486
1487 if ($target) {
1488 # always deactivate volumes - avoid lvm LVs to be active on several nodes
1489 PVE::Storage::deactivate_volumes($storecfg, $vollist, $snapname) if !$running;
1490 PVE::Storage::deactivate_volumes($storecfg, $newvollist);
1491
1492 my $newconffile = PVE::LXC::Config->config_file($newid, $target);
1493 die "Failed to move config to node '$target' - rename failed: $!\n"
1494 if !rename($conffile, $newconffile);
1495 }
1496 };
1497 my $err = $@;
1498
1499 # Unlock the source config in any case:
1500 eval { PVE::LXC::Config->remove_lock($vmid, 'disk') };
1501 warn $@ if $@;
1502
1503 if ($err) {
1504 # Now cleanup the config & disks:
1505 unlink $conffile;
1506
1507 sleep 1; # some storages like rbd need to wait before release volume - really?
1508
1509 foreach my $volid (@$newvollist) {
1510 eval { PVE::Storage::vdisk_free($storecfg, $volid); };
1511 warn $@ if $@;
1512 }
1513 die "clone failed: $err";
1514 }
1515
1516 return;
1517 };
1518
1519 PVE::Firewall::clone_vmfw_conf($vmid, $newid);
1520 return $rpcenv->fork_worker('vzclone', $vmid, $authuser, $realcmd);
1521 }});
1522
1523
1524 __PACKAGE__->register_method({
1525 name => 'resize_vm',
1526 path => '{vmid}/resize',
1527 method => 'PUT',
1528 protected => 1,
1529 proxyto => 'node',
1530 description => "Resize a container mount point.",
1531 permissions => {
1532 check => ['perm', '/vms/{vmid}', ['VM.Config.Disk'], any => 1],
1533 },
1534 parameters => {
1535 additionalProperties => 0,
1536 properties => {
1537 node => get_standard_option('pve-node'),
1538 vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }),
1539 disk => {
1540 type => 'string',
1541 description => "The disk you want to resize.",
1542 enum => [PVE::LXC::Config->mountpoint_names()],
1543 },
1544 size => {
1545 type => 'string',
1546 pattern => '\+?\d+(\.\d+)?[KMGT]?',
1547 description => "The new size. With the '+' sign the value is added to the actual size of the volume and without it, the value is taken as an absolute one. Shrinking disk size is not supported.",
1548 },
1549 digest => {
1550 type => 'string',
1551 description => 'Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.',
1552 maxLength => 40,
1553 optional => 1,
1554 }
1555 },
1556 },
1557 returns => {
1558 type => 'string',
1559 description => "the task ID.",
1560 },
1561 code => sub {
1562 my ($param) = @_;
1563
1564 my $rpcenv = PVE::RPCEnvironment::get();
1565
1566 my $authuser = $rpcenv->get_user();
1567
1568 my $node = extract_param($param, 'node');
1569
1570 my $vmid = extract_param($param, 'vmid');
1571
1572 my $digest = extract_param($param, 'digest');
1573
1574 my $sizestr = extract_param($param, 'size');
1575 my $ext = ($sizestr =~ s/^\+//);
1576 my $newsize = PVE::JSONSchema::parse_size($sizestr);
1577 die "invalid size string" if !defined($newsize);
1578
1579 die "no options specified\n" if !scalar(keys %$param);
1580
1581 PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $param, []);
1582
1583 my $storage_cfg = cfs_read_file("storage.cfg");
1584
1585 my $code = sub {
1586
1587 my $conf = PVE::LXC::Config->load_config($vmid);
1588 PVE::LXC::Config->check_lock($conf);
1589
1590 PVE::Tools::assert_if_modified($digest, $conf->{digest});
1591
1592 my $running = PVE::LXC::check_running($vmid);
1593
1594 my $disk = $param->{disk};
1595 my $mp = $disk eq 'rootfs' ? PVE::LXC::Config->parse_ct_rootfs($conf->{$disk}) :
1596 PVE::LXC::Config->parse_ct_mountpoint($conf->{$disk});
1597
1598 my $volid = $mp->{volume};
1599
1600 my (undef, undef, $owner, undef, undef, undef, $format) =
1601 PVE::Storage::parse_volname($storage_cfg, $volid);
1602
1603 die "can't resize mount point owned by another container ($owner)"
1604 if $vmid != $owner;
1605
1606 die "can't resize volume: $disk if snapshot exists\n"
1607 if %{$conf->{snapshots}} && $format eq 'qcow2';
1608
1609 my ($storeid, $volname) = PVE::Storage::parse_volume_id($volid);
1610
1611 $rpcenv->check($authuser, "/storage/$storeid", ['Datastore.AllocateSpace']);
1612
1613 PVE::Storage::activate_volumes($storage_cfg, [$volid]);
1614
1615 my $size = PVE::Storage::volume_size_info($storage_cfg, $volid, 5);
1616 $newsize += $size if $ext;
1617 $newsize = int($newsize);
1618
1619 die "unable to shrink disk size\n" if $newsize < $size;
1620
1621 return if $size == $newsize;
1622
1623 PVE::Cluster::log_msg('info', $authuser, "update CT $vmid: resize --disk $disk --size $sizestr");
1624 my $realcmd = sub {
1625 # Note: PVE::Storage::volume_resize doesn't do anything if $running=1, so
1626 # we pass 0 here (parameter only makes sense for qemu)
1627 PVE::Storage::volume_resize($storage_cfg, $volid, $newsize, 0);
1628
1629 $mp->{size} = $newsize;
1630 $conf->{$disk} = PVE::LXC::Config->print_ct_mountpoint($mp, $disk eq 'rootfs');
1631
1632 PVE::LXC::Config->write_config($vmid, $conf);
1633
1634 if ($format eq 'raw') {
1635 my $path = PVE::Storage::path($storage_cfg, $volid, undef);
1636 if ($running) {
1637
1638 $mp->{mp} = '/';
1639 my $use_loopdev = (PVE::LXC::mountpoint_mount_path($mp, $storage_cfg))[1];
1640 $path = PVE::LXC::query_loopdev($path) if $use_loopdev;
1641 die "internal error: CT running but mount point not attached to a loop device"
1642 if !$path;
1643 PVE::Tools::run_command(['losetup', '--set-capacity', $path]) if $use_loopdev;
1644
1645 # In order for resize2fs to know that we need online-resizing a mountpoint needs
1646 # to be visible to it in its namespace.
1647 # To not interfere with the rest of the system we unshare the current mount namespace,
1648 # mount over /tmp and then run resize2fs.
1649
1650 # interestingly we don't need to e2fsck on mounted systems...
1651 my $quoted = PVE::Tools::shellquote($path);
1652 my $cmd = "mount --make-rprivate / && mount $quoted /tmp && resize2fs $quoted";
1653 eval {
1654 PVE::Tools::run_command(['unshare', '-m', '--', 'sh', '-c', $cmd]);
1655 };
1656 warn "Failed to update the container's filesystem: $@\n" if $@;
1657 } else {
1658 eval {
1659 PVE::Tools::run_command(['e2fsck', '-f', '-y', $path]);
1660 PVE::Tools::run_command(['resize2fs', $path]);
1661 };
1662 warn "Failed to update the container's filesystem: $@\n" if $@;
1663 }
1664 }
1665 };
1666
1667 return $rpcenv->fork_worker('resize', $vmid, $authuser, $realcmd);
1668 };
1669
1670 return PVE::LXC::Config->lock_config($vmid, $code);;
1671 }});
1672
1673 __PACKAGE__->register_method({
1674 name => 'move_volume',
1675 path => '{vmid}/move_volume',
1676 method => 'POST',
1677 protected => 1,
1678 proxyto => 'node',
1679 description => "Move a rootfs-/mp-volume to a different storage",
1680 permissions => {
1681 description => "You need 'VM.Config.Disk' permissions on /vms/{vmid}, " .
1682 "and 'Datastore.AllocateSpace' permissions on the storage.",
1683 check =>
1684 [ 'and',
1685 ['perm', '/vms/{vmid}', [ 'VM.Config.Disk' ]],
1686 ['perm', '/storage/{storage}', [ 'Datastore.AllocateSpace' ]],
1687 ],
1688 },
1689 parameters => {
1690 additionalProperties => 0,
1691 properties => {
1692 node => get_standard_option('pve-node'),
1693 vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }),
1694 volume => {
1695 type => 'string',
1696 enum => [ PVE::LXC::Config->mountpoint_names() ],
1697 description => "Volume which will be moved.",
1698 },
1699 storage => get_standard_option('pve-storage-id', {
1700 description => "Target Storage.",
1701 completion => \&PVE::Storage::complete_storage_enabled,
1702 }),
1703 delete => {
1704 type => 'boolean',
1705 description => "Delete the original volume after successful copy. By default the original is kept as an unused volume entry.",
1706 optional => 1,
1707 default => 0,
1708 },
1709 digest => {
1710 type => 'string',
1711 description => 'Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.',
1712 maxLength => 40,
1713 optional => 1,
1714 }
1715 },
1716 },
1717 returns => {
1718 type => 'string',
1719 },
1720 code => sub {
1721 my ($param) = @_;
1722
1723 my $rpcenv = PVE::RPCEnvironment::get();
1724
1725 my $authuser = $rpcenv->get_user();
1726
1727 my $vmid = extract_param($param, 'vmid');
1728
1729 my $storage = extract_param($param, 'storage');
1730
1731 my $mpkey = extract_param($param, 'volume');
1732
1733 my $lockname = 'disk';
1734
1735 my ($mpdata, $old_volid);
1736
1737 PVE::LXC::Config->lock_config($vmid, sub {
1738 my $conf = PVE::LXC::Config->load_config($vmid);
1739 PVE::LXC::Config->check_lock($conf);
1740
1741 die "cannot move volumes of a running container\n" if PVE::LXC::check_running($vmid);
1742
1743 if ($mpkey eq 'rootfs') {
1744 $mpdata = PVE::LXC::Config->parse_ct_rootfs($conf->{$mpkey});
1745 } elsif ($mpkey =~ m/mp\d+/) {
1746 $mpdata = PVE::LXC::Config->parse_ct_mountpoint($conf->{$mpkey});
1747 } else {
1748 die "Can't parse $mpkey\n";
1749 }
1750 $old_volid = $mpdata->{volume};
1751
1752 die "you can't move a volume with snapshots and delete the source\n"
1753 if $param->{delete} && PVE::LXC::Config->is_volume_in_use_by_snapshots($conf, $old_volid);
1754
1755 PVE::Tools::assert_if_modified($param->{digest}, $conf->{digest});
1756
1757 PVE::LXC::Config->set_lock($vmid, $lockname);
1758 });
1759
1760 my $realcmd = sub {
1761 eval {
1762 PVE::Cluster::log_msg('info', $authuser, "move volume CT $vmid: move --volume $mpkey --storage $storage");
1763
1764 my $conf = PVE::LXC::Config->load_config($vmid);
1765 my $storage_cfg = PVE::Storage::config();
1766
1767 my $new_volid;
1768
1769 eval {
1770 PVE::Storage::activate_volumes($storage_cfg, [ $old_volid ]);
1771 $new_volid = PVE::LXC::copy_volume($mpdata, $vmid, $storage, $storage_cfg, $conf);
1772 $mpdata->{volume} = $new_volid;
1773
1774 PVE::LXC::Config->lock_config($vmid, sub {
1775 my $digest = $conf->{digest};
1776 $conf = PVE::LXC::Config->load_config($vmid);
1777 PVE::Tools::assert_if_modified($digest, $conf->{digest});
1778
1779 $conf->{$mpkey} = PVE::LXC::Config->print_ct_mountpoint($mpdata, $mpkey eq 'rootfs');
1780
1781 PVE::LXC::Config->add_unused_volume($conf, $old_volid) if !$param->{delete};
1782
1783 PVE::LXC::Config->write_config($vmid, $conf);
1784 });
1785
1786 eval {
1787 # try to deactivate volumes - avoid lvm LVs to be active on several nodes
1788 PVE::Storage::deactivate_volumes($storage_cfg, [ $new_volid ])
1789 };
1790 warn $@ if $@;
1791 };
1792 if (my $err = $@) {
1793 eval {
1794 PVE::Storage::vdisk_free($storage_cfg, $new_volid)
1795 if defined($new_volid);
1796 };
1797 warn $@ if $@;
1798 die $err;
1799 }
1800
1801 if ($param->{delete}) {
1802 eval {
1803 PVE::Storage::deactivate_volumes($storage_cfg, [ $old_volid ]);
1804 PVE::Storage::vdisk_free($storage_cfg, $old_volid);
1805 };
1806 warn $@ if $@;
1807 }
1808 };
1809 my $err = $@;
1810 eval { PVE::LXC::Config->remove_lock($vmid, $lockname) };
1811 warn $@ if $@;
1812 die $err if $err;
1813 };
1814 my $task = eval {
1815 $rpcenv->fork_worker('move_volume', $vmid, $authuser, $realcmd);
1816 };
1817 if (my $err = $@) {
1818 eval { PVE::LXC::Config->remove_lock($vmid, $lockname) };
1819 warn $@ if $@;
1820 die $err;
1821 }
1822 return $task;
1823 }});
1824
1825 1;
PVE Container Toolkit