]> git.proxmox.com Git - pve-container.git/blob - src/PVE/API2/LXC.pm
projects / pve-container.git / blob
? search:


b929481e3a0847b46d045388fc43142fa4896c9e
[pve-container.git] / src / PVE / API2 / LXC.pm
1 package PVE::API2::LXC;
2
3 use strict;
4 use warnings;
5
6 use PVE::SafeSyslog;
7 use PVE::Tools qw(extract_param run_command);
8 use PVE::Exception qw(raise raise_param_exc raise_perm_exc);
9 use PVE::INotify;
10 use PVE::Cluster qw(cfs_read_file);
11 use PVE::RRD;
12 use PVE::DataCenterConfig;
13 use PVE::AccessControl;
14 use PVE::Firewall;
15 use PVE::Storage;
16 use PVE::RESTHandler;
17 use PVE::RPCEnvironment;
18 use PVE::ReplicationConfig;
19 use PVE::LXC;
20 use PVE::LXC::Create;
21 use PVE::LXC::Migrate;
22 use PVE::GuestHelpers;
23 use PVE::VZDump::Plugin;
24 use PVE::API2::LXC::Config;
25 use PVE::API2::LXC::Status;
26 use PVE::API2::LXC::Snapshot;
27 use PVE::JSONSchema qw(get_standard_option);
28 use base qw(PVE::RESTHandler);
29
30 BEGIN {
31 if (!$ENV{PVE_GENERATING_DOCS}) {
32 require PVE::HA::Env::PVE2;
33 import PVE::HA::Env::PVE2;
34 require PVE::HA::Config;
35 import PVE::HA::Config;
36 }
37 }
38
39 __PACKAGE__->register_method ({
40 subclass => "PVE::API2::LXC::Config",
41 path => '{vmid}/config',
42 });
43
44 __PACKAGE__->register_method ({
45 subclass => "PVE::API2::LXC::Status",
46 path => '{vmid}/status',
47 });
48
49 __PACKAGE__->register_method ({
50 subclass => "PVE::API2::LXC::Snapshot",
51 path => '{vmid}/snapshot',
52 });
53
54 __PACKAGE__->register_method ({
55 subclass => "PVE::API2::Firewall::CT",
56 path => '{vmid}/firewall',
57 });
58
59 __PACKAGE__->register_method({
60 name => 'vmlist',
61 path => '',
62 method => 'GET',
63 description => "LXC container index (per node).",
64 permissions => {
65 description => "Only list CTs where you have VM.Audit permissons on /vms/<vmid>.",
66 user => 'all',
67 },
68 proxyto => 'node',
69 protected => 1, # /proc files are only readable by root
70 parameters => {
71 additionalProperties => 0,
72 properties => {
73 node => get_standard_option('pve-node'),
74 },
75 },
76 returns => {
77 type => 'array',
78 items => {
79 type => "object",
80 properties => $PVE::LXC::vmstatus_return_properties,
81 },
82 links => [ { rel => 'child', href => "{vmid}" } ],
83 },
84 code => sub {
85 my ($param) = @_;
86
87 my $rpcenv = PVE::RPCEnvironment::get();
88 my $authuser = $rpcenv->get_user();
89
90 my $vmstatus = PVE::LXC::vmstatus();
91
92 my $res = [];
93 foreach my $vmid (keys %$vmstatus) {
94 next if !$rpcenv->check($authuser, "/vms/$vmid", [ 'VM.Audit' ], 1);
95
96 my $data = $vmstatus->{$vmid};
97 push @$res, $data;
98 }
99
100 return $res;
101
102 }});
103
104 __PACKAGE__->register_method({
105 name => 'create_vm',
106 path => '',
107 method => 'POST',
108 description => "Create or restore a container.",
109 permissions => {
110 user => 'all', # check inside
111 description => "You need 'VM.Allocate' permissions on /vms/{vmid} or on the VM pool /pool/{pool}. " .
112 "For restore, it is enough if the user has 'VM.Backup' permission and the VM already exists. " .
113 "You also need 'Datastore.AllocateSpace' permissions on the storage.",
114 },
115 protected => 1,
116 proxyto => 'node',
117 parameters => {
118 additionalProperties => 0,
119 properties => PVE::LXC::Config->json_config_properties({
120 node => get_standard_option('pve-node'),
121 vmid => get_standard_option('pve-vmid', { completion => \&PVE::Cluster::complete_next_vmid }),
122 ostemplate => {
123 description => "The OS template or backup file.",
124 type => 'string',
125 maxLength => 255,
126 completion => \&PVE::LXC::complete_os_templates,
127 },
128 password => {
129 optional => 1,
130 type => 'string',
131 description => "Sets root password inside container.",
132 minLength => 5,
133 },
134 storage => get_standard_option('pve-storage-id', {
135 description => "Default Storage.",
136 default => 'local',
137 optional => 1,
138 completion => \&PVE::Storage::complete_storage_enabled,
139 }),
140 force => {
141 optional => 1,
142 type => 'boolean',
143 description => "Allow to overwrite existing container.",
144 },
145 restore => {
146 optional => 1,
147 type => 'boolean',
148 description => "Mark this as restore task.",
149 },
150 unique => {
151 optional => 1,
152 type => 'boolean',
153 description => "Assign a unique random ethernet address.",
154 requires => 'restore',
155 },
156 pool => {
157 optional => 1,
158 type => 'string', format => 'pve-poolid',
159 description => "Add the VM to the specified pool.",
160 },
161 'ignore-unpack-errors' => {
162 optional => 1,
163 type => 'boolean',
164 description => "Ignore errors when extracting the template.",
165 },
166 'ssh-public-keys' => {
167 optional => 1,
168 type => 'string',
169 description => "Setup public SSH keys (one key per line, " .
170 "OpenSSH format).",
171 },
172 bwlimit => {
173 description => "Override I/O bandwidth limit (in KiB/s).",
174 optional => 1,
175 type => 'number',
176 minimum => '0',
177 default => 'restore limit from datacenter or storage config',
178 },
179 start => {
180 optional => 1,
181 type => 'boolean',
182 default => 0,
183 description => "Start the CT after its creation finished successfully.",
184 },
185 }),
186 },
187 returns => {
188 type => 'string',
189 },
190 code => sub {
191 my ($param) = @_;
192
193 PVE::Cluster::check_cfs_quorum();
194
195 my $rpcenv = PVE::RPCEnvironment::get();
196 my $authuser = $rpcenv->get_user();
197
198 my $node = extract_param($param, 'node');
199 my $vmid = extract_param($param, 'vmid');
200 my $ignore_unpack_errors = extract_param($param, 'ignore-unpack-errors');
201 my $bwlimit = extract_param($param, 'bwlimit');
202 my $start_after_create = extract_param($param, 'start');
203
204 my $basecfg_fn = PVE::LXC::Config->config_file($vmid);
205 my $same_container_exists = -f $basecfg_fn;
206
207 # 'unprivileged' is read-only, so we can't pass it to update_pct_config
208 my $unprivileged = extract_param($param, 'unprivileged');
209 my $restore = extract_param($param, 'restore');
210 my $unique = extract_param($param, 'unique');
211
212 # used to skip firewall config restore if user lacks permission
213 my $skip_fw_config_restore = 0;
214
215 if ($restore) {
216 # fixme: limit allowed parameters
217 }
218
219 my $force = extract_param($param, 'force');
220
221 if (!($same_container_exists && $restore && $force)) {
222 PVE::Cluster::check_vmid_unused($vmid);
223 } else {
224 die "can't overwrite running container\n" if PVE::LXC::check_running($vmid);
225 my $conf = PVE::LXC::Config->load_config($vmid);
226 PVE::LXC::Config->check_protection($conf, "unable to restore CT $vmid");
227 }
228
229 my $password = extract_param($param, 'password');
230 my $ssh_keys = extract_param($param, 'ssh-public-keys');
231 PVE::Tools::validate_ssh_public_keys($ssh_keys) if defined($ssh_keys);
232
233 my $pool = extract_param($param, 'pool');
234 if (defined($pool)) {
235 $rpcenv->check_pool_exist($pool);
236 $rpcenv->check_perm_modify($authuser, "/pool/$pool");
237 }
238
239 if ($rpcenv->check($authuser, "/vms/$vmid", ['VM.Allocate'], 1)) {
240 # OK
241 } elsif ($pool && $rpcenv->check($authuser, "/pool/$pool", ['VM.Allocate'], 1)) {
242 # OK
243 } elsif ($restore && $force && $same_container_exists &&
244 $rpcenv->check($authuser, "/vms/$vmid", ['VM.Backup'], 1)) {
245 # OK: user has VM.Backup permissions, and want to restore an existing VM
246
247 # we don't want to restore a container-provided FW conf in this case
248 # since the user is lacking permission to configure the container's FW
249 $skip_fw_config_restore = 1;
250 } else {
251 raise_perm_exc();
252 }
253
254 my $ostemplate = extract_param($param, 'ostemplate');
255 my $storage = extract_param($param, 'storage') // 'local';
256
257 PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, $pool, $param, []);
258
259 my $storage_cfg = cfs_read_file("storage.cfg");
260
261 my $archive;
262 if ($ostemplate eq '-') {
263 die "pipe requires cli environment\n"
264 if $rpcenv->{type} ne 'cli';
265 die "pipe can only be used with restore tasks\n"
266 if !$restore;
267 $archive = '-';
268 die "restore from pipe requires rootfs parameter\n" if !defined($param->{rootfs});
269 } else {
270 PVE::Storage::check_volume_access($rpcenv, $authuser, $storage_cfg, $vmid, $ostemplate);
271 $archive = $ostemplate;
272 }
273
274 my %used_storages;
275 my $check_and_activate_storage = sub {
276 my ($sid) = @_;
277
278 my $scfg = PVE::Storage::storage_check_enabled($storage_cfg, $sid, $node);
279
280 raise_param_exc({ storage => "storage '$sid' does not support container directories"})
281 if !$scfg->{content}->{rootdir};
282
283 $rpcenv->check($authuser, "/storage/$sid", ['Datastore.AllocateSpace']);
284
285 PVE::Storage::activate_storage($storage_cfg, $sid);
286 $used_storages{$sid} = 1;
287 };
288
289 my $conf = {};
290
291 my $is_root = $authuser eq 'root@pam';
292
293 my $no_disk_param = {};
294 my $mp_param = {};
295 my $storage_only_mode = 1;
296 foreach my $opt (keys %$param) {
297 my $value = $param->{$opt};
298 if ($opt eq 'rootfs' || $opt =~ m/^mp\d+$/) {
299 # allow to use simple numbers (add default storage in that case)
300 if ($value =~ m/^\d+(\.\d+)?$/) {
301 $mp_param->{$opt} = "$storage:$value";
302 } else {
303 $mp_param->{$opt} = $value;
304 }
305 $storage_only_mode = 0;
306 } elsif ($opt =~ m/^unused\d+$/) {
307 warn "ignoring '$opt', cannot create/restore with unused volume\n";
308 delete $param->{$opt};
309 } else {
310 $no_disk_param->{$opt} = $value;
311 }
312 }
313
314 die "mount points configured, but 'rootfs' not set - aborting\n"
315 if !$storage_only_mode && !defined($mp_param->{rootfs});
316
317 # check storage access, activate storage
318 my $delayed_mp_param = {};
319 PVE::LXC::Config->foreach_volume($mp_param, sub {
320 my ($ms, $mountpoint) = @_;
321
322 my $volid = $mountpoint->{volume};
323 my $mp = $mountpoint->{mp};
324
325 if ($mountpoint->{type} ne 'volume') { # bind or device
326 die "Only root can pass arbitrary filesystem paths.\n"
327 if !$is_root;
328 } else {
329 my ($sid, $volname) = PVE::Storage::parse_volume_id($volid);
330 &$check_and_activate_storage($sid);
331 }
332 });
333
334 # check/activate default storage
335 &$check_and_activate_storage($storage) if !defined($mp_param->{rootfs});
336
337 PVE::LXC::Config->update_pct_config($vmid, $conf, 0, $no_disk_param);
338
339 $conf->{unprivileged} = 1 if $unprivileged;
340
341 my $emsg = $restore ? "unable to restore CT $vmid -" : "unable to create CT $vmid -";
342
343 eval { PVE::LXC::Config->create_and_lock_config($vmid, $force) };
344 die "$emsg $@" if $@;
345
346 my $code = sub {
347 my $old_conf = PVE::LXC::Config->load_config($vmid);
348 my $was_template;
349
350 my $vollist = [];
351 eval {
352 my $orig_mp_param; # only used if $restore
353 if ($restore) {
354 die "can't overwrite running container\n" if PVE::LXC::check_running($vmid);
355 if ($archive ne '-') {
356 my $orig_conf;
357 print "recovering backed-up configuration from '$archive'\n";
358 ($orig_conf, $orig_mp_param) = PVE::LXC::Create::recover_config($storage_cfg, $archive, $vmid);
359
360 $was_template = delete $orig_conf->{template};
361
362 # When we're root call 'restore_configuration' with restricted=0,
363 # causing it to restore the raw lxc entries, among which there may be
364 # 'lxc.idmap' entries. We need to make sure that the extracted contents
365 # of the container match up with the restored configuration afterwards:
366 $conf->{lxc} = $orig_conf->{lxc} if $is_root;
367
368 $conf->{unprivileged} = $orig_conf->{unprivileged}
369 if !defined($unprivileged) && defined($orig_conf->{unprivileged});
370 }
371 }
372 if ($storage_only_mode) {
373 if ($restore) {
374 if (!defined($orig_mp_param)) {
375 print "recovering backed-up configuration from '$archive'\n";
376 (undef, $orig_mp_param) = PVE::LXC::Create::recover_config($storage_cfg, $archive, $vmid);
377 }
378 $mp_param = $orig_mp_param;
379 die "rootfs configuration could not be recovered, please check and specify manually!\n"
380 if !defined($mp_param->{rootfs});
381 PVE::LXC::Config->foreach_volume($mp_param, sub {
382 my ($ms, $mountpoint) = @_;
383 my $type = $mountpoint->{type};
384 if ($type eq 'volume') {
385 die "unable to detect disk size - please specify $ms (size)\n"
386 if !defined($mountpoint->{size});
387 my $disksize = $mountpoint->{size} / (1024 * 1024 * 1024); # create_disks expects GB as unit size
388 delete $mountpoint->{size};
389 $mountpoint->{volume} = "$storage:$disksize";
390 $mp_param->{$ms} = PVE::LXC::Config->print_ct_mountpoint($mountpoint, $ms eq 'rootfs');
391 } else {
392 my $type = $mountpoint->{type};
393 die "restoring rootfs to $type mount is only possible by specifying -rootfs manually!\n"
394 if ($ms eq 'rootfs');
395 die "restoring '$ms' to $type mount is only possible for root\n"
396 if !$is_root;
397
398 if ($mountpoint->{backup}) {
399 warn "WARNING - unsupported configuration!\n";
400 warn "backup was enabled for $type mount point $ms ('$mountpoint->{mp}')\n";
401 warn "mount point configuration will be restored after archive extraction!\n";
402 warn "contained files will be restored to wrong directory!\n";
403 }
404 delete $mp_param->{$ms}; # actually delay bind/dev mps
405 $delayed_mp_param->{$ms} = PVE::LXC::Config->print_ct_mountpoint($mountpoint, $ms eq 'rootfs');
406 }
407 });
408 } else {
409 $mp_param->{rootfs} = "$storage:4"; # defaults to 4GB
410 }
411 }
412
413 $vollist = PVE::LXC::create_disks($storage_cfg, $vmid, $mp_param, $conf);
414
415 # we always have the 'create' lock so check for more than 1 entry
416 if (scalar(keys %$old_conf) > 1) {
417 # destroy old container volumes
418 PVE::LXC::destroy_lxc_container($storage_cfg, $vmid, $old_conf, { lock => 'create' });
419 }
420
421 eval {
422 my $rootdir = PVE::LXC::mount_all($vmid, $storage_cfg, $conf, 1);
423 $bwlimit = PVE::Storage::get_bandwidth_limit('restore', [keys %used_storages], $bwlimit);
424 print "restoring '$archive' now..\n"
425 if $restore && $archive ne '-';
426 PVE::LXC::Create::restore_archive($storage_cfg, $archive, $rootdir, $conf, $ignore_unpack_errors, $bwlimit);
427
428 if ($restore) {
429 print "merging backed-up and given configuration..\n";
430 PVE::LXC::Create::restore_configuration($vmid, $storage_cfg, $archive, $rootdir, $conf, !$is_root, $unique, $skip_fw_config_restore);
431 my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir);
432 $lxc_setup->template_fixup($conf);
433 } else {
434 my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir); # detect OS
435 PVE::LXC::Config->write_config($vmid, $conf); # safe config (after OS detection)
436 $lxc_setup->post_create_hook($password, $ssh_keys);
437 }
438 };
439 my $err = $@;
440 PVE::LXC::umount_all($vmid, $storage_cfg, $conf, $err ? 1 : 0);
441 PVE::Storage::deactivate_volumes($storage_cfg, PVE::LXC::Config->get_vm_volumes($conf));
442 die $err if $err;
443 # set some defaults
444 $conf->{hostname} ||= "CT$vmid";
445 $conf->{memory} ||= 512;
446 $conf->{swap} //= 512;
447 foreach my $mp (keys %$delayed_mp_param) {
448 $conf->{$mp} = $delayed_mp_param->{$mp};
449 }
450 # If the template flag was set, we try to convert again to template after restore
451 if ($was_template) {
452 print STDERR "Convert restored container to template...\n";
453 PVE::LXC::template_create($vmid, $conf);
454 $conf->{template} = 1;
455 }
456 PVE::LXC::Config->write_config($vmid, $conf);
457 };
458 if (my $err = $@) {
459 PVE::LXC::destroy_disks($storage_cfg, $vollist);
460 eval { PVE::LXC::Config->destroy_config($vmid) };
461 warn $@ if $@;
462 die "$emsg $err";
463 }
464 PVE::AccessControl::add_vm_to_pool($vmid, $pool) if $pool;
465
466 PVE::API2::LXC::Status->vm_start({ vmid => $vmid, node => $node })
467 if $start_after_create;
468 };
469
470 my $workername = $restore ? 'vzrestore' : 'vzcreate';
471 my $realcmd = sub { PVE::LXC::Config->lock_config($vmid, $code); };
472
473 return $rpcenv->fork_worker($workername, $vmid, $authuser, $realcmd);
474 }});
475
476 __PACKAGE__->register_method({
477 name => 'vmdiridx',
478 path => '{vmid}',
479 method => 'GET',
480 proxyto => 'node',
481 description => "Directory index",
482 permissions => {
483 user => 'all',
484 },
485 parameters => {
486 additionalProperties => 0,
487 properties => {
488 node => get_standard_option('pve-node'),
489 vmid => get_standard_option('pve-vmid'),
490 },
491 },
492 returns => {
493 type => 'array',
494 items => {
495 type => "object",
496 properties => {
497 subdir => { type => 'string' },
498 },
499 },
500 links => [ { rel => 'child', href => "{subdir}" } ],
501 },
502 code => sub {
503 my ($param) = @_;
504
505 # test if VM exists
506 my $conf = PVE::LXC::Config->load_config($param->{vmid});
507
508 my $res = [
509 { subdir => 'config' },
510 { subdir => 'pending' },
511 { subdir => 'status' },
512 { subdir => 'vncproxy' },
513 { subdir => 'termproxy' },
514 { subdir => 'vncwebsocket' },
515 { subdir => 'spiceproxy' },
516 { subdir => 'migrate' },
517 { subdir => 'clone' },
518 # { subdir => 'initlog' },
519 { subdir => 'rrd' },
520 { subdir => 'rrddata' },
521 { subdir => 'firewall' },
522 { subdir => 'snapshot' },
523 { subdir => 'resize' },
524 ];
525
526 return $res;
527 }});
528
529
530 __PACKAGE__->register_method({
531 name => 'rrd',
532 path => '{vmid}/rrd',
533 method => 'GET',
534 protected => 1, # fixme: can we avoid that?
535 permissions => {
536 check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
537 },
538 description => "Read VM RRD statistics (returns PNG)",
539 parameters => {
540 additionalProperties => 0,
541 properties => {
542 node => get_standard_option('pve-node'),
543 vmid => get_standard_option('pve-vmid'),
544 timeframe => {
545 description => "Specify the time frame you are interested in.",
546 type => 'string',
547 enum => [ 'hour', 'day', 'week', 'month', 'year' ],
548 },
549 ds => {
550 description => "The list of datasources you want to display.",
551 type => 'string', format => 'pve-configid-list',
552 },
553 cf => {
554 description => "The RRD consolidation function",
555 type => 'string',
556 enum => [ 'AVERAGE', 'MAX' ],
557 optional => 1,
558 },
559 },
560 },
561 returns => {
562 type => "object",
563 properties => {
564 filename => { type => 'string' },
565 },
566 },
567 code => sub {
568 my ($param) = @_;
569
570 return PVE::RRD::create_rrd_graph(
571 "pve2-vm/$param->{vmid}", $param->{timeframe},
572 $param->{ds}, $param->{cf});
573
574 }});
575
576 __PACKAGE__->register_method({
577 name => 'rrddata',
578 path => '{vmid}/rrddata',
579 method => 'GET',
580 protected => 1, # fixme: can we avoid that?
581 permissions => {
582 check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
583 },
584 description => "Read VM RRD statistics",
585 parameters => {
586 additionalProperties => 0,
587 properties => {
588 node => get_standard_option('pve-node'),
589 vmid => get_standard_option('pve-vmid'),
590 timeframe => {
591 description => "Specify the time frame you are interested in.",
592 type => 'string',
593 enum => [ 'hour', 'day', 'week', 'month', 'year' ],
594 },
595 cf => {
596 description => "The RRD consolidation function",
597 type => 'string',
598 enum => [ 'AVERAGE', 'MAX' ],
599 optional => 1,
600 },
601 },
602 },
603 returns => {
604 type => "array",
605 items => {
606 type => "object",
607 properties => {},
608 },
609 },
610 code => sub {
611 my ($param) = @_;
612
613 return PVE::RRD::create_rrd_data(
614 "pve2-vm/$param->{vmid}", $param->{timeframe}, $param->{cf});
615 }});
616
617 __PACKAGE__->register_method({
618 name => 'destroy_vm',
619 path => '{vmid}',
620 method => 'DELETE',
621 protected => 1,
622 proxyto => 'node',
623 description => "Destroy the container (also delete all uses files).",
624 permissions => {
625 check => [ 'perm', '/vms/{vmid}', ['VM.Allocate']],
626 },
627 parameters => {
628 additionalProperties => 0,
629 properties => {
630 node => get_standard_option('pve-node'),
631 vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid_stopped }),
632 force => {
633 type => 'boolean',
634 description => "Force destroy, even if running.",
635 default => 0,
636 optional => 1,
637 },
638 purge => {
639 type => 'boolean',
640 description => "Remove container from all related configurations."
641 ." For example, backup jobs, replication jobs or HA."
642 ." Related ACLs and Firewall entries will *always* be removed.",
643 default => 0,
644 optional => 1,
645 },
646 'destroy-unreferenced-disks' => {
647 type => 'boolean',
648 description => "If set, destroy additionally all disks with the VMID from all"
649 ." enabled storages which are not referenced in the config.",
650 optional => 1,
651 },
652 },
653 },
654 returns => {
655 type => 'string',
656 },
657 code => sub {
658 my ($param) = @_;
659
660 my $rpcenv = PVE::RPCEnvironment::get();
661 my $authuser = $rpcenv->get_user();
662 my $vmid = $param->{vmid};
663
664 # test if container exists
665
666 my $conf = PVE::LXC::Config->load_config($vmid);
667 my $early_checks = sub {
668 my ($conf) = @_;
669 PVE::LXC::Config->check_protection($conf, "can't remove CT $vmid");
670 PVE::LXC::Config->check_lock($conf);
671
672 my $ha_managed = PVE::HA::Config::service_is_configured("ct:$vmid");
673
674 if (!$param->{purge}) {
675 die "unable to remove CT $vmid - used in HA resources and purge parameter not set.\n"
676 if $ha_managed;
677
678 # do not allow destroy if there are replication jobs without purge
679 my $repl_conf = PVE::ReplicationConfig->new();
680 $repl_conf->check_for_existing_jobs($vmid);
681 }
682
683 return $ha_managed;
684 };
685
686 $early_checks->($conf);
687
688 my $running_error_msg = "unable to destroy CT $vmid - container is running\n";
689 die $running_error_msg if !$param->{force} && PVE::LXC::check_running($vmid); # check early
690
691 my $code = sub {
692 # reload config after lock
693 $conf = PVE::LXC::Config->load_config($vmid);
694 my $ha_managed = $early_checks->($conf);
695
696 if (PVE::LXC::check_running($vmid)) {
697 die $running_error_msg if !$param->{force};
698 warn "forced to stop CT $vmid before destroying!\n";
699 if (!$ha_managed) {
700 PVE::LXC::vm_stop($vmid, 1);
701 } else {
702 run_command(['ha-manager', 'crm-command', 'stop', "ct:$vmid", '120']);
703 }
704 }
705
706 my $storage_cfg = cfs_read_file("storage.cfg");
707 PVE::LXC::destroy_lxc_container(
708 $storage_cfg,
709 $vmid,
710 $conf,
711 { lock => 'destroyed' },
712 $param->{'destroy-unreferenced-disks'},
713 );
714
715 PVE::AccessControl::remove_vm_access($vmid);
716 PVE::Firewall::remove_vmfw_conf($vmid);
717 if ($param->{purge}) {
718 print "purging CT $vmid from related configurations..\n";
719 PVE::ReplicationConfig::remove_vmid_jobs($vmid);
720 PVE::VZDump::Plugin::remove_vmid_from_backup_jobs($vmid);
721
722 if ($ha_managed) {
723 PVE::HA::Config::delete_service_from_config("ct:$vmid");
724 print "NOTE: removed CT $vmid from HA resource configuration.\n";
725 }
726 }
727
728 # only now remove the zombie config, else we can have reuse race
729 PVE::LXC::Config->destroy_config($vmid);
730 };
731
732 my $realcmd = sub { PVE::LXC::Config->lock_config($vmid, $code); };
733
734 return $rpcenv->fork_worker('vzdestroy', $vmid, $authuser, $realcmd);
735 }});
736
737 my $sslcert;
738
739 __PACKAGE__->register_method ({
740 name => 'vncproxy',
741 path => '{vmid}/vncproxy',
742 method => 'POST',
743 protected => 1,
744 permissions => {
745 check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
746 },
747 description => "Creates a TCP VNC proxy connections.",
748 parameters => {
749 additionalProperties => 0,
750 properties => {
751 node => get_standard_option('pve-node'),
752 vmid => get_standard_option('pve-vmid'),
753 websocket => {
754 optional => 1,
755 type => 'boolean',
756 description => "use websocket instead of standard VNC.",
757 },
758 width => {
759 optional => 1,
760 description => "sets the width of the console in pixels.",
761 type => 'integer',
762 minimum => 16,
763 maximum => 4096,
764 },
765 height => {
766 optional => 1,
767 description => "sets the height of the console in pixels.",
768 type => 'integer',
769 minimum => 16,
770 maximum => 2160,
771 },
772 },
773 },
774 returns => {
775 additionalProperties => 0,
776 properties => {
777 user => { type => 'string' },
778 ticket => { type => 'string' },
779 cert => { type => 'string' },
780 port => { type => 'integer' },
781 upid => { type => 'string' },
782 },
783 },
784 code => sub {
785 my ($param) = @_;
786
787 my $rpcenv = PVE::RPCEnvironment::get();
788
789 my $authuser = $rpcenv->get_user();
790
791 my $vmid = $param->{vmid};
792 my $node = $param->{node};
793
794 my $authpath = "/vms/$vmid";
795
796 my $ticket = PVE::AccessControl::assemble_vnc_ticket($authuser, $authpath);
797
798 $sslcert = PVE::Tools::file_get_contents("/etc/pve/pve-root-ca.pem", 8192)
799 if !$sslcert;
800
801 my ($remip, $family);
802
803 if ($node ne PVE::INotify::nodename()) {
804 ($remip, $family) = PVE::Cluster::remote_node_ip($node);
805 } else {
806 $family = PVE::Tools::get_host_address_family($node);
807 }
808
809 my $port = PVE::Tools::next_vnc_port($family);
810
811 # NOTE: vncterm VNC traffic is already TLS encrypted,
812 # so we select the fastest chipher here (or 'none'?)
813 my $remcmd = $remip ?
814 ['/usr/bin/ssh', '-e', 'none', '-t', $remip] : [];
815
816 my $conf = PVE::LXC::Config->load_config($vmid, $node);
817 my $concmd = PVE::LXC::get_console_command($vmid, $conf, -1);
818
819 my $shcmd = [ '/usr/bin/dtach', '-A',
820 "/var/run/dtach/vzctlconsole$vmid",
821 '-r', 'winch', '-z', @$concmd];
822
823 my $realcmd = sub {
824 my $upid = shift;
825
826 syslog ('info', "starting lxc vnc proxy $upid\n");
827
828 my $timeout = 10;
829
830 my $cmd = ['/usr/bin/vncterm', '-rfbport', $port,
831 '-timeout', $timeout, '-authpath', $authpath,
832 '-perm', 'VM.Console'];
833
834 if ($param->{width}) {
835 push @$cmd, '-width', $param->{width};
836 }
837
838 if ($param->{height}) {
839 push @$cmd, '-height', $param->{height};
840 }
841
842 if ($param->{websocket}) {
843 $ENV{PVE_VNC_TICKET} = $ticket; # pass ticket to vncterm
844 push @$cmd, '-notls', '-listen', 'localhost';
845 }
846
847 push @$cmd, '-c', @$remcmd, @$shcmd;
848
849 run_command($cmd, keeplocale => 1);
850
851 return;
852 };
853
854 my $upid = $rpcenv->fork_worker('vncproxy', $vmid, $authuser, $realcmd);
855
856 PVE::Tools::wait_for_vnc_port($port);
857
858 return {
859 user => $authuser,
860 ticket => $ticket,
861 port => $port,
862 upid => $upid,
863 cert => $sslcert,
864 };
865 }});
866
867 __PACKAGE__->register_method ({
868 name => 'termproxy',
869 path => '{vmid}/termproxy',
870 method => 'POST',
871 protected => 1,
872 permissions => {
873 check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
874 },
875 description => "Creates a TCP proxy connection.",
876 parameters => {
877 additionalProperties => 0,
878 properties => {
879 node => get_standard_option('pve-node'),
880 vmid => get_standard_option('pve-vmid'),
881 },
882 },
883 returns => {
884 additionalProperties => 0,
885 properties => {
886 user => { type => 'string' },
887 ticket => { type => 'string' },
888 port => { type => 'integer' },
889 upid => { type => 'string' },
890 },
891 },
892 code => sub {
893 my ($param) = @_;
894
895 my $rpcenv = PVE::RPCEnvironment::get();
896
897 my $authuser = $rpcenv->get_user();
898
899 my $vmid = $param->{vmid};
900 my $node = $param->{node};
901
902 my $authpath = "/vms/$vmid";
903
904 my $ticket = PVE::AccessControl::assemble_vnc_ticket($authuser, $authpath);
905
906 my ($remip, $family);
907
908 if ($node ne 'localhost' && $node ne PVE::INotify::nodename()) {
909 ($remip, $family) = PVE::Cluster::remote_node_ip($node);
910 } else {
911 $family = PVE::Tools::get_host_address_family($node);
912 }
913
914 my $port = PVE::Tools::next_vnc_port($family);
915
916 my $remcmd = $remip ?
917 ['/usr/bin/ssh', '-e', 'none', '-t', $remip, '--'] : [];
918
919 my $conf = PVE::LXC::Config->load_config($vmid, $node);
920 my $concmd = PVE::LXC::get_console_command($vmid, $conf, -1);
921
922 my $shcmd = [ '/usr/bin/dtach', '-A',
923 "/var/run/dtach/vzctlconsole$vmid",
924 '-r', 'winch', '-z', @$concmd];
925
926 my $realcmd = sub {
927 my $upid = shift;
928
929 syslog ('info', "starting lxc termproxy $upid\n");
930
931 my $cmd = ['/usr/bin/termproxy', $port, '--path', $authpath,
932 '--perm', 'VM.Console', '--'];
933 push @$cmd, @$remcmd, @$shcmd;
934
935 PVE::Tools::run_command($cmd);
936 };
937
938 my $upid = $rpcenv->fork_worker('vncproxy', $vmid, $authuser, $realcmd, 1);
939
940 PVE::Tools::wait_for_vnc_port($port);
941
942 return {
943 user => $authuser,
944 ticket => $ticket,
945 port => $port,
946 upid => $upid,
947 };
948 }});
949
950 __PACKAGE__->register_method({
951 name => 'vncwebsocket',
952 path => '{vmid}/vncwebsocket',
953 method => 'GET',
954 permissions => {
955 description => "You also need to pass a valid ticket (vncticket).",
956 check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
957 },
958 description => "Opens a weksocket for VNC traffic.",
959 parameters => {
960 additionalProperties => 0,
961 properties => {
962 node => get_standard_option('pve-node'),
963 vmid => get_standard_option('pve-vmid'),
964 vncticket => {
965 description => "Ticket from previous call to vncproxy.",
966 type => 'string',
967 maxLength => 512,
968 },
969 port => {
970 description => "Port number returned by previous vncproxy call.",
971 type => 'integer',
972 minimum => 5900,
973 maximum => 5999,
974 },
975 },
976 },
977 returns => {
978 type => "object",
979 properties => {
980 port => { type => 'string' },
981 },
982 },
983 code => sub {
984 my ($param) = @_;
985
986 my $rpcenv = PVE::RPCEnvironment::get();
987
988 my $authuser = $rpcenv->get_user();
989
990 my $authpath = "/vms/$param->{vmid}";
991
992 PVE::AccessControl::verify_vnc_ticket($param->{vncticket}, $authuser, $authpath);
993
994 my $port = $param->{port};
995
996 return { port => $port };
997 }});
998
999 __PACKAGE__->register_method ({
1000 name => 'spiceproxy',
1001 path => '{vmid}/spiceproxy',
1002 method => 'POST',
1003 protected => 1,
1004 proxyto => 'node',
1005 permissions => {
1006 check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
1007 },
1008 description => "Returns a SPICE configuration to connect to the CT.",
1009 parameters => {
1010 additionalProperties => 0,
1011 properties => {
1012 node => get_standard_option('pve-node'),
1013 vmid => get_standard_option('pve-vmid'),
1014 proxy => get_standard_option('spice-proxy', { optional => 1 }),
1015 },
1016 },
1017 returns => get_standard_option('remote-viewer-config'),
1018 code => sub {
1019 my ($param) = @_;
1020
1021 my $vmid = $param->{vmid};
1022 my $node = $param->{node};
1023 my $proxy = $param->{proxy};
1024
1025 my $authpath = "/vms/$vmid";
1026 my $permissions = 'VM.Console';
1027
1028 my $conf = PVE::LXC::Config->load_config($vmid);
1029
1030 die "CT $vmid not running\n" if !PVE::LXC::check_running($vmid);
1031
1032 my $concmd = PVE::LXC::get_console_command($vmid, $conf);
1033
1034 my $shcmd = ['/usr/bin/dtach', '-A',
1035 "/var/run/dtach/vzctlconsole$vmid",
1036 '-r', 'winch', '-z', @$concmd];
1037
1038 my $title = "CT $vmid";
1039
1040 return PVE::API2Tools::run_spiceterm($authpath, $permissions, $vmid, $node, $proxy, $title, $shcmd);
1041 }});
1042
1043
1044 __PACKAGE__->register_method({
1045 name => 'migrate_vm',
1046 path => '{vmid}/migrate',
1047 method => 'POST',
1048 protected => 1,
1049 proxyto => 'node',
1050 description => "Migrate the container to another node. Creates a new migration task.",
1051 permissions => {
1052 check => ['perm', '/vms/{vmid}', [ 'VM.Migrate' ]],
1053 },
1054 parameters => {
1055 additionalProperties => 0,
1056 properties => {
1057 node => get_standard_option('pve-node'),
1058 vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }),
1059 target => get_standard_option('pve-node', {
1060 description => "Target node.",
1061 completion => \&PVE::Cluster::complete_migration_target,
1062 }),
1063 online => {
1064 type => 'boolean',
1065 description => "Use online/live migration.",
1066 optional => 1,
1067 },
1068 restart => {
1069 type => 'boolean',
1070 description => "Use restart migration",
1071 optional => 1,
1072 },
1073 timeout => {
1074 type => 'integer',
1075 description => "Timeout in seconds for shutdown for restart migration",
1076 optional => 1,
1077 default => 180,
1078 },
1079 bwlimit => {
1080 description => "Override I/O bandwidth limit (in KiB/s).",
1081 optional => 1,
1082 type => 'number',
1083 minimum => '0',
1084 default => 'migrate limit from datacenter or storage config',
1085 },
1086 },
1087 },
1088 returns => {
1089 type => 'string',
1090 description => "the task ID.",
1091 },
1092 code => sub {
1093 my ($param) = @_;
1094
1095 my $rpcenv = PVE::RPCEnvironment::get();
1096
1097 my $authuser = $rpcenv->get_user();
1098
1099 my $target = extract_param($param, 'target');
1100
1101 my $localnode = PVE::INotify::nodename();
1102 raise_param_exc({ target => "target is local node."}) if $target eq $localnode;
1103
1104 PVE::Cluster::check_cfs_quorum();
1105
1106 PVE::Cluster::check_node_exists($target);
1107
1108 my $targetip = PVE::Cluster::remote_node_ip($target);
1109
1110 my $vmid = extract_param($param, 'vmid');
1111
1112 # test if VM exists
1113 PVE::LXC::Config->load_config($vmid);
1114
1115 # try to detect errors early
1116 if (PVE::LXC::check_running($vmid)) {
1117 die "can't migrate running container without --online or --restart\n"
1118 if !$param->{online} && !$param->{restart};
1119 }
1120
1121 if (PVE::HA::Config::vm_is_ha_managed($vmid) && $rpcenv->{type} ne 'ha') {
1122
1123 my $hacmd = sub {
1124 my $upid = shift;
1125
1126 my $service = "ct:$vmid";
1127
1128 my $cmd = ['ha-manager', 'migrate', $service, $target];
1129
1130 print "Requesting HA migration for CT $vmid to node $target\n";
1131
1132 PVE::Tools::run_command($cmd);
1133
1134 return;
1135 };
1136
1137 return $rpcenv->fork_worker('hamigrate', $vmid, $authuser, $hacmd);
1138
1139 } else {
1140
1141 my $realcmd = sub {
1142 PVE::LXC::Migrate->migrate($target, $targetip, $vmid, $param);
1143 };
1144
1145 my $worker = sub {
1146 return PVE::GuestHelpers::guest_migration_lock($vmid, 10, $realcmd);
1147 };
1148
1149 return $rpcenv->fork_worker('vzmigrate', $vmid, $authuser, $worker);
1150 }
1151 }});
1152
1153 __PACKAGE__->register_method({
1154 name => 'vm_feature',
1155 path => '{vmid}/feature',
1156 method => 'GET',
1157 proxyto => 'node',
1158 protected => 1,
1159 description => "Check if feature for virtual machine is available.",
1160 permissions => {
1161 check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
1162 },
1163 parameters => {
1164 additionalProperties => 0,
1165 properties => {
1166 node => get_standard_option('pve-node'),
1167 vmid => get_standard_option('pve-vmid'),
1168 feature => {
1169 description => "Feature to check.",
1170 type => 'string',
1171 enum => [ 'snapshot', 'clone', 'copy' ],
1172 },
1173 snapname => get_standard_option('pve-snapshot-name', {
1174 optional => 1,
1175 }),
1176 },
1177 },
1178 returns => {
1179 type => "object",
1180 properties => {
1181 hasFeature => { type => 'boolean' },
1182 #nodes => {
1183 #type => 'array',
1184 #items => { type => 'string' },
1185 #}
1186 },
1187 },
1188 code => sub {
1189 my ($param) = @_;
1190
1191 my $node = extract_param($param, 'node');
1192
1193 my $vmid = extract_param($param, 'vmid');
1194
1195 my $snapname = extract_param($param, 'snapname');
1196
1197 my $feature = extract_param($param, 'feature');
1198
1199 my $conf = PVE::LXC::Config->load_config($vmid);
1200
1201 if($snapname){
1202 my $snap = $conf->{snapshots}->{$snapname};
1203 die "snapshot '$snapname' does not exist\n" if !defined($snap);
1204 $conf = $snap;
1205 }
1206 my $storage_cfg = PVE::Storage::config();
1207 #Maybe include later
1208 #my $nodelist = PVE::LXC::shared_nodes($conf, $storage_cfg);
1209 my $hasFeature = PVE::LXC::Config->has_feature($feature, $conf, $storage_cfg, $snapname);
1210
1211 return {
1212 hasFeature => $hasFeature,
1213 #nodes => [ keys %$nodelist ],
1214 };
1215 }});
1216
1217 __PACKAGE__->register_method({
1218 name => 'template',
1219 path => '{vmid}/template',
1220 method => 'POST',
1221 protected => 1,
1222 proxyto => 'node',
1223 description => "Create a Template.",
1224 permissions => {
1225 description => "You need 'VM.Allocate' permissions on /vms/{vmid}",
1226 check => [ 'perm', '/vms/{vmid}', ['VM.Allocate']],
1227 },
1228 parameters => {
1229 additionalProperties => 0,
1230 properties => {
1231 node => get_standard_option('pve-node'),
1232 vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid_stopped }),
1233 },
1234 },
1235 returns => { type => 'null'},
1236 code => sub {
1237 my ($param) = @_;
1238
1239 my $rpcenv = PVE::RPCEnvironment::get();
1240
1241 my $authuser = $rpcenv->get_user();
1242
1243 my $node = extract_param($param, 'node');
1244
1245 my $vmid = extract_param($param, 'vmid');
1246
1247 my $updatefn = sub {
1248
1249 my $conf = PVE::LXC::Config->load_config($vmid);
1250 PVE::LXC::Config->check_lock($conf);
1251
1252 die "unable to create template, because CT contains snapshots\n"
1253 if $conf->{snapshots} && scalar(keys %{$conf->{snapshots}});
1254
1255 die "you can't convert a template to a template\n"
1256 if PVE::LXC::Config->is_template($conf);
1257
1258 die "you can't convert a CT to template if the CT is running\n"
1259 if PVE::LXC::check_running($vmid);
1260
1261 my $realcmd = sub {
1262 PVE::LXC::template_create($vmid, $conf);
1263
1264 $conf->{template} = 1;
1265
1266 PVE::LXC::Config->write_config($vmid, $conf);
1267 # and remove lxc config
1268 PVE::LXC::update_lxc_config($vmid, $conf);
1269 };
1270
1271 return $rpcenv->fork_worker('vztemplate', $vmid, $authuser, $realcmd);
1272 };
1273
1274 PVE::LXC::Config->lock_config($vmid, $updatefn);
1275
1276 return undef;
1277 }});
1278
1279 __PACKAGE__->register_method({
1280 name => 'clone_vm',
1281 path => '{vmid}/clone',
1282 method => 'POST',
1283 protected => 1,
1284 proxyto => 'node',
1285 description => "Create a container clone/copy",
1286 permissions => {
1287 description => "You need 'VM.Clone' permissions on /vms/{vmid}, " .
1288 "and 'VM.Allocate' permissions " .
1289 "on /vms/{newid} (or on the VM pool /pool/{pool}). You also need " .
1290 "'Datastore.AllocateSpace' on any used storage.",
1291 check =>
1292 [ 'and',
1293 ['perm', '/vms/{vmid}', [ 'VM.Clone' ]],
1294 [ 'or',
1295 [ 'perm', '/vms/{newid}', ['VM.Allocate']],
1296 [ 'perm', '/pool/{pool}', ['VM.Allocate'], require_param => 'pool'],
1297 ],
1298 ]
1299 },
1300 parameters => {
1301 additionalProperties => 0,
1302 properties => {
1303 node => get_standard_option('pve-node'),
1304 vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }),
1305 newid => get_standard_option('pve-vmid', {
1306 completion => \&PVE::Cluster::complete_next_vmid,
1307 description => 'VMID for the clone.' }),
1308 hostname => {
1309 optional => 1,
1310 type => 'string', format => 'dns-name',
1311 description => "Set a hostname for the new CT.",
1312 },
1313 description => {
1314 optional => 1,
1315 type => 'string',
1316 description => "Description for the new CT.",
1317 },
1318 pool => {
1319 optional => 1,
1320 type => 'string', format => 'pve-poolid',
1321 description => "Add the new CT to the specified pool.",
1322 },
1323 snapname => get_standard_option('pve-snapshot-name', {
1324 optional => 1,
1325 }),
1326 storage => get_standard_option('pve-storage-id', {
1327 description => "Target storage for full clone.",
1328 optional => 1,
1329 }),
1330 full => {
1331 optional => 1,
1332 type => 'boolean',
1333 description => "Create a full copy of all disks. This is always done when " .
1334 "you clone a normal CT. For CT templates, we try to create a linked clone by default.",
1335 },
1336 target => get_standard_option('pve-node', {
1337 description => "Target node. Only allowed if the original VM is on shared storage.",
1338 optional => 1,
1339 }),
1340 bwlimit => {
1341 description => "Override I/O bandwidth limit (in KiB/s).",
1342 optional => 1,
1343 type => 'number',
1344 minimum => '0',
1345 default => 'clone limit from datacenter or storage config',
1346 },
1347 },
1348 },
1349 returns => {
1350 type => 'string',
1351 },
1352 code => sub {
1353 my ($param) = @_;
1354
1355 my $rpcenv = PVE::RPCEnvironment::get();
1356 my $authuser = $rpcenv->get_user();
1357
1358 my $node = extract_param($param, 'node');
1359 my $vmid = extract_param($param, 'vmid');
1360 my $newid = extract_param($param, 'newid');
1361 my $pool = extract_param($param, 'pool');
1362 if (defined($pool)) {
1363 $rpcenv->check_pool_exist($pool);
1364 }
1365 my $snapname = extract_param($param, 'snapname');
1366 my $storage = extract_param($param, 'storage');
1367 my $target = extract_param($param, 'target');
1368 my $localnode = PVE::INotify::nodename();
1369
1370 undef $target if $target && ($target eq $localnode || $target eq 'localhost');
1371
1372 PVE::Cluster::check_node_exists($target) if $target;
1373
1374 my $storecfg = PVE::Storage::config();
1375
1376 if ($storage) {
1377 # check if storage is enabled on local node
1378 PVE::Storage::storage_check_enabled($storecfg, $storage);
1379 if ($target) {
1380 # check if storage is available on target node
1381 PVE::Storage::storage_check_enabled($storecfg, $storage, $target);
1382 # clone only works if target storage is shared
1383 my $scfg = PVE::Storage::storage_config($storecfg, $storage);
1384 die "can't clone to non-shared storage '$storage'\n" if !$scfg->{shared};
1385 }
1386 }
1387
1388 PVE::Cluster::check_cfs_quorum();
1389
1390 my $newconf = {};
1391 my $mountpoints = {};
1392 my $fullclone = {};
1393 my $vollist = [];
1394 my $running;
1395
1396 PVE::LXC::Config->create_and_lock_config($newid, 0);
1397 PVE::Firewall::clone_vmfw_conf($vmid, $newid);
1398
1399 my $lock_and_reload = sub {
1400 my ($vmid, $code) = @_;
1401 return PVE::LXC::Config->lock_config($vmid, sub {
1402 my $conf = PVE::LXC::Config->load_config($vmid);
1403 die "Lost 'create' config lock, aborting.\n"
1404 if !PVE::LXC::Config->has_lock($conf, 'create');
1405
1406 return $code->($conf);
1407 });
1408 };
1409
1410 my $src_conf = PVE::LXC::Config->set_lock($vmid, 'disk');
1411
1412 $running = PVE::LXC::check_running($vmid) || 0;
1413
1414 my $full = extract_param($param, 'full');
1415 if (!defined($full)) {
1416 $full = !PVE::LXC::Config->is_template($src_conf);
1417 }
1418
1419 eval {
1420 die "parameter 'storage' not allowed for linked clones\n"
1421 if defined($storage) && !$full;
1422
1423 die "snapshot '$snapname' does not exist\n"
1424 if $snapname && !defined($src_conf->{snapshots}->{$snapname});
1425
1426 my $src_conf = $snapname ? $src_conf->{snapshots}->{$snapname} : $src_conf;
1427
1428 my $sharedvm = 1;
1429 for my $opt (sort keys %$src_conf) {
1430 next if $opt =~ m/^unused\d+$/;
1431
1432 my $value = $src_conf->{$opt};
1433
1434 if (($opt eq 'rootfs') || ($opt =~ m/^mp\d+$/)) {
1435 my $mp = PVE::LXC::Config->parse_volume($opt, $value);
1436
1437 if ($mp->{type} eq 'volume') {
1438 my $volid = $mp->{volume};
1439
1440 my ($sid, $volname) = PVE::Storage::parse_volume_id($volid);
1441 $sid = $storage if defined($storage);
1442 my $scfg = PVE::Storage::storage_config($storecfg, $sid);
1443 if (!$scfg->{shared}) {
1444 $sharedvm = 0;
1445 warn "found non-shared volume: $volid\n" if $target;
1446 }
1447
1448 $rpcenv->check($authuser, "/storage/$sid", ['Datastore.AllocateSpace']);
1449
1450 if ($full) {
1451 die "Cannot do full clones on a running container without snapshots\n"
1452 if $running && !defined($snapname);
1453 $fullclone->{$opt} = 1;
1454 } else {
1455 # not full means clone instead of copy
1456 die "Linked clone feature for '$volid' is not available\n"
1457 if !PVE::Storage::volume_has_feature($storecfg, 'clone', $volid, $snapname, $running, {'valid_target_formats' => ['raw', 'subvol']});
1458 }
1459
1460 $mountpoints->{$opt} = $mp;
1461 push @$vollist, $volid;
1462
1463 } else {
1464 # TODO: allow bind mounts?
1465 die "unable to clone mountpoint '$opt' (type $mp->{type})\n";
1466 }
1467 } elsif ($opt =~ m/^net(\d+)$/) {
1468 # always change MAC! address
1469 my $dc = PVE::Cluster::cfs_read_file('datacenter.cfg');
1470 my $net = PVE::LXC::Config->parse_lxc_network($value);
1471 $net->{hwaddr} = PVE::Tools::random_ether_addr($dc->{mac_prefix});
1472 $newconf->{$opt} = PVE::LXC::Config->print_lxc_network($net);
1473 } else {
1474 # copy everything else
1475 $newconf->{$opt} = $value;
1476 }
1477 }
1478 die "can't clone CT to node '$target' (CT uses local storage)\n"
1479 if $target && !$sharedvm;
1480
1481 # Replace the 'disk' lock with a 'create' lock.
1482 $newconf->{lock} = 'create';
1483
1484 delete $newconf->{snapshots};
1485 delete $newconf->{pending};
1486 delete $newconf->{template};
1487 if ($param->{hostname}) {
1488 $newconf->{hostname} = $param->{hostname};
1489 }
1490
1491 if ($param->{description}) {
1492 $newconf->{description} = $param->{description};
1493 }
1494
1495 $lock_and_reload->($newid, sub {
1496 PVE::LXC::Config->write_config($newid, $newconf);
1497 });
1498 };
1499 if (my $err = $@) {
1500 eval { PVE::LXC::Config->remove_lock($vmid, 'disk') };
1501 warn "Failed to remove source CT config lock - $@\n" if $@;
1502
1503 eval {
1504 $lock_and_reload->($newid, sub {
1505 PVE::LXC::Config->destroy_config($newid);
1506 PVE::Firewall::remove_vmfw_conf($newid);
1507 });
1508 };
1509 warn "Failed to remove target CT config - $@\n" if $@;
1510
1511 die $err;
1512 }
1513
1514 my $update_conf = sub {
1515 my ($key, $value) = @_;
1516 return $lock_and_reload->($newid, sub {
1517 my $conf = shift;
1518 $conf->{$key} = $value;
1519 PVE::LXC::Config->write_config($newid, $conf);
1520 });
1521 };
1522
1523 my $realcmd = sub {
1524 my ($upid) = @_;
1525
1526 my $newvollist = [];
1527
1528 my $verify_running = PVE::LXC::check_running($vmid) || 0;
1529 die "unexpected state change\n" if $verify_running != $running;
1530
1531 eval {
1532 local $SIG{INT} =
1533 local $SIG{TERM} =
1534 local $SIG{QUIT} =
1535 local $SIG{HUP} = sub { die "interrupted by signal\n"; };
1536
1537 PVE::Storage::activate_volumes($storecfg, $vollist, $snapname);
1538 my $bwlimit = extract_param($param, 'bwlimit');
1539
1540 foreach my $opt (keys %$mountpoints) {
1541 my $mp = $mountpoints->{$opt};
1542 my $volid = $mp->{volume};
1543
1544 my $newvolid;
1545 if ($fullclone->{$opt}) {
1546 print "create full clone of mountpoint $opt ($volid)\n";
1547 my $source_storage = PVE::Storage::parse_volume_id($volid);
1548 my $target_storage = $storage // $source_storage;
1549 my $clonelimit = PVE::Storage::get_bandwidth_limit('clone', [$source_storage, $target_storage], $bwlimit);
1550 $newvolid = PVE::LXC::copy_volume($mp, $newid, $target_storage, $storecfg, $newconf, $snapname, $clonelimit);
1551 } else {
1552 print "create linked clone of mount point $opt ($volid)\n";
1553 $newvolid = PVE::Storage::vdisk_clone($storecfg, $volid, $newid, $snapname);
1554 }
1555
1556 push @$newvollist, $newvolid;
1557 $mp->{volume} = $newvolid;
1558
1559 $update_conf->($opt, PVE::LXC::Config->print_ct_mountpoint($mp, $opt eq 'rootfs'));
1560 }
1561
1562 PVE::AccessControl::add_vm_to_pool($newid, $pool) if $pool;
1563
1564 $lock_and_reload->($newid, sub {
1565 my $conf = shift;
1566 my $rootdir = PVE::LXC::mount_all($newid, $storecfg, $conf, 1);
1567 eval {
1568 my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir);
1569 $lxc_setup->post_clone_hook($conf);
1570 };
1571 my $err = $@;
1572 eval { PVE::LXC::umount_all($newid, $storecfg, $conf, 1); };
1573 if ($err) {
1574 warn "$@\n" if $@;
1575 die $err;
1576 } else {
1577 die $@ if $@;
1578 }
1579 });
1580 };
1581 my $err = $@;
1582 # Unlock the source config in any case:
1583 eval { PVE::LXC::Config->remove_lock($vmid, 'disk') };
1584 warn $@ if $@;
1585
1586 if ($err) {
1587 # Now cleanup the config & disks:
1588 sleep 1; # some storages like rbd need to wait before release volume - really?
1589
1590 foreach my $volid (@$newvollist) {
1591 eval { PVE::Storage::vdisk_free($storecfg, $volid); };
1592 warn $@ if $@;
1593 }
1594
1595 eval {
1596 $lock_and_reload->($newid, sub {
1597 PVE::LXC::Config->destroy_config($newid);
1598 PVE::Firewall::remove_vmfw_conf($newid);
1599 });
1600 };
1601 warn "Failed to remove target CT config - $@\n" if $@;
1602
1603 die "clone failed: $err";
1604 }
1605
1606 $lock_and_reload->($newid, sub {
1607 PVE::LXC::Config->remove_lock($newid, 'create');
1608
1609 if ($target) {
1610 # always deactivate volumes - avoid lvm LVs to be active on several nodes
1611 PVE::Storage::deactivate_volumes($storecfg, $vollist, $snapname) if !$running;
1612 PVE::Storage::deactivate_volumes($storecfg, $newvollist);
1613
1614 PVE::LXC::Config->move_config_to_node($newid, $target);
1615 }
1616 });
1617
1618 return;
1619 };
1620
1621 return $rpcenv->fork_worker('vzclone', $vmid, $authuser, $realcmd);
1622 }});
1623
1624
1625 __PACKAGE__->register_method({
1626 name => 'resize_vm',
1627 path => '{vmid}/resize',
1628 method => 'PUT',
1629 protected => 1,
1630 proxyto => 'node',
1631 description => "Resize a container mount point.",
1632 permissions => {
1633 check => ['perm', '/vms/{vmid}', ['VM.Config.Disk'], any => 1],
1634 },
1635 parameters => {
1636 additionalProperties => 0,
1637 properties => {
1638 node => get_standard_option('pve-node'),
1639 vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }),
1640 disk => {
1641 type => 'string',
1642 description => "The disk you want to resize.",
1643 enum => [PVE::LXC::Config->valid_volume_keys()],
1644 },
1645 size => {
1646 type => 'string',
1647 pattern => '\+?\d+(\.\d+)?[KMGT]?',
1648 description => "The new size. With the '+' sign the value is added to the actual size of the volume and without it, the value is taken as an absolute one. Shrinking disk size is not supported.",
1649 },
1650 digest => {
1651 type => 'string',
1652 description => 'Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.',
1653 maxLength => 40,
1654 optional => 1,
1655 }
1656 },
1657 },
1658 returns => {
1659 type => 'string',
1660 description => "the task ID.",
1661 },
1662 code => sub {
1663 my ($param) = @_;
1664
1665 my $rpcenv = PVE::RPCEnvironment::get();
1666
1667 my $authuser = $rpcenv->get_user();
1668
1669 my $node = extract_param($param, 'node');
1670
1671 my $vmid = extract_param($param, 'vmid');
1672
1673 my $digest = extract_param($param, 'digest');
1674
1675 my $sizestr = extract_param($param, 'size');
1676 my $ext = ($sizestr =~ s/^\+//);
1677 my $newsize = PVE::JSONSchema::parse_size($sizestr);
1678 die "invalid size string" if !defined($newsize);
1679
1680 die "no options specified\n" if !scalar(keys %$param);
1681
1682 PVE::LXC::check_ct_modify_config_perm($rpcenv, $authuser, $vmid, undef, $param, []);
1683
1684 my $storage_cfg = cfs_read_file("storage.cfg");
1685
1686 my $code = sub {
1687
1688 my $conf = PVE::LXC::Config->load_config($vmid);
1689 PVE::LXC::Config->check_lock($conf);
1690
1691 PVE::Tools::assert_if_modified($digest, $conf->{digest});
1692
1693 my $running = PVE::LXC::check_running($vmid);
1694
1695 my $disk = $param->{disk};
1696 my $mp = PVE::LXC::Config->parse_volume($disk, $conf->{$disk});
1697
1698 my $volid = $mp->{volume};
1699
1700 my (undef, undef, $owner, undef, undef, undef, $format) =
1701 PVE::Storage::parse_volname($storage_cfg, $volid);
1702
1703 die "can't resize mount point owned by another container ($owner)"
1704 if $vmid != $owner;
1705
1706 die "can't resize volume: $disk if snapshot exists\n"
1707 if %{$conf->{snapshots}} && $format eq 'qcow2';
1708
1709 my ($storeid, $volname) = PVE::Storage::parse_volume_id($volid);
1710
1711 $rpcenv->check($authuser, "/storage/$storeid", ['Datastore.AllocateSpace']);
1712
1713 PVE::Storage::activate_volumes($storage_cfg, [$volid]);
1714
1715 my $size = PVE::Storage::volume_size_info($storage_cfg, $volid, 5);
1716
1717 die "Could not determine current size of volume '$volid'\n" if !defined($size);
1718
1719 $newsize += $size if $ext;
1720 $newsize = int($newsize);
1721
1722 die "unable to shrink disk size\n" if $newsize < $size;
1723
1724 die "disk is already at specified size\n" if $size == $newsize;
1725
1726 PVE::Cluster::log_msg('info', $authuser, "update CT $vmid: resize --disk $disk --size $sizestr");
1727 my $realcmd = sub {
1728 # Note: PVE::Storage::volume_resize doesn't do anything if $running=1, so
1729 # we pass 0 here (parameter only makes sense for qemu)
1730 PVE::Storage::volume_resize($storage_cfg, $volid, $newsize, 0);
1731
1732 $mp->{size} = $newsize;
1733 $conf->{$disk} = PVE::LXC::Config->print_ct_mountpoint($mp, $disk eq 'rootfs');
1734
1735 PVE::LXC::Config->write_config($vmid, $conf);
1736
1737 if ($format eq 'raw') {
1738 # we need to ensure that the volume is mapped, if not needed this is a NOP
1739 my $path = PVE::Storage::map_volume($storage_cfg, $volid);
1740 $path = PVE::Storage::path($storage_cfg, $volid) if !defined($path);
1741 if ($running) {
1742
1743 $mp->{mp} = '/';
1744 my $use_loopdev = (PVE::LXC::mountpoint_mount_path($mp, $storage_cfg))[1];
1745 $path = PVE::LXC::query_loopdev($path) if $use_loopdev;
1746 die "internal error: CT running but mount point not attached to a loop device"
1747 if !$path;
1748 PVE::Tools::run_command(['losetup', '--set-capacity', $path]) if $use_loopdev;
1749
1750 # In order for resize2fs to know that we need online-resizing a mountpoint needs
1751 # to be visible to it in its namespace.
1752 # To not interfere with the rest of the system we unshare the current mount namespace,
1753 # mount over /tmp and then run resize2fs.
1754
1755 # interestingly we don't need to e2fsck on mounted systems...
1756 my $quoted = PVE::Tools::shellquote($path);
1757 my $cmd = "mount --make-rprivate / && mount $quoted /tmp && resize2fs $quoted";
1758 eval {
1759 PVE::Tools::run_command(['unshare', '-m', '--', 'sh', '-c', $cmd]);
1760 };
1761 warn "Failed to update the container's filesystem: $@\n" if $@;
1762 } else {
1763 eval {
1764 PVE::Tools::run_command(['e2fsck', '-f', '-y', $path]);
1765 PVE::Tools::run_command(['resize2fs', $path]);
1766 };
1767 warn "Failed to update the container's filesystem: $@\n" if $@;
1768
1769 # always un-map if not running, this is a NOP if not needed
1770 PVE::Storage::unmap_volume($storage_cfg, $volid);
1771 }
1772 }
1773 };
1774
1775 return $rpcenv->fork_worker('resize', $vmid, $authuser, $realcmd);
1776 };
1777
1778 return PVE::LXC::Config->lock_config($vmid, $code);;
1779 }});
1780
1781 __PACKAGE__->register_method({
1782 name => 'move_volume',
1783 path => '{vmid}/move_volume',
1784 method => 'POST',
1785 protected => 1,
1786 proxyto => 'node',
1787 description => "Move a rootfs-/mp-volume to a different storage",
1788 permissions => {
1789 description => "You need 'VM.Config.Disk' permissions on /vms/{vmid}, " .
1790 "and 'Datastore.AllocateSpace' permissions on the storage.",
1791 check =>
1792 [ 'and',
1793 ['perm', '/vms/{vmid}', [ 'VM.Config.Disk' ]],
1794 ['perm', '/storage/{storage}', [ 'Datastore.AllocateSpace' ]],
1795 ],
1796 },
1797 parameters => {
1798 additionalProperties => 0,
1799 properties => {
1800 node => get_standard_option('pve-node'),
1801 vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }),
1802 volume => {
1803 type => 'string',
1804 enum => [ PVE::LXC::Config->valid_volume_keys() ],
1805 description => "Volume which will be moved.",
1806 },
1807 storage => get_standard_option('pve-storage-id', {
1808 description => "Target Storage.",
1809 completion => \&PVE::Storage::complete_storage_enabled,
1810 }),
1811 delete => {
1812 type => 'boolean',
1813 description => "Delete the original volume after successful copy. By default the original is kept as an unused volume entry.",
1814 optional => 1,
1815 default => 0,
1816 },
1817 digest => {
1818 type => 'string',
1819 description => 'Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.',
1820 maxLength => 40,
1821 optional => 1,
1822 },
1823 bwlimit => {
1824 description => "Override I/O bandwidth limit (in KiB/s).",
1825 optional => 1,
1826 type => 'number',
1827 minimum => '0',
1828 default => 'clone limit from datacenter or storage config',
1829 },
1830 },
1831 },
1832 returns => {
1833 type => 'string',
1834 },
1835 code => sub {
1836 my ($param) = @_;
1837
1838 my $rpcenv = PVE::RPCEnvironment::get();
1839
1840 my $authuser = $rpcenv->get_user();
1841
1842 my $vmid = extract_param($param, 'vmid');
1843
1844 my $storage = extract_param($param, 'storage');
1845
1846 my $mpkey = extract_param($param, 'volume');
1847
1848 my $lockname = 'disk';
1849
1850 my ($mpdata, $old_volid);
1851
1852 PVE::LXC::Config->lock_config($vmid, sub {
1853 my $conf = PVE::LXC::Config->load_config($vmid);
1854 PVE::LXC::Config->check_lock($conf);
1855
1856 die "cannot move volumes of a running container\n" if PVE::LXC::check_running($vmid);
1857
1858 $mpdata = PVE::LXC::Config->parse_volume($mpkey, $conf->{$mpkey});
1859 $old_volid = $mpdata->{volume};
1860
1861 die "you can't move a volume with snapshots and delete the source\n"
1862 if $param->{delete} && PVE::LXC::Config->is_volume_in_use_by_snapshots($conf, $old_volid);
1863
1864 PVE::Tools::assert_if_modified($param->{digest}, $conf->{digest});
1865
1866 PVE::LXC::Config->set_lock($vmid, $lockname);
1867 });
1868
1869 my $realcmd = sub {
1870 eval {
1871 PVE::Cluster::log_msg('info', $authuser, "move volume CT $vmid: move --volume $mpkey --storage $storage");
1872
1873 my $conf = PVE::LXC::Config->load_config($vmid);
1874 my $storage_cfg = PVE::Storage::config();
1875
1876 my $new_volid;
1877
1878 eval {
1879 PVE::Storage::activate_volumes($storage_cfg, [ $old_volid ]);
1880 my $bwlimit = extract_param($param, 'bwlimit');
1881 my $source_storage = PVE::Storage::parse_volume_id($old_volid);
1882 my $movelimit = PVE::Storage::get_bandwidth_limit('move', [$source_storage, $storage], $bwlimit);
1883 $new_volid = PVE::LXC::copy_volume($mpdata, $vmid, $storage, $storage_cfg, $conf, undef, $movelimit);
1884 if (PVE::LXC::Config->is_template($conf)) {
1885 PVE::Storage::activate_volumes($storage_cfg, [ $new_volid ]);
1886 my $template_volid = PVE::Storage::vdisk_create_base($storage_cfg, $new_volid);
1887 $mpdata->{volume} = $template_volid;
1888 } else {
1889 $mpdata->{volume} = $new_volid;
1890 }
1891
1892 PVE::LXC::Config->lock_config($vmid, sub {
1893 my $digest = $conf->{digest};
1894 $conf = PVE::LXC::Config->load_config($vmid);
1895 PVE::Tools::assert_if_modified($digest, $conf->{digest});
1896
1897 $conf->{$mpkey} = PVE::LXC::Config->print_ct_mountpoint($mpdata, $mpkey eq 'rootfs');
1898
1899 PVE::LXC::Config->add_unused_volume($conf, $old_volid) if !$param->{delete};
1900
1901 PVE::LXC::Config->write_config($vmid, $conf);
1902 });
1903
1904 eval {
1905 # try to deactivate volumes - avoid lvm LVs to be active on several nodes
1906 PVE::Storage::deactivate_volumes($storage_cfg, [ $new_volid ])
1907 };
1908 warn $@ if $@;
1909 };
1910 if (my $err = $@) {
1911 eval {
1912 PVE::Storage::vdisk_free($storage_cfg, $new_volid)
1913 if defined($new_volid);
1914 };
1915 warn $@ if $@;
1916 die $err;
1917 }
1918
1919 if ($param->{delete}) {
1920 eval {
1921 PVE::Storage::deactivate_volumes($storage_cfg, [ $old_volid ]);
1922 PVE::Storage::vdisk_free($storage_cfg, $old_volid);
1923 };
1924 if (my $err = $@) {
1925 warn $err;
1926 PVE::LXC::Config->lock_config($vmid, sub {
1927 my $conf = PVE::LXC::Config->load_config($vmid);
1928 PVE::LXC::Config->add_unused_volume($conf, $old_volid);
1929 PVE::LXC::Config->write_config($vmid, $conf);
1930 });
1931 }
1932 }
1933 };
1934 my $err = $@;
1935 eval { PVE::LXC::Config->remove_lock($vmid, $lockname) };
1936 warn $@ if $@;
1937 die $err if $err;
1938 };
1939 my $task = eval {
1940 $rpcenv->fork_worker('move_volume', $vmid, $authuser, $realcmd);
1941 };
1942 if (my $err = $@) {
1943 eval { PVE::LXC::Config->remove_lock($vmid, $lockname) };
1944 warn $@ if $@;
1945 die $err;
1946 }
1947 return $task;
1948 }});
1949
1950 __PACKAGE__->register_method({
1951 name => 'vm_pending',
1952 path => '{vmid}/pending',
1953 method => 'GET',
1954 proxyto => 'node',
1955 description => 'Get container configuration, including pending changes.',
1956 permissions => {
1957 check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
1958 },
1959 parameters => {
1960 additionalProperties => 0,
1961 properties => {
1962 node => get_standard_option('pve-node'),
1963 vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid }),
1964 },
1965 },
1966 returns => {
1967 type => "array",
1968 items => {
1969 type => "object",
1970 properties => {
1971 key => {
1972 description => 'Configuration option name.',
1973 type => 'string',
1974 },
1975 value => {
1976 description => 'Current value.',
1977 type => 'string',
1978 optional => 1,
1979 },
1980 pending => {
1981 description => 'Pending value.',
1982 type => 'string',
1983 optional => 1,
1984 },
1985 delete => {
1986 description => "Indicates a pending delete request if present and not 0.",
1987 type => 'integer',
1988 minimum => 0,
1989 maximum => 2,
1990 optional => 1,
1991 },
1992 },
1993 },
1994 },
1995 code => sub {
1996 my ($param) = @_;
1997
1998 my $conf = PVE::LXC::Config->load_config($param->{vmid});
1999
2000 my $pending_delete_hash = PVE::LXC::Config->parse_pending_delete($conf->{pending}->{delete});
2001
2002 return PVE::GuestHelpers::config_with_pending_array($conf, $pending_delete_hash);
2003 }});
2004
2005 1;
PVE Container Toolkit