]> git.proxmox.com Git - pve-container.git/blob - src/PVE/LXC.pm
projects / pve-container.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
introduce internal mountpont 'type' property
[pve-container.git] / src / PVE / LXC.pm
1 package PVE::LXC;
2
3 use strict;
4 use warnings;
5 use POSIX qw(EINTR);
6
7 use File::Path;
8 use File::Spec;
9 use Cwd qw();
10 use Fcntl ':flock';
11
12 use PVE::Cluster qw(cfs_register_file cfs_read_file);
13 use PVE::Storage;
14 use PVE::SafeSyslog;
15 use PVE::INotify;
16 use PVE::JSONSchema qw(get_standard_option);
17 use PVE::Tools qw($IPV6RE $IPV4RE dir_glob_foreach);
18 use PVE::Network;
19 use PVE::AccessControl;
20 use PVE::ProcFSTools;
21 use Time::HiRes qw (gettimeofday);
22
23 use Data::Dumper;
24
25 my $nodename = PVE::INotify::nodename();
26
27 my $cpuinfo= PVE::ProcFSTools::read_cpuinfo();
28
29 our $COMMON_TAR_FLAGS = [ '--sparse', '--numeric-owner', '--acls',
30 '--xattrs',
31 '--xattrs-include=user.*',
32 '--xattrs-include=security.capability',
33 '--warning=no-xattr-write' ];
34
35 cfs_register_file('/lxc/', \&parse_pct_config, \&write_pct_config);
36
37 my $rootfs_desc = {
38 volume => {
39 type => 'string',
40 default_key => 1,
41 format_description => 'volume',
42 description => 'Volume, device or directory to mount into the container.',
43 },
44 backup => {
45 type => 'boolean',
46 format_description => '[1|0]',
47 description => 'Whether to include the mountpoint in backups.',
48 optional => 1,
49 },
50 size => {
51 type => 'string',
52 format => 'disk-size',
53 format_description => 'DiskSize',
54 description => 'Volume size (read only value).',
55 optional => 1,
56 },
57 };
58
59 PVE::JSONSchema::register_standard_option('pve-ct-rootfs', {
60 type => 'string', format => $rootfs_desc,
61 description => "Use volume as container root.",
62 optional => 1,
63 });
64
65 PVE::JSONSchema::register_standard_option('pve-lxc-snapshot-name', {
66 description => "The name of the snapshot.",
67 type => 'string', format => 'pve-configid',
68 maxLength => 40,
69 });
70
71 my $confdesc = {
72 lock => {
73 optional => 1,
74 type => 'string',
75 description => "Lock/unlock the VM.",
76 enum => [qw(migrate backup snapshot rollback)],
77 },
78 onboot => {
79 optional => 1,
80 type => 'boolean',
81 description => "Specifies whether a VM will be started during system bootup.",
82 default => 0,
83 },
84 startup => get_standard_option('pve-startup-order'),
85 template => {
86 optional => 1,
87 type => 'boolean',
88 description => "Enable/disable Template.",
89 default => 0,
90 },
91 arch => {
92 optional => 1,
93 type => 'string',
94 enum => ['amd64', 'i386'],
95 description => "OS architecture type.",
96 default => 'amd64',
97 },
98 ostype => {
99 optional => 1,
100 type => 'string',
101 enum => ['debian', 'ubuntu', 'centos', 'archlinux'],
102 description => "OS type. Corresponds to lxc setup scripts in /usr/share/lxc/config/<ostype>.common.conf.",
103 },
104 console => {
105 optional => 1,
106 type => 'boolean',
107 description => "Attach a console device (/dev/console) to the container.",
108 default => 1,
109 },
110 tty => {
111 optional => 1,
112 type => 'integer',
113 description => "Specify the number of tty available to the container",
114 minimum => 0,
115 maximum => 6,
116 default => 2,
117 },
118 cpulimit => {
119 optional => 1,
120 type => 'number',
121 description => "Limit of CPU usage. Note if the computer has 2 CPUs, it has total of '2' CPU time. Value '0' indicates no CPU limit.",
122 minimum => 0,
123 maximum => 128,
124 default => 0,
125 },
126 cpuunits => {
127 optional => 1,
128 type => 'integer',
129 description => "CPU weight for a VM. Argument is used in the kernel fair scheduler. The larger the number is, the more CPU time this VM gets. Number is relative to weights of all the other running VMs.\n\nNOTE: You can disable fair-scheduler configuration by setting this to 0.",
130 minimum => 0,
131 maximum => 500000,
132 default => 1024,
133 },
134 memory => {
135 optional => 1,
136 type => 'integer',
137 description => "Amount of RAM for the VM in MB.",
138 minimum => 16,
139 default => 512,
140 },
141 swap => {
142 optional => 1,
143 type => 'integer',
144 description => "Amount of SWAP for the VM in MB.",
145 minimum => 0,
146 default => 512,
147 },
148 hostname => {
149 optional => 1,
150 description => "Set a host name for the container.",
151 type => 'string', format => 'dns-name',
152 maxLength => 255,
153 },
154 description => {
155 optional => 1,
156 type => 'string',
157 description => "Container description. Only used on the configuration web interface.",
158 },
159 searchdomain => {
160 optional => 1,
161 type => 'string', format => 'dns-name-list',
162 description => "Sets DNS search domains for a container. Create will automatically use the setting from the host if you neither set searchdomain or nameserver.",
163 },
164 nameserver => {
165 optional => 1,
166 type => 'string', format => 'address-list',
167 description => "Sets DNS server IP address for a container. Create will automatically use the setting from the host if you neither set searchdomain or nameserver.",
168 },
169 rootfs => get_standard_option('pve-ct-rootfs'),
170 parent => {
171 optional => 1,
172 type => 'string', format => 'pve-configid',
173 maxLength => 40,
174 description => "Parent snapshot name. This is used internally, and should not be modified.",
175 },
176 snaptime => {
177 optional => 1,
178 description => "Timestamp for snapshots.",
179 type => 'integer',
180 minimum => 0,
181 },
182 cmode => {
183 optional => 1,
184 description => "Console mode. By default, the console command tries to open a connection to one of the available tty devices. By setting cmode to 'console' it tries to attach to /dev/console instead. If you set cmode to 'shell', it simply invokes a shell inside the container (no login).",
185 type => 'string',
186 enum => ['shell', 'console', 'tty'],
187 default => 'tty',
188 },
189 protection => {
190 optional => 1,
191 type => 'boolean',
192 description => "Sets the protection flag of the container. This will prevent the remove operation. This will prevent the CT or CT's disk remove/update operation.",
193 default => 0,
194 },
195 unprivileged => {
196 optional => 1,
197 type => 'boolean',
198 description => "Makes the container run as unprivileged user. (Should not be modified manually.)",
199 default => 0,
200 },
201 };
202
203 my $valid_lxc_conf_keys = {
204 'lxc.include' => 1,
205 'lxc.arch' => 1,
206 'lxc.utsname' => 1,
207 'lxc.haltsignal' => 1,
208 'lxc.rebootsignal' => 1,
209 'lxc.stopsignal' => 1,
210 'lxc.init_cmd' => 1,
211 'lxc.network.type' => 1,
212 'lxc.network.flags' => 1,
213 'lxc.network.link' => 1,
214 'lxc.network.mtu' => 1,
215 'lxc.network.name' => 1,
216 'lxc.network.hwaddr' => 1,
217 'lxc.network.ipv4' => 1,
218 'lxc.network.ipv4.gateway' => 1,
219 'lxc.network.ipv6' => 1,
220 'lxc.network.ipv6.gateway' => 1,
221 'lxc.network.script.up' => 1,
222 'lxc.network.script.down' => 1,
223 'lxc.pts' => 1,
224 'lxc.console.logfile' => 1,
225 'lxc.console' => 1,
226 'lxc.tty' => 1,
227 'lxc.devttydir' => 1,
228 'lxc.hook.autodev' => 1,
229 'lxc.autodev' => 1,
230 'lxc.kmsg' => 1,
231 'lxc.mount' => 1,
232 'lxc.mount.entry' => 1,
233 'lxc.mount.auto' => 1,
234 'lxc.rootfs' => 1,
235 'lxc.rootfs.mount' => 1,
236 'lxc.rootfs.options' => 1,
237 # lxc.cgroup.*
238 'lxc.cap.drop' => 1,
239 'lxc.cap.keep' => 1,
240 'lxc.aa_profile' => 1,
241 'lxc.aa_allow_incomplete' => 1,
242 'lxc.se_context' => 1,
243 'lxc.seccomp' => 1,
244 'lxc.id_map' => 1,
245 'lxc.hook.pre-start' => 1,
246 'lxc.hook.pre-mount' => 1,
247 'lxc.hook.mount' => 1,
248 'lxc.hook.start' => 1,
249 'lxc.hook.stop' => 1,
250 'lxc.hook.post-stop' => 1,
251 'lxc.hook.clone' => 1,
252 'lxc.hook.destroy' => 1,
253 'lxc.loglevel' => 1,
254 'lxc.logfile' => 1,
255 'lxc.start.auto' => 1,
256 'lxc.start.delay' => 1,
257 'lxc.start.order' => 1,
258 'lxc.group' => 1,
259 'lxc.environment' => 1,
260 'lxc.' => 1,
261 'lxc.' => 1,
262 'lxc.' => 1,
263 'lxc.' => 1,
264 };
265
266 my $netconf_desc = {
267 type => {
268 type => 'string',
269 optional => 1,
270 description => "Network interface type.",
271 enum => [qw(veth)],
272 },
273 name => {
274 type => 'string',
275 format_description => 'String',
276 description => 'Name of the network device as seen from inside the container. (lxc.network.name)',
277 pattern => '[-_.\w\d]+',
278 },
279 bridge => {
280 type => 'string',
281 format_description => 'vmbr<Number>',
282 description => 'Bridge to attach the network device to.',
283 pattern => '[-_.\w\d]+',
284 optional => 1,
285 },
286 hwaddr => {
287 type => 'string',
288 format_description => 'MAC',
289 description => 'Bridge to attach the network device to. (lxc.network.hwaddr)',
290 pattern => qr/(?:[a-f0-9]{2}:){5}[a-f0-9]{2}/i,
291 optional => 1,
292 },
293 mtu => {
294 type => 'integer',
295 format_description => 'Number',
296 description => 'Maximum transfer unit of the interface. (lxc.network.mtu)',
297 minimum => 64, # minimum ethernet frame is 64 bytes
298 optional => 1,
299 },
300 ip => {
301 type => 'string',
302 format => 'pve-ipv4-config',
303 format_description => 'IPv4Format/CIDR',
304 description => 'IPv4 address in CIDR format.',
305 optional => 1,
306 },
307 gw => {
308 type => 'string',
309 format => 'ipv4',
310 format_description => 'GatewayIPv4',
311 description => 'Default gateway for IPv4 traffic.',
312 optional => 1,
313 },
314 ip6 => {
315 type => 'string',
316 format => 'pve-ipv6-config',
317 format_description => 'IPv6Format/CIDR',
318 description => 'IPv6 address in CIDR format.',
319 optional => 1,
320 },
321 gw6 => {
322 type => 'string',
323 format => 'ipv6',
324 format_description => 'GatewayIPv6',
325 description => 'Default gateway for IPv6 traffic.',
326 optional => 1,
327 },
328 firewall => {
329 type => 'boolean',
330 format_description => '[1|0]',
331 description => "Controls whether this interface's firewall rules should be used.",
332 optional => 1,
333 },
334 tag => {
335 type => 'integer',
336 format_description => 'VlanNo',
337 minimum => '2',
338 maximum => '4094',
339 description => "VLAN tag foro this interface.",
340 optional => 1,
341 },
342 };
343 PVE::JSONSchema::register_format('pve-lxc-network', $netconf_desc);
344
345 my $MAX_LXC_NETWORKS = 10;
346 for (my $i = 0; $i < $MAX_LXC_NETWORKS; $i++) {
347 $confdesc->{"net$i"} = {
348 optional => 1,
349 type => 'string', format => $netconf_desc,
350 description => "Specifies network interfaces for the container.",
351 };
352 }
353
354 my $mp_desc = {
355 %$rootfs_desc,
356 mp => {
357 type => 'string',
358 format_description => 'Path',
359 description => 'Path to the mountpoint as seen from inside the container.',
360 optional => 1,
361 },
362 };
363 PVE::JSONSchema::register_format('pve-ct-mountpoint', $mp_desc);
364
365 my $unuseddesc = {
366 optional => 1,
367 type => 'string', format => 'pve-volume-id',
368 description => "Reference to unused volumes.",
369 };
370
371 my $MAX_MOUNT_POINTS = 10;
372 for (my $i = 0; $i < $MAX_MOUNT_POINTS; $i++) {
373 $confdesc->{"mp$i"} = {
374 optional => 1,
375 type => 'string', format => $mp_desc,
376 description => "Use volume as container mount point (experimental feature).",
377 optional => 1,
378 };
379 }
380
381 my $MAX_UNUSED_DISKS = $MAX_MOUNT_POINTS;
382 for (my $i = 0; $i < $MAX_MOUNT_POINTS; $i++) {
383 $confdesc->{"unused$i"} = $unuseddesc;
384 }
385
386 sub write_pct_config {
387 my ($filename, $conf) = @_;
388
389 delete $conf->{snapstate}; # just to be sure
390
391 my $generate_raw_config = sub {
392 my ($conf) = @_;
393
394 my $raw = '';
395
396 # add description as comment to top of file
397 my $descr = $conf->{description} || '';
398 foreach my $cl (split(/\n/, $descr)) {
399 $raw .= '#' . PVE::Tools::encode_text($cl) . "\n";
400 }
401
402 foreach my $key (sort keys %$conf) {
403 next if $key eq 'digest' || $key eq 'description' || $key eq 'pending' ||
404 $key eq 'snapshots' || $key eq 'snapname' || $key eq 'lxc';
405 my $value = $conf->{$key};
406 die "detected invalid newline inside property '$key'\n" if $value =~ m/\n/;
407 $raw .= "$key: $value\n";
408 }
409
410 if (my $lxcconf = $conf->{lxc}) {
411 foreach my $entry (@$lxcconf) {
412 my ($k, $v) = @$entry;
413 $raw .= "$k: $v\n";
414 }
415 }
416
417 return $raw;
418 };
419
420 my $raw = &$generate_raw_config($conf);
421
422 foreach my $snapname (sort keys %{$conf->{snapshots}}) {
423 $raw .= "\n[$snapname]\n";
424 $raw .= &$generate_raw_config($conf->{snapshots}->{$snapname});
425 }
426
427 return $raw;
428 }
429
430 sub check_type {
431 my ($key, $value) = @_;
432
433 die "unknown setting '$key'\n" if !$confdesc->{$key};
434
435 my $type = $confdesc->{$key}->{type};
436
437 if (!defined($value)) {
438 die "got undefined value\n";
439 }
440
441 if ($value =~ m/[\n\r]/) {
442 die "property contains a line feed\n";
443 }
444
445 if ($type eq 'boolean') {
446 return 1 if ($value eq '1') || ($value =~ m/^(on|yes|true)$/i);
447 return 0 if ($value eq '0') || ($value =~ m/^(off|no|false)$/i);
448 die "type check ('boolean') failed - got '$value'\n";
449 } elsif ($type eq 'integer') {
450 return int($1) if $value =~ m/^(\d+)$/;
451 die "type check ('integer') failed - got '$value'\n";
452 } elsif ($type eq 'number') {
453 return $value if $value =~ m/^(\d+)(\.\d+)?$/;
454 die "type check ('number') failed - got '$value'\n";
455 } elsif ($type eq 'string') {
456 if (my $fmt = $confdesc->{$key}->{format}) {
457 PVE::JSONSchema::check_format($fmt, $value);
458 return $value;
459 }
460 return $value;
461 } else {
462 die "internal error"
463 }
464 }
465
466 sub parse_pct_config {
467 my ($filename, $raw) = @_;
468
469 return undef if !defined($raw);
470
471 my $res = {
472 digest => Digest::SHA::sha1_hex($raw),
473 snapshots => {},
474 };
475
476 $filename =~ m|/lxc/(\d+).conf$|
477 || die "got strange filename '$filename'";
478
479 my $vmid = $1;
480
481 my $conf = $res;
482 my $descr = '';
483 my $section = '';
484
485 my @lines = split(/\n/, $raw);
486 foreach my $line (@lines) {
487 next if $line =~ m/^\s*$/;
488
489 if ($line =~ m/^\[([a-z][a-z0-9_\-]+)\]\s*$/i) {
490 $section = $1;
491 $conf->{description} = $descr if $descr;
492 $descr = '';
493 $conf = $res->{snapshots}->{$section} = {};
494 next;
495 }
496
497 if ($line =~ m/^\#(.*)\s*$/) {
498 $descr .= PVE::Tools::decode_text($1) . "\n";
499 next;
500 }
501
502 if ($line =~ m/^(lxc\.[a-z0-9_\-\.]+)(:|\s*=)\s*(.*?)\s*$/) {
503 my $key = $1;
504 my $value = $3;
505 if ($valid_lxc_conf_keys->{$key} || $key =~ m/^lxc\.cgroup\./) {
506 push @{$conf->{lxc}}, [$key, $value];
507 } else {
508 warn "vm $vmid - unable to parse config: $line\n";
509 }
510 } elsif ($line =~ m/^(description):\s*(.*\S)\s*$/) {
511 $descr .= PVE::Tools::decode_text($2);
512 } elsif ($line =~ m/snapstate:\s*(prepare|delete)\s*$/) {
513 $conf->{snapstate} = $1;
514 } elsif ($line =~ m/^([a-z][a-z_]*\d*):\s*(\S.*)\s*$/) {
515 my $key = $1;
516 my $value = $2;
517 eval { $value = check_type($key, $value); };
518 warn "vm $vmid - unable to parse value of '$key' - $@" if $@;
519 $conf->{$key} = $value;
520 } else {
521 warn "vm $vmid - unable to parse config: $line\n";
522 }
523 }
524
525 $conf->{description} = $descr if $descr;
526
527 delete $res->{snapstate}; # just to be sure
528
529 return $res;
530 }
531
532 sub config_list {
533 my $vmlist = PVE::Cluster::get_vmlist();
534 my $res = {};
535 return $res if !$vmlist || !$vmlist->{ids};
536 my $ids = $vmlist->{ids};
537
538 foreach my $vmid (keys %$ids) {
539 next if !$vmid; # skip CT0
540 my $d = $ids->{$vmid};
541 next if !$d->{node} || $d->{node} ne $nodename;
542 next if !$d->{type} || $d->{type} ne 'lxc';
543 $res->{$vmid}->{type} = 'lxc';
544 }
545 return $res;
546 }
547
548 sub cfs_config_path {
549 my ($vmid, $node) = @_;
550
551 $node = $nodename if !$node;
552 return "nodes/$node/lxc/$vmid.conf";
553 }
554
555 sub config_file {
556 my ($vmid, $node) = @_;
557
558 my $cfspath = cfs_config_path($vmid, $node);
559 return "/etc/pve/$cfspath";
560 }
561
562 sub load_config {
563 my ($vmid, $node) = @_;
564
565 $node = $nodename if !$node;
566 my $cfspath = cfs_config_path($vmid, $node);
567
568 my $conf = PVE::Cluster::cfs_read_file($cfspath);
569 die "container $vmid does not exists\n" if !defined($conf);
570
571 return $conf;
572 }
573
574 sub create_config {
575 my ($vmid, $conf) = @_;
576
577 my $dir = "/etc/pve/nodes/$nodename/lxc";
578 mkdir $dir;
579
580 write_config($vmid, $conf);
581 }
582
583 sub destroy_config {
584 my ($vmid) = @_;
585
586 unlink config_file($vmid, $nodename);
587 }
588
589 sub write_config {
590 my ($vmid, $conf) = @_;
591
592 my $cfspath = cfs_config_path($vmid);
593
594 PVE::Cluster::cfs_write_file($cfspath, $conf);
595 }
596
597 # flock: we use one file handle per process, so lock file
598 # can be called multiple times and succeeds for the same process.
599
600 my $lock_handles = {};
601 my $lockdir = "/run/lock/lxc";
602
603 sub lock_filename {
604 my ($vmid) = @_;
605
606 return "$lockdir/pve-config-${vmid}.lock";
607 }
608
609 sub lock_aquire {
610 my ($vmid, $timeout) = @_;
611
612 $timeout = 10 if !$timeout;
613 my $mode = LOCK_EX;
614
615 my $filename = lock_filename($vmid);
616
617 mkdir $lockdir if !-d $lockdir;
618
619 my $lock_func = sub {
620 if (!$lock_handles->{$$}->{$filename}) {
621 my $fh = new IO::File(">>$filename") ||
622 die "can't open file - $!\n";
623 $lock_handles->{$$}->{$filename} = { fh => $fh, refcount => 0};
624 }
625
626 if (!flock($lock_handles->{$$}->{$filename}->{fh}, $mode |LOCK_NB)) {
627 print STDERR "trying to aquire lock...";
628 my $success;
629 while(1) {
630 $success = flock($lock_handles->{$$}->{$filename}->{fh}, $mode);
631 # try again on EINTR (see bug #273)
632 if ($success || ($! != EINTR)) {
633 last;
634 }
635 }
636 if (!$success) {
637 print STDERR " failed\n";
638 die "can't aquire lock - $!\n";
639 }
640
641 print STDERR " OK\n";
642 }
643
644 $lock_handles->{$$}->{$filename}->{refcount}++;
645 };
646
647 eval { PVE::Tools::run_with_timeout($timeout, $lock_func); };
648 my $err = $@;
649 if ($err) {
650 die "can't lock file '$filename' - $err";
651 }
652 }
653
654 sub lock_release {
655 my ($vmid) = @_;
656
657 my $filename = lock_filename($vmid);
658
659 if (my $fh = $lock_handles->{$$}->{$filename}->{fh}) {
660 my $refcount = --$lock_handles->{$$}->{$filename}->{refcount};
661 if ($refcount <= 0) {
662 $lock_handles->{$$}->{$filename} = undef;
663 close ($fh);
664 }
665 }
666 }
667
668 sub lock_container {
669 my ($vmid, $timeout, $code, @param) = @_;
670
671 my $res;
672
673 lock_aquire($vmid, $timeout);
674 eval { $res = &$code(@param) };
675 my $err = $@;
676 lock_release($vmid);
677
678 die $err if $err;
679
680 return $res;
681 }
682
683 sub option_exists {
684 my ($name) = @_;
685
686 return defined($confdesc->{$name});
687 }
688
689 # add JSON properties for create and set function
690 sub json_config_properties {
691 my $prop = shift;
692
693 foreach my $opt (keys %$confdesc) {
694 next if $opt eq 'parent' || $opt eq 'snaptime';
695 next if $prop->{$opt};
696 $prop->{$opt} = $confdesc->{$opt};
697 }
698
699 return $prop;
700 }
701
702 sub json_config_properties_no_rootfs {
703 my $prop = shift;
704
705 foreach my $opt (keys %$confdesc) {
706 next if $prop->{$opt};
707 next if $opt eq 'parent' || $opt eq 'snaptime' || $opt eq 'rootfs';
708 $prop->{$opt} = $confdesc->{$opt};
709 }
710
711 return $prop;
712 }
713
714 # container status helpers
715
716 sub list_active_containers {
717
718 my $filename = "/proc/net/unix";
719
720 # similar test is used by lcxcontainers.c: list_active_containers
721 my $res = {};
722
723 my $fh = IO::File->new ($filename, "r");
724 return $res if !$fh;
725
726 while (defined(my $line = <$fh>)) {
727 if ($line =~ m/^[a-f0-9]+:\s\S+\s\S+\s\S+\s\S+\s\S+\s\d+\s(\S+)$/) {
728 my $path = $1;
729 if ($path =~ m!^@/var/lib/lxc/(\d+)/command$!) {
730 $res->{$1} = 1;
731 }
732 }
733 }
734
735 close($fh);
736
737 return $res;
738 }
739
740 # warning: this is slow
741 sub check_running {
742 my ($vmid) = @_;
743
744 my $active_hash = list_active_containers();
745
746 return 1 if defined($active_hash->{$vmid});
747
748 return undef;
749 }
750
751 sub get_container_disk_usage {
752 my ($vmid, $pid) = @_;
753
754 return PVE::Tools::df("/proc/$pid/root/", 1);
755 }
756
757 my $last_proc_vmid_stat;
758
759 my $parse_cpuacct_stat = sub {
760 my ($vmid) = @_;
761
762 my $raw = read_cgroup_value('cpuacct', $vmid, 'cpuacct.stat', 1);
763
764 my $stat = {};
765
766 if ($raw =~ m/^user (\d+)\nsystem (\d+)\n/) {
767
768 $stat->{utime} = $1;
769 $stat->{stime} = $2;
770
771 }
772
773 return $stat;
774 };
775
776 sub vmstatus {
777 my ($opt_vmid) = @_;
778
779 my $list = $opt_vmid ? { $opt_vmid => { type => 'lxc' }} : config_list();
780
781 my $active_hash = list_active_containers();
782
783 my $cpucount = $cpuinfo->{cpus} || 1;
784
785 my $cdtime = gettimeofday;
786
787 my $uptime = (PVE::ProcFSTools::read_proc_uptime(1))[0];
788
789 foreach my $vmid (keys %$list) {
790 my $d = $list->{$vmid};
791
792 eval { $d->{pid} = find_lxc_pid($vmid) if defined($active_hash->{$vmid}); };
793 warn $@ if $@; # ignore errors (consider them stopped)
794
795 $d->{status} = $d->{pid} ? 'running' : 'stopped';
796
797 my $cfspath = cfs_config_path($vmid);
798 my $conf = PVE::Cluster::cfs_read_file($cfspath) || {};
799
800 $d->{name} = $conf->{'hostname'} || "CT$vmid";
801 $d->{name} =~ s/[\s]//g;
802
803 $d->{cpus} = $conf->{cpulimit} || $cpucount;
804
805 if ($d->{pid}) {
806 my $res = get_container_disk_usage($vmid, $d->{pid});
807 $d->{disk} = $res->{used};
808 $d->{maxdisk} = $res->{total};
809 } else {
810 $d->{disk} = 0;
811 # use 4GB by default ??
812 if (my $rootfs = $conf->{rootfs}) {
813 my $rootinfo = parse_ct_mountpoint($rootfs);
814 $d->{maxdisk} = int(($rootinfo->{size} || 4)*1024*1024)*1024;
815 } else {
816 $d->{maxdisk} = 4*1024*1024*1024;
817 }
818 }
819
820 $d->{mem} = 0;
821 $d->{swap} = 0;
822 $d->{maxmem} = ($conf->{memory}||512)*1024*1024;
823 $d->{maxswap} = ($conf->{swap}//0)*1024*1024;
824
825 $d->{uptime} = 0;
826 $d->{cpu} = 0;
827
828 $d->{netout} = 0;
829 $d->{netin} = 0;
830
831 $d->{diskread} = 0;
832 $d->{diskwrite} = 0;
833
834 $d->{template} = is_template($conf);
835 }
836
837 foreach my $vmid (keys %$list) {
838 my $d = $list->{$vmid};
839 my $pid = $d->{pid};
840
841 next if !$pid; # skip stopped CTs
842
843 my $ctime = (stat("/proc/$pid"))[10]; # 10 = ctime
844 $d->{uptime} = time - $ctime; # the method lxcfs uses
845
846 $d->{mem} = read_cgroup_value('memory', $vmid, 'memory.usage_in_bytes');
847 $d->{swap} = read_cgroup_value('memory', $vmid, 'memory.memsw.usage_in_bytes') - $d->{mem};
848
849 my $blkio_bytes = read_cgroup_value('blkio', $vmid, 'blkio.throttle.io_service_bytes', 1);
850 my @bytes = split(/\n/, $blkio_bytes);
851 foreach my $byte (@bytes) {
852 if (my ($key, $value) = $byte =~ /(Read|Write)\s+(\d+)/) {
853 $d->{diskread} = $2 if $key eq 'Read';
854 $d->{diskwrite} = $2 if $key eq 'Write';
855 }
856 }
857
858 my $pstat = &$parse_cpuacct_stat($vmid);
859
860 my $used = $pstat->{utime} + $pstat->{stime};
861
862 my $old = $last_proc_vmid_stat->{$vmid};
863 if (!$old) {
864 $last_proc_vmid_stat->{$vmid} = {
865 time => $cdtime,
866 used => $used,
867 cpu => 0,
868 };
869 next;
870 }
871
872 my $dtime = ($cdtime - $old->{time}) * $cpucount * $cpuinfo->{user_hz};
873
874 if ($dtime > 1000) {
875 my $dutime = $used - $old->{used};
876
877 $d->{cpu} = (($dutime/$dtime)* $cpucount) / $d->{cpus};
878 $last_proc_vmid_stat->{$vmid} = {
879 time => $cdtime,
880 used => $used,
881 cpu => $d->{cpu},
882 };
883 } else {
884 $d->{cpu} = $old->{cpu};
885 }
886 }
887
888 my $netdev = PVE::ProcFSTools::read_proc_net_dev();
889
890 foreach my $dev (keys %$netdev) {
891 next if $dev !~ m/^veth([1-9]\d*)i/;
892 my $vmid = $1;
893 my $d = $list->{$vmid};
894
895 next if !$d;
896
897 $d->{netout} += $netdev->{$dev}->{receive};
898 $d->{netin} += $netdev->{$dev}->{transmit};
899
900 }
901
902 return $list;
903 }
904
905 sub classify_mountpoint {
906 my ($vol) = @_;
907 if ($vol =~ m!^/!) {
908 return 'device' if $vol =~ m!^/dev/!;
909 return 'bind';
910 }
911 return 'volume';
912 }
913
914 sub parse_ct_mountpoint {
915 my ($data, $noerr) = @_;
916
917 $data //= '';
918
919 my $res;
920 eval { $res = PVE::JSONSchema::parse_property_string($mp_desc, $data) };
921 if ($@) {
922 return undef if $noerr;
923 die $@;
924 }
925
926 if (defined(my $size = $res->{size})) {
927 $size = PVE::JSONSchema::parse_size($size);
928 if (!defined($size)) {
929 return undef if $noerr;
930 die "invalid size: $size\n";
931 }
932 $res->{size} = $size;
933 }
934
935 $res->{type} = classify_mountpoint($res->{volume});
936
937 return $res;
938 }
939
940 sub print_ct_mountpoint {
941 my ($info, $nomp) = @_;
942 my $skip = [ 'type' ];
943 push @$skip, 'mp' if $nomp;
944 return PVE::JSONSchema::print_property_string($info, $mp_desc, $skip);
945 }
946
947 sub print_lxc_network {
948 my $net = shift;
949 return PVE::JSONSchema::print_property_string($net, $netconf_desc);
950 }
951
952 sub parse_lxc_network {
953 my ($data) = @_;
954
955 my $res = {};
956
957 return $res if !$data;
958
959 $res = PVE::JSONSchema::parse_property_string($netconf_desc, $data);
960
961 $res->{type} = 'veth';
962 $res->{hwaddr} = PVE::Tools::random_ether_addr() if !$res->{hwaddr};
963
964 return $res;
965 }
966
967 sub read_cgroup_value {
968 my ($group, $vmid, $name, $full) = @_;
969
970 my $path = "/sys/fs/cgroup/$group/lxc/$vmid/$name";
971
972 return PVE::Tools::file_get_contents($path) if $full;
973
974 return PVE::Tools::file_read_firstline($path);
975 }
976
977 sub write_cgroup_value {
978 my ($group, $vmid, $name, $value) = @_;
979
980 my $path = "/sys/fs/cgroup/$group/lxc/$vmid/$name";
981 PVE::ProcFSTools::write_proc_entry($path, $value) if -e $path;
982
983 }
984
985 sub find_lxc_console_pids {
986
987 my $res = {};
988
989 PVE::Tools::dir_glob_foreach('/proc', '\d+', sub {
990 my ($pid) = @_;
991
992 my $cmdline = PVE::Tools::file_read_firstline("/proc/$pid/cmdline");
993 return if !$cmdline;
994
995 my @args = split(/\0/, $cmdline);
996
997 # serach for lxc-console -n <vmid>
998 return if scalar(@args) != 3;
999 return if $args[1] ne '-n';
1000 return if $args[2] !~ m/^\d+$/;
1001 return if $args[0] !~ m|^(/usr/bin/)?lxc-console$|;
1002
1003 my $vmid = $args[2];
1004
1005 push @{$res->{$vmid}}, $pid;
1006 });
1007
1008 return $res;
1009 }
1010
1011 sub find_lxc_pid {
1012 my ($vmid) = @_;
1013
1014 my $pid = undef;
1015 my $parser = sub {
1016 my $line = shift;
1017 $pid = $1 if $line =~ m/^PID:\s+(\d+)$/;
1018 };
1019 PVE::Tools::run_command(['lxc-info', '-n', $vmid, '-p'], outfunc => $parser);
1020
1021 die "unable to get PID for CT $vmid (not running?)\n" if !$pid;
1022
1023 return $pid;
1024 }
1025
1026 # Note: we cannot use Net:IP, because that only allows strict
1027 # CIDR networks
1028 sub parse_ipv4_cidr {
1029 my ($cidr, $noerr) = @_;
1030
1031 if ($cidr =~ m!^($IPV4RE)(?:/(\d+))$! && ($2 > 7) && ($2 <= 32)) {
1032 return { address => $1, netmask => $PVE::Network::ipv4_reverse_mask->[$2] };
1033 }
1034
1035 return undef if $noerr;
1036
1037 die "unable to parse ipv4 address/mask\n";
1038 }
1039
1040 sub check_lock {
1041 my ($conf) = @_;
1042
1043 die "VM is locked ($conf->{'lock'})\n" if $conf->{'lock'};
1044 }
1045
1046 sub check_protection {
1047 my ($vm_conf, $err_msg) = @_;
1048
1049 if ($vm_conf->{protection}) {
1050 die "$err_msg - protection mode enabled\n";
1051 }
1052 }
1053
1054 sub update_lxc_config {
1055 my ($storage_cfg, $vmid, $conf) = @_;
1056
1057 my $dir = "/var/lib/lxc/$vmid";
1058
1059 if ($conf->{template}) {
1060
1061 unlink "$dir/config";
1062
1063 return;
1064 }
1065
1066 my $raw = '';
1067
1068 die "missing 'arch' - internal error" if !$conf->{arch};
1069 $raw .= "lxc.arch = $conf->{arch}\n";
1070
1071 my $unprivileged = $conf->{unprivileged};
1072 my $custom_idmap = grep { $_->[0] eq 'lxc.id_map' } @{$conf->{lxc}};
1073
1074 my $ostype = $conf->{ostype} || die "missing 'ostype' - internal error";
1075 if ($ostype =~ /^(?:debian | ubuntu | centos | archlinux)$/x) {
1076 $raw .= "lxc.include = /usr/share/lxc/config/$ostype.common.conf\n";
1077 if ($unprivileged || $custom_idmap) {
1078 $raw .= "lxc.include = /usr/share/lxc/config/$ostype.userns.conf\n"
1079 }
1080 } else {
1081 die "implement me";
1082 }
1083
1084 $raw .= "lxc.start.unshare = 1\n";
1085
1086 # Should we read them from /etc/subuid?
1087 if ($unprivileged && !$custom_idmap) {
1088 $raw .= "lxc.id_map = u 0 100000 65536\n";
1089 $raw .= "lxc.id_map = g 0 100000 65536\n";
1090 }
1091
1092 if (!has_dev_console($conf)) {
1093 $raw .= "lxc.console = none\n";
1094 $raw .= "lxc.cgroup.devices.deny = c 5:1 rwm\n";
1095 }
1096
1097 my $ttycount = get_tty_count($conf);
1098 $raw .= "lxc.tty = $ttycount\n";
1099
1100 # some init scripts expects a linux terminal (turnkey).
1101 $raw .= "lxc.environment = TERM=linux\n";
1102
1103 my $utsname = $conf->{hostname} || "CT$vmid";
1104 $raw .= "lxc.utsname = $utsname\n";
1105
1106 my $memory = $conf->{memory} || 512;
1107 my $swap = $conf->{swap} // 0;
1108
1109 my $lxcmem = int($memory*1024*1024);
1110 $raw .= "lxc.cgroup.memory.limit_in_bytes = $lxcmem\n";
1111 $raw .= "lxc.cgroup.memory.kmem.limit_in_bytes = $lxcmem\n";
1112
1113 my $lxcswap = int(($memory + $swap)*1024*1024);
1114 $raw .= "lxc.cgroup.memory.memsw.limit_in_bytes = $lxcswap\n";
1115
1116 if (my $cpulimit = $conf->{cpulimit}) {
1117 $raw .= "lxc.cgroup.cpu.cfs_period_us = 100000\n";
1118 my $value = int(100000*$cpulimit);
1119 $raw .= "lxc.cgroup.cpu.cfs_quota_us = $value\n";
1120 }
1121
1122 my $shares = $conf->{cpuunits} || 1024;
1123 $raw .= "lxc.cgroup.cpu.shares = $shares\n";
1124
1125 my $mountpoint = parse_ct_mountpoint($conf->{rootfs});
1126 $mountpoint->{mp} = '/';
1127
1128 $raw .= "lxc.rootfs = $dir/rootfs\n";
1129 $raw .= "lxc.hook.stop = /usr/lib/x86_64-linux-gnu/lxc/hooks/unmount-namespace\n";
1130
1131 my $netcount = 0;
1132 foreach my $k (keys %$conf) {
1133 next if $k !~ m/^net(\d+)$/;
1134 my $ind = $1;
1135 my $d = parse_lxc_network($conf->{$k});
1136 $netcount++;
1137 $raw .= "lxc.network.type = veth\n";
1138 $raw .= "lxc.network.veth.pair = veth${vmid}i${ind}\n";
1139 $raw .= "lxc.network.hwaddr = $d->{hwaddr}\n" if defined($d->{hwaddr});
1140 $raw .= "lxc.network.name = $d->{name}\n" if defined($d->{name});
1141 $raw .= "lxc.network.mtu = $d->{mtu}\n" if defined($d->{mtu});
1142 }
1143
1144 if (my $lxcconf = $conf->{lxc}) {
1145 foreach my $entry (@$lxcconf) {
1146 my ($k, $v) = @$entry;
1147 $netcount++ if $k eq 'lxc.network.type';
1148 $raw .= "$k = $v\n";
1149 }
1150 }
1151
1152 $raw .= "lxc.network.type = empty\n" if !$netcount;
1153
1154 File::Path::mkpath("$dir/rootfs");
1155
1156 PVE::Tools::file_set_contents("$dir/config", $raw);
1157 }
1158
1159 # verify and cleanup nameserver list (replace \0 with ' ')
1160 sub verify_nameserver_list {
1161 my ($nameserver_list) = @_;
1162
1163 my @list = ();
1164 foreach my $server (PVE::Tools::split_list($nameserver_list)) {
1165 PVE::JSONSchema::pve_verify_ip($server);
1166 push @list, $server;
1167 }
1168
1169 return join(' ', @list);
1170 }
1171
1172 sub verify_searchdomain_list {
1173 my ($searchdomain_list) = @_;
1174
1175 my @list = ();
1176 foreach my $server (PVE::Tools::split_list($searchdomain_list)) {
1177 # todo: should we add checks for valid dns domains?
1178 push @list, $server;
1179 }
1180
1181 return join(' ', @list);
1182 }
1183
1184 sub add_unused_volume {
1185 my ($config, $volid) = @_;
1186
1187 my $key;
1188 for (my $ind = $MAX_UNUSED_DISKS - 1; $ind >= 0; $ind--) {
1189 my $test = "unused$ind";
1190 if (my $vid = $config->{$test}) {
1191 return if $vid eq $volid; # do not add duplicates
1192 } else {
1193 $key = $test;
1194 }
1195 }
1196
1197 die "To many unused volume - please delete them first.\n" if !$key;
1198
1199 $config->{$key} = $volid;
1200
1201 return $key;
1202 }
1203
1204 sub update_pct_config {
1205 my ($vmid, $conf, $running, $param, $delete) = @_;
1206
1207 my @nohotplug;
1208
1209 my $new_disks = 0;
1210 my @deleted_volumes;
1211
1212 my $rootdir;
1213 if ($running) {
1214 my $pid = find_lxc_pid($vmid);
1215 $rootdir = "/proc/$pid/root";
1216 }
1217
1218 my $hotplug_error = sub {
1219 if ($running) {
1220 push @nohotplug, @_;
1221 return 1;
1222 } else {
1223 return 0;
1224 }
1225 };
1226
1227 if (defined($delete)) {
1228 foreach my $opt (@$delete) {
1229 if ($opt eq 'hostname' || $opt eq 'memory' || $opt eq 'rootfs') {
1230 die "unable to delete required option '$opt'\n";
1231 } elsif ($opt eq 'swap') {
1232 delete $conf->{$opt};
1233 write_cgroup_value("memory", $vmid, "memory.memsw.limit_in_bytes", -1);
1234 } elsif ($opt eq 'description' || $opt eq 'onboot' || $opt eq 'startup') {
1235 delete $conf->{$opt};
1236 } elsif ($opt eq 'nameserver' || $opt eq 'searchdomain' ||
1237 $opt eq 'tty' || $opt eq 'console' || $opt eq 'cmode') {
1238 next if $hotplug_error->($opt);
1239 delete $conf->{$opt};
1240 } elsif ($opt =~ m/^net(\d)$/) {
1241 delete $conf->{$opt};
1242 next if !$running;
1243 my $netid = $1;
1244 PVE::Network::veth_delete("veth${vmid}i$netid");
1245 } elsif ($opt eq 'protection') {
1246 delete $conf->{$opt};
1247 } elsif ($opt =~ m/^unused(\d+)$/) {
1248 next if $hotplug_error->($opt);
1249 check_protection($conf, "can't remove CT $vmid drive '$opt'");
1250 push @deleted_volumes, $conf->{$opt};
1251 delete $conf->{$opt};
1252 } elsif ($opt =~ m/^mp(\d+)$/) {
1253 next if $hotplug_error->($opt);
1254 check_protection($conf, "can't remove CT $vmid drive '$opt'");
1255 my $mountpoint = parse_ct_mountpoint($conf->{$opt});
1256 if ($mountpoint->{type} eq 'volume') {
1257 add_unused_volume($conf, $mountpoint->{volume})
1258 }
1259 delete $conf->{$opt};
1260 } elsif ($opt eq 'unprivileged') {
1261 die "unable to delete read-only option: '$opt'\n";
1262 } else {
1263 die "implement me"
1264 }
1265 write_config($vmid, $conf) if $running;
1266 }
1267 }
1268
1269 # There's no separate swap size to configure, there's memory and "total"
1270 # memory (iow. memory+swap). This means we have to change them together.
1271 my $wanted_memory = PVE::Tools::extract_param($param, 'memory');
1272 my $wanted_swap = PVE::Tools::extract_param($param, 'swap');
1273 if (defined($wanted_memory) || defined($wanted_swap)) {
1274
1275 $wanted_memory //= ($conf->{memory} || 512);
1276 $wanted_swap //= ($conf->{swap} || 0);
1277
1278 my $total = $wanted_memory + $wanted_swap;
1279 if ($running) {
1280 write_cgroup_value("memory", $vmid, "memory.limit_in_bytes", int($wanted_memory*1024*1024));
1281 write_cgroup_value("memory", $vmid, "memory.memsw.limit_in_bytes", int($total*1024*1024));
1282 }
1283 $conf->{memory} = $wanted_memory;
1284 $conf->{swap} = $wanted_swap;
1285
1286 write_config($vmid, $conf) if $running;
1287 }
1288
1289 foreach my $opt (keys %$param) {
1290 my $value = $param->{$opt};
1291 if ($opt eq 'hostname') {
1292 $conf->{$opt} = $value;
1293 } elsif ($opt eq 'onboot') {
1294 $conf->{$opt} = $value ? 1 : 0;
1295 } elsif ($opt eq 'startup') {
1296 $conf->{$opt} = $value;
1297 } elsif ($opt eq 'tty' || $opt eq 'console' || $opt eq 'cmode') {
1298 next if $hotplug_error->($opt);
1299 $conf->{$opt} = $value;
1300 } elsif ($opt eq 'nameserver') {
1301 next if $hotplug_error->($opt);
1302 my $list = verify_nameserver_list($value);
1303 $conf->{$opt} = $list;
1304 } elsif ($opt eq 'searchdomain') {
1305 next if $hotplug_error->($opt);
1306 my $list = verify_searchdomain_list($value);
1307 $conf->{$opt} = $list;
1308 } elsif ($opt eq 'cpulimit') {
1309 next if $hotplug_error->($opt); # FIXME: hotplug
1310 $conf->{$opt} = $value;
1311 } elsif ($opt eq 'cpuunits') {
1312 $conf->{$opt} = $value;
1313 write_cgroup_value("cpu", $vmid, "cpu.shares", $value);
1314 } elsif ($opt eq 'description') {
1315 $conf->{$opt} = PVE::Tools::encode_text($value);
1316 } elsif ($opt =~ m/^net(\d+)$/) {
1317 my $netid = $1;
1318 my $net = parse_lxc_network($value);
1319 if (!$running) {
1320 $conf->{$opt} = print_lxc_network($net);
1321 } else {
1322 update_net($vmid, $conf, $opt, $net, $netid, $rootdir);
1323 }
1324 } elsif ($opt eq 'protection') {
1325 $conf->{$opt} = $value ? 1 : 0;
1326 } elsif ($opt =~ m/^mp(\d+)$/) {
1327 next if $hotplug_error->($opt);
1328 check_protection($conf, "can't update CT $vmid drive '$opt'");
1329 $conf->{$opt} = $value;
1330 $new_disks = 1;
1331 } elsif ($opt eq 'rootfs') {
1332 check_protection($conf, "can't update CT $vmid drive '$opt'");
1333 die "implement me: $opt";
1334 } elsif ($opt eq 'unprivileged') {
1335 die "unable to modify read-only option: '$opt'\n";
1336 } else {
1337 die "implement me: $opt";
1338 }
1339 write_config($vmid, $conf) if $running;
1340 }
1341
1342 if (@deleted_volumes) {
1343 my $storage_cfg = PVE::Storage::config();
1344 foreach my $volume (@deleted_volumes) {
1345 delete_mountpoint_volume($storage_cfg, $vmid, $volume);
1346 }
1347 }
1348
1349 if ($new_disks) {
1350 my $storage_cfg = PVE::Storage::config();
1351 create_disks($storage_cfg, $vmid, $conf, $conf);
1352 }
1353
1354 # This should be the last thing we do here
1355 if ($running && scalar(@nohotplug)) {
1356 die "unable to modify " . join(',', @nohotplug) . " while container is running\n";
1357 }
1358 }
1359
1360 sub has_dev_console {
1361 my ($conf) = @_;
1362
1363 return !(defined($conf->{console}) && !$conf->{console});
1364 }
1365
1366 sub get_tty_count {
1367 my ($conf) = @_;
1368
1369 return $conf->{tty} // $confdesc->{tty}->{default};
1370 }
1371
1372 sub get_cmode {
1373 my ($conf) = @_;
1374
1375 return $conf->{cmode} // $confdesc->{cmode}->{default};
1376 }
1377
1378 sub get_console_command {
1379 my ($vmid, $conf) = @_;
1380
1381 my $cmode = get_cmode($conf);
1382
1383 if ($cmode eq 'console') {
1384 return ['lxc-console', '-n', $vmid, '-t', 0];
1385 } elsif ($cmode eq 'tty') {
1386 return ['lxc-console', '-n', $vmid];
1387 } elsif ($cmode eq 'shell') {
1388 return ['lxc-attach', '--clear-env', '-n', $vmid];
1389 } else {
1390 die "internal error";
1391 }
1392 }
1393
1394 sub get_primary_ips {
1395 my ($conf) = @_;
1396
1397 # return data from net0
1398
1399 return undef if !defined($conf->{net0});
1400 my $net = parse_lxc_network($conf->{net0});
1401
1402 my $ipv4 = $net->{ip};
1403 if ($ipv4) {
1404 if ($ipv4 =~ /^(dhcp|manual)$/) {
1405 $ipv4 = undef
1406 } else {
1407 $ipv4 =~ s!/\d+$!!;
1408 }
1409 }
1410 my $ipv6 = $net->{ip6};
1411 if ($ipv6) {
1412 if ($ipv6 =~ /^(auto|dhcp|manual)$/) {
1413 $ipv6 = undef;
1414 } else {
1415 $ipv6 =~ s!/\d+$!!;
1416 }
1417 }
1418
1419 return ($ipv4, $ipv6);
1420 }
1421
1422 sub delete_mountpoint_volume {
1423 my ($storage_cfg, $vmid, $volume) = @_;
1424
1425 return if classify_mountpoint($volume) ne 'volume';
1426
1427 my ($vtype, $name, $owner) = PVE::Storage::parse_volname($storage_cfg, $volume);
1428 PVE::Storage::vdisk_free($storage_cfg, $volume) if $vmid == $owner;
1429 }
1430
1431 sub destroy_lxc_container {
1432 my ($storage_cfg, $vmid, $conf) = @_;
1433
1434 foreach_mountpoint($conf, sub {
1435 my ($ms, $mountpoint) = @_;
1436 delete_mountpoint_volume($storage_cfg, $vmid, $mountpoint->{volume});
1437 });
1438
1439 rmdir "/var/lib/lxc/$vmid/rootfs";
1440 unlink "/var/lib/lxc/$vmid/config";
1441 rmdir "/var/lib/lxc/$vmid";
1442 destroy_config($vmid);
1443
1444 #my $cmd = ['lxc-destroy', '-n', $vmid ];
1445 #PVE::Tools::run_command($cmd);
1446 }
1447
1448 sub vm_stop_cleanup {
1449 my ($storage_cfg, $vmid, $conf, $keepActive) = @_;
1450
1451 eval {
1452 if (!$keepActive) {
1453
1454 my $vollist = get_vm_volumes($conf);
1455 PVE::Storage::deactivate_volumes($storage_cfg, $vollist);
1456 }
1457 };
1458 warn $@ if $@; # avoid errors - just warn
1459 }
1460
1461 my $safe_num_ne = sub {
1462 my ($a, $b) = @_;
1463
1464 return 0 if !defined($a) && !defined($b);
1465 return 1 if !defined($a);
1466 return 1 if !defined($b);
1467
1468 return $a != $b;
1469 };
1470
1471 my $safe_string_ne = sub {
1472 my ($a, $b) = @_;
1473
1474 return 0 if !defined($a) && !defined($b);
1475 return 1 if !defined($a);
1476 return 1 if !defined($b);
1477
1478 return $a ne $b;
1479 };
1480
1481 sub update_net {
1482 my ($vmid, $conf, $opt, $newnet, $netid, $rootdir) = @_;
1483
1484 if ($newnet->{type} ne 'veth') {
1485 # for when there are physical interfaces
1486 die "cannot update interface of type $newnet->{type}";
1487 }
1488
1489 my $veth = "veth${vmid}i${netid}";
1490 my $eth = $newnet->{name};
1491
1492 if (my $oldnetcfg = $conf->{$opt}) {
1493 my $oldnet = parse_lxc_network($oldnetcfg);
1494
1495 if (&$safe_string_ne($oldnet->{hwaddr}, $newnet->{hwaddr}) ||
1496 &$safe_string_ne($oldnet->{name}, $newnet->{name})) {
1497
1498 PVE::Network::veth_delete($veth);
1499 delete $conf->{$opt};
1500 write_config($vmid, $conf);
1501
1502 hotplug_net($vmid, $conf, $opt, $newnet, $netid);
1503
1504 } elsif (&$safe_string_ne($oldnet->{bridge}, $newnet->{bridge}) ||
1505 &$safe_num_ne($oldnet->{tag}, $newnet->{tag}) ||
1506 &$safe_num_ne($oldnet->{firewall}, $newnet->{firewall})) {
1507
1508 if ($oldnet->{bridge}) {
1509 PVE::Network::tap_unplug($veth);
1510 foreach (qw(bridge tag firewall)) {
1511 delete $oldnet->{$_};
1512 }
1513 $conf->{$opt} = print_lxc_network($oldnet);
1514 write_config($vmid, $conf);
1515 }
1516
1517 PVE::Network::tap_plug($veth, $newnet->{bridge}, $newnet->{tag}, $newnet->{firewall});
1518 foreach (qw(bridge tag firewall)) {
1519 $oldnet->{$_} = $newnet->{$_} if $newnet->{$_};
1520 }
1521 $conf->{$opt} = print_lxc_network($oldnet);
1522 write_config($vmid, $conf);
1523 }
1524 } else {
1525 hotplug_net($vmid, $conf, $opt, $newnet, $netid);
1526 }
1527
1528 update_ipconfig($vmid, $conf, $opt, $eth, $newnet, $rootdir);
1529 }
1530
1531 sub hotplug_net {
1532 my ($vmid, $conf, $opt, $newnet, $netid) = @_;
1533
1534 my $veth = "veth${vmid}i${netid}";
1535 my $vethpeer = $veth . "p";
1536 my $eth = $newnet->{name};
1537
1538 PVE::Network::veth_create($veth, $vethpeer, $newnet->{bridge}, $newnet->{hwaddr});
1539 PVE::Network::tap_plug($veth, $newnet->{bridge}, $newnet->{tag}, $newnet->{firewall});
1540
1541 # attach peer in container
1542 my $cmd = ['lxc-device', '-n', $vmid, 'add', $vethpeer, "$eth" ];
1543 PVE::Tools::run_command($cmd);
1544
1545 # link up peer in container
1546 $cmd = ['lxc-attach', '-n', $vmid, '-s', 'NETWORK', '--', '/sbin/ip', 'link', 'set', $eth ,'up' ];
1547 PVE::Tools::run_command($cmd);
1548
1549 my $done = { type => 'veth' };
1550 foreach (qw(bridge tag firewall hwaddr name)) {
1551 $done->{$_} = $newnet->{$_} if $newnet->{$_};
1552 }
1553 $conf->{$opt} = print_lxc_network($done);
1554
1555 write_config($vmid, $conf);
1556 }
1557
1558 sub update_ipconfig {
1559 my ($vmid, $conf, $opt, $eth, $newnet, $rootdir) = @_;
1560
1561 my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir);
1562
1563 my $optdata = parse_lxc_network($conf->{$opt});
1564 my $deleted = [];
1565 my $added = [];
1566 my $nscmd = sub {
1567 my $cmdargs = shift;
1568 PVE::Tools::run_command(['lxc-attach', '-n', $vmid, '-s', 'NETWORK', '--', @_], %$cmdargs);
1569 };
1570 my $ipcmd = sub { &$nscmd({}, '/sbin/ip', @_) };
1571
1572 my $change_ip_config = sub {
1573 my ($ipversion) = @_;
1574
1575 my $family_opt = "-$ipversion";
1576 my $suffix = $ipversion == 4 ? '' : $ipversion;
1577 my $gw= "gw$suffix";
1578 my $ip= "ip$suffix";
1579
1580 my $newip = $newnet->{$ip};
1581 my $newgw = $newnet->{$gw};
1582 my $oldip = $optdata->{$ip};
1583
1584 my $change_ip = &$safe_string_ne($oldip, $newip);
1585 my $change_gw = &$safe_string_ne($optdata->{$gw}, $newgw);
1586
1587 return if !$change_ip && !$change_gw;
1588
1589 # step 1: add new IP, if this fails we cancel
1590 my $is_real_ip = ($newip && $newip !~ /^(?:auto|dhcp|manual)$/);
1591 if ($change_ip && $is_real_ip) {
1592 eval { &$ipcmd($family_opt, 'addr', 'add', $newip, 'dev', $eth); };
1593 if (my $err = $@) {
1594 warn $err;
1595 return;
1596 }
1597 }
1598
1599 # step 2: replace gateway
1600 # If this fails we delete the added IP and cancel.
1601 # If it succeeds we save the config and delete the old IP, ignoring
1602 # errors. The config is then saved.
1603 # Note: 'ip route replace' can add
1604 if ($change_gw) {
1605 if ($newgw) {
1606 eval {
1607 if ($is_real_ip && !PVE::Network::is_ip_in_cidr($newgw, $newip, $ipversion)) {
1608 &$ipcmd($family_opt, 'route', 'add', $newgw, 'dev', $eth);
1609 }
1610 &$ipcmd($family_opt, 'route', 'replace', 'default', 'via', $newgw);
1611 };
1612 if (my $err = $@) {
1613 warn $err;
1614 # the route was not replaced, the old IP is still available
1615 # rollback (delete new IP) and cancel
1616 if ($change_ip) {
1617 eval { &$ipcmd($family_opt, 'addr', 'del', $newip, 'dev', $eth); };
1618 warn $@ if $@; # no need to die here
1619 }
1620 return;
1621 }
1622 } else {
1623 eval { &$ipcmd($family_opt, 'route', 'del', 'default'); };
1624 # if the route was not deleted, the guest might have deleted it manually
1625 # warn and continue
1626 warn $@ if $@;
1627 }
1628 }
1629
1630 # from this point on we save the configuration
1631 # step 3: delete old IP ignoring errors
1632 if ($change_ip && $oldip && $oldip !~ /^(?:auto|dhcp)$/) {
1633 # We need to enable promote_secondaries, otherwise our newly added
1634 # address will be removed along with the old one.
1635 my $promote = 0;
1636 eval {
1637 if ($ipversion == 4) {
1638 &$nscmd({ outfunc => sub { $promote = int(shift) } },
1639 'cat', "/proc/sys/net/ipv4/conf/$eth/promote_secondaries");
1640 &$nscmd({}, 'sysctl', "net.ipv4.conf.$eth.promote_secondaries=1");
1641 }
1642 &$ipcmd($family_opt, 'addr', 'del', $oldip, 'dev', $eth);
1643 };
1644 warn $@ if $@; # no need to die here
1645
1646 if ($ipversion == 4) {
1647 &$nscmd({}, 'sysctl', "net.ipv4.conf.$eth.promote_secondaries=$promote");
1648 }
1649 }
1650
1651 foreach my $property ($ip, $gw) {
1652 if ($newnet->{$property}) {
1653 $optdata->{$property} = $newnet->{$property};
1654 } else {
1655 delete $optdata->{$property};
1656 }
1657 }
1658 $conf->{$opt} = print_lxc_network($optdata);
1659 write_config($vmid, $conf);
1660 $lxc_setup->setup_network($conf);
1661 };
1662
1663 &$change_ip_config(4);
1664 &$change_ip_config(6);
1665
1666 }
1667
1668 # Internal snapshots
1669
1670 # NOTE: Snapshot create/delete involves several non-atomic
1671 # action, and can take a long time.
1672 # So we try to avoid locking the file and use 'lock' variable
1673 # inside the config file instead.
1674
1675 my $snapshot_copy_config = sub {
1676 my ($source, $dest) = @_;
1677
1678 foreach my $k (keys %$source) {
1679 next if $k eq 'snapshots';
1680 next if $k eq 'snapstate';
1681 next if $k eq 'snaptime';
1682 next if $k eq 'vmstate';
1683 next if $k eq 'lock';
1684 next if $k eq 'digest';
1685 next if $k eq 'description';
1686
1687 $dest->{$k} = $source->{$k};
1688 }
1689 };
1690
1691 my $snapshot_prepare = sub {
1692 my ($vmid, $snapname, $comment) = @_;
1693
1694 my $snap;
1695
1696 my $updatefn = sub {
1697
1698 my $conf = load_config($vmid);
1699
1700 die "you can't take a snapshot if it's a template\n"
1701 if is_template($conf);
1702
1703 check_lock($conf);
1704
1705 $conf->{lock} = 'snapshot';
1706
1707 die "snapshot name '$snapname' already used\n"
1708 if defined($conf->{snapshots}->{$snapname});
1709
1710 my $storecfg = PVE::Storage::config();
1711 die "snapshot feature is not available\n" if !has_feature('snapshot', $conf, $storecfg);
1712
1713 $snap = $conf->{snapshots}->{$snapname} = {};
1714
1715 &$snapshot_copy_config($conf, $snap);
1716
1717 $snap->{'snapstate'} = "prepare";
1718 $snap->{'snaptime'} = time();
1719 $snap->{'description'} = $comment if $comment;
1720 $conf->{snapshots}->{$snapname} = $snap;
1721
1722 write_config($vmid, $conf);
1723 };
1724
1725 lock_container($vmid, 10, $updatefn);
1726
1727 return $snap;
1728 };
1729
1730 my $snapshot_commit = sub {
1731 my ($vmid, $snapname) = @_;
1732
1733 my $updatefn = sub {
1734
1735 my $conf = load_config($vmid);
1736
1737 die "missing snapshot lock\n"
1738 if !($conf->{lock} && $conf->{lock} eq 'snapshot');
1739
1740 die "snapshot '$snapname' does not exist\n"
1741 if !defined($conf->{snapshots}->{$snapname});
1742
1743 die "wrong snapshot state\n"
1744 if !($conf->{snapshots}->{$snapname}->{'snapstate'} &&
1745 $conf->{snapshots}->{$snapname}->{'snapstate'} eq "prepare");
1746
1747 delete $conf->{snapshots}->{$snapname}->{'snapstate'};
1748 delete $conf->{lock};
1749 $conf->{parent} = $snapname;
1750
1751 write_config($vmid, $conf);
1752 };
1753
1754 lock_container($vmid, 10 ,$updatefn);
1755 };
1756
1757 sub has_feature {
1758 my ($feature, $conf, $storecfg, $snapname) = @_;
1759
1760 my $err;
1761
1762 foreach_mountpoint($conf, sub {
1763 my ($ms, $mountpoint) = @_;
1764
1765 return if $err; # skip further test
1766
1767 $err = 1 if !PVE::Storage::volume_has_feature($storecfg, $feature, $mountpoint->{volume}, $snapname);
1768
1769 # TODO: implement support for mountpoints
1770 die "unable to handle mountpoint '$ms' - feature not implemented\n"
1771 if $ms ne 'rootfs';
1772 });
1773
1774 return $err ? 0 : 1;
1775 }
1776
1777 sub snapshot_create {
1778 my ($vmid, $snapname, $comment) = @_;
1779
1780 my $snap = &$snapshot_prepare($vmid, $snapname, $comment);
1781
1782 my $conf = load_config($vmid);
1783
1784 my $running = check_running($vmid);
1785 eval {
1786 if ($running) {
1787 PVE::Tools::run_command(['/usr/bin/lxc-freeze', '-n', $vmid]);
1788 PVE::Tools::run_command(['/bin/sync']);
1789 };
1790
1791 my $storecfg = PVE::Storage::config();
1792 my $rootinfo = parse_ct_mountpoint($conf->{rootfs});
1793 my $volid = $rootinfo->{volume};
1794
1795 if ($running) {
1796 PVE::Tools::run_command(['/usr/bin/lxc-unfreeze', '-n', $vmid]);
1797 };
1798
1799 PVE::Storage::volume_snapshot($storecfg, $volid, $snapname);
1800 &$snapshot_commit($vmid, $snapname);
1801 };
1802 if(my $err = $@) {
1803 snapshot_delete($vmid, $snapname, 1);
1804 die "$err\n";
1805 }
1806 }
1807
1808 sub snapshot_delete {
1809 my ($vmid, $snapname, $force) = @_;
1810
1811 my $snap;
1812
1813 my $conf;
1814
1815 my $updatefn = sub {
1816
1817 $conf = load_config($vmid);
1818
1819 die "you can't delete a snapshot if vm is a template\n"
1820 if is_template($conf);
1821
1822 $snap = $conf->{snapshots}->{$snapname};
1823
1824 check_lock($conf);
1825
1826 die "snapshot '$snapname' does not exist\n" if !defined($snap);
1827
1828 $snap->{snapstate} = 'delete';
1829
1830 write_config($vmid, $conf);
1831 };
1832
1833 lock_container($vmid, 10, $updatefn);
1834
1835 my $storecfg = PVE::Storage::config();
1836
1837 my $del_snap = sub {
1838
1839 check_lock($conf);
1840
1841 if ($conf->{parent} eq $snapname) {
1842 if ($conf->{snapshots}->{$snapname}->{snapname}) {
1843 $conf->{parent} = $conf->{snapshots}->{$snapname}->{parent};
1844 } else {
1845 delete $conf->{parent};
1846 }
1847 }
1848
1849 delete $conf->{snapshots}->{$snapname};
1850
1851 write_config($vmid, $conf);
1852 };
1853
1854 my $rootfs = $conf->{snapshots}->{$snapname}->{rootfs};
1855 my $rootinfo = parse_ct_mountpoint($rootfs);
1856 my $volid = $rootinfo->{volume};
1857
1858 eval {
1859 PVE::Storage::volume_snapshot_delete($storecfg, $volid, $snapname);
1860 };
1861 my $err = $@;
1862
1863 if(!$err || ($err && $force)) {
1864 lock_container($vmid, 10, $del_snap);
1865 if ($err) {
1866 die "Can't delete snapshot: $vmid $snapname $err\n";
1867 }
1868 }
1869 }
1870
1871 sub snapshot_rollback {
1872 my ($vmid, $snapname) = @_;
1873
1874 my $storecfg = PVE::Storage::config();
1875
1876 my $conf = load_config($vmid);
1877
1878 die "you can't rollback if vm is a template\n" if is_template($conf);
1879
1880 my $snap = $conf->{snapshots}->{$snapname};
1881
1882 die "snapshot '$snapname' does not exist\n" if !defined($snap);
1883
1884 my $rootfs = $snap->{rootfs};
1885 my $rootinfo = parse_ct_mountpoint($rootfs);
1886 my $volid = $rootinfo->{volume};
1887
1888 PVE::Storage::volume_rollback_is_possible($storecfg, $volid, $snapname);
1889
1890 my $updatefn = sub {
1891
1892 die "unable to rollback to incomplete snapshot (snapstate = $snap->{snapstate})\n"
1893 if $snap->{snapstate};
1894
1895 check_lock($conf);
1896
1897 system("lxc-stop -n $vmid --kill") if check_running($vmid);
1898
1899 die "unable to rollback vm $vmid: vm is running\n"
1900 if check_running($vmid);
1901
1902 $conf->{lock} = 'rollback';
1903
1904 my $forcemachine;
1905
1906 # copy snapshot config to current config
1907
1908 my $tmp_conf = $conf;
1909 &$snapshot_copy_config($tmp_conf->{snapshots}->{$snapname}, $conf);
1910 $conf->{snapshots} = $tmp_conf->{snapshots};
1911 delete $conf->{snaptime};
1912 delete $conf->{snapname};
1913 $conf->{parent} = $snapname;
1914
1915 write_config($vmid, $conf);
1916 };
1917
1918 my $unlockfn = sub {
1919 delete $conf->{lock};
1920 write_config($vmid, $conf);
1921 };
1922
1923 lock_container($vmid, 10, $updatefn);
1924
1925 PVE::Storage::volume_snapshot_rollback($storecfg, $volid, $snapname);
1926
1927 lock_container($vmid, 5, $unlockfn);
1928 }
1929
1930 sub template_create {
1931 my ($vmid, $conf) = @_;
1932
1933 my $storecfg = PVE::Storage::config();
1934
1935 my $rootinfo = parse_ct_mountpoint($conf->{rootfs});
1936 my $volid = $rootinfo->{volume};
1937
1938 die "Template feature is not available for '$volid'\n"
1939 if !PVE::Storage::volume_has_feature($storecfg, 'template', $volid);
1940
1941 PVE::Storage::activate_volumes($storecfg, [$volid]);
1942
1943 my $template_volid = PVE::Storage::vdisk_create_base($storecfg, $volid);
1944 $rootinfo->{volume} = $template_volid;
1945 $conf->{rootfs} = print_ct_mountpoint($rootinfo, 1);
1946
1947 write_config($vmid, $conf);
1948 }
1949
1950 sub is_template {
1951 my ($conf) = @_;
1952
1953 return 1 if defined $conf->{template} && $conf->{template} == 1;
1954 }
1955
1956 sub mountpoint_names {
1957 my ($reverse) = @_;
1958
1959 my @names = ('rootfs');
1960
1961 for (my $i = 0; $i < $MAX_MOUNT_POINTS; $i++) {
1962 push @names, "mp$i";
1963 }
1964
1965 return $reverse ? reverse @names : @names;
1966 }
1967
1968 # The container might have *different* symlinks than the host. realpath/abs_path
1969 # use the actual filesystem to resolve links.
1970 sub sanitize_mountpoint {
1971 my ($mp) = @_;
1972 $mp = '/' . $mp; # we always start with a slash
1973 $mp =~ s@/{2,}@/@g; # collapse sequences of slashes
1974 $mp =~ s@/\./@@g; # collapse /./
1975 $mp =~ s@/\.(/)?$@$1@; # collapse a trailing /. or /./
1976 $mp =~ s@(.*)/[^/]+/\.\./@$1/@g; # collapse /../ without regard for symlinks
1977 $mp =~ s@/\.\.(/)?$@$1@; # collapse trailing /.. or /../ disregarding symlinks
1978 return $mp;
1979 }
1980
1981 sub foreach_mountpoint_full {
1982 my ($conf, $reverse, $func) = @_;
1983
1984 foreach my $key (mountpoint_names($reverse)) {
1985 my $value = $conf->{$key};
1986 next if !defined($value);
1987 my $mountpoint = parse_ct_mountpoint($value, 1);
1988 next if !defined($mountpoint);
1989
1990 # just to be sure: rootfs is /
1991 my $path = $key eq 'rootfs' ? '/' : $mountpoint->{mp};
1992 $mountpoint->{mp} = sanitize_mountpoint($path);
1993
1994 $path = $mountpoint->{volume};
1995 $mountpoint->{volume} = sanitize_mountpoint($path) if $path =~ m|^/|;
1996
1997 &$func($key, $mountpoint);
1998 }
1999 }
2000
2001 sub foreach_mountpoint {
2002 my ($conf, $func) = @_;
2003
2004 foreach_mountpoint_full($conf, 0, $func);
2005 }
2006
2007 sub foreach_mountpoint_reverse {
2008 my ($conf, $func) = @_;
2009
2010 foreach_mountpoint_full($conf, 1, $func);
2011 }
2012
2013 sub check_ct_modify_config_perm {
2014 my ($rpcenv, $authuser, $vmid, $pool, $key_list) = @_;
2015
2016 return 1 if $authuser ne 'root@pam';
2017
2018 foreach my $opt (@$key_list) {
2019
2020 if ($opt eq 'cpus' || $opt eq 'cpuunits' || $opt eq 'cpulimit') {
2021 $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.CPU']);
2022 } elsif ($opt eq 'rootfs' || $opt =~ /^mp\d+$/) {
2023 $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Disk']);
2024 } elsif ($opt eq 'memory' || $opt eq 'swap') {
2025 $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Memory']);
2026 } elsif ($opt =~ m/^net\d+$/ || $opt eq 'nameserver' ||
2027 $opt eq 'searchdomain' || $opt eq 'hostname') {
2028 $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Network']);
2029 } else {
2030 $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Options']);
2031 }
2032 }
2033
2034 return 1;
2035 }
2036
2037 sub umount_all {
2038 my ($vmid, $storage_cfg, $conf, $noerr) = @_;
2039
2040 my $rootdir = "/var/lib/lxc/$vmid/rootfs";
2041 my $volid_list = get_vm_volumes($conf);
2042
2043 foreach_mountpoint_reverse($conf, sub {
2044 my ($ms, $mountpoint) = @_;
2045
2046 my $volid = $mountpoint->{volume};
2047 my $mount = $mountpoint->{mp};
2048
2049 return if !$volid || !$mount;
2050
2051 my $mount_path = "$rootdir/$mount";
2052 $mount_path =~ s!/+!/!g;
2053
2054 return if !PVE::ProcFSTools::is_mounted($mount_path);
2055
2056 eval {
2057 PVE::Tools::run_command(['umount', '-d', $mount_path]);
2058 };
2059 if (my $err = $@) {
2060 if ($noerr) {
2061 warn $err;
2062 } else {
2063 die $err;
2064 }
2065 }
2066 });
2067 }
2068
2069 sub mount_all {
2070 my ($vmid, $storage_cfg, $conf) = @_;
2071
2072 my $rootdir = "/var/lib/lxc/$vmid/rootfs";
2073 File::Path::make_path($rootdir);
2074
2075 my $volid_list = get_vm_volumes($conf);
2076 PVE::Storage::activate_volumes($storage_cfg, $volid_list);
2077
2078 eval {
2079 foreach_mountpoint($conf, sub {
2080 my ($ms, $mountpoint) = @_;
2081
2082 my $volid = $mountpoint->{volume};
2083 my $mount = $mountpoint->{mp};
2084
2085 return if !$volid || !$mount;
2086
2087 my $image_path = PVE::Storage::path($storage_cfg, $volid);
2088 my ($vtype, undef, undef, undef, undef, $isBase, $format) =
2089 PVE::Storage::parse_volname($storage_cfg, $volid);
2090
2091 die "unable to mount base volume - internal error" if $isBase;
2092
2093 mountpoint_mount($mountpoint, $rootdir, $storage_cfg);
2094 });
2095 };
2096 if (my $err = $@) {
2097 warn "mounting container failed - $err";
2098 umount_all($vmid, $storage_cfg, $conf, 1);
2099 }
2100
2101 return $rootdir;
2102 }
2103
2104
2105 sub mountpoint_mount_path {
2106 my ($mountpoint, $storage_cfg, $snapname) = @_;
2107
2108 return mountpoint_mount($mountpoint, undef, $storage_cfg, $snapname);
2109 }
2110
2111 my $check_mount_path = sub {
2112 my ($path) = @_;
2113 $path = File::Spec->canonpath($path);
2114 my $real = Cwd::realpath($path);
2115 if ($real ne $path) {
2116 die "mount path modified by symlink: $path != $real";
2117 }
2118 };
2119
2120 sub query_loopdev {
2121 my ($path) = @_;
2122 my $found;
2123 my $parser = sub {
2124 my $line = shift;
2125 if ($line =~ m@^(/dev/loop\d+):@) {
2126 $found = $1;
2127 }
2128 };
2129 my $cmd = ['losetup', '--associated', $path];
2130 PVE::Tools::run_command($cmd, outfunc => $parser);
2131 return $found;
2132 }
2133
2134 # use $rootdir = undef to just return the corresponding mount path
2135 sub mountpoint_mount {
2136 my ($mountpoint, $rootdir, $storage_cfg, $snapname) = @_;
2137
2138 my $volid = $mountpoint->{volume};
2139 my $mount = $mountpoint->{mp};
2140 my $type = $mountpoint->{type};
2141
2142 return if !$volid || !$mount;
2143
2144 my $mount_path;
2145
2146 if (defined($rootdir)) {
2147 $rootdir =~ s!/+$!!;
2148 $mount_path = "$rootdir/$mount";
2149 $mount_path =~ s!/+!/!g;
2150 &$check_mount_path($mount_path);
2151 File::Path::mkpath($mount_path);
2152 }
2153
2154 my ($storage, $volname) = PVE::Storage::parse_volume_id($volid, 1);
2155
2156 die "unknown snapshot path for '$volid'" if !$storage && defined($snapname);
2157
2158 if ($storage) {
2159
2160 my $scfg = PVE::Storage::storage_config($storage_cfg, $storage);
2161 my $path = PVE::Storage::path($storage_cfg, $volid, $snapname);
2162
2163 my ($vtype, undef, undef, undef, undef, $isBase, $format) =
2164 PVE::Storage::parse_volname($storage_cfg, $volid);
2165
2166 $format = 'iso' if $vtype eq 'iso'; # allow to handle iso files
2167
2168 if ($format eq 'subvol') {
2169 if ($mount_path) {
2170 if ($snapname) {
2171 if ($scfg->{type} ne 'zfspool') {
2172 die "cannot mount subvol snapshots for storage type '$scfg->{type}'\n";
2173 }
2174 }
2175 PVE::Tools::run_command(['mount', '-o', 'bind', $path, $mount_path]);
2176 }
2177 return wantarray ? ($path, 0) : $path;
2178 } elsif ($format eq 'raw' || $format eq 'iso') {
2179 my $use_loopdev = 0;
2180 my @extra_opts;
2181 if ($scfg->{path}) {
2182 push @extra_opts, '-o', 'loop';
2183 $use_loopdev = 1;
2184 } elsif ($scfg->{type} eq 'drbd' || $scfg->{type} eq 'lvm' || $scfg->{type} eq 'rbd') {
2185 # do nothing
2186 } else {
2187 die "unsupported storage type '$scfg->{type}'\n";
2188 }
2189 if ($mount_path) {
2190 if ($format eq 'iso') {
2191 PVE::Tools::run_command(['mount', '-o', 'ro', @extra_opts, $path, $mount_path]);
2192 } elsif ($isBase || defined($snapname)) {
2193 PVE::Tools::run_command(['mount', '-o', 'ro,noload', @extra_opts, $path, $mount_path]);
2194 } else {
2195 PVE::Tools::run_command(['mount', @extra_opts, $path, $mount_path]);
2196 }
2197 }
2198 return wantarray ? ($path, $use_loopdev) : $path;
2199 } else {
2200 die "unsupported image format '$format'\n";
2201 }
2202 } elsif ($type eq 'device') {
2203 PVE::Tools::run_command(['mount', $volid, $mount_path]) if $mount_path;
2204 return wantarray ? ($volid, 0) : $volid;
2205 } elsif ($type eq 'bind' && -d $volid) {
2206 &$check_mount_path($volid);
2207 PVE::Tools::run_command(['mount', '-o', 'bind', $volid, $mount_path]) if $mount_path;
2208 return wantarray ? ($volid, 0) : $volid;
2209 }
2210
2211 die "unsupported storage";
2212 }
2213
2214 sub get_vm_volumes {
2215 my ($conf, $excludes) = @_;
2216
2217 my $vollist = [];
2218
2219 foreach_mountpoint($conf, sub {
2220 my ($ms, $mountpoint) = @_;
2221
2222 return if $excludes && $ms eq $excludes;
2223
2224 my $volid = $mountpoint->{volume};
2225
2226 return if !$volid || $mountpoint->{type} ne 'volume';
2227
2228 my ($sid, $volname) = PVE::Storage::parse_volume_id($volid, 1);
2229 return if !$sid;
2230
2231 push @$vollist, $volid;
2232 });
2233
2234 return $vollist;
2235 }
2236
2237 sub mkfs {
2238 my ($dev, $rootuid, $rootgid) = @_;
2239
2240 PVE::Tools::run_command(['mkfs.ext4', '-O', 'mmp',
2241 '-E', "root_owner=$rootuid:$rootgid",
2242 $dev]);
2243 }
2244
2245 sub format_disk {
2246 my ($storage_cfg, $volid, $rootuid, $rootgid) = @_;
2247
2248 if ($volid =~ m!^/dev/.+!) {
2249 mkfs($volid);
2250 return;
2251 }
2252
2253 my ($storage, $volname) = PVE::Storage::parse_volume_id($volid, 1);
2254
2255 die "cannot format volume '$volid' with no storage\n" if !$storage;
2256
2257 PVE::Storage::activate_volumes($storage_cfg, [$volid]);
2258
2259 my $path = PVE::Storage::path($storage_cfg, $volid);
2260
2261 my ($vtype, undef, undef, undef, undef, $isBase, $format) =
2262 PVE::Storage::parse_volname($storage_cfg, $volid);
2263
2264 die "cannot format volume '$volid' (format == $format)\n"
2265 if $format ne 'raw';
2266
2267 mkfs($path, $rootuid, $rootgid);
2268 }
2269
2270 sub destroy_disks {
2271 my ($storecfg, $vollist) = @_;
2272
2273 foreach my $volid (@$vollist) {
2274 eval { PVE::Storage::vdisk_free($storecfg, $volid); };
2275 warn $@ if $@;
2276 }
2277 }
2278
2279 sub create_disks {
2280 my ($storecfg, $vmid, $settings, $conf) = @_;
2281
2282 my $vollist = [];
2283
2284 eval {
2285 my (undef, $rootuid, $rootgid) = PVE::LXC::parse_id_maps($conf);
2286 my $chown_vollist = [];
2287
2288 foreach_mountpoint($settings, sub {
2289 my ($ms, $mountpoint) = @_;
2290
2291 my $volid = $mountpoint->{volume};
2292 my $mp = $mountpoint->{mp};
2293
2294 my ($storage, $volname) = PVE::Storage::parse_volume_id($volid, 1);
2295
2296 return if !$storage;
2297
2298 if ($volid =~ m/^([^:\s]+):(\d+(\.\d+)?)$/) {
2299 my ($storeid, $size_gb) = ($1, $2);
2300
2301 my $size_kb = int(${size_gb}*1024) * 1024;
2302
2303 my $scfg = PVE::Storage::storage_config($storecfg, $storage);
2304 # fixme: use better naming ct-$vmid-disk-X.raw?
2305
2306 if ($scfg->{type} eq 'dir' || $scfg->{type} eq 'nfs') {
2307 if ($size_kb > 0) {
2308 $volid = PVE::Storage::vdisk_alloc($storecfg, $storage, $vmid, 'raw',
2309 undef, $size_kb);
2310 format_disk($storecfg, $volid, $rootuid, $rootgid);
2311 } else {
2312 $volid = PVE::Storage::vdisk_alloc($storecfg, $storage, $vmid, 'subvol',
2313 undef, 0);
2314 push @$chown_vollist, $volid;
2315 }
2316 } elsif ($scfg->{type} eq 'zfspool') {
2317
2318 $volid = PVE::Storage::vdisk_alloc($storecfg, $storage, $vmid, 'subvol',
2319 undef, $size_kb);
2320 push @$chown_vollist, $volid;
2321 } elsif ($scfg->{type} eq 'drbd' || $scfg->{type} eq 'lvm') {
2322
2323 $volid = PVE::Storage::vdisk_alloc($storecfg, $storage, $vmid, 'raw', undef, $size_kb);
2324 format_disk($storecfg, $volid, $rootuid, $rootgid);
2325
2326 } elsif ($scfg->{type} eq 'rbd') {
2327
2328 die "krbd option must be enabled on storage type '$scfg->{type}'\n" if !$scfg->{krbd};
2329 $volid = PVE::Storage::vdisk_alloc($storecfg, $storage, $vmid, 'raw', undef, $size_kb);
2330 format_disk($storecfg, $volid, $rootuid, $rootgid);
2331 } else {
2332 die "unable to create containers on storage type '$scfg->{type}'\n";
2333 }
2334 push @$vollist, $volid;
2335 my $new_mountpoint = { volume => $volid, size => $size_kb*1024, mp => $mp };
2336 $conf->{$ms} = print_ct_mountpoint($new_mountpoint, $ms eq 'rootfs');
2337 } else {
2338 # use specified/existing volid
2339 }
2340 });
2341
2342 PVE::Storage::activate_volumes($storecfg, $chown_vollist, undef);
2343 foreach my $volid (@$chown_vollist) {
2344 my $path = PVE::Storage::path($storecfg, $volid, undef);
2345 chown($rootuid, $rootgid, $path);
2346 }
2347 PVE::Storage::deactivate_volumes($storecfg, $chown_vollist, undef);
2348 };
2349 # free allocated images on error
2350 if (my $err = $@) {
2351 destroy_disks($storecfg, $vollist);
2352 die $err;
2353 }
2354 return $vollist;
2355 }
2356
2357 # bash completion helper
2358
2359 sub complete_os_templates {
2360 my ($cmdname, $pname, $cvalue) = @_;
2361
2362 my $cfg = PVE::Storage::config();
2363
2364 my $storeid;
2365
2366 if ($cvalue =~ m/^([^:]+):/) {
2367 $storeid = $1;
2368 }
2369
2370 my $vtype = $cmdname eq 'restore' ? 'backup' : 'vztmpl';
2371 my $data = PVE::Storage::template_list($cfg, $storeid, $vtype);
2372
2373 my $res = [];
2374 foreach my $id (keys %$data) {
2375 foreach my $item (@{$data->{$id}}) {
2376 push @$res, $item->{volid} if defined($item->{volid});
2377 }
2378 }
2379
2380 return $res;
2381 }
2382
2383 my $complete_ctid_full = sub {
2384 my ($running) = @_;
2385
2386 my $idlist = vmstatus();
2387
2388 my $active_hash = list_active_containers();
2389
2390 my $res = [];
2391
2392 foreach my $id (keys %$idlist) {
2393 my $d = $idlist->{$id};
2394 if (defined($running)) {
2395 next if $d->{template};
2396 next if $running && !$active_hash->{$id};
2397 next if !$running && $active_hash->{$id};
2398 }
2399 push @$res, $id;
2400
2401 }
2402 return $res;
2403 };
2404
2405 sub complete_ctid {
2406 return &$complete_ctid_full();
2407 }
2408
2409 sub complete_ctid_stopped {
2410 return &$complete_ctid_full(0);
2411 }
2412
2413 sub complete_ctid_running {
2414 return &$complete_ctid_full(1);
2415 }
2416
2417 sub parse_id_maps {
2418 my ($conf) = @_;
2419
2420 my $id_map = [];
2421 my $rootuid = 0;
2422 my $rootgid = 0;
2423
2424 my $lxc = $conf->{lxc};
2425 foreach my $entry (@$lxc) {
2426 my ($key, $value) = @$entry;
2427 next if $key ne 'lxc.id_map';
2428 if ($value =~ /^([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$/) {
2429 my ($type, $ct, $host, $length) = ($1, $2, $3, $4);
2430 push @$id_map, [$type, $ct, $host, $length];
2431 if ($ct == 0) {
2432 $rootuid = $host if $type eq 'u';
2433 $rootgid = $host if $type eq 'g';
2434 }
2435 } else {
2436 die "failed to parse id_map: $value\n";
2437 }
2438 }
2439
2440 if (!@$id_map && $conf->{unprivileged}) {
2441 # Should we read them from /etc/subuid?
2442 $id_map = [ ['u', '0', '100000', '65536'],
2443 ['g', '0', '100000', '65536'] ];
2444 $rootuid = $rootgid = 100000;
2445 }
2446
2447 return ($id_map, $rootuid, $rootgid);
2448 }
2449
2450 sub userns_command {
2451 my ($id_map) = @_;
2452 if (@$id_map) {
2453 return ['lxc-usernsexec', (map { ('-m', join(':', @$_)) } @$id_map), '--'];
2454 }
2455 return [];
2456 }
2457
2458 1;
PVE Container Toolkit