1 package PVE
::LXC
::Config
;
6 use PVE
::AbstractConfig
;
7 use PVE
::Cluster
qw(cfs_register_file);
10 use PVE
::JSONSchema
qw(get_standard_option);
13 use base
qw(PVE::AbstractConfig);
15 my $nodename = PVE
::INotify
::nodename
();
16 my $lock_handles = {};
17 my $lockdir = "/run/lock/lxc";
19 mkdir "/etc/pve/nodes/$nodename/lxc";
20 my $MAX_MOUNT_POINTS = 256;
21 my $MAX_UNUSED_DISKS = $MAX_MOUNT_POINTS;
23 # BEGIN implemented abstract methods from PVE::AbstractConfig
29 sub __config_max_unused_disks
{
32 return $MAX_UNUSED_DISKS;
35 sub config_file_lock
{
36 my ($class, $vmid) = @_;
38 return "$lockdir/pve-config-${vmid}.lock";
42 my ($class, $vmid, $node) = @_;
44 $node = $nodename if !$node;
45 return "nodes/$node/lxc/$vmid.conf";
48 sub mountpoint_backup_enabled
{
49 my ($class, $mp_key, $mountpoint) = @_;
51 return 1 if $mp_key eq 'rootfs';
53 return 0 if $mountpoint->{type
} ne 'volume';
55 return 1 if $mountpoint->{backup
};
61 my ($class, $feature, $conf, $storecfg, $snapname, $running, $backup_only) = @_;
64 $class->foreach_mountpoint($conf, sub {
65 my ($ms, $mountpoint) = @_;
67 return if $err; # skip further test
68 return if $backup_only && !$class->mountpoint_backup_enabled($ms, $mountpoint);
71 if !PVE
::Storage
::volume_has_feature
($storecfg, $feature,
72 $mountpoint->{volume
},
79 sub __snapshot_save_vmstate
{
80 my ($class, $vmid, $conf, $snapname, $storecfg) = @_;
81 die "implement me - snapshot_save_vmstate\n";
84 sub __snapshot_check_running
{
85 my ($class, $vmid) = @_;
86 return PVE
::LXC
::check_running
($vmid);
89 sub __snapshot_check_freeze_needed
{
90 my ($class, $vmid, $config, $save_vmstate) = @_;
92 my $ret = $class->__snapshot_check_running($vmid);
96 sub __snapshot_freeze
{
97 my ($class, $vmid, $unfreeze) = @_;
100 eval { PVE
::Tools
::run_command
(['/usr/bin/lxc-unfreeze', '-n', $vmid]); };
103 PVE
::Tools
::run_command
(['/usr/bin/lxc-freeze', '-n', $vmid]);
104 PVE
::LXC
::sync_container_namespace
($vmid);
108 sub __snapshot_create_vol_snapshot
{
109 my ($class, $vmid, $ms, $mountpoint, $snapname) = @_;
111 my $storecfg = PVE
::Storage
::config
();
113 return if $snapname eq 'vzdump' &&
114 !$class->mountpoint_backup_enabled($ms, $mountpoint);
116 PVE
::Storage
::volume_snapshot
($storecfg, $mountpoint->{volume
}, $snapname);
119 sub __snapshot_delete_remove_drive
{
120 my ($class, $snap, $remove_drive) = @_;
122 if ($remove_drive eq 'vmstate') {
123 die "implement me - saving vmstate\n";
125 my $value = $snap->{$remove_drive};
126 my $mountpoint = $remove_drive eq 'rootfs' ?
$class->parse_ct_rootfs($value, 1) : $class->parse_ct_mountpoint($value, 1);
127 delete $snap->{$remove_drive};
129 $class->add_unused_volume($snap, $mountpoint->{volume
})
130 if ($mountpoint->{type
} eq 'volume');
134 sub __snapshot_delete_vmstate_file
{
135 my ($class, $snap, $force) = @_;
137 die "implement me - saving vmstate\n";
140 sub __snapshot_delete_vol_snapshot
{
141 my ($class, $vmid, $ms, $mountpoint, $snapname, $unused) = @_;
143 return if $snapname eq 'vzdump' &&
144 !$class->mountpoint_backup_enabled($ms, $mountpoint);
146 my $storecfg = PVE
::Storage
::config
();
147 PVE
::Storage
::volume_snapshot_delete
($storecfg, $mountpoint->{volume
}, $snapname);
148 push @$unused, $mountpoint->{volume
};
151 sub __snapshot_rollback_vol_possible
{
152 my ($class, $mountpoint, $snapname) = @_;
154 my $storecfg = PVE
::Storage
::config
();
155 PVE
::Storage
::volume_rollback_is_possible
($storecfg, $mountpoint->{volume
}, $snapname);
158 sub __snapshot_rollback_vol_rollback
{
159 my ($class, $mountpoint, $snapname) = @_;
161 my $storecfg = PVE
::Storage
::config
();
162 PVE
::Storage
::volume_snapshot_rollback
($storecfg, $mountpoint->{volume
}, $snapname);
165 sub __snapshot_rollback_vm_stop
{
166 my ($class, $vmid) = @_;
168 PVE
::LXC
::vm_stop
($vmid, 1)
169 if $class->__snapshot_check_running($vmid);
172 sub __snapshot_rollback_vm_start
{
173 my ($class, $vmid, $vmstate, $data);
175 die "implement me - save vmstate\n";
178 sub __snapshot_rollback_get_unused
{
179 my ($class, $conf, $snap) = @_;
183 $class->__snapshot_foreach_volume($conf, sub {
184 my ($vs, $volume) = @_;
186 return if $volume->{type
} ne 'volume';
189 my $volid = $volume->{volume
};
191 $class->__snapshot_foreach_volume($snap, sub {
192 my ($ms, $mountpoint) = @_;
195 return if ($mountpoint->{type
} ne 'volume');
198 if ($mountpoint->{volume
} && $mountpoint->{volume
} eq $volid);
201 push @$unused, $volid if !$found;
207 sub __snapshot_foreach_volume
{
208 my ($class, $conf, $func) = @_;
210 $class->foreach_mountpoint($conf, $func);
213 # END implemented abstract methods from PVE::AbstractConfig
215 # BEGIN JSON config code
217 cfs_register_file
('/lxc/', \
&parse_pct_config
, \
&write_pct_config
);
223 format
=> 'pve-lxc-mp-string',
224 format_description
=> 'volume',
225 description
=> 'Volume, device or directory to mount into the container.',
229 format
=> 'disk-size',
230 format_description
=> 'DiskSize',
231 description
=> 'Volume size (read only value).',
236 description
=> 'Explicitly enable or disable ACL support.',
241 description
=> 'Read-only mount point',
246 description
=> 'Enable user quotas inside the container (not supported with zfs subvolumes)',
251 description
=> 'Will include this volume to a storage replica job.',
257 description
=> 'Mark this non-volume mount point as available on multiple nodes (see \'nodes\')',
258 verbose_description
=> "Mark this non-volume mount point as available on all nodes.\n\nWARNING: This option does not share the mount point automatically, it assumes it is shared already!",
264 PVE
::JSONSchema
::register_standard_option
('pve-ct-rootfs', {
265 type
=> 'string', format
=> $rootfs_desc,
266 description
=> "Use volume as container root.",
270 my $features_desc = {
274 description
=> "Allow mounting file systems of specific types."
275 ." This should be a list of file system types as used with the mount command."
276 ." Note that this can have negative effects on the container's security."
277 ." With access to a loop device, mounting a file can circumvent the mknod"
278 ." permission of the devices cgroup, mounting an NFS file system can"
279 ." block the host's I/O completely and prevent it from rebooting, etc.",
280 format_description
=> 'fstype;fstype;...',
281 pattern
=> qr/[a-zA-Z0-9_; ]+/,
287 description
=> "Allow nesting."
288 ." Best used with unprivileged containers with additional id mapping."
289 ." Note that this will expose procfs and sysfs contents of the host"
296 description
=> "For unprivileged containers only: Allow the use of the keyctl() system call."
297 ." This is required to use docker inside a container."
298 ." By default unprivileged containers will see this system call as non-existent."
299 ." This is mostly a workaround for systemd-networkd, as it will treat it as a fatal"
300 ." error when some keyctl() operations are denied by the kernel due to lacking permissions."
301 ." Essentially, you can choose between running systemd-networkd or docker.",
307 description
=> "Allow using 'fuse' file systems in a container."
308 ." Note that interactions between fuse and the freezer cgroup can potentially cause I/O deadlocks.",
316 description
=> "Lock/unlock the VM.",
317 enum
=> [qw(backup disk migrate mounted rollback snapshot snapshot-delete)],
322 description
=> "Specifies whether a VM will be started during system bootup.",
325 startup
=> get_standard_option
('pve-startup-order'),
329 description
=> "Enable/disable Template.",
335 enum
=> ['amd64', 'i386', 'arm64', 'armhf'],
336 description
=> "OS architecture type.",
342 enum
=> [qw(debian ubuntu centos fedora opensuse archlinux alpine gentoo unmanaged)],
343 description
=> "OS type. This is used to setup configuration inside the container, and corresponds to lxc setup scripts in /usr/share/lxc/config/<ostype>.common.conf. Value 'unmanaged' can be used to skip and OS specific setup.",
348 description
=> "Attach a console device (/dev/console) to the container.",
354 description
=> "Specify the number of tty available to the container",
362 description
=> "The number of cores assigned to the container. A container can use all available cores by default.",
369 description
=> "Limit of CPU usage.\n\nNOTE: If the computer has 2 CPUs, it has a total of '2' CPU time. Value '0' indicates no CPU limit.",
377 description
=> "CPU weight for a VM. Argument is used in the kernel fair scheduler. The larger the number is, the more CPU time this VM gets. Number is relative to the weights of all the other running VMs.\n\nNOTE: You can disable fair-scheduler configuration by setting this to 0.",
385 description
=> "Amount of RAM for the VM in MB.",
392 description
=> "Amount of SWAP for the VM in MB.",
398 description
=> "Set a host name for the container.",
399 type
=> 'string', format
=> 'dns-name',
405 description
=> "Container description. Only used on the configuration web interface.",
409 type
=> 'string', format
=> 'dns-name-list',
410 description
=> "Sets DNS search domains for a container. Create will automatically use the setting from the host if you neither set searchdomain nor nameserver.",
414 type
=> 'string', format
=> 'address-list',
415 description
=> "Sets DNS server IP address for a container. Create will automatically use the setting from the host if you neither set searchdomain nor nameserver.",
417 rootfs
=> get_standard_option
('pve-ct-rootfs'),
420 type
=> 'string', format
=> 'pve-configid',
422 description
=> "Parent snapshot name. This is used internally, and should not be modified.",
426 description
=> "Timestamp for snapshots.",
432 description
=> "Console mode. By default, the console command tries to open a connection to one of the available tty devices. By setting cmode to 'console' it tries to attach to /dev/console instead. If you set cmode to 'shell', it simply invokes a shell inside the container (no login).",
434 enum
=> ['shell', 'console', 'tty'],
440 description
=> "Sets the protection flag of the container. This will prevent the CT or CT's disk remove/update operation.",
446 description
=> "Makes the container run as unprivileged user. (Should not be modified manually.)",
452 format
=> $features_desc,
453 description
=> "Allow containers access to advanced features.",
458 format
=> 'pve-volume-id',
459 description
=> 'Script that will be exectued during various steps in the containers lifetime.',
463 my $valid_lxc_conf_keys = {
464 'lxc.apparmor.profile' => 1,
465 'lxc.apparmor.allow_incomplete' => 1,
466 'lxc.apparmor.allow_nesting' => 1,
467 'lxc.apparmor.raw' => 1,
468 'lxc.selinux.context' => 1,
472 'lxc.signal.halt' => 1,
473 'lxc.signal.reboot' => 1,
474 'lxc.signal.stop' => 1,
477 'lxc.console.logfile' => 1,
478 'lxc.console.path' => 1,
480 'lxc.devtty.dir' => 1,
481 'lxc.hook.autodev' => 1,
484 'lxc.mount.fstab' => 1,
485 'lxc.mount.entry' => 1,
486 'lxc.mount.auto' => 1,
487 'lxc.rootfs.path' => 'lxc.rootfs.path is auto generated from rootfs',
488 'lxc.rootfs.mount' => 1,
489 'lxc.rootfs.options' => 'lxc.rootfs.options is not supported' .
490 ', please use mount point options in the "rootfs" key',
496 'lxc.seccomp.profile' => 1,
498 'lxc.hook.pre-start' => 1,
499 'lxc.hook.pre-mount' => 1,
500 'lxc.hook.mount' => 1,
501 'lxc.hook.start' => 1,
502 'lxc.hook.stop' => 1,
503 'lxc.hook.post-stop' => 1,
504 'lxc.hook.clone' => 1,
505 'lxc.hook.destroy' => 1,
506 'lxc.log.level' => 1,
508 'lxc.start.auto' => 1,
509 'lxc.start.delay' => 1,
510 'lxc.start.order' => 1,
512 'lxc.environment' => 1,
514 # All these are namespaced via CLONE_NEWIPC (see namespaces(7)).
515 'lxc.sysctl.fs.mqueue' => 1,
516 'lxc.sysctl.kernel.msgmax' => 1,
517 'lxc.sysctl.kernel.msgmnb' => 1,
518 'lxc.sysctl.kernel.msgmni' => 1,
519 'lxc.sysctl.kernel.sem' => 1,
520 'lxc.sysctl.kernel.shmall' => 1,
521 'lxc.sysctl.kernel.shmmax' => 1,
522 'lxc.sysctl.kernel.shmmni' => 1,
523 'lxc.sysctl.kernel.shm_rmid_forced' => 1,
526 my $deprecated_lxc_conf_keys = {
527 # Deprecated (removed with lxc 3.0):
528 'lxc.aa_profile' => 'lxc.apparmor.profile',
529 'lxc.aa_allow_incomplete' => 'lxc.apparmor.allow_incomplete',
530 'lxc.console' => 'lxc.console.path',
531 'lxc.devttydir' => 'lxc.tty.dir',
532 'lxc.haltsignal' => 'lxc.signal.halt',
533 'lxc.rebootsignal' => 'lxc.signal.reboot',
534 'lxc.stopsignal' => 'lxc.signal.stop',
535 'lxc.id_map' => 'lxc.idmap',
536 'lxc.init_cmd' => 'lxc.init.cmd',
537 'lxc.loglevel' => 'lxc.log.level',
538 'lxc.logfile' => 'lxc.log.file',
539 'lxc.mount' => 'lxc.mount.fstab',
540 'lxc.network.type' => 'lxc.net.INDEX.type',
541 'lxc.network.flags' => 'lxc.net.INDEX.flags',
542 'lxc.network.link' => 'lxc.net.INDEX.link',
543 'lxc.network.mtu' => 'lxc.net.INDEX.mtu',
544 'lxc.network.name' => 'lxc.net.INDEX.name',
545 'lxc.network.hwaddr' => 'lxc.net.INDEX.hwaddr',
546 'lxc.network.ipv4' => 'lxc.net.INDEX.ipv4.address',
547 'lxc.network.ipv4.gateway' => 'lxc.net.INDEX.ipv4.gateway',
548 'lxc.network.ipv6' => 'lxc.net.INDEX.ipv6.address',
549 'lxc.network.ipv6.gateway' => 'lxc.net.INDEX.ipv6.gateway',
550 'lxc.network.script.up' => 'lxc.net.INDEX.script.up',
551 'lxc.network.script.down' => 'lxc.net.INDEX.script.down',
552 'lxc.pts' => 'lxc.pty.max',
553 'lxc.se_context' => 'lxc.selinux.context',
554 'lxc.seccomp' => 'lxc.seccomp.profile',
555 'lxc.tty' => 'lxc.tty.max',
556 'lxc.utsname' => 'lxc.uts.name',
559 sub is_valid_lxc_conf_key
{
560 my ($vmid, $key) = @_;
561 if ($key =~ /^lxc\.limit\./) {
562 warn "vm $vmid - $key: lxc.limit.* was renamed to lxc.prlimit.*\n";
565 if (defined(my $new_name = $deprecated_lxc_conf_keys->{$key})) {
566 warn "vm $vmid - $key is deprecated and was renamed to $new_name\n";
569 my $validity = $valid_lxc_conf_keys->{$key};
570 return $validity if defined($validity);
571 return 1 if $key =~ /^lxc\.cgroup\./ # allow all cgroup values
572 || $key =~ /^lxc\.prlimit\./ # allow all prlimits
573 || $key =~ /^lxc\.net\./; # allow custom network definitions
577 our $netconf_desc = {
581 description
=> "Network interface type.",
586 format_description
=> 'string',
587 description
=> 'Name of the network device as seen from inside the container. (lxc.network.name)',
588 pattern
=> '[-_.\w\d]+',
592 format_description
=> 'bridge',
593 description
=> 'Bridge to attach the network device to.',
594 pattern
=> '[-_.\w\d]+',
597 hwaddr
=> get_standard_option
('mac-addr', {
598 description
=> 'The interface MAC address. This is dynamically allocated by default, but you can set that statically if needed, for example to always have the same link-local IPv6 address. (lxc.network.hwaddr)',
602 description
=> 'Maximum transfer unit of the interface. (lxc.network.mtu)',
603 minimum
=> 64, # minimum ethernet frame is 64 bytes
608 format
=> 'pve-ipv4-config',
609 format_description
=> '(IPv4/CIDR|dhcp|manual)',
610 description
=> 'IPv4 address in CIDR format.',
616 format_description
=> 'GatewayIPv4',
617 description
=> 'Default gateway for IPv4 traffic.',
622 format
=> 'pve-ipv6-config',
623 format_description
=> '(IPv6/CIDR|auto|dhcp|manual)',
624 description
=> 'IPv6 address in CIDR format.',
630 format_description
=> 'GatewayIPv6',
631 description
=> 'Default gateway for IPv6 traffic.',
636 description
=> "Controls whether this interface's firewall rules should be used.",
643 description
=> "VLAN tag for this interface.",
648 pattern
=> qr/\d+(?:;\d+)*/,
649 format_description
=> 'vlanid[;vlanid...]',
650 description
=> "VLAN ids to pass through the interface",
655 format_description
=> 'mbps',
656 description
=> "Apply rate limiting to the interface",
660 PVE
::JSONSchema
::register_format
('pve-lxc-network', $netconf_desc);
662 my $MAX_LXC_NETWORKS = 10;
663 for (my $i = 0; $i < $MAX_LXC_NETWORKS; $i++) {
664 $confdesc->{"net$i"} = {
666 type
=> 'string', format
=> $netconf_desc,
667 description
=> "Specifies network interfaces for the container.",
671 PVE
::JSONSchema
::register_format
('pve-lxc-mp-string', \
&verify_lxc_mp_string
);
672 sub verify_lxc_mp_string
{
673 my ($mp, $noerr) = @_;
677 # /. or /.. at the end
678 # ../ at the beginning
680 if($mp =~ m
@/\.\
.?
/@ ||
683 return undef if $noerr;
684 die "$mp contains illegal character sequences\n";
693 description
=> 'Whether to include the mount point in backups.',
694 verbose_description
=> 'Whether to include the mount point in backups '.
695 '(only used for volume mount points).',
700 format
=> 'pve-lxc-mp-string',
701 format_description
=> 'Path',
702 description
=> 'Path to the mount point as seen from inside the container '.
703 '(must not contain symlinks).',
704 verbose_description
=> "Path to the mount point as seen from inside the container.\n\n".
705 "NOTE: Must not contain any symlinks for security reasons."
708 PVE
::JSONSchema
::register_format
('pve-ct-mountpoint', $mp_desc);
712 type
=> 'string', format
=> 'pve-volume-id',
713 description
=> "Reference to unused volumes. This is used internally, and should not be modified manually.",
716 for (my $i = 0; $i < $MAX_MOUNT_POINTS; $i++) {
717 $confdesc->{"mp$i"} = {
719 type
=> 'string', format
=> $mp_desc,
720 description
=> "Use volume as container mount point.",
725 for (my $i = 0; $i < $MAX_MOUNT_POINTS; $i++) {
726 $confdesc->{"unused$i"} = $unuseddesc;
729 sub parse_pct_config
{
730 my ($filename, $raw) = @_;
732 return undef if !defined($raw);
735 digest
=> Digest
::SHA
::sha1_hex
($raw),
739 $filename =~ m
|/lxc/(\d
+).conf
$|
740 || die "got strange filename '$filename'";
748 my @lines = split(/\n/, $raw);
749 foreach my $line (@lines) {
750 next if $line =~ m/^\s*$/;
752 if ($line =~ m/^\[([a-z][a-z0-9_\-]+)\]\s*$/i) {
754 $conf->{description
} = $descr if $descr;
756 $conf = $res->{snapshots
}->{$section} = {};
760 if ($line =~ m/^\#(.*)\s*$/) {
761 $descr .= PVE
::Tools
::decode_text
($1) . "\n";
765 if ($line =~ m/^(lxc\.[a-z0-9_\-\.]+)(:|\s*=)\s*(.*?)\s*$/) {
768 my $validity = is_valid_lxc_conf_key
($vmid, $key);
769 if ($validity eq 1) {
770 push @{$conf->{lxc
}}, [$key, $value];
771 } elsif (my $errmsg = $validity) {
772 warn "vm $vmid - $key: $errmsg\n";
774 warn "vm $vmid - unable to parse config: $line\n";
776 } elsif ($line =~ m/^(description):\s*(.*\S)\s*$/) {
777 $descr .= PVE
::Tools
::decode_text
($2);
778 } elsif ($line =~ m/snapstate:\s*(prepare|delete)\s*$/) {
779 $conf->{snapstate
} = $1;
780 } elsif ($line =~ m/^([a-z][a-z_]*\d*):\s*(\S.*)\s*$/) {
783 eval { $value = PVE
::LXC
::Config-
>check_type($key, $value); };
784 warn "vm $vmid - unable to parse value of '$key' - $@" if $@;
785 $conf->{$key} = $value;
787 warn "vm $vmid - unable to parse config: $line\n";
791 $conf->{description
} = $descr if $descr;
793 delete $res->{snapstate
}; # just to be sure
798 sub write_pct_config
{
799 my ($filename, $conf) = @_;
801 delete $conf->{snapstate
}; # just to be sure
803 my $volidlist = PVE
::LXC
::Config-
>get_vm_volumes($conf);
804 my $used_volids = {};
805 foreach my $vid (@$volidlist) {
806 $used_volids->{$vid} = 1;
809 # remove 'unusedX' settings if the volume is still used
810 foreach my $key (keys %$conf) {
811 my $value = $conf->{$key};
812 if ($key =~ m/^unused/ && $used_volids->{$value}) {
813 delete $conf->{$key};
817 my $generate_raw_config = sub {
822 # add description as comment to top of file
823 my $descr = $conf->{description
} || '';
824 foreach my $cl (split(/\n/, $descr)) {
825 $raw .= '#' . PVE
::Tools
::encode_text
($cl) . "\n";
828 foreach my $key (sort keys %$conf) {
829 next if $key eq 'digest' || $key eq 'description' ||
830 $key eq 'pending' || $key eq 'snapshots' ||
831 $key eq 'snapname' || $key eq 'lxc';
832 my $value = $conf->{$key};
833 die "detected invalid newline inside property '$key'\n"
835 $raw .= "$key: $value\n";
838 if (my $lxcconf = $conf->{lxc
}) {
839 foreach my $entry (@$lxcconf) {
840 my ($k, $v) = @$entry;
848 my $raw = &$generate_raw_config($conf);
850 foreach my $snapname (sort keys %{$conf->{snapshots
}}) {
851 $raw .= "\n[$snapname]\n";
852 $raw .= &$generate_raw_config($conf->{snapshots
}->{$snapname});
858 sub update_pct_config
{
859 my ($class, $vmid, $conf, $running, $param, $delete) = @_;
868 my $pid = PVE
::LXC
::find_lxc_pid
($vmid);
869 $rootdir = "/proc/$pid/root";
872 my $hotplug_error = sub {
881 if (defined($delete)) {
882 foreach my $opt (@$delete) {
883 if (!exists($conf->{$opt})) {
888 if ($opt eq 'memory' || $opt eq 'rootfs') {
889 die "unable to delete required option '$opt'\n";
890 } elsif ($opt eq 'hostname') {
891 delete $conf->{$opt};
892 } elsif ($opt eq 'swap') {
893 delete $conf->{$opt};
894 PVE
::LXC
::write_cgroup_value
("memory", $vmid,
895 "memory.memsw.limit_in_bytes", -1);
896 } elsif ($opt eq 'description' || $opt eq 'onboot' || $opt eq 'startup' || $opt eq 'hookscript') {
897 delete $conf->{$opt};
898 } elsif ($opt eq 'nameserver' || $opt eq 'searchdomain' ||
899 $opt eq 'tty' || $opt eq 'console' || $opt eq 'cmode') {
900 next if $hotplug_error->($opt);
901 delete $conf->{$opt};
902 } elsif ($opt eq 'cores') {
903 delete $conf->{$opt}; # rest is handled by pvestatd
904 } elsif ($opt eq 'cpulimit') {
905 PVE
::LXC
::write_cgroup_value
("cpu", $vmid, "cpu.cfs_quota_us", -1);
906 delete $conf->{$opt};
907 } elsif ($opt eq 'cpuunits') {
908 PVE
::LXC
::write_cgroup_value
("cpu", $vmid, "cpu.shares", $confdesc->{cpuunits
}->{default});
909 delete $conf->{$opt};
910 } elsif ($opt =~ m/^net(\d)$/) {
911 delete $conf->{$opt};
914 PVE
::Network
::veth_delete
("veth${vmid}i$netid");
915 } elsif ($opt eq 'protection') {
916 delete $conf->{$opt};
917 } elsif ($opt =~ m/^unused(\d+)$/) {
918 next if $hotplug_error->($opt);
919 PVE
::LXC
::Config-
>check_protection($conf, "can't remove CT $vmid drive '$opt'");
920 push @deleted_volumes, $conf->{$opt};
921 delete $conf->{$opt};
922 } elsif ($opt =~ m/^mp(\d+)$/) {
923 next if $hotplug_error->($opt);
924 PVE
::LXC
::Config-
>check_protection($conf, "can't remove CT $vmid drive '$opt'");
925 my $mp = PVE
::LXC
::Config-
>parse_ct_mountpoint($conf->{$opt});
926 delete $conf->{$opt};
927 if ($mp->{type
} eq 'volume') {
928 PVE
::LXC
::Config-
>add_unused_volume($conf, $mp->{volume
});
930 } elsif ($opt eq 'unprivileged') {
931 die "unable to delete read-only option: '$opt'\n";
932 } elsif ($opt eq 'features') {
933 next if $hotplug_error->($opt);
934 delete $conf->{$opt};
936 die "implement me (delete: $opt)"
938 PVE
::LXC
::Config-
>write_config($vmid, $conf) if $running;
942 # There's no separate swap size to configure, there's memory and "total"
943 # memory (iow. memory+swap). This means we have to change them together.
944 my $wanted_memory = PVE
::Tools
::extract_param
($param, 'memory');
945 my $wanted_swap = PVE
::Tools
::extract_param
($param, 'swap');
946 if (defined($wanted_memory) || defined($wanted_swap)) {
948 my $old_memory = ($conf->{memory
} || 512);
949 my $old_swap = ($conf->{swap
} || 0);
951 $wanted_memory //= $old_memory;
952 $wanted_swap //= $old_swap;
954 my $total = $wanted_memory + $wanted_swap;
956 my $old_total = $old_memory + $old_swap;
957 if ($total > $old_total) {
958 PVE
::LXC
::write_cgroup_value
("memory", $vmid,
959 "memory.memsw.limit_in_bytes",
960 int($total*1024*1024));
961 PVE
::LXC
::write_cgroup_value
("memory", $vmid,
962 "memory.limit_in_bytes",
963 int($wanted_memory*1024*1024));
965 PVE
::LXC
::write_cgroup_value
("memory", $vmid,
966 "memory.limit_in_bytes",
967 int($wanted_memory*1024*1024));
968 PVE
::LXC
::write_cgroup_value
("memory", $vmid,
969 "memory.memsw.limit_in_bytes",
970 int($total*1024*1024));
973 $conf->{memory
} = $wanted_memory;
974 $conf->{swap
} = $wanted_swap;
976 PVE
::LXC
::Config-
>write_config($vmid, $conf) if $running;
979 my $storecfg = PVE
::Storage
::config
();
981 my $used_volids = {};
982 my $check_content_type = sub {
984 my $sid = PVE
::Storage
::parse_volume_id
($mp->{volume
});
985 my $storage_config = PVE
::Storage
::storage_config
($storecfg, $sid);
986 die "storage '$sid' does not allow content type 'rootdir' (Container)\n"
987 if !$storage_config->{content
}->{rootdir
};
990 my $rescan_volume = sub {
993 $mp->{size
} = PVE
::Storage
::volume_size_info
($storecfg, $mp->{volume
}, 5)
994 if !defined($mp->{size
});
996 warn "Could not rescan volume size - $@\n" if $@;
999 foreach my $opt (keys %$param) {
1000 my $value = $param->{$opt};
1001 my $check_protection_msg = "can't update CT $vmid drive '$opt'";
1002 if ($opt eq 'hostname' || $opt eq 'arch') {
1003 $conf->{$opt} = $value;
1004 } elsif ($opt eq 'onboot') {
1005 $conf->{$opt} = $value ?
1 : 0;
1006 } elsif ($opt eq 'startup') {
1007 $conf->{$opt} = $value;
1008 } elsif ($opt eq 'tty' || $opt eq 'console' || $opt eq 'cmode') {
1009 next if $hotplug_error->($opt);
1010 $conf->{$opt} = $value;
1011 } elsif ($opt eq 'nameserver') {
1012 next if $hotplug_error->($opt);
1013 my $list = PVE
::LXC
::verify_nameserver_list
($value);
1014 $conf->{$opt} = $list;
1015 } elsif ($opt eq 'searchdomain') {
1016 next if $hotplug_error->($opt);
1017 my $list = PVE
::LXC
::verify_searchdomain_list
($value);
1018 $conf->{$opt} = $list;
1019 } elsif ($opt eq 'cores') {
1020 $conf->{$opt} = $value;# rest is handled by pvestatd
1021 } elsif ($opt eq 'cpulimit') {
1023 PVE
::LXC
::write_cgroup_value
("cpu", $vmid, "cpu.cfs_quota_us", -1);
1025 PVE
::LXC
::write_cgroup_value
("cpu", $vmid, "cpu.cfs_quota_us", int(100000*$value));
1027 $conf->{$opt} = $value;
1028 } elsif ($opt eq 'cpuunits') {
1029 $conf->{$opt} = $value;
1030 PVE
::LXC
::write_cgroup_value
("cpu", $vmid, "cpu.shares", $value);
1031 } elsif ($opt eq 'description') {
1032 $conf->{$opt} = $value;
1033 } elsif ($opt =~ m/^net(\d+)$/) {
1035 my $net = PVE
::LXC
::Config-
>parse_lxc_network($value);
1037 $conf->{$opt} = PVE
::LXC
::Config-
>print_lxc_network($net);
1039 PVE
::LXC
::update_net
($vmid, $conf, $opt, $net, $netid, $rootdir);
1041 } elsif ($opt eq 'protection') {
1042 $conf->{$opt} = $value ?
1 : 0;
1043 } elsif ($opt =~ m/^mp(\d+)$/) {
1044 next if $hotplug_error->($opt);
1045 PVE
::LXC
::Config-
>check_protection($conf, $check_protection_msg);
1046 my $old = $conf->{$opt};
1047 my $mp = PVE
::LXC
::Config-
>parse_ct_mountpoint($value);
1048 if ($mp->{type
} eq 'volume') {
1049 &$check_content_type($mp);
1050 $used_volids->{$mp->{volume
}} = 1;
1051 &$rescan_volume($mp);
1052 $conf->{$opt} = PVE
::LXC
::Config-
>print_ct_mountpoint($mp);
1054 $conf->{$opt} = $value;
1056 if (defined($old)) {
1057 my $mp = PVE
::LXC
::Config-
>parse_ct_mountpoint($old);
1058 if ($mp->{type
} eq 'volume') {
1059 PVE
::LXC
::Config-
>add_unused_volume($conf, $mp->{volume
});
1063 } elsif ($opt eq 'rootfs') {
1064 next if $hotplug_error->($opt);
1065 PVE
::LXC
::Config-
>check_protection($conf, $check_protection_msg);
1066 my $old = $conf->{$opt};
1067 my $mp = PVE
::LXC
::Config-
>parse_ct_rootfs($value);
1068 if ($mp->{type
} eq 'volume') {
1069 &$check_content_type($mp);
1070 $used_volids->{$mp->{volume
}} = 1;
1071 &$rescan_volume($mp);
1072 $conf->{$opt} = PVE
::LXC
::Config-
>print_ct_mountpoint($mp, 1);
1074 $conf->{$opt} = $value;
1076 if (defined($old)) {
1077 my $mp = PVE
::LXC
::Config-
>parse_ct_rootfs($old);
1078 if ($mp->{type
} eq 'volume') {
1079 PVE
::LXC
::Config-
>add_unused_volume($conf, $mp->{volume
});
1083 } elsif ($opt eq 'unprivileged') {
1084 die "unable to modify read-only option: '$opt'\n";
1085 } elsif ($opt eq 'ostype') {
1086 next if $hotplug_error->($opt);
1087 $conf->{$opt} = $value;
1088 } elsif ($opt eq 'features') {
1089 next if $hotplug_error->($opt);
1090 $conf->{$opt} = $value;
1091 } elsif ($opt eq 'hookscript') {
1092 PVE
::GuestHelpers
::check_hookscript
($value);
1093 $conf->{$opt} = $value;
1095 die "implement me: $opt";
1098 PVE
::LXC
::Config-
>write_config($vmid, $conf) if $running;
1101 # Apply deletions and creations of new volumes
1102 if (@deleted_volumes) {
1103 my $storage_cfg = PVE
::Storage
::config
();
1104 foreach my $volume (@deleted_volumes) {
1105 next if $used_volids->{$volume}; # could have been re-added, too
1106 # also check for references in snapshots
1107 next if $class->is_volume_in_use($conf, $volume, 1);
1108 PVE
::LXC
::delete_mountpoint_volume
($storage_cfg, $vmid, $volume);
1113 my $storage_cfg = PVE
::Storage
::config
();
1114 PVE
::LXC
::create_disks
($storage_cfg, $vmid, $conf, $conf);
1117 # This should be the last thing we do here
1118 if ($running && scalar(@nohotplug)) {
1119 die "unable to modify " . join(',', @nohotplug) . " while container is running\n";
1124 my ($class, $key, $value) = @_;
1126 die "unknown setting '$key'\n" if !$confdesc->{$key};
1128 my $type = $confdesc->{$key}->{type
};
1130 if (!defined($value)) {
1131 die "got undefined value\n";
1134 if ($value =~ m/[\n\r]/) {
1135 die "property contains a line feed\n";
1138 if ($type eq 'boolean') {
1139 return 1 if ($value eq '1') || ($value =~ m/^(on|yes|true)$/i);
1140 return 0 if ($value eq '0') || ($value =~ m/^(off|no|false)$/i);
1141 die "type check ('boolean') failed - got '$value'\n";
1142 } elsif ($type eq 'integer') {
1143 return int($1) if $value =~ m/^(\d+)$/;
1144 die "type check ('integer') failed - got '$value'\n";
1145 } elsif ($type eq 'number') {
1146 return $value if $value =~ m/^(\d+)(\.\d+)?$/;
1147 die "type check ('number') failed - got '$value'\n";
1148 } elsif ($type eq 'string') {
1149 if (my $fmt = $confdesc->{$key}->{format
}) {
1150 PVE
::JSONSchema
::check_format
($fmt, $value);
1155 die "internal error"
1160 # add JSON properties for create and set function
1161 sub json_config_properties
{
1162 my ($class, $prop) = @_;
1164 foreach my $opt (keys %$confdesc) {
1165 next if $opt eq 'parent' || $opt eq 'snaptime';
1166 next if $prop->{$opt};
1167 $prop->{$opt} = $confdesc->{$opt};
1173 sub __parse_ct_mountpoint_full
{
1174 my ($class, $desc, $data, $noerr) = @_;
1179 eval { $res = PVE
::JSONSchema
::parse_property_string
($desc, $data) };
1181 return undef if $noerr;
1185 if (defined(my $size = $res->{size
})) {
1186 $size = PVE
::JSONSchema
::parse_size
($size);
1187 if (!defined($size)) {
1188 return undef if $noerr;
1189 die "invalid size: $size\n";
1191 $res->{size
} = $size;
1194 $res->{type
} = $class->classify_mountpoint($res->{volume
});
1199 sub parse_ct_rootfs
{
1200 my ($class, $data, $noerr) = @_;
1202 my $res = $class->__parse_ct_mountpoint_full($rootfs_desc, $data, $noerr);
1204 $res->{mp
} = '/' if defined($res);
1209 sub parse_ct_mountpoint
{
1210 my ($class, $data, $noerr) = @_;
1212 return $class->__parse_ct_mountpoint_full($mp_desc, $data, $noerr);
1215 sub print_ct_mountpoint
{
1216 my ($class, $info, $nomp) = @_;
1217 my $skip = [ 'type' ];
1218 push @$skip, 'mp' if $nomp;
1219 return PVE
::JSONSchema
::print_property_string
($info, $mp_desc, $skip);
1222 sub print_lxc_network
{
1223 my ($class, $net) = @_;
1224 return PVE
::JSONSchema
::print_property_string
($net, $netconf_desc);
1227 sub parse_lxc_network
{
1228 my ($class, $data) = @_;
1232 return $res if !$data;
1234 $res = PVE
::JSONSchema
::parse_property_string
($netconf_desc, $data);
1236 $res->{type
} = 'veth';
1237 if (!$res->{hwaddr
}) {
1238 my $dc = PVE
::Cluster
::cfs_read_file
('datacenter.cfg');
1239 $res->{hwaddr
} = PVE
::Tools
::random_ether_addr
($dc->{mac_prefix
});
1245 sub parse_features
{
1246 my ($class, $data) = @_;
1247 return {} if !$data;
1248 return PVE
::JSONSchema
::parse_property_string
($features_desc, $data);
1252 my ($class, $name) = @_;
1254 return defined($confdesc->{$name});
1256 # END JSON config code
1258 sub classify_mountpoint
{
1259 my ($class, $vol) = @_;
1260 if ($vol =~ m!^/!) {
1261 return 'device' if $vol =~ m!^/dev/!;
1267 my $is_volume_in_use = sub {
1268 my ($class, $config, $volid) = @_;
1271 $class->foreach_mountpoint($config, sub {
1272 my ($ms, $mountpoint) = @_;
1274 $used = $mountpoint->{type
} eq 'volume' && $mountpoint->{volume
} eq $volid;
1280 sub is_volume_in_use_by_snapshots
{
1281 my ($class, $config, $volid) = @_;
1283 if (my $snapshots = $config->{snapshots
}) {
1284 foreach my $snap (keys %$snapshots) {
1285 return 1 if $is_volume_in_use->($class, $snapshots->{$snap}, $volid);
1292 sub is_volume_in_use
{
1293 my ($class, $config, $volid, $include_snapshots) = @_;
1294 return 1 if $is_volume_in_use->($class, $config, $volid);
1295 return 1 if $include_snapshots && $class->is_volume_in_use_by_snapshots($config, $volid);
1299 sub has_dev_console
{
1300 my ($class, $conf) = @_;
1302 return !(defined($conf->{console
}) && !$conf->{console
});
1306 my ($class, $conf, $keyname) = @_;
1308 if (my $lxcconf = $conf->{lxc
}) {
1309 foreach my $entry (@$lxcconf) {
1310 my ($key, undef) = @$entry;
1311 return 1 if $key eq $keyname;
1319 my ($class, $conf) = @_;
1321 return $conf->{tty
} // $confdesc->{tty
}->{default};
1325 my ($class, $conf) = @_;
1327 return $conf->{cmode
} // $confdesc->{cmode
}->{default};
1330 sub mountpoint_names
{
1331 my ($class, $reverse) = @_;
1333 my @names = ('rootfs');
1335 for (my $i = 0; $i < $MAX_MOUNT_POINTS; $i++) {
1336 push @names, "mp$i";
1339 return $reverse ?
reverse @names : @names;
1342 sub foreach_mountpoint_full
{
1343 my ($class, $conf, $reverse, $func, @param) = @_;
1345 my $mps = [ grep { defined($conf->{$_}) } $class->mountpoint_names($reverse) ];
1346 foreach my $key (@$mps) {
1347 my $value = $conf->{$key};
1348 my $mountpoint = $key eq 'rootfs' ?
$class->parse_ct_rootfs($value, 1) : $class->parse_ct_mountpoint($value, 1);
1349 next if !defined($mountpoint);
1351 &$func($key, $mountpoint, @param);
1355 sub foreach_mountpoint
{
1356 my ($class, $conf, $func, @param) = @_;
1358 $class->foreach_mountpoint_full($conf, 0, $func, @param);
1361 sub foreach_mountpoint_reverse
{
1362 my ($class, $conf, $func, @param) = @_;
1364 $class->foreach_mountpoint_full($conf, 1, $func, @param);
1367 sub get_vm_volumes
{
1368 my ($class, $conf, $excludes) = @_;
1372 $class->foreach_mountpoint($conf, sub {
1373 my ($ms, $mountpoint) = @_;
1375 return if $excludes && $ms eq $excludes;
1377 my $volid = $mountpoint->{volume
};
1378 return if !$volid || $mountpoint->{type
} ne 'volume';
1380 my ($sid, $volname) = PVE
::Storage
::parse_volume_id
($volid, 1);
1383 push @$vollist, $volid;
1389 sub get_replicatable_volumes
{
1390 my ($class, $storecfg, $vmid, $conf, $cleanup, $noerr) = @_;
1394 my $test_volid = sub {
1395 my ($volid, $mountpoint) = @_;
1399 my $mptype = $mountpoint->{type
};
1400 my $replicate = $mountpoint->{replicate
} // 1;
1402 if ($mptype ne 'volume') {
1403 # skip bindmounts if replicate = 0 even for cleanup,
1404 # since bind mounts could not have been replicated ever
1405 return if !$replicate;
1406 die "unable to replicate mountpoint type '$mptype'\n";
1409 my ($storeid, $volname) = PVE
::Storage
::parse_volume_id
($volid, $noerr);
1410 return if !$storeid;
1412 my $scfg = PVE
::Storage
::storage_config
($storecfg, $storeid);
1413 return if $scfg->{shared
};
1415 my ($path, $owner, $vtype) = PVE
::Storage
::path
($storecfg, $volid);
1416 return if !$owner || ($owner != $vmid);
1418 die "unable to replicate volume '$volid', type '$vtype'\n" if $vtype ne 'images';
1420 return if !$cleanup && !$replicate;
1422 if (!PVE
::Storage
::volume_has_feature
($storecfg, 'replicate', $volid)) {
1423 return if $cleanup || $noerr;
1424 die "missing replicate feature on volume '$volid'\n";
1427 $volhash->{$volid} = 1;
1430 $class->foreach_mountpoint($conf, sub {
1431 my ($ms, $mountpoint) = @_;
1432 $test_volid->($mountpoint->{volume
}, $mountpoint);
1435 foreach my $snapname (keys %{$conf->{snapshots
}}) {
1436 my $snap = $conf->{snapshots
}->{$snapname};
1437 $class->foreach_mountpoint($snap, sub {
1438 my ($ms, $mountpoint) = @_;
1439 $test_volid->($mountpoint->{volume
}, $mountpoint);
1443 # add 'unusedX' volumes to volhash
1444 foreach my $key (keys %$conf) {
1445 if ($key =~ m/^unused/) {
1446 $test_volid->($conf->{$key}, { type
=> 'volume', replicate
=> 1 });