X-Git-Url: https://git.proxmox.com/?p=pve-container.git;a=blobdiff_plain;f=src%2FPVE%2FLXC%2FConfig.pm;h=cde244539b0f134cbaa22e2bac37fab940563702;hp=8e1645c2a3e24d82629246d5d46e419998f03f5d;hb=5a63f1c5d3b995dd682a70e7fbd1364240e09278;hpb=5cd09d82aeee5779ac86e8e3c571680da4051af8 diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm index 8e1645c..cde2445 100644 --- a/src/PVE/LXC/Config.pm +++ b/src/PVE/LXC/Config.pm @@ -8,7 +8,6 @@ use PVE::Cluster qw(cfs_register_file); use PVE::INotify; use PVE::JSONSchema qw(get_standard_option); use PVE::Tools; -use PVE::ReplicationTools; use base qw(PVE::AbstractConfig); @@ -17,7 +16,7 @@ my $lock_handles = {}; my $lockdir = "/run/lock/lxc"; mkdir $lockdir; mkdir "/etc/pve/nodes/$nodename/lxc"; -my $MAX_MOUNT_POINTS = 10; +my $MAX_MOUNT_POINTS = 256; my $MAX_UNUSED_DISKS = $MAX_MOUNT_POINTS; # BEGIN implemented abstract methods from PVE::AbstractConfig @@ -165,12 +164,12 @@ sub __snapshot_rollback_vol_rollback { sub __snapshot_rollback_vm_stop { my ($class, $vmid) = @_; - PVE::Tools::run_command(['/usr/bin/lxc-stop', '-n', $vmid, '--kill']) + PVE::LXC::vm_stop($vmid, 1) if $class->__snapshot_check_running($vmid); } sub __snapshot_rollback_vm_start { - my ($class, $vmid, $vmstate, $forcemachine); + my ($class, $vmid, $vmstate, $data); die "implement me - save vmstate\n"; } @@ -246,7 +245,7 @@ my $rootfs_desc = { description => 'Enable user quotas inside the container (not supported with zfs subvolumes)', optional => 1, }, - replica => { + replicate => { type => 'boolean', description => 'Will include this volume to a storage replica job.', optional => 1, 
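Review bot: In `__snapshot_rollback_vm_start` the changed declaration `my ($class, $vmid, $vmstate, $data);` still never unpacks `@_`, so all four variables are undef; this is harmless only while the body dies at once with "implement me". Write it as `my ($class, $vmid, $vmstate, $data) = @_;` so the signature is already right when the method is implemented. In `__snapshot_rollback_vm_stop` the new call `PVE::LXC::vm_stop($vmid, 1)` relies on PVE::LXC being loaded; the `use` lines visible in the first hunk do not include it, though the import block may continue outside the hunk, so this should be confirmed. The bare second argument `1` deserves a short comment saying what it selects (presumably the forced stop that `--kill` requested before).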
@@ -273,12 +272,47 @@ PVE::JSONSchema::register_standard_option('pve-lxc-snapshot-name', { maxLength => 40, }); +my $features_desc = { + mount => { + optional => 1, + type => 'string', + description => "Allow mounting file systems of specific types." + ." This should be a list of file system types as used with the mount command." + ." Note that this can have negative effects on the container's security." + ." With access to a loop device, mounting a file can circumvent the mknod" + ." permission of the devices cgroup, mounting an NFS file system can" + ." block the host's I/O completely and prevent it from rebooting, etc.", + format_description => 'fstype;fstype;...', + pattern => qr/[a-zA-Z0-9; ]+/, + }, + nesting => { + optional => 1, + type => 'boolean', + default => 0, + description => "Allow nesting." + ." Best used with unprivileged containers with additional id mapping." + ." Note that this will expose procfs and sysfs contents of the host" + ." to the guest.", + }, + keyctl => { + optional => 1, + type => 'boolean', + default => 0, + description => "For unprivileged containers only: Allow the use of the keyctl() system call." + ." This is required to use docker inside a container." + ." By default unprivileged containers will see this system call as non-existent." + ." This is mostly a workaround for systemd-networkd, as it will treat it as a fatal" + ." error when some keyctl() operations are denied by the kernel due to lacking permissions." + ." Essentially, you can choose between running systemd-networkd or docker.", + }, +}; + my $confdesc = { lock => { optional => 1, type => 'string', description => "Lock/unlock the VM.", - enum => [qw(migrate backup snapshot rollback)], + enum => [qw(backup disk migrate mounted rollback snapshot snapshot-delete)], }, onboot => { optional => 1, 
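Review bot: The `mount` entry's `pattern => qr/[a-zA-Z0-9; ]+/` is unanchored as written, so on its own it matches any string that contains a single allowed character. Whether the schema validator anchors patterns is not visible in this hunk; if it does not, arbitrary text could be stored in an option whose own description says it weakens the container's confinement. Anchoring it here, `pattern => qr/\A[a-zA-Z0-9; ]+\z/,`, makes the check independent of the validator, and `\z` also rejects a trailing newline.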
@@ -296,7 +330,7 @@ my $confdesc = { arch => { optional => 1, type => 'string', - enum => ['amd64', 'i386'], + enum => ['amd64', 'i386', 'arm64', 'armhf'], description => "OS architecture type.", default => 'amd64', }, @@ -391,31 +425,6 @@ my $confdesc = { type => 'integer', minimum => 0, }, - replica => { - optional => 1, - description => "Storage replica for local storage.", - type => 'boolean', - default => 0, - }, - replica_rate_limit => { - optional => 1, - description => "Storage replica rate limit in KBytes/s.", - type => 'integer', - minimum => 1, - }, - replica_target => { - optional => 1, - description => "Storage replica target node.", - type => 'string', - }, - replica_interval => { - optional => 1, - description => "Storage replica sync interval.", - type => 'integer', - minimum => 1, - maximum => 1440, - default => 15, - }, cmode => { optional => 1, description => "Console mode. By default, the console command tries to open a connection to one of the available tty devices. By setting cmode to 'console' it tries to attach to /dev/console instead. If you set cmode to 'shell', it simply invokes a shell inside the container (no login).", 
@@ -435,52 +444,48 @@ my $confdesc = { description => "Makes the container run as unprivileged user. (Should not be modified manually.)", default => 0, }, + features => { + optional => 1, + type => 'string', + format => $features_desc, + description => "Allow containers access to advanced features.", + }, }; my $valid_lxc_conf_keys = { + 'lxc.apparmor.profile' => 1, + 'lxc.apparmor.allow_incomplete' => 1, + 'lxc.apparmor.allow_nesting' => 1, + 'lxc.apparmor.raw' => 1, + 'lxc.selinux.context' => 1, 'lxc.include' => 1, 'lxc.arch' => 1, - 'lxc.utsname' => 1, - 'lxc.haltsignal' => 1, - 'lxc.rebootsignal' => 1, - 'lxc.stopsignal' => 1, - 'lxc.init_cmd' => 1, - 'lxc.network.type' => 1, - 'lxc.network.flags' => 1, - 'lxc.network.link' => 1, - 'lxc.network.mtu' => 1, - 'lxc.network.name' => 1, - 'lxc.network.hwaddr' => 1, - 'lxc.network.ipv4' => 1, - 'lxc.network.ipv4.gateway' => 1, - 'lxc.network.ipv6' => 1, - 'lxc.network.ipv6.gateway' => 1, - 'lxc.network.script.up' => 1, - 'lxc.network.script.down' => 1, - 'lxc.pts' => 1, + 'lxc.uts.name' => 1, + 'lxc.signal.halt' => 1, + 'lxc.signal.reboot' => 1, + 'lxc.signal.stop' => 1, + 'lxc.init.cmd' => 1, + 'lxc.pty.max' => 1, 'lxc.console.logfile' => 1, - 'lxc.console' => 1, - 'lxc.tty' => 1, - 'lxc.devttydir' => 1, + 'lxc.console.path' => 1, + 'lxc.tty.max' => 1, + 'lxc.devtty.dir' => 1, 'lxc.hook.autodev' => 1, 'lxc.autodev' => 1, 'lxc.kmsg' => 1, - 'lxc.mount' => 1, + 'lxc.mount.fstab' => 1, 'lxc.mount.entry' => 1, 'lxc.mount.auto' => 1, - 'lxc.rootfs' => 'lxc.rootfs is auto generated from rootfs', + 'lxc.rootfs.path' => 'lxc.rootfs.path is auto generated from rootfs', 'lxc.rootfs.mount' => 1, 'lxc.rootfs.options' => 'lxc.rootfs.options is not supported' . 
', please use mount point options in the "rootfs" key', # lxc.cgroup.* - # lxc.limit.* + # lxc.prlimit.* 'lxc.cap.drop' => 1, 'lxc.cap.keep' => 1, - 'lxc.aa_profile' => 1, - 'lxc.aa_allow_incomplete' => 1, - 'lxc.se_context' => 1, - 'lxc.seccomp' => 1, - 'lxc.id_map' => 1, + 'lxc.seccomp.profile' => 1, + 'lxc.idmap' => 1, 'lxc.hook.pre-start' => 1, 'lxc.hook.pre-mount' => 1, 'lxc.hook.mount' => 1, @@ -489,8 +494,8 @@ my $valid_lxc_conf_keys = { 'lxc.hook.post-stop' => 1, 'lxc.hook.clone' => 1, 'lxc.hook.destroy' => 1, - 'lxc.loglevel' => 1, - 'lxc.logfile' => 1, + 'lxc.log.level' => 1, + 'lxc.log.file' => 1, 'lxc.start.auto' => 1, 'lxc.start.delay' => 1, 'lxc.start.order' => 1, 
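Review bot: The allow-list adds `'lxc.devtty.dir' => 1`, but the deprecation table added further down (hunk at -498) maps `lxc.devttydir` to `lxc.tty.dir`, so the two disagree on the new name. `lxc.tty.dir` is the key LXC documents, and it matches none of the prefixes `is_valid_lxc_conf_key` accepts, so a user who follows the deprecation warning would presumably have the renamed key refused (the final branch of `parse_pct_config` is outside the visible hunks). The entry should read `'lxc.tty.dir' => 1,`. Separately, `lxc.apparmor.raw` and `lxc.apparmor.allow_nesting` become accepted raw keys here; both change the container's AppArmor confinement, so a one-line comment stating who is expected to be able to write raw `lxc.*` lines would help later reviewers.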
@@ -498,6 +503,57 @@ my $valid_lxc_conf_keys = { 'lxc.environment' => 1, }; +my $deprecated_lxc_conf_keys = { + # Deprecated (removed with lxc 3.0): + 'lxc.aa_profile' => 'lxc.apparmor.profile', + 'lxc.aa_allow_incomplete' => 'lxc.apparmor.allow_incomplete', + 'lxc.console' => 'lxc.console.path', + 'lxc.devttydir' => 'lxc.tty.dir', + 'lxc.haltsignal' => 'lxc.signal.halt', + 'lxc.rebootsignal' => 'lxc.signal.reboot', + 'lxc.stopsignal' => 'lxc.signal.stop', + 'lxc.id_map' => 'lxc.idmap', + 'lxc.init_cmd' => 'lxc.init.cmd', + 'lxc.loglevel' => 'lxc.log.level', + 'lxc.logfile' => 'lxc.log.file', + 'lxc.mount' => 'lxc.mount.fstab', + 'lxc.network.type' => 'lxc.net.INDEX.type', + 'lxc.network.flags' => 'lxc.net.INDEX.flags', + 'lxc.network.link' => 'lxc.net.INDEX.link', + 'lxc.network.mtu' => 'lxc.net.INDEX.mtu', + 'lxc.network.name' => 'lxc.net.INDEX.name', + 'lxc.network.hwaddr' => 'lxc.net.INDEX.hwaddr', + 'lxc.network.ipv4' => 'lxc.net.INDEX.ipv4.address', + 'lxc.network.ipv4.gateway' => 'lxc.net.INDEX.ipv4.gateway', + 'lxc.network.ipv6' => 'lxc.net.INDEX.ipv6.address', + 'lxc.network.ipv6.gateway' => 'lxc.net.INDEX.ipv6.gateway', + 'lxc.network.script.up' => 'lxc.net.INDEX.script.up', + 'lxc.network.script.down' => 'lxc.net.INDEX.script.down', + 'lxc.pts' => 'lxc.pty.max', + 'lxc.se_context' => 'lxc.selinux.context', + 'lxc.seccomp' => 'lxc.seccomp.profile', + 'lxc.tty' => 'lxc.tty.max', + 'lxc.utsname' => 'lxc.uts.name', +}; + +sub is_valid_lxc_conf_key { + my ($vmid, $key) = @_; + if ($key =~ /^lxc\.limit\./) { + warn "vm $vmid - $key: lxc.limit.* was renamed to lxc.prlimit.*\n"; + return 1; + } + if (defined(my $new_name = $deprecated_lxc_conf_keys->{$key})) { + warn "vm $vmid - $key is deprecated and was renamed to $new_name\n"; + return 1; + } + my $validity = $valid_lxc_conf_keys->{$key}; + return $validity if defined($validity); + return 1 if $key =~ /^lxc\.cgroup\./ # allow all cgroup values + || $key =~ /^lxc\.prlimit\./ # allow all prlimits + || $key =~ 
/^lxc\.net\./; # allow custom network definitions + return 0; +} + our $netconf_desc = { type => { type => 'string', @@ -534,7 +590,7 @@ our $netconf_desc = { ip => { type => 'string', format => 'pve-ipv4-config', - format_description => 'IPv4Format/CIDR', + format_description => '(IPv4/CIDR|dhcp|manual)', description => 'IPv4 address in CIDR format.', optional => 1, }, @@ -548,7 +604,7 @@ our $netconf_desc = { ip6 => { type => 'string', format => 'pve-ipv6-config', - format_description => 'IPv6Format/CIDR', + format_description => '(IPv6/CIDR|auto|dhcp|manual)', description => 'IPv6 address in CIDR format.', optional => 1, }, @@ -693,8 +749,8 @@ sub parse_pct_config { if ($line =~ m/^(lxc\.[a-z0-9_\-\.]+)(:|\s*=)\s*(.*?)\s*$/) { my $key = $1; my $value = $3; - my $validity = $valid_lxc_conf_keys->{$key} || 0; - if ($validity eq 1 || $key =~ m/^lxc\.(?:cgroup|limit)\./) { + my $validity = is_valid_lxc_conf_key($vmid, $key); + if ($validity eq 1) { push @{$conf->{lxc}}, [$key, $value]; } elsif (my $errmsg = $validity) { warn "vm $vmid - $key: $errmsg\n"; @@ -857,15 +913,9 @@ sub update_pct_config { } } elsif ($opt eq 'unprivileged') { die "unable to delete read-only option: '$opt'\n"; - } elsif ($opt eq "replica" || $opt eq "replica_target") { - delete $conf->{$opt}; - delete $conf->{replica} if $opt eq "replica_target"; - - # job_remove required updated lxc conf - PVE::ReplicationTools::job_remove($vmid); - } elsif ($opt eq "replica_interval" || $opt eq "replica_rate_limit") { + } elsif ($opt eq 'features') { + next if $hotplug_error->($opt); delete $conf->{$opt}; - PVE::ReplicationTools::update_conf($vmid, $opt, $param->{$opt}); } else { die "implement me (delete: $opt)" } 
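Review bot: `is_valid_lxc_conf_key` returns 1 for a deprecated key after warning, so `parse_pct_config` (hunk at -693) pushes the entry into `$conf->{lxc}` under its old name. The table's own comment says these names were removed with lxc 3.0, so unless a later step translates them (not visible here) the container is handed a key its runtime no longer knows. For the one-to-one renames the function could hand the new name back for the caller to store; the `lxc.network.*` entries need an index and can only be warned about. The function also lacks a comment on its return contract, for example `# Returns 1 if the key is accepted, 0 if it is unknown, or a message string explaining why it is refused.`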
@@ -910,20 +960,29 @@ sub update_pct_config { PVE::LXC::Config->write_config($vmid, $conf) if $running; } + my $storecfg = PVE::Storage::config(); + my $used_volids = {}; my $check_content_type = sub { my ($mp) = @_; my $sid = PVE::Storage::parse_volume_id($mp->{volume}); - my $scfg = PVE::Storage::config(); - my $storage_config = PVE::Storage::storage_config($scfg, $sid); + my $storage_config = PVE::Storage::storage_config($storecfg, $sid); die "storage '$sid' does not allow content type 'rootdir' (Container)\n" if !$storage_config->{content}->{rootdir}; }; + my $rescan_volume = sub { + my ($mp) = @_; + eval { + $mp->{size} = PVE::Storage::volume_size_info($storecfg, $mp->{volume}, 5) + if !defined($mp->{size}); + }; + warn "Could not rescan volume size - $@\n" if $@; + }; + foreach my $opt (keys %$param) { my $value = $param->{$opt}; my $check_protection_msg = "can't update CT $vmid drive '$opt'"; - my $update; if ($opt eq 'hostname' || $opt eq 'arch') { $conf->{$opt} = $value; } elsif ($opt eq 'onboot') { @@ -954,7 +1013,7 @@ sub update_pct_config { $conf->{$opt} = $value; PVE::LXC::write_cgroup_value("cpu", $vmid, "cpu.shares", $value); } elsif ($opt eq 'description') { - $conf->{$opt} = PVE::Tools::encode_text($value); + $conf->{$opt} = $value; } elsif ($opt =~ m/^net(\d+)$/) { my $netid = $1; my $net = PVE::LXC::Config->parse_lxc_network($value); @@ -973,8 +1032,11 @@ sub update_pct_config { if ($mp->{type} eq 'volume') { &$check_content_type($mp); $used_volids->{$mp->{volume}} = 1; + &$rescan_volume($mp); + $conf->{$opt} = PVE::LXC::Config->print_ct_mountpoint($mp); + } else { + $conf->{$opt} = $value; } - $conf->{$opt} = $value; if (defined($old)) { my $mp = PVE::LXC::Config->parse_ct_mountpoint($old); if ($mp->{type} eq 'volume') { 
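Review bot: `$rescan_volume` swallows a failing `PVE::Storage::volume_size_info` call with a warning that does not name the volume, and the caller then serialises `$mp` with `size` still undefined. Include the volume in the message, `warn "Could not rescan size of volume '$mp->{volume}' - $@" if $@;` (the error text normally ends in a newline already), and add a comment that a missing size is tolerated on purpose. The closures live inside `update_pct_config`, whose body starts and ends outside this hunk.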
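Review bot: `description` is now stored as `$conf->{$opt} = $value;` without `PVE::Tools::encode_text`, so escaping depends entirely on the code that writes the config file, which is not part of this hunk. If that writer does not encode newlines, a multi-line description could end up as extra lines in the container config. A comment on the assignment would record the assumption: `# stored raw; the config writer is responsible for encoding`.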
@@ -986,11 +1048,14 @@ sub update_pct_config { next if $hotplug_error->($opt); PVE::LXC::Config->check_protection($conf, $check_protection_msg); my $old = $conf->{$opt}; - $conf->{$opt} = $value; my $mp = PVE::LXC::Config->parse_ct_rootfs($value); if ($mp->{type} eq 'volume') { &$check_content_type($mp); $used_volids->{$mp->{volume}} = 1; + &$rescan_volume($mp); + $conf->{$opt} = PVE::LXC::Config->print_ct_mountpoint($mp, 1); + } else { + $conf->{$opt} = $value; } if (defined($old)) { my $mp = PVE::LXC::Config->parse_ct_rootfs($old); @@ -1004,33 +1069,14 @@ sub update_pct_config { } elsif ($opt eq 'ostype') { next if $hotplug_error->($opt); $conf->{$opt} = $value; - } elsif ($opt eq "replica") { - die "Not all volumes are syncable, please check your config\n" - if !PVE::ReplicationTools::check_guest_volumes_syncable($conf, 'lxc'); - $conf->{$opt} = $param->{$opt}; - die "replica_target is required\n" if !$conf->{replica_target} - && !$param->{replica_target}; - if ($param->{replica}) { - PVE::ReplicationTools::job_enable($vmid); - } else { - PVE::ReplicationTools::job_disable($vmid); - } - $update = 1; - } elsif ($opt eq "replica_interval" || $opt eq "replica_rate_limit") { - $conf->{$opt} = $param->{$opt}; - PVE::ReplicationTools::update_conf($vmid, $opt, $param->{$opt}); - $update = 1; - } elsif ($opt eq "replica_target") { - die "Node: $param->{$opt} does not exists in Cluster.\n" - if !PVE::Cluster::check_node_exists($param->{$opt}); - $update = 1; - PVE::ReplicationTools::update_conf($vmid, $opt, $param->{$opt}) - if defined($conf->{$opt}); - $conf->{$opt} = $param->{$opt}; + } elsif ($opt eq 'features') { + next if $hotplug_error->($opt); + $conf->{$opt} = $value; } else { die "implement me: $opt"; } - PVE::LXC::Config->write_config($vmid, $conf) if $running || $update; + + PVE::LXC::Config->write_config($vmid, $conf) if $running; } # Apply deletions and creations of new volumes 
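Review bot: The new `features` branch (hunk at -1004) stores `$value` after only the hotplug check, while the descriptions added with `$features_desc` state that `mount`, `nesting` and `keyctl` weaken the container's isolation from the host. Nothing in this hunk restricts who may set the option; the permission check presumably lives in the API layer outside this file, and it should be confirmed that it treats `features` as more sensitive than ordinary options. A comment on the branch would make that dependency visible: `# security-relevant: relaxes container confinement; callers must enforce who may change it`.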
@@ -1177,6 +1223,12 @@ sub parse_lxc_network { return $res; } +sub parse_features { + my ($class, $data) = @_; + return {} if !$data; + return PVE::JSONSchema::parse_property_string($features_desc, $data); +} + sub option_exists { my ($class, $name) = @_; @@ -1193,8 +1245,8 @@ sub classify_mountpoint { return 'volume'; } -sub is_volume_in_use { - my ($class, $config, $volid, $include_snapshots) = @_; +my $is_volume_in_use = sub { + my ($class, $config, $volid) = @_; my $used = 0; $class->foreach_mountpoint($config, sub { @@ -1203,14 +1255,26 @@ sub is_volume_in_use { $used = $mountpoint->{type} eq 'volume' && $mountpoint->{volume} eq $volid; }); - my $snapshots = $config->{snapshots}; - if ($include_snapshots && $snapshots) { + return $used; +}; + +sub is_volume_in_use_by_snapshots { + my ($class, $config, $volid) = @_; + + if (my $snapshots = $config->{snapshots}) { foreach my $snap (keys %$snapshots) { - $used ||= $class->is_volume_in_use($snapshots->{$snap}, $volid); + return 1 if $is_volume_in_use->($class, $snapshots->{$snap}, $volid); } } - return $used; + return 0; +}; + +sub is_volume_in_use { + my ($class, $config, $volid, $include_snapshots) = @_; + return 1 if $is_volume_in_use->($class, $config, $volid); + return 1 if $include_snapshots && $class->is_volume_in_use_by_snapshots($config, $volid); + return 0; } sub has_dev_console { @@ -1259,9 +1323,9 @@ sub mountpoint_names { sub foreach_mountpoint_full { my ($class, $conf, $reverse, $func, @param) = @_; - foreach my $key ($class->mountpoint_names($reverse)) { + my $mps = [ grep { defined($conf->{$_}) } $class->mountpoint_names($reverse) ]; + foreach my $key (@$mps) { my $value = $conf->{$key}; - next if !defined($value); my $mountpoint = $key eq 'rootfs' ? $class->parse_ct_rootfs($value, 1) : $class->parse_ct_mountpoint($value, 1); next if !defined($mountpoint); 
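Review bot: The new named sub `is_volume_in_use_by_snapshots` (hunk at -1203) is closed with `};`; the semicolon is only needed for the anonymous `my $is_volume_in_use = sub { ... };` above it and should be dropped to `}`. The split also changes what `is_volume_in_use` returns, from the last comparison result to a plain 0 or 1, which is fine for boolean callers but worth stating. Neither new sub is documented; `# Returns 1 if any snapshot in $config references $volid as a volume mount point, else 0.` above `is_volume_in_use_by_snapshots` would cover it.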
@@ -1303,4 +1367,68 @@ sub get_vm_volumes { return $vollist; } -return 1; +sub get_replicatable_volumes { + my ($class, $storecfg, $vmid, $conf, $cleanup, $noerr) = @_; + + my $volhash = {}; + + my $test_volid = sub { + my ($volid, $mountpoint) = @_; + + return if !$volid; + + my $mptype = $mountpoint->{type}; + my $replicate = $mountpoint->{replicate} // 1; + + if ($mptype ne 'volume') { + # skip bindmounts if replicate = 0 even for cleanup, + # since bind mounts could not have been replicated ever + return if !$replicate; + die "unable to replicate mountpoint type '$mptype'\n"; + } + + my ($storeid, $volname) = PVE::Storage::parse_volume_id($volid, $noerr); + return if !$storeid; + + my $scfg = PVE::Storage::storage_config($storecfg, $storeid); + return if $scfg->{shared}; + + my ($path, $owner, $vtype) = PVE::Storage::path($storecfg, $volid); + return if !$owner || ($owner != $vmid); + + die "unable to replicate volume '$volid', type '$vtype'\n" if $vtype ne 'images'; + + return if !$cleanup && !$replicate; + + if (!PVE::Storage::volume_has_feature($storecfg, 'replicate', $volid)) { + return if $cleanup || $noerr; + die "missing replicate feature on volume '$volid'\n"; + } + + $volhash->{$volid} = 1; + }; + + $class->foreach_mountpoint($conf, sub { + my ($ms, $mountpoint) = @_; + $test_volid->($mountpoint->{volume}, $mountpoint); + }); + + foreach my $snapname (keys %{$conf->{snapshots}}) { + my $snap = $conf->{snapshots}->{$snapname}; + $class->foreach_mountpoint($snap, sub { + my ($ms, $mountpoint) = @_; + $test_volid->($mountpoint->{volume}, $mountpoint); + }); + } + + # add 'unusedX' volumes to volhash + foreach my $key (keys %$conf) { + if ($key =~ m/^unused/) { + $test_volid->($conf->{$key}, { type => 'volume', replicate => 1 }); + } + } + + return $volhash; +} + +1;
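Review bot: In `get_replicatable_volumes`, `keys %{$conf->{snapshots}}` autovivifies an empty `snapshots` hash in the caller's `$conf` when the guest has none, so a read-only query modifies the config it was given; `is_volume_in_use_by_snapshots` earlier in this commit guards the same access. Use `foreach my $snapname (keys %{$conf->{snapshots} // {}}) {` instead. The unused-disk test `m/^unused/` also accepts any key that merely starts with that word; `m/^unused\d+$/` states the intent, assuming the keys are numbered as the `unusedX` comment suggests. The silent `return if !$owner || ($owner != $vmid);` is a useful safety check and deserves a comment saying that volumes owned by another guest are skipped deliberately.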