my $restore = extract_param($param, 'restore');
my $unique = extract_param($param, 'unique');
+ # used to skip firewall config restore if user lacks permission
+ my $skip_fw_config_restore = 0;
+
if ($restore) {
# fixme: limit allowed parameters
}
} elsif ($restore && $force && $same_container_exists &&
$rpcenv->check($authuser, "/vms/$vmid", ['VM.Backup'], 1)) {
# OK: user has VM.Backup permissions, and want to restore an existing VM
+
+ # we don't want to restore a container-provided FW conf in this case
+ # since the user is lacking permission to configure the container's FW
+ $skip_fw_config_restore = 1;
} else {
raise_perm_exc();
}
PVE::LXC::Create::restore_archive($archive, $rootdir, $conf, $ignore_unpack_errors, $bwlimit);
if ($restore) {
- PVE::LXC::Create::restore_configuration($vmid, $rootdir, $conf, !$is_root, $unique);
+ PVE::LXC::Create::restore_configuration($vmid, $rootdir, $conf, !$is_root, $unique, $skip_fw_config_restore);
} else {
my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir); # detect OS
PVE::LXC::Config->write_config($vmid, $conf); # safe config (after OS detection)
}
sub restore_configuration {
- my ($vmid, $rootdir, $conf, $restricted, $unique) = @_;
+ my ($vmid, $rootdir, $conf, $restricted, $unique, $skip_fw) = @_;
# restore: try to extract configuration from archive
}
unlink($pct_cfg_fn);
- if (-f $pct_fwcfg_fn) {
+ # note: this file is possibly from the container itself in backups
+ # created prior to pve-container 2.0-40 (PVE 5.x) / 3.0-5 (PVE 6.x)
+ # only copy non-empty, non-symlink files, and only if the user is
+ # allowed to modify the firewall config anyways
+ if (-f $pct_fwcfg_fn && ! -l $pct_fwcfg_fn && -s $pct_fwcfg_fn) {
my $pve_firewall_dir = '/etc/pve/firewall';
- mkdir $pve_firewall_dir; # make sure the directory exists
- PVE::Tools::file_copy($pct_fwcfg_fn, "${pve_firewall_dir}/$vmid.fw");
+ my $pct_fwcfg_target = "${pve_firewall_dir}/${vmid}.fw";
+ if ($skip_fw) {
+ warn "ignoring firewall config from backup archive's '$pct_fwcfg_fn', lacking API permission to modify firewall.\n";
+ warn "old firewall configuration in '$pct_fwcfg_target' left in place!\n"
+ if -e $pct_fwcfg_target;
+ } else {
+ mkdir $pve_firewall_dir; # make sure the directory exists
+ PVE::Tools::file_copy($pct_fwcfg_fn, $pct_fwcfg_target);
+ }
unlink $pct_fwcfg_fn;
}