--- /dev/null
+include ../../defines.mk
+
+SOURCES=pvestatd.pm pveproxy.pm
+
+.PHONY: install
+install: ${SOURCES}
+ install -d -m 0755 ${PERLLIBDIR}/PVE/Service
+ for i in ${SOURCES}; do install -D -m 0644 $$i ${PERLLIBDIR}/PVE/Service/$$i; done
+
+clean:
--- /dev/null
+package PVE::Service::pveproxy;
+
+use strict;
+use warnings;
+
+use PVE::SafeSyslog;
+use PVE::Daemon;
+use HTTP::Response;
+use Encode;
+use URI;
+use URI::QueryParam;
+use File::Find;
+use Data::Dumper;
+use PVE::API2Tools;
+use PVE::API2;
+use PVE::API2::Formatter::Standard;
+use PVE::API2::Formatter::HTML;
+use PVE::HTTPServer;
+
+use PVE::ExtJSIndex;
+use PVE::ExtJSIndex5;
+use PVE::NoVncIndex;
+use PVE::TouchIndex;
+
+use PVE::Tools;
+
+use base qw(PVE::Daemon);
+
+my $cmdline = [$0, @ARGV];
+
+my %daemon_options = (
+ max_workers => 3,
+ restart_on_error => 5,
+ stop_wait_time => 15,
+ leave_children_open_on_reload => 1,
+ setuid => 'www-data',
+ setgid => 'www-data',
+ pidfile => '/var/run/pveproxy/pveproxy.pid',
+);
+
+my $daemon = __PACKAGE__->new('pveproxy', $cmdline, %daemon_options);
+
+sub add_dirs {
+ my ($result_hash, $alias, $subdir) = @_;
+
+ $result_hash->{$alias} = $subdir;
+
+ my $wanted = sub {
+ my $dir = $File::Find::dir;
+ if ($dir =~m!^$subdir(.*)$!) {
+ my $name = "$alias$1/";
+ $result_hash->{$name} = "$dir/";
+ }
+ };
+
+ find({wanted => $wanted, follow => 0, no_chdir => 1}, $subdir);
+}
+
+sub init {
+ my ($self) = @_;
+
+ # we use same ALLOW/DENY/POLICY as pveproxy
+ my $proxyconf = PVE::API2Tools::read_proxy_config();
+
+ my $accept_lock_fn = "/var/lock/pveproxy.lck";
+
+ my $lockfh = IO::File->new(">>${accept_lock_fn}") ||
+ die "unable to open lock file '${accept_lock_fn}' - $!\n";
+
+ my $family = PVE::Tools::get_host_address_family($self->{nodename});
+ my $socket = $self->create_reusable_socket(8006, undef, $family);
+
+ my $dirs = {};
+
+ add_dirs($dirs, '/pve2/locale/', '/usr/share/pve-manager/locale/');
+ add_dirs($dirs, '/pve2/touch/', '/usr/share/pve-manager/touch/');
+ add_dirs($dirs, '/pve2/ext4/', '/usr/share/pve-manager/ext4/');
+ add_dirs($dirs, '/pve2/ext5/', '/usr/share/pve-manager/ext5/');
+ add_dirs($dirs, '/pve2/manager5/', '/usr/share/pve-manager/manager5/');
+ add_dirs($dirs, '/pve2/images/' => '/usr/share/pve-manager/images/');
+ add_dirs($dirs, '/pve2/css/' => '/usr/share/pve-manager/css/');
+ add_dirs($dirs, '/pve2/js/' => '/usr/share/pve-manager/js/');
+ add_dirs($dirs, '/vncterm/' => '/usr/share/vncterm/');
+ add_dirs($dirs, '/novnc/' => '/usr/share/novnc-pve/');
+
+ $self->{server_config} = {
+ base_handler_class => 'PVE::API2',
+ keep_alive => 100,
+ max_conn => 500,
+ max_requests => 1000,
+ lockfile => $accept_lock_fn,
+ socket => $socket,
+ lockfh => $lockfh,
+ debug => $self->{debug},
+ trusted_env => 0, # not trusted, anyone can connect
+ logfile => '/var/log/pveproxy/access.log',
+ allow_from => $proxyconf->{ALLOW_FROM},
+ deny_from => $proxyconf->{DENY_FROM},
+ policy => $proxyconf->{POLICY},
+ ssl => {
+ # Note: older versions are considered insecure, for example
+ # search for "Poodle"-Attac
+ method => 'tlsv1',
+ sslv2 => 0,
+ sslv3 => 0,
+ cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5',
+ key_file => '/etc/pve/local/pve-ssl.key',
+ cert_file => '/etc/pve/local/pve-ssl.pem',
+ },
+ # Note: there is no authentication for those pages and dirs!
+ pages => {
+ '/' => \&get_index,
+ # avoid authentication when accessing favicon
+ '/favicon.ico' => {
+ file => '/usr/share/pve-manager/images/favicon.ico',
+ },
+ },
+ dirs => $dirs,
+ };
+}
+
+sub run {
+ my ($self) = @_;
+
+ my $server = PVE::HTTPServer->new(%{$self->{server_config}});
+ $server->run();
+}
+
+$daemon->register_start_command();
+$daemon->register_restart_command(1);
+$daemon->register_stop_command();
+$daemon->register_status_command();
+
+our $cmddef = {
+ start => [ __PACKAGE__, 'start', []],
+ restart => [ __PACKAGE__, 'restart', []],
+ stop => [ __PACKAGE__, 'stop', []],
+ status => [ __PACKAGE__, 'status', [], undef, sub { print shift . "\n";} ],
+};
+
+sub is_phone {
+ my ($ua) = @_;
+
+ return 0 if !$ua;
+
+ return 1 if $ua =~ m/(iPhone|iPod|Windows Phone)/;
+
+ if ($ua =~ m/Mobile(\/|\s)/) {
+ return 1 if $ua =~ m/(BlackBerry|BB)/;
+ return 1 if ($ua =~ m/(Android)/) && ($ua !~ m/(Silk)/);
+ }
+
+ return 0;
+}
+
+# NOTE: Requests to those pages are not authenticated
+# so we must be very careful here
+
+sub get_index {
+ my ($server, $r, $args) = @_;
+
+ my $lang = 'en';
+ my $username;
+ my $token = 'null';
+
+ if (my $cookie = $r->header('Cookie')) {
+ if (my $newlang = ($cookie =~ /(?:^|\s)PVELangCookie=([^;]*)/)[0]) {
+ if ($newlang =~ m/^[a-z]{2,3}(_[A-Z]{2,3})?$/) {
+ $lang = $newlang;
+ }
+ }
+ my $ticket = PVE::REST::extract_auth_cookie($cookie);
+ if (($username = PVE::AccessControl::verify_ticket($ticket, 1))) {
+ $token = PVE::AccessControl::assemble_csrf_prevention_token($username);
+ }
+ }
+
+ $username = '' if !$username;
+
+ my $mobile = is_phone($r->header('User-Agent')) ? 1 : 0;
+
+ if (defined($args->{mobile})) {
+ $mobile = $args->{mobile} ? 1 : 0;
+ }
+
+ my $ext5;
+ if (defined($args->{ext5})) {
+ $ext5 = $args->{ext5} ? 1 : 0;
+ }
+
+ my $page;
+
+ if (defined($args->{console}) && $args->{novnc}) {
+ $page = PVE::NoVncIndex::get_index($lang, $username, $token, $args->{console});
+ } elsif ($mobile) {
+ $page = PVE::TouchIndex::get_index($lang, $username, $token, $args->{console});
+ } elsif ($ext5) {
+ $page = PVE::ExtJSIndex5::get_index($lang, $username, $token, $args->{console});
+ } else {
+ $page = PVE::ExtJSIndex::get_index($lang, $username, $token, $args->{console});
+ }
+ my $headers = HTTP::Headers->new(Content_Type => "text/html; charset=utf-8");
+ my $resp = HTTP::Response->new(200, "OK", $headers, $page);
+
+ return $resp;
+}
+
+1;
+
+__END__
+
+=head1 NAME
+
+pveproxy - the PVE API proxy server
+
+=head1 SYNOPSIS
+
+=include synopsis
+
+=head1 DESCRIPTION
+
+This is the REST API proxy server, listening on port 8006. This is usually
+started as service using:
+
+ # service pveproxy start
+
+=head1 Host based access control
+
+It is possible to configure apache2 like access control lists. Values are read
+from file /etc/default/pveproxy. For example:
+
+ ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
+ DENY_FROM="all"
+ POLICY="allow"
+
+IP addresses can be specified using any syntax understoop by Net::IP. The
+name 'all' is an alias for '0/0'.
+
+The default policy is 'allow'.
+
+ Match | POLICY=deny | POLICY=allow
+ ---------------------------|-------------|------------
+ Match Allow only | allow | allow
+ Match Deny only | deny | deny
+ No match | deny | allow
+ Match Both Allow & Deny | deny | allow
+
+=head1 SSL Cipher Suite
+
+You can define the chiper list in /etc/default/pveproxy, for example
+
+ CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
+
+Above is the default. See the ciphers(1) man page from the openssl
+package for list of all available options.
+
+=head1 FILES
+
+ /etc/default/pveproxy
+
+=include pve_copyright
perl -I.. -T ./pvedaemon printmanpod >$@
pveproxy.1.pod: pveproxy
- perl -I.. -T ./pveproxy printmanpod >$@
+ perl -I.. -T -e "use PVE::Service::pveproxy; PVE::Service::pveproxy->generate_pod_manpage();" >$@
+
+pveproxy.bash-completion:
+ perl -I.. -T -e "use PVE::Service::pveproxy; PVE::Service::pveproxy->generate_bash_completions();" >$@
spiceproxy.1.pod: spiceproxy
perl -I.. -T ./spiceproxy printmanpod >$@
gcc $< -o $@ -g -O2 -Wall -ldl -lc
.PHONY: install
-install: ${SCRIPTS} ${MANS} pvemailforward vzdump.bash-completion pvestatd.bash-completion
+install: ${SCRIPTS} ${MANS} pvemailforward vzdump.bash-completion pvestatd.bash-completion pveproxy.bash-completion
perl -I.. -T -e "use PVE::CLI::vzdump; PVE::CLI::vzdump->verify_api();"
+ perl -I.. -T -e "use PVE::Service::pvestatd; PVE::Service::pvestatd->verify_api();"
+ perl -I.. -T -e "use PVE::Service::pveproxy; PVE::Service::pveproxy->verify_api();"
perl -I.. ./pvesh verifyapi
install -d ${BINDIR}
install -m 0755 ${SCRIPTS} ${BINDIR}
install -m 0644 pvesubscription.1.pod ${PODDIR}
install -m 0644 -D vzdump.bash-completion ${BASHCOMPLDIR}/vzdump
install -m 0644 -D pvestatd.bash-completion ${BASHCOMPLDIR}/pvestatd
+ install -m 0644 -D pveproxy.bash-completion ${BASHCOMPLDIR}/pveproxy
set -e && for i in ${SUBDIRS}; do ${MAKE} -C $$i $@; done
.PHONY: distclean
use strict;
use warnings;
-use PVE::SafeSyslog;
-use PVE::Daemon;
-use HTTP::Response;
-use Encode;
-use URI;
-use URI::QueryParam;
-use File::Find;
-use Data::Dumper;
-use PVE::API2Tools;
-use PVE::API2;
-use PVE::API2::Formatter::Standard;
-use PVE::API2::Formatter::HTML;
-use PVE::HTTPServer;
-
-use PVE::ExtJSIndex;
-use PVE::ExtJSIndex5;
-use PVE::NoVncIndex;
-use PVE::TouchIndex;
-
-use PVE::Tools;
-
-use base qw(PVE::Daemon);
+use PVE::Service::pveproxy;
$SIG{'__WARN__'} = sub {
my $err = $@;
$@ = $err;
};
-my $cmdline = [$0, @ARGV];
-
-my %daemon_options = (
- max_workers => 3,
- restart_on_error => 5,
- stop_wait_time => 15,
- leave_children_open_on_reload => 1,
- setuid => 'www-data',
- setgid => 'www-data',
- pidfile => '/var/run/pveproxy/pveproxy.pid',
-);
-
-my $daemon = __PACKAGE__->new('pveproxy', $cmdline, %daemon_options);
-
-sub prepare {
+my $prepare = sub {
my $rundir="/var/run/pveproxy";
if (mkdir($rundir, 0700)) { # only works at first start if we are root)
my $gid = getgrnam('www-data') || die "getgrnam failed - $!\n";
my $uid = getpwnam('www-data') || die "getpwnam failed - $!\n";
chown($uid, $gid, $rundir);
}
-}
-
-sub add_dirs {
- my ($result_hash, $alias, $subdir) = @_;
-
- $result_hash->{$alias} = $subdir;
-
- my $wanted = sub {
- my $dir = $File::Find::dir;
- if ($dir =~m!^$subdir(.*)$!) {
- my $name = "$alias$1/";
- $result_hash->{$name} = "$dir/";
- }
- };
-
- find({wanted => $wanted, follow => 0, no_chdir => 1}, $subdir);
-}
-
-sub init {
- my ($self) = @_;
-
- # we use same ALLOW/DENY/POLICY as pveproxy
- my $proxyconf = PVE::API2Tools::read_proxy_config();
-
- my $accept_lock_fn = "/var/lock/pveproxy.lck";
-
- my $lockfh = IO::File->new(">>${accept_lock_fn}") ||
- die "unable to open lock file '${accept_lock_fn}' - $!\n";
-
- my $family = PVE::Tools::get_host_address_family($self->{nodename});
- my $socket = $self->create_reusable_socket(8006, undef, $family);
-
- my $dirs = {};
-
- add_dirs($dirs, '/pve2/locale/', '/usr/share/pve-manager/locale/');
- add_dirs($dirs, '/pve2/touch/', '/usr/share/pve-manager/touch/');
- add_dirs($dirs, '/pve2/ext4/', '/usr/share/pve-manager/ext4/');
- add_dirs($dirs, '/pve2/ext5/', '/usr/share/pve-manager/ext5/');
- add_dirs($dirs, '/pve2/manager5/', '/usr/share/pve-manager/manager5/');
- add_dirs($dirs, '/pve2/images/' => '/usr/share/pve-manager/images/');
- add_dirs($dirs, '/pve2/css/' => '/usr/share/pve-manager/css/');
- add_dirs($dirs, '/pve2/js/' => '/usr/share/pve-manager/js/');
- add_dirs($dirs, '/vncterm/' => '/usr/share/vncterm/');
- add_dirs($dirs, '/novnc/' => '/usr/share/novnc-pve/');
-
- $self->{server_config} = {
- base_handler_class => 'PVE::API2',
- keep_alive => 100,
- max_conn => 500,
- max_requests => 1000,
- lockfile => $accept_lock_fn,
- socket => $socket,
- lockfh => $lockfh,
- debug => $self->{debug},
- trusted_env => 0, # not trusted, anyone can connect
- logfile => '/var/log/pveproxy/access.log',
- allow_from => $proxyconf->{ALLOW_FROM},
- deny_from => $proxyconf->{DENY_FROM},
- policy => $proxyconf->{POLICY},
- ssl => {
- # Note: older versions are considered insecure, for example
- # search for "Poodle"-Attac
- method => 'tlsv1',
- sslv2 => 0,
- sslv3 => 0,
- cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5',
- key_file => '/etc/pve/local/pve-ssl.key',
- cert_file => '/etc/pve/local/pve-ssl.pem',
- },
- # Note: there is no authentication for those pages and dirs!
- pages => {
- '/' => \&get_index,
- # avoid authentication when accessing favicon
- '/favicon.ico' => {
- file => '/usr/share/pve-manager/images/favicon.ico',
- },
- },
- dirs => $dirs,
- };
-}
-
-sub run {
- my ($self) = @_;
-
- my $server = PVE::HTTPServer->new(%{$self->{server_config}});
- $server->run();
-}
-
-$daemon->register_start_command();
-$daemon->register_restart_command(1);
-$daemon->register_stop_command();
-$daemon->register_status_command();
-
-my $cmddef = {
- start => [ __PACKAGE__, 'start', []],
- restart => [ __PACKAGE__, 'restart', []],
- stop => [ __PACKAGE__, 'stop', []],
- status => [ __PACKAGE__, 'status', [], undef, sub { print shift . "\n";} ],
};
-my $cmd = shift;
-
-PVE::CLIHandler::handle_cmd($cmddef, $0, $cmd, \@ARGV, undef, $0, \&prepare);
-
-exit (0);
-
-sub is_phone {
- my ($ua) = @_;
-
- return 0 if !$ua;
-
- return 1 if $ua =~ m/(iPhone|iPod|Windows Phone)/;
-
- if ($ua =~ m/Mobile(\/|\s)/) {
- return 1 if $ua =~ m/(BlackBerry|BB)/;
- return 1 if ($ua =~ m/(Android)/) && ($ua !~ m/(Silk)/);
- }
-
- return 0;
-}
-
-# NOTE: Requests to those pages are not authenticated
-# so we must be very careful here
-
-sub get_index {
- my ($server, $r, $args) = @_;
-
- my $lang = 'en';
- my $username;
- my $token = 'null';
-
- if (my $cookie = $r->header('Cookie')) {
- if (my $newlang = ($cookie =~ /(?:^|\s)PVELangCookie=([^;]*)/)[0]) {
- if ($newlang =~ m/^[a-z]{2,3}(_[A-Z]{2,3})?$/) {
- $lang = $newlang;
- }
- }
- my $ticket = PVE::REST::extract_auth_cookie($cookie);
- if (($username = PVE::AccessControl::verify_ticket($ticket, 1))) {
- $token = PVE::AccessControl::assemble_csrf_prevention_token($username);
- }
- }
-
- $username = '' if !$username;
-
- my $mobile = is_phone($r->header('User-Agent')) ? 1 : 0;
-
- if (defined($args->{mobile})) {
- $mobile = $args->{mobile} ? 1 : 0;
- }
-
- my $ext5;
- if (defined($args->{ext5})) {
- $ext5 = $args->{ext5} ? 1 : 0;
- }
-
- my $page;
-
- if (defined($args->{console}) && $args->{novnc}) {
- $page = PVE::NoVncIndex::get_index($lang, $username, $token, $args->{console});
- } elsif ($mobile) {
- $page = PVE::TouchIndex::get_index($lang, $username, $token, $args->{console});
- } elsif ($ext5) {
- $page = PVE::ExtJSIndex5::get_index($lang, $username, $token, $args->{console});
- } else {
- $page = PVE::ExtJSIndex::get_index($lang, $username, $token, $args->{console});
- }
- my $headers = HTTP::Headers->new(Content_Type => "text/html; charset=utf-8");
- my $resp = HTTP::Response->new(200, "OK", $headers, $page);
-
- return $resp;
-}
-
-__END__
-
-=head1 NAME
-
-pveproxy - the PVE API proxy server
-
-=head1 SYNOPSIS
-
-=include synopsis
-
-=head1 DESCRIPTION
-
-This is the REST API proxy server, listening on port 8006. This is usually
-started as service using:
-
- # service pveproxy start
-
-=head1 Host based access control
-
-It is possible to configure apache2 like access control lists. Values are read
-from file /etc/default/pveproxy. For example:
-
- ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
- DENY_FROM="all"
- POLICY="allow"
-
-IP addresses can be specified using any syntax understoop by Net::IP. The
-name 'all' is an alias for '0/0'.
-
-The default policy is 'allow'.
-
- Match | POLICY=deny | POLICY=allow
- ---------------------------|-------------|------------
- Match Allow only | allow | allow
- Match Deny only | deny | deny
- No match | deny | allow
- Match Both Allow & Deny | deny | allow
-
-=head1 SSL Cipher Suite
-
-You can define the chiper list in /etc/default/pveproxy, for example
-
- CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
-
-Above is the default. See the ciphers(1) man page from the openssl
-package for list of all available options.
-
-=head1 FILES
-
- /etc/default/pveproxy
-
-=include pve_copyright
+PVE::Service::pveproxy->run_cli(undef, undef, $prepare);