]>
Commit | Line | Data |
---|---|---|
271fe394 DM |
1 | package PVE::Storage::PBSPlugin; |
2 | ||
3 | # Plugin to access Proxmox Backup Server | |
4 | ||
5 | use strict; | |
6 | use warnings; | |
4133e6e2 | 7 | |
76bb5feb | 8 | use Fcntl qw(F_GETFD F_SETFD FD_CLOEXEC); |
76bb5feb | 9 | use IO::File; |
271fe394 | 10 | use JSON; |
c56f7a71 | 11 | use MIME::Base64 qw(decode_base64); |
bfba9626 FE |
12 | use POSIX qw(mktime strftime ENOENT); |
13 | use POSIX::strptime; | |
271fe394 | 14 | |
2f9eb6dc | 15 | use PVE::APIClient::LWP; |
271fe394 | 16 | use PVE::JSONSchema qw(get_standard_option); |
4133e6e2 | 17 | use PVE::Network; |
53003cb5 | 18 | use PVE::PBSClient; |
4133e6e2 TL |
19 | use PVE::Storage::Plugin; |
20 | use PVE::Tools qw(run_command file_read_firstline trim dir_glob_regex dir_glob_foreach $IPV6RE); | |
271fe394 DM |
21 | |
22 | use base qw(PVE::Storage::Plugin); | |
23 | ||
24 | # Configuration | |
25 | ||
26 | sub type { | |
27 | return 'pbs'; | |
28 | } | |
29 | ||
30 | sub plugindata { | |
31 | return { | |
32 | content => [ {backup => 1, none => 1}, { backup => 1 }], | |
33 | }; | |
34 | } | |
35 | ||
36 | sub properties { | |
37 | return { | |
38 | datastore => { | |
4133e6e2 | 39 | description => "Proxmox Backup Server datastore name.", |
271fe394 DM |
40 | type => 'string', |
41 | }, | |
42 | # openssl s_client -connect <host>:8007 2>&1 |openssl x509 -fingerprint -sha256 | |
43 | fingerprint => get_standard_option('fingerprint-sha256'), | |
ce2e2733 | 44 | 'encryption-key' => { |
1aeb322b | 45 | description => "Encryption key. Use 'autogen' to generate one automatically without passphrase.", |
76bb5feb WB |
46 | type => 'string', |
47 | }, | |
c56f7a71 | 48 | 'master-pubkey' => { |
5b955999 | 49 | description => "Base64-encoded, PEM-formatted public RSA key. Used to encrypt a copy of the encryption-key which will be added to each encrypted backup.", |
c56f7a71 FG |
50 | type => 'string', |
51 | }, | |
4133e6e2 TL |
52 | port => { |
53 | description => "For non default port.", | |
54 | type => 'integer', | |
55 | minimum => 1, | |
56 | maximum => 65535, | |
57 | default => 8007, | |
2f9eb6dc | 58 | }, |
271fe394 DM |
59 | }; |
60 | } | |
61 | ||
62 | sub options { | |
63 | return { | |
64 | server => { fixed => 1 }, | |
65 | datastore => { fixed => 1 }, | |
4133e6e2 | 66 | port => { optional => 1 }, |
271fe394 DM |
67 | nodes => { optional => 1}, |
68 | disable => { optional => 1}, | |
69 | content => { optional => 1}, | |
70 | username => { optional => 1 }, | |
ce2e2733 TL |
71 | password => { optional => 1 }, |
72 | 'encryption-key' => { optional => 1 }, | |
c56f7a71 | 73 | 'master-pubkey' => { optional => 1 }, |
271fe394 | 74 | maxfiles => { optional => 1 }, |
3353698f | 75 | 'prune-backups' => { optional => 1 }, |
8009417d | 76 | 'max-protected-backups' => { optional => 1 }, |
271fe394 DM |
77 | fingerprint => { optional => 1 }, |
78 | }; | |
79 | } | |
80 | ||
81 | # Helpers | |
82 | ||
83 | sub pbs_password_file_name { | |
84 | my ($scfg, $storeid) = @_; | |
85 | ||
462537a2 | 86 | return "/etc/pve/priv/storage/${storeid}.pw"; |
271fe394 DM |
87 | } |
88 | ||
89 | sub pbs_set_password { | |
90 | my ($scfg, $storeid, $password) = @_; | |
91 | ||
92 | my $pwfile = pbs_password_file_name($scfg, $storeid); | |
9e34813f | 93 | mkdir "/etc/pve/priv/storage"; |
271fe394 DM |
94 | |
95 | PVE::Tools::file_set_contents($pwfile, "$password\n"); | |
96 | } | |
97 | ||
98 | sub pbs_delete_password { | |
99 | my ($scfg, $storeid) = @_; | |
100 | ||
101 | my $pwfile = pbs_password_file_name($scfg, $storeid); | |
102 | ||
103 | unlink $pwfile; | |
104 | } | |
105 | ||
106 | sub pbs_get_password { | |
107 | my ($scfg, $storeid) = @_; | |
108 | ||
109 | my $pwfile = pbs_password_file_name($scfg, $storeid); | |
110 | ||
111 | return PVE::Tools::file_read_firstline($pwfile); | |
112 | } | |
113 | ||
76bb5feb WB |
114 | sub pbs_encryption_key_file_name { |
115 | my ($scfg, $storeid) = @_; | |
116 | ||
117 | return "/etc/pve/priv/storage/${storeid}.enc"; | |
118 | } | |
119 | ||
120 | sub pbs_set_encryption_key { | |
121 | my ($scfg, $storeid, $key) = @_; | |
122 | ||
123 | my $pwfile = pbs_encryption_key_file_name($scfg, $storeid); | |
124 | mkdir "/etc/pve/priv/storage"; | |
125 | ||
126 | PVE::Tools::file_set_contents($pwfile, "$key\n"); | |
127 | } | |
128 | ||
129 | sub pbs_delete_encryption_key { | |
130 | my ($scfg, $storeid) = @_; | |
131 | ||
132 | my $pwfile = pbs_encryption_key_file_name($scfg, $storeid); | |
133 | ||
4ef17e1f TL |
134 | if (!unlink $pwfile) { |
135 | return if $! == ENOENT; | |
136 | die "failed to delete encryption key! $!\n"; | |
137 | } | |
18cf6c9f | 138 | delete $scfg->{'encryption-key'}; |
76bb5feb WB |
139 | } |
140 | ||
141 | sub pbs_get_encryption_key { | |
142 | my ($scfg, $storeid) = @_; | |
143 | ||
144 | my $pwfile = pbs_encryption_key_file_name($scfg, $storeid); | |
145 | ||
146 | return PVE::Tools::file_get_contents($pwfile); | |
147 | } | |
148 | ||
149 | # Returns a file handle if there is an encryption key, or `undef` if there is not. Dies on error. | |
150 | sub pbs_open_encryption_key { | |
151 | my ($scfg, $storeid) = @_; | |
152 | ||
153 | my $encryption_key_file = pbs_encryption_key_file_name($scfg, $storeid); | |
154 | ||
155 | my $keyfd; | |
156 | if (!open($keyfd, '<', $encryption_key_file)) { | |
157 | return undef if $! == ENOENT; | |
158 | die "failed to open encryption key: $encryption_key_file: $!\n"; | |
159 | } | |
160 | ||
161 | return $keyfd; | |
162 | } | |
163 | ||
c56f7a71 FG |
164 | sub pbs_master_pubkey_file_name { |
165 | my ($scfg, $storeid) = @_; | |
166 | ||
167 | return "/etc/pve/priv/storage/${storeid}.master.pem"; | |
168 | } | |
169 | ||
170 | sub pbs_set_master_pubkey { | |
171 | my ($scfg, $storeid, $key) = @_; | |
172 | ||
173 | my $pwfile = pbs_master_pubkey_file_name($scfg, $storeid); | |
174 | mkdir "/etc/pve/priv/storage"; | |
175 | ||
176 | PVE::Tools::file_set_contents($pwfile, "$key\n"); | |
177 | } | |
178 | ||
179 | sub pbs_delete_master_pubkey { | |
180 | my ($scfg, $storeid) = @_; | |
181 | ||
182 | my $pwfile = pbs_master_pubkey_file_name($scfg, $storeid); | |
183 | ||
184 | if (!unlink $pwfile) { | |
185 | return if $! == ENOENT; | |
186 | die "failed to delete master public key! $!\n"; | |
187 | } | |
188 | delete $scfg->{'master-pubkey'}; | |
189 | } | |
190 | ||
191 | sub pbs_get_master_pubkey { | |
192 | my ($scfg, $storeid) = @_; | |
193 | ||
194 | my $pwfile = pbs_master_pubkey_file_name($scfg, $storeid); | |
195 | ||
196 | return PVE::Tools::file_get_contents($pwfile); | |
197 | } | |
198 | ||
199 | # Returns a file handle if there is a master key, or `undef` if there is not. Dies on error. | |
200 | sub pbs_open_master_pubkey { | |
201 | my ($scfg, $storeid) = @_; | |
202 | ||
203 | my $master_pubkey_file = pbs_master_pubkey_file_name($scfg, $storeid); | |
204 | ||
205 | my $keyfd; | |
206 | if (!open($keyfd, '<', $master_pubkey_file)) { | |
207 | return undef if $! == ENOENT; | |
208 | die "failed to open master public key: $master_pubkey_file: $!\n"; | |
209 | } | |
210 | ||
211 | return $keyfd; | |
212 | } | |
213 | ||
8602fd56 FE |
214 | sub print_volid { |
215 | my ($storeid, $btype, $bid, $btime) = @_; | |
216 | ||
217 | my $time_str = strftime("%FT%TZ", gmtime($btime)); | |
218 | my $volname = "backup/${btype}/${bid}/${time_str}"; | |
219 | ||
220 | return "${storeid}:${volname}"; | |
221 | } | |
271fe394 | 222 | |
bfba9626 FE |
223 | # essentially the inverse of print_volid |
224 | sub api_param_from_volname { | |
225 | my ($class, $volname) = @_; | |
226 | ||
227 | my $name = ($class->parse_volname($volname))[1]; | |
228 | ||
229 | my ($btype, $bid, $timestr) = split('/', $name); | |
230 | ||
231 | my @tm = (POSIX::strptime($timestr, "%FT%TZ")); | |
232 | # expect sec, min, hour, mday, mon, year | |
233 | die "error parsing time from '$volname'" if grep { !defined($_) } @tm[0..5]; | |
234 | ||
235 | my $btime; | |
236 | { | |
237 | local $ENV{TZ} = 'UTC'; # $timestr is UTC | |
238 | ||
239 | # Fill in isdst to avoid undef warning. No daylight saving time for UTC. | |
240 | $tm[8] //= 0; | |
241 | ||
242 | my $since_epoch = mktime(@tm) or die "error converting time from '$volname'\n"; | |
243 | $btime = int($since_epoch); | |
244 | } | |
245 | ||
246 | return { | |
247 | 'backup-type' => $btype, | |
248 | 'backup-id' => $bid, | |
249 | 'backup-time' => $btime, | |
250 | }; | |
251 | } | |
252 | ||
02cc5e10 WB |
253 | my $USE_CRYPT_PARAMS = { |
254 | backup => 1, | |
255 | restore => 1, | |
256 | 'upload-log' => 1, | |
257 | }; | |
258 | ||
c56f7a71 FG |
259 | my $USE_MASTER_KEY = { |
260 | backup => 1, | |
261 | }; | |
262 | ||
76bb5feb | 263 | my sub do_raw_client_cmd { |
02cc5e10 WB |
264 | my ($scfg, $storeid, $client_cmd, $param, %opts) = @_; |
265 | ||
266 | my $use_crypto = $USE_CRYPT_PARAMS->{$client_cmd}; | |
c56f7a71 | 267 | my $use_master = $USE_MASTER_KEY->{$client_cmd}; |
271fe394 | 268 | |
1574a590 TL |
269 | my $client_exe = '/usr/bin/proxmox-backup-client'; |
270 | die "executable not found '$client_exe'! Proxmox backup client not installed?\n" | |
271 | if ! -x $client_exe; | |
272 | ||
53003cb5 | 273 | my $repo = PVE::PBSClient::get_repository($scfg); |
271fe394 DM |
274 | |
275 | my $userns_cmd = delete $opts{userns_cmd}; | |
276 | ||
277 | my $cmd = []; | |
278 | ||
279 | push @$cmd, @$userns_cmd if defined($userns_cmd); | |
280 | ||
1574a590 | 281 | push @$cmd, $client_exe, $client_cmd; |
271fe394 | 282 | |
76bb5feb | 283 | # This must live in the top scope to not get closed before the `run_command` |
c56f7a71 | 284 | my ($keyfd, $master_fd); |
02cc5e10 | 285 | if ($use_crypto) { |
76bb5feb WB |
286 | if (defined($keyfd = pbs_open_encryption_key($scfg, $storeid))) { |
287 | my $flags = fcntl($keyfd, F_GETFD, 0) | |
288 | // die "failed to get file descriptor flags: $!\n"; | |
289 | fcntl($keyfd, F_SETFD, $flags & ~FD_CLOEXEC) | |
290 | or die "failed to remove FD_CLOEXEC from encryption key file descriptor\n"; | |
291 | push @$cmd, '--crypt-mode=encrypt', '--keyfd='.fileno($keyfd); | |
c56f7a71 FG |
292 | if ($use_master && defined($master_fd = pbs_open_master_pubkey($scfg, $storeid))) { |
293 | my $flags = fcntl($master_fd, F_GETFD, 0) | |
294 | // die "failed to get file descriptor flags: $!\n"; | |
295 | fcntl($master_fd, F_SETFD, $flags & ~FD_CLOEXEC) | |
296 | or die "failed to remove FD_CLOEXEC from master public key file descriptor\n"; | |
297 | push @$cmd, '--master-pubkey-fd='.fileno($master_fd); | |
298 | } | |
76bb5feb WB |
299 | } else { |
300 | push @$cmd, '--crypt-mode=none'; | |
301 | } | |
302 | } | |
303 | ||
271fe394 DM |
304 | push @$cmd, @$param if defined($param); |
305 | ||
53003cb5 | 306 | push @$cmd, "--repository", $repo; |
271fe394 DM |
307 | |
308 | local $ENV{PBS_PASSWORD} = pbs_get_password($scfg, $storeid); | |
309 | ||
310 | local $ENV{PBS_FINGERPRINT} = $scfg->{fingerprint}; | |
311 | ||
8b4c2a7e DM |
312 | # no ascii-art on task logs |
313 | local $ENV{PROXMOX_OUTPUT_NO_BORDER} = 1; | |
314 | local $ENV{PROXMOX_OUTPUT_NO_HEADER} = 1; | |
315 | ||
271fe394 | 316 | if (my $logfunc = $opts{logfunc}) { |
e6d1edcb | 317 | $logfunc->("run: " . join(' ', @$cmd)); |
271fe394 DM |
318 | } |
319 | ||
320 | run_command($cmd, %opts); | |
321 | } | |
322 | ||
76bb5feb WB |
323 | # FIXME: External perl code should NOT have access to this. |
324 | # | |
325 | # There should be separate functions to | |
326 | # - make backups | |
327 | # - restore backups | |
328 | # - restore files | |
329 | # with a sane API | |
02cc5e10 | 330 | sub run_raw_client_cmd { |
76bb5feb | 331 | my ($scfg, $storeid, $client_cmd, $param, %opts) = @_; |
02cc5e10 | 332 | return do_raw_client_cmd($scfg, $storeid, $client_cmd, $param, %opts); |
76bb5feb WB |
333 | } |
334 | ||
271fe394 DM |
335 | sub run_client_cmd { |
336 | my ($scfg, $storeid, $client_cmd, $param, $no_output) = @_; | |
337 | ||
338 | my $json_str = ''; | |
fee2ece3 | 339 | my $outfunc = sub { $json_str .= "$_[0]\n" }; |
271fe394 DM |
340 | |
341 | $param = [] if !defined($param); | |
342 | $param = [ $param ] if !ref($param); | |
343 | ||
344 | $param = [@$param, '--output-format=json'] if !$no_output; | |
345 | ||
02cc5e10 | 346 | do_raw_client_cmd($scfg, $storeid, $client_cmd, $param, |
76bb5feb | 347 | outfunc => $outfunc, errmsg => 'proxmox-backup-client failed'); |
271fe394 DM |
348 | |
349 | return undef if $no_output; | |
350 | ||
351 | my $res = decode_json($json_str); | |
352 | ||
353 | return $res; | |
354 | } | |
355 | ||
356 | # Storage implementation | |
357 | ||
c855ac15 DM |
358 | sub extract_vzdump_config { |
359 | my ($class, $scfg, $volname, $storeid) = @_; | |
360 | ||
361 | my ($vtype, $name, $vmid, undef, undef, undef, $format) = $class->parse_volname($volname); | |
362 | ||
363 | my $config = ''; | |
fee2ece3 | 364 | my $outfunc = sub { $config .= "$_[0]\n" }; |
c855ac15 DM |
365 | |
366 | my $config_name; | |
367 | if ($format eq 'pbs-vm') { | |
368 | $config_name = 'qemu-server.conf'; | |
369 | } elsif ($format eq 'pbs-ct') { | |
370 | $config_name = 'pct.conf'; | |
371 | } else { | |
372 | die "unable to extract configuration for backup format '$format'\n"; | |
373 | } | |
374 | ||
02cc5e10 | 375 | do_raw_client_cmd($scfg, $storeid, 'restore', [ $name, $config_name, '-' ], |
76bb5feb | 376 | outfunc => $outfunc, errmsg => 'proxmox-backup-client failed'); |
c855ac15 DM |
377 | |
378 | return $config; | |
379 | } | |
380 | ||
8f26b391 FE |
381 | sub prune_backups { |
382 | my ($class, $scfg, $storeid, $keep, $vmid, $type, $dryrun, $logfunc) = @_; | |
383 | ||
384 | $logfunc //= sub { print "$_[1]\n" }; | |
385 | ||
386 | my $backups = $class->list_volumes($storeid, $scfg, $vmid, ['backup']); | |
387 | ||
388 | $type = 'vm' if defined($type) && $type eq 'qemu'; | |
389 | $type = 'ct' if defined($type) && $type eq 'lxc'; | |
390 | ||
391 | my $backup_groups = {}; | |
392 | foreach my $backup (@{$backups}) { | |
393 | (my $backup_type = $backup->{format}) =~ s/^pbs-//; | |
394 | ||
395 | next if defined($type) && $backup_type ne $type; | |
396 | ||
397 | my $backup_group = "$backup_type/$backup->{vmid}"; | |
398 | $backup_groups->{$backup_group} = 1; | |
399 | } | |
400 | ||
401 | my @param; | |
1b87f013 FE |
402 | |
403 | my $keep_all = delete $keep->{'keep-all'}; | |
404 | ||
405 | if (!$keep_all) { | |
406 | foreach my $opt (keys %{$keep}) { | |
407 | next if $keep->{$opt} == 0; | |
408 | push @param, "--$opt"; | |
409 | push @param, "$keep->{$opt}"; | |
410 | } | |
411 | } else { # no need to pass anything to PBS | |
412 | $keep = { 'keep-all' => 1 }; | |
8f26b391 FE |
413 | } |
414 | ||
415 | push @param, '--dry-run' if $dryrun; | |
416 | ||
417 | my $prune_list = []; | |
418 | my $failed; | |
419 | ||
420 | foreach my $backup_group (keys %{$backup_groups}) { | |
421 | $logfunc->('info', "running 'proxmox-backup-client prune' for '$backup_group'") | |
422 | if !$dryrun; | |
423 | eval { | |
424 | my $res = run_client_cmd($scfg, $storeid, 'prune', [ $backup_group, @param ]); | |
425 | ||
426 | foreach my $backup (@{$res}) { | |
427 | die "result from proxmox-backup-client is not as expected\n" | |
428 | if !defined($backup->{'backup-time'}) | |
429 | || !defined($backup->{'backup-type'}) | |
430 | || !defined($backup->{'backup-id'}) | |
431 | || !defined($backup->{'keep'}); | |
432 | ||
433 | my $ctime = $backup->{'backup-time'}; | |
434 | my $type = $backup->{'backup-type'}; | |
435 | my $vmid = $backup->{'backup-id'}; | |
436 | my $volid = print_volid($storeid, $type, $vmid, $ctime); | |
437 | ||
bfba9626 FE |
438 | my $mark = $backup->{keep} ? 'keep' : 'remove'; |
439 | $mark = 'protected' if $backup->{protected}; | |
440 | ||
8f26b391 FE |
441 | push @{$prune_list}, { |
442 | ctime => $ctime, | |
bfba9626 | 443 | mark => $mark, |
8f26b391 FE |
444 | type => $type eq 'vm' ? 'qemu' : 'lxc', |
445 | vmid => $vmid, | |
446 | volid => $volid, | |
447 | }; | |
448 | } | |
449 | }; | |
450 | if (my $err = $@) { | |
451 | $logfunc->('err', "prune '$backup_group': $err\n"); | |
452 | $failed = 1; | |
453 | } | |
454 | } | |
455 | die "error pruning backups - check log\n" if $failed; | |
456 | ||
457 | return $prune_list; | |
458 | } | |
459 | ||
1aeb322b TL |
460 | my $autogen_encryption_key = sub { |
461 | my ($scfg, $storeid) = @_; | |
462 | my $encfile = pbs_encryption_key_file_name($scfg, $storeid); | |
478609d3 TL |
463 | if (-f $encfile) { |
464 | rename $encfile, "$encfile.old"; | |
465 | } | |
4558cb6e TL |
466 | my $cmd = ['proxmox-backup-client', 'key', 'create', '--kdf', 'none', $encfile]; |
467 | run_command($cmd, errmsg => 'failed to create encryption key'); | |
468 | return PVE::Tools::file_get_contents($encfile); | |
1aeb322b TL |
469 | }; |
470 | ||
271fe394 DM |
471 | sub on_add_hook { |
472 | my ($class, $storeid, $scfg, %param) = @_; | |
473 | ||
0b6b98d1 TL |
474 | my $res = {}; |
475 | ||
76bb5feb WB |
476 | if (defined(my $password = $param{password})) { |
477 | pbs_set_password($scfg, $storeid, $password); | |
b494636a DM |
478 | } else { |
479 | pbs_delete_password($scfg, $storeid); | |
480 | } | |
76bb5feb | 481 | |
ce2e2733 | 482 | if (defined(my $encryption_key = $param{'encryption-key'})) { |
d2c47b38 | 483 | my $decoded_key; |
1aeb322b | 484 | if ($encryption_key eq 'autogen') { |
0b6b98d1 | 485 | $res->{'encryption-key'} = $autogen_encryption_key->($scfg, $storeid); |
3cc2eb73 | 486 | $decoded_key = decode_json($res->{'encryption-key'}); |
1aeb322b | 487 | } else { |
d2c47b38 TL |
488 | $decoded_key = eval { decode_json($encryption_key) }; |
489 | if ($@ || !exists($decoded_key->{data})) { | |
490 | die "Value does not seems like a valid, JSON formatted encryption key!\n"; | |
491 | } | |
1aeb322b | 492 | pbs_set_encryption_key($scfg, $storeid, $encryption_key); |
0b6b98d1 | 493 | $res->{'encryption-key'} = $encryption_key; |
1aeb322b | 494 | } |
3cc2eb73 | 495 | $scfg->{'encryption-key'} = $decoded_key->{fingerprint} || 1; |
76bb5feb WB |
496 | } else { |
497 | pbs_delete_encryption_key($scfg, $storeid); | |
498 | } | |
0b6b98d1 | 499 | |
c56f7a71 FG |
500 | if (defined(my $master_key = delete $param{'master-pubkey'})) { |
501 | die "'master-pubkey' can only be used together with 'encryption-key'\n" | |
502 | if !defined($scfg->{'encryption-key'}); | |
503 | ||
504 | my $decoded = decode_base64($master_key); | |
505 | pbs_set_master_pubkey($scfg, $storeid, $decoded); | |
506 | $scfg->{'master-pubkey'} = 1; | |
507 | } else { | |
508 | pbs_delete_master_pubkey($scfg, $storeid); | |
509 | } | |
510 | ||
0b6b98d1 | 511 | return $res; |
b494636a DM |
512 | } |
513 | ||
514 | sub on_update_hook { | |
515 | my ($class, $storeid, $scfg, %param) = @_; | |
516 | ||
0b6b98d1 TL |
517 | my $res = {}; |
518 | ||
76bb5feb WB |
519 | if (exists($param{password})) { |
520 | if (defined($param{password})) { | |
521 | pbs_set_password($scfg, $storeid, $param{password}); | |
522 | } else { | |
523 | pbs_delete_password($scfg, $storeid); | |
524 | } | |
525 | } | |
b494636a | 526 | |
ce2e2733 TL |
527 | if (exists($param{'encryption-key'})) { |
528 | if (defined(my $encryption_key = delete($param{'encryption-key'}))) { | |
d2c47b38 | 529 | my $decoded_key; |
1aeb322b | 530 | if ($encryption_key eq 'autogen') { |
0b6b98d1 | 531 | $res->{'encryption-key'} = $autogen_encryption_key->($scfg, $storeid); |
3cc2eb73 | 532 | $decoded_key = decode_json($res->{'encryption-key'}); |
1aeb322b | 533 | } else { |
d2c47b38 TL |
534 | $decoded_key = eval { decode_json($encryption_key) }; |
535 | if ($@ || !exists($decoded_key->{data})) { | |
536 | die "Value does not seems like a valid, JSON formatted encryption key!\n"; | |
537 | } | |
1aeb322b | 538 | pbs_set_encryption_key($scfg, $storeid, $encryption_key); |
0b6b98d1 | 539 | $res->{'encryption-key'} = $encryption_key; |
1aeb322b | 540 | } |
3cc2eb73 | 541 | $scfg->{'encryption-key'} = $decoded_key->{fingerprint} || 1; |
76bb5feb WB |
542 | } else { |
543 | pbs_delete_encryption_key($scfg, $storeid); | |
c56f7a71 FG |
544 | delete $scfg->{'encryption-key'}; |
545 | } | |
546 | } | |
547 | ||
548 | if (exists($param{'master-pubkey'})) { | |
549 | if (defined(my $master_key = delete($param{'master-pubkey'}))) { | |
550 | my $decoded = decode_base64($master_key); | |
551 | ||
552 | pbs_set_master_pubkey($scfg, $storeid, $decoded); | |
553 | $scfg->{'master-pubkey'} = 1; | |
554 | } else { | |
555 | pbs_delete_master_pubkey($scfg, $storeid); | |
76bb5feb | 556 | } |
271fe394 | 557 | } |
0b6b98d1 TL |
558 | |
559 | return $res; | |
271fe394 DM |
560 | } |
561 | ||
562 | sub on_delete_hook { | |
563 | my ($class, $storeid, $scfg) = @_; | |
564 | ||
565 | pbs_delete_password($scfg, $storeid); | |
76bb5feb | 566 | pbs_delete_encryption_key($scfg, $storeid); |
c56f7a71 | 567 | pbs_delete_master_pubkey($scfg, $storeid); |
f3ccd0ef FE |
568 | |
569 | return; | |
271fe394 DM |
570 | } |
571 | ||
572 | sub parse_volname { | |
573 | my ($class, $volname) = @_; | |
574 | ||
575 | if ($volname =~ m!^backup/([^\s_]+)/([^\s_]+)/([0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z)$!) { | |
576 | my $btype = $1; | |
577 | my $bid = $2; | |
578 | my $btime = $3; | |
579 | my $format = "pbs-$btype"; | |
580 | ||
581 | my $name = "$btype/$bid/$btime"; | |
582 | ||
583 | if ($bid =~ m/^\d+$/) { | |
584 | return ('backup', $name, $bid, undef, undef, undef, $format); | |
585 | } else { | |
586 | return ('backup', $name, undef, undef, undef, undef, $format); | |
587 | } | |
588 | } | |
589 | ||
590 | die "unable to parse PBS volume name '$volname'\n"; | |
591 | } | |
592 | ||
593 | sub path { | |
594 | my ($class, $scfg, $volname, $storeid, $snapname) = @_; | |
595 | ||
596 | die "volume snapshot is not possible on pbs storage" | |
597 | if defined($snapname); | |
598 | ||
599 | my ($vtype, $name, $vmid) = $class->parse_volname($volname); | |
600 | ||
53003cb5 | 601 | my $repo = PVE::PBSClient::get_repository($scfg); |
271fe394 | 602 | |
ffc31266 | 603 | # artificial url - we currently do not use that anywhere |
53003cb5 | 604 | my $path = "pbs://$repo/$name"; |
271fe394 DM |
605 | |
606 | return ($path, $vmid, $vtype); | |
607 | } | |
608 | ||
609 | sub create_base { | |
610 | my ($class, $storeid, $scfg, $volname) = @_; | |
611 | ||
612 | die "can't create base images in pbs storage\n"; | |
613 | } | |
614 | ||
615 | sub clone_image { | |
616 | my ($class, $scfg, $storeid, $volname, $vmid, $snap) = @_; | |
617 | ||
618 | die "can't clone images in pbs storage\n"; | |
619 | } | |
620 | ||
621 | sub alloc_image { | |
622 | my ($class, $storeid, $scfg, $vmid, $fmt, $name, $size) = @_; | |
623 | ||
624 | die "can't allocate space in pbs storage\n"; | |
625 | } | |
626 | ||
627 | sub free_image { | |
628 | my ($class, $storeid, $scfg, $volname, $isBase) = @_; | |
629 | ||
630 | my ($vtype, $name, $vmid) = $class->parse_volname($volname); | |
631 | ||
632 | run_client_cmd($scfg, $storeid, "forget", [ $name ], 1); | |
7ae13a34 FE |
633 | |
634 | return; | |
271fe394 DM |
635 | } |
636 | ||
637 | ||
638 | sub list_images { | |
639 | my ($class, $storeid, $scfg, $vmid, $vollist, $cache) = @_; | |
640 | ||
641 | my $res = []; | |
642 | ||
643 | return $res; | |
644 | } | |
645 | ||
878fe017 TL |
646 | my sub snapshot_files_encrypted { |
647 | my ($files) = @_; | |
648 | return 0 if !$files; | |
649 | ||
650 | my $any; | |
651 | my $all = 1; | |
652 | for my $file (@$files) { | |
653 | my $fn = $file->{filename}; | |
654 | next if $fn eq 'client.log.blob' || $fn eq 'index.json.blob'; | |
655 | ||
656 | my $crypt = $file->{'crypt-mode'}; | |
657 | ||
658 | $all = 0 if !$crypt || $crypt ne 'encrypt'; | |
dfa374d3 | 659 | $any ||= defined($crypt) && $crypt eq 'encrypt'; |
878fe017 TL |
660 | } |
661 | return $any && $all; | |
662 | } | |
663 | ||
271fe394 DM |
664 | sub list_volumes { |
665 | my ($class, $storeid, $scfg, $vmid, $content_types) = @_; | |
666 | ||
667 | my $res = []; | |
668 | ||
669 | return $res if !grep { $_ eq 'backup' } @$content_types; | |
670 | ||
671 | my $data = run_client_cmd($scfg, $storeid, "snapshots"); | |
672 | ||
673 | foreach my $item (@$data) { | |
674 | my $btype = $item->{"backup-type"}; | |
675 | my $bid = $item->{"backup-id"}; | |
545e127e | 676 | my $epoch = $item->{"backup-time"}; |
271fe394 DM |
677 | my $size = $item->{size} // 1; |
678 | ||
679 | next if !($btype eq 'vm' || $btype eq 'ct'); | |
680 | next if $bid !~ m/^\d+$/; | |
ddf7fdaa | 681 | next if defined($vmid) && $bid ne $vmid; |
271fe394 | 682 | |
8602fd56 | 683 | my $volid = print_volid($storeid, $btype, $bid, $epoch); |
271fe394 | 684 | |
545e127e | 685 | my $info = { |
c05b1a8c TL |
686 | volid => $volid, |
687 | format => "pbs-$btype", | |
688 | size => $size, | |
689 | content => 'backup', | |
690 | vmid => int($bid), | |
691 | ctime => $epoch, | |
c66e0b8a | 692 | subtype => $btype eq 'vm' ? 'qemu' : 'lxc', # convert to PVE backup type |
545e127e | 693 | }; |
271fe394 | 694 | |
9778e5c2 | 695 | $info->{verification} = $item->{verification} if defined($item->{verification}); |
6fef456c | 696 | $info->{notes} = $item->{comment} if defined($item->{comment}); |
bfba9626 | 697 | $info->{protected} = 1 if $item->{protected}; |
878fe017 TL |
698 | if (defined($item->{fingerprint})) { |
699 | $info->{encrypted} = $item->{fingerprint}; | |
700 | } elsif (snapshot_files_encrypted($item->{files})) { | |
701 | $info->{encrypted} = '1'; | |
702 | } | |
9778e5c2 | 703 | |
271fe394 DM |
704 | push @$res, $info; |
705 | } | |
706 | ||
707 | return $res; | |
708 | } | |
709 | ||
710 | sub status { | |
711 | my ($class, $storeid, $scfg, $cache) = @_; | |
712 | ||
713 | my $total = 0; | |
714 | my $free = 0; | |
715 | my $used = 0; | |
716 | my $active = 0; | |
717 | ||
718 | eval { | |
719 | my $res = run_client_cmd($scfg, $storeid, "status"); | |
720 | ||
721 | $active = 1; | |
722 | $total = $res->{total}; | |
723 | $used = $res->{used}; | |
f155c912 TL |
724 | $free = $res->{avail}; |
725 | }; | |
271fe394 DM |
726 | if (my $err = $@) { |
727 | warn $err; | |
728 | } | |
729 | ||
730 | return ($total, $free, $used, $active); | |
731 | } | |
732 | ||
2f9eb6dc TL |
733 | # TODO: use a client with native rust/proxmox-backup bindings to profit from |
734 | # API schema checks and types | |
735 | my sub pbs_api_connect { | |
736 | my ($scfg, $password) = @_; | |
737 | ||
738 | my $params = {}; | |
739 | ||
740 | my $user = $scfg->{username} // 'root@pam'; | |
741 | ||
742 | if (my $tokenid = PVE::AccessControl::pve_verify_tokenid($user, 1)) { | |
ab90c3b1 | 743 | $params->{apitoken} = "PBSAPIToken=${tokenid}:${password}"; |
2f9eb6dc TL |
744 | } else { |
745 | $params->{password} = $password; | |
746 | $params->{username} = $user; | |
747 | } | |
748 | ||
749 | if (my $fp = $scfg->{fingerprint}) { | |
750 | $params->{cached_fingerprints}->{uc($fp)} = 1; | |
751 | } | |
752 | ||
753 | my $conn = PVE::APIClient::LWP->new( | |
754 | %$params, | |
755 | host => $scfg->{server}, | |
756 | port => $scfg->{port} // 8007, | |
757 | timeout => 7, # cope with a 401 (3s api delay) and high latency | |
758 | cookie_name => 'PBSAuthCookie', | |
759 | ); | |
760 | ||
761 | return $conn; | |
762 | } | |
763 | ||
8b62ac6a TL |
764 | # can also be used for not (yet) added storages, pass $scfg with |
765 | # { | |
766 | # server | |
767 | # user | |
768 | # port (optional default to 8007) | |
769 | # fingerprint (optional for trusted certs) | |
770 | # } | |
771 | sub scan_datastores { | |
772 | my ($scfg, $password) = @_; | |
773 | ||
774 | my $conn = pbs_api_connect($scfg, $password); | |
775 | ||
776 | my $response = eval { $conn->get('/api2/json/admin/datastore', {}) }; | |
777 | die "error fetching datastores - $@" if $@; | |
778 | ||
779 | return $response; | |
780 | } | |
781 | ||
271fe394 DM |
782 | sub activate_storage { |
783 | my ($class, $storeid, $scfg, $cache) = @_; | |
bb0a0f96 | 784 | |
2cd10f58 | 785 | my $password = pbs_get_password($scfg, $storeid); |
bb0a0f96 | 786 | |
2cd10f58 TL |
787 | my $datastores = eval { scan_datastores($scfg, $password) }; |
788 | die "$storeid: $@" if $@; | |
789 | ||
790 | my $datastore = $scfg->{datastore}; | |
791 | ||
792 | for my $ds (@$datastores) { | |
793 | if ($ds->{store} eq $datastore) { | |
794 | return 1; | |
795 | } | |
796 | } | |
797 | ||
ffc31266 | 798 | die "$storeid: Cannot find datastore '$datastore', check permissions and existence!\n"; |
271fe394 DM |
799 | } |
800 | ||
801 | sub deactivate_storage { | |
802 | my ($class, $storeid, $scfg, $cache) = @_; | |
803 | return 1; | |
804 | } | |
805 | ||
806 | sub activate_volume { | |
807 | my ($class, $storeid, $scfg, $volname, $snapname, $cache) = @_; | |
808 | ||
809 | die "volume snapshot is not possible on pbs device" if $snapname; | |
810 | ||
811 | return 1; | |
812 | } | |
813 | ||
814 | sub deactivate_volume { | |
815 | my ($class, $storeid, $scfg, $volname, $snapname, $cache) = @_; | |
816 | ||
817 | die "volume snapshot is not possible on pbs device" if $snapname; | |
818 | ||
819 | return 1; | |
820 | } | |
821 | ||
f1de8281 FE |
822 | # FIXME remove on the next APIAGE reset. |
823 | # Deprecated, use get_volume_attribute instead. | |
45e93e6d DC |
824 | sub get_volume_notes { |
825 | my ($class, $scfg, $storeid, $volname, $timeout) = @_; | |
826 | ||
827 | my (undef, $name, undef, undef, undef, undef, $format) = $class->parse_volname($volname); | |
828 | ||
829 | my $data = run_client_cmd($scfg, $storeid, "snapshot", [ "notes", "show", $name ]); | |
830 | ||
831 | return $data->{notes}; | |
832 | } | |
833 | ||
f1de8281 FE |
834 | # FIXME remove on the next APIAGE reset. |
835 | # Deprecated, use update_volume_attribute instead. | |
45e93e6d DC |
836 | sub update_volume_notes { |
837 | my ($class, $scfg, $storeid, $volname, $notes, $timeout) = @_; | |
838 | ||
839 | my (undef, $name, undef, undef, undef, undef, $format) = $class->parse_volname($volname); | |
840 | ||
841 | run_client_cmd($scfg, $storeid, "snapshot", [ "notes", "update", $name, $notes ], 1); | |
842 | ||
843 | return undef; | |
844 | } | |
845 | ||
f1de8281 FE |
846 | sub get_volume_attribute { |
847 | my ($class, $scfg, $storeid, $volname, $attribute) = @_; | |
848 | ||
849 | if ($attribute eq 'notes') { | |
850 | return $class->get_volume_notes($scfg, $storeid, $volname); | |
851 | } | |
852 | ||
bfba9626 FE |
853 | if ($attribute eq 'protected') { |
854 | my $param = $class->api_param_from_volname($volname); | |
855 | ||
856 | my $password = pbs_get_password($scfg, $storeid); | |
857 | my $conn = pbs_api_connect($scfg, $password); | |
858 | my $datastore = $scfg->{datastore}; | |
859 | ||
860 | my $res = eval { $conn->get("/api2/json/admin/datastore/$datastore/$attribute", $param); }; | |
861 | if (my $err = $@) { | |
862 | return if $err->{code} == 404; # not supported | |
863 | die $err; | |
864 | } | |
865 | return $res; | |
866 | } | |
867 | ||
f1de8281 FE |
868 | return; |
869 | } | |
870 | ||
871 | sub update_volume_attribute { | |
872 | my ($class, $scfg, $storeid, $volname, $attribute, $value) = @_; | |
873 | ||
874 | if ($attribute eq 'notes') { | |
875 | return $class->update_volume_notes($scfg, $storeid, $volname, $value); | |
876 | } | |
877 | ||
bfba9626 FE |
878 | if ($attribute eq 'protected') { |
879 | my $param = $class->api_param_from_volname($volname); | |
880 | $param->{$attribute} = $value; | |
881 | ||
882 | my $password = pbs_get_password($scfg, $storeid); | |
883 | my $conn = pbs_api_connect($scfg, $password); | |
884 | my $datastore = $scfg->{datastore}; | |
885 | ||
904f06a8 FE |
886 | eval { $conn->put("/api2/json/admin/datastore/$datastore/$attribute", $param); }; |
887 | if (my $err = $@) { | |
888 | die "Server is not recent enough to support feature '$attribute'\n" | |
889 | if $err->{code} == 404; | |
890 | die $err; | |
891 | } | |
bfba9626 FE |
892 | return; |
893 | } | |
894 | ||
f1de8281 FE |
895 | die "attribute '$attribute' is not supported for storage type '$scfg->{type}'\n"; |
896 | } | |
897 | ||
271fe394 DM |
898 | sub volume_size_info { |
899 | my ($class, $scfg, $storeid, $volname, $timeout) = @_; | |
900 | ||
901 | my ($vtype, $name, undef, undef, undef, undef, $format) = $class->parse_volname($volname); | |
902 | ||
903 | my $data = run_client_cmd($scfg, $storeid, "files", [ $name ]); | |
904 | ||
905 | my $size = 0; | |
906 | foreach my $info (@$data) { | |
d4e00f2b | 907 | if ($info->{size} && $info->{size} =~ /^(\d+)$/) { # untaints |
ac598d85 SI |
908 | $size += $1; |
909 | } | |
271fe394 DM |
910 | } |
911 | ||
912 | my $used = $size; | |
913 | ||
914 | return wantarray ? ($size, $format, $used, undef) : $size; | |
915 | } | |
916 | ||
917 | sub volume_resize { | |
918 | my ($class, $scfg, $storeid, $volname, $size, $running) = @_; | |
919 | die "volume resize is not possible on pbs device"; | |
920 | } | |
921 | ||
922 | sub volume_snapshot { | |
923 | my ($class, $scfg, $storeid, $volname, $snap) = @_; | |
924 | die "volume snapshot is not possible on pbs device"; | |
925 | } | |
926 | ||
927 | sub volume_snapshot_rollback { | |
928 | my ($class, $scfg, $storeid, $volname, $snap) = @_; | |
929 | die "volume snapshot rollback is not possible on pbs device"; | |
930 | } | |
931 | ||
932 | sub volume_snapshot_delete { | |
933 | my ($class, $scfg, $storeid, $volname, $snap) = @_; | |
934 | die "volume snapshot delete is not possible on pbs device"; | |
935 | } | |
936 | ||
937 | sub volume_has_feature { | |
938 | my ($class, $scfg, $feature, $storeid, $volname, $snapname, $running) = @_; | |
939 | ||
940 | return undef; | |
941 | } | |
942 | ||
943 | 1; |