1 package PVE
::Storage
::PBSPlugin
;
3 # Plugin to access Proxmox Backup Server
8 use Fcntl
qw(F_GETFD F_SETFD FD_CLOEXEC);
11 use POSIX
qw(strftime ENOENT);
13 use PVE
::APIClient
::LWP
;
14 use PVE
::JSONSchema
qw(get_standard_option);
17 use PVE
::Storage
::Plugin
;
18 use PVE
::Tools
qw(run_command file_read_firstline trim dir_glob_regex dir_glob_foreach $IPV6RE);
20 use base
qw(PVE::Storage::Plugin);
30 content
=> [ {backup
=> 1, none
=> 1}, { backup
=> 1 }],
37 description
=> "Proxmox Backup Server datastore name.",
40 # openssl s_client -connect <host>:8007 2>&1 |openssl x509 -fingerprint -sha256
41 fingerprint
=> get_standard_option
('fingerprint-sha256'),
43 description
=> "Encryption key. Use 'autogen' to generate one automatically without passphrase.",
47 description
=> "For non default port.",
58 server
=> { fixed
=> 1 },
59 datastore
=> { fixed
=> 1 },
60 port
=> { optional
=> 1 },
61 nodes
=> { optional
=> 1},
62 disable
=> { optional
=> 1},
63 content
=> { optional
=> 1},
64 username
=> { optional
=> 1 },
65 password
=> { optional
=> 1 },
66 'encryption-key' => { optional
=> 1 },
67 maxfiles
=> { optional
=> 1 },
68 'prune-backups' => { optional
=> 1 },
69 fingerprint
=> { optional
=> 1 },
75 sub pbs_password_file_name
{
76 my ($scfg, $storeid) = @_;
78 return "/etc/pve/priv/storage/${storeid}.pw";
81 sub pbs_set_password
{
82 my ($scfg, $storeid, $password) = @_;
84 my $pwfile = pbs_password_file_name
($scfg, $storeid);
85 mkdir "/etc/pve/priv/storage";
87 PVE
::Tools
::file_set_contents
($pwfile, "$password\n");
90 sub pbs_delete_password
{
91 my ($scfg, $storeid) = @_;
93 my $pwfile = pbs_password_file_name
($scfg, $storeid);
98 sub pbs_get_password
{
99 my ($scfg, $storeid) = @_;
101 my $pwfile = pbs_password_file_name
($scfg, $storeid);
103 return PVE
::Tools
::file_read_firstline
($pwfile);
106 sub pbs_encryption_key_file_name
{
107 my ($scfg, $storeid) = @_;
109 return "/etc/pve/priv/storage/${storeid}.enc";
112 sub pbs_set_encryption_key
{
113 my ($scfg, $storeid, $key) = @_;
115 my $pwfile = pbs_encryption_key_file_name
($scfg, $storeid);
116 mkdir "/etc/pve/priv/storage";
118 PVE
::Tools
::file_set_contents
($pwfile, "$key\n");
121 sub pbs_delete_encryption_key
{
122 my ($scfg, $storeid) = @_;
124 my $pwfile = pbs_encryption_key_file_name
($scfg, $storeid);
126 if (!unlink $pwfile) {
127 return if $! == ENOENT
;
128 die "failed to delete encryption key! $!\n";
130 delete $scfg->{'encryption-key'};
133 sub pbs_get_encryption_key
{
134 my ($scfg, $storeid) = @_;
136 my $pwfile = pbs_encryption_key_file_name
($scfg, $storeid);
138 return PVE
::Tools
::file_get_contents
($pwfile);
141 # Returns a file handle if there is an encryption key, or `undef` if there is not. Dies on error.
142 sub pbs_open_encryption_key
{
143 my ($scfg, $storeid) = @_;
145 my $encryption_key_file = pbs_encryption_key_file_name
($scfg, $storeid);
148 if (!open($keyfd, '<', $encryption_key_file)) {
149 return undef if $! == ENOENT
;
150 die "failed to open encryption key: $encryption_key_file: $!\n";
157 my ($storeid, $btype, $bid, $btime) = @_;
159 my $time_str = strftime
("%FT%TZ", gmtime($btime));
160 my $volname = "backup/${btype}/${bid}/${time_str}";
162 return "${storeid}:${volname}";
165 my $USE_CRYPT_PARAMS = {
171 my sub do_raw_client_cmd
{
172 my ($scfg, $storeid, $client_cmd, $param, %opts) = @_;
174 my $use_crypto = $USE_CRYPT_PARAMS->{$client_cmd};
176 my $client_exe = '/usr/bin/proxmox-backup-client';
177 die "executable not found '$client_exe'! Proxmox backup client not installed?\n"
180 my $repo = PVE
::PBSClient
::get_repository
($scfg);
182 my $userns_cmd = delete $opts{userns_cmd
};
186 push @$cmd, @$userns_cmd if defined($userns_cmd);
188 push @$cmd, $client_exe, $client_cmd;
190 # This must live in the top scope to not get closed before the `run_command`
193 if (defined($keyfd = pbs_open_encryption_key
($scfg, $storeid))) {
194 my $flags = fcntl($keyfd, F_GETFD
, 0)
195 // die "failed to get file descriptor flags: $!\n";
196 fcntl($keyfd, F_SETFD
, $flags & ~FD_CLOEXEC
)
197 or die "failed to remove FD_CLOEXEC from encryption key file descriptor\n";
198 push @$cmd, '--crypt-mode=encrypt', '--keyfd='.fileno($keyfd);
200 push @$cmd, '--crypt-mode=none';
204 push @$cmd, @$param if defined($param);
206 push @$cmd, "--repository", $repo;
208 local $ENV{PBS_PASSWORD
} = pbs_get_password
($scfg, $storeid);
210 local $ENV{PBS_FINGERPRINT
} = $scfg->{fingerprint
};
212 # no ascii-art on task logs
213 local $ENV{PROXMOX_OUTPUT_NO_BORDER
} = 1;
214 local $ENV{PROXMOX_OUTPUT_NO_HEADER
} = 1;
216 if (my $logfunc = $opts{logfunc
}) {
217 $logfunc->("run: " . join(' ', @$cmd));
220 run_command
($cmd, %opts);
223 # FIXME: External perl code should NOT have access to this.
225 # There should be separate functions to
230 sub run_raw_client_cmd
{
231 my ($scfg, $storeid, $client_cmd, $param, %opts) = @_;
232 return do_raw_client_cmd
($scfg, $storeid, $client_cmd, $param, %opts);
236 my ($scfg, $storeid, $client_cmd, $param, $no_output) = @_;
239 my $outfunc = sub { $json_str .= "$_[0]\n" };
241 $param = [] if !defined($param);
242 $param = [ $param ] if !ref($param);
244 $param = [@$param, '--output-format=json'] if !$no_output;
246 do_raw_client_cmd
($scfg, $storeid, $client_cmd, $param,
247 outfunc
=> $outfunc, errmsg
=> 'proxmox-backup-client failed');
249 return undef if $no_output;
251 my $res = decode_json
($json_str);
256 # Storage implementation
258 sub extract_vzdump_config
{
259 my ($class, $scfg, $volname, $storeid) = @_;
261 my ($vtype, $name, $vmid, undef, undef, undef, $format) = $class->parse_volname($volname);
264 my $outfunc = sub { $config .= "$_[0]\n" };
267 if ($format eq 'pbs-vm') {
268 $config_name = 'qemu-server.conf';
269 } elsif ($format eq 'pbs-ct') {
270 $config_name = 'pct.conf';
272 die "unable to extract configuration for backup format '$format'\n";
275 do_raw_client_cmd
($scfg, $storeid, 'restore', [ $name, $config_name, '-' ],
276 outfunc
=> $outfunc, errmsg
=> 'proxmox-backup-client failed');
282 my ($class, $scfg, $storeid, $keep, $vmid, $type, $dryrun, $logfunc) = @_;
284 $logfunc //= sub { print "$_[1]\n" };
286 my $backups = $class->list_volumes($storeid, $scfg, $vmid, ['backup']);
288 $type = 'vm' if defined($type) && $type eq 'qemu';
289 $type = 'ct' if defined($type) && $type eq 'lxc';
291 my $backup_groups = {};
292 foreach my $backup (@{$backups}) {
293 (my $backup_type = $backup->{format
}) =~ s/^pbs-//;
295 next if defined($type) && $backup_type ne $type;
297 my $backup_group = "$backup_type/$backup->{vmid}";
298 $backup_groups->{$backup_group} = 1;
303 my $keep_all = delete $keep->{'keep-all'};
306 foreach my $opt (keys %{$keep}) {
307 next if $keep->{$opt} == 0;
308 push @param, "--$opt";
309 push @param, "$keep->{$opt}";
311 } else { # no need to pass anything to PBS
312 $keep = { 'keep-all' => 1 };
315 push @param, '--dry-run' if $dryrun;
320 foreach my $backup_group (keys %{$backup_groups}) {
321 $logfunc->('info', "running 'proxmox-backup-client prune' for '$backup_group'")
324 my $res = run_client_cmd
($scfg, $storeid, 'prune', [ $backup_group, @param ]);
326 foreach my $backup (@{$res}) {
327 die "result from proxmox-backup-client is not as expected\n"
328 if !defined($backup->{'backup-time'})
329 || !defined($backup->{'backup-type'})
330 || !defined($backup->{'backup-id'})
331 || !defined($backup->{'keep'});
333 my $ctime = $backup->{'backup-time'};
334 my $type = $backup->{'backup-type'};
335 my $vmid = $backup->{'backup-id'};
336 my $volid = print_volid
($storeid, $type, $vmid, $ctime);
338 push @{$prune_list}, {
340 mark
=> $backup->{keep
} ?
'keep' : 'remove',
341 type
=> $type eq 'vm' ?
'qemu' : 'lxc',
348 $logfunc->('err', "prune '$backup_group': $err\n");
352 die "error pruning backups - check log\n" if $failed;
357 my $autogen_encryption_key = sub {
358 my ($scfg, $storeid) = @_;
359 my $encfile = pbs_encryption_key_file_name
($scfg, $storeid);
361 rename $encfile, "$encfile.old";
363 my $cmd = ['proxmox-backup-client', 'key', 'create', '--kdf', 'none', $encfile];
364 run_command
($cmd, errmsg
=> 'failed to create encryption key');
365 return PVE
::Tools
::file_get_contents
($encfile);
369 my ($class, $storeid, $scfg, %param) = @_;
373 if (defined(my $password = $param{password
})) {
374 pbs_set_password
($scfg, $storeid, $password);
376 pbs_delete_password
($scfg, $storeid);
379 if (defined(my $encryption_key = $param{'encryption-key'})) {
381 if ($encryption_key eq 'autogen') {
382 $res->{'encryption-key'} = $autogen_encryption_key->($scfg, $storeid);
383 $decoded_key = decode_json
($res->{'encryption-key'});
385 $decoded_key = eval { decode_json
($encryption_key) };
386 if ($@ || !exists($decoded_key->{data
})) {
387 die "Value does not seems like a valid, JSON formatted encryption key!\n";
389 pbs_set_encryption_key
($scfg, $storeid, $encryption_key);
390 $res->{'encryption-key'} = $encryption_key;
392 $scfg->{'encryption-key'} = $decoded_key->{fingerprint
} || 1;
394 pbs_delete_encryption_key
($scfg, $storeid);
401 my ($class, $storeid, $scfg, %param) = @_;
405 if (exists($param{password
})) {
406 if (defined($param{password
})) {
407 pbs_set_password
($scfg, $storeid, $param{password
});
409 pbs_delete_password
($scfg, $storeid);
413 if (exists($param{'encryption-key'})) {
414 if (defined(my $encryption_key = delete($param{'encryption-key'}))) {
416 if ($encryption_key eq 'autogen') {
417 $res->{'encryption-key'} = $autogen_encryption_key->($scfg, $storeid);
418 $decoded_key = decode_json
($res->{'encryption-key'});
420 $decoded_key = eval { decode_json
($encryption_key) };
421 if ($@ || !exists($decoded_key->{data
})) {
422 die "Value does not seems like a valid, JSON formatted encryption key!\n";
424 pbs_set_encryption_key
($scfg, $storeid, $encryption_key);
425 $res->{'encryption-key'} = $encryption_key;
427 $scfg->{'encryption-key'} = $decoded_key->{fingerprint
} || 1;
429 pbs_delete_encryption_key
($scfg, $storeid);
437 my ($class, $storeid, $scfg) = @_;
439 pbs_delete_password
($scfg, $storeid);
440 pbs_delete_encryption_key
($scfg, $storeid);
446 my ($class, $volname) = @_;
448 if ($volname =~ m!^backup/([^\s_]+)/([^\s_]+)/([0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z)$!) {
452 my $format = "pbs-$btype";
454 my $name = "$btype/$bid/$btime";
456 if ($bid =~ m/^\d+$/) {
457 return ('backup', $name, $bid, undef, undef, undef, $format);
459 return ('backup', $name, undef, undef, undef, undef, $format);
463 die "unable to parse PBS volume name '$volname'\n";
467 my ($class, $scfg, $volname, $storeid, $snapname) = @_;
469 die "volume snapshot is not possible on pbs storage"
470 if defined($snapname);
472 my ($vtype, $name, $vmid) = $class->parse_volname($volname);
474 my $repo = PVE
::PBSClient
::get_repository
($scfg);
476 # artifical url - we currently do not use that anywhere
477 my $path = "pbs://$repo/$name";
479 return ($path, $vmid, $vtype);
483 my ($class, $storeid, $scfg, $volname) = @_;
485 die "can't create base images in pbs storage\n";
489 my ($class, $scfg, $storeid, $volname, $vmid, $snap) = @_;
491 die "can't clone images in pbs storage\n";
495 my ($class, $storeid, $scfg, $vmid, $fmt, $name, $size) = @_;
497 die "can't allocate space in pbs storage\n";
501 my ($class, $storeid, $scfg, $volname, $isBase) = @_;
503 my ($vtype, $name, $vmid) = $class->parse_volname($volname);
505 run_client_cmd
($scfg, $storeid, "forget", [ $name ], 1);
510 my ($class, $storeid, $scfg, $vmid, $vollist, $cache) = @_;
517 my sub snapshot_files_encrypted
{
523 for my $file (@$files) {
524 my $fn = $file->{filename
};
525 next if $fn eq 'client.log.blob' || $fn eq 'index.json.blob';
527 my $crypt = $file->{'crypt-mode'};
529 $all = 0 if !$crypt || $crypt ne 'encrypt';
530 $any ||= defined($crypt) && $crypt eq 'encrypt';
536 my ($class, $storeid, $scfg, $vmid, $content_types) = @_;
540 return $res if !grep { $_ eq 'backup' } @$content_types;
542 my $data = run_client_cmd
($scfg, $storeid, "snapshots");
544 foreach my $item (@$data) {
545 my $btype = $item->{"backup-type"};
546 my $bid = $item->{"backup-id"};
547 my $epoch = $item->{"backup-time"};
548 my $size = $item->{size
} // 1;
550 next if !($btype eq 'vm' || $btype eq 'ct');
551 next if $bid !~ m/^\d+$/;
552 next if defined($vmid) && $bid ne $vmid;
554 my $volid = print_volid
($storeid, $btype, $bid, $epoch);
558 format
=> "pbs-$btype",
565 $info->{verification
} = $item->{verification
} if defined($item->{verification
});
566 $info->{notes
} = $item->{comment
} if defined($item->{comment
});
567 if (defined($item->{fingerprint
})) {
568 $info->{encrypted
} = $item->{fingerprint
};
569 } elsif (snapshot_files_encrypted
($item->{files
})) {
570 $info->{encrypted
} = '1';
580 my ($class, $storeid, $scfg, $cache) = @_;
588 my $res = run_client_cmd
($scfg, $storeid, "status");
591 $total = $res->{total
};
592 $used = $res->{used
};
593 $free = $res->{avail
};
599 return ($total, $free, $used, $active);
602 # TODO: use a client with native rust/proxmox-backup bindings to profit from
603 # API schema checks and types
604 my sub pbs_api_connect
{
605 my ($scfg, $password) = @_;
609 my $user = $scfg->{username
} // 'root@pam';
611 if (my $tokenid = PVE
::AccessControl
::pve_verify_tokenid
($user, 1)) {
612 $params->{apitoken
} = "PBSAPIToken=${tokenid}:${password}";
614 $params->{password
} = $password;
615 $params->{username
} = $user;
618 if (my $fp = $scfg->{fingerprint
}) {
619 $params->{cached_fingerprints
}->{uc($fp)} = 1;
622 my $conn = PVE
::APIClient
::LWP-
>new(
624 host
=> $scfg->{server
},
625 port
=> $scfg->{port
} // 8007,
626 timeout
=> 7, # cope with a 401 (3s api delay) and high latency
627 cookie_name
=> 'PBSAuthCookie',
633 # can also be used for not (yet) added storages, pass $scfg with
637 # port (optional default to 8007)
638 # fingerprint (optional for trusted certs)
640 sub scan_datastores
{
641 my ($scfg, $password) = @_;
643 my $conn = pbs_api_connect
($scfg, $password);
645 my $response = eval { $conn->get('/api2/json/admin/datastore', {}) };
646 die "error fetching datastores - $@" if $@;
651 sub activate_storage
{
652 my ($class, $storeid, $scfg, $cache) = @_;
654 my $password = pbs_get_password
($scfg, $storeid);
656 my $datastores = eval { scan_datastores
($scfg, $password) };
657 die "$storeid: $@" if $@;
659 my $datastore = $scfg->{datastore
};
661 for my $ds (@$datastores) {
662 if ($ds->{store
} eq $datastore) {
667 die "$storeid: Cannot find datastore '$datastore', check permissions and existance!\n";
670 sub deactivate_storage
{
671 my ($class, $storeid, $scfg, $cache) = @_;
675 sub activate_volume
{
676 my ($class, $storeid, $scfg, $volname, $snapname, $cache) = @_;
678 die "volume snapshot is not possible on pbs device" if $snapname;
683 sub deactivate_volume
{
684 my ($class, $storeid, $scfg, $volname, $snapname, $cache) = @_;
686 die "volume snapshot is not possible on pbs device" if $snapname;
691 sub get_volume_notes
{
692 my ($class, $scfg, $storeid, $volname, $timeout) = @_;
694 my (undef, $name, undef, undef, undef, undef, $format) = $class->parse_volname($volname);
696 my $data = run_client_cmd
($scfg, $storeid, "snapshot", [ "notes", "show", $name ]);
698 return $data->{notes
};
701 sub update_volume_notes
{
702 my ($class, $scfg, $storeid, $volname, $notes, $timeout) = @_;
704 my (undef, $name, undef, undef, undef, undef, $format) = $class->parse_volname($volname);
706 run_client_cmd
($scfg, $storeid, "snapshot", [ "notes", "update", $name, $notes ], 1);
711 sub volume_size_info
{
712 my ($class, $scfg, $storeid, $volname, $timeout) = @_;
714 my ($vtype, $name, undef, undef, undef, undef, $format) = $class->parse_volname($volname);
716 my $data = run_client_cmd
($scfg, $storeid, "files", [ $name ]);
719 foreach my $info (@$data) {
720 $size += $info->{size
} if $info->{size
};
725 return wantarray ?
($size, $format, $used, undef) : $size;
729 my ($class, $scfg, $storeid, $volname, $size, $running) = @_;
730 die "volume resize is not possible on pbs device";
733 sub volume_snapshot
{
734 my ($class, $scfg, $storeid, $volname, $snap) = @_;
735 die "volume snapshot is not possible on pbs device";
738 sub volume_snapshot_rollback
{
739 my ($class, $scfg, $storeid, $volname, $snap) = @_;
740 die "volume snapshot rollback is not possible on pbs device";
743 sub volume_snapshot_delete
{
744 my ($class, $scfg, $storeid, $volname, $snap) = @_;
745 die "volume snapshot delete is not possible on pbs device";
748 sub volume_has_feature
{
749 my ($class, $scfg, $feature, $storeid, $volname, $snapname, $running) = @_;