From: Jakob Klocker <j.klocker@proxmox.com>
To: pbs-devel@lists.proxmox.com
Cc: Jakob Klocker <j.klocker@proxmox.com>
Subject: [PATCH proxmox-backup 1/2] fix #6990: server: drop verify state on non-decrypt pull job
Date: Thu, 9 Jul 2026 14:21:34 +0200 [thread overview]
Message-ID: <20260709122136.352839-2-j.klocker@proxmox.com> (raw)
In-Reply-To: <20260709122136.352839-1-j.klocker@proxmox.com>
On a non-decrypt pull the source manifest is written to the target
as-is, so the target inherits the source's verify_state flag instead of
being verified independently on its own storage. Because a snapshot
carrying a verify_state is skipped by verify jobs, the target's copy can
never be checked.
The decrypt path already drops verify_state; do the same on the
non-decrypt path when the snapshot is newly pulled or re-synced due to
corruption. Also factor the manifest blob encoding and writing into a
helper, shared by both paths.
Link: https://bugzilla.proxmox.com/show_bug.cgi?id=6990
Signed-off-by: Jakob Klocker <j.klocker@proxmox.com>
---
src/server/pull.rs | 42 ++++++++++++++++++++++++++++--------------
1 file changed, 28 insertions(+), 14 deletions(-)
diff --git a/src/server/pull.rs b/src/server/pull.rs
index e86a9c329..f8107911e 100644
--- a/src/server/pull.rs
+++ b/src/server/pull.rs
@@ -745,7 +745,8 @@ async fn pull_snapshot<'a>(
};
let mut manifest_data = tmp_manifest_blob.raw_data().to_vec();
- let manifest = BackupManifest::try_from(tmp_manifest_blob).with_context(|| prefix.clone())?;
+ let mut manifest =
+ BackupManifest::try_from(tmp_manifest_blob).with_context(|| prefix.clone())?;
if ignore_not_verified_or_encrypted(
&manifest,
@@ -885,19 +886,15 @@ async fn pull_snapshot<'a>(
new_manifest.set_sync_source_signature(expected.bytes())?;
}
- let manifest_string = new_manifest.to_string(None)?;
- let manifest_blob = DataBlob::encode(manifest_string.as_bytes(), None, true)?;
- // update contents to be uploaded to backend
- manifest_data = manifest_blob.raw_data().to_vec();
-
- let mut tmp_manifest_file = OpenOptions::new()
- .write(true)
- .truncate(true) // clear pre-existing manifest content
- .open(&tmp_manifest_name)
- .await?;
- tmp_manifest_file.write_all(&manifest_data).await?;
- tmp_manifest_file.flush().await?;
- nix::unistd::fsync(tmp_manifest_file.as_raw_fd())?;
+ manifest_data = write_manifest_blob(&new_manifest, &tmp_manifest_name).await?;
+ } else if (is_new || corrupt) && manifest.unprotected.get("verify_state").is_some() {
+ // the manifest is copied as-is on the non-decrypted path, drop verify_state explicitly
+ if let Some(unprotected) = manifest.unprotected.as_object_mut() {
+ unprotected.remove("verify_state");
+ } else {
+ bail!("Encountered unexpected manifest without 'unprotected' section.");
+ }
+ manifest_data = write_manifest_blob(&manifest, &tmp_manifest_name).await?;
}
if let Err(err) = std::fs::rename(&tmp_manifest_name, &manifest_name) {
@@ -927,6 +924,23 @@ async fn pull_snapshot<'a>(
Ok(Some(sync_stats))
}
+async fn write_manifest_blob(
+ manifest: &BackupManifest,
+ path: &std::path::Path,
+) -> Result<Vec<u8>, Error> {
+ let manifest_blob = DataBlob::encode(manifest.to_string(None)?.as_bytes(), None, true)?;
+ let manifest_data = manifest_blob.raw_data().to_vec();
+ let mut manifest_file = OpenOptions::new()
+ .write(true)
+ .truncate(true)
+ .open(path)
+ .await?;
+ manifest_file.write_all(&manifest_data).await?;
+ manifest_file.flush().await?;
+ nix::unistd::fsync(manifest_file.as_raw_fd())?;
+ Ok(manifest_data)
+}
+
/// Check if the decryption key should be used to decrypt the snapshot during
/// pull based on given pull parameter, source and optionally already present
/// target manifest.
--
2.47.3
next prev parent reply other threads:[~2026-07-09 12:22 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-09 12:21 [PATCH proxmox-backup 0/2] fix #6990: server: drop verify state on push & pull job Jakob Klocker
2026-07-09 12:21 ` Jakob Klocker [this message]
2026-07-09 12:21 ` [PATCH proxmox-backup 2/2] fix #6990: server: drop verify state on push job Jakob Klocker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260709122136.352839-2-j.klocker@proxmox.com \
--to=j.klocker@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.