public inbox for pbs-devel@lists.proxmox.com
From: Christian Ebner <c.ebner@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox-backup v3 03/15] pbs-config: use proxmox-product-config::replace_secret_config()
Date: Wed,  1 Jul 2026 16:04:00 +0200
Message-ID: <20260701140412.200920-4-c.ebner@proxmox.com>
In-Reply-To: <20260701140412.200920-1-c.ebner@proxmox.com>

Instead of using the pbs-config local implementation, use the product
general implementation, dropping the local one instead.

Since proxmox-product-config::replace_secret_config() requires the
api- and priv-user to be initialized, any calling codepath must
guarantee to have run proxmox-product-config::init() once, so do
that for proxmox-tape as well, while proxy, api and manager are
already initializing it.

Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
---
 pbs-config/Cargo.toml           |  1 +
 pbs-config/src/lib.rs           | 17 -----------------
 pbs-config/src/notifications.rs |  5 ++++-
 src/bin/proxmox-tape.rs         |  8 ++++++++
 src/tape/encryption_keys.rs     |  3 ++-
 5 files changed, 15 insertions(+), 19 deletions(-)

diff --git a/pbs-config/Cargo.toml b/pbs-config/Cargo.toml
index 04687cb59..d07b4de89 100644
--- a/pbs-config/Cargo.toml
+++ b/pbs-config/Cargo.toml
@@ -23,6 +23,7 @@ proxmox-http.workspace = true
 proxmox-lang.workspace = true
 proxmox-notify.workspace = true
 proxmox-router = { workspace = true, default-features = false }
+proxmox-product-config.workspace = true
 proxmox-s3-client.workspace = true
 proxmox-schema.workspace = true
 proxmox-section-config.workspace = true
diff --git a/pbs-config/src/lib.rs b/pbs-config/src/lib.rs
index a194d70ac..1d32d23e2 100644
--- a/pbs-config/src/lib.rs
+++ b/pbs-config/src/lib.rs
@@ -139,23 +139,6 @@ pub fn replace_backup_config<P: AsRef<std::path::Path>>(path: P, data: &[u8]) ->
     Ok(())
 }
 
-/// Atomically write data to file owned by "root:root" with permission "0600"
-///
-/// Only the superuser can read and write those files.
-pub fn replace_secret_config<P: AsRef<std::path::Path>>(path: P, data: &[u8]) -> Result<(), Error> {
-    let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
-    // set the correct owner/group/permissions while saving file
-    // owner(rw) = root, group(r)= root
-    let options = proxmox_sys::fs::CreateOptions::new()
-        .perm(mode)
-        .owner(nix::unistd::ROOT)
-        .group(nix::unistd::Gid::from_raw(0));
-
-    proxmox_sys::fs::replace_file(path, data, options, true)?;
-
-    Ok(())
-}
-
 /// Detect modified configuration files
 ///
 /// This function fails with a reasonable error message if checksums do not match.
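Review bot: the doc comment removed from pbs-config/src/lib.rs guaranteed owner root:root and mode 0600 for secret files, but neither this hunk nor the commit message says which owner and mode proxmox_product_config::replace_secret_config() applies. Since the commit message states that the replacement needs the api- and priv-user to be initialized, please state explicitly whether the resulting ownership and permissions are unchanged, and if they differ, how already existing files are handled. The removed function was also `pub`, so it is worth confirming that no caller other than the two files touched in this patch still references pbs_config::replace_secret_config.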
diff --git a/pbs-config/src/notifications.rs b/pbs-config/src/notifications.rs
index 3ee019f23..cbdbcee7a 100644
--- a/pbs-config/src/notifications.rs
+++ b/pbs-config/src/notifications.rs
@@ -35,7 +35,10 @@ pub fn config() -> Result<Config, Error> {
 pub fn save_config(config: Config) -> Result<(), Error> {
     let (cfg, priv_cfg) = config.write()?;
     crate::replace_backup_config(NOTIFICATION_CONFIG_PATH, cfg.as_bytes())?;
-    crate::replace_secret_config(NOTIFICATION_PRIV_CONFIG_PATH, priv_cfg.as_bytes())?;
+    proxmox_product_config::replace_secret_config(
+        NOTIFICATION_PRIV_CONFIG_PATH,
+        priv_cfg.as_bytes(),
+    )?;
 
     Ok(())
 }
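Review bot: in save_config() the public file is replaced before the private one, so a failure in the new proxmox_product_config::replace_secret_config() call, for example because the calling binary never ran init(), leaves NOTIFICATION_CONFIG_PATH updated while NOTIFICATION_PRIV_CONFIG_PATH is stale. Consider documenting the init() requirement in the doc comment of save_config(), and say in the commit message whether the missing-init case surfaces as an Err or as a panic.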
diff --git a/src/bin/proxmox-tape.rs b/src/bin/proxmox-tape.rs
index 1d26b31e8..8e52bc5d0 100644
--- a/src/bin/proxmox-tape.rs
+++ b/src/bin/proxmox-tape.rs
@@ -1116,5 +1116,13 @@ fn main() {
     let mut rpcenv = CliEnvironment::new();
     rpcenv.set_auth_id(Some(String::from("root@pam")));
 
+    if let Err(err) = proxmox_lang::try_block!({
+        proxmox_product_config::init(pbs_config::backup_user()?, pbs_config::priv_user()?);
+        Ok::<(), Error>(())
+    }) {
+        eprintln!("Failed on product config init: {err}");
+        std::process::exit(-1);
+    }
+
     proxmox_async::runtime::main(run_async_cli_command(cmd_def, rpcenv));
 }
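Review bot: the message printed in main() does not tell which of pbs_config::backup_user() or pbs_config::priv_user() failed, and std::process::exit(-1) reaches the shell as status 255. Consider attaching context to each lookup and exiting with a small positive code. For a single statement, a small helper returning Result<(), Error> would also read more directly than the try_block! wrapper with its `Ok::<(), Error>(())` tail.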
diff --git a/src/tape/encryption_keys.rs b/src/tape/encryption_keys.rs
index 42e4931a5..1af7decaa 100644
--- a/src/tape/encryption_keys.rs
+++ b/src/tape/encryption_keys.rs
@@ -18,8 +18,9 @@ use serde::{Deserialize, Serialize};
 use proxmox_sys::fs::file_read_optional_string;
 
 use pbs_api_types::Fingerprint;
-use pbs_config::{open_backup_lockfile, replace_backup_config, replace_secret_config};
+use pbs_config::{open_backup_lockfile, replace_backup_config};
 use pbs_key_config::KeyConfig;
+use proxmox_product_config::replace_secret_config;
 
 mod hex_key {
     use hex::FromHex;
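Review bot: the new `use proxmox_product_config::replace_secret_config;` is appended to the pbs_* import group, while the other proxmox_* import (`use proxmox_sys::fs::file_read_optional_string;`) sits in its own group above. Moving the new line next to that one keeps the grouping consistent. Since this module now depends on proxmox_product_config::init() having run, a short comment stating that requirement near the import or on the functions that write key files would help callers.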
-- 
2.47.3




