From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 79E461FF163 for ; Thu, 7 Nov 2024 17:59:43 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 8027C35B80; Thu, 7 Nov 2024 17:59:43 +0100 (CET) From: Fiona Ebner To: pve-devel@lists.proxmox.com Date: Thu, 7 Nov 2024 17:51:38 +0100 Message-Id: <20241107165146.125935-27-f.ebner@proxmox.com> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20241107165146.125935-1-f.ebner@proxmox.com> References: <20241107165146.125935-1-f.ebner@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.057 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [RFC container v3 26/34] backup: implement backup for external providers X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" The filesystem structure is made available as a directory in a consistent manner (with details depending on the vzdump backup mode) just like for regular backup via tar. The backup_container() method of the backup provider is executed in a user namespace with the container's ID mapping applied. This allows the backup provider to see the container's filesystem from the container's perspective. The 'prepare' phase of the backup hook is executed right before and allows the backup provider to prepare for the (usually) unprivileged execution context in the user namespace. The backup provider needs to back up the guest and firewall configuration and the filesystem structure of the container, honoring file exclusions and the bandwidth limit. Signed-off-by: Fiona Ebner --- Changes in v3: * pass in config as raw data instead of file name * run backup_container() method in user namespace associated to the container * warn if backing up privileged container to external provider src/PVE/VZDump/LXC.pm | 38 +++++++++++++++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/src/PVE/VZDump/LXC.pm b/src/PVE/VZDump/LXC.pm index 1928548..d201d8a 100644 --- a/src/PVE/VZDump/LXC.pm +++ b/src/PVE/VZDump/LXC.pm @@ -14,6 +14,7 @@ use PVE::LXC::Config; use PVE::LXC; use PVE::Storage; use PVE::Tools; +use PVE::Env; use PVE::VZDump; use base qw (PVE::VZDump::Plugin); @@ -124,6 +125,7 @@ sub prepare { my ($id_map, $root_uid, $root_gid) = PVE::LXC::parse_id_maps($conf); $task->{userns_cmd} = PVE::LXC::userns_command($id_map); + $task->{id_map} = $id_map; $task->{root_uid} = $root_uid; $task->{root_gid} = $root_gid; @@ -373,7 +375,41 @@ sub archive { my $userns_cmd = $task->{userns_cmd}; my $findexcl = $self->{vzdump}->{findexcl}; - if ($self->{vzdump}->{opts}->{pbs}) { + if (my $backup_provider = $self->{vzdump}->{'backup-provider'}) { + $self->loginfo("starting external backup via " . $backup_provider->provider_name()); + + if (!scalar($task->{id_map}->@*) || $task->{root_uid} == 0 || $task->{root_gid} == 0) { + $self->log("warn", "external backup of privileged container can only be restored as" + ." unprivileged which might not work in all cases"); + } + + my ($mechanism) = $backup_provider->backup_get_mechanism($vmid, 'lxc'); + die "mechanism '$mechanism' requested by backup provider is not supported for containers\n" + if $mechanism ne 'directory'; + + my $guest_config = PVE::Tools::file_get_contents("$tmpdir/etc/vzdump/pct.conf"); + my $firewall_file = "$tmpdir/etc/vzdump/pct.fw"; + + my $info = { + directory => $snapdir, + sources => [@sources], + 'backup-user-id' => $task->{root_uid}, + }; + $info->{'firewall-config'} = PVE::Tools::file_get_contents($firewall_file) + if -e $firewall_file; + $info->{'bandwidth-limit'} = $opts->{bwlimit} * 1024 if $opts->{bwlimit}; + + $backup_provider->backup_hook('prepare', $vmid, 'lxc', $info); + + if (scalar($task->{id_map}->@*)) { + PVE::Env::run_in_userns( + sub { $backup_provider->backup_container($vmid, $guest_config, $findexcl, $info); }, + $task->{id_map}, + ); + } else { + $backup_provider->backup_container($vmid, $guest_config, $findexcl, $info); + } + } elsif ($self->{vzdump}->{opts}->{pbs}) { my $param = []; push @$param, "pct.conf:$tmpdir/etc/vzdump/pct.conf"; -- 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel