Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
P
pve-manager
Project
Project
Details
Activity
Releases
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Administrator
pve-manager
Commits
e61ef871
Commit
e61ef871
authored
Feb 07, 2012
by
Dietmar Maurer
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
add permissions for openvz create/update
parent
b865665a
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
93 additions
and
29 deletions
+93
-29
OpenVZ.pm
PVE/API2/OpenVZ.pm
+93
-29
No files found.
PVE/API2/OpenVZ.pm
View file @
e61ef871
...
...
@@ -5,13 +5,13 @@ use warnings;
use
File::
Basename
;
use
File::
Path
;
use
POSIX
qw (LONG_MAX);
use
Cwd
'
abs_path
';
use
PVE::
SafeSyslog
;
use
PVE::
Tools
qw(extract_param run_command)
;
use
PVE::
Exception
qw(raise raise_param_exc)
;
use
PVE::
INotify
;
use
PVE::
Cluster
qw(cfs_lock_file cfs_read_file)
;
use
PVE::
Cluster
qw(cfs_lock_file cfs_read_file cfs_write_file)
;
use
PVE::
AccessControl
;
use
PVE::
Storage
;
use
PVE::
RESTHandler
;
use
PVE::
RPCEnvironment
;
...
...
@@ -59,6 +59,30 @@ CPUUNITS="1000"
CPUS="1"
__EOD
my
$check_ct_modify_config_perm
=
sub
{
my
(
$rpcenv
,
$authuser
,
$vmid
,
$pool
,
$key_list
)
=
@_
;
return
1
if
$authuser
ne
'
root@pam
';
foreach
my
$opt
(
@$key_list
)
{
if
(
$opt
eq
'
cpus
'
||
$opt
eq
'
cpuunits
'
||
$opt
eq
'
cpulimit
')
{
$rpcenv
->
check_vm_perm
(
$authuser
,
$vmid
,
$pool
,
['
VM.Config.CPU
']);
}
elsif
(
$opt
eq
'
disk
'
||
$opt
eq
'
quotatime
'
||
$opt
eq
'
quotaugidlimit
')
{
$rpcenv
->
check_vm_perm
(
$authuser
,
$vmid
,
$pool
,
['
VM.Config.Disk
']);
}
elsif
(
$opt
eq
'
memory
'
||
$opt
eq
'
swap
')
{
$rpcenv
->
check_vm_perm
(
$authuser
,
$vmid
,
$pool
,
['
VM.Config.Memory
']);
}
elsif
(
$opt
eq
'
netif
'
||
$opt
eq
'
ip_address
'
||
$opt
eq
'
nameserver
'
||
$opt
eq
'
searchdomain
'
||
$opt
eq
'
hostname
')
{
$rpcenv
->
check_vm_perm
(
$authuser
,
$vmid
,
$pool
,
['
VM.Config.Network
']);
}
else
{
$rpcenv
->
check_vm_perm
(
$authuser
,
$vmid
,
$pool
,
['
VM.Config.Options
']);
}
}
return
1
;
};
__PACKAGE__
->
register_method
({
name
=>
'
vmlist
',
path
=>
'',
...
...
@@ -198,6 +222,13 @@ __PACKAGE__->register_method({
path
=>
'',
method
=>
'
POST
',
description
=>
"
Create or restore a container.
",
permissions
=>
{
description
=>
"
You need 'VM.Allocate' permissions on /vms/{vmid} or on the VM pool /pool/{pool}, and 'Datastore.AllocateSpace' on the storage.
",
check
=>
[
'
or
',
[
'
perm
',
'
/vms/{vmid}
',
['
VM.Allocate
']],
[
'
perm
',
'
/pool/{pool}
',
['
VM.Allocate
'],
require_param
=>
'
pool
'],
],
},
protected
=>
1
,
proxyto
=>
'
node
',
parameters
=>
{
...
...
@@ -230,6 +261,11 @@ __PACKAGE__->register_method({
type
=>
'
boolean
',
description
=>
"
Mark this as restore task.
",
},
pool
=>
{
optional
=>
1
,
type
=>
'
string
',
format
=>
'
pve-poolid
',
description
=>
"
Add the VM to the specified pool.
",
},
}),
},
returns
=>
{
...
...
@@ -240,7 +276,7 @@ __PACKAGE__->register_method({
my
$rpcenv
=
PVE::RPCEnvironment::
get
();
my
$user
=
$rpcenv
->
get_user
();
my
$
auth
user
=
$rpcenv
->
get_user
();
my
$node
=
extract_param
(
$param
,
'
node
');
...
...
@@ -250,6 +286,8 @@ __PACKAGE__->register_method({
my
$storage
=
extract_param
(
$param
,
'
storage
')
||
'
local
';
my
$pool
=
extract_param
(
$param
,
'
pool
');
my
$storage_cfg
=
cfs_read_file
("
storage.cfg
");
my
$scfg
=
PVE::Storage::
storage_check_node
(
$storage_cfg
,
$storage
,
$node
);
...
...
@@ -259,10 +297,28 @@ __PACKAGE__->register_method({
my
$private
=
PVE::Storage::
get_private_dir
(
$storage_cfg
,
$storage
,
$vmid
);
if
(
defined
(
$pool
))
{
$rpcenv
->
check_pool_exist
(
$pool
);
$rpcenv
->
check_perm_modify
(
$authuser
,
"
/pool/
$pool
");
}
$rpcenv
->
check
(
$authuser
,
"
/storage/
$storage
",
['
Datastore.AllocateSpace
']);
&
$check_ct_modify_config_perm
(
$rpcenv
,
$authuser
,
$vmid
,
$pool
,
[
keys
%
$param
]);
PVE::Storage::
activate_storage
(
$storage_cfg
,
$storage
);
my
$conf
=
PVE::OpenVZ::
parse_ovz_config
("
/tmp/openvz/
$vmid
.conf
",
$pve_base_ovz_config
);
my
$addVMtoPoolFn
=
sub
{
my
$usercfg
=
cfs_read_file
("
user.cfg
");
if
(
my
$data
=
$usercfg
->
{
pools
}
->
{
$pool
})
{
$data
->
{
vms
}
->
{
$vmid
}
=
1
;
$usercfg
->
{
vms
}
->
{
$vmid
}
=
$pool
;
cfs_write_file
("
user.cfg
",
$usercfg
);
}
};
my
$code
=
sub
{
my
$basecfg_fn
=
PVE::OpenVZ::
config_file
(
$vmid
);
...
...
@@ -284,14 +340,7 @@ __PACKAGE__->register_method({
if
!
$param
->
{
restore
};
$archive
=
'
-
';
}
else
{
if
(
PVE::Storage::
parse_volume_id
(
$ostemplate
,
1
))
{
$archive
=
PVE::Storage::
path
(
$storage_cfg
,
$ostemplate
);
}
else
{
raise_param_exc
({
archive
=>
"
Only root can pass arbitrary paths.
"
})
if
$user
ne
'
root@pam
';
$archive
=
abs_path
(
$ostemplate
);
}
$archive
=
$rpcenv
->
check_volume_access
(
$authuser
,
$storage_cfg
,
$vmid
,
$ostemplate
);
die
"
can't find file '
$archive
'
\n
"
if
!
-
f
$archive
;
}
...
...
@@ -346,15 +395,25 @@ __PACKAGE__->register_method({
PVE::OpenVZ::
set_rootpasswd
(
$private
,
$password
)
if
defined
(
$password
);
}
PVE::AccessControl::
lock_user_config
(
$addVMtoPoolFn
,
"
can't add VM to pool
")
if
$pool
;
};
return
$rpcenv
->
fork_worker
(
$param
->
{
restore
}
?
'
vzrestore
'
:
'
vzcreate
',
$vmid
,
$user
,
$realcmd
);
$vmid
,
$
auth
user
,
$realcmd
);
};
return
PVE::OpenVZ::
lock_container
(
$vmid
,
$code
);
}});
my
$vm_config_perm_list
=
[
'
VM.Config.Disk
',
'
VM.Config.CPU
',
'
VM.Config.Memory
',
'
VM.Config.Network
',
'
VM.Config.Options
',
];
__PACKAGE__
->
register_method
({
name
=>
'
update_vm
',
path
=>
'
{vmid}/config
',
...
...
@@ -362,6 +421,9 @@ __PACKAGE__->register_method({
protected
=>
1
,
proxyto
=>
'
node
',
description
=>
"
Set virtual machine options.
",
permissions
=>
{
check
=>
['
perm
',
'
/vms/{vmid}
',
$vm_config_perm_list
,
any
=>
1
],
},
parameters
=>
{
additionalProperties
=>
0
,
properties
=>
PVE::OpenVZ::
json_config_properties
(
...
...
@@ -382,7 +444,7 @@ __PACKAGE__->register_method({
my
$rpcenv
=
PVE::RPCEnvironment::
get
();
my
$user
=
$rpcenv
->
get_user
();
my
$
auth
user
=
$rpcenv
->
get_user
();
my
$node
=
extract_param
(
$param
,
'
node
');
...
...
@@ -392,6 +454,8 @@ __PACKAGE__->register_method({
die
"
no options specified
\n
"
if
!
scalar
(
keys
%
$param
);
&
$check_ct_modify_config_perm
(
$rpcenv
,
$authuser
,
$vmid
,
undef
,
[
keys
%
$param
]);
my
$code
=
sub
{
my
$conf
=
PVE::OpenVZ::
load_config
(
$vmid
);
...
...
@@ -404,7 +468,7 @@ __PACKAGE__->register_method({
my
$cmd
=
['
vzctl
',
'
--skiplock
',
'
set
',
$vmid
,
@$changes
,
'
--save
'];
PVE::Cluster::
log_msg
('
info
',
$user
,
"
update CT
$vmid
:
"
.
join
('
',
@$changes
));
PVE::Cluster::
log_msg
('
info
',
$
auth
user
,
"
update CT
$vmid
:
"
.
join
('
',
@$changes
));
run_command
(
$cmd
);
};
...
...
@@ -593,7 +657,7 @@ __PACKAGE__->register_method({
my
(
$param
)
=
@_
;
my
$rpcenv
=
PVE::RPCEnvironment::
get
();
my
$user
=
$rpcenv
->
get_user
();
my
$
auth
user
=
$rpcenv
->
get_user
();
my
$vmid
=
$param
->
{
vmid
};
...
...
@@ -712,7 +776,7 @@ __PACKAGE__->register_method({
my
$rpcenv
=
PVE::RPCEnvironment::
get
();
my
$user
=
$rpcenv
->
get_user
();
my
$
auth
user
=
$rpcenv
->
get_user
();
my
$vmid
=
$param
->
{
vmid
};
...
...
@@ -725,7 +789,7 @@ __PACKAGE__->register_method({
run_command
(
$cmd
);
};
return
$rpcenv
->
fork_worker
('
vzdestroy
',
$vmid
,
$user
,
$realcmd
);
return
$rpcenv
->
fork_worker
('
vzdestroy
',
$vmid
,
$
auth
user
,
$realcmd
);
}});
my
$sslcert
;
...
...
@@ -761,14 +825,14 @@ __PACKAGE__->register_method ({
my
$rpcenv
=
PVE::RPCEnvironment::
get
();
my
$user
=
$rpcenv
->
get_user
();
my
$
auth
user
=
$rpcenv
->
get_user
();
my
$vmid
=
$param
->
{
vmid
};
my
$node
=
$param
->
{
node
};
my
$authpath
=
"
/vms/
$vmid
";
my
$ticket
=
PVE::AccessControl::
assemble_vnc_ticket
(
$user
,
$authpath
);
my
$ticket
=
PVE::AccessControl::
assemble_vnc_ticket
(
$
auth
user
,
$authpath
);
$sslcert
=
PVE::Tools::
file_get_contents
("
/etc/pve/pve-root-ca.pem
",
8192
)
if
!
$sslcert
;
...
...
@@ -804,10 +868,10 @@ __PACKAGE__->register_method ({
return
;
};
my
$upid
=
$rpcenv
->
fork_worker
('
vncproxy
',
$vmid
,
$user
,
$realcmd
);
my
$upid
=
$rpcenv
->
fork_worker
('
vncproxy
',
$vmid
,
$
auth
user
,
$realcmd
);
return
{
user
=>
$user
,
user
=>
$
auth
user
,
ticket
=>
$ticket
,
port
=>
$port
,
upid
=>
$upid
,
...
...
@@ -963,7 +1027,7 @@ __PACKAGE__->register_method({
my
$rpcenv
=
PVE::RPCEnvironment::
get
();
my
$user
=
$rpcenv
->
get_user
();
my
$
auth
user
=
$rpcenv
->
get_user
();
my
$node
=
extract_param
(
$param
,
'
node
');
...
...
@@ -983,7 +1047,7 @@ __PACKAGE__->register_method({
return
;
};
return
$rpcenv
->
fork_worker
('
vzstart
',
$vmid
,
$user
,
$realcmd
);
return
$rpcenv
->
fork_worker
('
vzstart
',
$vmid
,
$
auth
user
,
$realcmd
);
}});
__PACKAGE__
->
register_method
({
...
...
@@ -1011,7 +1075,7 @@ __PACKAGE__->register_method({
my
$rpcenv
=
PVE::RPCEnvironment::
get
();
my
$user
=
$rpcenv
->
get_user
();
my
$
auth
user
=
$rpcenv
->
get_user
();
my
$node
=
extract_param
(
$param
,
'
node
');
...
...
@@ -1030,7 +1094,7 @@ __PACKAGE__->register_method({
return
;
};
my
$upid
=
$rpcenv
->
fork_worker
('
vzstop
',
$vmid
,
$user
,
$realcmd
);
my
$upid
=
$rpcenv
->
fork_worker
('
vzstop
',
$vmid
,
$
auth
user
,
$realcmd
);
return
$upid
;
}});
...
...
@@ -1073,7 +1137,7 @@ __PACKAGE__->register_method({
my
$rpcenv
=
PVE::RPCEnvironment::
get
();
my
$user
=
$rpcenv
->
get_user
();
my
$
auth
user
=
$rpcenv
->
get_user
();
my
$node
=
extract_param
(
$param
,
'
node
');
...
...
@@ -1106,7 +1170,7 @@ __PACKAGE__->register_method({
return
;
};
my
$upid
=
$rpcenv
->
fork_worker
('
vzshutdown
',
$vmid
,
$user
,
$realcmd
);
my
$upid
=
$rpcenv
->
fork_worker
('
vzshutdown
',
$vmid
,
$
auth
user
,
$realcmd
);
return
$upid
;
}});
...
...
@@ -1143,7 +1207,7 @@ __PACKAGE__->register_method({
my
$rpcenv
=
PVE::RPCEnvironment::
get
();
my
$user
=
$rpcenv
->
get_user
();
my
$
auth
user
=
$rpcenv
->
get_user
();
my
$target
=
extract_param
(
$param
,
'
target
');
...
...
@@ -1175,7 +1239,7 @@ __PACKAGE__->register_method({
return
;
};
my
$upid
=
$rpcenv
->
fork_worker
('
vzmigrate
',
$vmid
,
$user
,
$realcmd
);
my
$upid
=
$rpcenv
->
fork_worker
('
vzmigrate
',
$vmid
,
$
auth
user
,
$realcmd
);
return
$upid
;
}});
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment