1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623 |
- #
- # The Qubes OS Project, http://www.qubes-os.org
- #
- # Copyright (C) 2013-2015 Marek Marczykowski-Górecki
- # <marmarek@invisiblethingslab.com>
- # Copyright (C) 2013 Olivier Médoc <o_medoc@yahoo.fr>
- #
- # This program is free software; you can redistribute it and/or
- # modify it under the terms of the GNU General Public License
- # as published by the Free Software Foundation; either version 2
- # of the License, or (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- # GNU General Public License for more details.
- #
- # You should have received a copy of the GNU General Public License
- # along with this program. If not, see <http://www.gnu.org/licenses/>
- #
- #
- from __future__ import unicode_literals
- import itertools
- import logging
- import functools
- import termios
- from qubes.utils import size_to_human
- import sys
- import stat
- import os
- import fcntl
- import subprocess
- import re
- import shutil
- import tempfile
- import time
- import grp
- import pwd
- import errno
- import datetime
- from multiprocessing import Queue, Process
- import qubes
- import qubes.core2migration
- import qubes.storage
- import qubes.storage.file
- import qubes.vm.templatevm
- QUEUE_ERROR = "ERROR"
- QUEUE_FINISHED = "FINISHED"
- HEADER_FILENAME = 'backup-header'
- DEFAULT_CRYPTO_ALGORITHM = 'aes-256-cbc'
- # 'scrypt' is not exactly HMAC algorithm, but a tool we use to
- # integrity-protect the data
- DEFAULT_HMAC_ALGORITHM = 'scrypt'
- DEFAULT_COMPRESSION_FILTER = 'gzip'
- CURRENT_BACKUP_FORMAT_VERSION = '4'
- # Maximum size of error message get from process stderr (including VM process)
- MAX_STDERR_BYTES = 1024
- # header + qubes.xml max size
- HEADER_QUBES_XML_MAX_SIZE = 1024 * 1024
- # hmac file max size - regardless of backup format version!
- HMAC_MAX_SIZE = 4096
- BLKSIZE = 512
- _re_alphanum = re.compile(r'^[A-Za-z0-9-]*$')
- class BackupCanceledError(qubes.exc.QubesException):
- def __init__(self, msg, tmpdir=None):
- super(BackupCanceledError, self).__init__(msg)
- self.tmpdir = tmpdir
- class BackupHeader(object):
- '''Structure describing backup-header file included as the first file in
- backup archive
- '''
- header_keys = {
- 'version': 'version',
- 'encrypted': 'encrypted',
- 'compressed': 'compressed',
- 'compression-filter': 'compression_filter',
- 'crypto-algorithm': 'crypto_algorithm',
- 'hmac-algorithm': 'hmac_algorithm',
- 'backup-id': 'backup_id'
- }
- bool_options = ['encrypted', 'compressed']
- int_options = ['version']
- def __init__(self,
- header_data=None,
- version=None,
- encrypted=None,
- compressed=None,
- compression_filter=None,
- hmac_algorithm=None,
- crypto_algorithm=None,
- backup_id=None):
- # repeat the list to help code completion...
- self.version = version
- self.encrypted = encrypted
- self.compressed = compressed
- # Options introduced in backup format 3+, which always have a header,
- # so no need for fallback in function parameter
- self.compression_filter = compression_filter
- self.hmac_algorithm = hmac_algorithm
- self.crypto_algorithm = crypto_algorithm
- self.backup_id = backup_id
- if header_data is not None:
- self.load(header_data)
- def load(self, untrusted_header_text):
- """Parse backup header file.
- :param untrusted_header_text: header content
- :type untrusted_header_text: basestring
- .. warning::
- This function may be exposed to not yet verified header,
- so is security critical.
- """
- try:
- untrusted_header_text = untrusted_header_text.decode('ascii')
- except UnicodeDecodeError:
- raise qubes.exc.QubesException(
- "Non-ASCII characters in backup header")
- for untrusted_line in untrusted_header_text.splitlines():
- if untrusted_line.count('=') != 1:
- raise qubes.exc.QubesException("Invalid backup header")
- key, value = untrusted_line.strip().split('=', 1)
- if not _re_alphanum.match(key):
- raise qubes.exc.QubesException("Invalid backup header (key)")
- if key not in self.header_keys.keys():
- # Ignoring unknown option
- continue
- if not _re_alphanum.match(value):
- raise qubes.exc.QubesException("Invalid backup header (value)")
- if getattr(self, self.header_keys[key]) is not None:
- raise qubes.exc.QubesException(
- "Duplicated header line: {}".format(key))
- if key in self.bool_options:
- value = value.lower() in ["1", "true", "yes"]
- elif key in self.int_options:
- value = int(value)
- setattr(self, self.header_keys[key], value)
- self.validate()
- def validate(self):
- if self.version == 1:
- # header not really present
- pass
- elif self.version in [2, 3, 4]:
- expected_attrs = ['version', 'encrypted', 'compressed',
- 'hmac_algorithm']
- if self.encrypted:
- expected_attrs += ['crypto_algorithm']
- if self.version >= 3 and self.compressed:
- expected_attrs += ['compression_filter']
- if self.version >= 4:
- expected_attrs += ['backup_id']
- for key in expected_attrs:
- if getattr(self, key) is None:
- raise qubes.exc.QubesException(
- "Backup header lack '{}' info".format(key))
- else:
- raise qubes.exc.QubesException(
- "Unsupported backup version {}".format(self.version))
- def save(self, filename):
- with open(filename, "w") as f:
- # make sure 'version' is the first key
- f.write('version={}\n'.format(self.version))
- for key, attr in self.header_keys.items():
- if key == 'version':
- continue
- if getattr(self, attr) is None:
- continue
- f.write("{!s}={!s}\n".format(key, getattr(self, attr)))
- class SendWorker(Process):
- def __init__(self, queue, base_dir, backup_stdout):
- super(SendWorker, self).__init__()
- self.queue = queue
- self.base_dir = base_dir
- self.backup_stdout = backup_stdout
- self.log = logging.getLogger('qubes.backup')
- def run(self):
- self.log.debug("Started sending thread")
- self.log.debug("Moving to temporary dir".format(self.base_dir))
- os.chdir(self.base_dir)
- for filename in iter(self.queue.get, None):
- if filename in (QUEUE_FINISHED, QUEUE_ERROR):
- break
- self.log.debug("Sending file {}".format(filename))
- # This tar used for sending data out need to be as simple, as
- # simple, as featureless as possible. It will not be
- # verified before untaring.
- tar_final_cmd = ["tar", "-cO", "--posix",
- "-C", self.base_dir, filename]
- final_proc = subprocess.Popen(tar_final_cmd,
- stdin=subprocess.PIPE,
- stdout=self.backup_stdout)
- if final_proc.wait() >= 2:
- if self.queue.full():
- # if queue is already full, remove some entry to wake up
- # main thread, so it will be able to notice error
- self.queue.get()
- # handle only exit code 2 (tar fatal error) or
- # greater (call failed?)
- raise qubes.exc.QubesException(
- "ERROR: Failed to write the backup, out of disk space? "
- "Check console output or ~/.xsession-errors for details.")
- # Delete the file as we don't need it anymore
- self.log.debug("Removing file {}".format(filename))
- os.remove(filename)
- self.log.debug("Finished sending thread")
- def launch_proc_with_pty(args, stdin=None, stdout=None, stderr=None, echo=True):
- """Similar to pty.fork, but handle stdin/stdout according to parameters
- instead of connecting to the pty
- :return tuple (subprocess.Popen, pty_master)
- """
- def set_ctty(ctty_fd, master_fd):
- os.setsid()
- os.close(master_fd)
- fcntl.ioctl(ctty_fd, termios.TIOCSCTTY, 0)
- if not echo:
- termios_p = termios.tcgetattr(ctty_fd)
- # termios_p.c_lflags
- termios_p[3] &= ~termios.ECHO
- termios.tcsetattr(ctty_fd, termios.TCSANOW, termios_p)
- (pty_master, pty_slave) = os.openpty()
- p = subprocess.Popen(args, stdin=stdin, stdout=stdout, stderr=stderr,
- preexec_fn=lambda: set_ctty(pty_slave, pty_master))
- os.close(pty_slave)
- return p, os.fdopen(pty_master, 'wb+', buffering=0)
- def launch_scrypt(action, input_name, output_name, passphrase):
- '''
- Launch 'scrypt' process, pass passphrase to it and return
- subprocess.Popen object.
- :param action: 'enc' or 'dec'
- :param input_name: input path or '-' for stdin
- :param output_name: output path or '-' for stdout
- :param passphrase: passphrase
- :return: subprocess.Popen object
- '''
- command_line = ['scrypt', action, input_name, output_name]
- (p, pty) = launch_proc_with_pty(command_line,
- stdin=subprocess.PIPE if input_name == '-' else None,
- stdout=subprocess.PIPE if output_name == '-' else None,
- stderr=subprocess.PIPE,
- echo=False)
- if action == 'enc':
- prompts = (b'Please enter passphrase: ', b'Please confirm passphrase: ')
- else:
- prompts = (b'Please enter passphrase: ',)
- for prompt in prompts:
- actual_prompt = p.stderr.read(len(prompt))
- if actual_prompt != prompt:
- raise qubes.exc.QubesException(
- 'Unexpected prompt from scrypt: {}'.format(actual_prompt))
- pty.write(passphrase.encode('utf-8') + b'\n')
- pty.flush()
- # save it here, so garbage collector would not close it (which would kill
- # the child)
- p.pty = pty
- return p
- class Backup(object):
- '''Backup operation manager. Usage:
- >>> app = qubes.Qubes()
- >>> # optional - you can use 'None' to use default list (based on
- >>> # vm.include_in_backups property)
- >>> vms = [app.domains[name] for name in ['my-vm1', 'my-vm2', 'my-vm3']]
- >>> exclude_vms = []
- >>> options = {
- >>> 'encrypted': True,
- >>> 'compressed': True,
- >>> 'passphrase': 'This is very weak backup passphrase',
- >>> 'target_vm': app.domains['sys-usb'],
- >>> 'target_dir': '/media/disk',
- >>> }
- >>> backup_op = Backup(app, vms, exclude_vms, **options)
- >>> print(backup_op.get_backup_summary())
- >>> backup_op.backup_do()
- See attributes of this object for all available options.
- '''
- class FileToBackup(object):
- def __init__(self, file_path, subdir=None, name=None):
- sz = qubes.storage.file.get_disk_usage(file_path)
- if subdir is None:
- abs_file_path = os.path.abspath(file_path)
- abs_base_dir = os.path.abspath(
- qubes.config.system_path["qubes_base_dir"]) + '/'
- abs_file_dir = os.path.dirname(abs_file_path) + '/'
- (nothing, directory, subdir) = abs_file_dir.partition(abs_base_dir)
- assert nothing == ""
- assert directory == abs_base_dir
- else:
- if len(subdir) > 0 and not subdir.endswith('/'):
- subdir += '/'
- #: real path to the file
- self.path = file_path
- #: size of the file
- self.size = sz
- #: directory in backup archive where file should be placed
- self.subdir = subdir
- #: use this name in the archive (aka rename)
- self.name = os.path.basename(file_path)
- if name is not None:
- self.name = name
- class VMToBackup(object):
- def __init__(self, vm, files, subdir):
- self.vm = vm
- self.files = files
- self.subdir = subdir
- @property
- def size(self):
- return functools.reduce(lambda x, y: x + y.size, self.files, 0)
- def __init__(self, app, vms_list=None, exclude_list=None, **kwargs):
- """
- If vms = None, include all (sensible) VMs;
- exclude_list is always applied
- """
- super(Backup, self).__init__()
- #: progress of the backup - bytes handled of the current VM
- self.chunk_size = 100 * 1024 * 1024
- self._current_vm_bytes = 0
- #: progress of the backup - bytes handled of finished VMs
- self._done_vms_bytes = 0
- #: total backup size (set by :py:meth:`get_files_to_backup`)
- self.total_backup_bytes = 0
- #: application object
- self.app = app
- #: directory for temporary files - set after creating the directory
- self.tmpdir = None
- # Backup settings - defaults
- #: should the backup be encrypted?
- self.encrypted = True
- #: should the backup be compressed?
- self.compressed = True
- #: what passphrase should be used to intergrity protect (and encrypt)
- #: the backup; required
- self.passphrase = None
- #: custom hmac algorithm
- self.hmac_algorithm = DEFAULT_HMAC_ALGORITHM
- #: custom encryption algorithm
- self.crypto_algorithm = DEFAULT_CRYPTO_ALGORITHM
- #: custom compression filter; a program which process stdin to stdout
- self.compression_filter = DEFAULT_COMPRESSION_FILTER
- #: VM to which backup should be sent (if any)
- self.target_vm = None
- #: directory to save backup in (either in dom0 or target VM,
- #: depending on :py:attr:`target_vm`
- self.target_dir = None
- #: callback for progress reporting. Will be called with one argument
- #: - progress in percents
- self.progress_callback = None
- #: backup ID, needs to be unique (for a given user),
- #: not necessary unpredictable; automatically generated
- self.backup_id = datetime.datetime.now().strftime(
- '%Y%m%dT%H%M%S-' + str(os.getpid()))
- for key, value in kwargs.items():
- if hasattr(self, key):
- setattr(self, key, value)
- else:
- raise AttributeError(key)
- #: whether backup was canceled
- self.canceled = False
- #: list of PIDs to kill on backup cancel
- self.processes_to_kill_on_cancel = []
- self.log = logging.getLogger('qubes.backup')
- if not self.encrypted:
- self.log.warning('\'encrypted\' option is ignored, backup is '
- 'always encrypted')
- if exclude_list is None:
- exclude_list = []
- if vms_list is None:
- vms_list = [vm for vm in app.domains if vm.include_in_backups]
- # Apply exclude list
- self.vms_for_backup = [vm for vm in vms_list
- if vm.name not in exclude_list]
- self._files_to_backup = self.get_files_to_backup()
- def __del__(self):
- if self.tmpdir and os.path.exists(self.tmpdir):
- shutil.rmtree(self.tmpdir)
- def cancel(self):
- """Cancel running backup operation. Can be called from another thread.
- """
- self.canceled = True
- for proc in self.processes_to_kill_on_cancel:
- try:
- proc.terminate()
- except OSError:
- pass
- def get_files_to_backup(self):
- files_to_backup = {}
- for vm in self.vms_for_backup:
- if vm.qid == 0:
- # handle dom0 later
- continue
- if self.encrypted:
- subdir = 'vm%d/' % vm.qid
- else:
- subdir = None
- vm_files = []
- if vm.volumes['private'] is not None:
- path_to_private_img = vm.storage.export('private')
- vm_files.append(self.FileToBackup(path_to_private_img, subdir,
- 'private.img'))
- vm_files.append(self.FileToBackup(vm.icon_path, subdir))
- vm_files.extend(self.FileToBackup(i, subdir)
- for i in vm.fire_event('backup-get-files'))
- # TODO: drop after merging firewall.xml into qubes.xml
- firewall_conf = os.path.join(vm.dir_path, vm.firewall_conf)
- if os.path.exists(firewall_conf):
- vm_files.append(self.FileToBackup(firewall_conf, subdir))
- if vm.updateable:
- path_to_root_img = vm.storage.export('root')
- vm_files.append(self.FileToBackup(path_to_root_img, subdir,
- 'root.img'))
- files_to_backup[vm.qid] = self.VMToBackup(vm, vm_files, subdir)
- # Dom0 user home
- if 0 in [vm.qid for vm in self.vms_for_backup]:
- local_user = grp.getgrnam('qubes').gr_mem[0]
- home_dir = pwd.getpwnam(local_user).pw_dir
- # Home dir should have only user-owned files, so fix it now
- # to prevent permissions problems - some root-owned files can
- # left after 'sudo bash' and similar commands
- subprocess.check_call(['sudo', 'chown', '-R', local_user, home_dir])
- home_to_backup = [
- self.FileToBackup(home_dir, 'dom0-home/')]
- vm_files = home_to_backup
- files_to_backup[0] = self.VMToBackup(self.app.domains[0],
- vm_files,
- os.path.join('dom0-home', os.path.basename(home_dir)))
- self.total_backup_bytes = functools.reduce(
- lambda x, y: x + y.size, files_to_backup.values(), 0)
- return files_to_backup
- def get_backup_summary(self):
- summary = ""
- fields_to_display = [
- {"name": "VM", "width": 16},
- {"name": "type", "width": 12},
- {"name": "size", "width": 12}
- ]
- # Display the header
- for f in fields_to_display:
- fmt = "{{0:-^{0}}}-+".format(f["width"] + 1)
- summary += fmt.format('-')
- summary += "\n"
- for f in fields_to_display:
- fmt = "{{0:>{0}}} |".format(f["width"] + 1)
- summary += fmt.format(f["name"])
- summary += "\n"
- for f in fields_to_display:
- fmt = "{{0:-^{0}}}-+".format(f["width"] + 1)
- summary += fmt.format('-')
- summary += "\n"
- files_to_backup = self._files_to_backup
- for qid, vm_info in files_to_backup.items():
- s = ""
- fmt = "{{0:>{0}}} |".format(fields_to_display[0]["width"] + 1)
- s += fmt.format(vm_info['vm'].name)
- fmt = "{{0:>{0}}} |".format(fields_to_display[1]["width"] + 1)
- if qid == 0:
- s += fmt.format("User home")
- elif isinstance(vm_info['vm'], qubes.vm.templatevm.TemplateVM):
- s += fmt.format("Template VM")
- else:
- s += fmt.format("VM" + (" + Sys" if vm_info['vm'].updateable
- else ""))
- vm_size = vm_info['size']
- fmt = "{{0:>{0}}} |".format(fields_to_display[2]["width"] + 1)
- s += fmt.format(size_to_human(vm_size))
- if qid != 0 and vm_info['vm'].is_running():
- s += " <-- The VM is running, please shut it down before proceeding " \
- "with the backup!"
- summary += s + "\n"
- for f in fields_to_display:
- fmt = "{{0:-^{0}}}-+".format(f["width"] + 1)
- summary += fmt.format('-')
- summary += "\n"
- fmt = "{{0:>{0}}} |".format(fields_to_display[0]["width"] + 1)
- summary += fmt.format("Total size:")
- fmt = "{{0:>{0}}} |".format(
- fields_to_display[1]["width"] + 1 + 2 + fields_to_display[2][
- "width"] + 1)
- summary += fmt.format(size_to_human(self.total_backup_bytes))
- summary += "\n"
- for f in fields_to_display:
- fmt = "{{0:-^{0}}}-+".format(f["width"] + 1)
- summary += fmt.format('-')
- summary += "\n"
- vms_not_for_backup = [vm.name for vm in self.app.domains
- if vm not in self.vms_for_backup]
- summary += "VMs not selected for backup:\n - " + "\n - ".join(
- sorted(vms_not_for_backup))
- return summary
- def prepare_backup_header(self):
- header_file_path = os.path.join(self.tmpdir, HEADER_FILENAME)
- backup_header = BackupHeader(
- version=CURRENT_BACKUP_FORMAT_VERSION,
- hmac_algorithm=self.hmac_algorithm,
- crypto_algorithm=self.crypto_algorithm,
- encrypted=self.encrypted,
- compressed=self.compressed,
- compression_filter=self.compression_filter,
- backup_id=self.backup_id,
- )
- backup_header.save(header_file_path)
- # Start encrypt, scrypt will also handle integrity
- # protection
- scrypt_passphrase = u'{filename}!{passphrase}'.format(
- filename=HEADER_FILENAME, passphrase=self.passphrase)
- scrypt = launch_scrypt(
- 'enc', header_file_path, header_file_path + '.hmac',
- scrypt_passphrase)
- if scrypt.wait() != 0:
- raise qubes.exc.QubesException(
- "Failed to compute hmac of header file: "
- + scrypt.stderr.read())
- return HEADER_FILENAME, HEADER_FILENAME + ".hmac"
- @staticmethod
- def _queue_put_with_check(proc, vmproc, queue, element):
- if queue.full():
- if not proc.is_alive():
- if vmproc:
- message = ("Failed to write the backup, VM output:\n" +
- vmproc.stderr.read())
- else:
- message = "Failed to write the backup. Out of disk space?"
- raise qubes.exc.QubesException(message)
- queue.put(element)
- def _send_progress_update(self):
- if callable(self.progress_callback):
- progress = (
- 100 * (self._done_vms_bytes + self._current_vm_bytes) /
- self.total_backup_bytes)
- self.progress_callback(progress)
- def _add_vm_progress(self, bytes_done):
- self._current_vm_bytes += bytes_done
- self._send_progress_update()
- def backup_do(self):
- if self.passphrase is None:
- raise qubes.exc.QubesException("No passphrase set")
- qubes_xml = self.app.store
- self.tmpdir = tempfile.mkdtemp()
- shutil.copy(qubes_xml, os.path.join(self.tmpdir, 'qubes.xml'))
- qubes_xml = os.path.join(self.tmpdir, 'qubes.xml')
- backup_app = qubes.Qubes(qubes_xml)
- files_to_backup = self._files_to_backup
- # make sure backup_content isn't set initially
- for vm in backup_app.domains:
- vm.features['backup-content'] = False
- for qid, vm_info in files_to_backup.items():
- if qid != 0 and vm_info.vm.is_running():
- raise qubes.exc.QubesVMNotHaltedError(vm_info.vm)
- # VM is included in the backup
- backup_app.domains[qid].features['backup-content'] = True
- backup_app.domains[qid].features['backup-path'] = vm_info.subdir
- backup_app.domains[qid].features['backup-size'] = vm_info.size
- backup_app.save()
- vmproc = None
- tar_sparse = None
- if self.target_vm is not None:
- # Prepare the backup target (Qubes service call)
- # If APPVM, STDOUT is a PIPE
- vmproc = self.target_vm.run_service('qubes.Backup',
- passio_popen=True, passio_stderr=True)
- vmproc.stdin.write((self.target_dir.
- replace("\r", "").replace("\n", "") + "\n").encode())
- vmproc.stdin.flush()
- backup_stdout = vmproc.stdin
- self.processes_to_kill_on_cancel.append(vmproc)
- else:
- # Prepare the backup target (local file)
- if os.path.isdir(self.target_dir):
- backup_target = self.target_dir + "/qubes-{0}". \
- format(time.strftime("%Y-%m-%dT%H%M%S"))
- else:
- backup_target = self.target_dir
- # Create the target directory
- if not os.path.exists(os.path.dirname(self.target_dir)):
- raise qubes.exc.QubesException(
- "ERROR: the backup directory for {0} does not exists".
- format(self.target_dir))
- # If not APPVM, STDOUT is a local file
- backup_stdout = open(backup_target, 'wb')
- # Tar with tape length does not deals well with stdout
- # (close stdout between two tapes)
- # For this reason, we will use named pipes instead
- self.log.debug("Working in {}".format(self.tmpdir))
- backup_pipe = os.path.join(self.tmpdir, "backup_pipe")
- self.log.debug("Creating pipe in: {}".format(backup_pipe))
- os.mkfifo(backup_pipe)
- self.log.debug("Will backup: {}".format(files_to_backup))
- header_files = self.prepare_backup_header()
- # Setup worker to send encrypted data chunks to the backup_target
- to_send = Queue(10)
- send_proc = SendWorker(to_send, self.tmpdir, backup_stdout)
- send_proc.start()
- for f in header_files:
- to_send.put(f)
- qubes_xml_info = self.VMToBackup(
- None,
- [self.FileToBackup(qubes_xml, '')],
- ''
- )
- for vm_info in itertools.chain([qubes_xml_info],
- files_to_backup.values()):
- for file_info in vm_info.files:
- self.log.debug("Backing up {}".format(file_info))
- backup_tempfile = os.path.join(
- self.tmpdir, file_info.subdir,
- file_info.name)
- self.log.debug("Using temporary location: {}".format(
- backup_tempfile))
- # Ensure the temporary directory exists
- if not os.path.isdir(os.path.dirname(backup_tempfile)):
- os.makedirs(os.path.dirname(backup_tempfile))
- # The first tar cmd can use any complex feature as we want.
- # Files will be verified before untaring this.
- # Prefix the path in archive with filename["subdir"] to have it
- # verified during untar
- tar_cmdline = (["tar", "-Pc", '--sparse',
- "-f", backup_pipe,
- '-C', os.path.dirname(file_info.path)] +
- (['--dereference'] if
- file_info.subdir != "dom0-home/" else []) +
- ['--xform=s:^%s:%s\\0:' % (
- os.path.basename(file_info.path),
- file_info.subdir),
- os.path.basename(file_info.path)
- ])
- file_stat = os.stat(file_info.path)
- if stat.S_ISBLK(file_stat.st_mode) or \
- file_info.name != os.path.basename(file_info.path):
- # tar doesn't handle content of block device, use our
- # writer
- # also use our tar writer when renaming file
- assert not stat.S_ISDIR(file_stat.st_mode),\
- "Renaming directories not supported"
- tar_cmdline = ['python3', '-m', 'qubes.tarwriter',
- '--override-name=%s' % (
- os.path.join(file_info.subdir, os.path.basename(
- file_info.name))),
- file_info.path,
- backup_pipe]
- if self.compressed:
- tar_cmdline.insert(-2,
- "--use-compress-program=%s" % self.compression_filter)
- self.log.debug(" ".join(tar_cmdline))
- # Pipe: tar-sparse | scrypt | tar | backup_target
- # TODO: log handle stderr
- tar_sparse = subprocess.Popen(
- tar_cmdline)
- self.processes_to_kill_on_cancel.append(tar_sparse)
- # Wait for compressor (tar) process to finish or for any
- # error of other subprocesses
- i = 0
- pipe = open(backup_pipe, 'rb')
- run_error = "paused"
- while run_error == "paused":
- # Prepare a first chunk
- chunkfile = backup_tempfile + ".%03d.enc" % i
- i += 1
- # Start encrypt, scrypt will also handle integrity
- # protection
- scrypt_passphrase = \
- u'{backup_id}!{filename}!{passphrase}'.format(
- backup_id=self.backup_id,
- filename=os.path.relpath(chunkfile[:-4],
- self.tmpdir),
- passphrase=self.passphrase)
- scrypt = launch_scrypt(
- "enc", "-", chunkfile, scrypt_passphrase)
- run_error = handle_streams(
- pipe,
- {'backup_target': scrypt.stdin},
- {'vmproc': vmproc,
- 'addproc': tar_sparse,
- 'scrypt': scrypt,
- },
- self.chunk_size,
- self._add_vm_progress
- )
- self.log.debug(
- "Wait_backup_feedback returned: {}".format(run_error))
- if self.canceled:
- try:
- tar_sparse.terminate()
- except OSError:
- pass
- tar_sparse.wait()
- to_send.put(QUEUE_ERROR)
- send_proc.join()
- shutil.rmtree(self.tmpdir)
- raise BackupCanceledError("Backup canceled")
- if run_error and run_error != "size_limit":
- send_proc.terminate()
- if run_error == "VM" and vmproc:
- raise qubes.exc.QubesException(
- "Failed to write the backup, VM output:\n" +
- vmproc.stderr.read(MAX_STDERR_BYTES))
- else:
- raise qubes.exc.QubesException(
- "Failed to perform backup: error in " +
- run_error)
- scrypt.stdin.close()
- scrypt.wait()
- self.log.debug("scrypt return code: {}".format(
- scrypt.poll()))
- # Send the chunk to the backup target
- self._queue_put_with_check(
- send_proc, vmproc, to_send,
- os.path.relpath(chunkfile, self.tmpdir))
- if tar_sparse.poll() is None or run_error == "size_limit":
- run_error = "paused"
- else:
- self.processes_to_kill_on_cancel.remove(tar_sparse)
- self.log.debug(
- "Finished tar sparse with exit code {}".format(
- tar_sparse.poll()))
- pipe.close()
- # This VM done, update progress
- self._done_vms_bytes += vm_info.size
- self._current_vm_bytes = 0
- self._send_progress_update()
- # Save date of last backup
- if vm_info.vm:
- vm_info.vm.backup_timestamp = datetime.datetime.now()
- self._queue_put_with_check(send_proc, vmproc, to_send, QUEUE_FINISHED)
- send_proc.join()
- shutil.rmtree(self.tmpdir)
- if self.canceled:
- raise BackupCanceledError("Backup canceled")
- if send_proc.exitcode != 0:
- raise qubes.exc.QubesException(
- "Failed to send backup: error in the sending process")
- if vmproc:
- self.log.debug("VMProc1 proc return code: {}".format(vmproc.poll()))
- if tar_sparse is not None:
- self.log.debug("Sparse1 proc return code: {}".format(
- tar_sparse.poll()))
- vmproc.stdin.close()
- self.app.save()
- def handle_streams(stream_in, streams_out, processes, size_limit=None,
- progress_callback=None):
- '''
- Copy stream_in to all streams_out and monitor all mentioned processes.
- If any of them terminate with non-zero code, interrupt the process. Copy
- at most `size_limit` data (if given).
- :param stream_in: file-like object to read data from
- :param streams_out: dict of file-like objects to write data to
- :param processes: dict of subprocess.Popen objects to monitor
- :param size_limit: int maximum data amount to process
- :param progress_callback: callable function to report progress, will be
- given copied data size (it should accumulate internally)
- :return: failed process name, failed stream name, "size_limit" or None (
- no error)
- '''
- buffer_size = 409600
- bytes_copied = 0
- while True:
- if size_limit:
- to_copy = min(buffer_size, size_limit - bytes_copied)
- if to_copy <= 0:
- return "size_limit"
- else:
- to_copy = buffer_size
- buf = stream_in.read(to_copy)
- if not len(buf):
- # done
- return None
- if callable(progress_callback):
- progress_callback(len(buf))
- for name, stream in streams_out.items():
- if stream is None:
- continue
- try:
- stream.write(buf)
- except IOError:
- return name
- bytes_copied += len(buf)
- for name, proc in processes.items():
- if proc is None:
- continue
- if proc.poll():
- return name
- class ExtractWorker2(Process):
- def __init__(self, queue, base_dir, passphrase, encrypted,
- progress_callback, vmproc=None,
- compressed=False, crypto_algorithm=DEFAULT_CRYPTO_ALGORITHM,
- verify_only=False, relocate=None):
- super(ExtractWorker2, self).__init__()
- #: queue with files to extract
- self.queue = queue
- #: paths on the queue are relative to this dir
- self.base_dir = base_dir
- #: passphrase to decrypt/authenticate data
- self.passphrase = passphrase
- #: extract those files/directories to alternative locations (truncate,
- # but not unlink target beforehand); if specific file is in the map,
- # redirect it accordingly, otherwise check if the whole directory is
- # there
- self.relocate = relocate
- #: is the backup encrypted?
- self.encrypted = encrypted
- #: is the backup compressed?
- self.compressed = compressed
- #: what crypto algorithm is used for encryption?
- self.crypto_algorithm = crypto_algorithm
- #: only verify integrity, don't extract anything
- self.verify_only = verify_only
- #: progress
- self.blocks_backedup = 0
- #: inner tar layer extraction (subprocess.Popen instance)
- self.tar2_process = None
- #: current inner tar archive name
- self.tar2_current_file = None
- #: set size of this file when tar report it on stderr (adjust LVM
- # volume size)
- self.adjust_output_size = None
- #: decompressor subprocess.Popen instance
- self.decompressor_process = None
- #: decryptor subprocess.Popen instance
- self.decryptor_process = None
- #: callback reporting progress to UI
- self.progress_callback = progress_callback
- #: process (subprocess.Popen instance) feeding the data into
- # extraction tool
- self.vmproc = vmproc
- #: pipe to feed the data into tar (use pipe instead of stdin,
- # as stdin is used for tar control commands)
- self.restore_pipe = os.path.join(self.base_dir, "restore_pipe")
- self.log = logging.getLogger('qubes.backup.extract')
- self.log.debug("Creating pipe in: {}".format(self.restore_pipe))
- os.mkfifo(self.restore_pipe)
- self.stderr_encoding = sys.stderr.encoding or 'utf-8'
- def collect_tar_output(self):
- if not self.tar2_process.stderr:
- return
- if self.tar2_process.poll() is None:
- try:
- new_lines = self.tar2_process.stderr \
- .read(MAX_STDERR_BYTES).splitlines()
- except IOError as e:
- if e.errno == errno.EAGAIN:
- return
- else:
- raise
- else:
- new_lines = self.tar2_process.stderr.readlines()
- new_lines = map(lambda x: x.decode(self.stderr_encoding), new_lines)
- msg_re = re.compile(r".*#[0-9].*restore_pipe")
- debug_msg = filter(msg_re.match, new_lines)
- self.log.debug('tar2_stderr: {}'.format('\n'.join(debug_msg)))
- new_lines = filter(lambda x: not msg_re.match(x), new_lines)
- if self.adjust_output_size:
- # search for first file size reported by tar, after setting
- # self.adjust_output_size (so don't look at self.tar2_stderr)
- # this is used only when extracting single-file archive, so don't
- # bother with checking file name
- file_size_re = re.compile(r"^[^ ]+ [^ ]+/[^ ]+ *([0-9]+) .*")
- for line in new_lines:
- match = file_size_re.match(line)
- if match:
- file_size = match.groups()[0]
- self.resize_lvm(self.adjust_output_size, file_size)
- self.adjust_output_size = None
- self.tar2_stderr += new_lines
- def resize_lvm(self, dev, size):
- # FIXME: HACK
- try:
- subprocess.check_call(
- ['sudo', 'lvresize', '-f', '-L', str(size) + 'B', dev],
- stdout=open(os.devnull, 'w'), stderr=subprocess.STDOUT)
- except subprocess.CalledProcessError as e:
- if e.returncode == 3:
- # already at the right size
- pass
- else:
- raise
- def run(self):
- try:
- self.__run__()
- except Exception as e:
- # Cleanup children
- for process in [self.decompressor_process,
- self.decryptor_process,
- self.tar2_process]:
- if process:
- try:
- process.terminate()
- except OSError:
- pass
- process.wait()
- self.log.error("ERROR: " + str(e))
- raise
- def handle_dir_relocations(self, dirname):
- ''' Relocate files in given director when it's already extracted
- :param dirname: directory path to handle (relative to backup root),
- without trailing slash
- '''
- for old, new in self.relocate:
- if not old.startswith(dirname + '/'):
- continue
- # if directory is relocated too (most likely is), the file
- # is extracted there
- if dirname in self.relocate:
- old = old.replace(dirname, self.relocate[dirname], 1)
- try:
- stat_buf = os.stat(new)
- if stat.S_ISBLK(stat_buf.st_mode):
- # output file is block device (LVM) - adjust its
- # size, otherwise it may fail
- # from lack of space
- self.resize_lvm(new, stat_buf.st_size)
- except OSError: # ENOENT
- pass
- subprocess.check_call(
- ['dd', 'if='+old, 'of='+new, 'conv=sparse'])
- os.unlink(old)
- def cleanup_tar2(self, wait=True, terminate=False):
- if self.tar2_process is None:
- return
- if terminate:
- self.tar2_process.terminate()
- if wait:
- self.tar2_process.wait()
- elif self.tar2_process.poll() is None:
- return
- if self.tar2_process.returncode != 0:
- self.collect_tar_output()
- self.log.error(
- "ERROR: unable to extract files for {0}, tar "
- "output:\n {1}".
- format(self.tar2_current_file,
- "\n ".join(self.tar2_stderr)))
- else:
- # Finished extracting the tar file
- self.collect_tar_output()
- self.tar2_process = None
- # if that was whole-directory archive, handle
- # relocated files now
- inner_name = os.path.splitext(self.tar2_current_file)[0]\
- .replace(self.base_dir + '/', '')
- if os.path.basename(inner_name) == '.':
- self.handle_dir_relocations(
- os.path.dirname(inner_name))
- self.tar2_current_file = None
- self.adjust_output_size = None
- def __run__(self):
- self.log.debug("Started sending thread")
- self.log.debug("Moving to dir " + self.base_dir)
- os.chdir(self.base_dir)
- filename = None
- for filename in iter(self.queue.get, None):
- if filename in (QUEUE_FINISHED, QUEUE_ERROR):
- break
- self.log.debug("Extracting file " + filename)
- if filename.endswith('.000'):
- # next file
- self.cleanup_tar2(wait=True, terminate=False)
- inner_name = filename.rstrip('.000').replace(
- self.base_dir + '/', '')
- redirect_stdout = None
- if self.relocate and inner_name in self.relocate:
- # TODO: add `dd conv=sparse` when removing tar layer
- tar2_cmdline = ['tar',
- '-%sMvvOf' % ("t" if self.verify_only else "x"),
- self.restore_pipe,
- inner_name]
- output_file = self.relocate[inner_name]
- try:
- stat_buf = os.stat(output_file)
- if stat.S_ISBLK(stat_buf.st_mode):
- # output file is block device (LVM) - adjust its
- # size during extraction, otherwise it may fail
- # from lack of space
- self.adjust_output_size = output_file
- except OSError: # ENOENT
- pass
- redirect_stdout = open(output_file, 'w')
- elif self.relocate and \
- os.path.dirname(inner_name) in self.relocate:
- tar2_cmdline = ['tar',
- '-%sMf' % ("t" if self.verify_only else "x"),
- self.restore_pipe,
- '-C', self.relocate[os.path.dirname(inner_name)],
- # strip all directories - leave only final filename
- '--strip-components', str(inner_name.count(os.sep)),
- inner_name]
- else:
- tar2_cmdline = ['tar',
- '-%sMkf' % ("t" if self.verify_only else "x"),
- self.restore_pipe,
- inner_name]
- self.log.debug("Running command " + str(tar2_cmdline))
- self.tar2_process = subprocess.Popen(tar2_cmdline,
- stdin=subprocess.PIPE, stderr=subprocess.PIPE,
- stdout=redirect_stdout)
- fcntl.fcntl(self.tar2_process.stderr.fileno(), fcntl.F_SETFL,
- fcntl.fcntl(self.tar2_process.stderr.fileno(),
- fcntl.F_GETFL) | os.O_NONBLOCK)
- self.tar2_stderr = []
- elif not self.tar2_process:
- # Extracting of the current archive failed, skip to the next
- # archive
- os.remove(filename)
- continue
- else:
- self.collect_tar_output()
- self.log.debug("Releasing next chunck")
- self.tar2_process.stdin.write("\n")
- self.tar2_process.stdin.flush()
- self.tar2_current_file = filename
- pipe = open(self.restore_pipe, 'wb')
- monitor_processes = {
- 'vmproc': self.vmproc,
- 'addproc': self.tar2_process,
- }
- if self.encrypted:
- # Start decrypt
- self.decryptor_process = subprocess.Popen(
- ["openssl", "enc",
- "-d",
- "-" + self.crypto_algorithm,
- "-pass",
- "pass:" + self.passphrase] +
- (["-z"] if self.compressed else []),
- stdin=open(filename, 'rb'),
- stdout=subprocess.PIPE)
- in_stream = self.decryptor_process.stdout
- monitor_processes['decryptor'] = self.decryptor_process
- elif self.compressed:
- self.decompressor_process = subprocess.Popen(
- ["gzip", "-d"],
- stdin=open(filename, 'rb'),
- stdout=subprocess.PIPE)
- in_stream = self.decompressor_process.stdout
- monitor_processes['decompresor'] = self.decompressor_process
- else:
- in_stream = open(filename, 'rb')
- run_error = handle_streams(
- in_stream,
- {'target': pipe},
- monitor_processes,
- progress_callback=self.progress_callback)
- try:
- pipe.close()
- except IOError as e:
- if e.errno == errno.EPIPE:
- self.log.debug(
- "Got EPIPE while closing pipe to "
- "the inner tar process")
- # ignore the error
- else:
- raise
- if run_error:
- if run_error == "target":
- self.collect_tar_output()
- details = "\n".join(self.tar2_stderr)
- else:
- details = "%s failed" % run_error
- self.log.error("Error while processing '{}': {}".format(
- self.tar2_current_file, details))
- self.cleanup_tar2(wait=True, terminate=True)
- # Delete the file as we don't need it anymore
- self.log.debug("Removing file " + filename)
- os.remove(filename)
- os.unlink(self.restore_pipe)
- self.cleanup_tar2(wait=True, terminate=(filename == QUEUE_ERROR))
- self.log.debug("Finished extracting thread")
- class ExtractWorker3(ExtractWorker2):
- def __init__(self, queue, base_dir, passphrase, encrypted,
- progress_callback, vmproc=None,
- compressed=False, crypto_algorithm=DEFAULT_CRYPTO_ALGORITHM,
- compression_filter=None, verify_only=False, relocate=None):
- super(ExtractWorker3, self).__init__(queue, base_dir, passphrase,
- encrypted,
- progress_callback, vmproc,
- compressed, crypto_algorithm,
- verify_only, relocate)
- self.compression_filter = compression_filter
- os.unlink(self.restore_pipe)
- def __run__(self):
- self.log.debug("Started sending thread")
- self.log.debug("Moving to dir " + self.base_dir)
- os.chdir(self.base_dir)
- filename = None
- input_pipe = None
- for filename in iter(self.queue.get, None):
- if filename in (QUEUE_FINISHED, QUEUE_ERROR):
- break
- self.log.debug("Extracting file " + filename)
- if filename.endswith('.000'):
- # next file
- if self.tar2_process is not None:
- input_pipe.close()
- self.cleanup_tar2(wait=True, terminate=False)
- inner_name = filename.rstrip('.000').replace(
- self.base_dir + '/', '')
- redirect_stdout = None
- if self.relocate and inner_name in self.relocate:
- # TODO: add dd conv=sparse when removing tar layer
- tar2_cmdline = ['tar',
- '-%svvO' % ("t" if self.verify_only else "x"),
- inner_name]
- output_file = self.relocate[inner_name]
- try:
- stat_buf = os.stat(output_file)
- if stat.S_ISBLK(stat_buf.st_mode):
- # output file is block device (LVM) - adjust its
- # size during extraction, otherwise it may fail
- # from lack of space
- self.adjust_output_size = output_file
- except OSError: # ENOENT
- pass
- redirect_stdout = open(output_file, 'w')
- elif self.relocate and \
- os.path.dirname(inner_name) in self.relocate:
- tar2_cmdline = ['tar',
- '-%s' % ("t" if self.verify_only else "x"),
- '-C', self.relocate[os.path.dirname(inner_name)],
- # strip all directories - leave only final filename
- '--strip-components', str(inner_name.count(os.sep)),
- inner_name]
- else:
- tar2_cmdline = ['tar',
- '-%sk' % ("t" if self.verify_only else "x"),
- inner_name]
- if self.compressed:
- if self.compression_filter:
- tar2_cmdline.insert(-1,
- "--use-compress-program=%s" %
- self.compression_filter)
- else:
- tar2_cmdline.insert(-1, "--use-compress-program=%s" %
- DEFAULT_COMPRESSION_FILTER)
- self.log.debug("Running command " + str(tar2_cmdline))
- if self.encrypted:
- # Start decrypt
- self.decryptor_process = subprocess.Popen(
- ["openssl", "enc",
- "-d",
- "-" + self.crypto_algorithm,
- "-pass",
- "pass:" + self.passphrase],
- stdin=subprocess.PIPE,
- stdout=subprocess.PIPE)
- self.tar2_process = subprocess.Popen(
- tar2_cmdline,
- stdin=self.decryptor_process.stdout,
- stdout=redirect_stdout,
- stderr=subprocess.PIPE)
- input_pipe = self.decryptor_process.stdin
- else:
- self.tar2_process = subprocess.Popen(
- tar2_cmdline,
- stdin=subprocess.PIPE,
- stdout=redirect_stdout,
- stderr=subprocess.PIPE)
- input_pipe = self.tar2_process.stdin
- fcntl.fcntl(self.tar2_process.stderr.fileno(), fcntl.F_SETFL,
- fcntl.fcntl(self.tar2_process.stderr.fileno(),
- fcntl.F_GETFL) | os.O_NONBLOCK)
- self.tar2_stderr = []
- elif not self.tar2_process:
- # Extracting of the current archive failed, skip to the next
- # archive
- os.remove(filename)
- continue
- else:
- (basename, ext) = os.path.splitext(self.tar2_current_file)
- previous_chunk_number = int(ext[1:])
- expected_filename = basename + '.%03d' % (
- previous_chunk_number+1)
- if expected_filename != filename:
- self.cleanup_tar2(wait=True, terminate=True)
- self.log.error(
- 'Unexpected file in archive: {}, expected {}'.format(
- filename, expected_filename))
- os.remove(filename)
- continue
- self.log.debug("Releasing next chunck")
- self.tar2_current_file = filename
- run_error = handle_streams(
- open(filename, 'rb'),
- {'target': input_pipe},
- {'vmproc': self.vmproc,
- 'addproc': self.tar2_process,
- 'decryptor': self.decryptor_process,
- },
- progress_callback=self.progress_callback)
- if run_error:
- if run_error == "target":
- self.collect_tar_output()
- details = "\n".join(self.tar2_stderr)
- else:
- details = "%s failed" % run_error
- if self.decryptor_process:
- self.decryptor_process.terminate()
- self.decryptor_process.wait()
- self.decryptor_process = None
- self.log.error("Error while processing '{}': {}".format(
- self.tar2_current_file, details))
- self.cleanup_tar2(wait=True, terminate=True)
- # Delete the file as we don't need it anymore
- self.log.debug("Removing file " + filename)
- os.remove(filename)
- if self.tar2_process is not None:
- input_pipe.close()
- if filename == QUEUE_ERROR:
- if self.decryptor_process:
- self.decryptor_process.terminate()
- self.decryptor_process.wait()
- self.decryptor_process = None
- self.cleanup_tar2(terminate=(filename == QUEUE_ERROR))
- self.log.debug("Finished extracting thread")
- def get_supported_hmac_algo(hmac_algorithm=None):
- # Start with provided default
- if hmac_algorithm:
- yield hmac_algorithm
- if hmac_algorithm != 'scrypt':
- yield 'scrypt'
- proc = subprocess.Popen(['openssl', 'list-message-digest-algorithms'],
- stdout=subprocess.PIPE)
- for algo in proc.stdout.readlines():
- algo = algo.decode('ascii')
- if '=>' in algo:
- continue
- yield algo.strip()
- proc.wait()
- class BackupRestoreOptions(object):
- def __init__(self):
- #: use default NetVM if the one referenced in backup do not exists on
- # the host
- self.use_default_netvm = True
- #: set NetVM to "none" if the one referenced in backup do not exists
- # on the host
- self.use_none_netvm = False
- #: set template to default if the one referenced in backup do not
- # exists on the host
- self.use_default_template = True
- #: use default kernel if the one referenced in backup do not exists
- # on the host
- self.use_default_kernel = True
- #: restore dom0 home
- self.dom0_home = True
- #: dictionary how what templates should be used instead of those
- # referenced in backup
- self.replace_template = {}
- #: restore dom0 home even if username is different
- self.ignore_username_mismatch = False
- #: do not restore data, only verify backup integrity
- self.verify_only = False
- #: automatically rename VM during restore, when it would conflict
- # with existing one
- self.rename_conflicting = True
- #: list of VM names to exclude
- self.exclude = []
- #: restore VMs into selected storage pool
- self.override_pool = None
- class BackupRestore(object):
- """Usage:
- >>> restore_op = BackupRestore(...)
- >>> # adjust restore_op.options here
- >>> restore_info = restore_op.get_restore_info()
- >>> # manipulate restore_info to select VMs to restore here
- >>> restore_op.restore_do(restore_info)
- """
- class VMToRestore(object):
- #: VM excluded from restore by user
- EXCLUDED = object()
- #: VM with such name already exists on the host
- ALREADY_EXISTS = object()
- #: NetVM used by the VM does not exists on the host
- MISSING_NETVM = object()
- #: TemplateVM used by the VM does not exists on the host
- MISSING_TEMPLATE = object()
- #: Kernel used by the VM does not exists on the host
- MISSING_KERNEL = object()
- def __init__(self, vm):
- self.vm = vm
- if 'backup-path' in vm.features:
- self.subdir = vm.features['backup-path']
- else:
- self.subdir = None
- if 'backup-size' in vm.features and vm.features['backup-size']:
- self.size = int(vm.features['backup-size'])
- else:
- self.size = 0
- self.problems = set()
- if hasattr(vm, 'template') and vm.template:
- self.template = vm.template.name
- else:
- self.template = None
- if vm.netvm:
- self.netvm = vm.netvm.name
- else:
- self.netvm = None
- self.name = vm.name
- self.orig_template = None
- self.restored_vm = None
- @property
- def good_to_go(self):
- return len(self.problems) == 0
- class Dom0ToRestore(VMToRestore):
- #: backup was performed on system with different dom0 username
- USERNAME_MISMATCH = object()
- def __init__(self, vm, subdir=None):
- super(BackupRestore.Dom0ToRestore, self).__init__(vm)
- if subdir:
- self.subdir = subdir
- self.username = os.path.basename(subdir)
- def __init__(self, app, backup_location, backup_vm, passphrase):
- super(BackupRestore, self).__init__()
- #: qubes.Qubes instance
- self.app = app
- #: options how the backup should be restored
- self.options = BackupRestoreOptions()
- #: VM from which backup should be retrieved
- self.backup_vm = backup_vm
- if backup_vm and backup_vm.qid == 0:
- self.backup_vm = None
- #: backup path, inside VM pointed by :py:attr:`backup_vm`
- self.backup_location = backup_location
- #: passphrase protecting backup integrity and optionally decryption
- self.passphrase = passphrase
- #: temporary directory used to extract the data before moving to the
- # final location; should be on the same filesystem as /var/lib/qubes
- self.tmpdir = tempfile.mkdtemp(prefix="restore", dir="/var/tmp")
- #: list of processes (Popen objects) to kill on cancel
- self.processes_to_kill_on_cancel = []
- #: is the backup operation canceled
- self.canceled = False
- #: report restore progress, called with one argument - percents of
- # data restored
- # FIXME: convert to float [0,1]
- self.progress_callback = None
- self.log = logging.getLogger('qubes.backup')
- #: basic information about the backup
- self.header_data = self._retrieve_backup_header()
- #: VMs included in the backup
- self.backup_app = self._process_qubes_xml()
- def cancel(self):
- """Cancel running backup operation. Can be called from another thread.
- """
- self.canceled = True
- for proc in self.processes_to_kill_on_cancel:
- try:
- proc.terminate()
- except OSError:
- pass
- def _start_retrieval_process(self, filelist, limit_count, limit_bytes):
- """Retrieve backup stream and extract it to :py:attr:`tmpdir`
- :param filelist: list of files to extract; listing directory name
- will extract the whole directory; use empty list to extract the whole
- archive
- :param limit_count: maximum number of files to extract
- :param limit_bytes: maximum size of extracted data
- :return: a touple of (Popen object of started process, file-like
- object for reading extracted files list, file-like object for reading
- errors)
- """
- vmproc = None
- if self.backup_vm is not None:
- # If APPVM, STDOUT is a PIPE
- vmproc = self.backup_vm.run_service('qubes.Restore',
- passio_popen=True, passio_stderr=True)
- vmproc.stdin.write(
- (self.backup_location.replace("\r", "").replace("\n",
- "") + "\n").encode())
- vmproc.stdin.flush()
- # Send to tar2qfile the VMs that should be extracted
- vmproc.stdin.write((" ".join(filelist) + "\n").encode())
- vmproc.stdin.flush()
- self.processes_to_kill_on_cancel.append(vmproc)
- backup_stdin = vmproc.stdout
- tar1_command = ['/usr/libexec/qubes/qfile-dom0-unpacker',
- str(os.getuid()), self.tmpdir, '-v']
- else:
- backup_stdin = open(self.backup_location, 'rb')
- tar1_command = ['tar',
- '-ixv',
- '-C', self.tmpdir] + filelist
- tar1_env = os.environ.copy()
- tar1_env['UPDATES_MAX_BYTES'] = str(limit_bytes)
- tar1_env['UPDATES_MAX_FILES'] = str(limit_count)
- self.log.debug("Run command" + str(tar1_command))
- command = subprocess.Popen(
- tar1_command,
- stdin=backup_stdin,
- stdout=vmproc.stdin if vmproc else subprocess.PIPE,
- stderr=subprocess.PIPE,
- env=tar1_env)
- self.processes_to_kill_on_cancel.append(command)
- # qfile-dom0-unpacker output filelist on stderr
- # and have stdout connected to the VM), while tar output filelist
- # on stdout
- if self.backup_vm:
- filelist_pipe = command.stderr
- # let qfile-dom0-unpacker hold the only open FD to the write end of
- # pipe, otherwise qrexec-client will not receive EOF when
- # qfile-dom0-unpacker terminates
- vmproc.stdin.close()
- else:
- filelist_pipe = command.stdout
- if self.backup_vm:
- error_pipe = vmproc.stderr
- else:
- error_pipe = command.stderr
- return command, filelist_pipe, error_pipe
- def _verify_hmac(self, filename, hmacfile, algorithm=None):
- def load_hmac(hmac_text):
- if any(ord(x) not in range(128) for x in hmac_text):
- raise qubes.exc.QubesException(
- "Invalid content of {}".format(hmacfile))
- hmac_text = hmac_text.strip().split("=")
- if len(hmac_text) > 1:
- hmac_text = hmac_text[1].strip()
- else:
- raise qubes.exc.QubesException(
- "ERROR: invalid hmac file content")
- return hmac_text
- if algorithm is None:
- algorithm = self.header_data.hmac_algorithm
- passphrase = self.passphrase.encode('utf-8')
- self.log.debug("Verifying file {}".format(filename))
- if os.stat(os.path.join(self.tmpdir, hmacfile)).st_size > \
- HMAC_MAX_SIZE:
- raise qubes.exc.QubesException('HMAC file {} too large'.format(
- hmacfile))
- if hmacfile != filename + ".hmac":
- raise qubes.exc.QubesException(
- "ERROR: expected hmac for {}, but got {}".
- format(filename, hmacfile))
- if algorithm == 'scrypt':
- # in case of 'scrypt' _verify_hmac is only used for backup header
- assert filename == HEADER_FILENAME
- self._verify_and_decrypt(hmacfile, HEADER_FILENAME + '.dec')
- if open(os.path.join(self.tmpdir, filename), 'rb').read() != \
- open(os.path.join(self.tmpdir, filename + '.dec'),
- 'rb').read():
- raise qubes.exc.QubesException(
- 'Invalid hmac on {}'.format(filename))
- else:
- return True
- hmac_proc = subprocess.Popen(
- ["openssl", "dgst", "-" + algorithm, "-hmac", passphrase],
- stdin=open(os.path.join(self.tmpdir, filename), 'rb'),
- stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- hmac_stdout, hmac_stderr = hmac_proc.communicate()
- if len(hmac_stderr) > 0:
- raise qubes.exc.QubesException(
- "ERROR: verify file {0}: {1}".format(filename, hmac_stderr))
- else:
- self.log.debug("Loading hmac for file {}".format(filename))
- hmac = load_hmac(open(os.path.join(self.tmpdir, hmacfile),
- 'r', encoding='ascii').read())
- if len(hmac) > 0 and load_hmac(hmac_stdout.decode('ascii')) == hmac:
- os.unlink(os.path.join(self.tmpdir, hmacfile))
- self.log.debug(
- "File verification OK -> Sending file {}".format(filename))
- return True
- else:
- raise qubes.exc.QubesException(
- "ERROR: invalid hmac for file {0}: {1}. "
- "Is the passphrase correct?".
- format(filename, load_hmac(hmac_stdout.decode('ascii'))))
- def _verify_and_decrypt(self, filename, output=None):
- assert filename.endswith('.enc') or filename.endswith('.hmac')
- fullname = os.path.join(self.tmpdir, filename)
- (origname, _) = os.path.splitext(filename)
- if output:
- fulloutput = os.path.join(self.tmpdir, output)
- else:
- fulloutput = os.path.join(self.tmpdir, origname)
- if origname == HEADER_FILENAME:
- passphrase = u'{filename}!{passphrase}'.format(
- filename=origname,
- passphrase=self.passphrase)
- else:
- passphrase = u'{backup_id}!{filename}!{passphrase}'.format(
- backup_id=self.header_data.backup_id,
- filename=origname,
- passphrase=self.passphrase)
- p = launch_scrypt('dec', fullname, fulloutput, passphrase)
- (_, stderr) = p.communicate()
- if p.returncode != 0:
- os.unlink(fulloutput)
- raise qubes.exc.QubesException('failed to decrypt {}: {}'.format(
- fullname, stderr))
- # encrypted file is no longer needed
- os.unlink(fullname)
- return origname
- def _retrieve_backup_header_files(self, files, allow_none=False):
- (retrieve_proc, filelist_pipe, error_pipe) = \
- self._start_retrieval_process(
- files, len(files), 1024 * 1024)
- filelist = filelist_pipe.read()
- retrieve_proc_returncode = retrieve_proc.wait()
- if retrieve_proc in self.processes_to_kill_on_cancel:
- self.processes_to_kill_on_cancel.remove(retrieve_proc)
- extract_stderr = error_pipe.read(MAX_STDERR_BYTES)
- # wait for other processes (if any)
- for proc in self.processes_to_kill_on_cancel:
- if proc.wait() != 0:
- raise qubes.exc.QubesException(
- "Backup header retrieval failed (exit code {})".format(
- proc.wait())
- )
- if retrieve_proc_returncode != 0:
- if not filelist and 'Not found in archive' in extract_stderr:
- if allow_none:
- return None
- else:
- raise qubes.exc.QubesException(
- "unable to read the qubes backup file {0} ({1}): {2}".format(
- self.backup_location,
- retrieve_proc.wait(),
- extract_stderr
- ))
- actual_files = filelist.decode('ascii').splitlines()
- if sorted(actual_files) != sorted(files):
- raise qubes.exc.QubesException(
- 'unexpected files in archive: got {!r}, expected {!r}'.format(
- actual_files, files
- ))
- for f in files:
- if not os.path.exists(os.path.join(self.tmpdir, f)):
- if allow_none:
- return None
- else:
- raise qubes.exc.QubesException(
- 'Unable to retrieve file {} from backup {}: {}'.format(
- f, self.backup_location, extract_stderr
- )
- )
- return files
- def _retrieve_backup_header(self):
- """Retrieve backup header and qubes.xml. Only backup header is
- analyzed, qubes.xml is left as-is
- (not even verified/decrypted/uncompressed)
- :return header_data
- :rtype :py:class:`BackupHeader`
- """
- if not self.backup_vm and os.path.exists(
- os.path.join(self.backup_location, 'qubes.xml')):
- # backup format version 1 doesn't have header
- header_data = BackupHeader()
- header_data.version = 1
- return header_data
- header_files = self._retrieve_backup_header_files(
- ['backup-header', 'backup-header.hmac'], allow_none=True)
- if not header_files:
- # R2-Beta3 didn't have backup header, so if none is found,
- # assume it's version=2 and use values present at that time
- header_data = BackupHeader(
- version=2,
- # place explicitly this value, because it is what format_version
- # 2 have
- hmac_algorithm='SHA1',
- crypto_algorithm='aes-256-cbc',
- # TODO: set encrypted to something...
- )
- else:
- filename = HEADER_FILENAME
- hmacfile = HEADER_FILENAME + '.hmac'
- self.log.debug("Got backup header and hmac: {}, {}".format(
- filename, hmacfile))
- file_ok = False
- hmac_algorithm = DEFAULT_HMAC_ALGORITHM
- for hmac_algo in get_supported_hmac_algo(hmac_algorithm):
- try:
- if self._verify_hmac(filename, hmacfile, hmac_algo):
- file_ok = True
- break
- except qubes.exc.QubesException as e:
- self.log.debug(
- 'Failed to verify {} using {}: {}'.format(
- hmacfile, hmac_algo, str(e)))
- # Ignore exception here, try the next algo
- pass
- if not file_ok:
- raise qubes.exc.QubesException(
- "Corrupted backup header (hmac verification "
- "failed). Is the password correct?")
- filename = os.path.join(self.tmpdir, filename)
- header_data = BackupHeader(open(filename, 'rb').read())
- os.unlink(filename)
- return header_data
- def _start_inner_extraction_worker(self, queue, relocate):
- """Start a worker process, extracting inner layer of bacup archive,
- extract them to :py:attr:`tmpdir`.
- End the data by pushing QUEUE_FINISHED or QUEUE_ERROR to the queue.
- :param queue :py:class:`Queue` object to handle files from
- """
- # Setup worker to extract encrypted data chunks to the restore dirs
- # Create the process here to pass it options extracted from
- # backup header
- extractor_params = {
- 'queue': queue,
- 'base_dir': self.tmpdir,
- 'passphrase': self.passphrase,
- 'encrypted': self.header_data.encrypted,
- 'compressed': self.header_data.compressed,
- 'crypto_algorithm': self.header_data.crypto_algorithm,
- 'verify_only': self.options.verify_only,
- 'progress_callback': self.progress_callback,
- 'relocate': relocate,
- }
- self.log.debug('Starting extraction worker in {}, file relocation '
- 'map: {!r}'.format(self.tmpdir, relocate))
- format_version = self.header_data.version
- if format_version == 2:
- extract_proc = ExtractWorker2(**extractor_params)
- elif format_version in [3, 4]:
- extractor_params['compression_filter'] = \
- self.header_data.compression_filter
- if format_version == 4:
- # encryption already handled
- extractor_params['encrypted'] = False
- extract_proc = ExtractWorker3(**extractor_params)
- else:
- raise NotImplementedError(
- "Backup format version %d not supported" % format_version)
- extract_proc.start()
- return extract_proc
- def _process_qubes_xml(self):
- """Verify, unpack and load qubes.xml. Possibly convert its format if
- necessary. It expect that :py:attr:`header_data` is already populated,
- and :py:meth:`retrieve_backup_header` was called.
- """
- if self.header_data.version == 1:
- backup_app = qubes.core2migration.Core2Qubes(
- os.path.join(self.backup_location, 'qubes.xml'),
- offline_mode=True)
- return backup_app
- else:
- if self.header_data.version in [2, 3]:
- self._retrieve_backup_header_files(
- ['qubes.xml.000', 'qubes.xml.000.hmac'])
- self._verify_hmac("qubes.xml.000", "qubes.xml.000.hmac")
- else:
- self._retrieve_backup_header_files(['qubes.xml.000.enc'])
- self._verify_and_decrypt('qubes.xml.000.enc')
- queue = Queue()
- queue.put("qubes.xml.000")
- queue.put(QUEUE_FINISHED)
- extract_proc = self._start_inner_extraction_worker(queue, None)
- extract_proc.join()
- if extract_proc.exitcode != 0:
- raise qubes.exc.QubesException(
- "unable to extract the qubes backup. "
- "Check extracting process errors.")
- if self.header_data.version in [2, 3]:
- backup_app = qubes.core2migration.Core2Qubes(
- os.path.join(self.tmpdir, 'qubes.xml'), offline_mode=True)
- else:
- backup_app = qubes.Qubes(os.path.join(self.tmpdir, 'qubes.xml'),
- offline_mode=True)
- # Not needed anymore - all the data stored in backup_app
- os.unlink(os.path.join(self.tmpdir, 'qubes.xml'))
- return backup_app
- def _restore_vm_dirs(self, vms_dirs, vms_size, relocate):
- # Currently each VM consists of at most 7 archives (count
- # file_to_backup calls in backup_prepare()), but add some safety
- # margin for further extensions. Each archive is divided into 100MB
- # chunks. Additionally each file have own hmac file. So assume upper
- # limit as 2*(10*COUNT_OF_VMS+TOTAL_SIZE/100MB)
- limit_count = str(2 * (10 * len(vms_dirs) +
- int(vms_size / (100 * 1024 * 1024))))
- self.log.debug("Working in temporary dir:" + self.tmpdir)
- self.log.info(
- "Extracting data: " + size_to_human(vms_size) + " to restore")
- # retrieve backup from the backup stream (either VM, or dom0 file)
- (retrieve_proc, filelist_pipe, error_pipe) = \
- self._start_retrieval_process(
- vms_dirs, limit_count, vms_size)
- to_extract = Queue()
- # extract data retrieved by retrieve_proc
- extract_proc = self._start_inner_extraction_worker(
- to_extract, relocate)
- try:
- filename = None
- hmacfile = None
- nextfile = None
- while True:
- if self.canceled:
- break
- if not extract_proc.is_alive():
- retrieve_proc.terminate()
- retrieve_proc.wait()
- if retrieve_proc in self.processes_to_kill_on_cancel:
- self.processes_to_kill_on_cancel.remove(retrieve_proc)
- # wait for other processes (if any)
- for proc in self.processes_to_kill_on_cancel:
- proc.wait()
- break
- if nextfile is not None:
- filename = nextfile
- else:
- filename = filelist_pipe.readline().decode('ascii').strip()
- self.log.debug("Getting new file:" + filename)
- if not filename or filename == "EOF":
- break
- # if reading archive directly with tar, wait for next filename -
- # tar prints filename before processing it, so wait for
- # the next one to be sure that whole file was extracted
- if not self.backup_vm:
- nextfile = filelist_pipe.readline().decode('ascii').strip()
- if self.header_data.version in [2, 3]:
- if not self.backup_vm:
- hmacfile = nextfile
- nextfile = filelist_pipe.readline().\
- decode('ascii').strip()
- else:
- hmacfile = filelist_pipe.readline().\
- decode('ascii').strip()
- if self.canceled:
- break
- self.log.debug("Getting hmac:" + hmacfile)
- if not hmacfile or hmacfile == "EOF":
- # Premature end of archive, either of tar1_command or
- # vmproc exited with error
- break
- else: # self.header_data.version == 4
- if not filename.endswith('.enc'):
- raise qubes.exc.QubesException(
- 'Invalid file extension found in archive: {}'.
- format(filename))
- if not any(map(lambda x: filename.startswith(x), vms_dirs)):
- self.log.debug("Ignoring VM not selected for restore")
- os.unlink(os.path.join(self.tmpdir, filename))
- if hmacfile:
- os.unlink(os.path.join(self.tmpdir, hmacfile))
- continue
- if self.header_data.version in [2, 3]:
- self._verify_hmac(filename, hmacfile)
- else:
- # _verify_and_decrypt will write output to a file with
- # '.enc' extension cut off. This is safe because:
- # - `scrypt` tool will override output, so if the file was
- # already there (received from the VM), it will be removed
- # - incoming archive extraction will refuse to override
- # existing file, so if `scrypt` already created one,
- # it can not be manipulated by the VM
- # - when the file is retrieved from the VM, it appears at
- # the final form - if it's visible, VM have no longer
- # influence over its content
- #
- # This all means that if the file was correctly verified
- # + decrypted, we will surely access the right file
- filename = self._verify_and_decrypt(filename)
- to_extract.put(os.path.join(self.tmpdir, filename))
- if self.canceled:
- raise BackupCanceledError("Restore canceled",
- tmpdir=self.tmpdir)
- if retrieve_proc.wait() != 0:
- raise qubes.exc.QubesException(
- "unable to read the qubes backup file {0}: {1}"
- .format(self.backup_location, error_pipe.read(
- MAX_STDERR_BYTES)))
- # wait for other processes (if any)
- for proc in self.processes_to_kill_on_cancel:
- proc.wait()
- if proc.returncode != 0:
- raise qubes.exc.QubesException(
- "Backup completed, but VM receiving it reported an error "
- "(exit code {})".format(proc.returncode))
- if filename and filename != "EOF":
- raise qubes.exc.QubesException(
- "Premature end of archive, the last file was %s" % filename)
- except:
- to_extract.put(QUEUE_ERROR)
- extract_proc.join()
- raise
- else:
- to_extract.put(QUEUE_FINISHED)
- self.log.debug("Waiting for the extraction process to finish...")
- extract_proc.join()
- self.log.debug("Extraction process finished with code: {}".format(
- extract_proc.exitcode))
- if extract_proc.exitcode != 0:
- raise qubes.exc.QubesException(
- "unable to extract the qubes backup. "
- "Check extracting process errors.")
- def generate_new_name_for_conflicting_vm(self, orig_name, restore_info):
- number = 1
- if len(orig_name) > 29:
- orig_name = orig_name[0:29]
- new_name = orig_name
- while (new_name in restore_info.keys() or
- new_name in map(lambda x: x.name,
- restore_info.values()) or
- new_name in self.app.domains):
- new_name = str('{}{}'.format(orig_name, number))
- number += 1
- if number == 100:
- # give up
- return None
- return new_name
- def restore_info_verify(self, restore_info):
- for vm in restore_info.keys():
- if vm in ['dom0']:
- continue
- vm_info = restore_info[vm]
- assert isinstance(vm_info, self.VMToRestore)
- vm_info.problems.clear()
- if vm in self.options.exclude:
- vm_info.problems.add(self.VMToRestore.EXCLUDED)
- if not self.options.verify_only and \
- vm_info.name in self.app.domains:
- if self.options.rename_conflicting:
- new_name = self.generate_new_name_for_conflicting_vm(
- vm, restore_info
- )
- if new_name is not None:
- vm_info.name = new_name
- else:
- vm_info.problems.add(self.VMToRestore.ALREADY_EXISTS)
- else:
- vm_info.problems.add(self.VMToRestore.ALREADY_EXISTS)
- # check template
- if vm_info.template:
- template_name = vm_info.template
- try:
- host_template = self.app.domains[template_name]
- except KeyError:
- host_template = None
- if not host_template \
- or not isinstance(host_template,
- qubes.vm.templatevm.TemplateVM):
- # Maybe the (custom) template is in the backup?
- if not (template_name in restore_info.keys() and
- restore_info[template_name].good_to_go and
- isinstance(restore_info[template_name].vm,
- qubes.vm.templatevm.TemplateVM)):
- if self.options.use_default_template and \
- self.app.default_template:
- if vm_info.orig_template is None:
- vm_info.orig_template = template_name
- vm_info.template = self.app.default_template.name
- else:
- vm_info.problems.add(
- self.VMToRestore.MISSING_TEMPLATE)
- # check netvm
- if not vm_info.vm.property_is_default('netvm') and vm_info.netvm:
- netvm_name = vm_info.netvm
- try:
- netvm_on_host = self.app.domains[netvm_name]
- except KeyError:
- netvm_on_host = None
- # No netvm on the host?
- if not ((netvm_on_host is not None)
- and netvm_on_host.provides_network):
- # Maybe the (custom) netvm is in the backup?
- if not (netvm_name in restore_info.keys() and
- restore_info[netvm_name].good_to_go and
- restore_info[netvm_name].vm.provides_network):
- if self.options.use_default_netvm:
- vm_info.vm.netvm = qubes.property.DEFAULT
- elif self.options.use_none_netvm:
- vm_info.netvm = None
- else:
- vm_info.problems.add(self.VMToRestore.MISSING_NETVM)
- # check kernel
- if hasattr(vm_info.vm, 'kernel'):
- installed_kernels = os.listdir(os.path.join(
- qubes.config.qubes_base_dir,
- qubes.config.system_path['qubes_kernels_base_dir']))
- # if uses default kernel - do not validate it
- # allow kernel=None only for HVM,
- # otherwise require valid kernel
- if not (vm_info.vm.property_is_default('kernel')
- or (not vm_info.vm.kernel and vm_info.vm.hvm)
- or vm_info.vm.kernel in installed_kernels):
- if self.options.use_default_kernel:
- vm_info.vm.kernel = qubes.property.DEFAULT
- else:
- vm_info.problems.add(self.VMToRestore.MISSING_KERNEL)
- return restore_info
- def _is_vm_included_in_backup_v1(self, check_vm):
- if check_vm.qid == 0:
- return os.path.exists(
- os.path.join(self.backup_location, 'dom0-home'))
- # DisposableVM
- if check_vm.dir_path is None:
- return False
- backup_vm_dir_path = check_vm.dir_path.replace(
- qubes.config.system_path["qubes_base_dir"], self.backup_location)
- if os.path.exists(backup_vm_dir_path):
- return True
- else:
- return False
- @staticmethod
- def _is_vm_included_in_backup_v2(check_vm):
- if 'backup-content' in check_vm.features:
- return check_vm.features['backup-content']
- else:
- return False
- def _find_template_name(self, template):
- if template in self.options.replace_template:
- return self.options.replace_template[template]
- return template
- def _is_vm_included_in_backup(self, vm):
- if self.header_data.version == 1:
- return self._is_vm_included_in_backup_v1(vm)
- elif self.header_data.version in [2, 3, 4]:
- return self._is_vm_included_in_backup_v2(vm)
- else:
- raise qubes.exc.QubesException(
- "Unknown backup format version: {}".format(
- self.header_data.version))
- def get_restore_info(self):
- # Format versions:
- # 1 - Qubes R1, Qubes R2 beta1, beta2
- # 2 - Qubes R2 beta3+
- vms_to_restore = {}
- for vm in self.backup_app.domains:
- if vm.qid == 0:
- # Handle dom0 as special case later
- continue
- if self._is_vm_included_in_backup(vm):
- self.log.debug("{} is included in backup".format(vm.name))
- vms_to_restore[vm.name] = self.VMToRestore(vm)
- if hasattr(vm, 'template'):
- templatevm_name = self._find_template_name(
- vm.template.name)
- vms_to_restore[vm.name].template = templatevm_name
- # Set to None to not confuse QubesVm object from backup
- # collection with host collection (further in clone_attrs).
- vm.netvm = None
- vms_to_restore = self.restore_info_verify(vms_to_restore)
- # ...and dom0 home
- if self.options.dom0_home and \
- self._is_vm_included_in_backup(self.backup_app.domains[0]):
- vm = self.backup_app.domains[0]
- if self.header_data.version == 1:
- subdir = os.listdir(os.path.join(self.backup_location,
- 'dom0-home'))[0]
- else:
- subdir = None
- vms_to_restore['dom0'] = self.Dom0ToRestore(vm, subdir)
- local_user = grp.getgrnam('qubes').gr_mem[0]
- if vms_to_restore['dom0'].username != local_user:
- if not self.options.ignore_username_mismatch:
- vms_to_restore['dom0'].problems.add(
- self.Dom0ToRestore.USERNAME_MISMATCH)
- return vms_to_restore
- @staticmethod
- def get_restore_summary(restore_info):
- fields = {
- "qid": {"func": "vm.qid"},
- "name": {"func": "('[' if isinstance(vm, qubes.vm.templatevm.TemplateVM) else '')\
- + ('{' if vm.provides_network else '')\
- + vm.name \
- + (']' if isinstance(vm, qubes.vm.templatevm.TemplateVM) else '')\
- + ('}' if vm.provides_network else '')"},
- "type": {"func": "'Tpl' if isinstance(vm, qubes.vm.templatevm.TemplateVM) else \
- 'App' if isinstance(vm, qubes.vm.appvm.AppVM) else \
- vm.__class__.__name__.replace('VM','')"},
- "updbl": {"func": "'Yes' if vm.updateable else ''"},
- "template": {"func": "'n/a' if not hasattr(vm, 'template') "
- "else vm_info.template"},
- "netvm": {"func": "('*' if vm.property_is_default('netvm') else '') +\
- vm_info.netvm if vm_info.netvm is not None "
- "else '-'"},
- "label": {"func": "vm.label.name"},
- }
- fields_to_display = ["name", "type", "template", "updbl",
- "netvm", "label"]
- # First calculate the maximum width of each field we want to display
- total_width = 0
- for f in fields_to_display:
- fields[f]["max_width"] = len(f)
- for vm_info in restore_info.values():
- if vm_info.vm:
- # noinspection PyUnusedLocal
- vm = vm_info.vm
- l = len(str(eval(fields[f]["func"])))
- if l > fields[f]["max_width"]:
- fields[f]["max_width"] = l
- total_width += fields[f]["max_width"]
- summary = ""
- summary += "The following VMs are included in the backup:\n"
- summary += "\n"
- # Display the header
- for f in fields_to_display:
- # noinspection PyTypeChecker
- fmt = "{{0:-^{0}}}-+".format(fields[f]["max_width"] + 1)
- summary += fmt.format('-')
- summary += "\n"
- for f in fields_to_display:
- # noinspection PyTypeChecker
- fmt = "{{0:>{0}}} |".format(fields[f]["max_width"] + 1)
- summary += fmt.format(f)
- summary += "\n"
- for f in fields_to_display:
- # noinspection PyTypeChecker
- fmt = "{{0:-^{0}}}-+".format(fields[f]["max_width"] + 1)
- summary += fmt.format('-')
- summary += "\n"
- for vm_info in restore_info.values():
- assert isinstance(vm_info, BackupRestore.VMToRestore)
- # Skip non-VM here
- if not vm_info.vm:
- continue
- # noinspection PyUnusedLocal
- vm = vm_info.vm
- s = ""
- for f in fields_to_display:
- # noinspection PyTypeChecker
- fmt = "{{0:>{0}}} |".format(fields[f]["max_width"] + 1)
- s += fmt.format(eval(fields[f]["func"]))
- if BackupRestore.VMToRestore.EXCLUDED in vm_info.problems:
- s += " <-- Excluded from restore"
- elif BackupRestore.VMToRestore.ALREADY_EXISTS in vm_info.problems:
- s += " <-- A VM with the same name already exists on the host!"
- elif BackupRestore.VMToRestore.MISSING_TEMPLATE in \
- vm_info.problems:
- s += " <-- No matching template on the host " \
- "or in the backup found!"
- elif BackupRestore.VMToRestore.MISSING_NETVM in \
- vm_info.problems:
- s += " <-- No matching netvm on the host " \
- "or in the backup found!"
- else:
- if vm_info.orig_template:
- s += " <-- Original template was '{}'".format(
- vm_info.orig_template)
- if vm_info.name != vm_info.vm.name:
- s += " <-- Will be renamed to '{}'".format(
- vm_info.name)
- summary += s + "\n"
- if 'dom0' in restore_info.keys():
- s = ""
- for f in fields_to_display:
- # noinspection PyTypeChecker
- fmt = "{{0:>{0}}} |".format(fields[f]["max_width"] + 1)
- if f == "name":
- s += fmt.format("Dom0")
- elif f == "type":
- s += fmt.format("Home")
- else:
- s += fmt.format("")
- if BackupRestore.Dom0ToRestore.USERNAME_MISMATCH in \
- restore_info['dom0'].problems:
- s += " <-- username in backup and dom0 mismatch"
- summary += s + "\n"
- return summary
- def _restore_vm_dir_v1(self, src_dir, dst_dir):
- backup_src_dir = src_dir.replace(
- qubes.config.system_path["qubes_base_dir"], self.backup_location)
- # We prefer to use Linux's cp, because it nicely handles sparse files
- cp_retcode = subprocess.call(
- ["cp", "-rp", "--reflink=auto", backup_src_dir, dst_dir])
- if cp_retcode != 0:
- raise qubes.exc.QubesException(
- "*** Error while copying file {0} to {1}".format(backup_src_dir,
- dst_dir))
- @staticmethod
- def _templates_first(vms):
- def key_function(instance):
- if isinstance(instance, qubes.vm.BaseVM):
- return isinstance(instance, qubes.vm.templatevm.TemplateVM)
- elif hasattr(instance, 'vm'):
- return key_function(instance.vm)
- else:
- return 0
- return sorted(vms,
- key=key_function,
- reverse=True)
- def restore_do(self, restore_info):
- '''
- High level workflow:
- 1. Create VMs object in host collection (qubes.xml)
- 2. Create them on disk (vm.create_on_disk)
- 3. Restore VM data, overriding/converting VM files
- 4. Apply possible fixups and save qubes.xml
- :param restore_info:
- :return:
- '''
- # FIXME handle locking
- restore_info = self.restore_info_verify(restore_info)
- self._restore_vms_metadata(restore_info)
- # Perform VM restoration in backup order
- vms_dirs = []
- relocate = {}
- vms_size = 0
- for vm_info in self._templates_first(restore_info.values()):
- vm = vm_info.restored_vm
- if vm:
- vms_size += int(vm_info.size)
- vms_dirs.append(vm_info.subdir)
- relocate[vm_info.subdir.rstrip('/')] = vm.dir_path
- for name, volume in vm.volumes.items():
- if not volume.save_on_stop:
- continue
- export_path = vm.storage.export(name)
- backup_path = os.path.join(
- vm_info.vm.dir_path, name + '.img')
- if backup_path != export_path:
- relocate[
- os.path.join(vm_info.subdir, name + '.img')] = \
- export_path
- if self.header_data.version >= 2:
- if 'dom0' in restore_info.keys() and \
- restore_info['dom0'].good_to_go:
- vms_dirs.append(os.path.dirname(restore_info['dom0'].subdir))
- vms_size += restore_info['dom0'].size
- try:
- self._restore_vm_dirs(vms_dirs=vms_dirs, vms_size=vms_size,
- relocate=relocate)
- except qubes.exc.QubesException:
- if self.options.verify_only:
- raise
- else:
- self.log.warning(
- "Some errors occurred during data extraction, "
- "continuing anyway to restore at least some "
- "VMs")
- else:
- for vm_info in self._templates_first(restore_info.values()):
- vm = vm_info.restored_vm
- if vm:
- try:
- self._restore_vm_dir_v1(vm_info.vm.dir_path,
- os.path.dirname(vm.dir_path))
- except qubes.exc.QubesException as e:
- if self.options.verify_only:
- raise
- else:
- self.log.error(
- "Failed to restore VM '{}': {}".format(
- vm.name, str(e)))
- vm.remove_from_disk()
- del self.app.domains[vm]
- if self.options.verify_only:
- self.log.warning(
- "Backup verification not supported for this backup format.")
- if self.options.verify_only:
- shutil.rmtree(self.tmpdir)
- return
- for vm_info in self._templates_first(restore_info.values()):
- if not vm_info.restored_vm:
- continue
- try:
- vm_info.restored_vm.fire_event('domain-restore')
- except Exception as err:
- self.log.error("ERROR during appmenu restore: "
- "{0}".format(err))
- self.log.warning(
- "*** VM '{0}' will not have appmenus".format(vm_info.name))
- try:
- vm_info.restored_vm.storage.verify()
- except Exception as err:
- self.log.error("ERROR: {0}".format(err))
- if vm_info.restored_vm:
- vm_info.restored_vm.remove_from_disk()
- del self.app.domains[vm_info.restored_vm]
- self.app.save()
- if self.canceled:
- if self.header_data.version >= 2:
- raise BackupCanceledError("Restore canceled",
- tmpdir=self.tmpdir)
- else:
- raise BackupCanceledError("Restore canceled")
- # ... and dom0 home as last step
- if 'dom0' in restore_info.keys() and restore_info['dom0'].good_to_go:
- backup_path = restore_info['dom0'].subdir
- local_user = grp.getgrnam('qubes').gr_mem[0]
- home_dir = pwd.getpwnam(local_user).pw_dir
- if self.header_data.version == 1:
- backup_dom0_home_dir = os.path.join(self.backup_location,
- backup_path)
- else:
- backup_dom0_home_dir = os.path.join(self.tmpdir, backup_path)
- restore_home_backupdir = "home-pre-restore-{0}".format(
- time.strftime("%Y-%m-%d-%H%M%S"))
- self.log.info(
- "Restoring home of user '{0}'...".format(local_user))
- self.log.info(
- "Existing files/dirs backed up in '{0}' dir".format(
- restore_home_backupdir))
- os.mkdir(home_dir + '/' + restore_home_backupdir)
- for f in os.listdir(backup_dom0_home_dir):
- home_file = home_dir + '/' + f
- if os.path.exists(home_file):
- os.rename(home_file,
- home_dir + '/' + restore_home_backupdir + '/' + f)
- if self.header_data.version == 1:
- subprocess.call(
- ["cp", "-nrp", "--reflink=auto",
- backup_dom0_home_dir + '/' + f, home_file])
- elif self.header_data.version >= 2:
- shutil.move(backup_dom0_home_dir + '/' + f, home_file)
- retcode = subprocess.call(['sudo', 'chown', '-R',
- local_user, home_dir])
- if retcode != 0:
- self.log.error("*** Error while setting home directory owner")
- shutil.rmtree(self.tmpdir)
- self.log.info("-> Done. Please install updates for all the restored "
- "templates.")
- def _restore_vms_metadata(self, restore_info):
- vms = {}
- for vm_info in restore_info.values():
- assert isinstance(vm_info, self.VMToRestore)
- if not vm_info.vm:
- continue
- if not vm_info.good_to_go:
- continue
- vm = vm_info.vm
- vms[vm.name] = vm
- # First load templates, then other VMs
- for vm in self._templates_first(vms.values()):
- if self.canceled:
- # only break the loop to save qubes.xml
- # with already restored VMs
- break
- self.log.info("-> Restoring {0}...".format(vm.name))
- kwargs = {}
- if hasattr(vm, 'template'):
- template = restore_info[vm.name].template
- # handle potentially renamed template
- if template in restore_info \
- and restore_info[template].good_to_go:
- template = restore_info[template].name
- kwargs['template'] = template
- new_vm = None
- vm_name = restore_info[vm.name].name
- try:
- # first only minimal set, later clone_properties
- # will be called
- cls = self.app.get_vm_class(vm.__class__.__name__)
- new_vm = self.app.add_new_vm(
- cls,
- name=vm_name,
- label=vm.label,
- installed_by_rpm=False,
- **kwargs)
- if os.path.exists(new_vm.dir_path):
- move_to_path = tempfile.mkdtemp('', os.path.basename(
- new_vm.dir_path), os.path.dirname(new_vm.dir_path))
- try:
- os.rename(new_vm.dir_path, move_to_path)
- self.log.warning(
- "*** Directory {} already exists! It has "
- "been moved to {}".format(new_vm.dir_path,
- move_to_path))
- except OSError:
- self.log.error(
- "*** Directory {} already exists and "
- "cannot be moved!".format(new_vm.dir_path))
- self.log.warning("Skipping VM {}...".format(
- vm.name))
- continue
- except Exception as err:
- self.log.error("ERROR: {0}".format(err))
- self.log.warning("*** Skipping VM: {0}".format(vm.name))
- if new_vm:
- del self.app.domains[new_vm.qid]
- continue
- # remove no longer needed backup metadata
- if 'backup-content' in vm.features:
- del vm.features['backup-content']
- del vm.features['backup-size']
- del vm.features['backup-path']
- try:
- # exclude VM references - handled manually according to
- # restore options
- proplist = [prop for prop in new_vm.property_list()
- if prop.clone and prop.__name__ not in
- ['template', 'netvm', 'dispvm_netvm']]
- new_vm.clone_properties(vm, proplist=proplist)
- except Exception as err:
- self.log.error("ERROR: {0}".format(err))
- self.log.warning("*** Some VM property will not be "
- "restored")
- if not self.options.verify_only:
- try:
- # have it here, to (maybe) patch storage config before
- # creating child VMs (template first)
- # TODO: adjust volumes config - especially size
- new_vm.create_on_disk(pool=self.options.override_pool)
- except qubes.exc.QubesException as e:
- self.log.warning("Failed to create VM {}: {}".format(
- vm.name, str(e)))
- del self.app.domains[new_vm]
- continue
- restore_info[vm.name].restored_vm = new_vm
- # Set network dependencies - only non-default netvm setting
- for vm in vms.values():
- vm_info = restore_info[vm.name]
- vm_name = vm_info.name
- try:
- host_vm = self.app.domains[vm_name]
- except KeyError:
- # Failed/skipped VM
- continue
- if not vm.property_is_default('netvm'):
- if vm_info.netvm in restore_info:
- host_vm.netvm = restore_info[vm_info.netvm].name
- else:
- host_vm.netvm = vm_info.netvm
- # vim:sw=4:et:
|