245 lines
5.4 KiB
Bash
Executable File
245 lines
5.4 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -Eeuo pipefail
|
|
|
|
# ---------------------------
|
|
# Logging / trap helpers
|
|
# ---------------------------
|
|
|
|
_ts() { date '+%F %T'; }
|
|
|
|
_is_tty() { [[ -t 1 ]]; }
|
|
|
|
_color() {
|
|
local code="$1"; shift
|
|
if _is_tty; then printf "\033[%sm%s\033[0m" "$code" "$*"; else printf "%s" "$*"; fi
|
|
}
|
|
|
|
log() { echo "[$(_ts)] $*"; }
|
|
info() { log "$(_color '36' 'INFO:') $*"; }
|
|
warn() { log "$(_color '33' 'WARN:') $*"; }
|
|
err() { log "$(_color '31' 'ERROR:') $*"; }
|
|
|
|
die() { err "$*"; exit 1; }
|
|
|
|
on_error() {
|
|
local lineno="$1" cmd="$2" code="$3"
|
|
err "Failed at line ${lineno}: ${cmd} (exit=${code})"
|
|
exit 1
|
|
}
|
|
|
|
setup_traps() {
|
|
trap 'on_error "$LINENO" "$BASH_COMMAND" "$?"' ERR
|
|
}
|
|
|
|
need_cmd() {
|
|
local c
|
|
for c in "$@"; do
|
|
command -v "$c" >/dev/null 2>&1 || die "Missing command: $c"
|
|
done
|
|
}
|
|
|
|
# ---------------------------
|
|
# Proxmox helpers
|
|
# ---------------------------
|
|
|
|
pve_storage_exists() {
|
|
local st="$1"
|
|
pvesm status --storage "$st" >/dev/null 2>&1
|
|
}
|
|
|
|
pve_bridge_exists() {
|
|
local br="$1"
|
|
[[ -d "/sys/class/net/${br}/bridge" ]]
|
|
}
|
|
|
|
# Ensure Debian 12 template. Return "storage:vztmpl/xxx.tar.zst"
|
|
pve_template_ensure_debian12() {
|
|
local store="$1"
|
|
local tpl="debian-12-standard_12.12-1_amd64.tar.zst"
|
|
|
|
need_cmd pveam awk grep
|
|
|
|
# Some storages (like local-zfs) don't support templates in pveam
|
|
if ! pveam list "$store" >/dev/null 2>&1; then
|
|
warn "pveam storage '${store}' not available for templates; falling back to 'local'"
|
|
store="local"
|
|
fi
|
|
|
|
pveam update >/dev/null
|
|
|
|
# If not available locally, download
|
|
if ! pveam list "$store" | awk '{print $2}' | grep -qx "$tpl"; then
|
|
info "Downloading CT template to ${store}: ${tpl}"
|
|
pveam download "$store" "$tpl" >/dev/null
|
|
fi
|
|
|
|
echo "${store}:vztmpl/${tpl}"
|
|
}
|
|
|
|
# Build net0 string with optional VLAN tag
|
|
pve_build_net0() {
|
|
local bridge="$1"
|
|
local ip="$2"
|
|
local vlan="${3:-}"
|
|
|
|
if [[ "$ip" == "dhcp" ]]; then
|
|
if [[ -n "$vlan" ]]; then
|
|
echo "name=eth0,bridge=${bridge},ip=dhcp,tag=${vlan}"
|
|
else
|
|
echo "name=eth0,bridge=${bridge},ip=dhcp"
|
|
fi
|
|
else
|
|
# static CIDR
|
|
if [[ -n "$vlan" ]]; then
|
|
echo "name=eth0,bridge=${bridge},ip=${ip},tag=${vlan}"
|
|
else
|
|
echo "name=eth0,bridge=${bridge},ip=${ip}"
|
|
fi
|
|
fi
|
|
}
|
|
|
|
pct_exec() {
|
|
local ctid="$1"; shift
|
|
# run a command inside CT with bash -lc
|
|
pct exec "$ctid" -- bash -lc "$*"
|
|
}
|
|
|
|
# Wait until CT has an IPv4 on eth0. Returns IP or empty.
|
|
pct_wait_for_ip() {
|
|
local ctid="$1"
|
|
local tries="${2:-60}"
|
|
local delay="${3:-1}"
|
|
|
|
local ip=""
|
|
while (( tries > 0 )); do
|
|
ip="$(pct exec "$ctid" -- bash -lc "ip -4 -o addr show dev eth0 2>/dev/null | awk '{print \$4}' | cut -d/ -f1 | head -n1" 2>/dev/null || true)"
|
|
if [[ -n "$ip" ]]; then
|
|
echo "$ip"
|
|
return 0
|
|
fi
|
|
sleep "$delay"
|
|
((tries--))
|
|
done
|
|
echo ""
|
|
return 1
|
|
}
|
|
|
|
# ---------------------------
|
|
# CTID strategy (your request)
|
|
# ---------------------------
|
|
# Customer-safe CTID:
|
|
# CTID = (unix_time - 1000000000)
|
|
# This is stable until 2038 and avoids collisions with typical low VMIDs.
|
|
|
|
customer_ctid_from_time() {
|
|
local now
|
|
now="$(date +%s)"
|
|
echo $(( now - 1000000000 ))
|
|
}
|
|
|
|
# Check if a VMID exists cluster-wide using pvesh.
|
|
# If pvesh fails (permissions/API), we still have a fallback.
|
|
pve_vmid_exists_cluster() {
|
|
local vmid="$1"
|
|
need_cmd pvesh python3
|
|
|
|
# pvesh returns JSON; we parse safely in python
|
|
local json
|
|
json="$(pvesh get /cluster/resources --type vm --output-format json 2>/dev/null || true)"
|
|
[[ -n "$json" ]] || return 1
|
|
|
|
python3 - "$vmid" <<'PY' 2>/dev/null
|
|
import sys, json
|
|
vmid = int(sys.argv[1])
|
|
data = json.load(sys.stdin)
|
|
for r in data:
|
|
if int(r.get("vmid", -1)) == vmid:
|
|
sys.exit(0)
|
|
sys.exit(1)
|
|
PY
|
|
}
|
|
|
|
# Select a CTID that does NOT exist cluster-wide.
|
|
pve_select_customer_ctid() {
|
|
local ctid
|
|
ctid="$(customer_ctid_from_time)"
|
|
|
|
# If cluster check works, avoid collisions.
|
|
if pve_vmid_exists_cluster "$ctid"; then
|
|
# extremely unlikely, but add +1..+60 tries
|
|
local i
|
|
for i in $(seq 1 60); do
|
|
if ! pve_vmid_exists_cluster "$((ctid+i))"; then
|
|
echo "$((ctid+i))"
|
|
return 0
|
|
fi
|
|
done
|
|
die "CTID selection failed: all candidates busy"
|
|
fi
|
|
|
|
echo "$ctid"
|
|
}
|
|
|
|
# ---------------------------
|
|
# Secrets (no 'tr: broken pipe')
|
|
# ---------------------------
|
|
|
|
_rand_hex() {
|
|
local nbytes="${1:-32}"
|
|
if command -v openssl >/dev/null 2>&1; then
|
|
openssl rand -hex "$nbytes"
|
|
return 0
|
|
fi
|
|
if command -v python3 >/dev/null 2>&1; then
|
|
python3 - <<PY
|
|
import secrets
|
|
print(secrets.token_hex(${nbytes}))
|
|
PY
|
|
return 0
|
|
fi
|
|
|
|
# last resort: avoid pipefail by disabling locally
|
|
(
|
|
set +o pipefail
|
|
LC_ALL=C tr -dc 'a-f0-9' </dev/urandom | head -c $((nbytes*2))
|
|
)
|
|
}
|
|
|
|
_rand_b64url() {
|
|
local nbytes="${1:-32}"
|
|
if command -v python3 >/dev/null 2>&1; then
|
|
python3 - <<PY
|
|
import secrets
|
|
print(secrets.token_urlsafe(${nbytes}))
|
|
PY
|
|
return 0
|
|
fi
|
|
# fallback
|
|
(
|
|
set +o pipefail
|
|
LC_ALL=C tr -dc 'A-Za-z0-9_-'
|
|
) </dev/urandom | head -c $((nbytes*2))
|
|
}
|
|
|
|
json_escape() {
|
|
python3 - <<'PY'
|
|
import json,sys
|
|
print(json.dumps(sys.stdin.read())[1:-1])
|
|
PY
|
|
}
|
|
|
|
emit_result_json() {
|
|
# Arguments are key=value pairs; prints a single JSON object
|
|
# Example: emit_result_json "CTID=123" "CT_IP=1.2.3.4"
|
|
python3 - "$@" <<'PY'
|
|
import sys, json
|
|
obj={}
|
|
for kv in sys.argv[1:]:
|
|
if "=" not in kv:
|
|
continue
|
|
k,v = kv.split("=",1)
|
|
obj[k]=v
|
|
print(json.dumps(obj, ensure_ascii=False))
|
|
PY
|
|
}
|