[pve-devel] [RFC v6 qemu-server] VM protection mode

[Alen Grizonic]

v6 changes:

- disk removal prevention -> added unused disk removal prevention
- protection option removal prevention
- changed man page message
- added common check_protection subroutine
---
 PVE/API2/Qemu.pm  | 15 +++++++++++++--
 PVE/QemuServer.pm |  2 +-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index fabd490..2d6db1b 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -206,6 +206,14 @@ my $check_vm_modify_config_perm = sub {
     return 1;
 };
 
+my $check_protection = sub {
+    my ($vm_conf, $err_msg) = @_;
+
+    if ($vm_conf->{protection}) {
+	die "$err_msg - protection mode enabled\n";
+    }
+};
+
 __PACKAGE__->register_method({
     name => 'vmlist',
     path => '',
@@ -889,6 +897,7 @@ my $update_vm_api  = sub {
 		$modified->{$opt} = 1;
 		$conf = PVE::QemuServer::load_config($vmid); # update/reload
 		if ($opt =~ m/^unused/) {
+		    &$check_protection($conf, "can't remove VM $vmid storage");
 		    $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Disk']);
 		    my $drive = PVE::QemuServer::parse_drive($opt, $conf->{$opt});
 		    if (PVE::QemuServer::try_deallocate_drive($storecfg, $vmid, $conf, $opt, $drive, $rpcenv, $authuser)) {
@@ -896,11 +905,14 @@ my $update_vm_api  = sub {
 			PVE::QemuServer::update_config_nolock($vmid, $conf, 1);
 		    }
 		} elsif (PVE::QemuServer::valid_drivename($opt)) {
+		    &$check_protection($conf, "can't remove VM $vmid storage");
 		    $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Disk']);
 		    PVE::QemuServer::vmconfig_register_unused_drive($storecfg, $vmid, $conf, PVE::QemuServer::parse_drive($opt, $conf->{pending}->{$opt}))
 			if defined($conf->{pending}->{$opt});
 		    PVE::QemuServer::vmconfig_delete_pending_option($conf, $opt, $force);
 		    PVE::QemuServer::update_config_nolock($vmid, $conf, 1);
+		} elsif ($opt eq 'protection') {
+		    &$check_protection($conf, "can't delete VM $vmid protection option");
 		} else {
 		    PVE::QemuServer::vmconfig_delete_pending_option($conf, $opt, $force);
 		    PVE::QemuServer::update_config_nolock($vmid, $conf, 1);
@@ -1144,8 +1156,7 @@ __PACKAGE__->register_method({
 
 	my $storecfg = PVE::Storage::config();
 
-	die  "can't remove VM $vmid - protection mode enabled\n"
-	    if $conf->{protection};
+	&$check_protection($conf, "can't remove VM $vmid");
 
 	die "unable to remove VM $vmid - used in HA resources\n"
 	    if PVE::HA::Config::vm_is_ha_managed($vmid);
diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index be4d3d9..009b447 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -387,7 +387,7 @@ EODESCR
     protection => {
 	optional => 1,
 	type => 'boolean',
-	description => "Sets the protection flag of the VM. This will prevent the remove operation.",
+	description => "Sets the protection flag of the VM. This will prevent the VM or VM's disk remove operation.",
 	default => 0,
     },
 };
-- 
2.1.4