bump version to 1.0.3-1

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

Cargo.toml

@@ -1,7 +1,16 @@
 [package]
 name = "proxmox-backup"
-version = "0.9.7"
+version = "1.0.3"
-authors = ["Dietmar Maurer <dietmar@proxmox.com>"]
+authors = [
+    "Dietmar Maurer <dietmar@proxmox.com>",
+    "Dominik Csapak <d.csapak@proxmox.com>",
+    "Christian Ebner <c.ebner@proxmox.com>",
+    "Fabian Grünbichler <f.gruenbichler@proxmox.com>",
+    "Stefan Reiter <s.reiter@proxmox.com>",
+    "Thomas Lamprecht <t.lamprecht@proxmox.com>",
+    "Wolfgang Bumiller <w.bumiller@proxmox.com>",
+    "Proxmox Support Team <support@proxmox.com>",
+]
 edition = "2018"
 license = "AGPL-3"
 description = "Proxmox Backup"
@@ -37,8 +46,9 @@ pam = "0.7"
 pam-sys = "0.5"
 percent-encoding = "2.1"
 pin-utils = "0.1.0"
+pin-project = "0.4"
 pathpatterns = "0.1.2"
-proxmox = { version = "0.7.0", features = [ "sortable-macro", "api-macro", "websocket" ] }
+proxmox = { version = "0.7.1", features = [ "sortable-macro", "api-macro", "websocket" ] }
 #proxmox = { git = "git://git.proxmox.com/git/proxmox", version = "0.1.2", features = [ "sortable-macro", "api-macro" ] }
 #proxmox = { path = "../proxmox/proxmox", features = [ "sortable-macro", "api-macro", "websocket" ] }
 proxmox-fuse = "0.1.0"

debian/changelog

@@ -1,3 +1,84 @@
+rust-proxmox-backup (1.0.3-1) unstable; urgency=medium
+
+  * client: inform user when automatically using the default encryption key
+
+  * ui: UserView: render name as 'Firstname Lastname'
+
+  * proxmox-backup-manager: add versions command
+
+  * pxar: fix anchored exclusion at archive root
+
+  * pxar: include .pxarexclude files in the archive
+
+  * client: expose all-file-systems option
+
+  * api: make expensive parts of datastore status opt-in
+
+  * api: include datastore ID in invalid owner errors
+
+  * garbage collection: treat .bad files like regular chunks to ensure they
+    are removed if not referenced anymore
+
+  * client: fix issues with encoded UPID strings
+
+  * encryption: add fingerprint to key config
+
+  * client: add 'key show' command
+
+  * fix #3139: add key fingerprint to backup snapshot manifest and check it
+    when loading with a key
+
+  * ui: add snapshot/file fingerprint tooltip
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 24 Nov 2020 08:55:47 +0100
+
+rust-proxmox-backup (1.0.1-1) unstable; urgency=medium
+
+  * ui: datastore summary: drop 'removed bytes' display
+
+  * ui: datastore add: set default schedule
+
+  * prune sim: make backup schedule a form, bind update button to its validity
+
+  * daemon: add workaround for race in reloading and systemd 'ready' notification
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 11 Nov 2020 10:18:12 +0100
+
+rust-proxmox-backup (1.0.0-1) unstable; urgency=medium
+
+  * fix #3121: forbid removing used remotes
+
+  * docs: backup-client: encryption: discuss paperkey command
+
+  * pxar: log when skipping mount points
+
+  * ui: show also parent ACLs which affect a datastore in its panel
+
+  * api: node/apt: add versions call
+
+  * ui: make Datastore a selectable panel again. Show a datastore summary
+    list, and provide unfiltered access to all sync and verify jobs.
+
+  * ui: add help tool-button to various paneös
+
+  * ui: set various onlineHelp buttons
+
+  * zfs: mount new zpools created via API under /mnt/datastore/<id>
+
+  * ui: move disks/directory views to its own tab panel
+
+  * fix #3060: continue sync if we cannot aquire the group lock
+
+  * HttpsConnector: include destination on connect errors
+
+  * fix #3060:: improve get_owner error handling
+
+  * remote.cfg: rename userid to 'auth-id'
+
+  * verify: log/warn on invalid owner
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 10 Nov 2020 14:36:13 +0100
+
 rust-proxmox-backup (0.9.7-1) unstable; urgency=medium
 
   * ui: add remote store selector

debian/control

@@ -33,11 +33,12 @@ Build-Depends: debhelper (>= 11),
  librust-pam-sys-0.5+default-dev,
  librust-pathpatterns-0.1+default-dev (>= 0.1.2-~~),
  librust-percent-encoding-2+default-dev (>= 2.1-~~),
+ librust-pin-project-0.4+default-dev,
  librust-pin-utils-0.1+default-dev,
- librust-proxmox-0.7+api-macro-dev,
+ librust-proxmox-0.7+api-macro-dev (>= 0.7.1-~~),
- librust-proxmox-0.7+default-dev,
+ librust-proxmox-0.7+default-dev (>= 0.7.1-~~),
- librust-proxmox-0.7+sortable-macro-dev,
+ librust-proxmox-0.7+sortable-macro-dev (>= 0.7.1-~~),
- librust-proxmox-0.7+websocket-dev,
+ librust-proxmox-0.7+websocket-dev (>= 0.7.1-~~),
  librust-proxmox-fuse-0.1+default-dev,
  librust-pxar-0.6+default-dev (>= 0.6.1-~~),
  librust-pxar-0.6+futures-io-dev (>= 0.6.1-~~),
@@ -78,7 +79,7 @@ Build-Depends: debhelper (>= 11),
  uuid-dev,
  debhelper (>= 12~),
  bash-completion,
- pve-eslint,
+ pve-eslint (>= 7.12.1-1),
  python3-docutils,
  python3-pygments,
  rsync,
@@ -104,7 +105,9 @@ Depends: fonts-font-awesome,
          libjs-extjs (>= 6.0.1),
          libzstd1 (>= 1.3.8),
          lvm2,
+         openssh-server,
          pbs-i18n,
+         postfix | mail-transport-agent,
          proxmox-backup-docs,
          proxmox-mini-journalreader,
          proxmox-widget-toolkit (>= 2.3-6),
@@ -113,6 +116,7 @@ Depends: fonts-font-awesome,
          ${misc:Depends},
          ${shlibs:Depends},
 Recommends: zfsutils-linux,
+            ifupdown2,
 Description: Proxmox Backup Server daemon with tools and GUI
  This package contains the Proxmox Backup Server daemons and related
  tools. This includes a web-based graphical user interface.

debian/control.in

@@ -4,7 +4,9 @@ Depends: fonts-font-awesome,
          libjs-extjs (>= 6.0.1),
          libzstd1 (>= 1.3.8),
          lvm2,
+         openssh-server,
          pbs-i18n,
+         postfix | mail-transport-agent,
          proxmox-backup-docs,
          proxmox-mini-journalreader,
          proxmox-widget-toolkit (>= 2.3-6),
@@ -13,6 +15,7 @@ Depends: fonts-font-awesome,
          ${misc:Depends},
          ${shlibs:Depends},
 Recommends: zfsutils-linux,
+            ifupdown2,
 Description: Proxmox Backup Server daemon with tools and GUI
  This package contains the Proxmox Backup Server daemons and related
  tools. This includes a web-based graphical user interface.

debian/debcargo.toml

@@ -14,7 +14,7 @@ section = "admin"
 build_depends = [
   "debhelper (>= 12~)",
   "bash-completion",
-  "pve-eslint",
+  "pve-eslint (>= 7.12.1-1)",
   "python3-docutils",
   "python3-pygments",
   "rsync",

debian/lintian-overrides

@@ -1,2 +1,2 @@
-proxmox-backup-server: package-installs-apt-sources etc/apt/sources.list.d/pbstest-beta.list
+proxmox-backup-server: package-installs-apt-sources etc/apt/sources.list.d/pbs-enterprise.list
 proxmox-backup-server: systemd-service-file-refers-to-unusual-wantedby-target lib/systemd/system/proxmox-backup-banner.service getty.target

debian/postinst

@@ -28,6 +28,15 @@ case "$1" in
 		if dpkg --compare-versions "$2" 'le' '0.9.5-1'; then
 			chown --quiet backup:backup /var/log/proxmox-backup/api/auth.log || true
 		fi
+		if dpkg --compare-versions "$2" 'le' '0.9.7-1'; then
+			if [ -e /etc/proxmox-backup/remote.cfg ]; then
+				echo "NOTE: Switching over remote.cfg to new field names.."
+				flock -w 30 /etc/proxmox-backup/.remote.lck \
+				    sed -i \
+				        -e 's/^\s\+userid /\tauth-id /g' \
+				        /etc/proxmox-backup/remote.cfg || true
+			fi
+		fi
 	fi
 	# FIXME: Remove in future version once we're sure no broken entries remain in anyone's files
 	if grep -q -e ':termproxy::[^@]\+: ' /var/log/proxmox-backup/tasks/active; then

debian/proxmox-backup-server.install

@@ -3,7 +3,7 @@ etc/proxmox-backup.service /lib/systemd/system/
 etc/proxmox-backup-banner.service /lib/systemd/system/
 etc/proxmox-backup-daily-update.service /lib/systemd/system/
 etc/proxmox-backup-daily-update.timer /lib/systemd/system/
-etc/pbstest-beta.list /etc/apt/sources.list.d/
+etc/pbs-enterprise.list /etc/apt/sources.list.d/
 usr/lib/x86_64-linux-gnu/proxmox-backup/proxmox-backup-api
 usr/lib/x86_64-linux-gnu/proxmox-backup/proxmox-backup-proxy
 usr/lib/x86_64-linux-gnu/proxmox-backup/proxmox-backup-banner

debian/proxmox-backup-server.maintscript

@@ -0,0 +1 @@
+rm_conffile /etc/apt/sources.list.d/pbstest-beta.list 1.0.0~ proxmox-backup-server

docs/Makefile

@@ -17,6 +17,7 @@ MANUAL_PAGES := 			\
 PRUNE_SIMULATOR_FILES := 					\
 	prune-simulator/index.html				\
 	prune-simulator/documentation.html			\
+	prune-simulator/clear-trigger.png			\
 	prune-simulator/prune-simulator.js
 
 # Sphinx documentation setup

docs/_ext/proxmox-scanrefs.py

@@ -44,7 +44,7 @@ def scan_extjs_files(wwwdir="../www"): # a bit rough i know, but we can optimize
                 js_files.append(os.path.join(root, filename))
     for js_file in js_files:
         fd = open(js_file).read()
-        allmatch = re.findall("onlineHelp:\s*[\'\"](.*?)[\'\"]", fd, re.M)
+        allmatch = re.findall("(?:onlineHelp:|get_help_tool\s*\()\s*[\'\"](.*?)[\'\"]", fd, re.M)
         for match in allmatch:
             anchor = match
             anchor = re.sub('_', '-', anchor) # normalize labels
@@ -73,7 +73,9 @@ class ReflabelMapper(Builder):
             'link': '/docs/index.html',
             'title': 'Proxmox Backup Server Documentation Index',
         }
-        self.env.used_anchors = scan_extjs_files()
+        # Disabled until we find a sensible way to scan proxmox-widget-toolkit
+        # as well
+        #self.env.used_anchors = scan_extjs_files()
 
         if not os.path.isdir(self.outdir):
             os.mkdir(self.outdir)
@@ -93,6 +95,9 @@ class ReflabelMapper(Builder):
                     logger.info('traversing section {}'.format(title.astext()))
                     ref_name = getattr(title, 'rawsource', title.astext())
 
+                    if (ref_name[:7] == ':term:`'):
+                        ref_name = ref_name[7:-1]
+
                     self.env.online_help[labelid] = {'link': '', 'title': ''}
                     self.env.online_help[labelid]['link'] = "/docs/" + os.path.basename(filename_html) + "#{}".format(labelid)
                     self.env.online_help[labelid]['title'] = ref_name
@@ -112,15 +117,18 @@ class ReflabelMapper(Builder):
     def validate_anchors(self):
         #pprint(self.env.online_help)
         to_remove = []
-        for anchor in self.env.used_anchors:
+
-            if anchor not in self.env.online_help:
+        # Disabled until we find a sensible way to scan proxmox-widget-toolkit
-                logger.info("[-] anchor {} is missing from onlinehelp!".format(anchor))
+        # as well
-        for anchor in self.env.online_help:
+        #for anchor in self.env.used_anchors:
-            if anchor not in self.env.used_anchors and anchor != 'pbs_documentation_index':
+        #    if anchor not in self.env.online_help:
-                logger.info("[*] anchor {} not used! deleting...".format(anchor))
+        #        logger.info("[-] anchor {} is missing from onlinehelp!".format(anchor))
-                to_remove.append(anchor)
+        #for anchor in self.env.online_help:
-        for anchor in to_remove:
+        #    if anchor not in self.env.used_anchors and anchor != 'pbs_documentation_index':
-            self.env.online_help.pop(anchor, None)
+        #        logger.info("[*] anchor {} not used! deleting...".format(anchor))
+        #        to_remove.append(anchor)
+        #for anchor in to_remove:
+        #   self.env.online_help.pop(anchor, None)
         return
 
     def finish(self):

docs/backup-client.rst

@@ -365,9 +365,22 @@ To set up a master key:
   backed up. It can happen, for example, that you back up an entire system, using
   a key on that system. If the system then becomes inaccessible for any reason
   and needs to be restored, this will not be possible as the encryption key will be
-  lost along with the broken system. In preparation for the worst case scenario,
+  lost along with the broken system.
-  you should consider keeping a paper copy of this key locked away in
+
-  a safe place.
+It is recommended that you keep your master key safe, but easily accessible, in
+order for quick disaster recovery. For this reason, the best place to store it
+is in your password manager, where it is immediately recoverable. As a backup to
+this, you should also save the key to a USB drive and store that in a secure
+place. This way, it is detached from any system, but is still easy to recover
+from, in case of emergency. Finally, in preparation for the worst case scenario,
+you should also consider keeping a paper copy of your master key locked away in
+a safe place. The ``paperkey`` subcommand can be used to create a QR encoded
+version of your master key. The following command sends the output of the
+``paperkey`` command to a text file, for easy printing.
+
+.. code-block:: console
+
+  proxmox-backup-client key paperkey --output-format text > qrkey.txt
 
 
 Restoring Data

docs/faq.rst

@@ -27,7 +27,7 @@ How long will my Proxmox Backup Server version be supported?
 +-----------------------+--------------------+---------------+------------+--------------------+
 |Proxmox Backup Version | Debian Version     | First Release | Debian EOL | Proxmox Backup EOL |
 +=======================+====================+===============+============+====================+
-|Proxmox Backup 1.x     | Debian 10 (Buster) | tba           | tba        | tba                |
+|Proxmox Backup 1.x     | Debian 10 (Buster) | 2020-11       | tba        | tba                |
 +-----------------------+--------------------+---------------+------------+--------------------+
 
 

docs/gui.rst

@@ -132,5 +132,5 @@ top panel to view:
   collection <garbage-collection>` operations, and run garbage collection
   manually
 * **Sync Jobs**: Create, manage and run :ref:`syncjobs` from remote servers
-* **Verify Jobs**: Create, manage and run :ref:`verification` jobs on the
+* **Verify Jobs**: Create, manage and run :ref:`maintenance_verification` jobs on the
   datastore

docs/installation.rst

@@ -37,16 +37,15 @@ Download the ISO from |DOWNLOADS|.
 It includes the following:
 
 * The `Proxmox Backup`_ server installer, which partitions the local
-  disk(s) with ext4, ext3, xfs or ZFS, and installs the operating
+  disk(s) with ext4, xfs or ZFS, and installs the operating system
-  system
 
 * Complete operating system (Debian Linux, 64-bit)
 
-* Our Linux kernel with ZFS support
+* Proxmox Linux kernel with ZFS support
 
 * Complete tool-set to administer backups and all necessary resources
 
-* Web based GUI management interface
+* Web based management interface
 
 .. note:: During the installation process, the complete server
    is used by default and all existing data is removed.

docs/introduction.rst

@@ -127,8 +127,7 @@ language.
 
  -- `The Rust Programming Language <https://doc.rust-lang.org/book/ch00-00-introduction.html>`_
 
-.. todo:: further explain the software stack
+.. _get_help:
-
 
 Getting Help
 ------------

docs/maintenance.rst

@@ -77,6 +77,42 @@ edit the interval at which pruning takes place.
   :alt: Prune and garbage collection options
 
 
+Retention Settings Example
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The backup frequency and retention of old backups may depend on how often data
+changes, and how important an older state may be, in a specific work load.
+When backups act as a company's document archive, there may also be legal
+requirements for how long backup snapshots must be kept.
+
+For this example, we assume that you are doing daily backups, have a retention
+period of 10 years, and the period between backups stored gradually grows.
+
+- **keep-last:** ``3`` - even if only daily backups, an admin may want to create
+  an extra one just before or after a big upgrade. Setting keep-last ensures
+  this.
+
+- **keep-hourly:** not set - for daily backups this is not relevant. You cover
+  extra manual backups already, with keep-last.
+
+- **keep-daily:** ``13`` - together with keep-last, which covers at least one
+  day, this ensures that you have at least two weeks of backups.
+
+- **keep-weekly:** ``8`` - ensures that you have at least two full months of
+  weekly backups.
+
+- **keep-monthly:** ``11`` - together with the previous keep settings, this
+  ensures that you have at least a year of monthly backups.
+
+- **keep-yearly:** ``9`` - this is for the long term archive. As you covered the
+  current year with the previous options, you would set this to nine for the
+  remaining ones, giving you a total of at least 10 years of coverage.
+
+We recommend that you use a higher retention period than is minimally required
+by your environment; you can always reduce it if you find it is unnecessarily
+high, but you cannot recreate backup snapshots from the past.
+
+
 .. _maintenance_gc:
 
 Garbage Collection
@@ -93,7 +129,7 @@ GC** from the top panel. From here, you can edit the schedule at which garbage
 collection runs and manually start the operation.
 
 
-.. _verification:
+.. _maintenance_verification:
 
 Verification
 ------------

docs/network-management.rst

@@ -1,3 +1,5 @@
+.. _sysadmin_network_configuration:
+
 Network Management
 ==================
 

docs/package-repositories.rst

@@ -26,11 +26,8 @@ update``.
 
 .. FIXME for 7.0: change security update suite to bullseye-security
 
-In addition, you need a package repository from Proxmox to get Proxmox Backup updates.
+In addition, you need a package repository from Proxmox to get Proxmox Backup
-
+updates.
-During the Proxmox Backup beta phase, only one repository (pbstest) will be
-available. Once released, an Enterprise repository for production use and a
-no-subscription repository will be provided.
 
 SecureApt
 ~~~~~~~~~
@@ -72,49 +69,45 @@ Here, the output should be:
 
  f3f6c5a3a67baf38ad178e5ff1ee270c /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg
 
-.. comment
+`Proxmox Backup`_ Enterprise Repository
-    `Proxmox Backup`_ Enterprise Repository
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-    This will be the default, stable, and recommended repository. It is available for
+This will be the default, stable, and recommended repository. It is available for
-    all `Proxmox Backup`_ subscription users. It contains the most stable packages,
+all `Proxmox Backup`_ subscription users. It contains the most stable packages,
-    and is suitable for production use. The ``pbs-enterprise`` repository is
+and is suitable for production use. The ``pbs-enterprise`` repository is
-    enabled by default:
+enabled by default:
 
-    .. note:: During the Proxmox Backup beta phase only one repository (pbstest)
+.. code-block:: sources.list
-     will be available.
-
-    .. code-block:: sources.list
   :caption: File: ``/etc/apt/sources.list.d/pbs-enterprise.list``
 
   deb https://enterprise.proxmox.com/debian/pbs buster pbs-enterprise
 
 
-    To never miss important security fixes, the superuser (``root@pam`` user) is
+To never miss important security fixes, the superuser (``root@pam`` user) is
-    notified via email about new packages as soon as they are available. The
+notified via email about new packages as soon as they are available. The
-    change-log and details of each package can be viewed in the GUI (if available).
+change-log and details of each package can be viewed in the GUI (if available).
 
-    Please note that you need a valid subscription key to access this
+Please note that you need a valid subscription key to access this
-    repository. More information regarding subscription levels and pricing can be
+repository. More information regarding subscription levels and pricing can be
-    found at https://www.proxmox.com/en/proxmox-backup/pricing.
+found at https://www.proxmox.com/en/proxmox-backup-server/pricing
 
-    .. note:: You can disable this repository by commenting out the above
+.. note:: You can disable this repository by commenting out the above line
-      line using a `#` (at the start of the line). This prevents error
+ using a `#` (at the start of the line). This prevents error messages if you do
-      messages if you do not have a subscription key. Please configure the
+ not have a subscription key. Please configure the ``pbs-no-subscription``
-      ``pbs-no-subscription`` repository in that case.
+ repository in that case.
 
 
-    `Proxmox Backup`_ No-Subscription Repository
+`Proxmox Backup`_ No-Subscription Repository
-    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-    As the name suggests, you do not need a subscription key to access
+As the name suggests, you do not need a subscription key to access
-    this repository. It can be used for testing and non-production
+this repository. It can be used for testing and non-production
-    use. It is not recommended to use it on production servers, because these
+use. It is not recommended to use it on production servers, because these
-    packages are not always heavily tested and validated.
+packages are not always heavily tested and validated.
 
-    We recommend to configure this repository in ``/etc/apt/sources.list``.
+We recommend to configure this repository in ``/etc/apt/sources.list``.
 
-    .. code-block:: sources.list
+.. code-block:: sources.list
   :caption: File: ``/etc/apt/sources.list``
 
   deb http://ftp.debian.org/debian buster main contrib
@@ -128,12 +121,11 @@ Here, the output should be:
   deb http://security.debian.org/debian-security buster/updates main contrib
 
 
-`Proxmox Backup`_ Beta Repository
+`Proxmox Backup`_ Test Repository
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-During the public beta, there is a repository called ``pbstest``. This one
+This repository contains the latest packages and is heavily used by developers
-contains the latest packages and is heavily used by developers to test new
+to test new features.
-features.
 
 .. .. warning:: the ``pbstest`` repository should (as the name implies)
   only be used to test new features or bug fixes.
@@ -145,7 +137,3 @@ You can access this repository by adding the following line to
   :caption: sources.list entry for ``pbstest``
 
   deb http://download.proxmox.com/debian/pbs buster pbstest
-
-If you installed Proxmox Backup Server from the official beta ISO, you should
-have this repository already configured in
-``/etc/apt/sources.list.d/pbstest-beta.list``

docs/prune-simulator/index.html

@@ -13,6 +13,7 @@
         .cal-day {
             vertical-align: top;
             width: 150px;
+            height: 75px; /* this is like min-height when used in tables */
             border: #939393 1px solid;
             color: #454545;
         }
@@ -32,6 +33,9 @@
         .first-of-month {
             border-right: dashed black 4px;
         }
+        .clear-trigger {
+            background-image: url(./clear-trigger.png);
+        }
     </style>
 
     <script type="text/javascript" src="extjs/ext-all.js"></script>

docs/prune-simulator/prune-simulator.js

@@ -152,7 +152,12 @@ Ext.onReady(function() {
 			    dataIndex: 'mark',
 			    renderer: function(value, metaData, record) {
 				if (record.data.mark === 'keep') {
+				    if (record.data.keepCount) {
+					return 'keep (' + record.data.keepName +
+					       ': ' + record.data.keepCount + ')';
+				    } else {
 					return 'keep (' + record.data.keepName + ')';
+				    }
 				} else {
 				    return value;
 				}
@@ -212,8 +217,12 @@ Ext.onReady(function() {
 			let text = Ext.Date.format(backup.data.backuptime, 'H:i');
 			if (backup.data.mark === 'remove') {
 			    html += `<span class="strikethrough">${text}</span>`;
+			} else {
+			    if (backup.data.keepCount) {
+				text += ` (${backup.data.keepName} ${backup.data.keepCount})`;
 			    } else {
 				text += ` (${backup.data.keepName})`;
+			    }
 			    if (me.useColors) {
 				let bgColor = COLORS[backup.data.keepName];
 				let textColor = TEXT_COLORS[backup.data.keepName];
@@ -256,6 +265,34 @@ Ext.onReady(function() {
 	},
     });
 
+    Ext.define('PBS.PruneSimulatorKeepInput', {
+	extend: 'Ext.form.field.Number',
+	alias: 'widget.prunesimulatorKeepInput',
+
+	allowBlank: true,
+	fieldGroup: 'keep',
+	minValue: 1,
+
+	listeners: {
+	    afterrender: function(field) {
+		this.triggers.clear.setVisible(field.value !== null);
+	    },
+	    change: function(field, newValue, oldValue) {
+		this.triggers.clear.setVisible(newValue !== null);
+	    },
+	},
+	triggers: {
+	    clear: {
+		cls: 'clear-trigger',
+		weight: -1,
+		handler: function() {
+		    this.triggers.clear.setVisible(false);
+		    this.setValue(null);
+		},
+	    },
+	},
+    });
+
     Ext.define('PBS.PruneSimulatorPanel', {
 	extend: 'Ext.panel.Panel',
 	alias: 'widget.prunesimulatorPanel',
@@ -470,6 +507,7 @@ Ext.onReady(function() {
 			newlyIncludedCount++;
 			backup.mark = 'keep';
 			backup.keepName = keepName;
+			backup.keepCount = newlyIncludedCount;
 		    } else {
 			backup.mark = 'remove';
 		    }
@@ -488,7 +526,7 @@ Ext.onReady(function() {
 		    Number(keepParams['keep-yearly']) === 0) {
 		    backups.forEach(function(backup) {
 			backup.mark = 'keep';
-			backup.keepName = 'all zero';
+			backup.keepName = 'keep-all';
 		    });
 
 		    return;
@@ -550,58 +588,37 @@ Ext.onReady(function() {
 
 	keepItems: [
 	    {
-		xtype: 'numberfield',
+		xtype: 'prunesimulatorKeepInput',
 		name: 'keep-last',
-		allowBlank: true,
 		fieldLabel: 'keep-last',
-		minValue: 0,
 		value: 4,
-		fieldGroup: 'keep',
 	    },
 	    {
-		xtype: 'numberfield',
+		xtype: 'prunesimulatorKeepInput',
 		name: 'keep-hourly',
-		allowBlank: true,
 		fieldLabel: 'keep-hourly',
-		minValue: 0,
-		value: 0,
-		fieldGroup: 'keep',
 	    },
 	    {
-		xtype: 'numberfield',
+		xtype: 'prunesimulatorKeepInput',
 		name: 'keep-daily',
-		allowBlank: true,
 		fieldLabel: 'keep-daily',
-		minValue: 0,
 		value: 5,
-		fieldGroup: 'keep',
 	    },
 	    {
-		xtype: 'numberfield',
+		xtype: 'prunesimulatorKeepInput',
 		name: 'keep-weekly',
-		allowBlank: true,
 		fieldLabel: 'keep-weekly',
-		minValue: 0,
 		value: 2,
-		fieldGroup: 'keep',
 	    },
 	    {
-		xtype: 'numberfield',
+		xtype: 'prunesimulatorKeepInput',
 		name: 'keep-monthly',
-		allowBlank: true,
 		fieldLabel: 'keep-monthly',
-		minValue: 0,
-		value: 0,
-		fieldGroup: 'keep',
 	    },
 	    {
-		xtype: 'numberfield',
+		xtype: 'prunesimulatorKeepInput',
 		name: 'keep-yearly',
-		allowBlank: true,
 		fieldLabel: 'keep-yearly',
-		minValue: 0,
-		value: 0,
-		fieldGroup: 'keep',
 	    },
 	],
 
@@ -613,42 +630,6 @@ Ext.onReady(function() {
 		sorters: { property: 'backuptime', direction: 'DESC' },
 	    });
 
-	    let scheduleItems = [
-		{
-		    xtype: 'prunesimulatorDayOfWeekSelector',
-		    name: 'schedule-weekdays',
-		    fieldLabel: 'Day of week',
-		    value: ['mon', 'tue', 'wed', 'thu', 'fri', 'sat', 'sun'],
-		    allowBlank: false,
-		    multiSelect: true,
-		    padding: '0 0 0 10',
-		},
-		{
-		    xtype: 'prunesimulatorCalendarEvent',
-		    name: 'schedule-time',
-		    allowBlank: false,
-		    value: '0/6:00',
-		    fieldLabel: 'Backup schedule',
-		    padding: '0 0 0 10',
-		},
-		{
-		    xtype: 'numberfield',
-		    name: 'numberOfWeeks',
-		    allowBlank: false,
-		    fieldLabel: 'Number of weeks',
-		    minValue: 1,
-		    value: 15,
-		    maxValue: 260, // five years
-		    padding: '0 0 0 10',
-		},
-		{
-		    xtype: 'button',
-		    name: 'schedule-button',
-		    text: 'Update Schedule',
-		    handler: 'reloadFull',
-		},
-	    ];
-
 	    me.items = [
 		{
 		    xtype: 'panel',
@@ -684,6 +665,7 @@ Ext.onReady(function() {
 			},
 			{ xtype: "panel", width: 1, border: 1 },
 			{
+			    xtype: 'form',
 			    layout: 'anchor',
 			    flex: 1,
 			    border: false,
@@ -692,7 +674,42 @@ Ext.onReady(function() {
 				labelWidth: 120,
 			    },
 			    bodyPadding: 10,
-			    items: scheduleItems,
+			    items: [
+				{
+				    xtype: 'prunesimulatorDayOfWeekSelector',
+				    name: 'schedule-weekdays',
+				    fieldLabel: 'Day of week',
+				    value: ['mon', 'tue', 'wed', 'thu', 'fri', 'sat', 'sun'],
+				    allowBlank: false,
+				    multiSelect: true,
+				    padding: '0 0 0 10',
+				},
+				{
+				    xtype: 'prunesimulatorCalendarEvent',
+				    name: 'schedule-time',
+				    allowBlank: false,
+				    value: '0/6:00',
+				    fieldLabel: 'Backup schedule',
+				    padding: '0 0 0 10',
+				},
+				{
+				    xtype: 'numberfield',
+				    name: 'numberOfWeeks',
+				    allowBlank: false,
+				    fieldLabel: 'Number of weeks',
+				    minValue: 1,
+				    value: 15,
+				    maxValue: 260, // five years
+				    padding: '0 0 0 10',
+				},
+				{
+				    xtype: 'button',
+				    name: 'schedule-button',
+				    text: 'Update Schedule',
+				    formBind: true,
+				    handler: 'reloadFull',
+				},
+			    ],
 			},
 		    ],
 		},

docs/storage.rst

@@ -1,6 +1,8 @@
 Storage
 =======
 
+.. _storage_disk_management:
+
 Disk Management
 ---------------
 
@@ -57,7 +59,7 @@ create a datastore at the location ``/mnt/datastore/store1``:
 You can also create a ``zpool`` with various raid levels from **Administration
 -> Disks -> Zpool** in the web interface, or by using ``zpool create``. The command
 below creates a mirrored ``zpool`` using two disks (``sdb`` & ``sdc``) and
-mounts it on the root directory (default):
+mounts it under ``/mnt/datastore/zpool1``:
 
 .. code-block:: console
 
@@ -85,7 +87,7 @@ display S.M.A.R.T. attributes from the web interface or by using the command:
 
 .. _datastore_intro:
 
-:term:`DataStore`
+:term:`Datastore`
 -----------------
 
 A datastore refers to a location at which backups are stored. The current
@@ -121,6 +123,8 @@ number of backups to keep in that store. :ref:`backup-pruning` and
 periodically based on a configured schedule (see :ref:`calendar-events`) per datastore.
 
 
+.. _storage_datastore_create:
+
 Creating a Datastore
 ^^^^^^^^^^^^^^^^^^^^
 .. image:: images/screenshots/pbs-gui-datastore-create-general.png

docs/sysadmin.rst

@@ -1,3 +1,5 @@
+.. _sysadmin_host_administration:
+
 Host System Administration
 ==========================
 

docs/user-management.rst

@@ -230,11 +230,11 @@ You can list the ACLs of each user/token using the following command:
 .. code-block:: console
 
    # proxmox-backup-manager acl list
-   ┌──────────┬──────────────────┬───────────┬────────────────┐
+   ┌──────────┬───────────────────┬───────────┬────────────────┐
    │ ugid     │ path              │ propagate │ roleid         │
-   ╞══════════╪══════════════════╪═══════════╪════════════════╡
+   ╞══════════╪═══════════════════╪═══════════╪════════════════╡
-   │ john@pbs │ /datastore/disk1 │         1 │ DatastoreAdmin │
+   │ john@pbs │ /datastore/store1 │         1 │ DatastoreAdmin │
-   └──────────┴──────────────────┴───────────┴────────────────┘
+   └──────────┴───────────────────┴───────────┴────────────────┘
 
 A single user/token can be assigned multiple permission sets for different datastores.
 
@@ -267,7 +267,7 @@ you can use the ``proxmox-backup-manager user permission`` command:
 
 .. code-block:: console
 
-  # proxmox-backup-manager user permissions john@pbs -- path /datastore/store1
+  # proxmox-backup-manager user permissions john@pbs --path /datastore/store1
   Privileges with (*) have the propagate flag set
   
   Path: /datastore/store1
@@ -276,9 +276,10 @@ you can use the ``proxmox-backup-manager user permission`` command:
   - Datastore.Modify (*)
   - Datastore.Prune (*)
   - Datastore.Read (*)
+  - Datastore.Verify (*)
   
   # proxmox-backup-manager acl update /datastore/store1 DatastoreBackup --auth-id 'john@pbs!client1'
-  # proxmox-backup-manager user permissions 'john@pbs!test' -- path /datastore/store1
+  # proxmox-backup-manager user permissions 'john@pbs!client1' --path /datastore/store1
   Privileges with (*) have the propagate flag set
   
   Path: /datastore/store1

etc/Makefile

@@ -9,7 +9,7 @@ DYNAMIC_UNITS := \
 	proxmox-backup.service \
 	proxmox-backup-proxy.service
 
-all: $(UNITS) $(DYNAMIC_UNITS) pbstest-beta.list
+all: $(UNITS) $(DYNAMIC_UNITS) pbs-enterprise.list
 
 clean:
 	rm -f $(DYNAMIC_UNITS)

etc/pbs-enterprise.list

@@ -0,0 +1 @@
+deb https://enterprise.proxmox.com/debian/pbs buster pbs-enterprise

etc/pbstest-beta.list

@@ -1 +0,0 @@
-deb http://download.proxmox.com/debian/pbs buster pbstest

src/api2/access/user.rs

@@ -268,6 +268,21 @@ pub fn read_user(userid: Userid, mut rpcenv: &mut dyn RpcEnvironment) -> Result<
     Ok(user)
 }
 
+#[api()]
+#[derive(Serialize, Deserialize)]
+#[serde(rename_all="kebab-case")]
+#[allow(non_camel_case_types)]
+pub enum DeletableProperty {
+    /// Delete the comment property.
+    comment,
+    /// Delete the firstname property.
+    firstname,
+    /// Delete the lastname property.
+    lastname,
+    /// Delete the email property.
+    email,
+}
+
 #[api(
     protected: true,
     input: {
@@ -303,6 +318,14 @@ pub fn read_user(userid: Userid, mut rpcenv: &mut dyn RpcEnvironment) -> Result<
                 schema: user::EMAIL_SCHEMA,
                 optional: true,
             },
+            delete: {
+                description: "List of properties to delete.",
+                type: Array,
+                optional: true,
+                items: {
+                    type: DeletableProperty,
+                }
+            },
             digest: {
                 optional: true,
                 schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
@@ -326,6 +349,7 @@ pub fn update_user(
     firstname: Option<String>,
     lastname: Option<String>,
     email: Option<String>,
+    delete: Option<Vec<DeletableProperty>>,
     digest: Option<String>,
 ) -> Result<(), Error> {
 
@@ -340,6 +364,17 @@ pub fn update_user(
 
     let mut data: user::User = config.lookup("user", userid.as_str())?;
 
+    if let Some(delete) = delete {
+        for delete_prop in delete {
+            match delete_prop {
+                DeletableProperty::comment => data.comment = None,
+                DeletableProperty::firstname => data.firstname = None,
+                DeletableProperty::lastname => data.lastname = None,
+                DeletableProperty::email => data.email = None,
+            }
+        }
+    }
+
     if let Some(comment) = comment {
         let comment = comment.trim().to_string();
         if comment.is_empty() {

src/api2/admin/datastore.rs

@@ -1,4 +1,4 @@
-use std::collections::{HashSet, HashMap};
+use std::collections::HashSet;
 use std::ffi::OsStr;
 use std::os::unix::ffi::OsStrExt;
 use std::sync::{Arc, Mutex};
@@ -125,19 +125,6 @@ fn get_all_snapshot_files(
     Ok((manifest, files))
 }
 
-fn group_backups(backup_list: Vec<BackupInfo>) -> HashMap<String, Vec<BackupInfo>> {
-
-    let mut group_hash = HashMap::new();
-
-    for info in backup_list {
-        let group_id = info.backup_dir.group().group_path().to_str().unwrap().to_owned();
-        let time_list = group_hash.entry(group_id).or_insert(vec![]);
-        time_list.push(info);
-    }
-
-    group_hash
-}
-
 #[api(
     input: {
         properties: {
@@ -171,39 +158,64 @@ fn list_groups(
     let user_privs = user_info.lookup_privs(&auth_id, &["datastore", &store]);
 
     let datastore = DataStore::lookup_datastore(&store)?;
-
-    let backup_list = BackupInfo::list_backups(&datastore.base_path())?;
-
-    let group_hash = group_backups(backup_list);
-
-    let mut groups = Vec::new();
-
-    for (_group_id, mut list) in group_hash {
-
-        BackupInfo::sort_list(&mut list, false);
-
-        let info = &list[0];
-
-        let group = info.backup_dir.group();
-
     let list_all = (user_privs & PRIV_DATASTORE_AUDIT) != 0;
-        let owner = datastore.get_owner(group)?;
+
+    let backup_groups = BackupInfo::list_backup_groups(&datastore.base_path())?;
+
+    let group_info = backup_groups
+        .into_iter()
+        .fold(Vec::new(), |mut group_info, group| {
+            let owner = match datastore.get_owner(&group) {
+                Ok(auth_id) => auth_id,
+                Err(err) => {
+                    eprintln!("Failed to get owner of group '{}/{}' - {}",
+                             &store,
+                             group,
+                             err);
+                    return group_info;
+                },
+            };
             if !list_all && check_backup_owner(&owner, &auth_id).is_err() {
-            continue;
+                return group_info;
             }
 
-        let result_item = GroupListItem {
+            let snapshots = match group.list_backups(&datastore.base_path()) {
+                Ok(snapshots) => snapshots,
+                Err(_) => {
+                    return group_info;
+                },
+            };
+
+            let backup_count: u64 = snapshots.len() as u64;
+            if backup_count == 0 {
+                return group_info;
+            }
+
+            let last_backup = snapshots
+                .iter()
+                .fold(&snapshots[0], |last, curr| {
+                    if curr.is_finished()
+                        && curr.backup_dir.backup_time() > last.backup_dir.backup_time() {
+                        curr
+                    } else {
+                        last
+                    }
+                })
+                .to_owned();
+
+            group_info.push(GroupListItem {
                 backup_type: group.backup_type().to_string(),
                 backup_id: group.backup_id().to_string(),
-            last_backup: info.backup_dir.backup_time(),
+                last_backup: last_backup.backup_dir.backup_time(),
-            backup_count: list.len() as u64,
-            files: info.files.clone(),
                 owner: Some(owner),
-        };
+                backup_count,
-        groups.push(result_item);
+                files: last_backup.files,
-    }
+            });
 
-    Ok(groups)
+            group_info
+        });
+
+    Ok(group_info)
 }
 
 #[api(
@@ -351,43 +363,56 @@ pub fn list_snapshots (
     let user_info = CachedUserInfo::new()?;
     let user_privs = user_info.lookup_privs(&auth_id, &["datastore", &store]);
 
+    let list_all = (user_privs & PRIV_DATASTORE_AUDIT) != 0;
+
     let datastore = DataStore::lookup_datastore(&store)?;
 
     let base_path = datastore.base_path();
 
-    let backup_list = BackupInfo::list_backups(&base_path)?;
+    let groups = match (backup_type, backup_id) {
+        (Some(backup_type), Some(backup_id)) => {
+            let mut groups = Vec::with_capacity(1);
+            groups.push(BackupGroup::new(backup_type, backup_id));
+            groups
+        },
+        (Some(backup_type), None) => {
+            BackupInfo::list_backup_groups(&base_path)?
+                .into_iter()
+                .filter(|group| group.backup_type() == backup_type)
+                .collect()
+        },
+        (None, Some(backup_id)) => {
+            BackupInfo::list_backup_groups(&base_path)?
+                .into_iter()
+                .filter(|group| group.backup_id() == backup_id)
+                .collect()
+        },
+        _ => BackupInfo::list_backup_groups(&base_path)?,
+    };
 
-    let mut snapshots = vec![];
+    let info_to_snapshot_list_item = |group: &BackupGroup, owner, info: BackupInfo| {
+        let backup_type = group.backup_type().to_string();
+        let backup_id = group.backup_id().to_string();
+        let backup_time = info.backup_dir.backup_time();
 
-    for info in backup_list {
+        match get_all_snapshot_files(&datastore, &info) {
-        let group = info.backup_dir.group();
-        if let Some(ref backup_type) = backup_type {
-            if backup_type != group.backup_type() { continue; }
-        }
-        if let Some(ref backup_id) = backup_id {
-            if backup_id != group.backup_id() { continue; }
-        }
-
-        let list_all = (user_privs & PRIV_DATASTORE_AUDIT) != 0;
-        let owner = datastore.get_owner(group)?;
-
-        if !list_all && check_backup_owner(&owner, &auth_id).is_err() {
-            continue;
-        }
-
-        let mut size = None;
-
-        let (comment, verification, files) = match get_all_snapshot_files(&datastore, &info) {
             Ok((manifest, files)) => {
-                size = Some(files.iter().map(|x| x.size.unwrap_or(0)).sum());
                 // extract the first line from notes
                 let comment: Option<String> = manifest.unprotected["notes"]
                     .as_str()
                     .and_then(|notes| notes.lines().next())
                     .map(String::from);
 
-                let verify = manifest.unprotected["verify_state"].clone();
+                let fingerprint = match manifest.fingerprint() {
-                let verify: Option<SnapshotVerifyState> = match serde_json::from_value(verify) {
+                    Ok(fp) => fp,
+                    Err(err) => {
+                        eprintln!("error parsing fingerprint: '{}'", err);
+                        None
+                    },
+                };
+
+                let verification = manifest.unprotected["verify_state"].clone();
+                let verification: Option<SnapshotVerifyState> = match serde_json::from_value(verification) {
                     Ok(verify) => verify,
                     Err(err) => {
                         eprintln!("error parsing verification state : '{}'", err);
@@ -395,88 +420,114 @@ pub fn list_snapshots (
                     }
                 };
 
-                (comment, verify, files)
+                let size = Some(files.iter().map(|x| x.size.unwrap_or(0)).sum());
+
+                SnapshotListItem {
+                    backup_type,
+                    backup_id,
+                    backup_time,
+                    comment,
+                    verification,
+                    fingerprint,
+                    files,
+                    size,
+                    owner,
+                }
             },
             Err(err) => {
                 eprintln!("error during snapshot file listing: '{}'", err);
-                (
+                let files = info
-                    None,
-                    None,
-                    info
                         .files
-                        .iter()
+                        .into_iter()
                         .map(|x| BackupContent {
                             filename: x.to_string(),
                             size: None,
                             crypt_mode: None,
                         })
-                        .collect()
+                        .collect();
-                )
+
+                SnapshotListItem {
+                    backup_type,
+                    backup_id,
+                    backup_time,
+                    comment: None,
+                    verification: None,
+                    fingerprint: None,
+                    files,
+                    size: None,
+                    owner,
+                }
+            },
+        }
+    };
+
+    groups
+        .iter()
+        .try_fold(Vec::new(), |mut snapshots, group| {
+            let owner = match datastore.get_owner(group) {
+                Ok(auth_id) => auth_id,
+                Err(err) => {
+                    eprintln!("Failed to get owner of group '{}/{}' - {}",
+                              &store,
+                              group,
+                              err);
+                    return Ok(snapshots);
                 },
             };
 
-        let result_item = SnapshotListItem {
+            if !list_all && check_backup_owner(&owner, &auth_id).is_err() {
-            backup_type: group.backup_type().to_string(),
+                return Ok(snapshots);
-            backup_id: group.backup_id().to_string(),
-            backup_time: info.backup_dir.backup_time(),
-            comment,
-            verification,
-            files,
-            size,
-            owner: Some(owner),
-        };
-
-        snapshots.push(result_item);
             }
 
+            let group_backups = group.list_backups(&datastore.base_path())?;
+
+            snapshots.extend(
+                group_backups
+                    .into_iter()
+                    .map(|info| info_to_snapshot_list_item(&group, Some(owner.clone()), info))
+            );
+
             Ok(snapshots)
+        })
 }
 
-fn get_snapshots_count(store: &DataStore) -> Result<Counts, Error> {
+fn get_snapshots_count(store: &DataStore, filter_owner: Option<&Authid>) -> Result<Counts, Error> {
     let base_path = store.base_path();
-    let backup_list = BackupInfo::list_backups(&base_path)?;
+    let groups = BackupInfo::list_backup_groups(&base_path)?;
-    let mut groups = HashSet::new();
 
-    let mut result = Counts {
+    groups.iter()
-        ct: None,
+        .filter(|group| {
-        host: None,
+            let owner = match store.get_owner(&group) {
-        vm: None,
+                Ok(owner) => owner,
-        other: None,
+                Err(err) => {
+                    eprintln!("Failed to get owner of group '{}/{}' - {}",
+                              store.name(),
+                              group,
+                              err);
+                    return false;
+                },
             };
 
-    for info in backup_list {
+            match filter_owner {
-        let group = info.backup_dir.group();
+                Some(filter) => check_backup_owner(&owner, filter).is_ok(),
-
+                None => true,
-        let id = group.backup_id();
-        let backup_type = group.backup_type();
-
-        let mut new_id = false;
-
-        if groups.insert(format!("{}-{}", &backup_type, &id)) {
-            new_id = true;
             }
+        })
+        .try_fold(Counts::default(), |mut counts, group| {
+            let snapshot_count = group.list_backups(&base_path)?.len() as u64;
 
-        let mut counts = match backup_type {
+            let type_count = match group.backup_type() {
-            "ct" => result.ct.take().unwrap_or(Default::default()),
+                "ct" => counts.ct.get_or_insert(Default::default()),
-            "host" => result.host.take().unwrap_or(Default::default()),
+                "vm" => counts.vm.get_or_insert(Default::default()),
-            "vm" => result.vm.take().unwrap_or(Default::default()),
+                "host" => counts.host.get_or_insert(Default::default()),
-            _ => result.other.take().unwrap_or(Default::default()),
+                _ => counts.other.get_or_insert(Default::default()),
             };
 
-        counts.snapshots += 1;
+            type_count.groups += 1;
-        if new_id {
+            type_count.snapshots += snapshot_count;
-            counts.groups +=1;
-        }
 
-        match backup_type {
+            Ok(counts)
-            "ct" => result.ct = Some(counts),
+        })
-            "host" => result.host = Some(counts),
-            "vm" => result.vm = Some(counts),
-            _ => result.other = Some(counts),
-        }
-    }
-
-    Ok(result)
 }
 
 #[api(
@@ -485,8 +536,15 @@ fn get_snapshots_count(store: &DataStore) -> Result<Counts, Error> {
             store: {
                 schema: DATASTORE_SCHEMA,
             },
+            verbose: {
+                type: bool,
+                default: false,
+                optional: true,
+                description: "Include additional information like snapshot counts and GC status.",
             },
         },
+
+    },
     returns: {
         type: DataStoreStatus,
     },
@@ -497,13 +555,30 @@ fn get_snapshots_count(store: &DataStore) -> Result<Counts, Error> {
 /// Get datastore status.
 pub fn status(
     store: String,
+    verbose: bool,
     _info: &ApiMethod,
-    _rpcenv: &mut dyn RpcEnvironment,
+    rpcenv: &mut dyn RpcEnvironment,
 ) -> Result<DataStoreStatus, Error> {
     let datastore = DataStore::lookup_datastore(&store)?;
     let storage = crate::tools::disks::disk_usage(&datastore.base_path())?;
-    let counts = get_snapshots_count(&datastore)?;
+    let (counts, gc_status) = if verbose {
-    let gc_status = datastore.last_gc_status();
+        let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
+        let user_info = CachedUserInfo::new()?;
+
+        let store_privs = user_info.lookup_privs(&auth_id, &["datastore", &store]);
+        let filter_owner = if store_privs & PRIV_DATASTORE_AUDIT != 0 {
+            None
+        } else {
+            Some(&auth_id)
+        };
+
+        let counts = Some(get_snapshots_count(&datastore, filter_owner)?);
+        let gc_status = Some(datastore.last_gc_status());
+
+        (counts, gc_status)
+    } else {
+        (None, None)
+    };
 
     Ok(DataStoreStatus {
         total: storage.total,
@@ -636,7 +711,7 @@ pub fn verify(
                 verify_all_backups(datastore, worker.clone(), worker.upid(), owner, None)?
             };
             if failed_dirs.len() > 0 {
-                worker.log("Failed to verify following snapshots:");
+                worker.log("Failed to verify the following snapshots/groups:");
                 for dir in failed_dirs {
                     worker.log(format!("\t{}", dir));
                 }

src/api2/backup.rs

@@ -311,6 +311,10 @@ pub const BACKUP_API_SUBDIRS: SubdirMap = &[
         "previous", &Router::new()
             .download(&API_METHOD_DOWNLOAD_PREVIOUS)
     ),
+    (
+        "previous_backup_time", &Router::new()
+            .get(&API_METHOD_GET_PREVIOUS_BACKUP_TIME)
+    ),
     (
         "speedtest", &Router::new()
             .upload(&API_METHOD_UPLOAD_SPEEDTEST)
@@ -694,6 +698,28 @@ fn finish_backup (
     Ok(Value::Null)
 }
 
+#[sortable]
+pub const API_METHOD_GET_PREVIOUS_BACKUP_TIME: ApiMethod = ApiMethod::new(
+    &ApiHandler::Sync(&get_previous_backup_time),
+    &ObjectSchema::new(
+        "Get previous backup time.",
+        &[],
+    )
+);
+
+fn get_previous_backup_time(
+    _param: Value,
+    _info: &ApiMethod,
+    rpcenv: &mut dyn RpcEnvironment,
+) -> Result<Value, Error> {
+
+    let env: &BackupEnvironment = rpcenv.as_ref();
+
+    let backup_time = env.last_backup.as_ref().map(|info| info.backup_dir.backup_time());
+
+    Ok(json!(backup_time))
+}
+
 #[sortable]
 pub const API_METHOD_DOWNLOAD_PREVIOUS: ApiMethod = ApiMethod::new(
     &ApiHandler::AsyncHttp(&download_previous),

src/api2/config/remote.rs

@@ -78,7 +78,7 @@ pub fn list_remotes(
                 optional: true,
                 default: 8007,
             },
-            userid: {
+            "auth-id": {
                 type: Authid,
             },
             password: {
@@ -178,7 +178,7 @@ pub enum DeletableProperty {
                 type: u16,
                 optional: true,
             },
-            userid: {
+            "auth-id": {
                 optional: true,
                 type: Authid,
             },
@@ -214,7 +214,7 @@ pub fn update_remote(
     comment: Option<String>,
     host: Option<String>,
     port: Option<u16>,
-    userid: Option<Authid>,
+    auth_id: Option<Authid>,
     password: Option<String>,
     fingerprint: Option<String>,
     delete: Option<Vec<DeletableProperty>>,
@@ -252,7 +252,7 @@ pub fn update_remote(
     }
     if let Some(host) = host { data.host = host; }
     if port.is_some() { data.port = port; }
-    if let Some(userid) = userid { data.userid = userid; }
+    if let Some(auth_id) = auth_id { data.auth_id = auth_id; }
     if let Some(password) = password { data.password = password; }
 
     if let Some(fingerprint) = fingerprint { data.fingerprint = Some(fingerprint); }
@@ -284,6 +284,17 @@ pub fn update_remote(
 /// Remove a remote from the configuration file.
 pub fn delete_remote(name: String, digest: Option<String>) -> Result<(), Error> {
 
+    use crate::config::sync::{self, SyncJobConfig};
+
+    let (sync_jobs, _) = sync::config()?;
+
+    let job_list: Vec<SyncJobConfig>  = sync_jobs.convert_to_typed_array("sync")?;
+    for job in job_list {
+        if job.remote == name {
+            bail!("remote '{}' is used by sync job '{}' (datastore '{}')", name, job.id, job.store);
+        }
+    }
+
     let _lock = open_file_locked(remote::REMOTE_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
 
     let (mut config, expected_digest) = remote::config()?;
@@ -312,7 +323,7 @@ pub async fn remote_client(remote: remote::Remote) -> Result<HttpClient, Error>
     let client = HttpClient::new(
         &remote.host,
         remote.port.unwrap_or(8007),
-        &remote.userid,
+        &remote.auth_id,
         options)?;
     let _auth_info = client.login() // make sure we can auth
         .await

src/api2/node.rs

@@ -34,7 +34,7 @@ pub mod subscription;
 pub(crate) mod rrd;
 
 mod journal;
-mod services;
+pub(crate) mod services;
 mod status;
 mod syslog;
 mod time;

src/api2/node/apt.rs

@@ -1,12 +1,13 @@
 use anyhow::{Error, bail, format_err};
 use serde_json::{json, Value};
+use std::collections::HashMap;
 
 use proxmox::list_subdirs_api_method;
 use proxmox::api::{api, RpcEnvironment, RpcEnvironmentType, Permission};
 use proxmox::api::router::{Router, SubdirMap};
 
 use crate::server::WorkerTask;
-use crate::tools::{apt, http};
+use crate::tools::{apt, http, subscription};
 
 use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_SYS_MODIFY};
 use crate::api2::types::{Authid, APTUpdateInfo, NODE_SCHEMA, UPID_SCHEMA};
@@ -202,9 +203,34 @@ fn apt_get_changelog(
     let changelog_url = &pkg_info[0].change_log_url;
     // FIXME: use 'apt-get changelog' for proxmox packages as well, once repo supports it
     if changelog_url.starts_with("http://download.proxmox.com/") {
-        let changelog = crate::tools::runtime::block_on(http::get_string(changelog_url))
+        let changelog = crate::tools::runtime::block_on(http::get_string(changelog_url, None))
             .map_err(|err| format_err!("Error downloading changelog from '{}': {}", changelog_url, err))?;
         return Ok(json!(changelog));
+
+    } else if changelog_url.starts_with("https://enterprise.proxmox.com/") {
+        let sub = match subscription::read_subscription()? {
+            Some(sub) => sub,
+            None => bail!("cannot retrieve changelog from enterprise repo: no subscription info found")
+        };
+        let (key, id) = match sub.key {
+            Some(key) => {
+                match sub.serverid {
+                    Some(id) => (key, id),
+                    None =>
+                        bail!("cannot retrieve changelog from enterprise repo: no server id found")
+                }
+            },
+            None => bail!("cannot retrieve changelog from enterprise repo: no subscription key found")
+        };
+
+        let mut auth_header = HashMap::new();
+        auth_header.insert("Authorization".to_owned(),
+            format!("Basic {}", base64::encode(format!("{}:{}", key, id))));
+
+        let changelog = crate::tools::runtime::block_on(http::get_string(changelog_url, Some(&auth_header)))
+            .map_err(|err| format_err!("Error downloading changelog from '{}': {}", changelog_url, err))?;
+        return Ok(json!(changelog));
+
     } else {
         let mut command = std::process::Command::new("apt-get");
         command.arg("changelog");
@@ -215,12 +241,128 @@ fn apt_get_changelog(
     }
 }
 
+#[api(
+    input: {
+        properties: {
+            node: {
+                schema: NODE_SCHEMA,
+            },
+        },
+    },
+    returns: {
+        description: "List of more relevant packages.",
+        type: Array,
+        items: {
+            type: APTUpdateInfo,
+        },
+    },
+    access: {
+        permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+    },
+)]
+/// Get package information for important Proxmox Backup Server packages.
+pub fn get_versions() -> Result<Vec<APTUpdateInfo>, Error> {
+    const PACKAGES: &[&str] = &[
+        "ifupdown2",
+        "libjs-extjs",
+        "proxmox-backup",
+        "proxmox-backup-docs",
+        "proxmox-backup-client",
+        "proxmox-backup-server",
+        "proxmox-mini-journalreader",
+        "proxmox-widget-toolkit",
+        "pve-xtermjs",
+        "smartmontools",
+        "zfsutils-linux",
+    ];
+
+    fn unknown_package(package: String, extra_info: Option<String>) -> APTUpdateInfo {
+        APTUpdateInfo {
+            package,
+            title: "unknown".into(),
+            arch: "unknown".into(),
+            description: "unknown".into(),
+            version: "unknown".into(),
+            old_version: "unknown".into(),
+            origin: "unknown".into(),
+            priority: "unknown".into(),
+            section: "unknown".into(),
+            change_log_url: "unknown".into(),
+            extra_info,
+        }
+    }
+
+    let is_kernel = |name: &str| name.starts_with("pve-kernel-");
+
+    let mut packages: Vec<APTUpdateInfo> = Vec::new();
+    let pbs_packages = apt::list_installed_apt_packages(
+        |filter| {
+            filter.installed_version == Some(filter.active_version)
+                && (is_kernel(filter.package) || PACKAGES.contains(&filter.package))
+        },
+        None,
+    );
+
+    let running_kernel = format!(
+        "running kernel: {}",
+        nix::sys::utsname::uname().release().to_owned()
+    );
+    if let Some(proxmox_backup) = pbs_packages.iter().find(|pkg| pkg.package == "proxmox-backup") {
+        let mut proxmox_backup = proxmox_backup.clone();
+        proxmox_backup.extra_info = Some(running_kernel);
+        packages.push(proxmox_backup);
+    } else {
+        packages.push(unknown_package("proxmox-backup".into(), Some(running_kernel)));
+    }
+
+    let version = crate::api2::version::PROXMOX_PKG_VERSION;
+    let release = crate::api2::version::PROXMOX_PKG_RELEASE;
+    let daemon_version_info = Some(format!("running version: {}.{}", version, release));
+    if let Some(pkg) = pbs_packages.iter().find(|pkg| pkg.package == "proxmox-backup-server") {
+        let mut pkg = pkg.clone();
+        pkg.extra_info = daemon_version_info;
+        packages.push(pkg);
+    } else {
+        packages.push(unknown_package("proxmox-backup".into(), daemon_version_info));
+    }
+
+    let mut kernel_pkgs: Vec<APTUpdateInfo> = pbs_packages
+        .iter()
+        .filter(|pkg| is_kernel(&pkg.package))
+        .cloned()
+        .collect();
+    // make sure the cache mutex gets dropped before the next call to list_installed_apt_packages
+    {
+        let cache = apt_pkg_native::Cache::get_singleton();
+        kernel_pkgs.sort_by(|left, right| {
+            cache
+                .compare_versions(&left.old_version, &right.old_version)
+                .reverse()
+        });
+    }
+    packages.append(&mut kernel_pkgs);
+
+    // add entry for all packages we're interested in, even if not installed
+    for pkg in PACKAGES.iter() {
+        if pkg == &"proxmox-backup" || pkg == &"proxmox-backup-server" {
+            continue;
+        }
+        match pbs_packages.iter().find(|item| &item.package == pkg) {
+            Some(apt_pkg) => packages.push(apt_pkg.to_owned()),
+            None => packages.push(unknown_package(pkg.to_string(), None)),
+        }
+    }
+
+    Ok(packages)
+}
+
 const SUBDIRS: SubdirMap = &[
     ("changelog", &Router::new().get(&API_METHOD_APT_GET_CHANGELOG)),
     ("update", &Router::new()
         .get(&API_METHOD_APT_UPDATE_AVAILABLE)
         .post(&API_METHOD_APT_UPDATE_DATABASE)
     ),
+    ("versions", &Router::new().get(&API_METHOD_GET_VERSIONS)),
 ];
 
 pub const ROUTER: Router = Router::new()

src/api2/node/disks/directory.rs

@@ -142,6 +142,18 @@ pub fn create_datastore_disk(
         bail!("disk '{}' is already in use.", disk);
     }
 
+    let mount_point = format!("/mnt/datastore/{}", &name);
+
+    // check if the default path does exist already and bail if it does
+    let default_path = std::path::PathBuf::from(&mount_point);
+
+    match std::fs::metadata(&default_path) {
+        Err(_) => {}, // path does not exist
+        Ok(_) => {
+            bail!("path {:?} already exists", default_path);
+        }
+    }
+
     let upid_str = WorkerTask::new_thread(
         "dircreate", Some(name.clone()), auth_id, to_stdout, move |worker|
         {
@@ -160,7 +172,7 @@ pub fn create_datastore_disk(
             let uuid = get_fs_uuid(&partition)?;
             let uuid_path = format!("/dev/disk/by-uuid/{}", uuid);
 
-            let (mount_unit_name, mount_point) = create_datastore_mount_unit(&name, filesystem, &uuid_path)?;
+            let mount_unit_name = create_datastore_mount_unit(&name, &mount_point, filesystem, &uuid_path)?;
 
             systemd::reload_daemon()?;
             systemd::enable_unit(&mount_unit_name)?;
@@ -243,11 +255,11 @@ pub const ROUTER: Router = Router::new()
 
 fn create_datastore_mount_unit(
     datastore_name: &str,
+    mount_point: &str,
     fs_type: FileSystemType,
     what: &str,
-) -> Result<(String, String), Error> {
+) -> Result<String, Error> {
 
-    let mount_point = format!("/mnt/datastore/{}", datastore_name);
     let mut mount_unit_name = systemd::escape_unit(&mount_point, true);
     mount_unit_name.push_str(".mount");
 
@@ -265,7 +277,7 @@ fn create_datastore_mount_unit(
 
     let mount = SystemdMountSection {
         What: what.to_string(),
-        Where: mount_point.clone(),
+        Where: mount_point.to_string(),
         Type: Some(fs_type.to_string()),
         Options: Some(String::from("defaults")),
         ..Default::default()
@@ -278,5 +290,5 @@ fn create_datastore_mount_unit(
 
     systemd::config::save_systemd_mount(&mount_unit_path, &config)?;
 
-    Ok((mount_unit_name, mount_point))
+    Ok(mount_unit_name)
 }

src/api2/node/disks/zfs.rs

@@ -243,7 +243,7 @@ pub fn zpool_details(
         permission: &Permission::Privilege(&["system", "disks"], PRIV_SYS_MODIFY, false),
     },
 )]
-/// Create a new ZFS pool.
+/// Create a new ZFS pool. Will be mounted under '/mnt/datastore/<name>'.
 pub fn create_zpool(
     name: String,
     devices: String,
@@ -303,10 +303,11 @@ pub fn create_zpool(
         bail!("{:?} needs at least {} disks.", raidlevel, min_disks);
     }
 
+    let mount_point = format!("/mnt/datastore/{}", &name);
+
     // check if the default path does exist already and bail if it does
-    // otherwise we get an error on mounting
+    // otherwise 'zpool create' aborts after partitioning, but before creating the pool
-    let mut default_path = std::path::PathBuf::from("/");
+    let default_path = std::path::PathBuf::from(&mount_point);
-    default_path.push(&name);
 
     match std::fs::metadata(&default_path) {
         Err(_) => {}, // path does not exist
@@ -322,7 +323,7 @@ pub fn create_zpool(
 
 
             let mut command = std::process::Command::new("zpool");
-            command.args(&["create", "-o", &format!("ashift={}", ashift), &name]);
+            command.args(&["create", "-o", &format!("ashift={}", ashift), "-m", &mount_point, &name]);
 
             match raidlevel {
                 ZfsRaidLevel::Single => {
@@ -371,7 +372,6 @@ pub fn create_zpool(
             }
 
             if add_datastore {
-                let mount_point = format!("/{}", name);
                 crate::api2::config::datastore::create_datastore(json!({ "name": name, "path": mount_point }))?
             }
 

src/api2/node/services.rs

@@ -22,7 +22,7 @@ static SERVICE_NAME_LIST: [&str; 7] = [
     "systemd-timesyncd",
 ];
 
-fn real_service_name(service: &str) -> &str {
+pub fn real_service_name(service: &str) -> &str {
 
     // since postfix package 3.1.0-3.1 the postfix unit is only here
     // to manage subinstances, of which the default is called "-".

src/api2/node/syslog.rs

@@ -134,12 +134,18 @@ fn get_syslog(
     mut rpcenv: &mut dyn RpcEnvironment,
 ) -> Result<Value, Error> {
 
+    let service = if let Some(service) = param["service"].as_str() {
+        Some(crate::api2::node::services::real_service_name(service))
+    } else {
+        None
+    };
+
     let (count, lines) = dump_journal(
         param["start"].as_u64(),
         param["limit"].as_u64(),
         param["since"].as_str(),
         param["until"].as_str(),
-        param["service"].as_str())?;
+        service)?;
 
     rpcenv["total"] = Value::from(count);
 

src/api2/node/tasks.rs

@@ -71,6 +71,36 @@ fn check_job_privs(auth_id: &Authid, user_info: &CachedUserInfo, upid: &UPID) ->
     bail!("not a scheduled job task");
 }
 
+// get the store out of the worker_id
+fn check_job_store(upid: &UPID, store: &str) -> bool {
+    match (upid.worker_type.as_str(), &upid.worker_id) {
+        (workertype, Some(workerid)) if workertype.starts_with("verif") => {
+            if let Some(captures) = VERIFICATION_JOB_WORKER_ID_REGEX.captures(&workerid) {
+                if let Some(jobstore) = captures.get(1) {
+                    return store == jobstore.as_str();
+                }
+            } else {
+                return workerid == store;
+            }
+        }
+        ("syncjob", Some(workerid)) => {
+            if let Some(captures) = SYNC_JOB_WORKER_ID_REGEX.captures(&workerid) {
+                if let Some(local_store) = captures.get(3) {
+                    return store == local_store.as_str();
+                }
+            }
+        }
+        ("prune", Some(workerid))
+        | ("backup", Some(workerid))
+        | ("garbage_collection", Some(workerid)) => {
+            return workerid == store || workerid.starts_with(&format!("{}:", store));
+        }
+        _ => {}
+    };
+
+    false
+}
+
 fn check_task_access(auth_id: &Authid, upid: &UPID) -> Result<(), Error> {
     let task_auth_id = &upid.auth_id;
     if auth_id == task_auth_id
@@ -455,21 +485,8 @@ pub fn list_tasks(
         }
 
         if let Some(store) = store {
-            // Note: useful to select all tasks spawned by proxmox-backup-client
+            if !check_job_store(&info.upid, store) {
-            let worker_id = match &info.upid.worker_id {
+                return None;
-                Some(w) => w,
-                None => return None, // skip
-            };
-
-            if info.upid.worker_type == "backup" || info.upid.worker_type == "restore" ||
-                info.upid.worker_type == "prune"
-            {
-                let prefix = format!("{}:", store);
-                if !worker_id.starts_with(&prefix) { return None; }
-            } else if info.upid.worker_type == "garbage_collection" {
-                if worker_id != store { return None; }
-            } else {
-                return None; // skip
             }
         }
 

src/api2/pull.rs

@@ -50,7 +50,7 @@ pub async fn get_pull_parameters(
     let (remote_config, _digest) = remote::config()?;
     let remote: remote::Remote = remote_config.lookup("remote", remote)?;
 
-    let src_repo = BackupRepository::new(Some(remote.userid.clone()), Some(remote.host.clone()), remote.port, remote_store.to_string());
+    let src_repo = BackupRepository::new(Some(remote.auth_id.clone()), Some(remote.host.clone()), remote.port, remote_store.to_string());
 
     let client = crate::api2::config::remote::remote_client(remote).await?;
 

src/api2/status.rs

@@ -103,6 +103,7 @@ fn datastore_status(
             "total": status.total,
             "used": status.used,
             "avail": status.avail,
+            "gc-status": datastore.last_gc_status(),
         });
 
         let rrd_dir = format!("datastore/{}", store);
@@ -152,6 +153,8 @@ fn datastore_status(
                     }
                 }
 
+                entry["history-start"] = start.into();
+                entry["history-delta"] = reso.into();
                 entry["history"] = history.into();
 
                 // we skip the calculation for datastores with not enough data

src/api2/types/mod.rs

@@ -5,7 +5,7 @@ use proxmox::api::{api, schema::*};
 use proxmox::const_regex;
 use proxmox::{IPRE, IPRE_BRACKET, IPV4RE, IPV6RE, IPV4OCTET, IPV6H16, IPV6LS32};
 
-use crate::backup::{CryptMode, BACKUP_ID_REGEX};
+use crate::backup::{CryptMode, Fingerprint, BACKUP_ID_REGEX};
 use crate::server::UPID;
 
 #[macro_use]
@@ -484,6 +484,10 @@ pub struct SnapshotVerifyState {
             type: SnapshotVerifyState,
             optional: true,
         },
+        fingerprint: {
+            type: String,
+            optional: true,
+        },
         files: {
             items: {
                 schema: BACKUP_ARCHIVE_NAME_SCHEMA
@@ -508,6 +512,9 @@ pub struct SnapshotListItem {
     /// The result of the last run verify task
     #[serde(skip_serializing_if="Option::is_none")]
     pub verification: Option<SnapshotVerifyState>,
+    /// Fingerprint of encryption key
+    #[serde(skip_serializing_if="Option::is_none")]
+    pub fingerprint: Option<Fingerprint>,
     /// List of contained archive files.
     pub files: Vec<BackupContent>,
     /// Overall snapshot size (sum of all archive sizes).
@@ -692,7 +699,7 @@ pub struct TypeCounts {
         },
     },
 )]
-#[derive(Serialize, Deserialize)]
+#[derive(Serialize, Deserialize, Default)]
 /// Counts of groups/snapshots per BackupType.
 pub struct Counts {
     /// The counts for CT backups
@@ -707,8 +714,14 @@ pub struct Counts {
 
 #[api(
     properties: {
-        "gc-status": { type: GarbageCollectionStatus, },
+        "gc-status": {
-        counts: { type: Counts, }
+            type: GarbageCollectionStatus,
+            optional: true,
+        },
+        counts: {
+            type: Counts,
+            optional: true,
+        },
     },
 )]
 #[derive(Serialize, Deserialize)]
@@ -722,9 +735,11 @@ pub struct DataStoreStatus {
     /// Available space (bytes).
     pub avail: u64,
     /// Status of last GC
-    pub gc_status: GarbageCollectionStatus,
+    #[serde(skip_serializing_if="Option::is_none")]
+    pub gc_status: Option<GarbageCollectionStatus>,
     /// Group/Snapshot counts
-    pub counts: Counts,
+    #[serde(skip_serializing_if="Option::is_none")]
+    pub counts: Option<Counts>,
 }
 
 #[api(
@@ -1153,7 +1168,7 @@ pub enum RRDTimeFrameResolution {
 }
 
 #[api()]
-#[derive(Debug, Serialize, Deserialize)]
+#[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(rename_all = "PascalCase")]
 /// Describes a package for which an update is available.
 pub struct APTUpdateInfo {
@@ -1177,6 +1192,9 @@ pub struct APTUpdateInfo {
     pub section: String,
     /// URL under which the package's changelog can be retrieved
     pub change_log_url: String,
+    /// Custom extra field for additional package information
+    #[serde(skip_serializing_if="Option::is_none")]
+    pub extra_info: Option<String>,
 }
 
 #[api()]

src/backup/backup_info.rs

@@ -327,26 +327,20 @@ impl BackupInfo {
         Ok(files)
     }
 
-    pub fn list_backups(base_path: &Path) -> Result<Vec<BackupInfo>, Error> {
+    pub fn list_backup_groups(base_path: &Path) -> Result<Vec<BackupGroup>, Error> {
         let mut list = Vec::new();
 
         tools::scandir(libc::AT_FDCWD, base_path, &BACKUP_TYPE_REGEX, |l0_fd, backup_type, file_type| {
             if file_type != nix::dir::Type::Directory { return Ok(()); }
-            tools::scandir(l0_fd, backup_type, &BACKUP_ID_REGEX, |l1_fd, backup_id, file_type| {
+            tools::scandir(l0_fd, backup_type, &BACKUP_ID_REGEX, |_, backup_id, file_type| {
-                if file_type != nix::dir::Type::Directory { return Ok(()); }
-                tools::scandir(l1_fd, backup_id, &BACKUP_DATE_REGEX, |l2_fd, backup_time_string, file_type| {
                 if file_type != nix::dir::Type::Directory { return Ok(()); }
 
-                    let backup_dir = BackupDir::with_rfc3339(backup_type, backup_id, backup_time_string)?;
+                list.push(BackupGroup::new(backup_type, backup_id));
-
-                    let files = list_backup_files(l2_fd, backup_time_string)?;
-
-                    list.push(BackupInfo { backup_dir, files });
 
                 Ok(())
             })
-            })
         })?;
+
         Ok(list)
     }
 

src/backup/chunk_store.rs

@@ -154,9 +154,11 @@ impl ChunkStore {
     }
 
     pub fn cond_touch_chunk(&self, digest: &[u8; 32], fail_if_not_exist: bool) -> Result<bool, Error> {
-
         let (chunk_path, _digest_str) = self.chunk_path(digest);
+        self.cond_touch_path(&chunk_path, fail_if_not_exist)
+    }
 
+    pub fn cond_touch_path(&self, path: &Path, fail_if_not_exist: bool) -> Result<bool, Error> {
         const UTIME_NOW: i64 = (1 << 30) - 1;
         const UTIME_OMIT: i64 = (1 << 30) - 2;
 
@@ -167,7 +169,7 @@ impl ChunkStore {
 
         use nix::NixPath;
 
-        let res = chunk_path.with_nix_path(|cstr| unsafe {
+        let res = path.with_nix_path(|cstr| unsafe {
             let tmp = libc::utimensat(-1, cstr.as_ptr(), &times[0], libc::AT_SYMLINK_NOFOLLOW);
             nix::errno::Errno::result(tmp)
         })?;
@@ -177,7 +179,7 @@ impl ChunkStore {
                 return Ok(false);
             }
 
-            bail!("update atime failed for chunk {:?} - {}", chunk_path, err);
+            bail!("update atime failed for chunk/file {:?} - {}", path, err);
         }
 
         Ok(true)
@@ -328,49 +330,13 @@ impl ChunkStore {
             let lock = self.mutex.lock();
 
             if let Ok(stat) = fstatat(dirfd, filename, nix::fcntl::AtFlags::AT_SYMLINK_NOFOLLOW) {
-                if bad {
+                if stat.st_atime < min_atime {
-                    // filename validity checked in iterator
-                    let orig_filename = std::ffi::CString::new(&filename.to_bytes()[..64])?;
-                    match fstatat(
-                        dirfd,
-                        orig_filename.as_c_str(),
-                        nix::fcntl::AtFlags::AT_SYMLINK_NOFOLLOW)
-                    {
-                        Ok(_) => {
-                            match unlinkat(Some(dirfd), filename, UnlinkatFlags::NoRemoveDir) {
-                                Err(err) =>
-                                    crate::task_warn!(
-                                        worker,
-                                        "unlinking corrupt chunk {:?} failed on store '{}' - {}",
-                                        filename,
-                                        self.name,
-                                        err,
-                                    ),
-                                Ok(_) => {
-                                    status.removed_bad += 1;
-                                    status.removed_bytes += stat.st_size as u64;
-                                }
-                            }
-                        },
-                        Err(nix::Error::Sys(nix::errno::Errno::ENOENT)) => {
-                            // chunk hasn't been rewritten yet, keep .bad file
-                            status.still_bad += 1;
-                        },
-                        Err(err) => {
-                            // some other error, warn user and keep .bad file around too
-                            status.still_bad += 1;
-                            crate::task_warn!(
-                                worker,
-                                "error during stat on '{:?}' - {}",
-                                orig_filename,
-                                err,
-                            );
-                        }
-                    }
-                } else if stat.st_atime < min_atime {
                     //let age = now - stat.st_atime;
                     //println!("UNLINK {}  {:?}", age/(3600*24), filename);
                     if let Err(err) = unlinkat(Some(dirfd), filename, UnlinkatFlags::NoRemoveDir) {
+                        if bad {
+                            status.still_bad += 1;
+                        }
                         bail!(
                             "unlinking chunk {:?} failed on store '{}' - {}",
                             filename,
@@ -378,13 +344,23 @@ impl ChunkStore {
                             err,
                         );
                     }
+                    if bad {
+                        status.removed_bad += 1;
+                    } else {
                         status.removed_chunks += 1;
+                    }
                     status.removed_bytes += stat.st_size as u64;
                 } else if stat.st_atime < oldest_writer {
+                    if bad {
+                        status.still_bad += 1;
+                    } else {
                         status.pending_chunks += 1;
+                    }
                     status.pending_bytes += stat.st_size as u64;
                 } else {
+                    if !bad {
                         status.disk_chunks += 1;
+                    }
                     status.disk_bytes += stat.st_size as u64;
                 }
             }

src/backup/crypt_config.rs

@@ -7,6 +7,8 @@
 //! encryption](https://en.wikipedia.org/wiki/Authenticated_encryption)
 //! for a short introduction.
 
+use std::fmt;
+use std::fmt::Display;
 use std::io::Write;
 
 use anyhow::{bail, Error};
@@ -15,8 +17,15 @@ use openssl::pkcs5::pbkdf2_hmac;
 use openssl::symm::{decrypt_aead, Cipher, Crypter, Mode};
 use serde::{Deserialize, Serialize};
 
+use crate::tools::format::{as_fingerprint, bytes_as_fingerprint};
+
 use proxmox::api::api;
 
+// openssl::sha::sha256(b"Proxmox Backup Encryption Key Fingerprint")
+const FINGERPRINT_INPUT: [u8; 32] = [ 110, 208, 239, 119,  71,  31, 255,  77,
+                                       85, 199, 168, 254,  74, 157, 182,  33,
+                                       97,  64, 127,  19,  76, 114,  93, 223,
+                                       48, 153,  45,  37, 236,  69, 237,  38, ];
 #[api(default: "encrypt")]
 #[derive(Copy, Clone, Debug, Eq, PartialEq, Deserialize, Serialize)]
 #[serde(rename_all = "kebab-case")]
@@ -30,6 +39,21 @@ pub enum CryptMode {
     SignOnly,
 }
 
+#[derive(Debug, Eq, PartialEq, Deserialize, Serialize)]
+#[serde(transparent)]
+/// 32-byte fingerprint, usually calculated with SHA256.
+pub struct Fingerprint {
+    #[serde(with = "bytes_as_fingerprint")]
+    bytes: [u8; 32],
+}
+
+/// Display as short key ID
+impl Display for Fingerprint {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "{}", as_fingerprint(&self.bytes[0..8]))
+    }
+}
+
 /// Encryption Configuration with secret key
 ///
 /// This structure stores the secret key and provides helpers for
@@ -101,6 +125,12 @@ impl CryptConfig {
         tag
     }
 
+    pub fn fingerprint(&self) -> Fingerprint {
+        Fingerprint {
+            bytes: self.compute_digest(&FINGERPRINT_INPUT)
+        }
+    }
+
     pub fn data_crypter(&self, iv: &[u8; 16], mode: Mode) -> Result<Crypter, Error>  {
         let mut crypter = openssl::symm::Crypter::new(self.cipher, mode, &self.enc_key, Some(iv))?;
         crypter.aad_update(b"")?; //??
@@ -219,7 +249,13 @@ impl CryptConfig {
     ) -> Result<Vec<u8>, Error> {
 
         let modified = proxmox::tools::time::epoch_i64();
-        let key_config = super::KeyConfig { kdf: None, created, modified, data: self.enc_key.to_vec() };
+        let key_config = super::KeyConfig {
+            kdf: None,
+            created,
+            modified,
+            data: self.enc_key.to_vec(),
+            fingerprint: Some(self.fingerprint()),
+        };
         let data = serde_json::to_string(&key_config)?.as_bytes().to_vec();
 
         let mut buffer = vec![0u8; rsa.size() as usize];

src/backup/datastore.rs

@@ -446,6 +446,17 @@ impl DataStore {
                     file_name,
                     err,
                 );
+
+                // touch any corresponding .bad files to keep them around, meaning if a chunk is
+                // rewritten correctly they will be removed automatically, as well as if no index
+                // file requires the chunk anymore (won't get to this loop then)
+                for i in 0..=9 {
+                    let bad_ext = format!("{}.bad", i);
+                    let mut bad_path = PathBuf::new();
+                    bad_path.push(self.chunk_path(digest).0);
+                    bad_path.set_extension(bad_ext);
+                    self.chunk_store.cond_touch_path(&bad_path, false)?;
+                }
             }
         }
         Ok(())

src/backup/dynamic_index.rs

@@ -219,7 +219,6 @@ impl IndexFile for DynamicIndexReader {
         (csum, chunk_end)
     }
 
-    #[allow(clippy::cast_ptr_alignment)]
     fn chunk_info(&self, pos: usize) -> Option<ChunkReadInfo> {
         if pos >= self.index.len() {
             return None;

src/backup/key_derivation.rs

@@ -2,9 +2,34 @@ use anyhow::{bail, format_err, Context, Error};
 
 use serde::{Deserialize, Serialize};
 
+use crate::backup::{CryptConfig, Fingerprint};
+
+use proxmox::api::api;
 use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions};
 use proxmox::try_block;
 
+#[api(default: "scrypt")]
+#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
+#[serde(rename_all = "lowercase")]
+/// Key derivation function for password protected encryption keys.
+pub enum Kdf {
+    /// Do not encrypt the key.
+    None,
+
+    /// Encrypt they key with a password using SCrypt.
+    Scrypt,
+
+    /// Encrtypt the Key with a password using PBKDF2
+    PBKDF2,
+}
+
+impl Default for Kdf {
+    #[inline]
+    fn default() -> Self {
+        Kdf::Scrypt
+    }
+}
+
 #[derive(Deserialize, Serialize, Debug)]
 pub enum KeyDerivationConfig {
     Scrypt {
@@ -66,6 +91,9 @@ pub struct KeyConfig {
     pub modified: i64,
     #[serde(with = "proxmox::tools::serde::bytes_as_base64")]
     pub data: Vec<u8>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    #[serde(default)]
+    pub fingerprint: Option<Fingerprint>,
  }
 
 pub fn store_key_config(
@@ -103,15 +131,25 @@ pub fn store_key_config(
 pub fn encrypt_key_with_passphrase(
     raw_key: &[u8],
     passphrase: &[u8],
+    kdf: Kdf,
 ) -> Result<KeyConfig, Error> {
 
     let salt = proxmox::sys::linux::random_data(32)?;
 
-    let kdf = KeyDerivationConfig::Scrypt {
+    let kdf = match kdf {
+        Kdf::Scrypt => KeyDerivationConfig::Scrypt {
             n: 65536,
             r: 8,
             p: 1,
             salt,
+        },
+        Kdf::PBKDF2 => KeyDerivationConfig::PBKDF2 {
+            iter: 65535,
+            salt,
+        },
+        Kdf::None => {
+            bail!("No key derivation function specified");
+        }
     };
 
     let derived_key = kdf.derive_key(passphrase)?;
@@ -142,28 +180,22 @@ pub fn encrypt_key_with_passphrase(
         created,
         modified: created,
         data: enc_data,
+        fingerprint: None,
     })
 }
 
 pub fn load_and_decrypt_key(
     path: &std::path::Path,
     passphrase: &dyn Fn() -> Result<Vec<u8>, Error>,
-) -> Result<([u8;32], i64), Error> {
+) -> Result<([u8;32], i64, Fingerprint), Error> {
-    do_load_and_decrypt_key(path, passphrase)
-        .with_context(|| format!("failed to load decryption key from {:?}", path))
-}
-
-fn do_load_and_decrypt_key(
-    path: &std::path::Path,
-    passphrase: &dyn Fn() -> Result<Vec<u8>, Error>,
-) -> Result<([u8;32], i64), Error> {
     decrypt_key(&file_get_contents(&path)?, passphrase)
+        .with_context(|| format!("failed to load decryption key from {:?}", path))
 }
 
 pub fn decrypt_key(
     mut keydata: &[u8],
     passphrase: &dyn Fn() -> Result<Vec<u8>, Error>,
-) -> Result<([u8;32], i64), Error> {
+) -> Result<([u8;32], i64, Fingerprint), Error> {
     let key_config: KeyConfig = serde_json::from_reader(&mut keydata)?;
 
     let raw_data = key_config.data;
@@ -203,5 +235,13 @@ pub fn decrypt_key(
     let mut result = [0u8; 32];
     result.copy_from_slice(&key);
 
-    Ok((result, created))
+    let fingerprint = match key_config.fingerprint {
+        Some(fingerprint) => fingerprint,
+        None => {
+            let crypt_config = CryptConfig::new(result.clone())?;
+            crypt_config.fingerprint()
+        },
+    };
+
+    Ok((result, created, fingerprint))
 }

src/backup/manifest.rs

@@ -5,7 +5,7 @@ use std::path::Path;
 use serde_json::{json, Value};
 use ::serde::{Deserialize, Serialize};
 
-use crate::backup::{BackupDir, CryptMode, CryptConfig};
+use crate::backup::{BackupDir, CryptMode, CryptConfig, Fingerprint};
 
 pub const MANIFEST_BLOB_NAME: &str = "index.json.blob";
 pub const MANIFEST_LOCK_NAME: &str = ".index.json.lck";
@@ -223,12 +223,48 @@ impl BackupManifest {
         if let Some(crypt_config) = crypt_config {
             let sig = self.signature(crypt_config)?;
             manifest["signature"] = proxmox::tools::digest_to_hex(&sig).into();
+            let fingerprint = &crypt_config.fingerprint();
+            manifest["unprotected"]["key-fingerprint"] = serde_json::to_value(fingerprint)?;
         }
 
         let manifest = serde_json::to_string_pretty(&manifest).unwrap().into();
         Ok(manifest)
     }
 
+    pub fn fingerprint(&self) -> Result<Option<Fingerprint>, Error> {
+        match &self.unprotected["key-fingerprint"] {
+            Value::Null => Ok(None),
+            value => Ok(Some(serde_json::from_value(value.clone())?))
+        }
+    }
+
+    /// Checks if a BackupManifest and a CryptConfig share a valid fingerprint combination.
+    ///
+    /// An unsigned manifest is valid with any or no CryptConfig.
+    /// A signed manifest is only valid with a matching CryptConfig.
+    pub fn check_fingerprint(&self, crypt_config: Option<&CryptConfig>) -> Result<(), Error> {
+        if let Some(fingerprint) = self.fingerprint()? {
+            match crypt_config {
+                None => bail!(
+                    "missing key - manifest was created with key {}",
+                    fingerprint,
+                ),
+                Some(crypt_config) => {
+                    let config_fp = crypt_config.fingerprint();
+                    if config_fp != fingerprint {
+                        bail!(
+                            "wrong key - manifest's key {} does not match provided key {}",
+                            fingerprint,
+                            config_fp
+                        );
+                    }
+                }
+            }
+        };
+
+        Ok(())
+    }
+
     /// Try to read the manifest. This verifies the signature if there is a crypt_config.
     pub fn from_data(data: &[u8], crypt_config: Option<&CryptConfig>) -> Result<BackupManifest, Error> {
         let json: Value = serde_json::from_slice(data)?;
@@ -237,6 +273,19 @@ impl BackupManifest {
         if let Some(ref crypt_config) = crypt_config {
             if let Some(signature) = signature {
                 let expected_signature = proxmox::tools::digest_to_hex(&Self::json_signature(&json, crypt_config)?);
+
+                let fingerprint = &json["unprotected"]["key-fingerprint"];
+                if fingerprint != &Value::Null {
+                    let fingerprint = serde_json::from_value(fingerprint.clone())?;
+                    let config_fp = crypt_config.fingerprint();
+                    if config_fp != fingerprint {
+                        bail!(
+                            "wrong key - unable to verify signature since manifest's key {} does not match provided key {}",
+                            fingerprint,
+                            config_fp
+                        );
+                    }
+                }
                 if signature != expected_signature {
                     bail!("wrong signature in manifest");
                 }

src/backup/verify.rs

@@ -498,28 +498,38 @@ pub fn verify_all_backups(
 ) -> Result<Vec<String>, Error> {
     let mut errors = Vec::new();
 
+    task_log!(worker, "verify datastore {}", datastore.name());
+
     if let Some(owner) = &owner {
-        task_log!(
+        task_log!(worker, "limiting to backups owned by {}", owner);
-            worker,
-            "verify datastore {} - limiting to backups owned by {}",
-            datastore.name(),
-            owner
-        );
     }
 
     let filter_by_owner = |group: &BackupGroup| {
-        if let Some(owner) = &owner {
+        match (datastore.get_owner(group), &owner) {
-            match datastore.get_owner(group) {
+            (Ok(ref group_owner), Some(owner)) => {
-                Ok(ref group_owner) => {
                 group_owner == owner
                     || (group_owner.is_token()
                         && !owner.is_token()
                         && group_owner.user() == owner.user())
             },
-                Err(_) => false,
+            (Ok(_), None) => true,
-            }
+            (Err(err), Some(_)) => {
-        } else {
+                // intentionally not in task log
+                // the task user might not be allowed to see this group!
+                println!("Failed to get owner of group '{}' - {}", group, err);
+                false
+            },
+            (Err(err), None) => {
+                // we don't filter by owner, but we want to log the error
+                task_log!(
+                    worker,
+                    "Failed to get owner of group '{} - {}",
+                    group,
+                    err,
+                );
+                errors.push(group.to_string());
                 true
+            },
         }
     };
 
@@ -532,8 +542,7 @@ pub fn verify_all_backups(
         Err(err) => {
             task_log!(
                 worker,
-                "verify datastore {} - unable to list backups: {}",
+                "unable to list backups: {}",
-                datastore.name(),
                 err,
             );
             return Ok(errors);
@@ -553,7 +562,7 @@ pub fn verify_all_backups(
     // start with 64 chunks since we assume there are few corrupt ones
     let corrupt_chunks = Arc::new(Mutex::new(HashSet::with_capacity(64)));
 
-    task_log!(worker, "verify datastore {} ({} snapshots)", datastore.name(), snapshot_count);
+    task_log!(worker, "found {} snapshots", snapshot_count);
 
     let mut done = 0;
     for group in list {

src/bin/proxmox-backup-api.rs

@@ -76,6 +76,7 @@ async fn run() -> Result<(), Error> {
                 })
             )
         },
+        "proxmox-backup.service",
     );
 
     server::write_pid(buildcfg::PROXMOX_BACKUP_API_PID_FN)?;

src/bin/proxmox-backup-client.rs

@@ -193,8 +193,12 @@ pub fn complete_repository(_arg: &str, _param: &HashMap<String, String>) -> Vec<
     result
 }
 
-fn connect(server: &str, port: u16, auth_id: &Authid) -> Result<HttpClient, Error> {
+fn connect(repo: &BackupRepository) -> Result<HttpClient, Error> {
+    connect_do(repo.host(), repo.port(), repo.auth_id())
+        .map_err(|err| format_err!("error building client for repository {} - {}", repo, err))
+}
 
+fn connect_do(server: &str, port: u16, auth_id: &Authid) -> Result<HttpClient, Error> {
     let fingerprint = std::env::var(ENV_VAR_PBS_FINGERPRINT).ok();
 
     use std::env::VarError::*;
@@ -366,7 +370,7 @@ async fn list_backup_groups(param: Value) -> Result<Value, Error> {
 
     let repo = extract_repository_from_value(&param)?;
 
-    let client = connect(repo.host(), repo.port(), repo.auth_id())?;
+    let client = connect(&repo)?;
 
     let path = format!("api2/json/admin/datastore/{}/groups", repo.store());
 
@@ -435,7 +439,7 @@ async fn change_backup_owner(group: String, mut param: Value) -> Result<(), Erro
 
     let repo = extract_repository_from_value(&param)?;
 
-    let mut client = connect(repo.host(), repo.port(), repo.auth_id())?;
+    let mut client = connect(&repo)?;
 
     param.as_object_mut().unwrap().remove("repository");
 
@@ -478,7 +482,7 @@ async fn list_snapshots(param: Value) -> Result<Value, Error> {
 
     let output_format = get_output_format(&param);
 
-    let client = connect(repo.host(), repo.port(), repo.auth_id())?;
+    let client = connect(&repo)?;
 
     let group: Option<BackupGroup> = if let Some(path) = param["group"].as_str() {
         Some(path.parse()?)
@@ -543,7 +547,7 @@ async fn forget_snapshots(param: Value) -> Result<Value, Error> {
     let path = tools::required_string_param(&param, "snapshot")?;
     let snapshot: BackupDir = path.parse()?;
 
-    let mut client = connect(repo.host(), repo.port(), repo.auth_id())?;
+    let mut client = connect(&repo)?;
 
     let path = format!("api2/json/admin/datastore/{}/snapshots", repo.store());
 
@@ -573,7 +577,7 @@ async fn api_login(param: Value) -> Result<Value, Error> {
 
     let repo = extract_repository_from_value(&param)?;
 
-    let client = connect(repo.host(), repo.port(), repo.auth_id())?;
+    let client = connect(&repo)?;
     client.login().await?;
 
     record_repository(&repo);
@@ -630,7 +634,7 @@ async fn api_version(param: Value) -> Result<(), Error> {
 
     let repo = extract_repository_from_value(&param);
     if let Ok(repo) = repo {
-        let client = connect(repo.host(), repo.port(), repo.auth_id())?;
+        let client = connect(&repo)?;
 
         match client.get("api2/json/version", None).await {
             Ok(mut result) => version_info["server"] = result["data"].take(),
@@ -680,7 +684,7 @@ async fn list_snapshot_files(param: Value) -> Result<Value, Error> {
 
     let output_format = get_output_format(&param);
 
-    let client = connect(repo.host(), repo.port(), repo.auth_id())?;
+    let client = connect(&repo)?;
 
     let path = format!("api2/json/admin/datastore/{}/files", repo.store());
 
@@ -724,7 +728,7 @@ async fn start_garbage_collection(param: Value) -> Result<Value, Error> {
 
     let output_format = get_output_format(&param);
 
-    let mut client = connect(repo.host(), repo.port(), repo.auth_id())?;
+    let mut client = connect(&repo)?;
 
     let path = format!("api2/json/admin/datastore/{}/gc", repo.store());
 
@@ -798,7 +802,10 @@ fn keyfile_parameters(param: &Value) -> Result<(Option<Vec<u8>>, CryptMode), Err
     let keydata = match (keyfile, key_fd) {
         (None, None) => None,
         (Some(_), Some(_)) => bail!("--keyfile and --keyfd are mutually exclusive"),
-        (Some(keyfile), None) => Some(file_get_contents(keyfile)?),
+        (Some(keyfile), None) => {
+            println!("Using encryption key file: {}", keyfile);
+            Some(file_get_contents(keyfile)?)
+        },
         (None, Some(fd)) => {
             let input = unsafe { std::fs::File::from_raw_fd(fd) };
             let mut data = Vec::new();
@@ -806,6 +813,7 @@ fn keyfile_parameters(param: &Value) -> Result<(Option<Vec<u8>>, CryptMode), Err
                 .map_err(|err| {
                     format_err!("error reading encryption key from fd {}: {}", fd, err)
                 })?;
+            println!("Using encryption key from file descriptor");
             Some(data)
         }
     };
@@ -813,7 +821,10 @@ fn keyfile_parameters(param: &Value) -> Result<(Option<Vec<u8>>, CryptMode), Err
     Ok(match (keydata, crypt_mode) {
         // no parameters:
         (None, None) => match key::read_optional_default_encryption_key()? {
-            Some(key) => (Some(key), CryptMode::Encrypt),
+            Some(key) => {
+                println!("Encrypting with default encryption key!");
+                (Some(key), CryptMode::Encrypt)
+            },
             None => (None, CryptMode::None),
         },
 
@@ -823,7 +834,10 @@ fn keyfile_parameters(param: &Value) -> Result<(Option<Vec<u8>>, CryptMode), Err
         // just --crypt-mode other than none
         (None, Some(crypt_mode)) => match key::read_optional_default_encryption_key()? {
             None => bail!("--crypt-mode without --keyfile and no default key file available"),
-            Some(key) => (Some(key), crypt_mode),
+            Some(key) => {
+                println!("Encrypting with default encryption key!");
+                (Some(key), crypt_mode)
+            },
         }
 
         // just --keyfile
@@ -861,6 +875,11 @@ fn keyfile_parameters(param: &Value) -> Result<(Option<Vec<u8>>, CryptMode), Err
                    description: "Path to file.",
                }
            },
+           "all-file-systems": {
+               type: Boolean,
+               description: "Include all mounted subdirectories.",
+               optional: true,
+           },
            keyfile: {
                schema: KEYFILE_SCHEMA,
                optional: true,
@@ -1036,7 +1055,7 @@ async fn create_backup(
 
     let backup_time = backup_time_opt.unwrap_or_else(|| epoch_i64());
 
-    let client = connect(repo.host(), repo.port(), repo.auth_id())?;
+    let client = connect(&repo)?;
     record_repository(&repo);
 
     println!("Starting backup: {}/{}/{}", backup_type, backup_id, BackupDir::backup_time_to_string(backup_time)?);
@@ -1050,7 +1069,8 @@ async fn create_backup(
     let (crypt_config, rsa_encrypted_key) = match keydata {
         None => (None, None),
         Some(key) => {
-            let (key, created) = decrypt_key(&key, &key::get_encryption_key_password)?;
+            let (key, created, fingerprint) = decrypt_key(&key, &key::get_encryption_key_password)?;
+            println!("Encryption key fingerprint: {}", fingerprint);
 
             let crypt_config = CryptConfig::new(key)?;
 
@@ -1059,6 +1079,8 @@ async fn create_backup(
                     let pem_data = file_get_contents(path)?;
                     let rsa = openssl::rsa::Rsa::public_key_from_pem(&pem_data)?;
                     let enc_key = crypt_config.generate_rsa_encoded_key(rsa, created)?;
+                    println!("Master key '{:?}'", path);
+
                     (Some(Arc::new(crypt_config)), Some(enc_key))
                 }
                 _ => (Some(Arc::new(crypt_config)), None),
@@ -1077,8 +1099,40 @@ async fn create_backup(
         false
     ).await?;
 
-    let previous_manifest = if let Ok(previous_manifest) = client.download_previous_manifest().await {
+    let download_previous_manifest = match client.previous_backup_time().await {
-        Some(Arc::new(previous_manifest))
+        Ok(Some(backup_time)) => {
+            println!(
+                "Downloading previous manifest ({})",
+                strftime_local("%c", backup_time)?
+            );
+            true
+        }
+        Ok(None) => {
+            println!("No previous manifest available.");
+            false
+        }
+        Err(_) => {
+            // Fallback for outdated server, TODO remove/bubble up with 2.0
+            true
+        }
+    };
+
+    let previous_manifest = if download_previous_manifest {
+        match client.download_previous_manifest().await {
+            Ok(previous_manifest) => {
+                match previous_manifest.check_fingerprint(crypt_config.as_ref().map(Arc::as_ref)) {
+                    Ok(()) => Some(Arc::new(previous_manifest)),
+                    Err(err) => {
+                        println!("Couldn't re-use previous manifest - {}", err);
+                        None
+                    }
+                }
+            }
+            Err(err) => {
+                println!("Couldn't download previous manifest - {}", err);
+                None
+            }
+        }
     } else {
         None
     };
@@ -1339,7 +1393,7 @@ async fn restore(param: Value) -> Result<Value, Error> {
 
     let archive_name = tools::required_string_param(&param, "archive-name")?;
 
-    let client = connect(repo.host(), repo.port(), repo.auth_id())?;
+    let client = connect(&repo)?;
 
     record_repository(&repo);
 
@@ -1361,7 +1415,8 @@ async fn restore(param: Value) -> Result<Value, Error> {
     let crypt_config = match keydata {
         None => None,
         Some(key) => {
-            let (key, _) = decrypt_key(&key, &key::get_encryption_key_password)?;
+            let (key, _, fingerprint) = decrypt_key(&key, &key::get_encryption_key_password)?;
+            println!("Encryption key fingerprint: '{}'", fingerprint);
             Some(Arc::new(CryptConfig::new(key)?))
         }
     };
@@ -1377,6 +1432,7 @@ async fn restore(param: Value) -> Result<Value, Error> {
     ).await?;
 
     let (manifest, backup_index_data) = client.download_manifest().await?;
+    manifest.check_fingerprint(crypt_config.as_ref().map(Arc::as_ref))?;
 
     let (archive_name, archive_type) = parse_archive_type(archive_name);
 
@@ -1512,14 +1568,14 @@ async fn upload_log(param: Value) -> Result<Value, Error> {
     let snapshot = tools::required_string_param(&param, "snapshot")?;
     let snapshot: BackupDir = snapshot.parse()?;
 
-    let mut client = connect(repo.host(), repo.port(), repo.auth_id())?;
+    let mut client = connect(&repo)?;
 
     let (keydata, crypt_mode) = keyfile_parameters(&param)?;
 
     let crypt_config = match keydata {
         None => None,
         Some(key) => {
-            let (key, _created) = decrypt_key(&key, &key::get_encryption_key_password)?;
+            let (key, _created, _) = decrypt_key(&key, &key::get_encryption_key_password)?;
             let crypt_config = CryptConfig::new(key)?;
             Some(Arc::new(crypt_config))
         }
@@ -1583,7 +1639,7 @@ fn prune<'a>(
 async fn prune_async(mut param: Value) -> Result<Value, Error> {
     let repo = extract_repository_from_value(&param)?;
 
-    let mut client = connect(repo.host(), repo.port(), repo.auth_id())?;
+    let mut client = connect(&repo)?;
 
     let path = format!("api2/json/admin/datastore/{}/prune", repo.store());
 
@@ -1669,7 +1725,7 @@ async fn status(param: Value) -> Result<Value, Error> {
 
     let output_format = get_output_format(&param);
 
-    let client = connect(repo.host(), repo.port(), repo.auth_id())?;
+    let client = connect(&repo)?;
 
     let path = format!("api2/json/admin/datastore/{}/status", repo.store());
 

src/bin/proxmox-backup-manager.rs

@@ -245,7 +245,7 @@ async fn task_stop(param: Value) -> Result<Value, Error> {
 
     let mut client = connect()?;
 
-    let path = format!("api2/json/nodes/localhost/tasks/{}", upid_str);
+    let path = format!("api2/json/nodes/localhost/tasks/{}", tools::percent_encode_component(upid_str));
     let _ = client.delete(&path, None).await?;
 
     Ok(Value::Null)
@@ -363,6 +363,43 @@ async fn report() -> Result<Value, Error> {
     Ok(Value::Null)
 }
 
+#[api(
+    input: {
+        properties: {
+            verbose: {
+                type: Boolean,
+                optional: true,
+                default: false,
+                description: "Output verbose package information. It is ignored if output-format is specified.",
+            },
+            "output-format": {
+                schema: OUTPUT_FORMAT,
+                optional: true,
+            }
+        }
+    }
+)]
+/// List package versions for important Proxmox Backup Server packages.
+async fn get_versions(verbose: bool, param: Value) -> Result<Value, Error> {
+    let output_format = get_output_format(&param);
+
+    let packages = crate::api2::node::apt::get_versions()?;
+    let mut packages = json!(if verbose { &packages[..] } else { &packages[1..2] });
+
+    let options = default_table_format_options()
+        .disable_sort()
+        .noborder(true) // just not helpfull for version info which gets copy pasted often
+        .column(ColumnConfig::new("Package"))
+        .column(ColumnConfig::new("Version"))
+        .column(ColumnConfig::new("ExtraInfo").header("Extra Info"))
+        ;
+    let schema = &crate::api2::node::apt::API_RETURN_SCHEMA_GET_VERSIONS;
+
+    format_and_print_result_full(&mut packages, schema, &output_format, &options);
+
+    Ok(Value::Null)
+}
+
 fn main() {
 
     proxmox_backup::tools::setup_safe_path_env();
@@ -396,6 +433,9 @@ fn main() {
         )
         .insert("report",
             CliCommand::new(&API_METHOD_REPORT)
+        )
+        .insert("versions",
+            CliCommand::new(&API_METHOD_GET_VERSIONS)
         );
 
 

src/bin/proxmox-backup-proxy.rs

@@ -133,6 +133,7 @@ async fn run() -> Result<(), Error> {
                 .map(|_| ())
             )
         },
+        "proxmox-backup-proxy.service",
     );
 
     server::write_pid(buildcfg::PROXMOX_BACKUP_PROXY_PID_FN)?;
@@ -592,9 +593,9 @@ async fn schedule_task_log_rotate() {
                         .ok_or_else(|| format_err!("could not get API auth log file names"))?;
 
                 if logrotate.rotate(max_size, None, Some(max_files))? {
-                    worker.log(format!("API access log was rotated"));
+                    worker.log(format!("API authentication log was rotated"));
                 } else {
-                    worker.log(format!("API access log was not rotated"));
+                    worker.log(format!("API authentication log was not rotated"));
                 }
 
                 Ok(())

src/bin/proxmox_backup_client/benchmark.rs

@@ -151,7 +151,7 @@ pub async fn benchmark(
     let crypt_config = match keyfile {
         None => None,
         Some(path) => {
-            let (key, _) = load_and_decrypt_key(&path, &crate::key::get_encryption_key_password)?;
+            let (key, _, _) = load_and_decrypt_key(&path, &crate::key::get_encryption_key_password)?;
             let crypt_config = CryptConfig::new(key)?;
             Some(Arc::new(crypt_config))
         }
@@ -225,7 +225,7 @@ async fn test_upload_speed(
 
     let backup_time = proxmox::tools::time::epoch_i64();
 
-    let client = connect(repo.host(), repo.port(), repo.auth_id())?;
+    let client = connect(&repo)?;
     record_repository(&repo);
 
     if verbose { eprintln!("Connecting to backup server"); }

src/bin/proxmox_backup_client/catalog.rs

@@ -73,13 +73,13 @@ async fn dump_catalog(param: Value) -> Result<Value, Error> {
     let crypt_config = match keydata {
         None => None,
         Some(key) => {
-            let (key, _created) = decrypt_key(&key, &get_encryption_key_password)?;
+            let (key, _created, _fingerprint) = decrypt_key(&key, &get_encryption_key_password)?;
             let crypt_config = CryptConfig::new(key)?;
             Some(Arc::new(crypt_config))
         }
     };
 
-    let client = connect(repo.host(), repo.port(), repo.auth_id())?;
+    let client = connect(&repo)?;
 
     let client = BackupReader::start(
         client,
@@ -92,6 +92,7 @@ async fn dump_catalog(param: Value) -> Result<Value, Error> {
     ).await?;
 
     let (manifest, _) = client.download_manifest().await?;
+    manifest.check_fingerprint(crypt_config.as_ref().map(Arc::as_ref))?;
 
     let index = client.download_dynamic_index(&manifest, CATALOG_NAME).await?;
 
@@ -153,7 +154,7 @@ async fn dump_catalog(param: Value) -> Result<Value, Error> {
 /// Shell to interactively inspect and restore snapshots.
 async fn catalog_shell(param: Value) -> Result<(), Error> {
     let repo = extract_repository_from_value(&param)?;
-    let client = connect(repo.host(), repo.port(), repo.auth_id())?;
+    let client = connect(&repo)?;
     let path = tools::required_string_param(&param, "snapshot")?;
     let archive_name = tools::required_string_param(&param, "archive-name")?;
 
@@ -170,7 +171,7 @@ async fn catalog_shell(param: Value) -> Result<(), Error> {
     let crypt_config = match keydata {
         None => None,
         Some(key) => {
-            let (key, _created) = decrypt_key(&key, &get_encryption_key_password)?;
+            let (key, _created, _fingerprint) = decrypt_key(&key, &get_encryption_key_password)?;
             let crypt_config = CryptConfig::new(key)?;
             Some(Arc::new(crypt_config))
         }
@@ -199,6 +200,7 @@ async fn catalog_shell(param: Value) -> Result<(), Error> {
         .open("/tmp")?;
 
     let (manifest, _) = client.download_manifest().await?;
+    manifest.check_fingerprint(crypt_config.as_ref().map(Arc::as_ref))?;
 
     let index = client.download_dynamic_index(&manifest, &server_archive_name).await?;
     let most_used = index.find_most_used_chunks(8);

src/bin/proxmox_backup_client/key.rs

@@ -4,14 +4,28 @@ use std::process::{Stdio, Command};
 
 use anyhow::{bail, format_err, Error};
 use serde::{Deserialize, Serialize};
+use serde_json::Value;
 
 use proxmox::api::api;
-use proxmox::api::cli::{CliCommand, CliCommandMap};
+use proxmox::api::cli::{
+    ColumnConfig,
+    CliCommand,
+    CliCommandMap,
+    format_and_print_result_full,
+    get_output_format,
+    OUTPUT_FORMAT,
+};
 use proxmox::sys::linux::tty;
 use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions};
 
 use proxmox_backup::backup::{
-    encrypt_key_with_passphrase, load_and_decrypt_key, store_key_config, KeyConfig,
+    encrypt_key_with_passphrase,
+    load_and_decrypt_key,
+    store_key_config,
+    CryptConfig,
+    Kdf,
+    KeyConfig,
+    KeyDerivationConfig,
 };
 use proxmox_backup::tools;
 
@@ -71,27 +85,6 @@ pub fn get_encryption_key_password() -> Result<Vec<u8>, Error> {
     bail!("no password input mechanism available");
 }
 
-#[api(
-    default: "scrypt",
-)]
-#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-/// Key derivation function for password protected encryption keys.
-pub enum Kdf {
-    /// Do not encrypt the key.
-    None,
-
-    /// Encrypt they key with a password using SCrypt.
-    Scrypt,
-}
-
-impl Default for Kdf {
-    #[inline]
-    fn default() -> Self {
-        Kdf::Scrypt
-    }
-}
-
 #[api(
     input: {
         properties: {
@@ -120,7 +113,10 @@ fn create(kdf: Option<Kdf>, path: Option<String>) -> Result<(), Error> {
 
     let kdf = kdf.unwrap_or_default();
 
-    let key = proxmox::sys::linux::random_data(32)?;
+    let mut key_array = [0u8; 32];
+    proxmox::sys::linux::fill_with_random_data(&mut key_array)?;
+    let crypt_config = CryptConfig::new(key_array.clone())?;
+    let key = key_array.to_vec();
 
     match kdf {
         Kdf::None => {
@@ -134,10 +130,11 @@ fn create(kdf: Option<Kdf>, path: Option<String>) -> Result<(), Error> {
                     created,
                     modified: created,
                     data: key,
+                    fingerprint: Some(crypt_config.fingerprint()),
                 },
             )?;
         }
-        Kdf::Scrypt => {
+        Kdf::Scrypt | Kdf::PBKDF2 => {
             // always read passphrase from tty
             if !tty::stdin_isatty() {
                 bail!("unable to read passphrase - no tty");
@@ -145,7 +142,8 @@ fn create(kdf: Option<Kdf>, path: Option<String>) -> Result<(), Error> {
 
             let password = tty::read_and_verify_password("Encryption Key Password: ")?;
 
-            let key_config = encrypt_key_with_passphrase(&key, &password)?;
+            let mut key_config = encrypt_key_with_passphrase(&key, &password, kdf)?;
+            key_config.fingerprint = Some(crypt_config.fingerprint());
 
             store_key_config(&path, false, key_config)?;
         }
@@ -188,7 +186,7 @@ fn change_passphrase(kdf: Option<Kdf>, path: Option<String>) -> Result<(), Error
         bail!("unable to change passphrase - no tty");
     }
 
-    let (key, created) = load_and_decrypt_key(&path, &get_encryption_key_password)?;
+    let (key, created, fingerprint) = load_and_decrypt_key(&path, &get_encryption_key_password)?;
 
     match kdf {
         Kdf::None => {
@@ -202,14 +200,16 @@ fn change_passphrase(kdf: Option<Kdf>, path: Option<String>) -> Result<(), Error
                     created, // keep original value
                     modified,
                     data: key.to_vec(),
+                    fingerprint: Some(fingerprint),
                 },
             )?;
         }
-        Kdf::Scrypt => {
+        Kdf::Scrypt | Kdf::PBKDF2 => {
             let password = tty::read_and_verify_password("New Password: ")?;
 
-            let mut new_key_config = encrypt_key_with_passphrase(&key, &password)?;
+            let mut new_key_config = encrypt_key_with_passphrase(&key, &password, kdf)?;
             new_key_config.created = created; // keep original value
+            new_key_config.fingerprint = Some(fingerprint);
 
             store_key_config(&path, true, new_key_config)?;
         }
@@ -218,6 +218,91 @@ fn change_passphrase(kdf: Option<Kdf>, path: Option<String>) -> Result<(), Error
     Ok(())
 }
 
+#[api(
+    properties: {
+        kdf: {
+            type: Kdf,
+        },
+    },
+)]
+#[derive(Deserialize, Serialize)]
+/// Encryption Key Information
+struct KeyInfo {
+    /// Path to key
+    path: String,
+    kdf: Kdf,
+    /// Key creation time
+    pub created: i64,
+    /// Key modification time
+    pub modified: i64,
+    /// Key fingerprint
+    pub fingerprint: Option<String>,
+}
+
+#[api(
+    input: {
+        properties: {
+            path: {
+                description: "Key file. Without this the default key's metadata will be shown.",
+                optional: true,
+            },
+            "output-format": {
+                schema: OUTPUT_FORMAT,
+                optional: true,
+            },
+        },
+    },
+)]
+/// Print the encryption key's metadata.
+fn show_key(
+    path: Option<String>,
+    param: Value,
+) -> Result<(), Error> {
+    let path = match path {
+        Some(path) => PathBuf::from(path),
+        None => {
+            let path = find_default_encryption_key()?
+                .ok_or_else(|| {
+                    format_err!("no encryption file provided and no default file found")
+                })?;
+            path
+        }
+    };
+
+
+    let config: KeyConfig = serde_json::from_slice(&file_get_contents(path.clone())?)?;
+
+    let output_format = get_output_format(&param);
+
+    let info = KeyInfo {
+        path: format!("{:?}", path),
+        kdf: match config.kdf {
+            Some(KeyDerivationConfig::PBKDF2 { .. }) => Kdf::PBKDF2,
+            Some(KeyDerivationConfig::Scrypt { .. }) => Kdf::Scrypt,
+            None => Kdf::None,
+        },
+        created: config.created,
+        modified: config.modified,
+        fingerprint:  match config.fingerprint {
+            Some(ref fp) => Some(format!("{}", fp)),
+            None => None,
+        },
+    };
+
+    let options = proxmox::api::cli::default_table_format_options()
+        .column(ColumnConfig::new("path"))
+        .column(ColumnConfig::new("kdf"))
+        .column(ColumnConfig::new("created").renderer(tools::format::render_epoch))
+        .column(ColumnConfig::new("modified").renderer(tools::format::render_epoch))
+        .column(ColumnConfig::new("fingerprint"));
+
+    let schema = &KeyInfo::API_SCHEMA;
+
+    format_and_print_result_full(&mut serde_json::to_value(info)?, schema, &output_format, &options);
+
+    Ok(())
+}
+
 #[api(
     input: {
         properties: {
@@ -313,13 +398,47 @@ fn paper_key(
     };
 
     let data = file_get_contents(&path)?;
-    let data = std::str::from_utf8(&data)?;
+    let data = String::from_utf8(data)?;
+
+    let (data, is_private_key) = if data.starts_with("-----BEGIN ENCRYPTED PRIVATE KEY-----\n") {
+        let lines: Vec<String> = data
+            .lines()
+            .map(|s| s.trim_end())
+            .filter(|s| !s.is_empty())
+            .map(String::from)
+            .collect();
+
+        if !lines[lines.len()-1].starts_with("-----END ENCRYPTED PRIVATE KEY-----") {
+            bail!("unexpected key format");
+        }
+
+        if lines.len() < 20 {
+            bail!("unexpected key format");
+        }
+
+        (lines, true)
+    } else {
+        match serde_json::from_str::<KeyConfig>(&data) {
+            Ok(key_config) => {
+                let lines = serde_json::to_string_pretty(&key_config)?
+                    .lines()
+                    .map(String::from)
+                    .collect();
+
+                (lines, false)
+            },
+            Err(err) => {
+                eprintln!("Couldn't parse '{:?}' as KeyConfig - {}", path, err);
+                bail!("Neither a PEM-formatted private key, nor a PBS key file.");
+            },
+        }
+    };
 
     let format = output_format.unwrap_or(PaperkeyFormat::Html);
 
     match format {
-        PaperkeyFormat::Html => paperkey_html(data, subject),
+        PaperkeyFormat::Html => paperkey_html(&data, subject, is_private_key),
-        PaperkeyFormat::Text => paperkey_text(data, subject),
+        PaperkeyFormat::Text => paperkey_text(&data, subject, is_private_key),
     }
 }
 
@@ -337,6 +456,10 @@ pub fn cli() -> CliCommandMap {
         .arg_param(&["path"])
         .completion_cb("path", tools::complete_file_name);
 
+    let key_show_cmd_def = CliCommand::new(&API_METHOD_SHOW_KEY)
+        .arg_param(&["path"])
+        .completion_cb("path", tools::complete_file_name);
+
     let paper_key_cmd_def = CliCommand::new(&API_METHOD_PAPER_KEY)
         .arg_param(&["path"])
         .completion_cb("path", tools::complete_file_name);
@@ -346,10 +469,11 @@ pub fn cli() -> CliCommandMap {
         .insert("create-master-key", key_create_master_key_cmd_def)
         .insert("import-master-pubkey", key_import_master_pubkey_cmd_def)
         .insert("change-passphrase", key_change_passphrase_cmd_def)
+        .insert("show", key_show_cmd_def)
         .insert("paperkey", paper_key_cmd_def)
 }
 
-fn paperkey_html(data: &str, subject: Option<String>) -> Result<(), Error> {
+fn paperkey_html(lines: &[String], subject: Option<String>, is_private: bool) -> Result<(), Error> {
 
     let img_size_pt = 500;
 
@@ -378,21 +502,7 @@ fn paperkey_html(data: &str, subject: Option<String>) -> Result<(), Error> {
         println!("<p>Subject: {}</p>", subject);
     }
 
-    if data.starts_with("-----BEGIN ENCRYPTED PRIVATE KEY-----\n") {
+    if is_private {
-        let lines: Vec<String> = data.lines()
-            .map(|s| s.trim_end())
-            .filter(|s| !s.is_empty())
-            .map(String::from)
-            .collect();
-
-        if !lines[lines.len()-1].starts_with("-----END ENCRYPTED PRIVATE KEY-----") {
-            bail!("unexpected key format");
-        }
-
-        if lines.len() < 20 {
-            bail!("unexpected key format");
-        }
-
         const BLOCK_SIZE: usize = 20;
         let blocks = (lines.len() + BLOCK_SIZE -1)/BLOCK_SIZE;
 
@@ -413,8 +523,7 @@ fn paperkey_html(data: &str, subject: Option<String>) -> Result<(), Error> {
 
             println!("</p>");
 
-            let data = data.join("\n");
+            let qr_code = generate_qr_code("svg", data)?;
-            let qr_code = generate_qr_code("svg", data.as_bytes())?;
             let qr_code = base64::encode_config(&qr_code, base64::STANDARD_NO_PAD);
 
             println!("<center>");
@@ -430,16 +539,13 @@ fn paperkey_html(data: &str, subject: Option<String>) -> Result<(), Error> {
         return Ok(());
     }
 
-    let key_config: KeyConfig = serde_json::from_str(&data)?;
-    let key_text = serde_json::to_string_pretty(&key_config)?;
-
     println!("<div style=\"page-break-inside: avoid\">");
 
     println!("<p>");
 
     println!("-----BEGIN PROXMOX BACKUP KEY-----");
 
-    for line in key_text.lines() {
+    for line in lines {
         println!("{}", line);
     }
 
@@ -447,7 +553,7 @@ fn paperkey_html(data: &str, subject: Option<String>) -> Result<(), Error> {
 
     println!("</p>");
 
-    let qr_code = generate_qr_code("svg", key_text.as_bytes())?;
+    let qr_code = generate_qr_code("svg", lines)?;
     let qr_code = base64::encode_config(&qr_code, base64::STANDARD_NO_PAD);
 
     println!("<center>");
@@ -464,27 +570,13 @@ fn paperkey_html(data: &str, subject: Option<String>) -> Result<(), Error> {
     Ok(())
 }
 
-fn paperkey_text(data: &str, subject: Option<String>) -> Result<(), Error> {
+fn paperkey_text(lines: &[String], subject: Option<String>, is_private: bool) -> Result<(), Error> {
 
     if let Some(subject) = subject {
         println!("Subject: {}\n", subject);
     }
 
-    if data.starts_with("-----BEGIN ENCRYPTED PRIVATE KEY-----\n") {
+    if is_private {
-        let lines: Vec<String> = data.lines()
-            .map(|s| s.trim_end())
-            .filter(|s| !s.is_empty())
-            .map(String::from)
-            .collect();
-
-        if !lines[lines.len()-1].starts_with("-----END ENCRYPTED PRIVATE KEY-----") {
-            bail!("unexpected key format");
-        }
-
-        if lines.len() < 20 {
-            bail!("unexpected key format");
-        }
-
         const BLOCK_SIZE: usize = 5;
         let blocks = (lines.len() + BLOCK_SIZE -1)/BLOCK_SIZE;
 
@@ -499,8 +591,7 @@ fn paperkey_text(data: &str, subject: Option<String>) -> Result<(), Error> {
             for l in start..end {
                 println!("{:-2}: {}", l, lines[l]);
             }
-            let data = data.join("\n");
+            let qr_code = generate_qr_code("utf8i", data)?;
-            let qr_code = generate_qr_code("utf8i", data.as_bytes())?;
             let qr_code = String::from_utf8(qr_code)
                 .map_err(|_| format_err!("Failed to read qr code (got non-utf8 data)"))?;
             println!("{}", qr_code);
@@ -510,14 +601,13 @@ fn paperkey_text(data: &str, subject: Option<String>) -> Result<(), Error> {
         return Ok(());
     }
 
-    let key_config: KeyConfig = serde_json::from_str(&data)?;
-    let key_text = serde_json::to_string_pretty(&key_config)?;
-
     println!("-----BEGIN PROXMOX BACKUP KEY-----");
-    println!("{}", key_text);
+    for line in lines {
+        println!("{}", line);
+    }
     println!("-----END PROXMOX BACKUP KEY-----");
 
-    let qr_code = generate_qr_code("utf8i", key_text.as_bytes())?;
+    let qr_code = generate_qr_code("utf8i", &lines)?;
     let qr_code = String::from_utf8(qr_code)
         .map_err(|_| format_err!("Failed to read qr code (got non-utf8 data)"))?;
 
@@ -526,8 +616,7 @@ fn paperkey_text(data: &str, subject: Option<String>) -> Result<(), Error> {
     Ok(())
 }
 
-fn generate_qr_code(output_type: &str, data: &[u8]) -> Result<Vec<u8>, Error> {
+fn generate_qr_code(output_type: &str, lines: &[String]) -> Result<Vec<u8>, Error> {
-
     let mut child = Command::new("qrencode")
         .args(&["-t", output_type, "-m0", "-s1", "-lm", "--output", "-"])
         .stdin(Stdio::piped())
@@ -537,7 +626,8 @@ fn generate_qr_code(output_type: &str, data: &[u8]) -> Result<Vec<u8>, Error> {
     {
         let stdin = child.stdin.as_mut()
             .ok_or_else(|| format_err!("Failed to open stdin"))?;
-        stdin.write_all(data)
+        let data = lines.join("\n");
+        stdin.write_all(data.as_bytes())
             .map_err(|_| format_err!("Failed to write to stdin"))?;
     }
 

src/bin/proxmox_backup_client/mount.rs

@@ -163,7 +163,7 @@ fn mount(
 async fn mount_do(param: Value, pipe: Option<RawFd>) -> Result<Value, Error> {
     let repo = extract_repository_from_value(&param)?;
     let archive_name = tools::required_string_param(&param, "archive-name")?;
-    let client = connect(repo.host(), repo.port(), repo.auth_id())?;
+    let client = connect(&repo)?;
 
     let target = param["target"].as_str();
 
@@ -182,7 +182,9 @@ async fn mount_do(param: Value, pipe: Option<RawFd>) -> Result<Value, Error> {
     let crypt_config = match keyfile {
         None => None,
         Some(path) => {
-            let (key, _) = load_and_decrypt_key(&path, &crate::key::get_encryption_key_password)?;
+            println!("Encryption key file: '{:?}'", path);
+            let (key, _, fingerprint) = load_and_decrypt_key(&path, &crate::key::get_encryption_key_password)?;
+            println!("Encryption key fingerprint: '{}'", fingerprint);
             Some(Arc::new(CryptConfig::new(key)?))
         }
     };
@@ -212,6 +214,7 @@ async fn mount_do(param: Value, pipe: Option<RawFd>) -> Result<Value, Error> {
     ).await?;
 
     let (manifest, _) = client.download_manifest().await?;
+    manifest.check_fingerprint(crypt_config.as_ref().map(Arc::as_ref))?;
 
     let file_info = manifest.lookup_file_info(&server_archive_name)?;
 

src/bin/proxmox_backup_client/task.rs

@@ -48,7 +48,7 @@ async fn task_list(param: Value) -> Result<Value, Error> {
     let output_format = get_output_format(&param);
 
     let repo = extract_repository_from_value(&param)?;
-    let client = connect(repo.host(), repo.port(), repo.auth_id())?;
+    let client = connect(&repo)?;
 
     let limit = param["limit"].as_u64().unwrap_or(50) as usize;
     let running = !param["all"].as_bool().unwrap_or(false);
@@ -96,7 +96,7 @@ async fn task_log(param: Value) -> Result<Value, Error> {
     let repo = extract_repository_from_value(&param)?;
     let upid =  tools::required_string_param(&param, "upid")?;
 
-    let client = connect(repo.host(), repo.port(), repo.auth_id())?;
+    let client = connect(&repo)?;
 
     display_task_log(client, upid, true).await?;
 
@@ -122,9 +122,9 @@ async fn task_stop(param: Value) -> Result<Value, Error> {
     let repo = extract_repository_from_value(&param)?;
     let upid_str =  tools::required_string_param(&param, "upid")?;
 
-    let mut client = connect(repo.host(), repo.port(), repo.auth_id())?;
+    let mut client = connect(&repo)?;
 
-    let path = format!("api2/json/nodes/localhost/tasks/{}", upid_str);
+    let path = format!("api2/json/nodes/localhost/tasks/{}", tools::percent_encode_component(upid_str));
     let _ = client.delete(&path, None).await?;
 
     Ok(Value::Null)

src/client/backup_writer.rs

@@ -475,6 +475,13 @@ impl BackupWriter {
         Ok(index)
     }
 
+    /// Retrieve backup time of last backup
+    pub async fn previous_backup_time(&self) -> Result<Option<i64>, Error> {
+        let data = self.h2.get("previous_backup_time", None).await?;
+        serde_json::from_value(data)
+            .map_err(|err| format_err!("Failed to parse backup time value returned by server - {}", err))
+    }
+
     /// Download backup manifest (index.json) of last backup
     pub async fn download_previous_manifest(&self) -> Result<BackupManifest, Error> {
 

src/client/http_client.rs

@@ -534,6 +534,15 @@ impl HttpClient {
         self.request(req).await
     }
 
+    pub async fn put(
+        &mut self,
+        path: &str,
+        data: Option<Value>,
+    ) -> Result<Value, Error> {
+        let req = Self::request_builder(&self.server, self.port, "PUT", path, data)?;
+        self.request(req).await
+    }
+
     pub async fn download(
         &mut self,
         path: &str,

src/client/merge_known_chunks.rs

@@ -3,6 +3,7 @@ use std::task::{Context, Poll};
 
 use anyhow::{Error};
 use futures::*;
+use pin_project::pin_project;
 
 use crate::backup::ChunkInfo;
 
@@ -15,7 +16,9 @@ pub trait MergeKnownChunks: Sized {
     fn merge_known_chunks(self) -> MergeKnownChunksQueue<Self>;
 }
 
+#[pin_project]
 pub struct MergeKnownChunksQueue<S> {
+    #[pin]
     input: S,
     buffer: Option<MergedChunkInfo>,
 }
@@ -39,10 +42,10 @@ where
     type Item = Result<MergedChunkInfo, Error>;
 
     fn poll_next(self: Pin<&mut Self>, cx: &mut Context) -> Poll<Option<Self::Item>> {
-        let this = unsafe { self.get_unchecked_mut() };
+        let mut this = self.project();
 
         loop {
-            match ready!(unsafe { Pin::new_unchecked(&mut this.input) }.poll_next(cx)) {
+            match ready!(this.input.as_mut().poll_next(cx)) {
                 Some(Err(err)) => return Poll::Ready(Some(Err(err))),
                 None => {
                     if let Some(last) = this.buffer.take() {
@@ -58,13 +61,13 @@ where
 
                             match last {
                                 None => {
-                                    this.buffer = Some(MergedChunkInfo::Known(list));
+                                    *this.buffer = Some(MergedChunkInfo::Known(list));
                                     // continue
                                 }
                                 Some(MergedChunkInfo::Known(mut last_list)) => {
                                     last_list.extend_from_slice(&list);
                                     let len = last_list.len();
-                                    this.buffer = Some(MergedChunkInfo::Known(last_list));
+                                    *this.buffer = Some(MergedChunkInfo::Known(last_list));
 
                                     if len >= 64 {
                                         return Poll::Ready(this.buffer.take().map(Ok));
@@ -72,7 +75,7 @@ where
                                     // continue
                                 }
                                 Some(MergedChunkInfo::New(_)) => {
-                                    this.buffer = Some(MergedChunkInfo::Known(list));
+                                    *this.buffer = Some(MergedChunkInfo::Known(list));
                                     return Poll::Ready(last.map(Ok));
                                 }
                             }
@@ -80,7 +83,7 @@ where
                         MergedChunkInfo::New(chunk_info) => {
                             let new = MergedChunkInfo::New(chunk_info);
                             if let Some(last) = this.buffer.take() {
-                                this.buffer = Some(new);
+                                *this.buffer = Some(new);
                                 return Poll::Ready(Some(Ok(last)));
                             } else {
                                 return Poll::Ready(Some(Ok(new)));

src/client/pull.rs

@@ -528,7 +528,16 @@ pub async fn pull_store(
     for (groups_done, item) in list.into_iter().enumerate() {
         let group = BackupGroup::new(&item.backup_type, &item.backup_id);
 
-        let (owner, _lock_guard) = tgt_store.create_locked_backup_group(&group, &auth_id)?;
+        let (owner, _lock_guard) = match tgt_store.create_locked_backup_group(&group, &auth_id) {
+            Ok(result) => result,
+            Err(err) => {
+                worker.log(format!("sync group {}/{} failed - group lock failed: {}",
+                                   item.backup_type, item.backup_id, err));
+                errors = true; // do not stop here, instead continue
+                continue;
+            }
+        };
+
         // permission check
         if auth_id != owner { // only the owner is allowed to create additional snapshots
             worker.log(format!("sync group {}/{} failed - owner check failed ({} != {})",

src/client/task_log.rs

@@ -2,6 +2,7 @@ use anyhow::{bail, Error};
 use serde_json::json;
 
 use super::HttpClient;
+use crate::tools;
 
 pub async fn display_task_log(
     client: HttpClient,
@@ -9,7 +10,7 @@ pub async fn display_task_log(
     strip_date: bool,
 ) -> Result<(), Error> {
 
-    let path = format!("api2/json/nodes/localhost/tasks/{}/log", upid_str);
+    let path = format!("api2/json/nodes/localhost/tasks/{}/log", tools::percent_encode_component(upid_str));
 
     let mut start = 1;
     let limit = 500;

src/config/remote.rs

@@ -44,7 +44,7 @@ pub const REMOTE_PASSWORD_SCHEMA: Schema = StringSchema::new("Password or auth t
             description: "The (optional) port",
             type: u16,
         },
-        userid: {
+        "auth-id": {
             type: Authid,
         },
         password: {
@@ -57,6 +57,7 @@ pub const REMOTE_PASSWORD_SCHEMA: Schema = StringSchema::new("Password or auth t
     }
 )]
 #[derive(Serialize,Deserialize)]
+#[serde(rename_all = "kebab-case")]
 /// Remote properties.
 pub struct Remote {
     pub name: String,
@@ -65,7 +66,7 @@ pub struct Remote {
     pub host: String,
     #[serde(skip_serializing_if="Option::is_none")]
     pub port: Option<u16>,
-    pub userid: Authid,
+    pub auth_id: Authid,
     #[serde(skip_serializing_if="String::is_empty")]
     #[serde(with = "proxmox::tools::serde::string_as_base64")]
     pub password: String,

src/pxar/create.rs

@@ -89,7 +89,21 @@ struct HardLinkInfo {
     st_ino: u64,
 }
 
-/// In case we want to collect them or redirect them we can just add this here:
+/// TODO: make a builder for the create_archive call for fewer parameters and add a method to add a
+/// logger which does not write to stderr.
+struct Logger;
+
+impl std::io::Write for Logger {
+    fn write(&mut self, data: &[u8]) -> io::Result<usize> {
+        std::io::stderr().write(data)
+    }
+
+    fn flush(&mut self) -> io::Result<()> {
+        std::io::stderr().flush()
+    }
+}
+
+/// And the error case.
 struct ErrorReporter;
 
 impl std::io::Write for ErrorReporter {
@@ -116,6 +130,7 @@ struct Archiver<'a, 'b> {
     device_set: Option<HashSet<u64>>,
     hardlinks: HashMap<HardLinkInfo, (PathBuf, LinkOffset)>,
     errors: ErrorReporter,
+    logger: Logger,
     file_copy_buffer: Vec<u8>,
 }
 
@@ -181,6 +196,7 @@ where
         device_set,
         hardlinks: HashMap::new(),
         errors: ErrorReporter,
+        logger: Logger,
         file_copy_buffer: vec::undefined(4 * 1024 * 1024),
     };
 
@@ -221,7 +237,15 @@ impl<'a, 'b> Archiver<'a, 'b> {
         let old_patterns_count = self.patterns.len();
         self.read_pxar_excludes(dir.as_raw_fd())?;
 
-        let file_list = self.generate_directory_file_list(&mut dir, is_root)?;
+        let mut file_list = self.generate_directory_file_list(&mut dir, is_root)?;
+
+        if is_root && old_patterns_count > 0 {
+            file_list.push(FileListEntry {
+                name: CString::new(".pxarexclude-cli").unwrap(),
+                path: PathBuf::new(),
+                stat: unsafe { std::mem::zeroed() },
+            });
+        }
 
         let dir_fd = dir.as_raw_fd();
 
@@ -231,7 +255,7 @@ impl<'a, 'b> Archiver<'a, 'b> {
             let file_name = file_entry.name.to_bytes();
 
             if is_root && file_name == b".pxarexclude-cli" {
-                self.encode_pxarexclude_cli(encoder, &file_entry.name)?;
+                self.encode_pxarexclude_cli(encoder, &file_entry.name, old_patterns_count)?;
                 continue;
             }
 
@@ -363,8 +387,9 @@ impl<'a, 'b> Archiver<'a, 'b> {
         &mut self,
         encoder: &mut Encoder,
         file_name: &CStr,
+        patterns_count: usize,
     ) -> Result<(), Error> {
-        let content = generate_pxar_excludes_cli(&self.patterns);
+        let content = generate_pxar_excludes_cli(&self.patterns[..patterns_count]);
 
         if let Some(ref mut catalog) = self.catalog {
             catalog.add_file(file_name, content.len() as u64, 0)?;
@@ -388,14 +413,6 @@ impl<'a, 'b> Archiver<'a, 'b> {
 
         let mut file_list = Vec::new();
 
-        if is_root && !self.patterns.is_empty() {
-            file_list.push(FileListEntry {
-                name: CString::new(".pxarexclude-cli").unwrap(),
-                path: PathBuf::new(),
-                stat: unsafe { std::mem::zeroed() },
-            });
-        }
-
         for file in dir.iter() {
             let file = file?;
 
@@ -409,10 +426,6 @@ impl<'a, 'b> Archiver<'a, 'b> {
                 continue;
             }
 
-            if file_name_bytes == b".pxarexclude" {
-                continue;
-            }
-
             let os_file_name = OsStr::from_bytes(file_name_bytes);
             assert_single_path_component(os_file_name)?;
             let full_path = self.path.join(os_file_name);
@@ -427,9 +440,10 @@ impl<'a, 'b> Archiver<'a, 'b> {
                 Err(err) => bail!("stat failed on {:?}: {}", full_path, err),
             };
 
+            let match_path = PathBuf::from("/").join(full_path.clone());
             if self
                 .patterns
-                .matches(full_path.as_os_str().as_bytes(), Some(stat.st_mode as u32))
+                .matches(match_path.as_os_str().as_bytes(), Some(stat.st_mode as u32))
                 == Some(MatchType::Exclude)
             {
                 continue;
@@ -632,6 +646,7 @@ impl<'a, 'b> Archiver<'a, 'b> {
         }
 
         let result = if skip_contents {
+            writeln!(self.logger, "skipping mount point: {:?}", self.path)?;
             Ok(())
         } else {
             self.archive_dir_contents(&mut encoder, dir, false)

src/server/email_notifications.rs

@@ -81,7 +81,7 @@ const VERIFY_ERR_TEMPLATE: &str = r###"
 Job ID:    {{job.id}}
 Datastore: {{job.store}}
 
-Verification failed on these snapshots:
+Verification failed on these snapshots/groups:
 
 {{#each errors}}
   {{this~}}

src/server/report.rs

@@ -20,6 +20,7 @@ fn files() -> Vec<&'static str> {
 fn commands() -> Vec<(&'static str, Vec<&'static str>)> {
     vec![
     //  ("<command>", vec![<arg [, arg]>])
+        ("proxmox-backup-manager", vec!["versions", "--verbose"]),
         ("df", vec!["-h"]),
         ("lsblk", vec!["--ascii"]),
         ("zpool", vec!["status"]),
@@ -54,10 +55,10 @@ pub fn generate_report() -> String {
         .map(|file_name| {
             let content = match file_read_optional_string(Path::new(file_name)) {
                 Ok(Some(content)) => content,
-                Ok(None) => String::from("# file does not exists"),
+                Ok(None) => String::from("# file does not exist"),
                 Err(err) => err.to_string(),
             };
-            format!("# cat '{}'\n{}", file_name, content)
+            format!("$ cat '{}'\n{}", file_name, content)
         })
         .collect::<Vec<String>>()
         .join("\n\n");
@@ -73,14 +74,14 @@ pub fn generate_report() -> String {
                 Ok(output) => String::from_utf8_lossy(&output.stdout).to_string(),
                 Err(err) => err.to_string(),
             };
-            format!("# `{} {}`\n{}", command, args.join(" "), output)
+            format!("$ `{} {}`\n{}", command, args.join(" "), output)
         })
         .collect::<Vec<String>>()
         .join("\n\n");
 
     let function_outputs = function_calls()
         .iter()
-        .map(|(desc, function)| format!("# {}\n{}", desc, function()))
+        .map(|(desc, function)| format!("$ {}\n{}", desc, function()))
         .collect::<Vec<String>>()
         .join("\n\n");
 

src/server/rest.rs

@@ -623,6 +623,10 @@ fn check_auth(
                 .ok_or_else(|| format_err!("failed to split API token header"))?;
             let tokenid: Authid = tokenid.parse()?;
 
+            if !user_info.is_active_auth_id(&tokenid) {
+                bail!("user account or token disabled or expired.");
+            }
+
             let tokensecret = parts.next()
                 .ok_or_else(|| format_err!("failed to split API token header"))?;
             let tokensecret = percent_decode_str(tokensecret)

src/server/verify_job.rs

@@ -69,8 +69,15 @@ pub fn do_verification_job(
 
             let result = verify_all_backups(datastore, worker.clone(), worker.upid(), None, Some(&filter));
             let job_result = match result {
-                Ok(ref errors) if errors.is_empty() => Ok(()),
+                Ok(ref failed_dirs) if failed_dirs.is_empty() => Ok(()),
-                Ok(_) => Err(format_err!("verification failed - please check the log for details")),
+                Ok(ref failed_dirs) => {
+                    worker.log("Failed to verify the following snapshots/groups:");
+                    for dir in failed_dirs {
+                        worker.log(format!("\t{}", dir));
+                    }
+
+                    Err(format_err!("verification failed - please check the log for details"))
+                },
                 Err(_) => Err(format_err!("verification failed - job aborted")),
             };
 

src/tools.rs

@@ -5,16 +5,14 @@ use std::any::Any;
 use std::collections::HashMap;
 use std::hash::BuildHasher;
 use std::fs::File;
-use std::io::{self, BufRead, ErrorKind, Read, Seek, SeekFrom};
+use std::io::{self, BufRead, Read, Seek, SeekFrom};
 use std::os::unix::io::RawFd;
 use std::path::Path;
 
 use anyhow::{bail, format_err, Error};
 use serde_json::Value;
 use openssl::hash::{hash, DigestBytes, MessageDigest};
-use percent_encoding::AsciiSet;
+use percent_encoding::{utf8_percent_encode, AsciiSet};
-
-use proxmox::tools::vec;
 
 pub use proxmox::tools::fd::Fd;
 
@@ -25,45 +23,43 @@ pub mod borrow;
 pub mod cert;
 pub mod daemon;
 pub mod disks;
-pub mod fs;
 pub mod format;
-pub mod lru_cache;
+pub mod fs;
-pub mod runtime;
+pub mod fuse_loop;
-pub mod ticket;
+pub mod http;
-pub mod statistics;
-pub mod systemd;
-pub mod nom;
 pub mod logrotate;
 pub mod loopdev;
-pub mod fuse_loop;
+pub mod lru_cache;
+pub mod nom;
+pub mod runtime;
 pub mod socket;
+pub mod statistics;
 pub mod subscription;
+pub mod systemd;
+pub mod ticket;
+pub mod xattr;
 pub mod zip;
-pub mod http;
 
-mod parallel_handler;
+pub mod parallel_handler;
-pub use parallel_handler::*;
+pub use parallel_handler::ParallelHandler;
 
 mod wrapped_reader_stream;
-pub use wrapped_reader_stream::*;
+pub use wrapped_reader_stream::{AsyncReaderStream, StdChannelStream, WrappedReaderStream};
 
 mod async_channel_writer;
-pub use async_channel_writer::*;
+pub use async_channel_writer::AsyncChannelWriter;
-
 
 mod std_channel_writer;
-pub use std_channel_writer::*;
+pub use std_channel_writer::StdChannelWriter;
-
-pub mod xattr;
 
 mod process_locker;
-pub use process_locker::*;
+pub use process_locker::{ProcessLocker, ProcessLockExclusiveGuard, ProcessLockSharedGuard};
 
 mod file_logger;
-pub use file_logger::*;
+pub use file_logger::{FileLogger, FileLogOptions};
 
 mod broadcast_future;
-pub use broadcast_future::*;
+pub use broadcast_future::{BroadcastData, BroadcastFuture};
 
 /// The `BufferedRead` trait provides a single function
 /// `buffered_read`. It returns a reference to an internal buffer. The
@@ -75,76 +71,6 @@ pub trait BufferedRead {
     fn buffered_read(&mut self, offset: u64) -> Result<&[u8], Error>;
 }
 
-/// Split a file into equal sized chunks. The last chunk may be
-/// smaller. Note: We cannot implement an `Iterator`, because iterators
-/// cannot return a borrowed buffer ref (we want zero-copy)
-pub fn file_chunker<C, R>(mut file: R, chunk_size: usize, mut chunk_cb: C) -> Result<(), Error>
-where
-    C: FnMut(usize, &[u8]) -> Result<bool, Error>,
-    R: Read,
-{
-    const READ_BUFFER_SIZE: usize = 4 * 1024 * 1024; // 4M
-
-    if chunk_size > READ_BUFFER_SIZE {
-        bail!("chunk size too large!");
-    }
-
-    let mut buf = vec::undefined(READ_BUFFER_SIZE);
-
-    let mut pos = 0;
-    let mut file_pos = 0;
-    loop {
-        let mut eof = false;
-        let mut tmp = &mut buf[..];
-        // try to read large portions, at least chunk_size
-        while pos < chunk_size {
-            match file.read(tmp) {
-                Ok(0) => {
-                    eof = true;
-                    break;
-                }
-                Ok(n) => {
-                    pos += n;
-                    if pos > chunk_size {
-                        break;
-                    }
-                    tmp = &mut tmp[n..];
-                }
-                Err(ref e) if e.kind() == ErrorKind::Interrupted => { /* try again */ }
-                Err(e) => bail!("read chunk failed - {}", e.to_string()),
-            }
-        }
-        let mut start = 0;
-        while start + chunk_size <= pos {
-            if !(chunk_cb)(file_pos, &buf[start..start + chunk_size])? {
-                break;
-            }
-            file_pos += chunk_size;
-            start += chunk_size;
-        }
-        if eof {
-            if start < pos {
-                (chunk_cb)(file_pos, &buf[start..pos])?;
-                //file_pos += pos - start;
-            }
-            break;
-        } else {
-            let rest = pos - start;
-            if rest > 0 {
-                let ptr = buf.as_mut_ptr();
-                unsafe {
-                    std::ptr::copy_nonoverlapping(ptr.add(start), ptr, rest);
-                }
-                pos = rest;
-            } else {
-                pos = 0;
-            }
-        }
-    }
-
-    Ok(())
-}
-
 pub fn json_object_to_query(data: Value) -> Result<String, Error> {
     let mut query = url::form_urlencoded::Serializer::new(String::new());
 
@@ -363,6 +289,11 @@ pub fn extract_cookie(cookie: &str, cookie_name: &str) -> Option<String> {
     None
 }
 
+/// percent encode a url component
+pub fn percent_encode_component(comp: &str) -> String {
+    utf8_percent_encode(comp, percent_encoding::NON_ALPHANUMERIC).to_string()
+}
+
 pub fn join(data: &Vec<String>, sep: char) -> String {
     let mut list = String::new();
 

src/tools/apt.rs

@@ -128,19 +128,26 @@ fn get_changelog_url(
             None => bail!("incompatible filename, doesn't match regex")
         };
 
+        if component == "pbs-enterprise" {
+            return Ok(format!("https://enterprise.proxmox.com/{}/{}_{}.changelog",
+                              base, package, version));
+        } else {
             return Ok(format!("http://download.proxmox.com/{}/{}_{}.changelog",
                               base, package, version));
         }
+    }
 
     bail!("unknown origin ({}) or component ({})", origin, component)
 }
 
 pub struct FilterData<'a> {
-    // this is version info returned by APT
+    /// package name
+    pub package: &'a str,
+    /// this is version info returned by APT
     pub installed_version: Option<&'a str>,
     pub candidate_version: &'a str,
 
-    // this is the version info the filter is supposed to check
+    /// this is the version info the filter is supposed to check
     pub active_version: &'a str,
 }
 
@@ -270,6 +277,7 @@ where
         let mut long_desc = "".to_owned();
 
         let fd = FilterData {
+            package: package.as_str(),
             installed_version: current_version.as_deref(),
             candidate_version: &candidate_version,
             active_version: &version,
@@ -353,6 +361,7 @@ where
                 },
                 priority: priority_res,
                 section: section_res,
+                extra_info: None,
             });
         }
     }

src/tools/async_io.rs

@@ -16,18 +16,18 @@ pub enum EitherStream<L, R> {
     Right(R),
 }
 
-impl<L: AsyncRead, R: AsyncRead> AsyncRead for EitherStream<L, R> {
+impl<L: AsyncRead + Unpin, R: AsyncRead + Unpin> AsyncRead for EitherStream<L, R> {
     fn poll_read(
         self: Pin<&mut Self>,
         cx: &mut Context,
         buf: &mut [u8],
     ) -> Poll<Result<usize, io::Error>> {
-        match unsafe { self.get_unchecked_mut() } {
+        match self.get_mut() {
             EitherStream::Left(ref mut s) => {
-                unsafe { Pin::new_unchecked(s) }.poll_read(cx, buf)
+                Pin::new(s).poll_read(cx, buf)
             }
             EitherStream::Right(ref mut s) => {
-                unsafe { Pin::new_unchecked(s) }.poll_read(cx, buf)
+                Pin::new(s).poll_read(cx, buf)
             }
         }
     }
@@ -47,51 +47,51 @@ impl<L: AsyncRead, R: AsyncRead> AsyncRead for EitherStream<L, R> {
     where
         B: bytes::BufMut,
     {
-        match unsafe { self.get_unchecked_mut() } {
+        match self.get_mut() {
             EitherStream::Left(ref mut s) => {
-                unsafe { Pin::new_unchecked(s) }.poll_read_buf(cx, buf)
+                Pin::new(s).poll_read_buf(cx, buf)
             }
             EitherStream::Right(ref mut s) => {
-                unsafe { Pin::new_unchecked(s) }.poll_read_buf(cx, buf)
+                Pin::new(s).poll_read_buf(cx, buf)
             }
         }
     }
 }
 
-impl<L: AsyncWrite, R: AsyncWrite> AsyncWrite for EitherStream<L, R> {
+impl<L: AsyncWrite + Unpin, R: AsyncWrite + Unpin> AsyncWrite for EitherStream<L, R> {
     fn poll_write(
         self: Pin<&mut Self>,
         cx: &mut Context,
         buf: &[u8],
     ) -> Poll<Result<usize, io::Error>> {
-        match unsafe { self.get_unchecked_mut() } {
+        match self.get_mut() {
             EitherStream::Left(ref mut s) => {
-                unsafe { Pin::new_unchecked(s) }.poll_write(cx, buf)
+                Pin::new(s).poll_write(cx, buf)
             }
             EitherStream::Right(ref mut s) => {
-                unsafe { Pin::new_unchecked(s) }.poll_write(cx, buf)
+                Pin::new(s).poll_write(cx, buf)
             }
         }
     }
 
     fn poll_flush(self: Pin<&mut Self>, cx: &mut Context) -> Poll<Result<(), io::Error>> {
-        match unsafe { self.get_unchecked_mut() } {
+        match self.get_mut() {
             EitherStream::Left(ref mut s) => {
-                unsafe { Pin::new_unchecked(s) }.poll_flush(cx)
+                Pin::new(s).poll_flush(cx)
             }
             EitherStream::Right(ref mut s) => {
-                unsafe { Pin::new_unchecked(s) }.poll_flush(cx)
+                Pin::new(s).poll_flush(cx)
             }
         }
     }
 
     fn poll_shutdown(self: Pin<&mut Self>, cx: &mut Context) -> Poll<Result<(), io::Error>> {
-        match unsafe { self.get_unchecked_mut() } {
+        match self.get_mut() {
             EitherStream::Left(ref mut s) => {
-                unsafe { Pin::new_unchecked(s) }.poll_shutdown(cx)
+                Pin::new(s).poll_shutdown(cx)
             }
             EitherStream::Right(ref mut s) => {
-                unsafe { Pin::new_unchecked(s) }.poll_shutdown(cx)
+                Pin::new(s).poll_shutdown(cx)
             }
         }
     }
@@ -104,12 +104,12 @@ impl<L: AsyncWrite, R: AsyncWrite> AsyncWrite for EitherStream<L, R> {
     where
         B: bytes::Buf,
     {
-        match unsafe { self.get_unchecked_mut() } {
+        match self.get_mut() {
             EitherStream::Left(ref mut s) => {
-                unsafe { Pin::new_unchecked(s) }.poll_write_buf(cx, buf)
+                Pin::new(s).poll_write_buf(cx, buf)
             }
             EitherStream::Right(ref mut s) => {
-                unsafe { Pin::new_unchecked(s) }.poll_write_buf(cx, buf)
+                Pin::new(s).poll_write_buf(cx, buf)
             }
         }
     }
@@ -180,7 +180,7 @@ pub struct HyperAccept<T>(pub T);
 
 impl<T, I> hyper::server::accept::Accept for HyperAccept<T>
 where
-    T: TryStream<Ok = I>,
+    T: TryStream<Ok = I> + Unpin,
     I: AsyncRead + AsyncWrite,
 {
     type Conn = I;
@@ -190,7 +190,7 @@ where
         self: Pin<&mut Self>,
         cx: &mut Context,
     ) -> Poll<Option<Result<Self::Conn, Self::Error>>> {
-        let this = unsafe { self.map_unchecked_mut(|this| &mut this.0) };
+        let this = Pin::new(&mut self.get_mut().0);
         this.try_poll_next(cx)
     }
 }

src/tools/daemon.rs

@@ -260,6 +260,7 @@ impl Future for NotifyReady {
 pub async fn create_daemon<F, S>(
     address: std::net::SocketAddr,
     create_service: F,
+    service_name: &str,
 ) -> Result<(), Error>
 where
     F: FnOnce(tokio::net::TcpListener, NotifyReady) -> Result<S, Error>,
@@ -301,10 +302,39 @@ where
     if let Some(future) = finish_future {
         future.await;
     }
+
+    // FIXME: this is a hack, replace with sd_notify_barrier when available
+    if server::is_reload_request() {
+        wait_service_is_active(service_name).await?;
+    }
+
     log::info!("daemon shut down...");
     Ok(())
 }
 
+// hack, do not use if unsure!
+async fn wait_service_is_active(service: &str) -> Result<(), Error> {
+    tokio::time::delay_for(std::time::Duration::new(1, 0)).await;
+    loop {
+        let text = match tokio::process::Command::new("systemctl")
+            .args(&["is-active", service])
+            .output()
+            .await
+        {
+            Ok(output) => match String::from_utf8(output.stdout) {
+                Ok(text) => text,
+                Err(err) => bail!("output of 'systemctl is-active' not valid UTF-8 - {}", err),
+            },
+            Err(err) => bail!("executing 'systemctl is-active' failed - {}", err),
+        };
+
+        if text.trim().trim_start() != "reloading" {
+            return Ok(());
+        }
+        tokio::time::delay_for(std::time::Duration::new(5, 0)).await;
+    }
+}
+
 #[link(name = "systemd")]
 extern "C" {
     fn sd_notify(unset_environment: c_int, state: *const c_char) -> c_int;

src/tools/format.rs

@@ -102,6 +102,40 @@ impl From<u64> for HumanByte {
     }
 }
 
+pub fn as_fingerprint(bytes: &[u8]) -> String {
+    proxmox::tools::digest_to_hex(bytes)
+        .as_bytes()
+        .chunks(2)
+        .map(|v| std::str::from_utf8(v).unwrap())
+        .collect::<Vec<&str>>().join(":")
+}
+
+pub mod bytes_as_fingerprint {
+    use serde::{Deserialize, Serializer, Deserializer};
+
+    pub fn serialize<S>(
+        bytes: &[u8; 32],
+        serializer: S,
+    ) -> Result<S::Ok, S::Error>
+    where
+        S: Serializer,
+    {
+        let s = crate::tools::format::as_fingerprint(bytes);
+        serializer.serialize_str(&s)
+    }
+
+    pub fn deserialize<'de, D>(
+        deserializer: D,
+    ) -> Result<[u8; 32], D::Error>
+    where
+        D: Deserializer<'de>,
+    {
+        let mut s = String::deserialize(deserializer)?;
+        s.retain(|c| c != ':');
+        proxmox::tools::hex_to_digest(&s).map_err(serde::de::Error::custom)
+    }
+}
+
 #[test]
 fn correct_byte_convert() {
     fn convert(b: usize) -> String {

src/tools/http.rs

@@ -2,6 +2,7 @@ use anyhow::{Error, format_err, bail};
 use lazy_static::lazy_static;
 use std::task::{Context, Poll};
 use std::os::unix::io::AsRawFd;
+use std::collections::HashMap;
 
 use hyper::{Uri, Body};
 use hyper::client::{Client, HttpConnector};
@@ -26,8 +27,21 @@ lazy_static! {
     };
 }
 
-pub async fn get_string(uri: &str) -> Result<String, Error> {
+pub async fn get_string(uri: &str, extra_headers: Option<&HashMap<String, String>>) -> Result<String, Error> {
-    let res = HTTP_CLIENT.get(uri.parse()?).await?;
+    let mut request = Request::builder()
+        .method("GET")
+        .uri(uri)
+        .header("User-Agent", "proxmox-backup-client/1.0");
+
+    if let Some(hs) = extra_headers {
+        for (h, v) in hs.iter() {
+            request = request.header(h, v);
+        }
+    }
+
+    let request = request.body(Body::empty())?;
+
+    let res = HTTP_CLIENT.request(request).await?;
 
     let status = res.status();
     if !status.is_success() {
@@ -115,7 +129,12 @@ impl hyper::service::Service<Uri> for HttpsConnector {
                 .to_string();
 
             let config = this.ssl_connector.configure();
-            let conn = this.http.call(dst).await?;
+            let dst_str = dst.to_string(); // for error messages
+            let conn = this
+                .http
+                .call(dst)
+                .await
+                .map_err(|err| format_err!("error connecting to {} - {}", dst_str, err))?;
 
             let _ = set_tcp_keepalive(conn.as_raw_fd(), PROXMOX_BACKUP_TCP_KEEPALIVE_TIME);
 

src/tools/runtime.rs

@@ -7,6 +7,7 @@ use std::task::{Context, Poll, RawWaker, Waker};
 use std::thread::{self, Thread};
 
 use lazy_static::lazy_static;
+use pin_utils::pin_mut;
 use tokio::runtime::{self, Runtime};
 
 thread_local! {
@@ -154,9 +155,8 @@ pub fn main<F: Future>(fut: F) -> F::Output {
     block_on(fut)
 }
 
-fn block_on_local_future<F: Future>(mut fut: F) -> F::Output {
+fn block_on_local_future<F: Future>(fut: F) -> F::Output {
-    use std::pin::Pin;
+    pin_mut!(fut);
-    let mut fut = unsafe { Pin::new_unchecked(&mut fut) };
 
     let waker = Arc::new(thread::current());
     let waker = thread_waker_clone(Arc::into_raw(waker) as *const ());

www/Application.js

@@ -36,8 +36,7 @@ Ext.define('PBS.Application', {
 	    xtype: view,
 	});
 	if (skipCheck !== true) {
-	    // fixme:
+	    Proxmox.Utils.checked_command(Ext.emptyFn);
-	    // Proxmox.Utils.checked_command(function() {}); // display subscription status
 	}
     },
 

www/Dashboard.js

@@ -332,12 +332,13 @@ Ext.define('PBS.Dashboard', {
 		Ext.String.format(gettext('{0} days'), '{days}') + ')',
 	    },
 	    xtype: 'pbsTaskSummary',
+	    height: 200,
 	    reference: 'tasksummary',
 	},
 	{
 	    iconCls: 'fa fa-ticket',
 	    title: 'Subscription',
-	    height: 166,
+	    height: 200,
 	    reference: 'subscription',
 	    xtype: 'pbsSubscriptionInfo',
 	},
@@ -394,7 +395,7 @@ Ext.define('PBS.dashboard.SubscriptionInfo', {
 		break;
 	    case 0:
 		icon = 'times-circle critical';
-		message = gettext('This node does not have a subscription.');
+		message = gettext('<h1>No valid subscription</h1>' + PBS.Utils.noSubKeyHtml);
 		break;
 	    default:
 		throw 'invalid subscription status';

www/MainView.js

@@ -202,11 +202,6 @@ Ext.define('PBS.MainView', {
 		    padding: '0 0 0 5',
 		    xtype: 'versioninfo',
 		},
-		{
-		    padding: 5,
-		    html: '<a href="https://bugzilla.proxmox.com" target="_blank">BETA</a>',
-		    baseCls: 'x-plain',
-		},
 		{
 		    flex: 1,
 		    baseCls: 'x-plain',

www/Makefile

@@ -43,6 +43,8 @@ JSSRC=							\
 	panel/Tasks.js					\
 	panel/XtermJsConsole.js				\
 	panel/AccessControl.js				\
+	panel/StorageAndDisks.js			\
+	panel/UsageChart.js				\
 	ZFSList.js					\
 	DirectoryList.js				\
 	LoginView.js					\
@@ -56,6 +58,8 @@ JSSRC=							\
 	datastore/Content.js				\
 	datastore/OptionView.js				\
 	datastore/Panel.js				\
+	datastore/DataStoreListSummary.js		\
+	datastore/DataStoreList.js			\
 	ServerStatus.js					\
 	ServerAdministration.js				\
 	Dashboard.js					\
@@ -79,7 +83,7 @@ js/proxmox-backup-gui.js: .lint-incremental js OnlineHelpInfo.js ${JSSRC}
 
 .PHONY: check
 check:
-	eslint ${JSSRC}
+	eslint --strict ${JSSRC}
 	touch ".lint-incremental"
 
 .lint-incremental: ${JSSRC}

www/NavigationTree.js

@@ -62,31 +62,18 @@ Ext.define('PBS.store.NavigationStore', {
 			leaf: true,
 		    },
 		    {
-			text: gettext('Disks'),
+			text: gettext('Storage / Disks'),
 			iconCls: 'fa fa-hdd-o',
-			path: 'pmxDiskList',
+			path: 'pbsStorageAndDiskPanel',
-			leaf: false,
-			children: [
-			    {
-				text: Proxmox.Utils.directoryText,
-				iconCls: 'fa fa-folder',
-				path: 'pbsDirectoryList',
 			leaf: true,
 		    },
-			    {
-				text: "ZFS",
-				iconCls: 'fa fa-th-large',
-				path: 'pbsZFSList',
-				leaf: true,
-			    },
-			],
-		    },
 		],
 	    },
 	    {
 		text: gettext('Datastore'),
 		iconCls: 'fa fa-archive',
 		id: 'datastores',
+		path: 'pbsDataStores',
 		expanded: true,
 		expandable: false,
 		leaf: false,
@@ -174,9 +161,6 @@ Ext.define('PBS.view.main.NavigationTree', {
 
     listeners: {
 	itemclick: function(tl, info) {
-	    if (info.node.data.id === 'datastores') {
-		return false;
-	    }
 	    if (info.node.data.id === 'addbutton') {
 		let me = this;
 		Ext.create('PBS.DataStoreEdit', {

www/OnlineHelpInfo.js

@@ -3,38 +3,102 @@ const proxmoxOnlineHelpInfo = {
     "link": "/docs/index.html",
     "title": "Proxmox Backup Server Documentation Index"
   },
+  "id1": {
+    "link": "/docs/calendarevents.html#id1",
+    "title": "Calendar Events"
+  },
+  "id2": {
+    "link": "/docs/backup-client.html#id2",
+    "title": "Encryption"
+  },
+  "changing-backup-owner": {
+    "link": "/docs/backup-client.html#changing-backup-owner",
+    "title": "Changing the Owner of a Backup Group"
+  },
   "backup-pruning": {
     "link": "/docs/backup-client.html#backup-pruning",
     "title": "Pruning and Removing Backups"
   },
+  "id3": {
+    "link": "/docs/backup-client.html#id3",
+    "title": "Garbage Collection"
+  },
+  "pxar-format": {
+    "link": "/docs/file-formats.html#pxar-format",
+    "title": "Proxmox File Archive Format (``.pxar``)"
+  },
+  "sysadmin-package-repositories": {
+    "link": "/docs/package-repositories.html#sysadmin-package-repositories",
+    "title": "Debian Package Repositories"
+  },
+  "get-help": {
+    "link": "/docs/introduction.html#get-help",
+    "title": "Getting Help"
+  },
   "chapter-zfs": {
     "link": "/docs/sysadmin.html#chapter-zfs",
     "title": "ZFS on Linux"
   },
+  "local-zfs-special-device": {
+    "link": "/docs/sysadmin.html#local-zfs-special-device",
+    "title": "ZFS Special Device"
+  },
   "maintenance-pruning": {
     "link": "/docs/maintenance.html#maintenance-pruning",
     "title": "Pruning"
   },
+  "maintenance-gc": {
+    "link": "/docs/maintenance.html#maintenance-gc",
+    "title": "Garbage Collection"
+  },
+  "maintenance-verification": {
+    "link": "/docs/maintenance.html#maintenance-verification",
+    "title": "Verification"
+  },
   "maintenance-notification": {
     "link": "/docs/maintenance.html#maintenance-notification",
     "title": "Notifications"
   },
   "backup-remote": {
     "link": "/docs/managing-remotes.html#backup-remote",
-    "title": ":term:`Remote`"
+    "title": "Remote"
   },
   "syncjobs": {
     "link": "/docs/managing-remotes.html#syncjobs",
     "title": "Sync Jobs"
   },
+  "sysadmin-network-configuration": {
+    "link": "/docs/network-management.html#sysadmin-network-configuration",
+    "title": "Network Management"
+  },
+  "pve-integration": {
+    "link": "/docs/pve-integration.html#pve-integration",
+    "title": "`Proxmox VE`_ Integration"
+  },
+  "storage-disk-management": {
+    "link": "/docs/storage.html#storage-disk-management",
+    "title": "Disk Management"
+  },
   "datastore-intro": {
     "link": "/docs/storage.html#datastore-intro",
-    "title": ":term:`DataStore`"
+    "title": "Datastore"
+  },
+  "storage-datastore-create": {
+    "link": "/docs/storage.html#storage-datastore-create",
+    "title": "Creating a Datastore"
+  },
+  "sysadmin-host-administration": {
+    "link": "/docs/sysadmin.html#sysadmin-host-administration",
+    "title": "Host System Administration"
   },
   "user-mgmt": {
     "link": "/docs/user-management.html#user-mgmt",
     "title": "User Management"
   },
+  "user-tokens": {
+    "link": "/docs/user-management.html#user-tokens",
+    "title": "API Tokens"
+  },
   "user-acl": {
     "link": "/docs/user-management.html#user-acl",
     "title": "Access Control"

www/ServerAdministration.js

@@ -7,6 +7,8 @@ Ext.define('PBS.ServerAdministration', {
     border: true,
     defaults: { border: false },
 
+    tools: [PBS.Utils.get_help_tool("sysadmin-host-administration")],
+
     controller: {
 	xclass: 'Ext.app.ViewController',
 

www/ServerStatus.js

@@ -51,6 +51,78 @@ Ext.define('PBS.ServerStatus', {
 
     scrollable: true,
 
+    showVersions: function() {
+	let me = this;
+
+	// Note: use simply text/html here, as ExtJS grid has problems with cut&paste
+	let panel = Ext.createWidget('component', {
+	    autoScroll: true,
+	    id: 'pkgversions',
+	    padding: 5,
+	    style: {
+		'background-color': 'white',
+		'white-space': 'pre',
+		'font-family': 'monospace',
+	    },
+	});
+
+	let win = Ext.create('Ext.window.Window', {
+	    title: gettext('Package versions'),
+	    width: 600,
+	    height: 600,
+	    layout: 'fit',
+	    modal: true,
+	    items: [panel],
+	    buttons: [
+		{
+		    xtype: 'button',
+		    iconCls: 'fa fa-clipboard',
+		    handler: function(button) {
+			window.getSelection().selectAllChildren(
+			    document.getElementById('pkgversions'),
+			);
+			document.execCommand("copy");
+		    },
+		    text: gettext('Copy'),
+		},
+		{
+		    text: gettext('Ok'),
+		    handler: function() {
+			this.up('window').close();
+		    },
+		},
+	    ],
+	});
+
+	Proxmox.Utils.API2Request({
+	    waitMsgTarget: me,
+	    url: `/nodes/localhost/apt/versions`,
+	    method: 'GET',
+	    failure: function(response, opts) {
+		win.close();
+		Ext.Msg.alert(gettext('Error'), response.htmlStatus);
+	    },
+	    success: function(response, opts) {
+		let text = '';
+		Ext.Array.each(response.result.data, function(rec) {
+		    let version = "not correctly installed";
+		    let pkg = rec.Package;
+		    if (rec.OldVersion && rec.OldVersion !== 'unknown') {
+			version = rec.OldVersion;
+		    }
+		    if (rec.ExtraInfo) {
+			text += `${pkg}: ${version} (${rec.ExtraInfo})\n`;
+		    } else {
+			text += `${pkg}: ${version}\n`;
+		    }
+		});
+
+		win.show();
+		panel.update(Ext.htmlEncode(text));
+	    },
+	});
+    },
+
     initComponent: function() {
         var me = this;
 
@@ -94,7 +166,15 @@ Ext.define('PBS.ServerStatus', {
 	    },
 	});
 
-	me.tbar = [consoleBtn, restartBtn, shutdownBtn, '->', { xtype: 'proxmoxRRDTypeSelector' }];
+	let version_btn = new Ext.Button({
+	    text: gettext('Package versions'),
+	    iconCls: 'fa fa-gift',
+	    handler: function() {
+		Proxmox.Utils.checked_command(function() { me.showVersions(); });
+	    },
+	});
+
+	me.tbar = [version_btn, '-', consoleBtn, '-', restartBtn, shutdownBtn, '->', { xtype: 'proxmoxRRDTypeSelector' }];
 
 	var rrdstore = Ext.create('Proxmox.data.RRDStore', {
 	    rrdurl: "/api2/json/nodes/localhost/rrd",

www/Subscription.js

@@ -2,13 +2,14 @@ Ext.define('PBS.SubscriptionKeyEdit', {
     extend: 'Proxmox.window.Edit',
 
     title: gettext('Upload Subscription Key'),
-    width: 300,
+    width: 320,
     autoLoad: true,
 
-    onlineHelp: 'getting_help',
+    onlineHelp: 'get_help',
 
     items: {
 	xtype: 'textfield',
+	labelWidth: 120,
 	name: 'key',
 	value: '',
 	fieldLabel: gettext('Subscription Key'),
@@ -22,7 +23,8 @@ Ext.define('PBS.Subscription', {
     title: gettext('Subscription'),
     border: true,
 
-    onlineHelp: 'getting_help',
+    onlineHelp: 'get_help',
+    tools: [PBS.Utils.get_help_tool("get_help")],
 
     viewConfig: {
 	enableTextSelection: true,
@@ -140,16 +142,18 @@ Ext.define('PBS.Subscription', {
 	    tbar: [
 		{
 		    text: gettext('Upload Subscription Key'),
+		    iconCls: 'fa fa-ticket',
 		    handler: function() {
 			let win = Ext.create('PBS.SubscriptionKeyEdit', {
 			    url: '/api2/extjs/' + baseurl,
+			    autoShow: true,
 			});
-			win.show();
 			win.on('destroy', reload);
 		    },
 		},
 		{
 		    text: gettext('Check'),
+		    iconCls: 'fa fa-check-square-o',
 		    handler: function() {
 			Proxmox.Utils.API2Request({
 			    params: { force: 1 },
@@ -171,10 +175,12 @@ Ext.define('PBS.Subscription', {
 		    dangerous: true,
 		    selModel: false,
 		    callback: reload,
+		    iconCls: 'fa fa-trash-o',
 		},
 		'-',
 		{
 		    text: gettext('System Report'),
+		    iconCls: 'fa fa-stethoscope',
 		    handler: function() {
 			Proxmox.Utils.checked_command(function() { me.showReport(); });
 		    },

www/SystemConfiguration.js

@@ -6,6 +6,7 @@ Ext.define('PBS.SystemConfiguration', {
     border: true,
     scrollable: true,
     defaults: { border: false },
+    tools: [PBS.Utils.get_help_tool("sysadmin-network-configuration")],
     items: [
 	{
 	    title: gettext('Network/Time'),

www/Utils.js

@@ -50,6 +50,8 @@ Ext.define('PBS.Utils', {
 	}
     },
 
+    noSubKeyHtml: 'You do not have a valid subscription for this server. Please visit <a target="_blank" href="https://www.proxmox.com/proxmox-backup-server/pricing">www.proxmox.com</a> to get a list of available options.',
+
     getDataStoreFromPath: function(path) {
 	return path.slice(PBS.Utils.dataStorePrefix.length);
     },
@@ -145,7 +147,7 @@ Ext.define('PBS.Utils', {
     },
 
     render_datastore_worker_id: function(id, what) {
-	const res = id.match(/^(\S+?)_(\S+?)_(\S+?)(_(.+))?$/);
+	const res = id.match(/^(\S+?):(\S+?)\/(\S+?)(\/(.+))?$/);
 	if (res) {
 	    let datastore = res[1], backupGroup = `${res[2]}/${res[3]}`;
 	    if (res[4] !== undefined) {
@@ -159,6 +161,39 @@ Ext.define('PBS.Utils', {
 	return `Datastore ${what} ${id}`;
     },
 
+    // mimics Display trait in backend
+    renderKeyID: function(fingerprint) {
+	return fingerprint.substring(0, 23);
+    },
+
+    parse_datastore_worker_id: function(type, id) {
+	let result;
+	let res;
+	if (type.startsWith('verif')) {
+	    res = PBS.Utils.VERIFICATION_JOB_ID_RE.exec(id);
+	    if (res) {
+		result = res[1];
+	    }
+	} else if (type.startsWith('sync')) {
+	    res = PBS.Utils.SYNC_JOB_ID_RE.exec(id);
+	    if (res) {
+		result = res[3];
+	    }
+	} else if (type === 'backup') {
+	    res = PBS.Utils.BACKUP_JOB_ID_RE.exec(id);
+	    if (res) {
+		result = res[1];
+	    }
+	} else if (type === 'garbage_collection') {
+	    return id;
+	} else if (type === 'prune') {
+	    return id;
+	}
+
+
+	return result;
+    },
+
     extractTokenUser: function(tokenid) {
 	return tokenid.match(/^(.+)!([^!]+)$/)[1];
     },
@@ -167,9 +202,75 @@ Ext.define('PBS.Utils', {
 	return tokenid.match(/^(.+)!([^!]+)$/)[2];
     },
 
+    render_estimate: function(value) {
+	if (!value) {
+	    return gettext('Not enough data');
+	}
+
+	let now = new Date();
+	let estimate = new Date(value*1000);
+
+	let timespan = (estimate - now)/1000;
+
+	if (Number(estimate) <= Number(now) || isNaN(timespan)) {
+	    return gettext('Never');
+	}
+
+	let duration = Proxmox.Utils.format_duration_human(timespan);
+	return Ext.String.format(gettext("in {0}"), duration);
+    },
+
+    render_size_usage: function(val, max) {
+	if (max === 0) {
+	    return gettext('N/A');
+	}
+	return (val*100/max).toFixed(2) + '% (' +
+	    Ext.String.format(gettext('{0} of {1}'),
+	    Proxmox.Utils.format_size(val), Proxmox.Utils.format_size(max)) + ')';
+    },
+
+    get_help_tool: function(blockid) {
+	let info = Proxmox.Utils.get_help_info(blockid);
+	if (info === undefined) {
+	    info = Proxmox.Utils.get_help_info('pbs_documentation_index');
+	}
+	if (info === undefined) {
+	    throw "get_help_info failed"; // should not happen
+	}
+
+	let docsURI = window.location.origin + info.link;
+	let title = info.title;
+	if (info.subtitle) {
+	    title += ' - ' + info.subtitle;
+	}
+	return {
+	    type: 'help',
+	    tooltip: title,
+	    handler: function() {
+		window.open(docsURI);
+	    },
+        };
+    },
+
+    calculate_dedup_factor: function(gcstatus) {
+	let dedup = 1.0;
+	if (gcstatus['disk-bytes'] > 0) {
+	    dedup = (gcstatus['index-data-bytes'] || 0)/gcstatus['disk-bytes'];
+	}
+	return dedup;
+    },
+
     constructor: function() {
 	var me = this;
 
+	let PROXMOX_SAFE_ID_REGEX = "([A-Za-z0-9_][A-Za-z0-9._-]*)";
+	// only anchored at beginning
+	// only parses datastore for now
+	me.VERIFICATION_JOB_ID_RE = new RegExp("^" + PROXMOX_SAFE_ID_REGEX + ':?');
+	me.SYNC_JOB_ID_RE = new RegExp("^" + PROXMOX_SAFE_ID_REGEX + ':' +
+	    PROXMOX_SAFE_ID_REGEX + ':' + PROXMOX_SAFE_ID_REGEX + ':');
+	me.BACKUP_JOB_ID_RE = new RegExp("^" + PROXMOX_SAFE_ID_REGEX + ':');
+
 	// do whatever you want here
 	Proxmox.Utils.override_task_descriptions({
 	    backup: (type, id) => PBS.Utils.render_datastore_worker_id(id, gettext('Backup')),

www/config/ACLView.js

@@ -22,7 +22,12 @@ Ext.define('PBS.config.ACLView', {
 
     title: gettext('Permissions'),
 
+    // Show only those permissions, which can affect this and children paths.
+    // That means that also higher up, "shorter" paths are included, as those
+    // can have a say in the rights on the asked path.
     aclPath: undefined,
+
+    // tell API to only return ACLs matching exactly the aclPath config.
     aclExact: undefined,
 
     controller: {
@@ -83,12 +88,37 @@ Ext.define('PBS.config.ACLView', {
 	    let proxy = view.getStore().rstore.getProxy();
 
 	    let params = {};
+	    if (typeof view.aclPath === "string") {
+		let pathFilter = Ext.create('Ext.util.Filter', {
+		    filterPath: view.aclPath,
+		    filterAtoms: view.aclPath.split('/'),
+		    filterFn: function(item) {
+			let me = this;
+			let path = item.data.path;
+			if (path === "/" || path === me.filterPath) {
+			    return true;
+			} else if (path.length > me.filterPath.length) {
+			    return path.startsWith(me.filterPath + '/');
+			}
+			let pathAtoms = path.split('/');
+			let commonLength = Math.min(pathAtoms.length, me.filterAtoms.length);
+			for (let i = 1; i < commonLength; i++) {
+			    if (me.filterAtoms[i] !== pathAtoms[i]) {
+				return false;
+			    }
+			}
+			return true;
+		    },
+		});
+		view.getStore().addFilter(pathFilter);
+	    }
+	    if (view.aclExact !== undefined) {
 		if (view.aclPath !== undefined) {
 		    params.path = view.aclPath;
 		}
-	    if (view.aclExact !== undefined) {
 		params.exact = view.aclExact;
 	    }
+
 	    proxy.setExtraParams(params);
 	    Proxmox.Utils.monStoreErrors(view, view.getStore().rstore);
 	},

www/config/RemoteView.js

@@ -1,6 +1,6 @@
 Ext.define('pmx-remotes', {
     extend: 'Ext.data.Model',
-    fields: ['name', 'host', 'port', 'userid', 'fingerprint', 'comment',
+    fields: ['name', 'host', 'port', 'auth-id', 'fingerprint', 'comment',
 	{
 	    name: 'server',
 	    calculate: function(data) {
@@ -32,6 +32,8 @@ Ext.define('PBS.config.RemoteView', {
 
     title: gettext('Remotes'),
 
+    tools: [PBS.Utils.get_help_tool("backup-remote")],
+
     controller: {
 	xclass: 'Ext.app.ViewController',
 
@@ -127,11 +129,11 @@ Ext.define('PBS.config.RemoteView', {
 	    dataIndex: 'server',
 	},
 	{
-	    header: gettext('User name'),
+	    header: gettext('Auth ID'),
 	    width: 200,
 	    sortable: true,
 	    renderer: Ext.String.htmlEncode,
-	    dataIndex: 'userid',
+	    dataIndex: 'auth-id',
 	},
 	{
 	    header: gettext('Fingerprint'),

www/config/SyncView.js

@@ -162,9 +162,11 @@ Ext.define('PBS.config.SyncJobView', {
 	reload: function() { this.getView().getStore().rstore.load(); },
 
 	init: function(view) {
-	    view.getStore().rstore.getProxy().setExtraParams({
+	    let params = {};
-		store: view.datastore,
+	    if (view.datastore !== undefined) {
-	    });
+		params.store = view.datastore;
+	    }
+	    view.getStore().rstore.getProxy().setExtraParams(params);
 	    Proxmox.Utils.monStoreErrors(view, view.getStore().rstore);
 	},
     },
@@ -237,6 +239,12 @@ Ext.define('PBS.config.SyncJobView', {
 	    flex: 1,
 	    sortable: true,
 	},
+	{
+	    header: gettext('Local Store'),
+	    dataIndex: 'store',
+	    width: 120,
+	    sortable: true,
+	},
 	{
 	    header: gettext('Remote'),
 	    dataIndex: 'remote',
@@ -249,12 +257,6 @@ Ext.define('PBS.config.SyncJobView', {
 	    width: 120,
 	    sortable: true,
 	},
-	{
-	    header: gettext('Local Store'),
-	    dataIndex: 'store',
-	    width: 120,
-	    sortable: true,
-	},
 	{
 	    header: gettext('Owner'),
 	    dataIndex: 'owner',
@@ -304,4 +306,18 @@ Ext.define('PBS.config.SyncJobView', {
 	    sortable: true,
 	},
     ],
+
+    initComponent: function() {
+	let me = this;
+	let hideLocalDatastore = !!me.datastore;
+
+	for (let column of me.columns) {
+	    if (column.dataIndex === 'store') {
+		column.hidden = hideLocalDatastore;
+		break;
+	    }
+	}
+
+	me.callParent();
+    },
 });

www/config/UserView.js

@@ -76,6 +76,17 @@ Ext.define('PBS.config.UserView', {
 	    }).show();
 	},
 
+	renderName: function(val, cell, rec) {
+	    let name = [];
+	    if (rec.data.firstname) {
+		name.push(rec.data.firstname);
+	    }
+	    if (rec.data.lastname) {
+		name.push(rec.data.lastname);
+	    }
+	    return name.join(' ');
+	},
+
 	renderUsername: function(userid) {
 	    return Ext.String.htmlEncode(userid.match(/^(.+)@([^@]+)$/)[1]);
 	},
@@ -181,6 +192,7 @@ Ext.define('PBS.config.UserView', {
 	    width: 150,
 	    sortable: true,
 	    dataIndex: 'firstname',
+	    renderer: 'renderName',
 	},
 	{
 	    header: gettext('Comment'),

www/config/VerifyView.js

@@ -157,9 +157,11 @@ Ext.define('PBS.config.VerifyJobView', {
 	reload: function() { this.getView().getStore().rstore.load(); },
 
 	init: function(view) {
-	    view.getStore().rstore.getProxy().setExtraParams({
+	    let params = {};
-		store: view.datastore,
+	    if (view.datastore !== undefined) {
-	    });
+		params.store = view.datastore;
+	    }
+	    view.getStore().rstore.getProxy().setExtraParams(params);
 	    Proxmox.Utils.monStoreErrors(view, view.getStore().rstore);
 	},
     },
@@ -232,6 +234,11 @@ Ext.define('PBS.config.VerifyJobView', {
 	    flex: 1,
 	    sortable: true,
 	},
+	{
+	    header: gettext('Datastore'),
+	    dataIndex: 'store',
+	    flex: 1,
+	},
 	{
 	    header: gettext('Skip Verified'),
 	    dataIndex: 'ignore-verified',
@@ -288,4 +295,18 @@ Ext.define('PBS.config.VerifyJobView', {
 	    sortable: true,
 	},
     ],
+
+    initComponent: function() {
+	let me = this;
+	let hideDatastore = !!me.datastore;
+
+	for (let column of me.columns) {
+	    if (column.dataIndex === 'store') {
+		column.hidden = hideDatastore;
+		break;
+	    }
+	}
+
+	me.callParent();
+    },
 });

www/css/ext6-pbs.css

@@ -241,3 +241,15 @@ span.snapshot-comment-column {
     font-weight: bold;
     content: "V.";
 }
+
+.x-action-col-icon {
+    margin: 0 1px;
+    font-size: 14px;
+}
+.x-action-col-icon:before, .x-action-col-icon:after {
+    font-size: 14px;
+}
+.x-action-col-icon:hover:before, .x-action-col-icon:hover:after {
+    text-shadow: 1px 1px 1px #AAA;
+    font-weight: 800;
+}

www/dashboard/DataStoreStatistics.js

@@ -47,24 +47,6 @@ Ext.define('PBS.DatastoreStatistics', {
     controller: {
 	xclass: 'Ext.app.ViewController',
 
-	render_estimate: function(value) {
-	    if (!value) {
-		return gettext('Not enough data');
-	    }
-
-	    let now = new Date();
-	    let estimate = new Date(value*1000);
-
-	    let timespan = (estimate - now)/1000;
-
-	    if (Number(estimate) <= Number(now) || isNaN(timespan)) {
-		return gettext('Never');
-	    }
-
-	    let duration = Proxmox.Utils.format_duration_human(timespan);
-	    return Ext.String.format(gettext("in {0}"), duration);
-	},
-
 	init: function(view) {
 	    Proxmox.Utils.monStoreErrors(view, view.getStore().rstore);
 	},
@@ -111,7 +93,7 @@ Ext.define('PBS.DatastoreStatistics', {
 	    text: gettext('Estimated Full'),
 	    dataIndex: 'estimated-full-date',
 	    sortable: true,
-	    renderer: 'render_estimate',
+	    renderer: PBS.Utils.render_estimate,
 	    flex: 1,
 	    minWidth: 130,
 	    maxWidth: 200,

www/dashboard/TaskSummary.js

@@ -4,9 +4,6 @@ Ext.define('PBS.TaskSummary', {
 
     title: gettext('Task Summary'),
 
-    controller: {
-	xclass: 'Ext.app.ViewController',
-
     states: [
 	"",
 	"error",
@@ -30,14 +27,24 @@ Ext.define('PBS.TaskSummary', {
 	"verify": gettext('Verify'),
     },
 
+    // set true to show the onclick panel as modal grid
+    subPanelModal: false,
+
+    // the datastore the onclick panel is filtered by
+    datastore: undefined,
+
+    controller: {
+	xclass: 'Ext.app.ViewController',
+
+
 	openTaskList: function(grid, td, cellindex, record, tr, rowindex) {
 	    let me = this;
 	    let view = me.getView();
 
 	    if (cellindex > 0) {
 		let tasklist = view.tasklist;
-		let state = me.states[cellindex];
+		let state = view.states[cellindex];
-		let type = me.types[rowindex];
+		let type = view.types[rowindex];
 		let filterParam = {
 		    limit: 0,
 		    'statusfilter': state,
@@ -48,7 +55,11 @@ Ext.define('PBS.TaskSummary', {
 		    filterParam.since = me.since;
 		}
 
-		if (record.data[state] === 0) {
+		if (view.datastore) {
+		    filterParam.store = view.datastore;
+		}
+
+		if (record.data[state] === 0 || record.data[state] === undefined) {
 		    return;
 		}
 
@@ -137,7 +148,7 @@ Ext.define('PBS.TaskSummary', {
 		tasklist.cidx = cellindex;
 		tasklist.ridx = rowindex;
 
-		let task = me.titles[type];
+		let task = view.titles[type];
 		let status = "";
 		switch (state) {
 		    case 'ok': status = gettext("OK"); break;
@@ -149,7 +160,13 @@ Ext.define('PBS.TaskSummary', {
 		tasklist.getStore().getProxy().setExtraParams(filterParam);
 		tasklist.getStore().removeAll();
 
+		if (view.subPanelModal) {
+		    tasklist.modal = true;
+		    tasklist.showBy(Ext.getBody(), 'c-c');
+		} else {
+		    tasklist.modal = false;
 		    tasklist.showBy(td, 'bl-tl');
+		}
 		setTimeout(() => tasklist.getStore().reload(), 10);
 	    }
 	},
@@ -182,8 +199,13 @@ Ext.define('PBS.TaskSummary', {
 
 	render_count: function(value, md, record, rowindex, colindex) {
 	    let me = this;
-	    let icon = me.render_icon(me.states[colindex], value);
+	    let view = me.getView();
-	    return `${icon} ${value}`;
+	    let count = value || 0;
+	    if (count > 0) {
+		md.tdCls = 'pointer';
+	    }
+	    let icon = me.render_icon(view.states[colindex], count);
+	    return `${icon} ${value || 0}`;
 	},
     },
 
@@ -191,8 +213,18 @@ Ext.define('PBS.TaskSummary', {
 	let me = this;
 	let controller = me.getController();
 	let data = [];
-	controller.types.forEach((type) => {
+	if (!source) {
-	    source[type].type = controller.titles[type];
+	    source = {};
+	}
+	me.types.forEach((type) => {
+	    if (!source[type]) {
+		source[type] = {
+		    error: 0,
+		    warning: 0,
+		    ok: 0,
+		};
+	    }
+	    source[type].type = me.titles[type];
 	    data.push(source[type]);
 	});
 	me.lookup('grid').getStore().setData(data);
@@ -214,7 +246,7 @@ Ext.define('PBS.TaskSummary', {
 	    rowLines: false,
 	    viewConfig: {
 		stripeRows: false,
-		trackOver: false,
+		trackOver: true,
 	    },
 	    scrollable: false,
 	    disableSelection: true,

www/datastore/Content.js

@@ -12,6 +12,7 @@ Ext.define('pbs-data-store-snapshots', {
 	'files',
 	'owner',
 	'verification',
+	'fingerprint',
 	{ name: 'size', type: 'int', allowNull: true },
 	{
 	    name: 'crypt-mode',
@@ -182,6 +183,7 @@ Ext.define('PBS.DataStoreContent', {
 		for (const file of data.files) {
 		    file.text = file.filename;
 		    file['crypt-mode'] = PBS.Utils.cryptmap.indexOf(file['crypt-mode']);
+		    file.fingerprint = data.fingerprint;
 		    file.leaf = true;
 		    file.matchesFilter = true;
 
@@ -595,6 +597,7 @@ Ext.define('PBS.DataStoreContent', {
 	    header: gettext('Actions'),
 	    xtype: 'actioncolumn',
 	    dataIndex: 'text',
+	    width: 140,
 	    items: [
 		{
 		    handler: 'onVerify',
@@ -698,7 +701,16 @@ Ext.define('PBS.DataStoreContent', {
 		if (iconCls) {
 		    iconTxt = `<i class="fa fa-fw fa-${iconCls}"></i> `;
 		}
-		return (iconTxt + PBS.Utils.cryptText[v]) || Proxmox.Utils.unknownText;
+		let tip;
+		if (v !== PBS.Utils.cryptmap.indexOf('none') && record.data.fingerprint !== undefined) {
+		    tip = "Key: " + PBS.Utils.renderKeyID(record.data.fingerprint);
+		}
+		let txt = (iconTxt + PBS.Utils.cryptText[v]) || Proxmox.Utils.unknownText;
+		if (record.parentNode.id === 'root' || tip === undefined) {
+		    return txt;
+		} else {
+		    return `<span data-qtip="${tip}">${txt}</span>`;
+		}
 	    },
 	},
 	{

www/datastore/DataStoreList.js

@@ -0,0 +1,257 @@
+// Overview over all datastores
+Ext.define('PBS.datastore.DataStoreList', {
+    extend: 'Ext.panel.Panel',
+    alias: 'widget.pbsDataStoreList',
+
+    title: gettext('Summary'),
+
+    scrollable: true,
+
+    bodyPadding: 5,
+    defaults: {
+	xtype: 'pbsDataStoreListSummary',
+	padding: 5,
+    },
+
+    datastores: {},
+    tasks: {},
+
+    updateTasks: function(taskStore, records, success) {
+	let me = this;
+	if (!success) {
+	    return;
+	}
+
+	for (const store of Object.keys(me.tasks)) {
+	    me.tasks[store] = {};
+	}
+
+	records.forEach(record => {
+	    let task = record.data;
+	    if (!task.worker_id) {
+		return;
+	    }
+
+	    let type = task.worker_type;
+	    if (type === 'syncjob') {
+		type = 'sync';
+	    }
+
+	    if (type.startsWith('verif')) {
+		type = 'verify';
+	    }
+
+	    let datastore = PBS.Utils.parse_datastore_worker_id(type, task.worker_id);
+	    if (!datastore) {
+		return;
+	    }
+
+	    if (!me.tasks[datastore]) {
+		me.tasks[datastore] = {};
+	    }
+
+	    if (!me.tasks[datastore][type]) {
+		me.tasks[datastore][type] = {};
+	    }
+
+	    if (me.tasks[datastore][type] && task.status) {
+		let parsed = Proxmox.Utils.parse_task_status(task.status);
+		if (!me.tasks[datastore][type][parsed]) {
+		    me.tasks[datastore][type][parsed] = 0;
+		}
+		me.tasks[datastore][type][parsed]++;
+	    }
+	});
+
+	for (const [store, panel] of Object.entries(me.datastores)) {
+	    panel.setTasks(me.tasks[store], me.since);
+	}
+    },
+
+    updateStores: function(usageStore, records, success) {
+	let me = this;
+	if (!success) {
+	    return;
+	}
+
+	let found = {};
+
+	records.forEach((rec) => {
+	    found[rec.data.store] = true;
+	    me.addSorted(rec.data);
+	});
+
+	for (const [store, panel] of Object.entries(me.datastores)) {
+	    if (!found[store]) {
+		me.remove(panel);
+		delete me.datastores[store];
+	    }
+	}
+
+	let hasDatastores = Object.keys(me.datastores).length > 0;
+
+	me.getComponent('emptybox').setHidden(hasDatastores);
+    },
+
+    addSorted: function(data) {
+	let me = this;
+	let i = 1;
+	let datastores = Object
+	    .keys(me.datastores)
+	    .sort((a, b) => a.localeCompare(b));
+
+	for (const datastore of datastores) {
+	    let result = datastore.localeCompare(data.store);
+	    if (result === 0) {
+		me.datastores[datastore].setStatus(data);
+		return;
+	    } else if (result > 0) {
+		break;
+	    }
+	    i++;
+	}
+
+	me.datastores[data.store] = me.insert(i, {
+	    datastore: data.store,
+	});
+	me.datastores[data.store].setStatus(data);
+	me.datastores[data.store].setTasks(me.tasks[data.store], me.since);
+    },
+
+    initComponent: function() {
+	let me = this;
+	me.items = [
+	    {
+		itemId: 'emptybox',
+		hidden: true,
+		xtype: 'box',
+		html: gettext('No Datastores configured'),
+	    },
+	];
+	me.datastores = {};
+	// todo make configurable?
+	me.since = (Date.now()/1000 - 30 * 24*3600).toFixed(0);
+
+	me.usageStore = Ext.create('Proxmox.data.UpdateStore', {
+	    storeid: 'datastore-overview-usage',
+	    interval: 5000,
+	    proxy: {
+		type: 'proxmox',
+		url: '/api2/json/status/datastore-usage',
+	    },
+	    listeners: {
+		load: {
+		    fn: me.updateStores,
+		    scope: me,
+		},
+	    },
+	});
+
+	me.taskStore = Ext.create('Proxmox.data.UpdateStore', {
+	    storeid: 'datastore-overview-tasks',
+	    interval: 15000,
+	    model: 'proxmox-tasks',
+	    proxy: {
+		type: 'proxmox',
+		url: '/api2/json/nodes/localhost/tasks',
+		extraParams: {
+		    limit: 0,
+		    since: me.since,
+		},
+	    },
+	    listeners: {
+		load: {
+		    fn: me.updateTasks,
+		    scope: me,
+		},
+	    },
+	});
+
+	me.callParent();
+	Proxmox.Utils.monStoreErrors(me, me.usageStore);
+	Proxmox.Utils.monStoreErrors(me, me.taskStore);
+	me.on('activate', function() {
+	    me.usageStore.startUpdate();
+	    me.taskStore.startUpdate();
+	});
+	me.on('destroy', function() {
+	    me.usageStore.stopUpdate();
+	    me.taskStore.stopUpdate();
+	});
+	me.on('deactivate', function() {
+	    me.usageStore.stopUpdate();
+	    me.taskStore.stopUpdate();
+	});
+    },
+});
+
+Ext.define('PBS.datastore.DataStores', {
+    extend: 'Ext.tab.Panel',
+    alias: 'widget.pbsDataStores',
+
+    title: gettext('Datastores'),
+
+    stateId: 'pbs-datastores-panel',
+    stateful: true,
+
+    stateEvents: ['tabchange'],
+
+    applyState: function(state) {
+	let me = this;
+	if (state.tab !== undefined && me.rendered) {
+	    me.setActiveTab(state.tab);
+	} else if (state.tab) {
+	    // if we are not rendered yet, defer setting the activetab
+	    setTimeout(function() {
+		me.setActiveTab(state.tab);
+	    }, 10);
+	}
+    },
+
+    getState: function() {
+	let me = this;
+	return {
+	    tab: me.getActiveTab().getItemId(),
+	};
+    },
+
+    border: false,
+    defaults: {
+	border: false,
+    },
+
+    tools: [PBS.Utils.get_help_tool("datastore_intro")],
+
+    items: [
+	{
+	    xtype: 'pbsDataStoreList',
+	    iconCls: 'fa fa-book',
+	},
+
+	{
+	    iconCls: 'fa fa-refresh',
+	    itemId: 'syncjobs',
+	    xtype: 'pbsSyncJobView',
+	},
+	{
+	    iconCls: 'fa fa-check-circle',
+	    itemId: 'verifyjobs',
+	    xtype: 'pbsVerifyJobView',
+	},
+	{
+	    itemId: 'acl',
+	    xtype: 'pbsACLView',
+	    iconCls: 'fa fa-unlock',
+	    aclPath: '/datastore',
+	},
+    ],
+
+    initComponent: function() {
+	let me = this;
+	// remove invalid activeTab settings
+	if (me.activeTab && !me.items.some((item) => item.itemId === me.activeTab)) {
+	    delete me.activeTab;
+	}
+	me.callParent();
+    },
+});

www/datastore/DataStoreListSummary.js

@@ -0,0 +1,182 @@
+// Summary Panel for a single datastore in overview
+Ext.define('PBS.datastore.DataStoreListSummary', {
+    extend: 'Ext.panel.Panel',
+    alias: 'widget.pbsDataStoreListSummary',
+    mixins: ['Proxmox.Mixin.CBind'],
+
+    cbind: {
+	title: '{datastore}',
+    },
+
+    referenceHolder: true,
+    bodyPadding: 10,
+
+    layout: {
+	type: 'hbox',
+	align: 'stretch',
+    },
+
+    viewModel: {
+	data: {
+	    full: "N/A",
+	    stillbad: 0,
+	    deduplication: 1.0,
+	},
+    },
+    setTasks: function(taskdata, since) {
+	let me = this;
+	me.down('pbsTaskSummary').updateTasks(taskdata, since);
+    },
+
+    setStatus: function(statusData) {
+	let me = this;
+	let vm = me.getViewModel();
+
+	let usage = statusData.used/statusData.total;
+	let usagetext = Ext.String.format(gettext('{0} of {1}'),
+	    Proxmox.Utils.format_size(statusData.used),
+	    Proxmox.Utils.format_size(statusData.total),
+	);
+
+	let usagePanel = me.lookup('usage');
+	usagePanel.updateValue(usage, usagetext);
+
+	let estimate = PBS.Utils.render_estimate(statusData['estimated-full-date']);
+	vm.set('full', estimate);
+	vm.set('deduplication', PBS.Utils.calculate_dedup_factor(statusData['gc-status']).toFixed(2));
+	vm.set('stillbad', statusData['gc-status']['still-bad']);
+
+	let last = 0;
+	let time = statusData['history-start'];
+	let delta = statusData['history-delta'];
+	let data = statusData.history.map((val) => {
+	    if (val === null) {
+		val = last;
+	    } else {
+		last = val;
+	    }
+	    let entry = {
+		time: time*1000, // js Dates are ms since epoch
+		val,
+	    };
+
+	    time += delta;
+	    return entry;
+	});
+
+	me.lookup('historychart').setData(data);
+    },
+
+    items: [
+	{
+	    xtype: 'container',
+	    layout: {
+		type: 'vbox',
+		align: 'stretch',
+	    },
+
+	    width: 375,
+	    padding: '5 25 5 5',
+
+	    defaults: {
+		padding: 2,
+	    },
+
+	    items: [
+		{
+		    xtype: 'proxmoxGauge',
+		    warningThreshold: 0.8,
+		    criticalThreshold: 0.95,
+		    flex: 1,
+		    reference: 'usage',
+		},
+		{
+		    xtype: 'pmxInfoWidget',
+		    iconCls: 'fa fa-fw fa-line-chart',
+		    title: gettext('Estimated Full'),
+		    printBar: false,
+		    bind: {
+			data: {
+			    text: '{full}',
+			},
+		    },
+		},
+		{
+		    xtype: 'pmxInfoWidget',
+		    iconCls: 'fa fa-fw fa-compress',
+		    title: gettext('Deduplication Factor'),
+		    printBar: false,
+		    bind: {
+			data: {
+			    text: '{deduplication}',
+			},
+		    },
+		},
+		{
+		    xtype: 'pmxInfoWidget',
+		    iconCls: 'fa critical fa-fw fa-exclamation-triangle',
+		    title: gettext('Bad Chunks'),
+		    printBar: false,
+		    hidden: true,
+		    bind: {
+			data: {
+			    text: '{stillbad}',
+			},
+			visible: '{stillbad}',
+		    },
+		},
+	    ],
+	},
+	{
+	    xtype: 'container',
+	    layout: {
+		type: 'vbox',
+		align: 'stretch',
+	    },
+
+	    flex: 1,
+
+	    items: [
+		{
+		    padding: 5,
+		    xtype: 'pbsUsageChart',
+		    reference: 'historychart',
+		    title: gettext('Usage History'),
+		    height: 100,
+		},
+		{
+		    xtype: 'container',
+		    flex: 1,
+		    layout: {
+			type: 'vbox',
+			align: 'stretch',
+		    },
+
+		    defaults: {
+			padding: 5,
+		    },
+
+		    items: [
+			{
+			    xtype: 'label',
+			    text: gettext('Task Summary')
+			        + ` (${Ext.String.format(gettext('{0} days'), 30)})`,
+			},
+			{
+			    xtype: 'pbsTaskSummary',
+			    border: false,
+			    header: false,
+			    subPanelModal: true,
+			    flex: 2,
+			    bodyPadding: 0,
+			    minHeight: 0,
+			    cbind: {
+				datastore: '{datastore}',
+			    },
+			},
+		    ],
+		},
+	    ],
+	},
+    ],
+});

www/datastore/Notes.js

@@ -56,7 +56,7 @@ Ext.define('PBS.DataStoreNotes', {
 	    url: me.url,
 	    waitMsgTarget: me,
 	    failure: function(response, opts) {
-		me.update(gettext('Error') + " " + response.htmlStatus);
+		Ext.Msg.alert(gettext('Error'), response.htmlStatus);
 		me.setCollapsed(false);
 	    },
 	    success: function(response, opts) {