[GH-ISSUE #81] API tokens syntax is an unlucky choice #78

New issue

Closed

opened 2026-02-26 17:44:17 +03:00 by kerem · 13 comments

kerem commented 2026-02-26 17:44:17 +03:00

Owner

Copy link

Originally created by @meyergru on GitHub (Oct 18, 2023).
Original GitHub issue: https://github.com/Corsinvest/cv4pve-autosnap/issues/81

What happened?

The syntax of API tokens is very unlucky. If you use something like this in your crontab:

SNAP_APITOKEN="USER@REALM!TOKENID=UUID"

* * * * * root cv4pve-autosnap --host="$SNAP_HOST" --api-token="$SNAP_APITOKEN" --vmid="$SNAP_VMID" snap --only-running --label="hourly" --keep="$SNAP_KEEP_HOURLY" > /dev/null

You will have a problem, since the second '=' will end the token string. No combination of quoting and escaping I have tried succeeded. It is possible to use this from a shell within single quotes, but his cannot be transferred into a crontab entry.

Expected behavior

This should work is the syntax of the string was slightly modified or if another parameter --api-token-base64 was used, such that special characters are eliminated.

Relevant log output

No response

Proxmox VE Version

8.0.4

Version (bug)

1.14.4

Version (working)

no

On what operating system are you experiencing the issue?

Linux

Pull Request

• I would like to do a Pull Request

Originally created by @meyergru on GitHub (Oct 18, 2023). Original GitHub issue: https://github.com/Corsinvest/cv4pve-autosnap/issues/81 ### What happened? The syntax of API tokens is very unlucky. If you use something like this in your crontab: ``` SNAP_APITOKEN="USER@REALM!TOKENID=UUID" * * * * * root cv4pve-autosnap --host="$SNAP_HOST" --api-token="$SNAP_APITOKEN" --vmid="$SNAP_VMID" snap --only-running --label="hourly" --keep="$SNAP_KEEP_HOURLY" > /dev/null ``` You will have a problem, since the second '=' will end the token string. No combination of quoting and escaping I have tried succeeded. It is possible to use this from a shell within single quotes, but his cannot be transferred into a crontab entry. ### Expected behavior This should work is the syntax of the string was slightly modified or if another parameter --api-token-base64 was used, such that special characters are eliminated. ### Relevant log output _No response_ ### Proxmox VE Version 8.0.4 ### Version (bug) 1.14.4 ### Version (working) no ### On what operating system are you experiencing the issue? Linux ### Pull Request - [ ] I would like to do a Pull Request

kerem 2026-02-26 17:44:17 +03:00

• closed this issue
• added the
  needs investigation
  label

kerem commented 2026-02-26 17:44:18 +03:00

Author

Owner

Copy link

@franklupo commented on GitHub (Oct 19, 2023):

Hi,
This is a format user from Proxmox

<!-- gh-comment-id:1769879780 --> @franklupo commented on GitHub (Oct 19, 2023): Hi, This is a format user from Proxmox

kerem commented 2026-02-26 17:44:18 +03:00

Author

Owner

Copy link

@meyergru commented on GitHub (Oct 19, 2023):

I know that, but the way it is given to the program makes it impossible to use. If the parameter format for cv4pve-autosnap was not like "--xxx=yyy", but "-x yyy", there was no problem if an API token like USER@REALM!TOKENID=UUID was provided.

The problem is the second '=', since after crontab expansion is used, all is left is "--api-token=USER@REALM!TOKENID=UUID" without any possibility of quoting it. That remaining string is cut off at the second '='.

<!-- gh-comment-id:1770248637 --> @meyergru commented on GitHub (Oct 19, 2023): I know that, but the way it is given to the program makes it impossible to use. If the parameter format for cv4pve-autosnap was not like "--xxx=yyy", but "-x yyy", there was no problem if an API token like USER@REALM!TOKENID=UUID was provided. The problem is the second '=', since after crontab expansion is used, all is left is "--api-token=USER@REALM!TOKENID=UUID" without any possibility of quoting it. That remaining string is cut off at the second '='.

kerem commented 2026-02-26 17:44:18 +03:00

Author

Owner

Copy link

@franklupo commented on GitHub (Oct 19, 2023):

Hi,
You can use wothout =,
--api-token USER@REALM!TOKENID=UUID

<!-- gh-comment-id:1770409625 --> @franklupo commented on GitHub (Oct 19, 2023): Hi, You can use wothout =, ` --api-token USER@REALM!TOKENID=UUID `

kerem commented 2026-02-26 17:44:18 +03:00

Author

Owner

Copy link

@meyergru commented on GitHub (Oct 19, 2023):

It tried, but within a crontab, it does not work. It is capped at the '='.

<!-- gh-comment-id:1770414516 --> @meyergru commented on GitHub (Oct 19, 2023): It tried, but within a crontab, it does not work. It is capped at the '='.

kerem commented 2026-02-26 17:44:19 +03:00

Author

Owner

Copy link

@franklupo commented on GitHub (Oct 19, 2023):

In shell work?

<!-- gh-comment-id:1770421462 --> @franklupo commented on GitHub (Oct 19, 2023): In shell work?

kerem commented 2026-02-26 17:44:19 +03:00

Author

Owner

Copy link

@franklupo commented on GitHub (Oct 19, 2023):

If you wanth can specify esternal file for parameters.

<!-- gh-comment-id:1770425820 --> @franklupo commented on GitHub (Oct 19, 2023): If you wanth can specify esternal file for parameters.

kerem commented 2026-02-26 17:44:19 +03:00

Author

Owner

Copy link

@franklupo commented on GitHub (Oct 19, 2023):

https://github.com/Corsinvest/cv4pve-autosnap#execution-with-file-parameter

<!-- gh-comment-id:1770428833 --> @franklupo commented on GitHub (Oct 19, 2023): https://github.com/Corsinvest/cv4pve-autosnap#execution-with-file-parameter

kerem commented 2026-02-26 17:44:19 +03:00

Author

Owner

Copy link

@meyergru commented on GitHub (Oct 19, 2023):

Yes, it works in a shell because there, I can quote, which is not possible in a crontab entry. Here is the full example for /etc/cron.d/whatever:

PATH=/usr/bin:/bin:/usr/local/bin/
MAILTO="proxmox@test.de"

SNAP_HOST="127.0.0.1"
SNAP_USER="snapshot@pam"
SNAP_PASS="snappass"
SNAP_APITOKEN="snapshot@pam!snapshot=42cfa924-0c23-4b9f-9eba-db62c3984b33"

# "all" for all VMs, exceptions with "-105"
SNAP_VMID="all,-105'

SNAP_KEEP_HOURLY=23
SNAP_KEEP_DAILY=6
SNAP_KEEP_WEEKLY=4
SNAP_KEEP_MONTHLY=3

# hourly
#1 1-23  *       *       *       root    cv4pve-autosnap --host="$SNAP_HOST" --username="$SNAP_USER" --password="$SNAP_PASS" --vmid="$SNAP_VMID" snap --only-running --label="hourly" --keep="$SNAP_KEEP_HOURLY" > /dev/null
* *  *       *       *       root    cv4pve-autosnap --host="$SNAP_HOST" --api-token="$SNAP_APITOKEN" --vmid="$SNAP_VMID" snap --only-running --label="minute" --keep="$SNAP_KEEP_HOURLY"

As you can see, I commented out and modified the username/passwd version in order to send mail of the output and start once every minute. You have to modify MAILTO to get the results. I have tried every imaginable way of quoting and escaping - including using a space after --api-token, but this never works. And obviously, the user/pass and api-tokens are not real.

The example is from here: https://techlr.de/proxmox-automatische-snapshots-einrichten/ , thus there are a few lines missing. They all use the same parameters, so it is not really feasible to insert the API key literally everywhere.

Specifying in a file is difficult if you want to have it centrally in a crontab file, especially if you have multiple invocations. I would need 4 additional parameter files, although it would be a valid workaround.

<!-- gh-comment-id:1770445499 --> @meyergru commented on GitHub (Oct 19, 2023): Yes, it works in a shell because there, I can quote, which is not possible in a crontab entry. Here is the full example for /etc/cron.d/whatever: ``` PATH=/usr/bin:/bin:/usr/local/bin/ MAILTO="proxmox@test.de" SNAP_HOST="127.0.0.1" SNAP_USER="snapshot@pam" SNAP_PASS="snappass" SNAP_APITOKEN="snapshot@pam!snapshot=42cfa924-0c23-4b9f-9eba-db62c3984b33" # "all" for all VMs, exceptions with "-105" SNAP_VMID="all,-105' SNAP_KEEP_HOURLY=23 SNAP_KEEP_DAILY=6 SNAP_KEEP_WEEKLY=4 SNAP_KEEP_MONTHLY=3 # hourly #1 1-23 * * * root cv4pve-autosnap --host="$SNAP_HOST" --username="$SNAP_USER" --password="$SNAP_PASS" --vmid="$SNAP_VMID" snap --only-running --label="hourly" --keep="$SNAP_KEEP_HOURLY" > /dev/null * * * * * root cv4pve-autosnap --host="$SNAP_HOST" --api-token="$SNAP_APITOKEN" --vmid="$SNAP_VMID" snap --only-running --label="minute" --keep="$SNAP_KEEP_HOURLY" ``` As you can see, I commented out and modified the username/passwd version in order to send mail of the output and start once every minute. You have to modify MAILTO to get the results. I have tried every imaginable way of quoting and escaping - including using a space after --api-token, but this never works. And obviously, the user/pass and api-tokens are not real. The example is from here: https://techlr.de/proxmox-automatische-snapshots-einrichten/ , thus there are a few lines missing. They all use the same parameters, so it is not really feasible to insert the API key literally everywhere. Specifying in a file is difficult if you want to have it centrally in a crontab file, especially if you have multiple invocations. I would need 4 additional parameter files, although it would be a valid workaround.

kerem commented 2026-02-26 17:44:19 +03:00

Author

Owner

Copy link

@franklupo commented on GitHub (Oct 19, 2023):

Try with ' symbol to esecute command
'cv4pve-autosnap ...'

<!-- gh-comment-id:1770469260 --> @franklupo commented on GitHub (Oct 19, 2023): Try with ' symbol to esecute command 'cv4pve-autosnap ...'

kerem commented 2026-02-26 17:44:19 +03:00

Author

Owner

Copy link

@meyergru commented on GitHub (Oct 19, 2023):

No, that is interpreted as one whole string when given to /bin/sh, also the expansions are not done within single quotes:

/bin/sh: 1: cv4pve-autosnap --host="$SNAP_HOST" --api-token="$SNAP_APITOKEN" --vmid="$SNAP_VMID" snap --only-running --label="minute" --keep="$SNAP_KEEP_HOURLY" : not found

<!-- gh-comment-id:1770488355 --> @meyergru commented on GitHub (Oct 19, 2023): No, that is interpreted as one whole string when given to /bin/sh, also the expansions are not done within single quotes: `/bin/sh: 1: cv4pve-autosnap --host="$SNAP_HOST" --api-token="$SNAP_APITOKEN" --vmid="$SNAP_VMID" snap --only-running --label="minute" --keep="$SNAP_KEEP_HOURLY" : not found `

kerem commented 2026-02-26 17:44:19 +03:00

Author

Owner

Copy link

@meyergru commented on GitHub (Oct 19, 2023):

It is a fine line to keep expanding parameters and having the result kept together despite containing special characters.

Even the '!' is a problem there, because it has special meaning in a shell. That is why you need single quotes around the API token in an interactive shell.

<!-- gh-comment-id:1770496027 --> @meyergru commented on GitHub (Oct 19, 2023): It is a fine line to keep expanding parameters and having the result kept together despite containing special characters. Even the '!' is a problem there, because it has special meaning in a shell. That is why you need single quotes around the API token in an interactive shell.

kerem commented 2026-02-26 17:44:19 +03:00

Author

Owner

Copy link

@franklupo commented on GitHub (Oct 19, 2023):

External file with all comman line is a solution

<!-- gh-comment-id:1770857491 --> @franklupo commented on GitHub (Oct 19, 2023): External file with all comman line is a solution

kerem commented 2026-02-26 17:44:19 +03:00

Author

Owner

Copy link

@meyergru commented on GitHub (Oct 19, 2023):

As I wrote, I would have to specifiy 4 different files for the 4 periods in the original example crontab. However, one can also use @file with additional parameters. So, I modified the crontab entry to this:

PATH=/usr/bin:/bin:/usr/local/bin/
MAILTO="proxmox@test.de"

SNAP_CREDENTIALS=/etc/cv4pve-autosnap/credentials.conf

# "all" for all VMs, exceptions with "-123" possible, or just the following VMs: "123,124"
SNAP_VMID="all,-105"

SNAP_KEEP_HOURLY=23
SNAP_KEEP_DAILY=6
SNAP_KEEP_WEEKLY=4
SNAP_KEEP_MONTHLY=3

# hourly
1 1-23  *       *       *       root    cv4pve-autosnap @"$SNAP_CREDENTIALS" --vmid="$SNAP_VMID" snap --only-running --label="hourly" --keep="$SNAP_KEEP_HOURLY" > /dev/null

# weekly -> So; daily -> Mo-Sa
1 0     2-31    *       *       root    [ "$(date +\%u)" = "7" ] && cv4pve-autosnap @"$SNAP_CREDENTIALS" --vmid="$SNAP_VMID" snap --only-running --label="weekly" --keep="$SNAP_KEEP_WEEKLY" > /dev/null || cv4pve-autosnap @"$SNAP_CREDENTIALS" --vmid="$SNAP_VMID" snap --only-running --label="daily" --keep="$SNAP_KEEP_DAILY" > /dev/null

# monthly
1 0     1       *       *       root    cv4pve-autosnap @"$SNAP_CREDENTIALS" --vmid="$SNAP_VMID" snap --only-running --label="monthly" --keep="$SNAP_KEEP_MONTHLY" > /dev/null

With /etc/cv4pve-autosnap/credentials containing this:

--host=127.0.0.1 --api-token=--host=127.0.0.1 --api-token=snapshot@pam!snapshot=42cfa924-0c23-4b9f-9eba-db62c3984b33
or this:

--host=127.0.0.1 --username=snapshot@pam --password=snappass

<!-- gh-comment-id:1770958619 --> @meyergru commented on GitHub (Oct 19, 2023): As I wrote, I would have to specifiy 4 different files for the 4 periods in the original example crontab. However, one can also use @file with additional parameters. So, I modified the crontab entry to this: ``` PATH=/usr/bin:/bin:/usr/local/bin/ MAILTO="proxmox@test.de" SNAP_CREDENTIALS=/etc/cv4pve-autosnap/credentials.conf # "all" for all VMs, exceptions with "-123" possible, or just the following VMs: "123,124" SNAP_VMID="all,-105" SNAP_KEEP_HOURLY=23 SNAP_KEEP_DAILY=6 SNAP_KEEP_WEEKLY=4 SNAP_KEEP_MONTHLY=3 # hourly 1 1-23 * * * root cv4pve-autosnap @"$SNAP_CREDENTIALS" --vmid="$SNAP_VMID" snap --only-running --label="hourly" --keep="$SNAP_KEEP_HOURLY" > /dev/null # weekly -> So; daily -> Mo-Sa 1 0 2-31 * * root [ "$(date +\%u)" = "7" ] && cv4pve-autosnap @"$SNAP_CREDENTIALS" --vmid="$SNAP_VMID" snap --only-running --label="weekly" --keep="$SNAP_KEEP_WEEKLY" > /dev/null || cv4pve-autosnap @"$SNAP_CREDENTIALS" --vmid="$SNAP_VMID" snap --only-running --label="daily" --keep="$SNAP_KEEP_DAILY" > /dev/null # monthly 1 0 1 * * root cv4pve-autosnap @"$SNAP_CREDENTIALS" --vmid="$SNAP_VMID" snap --only-running --label="monthly" --keep="$SNAP_KEEP_MONTHLY" > /dev/null ``` With /etc/cv4pve-autosnap/credentials containing this: `--host=127.0.0.1 --api-token=--host=127.0.0.1 --api-token=snapshot@pam!snapshot=42cfa924-0c23-4b9f-9eba-db62c3984b33 ` or this: `--host=127.0.0.1 --username=snapshot@pam --password=snappass `

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

improve/v2.0.1

v2.1.1

v2.1.0

v2.0.1

v2.0.0

v1.21.0

v1.20.0

v1.19.0

v1.18.0

v1.17.0

v1.16.0

v1.15.2

v1.15.1

v1.15.0

v1.14.11

v1.14.10

v1.14.9

v1.14.8

v1.14.7

v1.14.6

v1.14.5

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.0

v1.11.0

v1.10.0

v1.9.11

v1.9.10

v1.9.9

v1.9.8

v1.9.7

v1.9.6

v1.9.5

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.8.1

v1.8.0

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.6.0

v1.5.0

v1.4.0

v1.3.0

v1.2.0

v1.1.2

1.1.1

0.1.11

0.1.10

0.1.9

0.1.8

0.1.7

0.1.6_all

0.1.5-1_all

0.1.4-1_all

0.1.3-1_all

0.1.2-1_all

0.1.1-1_all

0.1.0-1_all

Labels

Clear labels   

bug

  

enhancement

  

needs investigation

  

needs investigation

  

pull-request

Mirrored from GitHub Pull Request

  

question

No labels

bug

enhancement

needs investigation

needs investigation

pull-request

question

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/cv4pve-autosnap#78

No description provided.