let virt-inspector recognize "--key /dev/mapper/VG-LV:key:password"

resolves: rhbz#2209280
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Laszlo Ersek 2023-06-08 15:46:32 +02:00
parent b7a0847f6d
commit 457bbcca1e
8 changed files with 347 additions and 13 deletions


@ -22,6 +22,3 @@ index 16debd129..1c13ddac3 100755
sparse windows.img-t 512M
run
--
2.31.1


@ -24,6 +24,3 @@ index 19f979699..a57fc6977 100644
+#[opensuse.org]
+#uri=http://download.opensuse.org/repositories/Virtualization:/virt-builder-images/images/index
+#gpgkey=file://@SYSCONFDIR@/virt-builder/repos.d/opensuse.gpg
--
2.31.1


@ -3625,6 +3625,3 @@ index f5c643822..15f487b4c 100755
prepend PATH "$b/diff"
prepend PATH "$b/drivers"
prepend PATH "$b/edit"
--
2.31.1


@ -478,6 +478,3 @@ index 73984796f..7632f374d 100644
get-kernel/get_kernel.ml
resize/resize.ml
sparsify/cmdline.ml
--
2.31.1


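--- /dev/null
+++ b/0005-update-common-submodule.patch
@@ -0,0 +1,203 @@
+From a55dcd5162e51a952ee6c23c4a89c1b098f304f4 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 19 May 2023 17:55:05 +0200
+Subject: [PATCH] update common submodule
+Laszlo Ersek (2):
+options/keys: key_store_import_key(): un-constify "key" parameter
+options/keys: introduce unescape_device_mapper_lvm()
+Richard W.M. Jones (1):
+mlcustomize/SELinux_relabel.ml: Use Array.mem
+Roman Kagan (1):
+mlcustomize: skip SELinux relabeling if it's disabled
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2168506
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Message-Id: <20230519155507.369494-2-lersek@redhat.com>
+Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
+(cherry picked from commit 4ddcae7e8543d2a63d907729d5b0d22f659d071f)
+---
+common | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+Submodule common 70c10a079..b636c3f20:
+diff --git a/common/options/options.h b/common/options/options.h
+index 94573ee06..94e8b9eef 100644
+--- a/common/options/options.h
++++ b/common/options/options.h
+@@ -169,7 +169,8 @@ extern struct matching_key *get_keys (struct key_store *ks, const char *device,
+const char *uuid, size_t *nr_matches);
+extern void free_keys (struct matching_key *keys, size_t nr_matches);
+extern struct key_store *key_store_add_from_selector (struct key_store *ks, const char *selector);
+-extern struct key_store *key_store_import_key (struct key_store *ks, const struct key_store_key *key);
++extern struct key_store *key_store_import_key (struct key_store *ks,
++ struct key_store_key *key);
+extern bool key_store_requires_network (const struct key_store *ks);
+extern void free_key_store (struct key_store *ks);
+diff --git a/common/mlcustomize/SELinux_relabel.ml b/common/mlcustomize/SELinux_relabel.ml
+index 5ecf7bd7e..2f3a09bf7 100644
+--- a/common/mlcustomize/SELinux_relabel.ml
++++ b/common/mlcustomize/SELinux_relabel.ml
+@@ -24,10 +24,6 @@ open Printf
+module G = Guestfs
+-(* Simple reimplementation of Array.mem, available only with OCaml >= 4.03. *)
+-let array_find a l =
+- List.mem a (Array.to_list l)
+-
+let rec relabel (g : G.guestfs) =
+(* Is the guest using SELinux? (Otherwise this is a no-op). *)
+if is_selinux_guest g then (
+@@ -59,14 +55,24 @@ and use_setfiles g =
+g#aug_load ();
+debug_augeas_errors g;
++ let config_path = "/files/etc/selinux/config" in
++ let config_keys = g#aug_ls config_path in
++ (* SELinux may be disabled via a setting in config file *)
++ let selinux_disabled =
++ let selinuxmode_path = config_path ^ "/SELINUX" in
++ if Array.mem selinuxmode_path config_keys then
++ g#aug_get selinuxmode_path = "disabled"
++ else
++ false in
++ if selinux_disabled then
++ failwith "selinux disabled";
++
+(* Get the SELinux policy name, eg. "targeted", "minimum".
+* Use "targeted" if not specified, just like libselinux does.
+*)
+let policy =
+- let config_path = "/files/etc/selinux/config" in
+let selinuxtype_path = config_path ^ "/SELINUXTYPE" in
+- let keys = g#aug_ls config_path in
+- if array_find selinuxtype_path keys then
++ if Array.mem selinuxtype_path config_keys then
+g#aug_get selinuxtype_path
+else
+"targeted" in
+diff --git a/common/options/keys.c b/common/options/keys.c
+index 48f1bc7c7..52b273690 100644
+--- a/common/options/keys.c
++++ b/common/options/keys.c
+@@ -260,8 +260,107 @@ key_store_add_from_selector (struct key_store *ks, const char *selector)
+return key_store_import_key (ks, &key);
+}
++/* Turn /dev/mapper/VG-LV into /dev/VG/LV, in-place. */
++static void
++unescape_device_mapper_lvm (char *id)
++{
++ static const char dev[] = "/dev/", dev_mapper[] = "/dev/mapper/";
++ const char *input_start;
++ char *output;
++ enum { M_SCAN, M_FILL, M_DONE } mode;
++
++ if (!STRPREFIX (id, dev_mapper))
++ return;
++
++ /* Start parsing "VG-LV" from "id" after "/dev/mapper/". */
++ input_start = id + (sizeof dev_mapper - 1);
++
++ /* Start writing the unescaped "VG/LV" output after "/dev/". */
++ output = id + (sizeof dev - 1);
++
++ for (mode = M_SCAN; mode < M_DONE; ++mode) {
++ char c;
++ const char *input = input_start;
++ const char *hyphen_buffered = NULL;
++ bool single_hyphen_seen = false;
++
++ do {
++ c = *input;
++
++ switch (c) {
++ case '-':
++ if (hyphen_buffered == NULL)
++ /* This hyphen may start an escaped hyphen, or it could be the
++ * separator in VG-LV.
++ */
++ hyphen_buffered = input;
++ else {
++ /* This hyphen completes an escaped hyphen; unescape it. */
++ if (mode == M_FILL)
++ *output++ = '-';
++ hyphen_buffered = NULL;
++ }
++ break;
++
++ case '/':
++ /* Slash characters are forbidden in VG-LV anywhere. If there's any,
++ * we'll find it in the first (i.e., scanning) phase, before we output
++ * anything back to "id".
++ */
++ assert (mode == M_SCAN);
++ return;
++
++ default:
++ /* Encountered a non-slash, non-hyphen character -- which also may be
++ * the terminating NUL.
++ */
++ if (hyphen_buffered != NULL) {
++ /* The non-hyphen character comes after a buffered hyphen, so the
++ * buffered hyphen is supposed to be the single hyphen that separates
++ * VG from LV in VG-LV. There are three requirements for this
++ * separator: (a) it must be unique (we must not have seen another
++ * such separator earlier), (b) it must not be at the start of VG-LV
++ * (because VG would be empty that way), (c) it must not be at the end
++ * of VG-LV (because LV would be empty that way). Should any of these
++ * be violated, we'll catch that during the first (i.e., scanning)
++ * phase, before modifying "id".
++ */
++ if (single_hyphen_seen || hyphen_buffered == input_start ||
++ c == '\0') {
++ assert (mode == M_SCAN);
++ return;
++ }
++
++ /* Translate the separator hyphen to a slash character. */
++ if (mode == M_FILL)
++ *output++ = '/';
++ hyphen_buffered = NULL;
++ single_hyphen_seen = true;
++ }
++
++ /* Output the non-hyphen character (including the terminating NUL)
++ * regardless of whether there was a buffered hyphen separator (which,
++ * by now, we'll have attempted to translate and flush).
++ */
++ if (mode == M_FILL)
++ *output++ = c;
++ }
++
++ ++input;
++ } while (c != '\0');
++
++ /* We must have seen the VG-LV separator. If that's not the case, we'll
++ * catch it before modifying "id".
++ */
++ if (!single_hyphen_seen) {
++ assert (mode == M_SCAN);
++ return;
++ }
++ }
++}
++
+struct key_store *
+-key_store_import_key (struct key_store *ks, const struct key_store_key *key)
++key_store_import_key (struct key_store *ks, struct key_store_key *key)
+{
+struct key_store_key *new_keys;
+@@ -278,6 +377,7 @@ key_store_import_key (struct key_store *ks, const struct key_store_key *key)
+error (EXIT_FAILURE, errno, "realloc");
+ks->keys = new_keys;
++ unescape_device_mapper_lvm (key->id);
+ks->keys[ks->nr_keys] = *key;
+++ks->nr_keys;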
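Review bot: unescape_device_mapper_lvm() is applied unconditionally in key_store_import_key(), so every /dev/mapper/ id with exactly one unescaped hyphen is rewritten even when it names a non-LVM device-mapper node — the test image's own cryptsetup_open names such as Root-luks would become /dev/Root/luks, which does not exist, and a --key selector for a stacked dm node of that shape could then never match. Whether the key store ever has to match non-LVM dm nodes is not visible in this hunk; if it can, keeping the original id next to the unescaped form (or rewriting only when the unescaped path actually exists) would be safer than overwriting in place. The header comment should state the grammar the function enforces, e.g. `/* Turn /dev/mapper/VG-LV into /dev/VG/LV, in-place: "--" is an escaped hyphen, a single "-" is the VG/LV separator (required exactly once, not at either end); ids that do not fit are left untouched. */`. Dropping const from key in key_store_import_key() also means the function now mutates the caller's key->id buffer, which the callers (outside this view) must tolerate; a comment at the new call site, `/* Rewrites key->id in place; callers must pass a writable, owned string. */`, would make that contract explicit. The rewritten form is always shorter than the /dev/mapper/ spelling, so the in-place write cannot overrun the buffer.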


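--- /dev/null
+++ b/0006-inspector-rename-VGs-and-LVs-in-LUKS-on-LVM-test.patch
@@ -0,0 +1,88 @@
+From 9ac1ea9d5269c72874ea662cd70803b3781d0876 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 19 May 2023 17:55:06 +0200
+Subject: [PATCH] inspector: rename VGs and LVs in LUKS-on-LVM test
+In preparation for a subsequent patch, rename "VG" to "Volume-Group", and
+"LV<n>" to "Logical-Volume-<n>", in the LUKS-on-LVM virt-inspector test.
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2168506
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Message-Id: <20230519155507.369494-3-lersek@redhat.com>
+Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
+(cherry picked from commit 46a381efcf2bf74f1534ecb198f9570ee5baaccd)
+---
+inspector/test-virt-inspector-luks-on-lvm.sh | 11 +++----
+test-data/phony-guests/make-fedora-img.pl | 30 +++++++++++---------
+2 files changed, 23 insertions(+), 18 deletions(-)
+diff --git a/inspector/test-virt-inspector-luks-on-lvm.sh b/inspector/test-virt-inspector-luks-on-lvm.sh
+index b9989433d..35454e630 100755
+--- a/inspector/test-virt-inspector-luks-on-lvm.sh
++++ b/inspector/test-virt-inspector-luks-on-lvm.sh
+@@ -36,14 +36,15 @@ if [ "$(guestfish version | grep minor | awk '{print $2}')" -lt 47 ]; then
+fi
+f=../test-data/phony-guests/fedora-luks-on-lvm.img
+-keys=(--key /dev/VG/Root:key:FEDORA-Root
+- --key /dev/VG/LV1:key:FEDORA-LV1
+- --key /dev/VG/LV2:key:FEDORA-LV2
+- --key /dev/VG/LV3:key:FEDORA-LV3)
++keys=(--key /dev/Volume-Group/Root:key:FEDORA-Root
++ --key /dev/Volume-Group/Logical-Volume-1:key:FEDORA-LV1
++ --key /dev/Volume-Group/Logical-Volume-2:key:FEDORA-LV2
++ --key /dev/Volume-Group/Logical-Volume-3:key:FEDORA-LV3)
+# Ignore zero-sized file.
+if [ -s "$f" ]; then
+- uuid_root=$(guestfish --ro -i -a "$f" "${keys[@]}" luks-uuid /dev/VG/Root)
++ uuid_root=$(guestfish --ro -i -a "$f" "${keys[@]}" \
++ luks-uuid /dev/Volume-Group/Root)
+b=$(basename "$f")
+$VG virt-inspector "${keys[@]}" --format=raw -a "$f" > "actual-$b.xml"
+# Check the generated output validate the schema.
+diff --git a/test-data/phony-guests/make-fedora-img.pl b/test-data/phony-guests/make-fedora-img.pl
+index ffa7e0f10..9721ce4a9 100755
+--- a/test-data/phony-guests/make-fedora-img.pl
++++ b/test-data/phony-guests/make-fedora-img.pl
+@@ -224,23 +224,27 @@ EOF
+# Create the Volume Group on /dev/sda2.
+$g->pvcreate ('/dev/sda2');
+- $g->vgcreate ('VG', ['/dev/sda2']);
+- $g->lvcreate ('Root', 'VG', 256);
+- $g->lvcreate ('LV1', 'VG', 32);
+- $g->lvcreate ('LV2', 'VG', 32);
+- $g->lvcreate ('LV3', 'VG', 64);
++ $g->vgcreate ('Volume-Group', ['/dev/sda2']);
++ $g->lvcreate ('Root', 'Volume-Group', 256);
++ $g->lvcreate ('Logical-Volume-1', 'Volume-Group', 32);
++ $g->lvcreate ('Logical-Volume-2', 'Volume-Group', 32);
++ $g->lvcreate ('Logical-Volume-3', 'Volume-Group', 64);
+# Format each Logical Group as a LUKS device, with a different password.
+- $g->luks_format ('/dev/VG/Root', 'FEDORA-Root', 0);
+- $g->luks_format ('/dev/VG/LV1', 'FEDORA-LV1', 0);
+- $g->luks_format ('/dev/VG/LV2', 'FEDORA-LV2', 0);
+- $g->luks_format ('/dev/VG/LV3', 'FEDORA-LV3', 0);
++ $g->luks_format ('/dev/Volume-Group/Root', 'FEDORA-Root', 0);
++ $g->luks_format ('/dev/Volume-Group/Logical-Volume-1', 'FEDORA-LV1', 0);
++ $g->luks_format ('/dev/Volume-Group/Logical-Volume-2', 'FEDORA-LV2', 0);
++ $g->luks_format ('/dev/Volume-Group/Logical-Volume-3', 'FEDORA-LV3', 0);
+# Open the LUKS devices. This creates nodes like /dev/mapper/*-luks.
+- $g->cryptsetup_open ('/dev/VG/Root', 'FEDORA-Root', 'Root-luks');
+- $g->cryptsetup_open ('/dev/VG/LV1', 'FEDORA-LV1', 'LV1-luks');
+- $g->cryptsetup_open ('/dev/VG/LV2', 'FEDORA-LV2', 'LV2-luks');
+- $g->cryptsetup_open ('/dev/VG/LV3', 'FEDORA-LV3', 'LV3-luks');
++ $g->cryptsetup_open ('/dev/Volume-Group/Root',
++ 'FEDORA-Root', 'Root-luks');
++ $g->cryptsetup_open ('/dev/Volume-Group/Logical-Volume-1',
++ 'FEDORA-LV1', 'LV1-luks');
++ $g->cryptsetup_open ('/dev/Volume-Group/Logical-Volume-2',
++ 'FEDORA-LV2', 'LV2-luks');
++ $g->cryptsetup_open ('/dev/Volume-Group/Logical-Volume-3',
++ 'FEDORA-LV3', 'LV3-luks');
+# Phony root filesystem.
+$g->mkfs ('ext2', '/dev/mapper/Root-luks', blocksize => 4096, label => 'ROOT');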


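--- /dev/null
+++ b/0007-inspector-test-dev-mapper-VG-LV-translation-in-LUKS-.patch
@@ -0,0 +1,48 @@
+From d8d1e7213716835f263a4f20d9e6cf8719c210c0 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 19 May 2023 17:55:07 +0200
+Subject: [PATCH] inspector: test /dev/mapper/VG-LV translation in LUKS-on-LVM
+test
+In the LUKS-on-LVM virt-inspector test, run virt-inspector one more time,
+now with such "--key" options that exercise the recent "/dev/mapper/VG-LV"
+-> "/dev/VG/LV" translation (unescaping) from libguestfs-common. Verify
+that virt-inspector outputs the same XML as it did when we passed it the
+"/dev/VG/LV" format "--key" options.
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2168506
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Message-Id: <20230519155507.369494-4-lersek@redhat.com>
+Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
+(cherry picked from commit 569bd1dd29da7f3a7b3399ad85340f84d59b3a10)
+---
+inspector/test-virt-inspector-luks-on-lvm.sh | 11 +++++++++++
+1 file changed, 11 insertions(+)
+diff --git a/inspector/test-virt-inspector-luks-on-lvm.sh b/inspector/test-virt-inspector-luks-on-lvm.sh
+index 35454e630..13b25e338 100755
+--- a/inspector/test-virt-inspector-luks-on-lvm.sh
++++ b/inspector/test-virt-inspector-luks-on-lvm.sh
+@@ -41,6 +41,11 @@ keys=(--key /dev/Volume-Group/Root:key:FEDORA-Root
+--key /dev/Volume-Group/Logical-Volume-2:key:FEDORA-LV2
+--key /dev/Volume-Group/Logical-Volume-3:key:FEDORA-LV3)
++keys_mapper=(--key /dev/mapper/Volume--Group-Root:key:FEDORA-Root
++ --key /dev/mapper/Volume--Group-Logical--Volume--1:key:FEDORA-LV1
++ --key /dev/mapper/Volume--Group-Logical--Volume--2:key:FEDORA-LV2
++ --key /dev/mapper/Volume--Group-Logical--Volume--3:key:FEDORA-LV3)
++
+# Ignore zero-sized file.
+if [ -s "$f" ]; then
+uuid_root=$(guestfish --ro -i -a "$f" "${keys[@]}" \
+@@ -53,4 +58,10 @@ if [ -s "$f" ]; then
+# are any differences.
+sed -e "s/ROOTUUID/$uuid_root/" < "$srcdir/expected-$b.xml" \
+| diff -u - "actual-$b.xml"
++
++ # Re-run virt-inspector with keys using the /dev/mapper/VG-LV format; verify
++ # only that the XML output matches the output from the previous
++ # virt-inspector invocation (which used the /dev/VG/LV format).
++ $VG virt-inspector "${keys_mapper[@]}" --format=raw -a "$f" \
++ | diff -u "actual-$b.xml" -
+fi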
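Review bot: The added pipeline `$VG virt-inspector "${keys_mapper[@]}" --format=raw -a "$f" | diff -u "actual-$b.xml" -` only reports a virt-inspector failure indirectly, as an XML mismatch, because a pipeline's exit status is that of diff unless the script sets pipefail — the script's preamble is outside the hunk, so I cannot tell whether it does. Writing the second run to a file first, `$VG virt-inspector "${keys_mapper[@]}" --format=raw -a "$f" > "actual-mapper-$b.xml"` followed by `diff -u "actual-$b.xml" "actual-mapper-$b.xml"`, lets a non-zero exit from virt-inspector fail the test on its own and keeps the /dev/mapper-format output around for debugging. The existing sed-into-diff line just above has the same shape, but sed is far less likely to fail than a second full inspection run.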


@ -26,7 +26,7 @@
Summary: Tools to access and modify virtual machine disk images
Name: guestfs-tools
Version: 1.50.1
Release: 2%{?dist}
Release: 3%{?dist}
License: GPLv2+
# Build only for architectures that have a kernel
@ -59,6 +59,9 @@ Patch0001: 0001-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
Patch0002: 0002-RHEL-builder-Disable-opensuse-repository.patch
Patch0003: 0003-Remove-virt-dib.patch
Patch0004: 0004-drivers-Look-up-vendor-and-device-names-in-PCI-and-U.patch
Patch0005: 0005-update-common-submodule.patch
Patch0006: 0006-inspector-rename-VGs-and-LVs-in-LUKS-on-LVM-test.patch
Patch0007: 0007-inspector-test-dev-mapper-VG-LV-translation-in-LUKS-.patch
%if 0%{patches_touch_autotools}
BuildRequires: autoconf, automake, libtool, gettext-devel
@ -417,6 +420,10 @@ end
%changelog
* Thu Jun 08 2023 Laszlo Ersek <lersek@redhat.com> - 1.50.1-3
- let virt-inspector recognize "--key /dev/mapper/VG-LV:key:password"
resolves: rhbz#2209280
* Thu Apr 06 2023 Richard W.M. Jones <rjones@redhat.com> - 1.50.1-1
- Rebase to guestfs-tools 1.50.1
resolves: rhbz#2168626