From 457bbcca1e2ad0e86ec08509945190ca48f493c1 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Thu, 8 Jun 2023 15:46:32 +0200 Subject: [PATCH] let virt-inspector recognize "--key /dev/mapper/VG-LV:key:password" resolves: rhbz#2209280 Signed-off-by: Laszlo Ersek --- ...of-libguestfs-winsupport-features-ex.patch | 3 - ...-builder-Disable-opensuse-repository.patch | 3 - 0003-Remove-virt-dib.patch | 3 - ...vendor-and-device-names-in-PCI-and-U.patch | 3 - 0005-update-common-submodule.patch | 203 ++++++++++++++++++ ...name-VGs-and-LVs-in-LUKS-on-LVM-test.patch | 88 ++++++++ ...ev-mapper-VG-LV-translation-in-LUKS-.patch | 48 +++++ guestfs-tools.spec | 9 +- 8 files changed, 347 insertions(+), 13 deletions(-) create mode 100644 0005-update-common-submodule.patch create mode 100644 0006-inspector-rename-VGs-and-LVs-in-LUKS-on-LVM-test.patch create mode 100644 0007-inspector-test-dev-mapper-VG-LV-translation-in-LUKS-.patch diff --git a/0001-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch b/0001-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch index f1b4b83..1253d15 100644 --- a/0001-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch +++ b/0001-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch @@ -22,6 +22,3 @@ index 16debd129..1c13ddac3 100755 sparse windows.img-t 512M run --- -2.31.1 - diff --git a/0002-RHEL-builder-Disable-opensuse-repository.patch b/0002-RHEL-builder-Disable-opensuse-repository.patch index c4c8346..b43a2d6 100644 --- a/0002-RHEL-builder-Disable-opensuse-repository.patch +++ b/0002-RHEL-builder-Disable-opensuse-repository.patch @@ -24,6 +24,3 @@ index 19f979699..a57fc6977 100644 +#[opensuse.org] +#uri=http://download.opensuse.org/repositories/Virtualization:/virt-builder-images/images/index +#gpgkey=file://@SYSCONFDIR@/virt-builder/repos.d/opensuse.gpg --- -2.31.1 - diff --git a/0003-Remove-virt-dib.patch b/0003-Remove-virt-dib.patch index 9e84187..4887d2d 100644 --- a/0003-Remove-virt-dib.patch 
+++ b/0003-Remove-virt-dib.patch @@ -3625,6 +3625,3 @@ index f5c643822..15f487b4c 100755 prepend PATH "$b/diff" prepend PATH "$b/drivers" prepend PATH "$b/edit" --- -2.31.1 - diff --git a/0004-drivers-Look-up-vendor-and-device-names-in-PCI-and-U.patch b/0004-drivers-Look-up-vendor-and-device-names-in-PCI-and-U.patch index 5adc2c6..70396be 100644 --- a/0004-drivers-Look-up-vendor-and-device-names-in-PCI-and-U.patch +++ b/0004-drivers-Look-up-vendor-and-device-names-in-PCI-and-U.patch @@ -478,6 +478,3 @@ index 73984796f..7632f374d 100644 get-kernel/get_kernel.ml resize/resize.ml sparsify/cmdline.ml --- -2.31.1 - diff --git a/0005-update-common-submodule.patch b/0005-update-common-submodule.patch new file mode 100644 index 0000000..21dc25e --- /dev/null +++ b/0005-update-common-submodule.patch 
@@ -0,0 +1,203 @@ +From a55dcd5162e51a952ee6c23c4a89c1b098f304f4 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Fri, 19 May 2023 17:55:05 +0200 +Subject: [PATCH] update common submodule + +Laszlo Ersek (2): + options/keys: key_store_import_key(): un-constify "key" parameter + options/keys: introduce unescape_device_mapper_lvm() + +Richard W.M. Jones (1): + mlcustomize/SELinux_relabel.ml: Use Array.mem + +Roman Kagan (1): + mlcustomize: skip SELinux relabeling if it's disabled + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2168506 +Signed-off-by: Laszlo Ersek +Message-Id: <20230519155507.369494-2-lersek@redhat.com> +Reviewed-by: Richard W.M. Jones +(cherry picked from commit 4ddcae7e8543d2a63d907729d5b0d22f659d071f) +--- + common | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Submodule common 70c10a079..b636c3f20: +diff --git a/common/options/options.h b/common/options/options.h +index 94573ee06..94e8b9eef 100644 +--- a/common/options/options.h ++++ b/common/options/options.h +@@ -169,7 +169,8 @@ extern struct matching_key *get_keys (struct key_store *ks, const char *device, + const char *uuid, size_t *nr_matches); + extern void free_keys (struct matching_key *keys, size_t nr_matches); + extern struct key_store *key_store_add_from_selector (struct key_store *ks, const char *selector); +-extern struct key_store *key_store_import_key (struct key_store *ks, const struct key_store_key *key); ++extern struct key_store *key_store_import_key (struct key_store *ks, ++ struct key_store_key *key); + extern bool key_store_requires_network (const struct key_store *ks); + extern void free_key_store (struct key_store *ks); + +diff --git a/common/mlcustomize/SELinux_relabel.ml b/common/mlcustomize/SELinux_relabel.ml +index 5ecf7bd7e..2f3a09bf7 100644 +--- a/common/mlcustomize/SELinux_relabel.ml ++++ b/common/mlcustomize/SELinux_relabel.ml +@@ -24,10 +24,6 @@ open Printf + + module G = Guestfs + +-(* Simple reimplementation of Array.mem, available only 
with OCaml >= 4.03. *) +-let array_find a l = +- List.mem a (Array.to_list l) +- + let rec relabel (g : G.guestfs) = + (* Is the guest using SELinux? (Otherwise this is a no-op). *) + if is_selinux_guest g then ( +@@ -59,14 +55,24 @@ and use_setfiles g = + g#aug_load (); + debug_augeas_errors g; + ++ let config_path = "/files/etc/selinux/config" in ++ let config_keys = g#aug_ls config_path in ++ (* SELinux may be disabled via a setting in config file *) ++ let selinux_disabled = ++ let selinuxmode_path = config_path ^ "/SELINUX" in ++ if Array.mem selinuxmode_path config_keys then ++ g#aug_get selinuxmode_path = "disabled" ++ else ++ false in ++ if selinux_disabled then ++ failwith "selinux disabled"; ++ + (* Get the SELinux policy name, eg. "targeted", "minimum". + * Use "targeted" if not specified, just like libselinux does. + *) + let policy = +- let config_path = "/files/etc/selinux/config" in + let selinuxtype_path = config_path ^ "/SELINUXTYPE" in +- let keys = g#aug_ls config_path in +- if array_find selinuxtype_path keys then ++ if Array.mem selinuxtype_path config_keys then + g#aug_get selinuxtype_path + else + "targeted" in +diff --git a/common/options/keys.c b/common/options/keys.c +index 48f1bc7c7..52b273690 100644 +--- a/common/options/keys.c ++++ b/common/options/keys.c +@@ -260,8 +260,107 @@ key_store_add_from_selector (struct key_store *ks, const char *selector) + return key_store_import_key (ks, &key); + } + ++/* Turn /dev/mapper/VG-LV into /dev/VG/LV, in-place. */ ++static void ++unescape_device_mapper_lvm (char *id) ++{ ++ static const char dev[] = "/dev/", dev_mapper[] = "/dev/mapper/"; ++ const char *input_start; ++ char *output; ++ enum { M_SCAN, M_FILL, M_DONE } mode; ++ ++ if (!STRPREFIX (id, dev_mapper)) ++ return; ++ ++ /* Start parsing "VG-LV" from "id" after "/dev/mapper/". */ ++ input_start = id + (sizeof dev_mapper - 1); ++ ++ /* Start writing the unescaped "VG/LV" output after "/dev/". 
*/ ++ output = id + (sizeof dev - 1); ++ ++ for (mode = M_SCAN; mode < M_DONE; ++mode) { ++ char c; ++ const char *input = input_start; ++ const char *hyphen_buffered = NULL; ++ bool single_hyphen_seen = false; ++ ++ do { ++ c = *input; ++ ++ switch (c) { ++ case '-': ++ if (hyphen_buffered == NULL) ++ /* This hyphen may start an escaped hyphen, or it could be the ++ * separator in VG-LV. ++ */ ++ hyphen_buffered = input; ++ else { ++ /* This hyphen completes an escaped hyphen; unescape it. */ ++ if (mode == M_FILL) ++ *output++ = '-'; ++ hyphen_buffered = NULL; ++ } ++ break; ++ ++ case '/': ++ /* Slash characters are forbidden in VG-LV anywhere. If there's any, ++ * we'll find it in the first (i.e., scanning) phase, before we output ++ * anything back to "id". ++ */ ++ assert (mode == M_SCAN); ++ return; ++ ++ default: ++ /* Encountered a non-slash, non-hyphen character -- which also may be ++ * the terminating NUL. ++ */ ++ if (hyphen_buffered != NULL) { ++ /* The non-hyphen character comes after a buffered hyphen, so the ++ * buffered hyphen is supposed to be the single hyphen that separates ++ * VG from LV in VG-LV. There are three requirements for this ++ * separator: (a) it must be unique (we must not have seen another ++ * such separator earlier), (b) it must not be at the start of VG-LV ++ * (because VG would be empty that way), (c) it must not be at the end ++ * of VG-LV (because LV would be empty that way). Should any of these ++ * be violated, we'll catch that during the first (i.e., scanning) ++ * phase, before modifying "id". ++ */ ++ if (single_hyphen_seen || hyphen_buffered == input_start || ++ c == '\0') { ++ assert (mode == M_SCAN); ++ return; ++ } ++ ++ /* Translate the separator hyphen to a slash character. 
*/ ++ if (mode == M_FILL) ++ *output++ = '/'; ++ hyphen_buffered = NULL; ++ single_hyphen_seen = true; ++ } ++ ++ /* Output the non-hyphen character (including the terminating NUL) ++ * regardless of whether there was a buffered hyphen separator (which, ++ * by now, we'll have attempted to translate and flush). ++ */ ++ if (mode == M_FILL) ++ *output++ = c; ++ } ++ ++ ++input; ++ } while (c != '\0'); ++ ++ /* We must have seen the VG-LV separator. If that's not the case, we'll ++ * catch it before modifying "id". ++ */ ++ if (!single_hyphen_seen) { ++ assert (mode == M_SCAN); ++ return; ++ } ++ } ++} ++ + struct key_store * +-key_store_import_key (struct key_store *ks, const struct key_store_key *key) ++key_store_import_key (struct key_store *ks, struct key_store_key *key) + { + struct key_store_key *new_keys; + +@@ -278,6 +377,7 @@ key_store_import_key (struct key_store *ks, const struct key_store_key *key) + error (EXIT_FAILURE, errno, "realloc"); + + ks->keys = new_keys; ++ unescape_device_mapper_lvm (key->id); + ks->keys[ks->nr_keys] = *key; + ++ks->nr_keys; + diff --git a/0006-inspector-rename-VGs-and-LVs-in-LUKS-on-LVM-test.patch b/0006-inspector-rename-VGs-and-LVs-in-LUKS-on-LVM-test.patch new file mode 100644 index 0000000..1878e8c --- /dev/null +++ b/0006-inspector-rename-VGs-and-LVs-in-LUKS-on-LVM-test.patch 
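Review bot: The header comment `/* Turn /dev/mapper/VG-LV into /dev/VG/LV, in-place. */` on unescape_device_mapper_lvm (nested common/options/keys.c hunk inside the new 0005 patch) does not say that `id` is left untouched when the name fails to parse as VG-LV, nor that every /dev/mapper name with exactly one unescaped hyphen is assumed to be LVM — a non-LVM device-mapper node opened under a name such as "crypt-outer" would, as far as I can tell from the scanning rules, be rewritten to /dev/crypt/outer and the key would then never match. The scan pass rejects empty VG/LV, a second separator and any slash, but nothing visible here confirms that the result actually names an LV, so the limitation should at least be stated; proposed replacement comment: `/* Turn /dev/mapper/VG-LV into /dev/VG/LV, in-place. "id" is left unchanged if it lacks the /dev/mapper/ prefix or does not parse as VG-LV (no separator, empty VG or LV, or a slash). NOTE: a non-LVM dm node whose name contains a single unescaped hyphen is indistinguishable from VG-LV and is rewritten too. */`. Since the call is made unconditionally from key_store_import_key on `key->id`, and the `const` was dropped from the prototype to allow this, it is worth confirming that every caller of key_store_import_key (all outside this hunk) passes a writable heap buffer rather than a literal or shared string.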
@@ -0,0 +1,88 @@ +From 9ac1ea9d5269c72874ea662cd70803b3781d0876 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Fri, 19 May 2023 17:55:06 +0200 +Subject: [PATCH] inspector: rename VGs and LVs in LUKS-on-LVM test + +In preparation for a subsequent patch, rename "VG" to "Volume-Group", and +"LV" to "Logical-Volume-", in the LUKS-on-LVM virt-inspector test. + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2168506 +Signed-off-by: Laszlo Ersek +Message-Id: <20230519155507.369494-3-lersek@redhat.com> +Reviewed-by: Richard W.M. Jones +(cherry picked from commit 46a381efcf2bf74f1534ecb198f9570ee5baaccd) +--- + inspector/test-virt-inspector-luks-on-lvm.sh | 11 +++---- + test-data/phony-guests/make-fedora-img.pl | 30 +++++++++++--------- + 2 files changed, 23 insertions(+), 18 deletions(-) + +diff --git a/inspector/test-virt-inspector-luks-on-lvm.sh b/inspector/test-virt-inspector-luks-on-lvm.sh +index b9989433d..35454e630 100755 +--- a/inspector/test-virt-inspector-luks-on-lvm.sh ++++ b/inspector/test-virt-inspector-luks-on-lvm.sh +@@ -36,14 +36,15 @@ if [ "$(guestfish version | grep minor | awk '{print $2}')" -lt 47 ]; then + fi + + f=../test-data/phony-guests/fedora-luks-on-lvm.img +-keys=(--key /dev/VG/Root:key:FEDORA-Root +- --key /dev/VG/LV1:key:FEDORA-LV1 +- --key /dev/VG/LV2:key:FEDORA-LV2 +- --key /dev/VG/LV3:key:FEDORA-LV3) ++keys=(--key /dev/Volume-Group/Root:key:FEDORA-Root ++ --key /dev/Volume-Group/Logical-Volume-1:key:FEDORA-LV1 ++ --key /dev/Volume-Group/Logical-Volume-2:key:FEDORA-LV2 ++ --key /dev/Volume-Group/Logical-Volume-3:key:FEDORA-LV3) + + # Ignore zero-sized file. + if [ -s "$f" ]; then +- uuid_root=$(guestfish --ro -i -a "$f" "${keys[@]}" luks-uuid /dev/VG/Root) ++ uuid_root=$(guestfish --ro -i -a "$f" "${keys[@]}" \ ++ luks-uuid /dev/Volume-Group/Root) + b=$(basename "$f") + $VG virt-inspector "${keys[@]}" --format=raw -a "$f" > "actual-$b.xml" + # Check the generated output validate the schema. 
+diff --git a/test-data/phony-guests/make-fedora-img.pl b/test-data/phony-guests/make-fedora-img.pl +index ffa7e0f10..9721ce4a9 100755 +--- a/test-data/phony-guests/make-fedora-img.pl ++++ b/test-data/phony-guests/make-fedora-img.pl +@@ -224,23 +224,27 @@ EOF + + # Create the Volume Group on /dev/sda2. + $g->pvcreate ('/dev/sda2'); +- $g->vgcreate ('VG', ['/dev/sda2']); +- $g->lvcreate ('Root', 'VG', 256); +- $g->lvcreate ('LV1', 'VG', 32); +- $g->lvcreate ('LV2', 'VG', 32); +- $g->lvcreate ('LV3', 'VG', 64); ++ $g->vgcreate ('Volume-Group', ['/dev/sda2']); ++ $g->lvcreate ('Root', 'Volume-Group', 256); ++ $g->lvcreate ('Logical-Volume-1', 'Volume-Group', 32); ++ $g->lvcreate ('Logical-Volume-2', 'Volume-Group', 32); ++ $g->lvcreate ('Logical-Volume-3', 'Volume-Group', 64); + + # Format each Logical Group as a LUKS device, with a different password. +- $g->luks_format ('/dev/VG/Root', 'FEDORA-Root', 0); +- $g->luks_format ('/dev/VG/LV1', 'FEDORA-LV1', 0); +- $g->luks_format ('/dev/VG/LV2', 'FEDORA-LV2', 0); +- $g->luks_format ('/dev/VG/LV3', 'FEDORA-LV3', 0); ++ $g->luks_format ('/dev/Volume-Group/Root', 'FEDORA-Root', 0); ++ $g->luks_format ('/dev/Volume-Group/Logical-Volume-1', 'FEDORA-LV1', 0); ++ $g->luks_format ('/dev/Volume-Group/Logical-Volume-2', 'FEDORA-LV2', 0); ++ $g->luks_format ('/dev/Volume-Group/Logical-Volume-3', 'FEDORA-LV3', 0); + + # Open the LUKS devices. This creates nodes like /dev/mapper/*-luks. 
+- $g->cryptsetup_open ('/dev/VG/Root', 'FEDORA-Root', 'Root-luks'); +- $g->cryptsetup_open ('/dev/VG/LV1', 'FEDORA-LV1', 'LV1-luks'); +- $g->cryptsetup_open ('/dev/VG/LV2', 'FEDORA-LV2', 'LV2-luks'); +- $g->cryptsetup_open ('/dev/VG/LV3', 'FEDORA-LV3', 'LV3-luks'); ++ $g->cryptsetup_open ('/dev/Volume-Group/Root', ++ 'FEDORA-Root', 'Root-luks'); ++ $g->cryptsetup_open ('/dev/Volume-Group/Logical-Volume-1', ++ 'FEDORA-LV1', 'LV1-luks'); ++ $g->cryptsetup_open ('/dev/Volume-Group/Logical-Volume-2', ++ 'FEDORA-LV2', 'LV2-luks'); ++ $g->cryptsetup_open ('/dev/Volume-Group/Logical-Volume-3', ++ 'FEDORA-LV3', 'LV3-luks'); + + # Phony root filesystem. + $g->mkfs ('ext2', '/dev/mapper/Root-luks', blocksize => 4096, label => 'ROOT'); diff --git a/0007-inspector-test-dev-mapper-VG-LV-translation-in-LUKS-.patch b/0007-inspector-test-dev-mapper-VG-LV-translation-in-LUKS-.patch new file mode 100644 index 0000000..8046716 --- /dev/null +++ b/0007-inspector-test-dev-mapper-VG-LV-translation-in-LUKS-.patch 
@@ -0,0 +1,48 @@ +From d8d1e7213716835f263a4f20d9e6cf8719c210c0 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Fri, 19 May 2023 17:55:07 +0200 +Subject: [PATCH] inspector: test /dev/mapper/VG-LV translation in LUKS-on-LVM + test + +In the LUKS-on-LVM virt-inspector test, run virt-inspector one more time, +now with such "--key" options that exercise the recent "/dev/mapper/VG-LV" +-> "/dev/VG/LV" translation (unescaping) from libguestfs-common. Verify +that virt-inspector outputs the same XML as it did when we passed it the +"/dev/VG/LV" format "--key" options. + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2168506 +Signed-off-by: Laszlo Ersek +Message-Id: <20230519155507.369494-4-lersek@redhat.com> +Reviewed-by: Richard W.M. Jones +(cherry picked from commit 569bd1dd29da7f3a7b3399ad85340f84d59b3a10) +--- + inspector/test-virt-inspector-luks-on-lvm.sh | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/inspector/test-virt-inspector-luks-on-lvm.sh b/inspector/test-virt-inspector-luks-on-lvm.sh +index 35454e630..13b25e338 100755 +--- a/inspector/test-virt-inspector-luks-on-lvm.sh ++++ b/inspector/test-virt-inspector-luks-on-lvm.sh +@@ -41,6 +41,11 @@ keys=(--key /dev/Volume-Group/Root:key:FEDORA-Root + --key /dev/Volume-Group/Logical-Volume-2:key:FEDORA-LV2 + --key /dev/Volume-Group/Logical-Volume-3:key:FEDORA-LV3) + ++keys_mapper=(--key /dev/mapper/Volume--Group-Root:key:FEDORA-Root ++ --key /dev/mapper/Volume--Group-Logical--Volume--1:key:FEDORA-LV1 ++ --key /dev/mapper/Volume--Group-Logical--Volume--2:key:FEDORA-LV2 ++ --key /dev/mapper/Volume--Group-Logical--Volume--3:key:FEDORA-LV3) ++ + # Ignore zero-sized file. + if [ -s "$f" ]; then + uuid_root=$(guestfish --ro -i -a "$f" "${keys[@]}" \ +@@ -53,4 +58,10 @@ if [ -s "$f" ]; then + # are any differences. 
+ sed -e "s/ROOTUUID/$uuid_root/" < "$srcdir/expected-$b.xml" \ + | diff -u - "actual-$b.xml" ++ ++ # Re-run virt-inspector with keys using the /dev/mapper/VG-LV format; verify ++ # only that the XML output matches the output from the previous ++ # virt-inspector invocation (which used the /dev/VG/LV format). ++ $VG virt-inspector "${keys_mapper[@]}" --format=raw -a "$f" \ ++ | diff -u "actual-$b.xml" - + fi diff --git a/guestfs-tools.spec b/guestfs-tools.spec index 83d674b..6410b60 100644 --- a/guestfs-tools.spec +++ b/guestfs-tools.spec @@ -26,7 +26,7 @@ Summary: Tools to access and modify virtual machine disk images Name: guestfs-tools Version: 1.50.1 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ # Build only for architectures that have a kernel @@ -59,6 +59,9 @@ Patch0001: 0001-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch Patch0002: 0002-RHEL-builder-Disable-opensuse-repository.patch Patch0003: 0003-Remove-virt-dib.patch Patch0004: 0004-drivers-Look-up-vendor-and-device-names-in-PCI-and-U.patch +Patch0005: 0005-update-common-submodule.patch +Patch0006: 0006-inspector-rename-VGs-and-LVs-in-LUKS-on-LVM-test.patch +Patch0007: 0007-inspector-test-dev-mapper-VG-LV-translation-in-LUKS-.patch %if 0%{patches_touch_autotools} BuildRequires: autoconf, automake, libtool, gettext-devel @@ -417,6 +420,10 @@ end %changelog +* Thu Jun 08 2023 Laszlo Ersek - 1.50.1-3 +- let virt-inspector recognize "--key /dev/mapper/VG-LV:key:password" + resolves: rhbz#2209280 + * Thu Apr 06 2023 Richard W.M. Jones - 1.50.1-1 - Rebase to guestfs-tools 1.50.1 resolves: rhbz#2168626
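Review bot: The added pipeline `$VG virt-inspector "${keys_mapper[@]}" --format=raw -a "$f" | diff -u "actual-$b.xml" -` only propagates the exit status of diff, so if virt-inspector itself fails on a translated key the test fails indirectly, as a diff of the full XML against empty output, and the tool's own error is easy to miss; the script preamble is outside this hunk, so I cannot tell whether `set -o pipefail` is already in effect. If it is not, consider capturing the second run first, `$VG virt-inspector "${keys_mapper[@]}" --format=raw -a "$f" > "actual-mapper-$b.xml"` followed by `diff -u "actual-$b.xml" "actual-mapper-$b.xml"`, and removing the new file wherever `actual-$b.xml` is cleaned up (also outside this hunk).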