diff --git a/0001-sysprep-remove-lvm2-s-default-system.devices-file.patch b/0001-sysprep-remove-lvm2-s-default-system.devices-file.patch new file mode 100644 index 0000000..154923c --- /dev/null +++ b/0001-sysprep-remove-lvm2-s-default-system.devices-file.patch @@ -0,0 +1,100 @@ +From 9cae03a73ecfd89634dee40d12c14ba00bff321d Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Sun, 10 Apr 2022 13:38:34 +0200 +Subject: [PATCH] sysprep: remove lvm2's default "system.devices" file + +(Background: lvm2 commit 83fe6e720f42, "device usage based on devices +file", 2021-02-23; first released in v2_03_12.) + +"lvm pvscan" may be -- and in RHEL9, will soon be -- restricted to those +block devices whose WWIDs are listed in "/etc/lvm/devices/system.devices". +This is a problem when cloning a VM, as cloning may change the WWIDs of +the domain's disk devices, and then physical volumes underlying the guest +filesystems may not be found. Example: +. + +Add the "lvm-system-devices" operation for removing this file, so that +"lvm pvscan" investigate all block devices for PVs. + +(Note that this operation is independent from "lvm-uuids". The libguestfs +appliance creates a pristine LVM_SYSTEM_DIR in "appliance/init" (see +libguestfs commit dd162d2cd56a), thus, when "lvm-uuids" calls "g#pvs" and +"g#vgs", those APIs can never be affected by an +"$LVM_SYSTEM_DIR/devices/system.devices" file.) + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2072493 +Signed-off-by: Laszlo Ersek +Message-Id: <20220410113834.6258-1-lersek@redhat.com> +Reviewed-by: Richard W.M. Jones +(cherry picked from commit 4fe8a03cd2d3e4570f4298245bb184ccdc4da0cd) +--- + sysprep/Makefile.am | 1 + + .../sysprep_operation_lvm_system_devices.ml | 44 +++++++++++++++++++ + 2 files changed, 45 insertions(+) + create mode 100644 sysprep/sysprep_operation_lvm_system_devices.ml + +diff --git a/sysprep/Makefile.am b/sysprep/Makefile.am +index 0e3afc8a..7d5e8aad 100644 +--- a/sysprep/Makefile.am ++++ b/sysprep/Makefile.am +@@ -46,6 +46,7 @@ operations = \ + ipa_client \ + kerberos_data \ + kerberos_hostkeytab \ ++ lvm_system_devices \ + lvm_uuids \ + logfiles \ + machine_id \ +diff --git a/sysprep/sysprep_operation_lvm_system_devices.ml b/sysprep/sysprep_operation_lvm_system_devices.ml +new file mode 100644 +index 00000000..b41fa5db +--- /dev/null ++++ b/sysprep/sysprep_operation_lvm_system_devices.ml +@@ -0,0 +1,44 @@ ++(* virt-sysprep ++ * Copyright (C) 2012-2022 Red Hat Inc. ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License along ++ * with this program; if not, write to the Free Software Foundation, Inc., ++ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++ *) ++ ++open Sysprep_operation ++open Common_gettext.Gettext ++ ++module G = Guestfs ++ ++let system_devices_file = "/etc/lvm/devices/system.devices" ++ ++let rec lvm_system_devices_perform g root side_effects = ++ let typ = g#inspect_get_type root in ++ if typ = "linux" then g#rm_f system_devices_file ++ ++let op = { ++ defaults with ++ name = "lvm-system-devices"; ++ enabled_by_default = true; ++ heading = s_"Remove LVM2 system.devices file"; ++ pod_description = ++ Some (s_"On Linux guests, LVM2's scanning for physical volumes (PVs) may \ ++ be restricted to those block devices whose WWIDs are listed in \ ++ C<" ^ system_devices_file ^ ">. When cloning VMs, WWIDs may \ ++ change, breaking C. Remove \ ++ C<" ^ system_devices_file ^ ">."); ++ perform_on_filesystems = Some lvm_system_devices_perform; ++} ++ ++let () = register_operation op +-- +2.31.1 + diff --git a/0002-adopt-inversion-of-SELinux-relabeling-in-virt-custom.patch b/0002-adopt-inversion-of-SELinux-relabeling-in-virt-custom.patch new file mode 100644 index 0000000..9946297 --- /dev/null +++ b/0002-adopt-inversion-of-SELinux-relabeling-in-virt-custom.patch @@ -0,0 +1,347 @@ +From 572241b740ffeb2bd1f1f58023fcd0f3341f0a64 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 10 May 2022 12:50:46 +0200 +Subject: [PATCH] adopt inversion of SELinux relabeling in virt-customize + +Remove "--selinux-relabel" options. + +Do not add any "--no-selinux-relabel" options; rely on the internal check +for SELinux support instead ("is_selinux_guest" in +"common/mlcustomize/SELinux_relabel.ml"). + +"--no-selinux-relabel" becomes a real option for virt-sysprep now. +(Again?) + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1554735 +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075718 +Signed-off-by: Laszlo Ersek +Message-Id: <20220510105046.15167-1-lersek@redhat.com> +Acked-by: Richard W.M. Jones +[lersek@redhat.com: incorporate common submodule update] +(cherry picked from commit 19de3d1c8d4efb53565dbffe532d41ee9d25a832) +--- + builder/templates/make-template.ml | 8 +------- + builder/virt-builder.pod | 20 ++++---------------- + common | 2 +- + customize/customize_run.ml | 2 +- + customize/test-settings.sh | 3 --- + sysprep/main.ml | 2 -- + sysprep/test-virt-sysprep-docs.sh | 2 +- + 7 files changed, 8 insertions(+), 31 deletions(-) + +diff --git a/builder/templates/make-template.ml b/builder/templates/make-template.ml +index d8734940..58603242 100755 +--- a/builder/templates/make-template.ml ++++ b/builder/templates/make-template.ml +@@ -256,8 +256,7 @@ let rec main () = + printf "Sysprepping ...\n%!"; + let cmd = + sprintf "virt-sysprep --quiet -a %s%s" +- (quote tmpout) +- (if is_selinux_os os then " --selinux-relabel" else "") in ++ (quote tmpout) in + if Sys.command cmd <> 0 then exit 1 + ); + +@@ -480,11 +479,6 @@ and can_sysprep_os = function + | Debian _ | Ubuntu _ -> true + | FreeBSD _ | Windows _ -> false + +-and is_selinux_os = function +- | RHEL _ | Alma _ | CentOS _ | CentOSStream _ | Fedora _ -> true +- | Debian _ | Ubuntu _ +- | FreeBSD _ | Windows _ -> false +- + and needs_uefi os arch = + match os, arch with + | Fedora _, Armv7 +diff --git a/builder/virt-builder.pod b/builder/virt-builder.pod +index f7dd6cda..aeb50529 100644 +--- a/builder/virt-builder.pod ++++ b/builder/virt-builder.pod +@@ -131,12 +131,6 @@ To update the installed packages to the latest version: + + virt-builder debian-7 --update + +-For guests which use SELinux, like Fedora and Red Hat Enterprise +-Linux, you may need to do SELinux relabelling after installing or +-updating packages (see L below): +- +- virt-builder fedora-27 --update --selinux-relabel +- + =head2 Customizing the installation + + There are many options that let you customize the installation. These +@@ -972,7 +966,7 @@ command line. + + =item * + +-SELinux relabelling is done (I<--selinux-relabel>). ++SELinux relabelling is done unless disabled with I<--no-selinux-relabel>. + + =back + +@@ -1072,8 +1066,7 @@ A typical virt-builder command would be: + --install puppet \ + --append-line '/etc/puppet/puppet.conf:[agent]' \ + --append-line '/etc/puppet/puppet.conf:server = puppetmaster.example.com/' \ +- --run-command 'systemctl enable puppet' \ +- --selinux-relabel ++ --run-command 'systemctl enable puppet' + + The precise instructions vary according to the Linux distro. For + further information see: +@@ -1753,14 +1746,14 @@ two possible strategies it can use to ensure correct labelling: + + =over 4 + +-=item Using I<--selinux-relabel> ++=item Automatic relabeling + + This runs L just before finalizing the guest, which sets + SELinux labels correctly in the disk image. + + This is the recommended method. + +-=item I<--touch> F ++=item Using I<--no-selinux-relabel> I<--touch> F + + Guest templates may already contain a file called F or + you may touch it. +@@ -1771,11 +1764,6 @@ them, which is normal and harmless. + + =back + +-Please note that if your guest uses SELinux, and you are doing operations +-on it which might create new files or change existing ones, you are +-recommended to use I<--selinux-relabel>. This will help in making sure +-that files have the right SELinux labels. +- + =head1 MACHINE READABLE OUTPUT + + The I<--machine-readable> option can be used to make the output more +Submodule common 0a231b3e..48527b87: +diff --git a/common/mlcustomize/customize-options.pod b/common/mlcustomize/customize-options.pod +index 71b545d..a83c80a 100644 +--- a/common/mlcustomize/customize-options.pod ++++ b/common/mlcustomize/customize-options.pod +@@ -206,6 +206,19 @@ the image was built, use this option. + + See also: L. + ++=item B<--no-selinux-relabel> ++ ++Do not attempt to correct the SELinux labels of files in the guest. ++ ++In such guests that support SELinux, customization automatically ++relabels files so that they have the correct SELinux label. (The ++relabeling is performed immediately, but if the operation fails, ++customization will instead touch F on the image to ++schedule a relabel operation for the next time the image boots.) This ++option disables the automatic relabeling. ++ ++The option is a no-op for guests that do not support SELinux. ++ + =item B<--password> USER:SELECTOR + + Set the password for C. (Note this option does I +@@ -297,16 +310,6 @@ It cannot delete directories, only regular files. + + =back + +-=item B<--selinux-relabel> +- +-Relabel files in the guest so that they have the correct SELinux label. +- +-This will attempt to relabel files immediately, but if the operation fails +-this will instead touch F on the image to schedule a +-relabel operation for the next time the image boots. +- +-You should only use this option for guests which support SELinux. +- + =item B<--sm-attach> SELECTOR + + Attach to a pool using C. +diff --git a/common/mlcustomize/customize-synopsis.pod b/common/mlcustomize/customize-synopsis.pod +index 5f18540..2520853 100644 +--- a/common/mlcustomize/customize-synopsis.pod ++++ b/common/mlcustomize/customize-synopsis.pod +@@ -12,5 +12,5 @@ + [--truncate-recursive PATH] [--timezone TIMEZONE] [--touch FILE] + [--uninstall PKG,PKG..] [--update] [--upload FILE:DEST] + [--write FILE:CONTENT] [--no-logfile] +- [--password-crypto md5|sha256|sha512] [--selinux-relabel] ++ [--password-crypto md5|sha256|sha512] [--no-selinux-relabel] + [--sm-credentials SELECTOR] +diff --git a/common/mlcustomize/customize_cmdline.ml b/common/mlcustomize/customize_cmdline.ml +index 9326baa..5d404e8 100644 +--- a/common/mlcustomize/customize_cmdline.ml ++++ b/common/mlcustomize/customize_cmdline.ml +@@ -109,8 +109,8 @@ and flags = { + (* --no-logfile *) + password_crypto : Password.password_crypto option; + (* --password-crypto md5|sha256|sha512 *) +- selinux_relabel : bool; +- (* --selinux-relabel *) ++ no_selinux_relabel : bool; ++ (* --no-selinux-relabel *) + sm_credentials : Subscription_manager.sm_credentials option; + (* --sm-credentials SELECTOR *) + } +@@ -121,7 +121,7 @@ let rec argspec () = + let ops = ref [] in + let scrub_logfile = ref false in + let password_crypto = ref None in +- let selinux_relabel = ref false in ++ let no_selinux_relabel = ref false in + let sm_credentials = ref None in + + let rec get_ops () = { +@@ -131,7 +131,7 @@ let rec argspec () = + and get_flags () = { + scrub_logfile = !scrub_logfile; + password_crypto = !password_crypto; +- selinux_relabel = !selinux_relabel; ++ no_selinux_relabel = !no_selinux_relabel; + sm_credentials = !sm_credentials; + } + in +@@ -459,11 +459,11 @@ let rec argspec () = + ), + Some "md5|sha256|sha512", "When the virt tools change or set a password in the guest, this\noption sets the password encryption of that password to\nC, C or C.\n\nC and C require glibc E 2.7 (check crypt(3) inside\nthe guest).\n\nC will work with relatively old Linux guests (eg. RHEL 3), but\nis not secure against modern attacks.\n\nThe default is C unless libguestfs detects an old guest that\ndidn't have support for SHA-512, in which case it will use C.\nYou can override libguestfs by specifying this option.\n\nNote this does not change the default password encryption used\nby the guest when you create new user accounts inside the guest.\nIf you want to do that, then you should use the I<--edit> option\nto modify C (Fedora, RHEL) or\nC (Debian, Ubuntu)."; + ( +- [ L"selinux-relabel" ], +- Getopt.Set selinux_relabel, +- s_"Relabel files with correct SELinux labels" ++ [ L"no-selinux-relabel" ], ++ Getopt.Set no_selinux_relabel, ++ s_"Do not relabel files with correct SELinux labels" + ), +- None, "Relabel files in the guest so that they have the correct SELinux label.\n\nThis will attempt to relabel files immediately, but if the operation fails\nthis will instead touch F on the image to schedule a\nrelabel operation for the next time the image boots.\n\nYou should only use this option for guests which support SELinux."; ++ None, "Do not attempt to correct the SELinux labels of files in the guest.\n\nIn such guests that support SELinux, customization automatically\nrelabels files so that they have the correct SELinux label. (The\nrelabeling is performed immediately, but if the operation fails,\ncustomization will instead touch F on the image to\nschedule a relabel operation for the next time the image boots.) This\noption disables the automatic relabeling.\n\nThe option is a no-op for guests that do not support SELinux."; + ( + [ L"sm-credentials" ], + Getopt.String ( +diff --git a/common/mlcustomize/customize_cmdline.mli b/common/mlcustomize/customize_cmdline.mli +index 14eda49..7ee882a 100644 +--- a/common/mlcustomize/customize_cmdline.mli ++++ b/common/mlcustomize/customize_cmdline.mli +@@ -101,8 +101,8 @@ and flags = { + (* --no-logfile *) + password_crypto : Password.password_crypto option; + (* --password-crypto md5|sha256|sha512 *) +- selinux_relabel : bool; +- (* --selinux-relabel *) ++ no_selinux_relabel : bool; ++ (* --no-selinux-relabel *) + sm_credentials : Subscription_manager.sm_credentials option; + (* --sm-credentials SELECTOR *) + } +diff --git a/common/mlcustomize/test-firstboot.sh b/common/mlcustomize/test-firstboot.sh +index b906997..24c67f3 100755 +--- a/common/mlcustomize/test-firstboot.sh ++++ b/common/mlcustomize/test-firstboot.sh +@@ -61,9 +61,6 @@ case "$guestname" in + extra[${#extra[*]}]='/etc/inittab: + s,^#([1-9].*respawn.*/sbin/getty.*),$1,' + ;; +- fedora*|rhel*|centos*) +- extra[${#extra[*]}]='--selinux-relabel' +- ;; + *) + ;; + esac +diff --git a/common/mlcustomize/test-selinuxrelabel.sh b/common/mlcustomize/test-selinuxrelabel.sh +index 86278c6..caf7521 100755 +--- a/common/mlcustomize/test-selinuxrelabel.sh ++++ b/common/mlcustomize/test-selinuxrelabel.sh +@@ -41,13 +41,12 @@ virt-builder "$guestname" --quiet -o "$disk" + # Test #1: relabel with the default configuration works. + rm -f "$disk_overlay" + guestfish -- disk-create "$disk_overlay" qcow2 -1 backingfile:"$disk" +-virt-customize -a "$disk" --selinux-relabel ++virt-customize -a "$disk" + + # Test #2: relabel with no SELINUXTYPE in the configuration. + rm -f "$disk_overlay" + guestfish -- disk-create "$disk_overlay" qcow2 -1 backingfile:"$disk" + virt-customize -a "$disk" \ +- --edit /etc/selinux/config:"s,^SELINUXTYPE=,#&,g" \ +- --selinux-relabel ++ --edit /etc/selinux/config:"s,^SELINUXTYPE=,#&,g" + + rm "$disk" "$disk_overlay" +diff --git a/common/options/uri.c b/common/options/uri.c +index 6b696fc..84d393c 100644 +--- a/common/options/uri.c ++++ b/common/options/uri.c +@@ -135,7 +135,7 @@ parse (const char *arg, char **path_ret, char **protocol_ret, + socket = query_get (uri, "socket"); + + if (uri->server && STRNEQ (uri->server, "") && socket) { +- fprintf (stderr, _("%s: %s: cannot both a server name and a socket query parameter\n"), ++ fprintf (stderr, _("%s: %s: cannot have both a server name and a socket query parameter\n"), + getprogname (), arg); + return -1; + } +@@ -347,6 +347,7 @@ make_server (xmlURIPtr uri, const char *socket, char ***ret) + *ret = malloc (sizeof (char *) * 2); + if (*ret == NULL) { + perror ("malloc"); ++ free (server); + return -1; + } + (*ret)[0] = server; +diff --git a/customize/customize_run.ml b/customize/customize_run.ml +index f2ee2041..99b5fe14 100644 +--- a/customize/customize_run.ml ++++ b/customize/customize_run.ml +@@ -415,7 +415,7 @@ let run (g : G.guestfs) root (ops : ops) = + warning (f_"passwords could not be set for this type of guest") + ); + +- if ops.flags.selinux_relabel then ( ++ if not ops.flags.no_selinux_relabel then ( + message (f_"SELinux relabelling"); + SELinux_relabel.relabel g + ); +diff --git a/customize/test-settings.sh b/customize/test-settings.sh +index ed4c90f2..e8b492dd 100755 +--- a/customize/test-settings.sh ++++ b/customize/test-settings.sh +@@ -61,9 +61,6 @@ case "$guestname" in + extra[${#extra[*]}]='/etc/inittab: + s,^#([1-9].*respawn.*/sbin/getty.*),$1,' + ;; +- fedora*|rhel*|centos*) +- extra[${#extra[*]}]='--selinux-relabel' +- ;; + *) + ;; + esac +diff --git a/sysprep/main.ml b/sysprep/main.ml +index 087d1a17..b760618a 100644 +--- a/sysprep/main.ml ++++ b/sysprep/main.ml +@@ -132,8 +132,6 @@ let main () = + [ L"mount-options" ], Getopt.Set_string (s_"opts", mount_opts), s_"Set mount options (eg /:noatime;/var:rw,noatime)"; + [ L"network" ], Getopt.Set network, s_"Enable appliance network"; + [ L"no-network" ], Getopt.Clear network, s_"Disable appliance network (default)"; +- [ L"no-selinux-relabel" ], Getopt.Unit (fun () -> ()), +- s_"Compatibility option, does nothing"; + [ L"operation"; L"operations" ], Getopt.String (s_"operations", set_operations), s_"Enable/disable specific operations"; + ] in + let args = basic_args @ Sysprep_operation.extra_args () in +diff --git a/sysprep/test-virt-sysprep-docs.sh b/sysprep/test-virt-sysprep-docs.sh +index 51500b5e..9d0298d6 100755 +--- a/sysprep/test-virt-sysprep-docs.sh ++++ b/sysprep/test-virt-sysprep-docs.sh +@@ -25,4 +25,4 @@ $top_srcdir/podcheck.pl "$srcdir/virt-sysprep.pod" virt-sysprep \ + --path $top_srcdir/common/options \ + --insert sysprep-extra-options.pod:__EXTRA_OPTIONS__ \ + --insert sysprep-operations.pod:__OPERATIONS__ \ +- --ignore=--dryrun,--dump-pod,--dump-pod-options,--no-selinux-relabel ++ --ignore=--dryrun,--dump-pod,--dump-pod-options +-- +2.31.1 + diff --git a/copy-patches.sh b/copy-patches.sh index 03de548..ade6db3 100755 --- a/copy-patches.sh +++ b/copy-patches.sh @@ -7,7 +7,7 @@ set -e # ./copy-patches.sh project=guestfs-tools -rhel_version=9.0 +rhel_version=9.1 # Check we're in the right directory. if [ ! -f $project.spec ]; then diff --git a/guestfs-tools.spec b/guestfs-tools.spec index c9ead30..e1286e1 100644 --- a/guestfs-tools.spec +++ b/guestfs-tools.spec @@ -15,7 +15,7 @@ %global verify_tarball_signature 1 # If there are patches which touch autotools files, set this to 1. -%global patches_touch_autotools %{nil} +%global patches_touch_autotools 1 # The source directory. %global source_directory 1.48-stable @@ -25,7 +25,7 @@ Summary: Tools to access and modify virtual machine disk images Name: guestfs-tools -Version: 1.48.0 +Version: 1.48.1 Release: 1%{?dist} License: GPLv2+ @@ -54,6 +54,10 @@ Source3: copy-patches.sh # Patches are maintained in the following repository: # https://github.com/rwmjones/guestfs-tools/commits/rhel-9.1 +# Patches. +Patch0001: 0001-sysprep-remove-lvm2-s-default-system.devices-file.patch +Patch0002: 0002-adopt-inversion-of-SELinux-relabeling-in-virt-custom.patch + %if 0%{patches_touch_autotools} BuildRequires: autoconf, automake, libtool, gettext-devel %endif @@ -420,9 +424,13 @@ end %changelog -* Mon Mar 14 2022 Richard W.M. Jones - 1.48.0-1 -- Rebase to guestfs-tools 1.48.0 +* Mon Mar 14 2022 Richard W.M. Jones - 1.48.1-1 +- Rebase to guestfs-tools 1.48.1 resolves: rhbz#2059286 +- Default to --selinux-relabel in various tools + resolves: rhbz#2075718 +- Add lvm system.devices cleanup operation to virt-sysprep + resolves: rhbz#2072493 * Sat Dec 04 2021 Richard W.M. Jones - 1.46.1-6 - Clean up NetworkManager connection files diff --git a/sources b/sources index ca504b8..0a394a6 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (guestfs-tools-1.48.0.tar.gz) = 8576ef0e283a02a112f785e8f1656b41c93be29e12617ee8c83033b90758736ea3c2d4ecfb446a86c7913e2c0b39a7c5666e8ad22682419cc877543a3825c489 -SHA512 (guestfs-tools-1.48.0.tar.gz.sig) = dd59c590163e13e30425c4f26eddef51596be757b85d9e09c2406a7697a369e23b54dce075005f31c067aea91598ff1f8c887332be691ba23d25ee2e86b93814 +SHA512 (guestfs-tools-1.48.1.tar.gz) = be1ee4e31b33b31794a84dc7939ba6474d1a224d42277b3ec91fed917bcea38de468b64cbed543156a6057126ba501b01c26beccc27a63f16ff481da5335c266 +SHA512 (guestfs-tools-1.48.1.tar.gz.sig) = 930721c013cc5b6f6f786a3ede8cb4639f26f9f8c4c6592c880709ca9539a409a5e5a33beff18bbbe2a3d0833108f35589aa98f90272f241d982bac851352766