4c6fd83035
...
1bb7a1e8ca
Author | SHA1 | Date | |
---|---|---|---|
1bb7a1e8ca | |||
86ceea7877 | |||
cc8f945675 | |||
|
0b0a106c04 |
2
.gitignore
vendored
@ -1,2 +1,2 @@
|
||||
SOURCES/guestfs-tools-1.48.2.tar.gz
|
||||
SOURCES/guestfs-tools-1.51.6.tar.gz
|
||||
SOURCES/libguestfs.keyring
|
||||
|
@ -1,2 +1,2 @@
|
||||
a4082a350bc8d303ebe31780964e2d72a81378c3 SOURCES/guestfs-tools-1.48.2.tar.gz
|
||||
7a64ba52bca3a3591d2e639a6bc9002d61e7d374 SOURCES/guestfs-tools-1.51.6.tar.gz
|
||||
1bbc40f501a7fef9eef2a39b701a71aee2fea7c4 SOURCES/libguestfs.keyring
|
||||
|
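--- a/SOURCES/0001-Update-common-submodule.patch
+++ b/SOURCES/0001-Update-common-submodule.patch
@@ -0,0 +1,26 @@
+From 28ecb8693bbded3e1c70c1baa57f3498a6b8127e Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Sat, 9 Dec 2023 12:59:13 +0000
+Subject: [PATCH] Update common submodule
+
+Pick up this bug fix:
+
+mltools/libosinfo-c.c: Fix off-by-one error
+---
+common | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+Submodule common cd29aee91..0dba002c2:
+diff --git a/common/mltools/libosinfo-c.c b/common/mltools/libosinfo-c.c
+index 93357fd91..a48c8989f 100644
+--- a/common/mltools/libosinfo-c.c
++++ b/common/mltools/libosinfo-c.c
+@@ -296,7 +296,7 @@ v2v_osinfo_os_get_device_drivers (value osv)
+
+driver = OSINFO_DEVICE_DRIVER(osinfo_list_get_nth (OSINFO_LIST(list), i));
+
+- vi = caml_alloc (6, 0);
++ vi = caml_alloc (7, 0);
+str = osinfo_device_driver_get_architecture (driver);
+copyv = caml_copy_string (str);
+Store_field (vi, 0, copyv);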
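Review bot: The enlargement of `vi` from 6 to 7 fields is the whole fix, but the quoted context ends at `Store_field (vi, 0, copyv)`, so the seventh store the commit calls an off-by-one (presumably a `Store_field (vi, 6, …)` further down) is not visible in this patch file, and the description `Pick up this bug fix:` carries only the one-line summary. Whoever rebases this downstream patch onto a newer `common` has to reconstruct why 7 is the right size; one sentence in the description would carry that, e.g. `The driver tuple now has 7 fields; allocating only 6 let the final Store_field write past the block.` (assuming that is indeed the defect — the extra field itself is outside the quoted context). A store past the end of a `caml_alloc` block corrupts the OCaml heap, which is why the reason deserves to be recorded here rather than left to the submodule history. `v2v_osinfo_os_get_device_drivers` continues outside the quoted hunk.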
@ -1,100 +0,0 @@
|
||||
From 37c002682a9e5b87d5793f1567c4ddfb8ca72d11 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Sun, 10 Apr 2022 13:38:34 +0200
|
||||
Subject: [PATCH] sysprep: remove lvm2's default "system.devices" file
|
||||
|
||||
(Background: lvm2 commit 83fe6e720f42, "device usage based on devices
|
||||
file", 2021-02-23; first released in v2_03_12.)
|
||||
|
||||
"lvm pvscan" may be -- and in RHEL9, will soon be -- restricted to those
|
||||
block devices whose WWIDs are listed in "/etc/lvm/devices/system.devices".
|
||||
This is a problem when cloning a VM, as cloning may change the WWIDs of
|
||||
the domain's disk devices, and then physical volumes underlying the guest
|
||||
filesystems may not be found. Example:
|
||||
<https://bugzilla.redhat.com/show_bug.cgi?id=2059545#c12>.
|
||||
|
||||
Add the "lvm-system-devices" operation for removing this file, so that
|
||||
"lvm pvscan" investigate all block devices for PVs.
|
||||
|
||||
(Note that this operation is independent from "lvm-uuids". The libguestfs
|
||||
appliance creates a pristine LVM_SYSTEM_DIR in "appliance/init" (see
|
||||
libguestfs commit dd162d2cd56a), thus, when "lvm-uuids" calls "g#pvs" and
|
||||
"g#vgs", those APIs can never be affected by an
|
||||
"$LVM_SYSTEM_DIR/devices/system.devices" file.)
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2072493
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20220410113834.6258-1-lersek@redhat.com>
|
||||
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
|
||||
(cherry picked from commit 4fe8a03cd2d3e4570f4298245bb184ccdc4da0cd)
|
||||
---
|
||||
sysprep/Makefile.am | 1 +
|
||||
.../sysprep_operation_lvm_system_devices.ml | 44 +++++++++++++++++++
|
||||
2 files changed, 45 insertions(+)
|
||||
create mode 100644 sysprep/sysprep_operation_lvm_system_devices.ml
|
||||
|
||||
diff --git a/sysprep/Makefile.am b/sysprep/Makefile.am
|
||||
index 0e3afc8a0..7d5e8aadf 100644
|
||||
--- a/sysprep/Makefile.am
|
||||
+++ b/sysprep/Makefile.am
|
||||
@@ -46,6 +46,7 @@ operations = \
|
||||
ipa_client \
|
||||
kerberos_data \
|
||||
kerberos_hostkeytab \
|
||||
+ lvm_system_devices \
|
||||
lvm_uuids \
|
||||
logfiles \
|
||||
machine_id \
|
||||
diff --git a/sysprep/sysprep_operation_lvm_system_devices.ml b/sysprep/sysprep_operation_lvm_system_devices.ml
|
||||
new file mode 100644
|
||||
index 000000000..b41fa5dbc
|
||||
--- /dev/null
|
||||
+++ b/sysprep/sysprep_operation_lvm_system_devices.ml
|
||||
@@ -0,0 +1,44 @@
|
||||
+(* virt-sysprep
|
||||
+ * Copyright (C) 2012-2022 Red Hat Inc.
|
||||
+ *
|
||||
+ * This program is free software; you can redistribute it and/or modify
|
||||
+ * it under the terms of the GNU General Public License as published by
|
||||
+ * the Free Software Foundation; either version 2 of the License, or
|
||||
+ * (at your option) any later version.
|
||||
+ *
|
||||
+ * This program is distributed in the hope that it will be useful,
|
||||
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ * GNU General Public License for more details.
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU General Public License along
|
||||
+ * with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
+ *)
|
||||
+
|
||||
+open Sysprep_operation
|
||||
+open Common_gettext.Gettext
|
||||
+
|
||||
+module G = Guestfs
|
||||
+
|
||||
+let system_devices_file = "/etc/lvm/devices/system.devices"
|
||||
+
|
||||
+let rec lvm_system_devices_perform g root side_effects =
|
||||
+ let typ = g#inspect_get_type root in
|
||||
+ if typ = "linux" then g#rm_f system_devices_file
|
||||
+
|
||||
+let op = {
|
||||
+ defaults with
|
||||
+ name = "lvm-system-devices";
|
||||
+ enabled_by_default = true;
|
||||
+ heading = s_"Remove LVM2 system.devices file";
|
||||
+ pod_description =
|
||||
+ Some (s_"On Linux guests, LVM2's scanning for physical volumes (PVs) may \
|
||||
+ be restricted to those block devices whose WWIDs are listed in \
|
||||
+ C<" ^ system_devices_file ^ ">. When cloning VMs, WWIDs may \
|
||||
+ change, breaking C<lvm pvscan>. Remove \
|
||||
+ C<" ^ system_devices_file ^ ">.");
|
||||
+ perform_on_filesystems = Some lvm_system_devices_perform;
|
||||
+}
|
||||
+
|
||||
+let () = register_operation op
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,347 +0,0 @@
|
||||
From 5792f2e95bcddf476f2fe37e0bc4d97bd881d8fa Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Tue, 10 May 2022 12:50:46 +0200
|
||||
Subject: [PATCH] adopt inversion of SELinux relabeling in virt-customize
|
||||
|
||||
Remove "--selinux-relabel" options.
|
||||
|
||||
Do not add any "--no-selinux-relabel" options; rely on the internal check
|
||||
for SELinux support instead ("is_selinux_guest" in
|
||||
"common/mlcustomize/SELinux_relabel.ml").
|
||||
|
||||
"--no-selinux-relabel" becomes a real option for virt-sysprep now.
|
||||
(Again?)
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1554735
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075718
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20220510105046.15167-1-lersek@redhat.com>
|
||||
Acked-by: Richard W.M. Jones <rjones@redhat.com>
|
||||
[lersek@redhat.com: incorporate common submodule update]
|
||||
(cherry picked from commit 19de3d1c8d4efb53565dbffe532d41ee9d25a832)
|
||||
---
|
||||
builder/templates/make-template.ml | 8 +-------
|
||||
builder/virt-builder.pod | 20 ++++----------------
|
||||
common | 2 +-
|
||||
customize/customize_run.ml | 2 +-
|
||||
customize/test-settings.sh | 3 ---
|
||||
sysprep/main.ml | 2 --
|
||||
sysprep/test-virt-sysprep-docs.sh | 2 +-
|
||||
7 files changed, 8 insertions(+), 31 deletions(-)
|
||||
|
||||
diff --git a/builder/templates/make-template.ml b/builder/templates/make-template.ml
|
||||
index 6786fec19..b40789284 100755
|
||||
--- a/builder/templates/make-template.ml
|
||||
+++ b/builder/templates/make-template.ml
|
||||
@@ -256,8 +256,7 @@ let rec main () =
|
||||
printf "Sysprepping ...\n%!";
|
||||
let cmd =
|
||||
sprintf "virt-sysprep --quiet -a %s%s"
|
||||
- (quote tmpout)
|
||||
- (if is_selinux_os os then " --selinux-relabel" else "") in
|
||||
+ (quote tmpout) in
|
||||
if Sys.command cmd <> 0 then exit 1
|
||||
);
|
||||
|
||||
@@ -480,11 +479,6 @@ and can_sysprep_os = function
|
||||
| Debian _ | Ubuntu _ -> true
|
||||
| FreeBSD _ | Windows _ -> false
|
||||
|
||||
-and is_selinux_os = function
|
||||
- | RHEL _ | Alma _ | CentOS _ | CentOSStream _ | Fedora _ -> true
|
||||
- | Debian _ | Ubuntu _
|
||||
- | FreeBSD _ | Windows _ -> false
|
||||
-
|
||||
and needs_uefi os arch =
|
||||
match os, arch with
|
||||
| Fedora _, Armv7
|
||||
diff --git a/builder/virt-builder.pod b/builder/virt-builder.pod
|
||||
index f7dd6cdad..aeb505296 100644
|
||||
--- a/builder/virt-builder.pod
|
||||
+++ b/builder/virt-builder.pod
|
||||
@@ -131,12 +131,6 @@ To update the installed packages to the latest version:
|
||||
|
||||
virt-builder debian-7 --update
|
||||
|
||||
-For guests which use SELinux, like Fedora and Red Hat Enterprise
|
||||
-Linux, you may need to do SELinux relabelling after installing or
|
||||
-updating packages (see L</SELINUX> below):
|
||||
-
|
||||
- virt-builder fedora-27 --update --selinux-relabel
|
||||
-
|
||||
=head2 Customizing the installation
|
||||
|
||||
There are many options that let you customize the installation. These
|
||||
@@ -972,7 +966,7 @@ command line.
|
||||
|
||||
=item *
|
||||
|
||||
-SELinux relabelling is done (I<--selinux-relabel>).
|
||||
+SELinux relabelling is done unless disabled with I<--no-selinux-relabel>.
|
||||
|
||||
=back
|
||||
|
||||
@@ -1072,8 +1066,7 @@ A typical virt-builder command would be:
|
||||
--install puppet \
|
||||
--append-line '/etc/puppet/puppet.conf:[agent]' \
|
||||
--append-line '/etc/puppet/puppet.conf:server = puppetmaster.example.com/' \
|
||||
- --run-command 'systemctl enable puppet' \
|
||||
- --selinux-relabel
|
||||
+ --run-command 'systemctl enable puppet'
|
||||
|
||||
The precise instructions vary according to the Linux distro. For
|
||||
further information see:
|
||||
@@ -1753,14 +1746,14 @@ two possible strategies it can use to ensure correct labelling:
|
||||
|
||||
=over 4
|
||||
|
||||
-=item Using I<--selinux-relabel>
|
||||
+=item Automatic relabeling
|
||||
|
||||
This runs L<setfiles(8)> just before finalizing the guest, which sets
|
||||
SELinux labels correctly in the disk image.
|
||||
|
||||
This is the recommended method.
|
||||
|
||||
-=item I<--touch> F</.autorelabel>
|
||||
+=item Using I<--no-selinux-relabel> I<--touch> F</.autorelabel>
|
||||
|
||||
Guest templates may already contain a file called F</.autorelabel> or
|
||||
you may touch it.
|
||||
@@ -1771,11 +1764,6 @@ them, which is normal and harmless.
|
||||
|
||||
=back
|
||||
|
||||
-Please note that if your guest uses SELinux, and you are doing operations
|
||||
-on it which might create new files or change existing ones, you are
|
||||
-recommended to use I<--selinux-relabel>. This will help in making sure
|
||||
-that files have the right SELinux labels.
|
||||
-
|
||||
=head1 MACHINE READABLE OUTPUT
|
||||
|
||||
The I<--machine-readable> option can be used to make the output more
|
||||
Submodule common 0a231b3e6..48527b876:
|
||||
diff --git a/common/mlcustomize/customize-options.pod b/common/mlcustomize/customize-options.pod
|
||||
index 71b545d..a83c80a 100644
|
||||
--- a/common/mlcustomize/customize-options.pod
|
||||
+++ b/common/mlcustomize/customize-options.pod
|
||||
@@ -206,6 +206,19 @@ the image was built, use this option.
|
||||
|
||||
See also: L</LOG FILE>.
|
||||
|
||||
+=item B<--no-selinux-relabel>
|
||||
+
|
||||
+Do not attempt to correct the SELinux labels of files in the guest.
|
||||
+
|
||||
+In such guests that support SELinux, customization automatically
|
||||
+relabels files so that they have the correct SELinux label. (The
|
||||
+relabeling is performed immediately, but if the operation fails,
|
||||
+customization will instead touch F</.autorelabel> on the image to
|
||||
+schedule a relabel operation for the next time the image boots.) This
|
||||
+option disables the automatic relabeling.
|
||||
+
|
||||
+The option is a no-op for guests that do not support SELinux.
|
||||
+
|
||||
=item B<--password> USER:SELECTOR
|
||||
|
||||
Set the password for C<USER>. (Note this option does I<not>
|
||||
@@ -297,16 +310,6 @@ It cannot delete directories, only regular files.
|
||||
|
||||
=back
|
||||
|
||||
-=item B<--selinux-relabel>
|
||||
-
|
||||
-Relabel files in the guest so that they have the correct SELinux label.
|
||||
-
|
||||
-This will attempt to relabel files immediately, but if the operation fails
|
||||
-this will instead touch F</.autorelabel> on the image to schedule a
|
||||
-relabel operation for the next time the image boots.
|
||||
-
|
||||
-You should only use this option for guests which support SELinux.
|
||||
-
|
||||
=item B<--sm-attach> SELECTOR
|
||||
|
||||
Attach to a pool using C<subscription-manager>.
|
||||
diff --git a/common/mlcustomize/customize-synopsis.pod b/common/mlcustomize/customize-synopsis.pod
|
||||
index 5f18540..2520853 100644
|
||||
--- a/common/mlcustomize/customize-synopsis.pod
|
||||
+++ b/common/mlcustomize/customize-synopsis.pod
|
||||
@@ -12,5 +12,5 @@
|
||||
[--truncate-recursive PATH] [--timezone TIMEZONE] [--touch FILE]
|
||||
[--uninstall PKG,PKG..] [--update] [--upload FILE:DEST]
|
||||
[--write FILE:CONTENT] [--no-logfile]
|
||||
- [--password-crypto md5|sha256|sha512] [--selinux-relabel]
|
||||
+ [--password-crypto md5|sha256|sha512] [--no-selinux-relabel]
|
||||
[--sm-credentials SELECTOR]
|
||||
diff --git a/common/mlcustomize/customize_cmdline.ml b/common/mlcustomize/customize_cmdline.ml
|
||||
index 9326baa..5d404e8 100644
|
||||
--- a/common/mlcustomize/customize_cmdline.ml
|
||||
+++ b/common/mlcustomize/customize_cmdline.ml
|
||||
@@ -109,8 +109,8 @@ and flags = {
|
||||
(* --no-logfile *)
|
||||
password_crypto : Password.password_crypto option;
|
||||
(* --password-crypto md5|sha256|sha512 *)
|
||||
- selinux_relabel : bool;
|
||||
- (* --selinux-relabel *)
|
||||
+ no_selinux_relabel : bool;
|
||||
+ (* --no-selinux-relabel *)
|
||||
sm_credentials : Subscription_manager.sm_credentials option;
|
||||
(* --sm-credentials SELECTOR *)
|
||||
}
|
||||
@@ -121,7 +121,7 @@ let rec argspec () =
|
||||
let ops = ref [] in
|
||||
let scrub_logfile = ref false in
|
||||
let password_crypto = ref None in
|
||||
- let selinux_relabel = ref false in
|
||||
+ let no_selinux_relabel = ref false in
|
||||
let sm_credentials = ref None in
|
||||
|
||||
let rec get_ops () = {
|
||||
@@ -131,7 +131,7 @@ let rec argspec () =
|
||||
and get_flags () = {
|
||||
scrub_logfile = !scrub_logfile;
|
||||
password_crypto = !password_crypto;
|
||||
- selinux_relabel = !selinux_relabel;
|
||||
+ no_selinux_relabel = !no_selinux_relabel;
|
||||
sm_credentials = !sm_credentials;
|
||||
}
|
||||
in
|
||||
@@ -459,11 +459,11 @@ let rec argspec () =
|
||||
),
|
||||
Some "md5|sha256|sha512", "When the virt tools change or set a password in the guest, this\noption sets the password encryption of that password to\nC<md5>, C<sha256> or C<sha512>.\n\nC<sha256> and C<sha512> require glibc E<ge> 2.7 (check crypt(3) inside\nthe guest).\n\nC<md5> will work with relatively old Linux guests (eg. RHEL 3), but\nis not secure against modern attacks.\n\nThe default is C<sha512> unless libguestfs detects an old guest that\ndidn't have support for SHA-512, in which case it will use C<md5>.\nYou can override libguestfs by specifying this option.\n\nNote this does not change the default password encryption used\nby the guest when you create new user accounts inside the guest.\nIf you want to do that, then you should use the I<--edit> option\nto modify C</etc/sysconfig/authconfig> (Fedora, RHEL) or\nC</etc/pam.d/common-password> (Debian, Ubuntu).";
|
||||
(
|
||||
- [ L"selinux-relabel" ],
|
||||
- Getopt.Set selinux_relabel,
|
||||
- s_"Relabel files with correct SELinux labels"
|
||||
+ [ L"no-selinux-relabel" ],
|
||||
+ Getopt.Set no_selinux_relabel,
|
||||
+ s_"Do not relabel files with correct SELinux labels"
|
||||
),
|
||||
- None, "Relabel files in the guest so that they have the correct SELinux label.\n\nThis will attempt to relabel files immediately, but if the operation fails\nthis will instead touch F</.autorelabel> on the image to schedule a\nrelabel operation for the next time the image boots.\n\nYou should only use this option for guests which support SELinux.";
|
||||
+ None, "Do not attempt to correct the SELinux labels of files in the guest.\n\nIn such guests that support SELinux, customization automatically\nrelabels files so that they have the correct SELinux label. (The\nrelabeling is performed immediately, but if the operation fails,\ncustomization will instead touch F</.autorelabel> on the image to\nschedule a relabel operation for the next time the image boots.) This\noption disables the automatic relabeling.\n\nThe option is a no-op for guests that do not support SELinux.";
|
||||
(
|
||||
[ L"sm-credentials" ],
|
||||
Getopt.String (
|
||||
diff --git a/common/mlcustomize/customize_cmdline.mli b/common/mlcustomize/customize_cmdline.mli
|
||||
index 14eda49..7ee882a 100644
|
||||
--- a/common/mlcustomize/customize_cmdline.mli
|
||||
+++ b/common/mlcustomize/customize_cmdline.mli
|
||||
@@ -101,8 +101,8 @@ and flags = {
|
||||
(* --no-logfile *)
|
||||
password_crypto : Password.password_crypto option;
|
||||
(* --password-crypto md5|sha256|sha512 *)
|
||||
- selinux_relabel : bool;
|
||||
- (* --selinux-relabel *)
|
||||
+ no_selinux_relabel : bool;
|
||||
+ (* --no-selinux-relabel *)
|
||||
sm_credentials : Subscription_manager.sm_credentials option;
|
||||
(* --sm-credentials SELECTOR *)
|
||||
}
|
||||
diff --git a/common/mlcustomize/test-firstboot.sh b/common/mlcustomize/test-firstboot.sh
|
||||
index b906997..24c67f3 100755
|
||||
--- a/common/mlcustomize/test-firstboot.sh
|
||||
+++ b/common/mlcustomize/test-firstboot.sh
|
||||
@@ -61,9 +61,6 @@ case "$guestname" in
|
||||
extra[${#extra[*]}]='/etc/inittab:
|
||||
s,^#([1-9].*respawn.*/sbin/getty.*),$1,'
|
||||
;;
|
||||
- fedora*|rhel*|centos*)
|
||||
- extra[${#extra[*]}]='--selinux-relabel'
|
||||
- ;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
diff --git a/common/mlcustomize/test-selinuxrelabel.sh b/common/mlcustomize/test-selinuxrelabel.sh
|
||||
index 86278c6..caf7521 100755
|
||||
--- a/common/mlcustomize/test-selinuxrelabel.sh
|
||||
+++ b/common/mlcustomize/test-selinuxrelabel.sh
|
||||
@@ -41,13 +41,12 @@ virt-builder "$guestname" --quiet -o "$disk"
|
||||
# Test #1: relabel with the default configuration works.
|
||||
rm -f "$disk_overlay"
|
||||
guestfish -- disk-create "$disk_overlay" qcow2 -1 backingfile:"$disk"
|
||||
-virt-customize -a "$disk" --selinux-relabel
|
||||
+virt-customize -a "$disk"
|
||||
|
||||
# Test #2: relabel with no SELINUXTYPE in the configuration.
|
||||
rm -f "$disk_overlay"
|
||||
guestfish -- disk-create "$disk_overlay" qcow2 -1 backingfile:"$disk"
|
||||
virt-customize -a "$disk" \
|
||||
- --edit /etc/selinux/config:"s,^SELINUXTYPE=,#&,g" \
|
||||
- --selinux-relabel
|
||||
+ --edit /etc/selinux/config:"s,^SELINUXTYPE=,#&,g"
|
||||
|
||||
rm "$disk" "$disk_overlay"
|
||||
diff --git a/common/options/uri.c b/common/options/uri.c
|
||||
index 6b696fc..84d393c 100644
|
||||
--- a/common/options/uri.c
|
||||
+++ b/common/options/uri.c
|
||||
@@ -135,7 +135,7 @@ parse (const char *arg, char **path_ret, char **protocol_ret,
|
||||
socket = query_get (uri, "socket");
|
||||
|
||||
if (uri->server && STRNEQ (uri->server, "") && socket) {
|
||||
- fprintf (stderr, _("%s: %s: cannot both a server name and a socket query parameter\n"),
|
||||
+ fprintf (stderr, _("%s: %s: cannot have both a server name and a socket query parameter\n"),
|
||||
getprogname (), arg);
|
||||
return -1;
|
||||
}
|
||||
@@ -347,6 +347,7 @@ make_server (xmlURIPtr uri, const char *socket, char ***ret)
|
||||
*ret = malloc (sizeof (char *) * 2);
|
||||
if (*ret == NULL) {
|
||||
perror ("malloc");
|
||||
+ free (server);
|
||||
return -1;
|
||||
}
|
||||
(*ret)[0] = server;
|
||||
diff --git a/customize/customize_run.ml b/customize/customize_run.ml
|
||||
index f2ee20413..99b5fe14d 100644
|
||||
--- a/customize/customize_run.ml
|
||||
+++ b/customize/customize_run.ml
|
||||
@@ -415,7 +415,7 @@ let run (g : G.guestfs) root (ops : ops) =
|
||||
warning (f_"passwords could not be set for this type of guest")
|
||||
);
|
||||
|
||||
- if ops.flags.selinux_relabel then (
|
||||
+ if not ops.flags.no_selinux_relabel then (
|
||||
message (f_"SELinux relabelling");
|
||||
SELinux_relabel.relabel g
|
||||
);
|
||||
diff --git a/customize/test-settings.sh b/customize/test-settings.sh
|
||||
index ed4c90f2e..e8b492dd1 100755
|
||||
--- a/customize/test-settings.sh
|
||||
+++ b/customize/test-settings.sh
|
||||
@@ -61,9 +61,6 @@ case "$guestname" in
|
||||
extra[${#extra[*]}]='/etc/inittab:
|
||||
s,^#([1-9].*respawn.*/sbin/getty.*),$1,'
|
||||
;;
|
||||
- fedora*|rhel*|centos*)
|
||||
- extra[${#extra[*]}]='--selinux-relabel'
|
||||
- ;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
diff --git a/sysprep/main.ml b/sysprep/main.ml
|
||||
index 087d1a17f..b760618ad 100644
|
||||
--- a/sysprep/main.ml
|
||||
+++ b/sysprep/main.ml
|
||||
@@ -132,8 +132,6 @@ let main () =
|
||||
[ L"mount-options" ], Getopt.Set_string (s_"opts", mount_opts), s_"Set mount options (eg /:noatime;/var:rw,noatime)";
|
||||
[ L"network" ], Getopt.Set network, s_"Enable appliance network";
|
||||
[ L"no-network" ], Getopt.Clear network, s_"Disable appliance network (default)";
|
||||
- [ L"no-selinux-relabel" ], Getopt.Unit (fun () -> ()),
|
||||
- s_"Compatibility option, does nothing";
|
||||
[ L"operation"; L"operations" ], Getopt.String (s_"operations", set_operations), s_"Enable/disable specific operations";
|
||||
] in
|
||||
let args = basic_args @ Sysprep_operation.extra_args () in
|
||||
diff --git a/sysprep/test-virt-sysprep-docs.sh b/sysprep/test-virt-sysprep-docs.sh
|
||||
index 51500b5e9..9d0298d68 100755
|
||||
--- a/sysprep/test-virt-sysprep-docs.sh
|
||||
+++ b/sysprep/test-virt-sysprep-docs.sh
|
||||
@@ -25,4 +25,4 @@ $top_srcdir/podcheck.pl "$srcdir/virt-sysprep.pod" virt-sysprep \
|
||||
--path $top_srcdir/common/options \
|
||||
--insert sysprep-extra-options.pod:__EXTRA_OPTIONS__ \
|
||||
--insert sysprep-operations.pod:__OPERATIONS__ \
|
||||
- --ignore=--dryrun,--dump-pod,--dump-pod-options,--no-selinux-relabel
|
||||
+ --ignore=--dryrun,--dump-pod,--dump-pod-options
|
||||
--
|
||||
2.31.1
|
||||
|
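--- a/SOURCES/0002-builder-Add-a-test-of-the-chown-parameter.patch
+++ b/SOURCES/0002-builder-Add-a-test-of-the-chown-parameter.patch
@@ -0,0 +1,63 @@
+From 5f9beb89443f84640efc52ee6cd68f7f880fb66b Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Fri, 19 Jan 2024 13:22:51 +0000
+Subject: [PATCH] builder: Add a test of the --chown parameter
+
+Also update the libguestfs common submodule, pulling in this change
+from libguestfs:
+
+generator/customize.ml: Split --chown parameter on ':' character
+
+and this patch to common/mltools:
+
+mltools/libosinfo-c.c: Fix off-by-one error
+
+(cherry picked from commit 299dc5ec2a0bdd9adecef75adc6a5eca0dc685b1)
+---
+builder/test-virt-builder.sh | 4 ++++
+common | 2 +-
+2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/builder/test-virt-builder.sh b/builder/test-virt-builder.sh
+index 705788a3c..f839fd7af 100755
+--- a/builder/test-virt-builder.sh
++++ b/builder/test-virt-builder.sh
+@@ -69,6 +69,7 @@ virt-builder phony-fedora \
+--write '/etc/append6:
+' \
+--append-line '/etc/append6:line2' \
++ --chown 1:1:/etc/append6 \
+--firstboot Makefile --firstboot-command 'echo "hello"' \
+--firstboot-install "minicom,inkscape"
+
+@@ -112,6 +113,7 @@ echo append5:
+cat /etc/append5
+echo append6:
+cat /etc/append6
++stat /etc/append6 | grep '^[ug]id:'
+
+echo -----
+EOF
+@@ -154,6 +156,8 @@ append6:
+
+line2
+
++uid: 1
++gid: 1
+-----" ]; then
+echo "$0: unexpected output:"
+cat test-virt-builder.out
+Submodule common 0dba002c2..54869c987:
+diff --git a/common/mlcustomize/customize_cmdline.ml b/common/mlcustomize/customize_cmdline.ml
+index 245d9960a..48ee33445 100644
+--- a/common/mlcustomize/customize_cmdline.ml
++++ b/common/mlcustomize/customize_cmdline.ml
+@@ -157,7 +157,7 @@ let rec argspec () =
+let len = String.length arg in
+String.sub arg 0 i, String.sub arg (i+1) (len-(i+1))
+and split_string_triplet option_name arg =
+- match String.nsplit ~max:3 "," arg with
++ match String.nsplit ~max:3 ":" arg with
+| [a; b; c] -> a, b, c
+| _ ->
+error (f_"invalid format for '--%s' parameter, see the man page")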
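Review bot: Changing the separator in `split_string_triplet` from `","` to `":"` alters the accepted syntax of `--chown` (now `UID:GID:PATH`), and the only coverage added is the numeric `--chown 1:1:/etc/append6` case; the hunk does not show the option's man-page or `--help` text being updated, so if that text still names the old separator it should change in the same patch. `~max:3` is what keeps a `:` inside PATH intact, and since the function is generic (it takes `option_name`) that is worth a comment above the match: `(* e.g. --chown UID:GID:PATH; ~max:3 leaves any ':' inside the last part untouched *)`. The enclosing `argspec` continues outside the hunk, and the `error (f_"invalid format …")` branch is cut off at its end.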
@ -1,4 +1,4 @@
|
||||
From bbdc10642eff480246271f98180733f732c306b3 Mon Sep 17 00:00:00 2001
|
||||
From b5fdf9eac368a1c5df4ddd93ce40884924e6092a Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Tue, 7 Jul 2015 09:28:03 -0400
|
||||
Subject: [PATCH] RHEL: Reject use of libguestfs-winsupport features except for
|
||||
@ -11,7 +11,7 @@ edits.
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/test-data/phony-guests/make-windows-img.sh b/test-data/phony-guests/make-windows-img.sh
|
||||
index 30908a918..73cf5144e 100755
|
||||
index 16debd129..1c13ddac3 100755
|
||||
--- a/test-data/phony-guests/make-windows-img.sh
|
||||
+++ b/test-data/phony-guests/make-windows-img.sh
|
||||
@@ -37,6 +37,7 @@ fi
|
||||
@ -22,6 +22,3 @@ index 30908a918..73cf5144e 100755
|
||||
sparse windows.img-t 512M
|
||||
run
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,101 +0,0 @@
|
||||
From 10e2f3fc7eef6da4d741f7617e80d028257d9884 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Wed, 25 May 2022 13:06:01 +0200
|
||||
Subject: [PATCH] update common submodule
|
||||
|
||||
Shortlog for 48527b8768d7..f8de5508fe75:
|
||||
|
||||
Laszlo Ersek (1):
|
||||
mlcustomize: refresh generated files
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2089748
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit 273de755dfe7eb0f1e81dc62463c125e8bed0cff)
|
||||
---
|
||||
common | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
Submodule common 48527b876..f8de5508f:
|
||||
diff --git a/common/mlcustomize/customize-options.pod b/common/mlcustomize/customize-options.pod
|
||||
index a83c80a..8aafacd 100644
|
||||
--- a/common/mlcustomize/customize-options.pod
|
||||
+++ b/common/mlcustomize/customize-options.pod
|
||||
@@ -310,6 +310,10 @@ It cannot delete directories, only regular files.
|
||||
|
||||
=back
|
||||
|
||||
+=item B<--selinux-relabel>
|
||||
+
|
||||
+This is a compatibility option that does nothing.
|
||||
+
|
||||
=item B<--sm-attach> SELECTOR
|
||||
|
||||
Attach to a pool using C<subscription-manager>.
|
||||
diff --git a/common/mlcustomize/customize-synopsis.pod b/common/mlcustomize/customize-synopsis.pod
|
||||
index 2520853..9e2c4b2 100644
|
||||
--- a/common/mlcustomize/customize-synopsis.pod
|
||||
+++ b/common/mlcustomize/customize-synopsis.pod
|
||||
@@ -13,4 +13,4 @@
|
||||
[--uninstall PKG,PKG..] [--update] [--upload FILE:DEST]
|
||||
[--write FILE:CONTENT] [--no-logfile]
|
||||
[--password-crypto md5|sha256|sha512] [--no-selinux-relabel]
|
||||
- [--sm-credentials SELECTOR]
|
||||
+ [--selinux-relabel] [--sm-credentials SELECTOR]
|
||||
diff --git a/common/mlcustomize/customize_cmdline.ml b/common/mlcustomize/customize_cmdline.ml
|
||||
index 5d404e8..a17bed4 100644
|
||||
--- a/common/mlcustomize/customize_cmdline.ml
|
||||
+++ b/common/mlcustomize/customize_cmdline.ml
|
||||
@@ -111,6 +111,8 @@ and flags = {
|
||||
(* --password-crypto md5|sha256|sha512 *)
|
||||
no_selinux_relabel : bool;
|
||||
(* --no-selinux-relabel *)
|
||||
+ selinux_relabel_ignored : bool;
|
||||
+ (* --selinux-relabel *)
|
||||
sm_credentials : Subscription_manager.sm_credentials option;
|
||||
(* --sm-credentials SELECTOR *)
|
||||
}
|
||||
@@ -122,6 +124,7 @@ let rec argspec () =
|
||||
let scrub_logfile = ref false in
|
||||
let password_crypto = ref None in
|
||||
let no_selinux_relabel = ref false in
|
||||
+ let selinux_relabel_ignored = ref false in
|
||||
let sm_credentials = ref None in
|
||||
|
||||
let rec get_ops () = {
|
||||
@@ -132,6 +135,7 @@ let rec argspec () =
|
||||
scrub_logfile = !scrub_logfile;
|
||||
password_crypto = !password_crypto;
|
||||
no_selinux_relabel = !no_selinux_relabel;
|
||||
+ selinux_relabel_ignored = !selinux_relabel_ignored;
|
||||
sm_credentials = !sm_credentials;
|
||||
}
|
||||
in
|
||||
@@ -464,6 +468,12 @@ let rec argspec () =
|
||||
s_"Do not relabel files with correct SELinux labels"
|
||||
),
|
||||
None, "Do not attempt to correct the SELinux labels of files in the guest.\n\nIn such guests that support SELinux, customization automatically\nrelabels files so that they have the correct SELinux label. (The\nrelabeling is performed immediately, but if the operation fails,\ncustomization will instead touch F</.autorelabel> on the image to\nschedule a relabel operation for the next time the image boots.) This\noption disables the automatic relabeling.\n\nThe option is a no-op for guests that do not support SELinux.";
|
||||
+ (
|
||||
+ [ L"selinux-relabel" ],
|
||||
+ Getopt.Set selinux_relabel_ignored,
|
||||
+ s_"Compatibility option doing nothing"
|
||||
+ ),
|
||||
+ None, "This is a compatibility option that does nothing.";
|
||||
(
|
||||
[ L"sm-credentials" ],
|
||||
Getopt.String (
|
||||
diff --git a/common/mlcustomize/customize_cmdline.mli b/common/mlcustomize/customize_cmdline.mli
|
||||
index 7ee882a..7d14e78 100644
|
||||
--- a/common/mlcustomize/customize_cmdline.mli
|
||||
+++ b/common/mlcustomize/customize_cmdline.mli
|
||||
@@ -103,6 +103,8 @@ and flags = {
|
||||
(* --password-crypto md5|sha256|sha512 *)
|
||||
no_selinux_relabel : bool;
|
||||
(* --no-selinux-relabel *)
|
||||
+ selinux_relabel_ignored : bool;
|
||||
+ (* --selinux-relabel *)
|
||||
sm_credentials : Subscription_manager.sm_credentials option;
|
||||
(* --sm-credentials SELECTOR *)
|
||||
}
|
||||
--
|
||||
2.31.1
|
||||
|
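--- a/SOURCES/0004-RHEL-builder-Disable-opensuse-repository.patch
+++ b/SOURCES/0004-RHEL-builder-Disable-opensuse-repository.patch
@@ -0,0 +1,26 @@
+From 511de43cdca80381d52360e050bf57f7079f46d6 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Mon, 21 Nov 2022 13:03:22 +0000
+Subject: [PATCH] RHEL: builder: Disable opensuse repository
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2145160
+(cherry picked from commit 8e0e91c923bd7076fd906a71678ddd3f328ae2c0)
+---
+builder/opensuse.conf.in | 10 +++++++---
+1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/builder/opensuse.conf.in b/builder/opensuse.conf.in
+index 19f979699..a57fc6977 100644
+--- a/builder/opensuse.conf.in
++++ b/builder/opensuse.conf.in
+@@ -1,3 +1,7 @@
+-[opensuse.org]
+-uri=http://download.opensuse.org/repositories/Virtualization:/virt-builder-images/images/index
+-gpgkey=file://@SYSCONFDIR@/virt-builder/repos.d/opensuse.gpg
++# https://bugzilla.redhat.com/show_bug.cgi?id=2145160
++# This is disabled in RHEL by default, but you can enable it by
++# uncommenting the lines below.
++
++#[opensuse.org]
++#uri=http://download.opensuse.org/repositories/Virtualization:/virt-builder-images/images/index
++#gpgkey=file://@SYSCONFDIR@/virt-builder/repos.d/opensuse.gpg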
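Review bot: The new comment invites re-enabling the repository by uncommenting `the lines below`, but the `uri=` it would restore is plain `http://`, so the integrity of the fetched index then rests on the `gpgkey=` line directly beneath it; the comment should make clear that all three lines belong together rather than just `[opensuse.org]` and `uri=`. A wording such as `# uncommenting all three lines below. Keep the gpgkey line: the index is fetched over plain http and is only trusted via that key.` records the reason where the next editor will see it. Whether virt-builder rejects an index for a section with no usable key is not visible in this patch, so the note is phrased as a safeguard rather than a guarantee.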
536
SOURCES/0005-Update-common-submodule.patch
Normal file
@ -0,0 +1,536 @@
|
||||
From 31b4b33ec87560182f338a088bd242d571bc79e7 Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Tue, 27 Aug 2024 13:46:46 +0100
|
||||
Subject: [PATCH] Update common submodule
|
||||
|
||||
Pick up the commits below. In particular this makes several
|
||||
refinements to the Windows firstboot code to make it more reliable.
|
||||
|
||||
Fixes: https://issues.redhat.com/browse/RHEL-55824
|
||||
|
||||
Ben Brown (1):
|
||||
Initialise bar->fp as NULL
|
||||
|
||||
Richard W.M. Jones (16):
|
||||
mlcustomize: Update virt-customize generated files
|
||||
options: Allow nbd+unix:// URIs
|
||||
mlcustomize: Add virt-customize --inject-blnsvr generated files
|
||||
mlcustomize: Add Inject_virtio_win.inject_blnsvr implementation
|
||||
mlcustomize: firstboot: Use Linux path for Powershell script path
|
||||
mlcustomize: firstboot: Use powershell.exe instead of path
|
||||
mlcustomize: firstboot: Use Powershell -NoProfile flag
|
||||
mlcustomize: Revert delay installation of qemu-ga MSI
|
||||
mldrivers/linux_kernels.ml: Prefix general information with ^info:
|
||||
mlcustomize: Use Start-Process -Wait to run qemu-ga installer
|
||||
mlcustomize: Add Firstboot.firstboot_dir function
|
||||
mlcustomize: Place powershell scripts into <firstboot_dir>\Temp
|
||||
mlcustomize: Inject qemu-ga & blnsvr into <firstboot_dir>/Temp
|
||||
mlcustomize: Write qemu-ga log file name to log.txt
|
||||
mlcustomize: Add some comments to firstboot batch file
|
||||
mlcustomize: Reboot Windows between each firstboot script
|
||||
---
|
||||
common | 2 +-
|
||||
customize/customize_run.ml | 3 +++
|
||||
2 files changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
Submodule common 54869c987..a78839676:
|
||||
diff --git a/common/mlcustomize/customize-synopsis.pod b/common/mlcustomize/customize-synopsis.pod
|
||||
index bb0ce1255..957de8cf2 100644
|
||||
--- a/common/mlcustomize/customize-synopsis.pod
|
||||
+++ b/common/mlcustomize/customize-synopsis.pod
|
||||
@@ -3,16 +3,16 @@
|
||||
[--copy SOURCE:DEST] [--copy-in LOCALPATH:REMOTEDIR]
|
||||
[--delete PATH] [--edit FILE:EXPR] [--firstboot SCRIPT]
|
||||
[--firstboot-command 'CMD+ARGS'] [--firstboot-install PKG,PKG..]
|
||||
- [--hostname HOSTNAME] [--inject-qemu-ga METHOD]
|
||||
- [--inject-virtio-win METHOD] [--install PKG,PKG..]
|
||||
- [--link TARGET:LINK[:LINK..]] [--mkdir DIR] [--move SOURCE:DEST]
|
||||
- [--password USER:SELECTOR] [--root-password SELECTOR]
|
||||
- [--run SCRIPT] [--run-command 'CMD+ARGS'] [--scrub FILE]
|
||||
- [--sm-attach SELECTOR] [--sm-register] [--sm-remove]
|
||||
- [--sm-unregister] [--ssh-inject USER[:SELECTOR]]
|
||||
- [--tar-in TARFILE:REMOTEDIR] [--timezone TIMEZONE] [--touch FILE]
|
||||
- [--truncate FILE] [--truncate-recursive PATH]
|
||||
- [--uninstall PKG,PKG..] [--update] [--upload FILE:DEST]
|
||||
- [--write FILE:CONTENT] [--no-logfile]
|
||||
+ [--hostname HOSTNAME]
|
||||
+ [--inject-qemu-ga METHOD] [--inject-virtio-win METHOD]
|
||||
+ [--install PKG,PKG..] [--link TARGET:LINK[:LINK..]] [--mkdir DIR]
|
||||
+ [--move SOURCE:DEST] [--password USER:SELECTOR]
|
||||
+ [--root-password SELECTOR] [--run SCRIPT]
|
||||
+ [--run-command 'CMD+ARGS'] [--scrub FILE] [--sm-attach SELECTOR]
|
||||
+ [--sm-register] [--sm-remove] [--sm-unregister]
|
||||
+ [--ssh-inject USER[:SELECTOR]] [--tar-in TARFILE:REMOTEDIR]
|
||||
+ [--timezone TIMEZONE] [--touch FILE] [--truncate FILE]
|
||||
+ [--truncate-recursive PATH] [--uninstall PKG,PKG..] [--update]
|
||||
+ [--upload FILE:DEST] [--write FILE:CONTENT] [--no-logfile]
|
||||
[--password-crypto md5|sha256|sha512] [--no-selinux-relabel]
|
||||
[--selinux-relabel] [--sm-credentials SELECTOR]
|
||||
diff --git a/common/mlcustomize/customize_cmdline.ml b/common/mlcustomize/customize_cmdline.ml
|
||||
index 48ee33445..c4d6a77d5 100644
|
||||
--- a/common/mlcustomize/customize_cmdline.ml
|
||||
+++ b/common/mlcustomize/customize_cmdline.ml
|
||||
@@ -61,6 +61,8 @@ and op = [
|
||||
(* --firstboot-install PKG,PKG.. *)
|
||||
| `Hostname of string
|
||||
(* --hostname HOSTNAME *)
|
||||
+ | `InjectBalloonServer of string
|
||||
+ (* --inject-blnsvr METHOD *)
|
||||
| `InjectQemuGA of string
|
||||
(* --inject-qemu-ga METHOD *)
|
||||
| `InjectVirtioWin of string
|
||||
diff --git a/common/mlcustomize/customize_cmdline.mli b/common/mlcustomize/customize_cmdline.mli
|
||||
index 51a156eae..ee62961a1 100644
|
||||
--- a/common/mlcustomize/customize_cmdline.mli
|
||||
+++ b/common/mlcustomize/customize_cmdline.mli
|
||||
@@ -53,6 +53,8 @@ and op = [
|
||||
(* --firstboot-install PKG,PKG.. *)
|
||||
| `Hostname of string
|
||||
(* --hostname HOSTNAME *)
|
||||
+ | `InjectBalloonServer of string
|
||||
+ (* --inject-blnsvr METHOD *)
|
||||
| `InjectQemuGA of string
|
||||
(* --inject-qemu-ga METHOD *)
|
||||
| `InjectVirtioWin of string
|
||||
diff --git a/common/mlcustomize/firstboot.ml b/common/mlcustomize/firstboot.ml
|
||||
index 5dc012340..52e76401e 100644
|
||||
--- a/common/mlcustomize/firstboot.ml
|
||||
+++ b/common/mlcustomize/firstboot.ml
|
||||
@@ -239,7 +239,22 @@ WantedBy=%s
|
||||
end
|
||||
|
||||
module Windows = struct
|
||||
- let rec install_service (g : Guestfs.guestfs) root =
|
||||
+ (* Create and return the firstboot directory. *)
|
||||
+ let create_firstboot_dir (g : Guestfs.guestfs) =
|
||||
+ let rec loop firstboot_dir firstboot_dir_win = function
|
||||
+ | [] -> firstboot_dir, firstboot_dir_win
|
||||
+ | dir :: path ->
|
||||
+ let firstboot_dir =
|
||||
+ if firstboot_dir = "" then "/" ^ dir else firstboot_dir // dir in
|
||||
+ let firstboot_dir_win = firstboot_dir_win ^ "\\" ^ dir in
|
||||
+ let firstboot_dir = g#case_sensitive_path firstboot_dir in
|
||||
+ g#mkdir_p firstboot_dir;
|
||||
+ loop firstboot_dir firstboot_dir_win path
|
||||
+ in
|
||||
+ loop "" "C:" ["Program Files"; "Guestfs"; "Firstboot"]
|
||||
+
|
||||
+ let rec install_service (g : Guestfs.guestfs) root
|
||||
+ firstboot_dir firstboot_dir_win =
|
||||
(* Either rhsrvany.exe or pvvxsvc.exe must exist.
|
||||
*
|
||||
* (Check also that it's not a dangling symlink but a real file).
|
||||
@@ -254,20 +269,7 @@ module Windows = struct
|
||||
error (f_"One of rhsrvany.exe or pvvxsvc.exe is missing in %s. One of them is required in order to install Windows firstboot scripts. You can get one by building rhsrvany (https://github.com/rwmjones/rhsrvany)")
|
||||
(virt_tools_data_dir ()) in
|
||||
|
||||
- (* Create a directory for firstboot files in the guest. *)
|
||||
- let firstboot_dir, firstboot_dir_win =
|
||||
- let rec loop firstboot_dir firstboot_dir_win = function
|
||||
- | [] -> firstboot_dir, firstboot_dir_win
|
||||
- | dir :: path ->
|
||||
- let firstboot_dir =
|
||||
- if firstboot_dir = "" then "/" ^ dir else firstboot_dir // dir in
|
||||
- let firstboot_dir_win = firstboot_dir_win ^ "\\" ^ dir in
|
||||
- let firstboot_dir = g#case_sensitive_path firstboot_dir in
|
||||
- g#mkdir_p firstboot_dir;
|
||||
- loop firstboot_dir firstboot_dir_win path
|
||||
- in
|
||||
- loop "" "C:" ["Program Files"; "Guestfs"; "Firstboot"] in
|
||||
-
|
||||
+ (* Create a directory for firstboot scripts in the guest. *)
|
||||
g#mkdir_p (firstboot_dir // "scripts");
|
||||
|
||||
(* Copy pvvxsvc or rhsrvany to the guest. *)
|
||||
@@ -276,6 +278,9 @@ module Windows = struct
|
||||
(* Write a firstboot.bat control script which just runs the other
|
||||
* scripts in the directory. Note we need to use CRLF line endings
|
||||
* in this script.
|
||||
+ *
|
||||
+ * XXX It would be better to use powershell here. For some ideas see
|
||||
+ * https://github.com/HCK-CI/HLK-Setup-Scripts/
|
||||
*)
|
||||
let firstboot_script = sprintf "\
|
||||
@echo off
|
||||
@@ -297,6 +302,7 @@ if not exist \"%%scripts_done%%\" (
|
||||
mkdir \"%%scripts_done%%\"
|
||||
)
|
||||
|
||||
+:: Pick the next script to run.
|
||||
for %%%%f in (\"%%scripts%%\"\\*.bat) do (
|
||||
echo running \"%%%%f\"
|
||||
move \"%%%%f\" \"%%scripts_done%%\"
|
||||
@@ -305,8 +311,17 @@ for %%%%f in (\"%%scripts%%\"\\*.bat) do (
|
||||
set elvl=!errorlevel!
|
||||
echo .... exit code !elvl!
|
||||
popd
|
||||
+
|
||||
+ :: Reboot the computer. This is necessary to free any locked
|
||||
+ :: files which may prevent later scripts from running.
|
||||
+ shutdown /r /t 0 /y
|
||||
+
|
||||
+ :: Exit the script (in case shutdown returns before rebooting).
|
||||
+ :: On next boot, the whole firstboot service will be called again.
|
||||
+ exit /b
|
||||
)
|
||||
|
||||
+:: Fallthrough here if there are no scripts.
|
||||
echo uninstalling firstboot service
|
||||
\"%%firstboot%%\\%s\" -s firstboot uninstall
|
||||
" firstboot_dir_win srvany in
|
||||
@@ -339,11 +354,25 @@ echo uninstalling firstboot service
|
||||
"PWD", REG_SZ firstboot_dir_win ];
|
||||
] in
|
||||
reg_import reg regedits
|
||||
- );
|
||||
-
|
||||
- firstboot_dir
|
||||
+ )
|
||||
end
|
||||
|
||||
+let firstboot_dir (g : Guestfs.guestfs) root =
|
||||
+ let typ = g#inspect_get_type root in
|
||||
+
|
||||
+ match typ with
|
||||
+ | "linux" ->
|
||||
+ let dir = Linux.firstboot_dir in
|
||||
+ g#mkdir_p dir;
|
||||
+ dir, None
|
||||
+
|
||||
+ | "windows" ->
|
||||
+ let dir, dir_win = Windows.create_firstboot_dir g in
|
||||
+ dir, Some dir_win
|
||||
+
|
||||
+ | _ ->
|
||||
+ error (f_"guest type %s is not supported") typ
|
||||
+
|
||||
let script_count = ref 0
|
||||
|
||||
let add_firstboot_script (g : Guestfs.guestfs) root ?(prio = 5000) name
|
||||
@@ -363,7 +392,8 @@ let add_firstboot_script (g : Guestfs.guestfs) root ?(prio = 5000) name
|
||||
g#chmod 0o755 filename
|
||||
|
||||
| "windows", _ ->
|
||||
- let firstboot_dir = Windows.install_service g root in
|
||||
+ let firstboot_dir, firstboot_dir_win = Windows.create_firstboot_dir g in
|
||||
+ Windows.install_service g root firstboot_dir firstboot_dir_win;
|
||||
let filename = firstboot_dir // "scripts" // filename ^ ".bat" in
|
||||
g#write filename (String.unix2dos content)
|
||||
|
||||
@@ -382,21 +412,18 @@ let add_firstboot_powershell g root ?prio name code =
|
||||
*)
|
||||
assert (g#inspect_get_type root = "windows");
|
||||
|
||||
- let windows_systemroot = g#inspect_get_windows_systemroot root in
|
||||
-
|
||||
- (* Create the temporary directory to put the Powershell file. *)
|
||||
- let tempdir = sprintf "%s/Temp" windows_systemroot in
|
||||
+ (* Place the Powershell script into firstboot_dir/Temp *)
|
||||
+ let firstboot_dir, firstboot_dir_win = Windows.create_firstboot_dir g in
|
||||
+ let tempdir = sprintf "%s/Temp" firstboot_dir in
|
||||
g#mkdir_p tempdir;
|
||||
+
|
||||
+ let ps_path = sprintf "%s/%s.ps1" tempdir name in
|
||||
+ let ps_path_win = sprintf "%s\\Temp\\%s.ps1" firstboot_dir_win name in
|
||||
let code = String.concat "\r\n" code ^ "\r\n" in
|
||||
- g#write (sprintf "%s/%s" tempdir name) code;
|
||||
+ g#write ps_path code;
|
||||
|
||||
- (* Powershell interpreter. Should we check this exists? XXX *)
|
||||
- let ps_exe =
|
||||
- windows_systemroot ^
|
||||
- "\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" in
|
||||
-
|
||||
- (* Windows path to the Powershell script. *)
|
||||
- let ps_path = windows_systemroot ^ "\\Temp\\" ^ name in
|
||||
-
|
||||
- let fb = sprintf "%s -ExecutionPolicy ByPass -file %s" ps_exe ps_path in
|
||||
+ (* Create a regular firstboot bat that just invokes powershell *)
|
||||
+ let fb =
|
||||
+ sprintf "powershell.exe -ExecutionPolicy ByPass -NoProfile -file \"%s\""
|
||||
+ ps_path_win in
|
||||
add_firstboot_script g root ?prio name fb
|
||||
diff --git a/common/mlcustomize/firstboot.mli b/common/mlcustomize/firstboot.mli
|
||||
index 8231af658..34ff06901 100644
|
||||
--- a/common/mlcustomize/firstboot.mli
|
||||
+++ b/common/mlcustomize/firstboot.mli
|
||||
@@ -16,6 +16,23 @@
|
||||
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*)
|
||||
|
||||
+val firstboot_dir : Guestfs.guestfs -> string -> string * string option
|
||||
+(** [firstboot_dir g root]
|
||||
+ returns the path of the firstboot directory, creating it in
|
||||
+ the guest if necessary.
|
||||
+
|
||||
+ This returns the name of the directory as a guestfs path, and
|
||||
+ optionally the name as a Windows path (only for Windows guests).
|
||||
+
|
||||
+ For Linux this could be [/usr/lib/virt-sysprep, None]
|
||||
+
|
||||
+ For Windows this could be ["/Program Files/Guestfs/Firstboot",
|
||||
+ Some "C:\Program Files\Guestfs\Firstboot"]
|
||||
+
|
||||
+ Additional files that are used during firstboot can be placed
|
||||
+ in this directory, but be careful not to conflict with files
|
||||
+ and scripts added by the firstboot process itself. *)
|
||||
+
|
||||
val add_firstboot_script : Guestfs.guestfs -> string -> ?prio:int -> string ->
|
||||
string -> unit
|
||||
(** [add_firstboot_script g root prio name content] adds a firstboot
|
||||
diff --git a/common/mlcustomize/inject_virtio_win.ml b/common/mlcustomize/inject_virtio_win.ml
|
||||
index 2a30b2008..afec1e456 100644
|
||||
--- a/common/mlcustomize/inject_virtio_win.ml
|
||||
+++ b/common/mlcustomize/inject_virtio_win.ml
|
||||
@@ -24,6 +24,8 @@ open Common_gettext.Gettext
|
||||
|
||||
open Regedit
|
||||
|
||||
+let re_blnsvr = PCRE.compile ~caseless:true "\\bblnsvr\\.exe$"
|
||||
+
|
||||
type t = {
|
||||
g : Guestfs.guestfs; (** guestfs handle *)
|
||||
|
||||
@@ -261,12 +263,38 @@ let rec inject_virtio_win_drivers ({ g } as t) reg =
|
||||
}
|
||||
)
|
||||
|
||||
-and inject_qemu_ga t =
|
||||
- let msi_files = copy_qemu_ga t in
|
||||
+and inject_qemu_ga ({ g; root } as t) =
|
||||
+ (* Copy the qemu-ga MSI(s) to the guest. *)
|
||||
+ let dir, dir_win = Firstboot.firstboot_dir g root in
|
||||
+ let dir_win = Option.value dir_win ~default:dir in
|
||||
+ let tempdir = sprintf "%s/Temp" dir in
|
||||
+ let tempdir_win = sprintf "%s\\Temp" dir_win in
|
||||
+ g#mkdir_p tempdir;
|
||||
+
|
||||
+ let msi_files = copy_qemu_ga t tempdir in
|
||||
if msi_files <> [] then
|
||||
- configure_qemu_ga t msi_files;
|
||||
+ configure_qemu_ga t tempdir_win msi_files;
|
||||
msi_files <> [] (* return true if we found some qemu-ga MSI files *)
|
||||
|
||||
+and inject_blnsvr ({ g; root } as t) =
|
||||
+ (* Copy the files to the guest. *)
|
||||
+ let dir, dir_win = Firstboot.firstboot_dir g root in
|
||||
+ let dir_win = Option.value dir_win ~default:dir in
|
||||
+ let tempdir = sprintf "%s/Temp" dir in
|
||||
+ let tempdir_win = sprintf "%s\\Temp" dir_win in
|
||||
+ g#mkdir_p tempdir;
|
||||
+
|
||||
+ let files = copy_blnsvr t tempdir in
|
||||
+ match files with
|
||||
+ | [] -> false (* Didn't find or install anything. *)
|
||||
+
|
||||
+ (* We usually find blnsvr.exe in two locations (drivers/by-os and
|
||||
+ * drivers/by-driver). Pick the first.
|
||||
+ *)
|
||||
+ | blnsvr :: _ ->
|
||||
+ configure_blnsvr t tempdir_win blnsvr;
|
||||
+ true
|
||||
+
|
||||
and add_guestor_to_registry t ((g, root) as reg) drv_name drv_pciid =
|
||||
let ddb_node = g#hivex_node_get_child root "DriverDatabase" in
|
||||
|
||||
@@ -346,8 +374,13 @@ and copy_drivers t driverdir =
|
||||
(fun () ->
|
||||
error (f_"root directory ‘/’ is missing from the virtio-win directory or ISO.\n\nThis should not happen and may indicate that virtio-win or virt-v2v is broken in some way. Please report this as a bug with a full debug log."))
|
||||
|
||||
-and copy_qemu_ga t =
|
||||
- copy_from_virtio_win t "/" "/" (virtio_iso_path_matches_qemu_ga t)
|
||||
+and copy_qemu_ga t tempdir =
|
||||
+ copy_from_virtio_win t "/" tempdir (virtio_iso_path_matches_qemu_ga t)
|
||||
+ (fun () ->
|
||||
+ error (f_"root directory ‘/’ is missing from the virtio-win directory or ISO.\n\nThis should not happen and may indicate that virtio-win or virt-v2v is broken in some way. Please report this as a bug with a full debug log."))
|
||||
+
|
||||
+and copy_blnsvr t tempdir =
|
||||
+ copy_from_virtio_win t "/" tempdir (virtio_iso_path_matches_blnsvr t)
|
||||
(fun () ->
|
||||
error (f_"root directory ‘/’ is missing from the virtio-win directory or ISO.\n\nThis should not happen and may indicate that virtio-win or virt-v2v is broken in some way. Please report this as a bug with a full debug log."))
|
||||
|
||||
@@ -513,6 +546,10 @@ and virtio_iso_path_matches_qemu_ga t path =
|
||||
| ("x86_64", "rhev-qga64.msi") -> true
|
||||
| _ -> false
|
||||
|
||||
+(* Find blnsvr for the current Windows version. *)
|
||||
+and virtio_iso_path_matches_blnsvr t path =
|
||||
+ virtio_iso_path_matches_guest_os t path && PCRE.matches re_blnsvr path
|
||||
+
|
||||
(* Look up in libosinfo for the OS, and copy all the locally
|
||||
* available files specified as drivers for that OS to the [destdir].
|
||||
*
|
||||
@@ -552,37 +589,35 @@ and copy_from_libosinfo { g; i_osinfo; i_arch } destdir =
|
||||
) driver.Libosinfo.files
|
||||
with Not_found -> []
|
||||
|
||||
-and configure_qemu_ga t files =
|
||||
+(* Install qemu-ga. [files] is the non-empty list of possible qemu-ga
|
||||
+ * installers we detected.
|
||||
+ *)
|
||||
+and configure_qemu_ga t tempdir_win files =
|
||||
+ let script = ref [] in
|
||||
+ let add = List.push_back script in
|
||||
+
|
||||
+ add "# Virt-v2v script which installs QEMU Guest Agent";
|
||||
+ add "";
|
||||
+ add "# Uncomment this line for lots of debug output.";
|
||||
+ add "# Set-PSDebug -Trace 2";
|
||||
+ add "";
|
||||
+ add "Write-Host Installing QEMU Guest Agent";
|
||||
+ add "";
|
||||
+ add "# Run qemu-ga installers";
|
||||
List.iter (
|
||||
- fun msi_path ->
|
||||
- (* Windows is a trashfire.
|
||||
- * https://stackoverflow.com/a/18730884
|
||||
- * https://bugzilla.redhat.com/show_bug.cgi?id=1895323
|
||||
- *)
|
||||
- let psh_script = ref [] in
|
||||
- let add = List.push_back psh_script in
|
||||
+ fun msi ->
|
||||
+ add (sprintf "Write-Host \"Writing log to %s\\%s.log\""
|
||||
+ tempdir_win msi);
|
||||
+ (* [`] is an escape char for quotes *)
|
||||
+ add (sprintf "Start-Process -Wait -FilePath \"%s\\%s\" -ArgumentList \"/norestart\",\"/qn\",\"/l+*vx\",\"`\"%s\\%s.log`\"\""
|
||||
+ tempdir_win msi tempdir_win msi)
|
||||
+ ) files;
|
||||
|
||||
- add "# Uncomment this line for lots of debug output.";
|
||||
- add "# Set-PSDebug -Trace 2";
|
||||
- add "";
|
||||
- add "Write-Host Removing any previously scheduled qemu-ga installation";
|
||||
- add "schtasks.exe /Delete /TN Firstboot-qemu-ga /F";
|
||||
- add "";
|
||||
- add (sprintf
|
||||
- "Write-Host Scheduling delayed installation of qemu-ga from %s"
|
||||
- msi_path);
|
||||
- add "$d = (get-date).AddSeconds(120)";
|
||||
- add "$dtfinfo = [System.Globalization.DateTimeFormatInfo]::CurrentInfo";
|
||||
- add "$sdp = $dtfinfo.ShortDatePattern";
|
||||
- add "$sdp = $sdp -replace 'y+', 'yyyy'";
|
||||
- add "$sdp = $sdp -replace 'M+', 'MM'";
|
||||
- add "$sdp = $sdp -replace 'd+', 'dd'";
|
||||
- add "schtasks.exe /Create /SC ONCE `";
|
||||
- add " /ST $d.ToString('HH:mm') /SD $d.ToString($sdp) `";
|
||||
- add " /RU SYSTEM /TN Firstboot-qemu-ga `";
|
||||
- add (sprintf " /TR \"C:\\%s /forcerestart /qn /l+*vx C:\\%s.log\""
|
||||
- msi_path msi_path);
|
||||
+ Firstboot.add_firstboot_powershell t.g t.root "install-qemu-ga" !script
|
||||
|
||||
- Firstboot.add_firstboot_powershell t.g t.root
|
||||
- (sprintf "install-%s.ps1" msi_path) !psh_script;
|
||||
- ) files
|
||||
+and configure_blnsvr t tempdir_win blnsvr =
|
||||
+ let cmd = sprintf "\
|
||||
+ @echo off\n\
|
||||
+ echo Installing %s\n\
|
||||
+ \"%s\\%s\" -i\n" blnsvr tempdir_win blnsvr in
|
||||
+ Firstboot.add_firstboot_script t.g t.root "install-blnsvr" cmd
|
||||
diff --git a/common/mlcustomize/inject_virtio_win.mli b/common/mlcustomize/inject_virtio_win.mli
|
||||
index d14f04973..d273c4dd3 100644
|
||||
--- a/common/mlcustomize/inject_virtio_win.mli
|
||||
+++ b/common/mlcustomize/inject_virtio_win.mli
|
||||
@@ -93,3 +93,11 @@ val inject_qemu_ga : t -> bool
|
||||
the MSI(s).
|
||||
|
||||
Returns [true] iff we were able to inject qemu-ga. *)
|
||||
+
|
||||
+val inject_blnsvr : t -> bool
|
||||
+(** Inject the Balloon Server ([blnsvr.exe]) into a Windows guest.
|
||||
+
|
||||
+ A firstboot script is also injected which should install
|
||||
+ the server by running [blnsvr -i].
|
||||
+
|
||||
+ Returns [true] iff we were able to inject the Balloon Server. *)
|
||||
diff --git a/common/mldrivers/linux_kernels.ml b/common/mldrivers/linux_kernels.ml
|
||||
index 23ff76a55..e0b6b8a00 100644
|
||||
--- a/common/mldrivers/linux_kernels.ml
|
||||
+++ b/common/mldrivers/linux_kernels.ml
|
||||
@@ -102,7 +102,7 @@ let detect_kernels (g : G.guestfs) root bootloader apps =
|
||||
) apps in
|
||||
if verbose () then (
|
||||
let names = List.map (fun { G.app2_name = name } -> name) kernel_pkgs in
|
||||
- eprintf "candidate kernel packages in this guest: %s%!\n"
|
||||
+ eprintf "info: candidate kernel packages in this guest: %s%!\n"
|
||||
(String.concat " " names)
|
||||
);
|
||||
List.filter_map (
|
||||
@@ -306,7 +306,7 @@ let detect_kernels (g : G.guestfs) root bootloader apps =
|
||||
) kernel_pkgs in
|
||||
|
||||
if verbose () then (
|
||||
- eprintf "installed kernel packages in this guest:\n";
|
||||
+ eprintf "info: installed kernel packages in this guest:\n";
|
||||
List.iter (print_kernel_info stderr "\t") installed_kernels;
|
||||
flush stderr
|
||||
);
|
||||
@@ -343,7 +343,7 @@ let detect_kernels (g : G.guestfs) root bootloader apps =
|
||||
) vmlinuzes in
|
||||
|
||||
if verbose () then (
|
||||
- eprintf "kernels offered by the bootloader in this guest (first in list is default):\n";
|
||||
+ eprintf "info: kernels offered by the bootloader in this guest (first in list is default):\n";
|
||||
List.iter (print_kernel_info stderr "\t") bootloader_kernels;
|
||||
flush stderr
|
||||
);
|
||||
diff --git a/common/options/uri.c b/common/options/uri.c
|
||||
index 84d393c1e..9180d6a27 100644
|
||||
--- a/common/options/uri.c
|
||||
+++ b/common/options/uri.c
|
||||
@@ -99,7 +99,7 @@ is_uri (const char *arg)
|
||||
return 0;
|
||||
|
||||
for (p--; p >= arg; p--) {
|
||||
- if (!c_islower (*p))
|
||||
+ if (! (c_islower (*p) || *p == '+'))
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -148,7 +148,10 @@ parse (const char *arg, char **path_ret, char **protocol_ret,
|
||||
}
|
||||
*/
|
||||
|
||||
- *protocol_ret = strdup (uri->scheme);
|
||||
+ if (STREQ (uri->scheme, "nbd+unix"))
|
||||
+ *protocol_ret = strdup ("nbd");
|
||||
+ else
|
||||
+ *protocol_ret = strdup (uri->scheme);
|
||||
if (*protocol_ret == NULL) {
|
||||
perror ("strdup: protocol");
|
||||
return -1;
|
||||
@@ -194,7 +197,7 @@ parse (const char *arg, char **path_ret, char **protocol_ret,
|
||||
if (path && path[0] == '/' &&
|
||||
(STREQ (uri->scheme, "gluster") ||
|
||||
STREQ (uri->scheme, "iscsi") ||
|
||||
- STREQ (uri->scheme, "nbd") ||
|
||||
+ STRPREFIX (uri->scheme, "nbd") ||
|
||||
STREQ (uri->scheme, "rbd") ||
|
||||
STREQ (uri->scheme, "sheepdog")))
|
||||
path++;
|
||||
diff --git a/common/progress/progress.c b/common/progress/progress.c
|
||||
index e4b30663f..5848abd70 100644
|
||||
--- a/common/progress/progress.c
|
||||
+++ b/common/progress/progress.c
|
||||
@@ -123,6 +123,7 @@ progress_bar_init (unsigned flags)
|
||||
bar->machine_readable = 1;
|
||||
bar->utf8_mode = 0;
|
||||
bar->have_terminfo = 0;
|
||||
+ bar->fp = NULL;
|
||||
} else {
|
||||
bar->machine_readable = 0;
|
||||
|
||||
diff --git a/customize/customize_run.ml b/customize/customize_run.ml
|
||||
index 1314d6e30..afced8c84 100644
|
||||
--- a/customize/customize_run.ml
|
||||
+++ b/customize/customize_run.ml
|
||||
@@ -216,6 +216,9 @@ let run (g : G.guestfs) root (ops : ops) =
|
||||
if not (Hostname.set_hostname g root hostname) then
|
||||
warning (f_"hostname could not be set for this type of guest")
|
||||
|
||||
+ | `InjectBalloonServer _ ->
|
||||
+ error "injecting the balloon server is not supported in RHEL 9.4, use RHEL 9.5 or above"
|
||||
+
|
||||
| `InjectQemuGA meth ->
|
||||
(match get_virtio_win_handle "--inject-qemu-ga" meth with
|
||||
| None -> ()
|
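Review bot: `STRPREFIX (uri->scheme, "nbd")` in the second `parse` hunk of common/options/uri.c accepts any scheme that merely begins with "nbd", whereas the protocol mapping added in the first `parse` hunk only recognises exactly "nbd+unix"; together with `is_uri` now allowing '+' anywhere in the scheme, a scheme such as `nbd+tcp` appears to be treated as a URI, have its leading '/' stripped from the path, and be handed on with a protocol string of "nbd+tcp" — what a later consumer does with that is not visible here. Spelling out the two intended forms, `STREQ (uri->scheme, "nbd") || STREQ (uri->scheme, "nbd+unix") ||`, keeps the path-stripping set identical to what the protocol mapping handles. The enclosing `parse` function begins and ends outside these hunks. Separately, in the customize/customize_run.ml hunk the new `error "injecting the balloon server is not supported in RHEL 9.4, use RHEL 9.5 or above"` is the only user-facing message in view not wrapped in `f_` for translation, unlike the `warning (f_"hostname could not be set for this type of guest")` immediately above it; if that is intentional for a RHEL-only stub, a one-line comment saying so would save the next reader the question.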
@ -1,378 +0,0 @@
|
||||
From 2014844107fc356e945fb637ef9179bc29656864 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Mon, 6 Jun 2022 16:20:42 +0200
|
||||
Subject: [PATCH] customize: rebase to the common/mlcustomize/Guest_packages
|
||||
interface
|
||||
|
||||
Replace the "guest_install_command", "guest_update_command" and
|
||||
"guest_uninstall_command" helper functions with the corresponding
|
||||
functions from libguestfs-common, interface mlcustomize/Guest_packages.
|
||||
|
||||
Add a wrapper function for (a) dealing with the exceptions uniformly
|
||||
(keeping the original behavior of virt-customize), (b) centralizing the
|
||||
[g#inspect_get_package_management root] call. Regarding (b), the wrapper
|
||||
function fills in the last argument [package_management] of the
|
||||
Guest_packages functions; thus, pass partially applied functions to the
|
||||
wrapper at the original call sites.
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2028764
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20220606142042.16680-1-lersek@redhat.com>
|
||||
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
|
||||
(cherry picked from commit 7eb1ecf467e86374d72b23994d435139e302bca5)
|
||||
---
|
||||
common | 2 +-
|
||||
customize/customize_run.ml | 106 ++++---------------------------------
|
||||
2 files changed, 10 insertions(+), 98 deletions(-)
|
||||
|
||||
Submodule common f8de5508f..9e990f3e4:
|
||||
diff --git a/common/mlcustomize/Makefile.am b/common/mlcustomize/Makefile.am
|
||||
index cd7d897..4e26064 100644
|
||||
--- a/common/mlcustomize/Makefile.am
|
||||
+++ b/common/mlcustomize/Makefile.am
|
||||
@@ -38,10 +38,12 @@ generator_built = \
|
||||
|
||||
SOURCES_MLI = \
|
||||
firstboot.mli \
|
||||
+ guest_packages.mli \
|
||||
SELinux_relabel.mli
|
||||
|
||||
SOURCES_ML = \
|
||||
firstboot.ml \
|
||||
+ guest_packages.ml \
|
||||
SELinux_relabel.ml
|
||||
|
||||
if HAVE_OCAML
|
||||
diff --git a/common/mlcustomize/guest_packages.ml b/common/mlcustomize/guest_packages.ml
|
||||
new file mode 100644
|
||||
index 0000000..4c3c34e
|
||||
--- /dev/null
|
||||
+++ b/common/mlcustomize/guest_packages.ml
|
||||
@@ -0,0 +1,132 @@
|
||||
+(* virt-customize
|
||||
+ * Copyright (C) 2012-2021 Red Hat Inc.
|
||||
+ *
|
||||
+ * This program is free software; you can redistribute it and/or modify
|
||||
+ * it under the terms of the GNU General Public License as published by
|
||||
+ * the Free Software Foundation; either version 2 of the License, or
|
||||
+ * (at your option) any later version.
|
||||
+ *
|
||||
+ * This program is distributed in the hope that it will be useful,
|
||||
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ * GNU General Public License for more details.
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU General Public License along
|
||||
+ * with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
+ *)
|
||||
+
|
||||
+open Printf
|
||||
+
|
||||
+open Common_gettext.Gettext
|
||||
+open Std_utils
|
||||
+
|
||||
+exception Unknown_package_manager of string
|
||||
+exception Unimplemented_package_manager of string
|
||||
+
|
||||
+(* Windows has package_management == "unknown". *)
|
||||
+let error_unknown_package_manager flag =
|
||||
+ let msg = sprintf (f_"cannot use ‘%s’ because no package manager has been \
|
||||
+ detected for this guest OS.\n\nIf this guest OS is a \
|
||||
+ common one with ordinary package management then this \
|
||||
+ may have been caused by a failure of libguestfs \
|
||||
+ inspection.\n\nFor OSes such as Windows that lack \
|
||||
+ package management, this is not possible. Try using \
|
||||
+ one of the ‘--firstboot*’ flags instead (described in \
|
||||
+ the virt-customize(1) manual).") flag in
|
||||
+ raise (Unknown_package_manager msg)
|
||||
+
|
||||
+let error_unimplemented_package_manager flag pm =
|
||||
+ let msg = sprintf (f_"sorry, ‘%s’ with the ‘%s’ package manager has not \
|
||||
+ been implemented yet.\n\nYou can work around this by \
|
||||
+ using one of the ‘--run*’ or ‘--firstboot*’ options \
|
||||
+ instead (described in the virt-customize(1) manual).")
|
||||
+ flag pm in
|
||||
+ raise (Unimplemented_package_manager msg)
|
||||
+
|
||||
+(* http://distrowatch.com/dwres.php?resource=package-management *)
|
||||
+let install_command packages package_management =
|
||||
+ let quoted_args = String.concat " " (List.map quote packages) in
|
||||
+ match package_management with
|
||||
+ | "apk" ->
|
||||
+ sprintf "
|
||||
+ apk update
|
||||
+ apk add %s
|
||||
+ " quoted_args
|
||||
+ | "apt" ->
|
||||
+ (* http://unix.stackexchange.com/questions/22820 *)
|
||||
+ sprintf "
|
||||
+ export DEBIAN_FRONTEND=noninteractive
|
||||
+ apt_opts='-q -y -o Dpkg::Options::=--force-confnew'
|
||||
+ apt-get $apt_opts update
|
||||
+ apt-get $apt_opts install %s
|
||||
+ " quoted_args
|
||||
+ | "dnf" ->
|
||||
+ sprintf "dnf%s -y install %s"
|
||||
+ (if verbose () then " --verbose" else "")
|
||||
+ quoted_args
|
||||
+ | "pisi" -> sprintf "pisi it %s" quoted_args
|
||||
+ | "pacman" -> sprintf "pacman -S --noconfirm %s" quoted_args
|
||||
+ | "urpmi" -> sprintf "urpmi %s" quoted_args
|
||||
+ | "xbps" -> sprintf "xbps-install -Sy %s" quoted_args
|
||||
+ | "yum" -> sprintf "yum -y install %s" quoted_args
|
||||
+ | "zypper" -> sprintf "zypper -n in -l %s" quoted_args
|
||||
+
|
||||
+ | "unknown" ->
|
||||
+ error_unknown_package_manager (s_"--install")
|
||||
+ | pm ->
|
||||
+ error_unimplemented_package_manager (s_"--install") pm
|
||||
+
|
||||
+let update_command package_management =
|
||||
+ match package_management with
|
||||
+ | "apk" ->
|
||||
+ "
|
||||
+ apk update
|
||||
+ apk upgrade
|
||||
+ "
|
||||
+ | "apt" ->
|
||||
+ (* http://unix.stackexchange.com/questions/22820 *)
|
||||
+ "
|
||||
+ export DEBIAN_FRONTEND=noninteractive
|
||||
+ apt_opts='-q -y -o Dpkg::Options::=--force-confnew'
|
||||
+ apt-get $apt_opts update
|
||||
+ apt-get $apt_opts upgrade
|
||||
+ "
|
||||
+ | "dnf" ->
|
||||
+ sprintf "dnf%s -y --best upgrade"
|
||||
+ (if verbose () then " --verbose" else "")
|
||||
+ | "pisi" -> "pisi upgrade"
|
||||
+ | "pacman" -> "pacman -Su"
|
||||
+ | "urpmi" -> "urpmi --auto-select"
|
||||
+ | "xbps" -> "xbps-install -Suy"
|
||||
+ | "yum" -> "yum -y update"
|
||||
+ | "zypper" -> "zypper -n update -l"
|
||||
+
|
||||
+ | "unknown" ->
|
||||
+ error_unknown_package_manager (s_"--update")
|
||||
+ | pm ->
|
||||
+ error_unimplemented_package_manager (s_"--update") pm
|
||||
+
|
||||
+let uninstall_command packages package_management =
|
||||
+ let quoted_args = String.concat " " (List.map quote packages) in
|
||||
+ match package_management with
|
||||
+ | "apk" -> sprintf "apk del %s" quoted_args
|
||||
+ | "apt" ->
|
||||
+ (* http://unix.stackexchange.com/questions/22820 *)
|
||||
+ sprintf "
|
||||
+ export DEBIAN_FRONTEND=noninteractive
|
||||
+ apt_opts='-q -y -o Dpkg::Options::=--force-confnew'
|
||||
+ apt-get $apt_opts remove %s
|
||||
+ " quoted_args
|
||||
+ | "dnf" -> sprintf "dnf -y remove %s" quoted_args
|
||||
+ | "pisi" -> sprintf "pisi rm %s" quoted_args
|
||||
+ | "pacman" -> sprintf "pacman -R %s" quoted_args
|
||||
+ | "urpmi" -> sprintf "urpme %s" quoted_args
|
||||
+ | "xbps" -> sprintf "xbps-remove -Sy %s" quoted_args
|
||||
+ | "yum" -> sprintf "yum -y remove %s" quoted_args
|
||||
+ | "zypper" -> sprintf "zypper -n rm %s" quoted_args
|
||||
+
|
||||
+ | "unknown" ->
|
||||
+ error_unknown_package_manager (s_"--uninstall")
|
||||
+ | pm ->
|
||||
+ error_unimplemented_package_manager (s_"--uninstall") pm
|
||||
diff --git a/common/mlcustomize/guest_packages.mli b/common/mlcustomize/guest_packages.mli
|
||||
new file mode 100644
|
||||
index 0000000..7504a6a
|
||||
--- /dev/null
|
||||
+++ b/common/mlcustomize/guest_packages.mli
|
||||
@@ -0,0 +1,44 @@
+(* virt-customize
+ * Copyright (C) 2012-2021 Red Hat Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *)
+
+exception Unknown_package_manager of string
+exception Unimplemented_package_manager of string
+(** For all three functions below, [package_management] determines the package
+ management system in use by the guest; commonly it should be filled in from
+ [Guestfs.inspect_get_package_management], or the equivalent guestfs object
+ method.
+
+ If [package_management] is unknown or unimplemented, the functions raise
+ [Unknown_package_manager "error message"] or [Unimplemented_package_manager
+ "error message"], correspondingly. *)
+
+val install_command : string list -> string -> string
+(** [install_command packages package_management] produces a properly quoted
+ shell command string suitable for execution in the guest (directly or via a
+ Firstboot script) for installing the OS packages listed in [packages]. *)
+
+val update_command : string -> string
+(** [update_command package_management] produces a properly quoted shell command
+ string suitable for execution in the guest (directly or via a Firstboot
+ script) for updating the OS packages that are currently installed in the
+ guest. *)
+
+val uninstall_command : string list -> string -> string
+(** [uninstall_command packages package_management] produces a properly quoted
+ shell command string suitable for execution in the guest (directly or via a
+ Firstboot script) for uninstalling the OS packages listed in [packages]. *)
diff --git a/customize/customize_run.ml b/customize/customize_run.ml
index 99b5fe14d..bb2ba2a03 100644
--- a/customize/customize_run.ml
+++ b/customize/customize_run.ml
@@ -67,99 +67,11 @@ let run (g : G.guestfs) root (ops : ops) =
error (f_"%s: command exited with an error") display
in
|
||||
- (* http://distrowatch.com/dwres.php?resource=package-management *)
|
||||
- let rec guest_install_command packages =
|
||||
- let quoted_args = String.concat " " (List.map quote packages) in
|
||||
- match g#inspect_get_package_management root with
|
||||
- | "apk" ->
|
||||
- sprintf "
|
||||
- apk update
|
||||
- apk add %s
|
||||
- " quoted_args
|
||||
- | "apt" ->
|
||||
- (* http://unix.stackexchange.com/questions/22820 *)
|
||||
- sprintf "
|
||||
- export DEBIAN_FRONTEND=noninteractive
|
||||
- apt_opts='-q -y -o Dpkg::Options::=--force-confnew'
|
||||
- apt-get $apt_opts update
|
||||
- apt-get $apt_opts install %s
|
||||
- " quoted_args
|
||||
- | "dnf" ->
|
||||
- sprintf "dnf%s -y install %s"
|
||||
- (if verbose () then " --verbose" else "")
|
||||
- quoted_args
|
||||
- | "pisi" -> sprintf "pisi it %s" quoted_args
|
||||
- | "pacman" -> sprintf "pacman -S --noconfirm %s" quoted_args
|
||||
- | "urpmi" -> sprintf "urpmi %s" quoted_args
|
||||
- | "xbps" -> sprintf "xbps-install -Sy %s" quoted_args
|
||||
- | "yum" -> sprintf "yum -y install %s" quoted_args
|
||||
- | "zypper" -> sprintf "zypper -n in -l %s" quoted_args
|
||||
-
|
||||
- | "unknown" ->
|
||||
- error_unknown_package_manager (s_"--install")
|
||||
- | pm ->
|
||||
- error_unimplemented_package_manager (s_"--install") pm
|
||||
-
|
||||
- and guest_update_command () =
|
||||
- match g#inspect_get_package_management root with
|
||||
- | "apk" ->
|
||||
- "
|
||||
- apk update
|
||||
- apk upgrade
|
||||
- "
|
||||
- | "apt" ->
|
||||
- (* http://unix.stackexchange.com/questions/22820 *)
|
||||
- "
|
||||
- export DEBIAN_FRONTEND=noninteractive
|
||||
- apt_opts='-q -y -o Dpkg::Options::=--force-confnew'
|
||||
- apt-get $apt_opts update
|
||||
- apt-get $apt_opts upgrade
|
||||
- "
|
||||
- | "dnf" ->
|
||||
- sprintf "dnf%s -y --best upgrade"
|
||||
- (if verbose () then " --verbose" else "")
|
||||
- | "pisi" -> "pisi upgrade"
|
||||
- | "pacman" -> "pacman -Su"
|
||||
- | "urpmi" -> "urpmi --auto-select"
|
||||
- | "xbps" -> "xbps-install -Suy"
|
||||
- | "yum" -> "yum -y update"
|
||||
- | "zypper" -> "zypper -n update -l"
|
||||
-
|
||||
- | "unknown" ->
|
||||
- error_unknown_package_manager (s_"--update")
|
||||
- | pm ->
|
||||
- error_unimplemented_package_manager (s_"--update") pm
|
||||
-
|
||||
- and guest_uninstall_command packages =
|
||||
- let quoted_args = String.concat " " (List.map quote packages) in
|
||||
- match g#inspect_get_package_management root with
|
||||
- | "apk" -> sprintf "apk del %s" quoted_args
|
||||
- | "apt" ->
|
||||
- (* http://unix.stackexchange.com/questions/22820 *)
|
||||
- sprintf "
|
||||
- export DEBIAN_FRONTEND=noninteractive
|
||||
- apt_opts='-q -y -o Dpkg::Options::=--force-confnew'
|
||||
- apt-get $apt_opts remove %s
|
||||
- " quoted_args
|
||||
- | "dnf" -> sprintf "dnf -y remove %s" quoted_args
|
||||
- | "pisi" -> sprintf "pisi rm %s" quoted_args
|
||||
- | "pacman" -> sprintf "pacman -R %s" quoted_args
|
||||
- | "urpmi" -> sprintf "urpme %s" quoted_args
|
||||
- | "xbps" -> sprintf "xbps-remove -Sy %s" quoted_args
|
||||
- | "yum" -> sprintf "yum -y remove %s" quoted_args
|
||||
- | "zypper" -> sprintf "zypper -n rm %s" quoted_args
|
||||
-
|
||||
- | "unknown" ->
|
||||
- error_unknown_package_manager (s_"--uninstall")
|
||||
- | pm ->
|
||||
- error_unimplemented_package_manager (s_"--uninstall") pm
|
||||
-
|
||||
- (* Windows has package_management == "unknown". *)
|
||||
- and error_unknown_package_manager flag =
|
||||
- error (f_"cannot use ‘%s’ because no package manager has been detected for this guest OS.\n\nIf this guest OS is a common one with ordinary package management then this may have been caused by a failure of libguestfs inspection.\n\nFor OSes such as Windows that lack package management, this is not possible. Try using one of the ‘--firstboot*’ flags instead (described in the manual).") flag
|
||||
-
|
||||
- and error_unimplemented_package_manager flag pm =
|
||||
- error (f_"sorry, ‘%s’ with the ‘%s’ package manager has not been implemented yet.\n\nYou can work around this by using one of the ‘--run*’ or ‘--firstboot*’ options instead (described in the manual).") flag pm
|
||||
+ let guest_pkgs_command f =
|
||||
+ try f (g#inspect_get_package_management root) with
|
||||
+ | Guest_packages.Unknown_package_manager msg
|
||||
+ | Guest_packages.Unimplemented_package_manager msg ->
|
||||
+ error "%s" msg
|
||||
in
|
||||
|
||||
(* Set the random seed. *)
|
||||
@@ -255,7 +167,7 @@ let run (g : G.guestfs) root (ops : ops) =
|
||||
| `FirstbootPackages pkgs ->
|
||||
message (f_"Installing firstboot packages: %s")
|
||||
(String.concat " " pkgs);
|
||||
- let cmd = guest_install_command pkgs in
|
||||
+ let cmd = guest_pkgs_command (Guest_packages.install_command pkgs) in
|
||||
let name = String.concat " " ("install" :: pkgs) in
|
||||
Firstboot.add_firstboot_script g root name cmd
|
||||
|
||||
@@ -271,7 +183,7 @@ let run (g : G.guestfs) root (ops : ops) =
|
||||
|
||||
| `InstallPackages pkgs ->
|
||||
message (f_"Installing packages: %s") (String.concat " " pkgs);
|
||||
- let cmd = guest_install_command pkgs in
|
||||
+ let cmd = guest_pkgs_command (Guest_packages.install_command pkgs) in
|
||||
do_run ~display:cmd ~warn_failed_no_network:true cmd
|
||||
|
||||
| `Link (target, links) ->
|
||||
@@ -365,12 +277,12 @@ let run (g : G.guestfs) root (ops : ops) =
|
||||
|
||||
| `UninstallPackages pkgs ->
|
||||
message (f_"Uninstalling packages: %s") (String.concat " " pkgs);
|
||||
- let cmd = guest_uninstall_command pkgs in
|
||||
+ let cmd = guest_pkgs_command (Guest_packages.uninstall_command pkgs) in
|
||||
do_run ~display:cmd cmd
|
||||
|
||||
| `Update ->
|
||||
message (f_"Updating packages");
|
||||
- let cmd = guest_update_command () in
|
||||
+ let cmd = guest_pkgs_command Guest_packages.update_command in
|
||||
do_run ~display:cmd ~warn_failed_no_network:true cmd
|
||||
|
||||
| `Upload (path, dest) ->
|
||||
--
|
||||
2.31.1
@ -1,53 +0,0 @@
|
||||
From 493060f2ee3d5c1c8d6192bbfd307e0b720f6c11 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Wed, 29 Jun 2022 15:38:46 +0200
|
||||
Subject: [PATCH] update common submodule for CVE-2022-2211 fix
|
||||
|
||||
$ git shortlog 9e990f3e4530..35467027f657
|
||||
|
||||
Laszlo Ersek (1):
|
||||
options: fix buffer overflow in get_keys() [CVE-2022-2211]
|
||||
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit b2e7de29b413d531c9540eb46878170e357f4b62)
|
||||
---
|
||||
common | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
Submodule common 9e990f3e4..35467027f:
|
||||
diff --git a/common/options/keys.c b/common/options/keys.c
|
||||
index 798315c..d27a712 100644
|
||||
--- a/common/options/keys.c
|
||||
+++ b/common/options/keys.c
|
||||
@@ -128,17 +128,23 @@ read_first_line_from_file (const char *filename)
|
||||
char **
|
||||
get_keys (struct key_store *ks, const char *device, const char *uuid)
|
||||
{
|
||||
- size_t i, j, len;
|
||||
+ size_t i, j, nmemb;
|
||||
char **r;
|
||||
char *s;
|
||||
|
||||
/* We know the returned list must have at least one element and not
|
||||
* more than ks->nr_keys.
|
||||
*/
|
||||
- len = 1;
|
||||
- if (ks)
|
||||
- len = MIN (1, ks->nr_keys);
|
||||
- r = calloc (len+1, sizeof (char *));
|
||||
+ nmemb = 1;
|
||||
+ if (ks && ks->nr_keys > nmemb)
|
||||
+ nmemb = ks->nr_keys;
|
||||
+
|
||||
+ /* make room for the terminating NULL */
|
||||
+ if (nmemb == (size_t)-1)
|
||||
+ error (EXIT_FAILURE, 0, _("size_t overflow"));
|
||||
+ nmemb++;
|
||||
+
|
||||
+ r = calloc (nmemb, sizeof (char *));
|
||||
if (r == NULL)
|
||||
error (EXIT_FAILURE, errno, "calloc");
|
||||
|
||||
--
|
||||
2.31.1
@ -1,695 +0,0 @@
|
||||
From d95394da96af41b03c9347721a177a4ad9b7f1b0 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Fri, 1 Jul 2022 15:20:39 +0200
|
||||
Subject: [PATCH] cat, log, ls, tail, diff, edit, insp.: set networking for
|
||||
"--key ID:clevis"
|
||||
|
||||
Call the C-language helper key_store_requires_network() in those C
|
||||
utilities that understand "OPTION_key".
|
||||
|
||||
(Short log for libguestfs-common commit range 35467027f657..af6cb55bc58a:
|
||||
|
||||
Laszlo Ersek (12):
|
||||
options: fix UUID comparison logic bug in get_keys()
|
||||
mltools/tools_utils: remove unused function "key_store_to_cli"
|
||||
mltools/tools_utils: allow multiple "--key" options for OCaml tools too
|
||||
options: replace NULL-termination with number-of-elements in get_keys()
|
||||
options: wrap each passphrase from get_keys() into a struct
|
||||
options: add back-end for LUKS decryption with Clevis+Tang
|
||||
options: introduce selector type "key_clevis"
|
||||
options: generalize "--key" selector parsing for C-language utilities
|
||||
mltools/tools_utils-c: handle internal type error with abort()
|
||||
mltools/tools_utils: generalize "--key" selector parsing for OCaml utils
|
||||
options, mltools/tools_utils: parse "--key ID:clevis" options
|
||||
options, mltools/tools_utils: add helper for network dependency
|
||||
).
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20220628115702.5584-2-lersek@redhat.com>
|
||||
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
|
||||
(cherry picked from commit 14bf833e21cd89f1273e09f4952999b8da86b6ff)
|
||||
---
|
||||
cat/cat.c | 3 +++
|
||||
cat/log.c | 3 +++
|
||||
cat/ls.c | 3 +++
|
||||
cat/tail.c | 3 +++
|
||||
common | 2 +-
|
||||
diff/diff.c | 8 ++++++++
|
||||
edit/edit.c | 3 +++
|
||||
inspector/inspector.c | 3 +++
|
||||
8 files changed, 27 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/cat/cat.c b/cat/cat.c
|
||||
index 5b51b7df8..ea2021140 100644
|
||||
--- a/cat/cat.c
|
||||
+++ b/cat/cat.c
|
||||
@@ -250,6 +250,9 @@ main (int argc, char *argv[])
|
||||
/* Add drives, inspect and mount. */
|
||||
add_drives (drvs);
|
||||
|
||||
+ if (key_store_requires_network (ks) && guestfs_set_network (g, 1) == -1)
|
||||
+ exit (EXIT_FAILURE);
|
||||
+
|
||||
if (guestfs_launch (g) == -1)
|
||||
exit (EXIT_FAILURE);
|
||||
|
||||
diff --git a/cat/log.c b/cat/log.c
|
||||
index df7e2be92..0fe486c05 100644
|
||||
--- a/cat/log.c
|
||||
+++ b/cat/log.c
|
||||
@@ -224,6 +224,9 @@ main (int argc, char *argv[])
|
||||
*/
|
||||
add_drives (drvs);
|
||||
|
||||
+ if (key_store_requires_network (ks) && guestfs_set_network (g, 1) == -1)
|
||||
+ exit (EXIT_FAILURE);
|
||||
+
|
||||
if (guestfs_launch (g) == -1)
|
||||
exit (EXIT_FAILURE);
|
||||
|
||||
diff --git a/cat/ls.c b/cat/ls.c
|
||||
index e062823b8..1b8e87225 100644
|
||||
--- a/cat/ls.c
|
||||
+++ b/cat/ls.c
|
||||
@@ -374,6 +374,9 @@ main (int argc, char *argv[])
|
||||
/* Add drives, inspect and mount. */
|
||||
add_drives (drvs);
|
||||
|
||||
+ if (key_store_requires_network (ks) && guestfs_set_network (g, 1) == -1)
|
||||
+ exit (EXIT_FAILURE);
|
||||
+
|
||||
if (guestfs_launch (g) == -1)
|
||||
exit (EXIT_FAILURE);
|
||||
|
||||
diff --git a/cat/tail.c b/cat/tail.c
|
||||
index 1cf1d6e0e..2a06e0ebd 100644
|
||||
--- a/cat/tail.c
|
||||
+++ b/cat/tail.c
|
||||
@@ -296,6 +296,9 @@ do_tail (int argc, char *argv[], /* list of files in the guest */
|
||||
/* Add drives, inspect and mount. */
|
||||
add_drives (drvs);
|
||||
|
||||
+ if (key_store_requires_network (ks) && guestfs_set_network (g, 1) == -1)
|
||||
+ exit (EXIT_FAILURE);
|
||||
+
|
||||
if (guestfs_launch (g) == -1)
|
||||
return -1;
|
||||
|
||||
Submodule common 35467027f..af6cb55bc:
|
||||
diff --git a/common/mltools/tools_utils-c.c b/common/mltools/tools_utils-c.c
|
||||
index 0814667..4ff42e5 100644
|
||||
--- a/common/mltools/tools_utils-c.c
|
||||
+++ b/common/mltools/tools_utils-c.c
|
||||
@@ -62,24 +62,31 @@ guestfs_int_mllib_inspect_decrypt (value gv, value gpv, value keysv)
|
||||
caml_raise_out_of_memory ();
|
||||
|
||||
v = Field (elemv, 1);
|
||||
- switch (Tag_val (v)) {
|
||||
- case 0: /* KeyString of string */
|
||||
- key.type = key_string;
|
||||
- key.string.s = strdup (String_val (Field (v, 0)));
|
||||
- if (!key.string.s)
|
||||
- caml_raise_out_of_memory ();
|
||||
- break;
|
||||
- case 1: /* KeyFileName of string */
|
||||
- key.type = key_file;
|
||||
- key.file.name = strdup (String_val (Field (v, 0)));
|
||||
- if (!key.file.name)
|
||||
- caml_raise_out_of_memory ();
|
||||
- break;
|
||||
- default:
|
||||
- error (EXIT_FAILURE, 0,
|
||||
- "internal error: unhandled Tag_val (v) = %d",
|
||||
- Tag_val (v));
|
||||
- }
|
||||
+ if (Is_block (v))
|
||||
+ switch (Tag_val (v)) {
|
||||
+ case 0: /* KeyString of string */
|
||||
+ key.type = key_string;
|
||||
+ key.string.s = strdup (String_val (Field (v, 0)));
|
||||
+ if (!key.string.s)
|
||||
+ caml_raise_out_of_memory ();
|
||||
+ break;
|
||||
+ case 1: /* KeyFileName of string */
|
||||
+ key.type = key_file;
|
||||
+ key.file.name = strdup (String_val (Field (v, 0)));
|
||||
+ if (!key.file.name)
|
||||
+ caml_raise_out_of_memory ();
|
||||
+ break;
|
||||
+ default:
|
||||
+ abort ();
|
||||
+ }
|
||||
+ else
|
||||
+ switch (Int_val (v)) {
|
||||
+ case 0: /* KeyClevis */
|
||||
+ key.type = key_clevis;
|
||||
+ break;
|
||||
+ default:
|
||||
+ abort ();
|
||||
+ }
|
||||
|
||||
ks = key_store_import_key (ks, &key);
|
||||
|
||||
diff --git a/common/mltools/tools_utils.ml b/common/mltools/tools_utils.ml
|
||||
index 695fda7..562bfad 100644
|
||||
--- a/common/mltools/tools_utils.ml
|
||||
+++ b/common/mltools/tools_utils.ml
|
||||
@@ -29,11 +29,12 @@ open Getopt.OptionName
|
||||
let prog = ref prog
|
||||
|
||||
type key_store = {
|
||||
- keys : (string, key_store_key) Hashtbl.t;
|
||||
+ keys : (string * key_store_key) list ref;
|
||||
}
|
||||
and key_store_key =
|
||||
| KeyString of string
|
||||
| KeyFileName of string
|
||||
+ | KeyClevis
|
||||
|
||||
external c_inspect_decrypt : Guestfs.t -> int64 -> (string * key_store_key) list -> unit = "guestfs_int_mllib_inspect_decrypt"
|
||||
external c_set_echo_keys : unit -> unit = "guestfs_int_mllib_set_echo_keys" [@@noalloc]
|
||||
@@ -376,7 +377,7 @@ let create_standard_options argspec ?anon_fun ?(key_opts = false)
|
||||
)
|
||||
in
|
||||
let ks = {
|
||||
- keys = Hashtbl.create 13;
|
||||
+ keys = ref [];
|
||||
} in
|
||||
let argspec = ref argspec in
|
||||
let add_argspec = List.push_back argspec in
|
||||
@@ -392,14 +393,28 @@ let create_standard_options argspec ?anon_fun ?(key_opts = false)
|
||||
|
||||
if key_opts then (
|
||||
let parse_key_selector arg =
|
||||
- let parts = String.nsplit ~max:3 ":" arg in
|
||||
+ let parts = String.nsplit ":" arg in
|
||||
match parts with
|
||||
+ | [] ->
|
||||
+ error (f_"selector '%s': missing ID") arg
|
||||
+ | [ _ ] ->
|
||||
+ error (f_"selector '%s': missing TYPE") arg
|
||||
+ | [ _; "key" ]
|
||||
+ | _ :: "key" :: _ :: _ :: _ ->
|
||||
+ error (f_"selector '%s': missing KEY_STRING, or too many fields") arg
|
||||
| [ device; "key"; key ] ->
|
||||
- Hashtbl.replace ks.keys device (KeyString key)
|
||||
+ List.push_back ks.keys (device, KeyString key)
|
||||
+ | [ _; "file" ]
|
||||
+ | _ :: "file" :: _ :: _ :: _ ->
|
||||
+ error (f_"selector '%s': missing FILENAME, or too many fields") arg
|
||||
| [ device; "file"; file ] ->
|
||||
- Hashtbl.replace ks.keys device (KeyFileName file)
|
||||
+ List.push_back ks.keys (device, KeyFileName file)
|
||||
+ | _ :: "clevis" :: _ :: _ ->
|
||||
+ error (f_"selector '%s': too many fields") arg
|
||||
+ | [ device; "clevis" ] ->
|
||||
+ List.push_back ks.keys (device, KeyClevis)
|
||||
| _ ->
|
||||
- error (f_"invalid selector string for --key: %s") arg
|
||||
+ error (f_"selector '%s': invalid TYPE") arg
|
||||
in
|
||||
|
||||
add_argspec ([ L"echo-keys" ], Getopt.Unit c_set_echo_keys, s_"Don’t turn off echo for passphrases");
|
||||
@@ -420,16 +435,6 @@ let create_standard_options argspec ?anon_fun ?(key_opts = false)
|
||||
let getopt = Getopt.create argspec ?anon_fun usage_msg in
|
||||
{ getopt; ks; debug_gc }
|
||||
|
||||
-let key_store_to_cli { keys } =
|
||||
- Hashtbl.fold (
|
||||
- fun k v acc ->
|
||||
- let arg =
|
||||
- match v with
|
||||
- | KeyString s -> sprintf "%s:key:%s" k s
|
||||
- | KeyFileName f -> sprintf "%s:file:%s" k f in
|
||||
- "--key" :: arg :: acc
|
||||
- ) keys []
|
||||
-
|
||||
(* Run an external command, slurp up the output as a list of lines. *)
|
||||
let external_command ?(echo_cmd = true) cmd =
|
||||
if echo_cmd then
|
||||
@@ -691,21 +696,19 @@ let is_btrfs_subvolume g fs =
|
||||
if g#last_errno () = Guestfs.Errno.errno_EINVAL then false
|
||||
else raise exn
|
||||
|
||||
+let key_store_requires_network ks =
|
||||
+ List.exists (function
|
||||
+ | _, KeyClevis -> true
|
||||
+ | _ -> false) !(ks.keys)
|
||||
+
|
||||
let inspect_decrypt g ks =
|
||||
- (* Turn the keys in the key_store into a simpler struct, so it is possible
|
||||
- * to read it using the C API.
|
||||
- *)
|
||||
- let keys_as_list = Hashtbl.fold (
|
||||
- fun k v acc ->
|
||||
- (k, v) :: acc
|
||||
- ) ks.keys [] in
|
||||
(* Note we pass original 'g' even though it is not used by the
|
||||
* callee. This is so that 'g' is kept as a root on the stack, and
|
||||
* so cannot be garbage collected while we are in the c_inspect_decrypt
|
||||
* function.
|
||||
*)
|
||||
c_inspect_decrypt g#ocaml_handle (Guestfs.c_pointer g#ocaml_handle)
|
||||
- keys_as_list
|
||||
+ !(ks.keys)
|
||||
|
||||
let with_timeout op timeout ?(sleep = 2) fn =
|
||||
let start_t = Unix.gettimeofday () in
|
||||
diff --git a/common/mltools/tools_utils.mli b/common/mltools/tools_utils.mli
|
||||
index 5018300..ec900e6 100644
|
||||
--- a/common/mltools/tools_utils.mli
|
||||
+++ b/common/mltools/tools_utils.mli
|
||||
@@ -103,14 +103,6 @@ val create_standard_options : Getopt.speclist -> ?anon_fun:Getopt.anon_fun -> ?k
|
||||
|
||||
Returns a new {!cmdline_options} structure. *)
|
||||
|
||||
-val key_store_to_cli : key_store -> string list
|
||||
-(** Convert a {!key_store} object back to a list of command line
|
||||
- options, essentially undoing the effect of Getopt parsing.
|
||||
- This is used in virt-v2v to pass the keystore to helpers.
|
||||
- It is not particularly secure, especially if you use the
|
||||
- [:key:] selector, although not any less secure than passing
|
||||
- them via the command line in the first place. *)
|
||||
-
|
||||
val external_command : ?echo_cmd:bool -> string -> string list
|
||||
(** Run an external command, slurp up the output as a list of lines.
|
||||
|
||||
@@ -204,6 +196,10 @@ val inspect_mount_root_ro : Guestfs.guestfs -> string -> unit
|
||||
val is_btrfs_subvolume : Guestfs.guestfs -> string -> bool
|
||||
(** Checks if a filesystem is a btrfs subvolume. *)
|
||||
|
||||
+val key_store_requires_network : key_store -> bool
|
||||
+(** [key_store_requires_network ks] returns [true] iff [ks] contains at least
|
||||
+ one "ID:clevis" selector. *)
|
||||
+
|
||||
val inspect_decrypt : Guestfs.guestfs -> key_store -> unit
|
||||
(** Simple implementation of decryption: look for any encrypted
|
||||
partitions and decrypt them, then rescan for VGs. *)
|
||||
diff --git a/common/options/decrypt.c b/common/options/decrypt.c
|
||||
index 1cd7b62..97c8b88 100644
|
||||
--- a/common/options/decrypt.c
|
||||
+++ b/common/options/decrypt.c
|
||||
@@ -124,10 +124,10 @@ decrypt_mountables (guestfs_h *g, const char * const *mountables,
|
||||
while ((mountable = *mnt_scan++) != NULL) {
|
||||
CLEANUP_FREE char *type = NULL;
|
||||
CLEANUP_FREE char *uuid = NULL;
|
||||
- CLEANUP_FREE_STRING_LIST char **keys = NULL;
|
||||
+ struct matching_key *keys;
|
||||
+ size_t nr_matches;
|
||||
CLEANUP_FREE char *mapname = NULL;
|
||||
- const char * const *key_scan;
|
||||
- const char *key;
|
||||
+ size_t scan;
|
||||
|
||||
type = guestfs_vfs_type (g, mountable);
|
||||
if (type == NULL)
|
||||
@@ -144,33 +144,45 @@ decrypt_mountables (guestfs_h *g, const char * const *mountables,
|
||||
/* Grab the keys that we should try with this device, based on device name,
|
||||
* or UUID (if any).
|
||||
*/
|
||||
- keys = get_keys (ks, mountable, uuid);
|
||||
- assert (keys[0] != NULL);
|
||||
+ keys = get_keys (ks, mountable, uuid, &nr_matches);
|
||||
+ assert (nr_matches > 0);
|
||||
|
||||
/* Generate a node name for the plaintext (decrypted) device node. */
|
||||
if (uuid == NULL || asprintf (&mapname, "luks-%s", uuid) == -1)
|
||||
mapname = make_mapname (mountable);
|
||||
|
||||
/* Try each key in turn. */
|
||||
- key_scan = (const char * const *)keys;
|
||||
- while ((key = *key_scan++) != NULL) {
|
||||
+ for (scan = 0; scan < nr_matches; ++scan) {
|
||||
+ struct matching_key *key = keys + scan;
|
||||
int r;
|
||||
|
||||
guestfs_push_error_handler (g, NULL, NULL);
|
||||
- r = guestfs_cryptsetup_open (g, mountable, key, mapname, -1);
|
||||
+ assert (key->clevis == (key->passphrase == NULL));
|
||||
+ if (key->clevis)
|
||||
+#ifdef GUESTFS_HAVE_CLEVIS_LUKS_UNLOCK
|
||||
+ r = guestfs_clevis_luks_unlock (g, mountable, mapname);
|
||||
+#else
|
||||
+ error (EXIT_FAILURE, 0,
|
||||
+ _("'clevis_luks_unlock', needed for decrypting %s, is "
|
||||
+ "unavailable in this libguestfs version"), mountable);
|
||||
+#endif
|
||||
+ else
|
||||
+ r = guestfs_cryptsetup_open (g, mountable, key->passphrase, mapname,
|
||||
+ -1);
|
||||
guestfs_pop_error_handler (g);
|
||||
|
||||
if (r == 0)
|
||||
break;
|
||||
}
|
||||
|
||||
- if (key == NULL)
|
||||
+ if (scan == nr_matches)
|
||||
error (EXIT_FAILURE, 0,
|
||||
_("could not find key to open LUKS encrypted %s.\n\n"
|
||||
"Try using --key on the command line.\n\n"
|
||||
"Original error: %s (%d)"),
|
||||
mountable, guestfs_last_error (g), guestfs_last_errno (g));
|
||||
|
||||
+ free_keys (keys, nr_matches);
|
||||
decrypted_some = true;
|
||||
}
|
||||
|
||||
diff --git a/common/options/key-option.pod b/common/options/key-option.pod
|
||||
index 90a3b15..6bc04df 100644
|
||||
--- a/common/options/key-option.pod
|
||||
+++ b/common/options/key-option.pod
|
||||
@@ -14,4 +14,13 @@ Use the specified C<KEY_STRING> as passphrase.
|
||||
|
||||
Read the passphrase from F<FILENAME>.
|
||||
|
||||
+=item B<--key> C<ID>:clevis
|
||||
+
|
||||
+Attempt passphrase-less unlocking for C<ID> with Clevis, over the
|
||||
+network. Please refer to L<guestfs(3)/ENCRYPTED DISKS> for more
|
||||
+information on network-bound disk encryption (NBDE).
|
||||
+
|
||||
+Note that if any such option is present on the command line, QEMU user
|
||||
+networking will be automatically enabled for the libguestfs appliance.
|
||||
+
|
||||
=back
|
||||
diff --git a/common/options/keys.c b/common/options/keys.c
|
||||
index d27a712..d987ae5 100644
|
||||
--- a/common/options/keys.c
|
||||
+++ b/common/options/keys.c
|
||||
@@ -125,11 +125,12 @@ read_first_line_from_file (const char *filename)
|
||||
* keystore. There may be multiple. If none are read from the
|
||||
* keystore, ask the user.
|
||||
*/
|
||||
-char **
|
||||
-get_keys (struct key_store *ks, const char *device, const char *uuid)
|
||||
+struct matching_key *
|
||||
+get_keys (struct key_store *ks, const char *device, const char *uuid,
|
||||
+ size_t *nr_matches)
|
||||
{
|
||||
- size_t i, j, nmemb;
|
||||
- char **r;
|
||||
+ size_t i, nmemb;
|
||||
+ struct matching_key *r, *match;
|
||||
char *s;
|
||||
|
||||
/* We know the returned list must have at least one element and not
|
||||
@@ -139,22 +140,20 @@ get_keys (struct key_store *ks, const char *device, const char *uuid)
|
||||
if (ks && ks->nr_keys > nmemb)
|
||||
nmemb = ks->nr_keys;
|
||||
|
||||
- /* make room for the terminating NULL */
|
||||
- if (nmemb == (size_t)-1)
|
||||
+ if (nmemb > (size_t)-1 / sizeof *r)
|
||||
error (EXIT_FAILURE, 0, _("size_t overflow"));
|
||||
- nmemb++;
|
||||
|
||||
- r = calloc (nmemb, sizeof (char *));
|
||||
+ r = malloc (nmemb * sizeof *r);
|
||||
if (r == NULL)
|
||||
- error (EXIT_FAILURE, errno, "calloc");
|
||||
+ error (EXIT_FAILURE, errno, "malloc");
|
||||
|
||||
- j = 0;
|
||||
+ match = r;
|
||||
|
||||
if (ks) {
|
||||
for (i = 0; i < ks->nr_keys; ++i) {
|
||||
struct key_store_key *key = &ks->keys[i];
|
||||
|
||||
- if (STRNEQ (key->id, device) && (uuid && STRNEQ (key->id, uuid)))
|
||||
+ if (STRNEQ (key->id, device) && (!uuid || STRNEQ (key->id, uuid)))
|
||||
continue;
|
||||
|
||||
switch (key->type) {
|
||||
@@ -162,68 +161,101 @@ get_keys (struct key_store *ks, const char *device, const char *uuid)
|
||||
s = strdup (key->string.s);
|
||||
if (!s)
|
||||
error (EXIT_FAILURE, errno, "strdup");
|
||||
- r[j++] = s;
|
||||
+ match->clevis = false;
|
||||
+ match->passphrase = s;
|
||||
+ ++match;
|
||||
break;
|
||||
case key_file:
|
||||
s = read_first_line_from_file (key->file.name);
|
||||
- r[j++] = s;
|
||||
+ match->clevis = false;
|
||||
+ match->passphrase = s;
|
||||
+ ++match;
|
||||
+ break;
|
||||
+ case key_clevis:
|
||||
+ match->clevis = true;
|
||||
+ match->passphrase = NULL;
|
||||
+ ++match;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
- if (j == 0) {
|
||||
+ if (match == r) {
|
||||
/* Key not found in the key store, ask the user for it. */
|
||||
s = read_key (device);
|
||||
if (!s)
|
||||
error (EXIT_FAILURE, 0, _("could not read key from user"));
|
||||
- r[0] = s;
|
||||
+ match->clevis = false;
|
||||
+ match->passphrase = s;
|
||||
+ ++match;
|
||||
}
|
||||
|
||||
+ *nr_matches = (size_t)(match - r);
|
||||
return r;
|
||||
}
|
||||
|
||||
+void
|
||||
+free_keys (struct matching_key *keys, size_t nr_matches)
|
||||
+{
|
||||
+ size_t i;
|
||||
+
|
||||
+ for (i = 0; i < nr_matches; ++i) {
|
||||
+ struct matching_key *key = keys + i;
|
||||
+
|
||||
+ assert (key->clevis == (key->passphrase == NULL));
|
||||
+ if (!key->clevis)
|
||||
+ free (key->passphrase);
|
||||
+ }
|
||||
+ free (keys);
|
||||
+}
|
||||
+
|
||||
struct key_store *
|
||||
key_store_add_from_selector (struct key_store *ks, const char *selector)
|
||||
{
|
||||
- CLEANUP_FREE_STRING_LIST char **fields =
|
||||
- guestfs_int_split_string (':', selector);
|
||||
+ CLEANUP_FREE_STRING_LIST char **fields = NULL;
|
||||
+ size_t field_count;
|
||||
struct key_store_key key;
|
||||
|
||||
+ fields = guestfs_int_split_string (':', selector);
|
||||
if (!fields)
|
||||
error (EXIT_FAILURE, errno, "guestfs_int_split_string");
|
||||
+ field_count = guestfs_int_count_strings (fields);
|
||||
|
||||
- if (guestfs_int_count_strings (fields) != 3) {
|
||||
- invalid_selector:
|
||||
- error (EXIT_FAILURE, 0, "invalid selector for --key: %s", selector);
|
||||
- }
|
||||
-
|
||||
- /* 1: device */
|
||||
+ /* field#0: ID */
|
||||
+ if (field_count < 1)
|
||||
+ error (EXIT_FAILURE, 0, _("selector '%s': missing ID"), selector);
|
||||
key.id = strdup (fields[0]);
|
||||
if (!key.id)
|
||||
error (EXIT_FAILURE, errno, "strdup");
|
||||
|
||||
- /* 2: key type */
|
||||
- if (STREQ (fields[1], "key"))
|
||||
+ /* field#1...: TYPE, and TYPE-specific properties */
|
||||
+ if (field_count < 2)
|
||||
+ error (EXIT_FAILURE, 0, _("selector '%s': missing TYPE"), selector);
|
||||
+
|
||||
+ if (STREQ (fields[1], "key")) {
|
||||
key.type = key_string;
|
||||
- else if (STREQ (fields[1], "file"))
|
||||
- key.type = key_file;
|
||||
- else
|
||||
- goto invalid_selector;
|
||||
-
|
||||
- /* 3: actual key */
|
||||
- switch (key.type) {
|
||||
- case key_string:
|
||||
+ if (field_count != 3)
|
||||
+ error (EXIT_FAILURE, 0,
|
||||
+ _("selector '%s': missing KEY_STRING, or too many fields"),
|
||||
+ selector);
|
||||
key.string.s = strdup (fields[2]);
|
||||
if (!key.string.s)
|
||||
error (EXIT_FAILURE, errno, "strdup");
|
||||
- break;
|
||||
- case key_file:
|
||||
+ } else if (STREQ (fields[1], "file")) {
|
||||
+ key.type = key_file;
|
||||
+ if (field_count != 3)
|
||||
+ error (EXIT_FAILURE, 0,
|
||||
+ _("selector '%s': missing FILENAME, or too many fields"),
|
||||
+ selector);
|
||||
key.file.name = strdup (fields[2]);
|
||||
if (!key.file.name)
|
||||
error (EXIT_FAILURE, errno, "strdup");
|
||||
- break;
|
||||
- }
|
||||
+ } else if (STREQ (fields[1], "clevis")) {
|
||||
+ key.type = key_clevis;
|
||||
+ if (field_count != 2)
|
||||
+ error (EXIT_FAILURE, 0, _("selector '%s': too many fields"), selector);
|
||||
+ } else
|
||||
+ error (EXIT_FAILURE, 0, _("selector '%s': invalid TYPE"), selector);
|
||||
|
||||
return key_store_import_key (ks, &key);
|
||||
}
|
||||
@@ -252,6 +284,21 @@ key_store_import_key (struct key_store *ks, const struct key_store_key *key)
|
||||
return ks;
|
||||
}
|
||||
|
||||
+bool
|
||||
+key_store_requires_network (const struct key_store *ks)
|
||||
+{
|
||||
+ size_t i;
|
||||
+
|
||||
+ if (ks == NULL)
|
||||
+ return false;
|
||||
+
|
||||
+ for (i = 0; i < ks->nr_keys; ++i)
|
||||
+ if (ks->keys[i].type == key_clevis)
|
||||
+ return true;
|
||||
+
|
||||
+ return false;
|
||||
+}
|
||||
+
|
||||
void
|
||||
free_key_store (struct key_store *ks)
|
||||
{
|
||||
@@ -270,6 +317,9 @@ free_key_store (struct key_store *ks)
|
||||
case key_file:
|
||||
free (key->file.name);
|
||||
break;
|
||||
+ case key_clevis:
|
||||
+ /* nothing */
|
||||
+ break;
|
||||
}
|
||||
free (key->id);
|
||||
}
|
||||
diff --git a/common/options/options.h b/common/options/options.h
|
||||
index 80df91a..60d5d80 100644
|
||||
--- a/common/options/options.h
|
||||
+++ b/common/options/options.h
|
||||
@@ -115,6 +115,7 @@ struct key_store_key {
|
||||
enum {
|
||||
key_string, /* key specified as string */
|
||||
key_file, /* key stored in a file */
|
||||
+ key_clevis, /* key reconstructed with Clevis+Tang */
|
||||
} type;
|
||||
union {
|
||||
struct {
|
||||
@@ -134,6 +135,19 @@ struct key_store {
|
||||
size_t nr_keys;
|
||||
};
|
||||
|
||||
+/* A key matching a particular ID (pathname of the libguestfs device node that
|
||||
+ * stands for the encrypted block device, or LUKS UUID).
|
||||
+ */
|
||||
+struct matching_key {
|
||||
+ /* True iff the passphrase should be reconstructed using Clevis, talking to
|
||||
+ * Tang servers over the network.
|
||||
+ */
|
||||
+ bool clevis;
|
||||
+
|
||||
+ /* Explicit passphrase, otherwise. */
|
||||
+ char *passphrase;
|
||||
+};
|
||||
+
|
||||
/* in config.c */
|
||||
extern void parse_config (void);
|
||||
|
||||
@@ -151,9 +165,12 @@ extern void print_inspect_prompt (void);
|
||||
|
||||
/* in key.c */
|
||||
extern char *read_key (const char *param);
|
||||
-extern char **get_keys (struct key_store *ks, const char *device, const char *uuid);
|
||||
+extern struct matching_key *get_keys (struct key_store *ks, const char *device,
|
||||
+ const char *uuid, size_t *nr_matches);
|
||||
+extern void free_keys (struct matching_key *keys, size_t nr_matches);
|
||||
extern struct key_store *key_store_add_from_selector (struct key_store *ks, const char *selector);
|
||||
extern struct key_store *key_store_import_key (struct key_store *ks, const struct key_store_key *key);
|
||||
+extern bool key_store_requires_network (const struct key_store *ks);
|
||||
extern void free_key_store (struct key_store *ks);
|
||||
|
||||
/* in options.c */
|
||||
diff --git a/diff/diff.c b/diff/diff.c
|
||||
index 6aae88e6a..c73129c82 100644
|
||||
--- a/diff/diff.c
|
||||
+++ b/diff/diff.c
|
||||
@@ -209,6 +209,7 @@ main (int argc, char *argv[])
|
||||
int option_index;
|
||||
struct tree *tree1, *tree2;
|
||||
struct key_store *ks = NULL;
|
||||
+ bool network;
|
||||
|
||||
g = guestfs_create ();
|
||||
if (g == NULL)
|
||||
@@ -378,6 +379,10 @@ main (int argc, char *argv[])
|
||||
/* Mount up first guest. */
|
||||
add_drives (drvs);
|
||||
|
||||
+ network = key_store_requires_network (ks);
|
||||
+ if (guestfs_set_network (g, network) == -1)
|
||||
+ exit (EXIT_FAILURE);
|
||||
+
|
||||
if (guestfs_launch (g) == -1)
|
||||
exit (EXIT_FAILURE);
|
||||
|
||||
@@ -389,6 +394,9 @@ main (int argc, char *argv[])
|
||||
/* Mount up second guest. */
|
||||
add_drives_handle (g2, drvs2, 0);
|
||||
|
||||
+ if (guestfs_set_network (g2, network) == -1)
|
||||
+ exit (EXIT_FAILURE);
|
||||
+
|
||||
if (guestfs_launch (g2) == -1)
|
||||
exit (EXIT_FAILURE);
|
||||
|
||||
diff --git a/edit/edit.c b/edit/edit.c
|
||||
index 7f06bce7f..90c6b85d5 100644
|
||||
--- a/edit/edit.c
|
||||
+++ b/edit/edit.c
|
||||
@@ -274,6 +274,9 @@ main (int argc, char *argv[])
|
||||
/* Add drives. */
|
||||
add_drives (drvs);
|
||||
|
||||
+ if (key_store_requires_network (ks) && guestfs_set_network (g, 1) == -1)
|
||||
+ exit (EXIT_FAILURE);
|
||||
+
|
||||
if (guestfs_launch (g) == -1)
|
||||
exit (EXIT_FAILURE);
|
||||
|
||||
diff --git a/inspector/inspector.c b/inspector/inspector.c
|
||||
index 25ee40f3f..2702e3310 100644
|
||||
--- a/inspector/inspector.c
|
||||
+++ b/inspector/inspector.c
|
||||
@@ -294,6 +294,9 @@ main (int argc, char *argv[])
|
||||
*/
|
||||
add_drives (drvs);
|
||||
|
||||
+ if (key_store_requires_network (ks) && guestfs_set_network (g, 1) == -1)
|
||||
+ exit (EXIT_FAILURE);
|
||||
+
|
||||
if (guestfs_launch (g) == -1)
|
||||
exit (EXIT_FAILURE);
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,59 +0,0 @@
|
||||
From 77a10b30f6f6fdb1648b12f68147e6a894526802 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Tue, 28 Jun 2022 13:57:00 +0200
|
||||
Subject: [PATCH] get-kernel, sparsify: set networking for "--key ID:clevis"
|
||||
|
||||
Call the OCaml-language helper "key_store_requires_network" in those OCaml
|
||||
utilities that pass "~key_opts:true" to "create_standard_options", and do
|
||||
not have any code related to networking yet.
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20220628115702.5584-3-lersek@redhat.com>
|
||||
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
|
||||
(cherry picked from commit 4f66f0892e6fd75d10dcfa2f9e94b3e32bdb906e)
|
||||
---
|
||||
get-kernel/get_kernel.ml | 1 +
|
||||
sparsify/copying.ml | 1 +
|
||||
sparsify/in_place.ml | 1 +
|
||||
3 files changed, 3 insertions(+)
|
||||
|
||||
diff --git a/get-kernel/get_kernel.ml b/get-kernel/get_kernel.ml
|
||||
index e485cf495..9c2aa17c2 100644
|
||||
--- a/get-kernel/get_kernel.ml
|
||||
+++ b/get-kernel/get_kernel.ml
|
||||
@@ -176,6 +176,7 @@ let main () =
|
||||
(* Connect to libguestfs. *)
|
||||
let g = open_guestfs () in
|
||||
add g;
|
||||
+ g#set_network (key_store_requires_network ks);
|
||||
g#launch ();
|
||||
|
||||
(* Decrypt the disks. *)
|
||||
diff --git a/sparsify/copying.ml b/sparsify/copying.ml
|
||||
index 39d06c94c..21a603d63 100644
|
||||
--- a/sparsify/copying.ml
|
||||
+++ b/sparsify/copying.ml
|
||||
@@ -187,6 +187,7 @@ You can ignore this warning or change it to a hard failure using the
|
||||
let machine_readable = machine_readable () <> None in
|
||||
Progress.set_up_progress_bar ~machine_readable g
|
||||
);
|
||||
+ g#set_network (key_store_requires_network ks);
|
||||
g#launch ();
|
||||
|
||||
g in
|
||||
diff --git a/sparsify/in_place.ml b/sparsify/in_place.ml
|
||||
index 00f0e0564..0eec63e6f 100644
|
||||
--- a/sparsify/in_place.ml
|
||||
+++ b/sparsify/in_place.ml
|
||||
@@ -58,6 +58,7 @@ let run disk format ignores zeroes ks =
|
||||
let machine_readable = machine_readable () <> None in
|
||||
Progress.set_up_progress_bar ~machine_readable g
|
||||
);
|
||||
+ g#set_network (key_store_requires_network ks);
|
||||
g#launch ();
|
||||
|
||||
(* If discard is not supported in the appliance, we must return exit
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,47 +0,0 @@
|
||||
From fe59e93b27e3bc17b5cc0874e103330e0000b210 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Tue, 28 Jun 2022 13:57:01 +0200
|
||||
Subject: [PATCH] customize: add reminder about "--key ID:clevis"
|
||||
|
||||
virt-customize already enables appliance networking by default;
|
||||
conversely, if the user passes "--no-network", we shouldn't override that
|
||||
for the sake of "--key ID:clevis". Add comments about clevis to the code.
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20220628115702.5584-4-lersek@redhat.com>
|
||||
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
|
||||
(cherry picked from commit e52aea48cbcea3f3b538db0573b58517cbc33da0)
|
||||
---
|
||||
customize/customize_main.ml | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/customize/customize_main.ml b/customize/customize_main.ml
|
||||
index 8a022342f..32b7eebdd 100644
|
||||
--- a/customize/customize_main.ml
|
||||
+++ b/customize/customize_main.ml
|
||||
@@ -52,7 +52,11 @@ let main () =
|
||||
let libvirturi = ref "" in
|
||||
let memsize = ref None in
|
||||
let set_memsize arg = memsize := Some arg in
|
||||
+
|
||||
+ (* Note that [--key ID:clevis] depends on this default. See more below, near
|
||||
+ * [g#set_network network]. *)
|
||||
let network = ref true in
|
||||
+
|
||||
let smp = ref None in
|
||||
let set_smp arg = smp := Some arg in
|
||||
|
||||
@@ -159,6 +163,9 @@ read the man page virt-customize(1).
|
||||
let g = open_guestfs () in
|
||||
Option.may g#set_memsize memsize;
|
||||
Option.may g#set_smp smp;
|
||||
+ (* [--no-network] from the command line takes precedence over the automatic
|
||||
+ * network enablement for [--key ID:clevis], so here we intentionally don't check
|
||||
+ * [key_store_requires_network opthandle.ks]. *)
|
||||
g#set_network network;
|
||||
|
||||
(* Add disks. *)
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,67 +0,0 @@
|
||||
From c2917c9a7f0c23b94d30af2a5a14e67c46e38242 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Tue, 28 Jun 2022 13:57:02 +0200
|
||||
Subject: [PATCH] sysprep: set networking for "--key ID:clevis"
|
||||
|
||||
Similarly to virt-customize, virt-sysprep has prior "--network" and
|
||||
"--no-network" options. Unlike virt-customize though, virt-sysprep
|
||||
defaults to disabling the appliance network. Therefore we can't tell
|
||||
whether the network is disabled "by default" or because the user requested
|
||||
it.
|
||||
|
||||
That's a problem: "--key ID:clevis" is supposed to override the former,
|
||||
but not the latter. Add a separate option for tracking "--no-network", and
|
||||
only if "--no-network" is absent, permit "--network" or "--key ID:clevis"
|
||||
to turn on the network.
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20220628115702.5584-5-lersek@redhat.com>
|
||||
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
|
||||
(cherry picked from commit 1cce13223e9321d1ef333d6ae356c24203990a4a)
|
||||
---
|
||||
sysprep/main.ml | 7 +++++--
|
||||
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/sysprep/main.ml b/sysprep/main.ml
|
||||
index b760618ad..1f722dfb0 100644
|
||||
--- a/sysprep/main.ml
|
||||
+++ b/sysprep/main.ml
|
||||
@@ -44,6 +44,7 @@ let main () =
|
||||
let libvirturi = ref "" in
|
||||
let mount_opts = ref "" in
|
||||
let network = ref false in
|
||||
+ let no_network = ref false in
|
||||
let operations = ref None in
|
||||
|
||||
let format = ref "auto" in
|
||||
@@ -131,7 +132,7 @@ let main () =
|
||||
[ L"list-operations" ], Getopt.Unit list_operations, s_"List supported operations";
|
||||
[ L"mount-options" ], Getopt.Set_string (s_"opts", mount_opts), s_"Set mount options (eg /:noatime;/var:rw,noatime)";
|
||||
[ L"network" ], Getopt.Set network, s_"Enable appliance network";
|
||||
- [ L"no-network" ], Getopt.Clear network, s_"Disable appliance network (default)";
|
||||
+ [ L"no-network" ], Getopt.Set no_network, s_"Disable appliance network (default)";
|
||||
[ L"operation"; L"operations" ], Getopt.String (s_"operations", set_operations), s_"Enable/disable specific operations";
|
||||
] in
|
||||
let args = basic_args @ Sysprep_operation.extra_args () in
|
||||
@@ -188,6 +189,7 @@ read the man page virt-sysprep(1).
|
||||
(* Dereference the rest of the args. *)
|
||||
let dryrun = !dryrun in
|
||||
let network = !network in
|
||||
+ let no_network = !no_network in
|
||||
let operations = !operations in
|
||||
|
||||
(* At this point we know which operations are enabled. So call the
|
||||
@@ -208,7 +210,8 @@ read the man page virt-sysprep(1).
|
||||
|
||||
(* Connect to libguestfs. *)
|
||||
let g = open_guestfs () in
|
||||
- g#set_network network;
|
||||
+ g#set_network (not no_network &&
|
||||
+ (network || key_store_requires_network opthandle.ks));
|
||||
add g dryrun;
|
||||
g#launch ();
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,87 +0,0 @@
|
||||
From d15d829d20c1a0d21da584257c4634517d4271d1 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Thu, 14 Jul 2022 12:40:04 +0200
|
||||
Subject: [PATCH] sysprep: make an effort to cope with LUKS-on-LVM
|
||||
|
||||
If the guest disk uses the LUKS-on-LVM scheme, then sysprep has a problem:
|
||||
|
||||
- the "fs-uuids" blockdev operation depends on the decrypted LUKS devices
|
||||
being open,
|
||||
|
||||
- the "lvm-uuids" blockdev operation depends on the same devices being
|
||||
closed.
|
||||
|
||||
Attempt to deal with this in "lvm-uuids".
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2106286
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20220714104005.8334-2-lersek@redhat.com>
|
||||
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
|
||||
(cherry picked from commit 361a447bcb7aef399abad8075ee41197c4071f71)
|
||||
---
|
||||
sysprep/sysprep_operation_lvm_uuids.ml | 42 +++++++++++++++++++++++++-
|
||||
1 file changed, 41 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/sysprep/sysprep_operation_lvm_uuids.ml b/sysprep/sysprep_operation_lvm_uuids.ml
|
||||
index c67b21487..5fc623039 100644
|
||||
--- a/sysprep/sysprep_operation_lvm_uuids.ml
|
||||
+++ b/sysprep/sysprep_operation_lvm_uuids.ml
|
||||
@@ -30,7 +30,46 @@ let rec lvm_uuids_perform g root side_effects =
|
||||
try g#available [|"lvm2"|]; true with G.Error _ -> false in
|
||||
if has_lvm2_feature then (
|
||||
let has_pvs, has_vgs = g#pvs () <> [||], g#vgs () <> [||] in
|
||||
- if has_pvs || has_vgs then g#vg_activate_all false;
|
||||
+ if has_pvs || has_vgs then (
|
||||
+ try g#vg_activate_all false
|
||||
+ with G.Error _ as exn ->
|
||||
+ (* If the "luks" feature is not available, re-raise the exception. *)
|
||||
+ (try g#available [|"luks"|] with G.Error _ -> raise exn);
|
||||
+
|
||||
+ (* Assume VG deactivation failed due to the guest using the
|
||||
+ * FS-on-LUKS-on-LVM scheme.
|
||||
+ *
|
||||
+ * By now, we have unmounted filesystems, but the decrypted LUKS
|
||||
+ * devices still keep the LVs open. Therefore, attempt closing all
|
||||
+ * decrypted LUKS devices that were opened by inspection (i.e., device
|
||||
+ * nodes with pathnames like "/dev/mapper/luks-<uuid>"). Closing the
|
||||
+ * decrypted LUKS devices should remove the references from their
|
||||
+ * underlying LVs, and then VG deactivation should succeed too.
|
||||
+ *
|
||||
+ * Note that closing the decrypted LUKS devices prevents the
|
||||
+ * blockdev-level manipulation of those filesystems that reside on
|
||||
+ * said decrypted LUKS devices, such as the "fs-uuids" operation. But
|
||||
+ * that should be OK, as we order the present operation after all
|
||||
+ * other block device ops.
|
||||
+ *
|
||||
+ * In case the guest uses the FS-on-LVM-on-LUKS scheme, then the
|
||||
+ * original VG deactivation must have failed for a different reason.
|
||||
+ * (As we have unmounted filesystems earlier, and LUKS is below, not
|
||||
+ * on top of, LVM.) The LUKS-closing attempts below will fail then,
|
||||
+ * due to LVM keeping the decrypted LUKS devices open. This failure is
|
||||
+ * harmless and can be considered a no-op. The final, retried VG
|
||||
+ * deactivation should reproduce the original failure.
|
||||
+ *)
|
||||
+ let luks_re = PCRE.compile ("^/dev/mapper/luks" ^
|
||||
+ "-[[:xdigit:]]{8}" ^
|
||||
+ "(?:-[[:xdigit:]]{4}){3}" ^
|
||||
+ "-[[:xdigit:]]{12}$")
|
||||
+ and dmdevs = Array.to_list (g#list_dm_devices ()) in
|
||||
+ let plaintext_devs = List.filter (PCRE.matches luks_re) dmdevs in
|
||||
+ List.iter (fun dev -> try g#cryptsetup_close dev with _ -> ())
|
||||
+ plaintext_devs;
|
||||
+ g#vg_activate_all false
|
||||
+ );
|
||||
if has_pvs then g#pvchange_uuid_all ();
|
||||
if has_vgs then g#vgchange_uuid_all ();
|
||||
if has_pvs || has_vgs then g#vg_activate_all true
|
||||
@@ -39,6 +78,7 @@ let rec lvm_uuids_perform g root side_effects =
|
||||
|
||||
let op = {
|
||||
defaults with
|
||||
+ order = 99; (* Run it after other block device ops. *)
|
||||
name = "lvm-uuids";
|
||||
enabled_by_default = true;
|
||||
heading = s_"Change LVM2 PV and VG UUIDs";
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,39 +0,0 @@
|
||||
From 0b92347337e9201140ed2daf77a934c731de6630 Mon Sep 17 00:00:00 2001
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Thu, 14 Jul 2022 12:40:05 +0200
|
||||
Subject: [PATCH] sysprep: advise against cloning VMs with internal full disk
|
||||
encryption
|
||||
|
||||
This is relevant for sysprep because we recommend sysprep for facilitating
|
||||
cloning.
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2106286
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20220714104005.8334-3-lersek@redhat.com>
|
||||
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
|
||||
(cherry picked from commit b49ee909f5d1a0d7b5c668335b9098ca8ff85bfd)
|
||||
---
|
||||
sysprep/virt-sysprep.pod | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/sysprep/virt-sysprep.pod b/sysprep/virt-sysprep.pod
|
||||
index deeb5341e..232b9f24b 100644
|
||||
--- a/sysprep/virt-sysprep.pod
|
||||
+++ b/sysprep/virt-sysprep.pod
|
||||
@@ -519,6 +519,13 @@ Either or both options can be used multiple times on the command line.
|
||||
|
||||
=head1 SECURITY
|
||||
|
||||
+Virtual machines that employ full disk encryption I<internally to the
|
||||
+guest> should not be considered for cloning and distribution, as it
|
||||
+provides multiple parties with the same internal volume key, enabling
|
||||
+any one such party to decrypt all the other clones. Refer to the L<LUKS
|
||||
+FAQ|https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/FAQ.md> for
|
||||
+details.
|
||||
+
|
||||
Although virt-sysprep removes some sensitive information from the
|
||||
guest, it does not pretend to remove all of it. You should examine
|
||||
the L</OPERATIONS> above and the guest afterwards.
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,144 +0,0 @@
|
||||
From 3576da023fb42ceaea80b81aebad345de606a332 Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Fri, 15 Jul 2022 08:55:53 +0100
|
||||
Subject: [PATCH] builder, dib: Replace On_exit.rmdir with On_exit.rm_rf
|
||||
|
||||
Update common submodule.
|
||||
|
||||
(cherry picked from commit f5baf83e464c276d3dae6f8e878b8f47fe0d43d9)
|
||||
---
|
||||
builder/builder.ml | 2 +-
|
||||
builder/index_parser_tests.ml | 2 +-
|
||||
builder/repository_main.ml | 2 +-
|
||||
common | 2 +-
|
||||
dib/dib.ml | 2 +-
|
||||
5 files changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/builder/builder.ml b/builder/builder.ml
|
||||
index 2c9c83085..e34aae6c7 100644
|
||||
--- a/builder/builder.ml
|
||||
+++ b/builder/builder.ml
|
||||
@@ -182,7 +182,7 @@ let main () =
|
||||
* create.
|
||||
*)
|
||||
let tmpdir = Mkdtemp.temp_dir "virt-builder." in
|
||||
- On_exit.rmdir tmpdir;
|
||||
+ On_exit.rm_rf tmpdir;
|
||||
|
||||
(* Download the sources. *)
|
||||
let downloader = Downloader.create ~curl:cmdline.curl ~cache ~tmpdir in
|
||||
diff --git a/builder/index_parser_tests.ml b/builder/index_parser_tests.ml
|
||||
index 39983faba..5262a1607 100644
|
||||
--- a/builder/index_parser_tests.ml
|
||||
+++ b/builder/index_parser_tests.ml
|
||||
@@ -28,7 +28,7 @@ open Tools_utils
|
||||
|
||||
let tmpdir =
|
||||
let tmpdir = Mkdtemp.temp_dir "guestfs-tests." in
|
||||
- On_exit.rmdir tmpdir;
|
||||
+ On_exit.rm_rf tmpdir;
|
||||
tmpdir
|
||||
|
||||
let dummy_sigchecker = Sigchecker.create ~gpg:"gpg"
|
||||
diff --git a/builder/repository_main.ml b/builder/repository_main.ml
|
||||
index c5b656310..c24729c4c 100644
|
||||
--- a/builder/repository_main.ml
|
||||
+++ b/builder/repository_main.ml
|
||||
@@ -420,7 +420,7 @@ let main () =
|
||||
(* Create a temporary folder to work in *)
|
||||
let tmpdir = Mkdtemp.temp_dir ~base_dir:cmdline.repo
|
||||
"virt-builder-repository." in
|
||||
- On_exit.rmdir tmpdir;
|
||||
+ On_exit.rm_rf tmpdir;
|
||||
|
||||
let tmprepo = tmpdir // "repo" in
|
||||
mkdir_p tmprepo 0o700;
|
||||
Submodule common af6cb55bc..fd964c1ba:
|
||||
diff --git a/common/mlcustomize/guest_packages.ml b/common/mlcustomize/guest_packages.ml
|
||||
index 4c3c34e..7c29a2a 100644
|
||||
--- a/common/mlcustomize/guest_packages.ml
|
||||
+++ b/common/mlcustomize/guest_packages.ml
|
||||
@@ -73,9 +73,9 @@ let install_command packages package_management =
|
||||
| "zypper" -> sprintf "zypper -n in -l %s" quoted_args
|
||||
|
||||
| "unknown" ->
|
||||
- error_unknown_package_manager (s_"--install")
|
||||
+ error_unknown_package_manager "--install"
|
||||
| pm ->
|
||||
- error_unimplemented_package_manager (s_"--install") pm
|
||||
+ error_unimplemented_package_manager "--install" pm
|
||||
|
||||
let update_command package_management =
|
||||
match package_management with
|
||||
@@ -103,9 +103,9 @@ let update_command package_management =
|
||||
| "zypper" -> "zypper -n update -l"
|
||||
|
||||
| "unknown" ->
|
||||
- error_unknown_package_manager (s_"--update")
|
||||
+ error_unknown_package_manager "--update"
|
||||
| pm ->
|
||||
- error_unimplemented_package_manager (s_"--update") pm
|
||||
+ error_unimplemented_package_manager "--update" pm
|
||||
|
||||
let uninstall_command packages package_management =
|
||||
let quoted_args = String.concat " " (List.map quote packages) in
|
||||
@@ -127,6 +127,6 @@ let uninstall_command packages package_management =
|
||||
| "zypper" -> sprintf "zypper -n rm %s" quoted_args
|
||||
|
||||
| "unknown" ->
|
||||
- error_unknown_package_manager (s_"--uninstall")
|
||||
+ error_unknown_package_manager "--uninstall"
|
||||
| pm ->
|
||||
- error_unimplemented_package_manager (s_"--uninstall") pm
|
||||
+ error_unimplemented_package_manager "--uninstall" pm
|
||||
diff --git a/common/mltools/on_exit.ml b/common/mltools/on_exit.ml
|
||||
index 53ccb68..cae12e7 100644
|
||||
--- a/common/mltools/on_exit.ml
|
||||
+++ b/common/mltools/on_exit.ml
|
||||
@@ -52,7 +52,7 @@ let do_actions () =
|
||||
List.iter (do_action (fun file -> Unix.unlink file)) !files;
|
||||
List.iter (do_action (
|
||||
fun dir ->
|
||||
- let cmd = sprintf "rm -rf %s" (Filename.quote dir) in
|
||||
+ let cmd = sprintf "rm -rf -- %s" (Filename.quote dir) in
|
||||
ignore (Tools_utils.shell_command cmd)
|
||||
)
|
||||
) !rmdirs;
|
||||
@@ -102,7 +102,7 @@ let unlink filename =
|
||||
register ();
|
||||
List.push_front filename files
|
||||
|
||||
-let rmdir dir =
|
||||
+let rm_rf dir =
|
||||
register ();
|
||||
List.push_front dir rmdirs
|
||||
|
||||
diff --git a/common/mltools/on_exit.mli b/common/mltools/on_exit.mli
|
||||
index a02e3db..9bcf104 100644
|
||||
--- a/common/mltools/on_exit.mli
|
||||
+++ b/common/mltools/on_exit.mli
|
||||
@@ -47,7 +47,7 @@ val f : (unit -> unit) -> unit
|
||||
val unlink : string -> unit
|
||||
(** Unlink a single temporary file on exit. *)
|
||||
|
||||
-val rmdir : string -> unit
|
||||
+val rm_rf : string -> unit
|
||||
(** Recursively remove a temporary directory on exit (using [rm -rf]). *)
|
||||
|
||||
val kill : ?signal:int -> int -> unit
|
||||
diff --git a/dib/dib.ml b/dib/dib.ml
|
||||
index f5ce604c8..a4ba36040 100644
|
||||
--- a/dib/dib.ml
|
||||
+++ b/dib/dib.ml
|
||||
@@ -550,7 +550,7 @@ let main () =
|
||||
let image_basename_d = image_basename ^ ".d" in
|
||||
|
||||
let tmpdir = Mkdtemp.temp_dir "dib." in
|
||||
- On_exit.rmdir tmpdir;
|
||||
+ On_exit.rm_rf tmpdir;
|
||||
let auxtmpdir = tmpdir // "in_target.aux" in
|
||||
do_mkdir auxtmpdir;
|
||||
let hookstmpdir = auxtmpdir // "hooks" in
|
||||
--
|
||||
2.31.1
|
||||
|
11
SOURCES/copy-patches.sh
Executable file → Normal file
@ -7,7 +7,7 @@ set -e
|
||||
# ./copy-patches.sh
|
||||
|
||||
project=guestfs-tools
|
||||
rhel_version=9.1
|
||||
rhel_version=9.4
|
||||
|
||||
# Check we're in the right directory.
|
||||
if [ ! -f $project.spec ]; then
|
||||
@ -17,7 +17,7 @@ fi
|
||||
|
||||
case `id -un` in
|
||||
rjones) git_checkout=$HOME/d/$project-rhel-$rhel_version ;;
|
||||
lersek) git_checkout=$HOME/src/guestfs-tools/$project ;;
|
||||
lacos) git_checkout=$HOME/src/v2v/$project ;;
|
||||
*) git_checkout=$HOME/d/$project-rhel-$rhel_version ;;
|
||||
esac
|
||||
if [ ! -d $git_checkout ]; then
|
||||
@ -36,7 +36,12 @@ git rm -f [0-9]*.patch ||:
|
||||
rm -f [0-9]*.patch
|
||||
|
||||
# Get the patches.
|
||||
(cd $git_checkout; rm -f [0-9]*.patch; git format-patch -N --submodule=diff $tag)
|
||||
(
|
||||
cd $git_checkout
|
||||
rm -f [0-9]*.patch
|
||||
git -c core.abbrev=9 format-patch -O/dev/null --subject-prefix=PATCH -N \
|
||||
--submodule=diff --no-signature --patience $tag
|
||||
)
|
||||
mv $git_checkout/[0-9]*.patch .
|
||||
|
||||
# Remove any not to be applied.
|
||||
|
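Review bot: The script loses its executable bit in this change ("Executable file → Normal file") while the unchanged usage comment `# ./copy-patches.sh` at the top of the first hunk still documents a direct invocation, which fails without the mode bit. Either keep the file executable or update the comment to `# sh ./copy-patches.sh` so the documented way to run it matches the mode committed here. As a minor style point, the new subshell in the last hunk could quote its expansions, `cd "$git_checkout"` and `... --patience "$tag"`, so a checkout path or tag containing whitespace does not word-split; `$tag` is assigned outside the hunk, so I cannot tell from here how it is derived.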
@ -1,17 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAmKPVz0RHHJpY2hAYW5u
|
||||
ZXhpYS5vcmcACgkQkXOPc+G3aKBYYxAAm31U2XKvJ164dv92ezjUbQL4D4A+nWh1
|
||||
WGmDmiTFq9IWT8W9U7xw7qT7kzqky+gQBUCGHDQSYiEcdsIlaR7WqdNBfRUHi5lu
|
||||
mrZSMjCfMWaEwTvjtcZrJBmIIP/b/AHfXo/Nxg79MFmSPocfl7RBNpf6HQ7ZnRHW
|
||||
w5P94fJQtOf6Bi9MHc7cwJ/wh7gslOT70puO85igBFbpBUedjINNudl0r7fYUz5I
|
||||
zVxVQuFDYI0+d/UhIBa1ULVTCzlyGn9Rg+9B/B0b2XUZwxXOePusPJ/uK1OUkgue
|
||||
fEtzTzEbl2x90w28+2mbXTyHJWJCKcO36/jII8H8ekF2uREwxgA8qzN6AC4sBwM1
|
||||
o2RiK5LMgqTlPsUP/5lrtAKp9RlXJ76WFnZzt/nSyCTwY+xApbmCQFYWJAaFzAso
|
||||
TAazoyG31AUBhJzBNCoyAsfkb82Lh4++sev8oG8A0qeEvxktFh0tGzfnesFrahfW
|
||||
VwbNbDUFEtTam+8rC667K7/v1FwCfC24BFmq8GZyyE/kmOwRN1jHq9FPYV/0sFLv
|
||||
khkEdR7BWCOGjRS9sP8kN7ApWLHv9gthu9ZtGNA8ms7Gk//WfzMRrhCAWAWyI1kG
|
||||
CG8DuXw63mDpbvY52TBbzD3mKZ30AN8tB4U+j9+PaxwIi0JXqtjJL2ggExCtZMDG
|
||||
W1p4vqAvtB0=
|
||||
=bW2f
|
||||
-----END PGP SIGNATURE-----
|
17
SOURCES/guestfs-tools-1.51.6.tar.gz.sig
Normal file
@ -0,0 +1,17 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAmV0UtkRHHJpY2hAYW5u
|
||||
ZXhpYS5vcmcACgkQkXOPc+G3aKArQQ/8DR2NMjDy8zyXfLSAoSPcChx+wS36RRhj
|
||||
rYGSNzD2aNhMzB+WGZHomiW4ahLqj7OAuXQlmpUMjLVsAfyja8aNW7rsnfTM1l5u
|
||||
p6GS3DFTk34XgVrZO01pEBLWk9blr+xhAFP+qNIwWKv76+xO0QjNa0D5gJvBojZf
|
||||
J3ct9l1ibKqDh4eG9ReSSUh76WOxm97JwP80ZRBKCpcNJe+fceJGHdBhl5UJFw/N
|
||||
lAKY+d7MESk9aKZCNy6BRrls6IeIlsOBB8HbG5mXqMv4IfwarB91zZTG9NJRpmSN
|
||||
MzZ/GIwSCJy9U9hmG3dA/70xFu3HQkshaCisXb4FrzCnlTHZFNCvwdhY2k3qIzZr
|
||||
PuvsA3ETQqYUj66AlOOD/3TqAu36kFEeeateH75cIiOYfkUUmrO7FF76hY2jNs+q
|
||||
puTm14dg/MA0OROQv5ykcuN2ukvfsyEsCFao+76am5MG8CViy1tSnL/ZSBN0itLl
|
||||
jalFbag3GbDCwVt+lpPQbrLDTWNVabAEeN9LlMMcsciIGWDiz99Ntmwe1yxwLLl3
|
||||
kk8f9xFiWXU7C0yrPY4HzPGNjzklsaNlpzVnqgkWpR1gzpLr37HWx0E1Ct6OlJBJ
|
||||
7vllv9L9bZErUwyvlSuGcY/6rHd+KnWSS0IBvEfE/eveQErzwgiuGiBUnvGB6NUT
|
||||
l868E59pb84=
|
||||
=cEbV
|
||||
-----END PGP SIGNATURE-----
|
@ -2,14 +2,7 @@
|
||||
#
|
||||
# As the test suite takes a very long time to run and is somewhat
|
||||
# unreliable on !x86 architectures, only run it on x86-64.
|
||||
%if !0%{?rhel}
|
||||
%global test_arches x86_64
|
||||
%else
|
||||
# RHEL 9 only:
|
||||
# x86-64: "/lib64/libc.so.6: CPU ISA level is lower than required"
|
||||
# (RHBZ#1919389)
|
||||
%global test_arches NONE
|
||||
%endif
|
||||
|
||||
# Verify tarball signature with GPGv2.
|
||||
%global verify_tarball_signature 1
|
||||
@ -18,16 +11,16 @@
|
||||
%global patches_touch_autotools 1
|
||||
|
||||
# The source directory.
|
||||
%global source_directory 1.48-stable
|
||||
%global source_directory 1.51-development
|
||||
|
||||
# Filter perl provides.
|
||||
%{?perl_default_filter}
|
||||
|
||||
Summary: Tools to access and modify virtual machine disk images
|
||||
Name: guestfs-tools
|
||||
Version: 1.48.2
|
||||
Release: 5%{?dist}.alma
|
||||
License: GPLv2+
|
||||
Version: 1.51.6
|
||||
Release: 3%{?dist}.alma.1.kvm
|
||||
License: GPL-2.0-or-later AND LGPL-2.0-or-later
|
||||
|
||||
# Build only for architectures that have a kernel
|
||||
ExclusiveArch: %{kernel_arches}
|
||||
@ -48,22 +41,14 @@ Source2: libguestfs.keyring
|
||||
Source3: copy-patches.sh
|
||||
|
||||
# Patches are maintained in the following repository:
|
||||
# https://github.com/rwmjones/guestfs-tools/commits/rhel-9.1
|
||||
# https://github.com/rwmjones/guestfs-tools/commits/rhel-9.4
|
||||
|
||||
# Patches.
|
||||
Patch0001: 0001-sysprep-remove-lvm2-s-default-system.devices-file.patch
|
||||
Patch0002: 0002-adopt-inversion-of-SELinux-relabeling-in-virt-custom.patch
|
||||
Patch0003: 0003-update-common-submodule.patch
|
||||
Patch0004: 0004-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
|
||||
Patch0005: 0005-customize-rebase-to-the-common-mlcustomize-Guest_pac.patch
|
||||
Patch0006: 0006-update-common-submodule-for-CVE-2022-2211-fix.patch
|
||||
Patch0007: 0007-cat-log-ls-tail-diff-edit-insp.-set-networking-for-k.patch
|
||||
Patch0008: 0008-get-kernel-sparsify-set-networking-for-key-ID-clevis.patch
|
||||
Patch0009: 0009-customize-add-reminder-about-key-ID-clevis.patch
|
||||
Patch0010: 0010-sysprep-set-networking-for-key-ID-clevis.patch
|
||||
Patch0011: 0011-sysprep-make-an-effort-to-cope-with-LUKS-on-LVM.patch
|
||||
Patch0012: 0012-sysprep-advise-against-cloning-VMs-with-internal-ful.patch
|
||||
Patch0013: 0013-builder-dib-Replace-On_exit.rmdir-with-On_exit.rm_rf.patch
|
||||
Patch0001: 0001-Update-common-submodule.patch
|
||||
Patch0002: 0002-builder-Add-a-test-of-the-chown-parameter.patch
|
||||
Patch0003: 0003-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
|
||||
Patch0004: 0004-RHEL-builder-Disable-opensuse-repository.patch
|
||||
Patch0005: 0005-Update-common-submodule.patch
|
||||
|
||||
%if 0%{patches_touch_autotools}
|
||||
BuildRequires: autoconf, automake, libtool, gettext-devel
|
||||
@ -72,7 +57,7 @@ BuildRequires: autoconf, automake, libtool, gettext-devel
|
||||
# Basic build requirements.
|
||||
BuildRequires: gcc, gcc-c++
|
||||
BuildRequires: make
|
||||
BuildRequires: libguestfs-devel >= 1:1.48.3-4
|
||||
BuildRequires: libguestfs-devel >= 1:1.49.8-1
|
||||
BuildRequires: libguestfs-xfs
|
||||
BuildRequires: perl(Pod::Simple)
|
||||
BuildRequires: perl(Pod::Man)
|
||||
@ -84,8 +69,12 @@ BuildRequires: pcre2-devel
|
||||
BuildRequires: libxml2-devel
|
||||
BuildRequires: jansson-devel
|
||||
BuildRequires: libvirt-devel
|
||||
BuildRequires: libosinfo-devel
|
||||
BuildRequires: libxcrypt-devel
|
||||
BuildRequires: ncurses-devel
|
||||
%ifarch x86_64
|
||||
BuildRequires: glibc-static
|
||||
%endif
|
||||
BuildRequires: ocaml-libguestfs-devel
|
||||
BuildRequires: ocaml-findlib-devel
|
||||
BuildRequires: ocaml-gettext-devel
|
||||
@ -105,6 +94,7 @@ BuildRequires: perl(Expect)
|
||||
BuildRequires: bash-completion
|
||||
BuildRequires: /usr/bin/qemu-img
|
||||
BuildRequires: xorriso
|
||||
BuildRequires: hwdata-devel
|
||||
BuildRequires: perl(Locale::TextDomain)
|
||||
BuildRequires: perl(Sys::Guestfs)
|
||||
BuildRequires: perl(Win::Hivex)
|
||||
@ -115,8 +105,10 @@ BuildRequires: perl-generators
|
||||
BuildRequires: gnupg2
|
||||
%endif
|
||||
|
||||
# Version containing guestfs_clevis_luks_unlock
|
||||
Requires: libguestfs%{?_isa} >= 1:1.48.3-4
|
||||
# Ensure a minimum version of libguestfs is installed. This contains
|
||||
# a workaround for openssl bug RHBZ#2133884 and the hang where we
|
||||
# called setenv between fork and exec.
|
||||
Requires: libguestfs >= 1.49.6-1
|
||||
|
||||
# For virt-builder:
|
||||
Requires: curl
|
||||
@ -127,6 +119,9 @@ Requires: xz
|
||||
# For virt-builder-repository:
|
||||
Suggests: osinfo-db
|
||||
|
||||
# For virt-drivers:
|
||||
Recommends: hwdata
|
||||
|
||||
# For virt-inspector, since Fedora and RHEL >= 7 use XFS:
|
||||
Recommends: libguestfs-xfs
|
||||
|
||||
@ -166,6 +161,8 @@ works for Windows virtual machines.
|
||||
|
||||
Virt-diff shows the differences between virtual machines.
|
||||
|
||||
Virt-drivers detects the bootloader, kernel and drivers inside a guest.
|
||||
|
||||
Virt-edit is a command line tool to edit the contents of a file in a
|
||||
virtual machine.
|
||||
|
||||
@ -204,7 +201,7 @@ Virt-tail follows (tails) a log file within a guest, like 'tail -f'.
|
||||
|
||||
%package -n virt-win-reg
|
||||
Summary: Access and modify the Windows Registry of a Windows VM
|
||||
License: GPLv2+
|
||||
License: GPL-2.0-or-later
|
||||
BuildArch: noarch
|
||||
|
||||
# This replaces the libguestfs-tools package.
|
||||
@ -217,24 +214,6 @@ Virt-win-reg lets you look at and modify the Windows Registry of
|
||||
Windows virtual machines.
|
||||
|
||||
|
||||
%if !0%{?rhel}
|
||||
%package -n virt-dib
|
||||
Summary: Safe and secure diskimage-builder replacement
|
||||
License: GPLv2+
|
||||
# This subpackage (only) must have an Epoch of 1 because it
|
||||
# replaces a package in libguestfs which had an Epoch of 1.
|
||||
Epoch: 1
|
||||
|
||||
Requires: libguestfs-dib >= 1:1.45.2-1
|
||||
|
||||
|
||||
%description -n virt-dib
|
||||
Virt-dib is a safe and secure alternative to the OpenStack
|
||||
diskimage-builder command. It is compatible with most
|
||||
diskimage-builder elements.
|
||||
%endif
|
||||
|
||||
|
||||
%package bash-completion
|
||||
Summary: Bash tab-completion scripts for %{name}
|
||||
BuildArch: noarch
|
||||
@ -292,6 +271,13 @@ make V=1 %{?_smp_mflags}
|
||||
|
||||
%check
|
||||
%ifarch %{test_arches}
|
||||
# Only run the tests with non-debug (ie. non-Rawhide) kernels.
|
||||
# XXX This tests for any debug kernel installed.
|
||||
if grep CONFIG_DEBUG_MUTEXES=y /lib/modules/*/config ; then
|
||||
echo "Skipping tests because debug kernel is installed"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Enable debugging.
|
||||
export LIBGUESTFS_DEBUG=1
|
||||
export LIBGUESTFS_TRACE=1
|
||||
@ -331,12 +317,6 @@ find $RPM_BUILD_ROOT -name '*.la' -delete
|
||||
mv $RPM_BUILD_ROOT%{_docdir}/%{name} installed-docs
|
||||
gzip --best installed-docs/*.xml
|
||||
|
||||
%if 0%{?rhel}
|
||||
# Remove virt-dib if it was built.
|
||||
rm -f $RPM_BUILD_ROOT%{_bindir}/virt-dib
|
||||
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/virt-dib.1*
|
||||
%endif
|
||||
|
||||
# Find locale files.
|
||||
%find_lang %{name}
|
||||
|
||||
@ -367,6 +347,7 @@ end
|
||||
%{_bindir}/virt-customize
|
||||
%{_bindir}/virt-df
|
||||
%{_bindir}/virt-diff
|
||||
%{_bindir}/virt-drivers
|
||||
%{_bindir}/virt-edit
|
||||
%{_bindir}/virt-filesystems
|
||||
%{_bindir}/virt-format
|
||||
@ -388,6 +369,7 @@ end
|
||||
%{_mandir}/man1/virt-customize.1*
|
||||
%{_mandir}/man1/virt-df.1*
|
||||
%{_mandir}/man1/virt-diff.1*
|
||||
%{_mandir}/man1/virt-drivers.1*
|
||||
%{_mandir}/man1/virt-edit.1*
|
||||
%{_mandir}/man1/virt-filesystems.1*
|
||||
%{_mandir}/man1/virt-format.1*
|
||||
@ -410,15 +392,6 @@ end
|
||||
%{_mandir}/man1/virt-win-reg.1*
|
||||
|
||||
|
||||
%if !0%{?rhel}
|
||||
%files -n virt-dib
|
||||
%license COPYING
|
||||
%doc README
|
||||
%{_bindir}/virt-dib
|
||||
%{_mandir}/man1/virt-dib.1*
|
||||
%endif
|
||||
|
||||
|
||||
%files bash-completion
|
||||
%license COPYING
|
||||
%dir %{_datadir}/bash-completion/completions
|
||||
@ -434,9 +407,39 @@ end
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Aug 27 2024 Richard W.M. Jones <rjones@redhat.com> - 1.51.6-3
|
||||
- Reboot Windows between each firstboot script to improve reliability
|
||||
resolves: RHEL-55824
|
||||
|
||||
* Fri Jan 19 2024 Richard W.M. Jones <rjones@redhat.com> - 1.51.6-2
|
||||
- Rebase to guestfs-tools 1.51.6
|
||||
- Implement --key all:...
|
||||
resolves: RHEL-19030
|
||||
- Fix crash because of off-by-one error
|
||||
resolves: RHEL-19062
|
||||
- Fix virt-customize --chown invalid format
|
||||
resolves: RHEL-21899
|
||||
|
||||
* Thu Jun 08 2023 Laszlo Ersek <lersek@redhat.com> - 1.50.1-3
|
||||
- let virt-inspector recognize "--key /dev/mapper/VG-LV:key:password"
|
||||
- reenable "make check"; we now use "-cpu max" (libguestfs 30f74f38bd6e)
|
||||
resolves: rhbz#2209280
|
||||
|
||||
* Thu Apr 06 2023 Richard W.M. Jones <rjones@redhat.com> - 1.50.1-1
|
||||
- Rebase to guestfs-tools 1.50.1
|
||||
resolves: rhbz#2168626
|
||||
- Fix virt-drivers inspection of RHEL 9.2 guests
|
||||
resolves: rhbz#2184963
|
||||
|
||||
* Mon Dec 19 2022 Eduard Abdullin <eabdullin@almalinux.org> - 1.48.2-5.alma
|
||||
- Enable for ppc64le
|
||||
|
||||
* Thu Nov 24 2022 Richard W.M. Jones <rjones@redhat.com> - 1.48.2-8
|
||||
- Support Rocky Linux in virt-customize
|
||||
resolves: rhbz#2133443
|
||||
- Disable OpenSUSE repo in virt-builder
|
||||
resolves: rhbz#2145160
|
||||
|
||||
* Fri Jul 15 2022 Richard W.M. Jones <rjones@redhat.com> - 1.48.2-5
|
||||
- Rebase to guestfs-tools 1.48.2
|
||||
resolves: rhbz#2059286
|
||||
|