diff --git a/0018-lib-utils-fix-typo.patch b/0018-lib-utils-fix-typo.patch new file mode 100644 index 0000000..1caecc7 --- /dev/null +++ b/0018-lib-utils-fix-typo.patch @@ -0,0 +1,30 @@ +From 7a370cc7fcf4ba664eef73d4bac03dfc4d7041b3 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Thu, 29 Jun 2023 14:34:41 +0200 +Subject: [PATCH] lib/utils: fix typo + +Fix a small comment typo from commit 4e7f20684373 ("lib: Improve security +of in/out sockets when running virt-v2v as root", 2022-03-23). + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2182024 +Signed-off-by: Laszlo Ersek +Message-Id: <20230629123443.188350-2-lersek@redhat.com> +Reviewed-by: Richard W.M. Jones +(cherry picked from commit dab9629c01915efc3678885e8bb0ccc5da1802a3) +--- + lib/utils.mli | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/utils.mli b/lib/utils.mli +index 5687bf75..cf88a467 100644 +--- a/lib/utils.mli ++++ b/lib/utils.mli +@@ -62,7 +62,7 @@ val backend_is_libvirt : unit -> bool + (** Return true iff the current backend is libvirt. *) + + val chown_for_libvirt_rhbz_1045069 : string -> unit +-(** If running and root, and if the backend is libvirt, libvirt ++(** If running as root, and if the backend is libvirt, libvirt + will run qemu as a non-root user. This prevents access + to root-owned files and directories. To fix this, provide + a function to chown things we might need to qemu:root so diff --git a/0019-lib-utils-make-chown_for_libvirt_rhbz_1045069-fail-h.patch b/0019-lib-utils-make-chown_for_libvirt_rhbz_1045069-fail-h.patch new file mode 100644 index 0000000..11a2229 --- /dev/null +++ b/0019-lib-utils-make-chown_for_libvirt_rhbz_1045069-fail-h.patch 
@@ -0,0 +1,96 @@ +From 522a927257cfa55ac87775165be23779e00076bb Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Thu, 29 Jun 2023 14:34:42 +0200 +Subject: [PATCH] lib/utils: make "chown_for_libvirt_rhbz_1045069" fail hard + +Currently "chown_for_libvirt_rhbz_1045069" is best effort; if it fails, we +suppress the exception (we log it in verbose mode only, even). + +That's not proved helpful: it almost certainly leads to later errors, but +those errors are less clear than the original (suppressed) exception. +Namely, the user sees something like + +> Failed to connect to '/tmp/v2v.sKlulY/in0': Permission denied + +rather than + +> Failed to connect socket to '/var/run/libvirt/virtqemud-sock-ro': +> Connection refused + +So just allow the exception to propagate outwards. + +And then, now that "chown_for_libvirt_rhbz_1045069" will be able to fail, +hoist the call to "On_exit.rm_rf" before the call to +"chown_for_libvirt_rhbz_1045069", after creating the v2v temporary +directory. In the current order, if "chown_for_libvirt_rhbz_1045069" threw +an exception, then we'd leak the temp dir in the filesystem. + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2182024 +Signed-off-by: Laszlo Ersek +Message-Id: <20230629123443.188350-3-lersek@redhat.com> +[lersek@redhat.com: reinstate parens under "then" [Rich]] +Reviewed-by: Richard W.M. 
Jones +(cherry picked from commit 8bcf383510a3d9deaa9b4c069a45c1604c9d5f53) +--- + lib/utils.ml | 23 +++++++++-------------- + lib/utils.mli | 5 +---- + 2 files changed, 10 insertions(+), 18 deletions(-) + +diff --git a/lib/utils.ml b/lib/utils.ml +index 54431307..7b3aa2e2 100644 +--- a/lib/utils.ml ++++ b/lib/utils.ml +@@ -151,19 +151,14 @@ let backend_is_libvirt () = + let rec chown_for_libvirt_rhbz_1045069 file = + let running_as_root = Unix.geteuid () = 0 in + if running_as_root && backend_is_libvirt () then ( +- try +- let user = Option.value ~default:"qemu" (libvirt_qemu_user ()) in +- let uid = +- if String.is_prefix user "+" then +- int_of_string (String.sub user 1 (String.length user - 1)) +- else +- (Unix.getpwnam user).pw_uid in +- debug "setting owner of %s to %d:root" file uid; +- Unix.chown file uid 0 +- with +- | exn -> (* Print exception, but continue. *) +- debug "could not set owner of %s: %s" +- file (Printexc.to_string exn) ++ let user = Option.value ~default:"qemu" (libvirt_qemu_user ()) in ++ let uid = ++ if String.is_prefix user "+" then ++ int_of_string (String.sub user 1 (String.length user - 1)) ++ else ++ (Unix.getpwnam user).pw_uid in ++ debug "setting owner of %s to %d:root" file uid; ++ Unix.chown file uid 0 + ) + + (* Get the local user that libvirt uses to run qemu when we are +@@ -206,8 +201,8 @@ let error_if_no_ssh_agent () = + (* Create the directory containing inX and outX sockets. *) + let create_v2v_directory () = + let d = Mkdtemp.temp_dir "v2v." in +- chown_for_libvirt_rhbz_1045069 d; + On_exit.rm_rf d; ++ chown_for_libvirt_rhbz_1045069 d; + d + + (* Wait for a file to appear until a timeout. *) +diff --git a/lib/utils.mli b/lib/utils.mli +index cf88a467..391a2a35 100644 +--- a/lib/utils.mli ++++ b/lib/utils.mli +@@ -67,10 +67,7 @@ val chown_for_libvirt_rhbz_1045069 : string -> unit + to root-owned files and directories. To fix this, provide + a function to chown things we might need to qemu:root so + qemu can access them. 
Note that root normally ignores +- permissions so can still access the resource. +- +- This is best-effort. If something fails then we carry +- on and hope for the best. *) ++ permissions so can still access the resource. *) + + val error_if_no_ssh_agent : unit -> unit + diff --git a/0020-docs-virt-v2v-document-libvirt-system-instance-start.patch b/0020-docs-virt-v2v-document-libvirt-system-instance-start.patch new file mode 100644 index 0000000..df8eee4 --- /dev/null +++ b/0020-docs-virt-v2v-document-libvirt-system-instance-start.patch 
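Review bot: Letting the exception escape means `Unix.getpwnam user` now fails with a bare `Not_found` when the configured qemu user does not exist, which names neither the user nor the file and is arguably less clear than the message the removed handler logged; the `int_of_string` branch likewise raises a context-free `Failure` on a malformed `+uid` value. Unless a top-level handler outside this hunk decorates these, I would turn at least the `Not_found` case into a descriptive error at the lookup site, as sketched below; the `Unix.Unix_error` from `Unix.chown` is fine to propagate since it already carries the syscall name and the path. The `lib/utils.mli` comment later in the hunk drops the best-effort sentence but does not say the function can now fail; I would add `@raise Unix.Unix_error if the chown fails, @raise Not_found if the qemu user is unknown` so callers know it is no longer a no-throw call.
```ocaml
    let user = Option.value ~default:"qemu" (libvirt_qemu_user ()) in
    let uid =
      if String.is_prefix user "+" then
        int_of_string (String.sub user 1 (String.length user - 1))
      else (
        match Unix.getpwnam user with
        | { Unix.pw_uid; _ } -> pw_uid
        | exception Not_found ->
          failwith (Printf.sprintf "libvirt qemu user %s does not exist" user)
      ) in
    (* … unchanged: debug message and Unix.chown … *)
```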
@@ -0,0 +1,79 @@ +From f2e233b9e073327b1881ef17695380bc02a51f68 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Thu, 29 Jun 2023 14:34:43 +0200 +Subject: [PATCH] docs/virt-v2v: document libvirt system instance startup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +It has frequently tripped us up that on RHEL / Fedora, installing the +right set of libvirt RPMs (such as the one pulled in by +"libvirt-daemon-kvm") does not result in an immediately running libvirt +system instance. Document the need, and the simplest method, for starting +libvirt up manually. + +Thanks: Daniel Berrangé +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2182024 +Signed-off-by: Laszlo Ersek +Message-Id: <20230629123443.188350-4-lersek@redhat.com> +Reviewed-by: Richard W.M. Jones +(cherry picked from commit dcfea1b9b5d0f237f49c9eb870af93527093b40b) +--- + docs/virt-v2v.pod | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/docs/virt-v2v.pod b/docs/virt-v2v.pod +index 0394b421..058eb800 100644 +--- a/docs/virt-v2v.pod ++++ b/docs/virt-v2v.pod +@@ -237,6 +237,8 @@ In this mode you have to specify a libvirt guest name or UUID on the + command line. You may also specify a libvirt connection URI (see + I<-ic>). + ++See L below. ++ + =item B<-i> B + + Set the input method to I. +@@ -440,7 +442,8 @@ Set the output method to I. This is the default. + In this mode, the converted guest is created as a libvirt guest. You + may also specify a libvirt connection URI (see I<-oc>). + +-See L. ++See L below, and ++L. + + =item B<-o> B + +@@ -1335,6 +1338,8 @@ see L. Alternatively, use + I<-oc qemu:///session>, which will write to your per-user libvirt + instance. + ++See also L. ++ + =item Writing to Openstack + + Because of how Cinder volumes are presented as F block devices, +@@ -1476,6 +1481,22 @@ option at all. The option was added when virt-v2v was rewritten in 2014. 
+ It is possible to specify a format string for controlling the output; + see L. + ++=head2 Starting the libvirt system instance ++ ++ Failed to connect socket to '/var/run/libvirt/virtqemud-sock': No such file or directory ++ Failed to connect socket to '/var/run/libvirt/virtqemud-sock-ro': Connection refused ++ ++If you have just installed libvirt and virt-v2v, then you may see the ++errors above. This is caused by libvirt daemons that provide various ++services not running straight after installation. (This may depend on ++your distribution and vendor presets). ++ ++To fix this on systemd-based distributions, do: ++ ++ systemctl isolate multi-user.target ++ ++See also L. ++ + =head1 FILES + + =over 4 diff --git a/virt-v2v.spec b/virt-v2v.spec index 31badc3..0395ff0 100644 --- a/virt-v2v.spec +++ b/virt-v2v.spec @@ -16,7 +16,7 @@ Name: virt-v2v Epoch: 1 Version: 2.3.4 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Convert a virtual machine to run on KVM License: GPLv2+ @@ -53,6 +53,9 @@ Patch0014: 0014-update-common-submodule.patch Patch0015: 0015-LUKS-on-LVM-conversion-test-rename-VGs-and-LVs.patch Patch0016: 0016-LUKS-on-LVM-conversion-test-test-dev-mapper-VG-LV-tr.patch Patch0017: 0017-test-data-phony-guests-fix-prerequisite-list-of-fedo.patch +Patch0018: 0018-lib-utils-fix-typo.patch +Patch0019: 0019-lib-utils-make-chown_for_libvirt_rhbz_1045069-fail-h.patch +Patch0020: 0020-docs-virt-v2v-document-libvirt-system-instance-start.patch %if !0%{?rhel} # libguestfs hasn't been built on i686 for a while since there is no @@ -353,6 +356,10 @@ make -C tests TESTS=test-v2v-fedora-luks-on-lvm-conversion.sh check %changelog +* Fri Jun 30 2023 Laszlo Ersek - 1:2.3.4-4 +- improve UX when running as root and we can't chown v2v tmpdir or socks + resolves: rhbz#2182024 + * Tue Jun 20 2023 Laszlo Ersek - 1:2.3.4-3 - recognize "--key /dev/mapper/VG-LV:key:password" - enable the %%check tests for real