input-xen: cover RHEL9 OpenSSL crypto settings

- Backport upstream ddab06d5eb99 [master] / 9e1c78a4dda8 [rhel-9.1]. - copy-patches.sh: rewrap patch formatting command, spell out "--patience" (already expected), then decrease churn by passing "--no-signature". - Migrate earlier rhbz#2062360 %changelog entries to latest (=new) entry. resolves: rhbz#2062360 Signed-off-by: Laszlo Ersek <lersek@redhat.com>
2022-07-29 15:23:37 +02:00 · 2022-07-29 15:23:37 +02:00 · ef5fbb5721
commit ef5fbb5721
parent b6d936748a
33 changed files with 72 additions and 96 deletions
--- a/0001-RHEL-v2v-Select-correct-qemu-binary-for-o-qemu-mode-.patch
+++ b/0001-RHEL-v2v-Select-correct-qemu-binary-for-o-qemu-mode-.patch
@ -28,6 +28,3 @@ index 3269fba5..7f2e9284 100644
 
     let flag = Qemuopts.flag cmd
     and arg = Qemuopts.arg cmd
-- 
-2.31.1
-
--- a/0002-RHEL-v2v-Disable-the-qemu-boot-oo-qemu-boot-option-R.patch
+++ b/0002-RHEL-v2v-Disable-the-qemu-boot-oo-qemu-boot-option-R.patch
@ -107,6 +107,3 @@ index 9790416e..97b4e4ec 100644
     [ L"root" ],     Getopt.String ("ask|... ", set_root_choice),
       s_"How to choose root filesystem";
     [ L"vddk-config" ], Getopt.String ("filename", set_input_option_compat "vddk-config"),
-- 
-2.31.1
-
--- a/0003-RHEL-Fix-list-of-supported-sound-cards-to-match-RHEL.patch
+++ b/0003-RHEL-Fix-list-of-supported-sound-cards-to-match-RHEL.patch
@ -29,6 +29,3 @@ index 128bb697..7116a4f9 100644
 
 (* Find the UEFI firmware. *)
 let find_uefi_firmware guest_arch =
-- 
-2.31.1
-
--- a/0004-RHEL-Fixes-for-libguestfs-winsupport.patch
+++ b/0004-RHEL-Fixes-for-libguestfs-winsupport.patch
@ -99,6 +99,3 @@ index a4cf191d..1ff41f6a 100755
 diff -u "$expected" "$response"
 
 # We also update the Registry several times, for firstboot, and (ONLY
-- 
-2.31.1
-
--- a/0005-RHEL-v2v-i-disk-force-VNC-as-display-RHBZ-1372671.patch
+++ b/0005-RHEL-v2v-i-disk-force-VNC-as-display-RHBZ-1372671.patch
@ -21,6 +21,3 @@ index 508adf9d..20f2e898 100644
                s_listen = LNoListen; s_port = None };
       s_sound = None;
       s_disks = s_disks;
-- 
-2.31.1
-
--- a/0006-RHEL-v2v-do-not-mention-SUSE-Xen-hosts-RHBZ-1430203.patch
+++ b/0006-RHEL-v2v-do-not-mention-SUSE-Xen-hosts-RHBZ-1430203.patch
@ -21,6 +21,3 @@ index 8080ebea..ad5772de 100644
 
 =head1 INPUT FROM XEN
 
-- 
-2.31.1
-
--- a/0007-RHEL-point-to-KB-for-supported-v2v-hypervisors-guest.patch
+++ b/0007-RHEL-point-to-KB-for-supported-v2v-hypervisors-guest.patch
@ -122,6 +122,3 @@ index 9815f51f..1ffc0f9d 100644
 
 =head2 Guest firmware
 
-- 
-2.31.1
-
--- a/0008-RHEL-Disable-o-glance.patch
+++ b/0008-RHEL-Disable-o-glance.patch
@ -214,6 +214,3 @@ index 97b4e4ec..41e020cb 100644
     | `Openstack -> (module Output_openstack.Openstack)
     | `RHV_Upload -> (module Output_rhv_upload.RHVUpload)
     | `RHV -> (module Output_rhv.RHV)
-- 
-2.31.1
-
--- a/0009-RHEL-Remove-the-in-place-option.patch
+++ b/0009-RHEL-Remove-the-in-place-option.patch
@ -82,6 +82,3 @@ index 41e020cb..e00f9814 100644
     [ L"mac" ],      Getopt.String ("mac:network|bridge|ip:out", add_mac),
       s_"Map NIC to network or bridge or assign static IP";
     [ S 'n'; L"network" ], Getopt.String ("in:out", add_network),
-- 
-2.31.1
-
--- a/0010-output-Remove-o-json-mode.patch
+++ b/0010-output-Remove-o-json-mode.patch
@ -1123,6 +1123,3 @@ index e00f9814..994982ac 100644
 
   let output_options = {
     Output.output_alloc = output_alloc;
-- 
-2.31.1
-
--- a/0011-output-Remove-unused-dummy.c.patch
+++ b/0011-output-Remove-unused-dummy.c.patch
@ -25,6 +25,3 @@ index ebab6198..00000000
@@ -1,2 +0,0 @@
 -/* Dummy source, to be used for OCaml-based tools with no C sources. */
 -enum { foo = 1 };
-- 
-2.31.1
-
--- a/0012-adopt-inversion-of-SELinux-relabeling-in-virt-custom.patch
+++ b/0012-adopt-inversion-of-SELinux-relabeling-in-virt-custom.patch
@ -77,6 +77,3 @@ index 5a974d1b..5c5cae7c 100755
 
 # Don't try to update Windows versions.
 case "$guestname" in
-- 
-2.31.1
-
--- a/0013-output-create_libvirt_xml-wire-up-the-QEMU-guest-age.patch
+++ b/0013-output-create_libvirt_xml-wire-up-the-QEMU-guest-age.patch
@ -103,6 +103,3 @@ index 6b8cda62..da1db473 100644
 +    </channel>
   </devices>
 </domain>
-- 
-2.31.1
-
--- a/0014-convert_linux-extract-qemu-guest-agent-package-name.patch
+++ b/0014-convert_linux-extract-qemu-guest-agent-package-name.patch
@ -80,6 +80,3 @@ index 79462aa1..2ddbc07a 100644
 
   and configure_kernel () =
     (* Previously this function would try to install kernels, but we
-- 
-2.31.1
-
--- a/0015-convert_linux-install-the-QEMU-guest-agent-with-a-fi.patch
+++ b/0015-convert_linux-install-the-QEMU-guest-agent-with-a-fi.patch
@ -117,6 +117,3 @@ index 2ddbc07a..59d143bd 100644
 
   and configure_kernel () =
     (* Previously this function would try to install kernels, but we
-- 
-2.31.1
-
--- a/0016-RHV-outputs-limit-copied-disk-count-to-23.patch
+++ b/0016-RHV-outputs-limit-copied-disk-count-to-23.patch
@ -120,6 +120,3 @@ index a1e8c246..23d1b9cd 100644
     let disks = get_disks dir in
     let output_alloc, output_format,
         output_name, output_storage,
-- 
-2.31.1
-
--- a/0017-convert-document-networking-dependency-of-key-ID-cle.patch
+++ b/0017-convert-document-networking-dependency-of-key-ID-cle.patch
@ -47,6 +47,3 @@ index 5e0e6c2b..b678dc92 100644
   g#set_network true;
   List.iter (
     fun { s_disk_id = i } ->
-- 
-2.31.1
-
--- a/0018-qemu-nbd-Implement-output-compression-for-qcow2-file.patch
+++ b/0018-qemu-nbd-Implement-output-compression-for-qcow2-file.patch
@ -140,6 +140,3 @@ index 8d3d6865..c1f0f53d 100644
                            Types.output_allocation ->
                            string -> string -> int64 -> string ->
                            unit
-- 
-2.31.1
-
--- a/0019-o-disk-o-libvirt-o-qemu-Implement-of-qcow2-oo-compre.patch
+++ b/0019-o-disk-o-libvirt-o-qemu-Implement-of-qcow2-oo-compre.patch
@ -270,6 +270,3 @@ index 527d3c5e..e7efbb73 100644
         output_name, output_storage = options in
 
     let { guestcaps; target_buses; target_firmware } = target_meta in
-- 
-2.31.1
-
--- a/0020-tests-Add-a-simple-test-of-o-local-of-qcow2-oo-compr.patch
+++ b/0020-tests-Add-a-simple-test-of-o-local-of-qcow2-oo-compr.patch
@ -112,6 +112,3 @@ index bdfd3418..6c5f5938 100755
 # Test the disk is qcow2 format.
 if [ "$(guestfish disk-format $d/windows-sda)" != qcow2 ]; then
     echo "$0: test failed: output is not qcow2"
-- 
-2.31.1
-
--- a/0021-RHEL-9-oo-compressed-Remove-nbdcopy-version-check-an.patch
+++ b/0021-RHEL-9-oo-compressed-Remove-nbdcopy-version-check-an.patch
@ -45,6 +45,3 @@ index a26ecf7a..47e5f10d 100644
 	test-v2v-o-null.sh \
 	test-v2v-o-openstack.sh \
 	test-v2v-o-qemu.sh \
-- 
-2.31.1
-
--- a/0022-RHEL-9-tests-Remove-btrfs-test.patch
+++ b/0022-RHEL-9-tests-Remove-btrfs-test.patch
@ -20,6 +20,3 @@ index 47e5f10d..9560cc77 100644
 	test-v2v-fedora-luks-on-lvm-conversion.sh \
 	test-v2v-fedora-lvm-on-luks-conversion.sh \
 	test-v2v-fedora-md-conversion.sh \
-- 
-2.31.1
-
--- a/0023-convert-convert_linux-complete-the-remapping-of-NVMe.patch
+++ b/0023-convert-convert_linux-complete-the-remapping-of-NVMe.patch
@ -78,6 +78,3 @@ index 59d143bd..a66ff1e4 100644
       else if PCRE.matches rex_device value then (
         let device = PCRE.sub 1
         and part = try PCRE.sub 2 with Not_found -> "" in
-- 
-2.31.1
-
--- a/0024-input-xen-sync-ip-limitations-language-from-input-vm.patch
+++ b/0024-input-xen-sync-ip-limitations-language-from-input-vm.patch
@ -47,6 +47,3 @@ index ad5772de..80ad94f7 100644
 With some modern ssh implementations, legacy crypto policies required
 to interoperate with RHEL 5 sshd are disabled.  To enable them you may
 need to run this command on the conversion server (ie. ssh client),
-- 
-2.31.1
-
--- a/0025-input-xen-replace-enable-LEGACY-crypto-advice-with-t.patch
+++ b/0025-input-xen-replace-enable-LEGACY-crypto-advice-with-t.patch
@ -80,6 +80,3 @@ index 80ad94f7..1775fc31 100644
 
 =head2 Test libvirt connection to remote Xen host
 
-- 
-2.31.1
-
--- a/0026-common-Adapt-to-renamed-function-On_exit.rmdir-On_ex.patch
+++ b/0026-common-Adapt-to-renamed-function-On_exit.rmdir-On_ex.patch
@ -170,6 +170,3 @@ index 54ccd1b5..ecf46c2d 100644
   let path = tmpdir // name in
   with_open_out path (fun chan -> output_string chan code);
   { tmpdir; path }
-- 
-2.31.1
-
--- a/0027-o-rhv-Unmount-the-temporary-NFS-mountpoint-as-late-a.patch
+++ b/0027-o-rhv-Unmount-the-temporary-NFS-mountpoint-as-late-a.patch
@ -138,10 +138,10 @@ index 9bcf104f..66a85542 100644
     Similar to [Stdlib.at_exit] but also runs if the program is
 -    killed with a signal that we can catch. *)
 +    killed with a signal that we can catch.
+
+    [?prio] is the priority, default 5000.  See the description above. *)
 
 -val unlink : string -> unit
-+    [?prio] is the priority, default 5000.  See the description above. *)
-+
 +val unlink : ?prio:int -> string -> unit
 (** Unlink a single temporary file on exit. *)
 
@ -169,6 +169,3 @@ index 8571e07b..15a2c14a 100644
          fun () ->
            let cmd = [ "umount"; mp ] in
            ignore (run_command cmd);
-- 
-2.31.1
-
--- a/0028-output-Permit-output-modes-to-wait-on-the-local-NBD-.patch
+++ b/0028-output-Permit-output-modes-to-wait-on-the-local-NBD-.patch
@ -177,6 +177,3 @@ index c1f0f53d..c4486311 100644
 
 val disk_path : string -> string -> int -> string
 (** For [-o disk|qemu], return the output disk name of the i'th disk,
-- 
-2.31.1
-
--- a/0029-o-rhv-Wait-for-the-NBD-server-to-exit-to-avoid-a-rac.patch
+++ b/0029-o-rhv-Wait-for-the-NBD-server-to-exit-to-avoid-a-rac.patch
@ -31,6 +31,3 @@ index 15a2c14a..45f831e3 100644
           output_alloc output_format filename size socket
     ) (List.combine disks filenames);
 
-- 
-2.31.1
-
--- a/0030-output-create_libvirt_xml-relax-VCPU-feature-checkin.patch
+++ b/0030-output-create_libvirt_xml-relax-VCPU-feature-checkin.patch
@ -64,6 +64,3 @@ index 531a4f75..bd01304d 100644
          (match source.s_cpu_vendor with
           | None -> ()
           | Some vendor ->
-- 
-2.31.1
-
--- a/0031-input-xen-cover-RHEL9-OpenSSL-crypto-settings.patch
+++ b/0031-input-xen-cover-RHEL9-OpenSSL-crypto-settings.patch
@ -0,0 +1,59 @@
+From 9e1c78a4dda8e8f504fd8f01d7ff5a02e6d3b8ff Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 29 Jul 2022 12:57:03 +0200
+Subject: [PATCH] input-xen: cover RHEL9 OpenSSL crypto settings
+
+In [master] commit af4a0454cdd2 ("input-xen: replace "enable LEGACY
+crypto" advice with targeted ssh options", 2022-07-11), we documented how
+the libssh / openssh crypto settings needed to be relaxed, for connecting
+to RHEL5 sshd. [rhel-9.1 commit: 3f7f730ac9cb.]
+
+It turns out that in RHEL9, the non-LEGACY crypto policies disable SHA1 in
+signature algorithms even at the OpenSSL level. Explain how the user can
+re-enable that separately, for individual virt-v2v invocations.
+
+The method depends on Rich's libvirt commit 45912ac399ab ("rpc: Pass
+OPENSSL_CONF through to ssh invocations", 2022-07-25), which is is going
+to be released in upstream libvirt v8.6.0.
+
+Thanks: Dmitry Belyavskiy & Rich Jones
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062360
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Message-Id: <20220729105703.10150-1-lersek@redhat.com>
+Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
+(cherry picked from commit ddab06d5eb99696f5fd1073b8ec91efbc8c3e4ab)
+---
+ docs/virt-v2v-input-xen.pod | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/docs/virt-v2v-input-xen.pod b/docs/virt-v2v-input-xen.pod
+index 1775fc31..9c3981e1 100644
+--- a/docs/virt-v2v-input-xen.pod
+++ b/docs/virt-v2v-input-xen.pod
+@@ -54,6 +54,26 @@ new one. Virt-v2v uses both C<libssh> and C<ssh> when converting a guest
+ from Xen, and on some operating systems, C<libssh> and C<ssh> may not
+ both accept the same option variant.)
+ 
+When connecting to RHEL 5 sshd from RHEL 9, the SHA1 algorithm's use in
+signatures has to be re-enabled at the OpenSSL level, in addition to the
+above SSH configuration.  Create a file called F<$HOME/openssl-sha1.cnf>
+with the following contents:
+
+ .include /etc/ssl/openssl.cnf
+ [openssl_init]
+ alg_section = evp_properties
+ [evp_properties]
+ rh-allow-sha1-signatures = yes
+
+and export the following variable into the environment of the
+C<virt-v2v> process:
+
+ OPENSSL_CONF=$HOME/openssl-sha1.cnf
+
+Note that the C<OPENSSL_CONF> environment variable will only take effect
+if the libvirt client library used by virt-v2v is at least version
+8.6.0.
+
+ =head2 Test libvirt connection to remote Xen host
+ 
+ Use the L<virsh(1)> command to list the guests on the remote Xen host:
--- a/copy-patches.sh
+++ b/copy-patches.sh
@ -36,7 +36,12 @@ git rm -f [0-9]*.patch ||:
 rm -f [0-9]*.patch

 # Get the patches.
-(cd $git_checkout; rm -f [0-9]*.patch; git -c core.abbrev=8 format-patch -O/dev/null --subject-prefix=PATCH -N --submodule=diff $tag)
+(
+  cd $git_checkout
+  rm -f [0-9]*.patch
+  git -c core.abbrev=8 format-patch -O/dev/null --subject-prefix=PATCH -N \
+      --submodule=diff --no-signature --patience $tag
+)
 mv $git_checkout/[0-9]*.patch .

 # Remove any not to be applied.
--- a/virt-v2v.spec
+++ b/virt-v2v.spec
@ -16,7 +16,7 @@
 Name:          virt-v2v
 Epoch:         1
 Version:       2.0.7
-Release:       3%{?dist}
+Release:       4%{?dist}
 Summary:       Convert a virtual machine to run on KVM

 License:       GPLv2+
@ -63,6 +63,7 @@ Patch0027:     0027-o-rhv-Unmount-the-temporary-NFS-mountpoint-as-late-a.patch
 Patch0028:     0028-output-Permit-output-modes-to-wait-on-the-local-NBD-.patch
 Patch0029:     0029-o-rhv-Wait-for-the-NBD-server-to-exit-to-avoid-a-rac.patch
 Patch0030:     0030-output-create_libvirt_xml-relax-VCPU-feature-checkin.patch
+Patch0031:     0031-input-xen-cover-RHEL9-OpenSSL-crypto-settings.patch

 %if !0%{?rhel}
 # libguestfs hasn't been built on i686 for a while since there is no
@ -341,6 +342,9 @@ rm $RPM_BUILD_ROOT%{_mandir}/man1/virt-v2v-in-place.1*


 %changelog
+* Fri Jul 29 2022 Laszlo Ersek <lersek@redhat.com> - 1:2.0.7-4
+- Remove legacy crypto advice and replace with targeted mechanism
+  resolves: rhbz#2062360
 * Mon Jul 25 2022 Laszlo Ersek <lersek@redhat.com> - 1:2.0.7-3
 - relax qemu64 VCPU feature checking in the libvirt output
  resolves rhbz#2107503
@ -398,8 +402,6 @@ rm $RPM_BUILD_ROOT%{_mandir}/man1/virt-v2v-in-place.1*
  resolves: rhbz#2101665
 - Improve documentation of vmx+ssh and -ip option
  resolves: rhbz#1854275
- Remove legacy crypto advice and replace with targeted mechanism
-  resolves: rhbz#2062360
 - Fix race condition when unmounting in -o rhv mode (1953286#c26)

 * Tue Feb 15 2022 Richard W.M. Jones <rjones@redhat.com> - 1:1.45.99-1