[PATCH] Make appliance-building work on systems with default library search paths differing from the appliance's
by Nix
Systems such as Debian (and thus Ubuntu) operate with 64-bit programs in
/lib, with /lib64 a symlink to it: as a result, they apply a patch to
their glibc adjusting the default search path of the 64-bit dynamic
loader (only used if the library is not found in ld.so.cache) to look in
/lib, and instruct the 32-bit one to look in /lib32. Because fakechroot
is implemented via LD_PRELOAD, it ends up running the native dynamic
loader, and of course the appliance doesn't have an ld.so.cache early in
building. The effect of this is that, while building the appliance, you
are suddenly hit with an error like this:
,----
| Complete!
| ++ basename initramfs/lib/modules/2.6.33.3-85.fc13.x86_64
| + kversion=2.6.33.3-85.fc13.x86_64
| + febootstrap-run initramfs -- /sbin/depmod -a 2.6.33.3-85.fc13.x86_64
| + febootstrap-run initramfs -- mkdir -p --mode=0777 /sysroot
| mkdir: error while loading shared libraries: libselinux.so.1: wrong ELF class: ELFCLASS32
`----
The 64-bit ld.so hunted in the initramfs's lib/ for 64-bit libraries to
link to... but in the appliance's lib/, 64-bit libraries are found in
lib64!
To work around this for good, explicitly set LD_LIBRARY_PATH
appropriately for the bitness of the current environment (and,
technically, for the distro of the appliance we're building, but that
just means a change to debirf is needed as well: this fix only handles
Fedora-appliance-on-Debian/Ubuntu-system, not vice versa).
(Note: it is quite possible that this is better implemented inside
febootstrap: but it works here.)
---
appliance/make.sh.in | 63 +++++++++++++++++++++++++++++++++++--------------
1 files changed, 45 insertions(+), 18 deletions(-)
diff --git a/appliance/make.sh.in b/appliance/make.sh.in
index efd1f46..d492ba5 100755
--- a/appliance/make.sh.in
+++ b/appliance/make.sh.in
@@ -24,6 +24,33 @@ set -e
set -x
if [ "@DIST@" = "REDHAT" ]; then
+
+ if [[ $(uname -m) =~ .*64 ]]; then
+ BOOT_LD_LIBRARY_PATH="$(pwd)/../initramfs/lib64:$LD_LIBRARY_PATH"
+ else
+ BOOT_LD_LIBRARY_PATH="$(pwd)/../initramfs/lib:$LD_LIBRARY_PATH"
+ fi
+
+ bootstrap_run()
+ {
+ LD_LIBRARY_PATH=$BOOT_LD_LIBRARY_PATH @FEBOOTSTRAP_RUN@ "$@"
+ }
+
+ xargs0_bootstrap_run()
+ {
+ LD_LIBRARY_PATH=$BOOT_LD_LIBRARY_PATH xargs -0 @FEBOOTSTRAP_RUN@ "$@"
+ }
+
+ xargs_bootstrap_run()
+ {
+ LD_LIBRARY_PATH=$BOOT_LD_LIBRARY_PATH xargs @FEBOOTSTRAP_RUN@ "$@"
+ }
+
+ bootstrap_minimize()
+ {
+ LD_LIBRARY_PATH=$BOOT_LD_LIBRARY_PATH @FEBOOTSTRAP_MINIMIZE@ "$@"
+ }
+
cd @top_builddir@
# Decide on names for the final output. These have to match Makefile.am.
output=appliance/initramfs.@REPO@.@host_cpu@.img
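Review bot: When LD_LIBRARY_PATH is unset or empty, the assignments on the added lines 2 and 4 of this hunk produce a value ending in `:`, and the glibc loader treats an empty path element as the current directory, so every bootstrap_run/bootstrap_minimize call would also search the build's working directory for libraries. Append the inherited value only when it is non-empty: `BOOT_LD_LIBRARY_PATH="$(pwd)/../initramfs/lib64${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"`, and the same form for the `lib` branch. The path is also derived from `$(pwd)` before the `cd @top_builddir@` that follows, so it presumably relies on the script being started from a direct subdirectory of the build tree; a comment stating that, or computing the path after the cd, would make the dependency explicit. The `[[ … =~ .*64 ]]` test requires bash, which is fine only if the script's interpreter line (outside this hunk) is bash rather than sh.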
@@ -44,45 +71,45 @@ if [ "@DIST@" = "REDHAT" ]; then
# Create modules.dep. This is only used in the normal appliance
# (not supermin).
kversion=$(basename initramfs/lib/modules/*)
- @FEBOOTSTRAP_RUN@ initramfs -- /sbin/depmod -a $kversion
+ bootstrap_run initramfs -- /sbin/depmod -a $kversion
# /sysroot is where the guest root filesystem will be mounted.
- @FEBOOTSTRAP_RUN@ initramfs -- mkdir -p --mode=0777 /sysroot
+ bootstrap_run initramfs -- mkdir -p --mode=0777 /sysroot
# Create /tmp if it is missing.
- @FEBOOTSTRAP_RUN@ initramfs -- mkdir -p --mode=0777 /tmp
+ bootstrap_run initramfs -- mkdir -p --mode=0777 /tmp
# Create /selinux if it is missing.
- @FEBOOTSTRAP_RUN@ initramfs -- mkdir -p --mode=0755 /selinux
+ bootstrap_run initramfs -- mkdir -p --mode=0755 /selinux
# Nuke some stuff. The kernel pulls mkinitrd and plymouth which pulls in
# all of Python. Sheez.
(cd initramfs && find -name '*python*' -print0) |
- xargs -0 @FEBOOTSTRAP_RUN@ initramfs -- rm -rf
+ xargs0_bootstrap_run initramfs -- rm -rf
(cd initramfs && find -name '*plymouth*' -print0) |
- xargs -0 @FEBOOTSTRAP_RUN@ initramfs -- rm -rf
+ xargs0_bootstrap_run initramfs -- rm -rf
(cd initramfs && find -name 'libply-*' -print0) |
- xargs -0 @FEBOOTSTRAP_RUN@ initramfs -- rm -rf
+ xargs0_bootstrap_run initramfs -- rm -rf
# In Fedora >= 11, it pulls in all of Perl from somewhere. Nuke from orbit.
- @FEBOOTSTRAP_RUN@ initramfs -- rm -rf /usr/lib/perl5 /usr/lib64/perl5
+ bootstrap_run initramfs -- rm -rf /usr/lib/perl5 /usr/lib64/perl5
# Anaconda? JPEG images?
- @FEBOOTSTRAP_RUN@ initramfs -- rm -rf /usr/lib/anaconda-runtime
+ bootstrap_run initramfs -- rm -rf /usr/lib/anaconda-runtime
# Don't need any firmware.
- @FEBOOTSTRAP_RUN@ initramfs -- rm -rf /lib/firmware
+ bootstrap_run initramfs -- rm -rf /lib/firmware
# Don't need any keyboard maps.
- @FEBOOTSTRAP_RUN@ initramfs -- rm -rf /lib/kbd
+ bootstrap_run initramfs -- rm -rf /lib/kbd
# Remove anything in home directory. Because of the potential for disaster
# we don't put a slash before 'home'.
(cd initramfs && echo home/*) |
- xargs @FEBOOTSTRAP_RUN@ initramfs -- rm -rf
+ xargs_bootstrap_run initramfs -- rm -rf
# Remove /var/lib/yum stuff.
- @FEBOOTSTRAP_RUN@ initramfs -- rm -rf /var/lib/yum
+ bootstrap_run initramfs -- rm -rf /var/lib/yum
# Remove some unreadable binaries which are incompatible with
# the supermin appliance. Since these binaries can't be read
@@ -90,7 +117,7 @@ if [ "@DIST@" = "REDHAT" ]; then
# appliance at run time. XXX Need a better fix for this.
# Probably we should change febootstrap-supermin-helper to just
# ignore such files.
- @FEBOOTSTRAP_RUN@ initramfs -- rm -f \
+ bootstrap_run initramfs -- rm -f \
/usr/bin/chfn \
/usr/bin/chsh \
/usr/libexec/pt_chown \
@@ -139,15 +166,15 @@ if [ "@DIST@" = "REDHAT" ]; then
(cd initramfs && \
find lib/modules/*/kernel -name '*.ko' $whitelist -a -print0 ) |
- xargs -0 febootstrap-run initramfs -- rm
+ xargs0_bootstrap_run initramfs -- rm
# Pull the kernel out into the current directory. We don't want it in
# the initramfs image.
cp initramfs/boot/vmlinuz* $koutput
- @FEBOOTSTRAP_RUN@ initramfs -- rm -rf boot
+ bootstrap_run initramfs -- rm -rf boot
# Minimize the image.
- @FEBOOTSTRAP_MINIMIZE@ initramfs
+ bootstrap_minimize initramfs
# Add some missing configuration files.
if [ ! -f initramfs/etc/hosts ]; then
@@ -160,7 +187,7 @@ __EOF__
fi
if [ ! -f initramfs/etc/fstab ]; then
- @FEBOOTSTRAP_RUN@ initramfs -- touch /etc/fstab
+ bootstrap_run initramfs -- touch /etc/fstab
fi
echo nameserver 169.254.2.3 > resolv.conf.new
--
1.7.3.125.g963bc.dirty
installing appears broken by 199f218bf431b77c12a728f7072bed1553a0f0af
by Nix
The intent of commit 199f218bf431b77c12a728f7072bed1553a0f0af seems
praiseworthy, but since 'all-am' is automatically added by Automake as a
prerequisite of the 'install' target, its effect is to stop people
running 'make install' as root:
make install-am
make[2]: Entering directory `/usr/src/libguestfs/x86_64-spindle/src'
make -C ../generator stamp-generator
make[3]: Entering directory `/usr/src/libguestfs/x86_64-spindle/generator'
make[3]: `stamp-generator' is up to date.
make[3]: Leaving directory `/usr/src/libguestfs/x86_64-spindle/generator'
*** Error: Don't run 'make' or 'make check' as root.
make[2]: *** [checkroot] Error 1
make[2]: Leaving directory `/usr/src/libguestfs/x86_64-spindle/src'
make[1]: *** [install] Error 2
make[1]: Leaving directory `/usr/src/libguestfs/x86_64-spindle/src'
make: *** [install-recursive] Error 1
This seems... counterintuitive. Was that really the intent of this
change?
(And how did nobody notice it? I'm using Automake 1.11.1, but Automake
has done this for a long, long time.)
[PATCH 0/8 v2] Complete fix for CVE-2010-3851.
by Richard W.M. Jones
1/8 generator: Rearrange argt logically (RHBZ#642934,CVE-2010-3851).
2/8 generator: Optional arguments, add-drive-opts (RHBZ#642934,CVE-2010-3851).
These two previously posted.
3/8 fish: Specify format of disks (RHBZ#642934,CVE-2010-3851).
Updates to guestfish to add the --format option and to make -d copy
the format from libvirt.
4/8 fuse: Specify format of disks (RHBZ#642934,CVE-2010-3851).
Nearly the same for guestmount.
5/8 tools: Specify format of disks (RHBZ#642934,CVE-2010-3851).
Update Sys::Guestfs::Lib and the tools, except for the tools below.
For each tool, add --format or copy the format from libvirt.
6/8 df: Specify format of disks (RHBZ#642934,CVE-2010-3851).
Update virt-df, add --format or copy the format from libvirt.
7/8 virt-make-fs: Specify format of disk (RHBZ#642934,CVE-2010-3851).
Update virt-make-fs to set the format correctly.
8/8 resize: Specify format of input, output disk (RHBZ#642934,CVE-2010-3851).
Update virt-resize, add --format, --output-format.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
programs, test, and build Windows installers. Over 70 libraries supprt'd
http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw
[PATCH 0/2] First part of fix for CVE-2010-3851
by Richard W.M. Jones
These two patches implement the first (and hardest) part of the fix
for CVE-2010-3851.
This adds a way to specify the format when adding a drive, avoiding
qemu's auto-detection.
In order to avoid an explosion of different add_drive_* functions (we
have 4 already), we have implemented a way to specify optional
arguments to functions, so all we need is a single new
'add_drive_opts' call.
The upshot is that (for example) Perl programs can be modified from
this:
$g->add_drive ($file); # unsafe if $file is not trusted
to this:
$g->add_drive_opts ($file, format => "raw"); # safe
The optional argument syntax for guestfish and all the various
languages we support is summarised at the top of the second patch.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://et.redhat.com/~rjones/libguestfs/
See what it can do: http://et.redhat.com/~rjones/libguestfs/recipes.html
CVE-2010-3851 libguestfs: missing disk format specifier when adding a disk
by Richard W.M. Jones
(This bug was found by Matthew Booth during routine code review)
We found a security issue which affects libguestfs programs in some
circumstances. Since we don't pass the disk format through to qemu, a
malicious guest backed by raw-format storage might craft a qcow2
header into its own disk. QEmu would interpret this, and qcow2 offers
a wide range of features such as accessing arbitrary backing files
from the host, allowing the guest to read a host file (under rather
narrow conditions, see below).
All versions of virt-v2v are vulnerable. virt-inspector is vulnerable
for versions <= 1.5.3. Other programs that use libguestfs may be
vulnerable.
You should review the bug below carefully to find out if you could be
affected, particularly the Description and Comment 1:
https://bugzilla.redhat.com/show_bug.cgi?id=643958
A CVE has been allocated to this bug:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=+CVE-2010-3851
No fix is available at present, but we are working on one. In the
meantime, avoid using libguestfs / tools on:
- untrusted, malicious guests that use raw-format storage
- where you are running commands from these guests
(http://libguestfs.org/guestfs.3.html#running_commands)
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming blog: http://rwmj.wordpress.com
Fedora now supports 80 OCaml packages (the OPEN alternative to F#)
http://cocan.org/getting_started_with_ocaml_on_red_hat_and_fedora
[PATCH] Fix Windows conversion when ControlSet001 isn't the CurrentControlSet
by Matthew Booth
If a Windows boot fails and the user boots the last known good configuration,
ControlSet001 will be marked as failed and no longer used. However, virt-v2v
would only install viostor to ControlSet001, meaning it will fail to boot this
guest after conversion.
This patch looks up the current controlset and always installs registry keys to
the correct one.
Fixes RHBZ#644254
---
lib/Sys/VirtV2V/Converter/Windows.pm | 27 ++++++++++++++++-----------
1 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/lib/Sys/VirtV2V/Converter/Windows.pm b/lib/Sys/VirtV2V/Converter/Windows.pm
index bec1d60..29f5cd7 100644
--- a/lib/Sys/VirtV2V/Converter/Windows.pm
+++ b/lib/Sys/VirtV2V/Converter/Windows.pm
@@ -217,24 +217,29 @@ sub _add_viostor_to_registry
my $h = Win::Hivex->open ($tmpdir . "/system", write => 1)
or die "open system hive: $!";
+ # Get the 'Current' ControlSet. This is normally 001, but not always.
+ my $select = $h->node_get_child($h->root(), 'Select');
+ my $current_cs = $h->node_get_value($select, 'Current');
+ $current_cs = sprintf("ControlSet%03i", $h->value_dword($current_cs));
+
# Make the changes.
- my $regedits = '
+ my $regedits = <<REGEDITS;
; Edits to be made to a Windows guest to have
; it boot from viostor.
-[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\pci#ven_1af4&dev_1001&subsys_00000000]
+[HKEY_LOCAL_MACHINE\\SYSTEM\\$current_cs\\Control\\CriticalDeviceDatabase\\pci#ven_1af4&dev_1001&subsys_00000000]
"Service"="viostor"
"ClassGUID"="{4D36E97B-E325-11CE-BFC1-08002BE10318}"
-[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\pci#ven_1af4&dev_1001&subsys_00020000]
+[HKEY_LOCAL_MACHINE\\SYSTEM\\$current_cs\\Control\\CriticalDeviceDatabase\\pci#ven_1af4&dev_1001&subsys_00020000]
"Service"="viostor"
"ClassGUID"="{4D36E97B-E325-11CE-BFC1-08002BE10318}"
-[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\pci#ven_1af4&dev_1001&subsys_00021af4]
+[HKEY_LOCAL_MACHINE\\SYSTEM\\$current_cs\\Control\\CriticalDeviceDatabase\\pci#ven_1af4&dev_1001&subsys_00021af4]
"Service"="viostor"
"ClassGUID"="{4D36E97B-E325-11CE-BFC1-08002BE10318}"
-[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\viostor]
+[HKEY_LOCAL_MACHINE\\SYSTEM\\$current_cs\\Services\\viostor]
"Type"=dword:00000001
"Start"=dword:00000000
"Group"="SCSI miniport"
@@ -242,27 +247,27 @@ sub _add_viostor_to_registry
"ImagePath"="system32\\\\drivers\\\\viostor.sys"
"Tag"=dword:00000021
-[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\viostor\Parameters]
+[HKEY_LOCAL_MACHINE\\SYSTEM\\$current_cs\\Services\\viostor\\Parameters]
"BusType"=dword:00000001
-[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\viostor\Parameters\MaxTransferSize]
+[HKEY_LOCAL_MACHINE\\SYSTEM\\$current_cs\\Services\\viostor\\Parameters\\MaxTransferSize]
"ParamDesc"="Maximum Transfer Size"
"type"="enum"
"default"="0"
-[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\viostor\Parameters\MaxTransferSize\enum]
+[HKEY_LOCAL_MACHINE\\SYSTEM\\$current_cs\\Services\\viostor\\Parameters\\MaxTransferSize\\enum]
"0"="64 KB"
"1"="128 KB"
"2"="256 KB"
-[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\viostor\Parameters\PnpInterface]
+[HKEY_LOCAL_MACHINE\\SYSTEM\\$current_cs\\Services\\viostor\\Parameters\\PnpInterface]
"5"=dword:00000001
-[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\viostor\Enum]
+[HKEY_LOCAL_MACHINE\\SYSTEM\\$current_cs\\Services\\viostor\\Enum]
"0"="PCI\\\\VEN_1AF4&DEV_1001&SUBSYS_00021AF4&REV_00\\\\3&13c0b0c5&0&20"
"Count"=dword:00000001
"NextInstance"=dword:00000001
-';
+REGEDITS
my $io;
if ($desc->{major_version} == 5 || $desc->{major_version} == 6) {
--
1.7.2.3