SELinux relabel API
by Richard W.M. Jones
[
I realized that we were discussing adding this feature, in various
private email, IRC, and this long bugzilla thread:
https://bugzilla.redhat.com/show_bug.cgi?id=1060423
That's not how we should do things. Let's discuss it on the
mailing list.
]
One thing that virt-customize/virt-sysprep/virt-builder have to do is
relabel SELinux guests.
What we do at the moment is run:
if load_policy && fixfiles restore; then
rm -f /.autorelabel
else
touch /.autorelabel
echo '%s: SELinux relabelling failed, will relabel at boot instead.'
fi
while chrooted into the guest (using the 'guestfs_sh' API).
This has a number of problems:
- It has to load the policy using 'load_policy', but this doesn't
work sometimes:
* RHEL 5 load_policy takes a parameter.
* Doesn't work if appliance kernel is significantly different from
guest kernel version, because the binary policy format changes
irregularly and is not backwards compatible.
* Requires the appliance [host] kernel to be compiled with
LSM/SELinux support.
- Touching /.autorelabel is often broken, e.g. it's broken in Fedora 20
because of systemd (RHBZ#1049656).
- /etc/resolv.conf will not be relabelled if guestfs network is on,
because of resolv.conf shenanigans in libguestfs.git/daemon/command.c
- It requires running guest code, which we'd like to avoid.
What would be nice would be to have an API to just do this
relabelling. Libguestfs could change this API as required to handle
different guests.
Dan Walsh helpfully pointed out to us that we've been doing it wrong
all along :-) A much better way to relabel is to run:
setfiles /etc/selinux/targeted/contexts/files/file_contexts DIR
where 'file_contexts' is a file which contains the default labels for
files (a set of regexps), and 'DIR' is the directory at which
relabelling starts. Note that 'setfiles' would be the libguestfs
appliance binary, so no guest binary needs to be run.
A simple API could just look like this:
guestfs_selinux_relabel (g);
which would always use the 'targeted' policy from the guest, and
always start relabelling at the root. This would work fine for
virt-builder.
For Colin's requirements for Project Atomic, I suspect he will want to
be able to set the file_contexts file and the root directory, but I'll
leave him to describe what would be useful.
A couple of notes:
- I'd like to avoid baking in assumptions from the 'setfiles' command
as far as possible. libguestfs APIs last for many years and some
have caused us many years of regret (but that's our job) :-/
- Is it a good idea to tie this into inspection in some way -- for
example, inspection could provide us with the path to the current or
default SELinux policy.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
9 years, 1 month
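To make the setfiles-based approach in the post above concrete, here is an added example that is not code from the thread or from libguestfs: a minimal matcher for the file_contexts format that setfiles reads, used to compute the default label each guest path would receive during a relabel and which inodes would actually change. The sample file_contexts text is constructed for the example (it is not a real policy), and two documented rules of the format are implemented: regexes are anchored to the whole path, and when several entries match the last one in the file wins. The file-type flags follow setfiles(8); everything else (function names, the sample guest walk) is the example's own.

```python
"""Added example, not code from the libguestfs thread or project: a minimal
matcher for the SELinux file_contexts format consumed by setfiles, used to
compute the default label of guest paths and plan a relabel.

Assumptions: the sample file_contexts below is constructed (not a real
policy); regexes are anchored to the whole path; the last matching entry
in the file wins.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample in the layout of a targeted-policy file_contexts file.
# Fields: anchored regex, optional file-type flag, security context or <<none>>.
SAMPLE_FILE_CONTEXTS = r"""
# comments and blank lines are ignored
/.*                    system_u:object_r:default_t:s0
/etc(/.*)?             system_u:object_r:etc_t:s0
/etc/resolv\.conf  --  system_u:object_r:net_conf_t:s0
/var/spool(/.*)?       system_u:object_r:var_spool_t:s0
/tmp               -d  system_u:object_r:tmp_t:s0
/proc(/.*)?            <<none>>
"""

# File-type flags as setfiles(8) documents them.
FILE_TYPE_FLAGS = {
    "--": "file", "-d": "dir", "-l": "symlink", "-b": "block",
    "-c": "char", "-p": "fifo", "-s": "socket",
}


class ContextSpec(NamedTuple):
    regex: "re.Pattern[str]"
    ftype: Optional[str]      # None: entry applies to every file type
    context: Optional[str]    # None: <<none>>, i.e. leave the file unlabelled


def parse_file_contexts(text: str) -> List[ContextSpec]:
    """Parse file_contexts text into specs, preserving file order."""
    specs: List[ContextSpec] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in FILE_TYPE_FLAGS:
            regex, ftype, context = fields[0], FILE_TYPE_FLAGS[fields[1]], fields[2]
        else:
            raise ValueError(f"file_contexts line {lineno}: malformed entry {raw!r}")
        specs.append(ContextSpec(
            re.compile("^" + regex + "$"),      # anchor to the whole path
            ftype,
            None if context == "<<none>>" else context,
        ))
    return specs


def default_context(specs: List[ContextSpec], path: str,
                    ftype: str = "file") -> Optional[str]:
    """Label the policy assigns to `path` of type `ftype`, or None when the
    path is unmatched or hits a <<none>> entry. Last matching entry wins,
    so the list is scanned from the end."""
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.match(path):
            return spec.context
    return None


def relabel_plan(specs: List[ContextSpec],
                 entries: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """For (path, ftype, current_context) entries return the (path, current,
    target) triples whose on-disk label differs from the policy default.
    Paths resolving to <<none>> or already correctly labelled are left alone,
    which is the per-inode decision a relabel makes."""
    changes = []
    for path, ftype, current in entries:
        target = default_context(specs, path, ftype)
        if target is not None and target != current:
            changes.append((path, current, target))
    return changes


if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    # Constructed walk of a guest tree: (path, file type, label currently on disk).
    walk = [
        ("/etc/resolv.conf", "file", "system_u:object_r:default_t:s0"),
        ("/var/spool/mail", "dir", "system_u:object_r:var_spool_t:s0"),
        ("/proc/cpuinfo", "file", "system_u:object_r:proc_t:s0"),
    ]
    for path, current, target in relabel_plan(specs, walk):
        print(f"{path}: {current} -> {target}")
```

The file-type flag matters for the resolv.conf case the post mentions: with the sample policy a regular file at /etc/resolv.conf resolves to net_conf_t, but a symlink at the same path falls through to the generic /etc entry, because the `--` entry only applies to regular files.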
missing btrfs subvol support
by Olaf Hering
Is btrfs subvol support failing just for me? Looks like nothing adds the
required '@/' string. virt-ls uses the first variant of the command:
><rescue> mount -vo subvol=var/spool,ro /dev/sda2 /sysroot/
[ 113.852047] BTRFS info (device sda2): disk space caching is enabled
[ 113.852869] BTRFS: has skinny extents
mount: mount(2) failed: No such file or directory
><rescue> mount -vo subvol=@var/spool,ro /dev/sda2 /sysroot/
[ 116.082642] BTRFS info (device sda2): disk space caching is enabled
[ 116.083476] BTRFS: has skinny extents
mount: mount(2) failed: No such file or directory
><rescue> mount -vo subvol=@/var/spool,ro /dev/sda2 /sysroot/
[ 123.995343] BTRFS info (device sda2): disk space caching is enabled
[ 123.996238] BTRFS: has skinny extents
mount: /dev/sda2 mounted on /sysroot.
><rescue> exit
fstab is:
UUID=d538a81f-9778-424d-96cc-e48dd2d4a323 swap swap defaults 0 0
UUID=65b72f12-eccb-4cf2-a4f4-9c4bb462456f / btrfs defaults 0 0
UUID=65b72f12-eccb-4cf2-a4f4-9c4bb462456f /var/spool btrfs subvol=@/var/spool 0 0
Olaf
9 years, 4 months
[libguestfs] conversion issue on NFS shares
by Artur Krzywdzinski
Hi
I'm trying to convert a XEN virtual machine image into raw. Source file is on
NFS export and destination is also on nfs export. (both exports are mounted
on migration servers RW access). I'm getting permission denied.
I have RW access to both exports - I can create, delete objects on both
exports from migration server. But when I copy img file onto migration
server local filesystem, conversion works, from local fs to nfs export.
However, when I tried to run guestfish against a file located on NFS, I'm
getting the same error: Permission denied.
[root@kvm01 export]# virt-v2v -i disk migr01.img -o local -os /tmp
[ 0.0] Opening the source -i disk migr01.img
[ 0.0] Creating an overlay to protect the source from being modified
[ 0.0] Opening the overlay
virt-v2v: error: libguestfs error: could not create appliance through
libvirt.
Try running qemu directly without libvirt using this environment variable:
export LIBGUESTFS_BACKEND=direct
Original error from libvirt: internal error: process exited while
connecting to monitor: 2014-10-16T14:25:13.729270Z qemu-kvm: -drive
file=/var/tmp/v2vovl60e1a0.qcow2,if=none,id=drive-scsi0-0-0-0,format=qcow2,cache=unsafe,discard=unmap:
could not open disk image /var/tmp/v2vovl60e1a0.qcow2: Could not open
backing file: Could not open '/mnt/xen01/export/migr01.img': Permission
denied
[code=1 domain=10]
If reporting bugs, run virt-v2v with debugging enabled and include the
complete output:
virt-v2v -v -x [...]
[root@kvm01 export]#
--
Artur Krzywdzinski
9 years, 8 months
[PATCH v5 REBASE 0/4] virt-resize: add support for resizing logical
by Hu Tao
Hi Rich,
This is rebase of v5 series. Meanwhile, I found a bug when shrinking
partitions, and the fix is included in this version (patch 2).
Regards,
Hu
changes to v4:
1. add support to resize extended partition (--resize or --expand extended partition)
2. fix the problem of deficit of 512 bytes when expanding a logical partition
(this problem can be reproduced in v4 by only expanding a logical partition, without resizing any other partitions)
3. update the test script to support logical partitions and extended partition
changes to v3:
1. merge patch 1 and patch 3 in v3
2. let mbr_part_type return 'primary' for GPT partitions
3. add test for resizing logical partitions
4. fix extending the extended partition (yet). see patch 7.
changes to v2:
1. remove p_part_num
2. remove filter_parts
3. name the function calculate_target_partitions
4. remove the code to restart guest introduced in v2
changes to v1:
1. split the patches so it's easier to review
2. fix the parted error caused by unaligned logical partitions
3. extend the content of logical partitions
4. refactor to make logical partitions a separate list
Hu Tao (4):
resize: add partition type LogicalPartition
resize: add support to resize logical partitions
resize: support resize extended partition
resize: test: add support for resizing extended and logical partitions
resize/resize.ml | 123 +++++++++++++++++++++++++++++++++++++++------
resize/test-virt-resize.pl | 32 ++----------
2 files changed, 112 insertions(+), 43 deletions(-)
--
1.9.3
9 years, 11 months
[PATCH 1/6] cmd: add a way to run (and wait) asynchronously commands
by Pino Toscano
---
src/command.c | 64 +++++++++++++++++++++++++++++++++++++++++++-------
src/guestfs-internal.h | 3 +++
2 files changed, 58 insertions(+), 9 deletions(-)
diff --git a/src/command.c b/src/command.c
index 4bb469b..e26573d 100644
--- a/src/command.c
+++ b/src/command.c
@@ -360,7 +360,7 @@ debug_command (struct command *cmd)
}
static int
-run_command (struct command *cmd)
+run_command (struct command *cmd, bool get_stdout_fd, bool get_stderr_fd)
{
struct sigaction sa;
int i, fd, max_fd, r;
@@ -368,8 +368,11 @@ run_command (struct command *cmd)
int outfd[2] = { -1, -1 };
char status_string[80];
+ get_stdout_fd = get_stdout_fd || cmd->stdout_callback != NULL;
+ get_stderr_fd = get_stderr_fd || cmd->capture_errors;
+
/* Set up a pipe to capture command output and send it to the error log. */
- if (cmd->capture_errors) {
+ if (get_stderr_fd) {
if (pipe2 (errorfd, O_CLOEXEC) == -1) {
perrorf (cmd->g, "pipe2");
goto error;
@@ -377,7 +380,7 @@ run_command (struct command *cmd)
}
/* Set up a pipe to capture stdout for the callback. */
- if (cmd->stdout_callback) {
+ if (get_stdout_fd) {
if (pipe2 (outfd, O_CLOEXEC) == -1) {
perrorf (cmd->g, "pipe2");
goto error;
@@ -392,14 +395,14 @@ run_command (struct command *cmd)
/* In parent, return to caller. */
if (cmd->pid > 0) {
- if (cmd->capture_errors) {
+ if (get_stderr_fd) {
close (errorfd[1]);
errorfd[1] = -1;
cmd->errorfd = errorfd[0];
errorfd[0] = -1;
}
- if (cmd->stdout_callback) {
+ if (get_stdout_fd) {
close (outfd[1]);
outfd[1] = -1;
cmd->outfd = outfd[0];
@@ -410,15 +413,15 @@ run_command (struct command *cmd)
}
/* Child process. */
- if (cmd->capture_errors) {
+ if (get_stderr_fd) {
close (errorfd[0]);
- if (!cmd->stdout_callback)
+ if (!get_stdout_fd)
dup2 (errorfd[1], 1);
dup2 (errorfd[1], 2);
close (errorfd[1]);
}
- if (cmd->stdout_callback) {
+ if (get_stdout_fd) {
close (outfd[0]);
dup2 (outfd[1], 1);
close (outfd[1]);
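Review bot: in the child branch, `if (!get_stdout_fd) dup2 (errorfd[1], 1);` means a caller of the new asynchronous entry point that requests a stderr_fd but passes NULL for stdout_fd receives the child's stdout merged into the stderr descriptor, because get_stdout_fd is false in that case. That matches the synchronous capture_errors behaviour, but it is not visible from the async signature; either document it in the guestfs___cmd_run_async comment or require both descriptors to be requested together.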
@@ -615,7 +618,7 @@ guestfs___cmd_run (struct command *cmd)
if (cmd->g->verbose)
debug_command (cmd);
- if (run_command (cmd) == -1)
+ if (run_command (cmd, false, false) == -1)
return -1;
if (loop (cmd) == -1)
@@ -624,6 +627,49 @@ guestfs___cmd_run (struct command *cmd)
return wait_command (cmd);
}
+/* Fork, run the command, and returns the pid of the command,
+ * and its stdout and stderr file descriptors.
+ *
+ * Returns the exit status. Test it using WIF* macros.
+ *
+ * On error: Calls error(g) and returns -1.
+ */
+int
+guestfs___cmd_run_async (struct command *cmd, pid_t *pid,
+ int *stdout_fd, int *stderr_fd)
+{
+ finish_command (cmd);
+
+ if (cmd->g->verbose)
+ debug_command (cmd);
+
+ if (run_command (cmd, stdout_fd != NULL, stderr_fd != NULL) == -1)
+ return -1;
+
+ if (pid)
+ *pid = cmd->pid;
+ if (stdout_fd)
+ *stdout_fd = cmd->outfd;
+ if (stderr_fd)
+ *stderr_fd = cmd->errorfd;
+
+ return 0;
+}
+
+/* Wait for the command to finish.
+ *
+ * The command MUST have been started with guestfs___cmd_run_async.
+ *
+ * Returns the exit status. Test it using WIF* macros.
+ *
+ * On error: Calls error(g) and returns -1.
+ */
+int
+guestfs___cmd_wait (struct command *cmd)
+{
+ return wait_command (cmd);
+}
+
void
guestfs___cmd_close (struct command *cmd)
{
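Review bot: the header comment on guestfs___cmd_run_async says "Returns the exit status. Test it using WIF* macros." but the function returns 0 on success (`return 0;`); that sentence belongs only to guestfs___cmd_wait and should be dropped here. The comment should also state who owns the descriptors handed back through *stdout_fd and *stderr_fd: the same values remain in cmd->outfd and cmd->errorfd, so callers need to know whether they close them or leave that to guestfs___cmd_wait / guestfs___cmd_close, otherwise a double close is easy to introduce.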
diff --git a/src/guestfs-internal.h b/src/guestfs-internal.h
index 573c3da..bd5f675 100644
--- a/src/guestfs-internal.h
+++ b/src/guestfs-internal.h
@@ -20,6 +20,7 @@
#define GUESTFS_INTERNAL_H_
#include <stdbool.h>
+#include <sys/types.h>
#include <libintl.h>
@@ -870,6 +871,8 @@ extern void guestfs___cmd_set_stderr_to_stdout (struct command *);
extern void guestfs___cmd_clear_capture_errors (struct command *);
extern void guestfs___cmd_clear_close_files (struct command *);
extern int guestfs___cmd_run (struct command *);
+extern int guestfs___cmd_run_async (struct command *, pid_t *pid, int *stdout_fd, int *stderr_fd);
+extern int guestfs___cmd_wait (struct command *);
extern void guestfs___cmd_close (struct command *);
#ifdef HAVE_ATTRIBUTE_CLEANUP
--
1.9.3
9 years, 12 months
[PATCH 1/2] sparsify: ignore read-only btrfs snapshots (RHBZ#1079625)
by Pino Toscano
In copy mode, make sure to not zero-free-space read-only btrfs
snapshots, as we cannot write to them.
---
sparsify/copying.ml | 28 +++++++++++++++++++++++++---
1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/sparsify/copying.ml b/sparsify/copying.ml
index 8d77964..4c23939 100644
--- a/sparsify/copying.ml
+++ b/sparsify/copying.ml
@@ -208,6 +208,11 @@ You can ignore this warning or change it to a hard failure using the
* and selected swap partitions.
*)
let filesystems = g#list_filesystems () in
+ let btrfs_filesystems = List.filter (
+ fun (fs, fstype) ->
+ fstype = "btrfs"
+ ) filesystems in
+ let btrfs_filesystems = List.map fst btrfs_filesystems in
let filesystems = List.map fst filesystems in
let filesystems = List.sort compare filesystems in
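Review bot: style: `fun (fs, fstype) -> fstype = "btrfs"` binds `fs` without using it, which triggers the unused-variable warning; write `fun (_, fstype) -> fstype = "btrfs"`. The two `let btrfs_filesystems` bindings can also be folded into one: `let btrfs_filesystems = List.map fst (List.filter (fun (_, t) -> t = "btrfs") filesystems) in`.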
@@ -216,6 +221,18 @@ You can ignore this warning or change it to a hard failure using the
List.exists (fun fs' -> fs = g#canonical_device_name fs') ignores
in
+ let is_readonly_btrfs_snapshot fs mp =
+ try
+ let is_btrfs = List.mem fs btrfs_filesystems in
+ if is_btrfs then (
+ try
+ let vol_info = g#btrfs_subvolume_show mp in
+ string_find (List.assoc "Flags" vol_info) "readonly" <> -1
+ with _ -> false
+ ) else false
+ with Not_found -> false
+ in
+
List.iter (
fun fs ->
if not (is_ignored fs) then (
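Review bot: the outer `try ... with Not_found -> false` in is_readonly_btrfs_snapshot is redundant: `List.mem` never raises, and the only call that can raise Not_found, `List.assoc "Flags" vol_info`, is already inside the inner `with _ -> false`. The body reduces to `List.mem fs btrfs_filesystems && (try string_find (List.assoc "Flags" (g#btrfs_subvolume_show mp)) "readonly" <> -1 with _ -> false)`. Note that `with _` also swallows a failing g#btrfs_subvolume_show and then reports the subvolume as writable; narrowing the handler to the exceptions you actually expect would avoid zeroing a volume whose flags could not be read.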
@@ -230,10 +247,15 @@ You can ignore this warning or change it to a hard failure using the
with _ -> false in
if mounted then (
- if not quiet then
- printf (f_"Fill free space in %s with zero ...\n%!") fs;
+ if is_readonly_btrfs_snapshot fs "/" then (
+ if not quiet then
+ printf (f_"Skipping %s, as it is a read-only btrfs snapshot.\n%!") fs;
+ ) else (
+ if not quiet then
+ printf (f_"Fill free space in %s with zero ...\n%!") fs;
- g#zero_free_space "/"
+ g#zero_free_space "/"
+ )
) else (
let is_linux_x86_swap =
(* Look for the signature for Linux swap on i386.
--
1.9.3
9 years, 12 months
virt-v2v - can i convert a ESXi Guest to oVirt (KVM)
by Ml Ml
Hello List,
I have Debian ESXi Guest VMs. Can I use virt-v2v to convert and import
them in oVirt?
I have read that this is possible for Red Hat guests and I was wondering
if this also works for Debian Guest VMs, too.
Thanks,
Mario
9 years, 12 months
Can't create any VPS using KVM template due to the error with libguestfs
by Thirumalai Nambi
Hi,
I'm using SolusVM control panel to create KVM VPS. Suddenly, I can't make
any VPS on Host-Node. Their build log says the SolusVM can't read the
libguestfs in server.
During the debug, I've tried to mount existing VPS using guestmount command
and I can't mount the KVM image.
Please check here.
[root@msv07 /]# guestmount -i -a /dev/msv07data/kvm139_img /mnt
libguestfs: error: guestfs_launch failed.
See http://libguestfs.org/guestfs-faq.1.html#debugging-libguestfs
and/or run 'libguestfs-test-tool'.
[root@msv07 /]#
I've attached libguestfs-test-tool output (untitled document 1) and debug
output of the guestmount command here (untitled document 2).
Please take a look and respond asap, Last time I've opened a ticket, we got
response after one day..
Please make this hurry, I've invested whole day on this issue. But I can't
solve it.
10 years
[PATCH] daemon: parted: use --part-type with recent sfdisk
by Pino Toscano
Check whether --part-type is supported (in the rewritten sfdisk in
util-linux >= 2.26), and use it instead of --print-id & --change-id.
The actual result should be the same, just not using a (recently)
deprecated command line API.
---
daemon/parted.c | 36 ++++++++++++++++++++++++++++++++----
1 file changed, 32 insertions(+), 4 deletions(-)
diff --git a/daemon/parted.c b/daemon/parted.c
index 8fbb6e4..2f10144 100644
--- a/daemon/parted.c
+++ b/daemon/parted.c
@@ -681,6 +681,30 @@ do_part_get_bootable (const char *device, int partnum)
}
}
+/* Test if sfdisk is recent enough to have --part-type, to be used instead
+ * of --print-id and --change-id.
+ */
+static int
+test_sfdisk_has_part_type (void)
+{
+ static int tested = -1;
+
+ if (tested != -1)
+ return tested;
+
+ int r;
+ CLEANUP_FREE char *out = NULL, *err = NULL;
+
+ r = command (&out, &err, str_sfdisk, "--help", NULL);
+ if (r == -1) {
+ reply_with_error ("%s: %s", "sfdisk --help", err);
+ return -1;
+ }
+
+ tested = strstr (out, "--part-type") != NULL;
+ return tested;
+}
+
/* Currently we use sfdisk for getting and setting the ID byte. In
* future, extend parted to provide this functionality. As a result
* of using sfdisk, this won't work for non-MBR-style partitions, but
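Review bot: test_sfdisk_has_part_type uses -1 both as the `static int tested = -1` not-yet-tested sentinel and as its error return after reply_with_error, and both callers feed the result straight into a ternary, where -1 is true. A failing `sfdisk --help` therefore sends an error reply and then silently continues with `--part-type`. Keep the sentinel distinct from the error value (or return a tri-state) and make the callers check for -1 before choosing the option.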
@@ -695,6 +719,8 @@ do_part_get_mbr_id (const char *device, int partnum)
return -1;
}
+ const char *param = test_sfdisk_has_part_type () ? "--part-type" : "--print-id";
+
char partnum_str[16];
snprintf (partnum_str, sizeof partnum_str, "%d", partnum);
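Review bot: `const char *param = test_sfdisk_has_part_type () ? "--part-type" : "--print-id";` treats the -1 error return as true, so after the helper has already called reply_with_error the function carries on and can reply a second time from the later `reply_with_error ("sfdisk %s: %s", param, err);`. Suggested:
int has_part_type = test_sfdisk_has_part_type ();
if (has_part_type == -1) return -1;
const char *param = has_part_type ? "--part-type" : "--print-id";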
@@ -703,9 +729,9 @@ do_part_get_mbr_id (const char *device, int partnum)
udev_settle ();
- r = command (&out, &err, str_sfdisk, "--print-id", device, partnum_str, NULL);
+ r = command (&out, &err, str_sfdisk, param, device, partnum_str, NULL);
if (r == -1) {
- reply_with_error ("sfdisk --print-id: %s", err);
+ reply_with_error ("sfdisk %s: %s", param, err);
return -1;
}
@@ -729,6 +755,8 @@ do_part_set_mbr_id (const char *device, int partnum, int idbyte)
return -1;
}
+ const char *param = test_sfdisk_has_part_type () ? "--part-type" : "--change-id";
+
char partnum_str[16];
snprintf (partnum_str, sizeof partnum_str, "%d", partnum);
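Review bot: the same -1 check as in do_part_get_mbr_id is needed before `const char *param = test_sfdisk_has_part_type () ? "--part-type" : "--change-id";`, so that a failed probe returns -1 here instead of falling through to --part-type.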
@@ -741,9 +769,9 @@ do_part_set_mbr_id (const char *device, int partnum, int idbyte)
udev_settle ();
r = command (NULL, &err, str_sfdisk,
- "--change-id", device, partnum_str, idbyte_str, NULL);
+ param, device, partnum_str, idbyte_str, NULL);
if (r == -1) {
- reply_with_error ("sfdisk --change-id: %s", err);
+ reply_with_error ("sfdisk %s: %s", param, err);
return -1;
}
--
1.9.3
10 years