SELinux relabel API
by Richard W.M. Jones
[
I realized that we were discussing adding this feature, in various
private email, IRC, and this long bugzilla thread:
https://bugzilla.redhat.com/show_bug.cgi?id=1060423
That's not how we should do things. Let's discuss it on the
mailing list.
]
One thing that virt-customize/virt-sysprep/virt-builder have to do is
relabel SELinux guests.
What we do at the moment is run:
if load_policy && fixfiles restore; then
rm -f /.autorelabel
else
touch /.autorelabel
echo '%s: SELinux relabelling failed, will relabel at boot instead.'
fi
while chrooted into the guest (using the 'guestfs_sh' API).
This has a number of problems:
- It has to load the policy using 'load_policy', but this doesn't
work sometimes:
* RHEL 5 load_policy takes a parameter.
* Doesn't work if appliance kernel is significantly different from
guest kernel version, because the binary policy format changes
irregularly and is not backwards compatible.
* Requires the appliance [host] kernel to be compiled with
LSM/SELinux support.
- Touching /.autorelabel is often broken, eg. it's broken in Fedora 20
because of systemd (RHBZ#1049656).
- /etc/resolv.conf will not be relabelled if guestfs network is on,
because of resolv.conf shenanigans in libguestfs.git/daemon/command.c
- It requires running guest code, which we'd like to avoid.
What would be nice would be to have an API to just do this
relabelling. Libguestfs could change this API as required to handle
different guests.
Dan Walsh helpfully pointed out to us that we've been doing it wrong
all along :-) A much better way to relabel is to run:
setfiles /etc/selinux/targeted/contexts/files/file_contexts DIR
where 'file_contexts' is a file which contains the default labels for
files (a set of regexps), and 'DIR' is the directory at which
relabelling starts. Note that 'setfiles' would be the libguestfs
appliance binary, so no guest binary needs to be run.
A simple API could just look like this:
guestfs_selinux_relabel (g);
which would always use the 'targeted' policy from the guest, and
always start relabelling at the root. This would work fine for
virt-builder.
For Colin's requirements for Project Atomic, I suspect he will want to
be able to set the file_contexts file and the root directory, but I'll
leave him to describe what would be useful.
A couple of notes:
- I'd like to avoid baking in assumptions from the 'setfiles' command
as far as possible. libguestfs APIs last for many years and some
have caused us many years of regret (but that's our job) :-/
- Is it a good idea to tie this into inspection in some way -- for
example, inspection could provide us with the path to the current or
default SELinux policy.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
8 years, 9 months
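To show what the setfiles-style approach above amounts to (relabelling from the policy's file_contexts specs instead of running guest code), here is an added example; it is not libguestfs code and not part of Rich's mail. It parses a file_contexts fragment with the matching rules setfiles and matchpathcon document (each entry an anchored regular expression, an optional file-type field, `<<none>>` for "leave unlabelled", last matching entry wins) and reports, as a dry run, which guest files a relabel would change. The policy fragment and the file inventory are constructed for the example; in a real tool the inventory would come from the guest's security.selinux xattrs read through the libguestfs API.

```python
"""Dry-run SELinux relabel planner (added example, not libguestfs code).

Parses a file_contexts file and reports which paths carry a label that differs
from the policy default, using the matching rules setfiles/matchpathcon use:
each entry is an anchored regex, an optional file-type field restricts the
entry to one inode type, `<<none>>` means "leave unlabelled", and when several
entries match the LAST one in the file wins.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Optional second field of a file_contexts entry -> inode type it applies to.
TYPE_FIELD = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "fifo"}


@dataclass
class Spec:
    regex: re.Pattern          # matched with fullmatch, i.e. anchored both ends
    ftype: Optional[str]       # None = any inode type
    context: str               # full context string, or the literal "<<none>>"


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse the text of a file_contexts file into an ordered list of specs."""
    specs: List[Spec] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            pattern, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in TYPE_FIELD:
            pattern, ftype, context = fields[0], TYPE_FIELD[fields[1]], fields[2]
        else:
            raise ValueError(f"file_contexts line {lineno}: cannot parse {raw!r}")
        # libselinux compiles each entry as a POSIX ERE wrapped in ^...$;
        # Python's re is close enough for the patterns policies actually use.
        specs.append(Spec(re.compile(pattern), ftype, context))
    return specs


def expected_context(specs: List[Spec], path: str, ftype: str = "file") -> Optional[str]:
    """Return the context the policy assigns to `path`, or None if nothing matches."""
    for spec in reversed(specs):            # last matching entry wins
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.fullmatch(path):
            return spec.context
    return None


# (path, inode type, current label or None when the file has no security xattr)
Inventory = List[Tuple[str, str, Optional[str]]]


def plan_relabel(specs: List[Spec], inventory: Inventory) -> List[Tuple[str, Optional[str], str]]:
    """List (path, current, expected) for every file a relabel would change."""
    changes = []
    for path, ftype, current in inventory:
        expected = expected_context(specs, path, ftype)
        if expected is None or expected == "<<none>>":
            continue                        # unmatched, or explicitly unlabelled
        if current != expected:
            changes.append((path, current, expected))
    return changes


# Constructed policy fragment in file_contexts syntax (not a real policy file).
SAMPLE_FILE_CONTEXTS = r"""
# generic fallback first; later, more specific entries override it
/.*                         system_u:object_r:default_t:s0
/etc(/.*)?                  system_u:object_r:etc_t:s0
/etc/shadow.*          --   system_u:object_r:shadow_t:s0
/etc/resolv\.conf.*    --   system_u:object_r:net_conf_t:s0
/root(/.*)?                 system_u:object_r:admin_home_t:s0
/proc(/.*)?                 <<none>>
"""

# Constructed inventory, as a tool could collect it from a guest image by
# reading security.selinux xattrs, without running any guest binary.
SAMPLE_INVENTORY: Inventory = [
    ("/etc/resolv.conf", "file", "system_u:object_r:default_t:s0"),   # mislabelled
    ("/etc/shadow", "file", "system_u:object_r:shadow_t:s0"),        # already correct
    ("/root/.bash_history", "file", None),                           # unlabelled
    ("/proc/1/status", "file", None),                                # <<none>>: skipped
]

if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for path, current, expected in plan_relabel(specs, SAMPLE_INVENTORY):
        print(f"{path}: {current or '<unlabelled>'} -> {expected}")
```

The file-type field matters for the resolv.conf case mentioned in the mail: the `--` entry applies only to regular files, so a symlinked resolv.conf falls back to the `/etc(/.*)?` entry, which is exactly the kind of distinction a relabel API would have to get right without assuming anything about how `setfiles` is invoked.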
missing btrfs subvol support
by Olaf Hering
Is btrfs subvol support failing just for me? Looks like nothing adds the
required '@/' string. virt-ls uses the first variant of the command:
><rescue> mount -vo subvol=var/spool,ro /dev/sda2 /sysroot/
[ 113.852047] BTRFS info (device sda2): disk space caching is enabled
[ 113.852869] BTRFS: has skinny extents
mount: mount(2) failed: No such file or directory
><rescue> mount -vo subvol=@var/spool,ro /dev/sda2 /sysroot/
[ 116.082642] BTRFS info (device sda2): disk space caching is enabled
[ 116.083476] BTRFS: has skinny extents
mount: mount(2) failed: No such file or directory
><rescue> mount -vo subvol=@/var/spool,ro /dev/sda2 /sysroot/
[ 123.995343] BTRFS info (device sda2): disk space caching is enabled
[ 123.996238] BTRFS: has skinny extents
mount: /dev/sda2 mounted on /sysroot.
><rescue> exit
fstab is:
UUID=d538a81f-9778-424d-96cc-e48dd2d4a323 swap swap defaults 0 0
UUID=65b72f12-eccb-4cf2-a4f4-9c4bb462456f / btrfs defaults 0 0
UUID=65b72f12-eccb-4cf2-a4f4-9c4bb462456f /var/spool btrfs subvol=@/var/spool 0 0
Olaf
9 years
[libguestfs] conversion issue on NFS shares
by Artur Krzywdzinski
Hi
I'm trying to convert a XEN virtual machine image into raw. Source file is on
NFS export and destination is also on NFS export. (both exports are mounted
on migration servers RW access). I'm getting permission denied.
I have RW access to both exports - I can create, delete objects on both
exports from migration server. But when I copy img file onto migration
server local filesystem, conversion works, from local fs to nfs export.
However when I tried to run guestfish against file located on NFS - I'm
getting the same error - Permission denied.
[root@kvm01 export]# virt-v2v -i disk migr01.img -o local -os /tmp
[ 0.0] Opening the source -i disk migr01.img
[ 0.0] Creating an overlay to protect the source from being modified
[ 0.0] Opening the overlay
virt-v2v: error: libguestfs error: could not create appliance through
libvirt.
Try running qemu directly without libvirt using this environment variable:
export LIBGUESTFS_BACKEND=direct
Original error from libvirt: internal error: process exited while
connecting to monitor: 2014-10-16T14:25:13.729270Z qemu-kvm: -drive
file=/var/tmp/v2vovl60e1a0.qcow2,if=none,id=drive-scsi0-0-0-0,format=qcow2,cache=unsafe,discard=unmap:
could not open disk image /var/tmp/v2vovl60e1a0.qcow2: Could not open
backing file: Could not open '/mnt/xen01/export/migr01.img': Permission
denied
[code=1 domain=10]
If reporting bugs, run virt-v2v with debugging enabled and include the
complete output:
virt-v2v -v -x [...]
[root@kvm01 export]#
--
Artur Krzywdzinski
9 years, 4 months
[PATCH] v2v: allow configurable location for virtio drivers
by Roman Kagan
Make the location of the Windows virtio drivers overridable with the
environment variable VIRTIO_WIN_DIR, in the same vein as is done for
virt-tools.
Signed-off-by: Roman Kagan <rkagan(a)parallels.com>
---
v2v/convert_windows.ml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/v2v/convert_windows.ml b/v2v/convert_windows.ml
index 0cd818a..e966341 100644
--- a/v2v/convert_windows.ml
+++ b/v2v/convert_windows.ml
@@ -47,7 +47,9 @@ let convert ~verbose ~keep_serial_console (g : G.guestfs) inspect source =
try Sys.getenv "VIRT_TOOLS_DATA_DIR"
with Not_found -> Config.datadir // "virt-tools" in
- let virtio_win_dir = "/usr/share/virtio-win" in
+ let virtio_win_dir =
+ try Sys.getenv "VIRTIO_WIN_DIR"
+ with Not_found -> Config.datadir // "virtio-win" in
(* Check if RHEV-APT exists. This is optional. *)
let rhev_apt_exe = virt_tools_data_dir // "rhev-apt.exe" in
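Review bot: the default also changes in this hunk, from the hard-coded "/usr/share/virtio-win" to Config.datadir // "virtio-win", which is a behaviour change for any build whose datadir is not /usr/share and is not mentioned in the commit message; either keep the old literal as the fallback or state the new default in the message, and document VIRTIO_WIN_DIR next to VIRT_TOOLS_DATA_DIR in the virt-v2v man page so users know the override exists.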
--
2.1.0
9 years, 5 months
[PATCH v3] virt-copy, virt-tar: show help for -h
by Maros Zatko
Shows manpage for virt-copy-in,out and virt-tar-in,out
when user supplies -h as a parameter instead of listing
unrelated commands with descriptions.
Maros Zatko (1):
virt-copy, virt-tar: show help for -h
fish/virt-copy-in | 9 +++++++++
fish/virt-copy-out | 9 +++++++++
fish/virt-tar-in | 9 +++++++++
fish/virt-tar-out | 9 +++++++++
4 files changed, 36 insertions(+)
--
1.9.3
9 years, 5 months
[PATCH v5 REBASE 0/4] virt-resize: add support for resizing logical
by Hu Tao
Hi Rich,
This is rebase of v5 series. Meanwhile, I found a bug when shrinking
partitions, and the fix is included in this version (patch 2).
Regards,
Hu
changes to v4:
1. add support to resize extended partition (--resize or --expand extended partition)
2. fix the problem of deficit of 512 bytes when expanding a logical partition
(this problem can be reproduced in v4 by only expanding a logical partition, without resizing any other partitions)
3. update the test script to support logical partitions and extended partition
changes to v3:
1. merge patch 1 and patch 3 in v3
2. let mbr_part_type return 'primary' for GPT partitions
3. add test for resizing logical partitions
4. fix extending the extended partition (yet). see patch 7.
changes to v2:
1. remove p_part_num
2. remove filter_parts
3. name the function calculate_target_partitions
4. remove the code to restart guest introduced in v2
changes to v1:
1. split the patches so it's easier to review
2. fix the parted error caused by unaligned logical partitions
3. extend the content of logical partitions
4. refactor to make logical partitions a separate list
Hu Tao (4):
resize: add partition type LogicalPartition
resize: add support to resize logical partitions
resize: support resize extended partition
resize: test: add support for resizing extended and logical partitions
resize/resize.ml | 123 +++++++++++++++++++++++++++++++++++++++------
resize/test-virt-resize.pl | 32 ++----------
2 files changed, 112 insertions(+), 43 deletions(-)
--
1.9.3
9 years, 6 months
[PATCH 0/4] btrfs: add support to btrfstune
by Chen Hanxiao
This series adds new APIs to support btrfstune.
Chen Hanxiao (4):
New API: btrfstune_S_enable
New API: btrfstune_S_disable
New API: btrfstune_r
New API: btrfstune_x
daemon/btrfs.c | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++++
generator/actions.ml | 64 +++++++++++++++++++++++++++++++++
src/MAX_PROC_NR | 2 +-
3 files changed, 164 insertions(+), 1 deletion(-)
--
2.1.0
9 years, 6 months
[PATCH 0/4] firstboot: assorted enhancements
by Roman Kagan
This patchset attempts to address a number of shortcomings in the
firstboot infrastructure I came across while working with v2v conversion
of various Windows VMs.
Roman Kagan (4):
firstboot: consolidate line ending conversion
firstboot: enhance firstboot driver script for Windows
firstboot: make script naming descriptive
convert_windows: split firstboot into steps
customize/customize_run.ml | 19 +++++-------
customize/firstboot.ml | 73 +++++++++++++++++++++++++++++++---------------
customize/firstboot.mli | 13 +++++----
v2v/convert_windows.ml | 31 ++++++++++----------
4 files changed, 80 insertions(+), 56 deletions(-)
--
2.1.0
9 years, 6 months
Corrupt index.asc
by Yagmur Akbulut
Hi all,
I am trying to use virt-builder but facing the following error. I see that
the file at the link has two entries for fedora-21. Is there a way to
override the download? Or can somebody please update the file at the link?
virt-builder --list
virt-builder: index is corrupt: os-version 'fedora-21' appears two or more
times
The index file downloaded from 'http://libguestfs.org/download/builder/index.asc' is corrupt.
You need to ask the supplier of this file to fix it and upload a fixed
version.
Regards,
Yagmur
9 years, 6 months
[PATCH] builder: handle -v and -x flags like in other tools (RHBZ#1196100)
by Pino Toscano
Make sure that -x enables tracing and -v enables verbose mode, just like
other tools do.
Kind of followup of commit b6b9b90dd74c7b9204bdf218aa9360e117308e78.
---
builder/builder.ml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/builder/builder.ml b/builder/builder.ml
index a519913..0ddf076 100644
--- a/builder/builder.ml
+++ b/builder/builder.ml
@@ -555,7 +555,8 @@ let main () =
let preallocation = if oformat = "qcow2" then Some "metadata" else None in
let () =
let g = new G.guestfs () in
- if verbose then ( g#set_trace true; g#set_verbose true );
+ if trace then g#set_trace true;
+ if verbose then g#set_verbose true;
g#disk_create ?preallocation ofile oformat osize in
let cmd =
sprintf "virt-resize%s%s%s --output-format %s%s%s %s %s"
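Review bot: with "if trace then g#set_trace true;" replacing the old line that turned on both tracing and verbose mode from -v, -v alone no longer enables API tracing, which is the stated intent; but the virt-resize command line built immediately below with sprintf "virt-resize%s%s%s --output-format ..." should be checked to forward -x and -v as two independent flags as well, otherwise the child process still couples them.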
@@ -608,7 +609,8 @@ let main () =
msg (f_"Opening the new disk");
let g =
let g = new G.guestfs () in
- if verbose then g#set_trace true;
+ if trace then g#set_trace true;
+ if verbose then g#set_verbose true;
(match memsize with None -> () | Some memsize -> g#set_memsize memsize);
(match smp with None -> () | Some smp -> g#set_smp smp);
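Review bot: this is the second copy of the same two-line "if trace ... if verbose ..." sequence in this file, and the two sites had already drifted apart before this patch (the first set both trace and verbose on -v, this one set only trace); a small helper that applies the flags to a guestfs handle, called from both places, would keep them from diverging again.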
--
2.1.0
9 years, 6 months