SELinux relabel API
by Richard W.M. Jones
[
I realized that we were discussing adding this feature, in various
private email, IRC, and this long bugzilla thread:
https://bugzilla.redhat.com/show_bug.cgi?id=1060423
That's not how we should do things. Let's discuss it on the
mailing list.
]
One thing that virt-customize/virt-sysprep/virt-builder have to do is
relabel SELinux guests.
What we do at the moment is run:
if load_policy && fixfiles restore; then
rm -f /.autorelabel
else
touch /.autorelabel
echo '%s: SELinux relabelling failed, will relabel at boot instead.'
fi
while chrooted into the guest (using the 'guestfs_sh' API).
This has a number of problems:
- It has to load the policy using 'load_policy', but this doesn't
work sometimes:
* RHEL 5 load_policy takes a parameter.
* Doesn't work if appliance kernel is significantly different from
guest kernel version, because the binary policy format changes
irregularly and is not backwards compatible.
* Requires the appliance [host] kernel to be compiled with
LSM/SELinux support.
- Touching /.autorelabel is often broken, eg. it's broken in Fedora 20
because of systemd (RHBZ#1049656).
- /etc/resolv.conf will not be relabelled if guestfs network is on,
because of resolv.conf shenanigans in libguestfs.git/daemon/command.c
- It requires running guest code, which we'd like to avoid.
What would be nice would be to have an API to just do this
relabelling. Libguestfs could change this API as required to handle
different guests.
Dan Walsh helpfully pointed out to us that we've been doing it wrong
all along :-) A much better way to relabel is to run:
setfiles /etc/selinux/targeted/contexts/files/file_contexts DIR
where 'file_contexts' is a file which contains the default labels for
files (a set of regexps), and 'DIR' is the directory at which
relabelling starts. Note that 'setfiles' would be the libguestfs
appliance binary, so no guest binary needs to be run.
A simple API could just look like this:
guestfs_selinux_relabel (g);
which would always use the 'targeted' policy from the guest, and
always start relabelling at the root. This would work fine for
virt-builder.
For Colin's requirements for Project Atomic, I suspect he will want to
be able to set the file_contexts file and the root directory, but I'll
leave him to describe what would be useful.
A couple of notes:
- I'd like to avoid baking in assumptions from the 'setfiles' command
as far as possible. libguestfs APIs last for many years and some
have caused us many years of regret (but that's our job) :-/
- Is it a good idea to tie this into inspection in some way -- for
example, inspection could provide us with the path to the current or
default SELinux policy.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
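An added illustration (not code from libguestfs or from this thread) of the lookup that 'setfiles' performs against a file_contexts file: each entry is an anchored regex with an optional file-type flag, the last matching entry wins, and a context of '<<none>>' means leave the file alone. The file_contexts entries and the on-disk labels below are constructed.

```python
import re
import stat
# Constructed sample in the format setfiles reads from file_contexts:
#   <regex> [<file-type flag>] <security context | <<none>>>
# Generic entries come first because setfiles takes the LAST match.
SAMPLE_FILE_CONTEXTS = """\
/.*                    system_u:object_r:default_t:s0
/etc(/.*)?             system_u:object_r:etc_t:s0
/etc/resolv\\.conf      -- system_u:object_r:net_conf_t:s0
/var/spool(/.*)?       system_u:object_r:var_spool_t:s0
/var/spool/mail/.*     -- system_u:object_r:mail_spool_t:s0
/proc/.*               <<none>>
"""

# setfiles file-type flags and the stat(2) inode type each one selects.
TYPE_FLAGS = {"--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK,
              "-c": stat.S_IFCHR, "-b": stat.S_IFBLK, "-s": stat.S_IFSOCK,
              "-p": stat.S_IFIFO}

def parse_file_contexts(text):
    """Return [(compiled_regex, type_flag_or_None, context)] in file order."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        regex, ctx = fields[0], fields[-1]
        ftype = fields[1] if len(fields) == 3 else None
        # libselinux anchors every file_contexts regex at both ends.
        specs.append((re.compile("^" + regex + "$"), ftype, ctx))
    return specs

def lookup_context(specs, path, mode):
    """Default context for path, or None if unmatched or marked <<none>>."""
    for regex, ftype, ctx in reversed(specs):  # last matching entry wins
        if ftype and stat.S_IFMT(mode) != TYPE_FLAGS[ftype]:
            continue  # entry is restricted to another inode type
        if regex.match(path):
            return None if ctx == "<<none>>" else ctx
    return None

def relabel_plan(specs, current):
    """current: {path: (mode, label)} -> [(path, old, new)] needing relabel."""
    changes = []
    for path, (mode, old) in sorted(current.items()):
        new = lookup_context(specs, path, mode)
        if new is not None and new != old:
            changes.append((path, old, new))
    return changes
```

The relabel_plan output is the set of changes a relabel starting at DIR would apply; the resolv.conf case from the post shows up as a type-restricted entry overriding the generic /etc rule.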
ANNOUNCE: libguestfs & virt-v2v & virt-p2v RHEL 7.2 preview packages available
by Richard W.M. Jones
[The subject line isn't strictly correct, as virt-p2v packages aren't
available right now, but will be shortly]
If you are running RHEL 7.1 then you may be interested in trying out
the newer RHEL 7.2 preview versions of:
- libguestfs
- virt-v2v (Technical Preview in RHEL 7.1, Supported in RHEL 7.2)
- virt-p2v (Technical Preview in RHEL 7.2)
To install the preview repository, copy the attached file into
/etc/yum.repos.d/
Then use this command to update virt-v2v:
yum install virt-v2v libguestfs-tools-c libguestfs-xfs
To convert Windows guests you'll also need libguestfs-winsupport which
is finally available in RHN (V2VWIN channel) or you can get it from
http://people.redhat.com/~rjones/libguestfs-winsupport/
Please note these packages are *not* supported by Red Hat. If you
find bugs, please file them using the link below:
https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%...
To downgrade back to the RHEL 7.1 supported packages, delete
/etc/yum.repos.d/libguestfs-RHEL-7.2-preview.repo , uninstall
libguestfs, then reinstall libguestfs from RHN.
I have not tested these packages on CentOS 7.1, but they will probably
work there too, and if they don't then let me know.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org
missing btrfs subvol support
by Olaf Hering
Is btrfs subvol support failing just for me? Looks like nothing adds the
required '@/' string. virt-ls uses the first variant of the command:
><rescue> mount -vo subvol=var/spool,ro /dev/sda2 /sysroot/
[ 113.852047] BTRFS info (device sda2): disk space caching is enabled
[ 113.852869] BTRFS: has skinny extents
mount: mount(2) failed: No such file or directory
><rescue> mount -vo subvol=@var/spool,ro /dev/sda2 /sysroot/
[ 116.082642] BTRFS info (device sda2): disk space caching is enabled
[ 116.083476] BTRFS: has skinny extents
mount: mount(2) failed: No such file or directory
><rescue> mount -vo subvol=@/var/spool,ro /dev/sda2 /sysroot/
[ 123.995343] BTRFS info (device sda2): disk space caching is enabled
[ 123.996238] BTRFS: has skinny extents
mount: /dev/sda2 mounted on /sysroot.
><rescue> exit
fstab is:
UUID=d538a81f-9778-424d-96cc-e48dd2d4a323 swap swap defaults 0 0
UUID=65b72f12-eccb-4cf2-a4f4-9c4bb462456f / btrfs defaults 0 0
UUID=65b72f12-eccb-4cf2-a4f4-9c4bb462456f /var/spool btrfs subvol=@/var/spool 0 0
Olaf
[PATCH 00/10] virt-resize: add support for resizing MBR logical partitions
by Chen Hanxiao
In current virt-resize, only primary partitions (including the
extended partition) are supported. They are collected in an
array for resize operations. Logical partitions are not
supported.
This series adds support for resizing logical partitions.
Original patches by Hu Tao at:
https://www.redhat.com/archives/libguestfs/2014-October/msg00238.html
Chen Hanxiao (10):
resize: don't filter out logical partitions
resize: don't count new size of logical and extended partition
resize: calculate the size of logical partitions
resize: update calculate_target_partitions for logical partitions
resize: calculate location of the partitions of logical partition
resize: skip overlap check for logical partitions
resize: parted logical partitions
resize: calculate surplus for resize extended partition
resize: support resize extended partition
resize: test: add support for resizing extended and logical partitions
resize/resize.ml | 144 ++++++++++++++++++++++++++++++++++-----------
resize/test-virt-resize.pl | 32 ++--------
2 files changed, 114 insertions(+), 62 deletions(-)
--
2.1.0
[libguestfs] conversion issue on NFS shares
by Artur Krzywdzinski
Hi
I'm trying to convert a XEN virtual machine image into raw. The source file is on
an NFS export and the destination is also on an NFS export (both exports are mounted
on the migration servers with RW access). I'm getting permission denied.
I have RW access to both exports - I can create and delete objects on both
exports from the migration server. But when I copy the img file onto the migration
server's local filesystem, conversion works, from local fs to NFS export.
However, when I tried to run guestfish against the file located on NFS, I'm
getting the same error - Permission denied.
[root@kvm01 export]# virt-v2v -i disk migr01.img -o local -os /tmp
[ 0.0] Opening the source -i disk migr01.img
[ 0.0] Creating an overlay to protect the source from being modified
[ 0.0] Opening the overlay
virt-v2v: error: libguestfs error: could not create appliance through
libvirt.
Try running qemu directly without libvirt using this environment variable:
export LIBGUESTFS_BACKEND=direct
Original error from libvirt: internal error: process exited while
connecting to monitor: 2014-10-16T14:25:13.729270Z qemu-kvm: -drive
file=/var/tmp/v2vovl60e1a0.qcow2,if=none,id=drive-scsi0-0-0-0,format=qcow2,cache=unsafe,discard=unmap:
could not open disk image /var/tmp/v2vovl60e1a0.qcow2: Could not open
backing file: Could not open '/mnt/xen01/export/migr01.img': Permission
denied
[code=1 domain=10]
If reporting bugs, run virt-v2v with debugging enabled and include the
complete output:
virt-v2v -v -x [...]
[root@kvm01 export]#
--
Artur Krzywdzinski
v2v: Support conversion of EFI guests (RHBZ#1184690)
by Richard W.M. Jones
VMware allows you to present UEFI firmware to guests (instead of the
ordinary PC BIOS). Virt-v2v can convert these guests, but requires
that UEFI is supported by the target hypervisor.
Currently KVM supports OVMF, a partially open source UEFI firmware,
and can run these guests.
Since OVMF support was only recently added to KVM (in 2014/2015), only
output to raw qemu or libvirt is supported.
Rich.
[PATCH] inspector: fix formatting of xpath result (RHBZ#1212680)
by Pino Toscano
Discard blank nodes when reading the XML from stdin, while enabling
formatting in output nodes.
---
inspector/inspector.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/inspector/inspector.c b/inspector/inspector.c
index 1863de0..412384a 100644
--- a/inspector/inspector.c
+++ b/inspector/inspector.c
@@ -769,7 +769,7 @@ do_xpath (const char *query)
xmlSaveCtxtPtr saveCtx;
xmlNodePtr wrnode;
- doc = xmlReadFd (STDIN_FILENO, NULL, "utf8", 0);
+ doc = xmlReadFd (STDIN_FILENO, NULL, "utf8", XML_PARSE_NOBLANKS);
if (doc == NULL) {
fprintf (stderr, _("%s: unable to parse XML from stdin\n"), guestfs_int_program_name);
exit (EXIT_FAILURE);
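Review bot: XML_PARSE_NOBLANKS on the xmlReadFd call discards whitespace-only text nodes, which is what lets the output side re-indent, but it also removes whitespace-only text that is significant inside mixed-content elements; the commit message says only "discard blank nodes", so please state there that the XML read on stdin here is element-structured inspection output with no mixed content, which is the reason the flag is safe.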
@@ -795,7 +795,7 @@ do_xpath (const char *query)
if (nodes == NULL)
break;
- saveCtx = xmlSaveToFd (STDOUT_FILENO, NULL, XML_SAVE_NO_DECL);
+ saveCtx = xmlSaveToFd (STDOUT_FILENO, NULL, XML_SAVE_NO_DECL | XML_SAVE_FORMAT);
if (saveCtx == NULL) {
fprintf (stderr, _("%s: xmlSaveToFd failed\n"), guestfs_int_program_name);
exit (EXIT_FAILURE);
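Review bot: XML_SAVE_FORMAT only produces indented output when the nodes being saved carry no blank text children, so the flag added on the xmlSaveToFd line depends on the XML_PARSE_NOBLANKS change in the first hunk; a one-line comment above `saveCtx = xmlSaveToFd (STDOUT_FILENO, NULL, XML_SAVE_NO_DECL | XML_SAVE_FORMAT);` pointing at the parse flag would keep the two from being separated in a later refactor. The existing NULL check on saveCtx covers the failure path.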
--
2.1.0
[PATCH] customize: add a "touch" operation (RHBZ#1212808)
by Pino Toscano
---
builder/cmdline.ml | 3 ++-
customize/customize_run.ml | 4 ++++
generator/customize.ml | 8 ++++++++
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/builder/cmdline.ml b/builder/cmdline.ml
index 7b119d5..ec189ad 100644
--- a/builder/cmdline.ml
+++ b/builder/cmdline.ml
@@ -312,7 +312,8 @@ read the man page virt-builder(1).
| `Password _ | `RootPassword _ | `Scrub _ | `SSHInject _
| `Timezone _ | `Truncate _ | `TruncateRecursive _
| `Upload _ | `Write _ | `Chmod _
- | `CommandsFromFile _ | `CopyIn _ | `Copy _ | `Move _ -> false
+ | `CommandsFromFile _ | `CopyIn _ | `Copy _ | `Move _
+ | `Touch _ -> false
) ops.ops in
if requires_execute_on_guest then
error (f_"sorry, cannot run commands on a guest with a different architecture");
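Review bot: the commit message is empty apart from the bug number in the subject; it should say what the new operation does and why `Touch _` belongs in this match arm, since returning false here is what records that touch does not require executing code on the guest (it is done by the appliance, so it is allowed on guests of a different architecture).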
diff --git a/customize/customize_run.ml b/customize/customize_run.ml
index f2dbaa2..08cff0b 100644
--- a/customize/customize_run.ml
+++ b/customize/customize_run.ml
@@ -268,6 +268,10 @@ exec >>%s 2>&1
if not (Timezone.set_timezone g root tz) then
warning (f_"timezone could not be set for this type of guest")
+ | `Touch path ->
+ msg (f_"Running touch: %s") path;
+ g#touch path
+
| `Update ->
msg (f_"Updating core packages");
let cmd = guest_update_command () in
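Review bot: `g#touch path` is called with no error handling, which matches the neighbouring arms, but the `Timezone` arm just above downgrades a failure to a warning; decide whether a touch that fails (for example because the path cannot be created) should abort the whole customize run or only warn, and document the choice in the commit message either way.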
diff --git a/generator/customize.ml b/generator/customize.ml
index 99ff4b9..2980d39 100644
--- a/generator/customize.ml
+++ b/generator/customize.ml
@@ -363,6 +363,14 @@ Set the default timezone of the guest to C<TIMEZONE>. Use a location
string like C<Europe/London>";
};
+ { op_name = "touch";
+ op_type = String "FILE";
+ op_discrim = "`Touch";
+ op_shortdesc = "Run touch on a file";
+ op_pod_longdesc = "\
+This command performs a L<touch(1)>-like operation on C<FILE>.";
+ };
+
{ op_name = "update";
op_type = Unit;
op_discrim = "`Update";
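Review bot: op_pod_longdesc only says "performs a L<touch(1)>-like operation on C<FILE>"; as the timezone entry above does, spell out the observable behaviour (the file is created if it does not exist, otherwise its timestamps are updated) so the generated man page is self-contained and users do not have to infer the semantics from touch(1).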
--
2.1.0
[PATCH 1/2] firstboot: Factor out regular expression constant.
by Richard W.M. Jones
Don't need to evaluate this every time we call the function.
---
customize/firstboot.ml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/customize/firstboot.ml b/customize/firstboot.ml
index b12d616..c4af7a9 100644
--- a/customize/firstboot.ml
+++ b/customize/firstboot.ml
@@ -27,8 +27,10 @@ open Regedit
let unix2dos s =
String.concat "\r\n" (Str.split_delim (Str.regexp_string "\n") s)
-let sanitize_name n =
- Str.global_replace (Str.regexp "[^A-Za-z0-9_]") "-" n
+let sanitize_name =
+ let rex = Str.regexp "[^A-Za-z0-9_]" in
+ fun n ->
+ Str.global_replace rex "-" n
(* For Linux guests. *)
module Linux = struct
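Review bot: the closure form compiles the regexp once as intended, but the same per-call compilation remains in unix2dos two lines above (`Str.regexp_string "\n"` is rebuilt on every call) and could get the same treatment in this patch for consistency. A short comment explaining the `let sanitize_name = let rex = ... in fun n ->` shape would help readers who do not recognise the partial-application idiom, since sanitize_name is no longer syntactically a function.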
--
2.3.1
[PATCH v3] inspector: recognize ppc64 and ppc64le archs (RHBZ#1211996)
by Maros Zatko
The patch extracts the MSB/LSB info from the /bin/file output and passes it as a separate
parameter from elf_arch. Then it is sent to impl_file_architecture and checked.
magic_for_file was modified to handle the regex changes.
Fixes: RHBZ#1211996
Maros Zatko (1):
inspector: recognize ppc64 and ppc64le archs (RHBZ#1211996)
src/filearch.c | 24 +++++++++++++++---------
1 file changed, 15 insertions(+), 9 deletions(-)
--
1.9.3