[nbdkit PATCH 0/5] More retry fixes
by Eric Blake
I think this is my last round of patches for issues I identified with
the retry filter. With this in place, it should be safe to interject
another filter in between retry and the plugin.
Eric Blake (5):
retry: Don't call into closed plugin
tests: Refactor test-retry-reopen-fail.sh
tests: Enhance retry test to cover failed reopen
server: Move prepare/finalize/close recursion to backend.c
server: Ensure .finalize and .close are called as needed
docs/nbdkit-filter.pod | 8 ++-
server/internal.h | 14 +++--
server/backend.c | 105 ++++++++++++++++++++++++++------
server/connections.c | 5 +-
server/filters.c | 35 +++--------
server/plugins.c | 10 +--
filters/retry/retry.c | 26 +++++---
tests/test-retry-reopen-fail.sh | 105 ++++++++++++++++++++++++--------
8 files changed, 211 insertions(+), 97 deletions(-)
--
2.21.0
5 years, 2 months
[PATCH] build: define CGO_CFLAGS_ALLOW with -U option we need
by Tomáš Golembiovský
cgo does not allow arbitrary CFLAGS to be used. Instead it contains a
list of flags (safelist) that are allowed to be passed to the compiler.
Sadly, the -U option (introduced in commit d8d8c856a1) is not among them.
See: https://github.com/golang/go/issues/23672
Signed-off-by: Tomáš Golembiovský <tgolembi(a)redhat.com>
---
run.in | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/run.in b/run.in
index 7e4963cdf..2c43cf87a 100755
--- a/run.in
+++ b/run.in
@@ -187,6 +187,13 @@ else
CGO_CFLAGS="$CGO_CFLAGS -I$s/lib"
fi
export CGO_CFLAGS
+if [ -z "$CGO_CFLAGS_ALLOW" ]; then
+ CGO_CFLAGS_ALLOW='-UGUESTFS_NO_DEPRECATED'
+ export CGO_CFLAGS_ALLOW
+else
+ echo "Warning: CGO_CFLAGS_ALLOW already defined! Be sure to include"
+ echo "the -U option."
+fi
if [ -z "$CGO_LDFLAGS" ]; then
CGO_LDFLAGS="-L$b/lib/.libs"
else
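Review bot: The two `echo` lines in the new `else` branch write the warning to stdout, so it gets mixed into anything that captures the script's output; send it to stderr with `>&2`. The branch also only warns and leaves the caller's value as it is, so cgo will still reject the flag if that value does not cover `-U`. Since CGO_CFLAGS_ALLOW is a regular expression, the script could extend it instead, for example `CGO_CFLAGS_ALLOW="($CGO_CFLAGS_ALLOW)|-UGUESTFS_NO_DEPRECATED"`, and drop the warning.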
--
2.23.0
5 years, 2 months
[nbdkit PATCH] Check for python3 first
by Martin Kletzander
On systems where python is still set to python2 the check will fail even though
it is still completely possible to compile and use nbdkit.
Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com>
---
configure.ac | 2 +-
plugins/python/nbdkit-python-plugin.pod | 13 +++++++------
2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/configure.ac b/configure.ac
index 5adce7d7bab5..83eefb60ab73 100644
--- a/configure.ac
+++ b/configure.ac
@@ -471,7 +471,7 @@ AC_SUBST([PERL_CFLAGS])
AC_SUBST([PERL_LDOPTS])
dnl Check for Python 3, for embedding in the python plugin.
-AC_CHECK_PROG([PYTHON],[python],[python],[no])
+AC_PATH_PROGS([PYTHON],[python3 python],[no])
AC_ARG_ENABLE([python],
[AS_HELP_STRING([--disable-python], [disable Python embed plugin])],
[],
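Review bot: With `[python3 python]` the fallback can still select a Python 2 `python`, although the comment directly above says the check is for Python 3 and nothing in this hunk tests the version of what was found. Either drop the `python` fallback or make sure a version check rejects a 2.x interpreter. AC_PATH_PROGS also sets PYTHON to an absolute path where AC_CHECK_PROG set the bare name `python`, so any later use that expects a bare name needs a look.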
diff --git a/plugins/python/nbdkit-python-plugin.pod b/plugins/python/nbdkit-python-plugin.pod
index 321aeb2c3b53..92a03c3cde6c 100644
--- a/plugins/python/nbdkit-python-plugin.pod
+++ b/plugins/python/nbdkit-python-plugin.pod
@@ -46,14 +46,15 @@ may want to include documentation and globals (eg. for storing global
state). Any other top level statements are run when the script is
loaded, just like ordinary Python.
-=head2 Python 2 and Python 3
+=head2 Python versions
-The Python plugin has to be compiled for either Python 2 or Python 3
-when building nbdkit. You can set the C<PYTHON> environment variable
-to the desired interpreter, otherwise nbdkit will use the interpreter
-called C<python> on the current C<$PATH>. For example:
+Python 2 end of life is 2020-01-01 and nbdkit >= 1.16 no longer
+supports it. If you want to use Python 2, you will need to use nbdkit
+version 1.14. You can set the C<PYTHON> environment variable
+to the desired interpreter, otherwise nbdkit will use interpreter
+called C<python3> or C<python> on the current C<$PATH>. For example:
- PYTHON=/usr/bin/python3 ./configure
+ PYTHON=/opt/local/bin/python3 ./configure
To find out which version the Python plugin was compiled for, use the
I<--dump-plugin> option, eg:
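Review bot: In the rewritten paragraph, "otherwise nbdkit will use interpreter called" lost the article that the removed text had; it should read "will use the interpreter called C<python3> or C<python>". The text also says nbdkit >= 1.16 no longer supports Python 2 while still documenting a fallback to C<python>, which on the systems the commit message describes is Python 2; say what happens when only that interpreter is found.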
--
2.23.0
5 years, 2 months
[PATCH libnbd 1/4] generator: Allow long ‘name - shortdesc’ in man pages.
by Richard W.M. Jones
For commands with long names and/or short descriptors, you can end up
going over 72 characters in the first line of the man page (causing
podwrapper to complain). Wrap these lines.
---
generator/generator | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/generator/generator b/generator/generator
index 7d3f656..ad1cb6b 100755
--- a/generator/generator
+++ b/generator/generator
@@ -4487,7 +4487,8 @@ let generate_docs_nbd_pod name { args; optargs; ret;
first_version = (major, minor) } () =
pr "=head1 NAME\n";
pr "\n";
- pr "nbd_%s - %s\n" name shortdesc;
+ pr_wrap ' ' (fun () -> pr "nbd_%s - %s" name shortdesc);
+ pr "\n";
pr "\n";
pr "=head1 SYNOPSIS\n";
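Review bot: The reason the NAME line now goes through `pr_wrap ' '` is recorded only in the commit message; a short comment above that line saying podwrapper rejects lines over 72 characters would keep someone from collapsing it back into the single `pr`. It is also worth confirming that the wrapped NAME paragraph still renders as one "nbd_xxx - description" entry in the generated man page.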
--
2.23.0
5 years, 2 months
[nbdkit PATCH 0/5] Another round of retry fixes
by Eric Blake
I still don't have .prepare/.finalize working cleanly across reopen,
but did find a nasty bug where a botched assertion means we failed to
notice reads beyond EOF in both the xz and retry filter.
Refactoring backend.c will make .finalize work easier.
Eric Blake (5):
xz: Avoid reading beyond EOF
retry: Check size before transactions
tests: Test retry when get_size values change
server: Fix backend range check
server: Refactor to drop connection_get_handle()
server/internal.h | 66 +++++++------
server/backend.c | 53 ++++++----
server/connections.c | 2 +-
server/filters.c | 70 +++++--------
server/plugins.c | 142 ++++++++++-----------------
server/protocol-handshake-newstyle.c | 4 +-
filters/retry/retry.c | 23 +++++
filters/xz/xzfile.c | 4 +
tests/Makefile.am | 2 +
tests/test-retry-size.sh | 101 +++++++++++++++++++
10 files changed, 275 insertions(+), 192 deletions(-)
create mode 100755 tests/test-retry-size.sh
--
2.21.0
5 years, 2 months
[nbdkit PATCH 0/4] More work with retry safety
by Eric Blake
I'm still working on another set of patches to have reopen call
.finalize/.prepare (so that another filter can safely appear between
retry and the plugin), but for tonight, these are the patches I think
are ready to go.
Eric Blake (4):
retry: Handle can_fua and can_fast_zero changes
tests: Test retry with different fua/fast-zero flags
server: Close backends if a filter's .open fails
server: Better documentation of .open ordering
docs/nbdkit-filter.pod | 17 +++--
server/backend.c | 5 +-
server/connections.c | 2 +-
server/filters.c | 8 ++-
filters/retry/retry.c | 20 ++++++
tests/test-layers-filter.c | 5 +-
tests/test-layers.c | 14 ++--
tests/Makefile.am | 2 +
tests/test-retry-zero-flags.sh | 126 +++++++++++++++++++++++++++++++++
9 files changed, 183 insertions(+), 16 deletions(-)
create mode 100755 tests/test-retry-zero-flags.sh
--
2.21.0
5 years, 2 months
[nbdkit PATCH v2 0/6] Improve retry filter
by Eric Blake
Includes a rework of the previously posted patch for --run
improvements (mostly with improved comments and commit message; I
decided that waiting for the captive nbdkit to exit was overkill), and
four new patches. The tests are intentionally separate, to allow
rearranging the order of the series to see the failures being fixed.
Eric Blake (6):
server: Propagate unexpected nbdkit failure with --run
tests: Enhance captive test
retry: Check next_ops->can_FOO on retry
tests: Test for retry-readonly behavior
retry: Avoid assertion during retried extents
tests: Test retry after partial extents
server/captive.c | 47 +++++++++++----
filters/retry/retry.c | 80 ++++++++++++++++++++++--
tests/Makefile.am | 4 ++
tests/test-captive.sh | 46 ++++++++++++--
tests/test-retry-extents.sh | 114 +++++++++++++++++++++++++++++++++++
tests/test-retry-readonly.sh | 96 +++++++++++++++++++++++++++++
6 files changed, 366 insertions(+), 21 deletions(-)
create mode 100755 tests/test-retry-extents.sh
create mode 100755 tests/test-retry-readonly.sh
--
2.21.0
5 years, 2 months
[libnbd PATCH] docs: Add libnbd-security(1) man page
by Eric Blake
Copies heavily after a similar addition recently made in nbdkit.
---
I'm not sure if .1 or .3 fits better for the man page. With nbdkit,
.1 made sense because 'nbdkit' is a standalone program; but with
libnbd, our only standalone is nbdsh, yet naming it nbdsh-security
seems off.
docs/Makefile.am | 7 +++++++
docs/libnbd-security.pod | 32 ++++++++++++++++++++++++++++++++
docs/libnbd.pod | 1 +
Makefile.am | 1 +
.gitignore | 3 ++-
SECURITY | 14 ++++++++++++++
6 files changed, 57 insertions(+), 1 deletion(-)
create mode 100644 docs/libnbd-security.pod
create mode 100644 SECURITY
diff --git a/docs/Makefile.am b/docs/Makefile.am
index df58586..4c99b5d 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -38,6 +38,7 @@ generator_built = \
EXTRA_DIST = \
$(generator_built) \
libnbd.pod \
+ libnbd-security.pod \
nbd_create.pod \
nbd_close.3 \
nbd_get_error.3 \
@@ -48,6 +49,7 @@ if HAVE_POD
man_MANS = \
libnbd.3 \
+ libnbd-security.1 \
nbd_create.3 \
nbd_close.3 \
nbd_get_error.3 \
@@ -73,4 +75,9 @@ libnbd.3: libnbd.pod $(top_builddir)/podwrapper.pl \
--html $(top_builddir)/html/$@.html \
$<
+libnbd-security.1: libnbd-security.pod
+ $(PODWRAPPER) --section=1 --man $@ \
+ --html $(top_builddir)/html/$@.html \
+ $<
+
endif HAVE_POD
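Review bot: The new `libnbd-security.1` rule lists only `libnbd-security.pod` as a prerequisite, while the `libnbd.3` rule shown in the hunk header also depends on `$(top_builddir)/podwrapper.pl`; without that prerequisite a change to podwrapper will not rebuild this page. Add the same prerequisite so the two rules stay consistent.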
diff --git a/docs/libnbd-security.pod b/docs/libnbd-security.pod
new file mode 100644
index 0000000..5fe0926
--- /dev/null
+++ b/docs/libnbd-security.pod
@@ -0,0 +1,32 @@
+=head1 NAME
+
+libnbd-security - information about past security issues in libnbd
+
+=head1 DESCRIPTION
+
+This page details past security issues found in libnbd.
+
+For how to report new security issues, see the C<SECURITY> file in the
+top level source directory, also available online here:
+L<https://github.com/libguestfs/libnbd/blob/master/SECURITY>
+
+=head2 CVE-2019-14842
+protocol downgrade attack when using LIBNBD_TLS_REQUIRE
+
+See the full announcement and links to mitigation, tests and fixes
+here:
+https://www.redhat.com/archives/libguestfs/2019-September/msg00128.html
+
+=head1 SEE ALSO
+
+L<libnbd(1)>.
+
+=head1 AUTHORS
+
+Eric Blake
+
+Richard W.M. Jones
+
+=head1 COPYRIGHT
+
+Copyright (C) 2019 Red Hat Inc.
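Review bot: `=head2 CVE-2019-14842` is followed directly by the description line with no blank line between them, and POD treats everything up to the next blank line as part of the command paragraph, so "protocol downgrade attack when using LIBNBD_TLS_REQUIRE" becomes part of the heading. Add an empty line after the `=head2` line. The announcement URL below it is also bare, unlike the `L<https://github.com/...>` link earlier in the file; wrap it in `L<>` for consistency.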
diff --git a/docs/libnbd.pod b/docs/libnbd.pod
index 7bd59f5..e4810f6 100644
--- a/docs/libnbd.pod
+++ b/docs/libnbd.pod
@@ -830,6 +830,7 @@ L<https://github.com/NetworkBlockDevice/nbd/blob/master/doc/uri.md>.
=head2 Other
+L<libnbd-security(1),
L<qemu(1)>.
=head1 AUTHORS
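Review bot: The added line `L<libnbd-security(1),` has no closing `>`, so the link code is unterminated and runs into `L<qemu(1)>.` on the next line. It should be `L<libnbd-security(1)>,`.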
diff --git a/Makefile.am b/Makefile.am
index 59918b9..019936f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -24,6 +24,7 @@ EXTRA_DIST = \
.gitignore \
html/pod.css \
scripts/git.orderfile \
+ SECURITY \
$(NULL)
SUBDIRS = \
diff --git a/.gitignore b/.gitignore
index 9254d1a..ae3e04f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -37,10 +37,11 @@ Makefile.in
/config.sub
/configure
/depcomp
-/docs/*.3
+/docs/*.[13]
/docs/*.pod
/docs/Makefile.inc
!/docs/libnbd.pod
+!/docs/libnbd-security.pod
!/docs/nbd_close.3
!/docs/nbd_create.pod
!/docs/nbd_get_err??.3
diff --git a/SECURITY b/SECURITY
new file mode 100644
index 0000000..d9a32d6
--- /dev/null
+++ b/SECURITY
@@ -0,0 +1,14 @@
+If you think you've found a serious or potential security bug that you
+don't want to report on a public mailing list, then send email to both
+<rjones(a)redhat.com> and <eblake(a)redhat.com>.
+
+Make it clear in the email Subject line that it's a serious or
+security-related bug in libnbd.
+
+You can also sign and/or encrypt messages using our GPG public keys
+available on the usual keyservers.
+
+For information about past security issues, see
+docs/libnbd-security.pod, or the libnbd-security(1) man page if you
+have installed libnbd, also available online here:
+http://libguestfs.org/libnbd-security.1.html
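Review bot: The paragraph on signing and encrypting reports points to "our GPG public keys available on the usual keyservers" without giving key fingerprints, so a reporter has no way to tell which key on a keyserver really belongs to the maintainers. List the full fingerprints of both keys in this file.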
--
2.21.0
5 years, 2 months
[libnbd PATCH] docs: Add libnbd-security(1) man page
by Eric Blake
Copies heavily after a similar addition recently made in nbdkit.
---
docs/Makefile.am | 7 +++++++
docs/libnbd-security.pod | 32 ++++++++++++++++++++++++++++++++
docs/libnbd.pod | 1 +
Makefile.am | 1 +
.gitignore | 3 ++-
SECURITY | 14 ++++++++++++++
6 files changed, 57 insertions(+), 1 deletion(-)
create mode 100644 docs/libnbd-security.pod
create mode 100644 SECURITY
diff --git a/docs/Makefile.am b/docs/Makefile.am
index df58586..4c99b5d 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -38,6 +38,7 @@ generator_built = \
EXTRA_DIST = \
$(generator_built) \
libnbd.pod \
+ libnbd-security.pod \
nbd_create.pod \
nbd_close.3 \
nbd_get_error.3 \
@@ -48,6 +49,7 @@ if HAVE_POD
man_MANS = \
libnbd.3 \
+ libnbd-security.1 \
nbd_create.3 \
nbd_close.3 \
nbd_get_error.3 \
@@ -73,4 +75,9 @@ libnbd.3: libnbd.pod $(top_builddir)/podwrapper.pl \
--html $(top_builddir)/html/$@.html \
$<
+libnbd-security.1: libnbd-security.pod
+ $(PODWRAPPER) --section=1 --man $@ \
+ --html $(top_builddir)/html/$@.html \
+ $<
+
endif HAVE_POD
diff --git a/docs/libnbd-security.pod b/docs/libnbd-security.pod
new file mode 100644
index 0000000..61a27fc
--- /dev/null
+++ b/docs/libnbd-security.pod
@@ -0,0 +1,32 @@
+=head1 NAME
+
+libnbd-security - information about past security issues in libnbd
+
+=head1 DESCRIPTION
+
+This page details past security issues found in libnbd.
+
+For how to report new security issues, see the C<SECURITY> file in the
+top level source directory, also available online here:
+L<https://github.com/libguestfs/libnbd/blob/master/SECURITY>
+
+=head2 CVE-2019-14842
+protocol downgrade attack when using LIBNBD_TLS_REQUIRE
+
+See the full announcement and links to mitigation, tests and fixes
+here:
+https://www.redhat.com/archives/libguestfs/2019-September/msg00128.html
+
+=head1 SEE ALSO
+
+L<libnbd(1)>.
+
+=head1 AUTHORS
+
+Eric Blake
+
+Richard W.M. Jones
+
+=head1 COPYRIGHT
+
+Copyright (C) 2019 Red Hat Inc.
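Review bot: SEE ALSO refers to `L<libnbd(1)>`, but the docs/Makefile.am hunk in this patch shows the main page is built as `libnbd.3`; the reference should be `L<libnbd(3)>`.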
diff --git a/docs/libnbd.pod b/docs/libnbd.pod
index 7bd59f5..e4810f6 100644
--- a/docs/libnbd.pod
+++ b/docs/libnbd.pod
@@ -830,6 +830,7 @@ L<https://github.com/NetworkBlockDevice/nbd/blob/master/doc/uri.md>.
=head2 Other
+L<libnbd-security(1),
L<qemu(1)>.
=head1 AUTHORS
diff --git a/Makefile.am b/Makefile.am
index 59918b9..019936f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -24,6 +24,7 @@ EXTRA_DIST = \
.gitignore \
html/pod.css \
scripts/git.orderfile \
+ SECURITY \
$(NULL)
SUBDIRS = \
diff --git a/.gitignore b/.gitignore
index 9254d1a..ae3e04f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -37,10 +37,11 @@ Makefile.in
/config.sub
/configure
/depcomp
-/docs/*.3
+/docs/*.[13]
/docs/*.pod
/docs/Makefile.inc
!/docs/libnbd.pod
+!/docs/libnbd-security.pod
!/docs/nbd_close.3
!/docs/nbd_create.pod
!/docs/nbd_get_err??.3
diff --git a/SECURITY b/SECURITY
new file mode 100644
index 0000000..d9a32d6
--- /dev/null
+++ b/SECURITY
@@ -0,0 +1,14 @@
+If you think you've found a serious or potential security bug that you
+don't want to report on a public mailing list, then send email to both
+<rjones(a)redhat.com> and <eblake(a)redhat.com>.
+
+Make it clear in the email Subject line that it's a serious or
+security-related bug in libnbd.
+
+You can also sign and/or encrypt messages using our GPG public keys
+available on the usual keyservers.
+
+For information about past security issues, see
+docs/libnbd-security.pod, or the libnbd-security(1) man page if you
+have installed libnbd, also available online here:
+http://libguestfs.org/libnbd-security.1.html
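Review bot: The last line links to `http://libguestfs.org/libnbd-security.1.html` over plain HTTP, while the pod added in this patch links to the SECURITY file over https. For the page people consult about security issues, use an `https://` URL if the site serves one.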
--
2.21.0
5 years, 2 months