October 2019 - Libguestfs - Libguestfs List Archives

by Eric Blake

I think this is my last round of patches for issues I identified with the retry filter. With this in place, it should be safe to interject another filter in between retry and the plugin. Eric Blake (5): retry: Don't call into closed plugin tests: Refactor test-retry-reopen-fail.sh tests: Enhance retry test to cover failed reopen server: Move prepare/finalize/close recursion to backend.c server: Ensure .finalize and .close are called as needed docs/nbdkit-filter.pod | 8 ++- server/internal.h | 14 +++-- server/backend.c | 105 ++++++++++++++++++++++++++------ server/connections.c | 5 +- server/filters.c | 35 +++-------- server/plugins.c | 10 +-- filters/retry/retry.c | 26 +++++--- tests/test-retry-reopen-fail.sh | 105 ++++++++++++++++++++++++-------- 8 files changed, 211 insertions(+), 97 deletions(-) -- 2.21.0

4 years, 7 months

2
6
0 / 0

[PATCH] build: define CGO_CFLAGS_ALLOW with -U option we need

by Tomáš Golembiovský

cgo does not allow arbitrary CFLAGS to be used. Instead it contains a list of flags (safelist) that are allowed to be passed to the compiler. Sadly -U option (introduced in commit d8d8c856a1) is not among them. See: https://github.com/golang/go/issues/23672 Signed-off-by: Tomáš Golembiovský <tgolembi(a)redhat.com> --- run.in | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/run.in b/run.in index 7e4963cdf..2c43cf87a 100755 --- a/run.in +++ b/run.in @@ -187,6 +187,13 @@ else CGO_CFLAGS="$CGO_CFLAGS -I$s/lib" fi export CGO_CFLAGS +if [ -z "$CGO_CFLAGS_ALLOW" ]; then + CGO_CFLAGS_ALLOW='-UGUESTFS_NO_DEPRECATED' + export CGO_CFLAGS_ALLOW +else + echo "Warning: CGO_CFLAGS_ALLOW already defined! Be sure to include" + echo "the -U option." +fi if [ -z "$CGO_LDFLAGS" ]; then CGO_LDFLAGS="-L$b/lib/.libs" else -- 2.23.0

4 years, 7 months

2
1
0 / 0

[nbdkit PATCH] Check for python3 first

by Martin Kletzander

On systems where python is still set to python2 the check will fail even though it is still completely possible to compile and use nbdkit. Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com> --- configure.ac | 2 +- plugins/python/nbdkit-python-plugin.pod | 13 +++++++------ 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/configure.ac b/configure.ac index 5adce7d7bab5..83eefb60ab73 100644 --- a/configure.ac +++ b/configure.ac @@ -471,7 +471,7 @@ AC_SUBST([PERL_CFLAGS]) AC_SUBST([PERL_LDOPTS]) dnl Check for Python 3, for embedding in the python plugin. -AC_CHECK_PROG([PYTHON],[python],[python],[no]) +AC_PATH_PROGS([PYTHON],[python3 python],[no]) AC_ARG_ENABLE([python], [AS_HELP_STRING([--disable-python], [disable Python embed plugin])], [], diff --git a/plugins/python/nbdkit-python-plugin.pod b/plugins/python/nbdkit-python-plugin.pod index 321aeb2c3b53..92a03c3cde6c 100644 --- a/plugins/python/nbdkit-python-plugin.pod +++ b/plugins/python/nbdkit-python-plugin.pod @@ -46,14 +46,15 @@ may want to include documentation and globals (eg. for storing global state). Any other top level statements are run when the script is loaded, just like ordinary Python. -=head2 Python 2 and Python 3 +=head2 Python versions -The Python plugin has to be compiled for either Python 2 or Python 3 -when building nbdkit. You can set the C<PYTHON> environment variable -to the desired interpreter, otherwise nbdkit will use the interpreter -called C<python> on the current C<$PATH>. For example: +Python 2 end of life is 2020-01-01 and nbdkit >= 1.16 no longer +supports it. If you want to use Python 2, you will need to use nbdkit +version 1.14. You can set the C<PYTHON> environment variable +to the desired interpreter, otherwise nbdkit will use interpreter +called C<python3> or C<python> on the current C<$PATH>. For example: - PYTHON=/usr/bin/python3 ./configure + PYTHON=/opt/local/bin/python3 ./configure To find out which version the Python plugin was compiled for, use the I<--dump-plugin> option, eg: -- 2.23.0

4 years, 7 months

2
1
0 / 0

[PATCH libnbd 1/4] generator: Allow long ‘name - shortdesc’ in man pages.

by Richard W.M. Jones

For commands with long names and/or short descriptors, you can end up going over 72 characters in the first line of the man page (causing podwrapper to complain). Wrap these lines. --- generator/generator | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/generator/generator b/generator/generator index 7d3f656..ad1cb6b 100755 --- a/generator/generator +++ b/generator/generator @@ -4487,7 +4487,8 @@ let generate_docs_nbd_pod name { args; optargs; ret; first_version = (major, minor) } () = pr "=head1 NAME\n"; pr "\n"; - pr "nbd_%s - %s\n" name shortdesc; + pr_wrap ' ' (fun () -> pr "nbd_%s - %s" name shortdesc); + pr "\n"; pr "\n"; pr "=head1 SYNOPSIS\n"; -- 2.23.0

4 years, 7 months

2
6
0 / 0

[nbdkit PATCH 0/5] Another round of retry fixes

by Eric Blake

I still don't have .prepare/.finalize working cleanly across reopen, but did find a nasty bug where a botched assertion means we failed to notice reads beyond EOF in both the xz and retry filter. Refactoring backend.c will make .finalize work easier. Eric Blake (5): xz: Avoid reading beyond EOF retry: Check size before transactions tests: Test retry when get_size values change server: Fix backend range check server: Refactor to drop connection_get_handle() server/internal.h | 66 +++++++------ server/backend.c | 53 ++++++---- server/connections.c | 2 +- server/filters.c | 70 +++++-------- server/plugins.c | 142 ++++++++++----------------- server/protocol-handshake-newstyle.c | 4 +- filters/retry/retry.c | 23 +++++ filters/xz/xzfile.c | 4 + tests/Makefile.am | 2 + tests/test-retry-size.sh | 101 +++++++++++++++++++ 10 files changed, 275 insertions(+), 192 deletions(-) create mode 100755 tests/test-retry-size.sh -- 2.21.0

4 years, 7 months

2
7
0 / 0

FYI: cryptsetup luksOpen now requires loads of RAM

by Richard W.M. Jones

https://gitlab.com/cryptsetup/cryptsetup/issues/488 This prevents virt-* tools from opening encrypted partitions automatically. Even 1024M isn't sufficient. I had to bump the memory up to 1400M to make it work, which is just too big for routine use. Even worse if the RAM size isn't quite large enough (eg 1200M) cryptsetup crashes. I'm not sure what to do about this now. The worst aspect is probably the lack of any error message from cryptsetup when it fails, but this is at least the easiest to fix because we can catch the exit code and turn that into an error message. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com virt-df lists disk usage of guests without needing to install any software inside the virtual machine. Supports Linux and Windows. http://people.redhat.com/~rjones/virt-df/

4 years, 7 months

1
0
0 / 0

[nbdkit PATCH 0/4] More work with retry safety

by Eric Blake

I'm still working on another set of patches to have reopen call .finalize/.prepare (so that another filter can safely appear between retry and the plugin), but for tonight, these are the patches I think are ready to go. Eric Blake (4): retry: Handle can_fua and can_fast_zero changes tests: Test retry with different fua/fast-zero flags server: Close backends if a filter's .open fails server: Better documentation of .open ordering docs/nbdkit-filter.pod | 17 +++-- server/backend.c | 5 +- server/connections.c | 2 +- server/filters.c | 8 ++- filters/retry/retry.c | 20 ++++++ tests/test-layers-filter.c | 5 +- tests/test-layers.c | 14 ++-- tests/Makefile.am | 2 + tests/test-retry-zero-flags.sh | 126 +++++++++++++++++++++++++++++++++ 9 files changed, 183 insertions(+), 16 deletions(-) create mode 100755 tests/test-retry-zero-flags.sh -- 2.21.0

4 years, 7 months

2
9
0 / 0

[nbdkit PATCH v2 0/6] Improve retry filter

by Eric Blake

Includes a rework of the previously posted patch for --run improvements (mostly with improved comments and commit message; I decided that waiting for the captive nbdkit to exit was overkill), and four new patches. The tests are intentionally separate, to allow rearranging the order of the series to see the failures being fixed. Eric Blake (6): server: Propagate unexpected nbdkit failure with --run tests: Enhance captive test retry: Check next_ops->can_FOO on retry tests: Test for retry-readonly behavior retry: Avoid assertion during retried extents tests: Test retry after partial extents server/captive.c | 47 +++++++++++---- filters/retry/retry.c | 80 ++++++++++++++++++++++-- tests/Makefile.am | 4 ++ tests/test-captive.sh | 46 ++++++++++++-- tests/test-retry-extents.sh | 114 +++++++++++++++++++++++++++++++++++ tests/test-retry-readonly.sh | 96 +++++++++++++++++++++++++++++ 6 files changed, 366 insertions(+), 21 deletions(-) create mode 100755 tests/test-retry-extents.sh create mode 100755 tests/test-retry-readonly.sh -- 2.21.0

4 years, 7 months

2
9
0 / 0

[libnbd PATCH] docs: Add libnbd-security(1) man page

by Eric Blake

Copies heavily after a similar addition recently made in nbdkit. --- I'm not sure if .1 or .3 fits better for the man page. With nbdkit, .1 made sense because 'nbdkit' is a standalone program; but with libnbd, our only standalone is nbdsh, yet naming it nbdsh-security seems off. docs/Makefile.am | 7 +++++++ docs/libnbd-security.pod | 32 ++++++++++++++++++++++++++++++++ docs/libnbd.pod | 1 + Makefile.am | 1 + .gitignore | 3 ++- SECURITY | 14 ++++++++++++++ 6 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 docs/libnbd-security.pod create mode 100644 SECURITY diff --git a/docs/Makefile.am b/docs/Makefile.am index df58586..4c99b5d 100644 --- a/docs/Makefile.am +++ b/docs/Makefile.am @@ -38,6 +38,7 @@ generator_built = \ EXTRA_DIST = \ $(generator_built) \ libnbd.pod \ + libnbd-security.pod \ nbd_create.pod \ nbd_close.3 \ nbd_get_error.3 \ @@ -48,6 +49,7 @@ if HAVE_POD man_MANS = \ libnbd.3 \ + libnbd-security.1 \ nbd_create.3 \ nbd_close.3 \ nbd_get_error.3 \ @@ -73,4 +75,9 @@ libnbd.3: libnbd.pod $(top_builddir)/podwrapper.pl \ --html $(top_builddir)/html/$@.html \ $< +libnbd-security.1: libnbd-security.pod + $(PODWRAPPER) --section=1 --man $@ \ + --html $(top_builddir)/html/$@.html \ + $< + endif HAVE_POD diff --git a/docs/libnbd-security.pod b/docs/libnbd-security.pod new file mode 100644 index 0000000..5fe0926 --- /dev/null +++ b/docs/libnbd-security.pod @@ -0,0 +1,32 @@ +=head1 NAME + +libnbd-security - information about past security issues in libnbd + +=head1 DESCRIPTION + +This page details past security issues found in libnbd. + +For how to report new security issues, see the C<SECURITY> file in the +top level source directory, also available online here: +L<https://github.com/libguestfs/libnbd/blob/master/SECURITY> + +=head2 CVE-2019-14842 +protocol downgrade attack when using LIBNBD_TLS_REQUIRE + +See the full announcement and links to mitigation, tests and fixes +here: +https://www.redhat.com/archives/libguestfs/2019-September/msg00128.html + +=head1 SEE ALSO + +L<libnbd(1)>. + +=head1 AUTHORS + +Eric Blake + +Richard W.M. Jones + +=head1 COPYRIGHT + +Copyright (C) 2019 Red Hat Inc. diff --git a/docs/libnbd.pod b/docs/libnbd.pod index 7bd59f5..e4810f6 100644 --- a/docs/libnbd.pod +++ b/docs/libnbd.pod @@ -830,6 +830,7 @@ L<https://github.com/NetworkBlockDevice/nbd/blob/master/doc/uri.md>. =head2 Other +L<libnbd-security(1), L<qemu(1)>. =head1 AUTHORS diff --git a/Makefile.am b/Makefile.am index 59918b9..019936f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -24,6 +24,7 @@ EXTRA_DIST = \ .gitignore \ html/pod.css \ scripts/git.orderfile \ + SECURITY \ $(NULL) SUBDIRS = \ diff --git a/.gitignore b/.gitignore index 9254d1a..ae3e04f 100644 --- a/.gitignore +++ b/.gitignore @@ -37,10 +37,11 @@ Makefile.in /config.sub /configure /depcomp -/docs/*.3 +/docs/*.[13] /docs/*.pod /docs/Makefile.inc !/docs/libnbd.pod +!/docs/libnbd-security.pod !/docs/nbd_close.3 !/docs/nbd_create.pod !/docs/nbd_get_err??.3 diff --git a/SECURITY b/SECURITY new file mode 100644 index 0000000..d9a32d6 --- /dev/null +++ b/SECURITY @@ -0,0 +1,14 @@ +If you think you've found a serious or potential security bug that you +don't want to report on a public mailing list, then send email to both +<rjones(a)redhat.com> and <eblake(a)redhat.com>. + +Make it clear in the email Subject line that it's a serious or +security-related bug in libnbd. + +You can also sign and/or encrypt messages using our GPG public keys +available on the usual keyservers. + +For information about past security issues, see +docs/libnbd-security.pod, or the libnbd-security(1) man page if you +have installed libnbd, also available online here: +http://libguestfs.org/libnbd-security.1.html -- 2.21.0

4 years, 7 months

2
1
0 / 0

[libnbd PATCH] docs: Add libnbd-security(1) man page

by Eric Blake

Copies heavily after a similar addition recently made in nbdkit. --- docs/Makefile.am | 7 +++++++ docs/libnbd-security.pod | 32 ++++++++++++++++++++++++++++++++ docs/libnbd.pod | 1 + Makefile.am | 1 + .gitignore | 3 ++- SECURITY | 14 ++++++++++++++ 6 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 docs/libnbd-security.pod create mode 100644 SECURITY diff --git a/docs/Makefile.am b/docs/Makefile.am index df58586..4c99b5d 100644 --- a/docs/Makefile.am +++ b/docs/Makefile.am @@ -38,6 +38,7 @@ generator_built = \ EXTRA_DIST = \ $(generator_built) \ libnbd.pod \ + libnbd-security.pod \ nbd_create.pod \ nbd_close.3 \ nbd_get_error.3 \ @@ -48,6 +49,7 @@ if HAVE_POD man_MANS = \ libnbd.3 \ + libnbd-security.1 \ nbd_create.3 \ nbd_close.3 \ nbd_get_error.3 \ @@ -73,4 +75,9 @@ libnbd.3: libnbd.pod $(top_builddir)/podwrapper.pl \ --html $(top_builddir)/html/$@.html \ $< +libnbd-security.1: libnbd-security.pod + $(PODWRAPPER) --section=1 --man $@ \ + --html $(top_builddir)/html/$@.html \ + $< + endif HAVE_POD diff --git a/docs/libnbd-security.pod b/docs/libnbd-security.pod new file mode 100644 index 0000000..61a27fc --- /dev/null +++ b/docs/libnbd-security.pod @@ -0,0 +1,32 @@ +=head1 NAME + +libnbd-security - information about past security issues in libnbd + +=head1 DESCRIPTION + +This page details past security issues found in libnbd. + +For how to report new security issues, see the C<SECURITY> file in the +top level source directory, also available online here: +L<https://github.com/libguestfs/libnbd/blob/master/SECURITY> + +=head2 CVE-2019-14842 +protocol downgrade attack when using LIBNBD_TLS_REQUIRE + +See the full announcement and links to mitigation, tests and fixes +here: +https://www.redhat.com/archives/libguestfs/2019-September/msg00128.html + +=head1 SEE ALSO + +L<libnbd(1)>. + +=head1 AUTHORS + +Eric Blake + +Richard W.M. Jones + +=head1 COPYRIGHT + +Copyright (C) 2019 Red Hat Inc. diff --git a/docs/libnbd.pod b/docs/libnbd.pod index 7bd59f5..e4810f6 100644 --- a/docs/libnbd.pod +++ b/docs/libnbd.pod @@ -830,6 +830,7 @@ L<https://github.com/NetworkBlockDevice/nbd/blob/master/doc/uri.md>. =head2 Other +L<libnbd-security(1), L<qemu(1)>. =head1 AUTHORS diff --git a/Makefile.am b/Makefile.am index 59918b9..019936f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -24,6 +24,7 @@ EXTRA_DIST = \ .gitignore \ html/pod.css \ scripts/git.orderfile \ + SECURITY \ $(NULL) SUBDIRS = \ diff --git a/.gitignore b/.gitignore index 9254d1a..ae3e04f 100644 --- a/.gitignore +++ b/.gitignore @@ -37,10 +37,11 @@ Makefile.in /config.sub /configure /depcomp -/docs/*.3 +/docs/*.[13] /docs/*.pod /docs/Makefile.inc !/docs/libnbd.pod +!/docs/libnbd-security.pod !/docs/nbd_close.3 !/docs/nbd_create.pod !/docs/nbd_get_err??.3 diff --git a/SECURITY b/SECURITY new file mode 100644 index 0000000..d9a32d6 --- /dev/null +++ b/SECURITY @@ -0,0 +1,14 @@ +If you think you've found a serious or potential security bug that you +don't want to report on a public mailing list, then send email to both +<rjones(a)redhat.com> and <eblake(a)redhat.com>. + +Make it clear in the email Subject line that it's a serious or +security-related bug in libnbd. + +You can also sign and/or encrypt messages using our GPG public keys +available on the usual keyservers. + +For information about past security issues, see +docs/libnbd-security.pod, or the libnbd-security(1) man page if you +have installed libnbd, also available online here: +http://libguestfs.org/libnbd-security.1.html -- 2.21.0

4 years, 7 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Libguestfs October 2019