[guestfs-tools PATCH 0/2] sysprep: full disk encryption improvements
by Laszlo Ersek
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2106286
The first patch extends our support for LUKS-on-LVM a bit.
The second patch explains why the functionality from the first patch
should not be relied upon.
Laszlo
Laszlo Ersek (2):
sysprep: make an effort to cope with LUKS-on-LVM
sysprep: advise against cloning VMs with internal full disk encryption
sysprep/sysprep_operation_lvm_uuids.ml | 42 +++++++++++++++++++-
sysprep/virt-sysprep.pod | 7 ++++
2 files changed, 48 insertions(+), 1 deletion(-)
--
2.19.1.3.g30247aa5d201
2 years, 5 months
A few Coverity errors in nbdkit
by Richard W.M. Jones
Hi Eric,
None of this is important, and may not even be bugs, but here are a
few issues raised with the latest run of Coverity on nbdkit 1.30.7.
**********************************************************************
*** filters/multi-conn
It seems as if "group_vector" is really leaked from this filter. I
think it needs an unload handler to free it.
Error: GCC_ANALYZER_WARNING (CWE-401): [#def75]
nbdkit-1.30.7/filters/multi-conn/multi-conn.c:195:14: warning[-Wanalyzer-malloc-leak]: leak of 'g'
nbdkit-1.30.7/common/utils/vector.h:44: included_from: Included from here.
nbdkit-1.30.7/filters/multi-conn/multi-conn.c:46: included_from: Included from here.
nbdkit-1.30.7/common/utils/cleanup.h:56:3: note: in expansion of macro 'ACQUIRE_LOCK_FOR_CURRENT_SCOPE_1'
nbdkit-1.30.7/filters/multi-conn/multi-conn.c:208:3: note: in expansion of macro 'ACQUIRE_LOCK_FOR_CURRENT_SCOPE'
nbdkit-1.30.7/filters/multi-conn/multi-conn.c:46: included_from: Included from here.
nbdkit-1.30.7/common/utils/vector.h:132:12: note: in definition of macro 'DEFINE_VECTOR_TYPE'
nbdkit-1.30.7/common/utils/vector.h:132:12: note: in definition of macro 'DEFINE_VECTOR_TYPE'
nbdkit-1.30.7/common/utils/vector.h:116:3: note: in definition of macro 'DEFINE_VECTOR_TYPE'
nbdkit-1.30.7/common/utils/vector.h:44: included_from: Included from here.
nbdkit-1.30.7/filters/multi-conn/multi-conn.c:46: included_from: Included from here.
nbdkit-1.30.7/filters/multi-conn/multi-conn.c:87:1: note: in expansion of macro 'DEFINE_VECTOR_TYPE'
nbdkit-1.30.7/filters/multi-conn/multi-conn.c:46: included_from: Included from here.
nbdkit-1.30.7/common/utils/vector.h:132:12: note: in definition of macro 'DEFINE_VECTOR_TYPE'
nbdkit-1.30.7/filters/multi-conn/multi-conn.c:45: included_from: Included from here.
nbdkit-1.30.7/common/utils/cleanup.h:58:41: note: in definition of macro 'ACQUIRE_LOCK_FOR_CURRENT_SCOPE_1'
nbdkit-1.30.7/common/include/unique-name.h:40:37: note: in expansion of macro 'XXUNIQUE_NAME'
nbdkit-1.30.7/common/include/unique-name.h:41:34: note: in expansion of macro 'XUNIQUE_NAME'
nbdkit-1.30.7/common/utils/cleanup.h:56:45: note: in expansion of macro 'NBDKIT_UNIQUE_NAME'
nbdkit-1.30.7/filters/multi-conn/multi-conn.c:208:3: note: in expansion of macro 'ACQUIRE_LOCK_FOR_CURRENT_SCOPE'
# 193| r = next->can_multi_conn (next);
# 194| if (r == -1)
# 195|-> return -1;
# 196| if (r == 0)
# 197| h->mode = EMULATE;
Error: CLANG_WARNING: [#def76]
nbdkit-1.30.7/filters/multi-conn/multi-conn.c:227:15: warning[unix.Malloc]: Potential leak of memory pointed to by 'g'
# 225| }
# 226| if (group_vector_append (&groups, g) == -1)
# 227|-> return -1;
# 228| g->name = h->name;
# 229| h->name = NULL;
**********************************************************************
*** server/protocol-handshake-newstyle.c
I think Coverity has a point here. Certainly there is code before
this point which assigns conn->top_context = NULL, and it's not
immediately clear to me that the code that Coverity has highlighted is
unreachable in that case.
Error: CLANG_WARNING: [#def234]
nbdkit-1.30.7/server/protocol-handshake-newstyle.c:657:34: warning[core.NonNullParamChecker]: Null pointer passed to 1st parameter expecting 'nonnull'
# 655| case NBD_INFO_DESCRIPTION:
# 656| {
# 657|-> const char *desc = backend_export_description (conn->top_context);
# 658|
# 659| if (!desc) {
Error: CLANG_WARNING: [#def235]
nbdkit-1.30.7/server/protocol-handshake-newstyle.c:676:19: warning[core.NonNullParamChecker]: Null pointer passed to 1st parameter expecting 'nonnull'
# 674| uint32_t minimum, preferred, maximum;
# 675|
# 676|-> if (backend_block_size (conn->top_context,
# 677| &minimum, &preferred, &maximum) == -1)
# 678| return -1;
**********************************************************************
*** server/public.c
Any clue about what this error means?
Error: ASSERT_SIDE_EFFECT (CWE-1006): [#def239]
nbdkit-1.30.7/server/public.c:728: assert_side_effect: Argument "quit" of assert() has a side effect because the variable is volatile. The containing function might work differently in a non-debug build.
# 726| * event, we know the connection should be shutting down.
# 727| */
# 728|-> assert (quit ||
# 729| (conn && conn->nworkers > 0 && connection_get_status () < 1) ||
# 730| (conn && (fds[2].revents & (POLLRDHUP | POLLHUP | POLLERR |
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
2 years, 5 months
Error ret=-1 with EINTR in nbd_connect_systemd_socket_activation()
by Motohiro Kawahito
Hi, I'd like to connect to an encrypted QCOW2 file by nbd_connect_systemd_socket_activation(), but I got ret=-1 with EINTR. In our program, signals occur frequently, so I think this is the background of the problem. Could you advise me on what I should do next (such as opening an issue at https://gitlab.com/nbdkit/libnbd or something)?
The arg parameter I used is
qemu-nbd --object secret,id=sec0,data=abc123 --image-opts driver=qcow2,encrypt.format=luks,encrypt.key-secret=sec0,file.filename=/tmp/empty.qcow2
One more problem is that this qemu-nbd process still remains when the error occurred.
I also attached a test program below. Is there any problem in my test program? The version of qemu-nbd is
$ qemu-nbd -V
qemu-nbd 4.2.1 (Debian 1:4.2-3ubuntu6.23)
I created this encrypted QCOW2 image by the following command.
qemu-img create --object secret,id=sec0,data=abc123 -f qcow2 -o encrypt.format=luks,encrypt.key-secret=sec0 /tmp/empty.qcow2 8539292672
Here is a test program I made. I found that this error occurred even for a normal QCOW2 file (not an encrypted one). If you need more information, please let me know.
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <stdint.h>
#include <inttypes.h>
#include <string.h>
#include <signal.h>
#include <sys/types.h>
#include <unistd.h>
#include <libnbd.h>

typedef struct _processInfo {
  char *fname;
  int64_t filesize;
} processInfo;

processInfo pinfo[1024];
int pnum;

/* Build the argv handed to nbd_connect_systemd_socket_activation().
 * The --object and --image-opts values are formatted into heap buffers. */
static char **
makeCommandQemuNbd(bool sync, char *key_encrypted_qcow2, char *fileName)
{
  int num = 0;
  int pos = 0;
  char **ret;

  if (key_encrypted_qcow2) {
    static const char *keyTemplate = "secret,id=sec0,data=%s";
    static const char *fileNameTemplate =
      "driver=qcow2,encrypt.format=luks,encrypt.key-secret=sec0,file.filename=%s";

    num = 6 + (sync ? 1 : 0);
    ret = (char **)malloc(sizeof(*ret) * num);
    ret[pos++] = (char *)"qemu-nbd";                                                   // 0
    ret[pos++] = (char *)"--object";                                                   // 1
    ret[pos] = (char *)malloc(strlen(keyTemplate) + strlen(key_encrypted_qcow2) + 1);  // 2
    sprintf(ret[pos], keyTemplate, key_encrypted_qcow2);
    pos++;
    ret[pos++] = (char *)"--image-opts";                                               // 3
    ret[pos] = (char *)malloc(strlen(fileNameTemplate) + strlen(fileName) + 1);        // 4
    sprintf(ret[pos], fileNameTemplate, fileName);
    pos++;
    if (sync)
      ret[pos++] = (char *)"--cache=writethrough";                                     // 5
    ret[pos++] = NULL;                                                                 // 5 or 6
  } else {
    num = 5 + (sync ? 1 : 0);
    ret = (char **)malloc(sizeof(*ret) * num);
    ret[pos++] = (char *)"qemu-nbd";                                                   // 0
    ret[pos++] = (char *)"-f";                                                         // 1
    ret[pos++] = (char *)"qcow2";                                                      // 2
    ret[pos++] = fileName;                                                             // 3
    if (sync)
      ret[pos++] = (char *)"--cache=writethrough";                                     // 4
    ret[pos++] = NULL;                                                                 // 4 or 5
  }
  return ret;
}

/* Empty handler: the signal is only delivered so that a blocking system
 * call in the child is interrupted. */
void sigHandler(int num)
{
  (void)num;
  // do nothing
}

#define TEST_NORMAL 0

/* Create a handle, start qemu-nbd via socket activation and read the
 * export size. On failure the handle is still returned so that the
 * caller can nbd_close() it. */
struct nbd_handle *
openNbd(processInfo *pi, bool isWritethrough)
{
  struct nbd_handle *nbd;

  fprintf(stderr, "Before nbd_create\n");
  nbd = nbd_create ();
  if (nbd == NULL) {
    fprintf(stderr, "nbd_create failed. %s\n", nbd_get_error ());
    return nbd;
  }
#if TEST_NORMAL  // not encrypted file
  char **args = makeCommandQemuNbd(isWritethrough, (char *)NULL, (char *)"/tmp/my.qcow2");
#else
  char **args = makeCommandQemuNbd(isWritethrough, (char *)"abc123", pi->fname);
#endif
  fprintf(stderr, "Before nbd_connect_systemd_socket_activation\n");
  int ret = nbd_connect_systemd_socket_activation (nbd, args);
  free(args);
  if (ret == -1) {
    fprintf(stderr, "nbd_connect_systemd_socket_activation failed. %s\n", nbd_get_error ());
    return nbd;
  }
  fprintf(stderr, "After nbd_connect_systemd_socket_activation\n");
  pi->filesize = nbd_get_size(nbd);
  fprintf(stderr, "size=%" PRId64 "\n", pi->filesize);
  return nbd;
}

/* The child performs the connect; the parent floods it with SIGUSR1 so
 * that the poll() inside the connect is interrupted. */
int main(int argc, char *argv[])
{
  (void)argc;
  (void)argv;
  pnum = 0;
  pinfo[0].fname = (char *)"/tmp/empty.qcow2";
  signal(SIGUSR1, sigHandler);

  pid_t pid;
  if ((pid = fork()) == 0) {
    nbd_close(openNbd(pinfo, false));
  } else {
    uint64_t i;
    for (i = 0; i < 10000000; i++) {
      kill(pid, SIGUSR1);
    }
    fprintf(stderr, "kill end\n");
  }
  return 0;
}
Debug output is like this.
Before nbd_create
libnbd: debug: nbd1: nbd_create: opening handle
Before nbd_connect_systemd_socket_activation
libnbd: debug: nbd1: nbd_connect_systemd_socket_activation: enter: argv=<list>
libnbd: debug: nbd1: nbd_connect_systemd_socket_activation: event CmdConnectSA: START -> CONNECT_SA.START
libnbd: debug: nbd1: nbd_connect_systemd_socket_activation: transition: CONNECT_SA.START -> CONNECT.START
libnbd: debug: nbd1: nbd_connect_systemd_socket_activation: poll start: events=4
libnbd: debug: nbd1: nbd_connect_systemd_socket_activation: poll end: r=1 revents=4
libnbd: debug: nbd1: nbd_connect_systemd_socket_activation: event NotifyWrite: CONNECT.START -> CONNECT.CONNECTING
libnbd: debug: nbd1: nbd_connect_systemd_socket_activation: transition: CONNECT.CONNECTING -> MAGIC.START
libnbd: debug: nbd1: nbd_connect_systemd_socket_activation: transition: MAGIC.START -> MAGIC.RECV_MAGIC
libnbd: debug: nbd1: nbd_connect_systemd_socket_activation: poll start: events=1
libnbd: debug: nbd1: nbd_connect_systemd_socket_activation: poll end: r=-1 revents=0
libnbd: debug: nbd1: nbd_connect_systemd_socket_activation: leave: error="nbd_connect_systemd_socket_activation: poll: Interrupted system call"
nbd_connect_systemd_socket_activation failed. nbd_connect_systemd_socket_activation: poll: Interrupted system call
libnbd: debug: nbd1: nbd_close: closing handle
kill end
Many thanks,
Motohiro Kawahito
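An added stand-alone C example (not code from the post above or from libnbd) of the failure mode and a tolerant alternative: Linux never restarts poll() after a signal handler runs, even when the handler was installed with signal() and therefore SA_RESTART, so the retrying wrapper below (a hypothetical poll_eintr_safe(), which retries until the caller's original deadline) is what any poll-based wait needs around it. It assumes a SIGALRM interval timer as a constructed stand-in for the SIGUSR1 storm in the report.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>
static void on_signal(int sig) { (void)sig; }   /* "do nothing" handler, as in the report */
static long long now_ms(void)   /* monotonic milliseconds, for deadline bookkeeping */
{
  struct timespec ts;
  clock_gettime(CLOCK_MONOTONIC, &ts);
  return ts.tv_sec * 1000LL + ts.tv_nsec / 1000000;
}
/* poll() wrapper that retries on EINTR until the caller's original deadline passes,
 * so a signal storm delays the wait but can neither fail it nor extend it.
 * Returns what poll() returns; *retries counts the EINTRs absorbed. */
int poll_eintr_safe(struct pollfd *fds, nfds_t nfds, int timeout_ms, int *retries)
{
  long long deadline = timeout_ms < 0 ? -1 : now_ms() + timeout_ms;
  *retries = 0;
  for (;;) {
    int r = poll(fds, nfds, timeout_ms);
    if (r != -1 || errno != EINTR)
      return r;
    (*retries)++;
    if (deadline >= 0) {
      long long left = deadline - now_ms();
      timeout_ms = left > 0 ? (int)left : 0;
    }
  }
}
/* Reproduce the failure: poll a pipe that never becomes readable while a 5 ms interval
 * timer keeps delivering SIGALRM (constructed stand-in for the SIGUSR1 storm). Returns 1
 * if bare poll() failed with EINTR while the wrapper ran to its timeout (0), else 0. */
int demo(void)
{
  int pipefd[2], naive, saved, safe, retries;
  struct pollfd pfd = { 0, POLLIN, 0 };
  struct itimerval it = { { 0, 5000 }, { 0, 5000 } };
  if (pipe(pipefd) == -1) return 0;
  pfd.fd = pipefd[0];
  signal(SIGALRM, on_signal);   /* glibc signal() implies SA_RESTART, yet poll() is never restarted */
  setitimer(ITIMER_REAL, &it, NULL);
  naive = poll(&pfd, 1, 200); saved = errno;
  safe = poll_eintr_safe(&pfd, 1, 200, &retries);
  it.it_value.tv_usec = it.it_interval.tv_usec = 0;   /* disarm the timer */
  setitimer(ITIMER_REAL, &it, NULL);
  close(pipefd[0]); close(pipefd[1]);
  return naive == -1 && saved == EINTR && safe == 0 && retries > 0;
}
```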
2 years, 5 months
[v2v PATCH 0/2] input-xen: SSH authentication documentation improvements
by Laszlo Ersek
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1854275
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062360
The input-xen documentation currently recommends a system-wide crypto
policy downgrade (to LEGACY) for connecting to RHEL5 sshd. Replace the
recommendation with the individual ssh options that enable this kind of
connection.
While investigating this (for RHBZ#2062360), I found that, for
RHBZ#1854275, I had missed a call chain in virt-v2v where libvirt
launched "ssh", and therefore the "-ip" option would be relevant.
Because "-ip" does not work there, first copy the respective caveat from
the input-vmware documentation to input-xen.
Thanks
Laszlo
Laszlo Ersek (2):
input-xen: sync "-ip" limitations language from input-vmware manual
input-xen: replace "enable LEGACY crypto" advice with targeted ssh
options
docs/virt-v2v-input-xen.pod | 25 ++++++++++++++++----
1 file changed, 20 insertions(+), 5 deletions(-)
--
2.19.1.3.g30247aa5d201
2 years, 5 months
EVE-NG - VM - Compression
by Jaime Rodriguez
Hello Team,
I am trying to compress a Windows 10 VM on EVE-NG with 'virt-sparsify'.
Initial command run: virt-sparsify --compress virtioa.qcow2 compressedvirtioa.qcow2
Added debugging and ran again with '-v -x' parameters to get output.
Please see the attached file.
apt list --installed | grep libguest
libguestfs-perl/focal,now 1:1.40.2-7ubuntu5 amd64 [installed,automatic]
libguestfs-tools/focal,now 1:1.40.2-7ubuntu5 amd64 [installed,automatic]
libguestfs0/focal,now 1:1.40.2-7ubuntu5 amd64 [installed,automatic]
Thank you,
Jaime Rodriguez
2 years, 5 months