[PATCH nbdkit] vddk: Demote another "phone home" error message to debug
by Richard W.M. Jones
Reported-by: Ming Xie
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2104720
---
plugins/vddk/vddk.c | 31 ++++++++++++++++++++-----------
1 file changed, 20 insertions(+), 11 deletions(-)
diff --git a/plugins/vddk/vddk.c b/plugins/vddk/vddk.c
index dbd3fdbe..1ed9fc53 100644
--- a/plugins/vddk/vddk.c
+++ b/plugins/vddk/vddk.c
@@ -495,11 +495,25 @@ debug_function (const char *fs, va_list args)
nbdkit_debug ("%s", str);
}
+/* VDDK 7 added some useless error messages about their "phone home"
+ * system called CEIP which only panics users. Demote these to debug
+ * statements below.
+ *
+ * https://bugzilla.redhat.com/show_bug.cgi?id=1834267
+ * https://bugzilla.redhat.com/show_bug.cgi?id=2083617
+ * https://bugzilla.redhat.com/show_bug.cgi?id=2104720
+ */
+static const char *demoted_errors[] = {
+ "Get CEIP status failed",
+ "VDDK_PhoneHome:",
+};
+
/* Turn error messages from the library into nbdkit_error. */
static void
error_function (const char *fs, va_list args)
{
CLEANUP_FREE char *str = NULL;
+ size_t i;
/* If the thread-local error_suppression flag is non-zero then we
* will suppress error messages from VDDK in this thread.
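Review bot: demoted_errors is declared as "static const char *demoted_errors[]", so the strings are const but the pointer slots in the array stay writable; "static const char * const demoted_errors[]" makes the whole table read-only. The comment above the table should also say that each entry is a substring matched against the VDDK message, because that is what decides how much is hidden from the error log whenever an entry is added.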
@@ -513,17 +527,12 @@ error_function (const char *fs, va_list args)
trim (str);
- /* VDDK 7 added some useless error messages about their "phone home"
- * system called CEIP which only panics users. Demote to a debug
- * statement.
- * https://bugzilla.redhat.com/show_bug.cgi?id=1834267
- * https://bugzilla.redhat.com/show_bug.cgi?id=2083617
- */
- if (strstr (str, "Get CEIP status failed") != NULL ||
- strstr (str, "VDDK_PhoneHome: Unable to load configuration "
- "options from ") != NULL) {
- nbdkit_debug ("%s", str);
- return;
+ /* See comment above about demoted errors. */
+ for (i = 0; i < sizeof demoted_errors / sizeof demoted_errors[0]; ++i) {
+ if (strstr (str, demoted_errors[i]) != NULL) {
+ nbdkit_debug ("%s", str);
+ return;
+ }
}
nbdkit_error ("%s", str);
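Review bot: the match on the second pattern is much wider than before. The removed condition required "VDDK_PhoneHome: Unable to load configuration options from ", while the loop now demotes any message that contains "VDDK_PhoneHome:" anywhere in the string, since strstr is not anchored. The commit message has no body, so it does not say which new message from bug 2104720 motivated the change; quote that message there, and either add it as its own table entry or state that demoting every VDDK_PhoneHome message is intended, so that a real failure reported under that prefix is not silently reduced to debug output.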
--
2.37.0.rc2
2 years, 5 months
[v2v PATCH] convert/convert_linux: complete the remapping of NVMe devices
by Laszlo Ersek
In commit 75872bf282d7 ("input: -i vmx: Add support for NVMe devices",
2022-04-08), we missed that pathnames such as
/dev/nvme0n1[p1]
would not match our "rex_device_cciss" and "rex_device" regular
expressions.
As a consequence, we don't remap such pathnames now in the boot config
files with Augeas.
Add a new regex and associated mapping logic for this kind of pathname.
Notes:
(1) "rex_device_cciss" could be extended internally with an alternative
pattern:
  ^/dev/(cciss/c\\d+d\\d+|nvme\\d+n1)(?:p(\\d+))?$
                         ^^^^^^^^^^^
but Rich suggested we should add a separate, complete regexp for
maintainability.
(2) Even with a separate regexp, we could reuse the existent CCISS pattern
handler:
  if PCRE.matches rex_device_cciss value ||
     PCRE.matches rex_device_nvme value then (
    let device = PCRE.sub 1
    and part = try PCRE.sub 2 with Not_found -> "" in
    "/dev/" ^ replace device ^ part
  )
Namely, although "PCRE.matches" creates/updates global state, and
"PCRE.sub" reads that state, the "||" operator in OCaml has short-circuit
behavior, and both regexps have the same structure.
But, using the same maintainability argument, let's keep the handler logic
for NVMe detached.
Fixes: 75872bf282d7f2322110caca70963717b43806b1
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2101665
Signed-off-by: Laszlo Ersek <lersek(a)redhat.com>
---
convert/convert_linux.ml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/convert/convert_linux.ml b/convert/convert_linux.ml
index 59d143bdda4b..a66ff1e45a57 100644
--- a/convert/convert_linux.ml
+++ b/convert/convert_linux.ml
@@ -1199,6 +1199,7 @@ let convert (g : G.guestfs) source inspect keep_serial_console _ =
(* Map device names for each entry. *)
let rex_resume = PCRE.compile "^resume=(/dev/[-a-z\\d/_]+)(.*)$"
and rex_device_cciss = PCRE.compile "^/dev/(cciss/c\\d+d\\d+)(?:p(\\d+))?$"
+ and rex_device_nvme = PCRE.compile "^/dev/(nvme\\d+n1)(?:p(\\d+))?$"
and rex_device = PCRE.compile "^/dev/([a-z]+)(\\d*)?$" in
let rec replace_if_device path value =
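Review bot: rex_device_nvme hard-codes the namespace as "n1", so a path such as /dev/nvme0n2 or /dev/nvme0n2p1 matches neither this pattern nor rex_device (whose "[a-z]+" stops at the first digit and whose trailing "\\d*" cannot consume "n2") and is left unmapped in the boot configuration. If only namespace 1 can occur for converted guests, say so in a comment next to the pattern; otherwise accept "n\\d+".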
@@ -1221,6 +1222,11 @@ let convert (g : G.guestfs) source inspect keep_serial_console _ =
and part = try PCRE.sub 2 with Not_found -> "" in
"/dev/" ^ replace device ^ part
)
+ else if PCRE.matches rex_device_nvme value then (
+ let device = PCRE.sub 1
+ and part = try PCRE.sub 2 with Not_found -> "" in
+ "/dev/" ^ replace device ^ part
+ )
else if PCRE.matches rex_device value then (
let device = PCRE.sub 1
and part = try PCRE.sub 2 with Not_found -> "" in
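Review bot: in the new rex_device_nvme branch, "PCRE.sub 2" holds only the digits, because the "p" separator sits outside the capture group, so the result is the replacement name followed directly by the partition number. That is right only when "replace" returns a name that takes no separator; a one-line comment saying so would help, since the body is otherwise a verbatim copy of the cciss branch. The diffstat shows no test change, so a regression case with /dev/nvme0n1 and /dev/nvme0n1p1 in a boot config file would pin the behaviour down.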
--
2.19.1.3.g30247aa5d201
2 years, 5 months
[PATCH v2v 0/3] Implement -of qcow2 -oo compressed
by Richard W.M. Jones
Pre-modularised virt-v2v allows you to use either --compress or -oo
compressed which basically added the -c option to qemu-img convert,
compressing the qcow2 output. Since we switched over to nbdcopy this
option is no longer available. The alternative is to set up the
"compress" driver in qemu-nbd. However that didn't work because
nbdcopy used to ignore the target minimum block size, and the compress
driver requires you to obey the 64k minimum when writing, else it
fails. Now that nbdcopy 1.13.5 actually fixes this problem, we can
reimplement -oo compressed.
This is a minimal fix for https://bugzilla.redhat.com/show_bug.cgi?id=2047660
I only implemented this for a small selection of output modes that go to
local files.
Old virt-v2v also implemented this option (at least, in theory) for -o
glance, -o rhv and -o vdsm, but all of these modes are deprecated to
some degree. -o openstack which replaces glance only allows raw
format uploads, and -o rhv-upload which replaces -o rhv/vdsm does its
own thing completely.
Rich.
2 years, 5 months
LUKS decryption with Clevis+Tang | CVE-2022-2211
by Laszlo Ersek
Hi,
* in response to this cover letter, I'm going to post four series (one
for each of libguestfs-common, libguestfs, guestfs-tools, virt-v2v).
These four series implement LUKS decryption with Clevis+Tang:
https://bugzilla.redhat.com/show_bug.cgi?id=1809453
* The first patch in the libguestfs-common series fixes a bug that I'd
found while working on the feature, and ended up receiving a CVE number
(CVE-2022-2211):
https://bugzilla.redhat.com/show_bug.cgi?id=2100862
This patch is an integral part of the larger Clevis+Tang feature.
However, it can be backported easily to stable branches that only want
the bugfix.
* Correspondingly, the first patch in the libguestfs series documents
the new CVE (and updates the common submodule just enough to get the CVE
fix). This patch should also be easy to backport to stable branches.
A later patch in the libguestfs series updates the "common" submodule
checkout to the end of the libguestfs-common series.
* In each of the guestfs-tools and virt-v2v series, the full "common"
submodule series is consumed right in the first patch, covering both the
CVE fix and the new stuff needed for the Clevis feature.
Thanks,
Laszlo
2 years, 5 months
[libguestfs PATCH v2 0/3] LUKS decryption with Clevis+Tang
by Laszlo Ersek
v1: https://listman.redhat.com/archives/libguestfs/2022-June/029290.html
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
Please see the Notes section on each patch for the updates in this
version. (The documentation of the CVE fix has been merged:
99844660b48e.)
Thanks
Laszlo
Laszlo Ersek (3):
use local git repo for common submodule
introduce the "clevis_luks_unlock" API
guestfish, guestmount: enable networking for "--key ID:clevis"
.gitmodules | 3 +-
appliance/packagelist.in | 4 ++
common | 2 +-
daemon/Makefile.am | 1 +
daemon/clevis-luks.c | 58 ++++++++++++++++++++
fish/fish.c | 3 +
fuse/guestmount.c | 4 ++
generator/actions_core.ml | 40 ++++++++++++++
generator/proc_nr.ml | 1 +
lib/MAX_PROC_NR | 2 +-
lib/guestfs.pod | 19 +++++--
11 files changed, 130 insertions(+), 7 deletions(-)
create mode 100644 daemon/clevis-luks.c
--
2.19.1.3.g30247aa5d201
2 years, 5 months