From patchwork Sun Mar 23 11:50:08 2025
X-Patchwork-Submitter: Luis Chamberlain
X-Patchwork-Id: 14026489
From: Luis Chamberlain
To: kdevops@lists.linux.dev
Cc: Luis Chamberlain
Subject: [PATCH 5/6] guestfs: add ansible group permission check on libvirt system uri
Date: Sun, 23 Mar 2025 04:50:08 -0700
Message-ID: <20250323115009.269172-6-mcgrof@kernel.org>
In-Reply-To: <20250323115009.269172-1-mcgrof@kernel.org>
References: <20250323115009.269172-1-mcgrof@kernel.org>
X-Mailing-List: kdevops@lists.linux.dev

The bringup process for libvirt system URI support (not session), so all
debian based distros, requires us to be paranoid about the permissions of
our storage directory where we place our libvirt storage pool, and
guestfs images.

We used to be stupid and were hammering with a sledgehammer a crazy
sudo chown -R on a target storage path. That was removed by commit
c31459dc384c ("scripts/bringup_guestfs.sh: fix silly directory
permission fix"). I rushed that change in because it was affecting live
systems and we needed to get testing moving.

This adds some sanity checks which don't do the crazy wild permission
checks; it will just fail if the permissions are not right.
Signed-off-by: Luis Chamberlain --- kconfigs/Kconfig.guestfs | 10 ++++ .../roles/bringup_guestfs/tasks/main.yml | 59 +++++++++++++++++++ scripts/bringup_guestfs.sh | 3 - scripts/guestfs.Makefile | 2 +- 4 files changed, 70 insertions(+), 4 deletions(-) diff --git a/kconfigs/Kconfig.guestfs b/kconfigs/Kconfig.guestfs index c6d2d1907dd5..d309436fa7c9 100644 --- a/kconfigs/Kconfig.guestfs +++ b/kconfigs/Kconfig.guestfs @@ -5,6 +5,16 @@ config STORAGE_POOL_PATH output yaml default LIBVIRT_STORAGE_POOL_PATH +config GUESTFS_STORAGE_DIR + string + output yaml + default "{{ kdevops_storage_pool_path }}/kdevops/guestfs" + +config GUESTFS_BASE_IMAGE_DIR + string + output yaml + default "{{ guestfs_storage_dir }}/base_images" + config GUESTFS_HAS_CUSTOM_RAW_IMAGE bool diff --git a/playbooks/roles/bringup_guestfs/tasks/main.yml b/playbooks/roles/bringup_guestfs/tasks/main.yml index dcbbaef02522..947d7dbc0b8b 100644 --- a/playbooks/roles/bringup_guestfs/tasks/main.yml +++ b/playbooks/roles/bringup_guestfs/tasks/main.yml 
@@ -42,6 +42,65 @@ when: guestfs_subdirectories.matched == 0 tags: [ 'config-check' ] +- name: Create kdevops guestfs storage directory if missing (libvirt session uri) + file: + path: "{{ guestfs_base_image_dir }}" + state: directory + mode: '0755' + tags: ['storage-pool-path'] + when: + - 'not libvirt_uri_system|bool' + +- name: Create kdevops guestfs storage directory if missing (libvirt system uri) + become: yes + become_flags: 'su - -c' + become_method: sudo + file: + path: "{{ guestfs_base_image_dir }}" + state: directory + mode: '0775' + group: "{{ libvirt_qemu_group }}" + tags: ['storage-pool-path'] + when: + - 'libvirt_uri_system|bool' + +- name: Check if directory is owned by the correct group (libvirt system uri) + become: yes + become_flags: 'su - -c' + become_method: sudo + command: stat -c '%G' "{{ libvirt_storage_pool_path }}" + register: dir_group + changed_when: false + tags: ['storage-pool-path'] + when: + - 'libvirt_uri_system|bool' + +- name: Check if directory has group write permissions (libvirt system uri) + become: yes + become_flags: 'su - -c' + become_method: sudo + command: stat -c '%A' "{{ libvirt_storage_pool_path }}" + register: dir_perms + changed_when: false + tags: ['storage-pool-path'] + when: + - 'libvirt_uri_system|bool' + +- name: Verify storage pool path directory is group-writable (libvirt system uri) + become: yes + become_flags: 'su - -c' + become_method: sudo + fail: + msg: | + The permissions for {{ libvirt_storage_pool_path }} should be group + writeable by the group used by libvirt: {{ libvirt_qemu_group }} + Current group: {{ dir_group.stdout }} + Current permissions: {{ dir_perms.stdout }} + tags: ['storage-pool-path'] + when: + - 'libvirt_uri_system|bool' + - (dir_group.stdout != libvirt_qemu_group) or (dir_perms.stdout[5] != 'w') + - name: Check for dnsmasq configuration files stat: path: "{{ item }}" diff --git a/scripts/bringup_guestfs.sh b/scripts/bringup_guestfs.sh index 976d1e78ed6a..bc0176f8f5b4 100755 
--- a/scripts/bringup_guestfs.sh +++ b/scripts/bringup_guestfs.sh @@ -271,9 +271,6 @@ if [[ "$CONFIG_LIBVIRT_URI_SYSTEM" == "y" ]]; then USE_SUDO="sudo " fi -$USE_SUDO mkdir -p $STORAGEDIR -$USE_SUDO mkdir -p $BASE_IMAGE_DIR - cmdfile=$(mktemp) if [ ! -f $BASE_IMAGE ]; then diff --git a/scripts/guestfs.Makefile b/scripts/guestfs.Makefile index d08e697f3cfb..e1cf25d62d04 100644 --- a/scripts/guestfs.Makefile +++ b/scripts/guestfs.Makefile @@ -83,7 +83,7 @@ bringup_guestfs: $(GUESTFS_BRINGUP_DEPS) playbooks/bringup_guestfs.yml \ -e 'ansible_python_interpreter=/usr/bin/python3' \ --extra-vars=@./extra_vars.yaml \ - --tags config-check,network + --tags config-check,network,storage-pool-path $(Q)$(TOPDIR)/scripts/bringup_guestfs.sh $(Q)ansible-playbook $(ANSIBLE_VERBOSE) --connection=local \ --inventory localhost, \
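Review bot: neither GUESTFS_STORAGE_DIR nor GUESTFS_BASE_IMAGE_DIR in the Kconfig.guestfs hunk carries a `help` block, and `guestfs_storage_dir` is only consumed as the prefix of the second symbol's default, so a reader of the generated extra_vars.yaml has nothing telling them what the two paths are for or that they are expected to live inside the libvirt storage pool and share its group. Suggest a short `help` entry on each, e.g. stating that GUESTFS_BASE_IMAGE_DIR holds the base images shared by all guests and must be group-writable by the libvirt group on system-URI hosts.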
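Review bot: the group and permission checks in the main.yml hunk shell out to `stat -c '%G'` and `stat -c '%A'` and then test `dir_perms.stdout[5] != 'w'`, a positional index into the `drwxrwxr-x` string that breaks silently on any stat whose `%A` output differs from GNU coreutils. The Ansible `stat` module returns the same facts structurally: one task `stat: path: "{{ libvirt_storage_pool_path }}"` registered as e.g. `pool_stat`, then compare `pool_stat.stat.gr_name` against `libvirt_qemu_group` and check `pool_stat.stat.wgrp` for the group-write bit, replacing both `command` tasks and their `changed_when: false`. Two smaller points on the same hunk: `become` is unnecessary on the `fail` task, which only formats a message on the controller and touches no files; and the `file` task sets the libvirt group on `guestfs_base_image_dir` while the check inspects `libvirt_storage_pool_path`, which this hunk never chowns, so on a fresh system-URI host the new directory can be correct while the pool path still fails, which matches the commit message's "just fail" intent and deserves a comment saying so.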
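Review bot: with the two `$USE_SUDO mkdir -p` lines removed, bringup_guestfs.sh now silently depends on the playbook having run the `storage-pool-path` tasks first, and the following `if [ ! -f $BASE_IMAGE ]` block will try to build a base image into a directory that does not exist when the script is invoked by hand. Suggest putting a guard where the mkdir calls were, e.g. `[ -d "$BASE_IMAGE_DIR" ] || { echo "missing $BASE_IMAGE_DIR, run the storage-pool-path playbook tags first" >&2; exit 1; }`, so the failure mode is an explicit message rather than an error from whatever writes the image. The unchanged context also leaves `$BASE_IMAGE` unquoted in the test.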
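Review bot: adding `storage-pool-path` to the `--tags config-check,network` run in guestfs.Makefile turns what reads as a read-only configuration check into a pass that also runs `become: yes` tasks creating directories under the storage pool, and nothing in the `bringup_guestfs` target says so. Suggest a one-line comment above the rule noting that this first playbook run now creates `guestfs_base_image_dir` with sudo on system-URI hosts and aborts the bringup when the pool path is not group-writable, so a user who meets a sudo prompt or a fail message at this step knows which tag produced it.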