Commit Graph

181 Commits

Author SHA1 Message Date
John Ferlan
1d1330f37e storage: Create helper to generate FS pool source value
Refactor the code that builds the pool source string during the FS
storage pool mount to be a separate helper.

A future patch will use the helper in order to validate the mounted
FS matches the pool's expectation during poolCheck processing.
2015-12-15 14:33:00 -05:00
Eric Blake
034e47c338 CVE-2015-5313: storage: don't allow '/' in filesystem volume names
The libvirt file system storage driver determines what file to
act on by concatenating the pool location with the volume name.
If a user is able to pick names like "../../../etc/passwd", then
they can escape the bounds of the pool.  For that matter,
virStoragePoolListVolumes() doesn't descend into subdirectories,
so a user really shouldn't use a name with a slash.

Normally, only privileged users can coerce libvirt into creating
or opening existing files using the virStorageVol APIs; and such
users already have full privilege to create any domain XML (so it
is not an escalation of privilege).  But in the case of
fine-grained ACLs, it is feasible that a user can be granted
storage_vol:create but not domain:write, and it violates
assumptions if such a user can abuse libvirt to access files
outside of the storage pool.

Therefore, prevent all use of volume names that contain "/",
whether or not such a name is actually attempting to escape the
pool.

This changes things from:

$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
Vol ../../../../../../etc/haha created
$ rm /etc/haha

to:

$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
error: Failed to create vol ../../../../../../etc/haha
error: Requested operation is not valid: volume name '../../../../../../etc/haha' cannot contain '/'

Signed-off-by: Eric Blake <eblake@redhat.com>
2015-12-11 16:34:53 -07:00
John Ferlan
22346003dc storage: Add readflags for backend error processing
Similar to the openflags which allow VIR_STORAGE_VOL_OPEN_NOERROR to be
passed to avoid open errors, add a 'readflags' variable so that in the
future read failures could also be ignored.
2015-12-09 16:31:14 -05:00
John Ferlan
1b046a6837 virfile: Rename virFileUnlink to virFileRemove
Similar to commit id '35847860', it's possible to attempt to create
a 'netfs' directory in an NFS root-squash environment which will cause
the 'vol-delete' command to fail.  It's also possible error paths from
the 'vol-create' would result in an error to remove a created directory
if the permissions were incorrect (and disallowed root access).

Thus rename the virFileUnlink to be virFileRemove to match the C API
functionality, adjust the code to use rmdir or unlink depending on the
path type, and then use/call it for the VIR_STORAGE_VOL_DIR.
2015-09-21 08:24:16 -04:00
John Ferlan
35847860f6 virfile: Introduce virFileUnlink
In an NFS root-squashed environment the 'vol-delete' command will fail to
'unlink' the target volume since it was created under a different uid:gid.

This code continues the concepts introduced in virFileOpenForked and
virDirCreate[NoFork] with respect to running the unlink command under
the uid/gid of the child. Unlike the other two, don't retry on EACCES
(that's why we're here doing this now).
2015-09-02 08:59:53 -04:00
Christophe Fergeau
60d5ed8c52 storage: Fix pool building when directory already exists
Currently, when trying to virsh pool-define/virsh pool-build a new
'dir' pool, if the target directory already exists, virsh
pool-build/virStoragePoolBuild will error out. This is a change of
behaviour compared to e.g. libvirt 1.2.13.

This is caused by the wrong type being used for the dir_create_flags
variable in virStorageBackendFileSystemBuild, it's defined as a bool
but is used as a flag bit field so should be unsigned int (this matches
the type virDirCreate expects for this variable).

This should fix https://bugzilla.gnome.org/show_bug.cgi?id=752417 (GNOME
Boxes) and https://bugzilla.redhat.com/show_bug.cgi?id=1244080
(downstream virt-manager).
2015-07-17 15:24:18 +02:00
John Ferlan
e66a4c0b53 storage: Set correct vol->type at VolCreate
https://bugzilla.redhat.com/show_bug.cgi?id=1227664

If the requested format type for the new entry in the file system pool
is a 'dir', then be sure to set the vol->type correctly as would be done
when the pool is refreshed.
2015-06-30 06:49:49 -04:00
John Ferlan
29230951f1 storage: Generate correct parameters for CIFS
https://bugzilla.redhat.com/show_bug.cgi?id=1186969

When generating the path to the dir for a CIFS/Samba driver, the code
would generate a source path for the mount using "%s:%s" while the
mount.cifs expects to see "//%s/%s". So check for the cifsfs and
format the source path appropriately.

Additionally, since there is no means to authenticate, the mount
needs a "-o guest" on the command line in order to anonymously mount
the Samba directory.
2015-06-15 17:25:47 -04:00
John Ferlan
257250f764 storage: Adjust command arglist for gluster
In order for the glusterfs boolean to be set, the pool->def->type must be
VIR_STORAGE_POOL_NETFS, thus the check within virCommandNewArgList whether
pool->def->type is VIR_STORAGE_POOL_FS will never be true, so remove it.
2015-06-15 17:25:47 -04:00
John Ferlan
94a1579b0a storage: Add check for valid FS types in checkPool callback
https://bugzilla.redhat.com/show_bug.cgi?id=1181087

The virStorageBackendFileSystemIsMounted is called from three source paths:
checkPool, startPool, and stopPool. Both start and stop validate the FS
fields before calling *IsMounted; however, in the check path there is no call.
This could lead the code into returning a true in "isActive" if for some
reason the target path for the pool was mounted. The assumption being
that if it was mounted, then we believe we started/mounted it.

It's also of note that commit id '81165294' added an error message for
the start/mount path regarding that the target is already mounted so
fail the start. That check was adjusted by commit id '13fde7ce' to
only message if actually mounted.

At one time this led to the libvirtd restart autostart code to declare
that the pool was active even though the startPool would inhibit startup
and the stopPool would inhibit shutdown. The autostart path changed as
of commit id '2a31c5f0' as part of the keep storage pools started between
libvirtd restarts.

This patch adds the same check made prior to start/mount and stop/unmount
to ensure we have a valid configuration before attempting to see if the
target is already mounted to declare "isActive" or not. Finding an improper
configuration will now cause an error at checkPool, which should make it
so we can no longer be left in a situation where the pool was started and
we have no way to stop it.
2015-06-05 06:25:43 -04:00
John Ferlan
fcf0fd52cb storage: FS backend adjust error message on error path
https://bugzilla.redhat.com/show_bug.cgi?id=1181087

Currently the assumption on the error message is that there are
no source device paths defined when the number of devices check
fails, but in reality the XML could have had none or it could have
had more than the value supported. Adjust the error message accordingly
to make it clearer what the error really is.
2015-06-05 06:25:19 -04:00
John Ferlan
5a8c98dbd9 storage: Refactor storage pool type checks
Refactor the code for both startPool (*Mount) and stopPool (*Unmount) code
paths by introducing virStorageBackendFileSystemIsValid.
2015-06-05 06:24:59 -04:00
John Ferlan
325a8134f9 storage: Remove extraneous @conn from function comments
Over time the parameters changed, but the comment wasn't updated.
2015-06-05 06:07:50 -04:00
Martin Kletzander
7d0481cb93 storage_fs: Create directory with UID if needed
The code already exists there, it just modified different flags.  I just
noticed this when looking at the code.  This patch is better to view
with bigger context or '-W'.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2015-05-27 16:59:25 +02:00
Cole Robinson
db1140f117 storage: fs: Only force directory permissions if required
Only set directory permissions at pool build time, if:

- User explicitly requested a mode via the XML
- The directory needs to be created
- We need to do the crazy NFS root-squash workaround

This allows qemu:///session to call build on an existing directory
like /tmp.
2015-05-25 20:52:57 -04:00
Cole Robinson
7c2d65dde2 storage: conf: Don't set any default <mode> in the XML
The XML parser sets a default <mode> if none is explicitly passed in.
This is then used at pool/vol creation time, and unconditionally reported
in the XML.

The problem with this approach is that it's impossible for other code
to determine if the user explicitly requested a storage mode. There
are some cases where we want to make this distinction, but we currently
can't.

Handle <mode> parsing like we handle <owner>/<group>: if no value is
passed in, set it to -1, and adjust the internal consumers to handle
it.
2015-05-25 20:52:55 -04:00
Cole Robinson
9ce409561a virfile: virDirCreate: Drop redundant FORCE_PERMS flag
The only two virDirCreate callers already use it.
2015-05-19 19:29:39 -04:00
Cole Robinson
d6f8b35db5 storage: fs: Fill in permissions on pool refresh
This means pool XML actually reports accurate user/group/mode/label.

This uses UpdateVolTargetInfoFD in a bit of a hackish way, but it works.
2015-05-04 12:56:38 -04:00
Cole Robinson
27a4c492f5 storage: fs: Don't overwrite virDirCreate error
virDirCreate will give us fine grained details about what actually failed.
2015-05-04 12:56:38 -04:00
Pavel Hrdina
ff3f93bcc2 use new macro helpers to check exclusive flags
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2015-05-04 09:20:00 +02:00
Ján Tomko
60db2bc80f Ignore storage volumes with control codes in their names
To prevent generating invalid XML.

https://bugzilla.redhat.com/show_bug.cgi?id=1066564
2015-04-15 18:41:20 +02:00
Erik Skultety
cf7392a0d2 storage: Remove unused attribute conn from 'checkPool' callback
In order to be able to use 'checkPool' inside functions which do not
have any connection reference, 'conn' attribute needs to be discarded
from the checkPool's signature, since it's not used by any storage backend
anyway.
2015-04-02 11:57:07 +02:00
Ján Tomko
155ca616eb Allow creating volumes with a backing store but no capacity
The tool creating the image can get the capacity from the backing
storage. Just refresh the volume afterwards.

https://bugzilla.redhat.com/show_bug.cgi?id=958510
2015-03-02 08:07:11 +01:00
Ján Tomko
d3452a3f73 Revert "Restore skipping of setting capacity"
This reverts commit f1856eb622.

Now that we can update capacity from image metadata,
we don't need to skip the update.
2015-03-02 08:07:11 +01:00
Daniel P. Berrange
aa9aa6a975 Allow shrinking of file based volumes
While the main storage driver code allows the flag
VIR_STORAGE_VOL_RESIZE_SHRINK to be set, none of the backend
drivers are supporting it. At the very least this can work
for plain file based volumes since we just ftruncate() them
to the new size. It does not work with qcow2 volumes, but we
can arguably delegate to qemu-img for error reporting for that
instead of second guessing this for ourselves:

$ virsh vol-resize --shrink /home/berrange/VirtualMachines/demo.qcow2 2G
error: Failed to change size of volume 'demo.qcow2' to 2G

error: internal error: Child process (/usr/bin/qemu-img resize /home/berrange/VirtualMachines/demo.qcow2 2147483648) unexpected exit status 1: qemu-img: qcow2 doesn't support shrinking images yet
qemu-img: This image does not support resize

See also https://bugzilla.redhat.com/show_bug.cgi?id=1021802
2015-02-12 11:11:52 +00:00
Chen Hanxiao
95da191376 storage: add a flag to clone files on btrfs
When creating a RAW file, we don't take advantage
of clone of btrfs.

Add a VIR_STORAGE_VOL_CREATE_REFLINK flag to request
a reflink copy.

Signed-off-by: Chen Hanxiao <chenhanxiao@cn.fujitsu.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2015-01-27 13:41:14 +01:00
Peter Krempa
3b31cbc558 storage: backend: Log uid/gid when initializing storage file backend
To ease debugging permission problems add uid/gid values to the debug
message when initializing a storage file backend.
2014-12-05 10:07:17 +01:00
John Ferlan
a0b13d35e7 Replace virSecretFree with virObjectUnref
Since virSecretFree will call virObjectUnref anyway, let's just use that
directly so as to avoid the possibility that we inadvertently clear out
a pending error message when using the public API.
2014-12-02 11:03:41 -05:00
Martin Kletzander
e7a1da8aeb Remove unnecessary curly brackets in src/storage/
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-11-14 17:13:01 +01:00
John Ferlan
8ea809df15 storage: Resolve Coverity UNUSED_VALUE
Since cd4d547576

Coverity notes that setting 'ret = -3' prior to the unconditional
setting of 'ret = 0' will cause the value to be UNUSED.

Since the comment indicates that it is expected to allow the code
to continue, just remove the ret = -3 setting.

Signed-off-by: John Ferlan <jferlan@redhat.com>
2014-09-11 07:33:19 -04:00
Peter Krempa
f8cf4962ac storage: create: Create files with correct mode
Use correct mode when pre-creating files (for snapshots). The refactor
changing to storage driver usage caused a regression as some systems
created the file with 000 permissions forbidding qemu to write the file.

Pass mode to the creating functions to avoid the problem.

Regression since 185e07a5f8.
2014-07-29 10:45:32 +02:00
Peter Krempa
a2a67eff18 storage: Implement virStorageFileCreate for local and gluster files
Add backends for this frontend function so that we can use it in the
snapshot creation code.
2014-07-24 09:59:00 +02:00
Peter Krempa
50f09651df storage: Implement storage driver helper to chown disk images
Gluster storage works on a similar principle to NFS where it takes the
uid and gid of the actual process and uses it to access the storage
volume on the remote server. This introduces a need to chown storage
files on gluster via native API.
2014-07-24 09:58:59 +02:00
Peter Krempa
11d28050c5 storage: Split out volume wiping as separate backend function
For non-local storage drivers we can't expect to use the "scrub" tool to
wipe the volume. Split the code into a separate backend function so that
we can add protocol specific code later.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1118710
2014-07-17 10:12:34 +02:00
Peter Krempa
dc2943579f storage: fs: Properly parse backing store info
Use the backing store parser to properly create the information about a
volume's backing store. Unfortunately, as the storage driver isn't
prepared to allow volumes backed by networked filesystems, add a
workaround that will avoid changing the XML output.
2014-07-16 11:42:51 +02:00
Peter Krempa
cd4d547576 storage: fs: Process backing store data in virStorageBackendProbeTarget
Move the processing of the backend metadata directly to the helper
instead of passing it through arguments to the function.
2014-07-16 11:42:51 +02:00
Peter Krempa
9f20d6a56d storage: backend: fs: Touch up coding style
virStorageBackendFileSystemRefresh() used "cleanup" label just for error
exits and didn't meet libvirt's standard for braces in one case.
2014-07-16 11:42:51 +02:00
Peter Krempa
15213d1e5d storage: Track backing store of a volume in the target struct
As we have a nested pointer for storing the backing store of a volume
there's no need to store it in a separate struct.
2014-07-16 11:42:51 +02:00
Peter Krempa
c861750ee9 storage: backend: Fix formatting of function arguments
2014-07-16 11:42:51 +02:00
Ján Tomko
d7dedc3650 Fix error on fs pool build failure
https://bugzilla.redhat.com/show_bug.cgi?id=1119592

Introduced by commit 62927dd v0.7.6.
2014-07-16 09:39:57 +02:00
Peter Krempa
589c2ad93f storage: Split out volume upload/download as separate backend function
For non-local storage drivers we can't expect to use the FDStream
backend for up/downloading volumes. Split the code into a separate
backend function so that we can add protocol specific code later.
2014-07-11 09:54:08 +02:00
Ján Tomko
c110cdb2bc Fix storage format probing
Commit fff74b2 moved the probing into virStorageFileGetMetadataFromBuf
but didn't update the format in volume definition.

https://bugzilla.redhat.com/show_bug.cgi?id=1104908
2014-06-05 18:58:58 +02:00
Ján Tomko
effbb11e29 Simplify conditions in virStorageBackendProbeTarget
Jump out early if no metadata was detected (for directories).
Join the error and cleanup labels.
2014-06-05 18:46:20 +02:00
Ján Tomko
febcb89c5b Don't reuse 'ret' variable in virStorageBackendProbeTarget
To match the convention:
ret - current function's return value
rc - other function's return values
2014-06-05 18:19:16 +02:00
Peter Krempa
4cb2505557 storage: Add API to check accessibility of storage volumes
Add a storage driver API equivalent of the access() function.
Implementations for the filesystem and gluster backends are provided.
2014-06-03 09:27:23 +02:00
Peter Krempa
684ec651e9 storage: backend: Add unique id retrieval API
Different protocols have different means to uniquely identify a storage
file. This patch implements a storage driver API to retrieve a unique
string describing a volume. The current implementation works for local
storage only and returns the canonical path of the volume.

To add caching support the local filesystem driver now has a private
structure holding the cached string, which is created only when it's
initially accessed.

This patch provides the implementation for local files only, for a start.
2014-06-03 09:27:22 +02:00
Peter Krempa
34d86185ec storage: fs: Drop-in replace use of virStorageFileGetMetadataFromBuf
Use virStorageFileGetMetadataFromFD instead in
virStorageBackendProbeTarget as it now returns all required data and the
storage file is already open in a file descriptor.

Also fix improper error code being returned when virFileReadHeaderFD
would fail as virStorageBackendUpdateVolTargetInfoFD would set the
return code to 0.
2014-05-28 19:23:35 +02:00
Peter Krempa
81271a9261 storage: Add storage file API to read file headers
Add storage driver based functions to access headers of storage files
for metadata extraction. Along with this patch, a local filesystem and
a gluster (via libgfapi) implementation are provided. The gluster
implementation is based on code of the saferead_lim function.
2014-05-23 10:57:33 +02:00
Peter Krempa
0620bd42ad storage: Rework debugging of storage file access through storage driver
Print the debug statements of individual file access functions from the
main API functions instead of the individual backend functions.

Also enhance initialization debug messages on a per-backend basis.
2014-05-23 09:25:52 +02:00
Eric Blake
fff74b275e conf: drop extra storage probe
All callers of virStorageFileGetMetadataFromBuf were first calling
virStorageFileProbeFormatFromBuf, to learn what format to pass in.
But this function is already wired to do the exact same probe if
the incoming format is VIR_STORAGE_FILE_AUTO, so it's simpler to
just refactor the probing into the central function.

* src/util/virstoragefile.h (virStorageFileGetMetadataFromBuf):
Drop parameter.
(virStorageFileProbeFormatFromBuf): Drop declaration.
* src/util/virstoragefile.c (virStorageFileGetMetadataFromBuf):
Do probe here instead of in callers.
(virStorageFileProbeFormatFromBuf): Make static.
* src/libvirt_private.syms (virstoragefile.h): Drop function.
* src/storage/storage_backend_fs.c (virStorageBackendProbeTarget):
Update caller.
* src/storage/storage_backend_gluster.c
(virStorageBackendGlusterRefreshVol): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-05-05 10:46:05 -06:00