Commit Graph

8 Commits

Author SHA1 Message Date
Michal Privoznik
e19171b40c tools: Fix dry run of libvirt_recover_xattrs.sh
The libvirt_recover_xattrs.sh script can be used to remove stale
XATTRs that were left behind by secdrivers (which should happen
only if there's an imbalance between set and restore calls).
Anyway, the script has '-n' switch which is supposed to perform
just a dry run, i.e. just to report which files have XATTRs set
without any attempt to remove them.

But, when rewriting the script a few months ago a typo was
introduced which made the script report no files even if there
were files with XATTRs.

Fixes: 5377177f80
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2021-03-02 09:42:38 +01:00
Peter Krempa
a6e4c87299 libvirt_recover_xattrs: Allow fixing multiple PATHs
Loop for multiple PATH arguments to support shell pattern expansion.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-12-04 16:27:22 +01:00
Peter Krempa
ea6bc0557d libvirt_recover_xattrs: Add unsafe operation mode
In some cases you want to fix a certain directory while you don't really
care whether there are other VMs running. Add an option to disable the
check.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-12-04 16:27:22 +01:00
Peter Krempa
5377177f80 libvirt_recover_xattrs: Use only the correct xattr prefix
Linux and FreeBSD have different prefixes. In the current state we've
tried to reset the labels for both systems which resulted in errors like
this:

Fixing /tmp/bitmaps2.qcow2
setfattr: /tmp/bitmaps2.qcow2: Operation not supported
setfattr: /tmp/bitmaps2.qcow2: Operation not supported
setfattr: /tmp/bitmaps2.qcow2: Operation not supported
setfattr: /tmp/bitmaps2.qcow2: Operation not supported
setfattr: /tmp/bitmaps2.qcow2: Operation not supported
setfattr: /tmp/bitmaps2.qcow2: Operation not supported

The 6 failed 'setfattrs' correspond to the wrong prefix.

Select the correct prefix based on the kernel name and modify the code
appropriately.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-12-04 16:27:22 +01:00
Peter Krempa
7b6bc11f65 libvirt_recover_xattrs: Avoid backticks for subshell
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-12-04 16:27:22 +01:00
Michal Privoznik
7cfb7aab57 security_util: Remove stale XATTRs
It may happen that we leave some XATTRs behind. For instance, on
a sudden power loss, the host just shuts down without calling
restore on domain paths. This creates a problem, because when the
host starts up again, the XATTRs are there but they don't reflect
the true state and this may result in libvirt denying start of a
domain.

To solve this, save a unique timestamp (host boot time) along
with our XATTRs.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1741140

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
2019-08-22 17:05:17 +02:00
Michal Privoznik
f45c97eac2 tools: Slightly rework libvirt_recover_xattrs.sh
Firstly, there's no reason to enumerate all XATTRs since they
differ only in the prefix and we can construct them in a loop.

Secondly, and more importantly, the script was still looking for
just one prefix "trusted.libvirt.security" even on FreeBSD.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Michal Privoznik
1845991d9b tools: Provide a script to recover fubar'ed XATTRs setup
Our code is not bug free. The refcounting I introduced will
almost certainly not work in some use cases. Provide a script
that will remove all the XATTRs set by libvirt so that it can
start cleanly.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-12-19 15:32:45 +01:00