From: Luis Chamberlain <mcgrof@kernel.org>
To: kdevops@lists.linux.dev
Cc: Luis Chamberlain <mcgrof@kernel.org>
Subject: [PATCH 5/6] guestfs: add ansible group permission check on libvirt system uri
Date: Sun, 23 Mar 2025 04:50:08 -0700
Message-ID: <20250323115009.269172-6-mcgrof@kernel.org>
In-Reply-To: <20250323115009.269172-1-mcgrof@kernel.org>
The bringup process for libvirt system URI support (not session),
so all debian based distros, requires us to be paranoid about the
permissions of our storage directory where we place our libvirt
storage pool, and guestfs images.
We used to be stupid and were hammering with a sledge hammer a crazy
sudo chown -R on a target storage path. That was removed by commit
c31459dc384c ("scripts/bringup_guestfs.sh: fix silly directory permission
fix"). I rushed that change in because it was affecting live systems
and we needed to get testing moving.
This adds some sanity checks which don't do the crazy wild permission
checks; they will just fail if the permissions are not right.
Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
---
kconfigs/Kconfig.guestfs | 10 ++++
.../roles/bringup_guestfs/tasks/main.yml | 59 +++++++++++++++++++
scripts/bringup_guestfs.sh | 3 -
scripts/guestfs.Makefile | 2 +-
4 files changed, 70 insertions(+), 4 deletions(-)
diff --git a/kconfigs/Kconfig.guestfs b/kconfigs/Kconfig.guestfs
index c6d2d1907dd5..d309436fa7c9 100644
--- a/kconfigs/Kconfig.guestfs
+++ b/kconfigs/Kconfig.guestfs
@@ -5,6 +5,16 @@ config STORAGE_POOL_PATH
output yaml
default LIBVIRT_STORAGE_POOL_PATH
+config GUESTFS_STORAGE_DIR
+ string
+ output yaml
+ default "{{ kdevops_storage_pool_path }}/kdevops/guestfs"
+
+config GUESTFS_BASE_IMAGE_DIR
+ string
+ output yaml
+ default "{{ guestfs_storage_dir }}/base_images"
+
config GUESTFS_HAS_CUSTOM_RAW_IMAGE
bool
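Review bot: the two new symbols GUESTFS_STORAGE_DIR and GUESTFS_BASE_IMAGE_DIR carry no `help` text, so nothing in menuconfig explains that they are derived paths under the libvirt storage pool and that base images land in the second one; a one-line `help` entry for each would fix that. It is also worth double-checking that `kdevops_storage_pool_path` is really the name `output yaml` emits for the symbol these defaults build on, since the visible context only shows `STORAGE_POOL_PATH` defaulting to `LIBVIRT_STORAGE_POOL_PATH`, and a mismatched name would silently expand to an empty prefix in the Jinja default.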
diff --git a/playbooks/roles/bringup_guestfs/tasks/main.yml b/playbooks/roles/bringup_guestfs/tasks/main.yml
index dcbbaef02522..947d7dbc0b8b 100644
--- a/playbooks/roles/bringup_guestfs/tasks/main.yml
+++ b/playbooks/roles/bringup_guestfs/tasks/main.yml
@@ -42,6 +42,65 @@
when: guestfs_subdirectories.matched == 0
tags: [ 'config-check' ]
+- name: Create kdevops guestfs storage directory if missing (libvirt session uri)
+ file:
+ path: "{{ guestfs_base_image_dir }}"
+ state: directory
+ mode: '0755'
+ tags: ['storage-pool-path']
+ when:
+ - 'not libvirt_uri_system|bool'
+
+- name: Create kdevops guestfs storage directory if missing (libvirt system uri)
+ become: yes
+ become_flags: 'su - -c'
+ become_method: sudo
+ file:
+ path: "{{ guestfs_base_image_dir }}"
+ state: directory
+ mode: '0775'
+ group: "{{ libvirt_qemu_group }}"
+ tags: ['storage-pool-path']
+ when:
+ - 'libvirt_uri_system|bool'
+
+- name: Check if directory is owned by the correct group (libvirt system uri)
+ become: yes
+ become_flags: 'su - -c'
+ become_method: sudo
+ command: stat -c '%G' "{{ libvirt_storage_pool_path }}"
+ register: dir_group
+ changed_when: false
+ tags: ['storage-pool-path']
+ when:
+ - 'libvirt_uri_system|bool'
+
+- name: Check if directory has group write permissions (libvirt system uri)
+ become: yes
+ become_flags: 'su - -c'
+ become_method: sudo
+ command: stat -c '%A' "{{ libvirt_storage_pool_path }}"
+ register: dir_perms
+ changed_when: false
+ tags: ['storage-pool-path']
+ when:
+ - 'libvirt_uri_system|bool'
+
+- name: Verify storage pool path directory is group-writable (libvirt system uri)
+ become: yes
+ become_flags: 'su - -c'
+ become_method: sudo
+ fail:
+ msg: |
+ The permissions for {{ libvirt_storage_pool_path }} should be group
+ writeable by the group used by libvirt: {{ libvirt_qemu_group }}
+ Current group: {{ dir_group.stdout }}
+ Current permissions: {{ dir_perms.stdout }}
+ tags: ['storage-pool-path']
+ when:
+ - 'libvirt_uri_system|bool'
+ - (dir_group.stdout != libvirt_qemu_group) or (dir_perms.stdout[5] != 'w')
+
- name: Check for dnsmasq configuration files
stat:
path: "{{ item }}"
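Review bot: the group and permission verification runs after the directory creation tasks, and the creation task for the system URI case runs under `become`, so on a pool path with the wrong group or no group-write bit the play first creates `{{ guestfs_base_image_dir }}` as root and only then reports the problem; moving the two `stat` checks and the `fail` task ahead of the two `file` tasks would stop the play before it touches the filesystem. Two smaller points: `become` on the `fail` task does nothing and can be dropped, and the pair of `command: stat -c '%G'` / `'%A'` tasks plus the `dir_perms.stdout[5] != 'w'` index could be replaced by a single `ansible.builtin.stat` call, whose `stat.gr_name` and `stat.wgrp` return values express the same condition without parsing a mode string, and without the `command` task hard-failing on a missing path before the friendlier message gets a chance to print.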
diff --git a/scripts/bringup_guestfs.sh b/scripts/bringup_guestfs.sh
index 976d1e78ed6a..bc0176f8f5b4 100755
--- a/scripts/bringup_guestfs.sh
+++ b/scripts/bringup_guestfs.sh
@@ -271,9 +271,6 @@ if [[ "$CONFIG_LIBVIRT_URI_SYSTEM" == "y" ]]; then
USE_SUDO="sudo "
fi
-$USE_SUDO mkdir -p $STORAGEDIR
-$USE_SUDO mkdir -p $BASE_IMAGE_DIR
-
cmdfile=$(mktemp)
if [ ! -f $BASE_IMAGE ]; then
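Review bot: with both `mkdir -p` lines gone the script now assumes `$BASE_IMAGE_DIR` already exists by the time it reaches `if [ ! -f $BASE_IMAGE ]`, i.e. it depends on the playbook having run with the `storage-pool-path` tag first; a cheap `[ -d "$BASE_IMAGE_DIR" ] || { echo "missing $BASE_IMAGE_DIR"; exit 1; }` guard here would turn a confusing later write failure into a clear one when the script is invoked on its own. Also check whether `USE_SUDO` is still consumed further down; if these two lines were its only users, the `if [[ "$CONFIG_LIBVIRT_URI_SYSTEM" == "y" ]]` block above becomes dead code.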
diff --git a/scripts/guestfs.Makefile b/scripts/guestfs.Makefile
index d08e697f3cfb..e1cf25d62d04 100644
--- a/scripts/guestfs.Makefile
+++ b/scripts/guestfs.Makefile
@@ -83,7 +83,7 @@ bringup_guestfs: $(GUESTFS_BRINGUP_DEPS)
playbooks/bringup_guestfs.yml \
-e 'ansible_python_interpreter=/usr/bin/python3' \
--extra-vars=@./extra_vars.yaml \
- --tags config-check,network
+ --tags config-check,network,storage-pool-path
$(Q)$(TOPDIR)/scripts/bringup_guestfs.sh
$(Q)ansible-playbook $(ANSIBLE_VERBOSE) --connection=local \
--inventory localhost, \
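Review bot: adding `storage-pool-path` to this first ansible-playbook invocation is what makes the removal of the `mkdir -p` calls in scripts/bringup_guestfs.sh safe, so that dependency deserves a short comment next to the `--tags` line. Consider also whether the verification tasks belong under the existing `config-check` tag, which this invocation already selects and whose name matches what they do, leaving `storage-pool-path` for the tasks that actually create directories.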
--
2.47.2
Thread overview (11+ messages):
2025-03-23 11:50 [PATCH 0/6] debian / libvirt / devconfig fixes Luis Chamberlain
2025-03-23 11:50 ` [PATCH 1/6] scripts/bringup_guestfs.sh: uninstall unattended-upgrades on debian guests Luis Chamberlain
2025-03-23 11:50 ` [PATCH 2/6] devconfig: ensure unattended-upgrades is not installed on debian Luis Chamberlain
2025-03-23 11:50 ` [PATCH 3/6] libvirt: use consistent pool path variables and use optional yaml output Luis Chamberlain
2025-03-23 11:50 ` [PATCH 4/6] Kconfig: adopt output yaml for KDEVOPS_FIRST_RUN Luis Chamberlain
2025-03-23 11:50 ` Luis Chamberlain [this message]
2025-03-25 14:53 ` [PATCH 5/6] guestfs: add ansible group permission check on libvirt system uri Daniel Gomez
2025-03-29 21:55 ` Luis Chamberlain
2025-03-29 22:43 ` Luis Chamberlain
2025-03-29 22:55 ` Luis Chamberlain
2025-03-23 11:50 ` [PATCH 6/6] gen_nodes: ensure kdevops prefix has no dashes Luis Chamberlain