From: Luis Chamberlain
To: kdevops@lists.linux.dev
Cc: Luis Chamberlain
Subject: [PATCH 5/6] guestfs: replace ansible group permission requirement on libvirt system uri
Date: Sat, 29 Mar 2025 16:01:40 -0700
Message-ID: <20250329230141.3718282-6-mcgrof@kernel.org>
In-Reply-To: <20250329230141.3718282-1-mcgrof@kernel.org>
References: <20250329230141.3718282-1-mcgrof@kernel.org>

The bringup process for libvirt system URI support (not session), so all Debian-based distros, requires us to be paranoid about the permissions of our storage directory where we place our libvirt storage pool and guestfs images. We used to be stupid and were hammering with a sledgehammer a crazy sudo chown -R on a target storage path. That was removed by commit c31459dc384c ("scripts/bringup_guestfs.sh: fix silly directory permission fix"). I rushed that change in because it was affecting live systems and we needed to get testing moving.

This replaces the old requirement with some less aggressive directory creation and directory permission requirements and adds some sanity checks which don't do the crazy wild permission changes that are possible with a recursive call.
Signed-off-by: Luis Chamberlain --- kconfigs/Kconfig.guestfs | 10 +++ .../roles/bringup_guestfs/tasks/main.yml | 76 +++++++++++++++++++ scripts/bringup_guestfs.sh | 3 - scripts/guestfs.Makefile | 2 +- 4 files changed, 87 insertions(+), 4 deletions(-) diff --git a/kconfigs/Kconfig.guestfs b/kconfigs/Kconfig.guestfs index c6d2d1907dd5..d309436fa7c9 100644 --- a/kconfigs/Kconfig.guestfs +++ b/kconfigs/Kconfig.guestfs @@ -5,6 +5,16 @@ config STORAGE_POOL_PATH output yaml default LIBVIRT_STORAGE_POOL_PATH +config GUESTFS_STORAGE_DIR + string + output yaml + default "{{ kdevops_storage_pool_path }}/kdevops/guestfs" + +config GUESTFS_BASE_IMAGE_DIR + string + output yaml + default "{{ guestfs_storage_dir }}/base_images" + config GUESTFS_HAS_CUSTOM_RAW_IMAGE bool diff --git a/playbooks/roles/bringup_guestfs/tasks/main.yml b/playbooks/roles/bringup_guestfs/tasks/main.yml index dcbbaef02522..0b193dad807f 100644 --- a/playbooks/roles/bringup_guestfs/tasks/main.yml +++ b/playbooks/roles/bringup_guestfs/tasks/main.yml 
@@ -42,6 +42,82 @@ when: guestfs_subdirectories.matched == 0 tags: [ 'config-check' ] +- name: Create storage pool path directory if (libvirt session uri) + file: + path: "{{ libvirt_storage_pool_path }}" + state: directory + when: 'not libvirt_uri_system|bool' + tags: ['storage-pool-path'] + +- name: Create storage pool path directory and set group if using (libvirt system uri) + file: + path: "{{ libvirt_storage_pool_path }}" + state: directory + owner: root + group: "{{ libvirt_qemu_group }}" + mode: "0775" + when: 'libvirt_uri_system|bool' + tags: ['storage-pool-path'] + +- name: Create kdevops guestfs storage directory if missing (libvirt session uri) + file: + path: "{{ guestfs_base_image_dir }}" + state: directory + mode: '0755' + tags: ['storage-pool-path'] + when: + - 'not libvirt_uri_system|bool' + +- name: Create kdevops guestfs storage directory if missing (libvirt system uri) + become: yes + become_flags: 'su - -c' + become_method: sudo + file: + path: "{{ guestfs_base_image_dir }}" + state: directory + mode: '0775' + group: "{{ libvirt_qemu_group }}" + tags: ['storage-pool-path'] + when: + - 'libvirt_uri_system|bool' + +- name: Check if directory is owned by the correct group (libvirt system uri) + become: yes + become_flags: 'su - -c' + become_method: sudo + command: stat -c '%G' "{{ libvirt_storage_pool_path }}" + register: dir_group + changed_when: false + tags: ['storage-pool-path'] + when: + - 'libvirt_uri_system|bool' + +- name: Check if directory has group write permissions (libvirt system uri) + become: yes + become_flags: 'su - -c' + become_method: sudo + command: stat -c '%A' "{{ libvirt_storage_pool_path }}" + register: dir_perms + changed_when: false + tags: ['storage-pool-path'] + when: + - 'libvirt_uri_system|bool' + +- name: Verify storage pool path directory is group-writable (libvirt system uri) + become: yes + become_flags: 'su - -c' + become_method: sudo + fail: + msg: | + The permissions for {{ libvirt_storage_pool_path }} should 
be group + writeable by the group used by libvirt: {{ libvirt_qemu_group }} + Current group: {{ dir_group.stdout }} + Current permissions: {{ dir_perms.stdout }} + tags: ['storage-pool-path'] + when: + - 'libvirt_uri_system|bool' + - (dir_group.stdout != libvirt_qemu_group) or (dir_perms.stdout[5] != 'w') + - name: Check for dnsmasq configuration files stat: path: "{{ item }}" diff --git a/scripts/bringup_guestfs.sh b/scripts/bringup_guestfs.sh index 976d1e78ed6a..bc0176f8f5b4 100755 --- a/scripts/bringup_guestfs.sh +++ b/scripts/bringup_guestfs.sh @@ -271,9 +271,6 @@ if [[ "$CONFIG_LIBVIRT_URI_SYSTEM" == "y" ]]; then USE_SUDO="sudo " fi -$USE_SUDO mkdir -p $STORAGEDIR -$USE_SUDO mkdir -p $BASE_IMAGE_DIR - cmdfile=$(mktemp) if [ ! -f $BASE_IMAGE ]; then diff --git a/scripts/guestfs.Makefile b/scripts/guestfs.Makefile index d08e697f3cfb..e1cf25d62d04 100644 --- a/scripts/guestfs.Makefile +++ b/scripts/guestfs.Makefile @@ -83,7 +83,7 @@ bringup_guestfs: $(GUESTFS_BRINGUP_DEPS) playbooks/bringup_guestfs.yml \ -e 'ansible_python_interpreter=/usr/bin/python3' \ --extra-vars=@./extra_vars.yaml \ - --tags config-check,network + --tags config-check,network,storage-pool-path $(Q)$(TOPDIR)/scripts/bringup_guestfs.sh $(Q)ansible-playbook $(ANSIBLE_VERBOSE) --connection=local \ --inventory localhost, \ -- 2.47.2
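Review bot: in the kconfigs/Kconfig.guestfs hunk, GUESTFS_STORAGE_DIR defaults to "{{ kdevops_storage_pool_path }}/kdevops/guestfs", while the role tasks in this same series create and check "{{ libvirt_storage_pool_path }}"; if those two variables can ever differ, the guestfs directory tree will be created outside the path whose group and mode the new checks verify. Please either derive both from the same variable or state in the symbol (a `help` block, or a comment next to `default`) that kdevops_storage_pool_path and libvirt_storage_pool_path are guaranteed equal. Also, only GUESTFS_BASE_IMAGE_DIR is consumed by the role in this patch; GUESTFS_STORAGE_DIR is emitted to YAML but nothing creates or checks it explicitly.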
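Review bot: in the playbooks/roles/bringup_guestfs/tasks/main.yml hunk, the task "Create storage pool path directory and set group if using (libvirt system uri)" sets `owner: root` and `group: "{{ libvirt_qemu_group }}"` but has no `become`, unlike the four tasks that follow it; when the pool path does not yet exist, the directory is created as the invoking user and the chown to root then fails with EPERM, so this task needs the same `become: yes` block (or the `owner: root` should be dropped). Two smaller points in the same hunk: `file: state: directory` on "{{ guestfs_base_image_dir }}" creates any missing parents (`.../kdevops` and `.../kdevops/guestfs`) with the default umask, and `mode: '0775'` / `group:` apply only to the leaf `base_images` directory, so the intermediate directories that the commit message says hold guest images never get the group-writable treatment and are not covered by the `stat` checks, which look only at libvirt_storage_pool_path; and `become` on the `fail:` task is a no-op, since `fail` evaluates on the controller and runs no command on the target, so it can be removed.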
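Review bot: in the scripts/bringup_guestfs.sh hunk, removing `$USE_SUDO mkdir -p $STORAGEDIR` and `$USE_SUDO mkdir -p $BASE_IMAGE_DIR` makes the script depend on the playbook having already run with the new storage-pool-path tag, but nothing in the script states or checks that; anyone running bringup_guestfs.sh by hand will now get a late, unrelated error from whatever first writes under $BASE_IMAGE_DIR instead of a clear message. Suggest an explicit guard right where the mkdir calls used to be, e.g. `[ -d "$BASE_IMAGE_DIR" ] || { echo "$BASE_IMAGE_DIR missing, run the bringup_guestfs playbook first" >&2; exit 1; }`, so the new ordering requirement is visible and enforced.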
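The commit message's goal, group-owned and group-writable pool directories without any recursive chown or chmod, and the group/`%A` check the playbook performs, are shown below as a small POSIX shell helper. This is an added example, not kdevops code and not the patch under review; it assumes GNU `stat -c` (as the playbook does) and takes the directory and group as parameters rather than reading `libvirt_storage_pool_path` or `libvirt_qemu_group` from kdevops configuration. It generalizes the playbook's check slightly: it prepares only the leaf directory named, refusing to create missing parents, so no intermediate directory silently ends up with umask-default permissions.

```shell
#!/bin/sh
# Added example (not kdevops code): prepare and verify one directory for a
# libvirt system-URI storage pool without touching anything recursively.

# pool_dir_check DIR GROUP
# Returns 0 when DIR exists, is owned by GROUP, and has the group write bit.
pool_dir_check() {
    dir=$1
    grp=$2
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    cur_grp=$(stat -c '%G' "$dir")
    perms=$(stat -c '%A' "$dir")           # e.g. drwxrwxr-x
    gw=$(printf '%s' "$perms" | cut -c6)   # 6th char is the group write bit
    if [ "$cur_grp" != "$grp" ] || [ "$gw" != "w" ]; then
        echo "$dir: group=$cur_grp perms=$perms (want group $grp, group-writable)" >&2
        return 1
    fi
    return 0
}

# pool_dir_prepare DIR GROUP
# Creates DIR only if its parent already exists (no mkdir -p), then sets
# GROUP and mode 0775 on DIR alone and re-runs the check. The parent
# directory is deliberately never modified.
pool_dir_prepare() {
    dir=$1
    grp=$2
    parent=$(dirname "$dir")
    [ -d "$parent" ] || { echo "$parent: parent missing, refusing to create it" >&2; return 1; }
    if [ ! -d "$dir" ]; then
        mkdir "$dir" || return 1
    fi
    chgrp "$grp" "$dir" || return 1
    chmod 0775 "$dir" || return 1
    pool_dir_check "$dir" "$grp"
}

# Example invocation with hypothetical values; the group name is an assumption
# standing in for libvirt_qemu_group (often "libvirt-qemu" or "kvm").
# pool_dir_prepare /var/lib/libvirt/images/kdevops libvirt-qemu
```

Because `pool_dir_prepare` uses plain `mkdir` rather than `mkdir -p`, a missing intermediate directory is reported instead of being created with whatever the umask yields, which is exactly the case the playbook's single `file: state: directory` task does not cover.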