* [Qemu-devel] [PATCH] iotests: Avoid SIGPIPE death to certtool
@ 2019-02-19 16:09 Eric Blake
2019-02-19 16:13 ` Thomas Huth
2019-02-19 16:14 ` Daniel P. Berrangé
0 siblings, 2 replies; 3+ messages in thread
From: Eric Blake @ 2019-02-19 16:09 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-block, thuth, berrange, Kevin Wolf, Max Reitz
Our use of 'head -1' to log less output of certtool during
iotest 233 could result in certtool dying early due to SIGPIPE
if it generates enough output; if that happens, the certificate
it was supposed to generate may be zero length, which causes
failures such as:
== check TLS client to plain server fails ==
-qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Denied by server for option 5 (starttls)
-server reported: TLS not configured
-qemu-nbd: Denied by server for option 5 (starttls)
-server reported: TLS not configured
+qemu-nbd: Unable to import client certificate /tmp/qemu-iotests-quick-28354/tls/client1/client-cert.pem: Base64 unexpected header error.
Fix the pipelines to consume all output.
Reported-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
---
tests/qemu-iotests/common.tls | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/qemu-iotests/common.tls b/tests/qemu-iotests/common.tls
index eae81789bbc..15c6e8c8425 100644
--- a/tests/qemu-iotests/common.tls
+++ b/tests/qemu-iotests/common.tls
@@ -74,7 +74,7 @@ EOF
certtool --generate-self-signed \
--load-privkey "${tls_dir}/key.pem" \
--template "${tls_dir}/ca.info" \
- --outfile "${tls_dir}/$name-cert.pem" 2>&1 | head -1
+ --outfile "${tls_dir}/$name-cert.pem" 2>&1 | sed -n 1p
rm -f "${tls_dir}/ca.info"
}
@@ -103,7 +103,7 @@ EOF
--load-ca-certificate "${tls_dir}/$caname-cert.pem" \
--load-privkey "${tls_dir}/key.pem" \
--template "${tls_dir}/cert.info" \
- --outfile "${tls_dir}/$name/server-cert.pem" 2>&1 | head -1
+ --outfile "${tls_dir}/$name/server-cert.pem" 2>&1 | sed -n 1p
ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/server-key.pem"
@@ -132,7 +132,7 @@ EOF
--load-ca-certificate "${tls_dir}/$caname-cert.pem" \
--load-privkey "${tls_dir}/key.pem" \
--template "${tls_dir}/cert.info" \
- --outfile "${tls_dir}/$name/client-cert.pem" 2>&1 | head -1
+ --outfile "${tls_dir}/$name/client-cert.pem" 2>&1 | sed -n 1p
ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/client-key.pem"
--
2.20.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Qemu-devel] [PATCH] iotests: Avoid SIGPIPE death to certtool
2019-02-19 16:09 [Qemu-devel] [PATCH] iotests: Avoid SIGPIPE death to certtool Eric Blake
@ 2019-02-19 16:13 ` Thomas Huth
2019-02-19 16:14 ` Daniel P. Berrangé
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Huth @ 2019-02-19 16:13 UTC (permalink / raw)
To: Eric Blake, qemu-devel
Cc: qemu-block, berrange, Kevin Wolf, Max Reitz, QEMU Trivial
On 19/02/2019 17.09, Eric Blake wrote:
> Our use of 'head -1' to log less output of certtool during
> iotest 233 could result in certtool dying early due to SIGPIPE
> if it generates enough output; if that happens, the certificate
> it was supposed to generate may be zero length, which causes
> failures such as:
>
> == check TLS client to plain server fails ==
> -qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Denied by server for option 5 (starttls)
> -server reported: TLS not configured
> -qemu-nbd: Denied by server for option 5 (starttls)
> -server reported: TLS not configured
> +qemu-nbd: Unable to import client certificate /tmp/qemu-iotests-quick-28354/tls/client1/client-cert.pem: Base64 unexpected header error.
>
> Fix the pipelines to consume all output.
>
> Reported-by: Thomas Huth <thuth@redhat.com>
> Signed-off-by: Eric Blake <eblake@redhat.com>
> ---
> tests/qemu-iotests/common.tls | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/tests/qemu-iotests/common.tls b/tests/qemu-iotests/common.tls
> index eae81789bbc..15c6e8c8425 100644
> --- a/tests/qemu-iotests/common.tls
> +++ b/tests/qemu-iotests/common.tls
> @@ -74,7 +74,7 @@ EOF
> certtool --generate-self-signed \
> --load-privkey "${tls_dir}/key.pem" \
> --template "${tls_dir}/ca.info" \
> - --outfile "${tls_dir}/$name-cert.pem" 2>&1 | head -1
> + --outfile "${tls_dir}/$name-cert.pem" 2>&1 | sed -n 1p
>
> rm -f "${tls_dir}/ca.info"
> }
> @@ -103,7 +103,7 @@ EOF
> --load-ca-certificate "${tls_dir}/$caname-cert.pem" \
> --load-privkey "${tls_dir}/key.pem" \
> --template "${tls_dir}/cert.info" \
> - --outfile "${tls_dir}/$name/server-cert.pem" 2>&1 | head -1
> + --outfile "${tls_dir}/$name/server-cert.pem" 2>&1 | sed -n 1p
> ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
> ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/server-key.pem"
>
> @@ -132,7 +132,7 @@ EOF
> --load-ca-certificate "${tls_dir}/$caname-cert.pem" \
> --load-privkey "${tls_dir}/key.pem" \
> --template "${tls_dir}/cert.info" \
> - --outfile "${tls_dir}/$name/client-cert.pem" 2>&1 | head -1
> + --outfile "${tls_dir}/$name/client-cert.pem" 2>&1 | sed -n 1p
> ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
> ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/client-key.pem"
>
Thanks, this fixes the issue for me!
Tested-by: Thomas Huth <thuth@redhat.com>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Qemu-devel] [PATCH] iotests: Avoid SIGPIPE death to certtool
2019-02-19 16:09 [Qemu-devel] [PATCH] iotests: Avoid SIGPIPE death to certtool Eric Blake
2019-02-19 16:13 ` Thomas Huth
@ 2019-02-19 16:14 ` Daniel P. Berrangé
1 sibling, 0 replies; 3+ messages in thread
From: Daniel P. Berrangé @ 2019-02-19 16:14 UTC (permalink / raw)
To: Eric Blake; +Cc: qemu-devel, qemu-block, thuth, Kevin Wolf, Max Reitz
On Tue, Feb 19, 2019 at 10:09:20AM -0600, Eric Blake wrote:
> Our use of 'head -1' to log less output of certtool during
> iotest 233 could result in certtool dying early due to SIGPIPE
> if it generates enough output; if that happens, the certificate
> it was supposed to generate may be zero length, which causes
> failures such as:
>
> == check TLS client to plain server fails ==
> -qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Denied by server for option 5 (starttls)
> -server reported: TLS not configured
> -qemu-nbd: Denied by server for option 5 (starttls)
> -server reported: TLS not configured
> +qemu-nbd: Unable to import client certificate /tmp/qemu-iotests-quick-28354/tls/client1/client-cert.pem: Base64 unexpected header error.
>
> Fix the pipelines to consume all output.
>
> Reported-by: Thomas Huth <thuth@redhat.com>
> Signed-off-by: Eric Blake <eblake@redhat.com>
> ---
> tests/qemu-iotests/common.tls | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/tests/qemu-iotests/common.tls b/tests/qemu-iotests/common.tls
> index eae81789bbc..15c6e8c8425 100644
> --- a/tests/qemu-iotests/common.tls
> +++ b/tests/qemu-iotests/common.tls
> @@ -74,7 +74,7 @@ EOF
> certtool --generate-self-signed \
> --load-privkey "${tls_dir}/key.pem" \
> --template "${tls_dir}/ca.info" \
> - --outfile "${tls_dir}/$name-cert.pem" 2>&1 | head -1
> + --outfile "${tls_dir}/$name-cert.pem" 2>&1 | sed -n 1p
I've actually prepared a patch which gets rid of the pipe entirely,
because in debugging this problem I found it unhelpful that we culled
stderr when certtool failed.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-02-19 16:15 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-02-19 16:09 [Qemu-devel] [PATCH] iotests: Avoid SIGPIPE death to certtool Eric Blake
2019-02-19 16:13 ` Thomas Huth
2019-02-19 16:14 ` Daniel P. Berrangé
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).