11:43 a.m.
I run into scenarios where I forget to destroy a VM which has a new WIP
qemu capability. Starting a libvirtd which doesn't support it yet makes
the libvirt vanish, thus after manually killing it libvirtd doesn't
clear the xattrs, making it impossible to start the VM.
libvirt_recover_xattrs fixes this, but is unusable unless you want to
turn off all VMs.
Peter Krempa (4):
libvirt_recover_xattrs: Avoid backticks for subshell
libvirt_recover_xattrs: Use only the correct xattr prefix
libvirt_recover_xattrs: Add unsafe operation mode
libvirt_recover_xattrs: Allow fixing multiple PATHs
tools/libvirt_recover_xattrs.sh | 64 ++++++++++++++++++++++-----------
1 file changed, 43 insertions(+), 21 deletions(-)
--
2.28.0
11:43 a.m.
New subject: [PATCH 1/4] libvirt_recover_xattrs: Avoid backticks for subshell
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
tools/libvirt_recover_xattrs.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/libvirt_recover_xattrs.sh b/tools/libvirt_recover_xattrs.sh
index 3907413c63..cb98497732 100755
--- a/tools/libvirt_recover_xattrs.sh
+++ b/tools/libvirt_recover_xattrs.sh
@@ -34,7 +34,7 @@ URI=("qemu:///system"
LIBVIRT_XATTR_PREFIXES=("trusted.libvirt.security"
"system.libvirt.security")
-if [ `whoami` != "root" ]; then
+if [ $(whoami) != "root" ]; then
die "Must be run as root"
fi
--
2.28.0
11:43 a.m.
New subject: [PATCH 2/4] libvirt_recover_xattrs: Use only the correct xattr prefix
Linux and FreeBSD have different prefix. In the current state we've
tried to reset the labels for both systems which resulted in errors like
this:
Fixing /tmp/bitmaps2.qcow2
setfattr: /tmp/bitmaps2.qcow2: Operation not supported
setfattr: /tmp/bitmaps2.qcow2: Operation not supported
setfattr: /tmp/bitmaps2.qcow2: Operation not supported
setfattr: /tmp/bitmaps2.qcow2: Operation not supported
setfattr: /tmp/bitmaps2.qcow2: Operation not supported
setfattr: /tmp/bitmaps2.qcow2: Operation not supported
The 6 failed 'setfattrs' correspond to the wrong prefix.
Select the correct prefix based on the kernel name and modify the code
appropriately.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
tools/libvirt_recover_xattrs.sh | 48 ++++++++++++++++++---------------
1 file changed, 27 insertions(+), 21 deletions(-)
diff --git a/tools/libvirt_recover_xattrs.sh b/tools/libvirt_recover_xattrs.sh
index cb98497732..b7a8c05cf4 100755
--- a/tools/libvirt_recover_xattrs.sh
+++ b/tools/libvirt_recover_xattrs.sh
@@ -29,11 +29,6 @@ DIR="/"
URI=("qemu:///system"
"lxc:///system")
-# On Linux we use 'trusted' namespace, on FreeBSD we use 'system'
-# as there is no 'trusted'.
-LIBVIRT_XATTR_PREFIXES=("trusted.libvirt.security"
- "system.libvirt.security")
-
if [ $(whoami) != "root" ]; then
die "Must be run as root"
fi
@@ -62,6 +57,21 @@ if [ $# -gt 0 ]; then
DIR=$1
fi
+case $(uname -s) in
+ Linux)
+ XATTR_PREFIX="trusted.libvirt.security"
+ ;;
+
+ FreeBSD)
+ XATTR_PREFIX="system.libvirt.security"
+ ;;
+
+ *)
+ die "$0 is not supported on this platform"
+ ;;
+esac
+
+
if [ ${DRY_RUN} -eq 0 ]; then
for u in ${URI[*]} ; do
if [ -n "`virsh -q -c $u list 2>/dev/null`" ]; then
@@ -73,24 +83,20 @@ fi
declare -a XATTRS
for i in "dac" "selinux"; do
- for p in ${LIBVIRT_XATTR_PREFIXES[@]}; do
- XATTRS+=("$p.$i" "$p.ref_$i" "$p.timestamp_$i")
- done
+ XATTRS+=("$XATTR_PREFIX.$i" "$XATTR_PREFIX.ref_$i"
"$XATTR_PREFIX.timestamp_$i")
done
-for p in ${LIBVIRT_XATTR_PREFIXES[*]}; do
- for i in $(getfattr -R -d -m ${p} --absolute-names ${DIR} 2>/dev/null | grep
"^# file:" | cut -d':' -f 2); do
- echo $i;
- if [ ${DRY_RUN} -ne 0 ]; then
- getfattr -d -m $p --absolute-names $i | grep -v "^# file:"
- continue
- fi
- if [ ${QUIET} -eq 0 ]; then
- echo "Fixing $i";
- fi
- for x in ${XATTRS[*]}; do
- setfattr -x $x $i
- done
+for i in $(getfattr -R -d -m ${XATTR_PREFIX} --absolute-names ${DIR} 2>/dev/null |
grep "^# file:" | cut -d':' -f 2); do
+ if [ ${DRY_RUN} -ne 0 ]; then
+ getfattr -d -m $p --absolute-names $i | grep -v "^# file:"
+ continue
+ fi
+
+ if [ ${QUIET} -eq 0 ]; then
+ echo "Fixing $i";
+ fi
+ for x in ${XATTRS[*]}; do
+ setfattr -x $x $i
done
done
--
2.28.0
11:43 a.m.
New subject: [PATCH 3/4] libvirt_recover_xattrs: Add unsafe operation mode
In some cases you want to fix a certain directory while you don't really
care whether there are other VMs running. Add a option to disable the
check.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
tools/libvirt_recover_xattrs.sh | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/tools/libvirt_recover_xattrs.sh b/tools/libvirt_recover_xattrs.sh
index b7a8c05cf4..bb5f23cff0 100755
--- a/tools/libvirt_recover_xattrs.sh
+++ b/tools/libvirt_recover_xattrs.sh
@@ -7,7 +7,7 @@ function die {
function show_help {
cat << EOF
-Usage: ${0##*/} -[hqn] [PATH]
+Usage: ${0##*/} -[hqnu] [PATH]
Clear out any XATTRs set by libvirt on all files that have them.
The idea is to reset refcounting, should it break.
@@ -15,6 +15,7 @@ The idea is to reset refcounting, should it break.
-h display this help and exit
-q quiet (don't print which files are being fixed)
-n dry run; don't remove any XATTR just report the file name
+ -u unsafe; don't check whether there are running VMs; PATH must be specified
PATH can be specified to refine search to only to given path
instead of whole root ('/'), which is the default.
@@ -23,6 +24,7 @@ EOF
QUIET=0
DRY_RUN=0
+UNSAFE=0
DIR="/"
# So far only qemu and lxc drivers use security driver.
@@ -33,7 +35,7 @@ if [ $(whoami) != "root" ]; then
die "Must be run as root"
fi
-while getopts hqn opt; do
+while getopts hqnu opt; do
case $opt in
h)
show_help
@@ -45,6 +47,9 @@ while getopts hqn opt; do
n)
DRY_RUN=1
;;
+ u)
+ UNSAFE=1
+ ;;
*)
show_help >&2
exit 1
@@ -55,6 +60,10 @@ done
shift $((OPTIND - 1))
if [ $# -gt 0 ]; then
DIR=$1
+else
+ if [ ${UNSAFE} -eq 1 ]; then
+ die "Unsafe mode (-u) requires explicit 'PATH' argument"
+ fi
fi
case $(uname -s) in
@@ -72,7 +81,7 @@ case $(uname -s) in
esac
-if [ ${DRY_RUN} -eq 0 ]; then
+if [ ${DRY_RUN} -eq 0 ] && [ ${UNSAFE} -eq 0 ]; then
for u in ${URI[*]} ; do
if [ -n "`virsh -q -c $u list 2>/dev/null`" ]; then
die "There are still some domains running for $u"
--
2.28.0
11:43 a.m.
New subject: [PATCH 4/4] libvirt_recover_xattrs: Allow fixing multiple PATHs
Loop for multiple PATH arguments to support shell pattern expansion.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
tools/libvirt_recover_xattrs.sh | 51 +++++++++++++++++++--------------
1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/tools/libvirt_recover_xattrs.sh b/tools/libvirt_recover_xattrs.sh
index bb5f23cff0..59f1f3f476 100755
--- a/tools/libvirt_recover_xattrs.sh
+++ b/tools/libvirt_recover_xattrs.sh
@@ -7,7 +7,7 @@ function die {
function show_help {
cat << EOF
-Usage: ${0##*/} -[hqnu] [PATH]
+Usage: ${0##*/} -[hqnu] [PATH ...]
Clear out any XATTRs set by libvirt on all files that have them.
The idea is to reset refcounting, should it break.
@@ -25,7 +25,6 @@ EOF
QUIET=0
DRY_RUN=0
UNSAFE=0
-DIR="/"
# So far only qemu and lxc drivers use security driver.
URI=("qemu:///system"
@@ -57,15 +56,6 @@ while getopts hqnu opt; do
esac
done
-shift $((OPTIND - 1))
-if [ $# -gt 0 ]; then
- DIR=$1
-else
- if [ ${UNSAFE} -eq 1 ]; then
- die "Unsafe mode (-u) requires explicit 'PATH' argument"
- fi
-fi
-
case $(uname -s) in
Linux)
XATTR_PREFIX="trusted.libvirt.security"
@@ -95,17 +85,34 @@ for i in "dac" "selinux"; do
XATTRS+=("$XATTR_PREFIX.$i" "$XATTR_PREFIX.ref_$i"
"$XATTR_PREFIX.timestamp_$i")
done
+fix_xattrs() {
+ local DIR="$1"
-for i in $(getfattr -R -d -m ${XATTR_PREFIX} --absolute-names ${DIR} 2>/dev/null |
grep "^# file:" | cut -d':' -f 2); do
- if [ ${DRY_RUN} -ne 0 ]; then
- getfattr -d -m $p --absolute-names $i | grep -v "^# file:"
- continue
- fi
+ for i in $(getfattr -R -d -m ${XATTR_PREFIX} --absolute-names ${DIR} 2>/dev/null |
grep "^# file:" | cut -d':' -f 2); do
+ if [ ${DRY_RUN} -ne 0 ]; then
+ getfattr -d -m $p --absolute-names $i | grep -v "^# file:"
+ continue
+ fi
- if [ ${QUIET} -eq 0 ]; then
- echo "Fixing $i";
- fi
- for x in ${XATTRS[*]}; do
- setfattr -x $x $i
+ if [ ${QUIET} -eq 0 ]; then
+ echo "Fixing $i";
+ fi
+ for x in ${XATTRS[*]}; do
+ setfattr -x $x $i
+ done
done
-done
+}
+
+
+shift $((OPTIND - 1))
+if [ $# -gt 0 ]; then
+ while [ $# -gt 0 ]; do
+ fix_xattrs "$1"
+ shift $((OPTIND - 1))
+ done
+else
+ if [ ${UNSAFE} -eq 1 ]; then
+ die "Unsafe mode (-u) requires explicit 'PATH' argument"
+ fi
+ fix_xattrs "/"
+fi
--
2.28.0
3:36 p.m.
On 12/2/20 11:43 AM, Peter Krempa wrote:
I run into scenarios where I forget to destroy a VM which has a new
WIP
qemu capability. Starting a libvirtd which doesn't support it yet makes
the libvirt vanish, thus after manually killing it libvirtd doesn't
clear the xattrs, making it impossible to start the VM.
libvirt_recover_xattrs fixes this, but is unusable unless you want to
turn off all VMs.
Peter Krempa (4):
libvirt_recover_xattrs: Avoid backticks for subshell
libvirt_recover_xattrs: Use only the correct xattr prefix
libvirt_recover_xattrs: Add unsafe operation mode
libvirt_recover_xattrs: Allow fixing multiple PATHs
tools/libvirt_recover_xattrs.sh | 64 ++++++++++++++++++++++-----------
1 file changed, 43 insertions(+), 21 deletions(-)
Reviewed-by: Michal Privoznik <mprivozn(a)redhat.com>
Michal
1383
days inactive
1384
days old
5 comments
2 participants
participants (2)
-
Michal Privoznik -
Peter Krempa