| Summary: | RFE: virt-sysprep does not utilize libguestfs encryption support | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | emahoney |
| Component: | libguestfs | Assignee: | Richard W.M. Jones <rjones> |
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | low | Docs Contact: | Yehuda Zimmerman <yzimmerm> |
| Priority: | unspecified | ||
| Version: | 7.2 | CC: | emahoney, ptoscano, rjones, wshi, xchen, yoguo |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | libguestfs-1.36.1-1.el7 | Doc Type: | Release Note |
| Doc Text: |
Additional *virt* tools can work on LUKS whole-disk encrypted guests
This update adds support for working on LUKS whole-disk encrypted guests using the *virt-customize*, *virt-get-kernel*, *virt-sparsify*, and *virt-sysprep* tools. As a result, these tools can provide keys or passphrases for opening LUKS whole-disk encrypted guests.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-08-01 22:08:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 1359086 | ||
| Bug Blocks: | |||
|
Description
emahoney
2016-08-02 18:34:53 UTC
None of the OCaml-based tools supports opening LUKS-encrypted partitions. This has been implemented with commits https://github.com/libguestfs/libguestfs/commit/0920b805fda02729d5204d2ab2cbfa192ba6570f https://github.com/libguestfs/libguestfs/commit/5281e08802c47b3fd6a945d17d7d6ee3b428b896 https://github.com/libguestfs/libguestfs/commit/6b26a0cce4f1d6264bee88902b8931e39288c901 which are in libguestfs >= 1.35.6. Hi Pino,
Do you know by saying "1.Create 7.2 guest with LUKS encryption", does he mean that : create a partition --> encrypt it --> configured to automatically start up at boot ?
I tried that way but can't reproduce it, the version is:
libguestfs-1.32.7-3.el7.x86_64
Steps:
1. Create 7.2 guest with LUKS encryption.
Install a RHEL7.2 guest image (retain some space at the partition step),then boot it, create partition with LUKS:
# fdisk /dev/vda
--> create a new partition /dev/vda3 for testing
# cryptsetup luksFormat /dev/vda3
# cryptsetup luksOpen /dev/vda3 my_test
# mkfs.ext4 /dev/mapper/my_test
# mkdir /mnt/my_test
# mount /dev/mapper/my_test /mnt/my_test
Configure to automatically start up at boot:
# touch /root/.my_test
# cryptsetup luksAddKey /dev/vda3 /mnt/.my_test
# vim /etc/crypttab
my_test /dev/vda3 /root/.my_test
# vim /etc/fstab
/dev/mapper/my_test /mnt/my_test ext4 defaults 0 0
# init 0
2.
# virt-sysprep -a rhel7.2-LUKS.qcow2
[ 0.0] Examining the guest ...
virt-sysprep: warning: mount_options: mount_options_stub:
/dev/mapper/my_test: No such file or directory (ignored)
[ 6.5] Performing "abrt-data" ...
[ 6.5] Performing "bash-history" ...
[ 6.5] Performing "blkid-tab" ...
[ 6.5] Performing "crash-data" ...
[ 6.5] Performing "cron-spool" ...
[ 6.6] Performing "dhcp-client-state" ...
[ 6.6] Performing "dhcp-server-state" ...
[ 6.6] Performing "dovecot-data" ...
[ 6.6] Performing "logfiles" ...
[ 6.7] Performing "machine-id" ...
[ 6.7] Performing "mail-spool" ...
[ 6.7] Performing "net-hostname" ...
[ 6.8] Performing "net-hwaddr" ...
[ 6.8] Performing "pacct-log" ...
[ 6.8] Performing "package-manager-cache" ...
[ 6.8] Performing "pam-data" ...
[ 6.8] Performing "puppet-data-log" ...
[ 6.8] Performing "rh-subscription-manager" ...
[ 6.8] Performing "rhn-systemid" ...
[ 6.8] Performing "rpm-db" ...
[ 6.8] Performing "samba-db-log" ...
[ 6.9] Performing "script" ...
[ 6.9] Performing "smolt-uuid" ...
[ 6.9] Performing "ssh-hostkeys" ...
[ 6.9] Performing "ssh-userdir" ...
[ 6.9] Performing "sssd-db-log" ...
[ 6.9] Performing "tmp-files" ...
[ 6.9] Performing "udev-persistent-net" ...
[ 6.9] Performing "utmp" ...
[ 6.9] Performing "yum-uuid" ...
[ 6.9] Performing "customize" ...
[ 6.9] Setting a random seed
[ 7.4] Performing "lvm-uuids" ...
--> It finished successfully with some warning, should I use the 1.20.11-14 to test, or there is some problem in my steps?
3.
# guestfish -a rhel7.2-LUKS.qcow2 -i
Enter key or passphrase ("/dev/sda3"):
libguestfs: error: vfs_type: vfs_type_stub: /dev/mapper/my_test: No such file or directory
libguestfs: error: mount: mount_stub: /dev/mapper/my_test: No such file or directory
guestfish: some filesystems could not be mounted (ignored)
Welcome to guestfish, the guest filesystem shell for
editing virtual machine filesystems and disk images.
Type: 'help' for help on commands
'man' to read the manual
'quit' to quit the shell
Operating system: Red Hat Enterprise Linux Server 7.2 (Maipo)
/dev/rhel/root mounted on /
/dev/sda1 mounted on /boot
libguestfs: error: lvm_canonical_lv_name: lvm_canonical_lv_name_stub: /dev/mapper/my_test: No such file or directory
/dev/mapper/my_test mounted on /mnt/my_test
--> Is this alright or just another bug ?
(In reply to Xianghua Chen from comment #4) > Hi Pino, > Do you know by saying "1.Create 7.2 guest with LUKS encryption", does he > mean that : create a partition --> encrypt it --> configured to > automatically start up at boot ? It is meant to be full-disk encryption -- i.e. the option to encrypt the root and all the filesystems (except /boot), as done by anaconda (in RHEL and Fedora guests). When using a kickstart, you can use a like like: part pv.10 --fstype=lvmpv --size=1 --grow --encrypted --passphrase="thepassword" What you describe (very nice test case, btw) is another style of LUKS encryption, which is not supported yet by the libguestfs tools. Please open a separate RFE for that, so we can track that work properly. > What you describe (very nice test case, btw) is another style of LUKS > encryption, which is not supported yet by the libguestfs tools. Please open > a separate RFE for that, so we can track that work properly. Have filed a new RFE bug for this: bug#1393747 Hi Evan, I'm QE for libguestfs, and trying to reproduce this bug. Do you have the kickstart file which can install this kind luks encrypt guest image? I failed to create the guest by adding this line to my ks file: part pv.10 --fstype=lvmpv --size=1 --grow --encrypted --passphrase="thepassword" Maybe there are some other options ? Could you kindly provide more info? Thank you very much:) Verified with package:
libguestfs-1.36.3-1.el7.x86_64
Steps:
1. Prepare a LUKS guest image (encrypt it when install the image, using password: REDHAT).
2. Virt-sysprep the encrypted guest image:
# virt-sysprep -a RHEL7.3-LUKS.qcow2 --echo-keys
[ 0.0] Examining the guest ...
Enter key or passphrase ("/dev/sda2"): REDHAT
[ 66.9] Performing "abrt-data" ...
[ 66.9] Performing "backup-files" ...
[ 67.7] Performing "bash-history" ...
[ 67.7] Performing "blkid-tab" ...
[ 67.7] Performing "crash-data" ...
[ 67.7] Performing "cron-spool" ...
[ 67.7] Performing "dhcp-client-state" ...
[ 67.7] Performing "dhcp-server-state" ...
[ 67.7] Performing "dovecot-data" ...
[ 67.7] Performing "logfiles" ...
[ 67.7] Performing "machine-id" ...
[ 67.7] Performing "mail-spool" ...
[ 67.7] Performing "net-hostname" ...
[ 67.7] Performing "net-hwaddr" ...
[ 67.7] Performing "pacct-log" ...
[ 67.7] Performing "package-manager-cache" ...
[ 67.7] Performing "pam-data" ...
[ 67.7] Performing "passwd-backups" ...
[ 67.7] Performing "puppet-data-log" ...
[ 67.7] Performing "rh-subscription-manager" ...
[ 67.7] Performing "rhn-systemid" ...
[ 67.7] Performing "rpm-db" ...
[ 67.7] Performing "samba-db-log" ...
[ 67.7] Performing "script" ...
[ 67.7] Performing "smolt-uuid" ...
[ 67.7] Performing "ssh-hostkeys" ...
[ 67.7] Performing "ssh-userdir" ...
[ 67.7] Performing "sssd-db-log" ...
[ 67.7] Performing "tmp-files" ...
[ 67.7] Performing "udev-persistent-net" ...
[ 67.7] Performing "utmp" ...
[ 67.7] Performing "yum-uuid" ...
[ 67.7] Performing "customize" ...
[ 67.7] Setting a random seed
[ 68.0] Performing "lvm-uuids" ...
The command can be executed successfully.
So verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2023 |