Field | Value
---|---
Summary | RFE: virt-sysprep does not utilize libguestfs encryption support
Product | Red Hat Enterprise Linux 7
Reporter | emahoney
Component | libguestfs
Assignee | Richard W.M. Jones <rjones>
Status | CLOSED ERRATA
QA Contact | Virtualization Bugs <virt-bugs>
Severity | low
Docs Contact | Yehuda Zimmerman <yzimmerm>
Priority | unspecified
Version | 7.2
CC | emahoney, ptoscano, rjones, wshi, xchen, yoguo
Target Milestone | rc
Keywords | FutureFeature
Target Release | ---
Hardware | Unspecified
OS | Unspecified
Whiteboard |
Fixed In Version | libguestfs-1.36.1-1.el7
Doc Type | Release Note
Doc Text | Additional *virt* tools can work on LUKS whole-disk encrypted guests. This update adds support for working on LUKS whole-disk encrypted guests using the *virt-customize*, *virt-get-kernel*, *virt-sparsify*, and *virt-sysprep* tools. As a result, these tools can provide keys or passphrases for opening LUKS whole-disk encrypted guests.
Story Points | ---
Clone Of |
Environment |
Last Closed | 2017-08-01 22:08:55 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
CRM |
Verified Versions |
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | ---
Target Upstream Version |
Bug Depends On | 1359086
Bug Blocks |
Description
emahoney
2016-08-02 18:34:53 UTC

None of the OCaml-based tools support opening LUKS-encrypted partitions.

Comment

This has been implemented with commits
https://github.com/libguestfs/libguestfs/commit/0920b805fda02729d5204d2ab2cbfa192ba6570f
https://github.com/libguestfs/libguestfs/commit/5281e08802c47b3fd6a945d17d7d6ee3b428b896
https://github.com/libguestfs/libguestfs/commit/6b26a0cce4f1d6264bee88902b8931e39288c901
which are in libguestfs >= 1.35.6.

Comment 4 (Xianghua Chen)

Hi Pino,
Do you know by saying "1.Create 7.2 guest with LUKS encryption", does he mean that: create a partition --> encrypt it --> configured to automatically start up at boot?
I tried that way but can't reproduce it. The version is: libguestfs-1.32.7-3.el7.x86_64

Steps:

1. Create 7.2 guest with LUKS encryption.
Install a RHEL7.2 guest image (retain some space at the partition step), then boot it, create partition with LUKS:

    # fdisk /dev/vda    --> create a new partition /dev/vda3 for testing
    # cryptsetup luksFormat /dev/vda3
    # cryptsetup luksOpen /dev/vda3 my_test
    # mkfs.ext4 /dev/mapper/my_test
    # mkdir /mnt/my_test
    # mount /dev/mapper/my_test /mnt/my_test

Configure to automatically start up at boot:

    # touch /root/.my_test
    # cryptsetup luksAddKey /dev/vda3 /mnt/.my_test
    # vim /etc/crypttab
    my_test /dev/vda3 /root/.my_test
    # vim /etc/fstab
    /dev/mapper/my_test /mnt/my_test ext4 defaults 0 0
    # init 0

2. Run virt-sysprep:

    # virt-sysprep -a rhel7.2-LUKS.qcow2
    [ 0.0] Examining the guest ...
    virt-sysprep: warning: mount_options: mount_options_stub: /dev/mapper/my_test: No such file or directory (ignored)
    [ 6.5] Performing "abrt-data" ...
    [ 6.5] Performing "bash-history" ...
    [ 6.5] Performing "blkid-tab" ...
    [ 6.5] Performing "crash-data" ...
    [ 6.5] Performing "cron-spool" ...
    [ 6.6] Performing "dhcp-client-state" ...
    [ 6.6] Performing "dhcp-server-state" ...
    [ 6.6] Performing "dovecot-data" ...
    [ 6.6] Performing "logfiles" ...
    [ 6.7] Performing "machine-id" ...
    [ 6.7] Performing "mail-spool" ...
    [ 6.7] Performing "net-hostname" ...
    [ 6.8] Performing "net-hwaddr" ...
    [ 6.8] Performing "pacct-log" ...
    [ 6.8] Performing "package-manager-cache" ...
    [ 6.8] Performing "pam-data" ...
    [ 6.8] Performing "puppet-data-log" ...
    [ 6.8] Performing "rh-subscription-manager" ...
    [ 6.8] Performing "rhn-systemid" ...
    [ 6.8] Performing "rpm-db" ...
    [ 6.8] Performing "samba-db-log" ...
    [ 6.9] Performing "script" ...
    [ 6.9] Performing "smolt-uuid" ...
    [ 6.9] Performing "ssh-hostkeys" ...
    [ 6.9] Performing "ssh-userdir" ...
    [ 6.9] Performing "sssd-db-log" ...
    [ 6.9] Performing "tmp-files" ...
    [ 6.9] Performing "udev-persistent-net" ...
    [ 6.9] Performing "utmp" ...
    [ 6.9] Performing "yum-uuid" ...
    [ 6.9] Performing "customize" ...
    [ 6.9] Setting a random seed
    [ 7.4] Performing "lvm-uuids" ...

--> It finished successfully with some warning. Should I use the 1.20.11-14 to test, or is there some problem in my steps?

3. Run guestfish:

    # guestfish -a rhel7.2-LUKS.qcow2 -i
    Enter key or passphrase ("/dev/sda3"):
    libguestfs: error: vfs_type: vfs_type_stub: /dev/mapper/my_test: No such file or directory
    libguestfs: error: mount: mount_stub: /dev/mapper/my_test: No such file or directory
    guestfish: some filesystems could not be mounted (ignored)

    Welcome to guestfish, the guest filesystem shell for
    editing virtual machine filesystems and disk images.

    Type: 'help' for help on commands
          'man' to read the manual
          'quit' to quit the shell

    Operating system: Red Hat Enterprise Linux Server 7.2 (Maipo)
    /dev/rhel/root mounted on /
    /dev/sda1 mounted on /boot
    libguestfs: error: lvm_canonical_lv_name: lvm_canonical_lv_name_stub: /dev/mapper/my_test: No such file or directory
    /dev/mapper/my_test mounted on /mnt/my_test

--> Is this alright or just another bug?

Comment

(In reply to Xianghua Chen from comment #4)
> Hi Pino,
> Do you know by saying "1.Create 7.2 guest with LUKS encryption", does he
> mean that: create a partition --> encrypt it --> configured to
> automatically start up at boot?

It is meant to be full-disk encryption -- i.e. the option to encrypt the root and all the filesystems (except /boot), as done by anaconda (in RHEL and Fedora guests). When using a kickstart, you can use a line like:

    part pv.10 --fstype=lvmpv --size=1 --grow --encrypted --passphrase="thepassword"

What you describe (very nice test case, btw) is another style of LUKS encryption, which is not supported yet by the libguestfs tools. Please open a separate RFE for that, so we can track that work properly.

Comment

> What you describe (very nice test case, btw) is another style of LUKS
> encryption, which is not supported yet by the libguestfs tools. Please open
> a separate RFE for that, so we can track that work properly.

Have filed a new RFE bug for this: bug#1393747

Comment

Hi Evan,
I'm QE for libguestfs, and am trying to reproduce this bug. Do you have the kickstart file which can install this kind of LUKS-encrypted guest image? I failed to create the guest by adding this line to my ks file:

    part pv.10 --fstype=lvmpv --size=1 --grow --encrypted --passphrase="thepassword"

Maybe there are some other options? Could you kindly provide more info?
Thank you very much:)

Comment

Verified with package: libguestfs-1.36.3-1.el7.x86_64

Steps:

1. Prepare a LUKS guest image (encrypt it when installing the image, using password: REDHAT).

2. Virt-sysprep the encrypted guest image:

    # virt-sysprep -a RHEL7.3-LUKS.qcow2 --echo-keys
    [ 0.0] Examining the guest ...
    Enter key or passphrase ("/dev/sda2"): REDHAT
    [ 66.9] Performing "abrt-data" ...
    [ 66.9] Performing "backup-files" ...
    [ 67.7] Performing "bash-history" ...
    [ 67.7] Performing "blkid-tab" ...
    [ 67.7] Performing "crash-data" ...
    [ 67.7] Performing "cron-spool" ...
    [ 67.7] Performing "dhcp-client-state" ...
    [ 67.7] Performing "dhcp-server-state" ...
    [ 67.7] Performing "dovecot-data" ...
    [ 67.7] Performing "logfiles" ...
    [ 67.7] Performing "machine-id" ...
    [ 67.7] Performing "mail-spool" ...
    [ 67.7] Performing "net-hostname" ...
    [ 67.7] Performing "net-hwaddr" ...
    [ 67.7] Performing "pacct-log" ...
    [ 67.7] Performing "package-manager-cache" ...
    [ 67.7] Performing "pam-data" ...
    [ 67.7] Performing "passwd-backups" ...
    [ 67.7] Performing "puppet-data-log" ...
    [ 67.7] Performing "rh-subscription-manager" ...
    [ 67.7] Performing "rhn-systemid" ...
    [ 67.7] Performing "rpm-db" ...
    [ 67.7] Performing "samba-db-log" ...
    [ 67.7] Performing "script" ...
    [ 67.7] Performing "smolt-uuid" ...
    [ 67.7] Performing "ssh-hostkeys" ...
    [ 67.7] Performing "ssh-userdir" ...
    [ 67.7] Performing "sssd-db-log" ...
    [ 67.7] Performing "tmp-files" ...
    [ 67.7] Performing "udev-persistent-net" ...
    [ 67.7] Performing "utmp" ...
    [ 67.7] Performing "yum-uuid" ...
    [ 67.7] Performing "customize" ...
    [ 67.7] Setting a random seed
    [ 68.0] Performing "lvm-uuids" ...

The command can be executed successfully. So verified.

Comment

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2023
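The thread distinguishes two LUKS layouts: anaconda-style whole-disk encryption (an encrypted LVM PV holding the root LV, which the fixed tools now open with a passphrase) and a separately encrypted data partition listed in /etc/crypttab, which produced the "/dev/mapper/my_test: No such file or directory" warning because the mapping was never opened before mount. The script below is an added example, not part of the bug report or of libguestfs: it cross-references a guest's crypttab and fstab to list which mounts depend on a dm-crypt mapping and what key source each needs, which is the check an operator wants before running an offline tool against such an image. The crypttab and fstab contents are constructed to match the test case in comment 4 plus one hypothetical whole-disk entry (`luks-pv`, a made-up name).

```python
"""Cross-reference a guest's /etc/crypttab with /etc/fstab.

Added example (not from the bug report or libguestfs). Reports which fstab
mounts sit on a crypttab mapping (and the key each mapping needs), and which
mappings are opened at boot without being mounted directly, the usual sign
of a LUKS container holding an LVM PV (anaconda-style whole-disk encryption).
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input. "my_test" mirrors comment 4 of the thread;
# "luks-pv" is a hypothetical whole-disk style entry (UUID is made up).
CRYPTTAB = """\
# <target name>  <source device>                               <key file>       <options>
my_test          /dev/vda3                                     /root/.my_test
luks-pv          UUID=0f3a2b1c-0000-4000-8000-000000000001     none             luks
"""

FSTAB = """\
/dev/rhel/root        /             xfs   defaults 0 0
/dev/vda1             /boot         xfs   defaults 0 0
/dev/mapper/my_test   /mnt/my_test  ext4  defaults 0 0
"""


@dataclass
class CryptEntry:
    name: str                 # dm target name, appears as /dev/mapper/<name>
    device: str               # backing block device (path or UUID=...)
    key_source: str           # "passphrase" or the key-file path
    options: List[str] = field(default_factory=list)


@dataclass
class MountEntry:
    device: str
    mountpoint: str
    fstype: str


def _records(text: str):
    """Yield whitespace-split fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield stripped.split()


def parse_crypttab(text: str) -> Dict[str, CryptEntry]:
    """Parse crypttab: name, device, [keyfile], [options]."""
    entries: Dict[str, CryptEntry] = {}
    for f in _records(text):
        if len(f) < 2:
            continue  # malformed: crypttab requires at least name and device
        keyfile = f[2] if len(f) > 2 else "none"
        # "none" or "-" means the passphrase is asked for interactively
        key_source = "passphrase" if keyfile in ("none", "-") else keyfile
        options = f[3].split(",") if len(f) > 3 else []
        entries[f[0]] = CryptEntry(f[0], f[1], key_source, options)
    return entries


def parse_fstab(text: str) -> List[MountEntry]:
    """Parse fstab: device, mountpoint, fstype (remaining fields ignored)."""
    return [MountEntry(f[0], f[1], f[2]) for f in _records(text) if len(f) >= 3]


def mounts_needing_unlock(crypttab: Dict[str, CryptEntry],
                          fstab: List[MountEntry]) -> List[dict]:
    """fstab mounts whose device is /dev/mapper/<crypttab name>.

    These are exactly the mounts that fail with "No such file or directory"
    if the mapping has not been opened before mounting.
    """
    prefix = "/dev/mapper/"
    found = []
    for m in fstab:
        if not m.device.startswith(prefix):
            continue
        name = m.device[len(prefix):]
        if name in crypttab:          # LVM names under /dev/mapper are skipped
            c = crypttab[name]
            found.append({"mountpoint": m.mountpoint, "mapping": name,
                          "backing_device": c.device, "key_source": c.key_source})
    return found


def unmounted_mappings(crypttab: Dict[str, CryptEntry],
                       fstab: List[MountEntry]) -> List[str]:
    """crypttab mappings no fstab line uses directly (e.g. LUKS over an LVM PV)."""
    used = {r["mapping"] for r in mounts_needing_unlock(crypttab, fstab)}
    return sorted(n for n in crypttab if n not in used)


if __name__ == "__main__":
    ct, fs = parse_crypttab(CRYPTTAB), parse_fstab(FSTAB)
    for r in mounts_needing_unlock(ct, fs):
        print(f"{r['mountpoint']}: open {r['backing_device']} as {r['mapping']} "
              f"(key: {r['key_source']})")
    for name in unmounted_mappings(ct, fs):
        print(f"{name}: opened at boot, not mounted directly (check for LVM PV inside)")
```

The second report matters for the whole-disk case the maintainer describes: the root filesystem appears in fstab as `/dev/rhel/root`, so no fstab line points at the LUKS container at all, and only walking the device stack (LV, VG, PV, then the LUKS device) reveals that a passphrase is needed. That is the inspection libguestfs performs and the reason the fixed tools prompt for a key before examining the guest.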