Bug 1362649 - RFE: virt-sysprep does not utilize libguestfs encryption support
Summary: RFE: virt-sysprep does not utilize libguestfs encryption support
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libguestfs
Version: 7.2
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: rc
: ---
Assignee: Richard W.M. Jones
QA Contact: Virtualization Bugs
Yehuda Zimmerman
URL:
Whiteboard:
Depends On: 1359086
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-02 18:34 UTC by emahoney
Modified: 2017-08-01 22:08 UTC (History)
6 users (show)

Fixed In Version: libguestfs-1.36.1-1.el7
Doc Type: Release Note
Doc Text:
Additional *virt* tools can work on LUKS whole-disk encrypted guests This update adds support for working on LUKS whole-disk encrypted guests using the *virt-customize*, *virt-get-kernel*, *virt-sparsify*, and *virt-sysprep* tools. As a result, these tools can provide keys or passphrases for opening LUKS whole-disk encrypted guests.
Clone Of:
Environment:
Last Closed: 2017-08-01 22:08:55 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2023 normal SHIPPED_LIVE libguestfs bug fix and enhancement update 2017-08-01 19:32:01 UTC

Description emahoney 2016-08-02 18:34:53 UTC
Description of problem:
Need ability to run virt-sysprep on a guest with full-disk encryption.

After running virt-sysprep from (libguestfs-tools-c-1.20.11-14.el6.x86_64)

“
Running virt-sysprep:
Examining the guest ...
virt-sysprep: no operating systems were found in the guest image
“

Version-Release number of selected component (if applicable):
libguestfs-tools-c-1.20.11-14.el6.x86_64

How reproducible:
Every Time

Steps to Reproduce:
1.Create 7.2 guest with LUKS encryption
2.Run virt-sysprep on guest from host
3.

Actual results:
“
Running virt-sysprep:
Examining the guest ...
virt-sysprep: no operating systems were found in the guest image
“

Expected results:


Additional info:

Comment 2 Pino Toscano 2016-08-05 15:11:12 UTC
None of the OCaml-based tools supports opening LUKS-encrypted partitions.

Comment 4 Xianghua Chen 2016-11-09 06:08:33 UTC
Hi Pino,
Do you know by saying "1.Create 7.2 guest with LUKS encryption", does he mean that : create a partition --> encrypt it --> configured to automatically start up at boot ?

I tried that way but can't reproduce it, the version is:
libguestfs-1.32.7-3.el7.x86_64

Steps:
1. Create 7.2 guest with LUKS encryption.
Install a RHEL7.2 guest image (retain some space at the partition step),then boot it, create partition with LUKS:
# fdisk /dev/vda
--> create a new partition /dev/vda3 for testing
# cryptsetup luksFormat /dev/vda3
# cryptsetup luksOpen  /dev/vda3 my_test
# mkfs.ext4 /dev/mapper/my_test
# mkdir /mnt/my_test
# mount /dev/mapper/my_test /mnt/my_test

Configure to automatically start up at boot:
# touch /root/.my_test
# cryptsetup luksAddKey /dev/vda3 /mnt/.my_test
# vim /etc/crypttab
my_test  /dev/vda3  /root/.my_test
# vim /etc/fstab
/dev/mapper/my_test  /mnt/my_test  ext4  defaults 0 0
# init 0

2. 
# virt-sysprep -a rhel7.2-LUKS.qcow2
[   0.0] Examining the guest ...
virt-sysprep: warning: mount_options: mount_options_stub: 
/dev/mapper/my_test: No such file or directory (ignored)
[   6.5] Performing "abrt-data" ...
[   6.5] Performing "bash-history" ...
[   6.5] Performing "blkid-tab" ...
[   6.5] Performing "crash-data" ...
[   6.5] Performing "cron-spool" ...
[   6.6] Performing "dhcp-client-state" ...
[   6.6] Performing "dhcp-server-state" ...
[   6.6] Performing "dovecot-data" ...
[   6.6] Performing "logfiles" ...
[   6.7] Performing "machine-id" ...
[   6.7] Performing "mail-spool" ...
[   6.7] Performing "net-hostname" ...
[   6.8] Performing "net-hwaddr" ...
[   6.8] Performing "pacct-log" ...
[   6.8] Performing "package-manager-cache" ...
[   6.8] Performing "pam-data" ...
[   6.8] Performing "puppet-data-log" ...
[   6.8] Performing "rh-subscription-manager" ...
[   6.8] Performing "rhn-systemid" ...
[   6.8] Performing "rpm-db" ...
[   6.8] Performing "samba-db-log" ...
[   6.9] Performing "script" ...
[   6.9] Performing "smolt-uuid" ...
[   6.9] Performing "ssh-hostkeys" ...
[   6.9] Performing "ssh-userdir" ...
[   6.9] Performing "sssd-db-log" ...
[   6.9] Performing "tmp-files" ...
[   6.9] Performing "udev-persistent-net" ...
[   6.9] Performing "utmp" ...
[   6.9] Performing "yum-uuid" ...
[   6.9] Performing "customize" ...
[   6.9] Setting a random seed
[   7.4] Performing "lvm-uuids" ...

--> It finished successfully with some warning, should I use the 1.20.11-14 to test, or there is some problem in my steps? 

3. 
# guestfish -a rhel7.2-LUKS.qcow2 -i
Enter key or passphrase ("/dev/sda3"): 
libguestfs: error: vfs_type: vfs_type_stub: /dev/mapper/my_test: No such file or directory
libguestfs: error: mount: mount_stub: /dev/mapper/my_test: No such file or directory
guestfish: some filesystems could not be mounted (ignored)

Welcome to guestfish, the guest filesystem shell for
editing virtual machine filesystems and disk images.

Type: 'help' for help on commands
      'man' to read the manual
      'quit' to quit the shell

Operating system: Red Hat Enterprise Linux Server 7.2 (Maipo)
/dev/rhel/root mounted on /
/dev/sda1 mounted on /boot
libguestfs: error: lvm_canonical_lv_name: lvm_canonical_lv_name_stub: /dev/mapper/my_test: No such file or directory
/dev/mapper/my_test mounted on /mnt/my_test

--> Is this alright or just another bug ?

Comment 5 Pino Toscano 2016-11-09 08:55:30 UTC
(In reply to Xianghua Chen from comment #4)
> Hi Pino,
> Do you know by saying "1.Create 7.2 guest with LUKS encryption", does he
> mean that : create a partition --> encrypt it --> configured to
> automatically start up at boot ?

It is meant to be full-disk encryption -- i.e. the option to encrypt the root and all the filesystems (except /boot), as done by anaconda (in RHEL and Fedora guests).  When using a kickstart, you can use a like like:

  part pv.10   --fstype=lvmpv  --size=1 --grow --encrypted --passphrase="thepassword"

What you describe (very nice test case, btw) is another style of LUKS encryption, which is not supported yet by the libguestfs tools. Please open a separate RFE for that, so we can track that work properly.

Comment 6 Xianghua Chen 2016-11-10 09:16:57 UTC
> What you describe (very nice test case, btw) is another style of LUKS
> encryption, which is not supported yet by the libguestfs tools. Please open
> a separate RFE for that, so we can track that work properly.

Have filed a new RFE bug for this: bug#1393747


Hi Evan,
I'm QE for libguestfs, and trying to reproduce this bug.
Do you have the kickstart file which can install this kind luks encrypt guest image?
I failed to create the guest by adding this line to my ks file:
part pv.10   --fstype=lvmpv  --size=1 --grow --encrypted --passphrase="thepassword"
Maybe there are some other options ? Could you kindly provide more info?
Thank you very much:)

Comment 12 YongkuiGuo 2017-03-28 08:02:15 UTC
Verified with package:
libguestfs-1.36.3-1.el7.x86_64

Steps:
1. Prepare a LUKS guest image (encrypt  it when install the image, using password: REDHAT).
2. Virt-sysprep the encrypted  guest image:
# virt-sysprep -a RHEL7.3-LUKS.qcow2 --echo-keys
[ 0.0] Examining the guest ...
Enter key or passphrase ("/dev/sda2"): REDHAT
[ 66.9] Performing "abrt-data" ...
[ 66.9] Performing "backup-files" ...
[ 67.7] Performing "bash-history" ...
[ 67.7] Performing "blkid-tab" ...
[ 67.7] Performing "crash-data" ...
[ 67.7] Performing "cron-spool" ...
[ 67.7] Performing "dhcp-client-state" ...
[ 67.7] Performing "dhcp-server-state" ...
[ 67.7] Performing "dovecot-data" ...
[ 67.7] Performing "logfiles" ...
[ 67.7] Performing "machine-id" ...
[ 67.7] Performing "mail-spool" ...
[ 67.7] Performing "net-hostname" ...
[ 67.7] Performing "net-hwaddr" ...
[ 67.7] Performing "pacct-log" ...
[ 67.7] Performing "package-manager-cache" ...
[ 67.7] Performing "pam-data" ...
[ 67.7] Performing "passwd-backups" ...
[ 67.7] Performing "puppet-data-log" ...
[ 67.7] Performing "rh-subscription-manager" ...
[ 67.7] Performing "rhn-systemid" ...
[ 67.7] Performing "rpm-db" ...
[ 67.7] Performing "samba-db-log" ...
[ 67.7] Performing "script" ...
[ 67.7] Performing "smolt-uuid" ...
[ 67.7] Performing "ssh-hostkeys" ...
[ 67.7] Performing "ssh-userdir" ...
[ 67.7] Performing "sssd-db-log" ...
[ 67.7] Performing "tmp-files" ...
[ 67.7] Performing "udev-persistent-net" ...
[ 67.7] Performing "utmp" ...
[ 67.7] Performing "yum-uuid" ...
[ 67.7] Performing "customize" ...
[ 67.7] Setting a random seed
[ 68.0] Performing "lvm-uuids" ...

The command can be executed successfully.
So verified.

Comment 15 errata-xmlrpc 2017-08-01 22:08:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2023


Note You need to log in before you can comment on or make changes to this bug.