RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2106286 - virt-sysprep: make an effort to support LUKS on LV
Summary: virt-sysprep: make an effort to support LUKS on LV
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: guestfs-tools
Version: 9.1
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Laszlo Ersek
QA Contact: YongkuiGuo
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-07-12 09:54 UTC by YongkuiGuo
Modified: 2022-11-15 10:13 UTC (History)
5 users (show)

Fixed In Version: guestfs-tools-1.48.2-5.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-11-15 09:52:44 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-127475 0 None None None 2022-07-12 09:57:06 UTC
Red Hat Product Errata RHSA-2022:7959 0 None None None 2022-11-15 09:52:57 UTC

Description YongkuiGuo 2022-07-12 09:54:17 UTC 
Description of problem:
virt-sysprep fails to run on encrypted disk image with LUKS on LV, but according to the LUKS FAQ, virt-sysprep should not be used on encrypted disk images.

https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/FAQ.md

CLONING/IMAGING: If you clone or image a LUKS container, you make a copy of the LUKS header and the volume key will stay the same! That means that if you distribute an image to several machines, the same volume key will be used on all of them, regardless of whether you change the passphrases. Do NOT do this! If you do, a root-user on any of the machines with a mapped (decrypted) container or a passphrase on that machine can decrypt all other copies, breaking security.

6.15 Can I clone a LUKS container?
You can, but it breaks security, because the cloned container has the same header and hence the same volume key. Even if you change the passphrase(s), the volume key stays the same. That means whoever has access to one of the clones can decrypt them all, completely bypassing the passphrases.

While you can use cryptsetup-reencrypt to change the volume key, this is probably more effort than to create separate LUKS containers in the first place.

The right way to do this is to first luksFormat the target container, then to clone the contents of the source container, with both containers mapped, i.e. decrypted. You can clone the decrypted contents of a LUKS container in binary mode, although you may run into secondary issues with GUIDs in filesystems, partition tables, RAID-components and the like. These are just the normal problems binary cloning causes.

Note that if you need to ship (e.g.) cloned LUKS containers with a default passphrase, that is fine as long as each container was individually created (and hence has its own volume key). In this case, changing the default passphrase will make it secure again.


Version-Release number of selected component (if applicable):
libguestfs-1.48.3-5.el9.x86_64
guestfs-tools-1.48.2-4.el9.x86_64


How reproducible:
100%


Steps:

1. Create an encrypted VM (rhel9-luks-on-lv) with LUKS on LV
# lsblk
NAME                                            MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
sr0                                              11:0    1 1024M  0 rom  
vda                                             252:0    0   10G  0 disk  
├─vda1                                          252:1    0    1G  0 part  /boot
└─vda2                                          252:2    0    9G  0 part  
  ├─rhel-root                                   253:0    0    8G  0 lvm  
  │ └─luks-e5b1101d-815d-4f07-a19e-8f739bcc3657 253:2    0    8G  0 crypt /
  └─rhel-swap                                   253:1    0    1G  0 lvm  
    └─luks-91fdf893-fff9-40b1-be55-ddb872501e72 253:3    0 1008M  0 crypt [SWAP]

2.
# virt-sysprep  -a /var/lib/libvirt/images/rhel9-luks-on-lv.qcow2
[   0.0] Examining the guest ...
Enter key or passphrase ("/dev/rhel/root"):  --- input passphrase
Enter key or passphrase ("/dev/rhel/swap"):  --- input passphrase
[  19.3] Performing "abrt-data" ...
[  19.3] Performing "backup-files" ...
[  19.8] Performing "bash-history" ...
[  19.8] Performing "blkid-tab" ...
[  19.8] Performing "crash-data" ...
[  19.8] Performing "cron-spool" ...
[  19.8] Performing "dhcp-client-state" ...
[  19.8] Performing "dhcp-server-state" ...
[  19.8] Performing "dovecot-data" ...
[  19.8] Performing "ipa-client" ...
[  19.8] Performing "kerberos-hostkeytab" ...
[  19.9] Performing "logfiles" ...
[  19.9] Performing "lvm-system-devices" ...
[  19.9] Performing "machine-id" ...
[  19.9] Performing "mail-spool" ...
[  19.9] Performing "net-hostname" ...
[  19.9] Performing "net-hwaddr" ...
[  19.9] Performing "net-nmconn" ...
[  20.0] Performing "pacct-log" ...
[  20.0] Performing "package-manager-cache" ...
[  20.0] Performing "pam-data" ...
[  20.0] Performing "passwd-backups" ...
[  20.0] Performing "puppet-data-log" ...
[  20.0] Performing "rh-subscription-manager" ...
[  20.1] Performing "rhn-systemid" ...
[  20.1] Performing "rpm-db" ...
[  20.1] Performing "samba-db-log" ...
[  20.1] Performing "script" ...
[  20.1] Performing "smolt-uuid" ...
[  20.1] Performing "ssh-hostkeys" ...
[  20.1] Performing "ssh-userdir" ...
[  20.1] Performing "sssd-db-log" ...
[  20.1] Performing "tmp-files" ...
[  20.2] Performing "udev-persistent-net" ...
[  20.2] Performing "utmp" ...
[  20.2] Performing "yum-uuid" ...
[  20.2] Performing "customize" ...
[  20.2] Setting a random seed
[  20.2] Setting the machine ID in /etc/machine-id
[  20.2] SELinux relabelling
[  35.4] Performing "lvm-uuids" ...
virt-sysprep: error: libguestfs error: vg_activate_all: vgchange:   Logical
volume rhel/root is used by another device.
  Can't deactivate volume group "rhel" with 2 open logical volume(s)

If reporting bugs, run virt-sysprep with debugging enabled and include the
complete output:

  virt-sysprep -v -x [...]


Actual results:
As above

Expected results:
Update virt-sysprep document 

Additional info:
Comment 1 Laszlo Ersek 2022-07-12 10:18:29 UTC 
Thanks for the report, will update the documentation, and perhaps also add some "best effort" logic for virt-sysprep not to choke on LUKS-on-LV.

(Background: https://bugzilla.redhat.com/show_bug.cgi?id=1809453#c34 and onwards.)
Comment 2 YongkuiGuo 2022-07-12 10:32:35 UTC 
(In reply to Laszlo Ersek from comment #1)
> Thanks for the report, will update the documentation, and perhaps also add
> some "best effort" logic for virt-sysprep not to choke on LUKS-on-LV.
> 
> (Background: https://bugzilla.redhat.com/show_bug.cgi?id=1809453#c34 and
> onwards.)

Got it. Adding "best effort" logic will be wonderful. Thanks.
Comment 3 Laszlo Ersek 2022-07-12 11:43:20 UTC 
Argh, this is nasty. Beyond "lvm-uuids", we have another sysprep operation that works on block devices, and not on filesystems: it's called "fs-uuids". It does basically the same (UUID regeneration), just for filesystems, not logical volumes.

Here's why it is a problem: if we close the decrypted devices between unmounting all filesystems and running the device-level operations, then filesystems on LUKS-on-LV devices will no longer be accessible at the block device level, and "fs-uuids" will not see them.

Basically the way filesystems, LUKS block devices, and logical volumes are stacked, virt-sysprep's current lumping-together of all device-level operations is not flexible enough. There is a particular order in which (1) fs unmounting, (2) fs-uuid regen, (3) LUKS closing, and (4) lvm-uuid regen need to occur. The problem is that (1) and (3) are (supposed to be) in "sysprep/main.ml", whereas (2) and (4) are supposed to be "pluggable" and at most reorderable between each other -- but not possible to order relative to (1) and (3). So with this we're hitting an infrastructure / design limit of virt-sysprep.

With LV-on-LUKS this was no problem; we'd never try to close LUKS -- step (3) from above falls away --, so (1) fs unmounting in "main" would occur, then separately the device-level operations (2) fs-uuid and (4) lvm-uuid, would execute successfully in any (unspecified) order between each other.

Rich, any ideas? Thanks.
Comment 4 Laszlo Ersek 2022-07-12 11:44:54 UTC 
As a workaround we could try ordering lvm-uuid strictly after fs-uuid (I think we have infrastructure for that), *plus* hack lvm-uuid such that, if the initial LVM deactivation attempt fails, we internally try to close all LUKS devices (again, internally to the lvm-uuid operation). This looks super ugly though.
Comment 5 Laszlo Ersek 2022-07-14 10:40:39 UTC 
[guestfs-tools PATCH 0/2] sysprep: full disk encryption improvements
Message-Id: <20220714104005.8334-1-lersek>
https://listman.redhat.com/archives/libguestfs/2022-July/029450.html
Comment 6 Laszlo Ersek 2022-07-15 06:30:47 UTC 
(In reply to Laszlo Ersek from comment #5)
> [guestfs-tools PATCH 0/2] sysprep: full disk encryption improvements
> Message-Id: <20220714104005.8334-1-lersek>
> https://listman.redhat.com/archives/libguestfs/2022-July/029450.html

Upstream commit range a7ffb717306f..b49ee909f5d1.
Comment 7 YongkuiGuo 2022-07-18 05:08:19 UTC 
Tested with package:
guestfs-tools-1.48.2-5.el9.x86_64

Steps:

1.
# virt-sysprep -a /var/lib/libvirt/images/rhel9-luks-on-lv.qcow2 
[   0.0] Examining the guest ...
Enter key or passphrase ("/dev/rhel/root"): 
Enter key or passphrase ("/dev/rhel/swap"): 
[  38.4] Performing "abrt-data" ...
[  38.4] Performing "backup-files" ...
[  38.9] Performing "bash-history" ...
[  38.9] Performing "blkid-tab" ...
[  38.9] Performing "crash-data" ...
[  38.9] Performing "cron-spool" ...
[  38.9] Performing "dhcp-client-state" ...
[  38.9] Performing "dhcp-server-state" ...
[  38.9] Performing "dovecot-data" ...
[  39.0] Performing "ipa-client" ...
[  39.0] Performing "kerberos-hostkeytab" ...
[  39.0] Performing "logfiles" ...
[  39.0] Performing "lvm-system-devices" ...
[  39.0] Performing "machine-id" ...
[  39.0] Performing "mail-spool" ...
[  39.0] Performing "net-hostname" ...
[  39.0] Performing "net-hwaddr" ...
[  39.1] Performing "net-nmconn" ...
[  39.1] Performing "pacct-log" ...
[  39.1] Performing "package-manager-cache" ...
[  39.1] Performing "pam-data" ...
[  39.1] Performing "passwd-backups" ...
[  39.2] Performing "puppet-data-log" ...
[  39.2] Performing "rh-subscription-manager" ...
[  39.2] Performing "rhn-systemid" ...
[  39.2] Performing "rpm-db" ...
[  39.2] Performing "samba-db-log" ...
[  39.2] Performing "script" ...
[  39.2] Performing "smolt-uuid" ...
[  39.2] Performing "ssh-hostkeys" ...
[  39.2] Performing "ssh-userdir" ...
[  39.3] Performing "sssd-db-log" ...
[  39.3] Performing "tmp-files" ...
[  39.3] Performing "udev-persistent-net" ...
[  39.3] Performing "utmp" ...
[  39.3] Performing "yum-uuid" ...
[  39.3] Performing "customize" ...
[  39.3] Setting a random seed
[  39.3] Setting the machine ID in /etc/machine-id
[  39.3] SELinux relabelling
[  54.6] Performing "lvm-uuids" ...

No error is printed.

2.
# man virt-sysprep
...
Virtual machines that employ full disk encryption internally to the guest should not be considered for cloning and distribution, as it provides multiple parties with the same internal volume key, enabling any one such party to decrypt all the other clones.  Refer to the LUKS FAQ for details.
...

The above lines are added to the man page.
Comment 8 YongkuiGuo 2022-07-22 02:30:08 UTC 
Hi,lersek

The Verified:Tested flag has been set, but I don't know why this bug is not added into the erratum automatically. Could you help with that manually? Thanks.
Comment 17 errata-xmlrpc 2022-11-15 09:52:44 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: guestfs-tools security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7959
Note You need to log in before you can comment on or make changes to this bug.