[Libguestfs] [libguestfs-common PATCH] options: attempt naming all decrypted LUKS devices by UUID

Laszlo Ersek lersek at redhat.com
Tue Apr 12 10:05:14 UTC 2022


On 04/11/22 14:37, Richard W.M. Jones wrote:
> On Mon, Apr 11, 2022 at 02:09:52PM +0200, Laszlo Ersek wrote:
>> In commit 2d8c0f8d40b5 ("options: decrypt LUKS-on-LV devices",
>> 2022-02-28), in order to keep that change as contained as possible, we
>> didn't modify the naming scheme of those decrypted LUKS devices that
>> originated directly from partitions -- we passed "name_decrypted_by_uuid =
>> false" for partitions fetched with guestfs_list_partitions().
>>
>> Turns out that this is exactly what prevents us from decrypting the
>> following block device structure (seen in RHEL6 guests; for example one
>> installed from "RHEL-6.10-20180525.0-Server-x86_64-dvd1.iso"):
>>
>>> NAME                                                 MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
>>> vda                                                  252:0    0    9G  0 disk
>>> ├─vda1                                               252:1    0    1G  0 part  /boot
>>> ├─vda2                                               252:2    0    7G  0 part
>>> │ └─luks-37f5c9df-acda-4955-8cfd-872f0da5e35b (dm-0) 253:0    0    7G  0 crypt /
>>> └─vda3                                               252:3    0 1023M  0 part  [SWAP]
>>> sr0                                                   11:0    1 1024M  0 rom
>>
>> The problem is that we prefer (a) make_mapname() due to the LUKS header
>> residing directly on a partition, so we call the plaintext device
>> "/dev/mapper/cryptsda2"; however (b) "/etc/fstab" in the guest refers to
>> the same plaintext device by the standard, UUID-based
>> "/dev/mapper/luks-37f5c9df-acda-4955-8cfd-872f0da5e35b" pathname.
>> Therefore "inspect_get_mountpoints" in "libguestfs/daemon/inspect.ml"
>> returns the latter pathname -- which we can't mount.
>>
>> Hardwire "name_decrypted_by_uuid = true" in "options/decrypt.c" -- by
>> which effort we can as well remove the "name_decrypted_by_uuid" parameter.
>>
>> Testing: the libguestfs, guestfs-tools, and virt-v2v test suites (make
>> check) pass with this update. Furthermore, "guestfish -i", virt-inspector,
>> and virt-v2v now recognize the above blockdev / fs structure (and the
>> converted guest boots).
>>
>> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1658128
>> Signed-off-by: Laszlo Ersek <lersek at redhat.com>
>> ---
>>  options/decrypt.c | 10 ++++------
>>  1 file changed, 4 insertions(+), 6 deletions(-)
>>
>> diff --git a/options/decrypt.c b/options/decrypt.c
>> index b899a0028620..1cd7b627e264 100644
>> --- a/options/decrypt.c
>> +++ b/options/decrypt.c
>> @@ -111,15 +111,15 @@ make_mapname (const char *device)
>>    }
>>  
>>    return mapname;
>>  }
>>  
>>  static bool
>>  decrypt_mountables (guestfs_h *g, const char * const *mountables,
>> -                    struct key_store *ks, bool name_decrypted_by_uuid)
>> +                    struct key_store *ks)
>>  {
>>    bool decrypted_some = false;
>>    const char * const *mnt_scan = mountables;
>>    const char *mountable;
>>  
>>    while ((mountable = *mnt_scan++) != NULL) {
>>      CLEANUP_FREE char *type = NULL;
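
Review bot: decrypt_mountables() has no comment above its definition in this hunk, and with name_decrypted_by_uuid dropped from the signature the naming policy is no longer visible at the call sites. A short comment on the function would keep that contract documented next to the signature. It should say that the plaintext device is named "luks-<UUID>" when a UUID is available, and that make_mapname() is used otherwise.
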
>> @@ -144,16 +144,15 @@ decrypt_mountables (guestfs_h *g, const char * const *mountables,
>>      /* Grab the keys that we should try with this device, based on device name,
>>       * or UUID (if any).
>>       */
>>      keys = get_keys (ks, mountable, uuid);
>>      assert (keys[0] != NULL);
>>  
>>      /* Generate a node name for the plaintext (decrypted) device node. */
>> -    if (!name_decrypted_by_uuid || uuid == NULL ||
>> -        asprintf (&mapname, "luks-%s", uuid) == -1)
>> +    if (uuid == NULL || asprintf (&mapname, "luks-%s", uuid) == -1)
>>        mapname = make_mapname (mountable);
>>  
>>      /* Try each key in turn. */
>>      key_scan = (const char * const *)keys;
>>      while ((key = *key_scan++) != NULL) {
>>        int r;
>>  
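
Review bot: the rewritten condition, `uuid == NULL || asprintf (&mapname, "luks-%s", uuid) == -1`, sends both a missing UUID and an asprintf failure silently to make_mapname(), so nothing records that the UUID-based name was not used. The commit message explains that mounting depends on the "luks-<UUID>" name, so a debug or warning message on the fallback path would make that case diagnosable. The "Generate a node name" comment could also state that the UUID form is preferred. Separately, partitions now share the "luks-<UUID>" namespace with LVs, so two block devices carrying the same LUKS UUID would be given the same mapname. It is worth a sentence on whether that is expected to fail at open time.
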
>> @@ -188,20 +187,19 @@ inspect_do_decrypt (guestfs_h *g, struct key_store *ks)
>>    CLEANUP_FREE_STRING_LIST char **partitions = guestfs_list_partitions (g);
>>    CLEANUP_FREE_STRING_LIST char **lvs = NULL;
>>    bool need_rescan;
>>  
>>    if (partitions == NULL)
>>      exit (EXIT_FAILURE);
>>  
>> -  need_rescan = decrypt_mountables (g, (const char * const *)partitions, ks,
>> -                                    false);
>> +  need_rescan = decrypt_mountables (g, (const char * const *)partitions, ks);
>>  
>>    if (need_rescan) {
>>      if (guestfs_lvm_scan (g, 1) == -1)
>>        exit (EXIT_FAILURE);
>>    }
>>  
>>    lvs = guestfs_lvs (g);
>>    if (lvs == NULL)
>>      exit (EXIT_FAILURE);
>> -  decrypt_mountables (g, (const char * const *)lvs, ks, true);
>> +  decrypt_mountables (g, (const char * const *)lvs, ks);
>>  }
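
Review bot: the partitions call in inspect_do_decrypt() now takes the UUID naming path, but the diffstat lists only options/decrypt.c, so no regression test accompanies the change. The commit message describes manual verification with a RHEL6 guest. A test with a LUKS header directly on a partition and a guest /etc/fstab that refers to /dev/mapper/luks-<UUID> would keep this layout covered, whether it lands here or in one of the projects that consume the submodule.
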
>>
>> base-commit: ab708d11d832457d2a0c74e7a6d8c219a4fdd90f
> 
> ACK

libguestfs-common commit e96698865bf5 ("options: attempt naming all decrypted LUKS devices by UUID", 2022-04-12)
libguestfs commit 05419dbcec71 ("Update common submodule", 2022-04-12)
guestfs-tools commit 8418b44d32c3 ("Update common submodule", 2022-04-12)
virt-v2v commit 68211371411d ("Update common submodule", 2022-04-12)

Thanks
Laszlo

