Updates to Portable SR Functionality (master) #5842
Conversation
Shell quoting changes in xen-api.git 65f152d broke the dry-run functionality, as by quoting parameters in the way it was done it meant the space separation was not properly handled to separate parameters etc. Signed-off-by: Alex Brett <alex.brett@cloud.com>
The xe-[backup,restore]-metadata scripts have cleanup logic designed to ensure we do not leave any vbd objects etc behind. This logic calls `vbd-unplug` with a 20s timeout, and then (regardless of the result) allows up to 10s for any device specified in the VBD to disappear - if it does not, it does not trigger a `vbd-destroy`. This logic fails in the case where a VDI is attached to a VM running on the same host, as the `device` field in the new VBD will be populated with the backend device for the running VM. In this case, the `vbd-unplug` fails immediately (as the vbd is not plugged because the original `vbd-plug` attempt fails as the VDI is in use), but then we sit waiting for 10s for the device to disappear (which is obviously does not), and then fail to trigger a `vbd-destroy`, leaving the VBD behind. Fix this by simply removing the wait for the device to disappear and always attempting a `vbd-destroy`, as I am not aware of any situation where this additional 10s wait will give any benefit given current behaviours. Signed-off-by: Alex Brett <alex.brett@cloud.com>
This patch makes the feature use the debugfs utility, part of e2fsprogs. This makes the system as a whole a heck of a lot better, if only because it won't be able to parse XFS, ReiserFS or any of the many plugins of libfsimage. Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
Add a new option `-o` to xe-restore-metadata, which is used to distinguish whether to allow use of legacy backup VDIs, or enforce only use of the new format VDIs with known UUIDs. Also modify xe-restore-metadata such that it no longer stops searching the candidate list if only one VDI is found, but instead identifies all possible backup VDIs. If more than one is found, and you are doing anything other than listing the VDIs, the script will abort. This is to cover the case where a malicious legacy format VDI is present - we will detect it and the expected 'real' backup VDI. Modify xe-backup-metadata to always expect to use the deterministic UUID to identify the VDI to add backups to, do not rely on the `other-config:ctxs-pool-backup` property for identification in any way. This is XSA-459 / CVE-2024-31144 Signed-off-by: Alex Brett <alex.brett@cloud.com>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
scripts/xe-restore-metadata
Outdated
|
|
||
| if [ -e "${mnt}/.ctxs-metadata-backup" ]; then | ||
| ${debug} echo "Found backup metadata on VDI: ${vdi_uuid}" >&2 | ||
| matched_vdis+=( ${vdi_uuid} ) |
Check warning
Code scanning / shellcheck
SC2206 Warning
scripts/xe-restore-metadata
Outdated
| vdi_uuid=${matched_vdis[0]} | ||
| xe vdi-param-set uuid="${vdi_uuid}" other-config:ctxs-pool-backup=true | ||
| createvbd | ||
| if [ $? -ne 0 ]; then |
Check warning
Code scanning / shellcheck
SC2181 Warning
scripts/xe-restore-metadata
Outdated
| exit 1 | ||
| fi | ||
| mountvbd | ||
| if [ $? -ne 0 ]; then |
Check warning
Code scanning / shellcheck
SC2181 Warning
| @@ -319,8 +362,8 @@ | |||
| fi | |||
| shopt -s nullglob | |||
| for meta in *.vmmeta; do | |||
| echo xe vm-import filename="${meta}" sr-uuid="${sr_uuid}" --metadata --preserve"${force_flag}""${dry_run_flag}" | |||
| "@OPTDIR@/bin/xe" vm-import filename="${full_dir}/${meta}" sr-uuid="${sr_uuid}" --metadata --preserve"${force_flag}""${dry_run_flag}" | |||
| echo xe vm-import filename="${meta}" sr-uuid="${sr_uuid}" --metadata --preserve${force_flag}${dry_run_flag} | |||
Check warning
Code scanning / shellcheck
SC2086 Warning
scripts/xe-restore-metadata
Outdated
| echo xe vm-import filename="${meta}" sr-uuid="${sr_uuid}" --metadata --preserve"${force_flag}""${dry_run_flag}" | ||
| "@OPTDIR@/bin/xe" vm-import filename="${full_dir}/${meta}" sr-uuid="${sr_uuid}" --metadata --preserve"${force_flag}""${dry_run_flag}" | ||
| echo xe vm-import filename="${meta}" sr-uuid="${sr_uuid}" --metadata --preserve${force_flag}${dry_run_flag} | ||
| "@OPTDIR@/bin/xe" vm-import filename="${full_dir}/${meta}" sr-uuid="${sr_uuid}" --metadata --preserve${force_flag}${dry_run_flag} |
Check warning
Code scanning / shellcheck
SC2086 Warning
scripts/xe-restore-metadata
Outdated
| echo xe vm-import filename="${meta}" sr-uuid="${sr_uuid}" --metadata --preserve"${force_flag}""${dry_run_flag}" | ||
| "@OPTDIR@/bin/xe" vm-import filename="${full_dir}/${meta}" sr-uuid="${sr_uuid}" --metadata --preserve"${force_flag}""${dry_run_flag}" | ||
| echo xe vm-import filename="${meta}" sr-uuid="${sr_uuid}" --metadata --preserve${force_flag}${dry_run_flag} | ||
| "@OPTDIR@/bin/xe" vm-import filename="${full_dir}/${meta}" sr-uuid="${sr_uuid}" --metadata --preserve${force_flag}${dry_run_flag} |
Check warning
Code scanning / shellcheck
SC2086 Warning
|
Associated xsconsole PR xapi-project/xsconsole#47 |
- Quote a parameter - Adjust how we check the returncode of some function calls to satifsy shellcheck - Disable the warnings where we are explicitly relying on string splitting Signed-off-by: Alex Brett <alex.brett@cloud.com>
alexbrett
force-pushed
the
XSA-459_master
branch
from
716607a
to
f3ad0bc
Compare
|
@alexbrett can you address the CI problems? |
As far as I can see the one remaining issue is a false positive (and not from anything I've touched) - it claims |
|
@edwintorok can you review this |
|
There are 2 files: xe-backup-metadata and xe-restore-metadata. |
|
Suggested fix (we do want to retain the flag for backward compat): diff --git a/scripts/xe-backup-metadata b/scripts/xe-backup-metadata
index 9aac72573..63c2b8811 100755
--- a/scripts/xe-backup-metadata
+++ b/scripts/xe-backup-metadata
@@ -70,7 +70,6 @@ just_find_vdi=0
fs_uninitialised=0
usage_alert=90
force_backup=0
-yes=0
while getopts "yhvink:u:dcf" opt ; do
case $opt in
h) usage ;;
@@ -81,7 +80,8 @@ while getopts "yhvink:u:dcf" opt ; do
d) leave_mounted=1 ;;
n) just_find_vdi=1 ;;
v) debug="" ;;
- y) yes=1 ;;
+ y) # ignored for backward compat
+ ;;
f) force_backup=1 ;;
*) echo "Invalid option"; usage ;;
esac |
|
The reason shellcheck complains about this now, is that previously there was code that using |
It was only introduced in 7f1d315 as part of the original changes to bring in some of this functionality, so we can probably safely remove it entirely as I don't think any other components/users will have consumed it? |
|
@alexbrett are you going to update your PR? |
This parameter was added in 7f1d315, but the changes to always use the new metadata VDIs with known UUIDs means it is no longer required, so remove it. Signed-off-by: Alex Brett <alex.brett@cloud.com>
XSA-459 (https://xenbits.xen.org/xsa/advisory-459.html) covers a security issue with the Portable SR (also known as VM Metadata Backup/Restore) functionality.
Now the embargo has lifted, this PR includes: