similar to: [PATCH 0/2] Implement virt-builder --selinux-relabel option.

Commit 72afcf450a78b7e58f65b4a7aaf94d71cd25fca5 was partially incorrect. If the guest userspace is expecting /selinux to exist, then we should bind-mount /sys/fs/selinux from the appliance kernel there. --- daemon/command.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/daemon/command.c b/daemon/command.c index 1aa1a52..939bf87 100644 --- a/daemon/command.c

I think this patch is also uncontroversial. If selinux=1 then we mount /selinux in the appliance. We also bind-mount it into guests when running commands, just like we do for /proc, /dev etc. If SELinux is disabled, then /selinux doesn't get mounted. Rich. -- Richard Jones, Emerging Technologies, Red Hat http://et.redhat.com/~rjones virt-p2v converts physical machines to virtual

This is a more working version. Inspection (partially) succeeds on a real guest this time :-) You can test it out on a real guest (in this case, a CentOS disk image located at /tmp/centos-6.img) by doing: $ ./run guestfish -v -x -a /tmp/centos-6.img ><fs> run ><fs> debug sh "guestfs-inspection --verbose" which will print lots of debugging, and at the end the

For background on this change, see: https://rwmj.wordpress.com/2015/12/06/inspection-now-with-added-prolog/ v2 was previously posted here: https://www.redhat.com/archives/libguestfs/2015-December/msg00038.html To test this patch series on a real guest, you can do: $ ./run guestfish -v -x -a /var/tmp/centos-6.img ><fs> run ><fs> debug sh "guestfs-inspection

daemon.c does just a chroot, without chdir. The result is that pwd does not work correctly (it causes fs/dcache.c:prepend_unreachable() to add the unreachable string). A workaround is to add "cd /" before each sh command. ><fs> mount /dev/sda2 / ><fs> sh "cd / ; chroot / ; /bin/pwd" / ><fs> sh "/bin/pwd" (unreachable)/ ><fs> sh

I ran the Coverity static analyzer[1] on libguestfs, and fixed many errors as a result. Coverity found some errors in gnulib, but it doesn't seem to be worth following those up since the version of gnulib we are using is so old. There are a couple more errors (possibly 1 false-positive) which I'm going to send in a separate email. BTW all the errors found by Coverity were in the daemon

Simply a file rename, no other change. --- daemon/Makefile.am | 2 +- daemon/command.c | 319 ----------------------------------------------------- daemon/sh.c | 319 +++++++++++++++++++++++++++++++++++++++++++++++++++++ po/POTFILES | 2 +- 4 files changed, 321 insertions(+), 321 deletions(-) delete mode 100644 daemon/command.c create mode 100644 daemon/sh.c diff --git

On Tuesday 28 January 2014 16:21:09 Richard W.M. Jones wrote: > Commit 72afcf450a78b7e58f65b4a7aaf94d71cd25fca5 was partially > incorrect. If the guest userspace is expecting /selinux to exist, > then we should bind-mount /sys/fs/selinux from the appliance kernel > there. > --- > daemon/command.c | 16 +++++++++++++--- > 1 file changed, 13 insertions(+), 3 deletions(-) >

Add an architecture field for all the entries in each index, so we know which architecture they are (not used right now, but will be in the future). The problematic part here is properly marking with the correct architecture: since we only know the current index on libguestfs.org contains x86_64/amd64 images, entries coming from it are marked that way; images in all the other indexes

Tested with 'make check-release'. tests/parallel (in check-slow) failed, although it does regularly and that seems to be because of libvirt. Rich.

There's not going to be an easy way to present this patch. It's huge and interconnected. Anyway, what it does is lay the groundwork for a new tool which I'm calling 'virt-customize'. virt-customize is virt-builder, but without the part where it downloads a template from a respository. Just the part where it customizes the template, that is, installing packages, editing

Setting timezone is easy. It turns out to be almost impossible to set keyboard layout in virt-builder sanely, so I have added some examples instead. Coming up next, setting languages in virt-builder (clue: very very very hard). Rich.

Hi, This small patch serie adds a JSON output for virt-builder. This way it is possible to parse the list of available templates, with no need to parse the unstructured and possibly changing short and long outputs of virt-builder. Pino Toscano (3): builder: small refactor of the list output builder: add --list-format builder: add a JSON output for --list builder/builder.ml

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1212807

On Tuesday 11 March 2014 10:09:45 Richard W.M. Jones wrote: > On Mon, Mar 10, 2014 at 02:28:20PM +0100, Pino Toscano wrote: > > Add the possibility to choose which architecture use to build the > > wanted image (--arch). Since this implies that running commands on > > the guest is usually not possible when the architecture is > > different than the host one, another new

[ I realized that we were discussing adding this feature, in various private email, IRC, and this long bugzilla thread: https://bugzilla.redhat.com/show_bug.cgi?id=1060423 That's not how we should do things. Let's discuss it on the mailing list. ] One thing that virt-customize/virt-sysprep/virt-builder have to do is relabel SELinux guests. What we do at the moment

v1 -> v2: - Add simple test of the setfiles API. - Use SELinux_relabel module in virt-v2v (instead of touch /.autorelabel). - Small fixes. Rich.

We can use the setfiles(8) command to relabel the guest filesystem, even though we don't have a policy loaded nor SELinux enabled in the appliance kernel. This also deprecates or removes the old and broken SELinux support. This patch isn't quite complete - I would like to add some tests to the new API. I'm posting here to garner early feedback. Rich.

When running commands in the mounted guest (using the "command" API, and APIs based on it), provide the /dev/null from the appliance as open fd for stdin. Commands usually assume stdin is open if they didn't close it explicitly, so this should avoid crashes or misbehavings due to that. --- daemon/command.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-)

- add a flag to request chroot for the process, which is done only as very last (before chdir) operation before exec'ing the process in the child: this avoids using CHROOT_IN & CHROOT_OUT around command* invocations, and reduces the code spent in chroot mode - add failure checks for dup2 and open done in child, not proceeding to executing the process if they fail - open /dev/null