We have traditionally used custom printf formatters %Q and %R, where
%Q replaces the argument with a shell-quoted string, and %R replaces
the argument with a sysroot-prefixed shell-quoted string. They are
actually pretty useful, but unfortunately only supported by glibc.
We only used them in about a dozen places in the daemon (much code
having been replaced by OCaml which does not need them).
In every remaining case we were constructing a command using code like
this:
asprintf_nowarn (&cmd,
"cd %Q && find -print0 | %s -0 -o -H %s --quiet", ...);
We can replace this with:
char *cmd;
size_t cmd_size;
fp = open_memstream (&cmd, &cmd_size);
fprintf (fp, "cd ");
shell_quote (dir, fp);
fprintf (fp, " && find -print0 | %s -0 -o -H %s --quiet", ...);
fclose (fp);
(cherry picked from commit 0b3c6cc0c0)
For Device parameters we expect a block device name. However we were
only testing for "/dev/..." and so chardevs (from the appliance) could
be passed here, resulting in strange effects. This adds a function
is_device_parameter which tests for a valid block device name.
For Dev_or_Path parameters much the same, except we can also use the
is_device_parameter function elsewhere in the daemon to distinguish if
we were called with a device or path parameter. Previously we used a
simple test if the path begins with "/dev/...".
Reported by Mathieu Tarral.
GUESTFSD_EXT_CMD was used by OpenSUSE to track which external commands
are run by the daemon and package those commands into the appliance.
It is no longer used by recent SUSE builds, so remove it.
Thanks: Pino Toscano, Olaf Hering.
Run the following command over the source:
perl -pi.bak -e 's/(20[01][0-9])-2016/$1-2017/g' `git ls-files`
(Thanks Rich for the perl snippet, as used in past years.)
Declare most of the stringsbuf as CLEANUP_FREE_STRINGSBUF, so they are
freed completely on stack unwind: use take_stringsbuf() in return
places to take away from the stringsbuf its content, and remove all the
manual calls to free_stringslen (no more needed now).
This requires to not use free_stringslen anymore on failure in the
helper functions of stringsbuf, which now leave the content as-is (might
be still useful even on error).
This allows us to simplify the memory management of stringsbuf's, which
are not properly fully freed, fixing memory leaks in some error paths
(which were not calling free_stringslen).
e2fsck returns 1 in case of "file system errors corrected".
We treat it as success in normal e2fsck, but fail if e2fsck
is run by resize2fs.
Change 'manual' execution of e2fsck to dedicated function call.
GCC has two warnings related to large stack frames. We were already
using the -Wframe-larger-than warning, but this reduces the threshold
from 10000 to 5000 bytes.
However that warning only covers the static part of frames (not
alloca). So this change also enables -Wstack-usage=10000 which covers
both the static and dynamic usage (alloca and variable length arrays).
Multiple changes are made throughout the code to reduce frames to fit
within these new limits.
Note that stack allocation of large strings can be a security issue.
For example, we had code like:
size_t len = strlen (fs->windows_systemroot) + 64;
char software[len];
snprintf (software, len, "%s/system32/config/software",
fs->windows_systemroot);
where fs->windows_systemroot is guest controlled. It's not clear what
the effects might be of allowing the guest to allocate potentially
very large stack frames, but at best it allows the guest to cause
libguestfs to segfault. It turns out we are very lucky that
fs->windows_systemroot cannot be set arbitrarily large (see checks in
is_systemroot).
This commit changes those to large heap allocations instead.
Sometimes the user wants to know minimum size
for dirty (e.g. mounted) filesystems. In this case,
resize2fs -P will require calling e2fsck -f, while
"in general, it is not safe to run e2fsck on mounted filesystems".
Since resize2fs -P does not modify filesystem, we force it
to display (probably approximate) minimum size.
Updating gnulib has caused -Wformat-signedness to be enabled. This
has revealed many problems in C format strings. The fixes here fall
into the following main categories:
- Using %d with an unsigned parameter.
- %x and %o expect an unsigned argument.
- uid_t and gid_t are unsigned on Linux. The safe way to print these
is to cast them to uintmax_t and then print them using the %ju
modifier (see http://stackoverflow.com/a/1401581).
- Using %d to print an enum. Since enums may be either char or int,
I fixed this by casting the enum to int.
- strtol_error & lzma_ret are both unsigned types.
Use commandrvf() instead of commandvf() to execute e2fsck. A non-zero
exit status does not always indicate a failure.
Signed-off-by: Nikos Skalkotos <skalkoto@grnet.gr>
Code like:
CLEANUP_FREE char *buf;
/* some code which might return early */
buf = malloc (10);
is a potential bug because the free (*buf) might be called when buf is
an uninitialized pointer. Initialize buf = NULL to avoid this.
Several of these are bugs, most are not bugs (because there is no
early return statement before the variable gets initialized).
However the compiler can elide the initialization, and even if it does
not the performance "penalty" is miniscule, and correctness is better.
Previously device name translation worked on the string in-place.
This worked fine because the device strings always come from XDR where
they are dynamically allocated. However it wouldn't work if the
translated name had to be longer than the original, specifically for
/dev/sd -> /dev/ubd (for User Mode Linux).
Therefore this commit changes the generator so that
device_name_translation and parse_btrfsvol (which depends on it)
allocate the new device name instead of overwriting it.
These macros are pretty horrible to use, with unexpected side-effects.
Move them exclusively into the generated code and rewrite the one
place in the general C code which used them.
There's no functional change in this code.
Add a utility function (fstype_is_extfs) to match ext2/3/4 filesystem
names. This is used in a couple of places.
When passing the mke2fs -t parameter, verify that the request is for
an ext2/3/4 filesystem. Previously we did not check this, and neither
did mke2fs when the -F flag was also used.
A Mountable is passed from the library to the daemon as a string. The daemon
stub parses it into a mountable_t, which it passes to the implementation.
Update all implementations which now take a mountable_t.
User Phill Bandelow noted that virt-resize fails with an e2fsck error
on a host where the system clock had been accidentally set in the
past.
Unfortunately this was hard to diagnose because guestfsd 'ate' the
stdout of the e2fsck program. I have verified by code inspection that
e2fsck prints messages on stdout.
Thus this changes the daemon to fold stdout and stderr together so we
get to see all error messages from e2fsck when it fails.
New api mke2fs for full configuration of filesystem.
Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
RWMJ:
- Update description.
- Run and fix the tests.
- Remove bogus filename from po/POTFILES.
guestfsd calls many different tools. Keeping track of all of them is
error prone. This patch introduces a new helper macro to put the command
string into its own ELF section:
GUESTFSD_EXT_CMD(C_variable, command_name);
This syntax makes it still possible to grep for used command names.
The actual usage of the collected list could be like this:
objcopy -j .guestfsd_ext_cmds -O binary daemon/guestfsd /dev/stdout |
tr '\0' '\n' | sort -u
The resulting output will be used to tell mkinitrd which programs to
copy into the initrd.
Signed-off-by: Olaf Hering <olaf@aepfle.de>
RWMJ:
- Move str_vgchange at request of author.
- Fix snprintf call in daemon/debug.c
Apparently e2fsprogs only knows that "/dev/sda" is a whole device, but
doesn't think that "/dev/vda" is. On switching the default device
over to virtio-scsi, that causes mke2fs without -F option to complain
and ask for an interactive prompt. Adding -F forces it to go ahead
anyway.
This caused several less-used APIs to break with virtio-scsi.
The new APIs are:
get-e2attrs: List ext2 file attributes of a file.
set-e2attrs: Set or clear ext2 file attributes of a file.
get-e2generation: Get ext2 file generation of a file.
set-e2generation: Set ext2 file generation of a file.
These are implemented using the lsattr and chattr programs from
e2fsprogs.
Previously a lot of daemon code used three variables (a string list,
'int size' and 'int alloc') to track growable strings buffers. This
commit implements a simple struct containing the same variables, but
using size_t instead of int:
struct stringsbuf {
char **argv;
size_t size;
size_t alloc;
};
Use it like this:
DECLARE_STRINGSBUF (ret);
//...
if (add_string (&ret, str) == -1)
return NULL;
//...
if (end_stringsbuf (&ret) == -1)
return NULL;
return ret.argv;
Since we implement the new api e2fsck, just change the
internal of e2fsck_f to use e2fsck now.
v1->v2: use optargs_bitmask
Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
m: Wanlong Gao <gaowanlong@cn.fujitsu.com>
Add a new api e2fsck with two options:
correct: same as '-p' option of e2fsck
forceall: same as '-y' option of e2fsck
Thanks for Rich's idea.
v1->v2: use optargs_bitmask
v2->v3: change the optargs_bitmask check
Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
Tweak the error message "e2fsck -f" and "e2fsck -fy".
Indicate the user to use the correct and/or forceall options.
Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
Previously we bound the 'tune2fs -l' command so that we could list out
the tunables of an ext2/3/4 filesystem. Also commands like
set_e2label and set_e2uuid used tune2fs.
This commit binds many of the tunables that can be set using tune2fs.
The coverage is not complete, but we can add more later because this
uses optional parameters so the call is extensible without breaking
ABI. The current change gives us enough for using libguestfs within
OpenStack.
