qvm-block treats system disks as attachable block devices #1600

Closed
andrewdavidwong opened this Issue Jan 9, 2016 · 21 comments

Comments

@andrewdavidwong
Member

andrewdavidwong commented Jan 9, 2016

qvm-block and Qubes Manager both treat the disk(s) on which Qubes is installed as attachable block devices:

[user@dom0 ~]$ qvm-block -l
dom0:sda     <name>
dom0:sdb     <name>

In Qubes Manager, these disks are available as options to attach to VMs.

sda and sdb are in a RAID1 configuration, with an encrypted LUKS volume on top, and Qubes installed in that volume.

I have not attempted to attach sda or sdb to any VM, for obvious reasons.

@andrewdavidwong

Member

andrewdavidwong commented Jan 9, 2016

LUKS volumes on secondary internal disks are also treated the same way:

[user@dom0 ~]$ qvm-block -l
dom0:dm-2     luks-<UUID>

(At least when on a RAID1 configuration.)

@andrewdavidwong

Member

andrewdavidwong commented Jan 9, 2016

Does anything bad happen if a user accidentally clicks on one of these options in the Qubes Manager "attach block devices" list?

If so, then I think this is pretty serious (but mainly a UI issue). It's very easy to slip and misclick something in the Qubes Manager menu, and the user currently has no way to protect themselves from such a mistake, even if they're fully aware that those options are things they never want to click. If there's any simple, easy-to-implement solution that allows users to hide all dom0 devices from this menu, or something like that, it would be a significant improvement.

@andrewdavidwong

Member

andrewdavidwong commented Jan 13, 2016

Potentially easier way to take care of this: Add a confirmation box.

Are you sure you want to attach <device-name> to <vm-name>?

@marmarek

Member

marmarek commented Jan 13, 2016

I guess the RAID is /dev/md0 or sth like this, right? Devices used by anything theoretically shouldn't be included. It is checked based on /sys/block/sda/holders. But apparently there is a bug in that code...
Check in udev database: udevadm info -q all -n sda and look for QUBES_EXPOSED variable. If it is 0, but device is still visible, I think I know where the problem is.

@andrewdavidwong

Member

andrewdavidwong commented Jan 13, 2016

> I guess the RAID is /dev/md0 or sth like this, right?

Yes, exactly.

> Check in udev database: udevadm info -q all -n sda and look for QUBES_EXPOSED variable.

$ udevadm info -q all -n sda | grep QUBES_EXPOSED
E: QUBES_EXPOSED=1

@marmarek

Member

marmarek commented Jan 13, 2016

On Tue, Jan 12, 2016 at 08:41:18PM -0800, Axon wrote:

> $ udevadm info -q all -n sda | grep QUBES_EXPOSED
> E: QUBES_EXPOSED=1

Is the array made of all the disk, or just some partition(s)? Check the
same for the partitions. This may be another case of 2nd point of
#1072 (comment)

Basically, the whole disk device (sda in this case) should not be
listed if any partition is busy, for whatever reason.

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

@andrewdavidwong

Member

andrewdavidwong commented Jan 13, 2016

> Is the array made of all the disk, or just some partition(s)?

Just some partitions.

> Check the same for the partitions.

Indeed:

$ udevadm info -q all -n sda1 | grep QUBES_EXPOSED
E: QUBES_EXPOSED=0
$ udevadm info -q all -n sda2 | grep QUBES_EXPOSED
E: QUBES_EXPOSED=0
$ udevadm info -q all -n sda3 | grep QUBES_EXPOSED
E: QUBES_EXPOSED=0
$ udevadm info -q all -n sdb1 | grep QUBES_EXPOSED
E: QUBES_EXPOSED=0
$ udevadm info -q all -n sdb2 | grep QUBES_EXPOSED
E: QUBES_EXPOSED=0
$ udevadm info -q all -n sdb3 | grep QUBES_EXPOSED
E: QUBES_EXPOSED=0

marmarek added a commit to marmarek/qubes-linux-utils that referenced this issue Jan 17, 2016

udev: fix hiding devices from qvm-block
When device becomes non-attachable (for example because it gets mounted,
or used as part of LVM/RAID/whatever), it should be removed from
advertised available devices. The code for removing QubesDB entry was
buggy - the device is actually a directory in QubesDB, not a single
entry.

QubesOS/qubes-issues#1600

@marmarek marmarek added this to the Release 3.0 updates milestone Mar 23, 2016

marmarek added a commit to QubesOS/qubes-linux-utils that referenced this issue May 1, 2016

udev: fix hiding devices from qvm-block
When device becomes non-attachable (for example because it gets mounted,
or used as part of LVM/RAID/whatever), it should be removed from
advertised available devices. The code for removing QubesDB entry was
buggy - the device is actually a directory in QubesDB, not a single
entry.

QubesOS/qubes-issues#1600

(cherry picked from commit 22d6892)

marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue May 18, 2016

marmarek added a commit to QubesOS/qubes-core-admin that referenced this issue Jun 25, 2016

marmarek added a commit to QubesOS/qubes-linux-utils that referenced this issue Jun 25, 2016

udev/qvm-block: exclude devices used elsewhere
Exclude device if mounted/part of other device, or any of its
partitions is used (same definition). Update this state whenever device
or its partition receives udev event.

Fixes QubesOS/qubes-issues#1600

(cherry picked from commit efd9854)
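
The rule discussed in this thread and named in the commit message above (hide a whole disk when it, or any of its partitions, is mounted or held by another device) can be checked by hand from sysfs. This is an added example, not the code from qubes-linux-utils; the function names `in_use`, `exposable` and `make_fixture`, and the fixture tree, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Qubes code): decide whether a dom0 disk may be advertised.
# Paths are parameters so the check can run against a constructed sysfs tree.

# in_use MOUNTS DEVDIR: true if the device at DEVDIR has holders or is mounted.
in_use() {
    mounts=$1 devdir=$2
    name=${devdir##*/}
    # Any entry in holders/ means md, dm-crypt, LVM, ... sits on top of it.
    if [ -d "$devdir/holders" ] && [ -n "$(ls -A "$devdir/holders")" ]; then
        return 0
    fi
    # The first field of /proc/mounts is the mounted source device.
    awk -v d="/dev/$name" '$1 == d { found = 1 } END { exit !found }' "$mounts"
}

# exposable SYSFS MOUNTS DISK: 0 if neither DISK nor any partition is in use,
# 1 if something is busy, 2 if DISK is unknown.
exposable() {
    sysfs=$1 mounts_file=$2 disk=$3
    [ -d "$sysfs/block/$disk" ] || return 2
    if in_use "$mounts_file" "$sysfs/block/$disk"; then return 1; fi
    for part in "$sysfs/block/$disk"/*/; do
        part=${part%/}
        [ -f "$part/partition" ] || continue   # skip holders/, queue/, ...
        if in_use "$mounts_file" "$part"; then return 1; fi
    done
    return 0
}

# Constructed fixture mirroring the reporter's layout: sda2 is a RAID member
# (held by md0), sdc is idle, sdd1 is mounted. Real sysfs uses symlinks in
# holders/; a directory is enough for the emptiness test here.
make_fixture() {
    root=$(mktemp -d)
    for p in sda/sda1 sda/sda2 sda/sda3 sdc/sdc1 sdd/sdd1; do
        mkdir -p "$root/block/$p/holders" "$root/block/${p%%/*}/holders"
        : > "$root/block/$p/partition"
    done
    mkdir "$root/block/sda/sda2/holders/md0"
    printf '/dev/sdd1 /mnt ext4 rw 0 0\n' > "$root/mounts"
    echo "$root"
}

# Demo on the constructed tree.
demo_root=$(make_fixture)
for d in sda sdc sdd; do
    if exposable "$demo_root" "$demo_root/mounts" "$d"; then
        echo "$d: exposable"
    else
        echo "$d: hidden"
    fi
done
rm -rf "$demo_root"
```

On a live dom0 the same check is `exposable /sys /proc/mounts sda`. Mounts are matched only by `/dev/<name>`; a filesystem mounted through a device-mapper or md node is caught through `holders/` instead.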
@marmarek

Member

marmarek commented Jun 25, 2016

Automated announcement from builder-github

The package qubes-utils-3.1.9-1.fc21 has been pushed to the r3.1 testing repository for the Fedora fc21 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r3.1-current-testing

Changes included in this update

@marmarek

Member

marmarek commented Jun 25, 2016

Automated announcement from builder-github

The package qubes-utils-3.1.9-1.fc22 has been pushed to the r3.1 testing repository for the Fedora fc22 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r3.1-current-testing

Changes included in this update

@marmarek

Member

marmarek commented Jun 25, 2016

Automated announcement from builder-github

The package qubes-utils-3.1.9-1.fc23 has been pushed to the r3.1 testing repository for the Fedora fc23 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r3.1-current-testing

Changes included in this update

@marmarek

Member

marmarek commented Jun 25, 2016

Automated announcement from builder-github

The package qubes-utils-3.1.9-1.fc20 has been pushed to the r3.1 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

@marmarek

Member

marmarek commented Jun 25, 2016

Automated announcement from builder-github

The package qubes-utils_3.1.9+deb8u1 has been pushed to the r3.1 testing repository for the Debian jessie template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing jessie-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@marmarek

Member

marmarek commented Jun 25, 2016

Automated announcement from builder-github

The package qubes-utils_3.1.9+deb9u1 has been pushed to the r3.1 testing repository for the Debian stretch template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@marmarek

Member

marmarek commented Jun 25, 2016

Automated announcement from builder-github

The package qubes-utils_3.1.9+deb7u1 has been pushed to the r3.1 testing repository for the Debian wheezy template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing wheezy-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@marmarek

Member

marmarek commented Jul 25, 2016

Automated announcement from builder-github

The package qubes-utils-3.1.9-1.fc21 has been pushed to the r3.1 stable repository for the Fedora fc21 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

@marmarek

Member

marmarek commented Jul 25, 2016

Automated announcement from builder-github

The package qubes-utils-3.1.9-1.fc22 has been pushed to the r3.1 stable repository for the Fedora fc22 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

@marmarek

Member

marmarek commented Jul 25, 2016

Automated announcement from builder-github

The package qubes-utils-3.1.9-1.fc23 has been pushed to the r3.1 stable repository for the Fedora fc23 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

@marmarek

Member

marmarek commented Jul 25, 2016

Automated announcement from builder-github

The package qubes-utils-3.1.9-1.fc20 has been pushed to the r3.1 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

@marmarek

Member

marmarek commented Jul 25, 2016

Automated announcement from builder-github

The package qubes-utils_3.1.9+deb8u1 has been pushed to the r3.1 stable repository for the Debian jessie template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@marmarek

Member

marmarek commented Jul 25, 2016

Automated announcement from builder-github

The package qubes-utils_3.1.9+deb9u1 has been pushed to the r3.1 stable repository for the Debian stretch template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@marmarek

Member

marmarek commented Jul 25, 2016

Automated announcement from builder-github

The package qubes-utils_3.1.9+deb7u1 has been pushed to the r3.1 stable repository for the Debian wheezy template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update
