Skip to content
Browse files

Hardcode the qemu-nbd path in mount-alter instead of using an argument

Avoid any security issues related to passing an arbitrary binary path to
a script running under sudo.
  • Loading branch information...
1 parent 06259a5 commit 7012466b0f0117b535750c3ee64a02ad41565b8d @priteau priteau committed Jul 19, 2012
View
8 control/etc/workspace-control/mount.conf
@@ -49,10 +49,6 @@ fdisk: /sbin/fdisk
# being executed. As such, Nimbus IaaS administrators should be careful and
# monitor disk usage when enabling qcow2 support.
#
-# qemu-nbd is used when an HD image is in qcow2 format. qemu-nbd will be used
-# to attach the HD image as an nbd device, which allows to mount the root
-# partition inside.
-#
-# If this setting is empty or missing, qcow2 support will be disabled.
+# If this setting is set to true, qcow2 support will be enabled.
-#qemu_nbd: /usr/bin/qemu-nbd
+qcow2: false
View
14 control/libexec/workspace-control/mount-alter.sh
@@ -87,6 +87,11 @@ CHMOD="/bin/chmod"
MODPROBE="/sbin/modprobe"
EXPR="/usr/bin/expr"
+# qemu-nbd is used when an HD image is in qcow2 format.
+# It will be used to attach the HD image as an nbd device, which allows to
+# mount the root partition inside.
+QEMU_NBD="/usr/bin/qemu-nbd"
+
FLOCKFILE=/opt/nimbus/var/workspace-control/lock/loopback.lock
FLOCK=/usr/bin/flock
if [ ! -O $FLOCK ]; then
@@ -201,16 +206,15 @@ elif [ "$subcommand" = "HDONE" ]; then
targetfiles="$datatarget"
elif [ "$subcommand" = "QCOWONE" ]; then
- if [ $# -ne 6 ]; then
- echo "qcowone subcommand requires 6 and only 6 arguments: qcowone <imagefile> <mntpoint> <datafile> <datatarget> <qemu-nbd-path>"
+ if [ $# -ne 5 ]; then
+ echo "qcowone subcommand requires 6 and only 6 arguments: qcowone <imagefile> <mntpoint> <datafile> <datatarget>"
exit 1
fi
echo " - datafile: $datafile"
echo " - datatarget: $datatarget"
sourcefiles="$datafile"
targetfiles="$datatarget"
- qemu_nbd=$6
else
echo "??"
@@ -332,7 +336,7 @@ done
###############
function qemu_nbd_disconnect () {
- cmd="$qemu_nbd -d /dev/nbd0"
+ cmd="$QEMU_NBD -d /dev/nbd0"
echo "command = $cmd"
if [ "$DRYRUN" != "true" ]; then
@@ -368,7 +372,7 @@ if [ "$subcommand" = "QCOWONE" ]; then
fi
fi
- cmd="$qemu_nbd --connect /dev/nbd0 $imagefile"
+ cmd="$QEMU_NBD --connect /dev/nbd0 $imagefile"
echo "command = $cmd"
if [ "$DRYRUN" != "true" ]; then
View
20 control/src/python/workspacecontrol/defaults/ImageEditing.py
@@ -37,7 +37,7 @@ def __init__(self, params, common):
self.sudo_path = None
self.mounttool_path = None
self.fdisk_path = None
- self.qemu_nbd_path = None
+ self.qcow2_enabled = False
self.qemu_img_path = None
self.mountdir = None
self.tmpdir = None
@@ -51,15 +51,17 @@ def validate(self):
if not self.fdisk_path:
self.c.log.warn("no fdisk configuration, mount+edit functionality for HD images is disabled")
- self.qemu_nbd_path = self.p.get_conf_or_none("mount", "qemu_nbd")
- if not self.qemu_nbd_path:
- self.c.log.warn("no qemu_nbd configuration, mount+edit functionality for qcow2 images is disabled")
+ qcow2 = self.p.get_conf_or_none("mount", "qcow2")
+ if qcow2 and qcow2.strip().lower() == "true":
+ self.qcow2_enabled = True
+ if not self.qcow2_enabled:
+ self.c.log.warn("mount+edit functionality for qcow2 images is disabled")
self.qemu_img_path = self.p.get_conf_or_none("cow", "qemu_img")
if not self.qemu_img_path:
self.c.log.warn("no qemu_img configuration, copy-on-write support is disabled")
- elif not self.qemu_nbd_path:
- self.c.log.warn("cannot enable copy-on-write support without qemu_nbd configuration")
+ elif not self.qcow2_enabled:
+ self.c.log.warn("cannot enable copy-on-write support without qcow2 support")
# if functionality is disabled but arg exists, should fail program
self._validate_args_if_exist()
@@ -594,12 +596,12 @@ def _doOneMountCopyTask(self, imagepath, src, dst, mntpath, hdimage):
if magic[0:3] == 'QFI':
if version == 2:
- if self.qemu_nbd_path:
+ if self.qcow2_enabled:
# Mounting the partition as a qcow2 image
- cmd = "%s %s qcowone %s %s %s %s %s" % (self.sudo_path, self.mounttool_path, imagepath, mntpath, src, dst, self.qemu_nbd_path)
+ cmd = "%s %s qcowone %s %s %s %s" % (self.sudo_path, self.mounttool_path, imagepath, mntpath, src, dst)
error = self._doOneMountCopyInnerTask(src, cmd)
else:
- raise IncompatibleEnvironment("qcow2 image detected, but qemu_nbd configuration is missing from mount.conf")
+ raise IncompatibleEnvironment("qcow2 image detected, but qcow2 support is disabled in mount.conf")
else:
raise IncompatibleEnvironment("qcow image detected with unsupported version number %d" % version)
else:
View
14 docs/src/admin/reference.html
@@ -2565,13 +2565,13 @@
The following file must be altered on each VMM that will support qcow2 images:
<tt class="literal">/opt/nimbus/etc/workspace-control/mount.conf</tt>.
Search for the value
-<tt class="literal">qemu_nbd</tt>.
-<i>qemu_nbd</i> is the path to the qemu-nbd executable included in QEMU and KVM
-packages.
-It is required for the mount-alter script to inject files inside the qcow2
-image, since it is not possible to directly mount a file system included in a
-qcow2 image.
-</p>
+<tt class="literal">qcow2</tt> and set it to <tt class="literal">true</tt>.
+Nimbus uses the qemu-nbd executable to inject files inside qcow2 images, since
+it is not possible to directly mount a file system from such images.
+If your qemu-nbd executable is not using the default path of <tt
+class="literal">/usr/bin/qemu-nbd</tt>, you need to modify the QEMU_NBD
+variable in the <tt class="literal">/opt/nimbus/libexec/workspace-control/mount-alter.sh</tt>
+script.</p>
<a name="cow"> </a>

0 comments on commit 7012466

Please sign in to comment.
Something went wrong with that request. Please try again.