Add full support for capabilities in create_appliance.py script #23

SimonDelamare opened this issue Sep 29, 2016 · 11 comments

@SimonDelamare (Contributor)

Despite the resolution of #22, full support for capabilities is still not available. For instance, when building a virtualbox/debian8.yaml image, the second step is bootstrap/prepare_appliance/create_appliance, which runs the following command:

    python ~/g5k/repo/environments-recipes/chroot/steps/data/helpers/create_appliance.py ~/g5k/repo/environments-recipes/build/jessie-x64-min/rootfs.tar.xz \
      --size 15G \
      -o ~/g5k/repo/environments-recipes/build/jessie-x64-min/base_jessie-x64-min \
      --filesystem ext4 \
      --format vmdk \
      --append "quiet net.ifnames=0 biosdevname=0"

This call to create_appliance.py converts rootfs.tar.xz to the vmdk starting image, but loses the capabilities on the way.

The patch from #22 does not cover this code path; the faulty command is probably:

/usr/bin/xzcat ~/g5k/repo/environments-recipes/build/jessie-x64-min/rootfs.tar.xz | /usr/bin/guestfish -a ~/g5k/repo/environments-recipes/build/jessie-x64-min/.W8ZVA7 -m /dev/sda1:/ tar-in - /

@npf (Contributor) commented Oct 12, 2016

The tar-out and tar-in commands of guestfish >= 1.32 have an xattr:true option, but do not have the equivalent of "--xattrs-include='*'" => this is not needed for tar-out (the archive will store the capabilities), but extracting with tar-in will not restore the capabilities without it.

Hence guestfish >= 1.32 does not solve our problem :-(

@npf (Contributor) commented Oct 12, 2016

Bug filed to libguestfs: https://bugzilla.redhat.com/show_bug.cgi?id=1384241

@npf (Contributor) commented Oct 13, 2016

So unless we wait for the new version of libguestfs-tools, a workaround can be:

  1. For the archive phase: use the previous workaround with guestmount/guestunmount instead of guestfish tar-out, and save the capabilities:
     • guestmount
     • find -exec getcap {} \; | ... > save the capabilities as a guestfish script (use the guestfish cap_set_file command)
     • tar / + the script
     • guestunmount
  2. Then for the extract phase:
     • extract the guestfish cap_set_file script from the tarball in the out context (host)
     • use guestfish tar-in
     • run the guestfish script

@npf (Contributor) commented Oct 13, 2016

btw:

    /tmp/debian8_20160921181636$ sudo find -exec getcap {} \;
    ./usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
    ./bin/ping = cap_net_raw+ep
    ./bin/ping6 = cap_net_raw+ep

-> only 3 commands need the capabilities in the debian8 bootstrap tarball.
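The "save the capabilities as a guestfish script" step of the workaround above, applied to getcap output like the listing just posted, as an added example that is neither the thread's nor the Kameleon/libguestfs projects' own code; it also adds the check a practitioner wants after tar-in, namely which files silently lost their capability. The getcap listing, the "after import" listing and the cap_set_file.script name are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from the Kameleon/libguestfs
# projects: it implements the "save the capabilities as a guestfish script" step
# of the workaround above and adds a post-import check that lists every file
# whose capability tar-in dropped. Input is getcap output as posted above
# (old "path = caps" format; the newer "path caps" format is accepted too).

# stdin: getcap lines relative to the rootfs, e.g. "./bin/ping = cap_net_raw+ep"
# stdout: one guestfish command per line, e.g. "cap_set_file /bin/ping cap_net_raw+ep"
caps_to_guestfish_script() {
    sed -n 's/^\.\{0,1\}\(\/[^ ]*\) *=\{0,1\} *\(.*\)$/cap_set_file \1 \2/p'
}

# $1: getcap listing taken before tar-out, $2: listing taken after tar-in.
# Prints the cap_set_file lines that are missing or changed after the import.
caps_missing() {
    tmp=$(mktemp) || return 1
    caps_to_guestfish_script < "$2" > "$tmp"
    if [ -s "$tmp" ]; then
        caps_to_guestfish_script < "$1" | grep -vxF -f "$tmp" || true
    else
        caps_to_guestfish_script < "$1"
    fi
    rm -f "$tmp"
}

# Constructed sample data: the three files found in the debian8 bootstrap above,
# plus an "after import" listing in which ping6 silently lost its capability.
BEFORE=$(mktemp); AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat > "$BEFORE" <<'EOF'
./usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
./bin/ping = cap_net_raw+ep
./bin/ping6 = cap_net_raw+ep
EOF
cat > "$AFTER" <<'EOF'
./usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
./bin/ping = cap_net_raw+ep
EOF

echo "guestfish restore script:"
caps_to_guestfish_script < "$BEFORE"
echo "capabilities lost by the import:"
caps_missing "$BEFORE" "$AFTER"

# Real use: in the guestmount, run "getcap -r . > caps.txt", ship caps.txt (or the
# generated script) inside the tarball, and after tar-in replay it with
# "guestfish -a IMAGE -i -f cap_set_file.script"; run getcap again and compare.
```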

@npf (Contributor) commented Oct 13, 2016

@SimonDelamare
I'm wondering if the guestmount/tar/guestunmount workaround actually archives all files with the correct owner/perms without being root... I will check again...

@SimonDelamare (Contributor, Author)

This is what we did before Kameleon started using these bootstraps. So I guess the answer is yes.

@npf (Contributor) commented Oct 14, 2016

Rrrr... guestfish is weird :-(

$ guestmount --ro -i -a  base_test.qcow2 .mnt/
$ cd .mnt
$ ls -ld root/
drwx------ 3 root root 4096 Oct 14  2016 root/
$ cd root
bash: cd: root: Permission denied
$ ls root
kameleon_workdir
$ tar cf /tmp/tar.tar .
$ tar tf /tmp/tar.tar | grep -e "^./root/kameleon_workdir/$"
./root/kameleon_workdir/

So we can ls or tar a root-access-only directory, but we cannot cd into it...
This is not a normal situation...

As a result, find cannot descend into the root directory. So yes, it is not likely that there are files with capabilities in there, but this makes the method very ugly :-(

@npf npf assigned vdanjean and mickours and unassigned vdanjean and mickours Oct 14, 2016
@npf (Contributor) commented Oct 14, 2016

If we do not use guestmount but the guestfish API to capture the capabilities:

    eval $(guestfish -i -a jessie-x64-min-2016091917.qcow2 --listen) && \
    for d in /{,usr/,usr/local/,opt/}{,s}bin; do
      if [ "$(guestfish --remote is-dir $d)" == "true" ]; then
        # guestfish "find" returns paths relative to $d, without a leading slash
        for f in $(guestfish --remote find $d); do
          if [ "$(guestfish --remote is-file $d/$f)" == "true" ]; then
            cap=$(guestfish --remote cap_get_file $d/$f)
            if [ -n "$cap" ]; then
              # cap_get_file returns "= cap_net_raw+ep"; keep what follows the "="
              echo "cap_set_file $d/$f${cap#*=}" >> cap_set_file.script
            fi
          fi
        done
      fi
    done
    guestfish --remote copy-in cap_set_file.script /root/kameleon-workdir/
    guestfish --remote tar-out / - > tarball.tar
    guestfish --remote exit

We could possibly use the Python API instead of bash: http://libguestfs.org/guestfs-python.3.html
This is pretty slow if we find / in order to check all files...

@npf (Contributor) commented Nov 3, 2016

FYI: libguestfs-tools 1:1.32.7-1~bpo8+1 is now available in the backports for Debian jessie => it supports the xattrs needed for tar-out.

This however does not fix our issue for tar-in, which needs the xattrs-include option that is not provided in guestfish 1.32.7.

@mickours (Contributor)

What is the status of this? Is it fixed?

@npf (Contributor) commented Dec 15, 2016

Not really:

  • on Grid'5000: they fix a few of the known files with the issue (ping, ...), but other files that may be concerned are not tracked.
  • regarding libguestfs, I doubt you can get the tar-in/out commands to do the trick for capabilities

So it remains to us to export, along with the environment, a list of files which need special capabilities, so that they can be reset when reimporting it.
