[PATCH] test: fix 'make assets' failure as root

newer
[PATCH v2] test: fix 'make assets'...

older
[PATCH v2] tap: Drop frames if no...

Yumei Huang

25 Sep 2025 25 Sep '25

7:43 a.m.

Running `make assets` under `test` as root fails with a "Permission denied" error when `prepare-distro-img.sh` invokes `virt-edit` and `guestfish`. This is due to a known bug in libvirt. Work around the issue by switching to the direct backend. Signed-off-by: Yumei Huang --- test/prepare-distro-img.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/prepare-distro-img.sh b/test/prepare-distro-img.sh index 0d967c9..423eea7 100755 --- a/test/prepare-distro-img.sh +++ b/test/prepare-distro-img.sh @@ -3,6 +3,8 @@ IMG="$1" PASST_FILES="$(echo ../*.c ../*.h ../*.sh ../*.1 ../Makefile ../README.md)" +export LIBGUESTFS_BACKEND=direct + virt-edit -a $IMG /lib/systemd/system/serial-getty@.service -e 's/ExecStart=.*/ExecStart=\/sbin\/agetty --autologin root -8 --keep-baud 115200,38400,9600 %I $TERM/g' guestfish --rw -a $IMG -i <

Show replies by date

David Gibson

25 Sep 25 Sep

8:25 a.m.

On Thu, Sep 25, 2025 at 01:43:06PM +0800, Yumei Huang wrote:

...

Running `make assets` under `test` as root fails with a "Permission denied" error when `prepare-distro-img.sh` invokes `virt-edit` and `guestfish`. This is due to a known bug in libvirt.

Work around the issue by switching to the direct backend.

Signed-off-by: Yumei Huang

Reviewed-by: David Gibson The libvirt & libguestfs people don't particularly like this approach, but I think it's reasonable for our needs.

...

--- test/prepare-distro-img.sh | 2 ++ 1 file changed, 2 insertions(+)

diff --git a/test/prepare-distro-img.sh b/test/prepare-distro-img.sh index 0d967c9..423eea7 100755 --- a/test/prepare-distro-img.sh +++ b/test/prepare-distro-img.sh @@ -3,6 +3,8 @@ IMG="$1" PASST_FILES="$(echo ../*.c ../*.h ../*.sh ../*.1 ../Makefile ../README.md)"

+export LIBGUESTFS_BACKEND=direct + virt-edit -a $IMG /lib/systemd/system/serial-getty@.service -e 's/ExecStart=.*/ExecStart=\/sbin\/agetty --autologin root -8 --keep-baud 115200,38400,9600 %I $TERM/g'

guestfish --rw -a $IMG -i <

-- David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson

Richard W.M. Jones

10:53 a.m.

On Thu, Sep 25, 2025 at 01:43:06PM +0800, Yumei Huang wrote:

...

Running `make assets` under `test` as root fails with a "Permission denied" error when `prepare-distro-img.sh` invokes `virt-edit` and `guestfish`. This is due to a known bug in libvirt.

Work around the issue by switching to the direct backend.

Signed-off-by: Yumei Huang --- test/prepare-distro-img.sh | 2 ++ 1 file changed, 2 insertions(+)

diff --git a/test/prepare-distro-img.sh b/test/prepare-distro-img.sh index 0d967c9..423eea7 100755 --- a/test/prepare-distro-img.sh +++ b/test/prepare-distro-img.sh @@ -3,6 +3,8 @@ IMG="$1" PASST_FILES="$(echo ../*.c ../*.h ../*.sh ../*.1 ../Makefile ../README.md)"

+export LIBGUESTFS_BACKEND=direct

Please add a comment that this is only added as a temporary hack until we can get a proper fix (in libguestfs possibly, see Dan's earlier email). Rich.

...

virt-edit -a $IMG /lib/systemd/system/serial-getty@.service -e 's/ExecStart=.*/ExecStart=\/sbin\/agetty --autologin root -8 --keep-baud 115200,38400,9600 %I $TERM/g'

guestfish --rw -a $IMG -i <

-- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com libguestfs lets you edit virtual machines. Supports shell scripting, bindings from many languages. http://libguestfs.org

Stefano Brivio

11:40 a.m.

On Thu, 25 Sep 2025 09:53:06 +0100 "Richard W.M. Jones" wrote:

...

On Thu, Sep 25, 2025 at 01:43:06PM +0800, Yumei Huang wrote:

...
Running `make assets` under `test` as root fails with a "Permission denied" error when `prepare-distro-img.sh` invokes `virt-edit` and `guestfish`. This is due to a known bug in libvirt.

Work around the issue by switching to the direct backend.

Signed-off-by: Yumei Huang --- test/prepare-distro-img.sh | 2 ++ 1 file changed, 2 insertions(+)

diff --git a/test/prepare-distro-img.sh b/test/prepare-distro-img.sh index 0d967c9..423eea7 100755 --- a/test/prepare-distro-img.sh +++ b/test/prepare-distro-img.sh @@ -3,6 +3,8 @@ IMG="$1" PASST_FILES="$(echo ../*.c ../*.h ../*.sh ../*.1 ../Makefile ../README.md)"

+export LIBGUESTFS_BACKEND=direct

Please add a comment that this is only added as a temporary hack until we can get a proper fix (in libguestfs possibly, see Dan's earlier email).

On the other hand, regardless of that fix, I would be happy to be run this on single-user Alpine L1 guests, eventually, where libguestfs doesn't depend on libvirt (see my caveat 2.), and I usually reserve very little disk space for those. If you don't have compelling reasons (like you're dropping LIBGUESTFS_BACKEND=direct in two weeks), I would simply keep this as long as it works. The day you drop that, we'll drop this too. This part won't be executed as part of automated distribution tests either, so occasional breakages are really unproblematic. Do you see any further issue with it? -- Stefano

Richard W.M. Jones

12:27 p.m.

On Thu, Sep 25, 2025 at 11:40:25AM +0200, Stefano Brivio wrote:

...

On Thu, 25 Sep 2025 09:53:06 +0100 "Richard W.M. Jones" wrote:

...
On Thu, Sep 25, 2025 at 01:43:06PM +0800, Yumei Huang wrote:

...
Running `make assets` under `test` as root fails with a "Permission denied" error when `prepare-distro-img.sh` invokes `virt-edit` and `guestfish`. This is due to a known bug in libvirt.

Work around the issue by switching to the direct backend.

Signed-off-by: Yumei Huang --- test/prepare-distro-img.sh | 2 ++ 1 file changed, 2 insertions(+)

diff --git a/test/prepare-distro-img.sh b/test/prepare-distro-img.sh index 0d967c9..423eea7 100755 --- a/test/prepare-distro-img.sh +++ b/test/prepare-distro-img.sh @@ -3,6 +3,8 @@ IMG="$1" PASST_FILES="$(echo ../*.c ../*.h ../*.sh ../*.1 ../Makefile ../README.md)"

+export LIBGUESTFS_BACKEND=direct

Please add a comment that this is only added as a temporary hack until we can get a proper fix (in libguestfs possibly, see Dan's earlier email).

On the other hand, regardless of that fix, I would be happy to be run this on single-user Alpine L1 guests, eventually, where libguestfs doesn't depend on libvirt (see my caveat 2.), and I usually reserve very little disk space for those.

The upstream default is backend 'direct'. In Fedora & RHEL we override this with 'libvirt': https://src.fedoraproject.org/rpms/libguestfs/blob/rawhide/f/libguestfs.spec... I don't know what Alpine does, but likely it leaves it at the default. (You can try: `guestfish get-backend`)

...

If you don't have compelling reasons (like you're dropping LIBGUESTFS_BACKEND=direct in two weeks), I would simply keep this as long as it works. The day you drop that, we'll drop this too.

We're not dropping the environment variable / feature ever. The problem is that this was cargo-culted into a lot of code over the years, and it does reduce the security of libguestfs on RHEL. We're having an (ongoing) battle to remove this cargo-culting from CNV right now. I'm just not keen to add this line in new places, without at least a comment saying this is a temporary hack, and not generally recommended.

...

This part won't be executed as part of automated distribution tests either, so occasional breakages are really unproblematic.

Do you see any further issue with it?

-- Stefano

Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com libguestfs lets you edit virtual machines. Supports shell scripting, bindings from many languages. http://libguestfs.org

Stefano Brivio

12:54 p.m.

On Thu, 25 Sep 2025 11:27:49 +0100 "Richard W.M. Jones" wrote:

...

On Thu, Sep 25, 2025 at 11:40:25AM +0200, Stefano Brivio wrote:

...
On Thu, 25 Sep 2025 09:53:06 +0100 "Richard W.M. Jones" wrote:

...
On Thu, Sep 25, 2025 at 01:43:06PM +0800, Yumei Huang wrote:

...
Running `make assets` under `test` as root fails with a "Permission denied" error when `prepare-distro-img.sh` invokes `virt-edit` and `guestfish`. This is due to a known bug in libvirt.

Work around the issue by switching to the direct backend.

Signed-off-by: Yumei Huang --- test/prepare-distro-img.sh | 2 ++ 1 file changed, 2 insertions(+)

diff --git a/test/prepare-distro-img.sh b/test/prepare-distro-img.sh index 0d967c9..423eea7 100755 --- a/test/prepare-distro-img.sh +++ b/test/prepare-distro-img.sh @@ -3,6 +3,8 @@ IMG="$1" PASST_FILES="$(echo ../*.c ../*.h ../*.sh ../*.1 ../Makefile ../README.md)"

+export LIBGUESTFS_BACKEND=direct

Please add a comment that this is only added as a temporary hack until we can get a proper fix (in libguestfs possibly, see Dan's earlier email).

On the other hand, regardless of that fix, I would be happy to be run this on single-user Alpine L1 guests, eventually, where libguestfs doesn't depend on libvirt (see my caveat 2.), and I usually reserve very little disk space for those.

The upstream default is backend 'direct'. In Fedora & RHEL we override this with 'libvirt':

https://src.fedoraproject.org/rpms/libguestfs/blob/rawhide/f/libguestfs.spec...

Ah, sorry, I had no idea!

...

I don't know what Alpine does, but likely it leaves it at the default. (You can try: `guestfish get-backend`)

Yes, this is guestfs-tools and libguestfs 1.56.1-r0 on Alpine: # guestfish get-backend direct Same on any modern Debian, openSUSE, Ubuntu.

...

...
If you don't have compelling reasons (like you're dropping LIBGUESTFS_BACKEND=direct in two weeks), I would simply keep this as long as it works. The day you drop that, we'll drop this too.

We're not dropping the environment variable / feature ever. The problem is that this was cargo-culted into a lot of code over the years, and it does reduce the security of libguestfs on RHEL. We're having an (ongoing) battle to remove this cargo-culting from CNV right now. I'm just not keen to add this line in new places, without at least a comment saying this is a temporary hack, and not generally recommended.

Oh, I see, that makes sense. But then, Yumei, we should also add to that comment (sorry, this is becoming much more complicated than I thought...) that the workaround is for Fedora and related distributions. -- Stefao

Yumei Huang

26 Sep 26 Sep

3 a.m.

On Thu, Sep 25, 2025 at 6:54 PM Stefano Brivio wrote:

...

On Thu, 25 Sep 2025 11:27:49 +0100 "Richard W.M. Jones" wrote:

...
On Thu, Sep 25, 2025 at 11:40:25AM +0200, Stefano Brivio wrote:

...
On Thu, 25 Sep 2025 09:53:06 +0100 "Richard W.M. Jones" wrote:

...
On Thu, Sep 25, 2025 at 01:43:06PM +0800, Yumei Huang wrote:

...
Running `make assets` under `test` as root fails with a "Permission denied" error when `prepare-distro-img.sh` invokes `virt-edit` and `guestfish`. This is due to a known bug in libvirt.

Work around the issue by switching to the direct backend.

Signed-off-by: Yumei Huang --- test/prepare-distro-img.sh | 2 ++ 1 file changed, 2 insertions(+)

diff --git a/test/prepare-distro-img.sh b/test/prepare-distro-img.sh index 0d967c9..423eea7 100755 --- a/test/prepare-distro-img.sh +++ b/test/prepare-distro-img.sh @@ -3,6 +3,8 @@ IMG="$1" PASST_FILES="$(echo ../*.c ../*.h ../*.sh ../*.1 ../Makefile ../README.md)"

+export LIBGUESTFS_BACKEND=direct

Please add a comment that this is only added as a temporary hack until we can get a proper fix (in libguestfs possibly, see Dan's earlier email).

On the other hand, regardless of that fix, I would be happy to be run this on single-user Alpine L1 guests, eventually, where libguestfs doesn't depend on libvirt (see my caveat 2.), and I usually reserve very little disk space for those.

The upstream default is backend 'direct'. In Fedora & RHEL we override this with 'libvirt':

https://src.fedoraproject.org/rpms/libguestfs/blob/rawhide/f/libguestfs.spec...

Ah, sorry, I had no idea!

...
I don't know what Alpine does, but likely it leaves it at the default. (You can try: `guestfish get-backend`)

Yes, this is guestfs-tools and libguestfs 1.56.1-r0 on Alpine:

# guestfish get-backend direct

Same on any modern Debian, openSUSE, Ubuntu.

...
...
If you don't have compelling reasons (like you're dropping LIBGUESTFS_BACKEND=direct in two weeks), I would simply keep this as long as it works. The day you drop that, we'll drop this too.

We're not dropping the environment variable / feature ever. The problem is that this was cargo-culted into a lot of code over the years, and it does reduce the security of libguestfs on RHEL. We're having an (ongoing) battle to remove this cargo-culting from CNV right now. I'm just not keen to add this line in new places, without at least a comment saying this is a temporary hack, and not generally recommended.

Oh, I see, that makes sense.

But then, Yumei, we should also add to that comment (sorry, this is becoming much more complicated than I thought...) that the workaround is for Fedora and related distributions.

I will update in v2. Thank you all for the comments.

...

-- Stefao

-- Thanks, Yumei Huang

Age (days ago)

Last active (days ago)

List overview

Download

6 comments

4 participants

participants (4)

David Gibson
Richard W.M. Jones
Stefano Brivio
Yumei Huang