Property returns exit code value from nbd-client process for
proxy mode and from nbdkit process for legacy mode.
The initial value for this property is -1 and will be returned
before starting the process and during process execution.
Tested manually for proxy and legacy mode:
- initial value before process first run
- initial value in process execution time
- 0 value for successful exit
- specific value for forced process termination
Change-Id: I4cefa423bade522fc2fac0cab620cbba0b66cce2
Signed-off-by: Agata Olender <agata.olender@intel.com>
This change introduces new 'Mount' API argument - UNIX_FD for named pipe.
This named pipe is utilized to securely send secret data over D-Bus.
Currently data consists of null-terminated char buffers with username and
password.
Data on receiving side is encapsulated into classes whose role is to:
- keep secret as short-lived as possible
- erase secret from memory when it's not needed
- pass secrets (and format them) to another secure container with above
capabilities
New classes:
- Credentials: is a class encapsulating login and password. It zeroes them
at destruction.
- CredentialProvider: contains Credentials, specifies SecureBuffer, allows
to store credentials in SecureBuffer
- SecureBuffer: char vector which zeroes itself at destruction,
used to provision secret data
- VolatileFile: class creating temporary file with 'owner-only' permissions
in /tmp; at destruction overwrites its contents with '*' and removes it
New behavior:
- when UNIX_FD is provided over D-Bus it's treated as open unix pipe. Data
is read from this pipe and stored securely into CredentialsProvider
- credentials are stored in applications inside CredentialsProvider object,
encapsulated by unique_ptr for as long as it's needed
- strings containing secrets are zeroed immediately after use
- VolatileFile is used to securely pass credentials to nbdkit curl plugin
instead of command line parameters.
Tested:
Manual and automated tests on WilsonCity platform:
- positive and negative tests for authentication on both CIFS and HTTPS
resources
- error injection (ill-formed data transferred over pipe, pipe broken etc.)
Change-Id: I608ae0380b8ad57110bc0939f71eb48604e7dc99
Signed-off-by: Adrian Ambrożewicz <adrian.ambrozewicz@linux.intel.com>
Signed-off-by: Agata Olender <agata.olender@intel.com>
Previously implemented error handling for Mount checks only if mounting was
successful and returns a boolean with the result.
The following change introduces an optional error to the existing ReadyState
(a.k.a. "idle state"). If the state machine enters ReadyState with an error, it is
stored in a ReadyState field with std::errc and a std::string message.
In the case of mount failure with such error information stored, Mount
returns a graceful D-Bus error reply with a specific error code.
Tested:
Manual and automated tests on WilsonCity platform:
- negative tests for invalid network share, unauthorized share access,
error injection (renaming expected unix socket names etc)
Change-Id: I22cf9b17e9e6342aad0ae68766853734fac79b8e
Signed-off-by: Adrian Ambrożewicz <adrian.ambrozewicz@linux.intel.com>
Signed-off-by: Agata Olender <agata.olender@intel.com>
This change introduces integration of virtual-media application with
NBDKit. NBDKit is used here to connect to externally provided image on web
and expose NBD device internally in BMC for NBD subsystem (already
implemented in Proxy mode) to use.
'Mount' D-Bus call accepts 's imgUrl' and 'b rw'. Based on 's imgUrl'
prefix (https:// or smb://) proper mount type is attempted. 'b rw'
determines Read-Only mode for both USB Gadget and NBD stack.
When 'Mount' is called, virtual-media parses arguments, determines mounting
options and attempts to mount external share.
For SMB protocol native CIFS Linux module is used:
1) mount(8) call is used to mount provided CIFS share
2) NBDKit loads file on mounted filesystem and exposes NBD Server on
internal unix socket
3) Pre-existing code takes care of mounting gadget automatically
(connecting socket to /dev/nbdX and then /dev/nbdX to USB Gadget)
For HTTPS protocol provisioning is performed by NBDKit:
1) NBDKit connects to provided resource and exposes NBD Server on internal
unix socket
2) Pre-existing code takes care of mounting gadget automatically
(connecting socket to /dev/nbdX and then /dev/nbdX to USB Gadget)
Tested:
Manual and automated tests on WilsonCity platform:
- mounting and unmounting images over CIFS and HTTPS (single, multiple
at the same time etc)
- positive and negative tests for D-Bus calls
- ensuring proper information is exposed on D-Bus
Change-Id: Ia2b6e8c13603521063f5c94cdfdb06f2e872e9e7
Signed-off-by: Adrian Ambrożewicz <adrian.ambrozewicz@linux.intel.com>
Signed-off-by: Agata Olender <agata.olender@intel.com>
MountPoints being inactive for the time defined by InactivityTimeout will be unmounted.
Inactivity is measured based on USB gadget R/W statistics.
InactivityTimeout must be set in the json configuration and is common for all MountPoints.
Remaining time to unmount inactive media is exposed per MountPoint on dbus using the RemainingInactivityTimeout property.
Change-Id: Ieb80e67dae6c3b4cb0482d801b5b4208884b0809
Signed-off-by: Agata Olender <agata.olender@intel.com>
This is the first part of a bigger functionality which allows the host to use
virtual media.
First part provides skeleton and definitions of states and events defining
state machine, also brings working implementation of proxy mode and some
starting point to implement legacy mode.
There are at least three additional patchsets implementing legacy mode with
https and cifs support and secure passing of secrets.
Specifically this change adds StateMachine class used to keep track of the state of
each mount point:
- StateMachine is made as std::variant of objects derived from BasicState.
- Each state has its own possible transitions defined (events).
- Transitions define appropriate behavior.
- A specific event triggers transition from one specific state to another (1:1
relation).
Tested:
Manual tests on WilsonCity platform:
- mounting and unmounting using redfish and webui
- check state on dbus interfaces
Change-Id: I4b13085e1f8884fcedd7d97e76910c21e87ab7f8
Signed-off-by: Rapkiewicz, Pawel <pawel.rapkiewicz@intel.com>
Signed-off-by: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com>
Configuration class is used to read configuration from file and validate
entries.
Also exposes API to serve stored data.
Change-Id: Id4989ff45ff4a5cf7af7acf76a89b1c5838862f4
Signed-off-by: Rapkiewicz, Pawel <pawel.rapkiewicz@intel.com>
Signed-off-by: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com>
Added DeviceMonitor which watches for nbd device changes.
Contains:
- Udev library wrappers.
- NBDevice object to manage nbd devices in an errorless manner.
- Process library, which manages process spawning.
Change-Id: Iaf3caec56cd6084f1c17ccc5657b9b14c8e82d33
Signed-off-by: Rapkiewicz, Pawel <pawel.rapkiewicz@intel.com>
Signed-off-by: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com>
Introducing Virtual Media based on State Machine.
- Logging class added
- Stub for Main application
Change-Id: I05ef576c170e2f9acf90800708f4447452f4050f
Signed-off-by: Rapkiewicz, Pawel <pawel.rapkiewicz@intel.com>
Signed-off-by: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com>
Support for Legacy mode added but only for CIFS resources.
DBus "xyz.openbmc_project.VirtualMedia.MountPoint" interface was
extended to support 'ImageUrl'. This property will be used to expose
on DBus HTTPS/CIFS url already mounted in Legacy mode.
Changes do not cover passing credentials needed for CIFS
authentication.
Tested:
- CIFS/SMB resource successfully mounted with DBus call to the
xyz.openbmc_project.VirtualMedia.Legacy:Mount
- CIFS/SMB resource successfully unmounted with DBus call to the
xyz.openbmc_project.VirtualMedia.Legacy:Unmount
- checked double mount and unmount DBus calls return an error
and put an appropriate trace in logs.
Change-Id: I25b3d11dad6b273e88325beb35580e0baa8568f8
Signed-off-by: Zbigniew Lukwinski <zbigniew.lukwinski@linux.intel.com>
This is the initial version of virtual media support.
It covers:
* udev monitoring
* configuration reading
* exposing appropriate interfaces on dbus
* allows mount/umount images from existing unix socket
Does not cover:
* configuration of usb gadget
Integration with bmcweb will be delivered to bmcweb
Change-Id: I358ab80fe32a7ed933007143bfa00da847a95316
Signed-off-by: Rapkiewicz, Pawel <pawel.rapkiewicz@intel.com>
Signed-off-by: Kowalski, Kamil <kamil.kowalski@intel.com>