|
* Force udev change event on init
This change provides a temporary workaround for HSD HSD18020136609 ("Can not mount image using Virtual media and CIFS protocol"). When in the initial state, an additional udev change event is triggered for all NBD devices, which prevents disconnection on the first mount attempt after reboot. The actual issue is a regression introduced after the kernel update from 5.10.67 to 5.14.11. The exact source in the kernel is yet to be located; after that an actual fix shall be provided and this change will be reverted.
Abstracts echoToFile to a separate class that may be used by other classes through inheritance. This way, writing to udev files can be handled by a different object than UsbGadget.
Tested:
Successful mounts after reboot for all supported methods (Proxy, Legacy HTTPS, Legacy CIFS).
Change-Id: I2ceb826c73b6e46938397060877d35a9fa1c0e03
Signed-off-by: MichalX Orzel <michalx.orzel@intel.com>
|
|
Removed all -Wextra warnings in VM sources.
-Wno-unused-parameter has to be disabled due to lots of such warnings in
sdbusplus.
Tested:
Compilation generates no warnings
Signed-off-by: Przemyslaw Czarnowski <przemyslaw.hawrylewicz.czarnowski@intel.com>
|
|
On initial state the application cleans mounted resources which
were allocated by the user before the application crashed.
Without that, a busy slot is not available anymore for the user.
Tested:
1. Mount CIFS share.
2. Send terminate signal to virtual-media (kill -9).
3. Mount CIFS share on the same slot as during step 1.
Change-Id: I7088e94832fb7bec171a56f73bd66cd29e9b246f
Signed-off-by: Krzysztof Richert <krzysztof.richert@intel.com>
|
|
This change allows virtual-media to pass a zero-length string to
nbdkit curl plugin cainfo parameter, which will allow for capath
to be used.
Tested:
Manually, with Virtual-Media HTTPS test in ATF.
Change-Id: I14ffa2ecbb2bd6cadee3bb8929ef2e1b8bbbf157
Signed-off-by: Golgowski, Wiktor <wiktor.golgowski@intel.com>
|
|
Updated TLS 1.2 cipher list and added TLS1.3 cipher list.
Tested by Oleksandr Shulzhenko on local setup.
Change-Id: I218c245d8ddf7e54dae258a39cd78c3255027b6e
Signed-off-by: Karol Niczyj <karol.niczyj@intel.com>
|
|
According to the latest recommendations obsolete cipher suites shall be
forbidden.
Tested:
Python HTTP server configured TLSv1.2 with ECDHE-RSA-CHACHA20-POLY1305
cipher can't be reached.
Change-Id: I370c125b28c4df4bba744ec63536aa8fdebb961d
Signed-off-by: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com>
|
|
Due to security reasons (by security researcher recommendation) remote
source redirections shouldn't be allowed in order to disallow connection
downgrading.
Tested:
Tested with python server script forcing redirection
Change-Id: Ia68884dbcc399abc685dcbcf4e205aa62356478f
Signed-off-by: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com>
|
|
Due to change of recommendation of minimum TLS version from 1.1 to 1.2,
version passed to CURL plugin of Nbdkit is changed appropriately.
Tested:
Manually; TLSv1.1 server is rejected for Legacy/HTTPs.
Change-Id: Ifc8848817deb9f73a44f551d85f1fe9ba20b3e10
Signed-off-by: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com>
|
|
Due to security reasons "user/username" has to be removed from the
information that is logged by application.
Sensitive data has been moved to "Debug" level (lowest one) and default
one has moved one level up to "Info".
Also some important information allowing to catch basic errors has been
upgraded to "Info".
Tested:
Manually, mounting both Legacy mode remote types (HTTPs and CIFS) and
checking if journal for VirtualMedia service does not contain sensitive
information.
Change-Id: Ie6c3a79c94637e3632af76daf957e986b2dd3b6d
Signed-off-by: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com>
|
|
When trying to mount virtual media image in Legacy mode
nbd tries to create unix socket and if the parent directory
does not exist mount fails.
Also used noexcept versions of filesystem operations.
Tested:
Locally, by manually removing the socket's parent folder and
mounting an image in Legacy mode (Samba).
Change-Id: If5beb7add655e09a60511b30e4edbd34c8c15ec5
Signed-off-by: Anna Platash <anna.platash@intel.com>
Signed-off-by: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com>
|
|
Invalid status code 500 when slot is inserted twice. Invalid status code 200 when slot is ejected twice.
In both situations code 403 should be returned.
Using [[noreturn]] attribute for handleEvent functions.
Tested:
Manually on hw and verified that status code is 403.
Change-Id: I886c41048d6bcfcb3d47b46fd23a2de564d9dd3e
Signed-off-by: Alicja Rybak <alicja.rybak@intel.com>
|
|
When mounting image with WriteProtected set to true,
it is shown to be false and vice versa.
Change-Id: Id5ff0f0deb5d5822279dd02af0deeb7586dcd065
Signed-off-by: Anna Platash <anna.platash@intel.com>
|
|
Removed the following cipher suites:
* AES256-GCM-SHA384
* AES128-GCM-SHA256
* AES256-SHA256
* AES128-SHA256
Tested: - verified manually that listed ciphers are not accepted
- verified manually that it is possible to mount HTTPS resource
using TLS version >= 1.1 and other ciphers
Change-Id: If41dfc8fa8439a1be1fd61dbb639595523a7157d
Signed-off-by: Karol Wachowski <karol.wachowski@intel.com>
|
|
between Redfish and Web UI
WriteProtected field was not updated in bmcweb.
Added new property WriteProtected to MountPoint interface to
allow bmcweb updating the WriteProtected field value properly.
Tested manually on ArcherCity by mounting images via Redfish
interface with and without write protection.
Change-Id: I9f642ace2462c52bf964d2e54b0f59fac1b06738
Signed-off-by: Anna Platash <anna.platash@intel.com>
|
|
This change adds nbdkit curl plugin parameters for specifying TLS
version. VM is configured to support TLSv1.1 or greater.
Tested: manually, TLSv1.0 is not negotiated during connection.
Change-Id: I0d1186534ba3ec2f7937fea65c0cc1f01557cf6e
Signed-off-by: Golgowski, Wiktor <wiktor.golgowski@intel.com>
|
|
This reverts commit b253675eb507f07f8072b287c0ea68448808eb0b.
Change-Id: I29c2eb73ecc37e47c4dd44b668c6d9a1ab2f6579
Signed-off-by: James Feist <james.feist@linux.intel.com>
|
|
This change adds nbdkit curl plugin parameters for specifying TLS
version and not allowed cipher suites (OWASP recommendation).
Tested: manually, TLSv1.0 is not negotiated during connection.
Awaiting confirmation for cipher suites.
Warning: this change may break legacy mode, if used with nbdkit
without ssl-version and ssl-cipher-list (see review #272350).
Change-Id: I06c5acc7a87de6c1bd1b0cdcef2af8585a3da965
Signed-off-by: Golgowski, Wiktor <wiktor.golgowski@intel.com>
|
|
Tested: - verified that mount attempt in active state returns operation
not supported (EOPNOTSUPP) error
Signed-off-by: Karol Wachowski <karol.wachowski@intel.com>
Change-Id: I3d148a6f360e4ede996f99827185ae653e0ed5c5
|
|
It fixes problem with missing information on VirtualMedia Redfish
resource after user mounts media using legacy method.
Part of VirtualMedia Redfish resource after fix:
{
...
"ConnectedVia": "URI",
"Id": "Slot_2",
"Image": null,
"ImageName": "smb://127.0.0.1/public/openSUSE-15.1-x86_64.iso",
"Inserted": true,
...
}
Tested:
- Mounted and ejected media using legacy method with success.
- Received proper details about mounted image from Redfish.
Signed-off-by: Wludzik, Jozef <jozef.wludzik@intel.com>
Change-Id: I445b37aac27dd290ce07f589834c0a6a10d2ceef
|
|
activating/deactivating states
Previously mount/unmount waited until timeout occurs, when
operation was already process it could finish before the timeout
causing mount/unmount to get false positive/negative results.
Tested: - Mount/Unmount dbus calls cause EBUSY exception in
activating/deactivating states
Change-Id: Idaacde212531c963aec304ac87e536d014d9d8d2
Signed-off-by: Karol Wachowski <karol.wachowski@intel.com>
|
|
Added Timeout dbus property for block devices in VirtualMedia.
Added throwing EBUSY exception when Mount/Unmount operation times out.
Added transition from ActivatingState to DeactivatingState.
Tested: Verified that after mounting non-existing HTTPS resource
in proxy mode, VirtualMedia recovers restoring ready state
and throws EBUSY during that transition.
Verified that resources can be mounted/unmounted in both legacy
and proxy mode.
Change-Id: I3768af13663046cc55976ad59062f8bc1d6396ba
Signed-off-by: Karol Wachowski <karol.wachowski@intel.com>
|
|
OpenBMC uses custom path for certificates: /etc/ssl/certs not
/usr/lib/ssl/certs like curl plugin default. We need to provide it in
order to make curl plugin work in OpenBMC environment.
Tested:
Certificate Authority added with UI allows to use https server signed
with this certificate.
Change-Id: I702179862e9e977efd162bdf19426208c4ce45f0
Signed-off-by: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com>
|
|
- Previously machine did not handle AnyEvent correctly,
implementation in BaseState was always run
- Changing from ActiveState to ReadyState was bugged,
previously only one of event SubprocessStopped or UdevNotification
caused state change when it is required to wait for both
- Introduced longer timer when waiting for ReadyState during Eject and
ActiveState during Inject, because nbdkit can timeout during Eject and
it is required to complete before next inject can succeed.
- Added event notification when process is terminated
- Added resources classes to handle deletion and notifications
Signed-off-by: Krzysztof Grobelny <krzysztof.grobelny@intel.com>
Signed-off-by: Karol Wachowski <karol.wachowski@intel.com>
Change-Id: Ie914e650c2f15bd73cdc87582ea77a94997a3472
Signed-off-by: Karol Wachowski <karol.wachowski@intel.com>
|