path: root/virtual-media.json
Age | Commit message | Author | Files | Lines
2021-05-06 | Moving sockets from /tmp to /run | Czarnowski, Przemyslaw | 1 | -4/+4

Socket files needed to serve virtual media devices are created in the /tmp directory, which is a temporary tmpfs mount. All temporary directories are subject to systemd's systemd-tmpfiles-clean.service, which cleans them up based on age. Systemd-tmpfiles-clean uses tmpfiles.d entries to manage all temporary directories.

This change moves creation of the VM socket directory to tmpfiles.d - an appropriate config has been added for Virtual Media. The entry will create the socket directory without an Age limitation. The socket location is moved from /tmp to /run. It is a more appropriate place where all daemons should have their working files located.

Tested: Manually mounting proxy and legacy cifs/https share, running systemd-tmpfiles-clean.service does not render any problems.

Change-Id: I29ace61894587e03449e29c2459930008a2a1d99
Signed-off-by: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com>
2020-07-23 | Assure right permissions for files | Czarnowski, Przemyslaw | 1 | -4/+4

According to security guidelines, files created by a service must be limited to the narrowest set of permissions required. This must also be true for 3rd party files used by Virtual Media.

- For all regular files and directories created by the service, umask is used.
- For sockets, permissions are limited by the permissions of the parent directory.

For full reference see man unix(7). Below is the most important fragment:

"In the Linux implementation, sockets which are visible in the filesystem honor the permissions of the directory they are in. Their owner, group and their permissions can be changed. Creation of a new socket will fail if the process does not have write and search (execute) permission on the directory the socket is created in. Connecting to the socket object requires read/write permission. This behavior differs from many BSD-derived systems which ignore permissions for UNIX domain sockets. Portable programs should not rely on this feature for security."

Change-Id: I22ff531c96c8a6903fecb5d8cc71caf33150a713
Signed-off-by: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com>
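The directory-based restriction described in the commit message above, as an added example (not code from the virtual-media repository): it binds a UNIX socket inside an owner-only directory under a restrictive umask, then audits who else could reach it on Linux. The directory name `vm-sockets`, the socket name and both function names are assumptions made for illustration.

```python
import os
import socket
import stat
import tempfile

OTHERS_X = stat.S_IXGRP | stat.S_IXOTH   # search permission on the directory
OTHERS_W = stat.S_IWGRP | stat.S_IWOTH   # write permission on the socket


def bind_private_socket(base_dir, name="vm.sock"):
    """Bind a UNIX socket inside a freshly created owner-only directory."""
    sock_dir = os.path.join(base_dir, "vm-sockets")   # hypothetical name
    old_umask = os.umask(0o077)   # regular files and directories: owner only
    try:
        os.mkdir(sock_dir, 0o700)
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        path = os.path.join(sock_dir, name)
        srv.bind(path)            # socket node is created under the umask too
        srv.listen(1)
    finally:
        os.umask(old_umask)
    return srv, path


def audit_socket(path):
    """Classify who, besides the owner, can reach a socket on Linux.

    Only the immediate parent directory is inspected, not its ancestors.
    """
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a socket")
    dir_mode = stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode)
    sock_mode = stat.S_IMODE(st.st_mode)
    if not dir_mode & OTHERS_X:
        verdict = "restricted by directory"    # others cannot traverse to it
    elif not sock_mode & OTHERS_W:
        verdict = "restricted by socket mode"  # reachable, but not connectable
    else:
        verdict = "exposed"                    # group/other can connect
    return verdict, oct(dir_mode), oct(sock_mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        srv, path = bind_private_socket(base)
        print(audit_socket(path))
        os.chmod(os.path.dirname(path), 0o755)  # weaken the directory
        os.chmod(path, 0o777)                   # and the socket itself
        print(audit_socket(path))
        srv.close()
```
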
2020-07-21 | Increase device timeout for legacy mode. | Czarnowski, Przemyslaw | 1 | -2/+2

For slow nbd devices (where the backend is slow, like https) sometimes a single burst of data couldn't be read/written within the default 30s timeout. Suggested timeout for such devices is > 60. 90 seconds seems safe here. This value is just a recommendation; this can be changed for a specific environment.

Tested: Multiple write/delete operations on mounted device.

Change-Id: Idad644f7d12d346145b86c8954f271b4c3290e84
Signed-off-by: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com>
2020-06-26 | Fix for defect `Misleading VM endpoints names` | Zbigniew Kurzynski | 1 | -4/+4

Changing endpoint names to Slot_<X> convention.

Tested: Tested manually, new endpoint names are available on dbus, redfish and finally on WebUI.

Change-Id: I90c9dc9fab8314f498d7635d0c010dffdcdc24c9
Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
2020-05-06 | Bring back legacy endpoints in Virtual Media | Ambrozewicz, Adrian | 1 | -1/+17

This change brings back Legacy USB devices in VirtualMedia.

It should be accepted after: https://git-amr-2.devtools.intel.com/gerrit/246113 Enable MTLS and VirtualMedia back

Tested:
- Both changes combined allow mounting devices in legacy mode

Change-Id: I6ceb7a1c37f49dbc8ea7a5313bb264cf99051048
Signed-off-by: Ambrozewicz, Adrian <adrian.ambrozewicz@intel.com>
2020-04-03 | Make 'Legacy mode' (mounting through HTTPS or SMB) configurable at compile time. | Adrian Ambrożewicz | 1 | -17/+1

This change modifies the default configuration and removes ability to configure endpoints in such mode.

Tests performed: Tested on WilsonCity for regression. Proxy mode works. Manual configuration injection (modifying virtual-media.json) didn't enable Legacy endpoints - they are ignored.

Change-Id: Idb63f1cf0f391dc428d6ad3d8e3684017d509369
Signed-off-by: Adrian Ambrożewicz <adrian.ambrozewicz@linux.intel.com>
2020-02-06 | Integration with NBDKit for Legacy mode | Agata Olender | 1 | -5/+12

This change introduces integration of the virtual-media application with NBDKit. NBDKit is used here to connect to an externally provided image on the web and expose an NBD device internally in the BMC for the NBD subsystem (already implemented in Proxy mode) to use.

'Mount' D-Bus call accepts 's imgUrl' and 'b rw'. Based on the 's imgUrl' prefix (https:// or smb://) the proper mount type is attempted. 'b rw' determines Read-Only mode for both USB Gadget and NBD stack.

When 'Mount' is called, virtual-media parses arguments, determines mounting options and attempts to mount the external share.

For SMB protocol the native CIFS Linux module is used:
1) mount(8) call is used to mount the provided CIFS share
2) NBDKit loads the file on the mounted filesystem and exposes an NBD Server on an internal unix socket
3) Pre-existing code takes care of mounting the gadget automatically (connecting socket to /dev/nbdX and then /dev/nbdX to USB Gadget)

For HTTPS protocol provisioning is performed by NBDKit:
1) NBDKit connects to the provided resource and exposes an NBD Server on an internal unix socket
2) Pre-existing code takes care of mounting the gadget automatically (connecting socket to /dev/nbdX and then /dev/nbdX to USB Gadget)

Tested: Manual and automated tests on WilsonCity platform:
- mounting and unmounting images over CIFS and HTTPS (single, multiple at the same time etc)
- positive and negative tests for D-Bus calls
- ensuring proper information is exposed on D-Bus

Change-Id: Ia2b6e8c13603521063f5c94cdfdb06f2e872e9e7
Signed-off-by: Adrian Ambrożewicz <adrian.ambrozewicz@linux.intel.com>
Signed-off-by: Agata Olender <agata.olender@intel.com>
2019-09-16 | Support for Legacy mode. | Zbigniew Lukwinski | 1 | -0/+8

Support for Legacy mode added but only for CIFS resources. DBus "xyz.openbmc_project.VirtualMedia.MountPoint" interface was extended to support 'ImageUrl'. This property will be used to expose on DBus the HTTPS/CIFS url already mounted in Legacy mode. Changes do not cover passing credentials needed for CIFS authentication.

Tested:
- CIFS/SMB resource successfully mounted with DBus call to the xyz.openbmc_project.VirtualMedia.Legacy:Mount
- CIFS/SMB resource successfully unmounted with DBus call to the xyz.openbmc_project.VirtualMedia.Legacy:Unmount
- checked double mount and unmount DBus calls return an error and put an appropriate trace in logs.

Change-Id: I25b3d11dad6b273e88325beb35580e0baa8568f8
Signed-off-by: Zbigniew Lukwinski <zbigniew.lukwinski@linux.intel.com>
2019-08-27 | Initial version of Virtual-Media | Rapkiewicz, Pawel | 1 | -0/+22

This is the initial version of virtual media support. This covers:
* udev monitoring
* configuration reading
* exposing appropriate interfaces on dbus
* allows mount/umount images from existing unix socket

Does not cover:
* configuration of usb gadget

Integration with bmcweb will be delivered to bmcweb

Change-Id: I358ab80fe32a7ed933007143bfa00da847a95316
Signed-off-by: Rapkiewicz, Pawel <pawel.rapkiewicz@intel.com>
Signed-off-by: Kowalski, Kamil <kamil.kowalski@intel.com>